|
Serv-U "MDTM"命令远程溢出分析
czy 于 04.02.29
2月27号一早在securityfocus看到了这个漏洞的公告,上面清楚的说明了You must have a
valid user account and password to exploit it, and you are not need WRITE or any other privilege.
这不是比上次Serv-U那个site chmod的洞洞还利害,一想到不少电影网站都是用的Serv-U....
好不在这儿废话了以下分析基于Serv-U Server 4.0.0版,只分析"MDTM"命令溢出的情况。
事实上,Serv-U在处理MDTM命令时,很多地方都有长度判断,但是,有一个地方他遗漏了,那么,我们的机会就来了:-)
漏洞函数引用关系如下:
loc_434748 [0]
|
call loc_41FAE8 [1]
|
|__call sub_59BFB8(strncpy)
|__call sub_4422A4
|
|__ jmp sub_41FBB6 [2]
|
|__call sub_59BEB1
|__call sub_59BDA4(strlen)
|__call sub_59BFB8(strncpy)\__分别调用了六次,用来把年月日时分秒放到变量中
|__call sub_5A4008 /
...........
|__loc_41FD99[3]
|__loc_41FDC3(strcpy) [4] 洞洞出来啦,覆盖程序自身异常处理函数地址
|__loc_41FE16
|__loc_41FE30 [5]
|
|__call sub_59BDA4(strlen)
|__call sub_59BC1C(strncpy) 触发程序异常处理
[0]判断是否是"MDTM"命令
loc_434748: ; CODE XREF: .text:0043473A
.text:00434748 push 4 //比较四个字节
.text:0043474A push edi //edi存放命令字串的首地址
.text:0043474B lea eax, [esi+354h]
.text:00434751 push eax // 得到命令列表
.text:00434752 call near ptr unk_59C008 // 相当于Strncmp
.text:00434757 add esp, 0Ch
.text:0043475A test eax, eax
.text:0043475C jnz short loc_43476D //不是MDTM的话比较下一个命令SITE
.text:0043475E push edi //第二个参数是命令字串的首地址
.text:0043475F push ebx
.text:00434760 call loc_41FAE8 //相同的话跳到MDTM命令处理函数
.text:00434765 add esp, 8
.text:00434768 jmp loc_434AC7
[1] 具体处理MDTM命令函数
.text:0041FAE8 sub_41FAE8 proc near ; CODE XREF: sub_434244+51C�p
.text:0041FAE8 push ebp
.text:0041FAE9 mov ebp, esp
.text:0041FAEB add esp, 0FFFFF004h //为本地变量分配空间
.text:0041FAF1 push eax
.text:0041FAF2 add esp, 0FFFFFC74h //为本地变量分配空间
.text:0041FAF8 mov eax, offset unk_59C243 //重要程序自已的异常处理函数入口
.text:0041FAFD xor edx, edx
.text:0041FAFF push ebx
.text:0041FB00 push esi
.text:0041FB01 push edi
.text:0041FB02 mov ebx, [ebp+8] //处理第一个参数
.text:0041FB05 mov dword ptr [ebp-4Ch], offset unk_5B8520
.text:0041FB0C mov [ebp-48h], esp
.text:0041FB0F mov [ebp-50h], eax //重要建立ERR结构的第二个成员
//也就是程序自已的异常处理函数入口
.text:0041FB12 mov word ptr [ebp-44h], 0
.text:0041FB18 mov [ebp-38h], edx
.text:0041FB1B mov ecx, large fs:0 //重要得到上一个ERR结构地址
.text:0041FB22 mov [ebp-54h], ecx //建立ERR结构的第一个成员
.text:0041FB25 lea eax, [ebp-54h] //得到当前ERR结构的地址(017AD280)
.text:0041FB28 mov large fs:0, eax //放到fs:[0]中,这样如果这段代码
//出错的话就会执行ebp-50里的的函数
.text:0041FB2E mov byte ptr [ebp-55h], 0
.text:0041FB32 mov byte ptr [ebp-56h], 0
/////////////////////////////////////////////////////
程序正常的栈情况如下:
ebp-56 017AD27E 00
ebp-55 017AD27F 00
epb-54 017AD280 40
ebp-53 017AD281 E2
ebp-52 017AD282 7A
ebp-51 017AD283 01 017AE240的值指向上一个ERR结构
ebp-50 017AD284 43
ebp-4F 017AD285 C2
ebp-4E 017AD286 59
ebp-4D 017AD287 00 0059C243是程序自已的异常处理函数入口
////////////////////////////////////////////////////
.text:0041FB36 xor edx, edx
.text:0041FB38 mov [ebp-74h], edx
.text:0041FB3B mov [ebp-70h], edx
.text:0041FB3E mov [ebp-6Ch], edx
.text:0041FB41 mov [ebp-68h], edx
.text:0041FB44 mov [ebp-64h], edx
.text:0041FB47 mov [ebp-60h], edx
.text:0041FB4A mov [ebp-5Ch], edx //本地变量给初值0
.text:0041FB4D push 7FFh
.text:0041FB52 mov eax, [ebp+0Ch] //处理第二个参数也就是命令字串的地址
.text:0041FB55 add eax, 4 //去除命令字串开头的MDTM
.text:0041FB58 push eax
.text:0041FB59 lea ecx, [ebp-9FCh]
.text:0041FB5F push ecx
.text:0041FB60 call sub_59BFB8 //相当于strncpy把命令拷到本地变量ebp-9fch中
//长度不超过2KB
.text:0041FB65 add esp, 0Ch
.text:0041FB68 lea eax, [ebp-9FCh]
.text:0041FB6E mov byte ptr [ebp-1FDh], 0
.text:0041FB75 push eax
.text:0041FB76 call sub_4422A4 //对字串进行再一步处理去除MDTM与
//命令中间的那个空格,命令后面的回车
//还要判断命令是否为空
.text:0041FB7B cmp byte ptr [ebp-9FCh], 0
.text:0041FB82 pop ecx
.text:0041FB83 jnz short loc_41FBB6 //合法的话跳
[2] 对时间区域进行处理检测
.text:0041FBB6 loc_41FBB6: ; CODE XREF: sub_41FAE8+9B�j
.text:0041FBB6 push 20h
.text:0041FBB8 lea edx, [ebp+var_9FC] //ebp-9fc中存放全部命令
.text:0041FBBE push edx
.text:0041FBBF call sub_59BEB1 //找命令中的空格找到后把空格后
//的地址放在ebp-78中,也就是找文件名
.text:0041FBC4 add esp, 8
.text:0041FBC7 mov [ebp+var_78], eax
.text:0041FBCA test eax, eax
.text:0041FBCC jz loc_41FE6D //没有找到文件名跳,跳过去将处理
//mdtm autoexec.bat这类看文件时间的命令
.text:0041FBD2 lea edx, [ebp+var_9FC]
.text:0041FBD8 push edx
.text:0041FBD9 call sub_59BDA4 //得到命令长度
.text:0041FBDE pop ecx
.text:0041FBDF cmp eax, 10h //命令长度小于16跳
.text:0041FBE2 jb loc_41FE6D
.text:0041FBE8 lea ecx, [ebp+var_9FC]
.text:0041FBEE mov eax, [ebp+var_78]
.text:0041FBF1 sub eax, ecx //得时间区域长度不要紧张这儿没洞洞
.text:0041FBF3 cmp eax, 0Eh
.text:0041FBF6 jl loc_41FE6D //必须是大于等于14字节
.text:0041FBFC mov [ebp+var_88], 1
.text:0041FC06 xor edi, edi
.text:0041FC08 lea esi, [ebp+var_9FC]
.text:0041FC0E
.text:0041FC0E loc_41FC0E: ; CODE XREF: sub_41FAE8+141�j
.text:0041FC0E movsx eax, byte ptr [esi]
.text:0041FC11 push eax
.text:0041FC12 call sub_5A1304
.text:0041FC17 pop ecx
.text:0041FC18 test eax, eax
.text:0041FC1A jnz short loc_41FC24
.text:0041FC1C xor edx, edx
.text:0041FC1E mov [ebp+var_88], edx
.text:0041FC24
.text:0041FC24 loc_41FC24: ; CODE XREF: sub_41FAE8+132�j
.text:0041FC24 inc edi
.text:0041FC25 inc esi
.text:0041FC26 cmp edi, 0Eh
.text:0041FC29 jl short loc_41FC0E
.text:0041FC2B cmp [ebp+var_88], 0
.text:0041FC32 jz loc_41FD99 //判断时间区域的前14个字母
//如果不是数字跳到41fd99
//-----------------------
.text:0041FC38 push 4
.text:0041FC3A lea ecx, [ebp+var_9FC]
.text:0041FC40 push ecx
.text:0041FC41 lea eax, [ebp+var_84]
.text:0041FC47 push eax
.text:0041FC48 call sub_59BFB8
.text:0041FC4D add esp, 0Ch
.text:0041FC50 lea edx, [ebp+var_84]
.text:0041FC56 mov [ebp+var_80], 0
.text:0041FC5A push edx
.text:0041FC5B call sub_5A4008
.text:0041FC60 pop ecx
.text:0041FC61 mov [ebp+var_5C], eax
.text:0041FC64 push 2
.text:0041FC66 lea ecx, [ebp+var_9F8]
.text:0041FC6C push ecx
.text:0041FC6D lea eax, [ebp+var_84]
.text:0041FC73 push eax
.text:0041FC74 call sub_59BFB8
.text:0041FC79 add esp, 0Ch
.text:0041FC7C lea edx, [ebp+var_84]
.text:0041FC82 mov [ebp+var_82], 0
.text:0041FC89 push edx
.text:0041FC8A call sub_5A4008
.text:0041FC8F pop ecx
.text:0041FC90 mov [ebp+var_60], eax
.text:0041FC93 push 2
.text:0041FC95 lea ecx, [ebp+var_9F6]
.text:0041FC9B push ecx
.text:0041FC9C lea eax, [ebp+var_84]
.text:0041FCA2 push eax
.text:0041FCA3 call sub_59BFB8
.text:0041FCA8 add esp, 0Ch
.text:0041FCAB lea edx, [ebp+var_84]
.text:0041FCB1 mov [ebp+var_82], 0
.text:0041FCB8 push edx
.text:0041FCB9 call sub_5A4008
.text:0041FCBE pop ecx
.text:0041FCBF mov [ebp+var_64], eax
.text:0041FCC2 push 2
.text:0041FCC4 lea ecx, [ebp+var_9F4]
.text:0041FCCA push ecx
.text:0041FCCB lea eax, [ebp+var_84]
.text:0041FCD1 push eax
.text:0041FCD2 call sub_59BFB8
.text:0041FCD7 add esp, 0Ch
.text:0041FCDA lea edx, [ebp+var_84]
.text:0041FCE0 mov [ebp+var_82], 0
.text:0041FCE7 push edx
.text:0041FCE8 call sub_5A4008
.text:0041FCED pop ecx
.text:0041FCEE mov [ebp+var_68], eax
.text:0041FCF1 push 2
.text:0041FCF3 lea ecx, [ebp+var_9F2]
.text:0041FCF9 push ecx
.text:0041FCFA lea eax, [ebp+var_84]
.text:0041FD00 push eax
.text:0041FD01 call sub_59BFB8
.text:0041FD06 add esp, 0Ch
.text:0041FD09 lea edx, [ebp+var_84]
.text:0041FD0F mov [ebp+var_82], 0
.text:0041FD16 push edx
.text:0041FD17 call sub_5A4008
.text:0041FD1C pop ecx
.text:0041FD1D mov [ebp+var_6C], eax
.text:0041FD20 push 2
.text:0041FD22 lea ecx, [ebp+var_9F0] //得到命令中秒存放的位置
.text:0041FD28 push ecx
.text:0041FD29 lea eax, [ebp+var_84] //变量地址
.text:0041FD2F push eax
.text:0041FD30 call sub_59BFB8
.text:0041FD35 add esp, 0Ch
.text:0041FD38 lea edx, [ebp+var_84]
.text:0041FD3E mov [ebp+var_82], 0
.text:0041FD45 push edx
.text:0041FD46 call sub_5A4008 //格式转化
.text:0041FD4B pop ecx
.text:0041FD4C mov [ebp+var_70], eax
//---------------上面的代码把年月日时分秒放到变量中
//具体如下:
年 ebp-5c
月 ebp-60
日 ebp-64
时 ebp-68
分 ebp-6c
秒 ebp-70
//对时间的正确性进行检验
.text:0041FD4F cmp [ebp+var_5C], 7BCh
.text:0041FD56 jl short loc_41FD91 //年小于1980跳
.text:0041FD58 cmp dword ptr [ebp-5Ch], 81Bh
.text:0041FD5F jg short loc_41FD91 //年大于2075跳
.text:0041FD61 cmp dword ptr [ebp-60h], 1
.text:0041FD65 jl short loc_41FD91
.text:0041FD67 cmp dword ptr [ebp-60h], 0Ch
.text:0041FD6B jg short loc_41FD91 //月分只能是1-12
.text:0041FD6D cmp dword ptr [ebp-64h], 1
.text:0041FD71 jl short loc_41FD91
.text:0041FD73 cmp dword ptr [ebp-64h], 1Fh
.text:0041FD77 jg short loc_41FD91 //号数只能是1-31
.text:0041FD79 cmp dword ptr [ebp-6Ch], 0
.text:0041FD7D jl short loc_41FD91
.text:0041FD7F cmp dword ptr [ebp-6Ch], 3Bh
.text:0041FD83 jg short loc_41FD91
.text:0041FD85 cmp dword ptr [ebp-70h], 0
.text:0041FD89 jl short loc_41FD91
.text:0041FD8B cmp dword ptr [ebp-70h], 3Bh //分秒只能是0-59
.text:0041FD8F jle short loc_41FD99 //时间都合法了跳到41FD99
[3] 判断时间区域后面是否有+-号
.text:0041FD99
.text:0041FD99 loc_41FD99: ; CODE XREF: sub_41FAE8+14A�j
.text:0041FD99 ; sub_41FAE8+2A7�j
.text:0041FD99 cmp [ebp+var_88], 0
.text:0041FDA0 jz loc_41FE30 //对于mdtm 20020201112233+111 autexec.bat这样的命令不跳
.text:0041FDA6 movsx eax, [ebp+var_9EE] //处理时间区域后的一个字串
.text:0041FDAD cmp eax, 20h
.text:0041FDB0 jz short loc_41FE1C //为空格跳
.text:0041FDB2 movsx eax, [ebp+var_9EE]
.text:0041FDB9 cmp eax, 2Dh
.text:0041FDBC jz short loc_41FDC3 //为减号跳!
.text:0041FDBE cmp eax, 2Bh
.text:0041FDC1 jnz short loc_41FE1C //不为加号跳到41FE1C!
[4] 对时间区域有+-号的情况进行处理
.text:0041FDC3 loc_41FDC3:
.text:0041FDC3 xor edi, edi
.text:0041FDC5 lea eax, [ebp+var_84] //得到时间区域的最后两位(ebp-84)
.text:0041FDCB lea esi, [ebp+var_9EE] //得到+号开始的地址
.text:0041FDD1 jmp short loc_41FDDA
.text:0041FDD3 loc_41FDD3:
.text:0041FDD3 mov dl, [esi]
.text:0041FDD5 inc edi //edi为记数器
.text:0041FDD6 mov [eax], dl
.text:0041FDD8 inc eax
.text:0041FDD9 inc esi
.text:0041FDDA
.text:0041FDDA loc_41FDDA:
.text:0041FDDA movsx ecx, byte ptr [esi]
.text:0041FDDD cmp ecx, 20h
.text:0041FDE0 jnz short loc_41FDD3 //遇到空格退出
//----------------------上面就是漏洞代码程序本意是把时间区域加号后面的四个字节放在ebp-84变量中
//但没有对长度进行检查,所以不但会覆盖ebp-84,如果是一个超长字串的话还会把ebp-54,ebp-78等变理覆盖!
.text:0041FDE2 mov [ebp+edi+var_84], 0 //edi为考贝的字串长度,这儿是为拷过去的字中设置结尾符
.text:0041FDEA lea eax, [ebp+var_84]
.text:0041FDF0 push eax
.text:0041FDF1 call sub_5A4008
.text:0041FDF6 pop ecx
.text:0041FDF7 mov [ebp+var_74], eax
.text:0041FDFA cmp [ebp+var_74], 0FFFFFC18h //比较+号后面的时间是否小于-1000
.text:0041FE01 jl short loc_41FE0C
.text:0041FE03 cmp [ebp+var_74], 3E8h
.text:0041FE0A jle short loc_41FE16 //是否大于等于+1000
.text:0041FE0C
.text:0041FE0C loc_41FE0C:
.text:0041FE0C xor eax, eax
.text:0041FE0E mov [ebp+var_88], eax
.text:0041FE14 jmp short loc_41FE30
.text:0041FE16 loc_41FE16:
.text:0041FE16 mov [ebp+var_56], 1 //设置ebp-56为1
.text:0041FE1A jmp short loc_41FE30
.text:0041FE1C loc_41FE1C:
.text:0041FE1C
.text:0041FE1C movsx edx, [ebp+var_9EE]
.text:0041FE23 cmp edx, 20h
.text:0041FE26 jz short loc_41FE30
.text:0041FE28 xor ecx, ecx
.text:0041FE2A mov [ebp+var_88], ecx
[5] 拷贝要更改时间的文件名到一个变量中
.text:0041FE30 loc_41FE30:
.text:0041FE30
.text:0041FE30 cmp [ebp+var_88], 0 //设置的时间小于-1000时ebp-88为0跳
.text:0041FE37 jz short loc_41FE6D
.text:0041FE39 mov [ebp+var_55], 1
.text:0041FE3D lea eax, [ebp+var_9FC] //得到+号后的命令长度
.text:0041FE43 push eax
.text:0041FE44 call sub_59BDA4
.text:0041FE49 pop ecx
.text:0041FE4A inc eax
.text:0041FE4B push eax //拷贝的个数
.text:0041FE4C mov edx, [ebp+var_78] //ebp-78为源地址存放文件名
.text:0041FE4F inc edx
.text:0041FE50 push edx
.text:0041FE51 lea ecx, [ebp+var_9FC] //本来存放命令字串,现在是拷贝的目的地址
.text:0041FE57 push ecx
.text:0041FE58 call sub_59BC1C
.text:0041FE5D add esp, 0Ch
.text:0041FE60 lea eax, [ebp+var_9FC]
.text:0041FE66 push eax
.text:0041FE67 call sub_4422A4
.text:0041FE6C pop ecx
Q&A:
[1]为什么执行到loc_41FE30处会产生程序异常呢?
因为ebp-78这个变量的值本来是要改变文件时间的文件名的地址,但是由于在loc_41FDC3处
对变量ebp-84的操作中会覆盖它的值,如果我们输入命令
quote mdtm 20020102112233+aaaaaaaaaaaaaaaaaaaaaaaaaa /autoexec.bat
那么这时ebp-78的值就成了61616161,而这个地址是不能仿问的,当然就产生异常了.
[2]产生异常后我们怎么执行代码呢?
在分析刚开始的时候我们已经知道程序正常的异常处理程序入口在ebp-50中,那么我们只能把
系统中有jmp ebx的代码的地址放到ebp-50中就可以了.然后ebp-54中放入nop nop jmp 6(9090EB04)
[3]要发送多少个A才能刚好覆盖ebp-50,ebp-54呢?
84h-54h=30h=48d
[4]我还不知道怎么利用SEH执行SHELLCODE怎么办?
利用SEH执行shellcode
http://www.nsfocus.net/index.php?act=magazine&do=view&mid=1964
|
