Xray Crack Patching

Write this blog due to Xray was EOL. Last version 1.9.11.

1. Patching Walkthrough for x86

  1. run program
1
2
./xray_darwin_amd64
this license is expired, expiration time is 2022-08-03 08:00:00
  1. find and locate string
1
2
3
4
00000000: 74 68 69 73 20 6c 69 63 65 6e 73 65 20 69 73 20  this license is 
00000010: 65 78 70 69 72 65 64 2c 20 65 78 70 69 72 61 74  expired, expirat
00000020: 69 6f 6e 20 74 69 6d 65 20 69 73 20 25 73        ion time is %s

  1. find references
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
04f92ba3  e838fdffff         call    sub_4f928e0
04f92ba8  440f11bc24980000…movups  xmmword [rsp+0x98 {var_48}], xmm15
04f92bb1  e8eabf07ff         call    sub_400eba0
04f92bb6  488d0dc3d46800     lea     rcx, [rel data_5620080]
04f92bbd  48898c2498000000   mov     qword [rsp+0x98 {var_48}], rcx  {data_5620080}
04f92bc5  48898424a0000000   mov     qword [rsp+0xa0 {var_48+0x8}], rax
04f92bcd  488d05657aab00     lea     rax, [rel data_5a4a639]  {"this license is expired, expirat…"}
04f92bd4  bb2e000000         mov     ebx, 0x2e
04f92bd9  488d8c2498000000   lea     rcx, [rsp+0x98 {var_48}]
04f92be1  bf01000000         mov     edi, 0x1
04f92be6  4889fe             mov     rsi, rdi  {0x1}
04f92be9  e8d21417ff         call    sub_41040c0
04f92bee  4889d9             mov     rcx, rbx  {0x2e}
04f92bf1  4889c3             mov     rbx, rax
04f92bf4  31c0               xor     eax, eax  {0x0}
04f92bf6  488bac24d8000000   mov     rbp, qword [rsp+0xd8 {__saved_rbp}]
04f92bfe  4881c4e0000000     add     rsp, 0xe0
04f92c05  c3                 retn     {__return_addr}

04f92ba3 was jumped from 04f92a26

1
2
3
04f92a1f  488b5838           mov     rbx, qword [rax+0x38]
04f92a23  4839fb             cmp     rbx, rdi
04f92a26  0f8c77010000       jl      0x4f92ba3
  1. NOP the jl to force ignore license expire date
1
2
3
4
5
6
7
8
04f92a1f  488b5838           mov     rbx, qword [rax+0x38]
04f92a23  4839fb             cmp     rbx, rdi
04f92a26  90                 nop     
04f92a27  90                 nop     
04f92a28  90                 nop     
04f92a29  90                 nop     
04f92a2a  90                 nop     
04f92a2b  90                 nop
  1. save binary as xray_darwin_amd642

2. Test Patched Binary

need a expired license , can be found anywhere.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
chmod +x ./xray_darwin_amd642 && ./xray_darwin_amd642

____  ___.________.    ____.   _____.___.
\   \/  /\_   __   \  /  _  \  \__  |   |
 \     /  |    _  _/ /  /_\  \  /   |   |
 /     \  |    |   \/    |    \ \____   |
\___/\  \ |____|   /\____|_   / / _____/
      \_/       \_/        \_/  \/

Version: 1.9.11/eb0c331d/COMMUNITY-ADVANCED
Licensed to tangshoupu, license is valid until 2022-08-03 08:00:00

NAME:
   xray - A powerful scanner engine [https://docs.xray.cool]

USAGE:
    [global options] command [command options] [arguments...]

COMMANDS:
   webscan, ws        Run a webscan task
   servicescan, ss    Run a service scan task
   subdomain, sd      Run a subdomain task
   poclint, pl, lint  lint yaml poc
   burp-gamma, btg    Convert the export file of burp historical proxy records to POC format
   transform          transform other script to gamma
   reverse            Run a standalone reverse server
   convert            convert results from json to html or from html to json
   genca              GenerateToFile CA certificate and key
   upgrade            check new version and upgrade self if any updates found
   version            Show version info
   x                  A command that enables all plugins.
You can customize new commands or modify the plugins enabled by a command in the configuration file.
   help, h  Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --config FILE      Load configuration from FILE (default: "config.yaml")
   --log-level value  Log level, choices are debug, info, warn, error, fatal
   --help, -h         show help
[INFO] 2023-12-24 18:16:39 [default:entry.go:226] Loading config file from config.yaml

没有命令输入,请在终端中运行此程序。/ No command provided, please run this program in terminal.
参考链接(Help link):https://docs.xray.cool/#/guide/faq?id=no-command-provided

按任意键继续... / Press Enter to continue...


3. ARM Version

Walkthrough is 99% same as x86 version

1
2
3
4
100f14820  021c40f9   ldr     x2, [x0, #0x38]
100f14824  5f0001eb   cmp     x2, x1
100f14828  eb0e0054   b.lt    0x100f14a04

NOP the b.lt

1
2
3
4
5
6
7
8
100f14820  021c40f9   ldr     x2, [x0, #0x38]
100f14824  5f0001eb   cmp     x2, x1
100f14828  1f2003d5   nop     
100f1482c  1f2003d5   nop     
100f14830  a00080d2   mov     x0, #0x5
100f14834  e01300f9   str     x0, [sp, #0x20 {var_e0}]  {0x5}
100f14838  ffff02a9   stp     xzr, xzr, [sp, #0x28] {var_d0}  {0x0}  {0x0}

4. Exit with Killed

1
2
chmod +x ./xray_darwin_arm642 && ./xray_darwin_arm642
[1]    94656 killed     ./xray_darwin_arm642

resign the binary

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
codesign --force --deep --sign - ./xray_darwin_arm642 && ./xray_darwin_arm642
./xray_darwin_arm642: replacing existing signature

____  ___.________.    ____.   _____.___.
\   \/  /\_   __   \  /  _  \  \__  |   |
 \     /  |    _  _/ /  /_\  \  /   |   |
 /     \  |    |   \/    |    \ \____   |
\___/\  \ |____|   /\____|_   / / _____/
      \_/       \_/        \_/  \/

Version: 1.9.11/eb0c331d/COMMUNITY-ADVANCED
Licensed to tangshoupu, license is valid until 2022-08-03 08:00:00

NAME:
   xray - A powerful scanner engine [https://docs.xray.cool]

USAGE:
    [global options] command [command options] [arguments...]

COMMANDS:
   webscan, ws        Run a webscan task
   servicescan, ss    Run a service scan task
   subdomain, sd      Run a subdomain task
   poclint, pl, lint  lint yaml poc
   burp-gamma, btg    Convert the export file of burp historical proxy records to POC format
   transform          transform other script to gamma
   reverse            Run a standalone reverse server
   convert            convert results from json to html or from html to json
   genca              GenerateToFile CA certificate and key
   upgrade            check new version and upgrade self if any updates found
   version            Show version info
   x                  A command that enables all plugins.
You can customize new commands or modify the plugins enabled by a command in the configuration file.
   help, h  Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --config FILE      Load configuration from FILE (default: "config.yaml")
   --log-level value  Log level, choices are debug, info, warn, error, fatal
   --help, -h         show help
[INFO] 2023-12-24 18:38:53 [default:entry.go:226] Loading config file from config.yaml

没有命令输入,请在终端中运行此程序。/ No command provided, please run this program in terminal.
参考链接(Help link):https://docs.xray.cool/#/guide/faq?id=no-command-provided

按任意键继续... / Press Enter to continue...

5. Verify Advanced License Workable

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
./xray_darwin_arm642 webscan --url http://127.0.0.1:8080/

____  ___.________.    ____.   _____.___.
\   \/  /\_   __   \  /  _  \  \__  |   |
 \     /  |    _  _/ /  /_\  \  /   |   |
 /     \  |    |   \/    |    \ \____   |
\___/\  \ |____|   /\____|_   / / _____/
      \_/       \_/        \_/  \/

Version: 1.9.11/eb0c331d/COMMUNITY-ADVANCED
Licensed to tangshoupu, license is valid until 2022-08-03 08:00:00

[INFO] 2023-12-24 18:51:05 [default:entry.go:226] Loading config file from config.yaml
[!] Warning: you should use --html-output, --webhook-output or --json-output to persist your scan result

Enabled plugins: [dirscan xss baseline crlf-injection jsonp sqldet fastjson xxe shiro thinkphp xstream brute-force cmd-injection path-traversal redirect ssrf upload phantasm struts]

[INFO] 2023-12-24 18:51:05 [phantasm:phantasm.go:185] 819 pocs have been loaded (debug level will show more details)
[INFO] 2023-12-24 18:51:05 [shiro:shiro.go:92] shiro key count 117
These plugins will be disabled as reverse server is not configured, check out the reference to fix this error.
Ref: https://docs.xray.cool/#/configration/reverse
Plugins:
	fastjson/fastjson/cve-2022-25845
	fastjson/fastjson/deserialization
	poc-go-apache-log4j2-rce
	poc-go-weblogic-cve-2023-21839
	poc-yaml-apache-druid-kafka-rce
	poc-yaml-apache-spark-rce-cve-2022-33891
	poc-yaml-dlink-cve-2019-16920-rce
	poc-yaml-dotnetnuke-cve-2017-0929-ssrf
	poc-yaml-drawio-cve-2022-1713-ssrf
	poc-yaml-full-read-ssrf-in-spring-cloud-netflix
	poc-yaml-ghostscript-cve-2018-19475-rce
	poc-yaml-gitlab-cve-2021-22214-ssrf
	poc-yaml-httpd-ssrf-cve-2021-40438
	poc-yaml-jenkins-cve-2018-1000600
	poc-yaml-jira-cve-2019-11581
	poc-yaml-jira-ssrf-cve-2019-8451
	poc-yaml-keycloak-cve-2020-10770-ssrf
	poc-yaml-kibana-cve-2019-7609-rce
	poc-yaml-landray-oa-datajson-rce
	poc-yaml-lg-n1a1-nas-cnnvd-201607-467-rce
	poc-yaml-mongo-express-cve-2019-10758
	poc-yaml-oracle-ebs-cve-2018-3167-ssrf
	poc-yaml-pandorafms-cve-2019-20224-rce
	poc-yaml-php-imap-cve-2018-19518-rce
	poc-yaml-ruanhong-oa-xxe
	poc-yaml-saltstack-cve-2020-16846
	poc-yaml-solr-cve-2017-12629-xxe
	poc-yaml-spiderflow-save-remote-command-execute
	poc-yaml-spring-cloud-gateway-cve-2022-22947-rce
	poc-yaml-supervisord-cve-2017-11610
	poc-yaml-wavlink-cve-2020-13117-rce
	poc-yaml-weblogic-cve-2017-10271
	poc-yaml-yongyou-nc-iupdateservice-xxe
	poc-yaml-zoho-manageengine-adaudit-plus-cve-2022-28219-xxe
	ssrf/ssrf/default
	struts/s2-052/default
	struts/s2-059/default
	struts/s2-061/default
	struts/s2-062/default
	xstream/Arbitrary-File-Deletion/CVE-2020-26259
	xstream/Arbitrary-File-Deletion/CVE-2021-21343
	xstream/DoS/CVE-2021-21341
	xstream/DoS/CVE-2021-21348
	xstream/DoS/CVE-2021-39140
	xstream/RCE(LDAP)/CVE-2021-21344
	xstream/RCE(LDAP)/CVE-2021-39141
	xstream/RCE(LDAP)/CVE-2021-39146
	xstream/RCE/CVE-2013-7285
	xstream/RCE/CVE-2020-26217
	xstream/RCE/CVE-2021-21345
	xstream/RCE/CVE-2021-21346
	xstream/RCE/CVE-2021-21347
	xstream/RCE/CVE-2021-21350
	xstream/RCE/CVE-2021-21351
	xstream/RCE/CVE-2021-39139
	xstream/RCE/CVE-2021-39144
	xstream/RCE/CVE-2021-39145
	xstream/RCE/CVE-2021-39147
	xstream/RCE/CVE-2021-39148
	xstream/RCE/CVE-2021-39149
	xstream/RCE/CVE-2021-39151
	xstream/RCE/CVE-2021-39153
	xstream/RCE/CVE-2021-39154
	xstream/SSRF/CVE-2020-26258
	xstream/SSRF/CVE-2021-21342
	xstream/SSRF/CVE-2021-21349
	xstream/SSRF/CVE-2021-39150
	xstream/SSRF/CVE-2021-39152
	xxe/xxe/blind


[INFO] 2023-12-24 18:51:05 [default:dispatcher.go:444] processing GET http://127.0.0.1:8080/
[INFO] 2023-12-24 18:51:05 script poc-yaml-pbootcms-rce-cve-2022-32417 run payload linux
[INFO] 2023-12-24 18:51:05 script poc-yaml-pbootcms-rce-cve-2022-32417 run payload windows
[INFO] 2023-12-24 18:51:05 [shiro:default.go:82] checking cookie names [rememberMe]
[INFO] 2023-12-24 18:51:05 [shiro:default.go:88] target is shiro, trying get shiro key with mode gcm
[INFO] 2023-12-24 18:51:06 script poc-yaml-alibaba-nacos-v1-auth-bypass run payload hasPrefix
[INFO] 2023-12-24 18:51:06 script poc-yaml-alibaba-nacos-v1-auth-bypass run payload nonePrefix
[INFO] 2023-12-24 18:51:06 script poc-yaml-php-proxy-cve-2018-19458-fileread run payload linux
[INFO] 2023-12-24 18:51:07 script poc-yaml-php-proxy-cve-2018-19458-fileread run payload win
[INFO] 2023-12-24 18:51:08 script poc-yaml-mantisbt-cve-2017-7615-unauth run payload req01
[INFO] 2023-12-24 18:51:08 script poc-yaml-laravel-filemanager-cve-2022-40734-path-traversal run payload req01
[INFO] 2023-12-24 18:51:08 script poc-yaml-mantisbt-cve-2017-7615-unauth run payload req02
[INFO] 2023-12-24 18:51:09 script poc-yaml-circarlife-scada-cve-2018-12634-info-leak run payload req01
[INFO] 2023-12-24 18:51:09 script poc-yaml-laravel-filemanager-cve-2022-40734-path-traversal run payload req02
[INFO] 2023-12-24 18:51:09 script poc-yaml-mantisbt-cve-2017-7615-unauth run payload req03
[INFO] 2023-12-24 18:51:09 script poc-yaml-mantisbt-cve-2017-7615-unauth run payload req04
[INFO] 2023-12-24 18:51:09 script poc-yaml-circarlife-scada-cve-2018-12634-info-leak run payload req02
[INFO] 2023-12-24 18:51:09 script poc-yaml-bitbucket-unauth run payload path01
[INFO] 2023-12-24 18:51:09 script poc-yaml-mantisbt-cve-2017-7615-unauth run payload req05
[INFO] 2023-12-24 18:51:09 script poc-yaml-adobe-experience-manager-cve-2019-8086-xxe run payload linux
[INFO] 2023-12-24 18:51:09 script poc-yaml-adobe-experience-manager-cve-2019-8086-xxe run payload win
[INFO] 2023-12-24 18:51:10 script poc-yaml-bitbucket-unauth run payload path02
[INFO] 2023-12-24 18:51:10 script poc-yaml-bitbucket-unauth run payload path03
[*] scanned: 0, pending: 1, requestSent: 659, latency: 162.86ms, failedRatio: 0.00%
[INFO] 2023-12-24 18:51:10 script poc-yaml-bitbucket-unauth run payload path04
[INFO] 2023-12-24 18:51:10 script poc-yaml-gurock-testrail-cve-2021-40875-info-leak run payload req01
[INFO] 2023-12-24 18:51:10 script poc-yaml-bitbucket-unauth run payload path05
[INFO] 2023-12-24 18:51:10 script poc-yaml-gurock-testrail-cve-2021-40875-info-leak run payload req02
[INFO] 2023-12-24 18:51:11 script poc-yaml-bitbucket-unauth run payload path06
[INFO] 2023-12-24 18:51:11 script poc-yaml-bitbucket-unauth run payload path07
[INFO] 2023-12-24 18:51:11 script poc-yaml-bitbucket-unauth run payload path08
[INFO] 2023-12-24 18:51:11 script poc-yaml-wanhu-ezoffice-documentedit-sqli run payload oracle
[INFO] 2023-12-24 18:51:11 script poc-yaml-wanhu-ezoffice-documentedit-sqli run payload mysql
[INFO] 2023-12-24 18:51:11 script poc-yaml-glpi-telemetry-cve-2021-39211-info-leak run payload req01
[INFO] 2023-12-24 18:51:11 script poc-yaml-glpi-telemetry-cve-2021-39211-info-leak run payload req02
[INFO] 2023-12-24 18:51:11 script poc-yaml-wanhu-ezoffice-documentedit-sqli run payload mssql
[INFO] 2023-12-24 18:51:11 script poc-yaml-manageengine-servicedesk-cve-2017-11512-lfi run payload windows
[INFO] 2023-12-24 18:51:12 script poc-yaml-kevinlab-bems-backdoor-cve-2021-37292 run payload p1
[INFO] 2023-12-24 18:51:12 script poc-yaml-manageengine-servicedesk-cve-2017-11512-lfi run payload linux
[INFO] 2023-12-24 18:51:12 script poc-yaml-kevinlab-bems-backdoor-cve-2021-37292 run payload p2
[INFO] 2023-12-24 18:51:13 [shiro:default.go:88] target is shiro, trying get shiro key with mode cbc
[Vuln: shiro]
Target           "http://127.0.0.1:8080/"
VulnType         "shiro/default-key"
key              "kPH+bIxk5D2deZiIxcaaaA=="
cookie_name      "rememberMe"
origin_count     "1"
current_count    "0"
mode             "cbc"

[INFO] 2023-12-24 18:51:13 [shiro:deserialization.go:73] shiro key is kPH+bIxk5D2deZiIxcaaaA==, cookie key is rememberMe
[INFO] 2023-12-24 18:51:13 [shiro:deserialization.go:74] now trying to check tomcat echo
[Vuln: shiro]
Target           "http://127.0.0.1:8080/"
VulnType         "shiro/rememberme-deserialization"
cookie_name      "rememberMe"
follow_redirect  "true"
mode             "cbc"
key              "kPH+bIxk5D2deZiIxcaaaA=="
gadget           "CommonsCollectionsK1"
gadget_type      "tomcat_echo"

[INFO] 2023-12-24 18:51:13 [controller:dispatcher.go:553] wait for reverse server finished
[*] All pending requests have been scanned
[*] scanned: 1, pending: 0, requestSent: 1148, latency: 117.57ms, failedRatio: 0.00%
[INFO] 2023-12-24 18:51:16 [controller:dispatcher.go:573] controller released, task done
本博客采用 知识共享署名-非商业性使用-相同方式共享 4.0 国际许可协议(CC BY-NC-SA 4.0) 发布.
Page View
⬆︎TOP