From scz idea 1) 就算真的溢出,也只可能是堆溢出而不是栈溢出:wcscpy() 的目标 (wchar_t *)v12 + 4 位于刚刚用 LocalAlloc(0x40, 2 * a6 + 12) 分配出来的堆块内(偏移 8 字节处),根本不在栈上。 2) 这些眼花缭乱的调用栈回溯之后是一个 RPC 入口 NetrUseAdd(),他没有给出来。我看了一下,主调函数传过来的 a6 就是 wcslen(a5):拷贝需要 2 * (a6 + 1) 字节,加上 8 字节的头部共 2 * a6 + 10 字节,不超过分配的 2 * a6 + 12 字节,所以想象中的堆溢出也不存在。(注意:a6 与 a5 的这一对应关系是在 NetrUseAdd 里建立的,本帖贴出的 sub_7685499D / sub_76854A96 只是原样转发 a5、a6,自己并不检查;另外 IDL 里这些字符串参数都标了 [string],按 NDR 反序列化的惯例应当已保证以 NUL 结尾,wcslen 不会读到报文之外——这两点都需要对照 NetrUseAdd 本身核实。)
我还被忽悠的一愣一愣的了,还门写了一个测试脚本了,kao /* * IDL code generated by mIDA v1.0.10 * Copyright (C) 2006, Tenable Network Security * http://cgi.tenablesecurity.com/tenable/mida.php * * * Decompilation information: * RPC stub type: interpreted / fully interpreted */ [ uuid(6bffd098-a112-3610-9833-46c3f87e345a), version(1.0) ] interface mIDA_interface { typedef [switch_type( unsigned long )] union union_1 { [case(0)] struct struct_2 * elem_1; [case(1)] struct struct_3 * elem_2; [case(2)] struct struct_4 * elem_3; [case(3)] struct struct_5 * elem_4; [default] ; } union_1; typedef struct struct_2 { [string] wchar_t * elem_1; [string] wchar_t * elem_2; } struct_2 ; typedef struct struct_3 { [string] wchar_t * elem_1; [string] wchar_t * elem_2; [string] wchar_t * elem_3; long elem_4; long elem_5; long elem_6; long elem_7; } struct_3 ; typedef struct struct_4 { [string] wchar_t * elem_1; [string] wchar_t * elem_2; [string] wchar_t * elem_3; long elem_4; long elem_5; long elem_6; long elem_7; [string] wchar_t * elem_8; [string] wchar_t * elem_9; } struct_4 ; typedef struct struct_5 { struct struct_4 elem_1; long elem_2; } struct_5 ; /* opcode: 0x08, address: 0x74F040F5 */ long _NetrUseAdd ( [in][unique][string] wchar_t * arg_1, [in] long arg_2, [in][switch_is(arg_2)] union union_1 * arg_3, [in, out][unique] long * arg_4 ); } 此君不厚道 import sys, os, struct sys.path.append("..") from rpc import * from ndr import * from debug import print_hex class opcode_08: def __init__(self): self.arg1 = ndr_unique(data=ndr_wstring(data="AAAAAAAAAAAAAAAAAAAAAA")) self.arg2 = ndr_long(data=100) self.arg3 = ndr_long(data=1) self.arg4 = ndr_long(data=1) def get_packed(self): packeddata = "" packeddata += self.arg1.serialize() packeddata += self.arg2.serialize() packeddata += self.arg3.serialize() packeddata += self.arg4.serialize() print "[%s]" % print_hex(packeddata) return packeddata host = '10.8.7.63' port = 445 pipe = 'browser' uuid = '6bffd098-a112-3610-9833-46c3f87e345a' version = '1.0' rpc = 
RPCnp(host, port, pipe) rpc.connect() rpc.bind(uuid, version) opcode = 0x08 request = opcode_08().get_packed() rpc.call(opcode, request) recvbuffer = rpc.recv() rpcerror = rpc.rpcerror(struct.unpack("<L", recvbuffer[:4])[0]) if not rpcerror: print "[%s]" % print_hex(recvbuffer) else: if rpcerror == "rpc_x_bad_stub_data": print "%s" % (rpcerror) 发件人: [email protected] [mailto:[email protected]] 代表 Nidayes 发送时间: 2009年1月6日 8:45 收件人: [email protected] 主题: [Ph4nt0m] Windows WorkStation Remote BufferOverflow(0day) http://www.friddy.cn/article.asp?id=66 作者:friddy 日期:2009-01-04 Microsoft Windows WorkStation 服务(windows xp sp3)存在栈溢出漏洞。 a5这个参数,由于在执行wcscpy的字符串拷贝前,没有校验字符串的长度,因此会诱发 栈缓冲区溢出(Stack Overflow) ,成功利用可以远程执行任意代码。 存在漏洞DLL 文件: wkssvc 或者 wkssvc.dll DLL 名称: Network Workstation service library 描述: wkssvc.dll是本地系统进行远程文件打印相关服务文件。 属于: Windows 系统 DLL文件: 是 分析如下(伪代码): /* Found by Friddy 12.25 Email:[email protected] <mailto:email%[email protected]> http://www.friddy.cn <http://www.friddy.cn/> */ DWORD __userpurge sub_76854A96<eax>(int a1<eax>, HLOCAL *a2<esi>, int a3, wchar_t *a4,wchar_t *a5,int a6, int a7, int a8) { int v8; // e...@1 int v9; // e...@1 HLOCAL v10; // e...@3 HLOCAL v11; // e...@4 HLOCAL v12; // e...@7 HLOCAL v13; // e...@7 int v15; // e...@4 int v16; // e...@4 int v17; // e...@4 char v18; // z...@4 wchar_t *v19; // st0...@5 v9 = a1; v8 = 0; if ( a4 ) v8 = *(_WORD *)(a7 + 2); v10 = LocalAlloc(0x40u, v8 + ((2 * v9 + 39) & 0xFFFFFFFE)); *a2 = v10; if ( v10 ) { *(_DWORD *)v10 = 0; v15 = a3; v16 = a8; *((_DWORD *)*a2 + 3) = v9; *((_DWORD *)*a2 + 4) = 1; *((_DWORD *)*a2 + 5) = v15; v17 = dword_7686F588; *((_DWORD *)*a2 + 6) = dword_7686F588; v18 = a4 == 0; *((_DWORD *)*a2 + 8) = v16; dword_7686F588 = (v17 + 1) & 0x7FFFFFFF; v11 = *a2; if ( v18 ) { *((_DWORD *)v11 + 2) = 0; *((_DWORD *)*a2 + 7) = 0; } else { v19 = a4; *((_DWORD *)v11 + 2) = (char *)v11 + 36; wcscpy(*((wchar_t **)*a2 + 2), v19); *((_DWORD *)*a2 + 7) = (unsigned int)(*a2 + 2 * v9 + 39) & 0xFFFFFFFE; 
/* ---- tail of sub_76854A96 (its head is on the previous line of this dump) ---- */
            wcscpy(*((wchar_t **)*a2 + 7), *(const wchar_t **)(a7 + 4));
        }
        /* No remote string supplied: slot [1] of the record stays zero (LMEM_ZEROINIT). */
        if ( !a5 )
            return 0;
        /* NOTE(review): this is a HEAP block, not a stack buffer (0x40 = LMEM_ZEROINIT).
         * Layout: [0]=1, [1]=a6, wide string from byte offset 8, i.e. 2*a6+4 bytes of
         * room for a6+2 wide chars including the terminator. */
        v12 = LocalAlloc(0x40u, 2 * a6 + 12);
        v13 = v12;
        if ( v12 )
        {
            /* The original annotation here read "stack overflow happens here"; it does not.
             * The destination is v12+8 inside the LocalAlloc'd block above. The copy stays
             * in bounds iff wcslen(a5) <= a6 + 1. a6 is taken from the caller unchecked;
             * scz reports that NetrUseAdd (not shown in this thread) passes a6 = wcslen(a5).
             * If a6 were ever taken from the client instead, both this copy and the size
             * arithmetic above would be unsafe -- verify in the caller, not here. */
            wcscpy((wchar_t *)v12 + 4, a5);
            *((_DWORD *)v13 + 1) = a6;
            *(_DWORD *)v13 = 1;
            *((_DWORD *)*a2 + 1) = v13;
            return 0;
        }
        /* Second allocation failed: release the first block. *a2 is left dangling
         * (not reset to NULL); the visible caller ignores a3 on a non-zero return. */
        LocalFree(*a2);
    }
    /* NOTE(review): read after LocalFree(), which may already have overwritten the code. */
    return GetLastError();
}
############################################################################
############################################################################
#######################################################
//----- (7685499D) --------------------------------------------------------
/*
 * sub_7685499D -- add a "use" record for caller a1 (wkssvc, IDA pseudocode).
 *
 * a1       key used by sub_76852B71 to find the per-caller slot index v15 in
 *          the table at dword_7686F3E0 (presumably a lookup; helper not shown).
 * a2       appears to be a handle: sub_76854A96 stores it in the new record,
 *          and every failure / refcount-only path closes it with NtClose().
 * a3       in: optional name (NULL allowed); out: the new record, written by
 *          sub_76854A96 through (HLOCAL *)&a3.
 * a4, a7, a8  forwarded unchanged to sub_76854A96.
 * a5, a6   remote string and its length, forwarded unchanged. This function
 *          neither computes nor validates a6 -- see the note at the call below.
 *
 * Returns 0 on success, 2140 (matches NERR_InternalError) if the exclusive
 * lock cannot be taken, else the error from sub_76852B71 / sub_76854A96.
 */
signed int __stdcall sub_7685499D(int a1, int a2, wchar_t *a3, int a4, wchar_t *a5, int a6, int a7, int a8)
{
    signed int v8; // e...@1
    DWORD v9; // e...@2
    wchar_t *v10; // e...@7
    int v12; // e...@21
    int v13; // [sp+14h] [bp-...@1  -- existing record for a5, if any (set by sub_76854B88, presumably)
    int v14; // [sp+10h] [bp-...@1  -- link field the new record is appended to (set by sub_76854B88)
    int v15; // [sp+Ch] [bp-...@2   -- slot index into dword_7686F3E0 (set by sub_76852B71)

    v8 = 0;
    v13 = 0;
    v14 = 0;
    /* Exclusive lock over the use table; every exit below releases it. */
    if ( !(unsigned __int8)RtlAcquireResourceExclusive(&unk_7686F3E4, 1) )
    {
        v8 = 2140;
        goto LABEL_18;
    }
    v9 = sub_76852B71((int)&dword_7686F3E0, a1, (int)&v15, 1);
    if ( v9 )
        goto LABEL_13;
    /* Slot already has a list: search it for a record matching a5 (presumably). */
    if ( *(_DWORD *)(dword_7686F3E0 + 12 * v15) )
        sub_76854B88(*(_DWORD *)(dword_7686F3E0 + 12 * v15), a5, (int)&v13, (int)&v14);
    if ( v13 )
    {
        /* Match found and no name on either side: bump both counts and succeed. */
        if ( !a3 && !*(_DWORD *)(v13 + 8) )
        {
            ++*(_DWORD *)(v13 + 16);
            ++**(_DWORD **)(v13 + 4);
            goto LABEL_17;
        }
        /* New record sharing the existing record's a5 block: a5/a6 are passed as 0/0,
         * so sub_76854A96 skips its second allocation and the wcscpy of a5 entirely. */
        v9 = sub_76854A96(a4, (HLOCAL *)&a3, a2, a3, 0, 0, a7, a8);
        if ( !v9 )
        {
            v12 = *(_DWORD *)(v13 + 4);
            v10 = a3;
            *((_DWORD *)a3 + 1) = *(_DWORD *)(v13 + 4);
            ++*(_DWORD *)v12;
            goto LABEL_8;
        }
LABEL_13:
        v8 = v9;
LABEL_17:
        RtlReleaseResource(&unk_7686F3E4);
LABEL_18:
        /* Reached on the refcount-only path and on all error paths; the success paths
         * below keep a2 because sub_76854A96 stored it in the record. */
        NtClose(a2);
        return v8;
    }
    /* No existing record: build a fresh one, including the copy of a5.
     * NOTE(review): the original annotation called this "the vulnerability trigger".
     * a5/a6 are forwarded exactly as received; whether a6 == wcslen(a5) holds is
     * decided by this function's caller (NetrUseAdd per scz, not in this thread). */
    v9 = sub_76854A96(a4, (HLOCAL *)&a3, a2, a3, a5, a6, a7, a8);
    if ( v9 )
        goto LABEL_13;
    v10 = a3;
LABEL_8:
    /* Link the record into the slot's list: after v14, or as the new list head. */
    if ( v14 )
        *(_DWORD *)v14 = v10;
    else
        *(_DWORD *)(dword_7686F3E0 + 12 * v15) = v10;
    RtlReleaseResource(&unk_7686F3E4);
    return 0;
}
--~--~---------~--~----~------------~-------~--~----~ 要向邮件组发送邮件,请发到 [email protected] 要退订此邮件,请发邮件至 [email
protected] -~----------~----~----~----~------~----~------~--~---

