Simple remote overflow vulnerability hunting

The vulnerable program comes from failwest's "0day2"; the book uses it as the example for developing an exploit under Metasploit and gives the exploit directly. Of course, with the source code in front of you (white-box) the overflow point is easy to spot (finding it black-box is also simple).

This post is purely me scratching the itch of hunting a remote overflow black-box: a black-box look at finding and exploiting the bug in both the release and debug builds (the program's source code is posted at the end for reference).

====================================== the evil divider ==============================================

1. The vulnerable program

Function: a server program that listens locally on port 7777 and prints the data it receives.

2. Environment

Target system: XP SP3

Target IP: 10.10.10.128

Attacker system: BackTrack 5

Attacker IP: 10.10.10.132

3. Black-box testing (Release build)

Run release.exe; it is a console program and looks like this:

Write a script that sends "dami" to the server:

    import socket

    if "__main__" == __name__:
        # connect to the target service on port 7777 and send the test string
        sockClient = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sockClient.connect(('10.10.10.128', 7777))
        sockClient.send(b'dami')
        print('send:dami')
        sockClient.close()
        print('connect closed')

The target program received and printed "dami":

This time we send an over-long string to the target:

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

The target program crashed:

Buffer overflow. The error message says the instruction at "0x61616161" referenced memory at "0x61616161", so EIP has already been overwritten with 'aaaa', which means arbitrary code can be executed.

4. Locating the overflow point

Load the program in OllyDbg and run it. Reversing shows that the program listens on port 7777 locally and prints the data it receives. Reversing is not the focus of this post, so I will not analyse the code completely; here is the key part:

    0040115B  |.  50              PUSH EAX                              ; /Flags => 0
    0040115C  |.  F3:AB           REP STOS DWORD PTR ES:[EDI]           ; |
    0040115E  |.  8D4C24 38       LEA ECX,DWORD PTR SS:[ESP+38]         ; |
    00401162  |.  68 00020000     PUSH 200                              ; |BufSize = 200 (512.)
    00401167  |.  51              PUSH ECX                              ; |Buffer
    00401168  |.  53              PUSH EBX                              ; |Socket
    00401169  |.  FF15 E4904000   CALL DWORD PTR DS:[<&WS2_32.#16>]     ; \recv
    0040116F  |.  8BF0            MOV ESI,EAX
    00401171  |.  85F6            TEST ESI,ESI
    00401173  |.  7D 26           JGE SHORT release.0040119B
    00401175  |.  68 50A04000     PUSH release.0040A050                 ; ASCII "reading stream message error!"
    0040117A  |.  B9 98CA4000     MOV ECX,release.0040CA98
    0040117F  |.  E8 A3020000     CALL release.00401427
    00401184  |.  68 D0124000     PUSH release.004012D0
    00401189  |.  6A 0A           PUSH 0A                               ; /Arg1 = 0000000A
    0040118B  |.  8BC8            MOV ECX,EAX                           ; |
    0040118D  |.  E8 4E010000     CALL release.004012E0                 ; \release.004012E0
    00401192  |.  8BC8            MOV ECX,EAX
    00401194  |.  E8 17010000     CALL release.004012B0
    00401199  |.  33F6            XOR ESI,ESI
    0040119B  |>  8D5424 34       LEA EDX,DWORD PTR SS:[ESP+34]
    0040119F  |.  52              PUSH EDX
    004011A0  |.  E8 5B000000     CALL release.00401200

At 0x00401169 the received data is stored in a buffer of size 0x200. Below the recv call the actual number of bytes received is checked, and when it is >= 0 the function at 0x00401200 is called, with the received data passed in edx as its argument.

Set a breakpoint at 0x004011A0, send the data again, and the program breaks:

Single-step into the function at 0x00401200:

    00401200  /$  81EC C8000000   SUB ESP,0C8
    00401206  |.  83C9 FF         OR ECX,FFFFFFFF
    00401209  |.  33C0            XOR EAX,EAX
    0040120B  |.  8D5424 00       LEA EDX,DWORD PTR SS:[ESP]
    0040120F  |.  56              PUSH ESI
    00401210  |.  57              PUSH EDI
    00401211  |.  8BBC24 D40000>  MOV EDI,DWORD PTR SS:[ESP+D4]
    00401218  |.  68 00A14000     PUSH release.0040A100                 ; ASCII "**********************"
    0040121D  |.  F2:AE           REPNE SCAS BYTE PTR ES:[EDI]
    0040121F  |.  F7D1            NOT ECX
    00401221  |.  2BF9            SUB EDI,ECX
    00401223  |.  8BC1            MOV EAX,ECX
    00401225  |.  8BF7            MOV ESI,EDI
    00401227  |.  8BFA            MOV EDI,EDX
    00401229  |.  C1E9 02         SHR ECX,2
    0040122C  |.  F3:A5           REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
    0040122E  |.  8BC8            MOV ECX,EAX
    00401230  |.  83E1 03         AND ECX,3
    00401233  |.  F3:A4           REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
    00401235  |.  B9 98CA4000     MOV ECX,release.0040CA98
    0040123A  |.  E8 E8010000     CALL release.00401427
    0040123F  |.  68 D0124000     PUSH release.004012D0
    00401244  |.  6A 0A           PUSH 0A                               ; /Arg1 = 0000000A
    00401246  |.  8BC8            MOV ECX,EAX                           ; |
    00401248  |.  E8 93000000     CALL release.004012E0                 ; \release.004012E0
    0040124D  |.  8BC8            MOV ECX,EAX
    0040124F  |.  E8 5C000000     CALL release.004012B0
    00401254  |.  68 F4A04000     PUSH release.0040A0F4                 ; ASCII "received:"
    00401259  |.  B9 98CA4000     MOV ECX,release.0040CA98
    0040125E  |.  E8 C4010000     CALL release.00401427
    00401263  |.  68 D0124000     PUSH release.004012D0
    00401268  |.  6A 0A           PUSH 0A                               ; /Arg1 = 0000000A
    0040126A  |.  8BC8            MOV ECX,EAX                           ; |
    0040126C  |.  E8 6F000000     CALL release.004012E0                 ; \release.004012E0
    00401271  |.  8BC8            MOV ECX,EAX
    00401273  |.  E8 38000000     CALL release.004012B0
    00401278  |.  8D4C24 08       LEA ECX,DWORD PTR SS:[ESP+8]
    0040127C  |.  51              PUSH ECX
    0040127D  |.  B9 98CA4000     MOV ECX,release.0040CA98
    00401282  |.  E8 A0010000     CALL release.00401427
    00401287  |.  68 D0124000     PUSH release.004012D0
    0040128C  |.  6A 0A           PUSH 0A                               ; /Arg1 = 0000000A
    0040128E  |.  8BC8            MOV ECX,EAX                           ; |
    00401290  |.  E8 4B000000     CALL release.004012E0                 ; \release.004012E0
    00401295  |.  8BC8            MOV ECX,EAX
    00401297  |.  E8 14000000     CALL release.004012B0
    0040129C  |.  5F              POP EDI
    0040129D  |.  5E              POP ESI
    0040129E  |.  81C4 C8000000   ADD ESP,0C8
    004012A4  \.  C3              RETN

Reading the disassembly: this function first reserves 0xc8 bytes of stack space, and the instructions from 0x0040121D to 0x00401233 copy the incoming argument into that 0xc8-byte stack buffer. This is where the overflow happens, and it overwrites the function's return address.
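As an added example (not code from the book, the post, or the vulnerable program itself), here is a C reconstruction of the pattern the disassembly shows, beside a length-checked version of the same handler. The REPNE SCAS / REP MOVS sequence at 0x0040121D-0x00401233 is an inlined strcpy: it measures the source string and copies it, but never compares that length with the 0xC8-byte destination. The buffer sizes are taken from the disassembly; the function and variable names, and the sample inputs, are assumptions made for this example.

```c
/* Added example: reconstruction of the overflow pattern seen in the disassembly
 * (recv() into a 0x200-byte stack buffer, then an unbounded copy into a 0xC8-byte
 * stack buffer in a second function), next to a bounds-checked version.
 * Names are assumed; sizes come from the disassembly. */
#include <stdio.h>
#include <string.h>

#define RECV_BUF_SIZE  0x200   /* BufSize pushed before the recv call: 512 bytes */
#define PRINT_BUF_SIZE 0xC8    /* SUB ESP,0C8 in the function at 0x00401200: 200 bytes */

/* 'Before': the pattern of the vulnerable function. strcpy() is what the
 * REPNE SCAS / REP MOVS sequence computes; nothing compares the source length
 * with PRINT_BUF_SIZE, so a message of 200 bytes or more runs past the buffer
 * and over the saved return address. Kept for comparison; never called here. */
static void print_message_vulnerable(const char *msg)
{
    char buf[PRINT_BUF_SIZE];
    strcpy(buf, msg);                    /* unbounded copy: this is the overflow */
    printf("**********************\nreceived:\n%s\n", buf);
}

/* 'After': the same handler with the length checked before any copy.
 * Returns 0 when the message fits and was printed, -1 when it was rejected. */
static int print_message_safe(const char *msg, size_t msg_len)
{
    char buf[PRINT_BUF_SIZE];
    /* one byte is reserved for the terminator; anything that does not fit is refused */
    if (msg_len >= sizeof buf)
        return -1;
    memcpy(buf, msg, msg_len);
    buf[msg_len] = '\0';
    printf("**********************\nreceived:\n%s\n", buf);
    return 0;
}

/* What the receive path should do with the count recv() returns: that count is
 * the only trustworthy length, and recv() does not NUL-terminate the data.
 * The bytes arrive here as a constructed sample instead of a socket read. */
static int handle_received(const char *data, int nread)
{
    char recv_buf[RECV_BUF_SIZE];
    if (nread < 0)                       /* the JGE in the disassembly: recv failed */
        return -1;
    if (nread > (int)sizeof recv_buf)    /* never trust a count larger than the buffer */
        nread = (int)sizeof recv_buf;
    memcpy(recv_buf, data, (size_t)nread);
    return print_message_safe(recv_buf, (size_t)nread);
}

/* Helper for exercising the handler: feeds n copies of byte c through it. */
static int handle_repeated(char c, int n)
{
    char data[1024];                     /* constructed input buffer */
    if (n < 0 || n > (int)sizeof data)
        return -2;
    memset(data, c, (size_t)n);
    return handle_received(data, n);
}

int main(void)
{
    /* constructed inputs: the "dami" test string and an over-long run of 'a' */
    printf("short message: %d\n", handle_received("dami", 4));
    printf("400 x 'a': %d\n", handle_repeated('a', 400));
    printf("199 x 'a': %d\n", handle_repeated('a', 199));
    (void)print_message_vulnerable;      /* referenced only so the 'before' form compiles */
    return 0;
}
```

The 200-byte frame is also why the post locates the return address at bytes 201 to 204 of the message: the copy destination is ESP immediately after SUB ESP,0C8, so the saved return address sits exactly 0xC8 bytes above the first copied byte. The hardened handler makes that layout irrelevant by refusing any message that would not fit, and it uses the byte count from recv() rather than scanning for a terminator the sender controls.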

5. sh3llcode development

From the analysis above, bytes 201 to 204 of the data sent by the client overwrite the return address of the called function; that dword is popped into EIP when the function returns. The approach for developing the shellcode:
