This post exists because Xray has reached end of life; the last release is 1.9.11.
1. Patching Walkthrough for x86
Run the program; the license check rejects the bundled license:

```
./xray_darwin_amd64
this license is expired, expiration time is 2022-08-03 08:00:00
```
Find and locate the string in the binary (46 bytes, 0x2e, including the `%s`):

```
00000000 : 74 68 69 73 20 6c 69 63 65 6e 73 65 20 69 73 20  this license is 
00000010 : 65 78 70 69 72 65 64 2c 20 65 78 70 69 72 61 74  expired, expirat
00000020 : 69 6f 6e 20 74 69 6d 65 20 69 73 20 25 73        ion time is %s
```
Find references to it. The only use is the block that formats the error message:

```
04f92ba3  e838fdffff          call    sub_4f928e0
04f92ba8  440f11bc24980000…   movups  xmmword [rsp+0x98 {var_48}], xmm15
04f92bb1  e8eabf07ff          call    sub_400eba0
04f92bb6  488d0dc3d46800      lea     rcx, [rel data_5620080]
04f92bbd  48898c2498000000    mov     qword [rsp+0x98 {var_48}], rcx  {data_5620080}
04f92bc5  48898424a0000000    mov     qword [rsp+0xa0 {var_48+0x8}], rax
04f92bcd  488d05657aab00      lea     rax, [rel data_5a4a639]  {"this license is expired, expirat…"}
04f92bd4  bb2e000000          mov     ebx, 0x2e
04f92bd9  488d8c2498000000    lea     rcx, [rsp+0x98 {var_48}]
04f92be1  bf01000000          mov     edi, 0x1
04f92be6  4889fe              mov     rsi, rdi  {0x1}
04f92be9  e8d21417ff          call    sub_41040c0
04f92bee  4889d9              mov     rcx, rbx  {0x2e}
04f92bf1  4889c3              mov     rbx, rax
04f92bf4  31c0                xor     eax, eax  {0x0}
04f92bf6  488bac24d8000000    mov     rbp, qword [rsp+0xd8 {__saved_rbp}]
04f92bfe  4881c4e0000000      add     rsp, 0xe0
04f92c05  c3                  retn    {__return_addr}
```

This is a Go binary (the log lines later name `entry.go` and `dispatcher.go`), and the Go register ABI is visible here: `rax` carries the format string pointer and `ebx` its length, 0x2e = 46, which matches the string found above. The block builds the message and returns it as the error.
The block at 04f92ba3 is reached by a conditional jump from 04f92a26:

```
04f92a1f  488b5838      mov  rbx, qword [rax+0x38]
04f92a23  4839fb        cmp  rbx, rdi
04f92a26  0f8c77010000  jl   0x4f92ba3
```

The field at offset 0x38 of the license structure is compared with `rdi`, and `jl` diverts to the "expired" block when the stored value is smaller, i.e. when the expiry time is less than the value it is checked against.
NOP the `jl` so the expiry comparison never diverts into the error path. `jl rel32` is six bytes (`0f 8c` plus a 32-bit displacement), so it takes six single-byte NOPs to keep everything after it at the same address:

```
04f92a1f  488b5838  mov  rbx, qword [rax+0x38]
04f92a23  4839fb    cmp  rbx, rdi
04f92a26  90        nop
04f92a27  90        nop
04f92a28  90        nop
04f92a29  90        nop
04f92a2a  90        nop
04f92a2b  90        nop
```
Save the patched binary as xray_darwin_amd642.
2. Test Patched Binary
You still need a license file; an expired one is enough, and one can be found anywhere. Only the comparison was removed, so the banner keeps printing the old expiry date; what matters is that the program now continues past it.
```
chmod +x ./xray_darwin_amd642 && ./xray_darwin_amd642

(xray ASCII-art banner)

Version: 1.9.11/eb0c331d/COMMUNITY-ADVANCED

Licensed to tangshoupu, license is valid until 2022-08-03 08:00:00

NAME:
   xray - A powerful scanner engine [https://docs.xray.cool]

USAGE:
   [global options] command [command options] [arguments...]

COMMANDS:
   webscan, ws        Run a webscan task
   servicescan, ss    Run a service scan task
   subdomain, sd      Run a subdomain task
   poclint, pl, lint  lint yaml poc
   burp-gamma, btg    Convert the export file of burp historical proxy records to POC format
   transform          transform other script to gamma
   reverse            Run a standalone reverse server
   convert            convert results from json to html or from html to json
   genca              GenerateToFile CA certificate and key
   upgrade            check new version and upgrade self if any updates found
   version            Show version info
   x                  A command that enables all plugins. You can customize new commands or modify the plugins enabled by a command in the configuration file.
   help, h            Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --config FILE      Load configuration from FILE (default: "config.yaml")
   --log-level value  Log level, choices are debug, info, warn, error, fatal
   --help, -h         show help

[INFO] 2023-12-24 18:16:39 [default:entry.go:226] Loading config file from config.yaml
没有命令输入,请在终端中运行此程序。/ No command provided, please run this program in terminal.
参考链接(Help link ):https://docs.xray.cool/
按任意键继续... / Press Enter to continue ...
```
3. ARM Version
The walkthrough is almost identical to the x86 version. The arm64 build has the same load, compare and conditional branch:

```
100f14820  021c40f9  ldr   x2, [x0, #0x38]
100f14824  5f0001eb  cmp   x2, x1
100f14828  eb0e0054  b.lt  0x100f14a04
```
NOP the `b.lt`. AArch64 instructions are fixed at four bytes, so one NOP (`1f 20 03 d5`) replaces the branch exactly:

```
100f14820  021c40f9  ldr  x2, [x0, #0x38]
100f14824  5f0001eb  cmp  x2, x1
100f14828  1f2003d5  nop
100f1482c  1f2003d5  nop
100f14830  a00080d2  mov  x0, #0x5
100f14834  e01300f9  str  x0, [sp, #0x20 {var_e0}]  {0x5}
100f14838  ffff02a9  stp  xzr, xzr, [sp, #0x28 {var_d0}]  {0x0} {0x0}
```
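The two manual patches above (x86-64 in section 1, arm64 in section 3), scripted as an added Python example. This is not the post's tooling and not part of xray: the virtual addresses and byte patterns are taken from the listings above, each VA is mapped to a file offset by walking the LC_SEGMENT_64 load commands of the thin (single-architecture) Mach-O, nothing is written unless the expected branch bytes are found at that offset, and the replacement keeps the exact instruction length. `sample_macho()` builds a constructed stand-in binary so the logic can be exercised without the real files; for the real ones run `python3 patch.py xray_darwin_arm64 xray_darwin_arm642 arm64`. Only the conditional branch is replaced; the patched arm64 listing above also shows a NOP at 100f1482c, which this script does not touch.

```python
"""Patch the license-expiry branch in a thin Mach-O xray binary at a known VA.

Added example; not from the post or the xray project. VAs and byte patterns
come from the listings in the post; sample_macho() is a constructed stand-in.
"""
import struct
import sys

MH_MAGIC_64 = 0xFEEDFACF
LC_SEGMENT_64 = 0x19

# Per-arch patch, from the disassembly in the post. Replacements keep the exact
# instruction length so nothing after the branch moves.
PATCHES = {
    "amd64": {"va": 0x4F92A26,                       # jl 0x4f92ba3
              "old": bytes.fromhex("0f8c77010000"),  # 0f 8c rel32
              "new": b"\x90" * 6},                   # six 1-byte NOPs
    "arm64": {"va": 0x100F14828,                     # b.lt 0x100f14a04
              "old": bytes.fromhex("eb0e0054"),
              "new": bytes.fromhex("1f2003d5")},     # one 4-byte NOP
}


def segments(data: bytes):
    """Yield (vmaddr, vmsize, fileoff, filesize) for each LC_SEGMENT_64."""
    magic, _cpu, _sub, _ftype, ncmds = struct.unpack_from("<5I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin little-endian 64-bit Mach-O (fat/universal files not handled)")
    off = 32  # sizeof(mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmd == LC_SEGMENT_64:
            # cmd, cmdsize, segname[16], then vmaddr / vmsize / fileoff / filesize
            yield struct.unpack_from("<4Q", data, off + 24)
        off += cmdsize


def va_to_file_offset(data: bytes, va: int) -> int:
    """Translate the disassembler's virtual address into a file offset."""
    for vmaddr, vmsize, fileoff, filesize in segments(data):
        if vmaddr <= va < vmaddr + vmsize:
            delta = va - vmaddr
            if delta >= filesize:
                raise ValueError(f"{va:#x} lies in zero-fill memory, not in the file")
            return fileoff + delta
    raise ValueError(f"{va:#x} is not covered by any LC_SEGMENT_64")


def patch_bytes(data: bytes, off: int, old: bytes, new: bytes) -> bytes:
    """Overwrite `old` with same-length `new` at `off`; refuse if the bytes differ."""
    if len(old) != len(new):
        raise ValueError("replacement must have the same length as the original")
    found = data[off:off + len(old)]
    if found != old:
        raise ValueError(f"at {off:#x} found {found.hex()}, expected {old.hex()}: wrong build or already patched?")
    return data[:off] + new + data[off + len(old):]


def patch_binary(data: bytes, arch: str) -> bytes:
    p = PATCHES[arch]
    return patch_bytes(data, va_to_file_offset(data, p["va"]), p["old"], p["new"])


def sample_macho(arch: str) -> bytes:
    """Constructed stand-in: one __TEXT segment placed so that the VA from the
    post lands on the three instructions of the listing (load, cmp, branch)."""
    code = {"amd64": bytes.fromhex("488b5838" "4839fb" "0f8c77010000" "4889d9"),
            "arm64": bytes.fromhex("021c40f9" "5f0001eb" "eb0e0054" "a00080d2")}[arch]
    branch_at = {"amd64": 7, "arm64": 8}[arch]      # offset of the branch within `code`
    code_off = 0x200                                # file offset where `code` is placed
    vmaddr = PATCHES[arch]["va"] - code_off - branch_at
    hdr = struct.pack("<8I", MH_MAGIC_64, 0, 0, 2, 1, 72, 0, 0)
    seg = struct.pack("<2I16s4Q4I", LC_SEGMENT_64, 72, b"__TEXT",
                      vmaddr, 0x1000, 0, 0x1000, 5, 5, 0, 0)
    return (hdr + seg).ljust(code_off, b"\x00") + code


if __name__ == "__main__":
    if len(sys.argv) == 4:                          # usage: patch.py <in> <out> amd64|arm64
        src, dst, arch = sys.argv[1:]
        with open(src, "rb") as f:
            out = patch_binary(f.read(), arch)
        with open(dst, "wb") as f:
            f.write(out)
    else:                                           # self-check on the constructed sample
        for arch in PATCHES:
            patched = patch_binary(sample_macho(arch), arch)
            print(arch, "patched ok:", patched[0x200:0x210].hex())
```

Running it twice on the same file fails on purpose: the second run finds NOPs where the branch should be and refuses, which is the check you want when a build hash or VA turns out to be wrong.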
4. Exit with Killed

On Apple silicon the kernel will not run an arm64 binary whose code signature no longer matches its contents. Editing the bytes invalidated the existing signature, so the patched arm64 binary is killed at startup (the amd64 build in section 2 ran without this step):

```
chmod +x ./xray_darwin_arm642 && ./xray_darwin_arm642
[1]    94656 killed     ./xray_darwin_arm642
```
Re-sign the binary with an ad-hoc signature (`--sign -`) and run it again:
```
codesign --force --deep --sign - ./xray_darwin_arm642 && ./xray_darwin_arm642
./xray_darwin_arm642: replacing existing signature

(xray ASCII-art banner)

Version: 1.9.11/eb0c331d/COMMUNITY-ADVANCED

Licensed to tangshoupu, license is valid until 2022-08-03 08:00:00

NAME:
   xray - A powerful scanner engine [https://docs.xray.cool]

USAGE:
   [global options] command [command options] [arguments...]

COMMANDS:
   webscan, ws        Run a webscan task
   servicescan, ss    Run a service scan task
   subdomain, sd      Run a subdomain task
   poclint, pl, lint  lint yaml poc
   burp-gamma, btg    Convert the export file of burp historical proxy records to POC format
   transform          transform other script to gamma
   reverse            Run a standalone reverse server
   convert            convert results from json to html or from html to json
   genca              GenerateToFile CA certificate and key
   upgrade            check new version and upgrade self if any updates found
   version            Show version info
   x                  A command that enables all plugins. You can customize new commands or modify the plugins enabled by a command in the configuration file.
   help, h            Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --config FILE      Load configuration from FILE (default: "config.yaml")
   --log-level value  Log level, choices are debug, info, warn, error, fatal
   --help, -h         show help

[INFO] 2023-12-24 18:38:53 [default:entry.go:226] Loading config file from config.yaml
没有命令输入,请在终端中运行此程序。/ No command provided, please run this program in terminal.
参考链接(Help link ):https://docs.xray.cool/
按任意键继续... / Press Enter to continue ...
```
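Why the kill happens, as an added Python example that is not from the post or from xray. The embedded signature's CodeDirectory stores one SHA-256 per 4 KiB page of the signed region; patching a page breaks that page's hash, and on Apple silicon a signature that no longer matches is fatal at exec, which is the `killed` above. The script finds LC_CODE_SIGNATURE, parses the CodeDirectory and lists every page whose hash no longer matches, so you can confirm which page the patch touched before re-signing and that nothing is flagged afterwards. It assumes a thin 64-bit Mach-O whose primary CodeDirectory uses SHA-256 (hashType 2); `sample_signed_macho()` is a constructed minimal signature for exercising the checker offline, not real `codesign` output.

```python
"""Report which pages of a Mach-O no longer match its CodeDirectory hashes.

Added example; not from the post or the xray project. Assumes a thin 64-bit
Mach-O with a SHA-256 CodeDirectory in slot 0. sample_signed_macho() builds a
constructed minimal signature used only to exercise the checker offline.
"""
import hashlib
import struct

MH_MAGIC_64 = 0xFEEDFACF
LC_CODE_SIGNATURE = 0x1D
CSMAGIC_EMBEDDED_SIGNATURE = 0xFADE0CC0   # SuperBlob wrapping the whole signature
CSMAGIC_CODEDIRECTORY = 0xFADE0C02
CSSLOT_CODEDIRECTORY = 0
CS_HASHTYPE_SHA256 = 2
PAGE_LOG2 = 12                            # 4 KiB code-signing pages


def code_signature_blob(data: bytes) -> bytes:
    """Locate LC_CODE_SIGNATURE and return the raw signature blob it points to."""
    magic, _cpu, _sub, _ftype, ncmds = struct.unpack_from("<5I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin 64-bit Mach-O")
    off = 32  # sizeof(mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmd == LC_CODE_SIGNATURE:
            dataoff, datasize = struct.unpack_from("<2I", data, off + 8)
            return data[dataoff:dataoff + datasize]
        off += cmdsize
    raise ValueError("no LC_CODE_SIGNATURE: binary is unsigned")


def code_directory(blob: bytes) -> dict:
    """Pull code_limit, page size and per-page hashes out of the CodeDirectory.
    All code-signing structures are big-endian; offsets are relative to the CD."""
    magic, _length, count = struct.unpack_from(">3I", blob, 0)
    if magic != CSMAGIC_EMBEDDED_SIGNATURE:
        raise ValueError("signature is not a SuperBlob")
    index = struct.iter_unpack(">2I", blob[12:12 + 8 * count])
    cd_off = next((o for t, o in index if t == CSSLOT_CODEDIRECTORY), None)
    if cd_off is None:
        raise ValueError("SuperBlob carries no CodeDirectory")
    (cmagic, _len, _ver, _flags, hash_off, _ident_off, _n_special, n_code, code_limit,
     hash_size, hash_type, _platform, page_log2) = struct.unpack_from(">9I4B", blob, cd_off)
    if cmagic != CSMAGIC_CODEDIRECTORY or hash_type != CS_HASHTYPE_SHA256:
        raise ValueError("unsupported CodeDirectory (only SHA-256 handled)")
    base = cd_off + hash_off
    hashes = [blob[base + i * hash_size: base + (i + 1) * hash_size] for i in range(n_code)]
    return {"code_limit": code_limit, "page_size": 1 << page_log2, "hashes": hashes}


def bad_pages(data: bytes) -> list:
    """Indices of signed pages whose SHA-256 no longer matches the CodeDirectory."""
    cd = code_directory(code_signature_blob(data))
    ps, limit = cd["page_size"], cd["code_limit"]
    return [i for i, h in enumerate(cd["hashes"])
            if hashlib.sha256(data[i * ps:min((i + 1) * ps, limit)]).digest() != h]


def sample_signed_macho(code: bytes) -> bytes:
    """Constructed sample: header + LC_CODE_SIGNATURE + code, padded to whole
    pages, followed by a minimal SuperBlob/CodeDirectory hashing those pages."""
    page, ident = 1 << PAGE_LOG2, b"sample\0"
    limit = -(-(32 + 16 + len(code)) // page) * page          # signed region, page-aligned
    n_code = limit // page
    sig_len = 20 + 44 + len(ident) + 32 * n_code
    hdr = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 1, 16, 0, 0)
    lc = struct.pack("<4I", LC_CODE_SIGNATURE, 16, limit, sig_len)
    body = (hdr + lc + code).ljust(limit, b"\x00")
    hashes = b"".join(hashlib.sha256(body[i * page:(i + 1) * page]).digest() for i in range(n_code))
    cd = struct.pack(">9I4BI", CSMAGIC_CODEDIRECTORY, 44 + len(ident) + len(hashes), 0x20001, 0x2,
                     44 + len(ident), 44, 0, n_code, limit, 32, CS_HASHTYPE_SHA256, 0, PAGE_LOG2, 0)
    cd += ident + hashes
    sb = struct.pack(">5I", CSMAGIC_EMBEDDED_SIGNATURE, 20 + len(cd), 1, CSSLOT_CODEDIRECTORY, 20) + cd
    return body + sb


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        print("pages with mismatching hashes:", bad_pages(f.read()))
```

Run it on `xray_darwin_arm642` before `codesign --force --sign -` and it names the page containing 100f14828; after re-signing, the CodeDirectory is rebuilt from the patched contents and the list is empty.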
5. Verify the Advanced License Works

Run a webscan against a local test target. The full advanced plugin set (shiro, fastjson, xstream, struts and the rest) loads, and the scan runs to completion:

```
./xray_darwin_arm642 webscan --url http://127.0.0.1:8080/

(xray ASCII-art banner)

Version: 1.9.11/eb0c331d/COMMUNITY-ADVANCED

Licensed to tangshoupu, license is valid until 2022-08-03 08:00:00

[INFO] 2023-12-24 18:51:05 [default:entry.go:226] Loading config file from config.yaml
[!] Warning: you should use --html-output, --webhook-output or --json-output to persist your scan result
Enabled plugins: [dirscan xss baseline crlf-injection jsonp sqldet fastjson xxe shiro thinkphp xstream brute-force cmd-injection path-traversal redirect ssrf upload phantasm struts]
[INFO] 2023-12-24 18:51:05 [phantasm:phantasm.go:185] 819 pocs have been loaded (debug level will show more details)
[INFO] 2023-12-24 18:51:05 [shiro:shiro.go:92] shiro key count 117
These plugins will be disabled as reverse server is not configured, check out the reference to fix this error.
Ref: https://docs.xray.cool/
Plugins:
    fastjson/fastjson/cve-2022-25845
    fastjson/fastjson/deserialization
    poc-go-apache-log4j2-rce
    poc-go-weblogic-cve-2023-21839
    poc-yaml-apache-druid-kafka-rce
    poc-yaml-apache-spark-rce-cve-2022-33891
    poc-yaml-dlink-cve-2019-16920-rce
    poc-yaml-dotnetnuke-cve-2017-0929-ssrf
    poc-yaml-drawio-cve-2022-1713-ssrf
    poc-yaml-full-read-ssrf-in-spring-cloud-netflix
    poc-yaml-ghostscript-cve-2018-19475-rce
    poc-yaml-gitlab-cve-2021-22214-ssrf
    poc-yaml-httpd-ssrf-cve-2021-40438
    poc-yaml-jenkins-cve-2018-1000600
    poc-yaml-jira-cve-2019-11581
    poc-yaml-jira-ssrf-cve-2019-8451
    poc-yaml-keycloak-cve-2020-10770-ssrf
    poc-yaml-kibana-cve-2019-7609-rce
    poc-yaml-landray-oa-datajson-rce
    poc-yaml-lg-n1a1-nas-cnnvd-201607-467-rce
    poc-yaml-mongo-express-cve-2019-10758
    poc-yaml-oracle-ebs-cve-2018-3167-ssrf
    poc-yaml-pandorafms-cve-2019-20224-rce
    poc-yaml-php-imap-cve-2018-19518-rce
    poc-yaml-ruanhong-oa-xxe
    poc-yaml-saltstack-cve-2020-16846
    poc-yaml-solr-cve-2017-12629-xxe
    poc-yaml-spiderflow-save-remote-command-execute
    poc-yaml-spring-cloud-gateway-cve-2022-22947-rce
    poc-yaml-supervisord-cve-2017-11610
    poc-yaml-wavlink-cve-2020-13117-rce
    poc-yaml-weblogic-cve-2017-10271
    poc-yaml-yongyou-nc-iupdateservice-xxe
    poc-yaml-zoho-manageengine-adaudit-plus-cve-2022-28219-xxe
    ssrf/ssrf/default
    struts/s2-052/default
    struts/s2-059/default
    struts/s2-061/default
    struts/s2-062/default
    xstream/Arbitrary-File-Deletion/CVE-2020-26259
    xstream/Arbitrary-File-Deletion/CVE-2021-21343
    xstream/DoS/CVE-2021-21341
    xstream/DoS/CVE-2021-21348
    xstream/DoS/CVE-2021-39140
    xstream/RCE(LDAP)/CVE-2021-21344
    xstream/RCE(LDAP)/CVE-2021-39141
    xstream/RCE(LDAP)/CVE-2021-39146
    xstream/RCE/CVE-2013-7285
    xstream/RCE/CVE-2020-26217
    xstream/RCE/CVE-2021-21345
    xstream/RCE/CVE-2021-21346
    xstream/RCE/CVE-2021-21347
    xstream/RCE/CVE-2021-21350
    xstream/RCE/CVE-2021-21351
    xstream/RCE/CVE-2021-39139
    xstream/RCE/CVE-2021-39144
    xstream/RCE/CVE-2021-39145
    xstream/RCE/CVE-2021-39147
    xstream/RCE/CVE-2021-39148
    xstream/RCE/CVE-2021-39149
    xstream/RCE/CVE-2021-39151
    xstream/RCE/CVE-2021-39153
    xstream/RCE/CVE-2021-39154
    xstream/SSRF/CVE-2020-26258
    xstream/SSRF/CVE-2021-21342
    xstream/SSRF/CVE-2021-21349
    xstream/SSRF/CVE-2021-39150
    xstream/SSRF/CVE-2021-39152
    xxe/xxe/blind
[INFO] 2023-12-24 18:51:05 [default:dispatcher.go:444] processing GET http://127.0.0.1:8080/
[INFO] 2023-12-24 18:51:05 script poc-yaml-pbootcms-rce-cve-2022-32417 run payload linux
[INFO] 2023-12-24 18:51:05 script poc-yaml-pbootcms-rce-cve-2022-32417 run payload windows
[INFO] 2023-12-24 18:51:05 [shiro:default.go:82] checking cookie names [rememberMe]
[INFO] 2023-12-24 18:51:05 [shiro:default.go:88] target is shiro, trying get shiro key with mode gcm
[INFO] 2023-12-24 18:51:06 script poc-yaml-alibaba-nacos-v1-auth-bypass run payload hasPrefix
[INFO] 2023-12-24 18:51:06 script poc-yaml-alibaba-nacos-v1-auth-bypass run payload nonePrefix
[INFO] 2023-12-24 18:51:06 script poc-yaml-php-proxy-cve-2018-19458-fileread run payload linux
[INFO] 2023-12-24 18:51:07 script poc-yaml-php-proxy-cve-2018-19458-fileread run payload win
[INFO] 2023-12-24 18:51:08 script poc-yaml-mantisbt-cve-2017-7615-unauth run payload req01
[INFO] 2023-12-24 18:51:08 script poc-yaml-laravel-filemanager-cve-2022-40734-path-traversal run payload req01
[INFO] 2023-12-24 18:51:08 script poc-yaml-mantisbt-cve-2017-7615-unauth run payload req02
[INFO] 2023-12-24 18:51:09 script poc-yaml-circarlife-scada-cve-2018-12634-info-leak run payload req01
[INFO] 2023-12-24 18:51:09 script poc-yaml-laravel-filemanager-cve-2022-40734-path-traversal run payload req02
[INFO] 2023-12-24 18:51:09 script poc-yaml-mantisbt-cve-2017-7615-unauth run payload req03
[INFO] 2023-12-24 18:51:09 script poc-yaml-mantisbt-cve-2017-7615-unauth run payload req04
[INFO] 2023-12-24 18:51:09 script poc-yaml-circarlife-scada-cve-2018-12634-info-leak run payload req02
[INFO] 2023-12-24 18:51:09 script poc-yaml-bitbucket-unauth run payload path01
[INFO] 2023-12-24 18:51:09 script poc-yaml-mantisbt-cve-2017-7615-unauth run payload req05
[INFO] 2023-12-24 18:51:09 script poc-yaml-adobe-experience-manager-cve-2019-8086-xxe run payload linux
[INFO] 2023-12-24 18:51:09 script poc-yaml-adobe-experience-manager-cve-2019-8086-xxe run payload win
[INFO] 2023-12-24 18:51:10 script poc-yaml-bitbucket-unauth run payload path02
[INFO] 2023-12-24 18:51:10 script poc-yaml-bitbucket-unauth run payload path03
[*] scanned: 0, pending: 1, requestSent: 659, latency: 162.86ms, failedRatio: 0.00%
[INFO] 2023-12-24 18:51:10 script poc-yaml-bitbucket-unauth run payload path04
[INFO] 2023-12-24 18:51:10 script poc-yaml-gurock-testrail-cve-2021-40875-info-leak run payload req01
[INFO] 2023-12-24 18:51:10 script poc-yaml-bitbucket-unauth run payload path05
[INFO] 2023-12-24 18:51:10 script poc-yaml-gurock-testrail-cve-2021-40875-info-leak run payload req02
[INFO] 2023-12-24 18:51:11 script poc-yaml-bitbucket-unauth run payload path06
[INFO] 2023-12-24 18:51:11 script poc-yaml-bitbucket-unauth run payload path07
[INFO] 2023-12-24 18:51:11 script poc-yaml-bitbucket-unauth run payload path08
[INFO] 2023-12-24 18:51:11 script poc-yaml-wanhu-ezoffice-documentedit-sqli run payload oracle
[INFO] 2023-12-24 18:51:11 script poc-yaml-wanhu-ezoffice-documentedit-sqli run payload mysql
[INFO] 2023-12-24 18:51:11 script poc-yaml-glpi-telemetry-cve-2021-39211-info-leak run payload req01
[INFO] 2023-12-24 18:51:11 script poc-yaml-glpi-telemetry-cve-2021-39211-info-leak run payload req02
[INFO] 2023-12-24 18:51:11 script poc-yaml-wanhu-ezoffice-documentedit-sqli run payload mssql
[INFO] 2023-12-24 18:51:11 script poc-yaml-manageengine-servicedesk-cve-2017-11512-lfi run payload windows
[INFO] 2023-12-24 18:51:12 script poc-yaml-kevinlab-bems-backdoor-cve-2021-37292 run payload p1
[INFO] 2023-12-24 18:51:12 script poc-yaml-manageengine-servicedesk-cve-2017-11512-lfi run payload linux
[INFO] 2023-12-24 18:51:12 script poc-yaml-kevinlab-bems-backdoor-cve-2021-37292 run payload p2
[INFO] 2023-12-24 18:51:13 [shiro:default.go:88] target is shiro, trying get shiro key with mode cbc
[Vuln: shiro]
Target           "http://127.0.0.1:8080/"
VulnType         "shiro/default-key"
key              "kPH+bIxk5D2deZiIxcaaaA=="
cookie_name      "rememberMe"
origin_count     "1"
current_count    "0"
mode             "cbc"

[INFO] 2023-12-24 18:51:13 [shiro:deserialization.go:73] shiro key is kPH+bIxk5D2deZiIxcaaaA==, cookie key is rememberMe
[INFO] 2023-12-24 18:51:13 [shiro:deserialization.go:74] now trying to check tomcat echo
[Vuln: shiro]
Target           "http://127.0.0.1:8080/"
VulnType         "shiro/rememberme-deserialization"
cookie_name      "rememberMe"
follow_redirect  "true"
mode             "cbc"
key              "kPH+bIxk5D2deZiIxcaaaA=="
gadget           "CommonsCollectionsK1"
gadget_type      "tomcat_echo"

[INFO] 2023-12-24 18:51:13 [controller:dispatcher.go:553] wait for reverse server finished
[*] All pending requests have been scanned
[*] scanned: 1, pending: 0, requestSent: 1148, latency: 117.57ms, failedRatio: 0.00%
[INFO] 2023-12-24 18:51:16 [controller:dispatcher.go:573] controller released, task done
```