[Analysis] Serv-U "MDTM" command remote overflow analysis

Creation time: 2004-03-05

Article properties: reprint

Article submission: PEAK (pe4k_at_eyou.com)

Serv-U "MDTM" command remote overflow analysis

Czy, 2004-02-29

On February 27th I saw this vulnerability announcement on SecurityFocus. It states clearly that you must have a valid user account and password to exploit it, and that you do not need write or any other privilege.

This is no less harmful than the earlier Serv-U SITE CHMOD hole, and I think a great many movie sites run Serv-U...

Without further ado, the following analysis is based on Serv-U Server version 4.0.0 and covers only the overflow in the "MDTM" command.

In fact, when Serv-U handles the MDTM command it checks lengths in many places, but there is one place it missed, and that is where our chance comes :-)

The call relationships around the vulnerable function are as follows:

loc_434748 [0]
  |
  call loc_41FAE8 [1]
  |
  |__ call sub_59BFB8 (strncpy)
  |__ call sub_4422A4
  |
  |__ jmp sub_41FBB6 [2]
  |
  |__ call sub_59BEB1
  |__ call sub_59BDA4 (strlen)
  |__ call sub_59BFB8 (strncpy) \ called six times, to put year, month, day, hour,
  |__ call sub_5A4008          / minute and second into variables
  ...
  |__ loc_41FD99 [3]
  |__ loc_41FDC3 (strcpy) [4]  the hole is here: overwrites the address of the program's own exception handler
  |__ loc_41FE16
  |__ loc_41FE30 [5]
  |
  |__ call sub_59BDA4 (strlen)
  |__ call sub_59BC1C (strncpy)  triggers the program's exception handling

[0] Check whether this is the "MDTM" command

.text:00434748 loc_434748:                     ; CODE XREF: .text:0043473A
.text:00434748 push    4                       ; compare four bytes
.text:0043474A push    edi                     ; edi holds the address of the command string
.text:0043474B lea     eax, [esi+354h]
.text:00434751 push    eax                     ; entry from the command table
.text:00434752 call    near ptr unk_59C008     ; equivalent to strncmp
.text:00434757 add     esp, 0Ch
.text:0043475A test    eax, eax
.text:0043475C jnz     short loc_43476D        ; not MDTM: compare with the next command
.text:0043475E push    edi                     ; second parameter: the address of the command string
.text:0043475F push    ebx
.text:00434760 call    loc_41FAE8              ; it is MDTM: call the MDTM handler
.text:00434765 add     esp, 8
.text:00434768 jmp     loc_434AC7

[1] The function that actually handles the MDTM command

.text:0041FAE8 sub_41FAE8 proc near            ; CODE XREF: sub_434244+51Cp
.text:0041FAE8 push    ebp
.text:0041FAE9 mov     ebp, esp
.text:0041FAEB add     esp, 0FFFFF004h         ; allocate space for local variables
.text:0041FAF1 push    eax
.text:0041FAF2 add     esp, 0FFFFFC74h         ; allocate space for local variables
.text:0041FAF8 mov     eax, offset unk_59C243  ; important: entry of the program's own exception handler
.text:0041FAFD xor     edx, edx
.text:0041FAFF push    ebx
.text:0041FB00 push    esi
.text:0041FB01 push    edi
.text:0041FB02 mov     ebx, [ebp+8]            ; first parameter
.text:0041FB05 mov     dword ptr [ebp-4Ch], offset unk_5B8520
.text:0041FB0C mov     [ebp-48h], esp
.text:0041FB0F mov     [ebp-50h], eax          ; second member of the ERR structure:
                                               ; the program's own exception handler
.text:0041FB12 mov     word ptr [ebp-44h], 0
.text:0041FB18 mov     [ebp-38h], edx
.text:0041FB1B mov     ecx, large fs:0         ; important: fetch the address of the current ERR structure
.text:0041FB22 mov     [ebp-54h], ecx          ; becomes the first member of the new ERR structure
.text:0041FB25 lea     eax, [ebp-54h]          ; address of this ERR structure (017AD280)
.text:0041FB28 mov     large fs:0, eax         ; install it in fs:[0]: if this code raises an
                                               ; exception, the function at ebp-50 is executed
.text:0041FB2E mov     byte ptr [ebp-55h], 0
.text:0041FB32 mov     byte ptr [ebp-56h], 0

The normal stack of the program looks like this:

EBP-56  017AD27E  00
EBP-55  017AD27F  00
EBP-54  017AD280  40  \
EBP-53  017AD281  E2   | 017AE240: pointer to the next ERR structure in the SEH chain
EBP-52  017AD282  7A   |
EBP-51  017AD283  01  /
EBP-50  017AD284  43  \
EBP-4F  017AD285  C2   | 0059C243: entry of the program's own exception handler
EBP-4E  017AD286  59   |
EBP-4D  017AD287  00  /

.text:0041FB36 xor     edx, edx
.text:0041FB38 mov     [ebp-74h], edx
.text:0041FB3B mov     [ebp-70h], edx
.text:0041FB3E mov     [ebp-6Ch], edx
.text:0041FB41 mov     [ebp-68h], edx
.text:0041FB44 mov     [ebp-64h], edx
.text:0041FB47 mov     [ebp-60h], edx
.text:0041FB4A mov     [ebp-5Ch], edx          ; local variables initialised to 0
.text:0041FB4D push    7FFh
.text:0041FB52 mov     eax, [ebp+0Ch]          ; second parameter: the address of the command string
.text:0041FB55 add     eax, 4                  ; skip the "MDTM" at the start of the command string
.text:0041FB58 push    eax
.text:0041FB59 lea     ecx, [ebp-9FCh]
.text:0041FB5F push    ecx
.text:0041FB60 call    sub_59BFB8              ; copy the rest of the command into the local variable
                                               ; at ebp-9FCh, at most 7FFh bytes (under 2 KB)
.text:0041FB65 add     esp, 0Ch
.text:0041FB68 lea     eax, [ebp-9FCh]
.text:0041FB6E mov     byte ptr [ebp-1FDh], 0
.text:0041FB75 push    eax
.text:0041FB76 call    sub_4422A4              ; trim the string further: the space between MDTM and
                                               ; its argument, and the carriage return after the command;
                                               ; then check whether the command is empty
.text:0041FB7B cmp     byte ptr [ebp-9FCh], 0
.text:0041FB82 pop     ecx
.text:0041FB83 jnz     short loc_41FBB6        ; not empty: continue

[2] Checks on the time and the time zone

.text:0041FBB6 loc_41FBB6:                     ; CODE XREF: sub_41FAE8+9Bj
.text:0041FBB6 push    20h
.text:0041FBB8 lea     edx, [ebp+var_9FC]      ; ebp-9FC holds the whole command
.text:0041FBBE push    edx
.text:0041FBBF call    sub_59BEB1              ; look for the space in the command; its address is
                                               ; stored in ebp-78, i.e. this locates the file name
.text:0041FBC4 add     esp, 8
.text:0041FBC7 mov     [ebp+var_78], eax
.text:0041FBCA test    eax, eax
.text:0041FBCC jz      loc_41FE6D              ; no space, so no file name: jump ahead; that path
                                               ; handles a plain "mdtm autoexec.bat" query of the file time
.text:0041FBD2 lea     edx, [ebp+var_9FC]
.text:0041FBD8 push    edx
.text:0041FBD9 call    sub_59BDA4              ; get the length of the command
.text:0041FBDE pop     ecx
.text:0041FBDF cmp     eax, 10h                ; command shorter than 16 bytes: jump
.text:0041FBE2 jb      loc_41FE6D
.text:0041FBE8 lea     ecx, [ebp+var_9FC]
.text:0041FBEE mov     eax, [ebp+var_78]
.text:0041FBF1 sub     eax, ecx                ; length of the time part; nothing wrong here
.text:0041FBF3 cmp     eax, 0Eh
.text:0041FBF6 jl      loc_41FE6D              ; must be at least 14 bytes
.text:0041FBFC mov     [ebp+var_88], 1
.text:0041FC06 xor     edi, edi
.text:0041FC08 lea     esi, [ebp+var_9FC]
.text:0041FC0E loc_41FC0E:                     ; CODE XREF: sub_41FAE8+141j
.text:0041FC0E movsx   eax, byte ptr [esi]
.text:0041FC11 push    eax
.text:0041FC12 call    sub_5A1304
.text:0041FC17 pop     ecx
.text:0041FC18 test    eax, eax
.text:0041FC1A jnz     short loc_41FC24
.text:0041FC1C xor     edx, edx
.text:0041FC1E mov     [ebp+var_88], edx
.text:0041FC24 loc_41FC24:                     ; CODE XREF: sub_41FAE8+132j
.text:0041FC24 inc     edi
.text:0041FC25 inc     esi
.text:0041FC26 cmp     edi, 0Eh
.text:0041FC29 jl      short loc_41FC0E
.text:0041FC2B cmp     [ebp+var_88], 0
.text:0041FC32 jz      loc_41FD99              ; check that the first 14 characters of the time
                                               ; are digits; if not, jump to 41FD99
; -----------------------

.text:0041FC38 push    4
.text:0041FC3A lea     ecx, [ebp+var_9FC]
.text:0041FC40 push    ecx
.text:0041FC41 lea     eax, [ebp+var_84]
.text:0041FC47 push    eax
.text:0041FC48 call    sub_59BFB8
.text:0041FC4D add     esp, 0Ch
.text:0041FC50 lea     edx, [ebp+var_84]
.text:0041FC56 mov     [ebp+var_80], 0
.text:0041FC5A push    edx
.text:0041FC5B call    sub_5A4008
.text:0041FC60 pop     ecx
.text:0041FC61 mov     [ebp+var_5C], eax
.text:0041FC64 push    2
.text:0041FC66 lea     ecx, [ebp+var_9F8]
.text:0041FC6C push    ecx
.text:0041FC6D lea     eax, [ebp+var_84]
.text:0041FC73 push    eax
.text:0041FC74 call    sub_59BFB8
.text:0041FC79 add     esp, 0Ch
.text:0041FC7C lea     edx, [ebp+var_84]
.text:0041FC82 mov     [ebp+var_82], 0
.text:0041FC89 push    edx
.text:0041FC8A call    sub_5A4008
.text:0041FC8F pop     ecx
.text:0041FC90 mov     [ebp+var_60], eax
.text:0041FC93 push    2
.text:0041FC95 lea     ecx, [ebp+var_9F6]
.text:0041FC9B push    ecx
.text:0041FC9C lea     eax, [ebp+var_84]
.text:0041FCA2 push    eax
.text:0041FCA3 call    sub_59BFB8
.text:0041FCA8 add     esp, 0Ch
.text:0041FCAB lea     edx, [ebp+var_84]
.text:0041FCB1 mov     [ebp+var_82], 0
.text:0041FCB8 push    edx
.text:0041FCB9 call    sub_5A4008
.text:0041FCBE pop     ecx
.text:0041FCBF mov     [ebp+var_64], eax
.text:0041FCC2 push    2
.text:0041FCC4 lea     ecx, [ebp+var_9F4]
.text:0041FCCA push    ecx
.text:0041FCCB lea     eax, [ebp+var_84]
.text:0041FCD1 push    eax
.text:0041FCD2 call    sub_59BFB8
.text:0041FCD7 add     esp, 0Ch
.text:0041FCDA lea     edx, [ebp+var_84]
.text:0041FCE0 mov     [ebp+var_82], 0
.text:0041FCE7 push    edx
.text:0041FCE8 call    sub_5A4008
.text:0041FCED pop     ecx
.text:0041FCEE mov     [ebp+var_68], eax
.text:0041FCF1 push    2
.text:0041FCF3 lea     ecx, [ebp+var_9F2]
.text:0041FCF9 push    ecx
.text:0041FCFA lea     eax, [ebp+var_84]
.text:0041FD00 push    eax
.text:0041FD01 call    sub_59BFB8
.text:0041FD06 add     esp, 0Ch
.text:0041FD09 lea     edx, [ebp+var_84]
.text:0041FD0F mov     [ebp+var_82], 0
.text:0041FD16 push    edx
.text:0041FD17 call    sub_5A4008
.text:0041FD1C pop     ecx
.text:0041FD1D mov     [ebp+var_6C], eax
.text:0041FD20 push    2
.text:0041FD22 lea     ecx, [ebp+var_9F0]      ; position of the field inside the command
.text:0041FD28 push    ecx
.text:0041FD29 lea     eax, [ebp+var_84]       ; address of the temporary variable
.text:0041FD2F push    eax
.text:0041FD30 call    sub_59BFB8
.text:0041FD35 add     esp, 0Ch
.text:0041FD38 lea     edx, [ebp+var_84]
.text:0041FD3E mov     [ebp+var_82], 0
.text:0041FD45 push    edx
.text:0041FD46 call    sub_5A4008              ; convert the string to a number
.text:0041FD4B pop     ecx
.text:0041FD4C mov     [ebp+var_70], eax
; -------------- The code above puts the year, month, day, hour, minute and second into
; variables, as follows:

Year    EBP-5C
Month   EBP-60
Day     EBP-64
Hour    EBP-68
Minute  EBP-6C
Second  EBP-70

; Check that the time is valid
.text:0041FD4F cmp     [ebp+var_5C], 7BCh
.text:0041FD56 jl      short loc_41FD91        ; year below 1980: jump
.text:0041FD58 cmp     dword ptr [ebp-5Ch], 81Bh
.text:0041FD5F jg      short loc_41FD91        ; year above 2075: jump
.text:0041FD61 cmp     dword ptr [ebp-60h], 1
.text:0041FD65 jl      short loc_41FD91
.text:0041FD67 cmp     dword ptr [ebp-60h], 0Ch
.text:0041FD6B jg      short loc_41FD91        ; month must be 1-12
.text:0041FD6D cmp     dword ptr [ebp-64h], 1
.text:0041FD71 jl      short loc_41FD91
.text:0041FD73 cmp     dword ptr [ebp-64h], 1Fh
.text:0041FD77 jg      short loc_41FD91        ; day can only be 1-31
.text:0041FD79 cmp     dword ptr [ebp-6Ch], 0
.text:0041FD7D jl      short loc_41FD91
.text:0041FD7F cmp     dword ptr [ebp-6Ch], 3Bh
.text:0041FD83 jg      short loc_41FD91
.text:0041FD85 cmp     dword ptr [ebp-70h], 0
.text:0041FD89 jl      short loc_41FD91
.text:0041FD8B cmp     dword ptr [ebp-70h], 3Bh ; minutes and seconds can only be 0-59
.text:0041FD8F jle     short loc_41FD99        ; time is valid: jump to 41FD99

[3] Decide whether a time zone follows the time

.text:0041FD99 loc_41FD99:                     ; CODE XREF: sub_41FAE8+14Aj
.text:0041FD99                                 ; sub_41FAE8+2A7j
.text:0041FD99 cmp     [ebp+var_88], 0
.text:0041FDA0 jz      loc_41FE30              ; for a command like "MDTM 200201112233 111 AUTEXEC.BAT" this does not jump
.text:0041FDA6 movsx   eax, [ebp+var_9EE]      ; the character right after the time, i.e. the start of the time zone
.text:0041FDAD cmp     eax, 20h
.text:0041FDB0 jz      short loc_41FE1C        ; a space
.text:0041FDB2 movsx   eax, [ebp+var_9EE]
.text:0041FDB9 cmp     eax, 2Dh
.text:0041FDBC jz      short loc_41FDC3        ; a minus sign!
.text:0041FDBE cmp     eax, 2Bh
.text:0041FDC1 jnz     short loc_41FE1C        ; not a plus sign either: jump to 41FE1C; a plus sign falls through!

[4] The time zone starts with a sign

.text:0041FDC3 loc_41FDC3:
.text:0041FDC3 xor     edi, edi
.text:0041FDC5 lea     eax, [ebp+var_84]       ; destination for the time-zone bytes (ebp-84)
.text:0041FDCB lea     esi, [ebp+var_9EE]      ; address of the sign character
.text:0041FDD1 jmp     short loc_41FDDA
.text:0041FDD3 loc_41FDD3:
.text:0041FDD3 mov     dl, [esi]
.text:0041FDD5 inc     edi                     ; edi counts the bytes copied
.text:0041FDD6 mov     [eax], dl
.text:0041FDD8 inc     eax
.text:0041FDD9 inc     esi
.text:0041FDDA loc_41FDDA:
.text:0041FDDA movsx   ecx, byte ptr [esi]
.text:0041FDDD cmp     ecx, 20h
.text:0041FDE0 jnz     short loc_41FDD3        ; loop until a space is found
; ---------------------- This is the vulnerable code. The program intends to put the four bytes of
; the time zone (sign and digits) into the variable at ebp-84, but it never checks the length, so
; the copy does not stop at ebp-84: with an over-long string it also overwrites ebp-78, ebp-54 and
; the other variables above it!
.text:0041FDE2 mov     [ebp+edi+var_84], 0     ; edi is the length of the copied string; terminate it here
.text:0041FDEA lea     eax, [ebp+var_84]
.text:0041FDF0 push    eax
.text:0041FDF1 call    sub_5A4008
.text:0041FDF6 pop     ecx
.text:0041FDF7 mov     [ebp+var_74], eax
.text:0041FDFA cmp     [ebp+var_74], 0FFFFFC18h ; is the converted time-zone offset below -1000?
.text:0041FE01 jl      short loc_41FE0C
.text:0041FE03 cmp     [ebp+var_74], 3E8h
.text:0041FE0A jle     short loc_41FE16        ; or above 1000?
.text:0041FE0C loc_41FE0C:
.text:0041FE0C xor     eax, eax
.text:0041FE0E mov     [ebp+var_88], eax
.text:0041FE14 jmp     short loc_41FE30
.text:0041FE16 loc_41FE16:
.text:0041FE16 mov     [ebp+var_56], 1         ; set ebp-56 to 1
.text:0041FE1A jmp     short loc_41FE30
.text:0041FE1C loc_41FE1C:
.text:0041FE1C movsx   edx, [ebp+var_9EE]
.text:0041FE23 cmp     edx, 20h
.text:0041FE26 jz      short loc_41FE30
.text:0041FE28 xor     ecx, ecx
.text:0041FE2A mov     [ebp+var_88], ecx

[5] Copy the file name into the variable so its time can be changed

.text:0041FE30 loc_41FE30:
.text:0041FE30 cmp     [ebp+var_88], 0         ; ebp-88 is 0 when the offset was out of range: jump
.text:0041FE37 jz      short loc_41FE6D
.text:0041FE39 mov     [ebp+var_55], 1
.text:0041FE3D lea     eax, [ebp+var_9FC]      ; get the length of the command
.text:0041FE43 push    eax
.text:0041FE44 call    sub_59BDA4
.text:0041FE49 pop     ecx
.text:0041FE4A inc     eax
.text:0041FE4B push    eax                     ; number of bytes to copy
.text:0041FE4C mov     edx, [ebp+var_78]       ; ebp-78 holds the file name pointer
.text:0041FE4F inc     edx
.text:0041FE50 push    edx
.text:0041FE51 lea     ecx, [ebp+var_9FC]      ; the command buffer, now used as the copy destination
.text:0041FE57 push    ecx
.text:0041FE58 call    sub_59BC1C
.text:0041FE5D add     esp, 0Ch
.text:0041FE60 lea     eax, [ebp+var_9FC]
.text:0041FE66 push    eax
.text:0041FE67 call    sub_4422A4
.text:0041FE6C pop     ecx
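To make the missing check in [4] concrete, here is an added C example written for this page (it is not Serv-U's code): a parser for the argument of a set-time MDTM command that mirrors the checks seen in the 4.0.0 listing and then bounds the time-zone copy that loc_41FDC3 performs without any length check. The names mdtm_parse and mdtm_req, the five-byte time-zone budget and the hour range check are assumptions of this example, not taken from the disassembly.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parsed "YYYYMMDDHHMMSS[+-TZ] filename" argument of a set-time MDTM command. */
struct mdtm_req {
    int year, month, day, hour, minute, second, tz;
    const char *filename;            /* points into the caller's buffer */
};

/* Returns 1 when the argument is well-formed, 0 when it must be rejected.
 * Mirrors the 4.0.0 checks (length >= 16, 14 digits, year 1980..2075,
 * month 1..12, day 1..31, minute/second 0..59, zone -1000..1000) and adds
 * the length check that is missing before the copy loop at loc_41FDC3. */
int mdtm_parse(const char *arg, struct mdtm_req *r)
{
    char tz[5 + 1];                  /* sign plus up to four digits (assumed budget) */
    const char *sp = strchr(arg, ' ');
    size_t i, n;
    if (sp == NULL || strlen(arg) < 16 || sp - arg < 14)
        return 0;
    for (i = 0; i < 14; i++)         /* the first 14 characters must be digits */
        if (!isdigit((unsigned char)arg[i]))
            return 0;
    if (sscanf(arg, "%4d%2d%2d%2d%2d%2d", &r->year, &r->month, &r->day,
               &r->hour, &r->minute, &r->second) != 6)
        return 0;
    if (r->year < 1980 || r->year > 2075 || r->month < 1 || r->month > 12 ||
        r->day < 1 || r->day > 31 || r->hour > 23 ||  /* hour bound is an addition */
        r->minute > 59 || r->second > 59)
        return 0;
    r->tz = 0;
    if (arg[14] == '+' || arg[14] == '-') {
        n = (size_t)(sp - (arg + 14)); /* bytes of the zone token up to the space */
        if (n >= sizeof tz)            /* the check Serv-U 4.0.0 lacks */
            return 0;
        memcpy(tz, arg + 14, n);
        tz[n] = '\0';
        r->tz = atoi(tz);
        if (r->tz < -1000 || r->tz > 1000)
            return 0;
    } else if (arg[14] != ' ') {
        return 0;                    /* only a space, '+' or '-' may follow the time */
    }
    r->filename = sp + 1;
    return *r->filename != '\0';
}
```

An over-long sign-prefixed zone token is rejected before a single byte is copied, which is the bound the original loop lacked; the query-only "MDTM filename" form is out of scope here and returns 0.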

Q & A:

[1] Why is an exception raised in loc_41FE30?

Because the variable at EBP-78 is supposed to hold the address of the file whose time is to be changed, but the copy at LOC_41FDC3 into the variable at EBP-84 overwrites it. If we enter the command

mdtm 20020102112233 Aaaaaaaaaaaaaaaaaaaaaaaaa /autoexec.bat

then the value of EBP-78 becomes 61616161, an address that cannot be accessed, so of course an exception is raised.

[2] How do we get code executed after the exception?

At the beginning of the analysis we saw that the program's normal exception handler entry lives in EBP-50, so we only need to put the address of a piece of code containing JMP EBX into EBP-50, and put NOP NOP JMP 6 (9090EB04) into EBP-54.

[3] How many A's need to be sent? Is it enough to overwrite just EBP-50 and EBP-54?

84H - 54H = 30H = 48D

[4] Still don't know how to use SEH to run shellcode?

Using SEH to execute shellcode:

http://www.nsfocus.net/index.php?act=magazine&do=view&mid=1964

Thanks: SCZ, T0MBKEEPER, EYAS, etc. ... too many to list ...

Tools: IDA, SoftICE, WDASM32, TRW

Reprints should credit the original address: https://www.9cbs.com/read-40997.html