Writing this post because Xray has reached end of life; the last release is version 1.9.11.

1. Patching Walkthrough for x86

  1. Run the program:

./xray_darwin_amd64
this license is expired, expiration time is 2022-08-03 08:00:00
  2. Find and locate the string:

00000000: 74 68 69 73 20 6c 69 63 65 6e 73 65 20 69 73 20  this license is
00000010: 65 78 70 69 72 65 64 2c 20 65 78 70 69 72 61 74  expired, expirat
00000020: 69 6f 6e 20 74 69 6d 65 20 69 73 20 25 73        ion time is %s

  3. Find references:

04f92ba3  e838fdffff          call    sub_4f928e0
04f92ba8  440f11bc24980000…   movups  xmmword [rsp+0x98 {var_48}], xmm15
04f92bb1  e8eabf07ff          call    sub_400eba0
04f92bb6  488d0dc3d46800      lea     rcx, [rel data_5620080]
04f92bbd  48898c2498000000    mov     qword [rsp+0x98 {var_48}], rcx {data_5620080}
04f92bc5  48898424a0000000    mov     qword [rsp+0xa0 {var_48+0x8}], rax
04f92bcd  488d05657aab00      lea     rax, [rel data_5a4a639] {"this license is expired, expirat…"}
04f92bd4  bb2e000000          mov     ebx, 0x2e
04f92bd9  488d8c2498000000    lea     rcx, [rsp+0x98 {var_48}]
04f92be1  bf01000000          mov     edi, 0x1
04f92be6  4889fe              mov     rsi, rdi {0x1}
04f92be9  e8d21417ff          call    sub_41040c0
04f92bee  4889d9              mov     rcx, rbx {0x2e}
04f92bf1  4889c3              mov     rbx, rax
04f92bf4  31c0                xor     eax, eax {0x0}
04f92bf6  488bac24d8000000    mov     rbp, qword [rsp+0xd8 {__saved_rbp}]
04f92bfe  4881c4e0000000      add     rsp, 0xe0
04f92c05  c3                  retn    {__return_addr}

The block at 04f92ba3 is reached by the conditional jump at 04f92a26:

04f92a1f  488b5838            mov     rbx, qword [rax+0x38]
04f92a23  4839fb              cmp     rbx, rdi
04f92a26  0f8c77010000        jl      0x4f92ba3
  4. NOP out the jl (six bytes) so the license expiry date is ignored:

04f92a1f  488b5838            mov     rbx, qword [rax+0x38]
04f92a23  4839fb              cmp     rbx, rdi
04f92a26  90                  nop
04f92a27  90                  nop
04f92a28  90                  nop
04f92a29  90                  nop
04f92a2a  90                  nop
04f92a2b  90                  nop
  5. Save the patched binary as xray_darwin_amd642.

2. Test Patched Binary

An expired license is needed; one can be found anywhere.

chmod +x ./xray_darwin_amd642 && ./xray_darwin_amd642

[xray ASCII-art banner]

Version: 1.9.11/eb0c331d/COMMUNITY-ADVANCED
Licensed to tangshoupu, license is valid until 2022-08-03 08:00:00

NAME:
xray - A powerful scanner engine [https://docs.xray.cool]

USAGE:
[global options] command [command options] [arguments...]

COMMANDS:
webscan, ws Run a webscan task
servicescan, ss Run a service scan task
subdomain, sd Run a subdomain task
poclint, pl, lint lint yaml poc
burp-gamma, btg Convert the export file of burp historical proxy records to POC format
transform transform other script to gamma
reverse Run a standalone reverse server
convert convert results from json to html or from html to json
genca GenerateToFile CA certificate and key
upgrade check new version and upgrade self if any updates found
version Show version info
x A command that enables all plugins.
You can customize new commands or modify the plugins enabled by a command in the configuration file.
help, h Shows a list of commands or help for one command

GLOBAL OPTIONS:
--config FILE Load configuration from FILE (default: "config.yaml")
--log-level value Log level, choices are debug, info, warn, error, fatal
--help, -h show help
[INFO] 2023-12-24 18:16:39 [default:entry.go:226] Loading config file from config.yaml

没有命令输入,请在终端中运行此程序。/ No command provided, please run this program in terminal.
参考链接(Help link):https://docs.xray.cool/#/guide/faq?id=no-command-provided

按任意键继续... / Press Enter to continue...


3. ARM Version

The walkthrough is 99% the same as the x86 version.

100f14820  021c40f9   ldr     x2, [x0, #0x38]
100f14824  5f0001eb   cmp     x2, x1
100f14828  eb0e0054   b.lt    0x100f14a04

NOP out the b.lt:

100f14820  021c40f9   ldr     x2, [x0, #0x38]
100f14824  5f0001eb   cmp     x2, x1
100f14828  1f2003d5   nop
100f1482c  1f2003d5   nop
100f14830  a00080d2   mov     x0, #0x5
100f14834  e01300f9   str     x0, [sp, #0x20 {var_e0}] {0x5}
100f14838  ffff02a9   stp     xzr, xzr, [sp, #0x28] {var_d0} {0x0} {0x0}

4. Exit with Killed

chmod +x ./xray_darwin_arm642 && ./xray_darwin_arm642
[1] 94656 killed ./xray_darwin_arm642

Patching the file invalidates its code signature, and macOS on Apple silicon refuses to run arm64 code whose signature is missing or no longer matches the file contents, so the process is killed at launch. Re-sign the binary; an ad-hoc signature (--sign -) is enough:

codesign --force --deep --sign - ./xray_darwin_arm642 && ./xray_darwin_arm642
./xray_darwin_arm642: replacing existing signature

[xray ASCII-art banner]

Version: 1.9.11/eb0c331d/COMMUNITY-ADVANCED
Licensed to tangshoupu, license is valid until 2022-08-03 08:00:00

NAME:
xray - A powerful scanner engine [https://docs.xray.cool]

USAGE:
[global options] command [command options] [arguments...]

COMMANDS:
webscan, ws Run a webscan task
servicescan, ss Run a service scan task
subdomain, sd Run a subdomain task
poclint, pl, lint lint yaml poc
burp-gamma, btg Convert the export file of burp historical proxy records to POC format
transform transform other script to gamma
reverse Run a standalone reverse server
convert convert results from json to html or from html to json
genca GenerateToFile CA certificate and key
upgrade check new version and upgrade self if any updates found
version Show version info
x A command that enables all plugins.
You can customize new commands or modify the plugins enabled by a command in the configuration file.
help, h Shows a list of commands or help for one command

GLOBAL OPTIONS:
--config FILE Load configuration from FILE (default: "config.yaml")
--log-level value Log level, choices are debug, info, warn, error, fatal
--help, -h show help
[INFO] 2023-12-24 18:38:53 [default:entry.go:226] Loading config file from config.yaml

没有命令输入,请在终端中运行此程序。/ No command provided, please run this program in terminal.
参考链接(Help link):https://docs.xray.cool/#/guide/faq?id=no-command-provided

按任意键继续... / Press Enter to continue...

5. Verify the Advanced License Works

./xray_darwin_arm642 webscan --url http://127.0.0.1:8080/

[xray ASCII-art banner]

Version: 1.9.11/eb0c331d/COMMUNITY-ADVANCED
Licensed to tangshoupu, license is valid until 2022-08-03 08:00:00

[INFO] 2023-12-24 18:51:05 [default:entry.go:226] Loading config file from config.yaml
[!] Warning: you should use --html-output, --webhook-output or --json-output to persist your scan result

Enabled plugins: [dirscan xss baseline crlf-injection jsonp sqldet fastjson xxe shiro thinkphp xstream brute-force cmd-injection path-traversal redirect ssrf upload phantasm struts]

[INFO] 2023-12-24 18:51:05 [phantasm:phantasm.go:185] 819 pocs have been loaded (debug level will show more details)
[INFO] 2023-12-24 18:51:05 [shiro:shiro.go:92] shiro key count 117
These plugins will be disabled as reverse server is not configured, check out the reference to fix this error.
Ref: https://docs.xray.cool/#/configration/reverse
Plugins:
fastjson/fastjson/cve-2022-25845
fastjson/fastjson/deserialization
poc-go-apache-log4j2-rce
poc-go-weblogic-cve-2023-21839
poc-yaml-apache-druid-kafka-rce
poc-yaml-apache-spark-rce-cve-2022-33891
poc-yaml-dlink-cve-2019-16920-rce
poc-yaml-dotnetnuke-cve-2017-0929-ssrf
poc-yaml-drawio-cve-2022-1713-ssrf
poc-yaml-full-read-ssrf-in-spring-cloud-netflix
poc-yaml-ghostscript-cve-2018-19475-rce
poc-yaml-gitlab-cve-2021-22214-ssrf
poc-yaml-httpd-ssrf-cve-2021-40438
poc-yaml-jenkins-cve-2018-1000600
poc-yaml-jira-cve-2019-11581
poc-yaml-jira-ssrf-cve-2019-8451
poc-yaml-keycloak-cve-2020-10770-ssrf
poc-yaml-kibana-cve-2019-7609-rce
poc-yaml-landray-oa-datajson-rce
poc-yaml-lg-n1a1-nas-cnnvd-201607-467-rce
poc-yaml-mongo-express-cve-2019-10758
poc-yaml-oracle-ebs-cve-2018-3167-ssrf
poc-yaml-pandorafms-cve-2019-20224-rce
poc-yaml-php-imap-cve-2018-19518-rce
poc-yaml-ruanhong-oa-xxe
poc-yaml-saltstack-cve-2020-16846
poc-yaml-solr-cve-2017-12629-xxe
poc-yaml-spiderflow-save-remote-command-execute
poc-yaml-spring-cloud-gateway-cve-2022-22947-rce
poc-yaml-supervisord-cve-2017-11610
poc-yaml-wavlink-cve-2020-13117-rce
poc-yaml-weblogic-cve-2017-10271
poc-yaml-yongyou-nc-iupdateservice-xxe
poc-yaml-zoho-manageengine-adaudit-plus-cve-2022-28219-xxe
ssrf/ssrf/default
struts/s2-052/default
struts/s2-059/default
struts/s2-061/default
struts/s2-062/default
xstream/Arbitrary-File-Deletion/CVE-2020-26259
xstream/Arbitrary-File-Deletion/CVE-2021-21343
xstream/DoS/CVE-2021-21341
xstream/DoS/CVE-2021-21348
xstream/DoS/CVE-2021-39140
xstream/RCE(LDAP)/CVE-2021-21344
xstream/RCE(LDAP)/CVE-2021-39141
xstream/RCE(LDAP)/CVE-2021-39146
xstream/RCE/CVE-2013-7285
xstream/RCE/CVE-2020-26217
xstream/RCE/CVE-2021-21345
xstream/RCE/CVE-2021-21346
xstream/RCE/CVE-2021-21347
xstream/RCE/CVE-2021-21350
xstream/RCE/CVE-2021-21351
xstream/RCE/CVE-2021-39139
xstream/RCE/CVE-2021-39144
xstream/RCE/CVE-2021-39145
xstream/RCE/CVE-2021-39147
xstream/RCE/CVE-2021-39148
xstream/RCE/CVE-2021-39149
xstream/RCE/CVE-2021-39151
xstream/RCE/CVE-2021-39153
xstream/RCE/CVE-2021-39154
xstream/SSRF/CVE-2020-26258
xstream/SSRF/CVE-2021-21342
xstream/SSRF/CVE-2021-21349
xstream/SSRF/CVE-2021-39150
xstream/SSRF/CVE-2021-39152
xxe/xxe/blind


[INFO] 2023-12-24 18:51:05 [default:dispatcher.go:444] processing GET http://127.0.0.1:8080/
[INFO] 2023-12-24 18:51:05 script poc-yaml-pbootcms-rce-cve-2022-32417 run payload linux
[INFO] 2023-12-24 18:51:05 script poc-yaml-pbootcms-rce-cve-2022-32417 run payload windows
[INFO] 2023-12-24 18:51:05 [shiro:default.go:82] checking cookie names [rememberMe]
[INFO] 2023-12-24 18:51:05 [shiro:default.go:88] target is shiro, trying get shiro key with mode gcm
[INFO] 2023-12-24 18:51:06 script poc-yaml-alibaba-nacos-v1-auth-bypass run payload hasPrefix
[INFO] 2023-12-24 18:51:06 script poc-yaml-alibaba-nacos-v1-auth-bypass run payload nonePrefix
[INFO] 2023-12-24 18:51:06 script poc-yaml-php-proxy-cve-2018-19458-fileread run payload linux
[INFO] 2023-12-24 18:51:07 script poc-yaml-php-proxy-cve-2018-19458-fileread run payload win
[INFO] 2023-12-24 18:51:08 script poc-yaml-mantisbt-cve-2017-7615-unauth run payload req01
[INFO] 2023-12-24 18:51:08 script poc-yaml-laravel-filemanager-cve-2022-40734-path-traversal run payload req01
[INFO] 2023-12-24 18:51:08 script poc-yaml-mantisbt-cve-2017-7615-unauth run payload req02
[INFO] 2023-12-24 18:51:09 script poc-yaml-circarlife-scada-cve-2018-12634-info-leak run payload req01
[INFO] 2023-12-24 18:51:09 script poc-yaml-laravel-filemanager-cve-2022-40734-path-traversal run payload req02
[INFO] 2023-12-24 18:51:09 script poc-yaml-mantisbt-cve-2017-7615-unauth run payload req03
[INFO] 2023-12-24 18:51:09 script poc-yaml-mantisbt-cve-2017-7615-unauth run payload req04
[INFO] 2023-12-24 18:51:09 script poc-yaml-circarlife-scada-cve-2018-12634-info-leak run payload req02
[INFO] 2023-12-24 18:51:09 script poc-yaml-bitbucket-unauth run payload path01
[INFO] 2023-12-24 18:51:09 script poc-yaml-mantisbt-cve-2017-7615-unauth run payload req05
[INFO] 2023-12-24 18:51:09 script poc-yaml-adobe-experience-manager-cve-2019-8086-xxe run payload linux
[INFO] 2023-12-24 18:51:09 script poc-yaml-adobe-experience-manager-cve-2019-8086-xxe run payload win
[INFO] 2023-12-24 18:51:10 script poc-yaml-bitbucket-unauth run payload path02
[INFO] 2023-12-24 18:51:10 script poc-yaml-bitbucket-unauth run payload path03
[*] scanned: 0, pending: 1, requestSent: 659, latency: 162.86ms, failedRatio: 0.00%
[INFO] 2023-12-24 18:51:10 script poc-yaml-bitbucket-unauth run payload path04
[INFO] 2023-12-24 18:51:10 script poc-yaml-gurock-testrail-cve-2021-40875-info-leak run payload req01
[INFO] 2023-12-24 18:51:10 script poc-yaml-bitbucket-unauth run payload path05
[INFO] 2023-12-24 18:51:10 script poc-yaml-gurock-testrail-cve-2021-40875-info-leak run payload req02
[INFO] 2023-12-24 18:51:11 script poc-yaml-bitbucket-unauth run payload path06
[INFO] 2023-12-24 18:51:11 script poc-yaml-bitbucket-unauth run payload path07
[INFO] 2023-12-24 18:51:11 script poc-yaml-bitbucket-unauth run payload path08
[INFO] 2023-12-24 18:51:11 script poc-yaml-wanhu-ezoffice-documentedit-sqli run payload oracle
[INFO] 2023-12-24 18:51:11 script poc-yaml-wanhu-ezoffice-documentedit-sqli run payload mysql
[INFO] 2023-12-24 18:51:11 script poc-yaml-glpi-telemetry-cve-2021-39211-info-leak run payload req01
[INFO] 2023-12-24 18:51:11 script poc-yaml-glpi-telemetry-cve-2021-39211-info-leak run payload req02
[INFO] 2023-12-24 18:51:11 script poc-yaml-wanhu-ezoffice-documentedit-sqli run payload mssql
[INFO] 2023-12-24 18:51:11 script poc-yaml-manageengine-servicedesk-cve-2017-11512-lfi run payload windows
[INFO] 2023-12-24 18:51:12 script poc-yaml-kevinlab-bems-backdoor-cve-2021-37292 run payload p1
[INFO] 2023-12-24 18:51:12 script poc-yaml-manageengine-servicedesk-cve-2017-11512-lfi run payload linux
[INFO] 2023-12-24 18:51:12 script poc-yaml-kevinlab-bems-backdoor-cve-2021-37292 run payload p2
[INFO] 2023-12-24 18:51:13 [shiro:default.go:88] target is shiro, trying get shiro key with mode cbc
[Vuln: shiro]
Target "http://127.0.0.1:8080/"
VulnType "shiro/default-key"
key "kPH+bIxk5D2deZiIxcaaaA=="
cookie_name "rememberMe"
origin_count "1"
current_count "0"
mode "cbc"

[INFO] 2023-12-24 18:51:13 [shiro:deserialization.go:73] shiro key is kPH+bIxk5D2deZiIxcaaaA==, cookie key is rememberMe
[INFO] 2023-12-24 18:51:13 [shiro:deserialization.go:74] now trying to check tomcat echo
[Vuln: shiro]
Target "http://127.0.0.1:8080/"
VulnType "shiro/rememberme-deserialization"
cookie_name "rememberMe"
follow_redirect "true"
mode "cbc"
key "kPH+bIxk5D2deZiIxcaaaA=="
gadget "CommonsCollectionsK1"
gadget_type "tomcat_echo"

[INFO] 2023-12-24 18:51:13 [controller:dispatcher.go:553] wait for reverse server finished
[*] All pending requests have been scanned
[*] scanned: 1, pending: 0, requestSent: 1148, latency: 117.57ms, failedRatio: 0.00%
[INFO] 2023-12-24 18:51:16 [controller:dispatcher.go:573] controller released, task done