Deep MS06-040 (5)

2 in-depth
-- Do not build a high platform in the sand float
Security Technology and reverse technology have always been inseparable. Both crack and hack are like the horse steps before the best practices. Just like the brave and brave man-in-law, the boring things behind the horse-training are hidden. behind all the beautiful exploits, there are countless sleepless nights staring at registers, without such training, it is like a high-end platform in the sand. It cannot be a long time.
2.1 first glance, RPC xuanjicang
Local overflow is used to learn technology and principles by yourself. The real effective attack is remote overflow on the network. Everyone knows that MS06-040 is so famous because it is a remote trigger vulnerability that can be called by RPC.
I have collected three versions of the currently popular Remote Overflow Code on the Internet. You can find these codes in the appendix.
If you are proficient in the network protocol, you can build your own data packet to overflow in the underlying analog RPC session as exploit in the appendix, but I haven't reached the operator realm in the matrix yet, looking at a bunch of binary strings, we can see that Nero is being served. In subsequent experiments in this chapter, we will use Microsoft's standard RPC call method to trigger this vulnerability.
Remote Procedure Call is a common technology in distributed computing. In msdn, the communication process between two computers is two forms: one is data exchange and the other is inter-process communication. RPC is the latter. To put it simply, RPC allows you to call a function in your program (which may require a large amount of computing), which is executed on another or multiple remote machines, after the execution, the result is returned to your machine for subsequent operations. Network operations during the call process are transparent to programmers. Calling this remote function in the Code is as convenient as calling a local printf (). You only need to define the interface, the RPC system will complete detailed issues such as connection establishment, session handshake, user verification, parameter transmission, and result return for you, so that programmers can pay more attention to program algorithms and logic, rather than network details.
What we need to do is the simplest client RPC call, define the interface file of the function we want to call, and then call the NetpwPathCanonicalize () function of the target host, according to our local overflow, the specially constructed string containing the shellcode is passed in, so the remote host will overflow when executing this function, and will execute our shellcode!
RPC client development process (from MSDN)
7. First, define the interface IDL file of the remote process. IDL is the Interface Deion Language, which is a Language specifically used to define interfaces. Friends who have programming with COM are certainly not unfamiliar with this stuff. In this file, we need to specify the RPC interface and the function information under this interface, including the function declaration and parameters. In addition, Microsoft's IDL is called MIDL and is compatible with the IDL standard.
After the defined IDL file interface is compiled by Microsoft's MIDL compiler, three files will be generated, one client stub (the Chinese character seems to be converted into a plug-in code), and the other server stub, there is also a header file called by RPC. Stub is responsible for all network operation details during the RPC call.
Include the generated RPC header file in your code. After adding the stub file to the project and link it with your code, you can call the function you specified on the remote machine.
Specifically, our IDL file is probably like this:
========================================================== ======================================
[
Uuid (\ "4b324fc8-1670-01d3-4268-5a47bf6ee188 \"),
Version (3.0 ),
Endpoint (\ "ncacn_np: [\\\\ pipe \\\ browser] \")
]
Interface browser
{
......
Long netpwpathcanonicalize (
Wchar_t * arg_00,
Wchar_t * arg_01,
[Size_is (arg_03)] char * arg_02,
[Range (0, 64000)] Long arg_03,
Wchar_t * arg_04,
[In, out] Long * arg_05,
Long arg_06
);
......
}
Code 5: IDL code snippet. For the complete code, see rpc_exploit_040.idl
The first part of IDL is to define the header used for the interface. You must specify the uuid and endpoint. In short, UUID is used to specify a unique interface. The netpwpathcanonicalize () function we want to call is in the SRVSVC interface. The technical materials for these interfaces are relatively small. I found them only by referring to the Windows Network Programming technical materials above Samba. If you want to write a network program, you may need to often go to the http://www.samba.org to check the relevant interface information. On
On the samba FTP (http://samba.org/ftp/unpacked/samba4/source/librpc/idl/srvsvc.idl
Download the interface definition file srvsvc. IDL, which defines all function information that can be called under srvsvc. In addition, I have also sorted out some other RPC interface materials and put them in additional materials for you to enjoy.
It is worth mentioning that when the RPC system maps a specific function to a remote interface, it locates the function in the sequence defined by the function in IDL, rather than the function name! Looking at rpc_exploit_040.idl in the attachment, you will find that I have defined 0x1e functions randomly before the function definition actually used, to ensure that our function is at 0x1f.
In addition to IDL, I also used an ACF file to specify a handle. You can use the midl compiler to compile the two interface definition files rpc_exploit_040.acf and rpc_exploit_040.idl. This compiler is included in the vc6.0 component and used in the command line. After setting the correct path, enter the command:
Midl/ACF rpc_exploit_040.acf rpc_exploit_040.idl
After compilation is successful, three files are generated in the current path:
Rpc_exploit_040_s.c RPC server stub (pile)
Rpc_exploit_040_c.c RPC client stub (pile)
Rpc_exploit_040.h RPC header file
Add two stubs to the project, the header file include, and link with the program that calls the remote function. Then you can try to call the netpwpathcanonicalize () function of the remote host. You can refer to the rpc_exploit_040.c code in the appendix below to experience the remote call feeling.
Note that the netpwpathcanonicalize () function defined in IDL has an extra parameter arg_00 than the function we used in the local overflow experiment in the previous chapter. This parameter is added by RPC and will not be passed to the netpwpathcanonicalize () function in netapi32.dll. You can leave it blank when using this parameter without affecting our experiment.
2.2 hacking, remote attack
After reading network programming in the previous section, I believe you can't wait to send our shellcode to a remote machine and try to see if MessageBoxA can be generated. But first there must be a host under attack. In fact, my target has been patched, but I can't help but remove the hard disk and attach it to another machine, use netapi32.dll with the vulnerability in the backup to replace the patched DLL in system32 and the system32 \ dllcache directory, which is an environment for debugging.
Slightly modify the code in the previous chapter of local overflow and change it to RPC call. As a result, the target did not pop up as we expected, but crashed and restarted!
An error occurred while executing the remote shellcode.
Think about what's going on? The following figure shows an exception in services.exe. Attach VC6.0 and OLLYDBG to the target, attach them to the service process using OLLYDBG, ctr + g to the entry of NetpwPathCanonicalize (), and press the next breakpoint of F2, in this way, you can debug it on a remote machine.
It is not difficult to find that the problem lies in the address of the two functions called in shellcode. I used XP SP2 for debugging and WIN2000 SP4 for the target, whether user32.dll or kernel. dll is far behind, so you need to recalculate the function address, for example, in my experiment environment:
Function Name base address (2000) offset (2000) RVA (2000) RVA (XP)
Beep 0x700000000 0x0000D4E1 0x70000d4e1 0x7C837A77
MessageBoxA 0x77E10000 0x00003D81 0x77E13D81 0x77D504EA
ExitProcess 0x700000000 0x000269DA 0x7C5969DA 0x7C81CDDA
Modify the function address at the corresponding location in shellcode. Send it out now! At that time, when I clicked an exclamation mark in VC, It was like xingya's feeling of shooting yellow arrows in Boston, filled with good and beautiful expectations, carrying the important task of maintaining world peace, let it run for the sake of freedom and for the sake of love and for the sake of friends.
Unfortunately, the target did not bring up the desired BOX, but it did not restart as if the previous attack failed. If you have a sound card connected to a sound card, you should be able to hear the familiar "Dong" sound when MessageBox pops up; if you do not have a sound card, the motherboard will also be "yellow. Using OLLYDBG for tracking and debugging, we found that the Program executed the call ecx when the function was returned as we designed, and then followed the shellcode. However, when the call MessageBoxA was reached, the program could not be returned, the program is suspended. I tracked the MessageBoxA call to the bottom layer, probably because of a problem when obtaining the top window handle. The process of service.exe in the target's task manager will continuously increase memory usage, and the process will also be "choppy" or "Didi ".
Why? I think this phenomenon can be explained as follows: from our excellent process, service.exe is a service that does not deal with user interfaces. Before a user logs on to the operating system, it has started to run in the background, although it also loads user32.dll, it cannot even know which user's desktop to pop the box to when the UI is actually involved. So here we have actually succeeded in the attack, and MessageBox is a solid pop-up. Then, "Dong" or "Xiao" can testify, and the system does not crash to testify. Memory regularly increases memory usage.
In summary, combined with the RPC call programming and the technology in the local overflow experiment, we can have the remote target machine execute arbitrary code (although only the sound is heard and no frame is displayed ).
2.3 trace the snow, and the Register status is restored.
If you are a real hacker, the most important thing for you is to quietly control it, not to destroy it with a knife. Recall that our shellcode called exit (logout) When exiting. If service.exe exits, what will happen to the operating system? In the previous section, the system did not crash because the program stops calling MessageBoxA and waits for us to click the "OK" button. It would be strange if the system does not crash.
I believe that you will not be willing to defend against an attack that fails to exit normally, this is like a thief who is not as professional as the guy in crazy rock who grabs the bread with his hair. Professional intrusion should "sneak into the night with the wind, clean and smooth ". Next, let's talk about how to restore the normal execution of the original process after the overflow ends, so that shellcode can be traced!
Function return is implemented through the EBP, EIP, and ESP of three important registers at ret, as long as the content of these three registers is restored at the end of shellcode, so that the function can return normally.
Let's take a look at the overflow of these registers:
EBP refers to the stack bottom of the previous call, which is damaged when overflow occurs.
The EIP points to the address of the next instruction of the function call. we replace it with the address of call ecx.
ESP refers to the top stack of the previous call, which is not damaged in exploit of this experiment.
The next instruction address of the function call is 0x7517F85B in OLLYDBG. This is the dead address in the DLL code segment. It allows the last command of shellcode to pass through jmp directly.
The recovery of EBP is a little more complex. Although the addresses at the top and bottom of the stack are dynamic and each call is different, the size of the stack space opened by the previous function is certain, depending on the internal variable size of the function. That is to say, although each call of EBP and ESP is different, the difference between EBP and ESP is certainly the same in each call, and ESP is not damaged here, we can calculate the value of EBP through the value of ESP and the size of stack space, and restore this value before shellcode exits.
After the analysis, debug it several times with OLLYDBG to check the relationship between EBP and ESP. Then you can modify the shellcode.
As a problem occurs when calling a graphical function, here we change the function call in shellcode, that is, the BEEP () function. This is a function in kernel32.dll. It uses the piezoelectric ceramic chip sound function on the motherboard. That is to say, no matter whether you have a sound card or a horn, it will use the chassis to "beep, those who are familiar with DOS are familiar with this function. In those days, sound cards and audios were far away from computers. This function has two parameters, one for the frequency of the voice, and the other for the duration of the voice. If you have never used msdn, do not set the frequency to something your ears cannot hear.
Finally, the shellcode I wrote to allow the remote host to "Abort" and return normally is as follows:
========================================================== ====================================
# Include
Int main ()
{
_ ASM {
MoV EBP, ESP
Add bp, 0x10 // recover EBP
Pop ECx
Push EBP
MoV EBP, ESP
Sub sp, 0x444
Push eax
XOR eax, eax
MoV ax, 0x444
Push eax
XOR eax, eax
MoV ax, 0x444
Push eax
MoV eax, 0x7c837a77
Call eax // call beep
Pop eax
Add SP, 0x444
Pop ebp
Mov ecx, 0x7517F85B
Jmp ecx
}
}
Code 6: shellcode_beep.c
Pay attention to the relationship between function addresses and platforms. After compilation, the shellcode is put into the exploit on the front. The rest is that the remote host is "stolen!
In the attachment, I also provided two MS06-040 scanners I found, which were produced by EEYE and Venus respectively. You can try to find out if there are any friends around you who have this vulnerability, then we can use our experimental program "submit" him. You can also change the tone or time of the "voice", or even let your friend's machine "voice" a song based on the Exponential Relationship Between the half sounds, show off our research results. Don't forget to kindly remind him to patch it.
By now, all the seven experiments in this article have been completed. I have learned the meaning of the first sentence from my friends.
To be the apostrophe which changed \ "Impossible \" into \ "I'm possible \"
If you have enough perseverance and practical technology, many Impossible in the window will become I'm possible, and the difference between the two is often so clever! This ingenuity is the foundation of my favorite technology.