All you can spray
Posted on 2009-08-13 12:49:25 in PornoSecurity
Since I'm tired of reinventing the wheel, I decided to write a couple of lines of code and to wrap them in an easy-to-use, single PHP file.
Just put it in your DocumentRoot and you get ActionScript (Flash) heap spraying and/or a wonderful .NET assembly loaded at the address you choose.
The script accepts different parameters:
- t: 'd' if you want a .NET assembly, 'f' for SWF
- s: shellcode
- n: nop
- c: number of chunks to spray (for SWF)
- b: base address (for .NET assembly)
For example, to request a .NET assembly with a base address of 0x41410000, a nop sled of 0x0a and an INT 3 (0xcc) as shellcode:
/spray.php?t=d&s=%cc&n=0x0a&b=4141
If you want to spray the heap with Flash instead:
/spray.php?t=f&s=%cc&n=0x0a&c=0x500
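For the defender's side of the parameter scheme above: an added example (not part of the original post or its .tar.gz) that walks Apache-style access log lines and flags requests carrying the t/s/n plus b-or-c combination, decoding the shellcode parameter as raw bytes rather than text. The log lines and the path names are constructed; only the query keys and their meaning come from the post.

```python
import re
from urllib.parse import urlsplit, unquote_to_bytes

# Constructed sample access-log lines (not taken from the original post). The first
# two mimic requests to a generator with this parameter scheme; the third is an
# unrelated PHP request that happens to carry a "t" parameter.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Aug/2009:12:49:25 +0200] "GET /spray.php?t=d&s=%cc&n=0x0a&b=4141 HTTP/1.1" 200 1048576 "-" "Mozilla/4.0"
10.0.0.5 - - [13/Aug/2009:12:50:01 +0200] "GET /spray.php?t=f&s=%cc%cc%cc%cc&n=0x0a&c=0x500 HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
10.0.0.7 - - [13/Aug/2009:12:51:10 +0200] "GET /index.php?t=d&page=2 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def raw_query_params(target: str) -> dict:
    """Split the query string without text-decoding it, so %cc stays the byte 0xCC."""
    params = {}
    for pair in urlsplit(target).query.split("&"):
        key, _, value = pair.partition("=")
        if key:
            params[key] = unquote_to_bytes(value)
    return params


def classify_request(line: str):
    """Return a finding dict when the request matches the generator's parameter
    scheme (t=d with b, or t=f with c, each together with s and n), else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    params = raw_query_params(m.group("target"))
    mode = params.get("t", b"")
    if mode not in (b"d", b"f") or "s" not in params or "n" not in params:
        return None
    finding = {"path": urlsplit(m.group("target")).path,
               "shellcode_len": len(params["s"]),          # bytes after %xx decoding
               "nop": params["n"].decode("ascii", "replace")}
    if mode == b"d" and "b" in params:
        finding["kind"] = "dotnet-assembly"
        # Per the post's example, b=4141 stands for the base address 0x41410000.
        finding["base_address"] = int(params["b"], 16) << 16
        return finding
    if mode == b"f" and "c" in params:
        finding["kind"] = "swf-spray"
        finding["chunks"] = int(params["c"], 16)
        return finding
    return None


def scan_log(text: str) -> list:
    """Classify every line and keep only the matches."""
    return [f for f in (classify_request(l) for l in text.splitlines()) if f]
```

Matching on the parameter combination rather than on the file name keeps the check useful when the script is renamed; a real deployment would pair this with the response size, which is conspicuously large for the assembly variant.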
Here you can find a .tar.gz with the script, an HTML example and the Flash spray sources (to be compiled with haxe).
No, there's no source for the .NET control in the .tar.gz (it's 1 MB, too heavy). To make one, just create a class and put a huge static string in it; it will be loaded in a +rx (readable and executable) area.
Have fun :)