Writing an EXP for CVE-2017-7269 (IIS 6.0)
Posted 2017-03-29 | Category: Vulnerability exploitation | No comments

Straight to the point. The test environment is `Windows Server 2003 R2 Enterprise Edition SP2 x86`:

![image_1bccub7e11kjg12de1cfeao5ig29.png-43.2kB][1]

First, step through the [POC][2] in a debugger:

![image_1bccunicd1uln1n0k1n7l1qua1dkom.png-159.1kB][3]

[1]: http://static.zybuluo.com/birdg0/ddbt7i9kmhwgbouwril1g9l3/image_1bccub7e11kjg12de1cfeao5ig29.png
[2]: https://github.com/edwardz246003/IIS_exploit/blob/master/exploit.py
[3]: http://static.zybuluo.com/birdg0/1fr4b4mm8batuk12r4ulnyy0/image_1bccunicd1uln1n0k1n7l1qua1dkom.png
[4]: http://static.zybuluo.com/birdg0/w7il54i1b6axxnc7uj7o57d8/image_1bcd0qt101j0vhp57vikkq1g3s13.png
[5]: http://static.zybuluo.com/birdg0/jp212q6i170xefb1ypt2wbzv/image_1bcd2930s1ejn1nse16pe18et1hjr2n.png
[6]: http://static.zybuluo.com/birdg0/qcmzzwsvrq5tvywi9hvjp9mi/2017-03-30_095853.png
[7]: https://github.com/birdg0/exp/blob/master/local/windows/ms15-077.exe

Read more »
MS16-063 IE11 jscript9.dll TypedArray UAF: analysis and exploitation (Windows 10 CFG bypass)
Posted 2017-03-04 | Category: Vulnerability exploitation | No comments

# 1. Vulnerability analysis

Since this is a heap bug, enable `HPA` (page heap) and `UST` (user-mode stack trace database) on the IE process to make debugging easier, then open the POC page:

```html
```

It crashes immediately:

![image_1bac26g3c1vuks2tdvcpnrgq19.png-9.9kB][1]

[1]: http://static.zybuluo.com/birdg0/3zkkrawhg3j9bm0vy2j3vsmi/image_1bac26g3c1vuks2tdvcpnrgq19.png
[2]: http://static.zybuluo.com/birdg0/9c5ow6v0bt8bgzh5qrh68sgw/image_1bac2at774jqn2s1imh1sf41p1q13.png
[3]: http://static.zybuluo.com/birdg0/iy5jjgutgc8p14cjeiznah5j/image_1bac2hi8d1vak106alsg10ul19411t.png
[4]: http://static.zybuluo.com/birdg0/h8qxbwt6m9cazhxedjvww3mp/image_1bac35vj51i4igrc63d10174h2a.png
[5]: https://github.com/theori-io/jscript9-typedarray-cfg
[6]: http://static.zybuluo.com/birdg0/n3lmeejy6gezy9tpfzgdzvwo/image_1bac5nnke1o9b53v15g5vep1oam2n.png
[7]: https://github.com/birdg0/exp/blob/master/browser/ie11-ms16-063-bypass-cfg-exp.html
[8]: http://theori.io/research/jscript9_typed_array
[9]: http://theori.io/research/chakra-jit-cfg-bypass

Read more »
CVE-2013-3918 IE11 CardSpaceClaimCollection ActiveX integer underflow: analysis and exploitation
Posted 2017-02-25 | Category: Vulnerability exploitation | No comments

# 1. Vulnerability analysis

First attach WinDbg to the IE process and visit the POC page:

```html
```

Visiting it causes a crash, an access to unmapped memory:

![image_1b9o1mfmul5q1q4i1c2c1m497ba9.png-18.2kB][1]

From the stack backtrace, the exception is raised inside `CCardSpaceClaimCollection::remove`:

![image_1b9o1resa19nl16rneahuam1og0m.png-25.7kB][2]

[1]: http://static.zybuluo.com/birdg0/0205ln6niau5e57lcaca9zfl/image_1b9o1mfmul5q1q4i1c2c1m497ba9.png
[2]: http://static.zybuluo.com/birdg0/c5merweql1is6iuxjxutvnyi/image_1b9o1resa19nl16rneahuam1og0m.png
[3]: https://github.com/exp-sky/XKungFoo-2013/blob/master/IE%200day%20Analysis%20And%20Exploit.pdf
[4]: http://boo0m.github.io/2016/12/20/%C2%96Geekpwn-2016-CVE-2013-3918-Exploit/
[5]: http://static.zybuluo.com/birdg0/auejwjk8q3huyeph69utojob/image_1b9pqottn1k1l1gjf1dhd10d01o6m9.png
[6]: http://static.zybuluo.com/birdg0/iu3at4dg8whad1d4qlwz606e/image_1b9ps0o9m12heeprc761o0253713.png
[7]: http://static.zybuluo.com/birdg0/h5jo6a1pvgga89sr9q1fm8ua/image_1b9ps9tcd17c0163kqfs15os1bdt1g.png
[8]: http://boo0m.github.io/2016/12/20/%C2%96Geekpwn-2016-CVE-2013-3918-Exploit/
[9]: https://github.com/birdg0/exp/blob/master/browser/ie11-cve-2013-3918-exp.html
[10]: https://github.com/exp-sky/XKungFoo-2013/blob/master/IE%200day%20Analysis%20And%20Exploit.pdf
[11]: http://boo0m.github.io/2016/12/20/%C2%96Geekpwn-2016-CVE-2013-3918-Exploit/

Read more »
CVE-2014-1776 IE11 VGX.DLL UAF: analysis and exploitation
Posted 2017-02-20 | Category: Vulnerability exploitation | No comments

# 1. Vulnerability analysis

Since this is a UAF, first enable `HPA` and `UST`, then attach WinDbg and open the POC page:

```html
IE Case Study - STEP1
```

WinDbg catches the crash on access: the fault is in `CMarkup::IsConnectedToPrimaryMarkup`, and the freed heap block is `0x428` bytes:

![image_1b9cphm1q1m0e1susc1m1ok10nbm.png-25.9kB][1]

[1]: http://static.zybuluo.com/birdg0/5j89yatcb89krz866irayxjq/image_1b9cphm1q1m0e1susc1m1ok10nbm.png
[2]: http://static.zybuluo.com/birdg0/pwfp6up97p7o1vfj8u3xjxvh/image_1b9cs2ugm1hrbjhc19k11vcj17vl13.png
[3]: http://static.zybuluo.com/birdg0/efrmvsj6cksurbaw9i707n5k/1.png
[4]: http://static.zybuluo.com/birdg0/r8f2cnpunv84t6cocguq44ol/2.png
[5]: http://static.zybuluo.com/birdg0/9vxdvdigbwd6qkp1ozqquag3/3.png
[6]: http://static.zybuluo.com/birdg0/fmsaysbjrruil2n0s4j0ogpz/4.png
[7]: http://static.zybuluo.com/birdg0/b1lmt6ljnptuq1h5x1mgfsmn/5.png
[8]: http://static.zybuluo.com/birdg0/4zjc0zmquwsu6jrhf3njlmi1/6.png
[9]: http://static.zybuluo.com/birdg0/2gwc2fiz8wdwwtat5pijbvf7/image_1b9corp961r711ra21b75o17k0i9.png
[10]: https://github.com/birdg0/exp/blob/master/browser/ie11-cve-2014-1776-exp.html

Read more »
2017 CODEGATE CTF PNGParser writeup
Posted 2017-02-16 | Category: Vulnerability exploitation | 4 comments

# 1. Vulnerability analysis

The website has an arbitrary file read: change the protocol to `file://` and put a path in the `url` field and it reads any file. The response comes back base64-encoded, so just decode it. Reading the source this way shows that an uploaded image is not handled by the web app at all; it is written to a temp file and handed to a native binary for parsing:

```python
import os
import tempfile
from subprocess import PIPE, Popen


def parser_run(png_data):
    # Spill the uploaded bytes to a temp file the binary can open.
    f = tempfile.NamedTemporaryFile(delete=False)
    f.write(png_data)
    f.close()
    # The parser is a separate native process; its stdout is what the site returns.
    args = "./PNGParser %s" % (f.name)
    proc = Popen(args, stdout=PIPE, stderr=PIPE, stdin=PIPE, shell=True)
    out, err = proc.communicate()
    os.unlink(f.name)
    return out
```

So this is really a pwn challenge... Reversing the binary shows it is a PNG parser, and it contains several vulnerabilities.

Read more »
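Added example for the PNGParser writeup above. This is not the challenge's own binary, and the excerpt does not say which bugs it has, so the example shows the other side: a bounds-checked walker over the chunk layout any PNG parser consumes (signature, then `[length][type][data][crc]` records), where the 32-bit length field is the attacker-controlled value a native parser must validate before reading or allocating. The 1x1 image, the `with_idat_length` patching helper and all function names are constructed here for illustration.

```python
import struct
import zlib

# PNG layout: 8-byte signature, then chunks of
#   [length:4 big-endian][type:4][data:length][crc32(type+data):4]
# In an uploaded file every one of those length fields is attacker-controlled.
PNG_SIG = b"\x89PNG\r\n\x1a\n"
MAX_CHUNK_LEN = 0x7FFFFFFF  # the PNG spec caps a chunk length at 2^31-1


class PngError(ValueError):
    """Raised for any structurally invalid input; nothing is parsed past it."""


def parse_chunks(data: bytes) -> list:
    """Walk the chunk list, validating every length and CRC before use.

    Returns [(chunk_type, payload), ...], the last entry being IEND.
    """
    if data[:8] != PNG_SIG:
        raise PngError("bad PNG signature")
    off = 8
    chunks = []
    while True:
        remaining = len(data) - off
        if remaining < 12:  # need at least length + type + crc
            raise PngError("truncated chunk header at offset %d" % off)
        length, ctype = struct.unpack(">I4s", data[off:off + 8])
        if length > MAX_CHUNK_LEN:
            raise PngError("chunk %r length %#x exceeds 2^31-1" % (ctype, length))
        # Compare the declared length against what is actually present. The
        # check is written as `length > remaining - 12`, never as
        # `off + length + 12 <= len`, so a C-style 32-bit wrap of
        # `length + 12` has no equivalent here.
        if length > remaining - 12:
            raise PngError("chunk %r declares %d bytes, only %d present"
                           % (ctype, length, remaining - 12))
        payload = data[off + 8:off + 8 + length]
        (crc,) = struct.unpack(">I", data[off + 8 + length:off + 12 + length])
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            raise PngError("CRC mismatch in chunk %r" % ctype)
        chunks.append((ctype, payload))
        off += 12 + length
        if ctype == b"IEND":
            break
        if off >= len(data):
            raise PngError("missing IEND")
    if chunks[0][0] != b"IHDR":
        raise PngError("first chunk must be IHDR")
    return chunks


def parse_ihdr(payload: bytes) -> dict:
    """Decode IHDR and reject dimensions a downstream allocator would choke on."""
    if len(payload) != 13:
        raise PngError("IHDR must be 13 bytes, got %d" % len(payload))
    width, height, depth, color, comp, filt, interlace = struct.unpack(">IIBBBBB", payload)
    if not (0 < width <= MAX_CHUNK_LEN and 0 < height <= MAX_CHUNK_LEN):
        raise PngError("invalid dimensions %dx%d" % (width, height))
    if depth not in (1, 2, 4, 8, 16) or color not in (0, 2, 3, 4, 6):
        raise PngError("invalid bit depth / colour type")
    return {"width": width, "height": height, "depth": depth, "color_type": color,
            "compression": comp, "filter": filt, "interlace": interlace}


def make_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_sample_png() -> bytes:
    """Constructed 1x1 RGB image (not a file from the challenge)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    raw_scanline = b"\x00" + b"\xff\x00\x00"  # filter byte 0 + one red pixel
    return (PNG_SIG + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", zlib.compress(raw_scanline))
            + make_chunk(b"IEND", b""))


def with_idat_length(png: bytes, new_len: int) -> bytes:
    """Patch the IDAT length field; IDAT starts at offset 33 after the 25-byte IHDR chunk."""
    return png[:33] + struct.pack(">I", new_len) + png[37:]


if __name__ == "__main__":
    good = build_sample_png()
    chunks = parse_chunks(good)
    print([t for t, _ in chunks], parse_ihdr(chunks[0][1]))
    try:
        parse_chunks(with_idat_length(good, 0x7FFFFFF0))
    except PngError as e:
        print("rejected:", e)
```

The two length checks are the point: the first bounds the field by the spec, the second bounds it by the bytes actually in the buffer, and both run before the payload is sliced or its CRC computed. A native parser that does `malloc(length)` or `memcpy(buf, p, length)` on the raw field, or that checks `p + length + 12 <= end` with 32-bit arithmetic, is exactly where a crafted chunk header turns a file parser into a pwn target.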
CVE-2014-0322 IE10 CMarkup UAF: analysis and exploitation
Posted 2017-02-13 | Category: Vulnerability exploitation | No comments

# 1. Vulnerability analysis

Since this is a heap bug, first use `gflags` to enable `HPA` and `UST` for `iexplore.exe`, then attach WinDbg to the IE process and visit the POC page:

```html
```

Visiting it causes a crash:

![image_1b8om95s2q1sk7l1t2g17r617gg9.png-11.3kB][1]

[1]: http://static.zybuluo.com/birdg0/0720esvnhj8wpvvvkzmvk2u6/image_1b8om95s2q1sk7l1t2g17r617gg9.png
[2]: http://static.zybuluo.com/birdg0/ca0cksznqxj9oxhd4l9di0ok/image_1b8omnjpr31514rk1a2v1gdfnem.png
[3]: http://static.zybuluo.com/birdg0/2i4vwhpx607uvkwm5d6w7j9o/image_1b8onef0gehe1ntb1nmnk9j2jp1g.png
[4]: http://static.zybuluo.com/birdg0/gagst224a9bet2zzpgpx20tc/image_1b8on5liu190n1d2polje74135t13.png
[5]: http://static.zybuluo.com/birdg0/zag2dfaj4r8xvztc7httmvaw/image_1b8qkvhp7nls13tg151urvbekj1t.png
[6]: http://static.zybuluo.com/birdg0/ey3vjfvlwmjpuyibbycrh423/image_1b8qlo1ji11gf1s1h87meg6s102a.png
[7]: http://static.zybuluo.com/birdg0/ldgktdslnmskdada6jdsacxr/image_1b8qmsi246331d281mh91ipjnc62n.png
[8]: http://static.zybuluo.com/birdg0/1bkyrip6dh4y2fim2uczb3us/image_1b8qnjuc6v4q1paqcmu1nvv1edt34.png
[9]: https://github.com/birdg0/exp/blob/master/browser/ie10-cve-2014-0322-exp.html

Read more »