Httpdx 1.5.4 Remote HTTP Server Denial of Service Vulnerability Analysis

Source: Internet
Author: kindsjay
1. Debugging environment:

(figure)
2. Vulnerability description and POC:
Httpdx does not properly process wildcards. A remote attacker can submit a malicious GET request that causes the application to crash.
http://www.exploit-db.com/exploits/19988/

 
3. Vulnerability analysis:
3.1. Locating the problem function:
A: Start httpdx on the server, attach OllyDbg (OD), run the POC from the client, then pause OD (figure).

B: View the call stack information.

C: Go directly to the function httpdx.00402ff0 and set a breakpoint on it.




D: Restart and reload httpdx, run the POC, and execution stops at 00402FF0 (the breakpoint just set). Step over with F8 and view the stack information (figure).

The problem may be caused by httpdx.0040845B.
E: In the disassembly window, follow to 0040845B (figure).





F: After many reloads in OD, we reach the key instruction (00407E95).



Note: with the breakpoint at 0040845B, you can see that it lies inside a large function body, and the view has to be scrolled up several times.







Next, the vulnerability itself is analyzed.
 
3.2. Vulnerability analysis:

I first used IDA to obtain rough decompiled pseudocode.

(Many variable declarations omitted: dozens of lines)

(Dozens more lines omitted)

The key is to understand several points.
First:
00407D29 |. C785 00D4FFFF> | mov dword ptr [ebp-2C00], 0; initial value of the loop counter
00407D33 |> 8B85 04D4FFFF |/mov eax, dword ptr [ebp-2BFC]
00407D39 |. C1E0 0C | shl eax, 0C; left shift
00407D3C |. 0385 00D4FFFF | add eax, dword ptr [ebp-2C00]
00407D42 |. 8D55 E8 | lea edx, dword ptr [ebp-18]
00407D45 |. 01D0 | add eax, edx
00407D47 |. 2D E02B0000 | sub eax, 2BE0
00407D4C |. 8038 00 | cmp byte ptr [eax], 0
00407D4F |. 0F84 99010000 | je 00407EEE
00407D55 |. 8B85 04D4FFFF | mov eax, dword ptr [ebp-2BFC]
00407D5B |. C1E0 0C | shl eax, 0C; left shift
00407D5E |. 0385 00D4FFFF | add eax, dword ptr [ebp-2C00]
00407D64 |. 8D55 E8 | lea edx, dword ptr [ebp-18]
00407D67 |. 01D0 | add eax, edx
00407D69 |. 2D E02B0000 | sub eax, 2BE0
00407D6E |. 0FB600 | movzx eax, byte ptr [eax]
00407D71 |. 8885 AEBFFFFF | mov byte ptr [ebp + FFFFBFAE], al
00407D77 |. 80BD AEBFFFFF> | cmp byte ptr [ebp + FFFFBFAE], 3E
00407D7E |. 7F 20 | jg short 00407DA0
00407D80 |. 80BD AEBFFFFF> | cmp byte ptr [ebp + FFFFBFAE], 3C
00407D87 |. 7D 28 | jge short 00407DB1
00407D89 |. 80BD AEBFFFFF> | cmp byte ptr [ebp + FFFFBFAE], 26
00407D90 |. 74 1F | je short 00407DB1
00407D92 |. 80BD AEBFFFFF> | cmp byte ptr [ebp + FFFFBFAE], 2A
00407D99 |. 74 16 | je short 00407DB1
00407D9B |. E9 41010000 | jmp 00407EE1
00407DA0 |> 0FB685 AEBFFF> | movzx eax, byte ptr [ebp + FFFFBFAE]
00407DA7 |. 2C 7B | sub al, 7B
00407DA9 |. 3C 02 | cmp al, 2
00407DAB |. 0F87 30010000 | ja 00407EE1
00407DB1 |> 8DBD E8D3FFFF | lea edi, dword ptr [ebp-2C18]; replace * with \x2a
 
The highlighted part identifies the characters * (2A), & (26), < (3C) and > (3E) in the POC, which are replaced with the text \x2a.
That is, the code continues as follows:
00407DFF |. 8D85 E8D3FFFF | lea eax, dword ptr [ebp-2C18]; |
00407E05 |. 890424 | mov dword ptr [esp], eax; |
00407E08 |. E8 63ED0000 | call <jmp.&msvcrt.strlen>; |||| \ strlen
00407E0D |. 8985 E4D3FFFF | mov dword ptr [ebp-2C1C], eax; | len Length
00407E13 |. 8D95 08D4FFFF | lea edx, dword ptr [ebp-2BF8]; |
00407E19 |. 8B85 04D4FFFF | mov eax, dword ptr [ebp-2BFC]; |
00407E1F |. C1E0 0C | shl eax, 0C; |
00407E22 |. 8D0402 | lea eax, dword ptr [edx + eax]; |
00407E25 |. 890424 | mov dword ptr [esp], eax; |
00407E28 |. E8 43ED0000 | call <jmp.&msvcrt.strlen>; | \ strlen
00407E2D |. 89C3 | mov ebx, eax; | remaining len Length
00407E2F |. 8D95 08D4FFFF | lea edx, dword ptr [ebp-2BF8]; |
00407E35 |. 8B85 04D4FFFF | mov eax, dword ptr [ebp-2BFC]; |
00407E3B |. C1E0 0C | shl eax, 0C; |
00407E3E |. 8D0402 | lea eax, dword ptr [edx + eax]; |
00407E41 |. 890424 | mov dword ptr [esp], eax; |
00407E44 |. E8 27ED0000 | call <jmp.&msvcrt.strlen>; | \ strlen
00407E49 |. 2B85 00D4FFFF | sub eax, dword ptr [ebp-2C00]; | eax is the I value
00407E4F |. 29C3 | sub ebx, eax; | I indicates updating Tcount
00407E51 |. 89D8 | mov eax, ebx; |
00407E53 |. 894424 08 | mov dword ptr [esp + 8], eax; |
00407E57 |. 8D95 08D4FFFF | lea edx, dword ptr [ebp-2BF8]; |
00407E5D |. 8B85 04D4FFFF | mov eax, dword ptr [ebp-2BFC]; |
00407E63 |. C1E0 0C | shl eax, 0C; |
00407E66 |. 8D0402 | lea eax, dword ptr [edx + eax]; |
00407E69 |. 0385 00D4FFFF | add eax, dword ptr [ebp-2C00]; |
00407E6F |. 40 | inc eax; |
00407E70 |. 894424 04 | mov dword ptr [esp + 4], eax; |
00407E74 |. 8D95 08D4FFFF | lea edx, dword ptr [ebp-2BF8]; |
00407E7A |. 8B85 04D4FFFF | mov eax, dword ptr [ebp-2BFC]; |
00407E80 |. C1E0 0C | shl eax, 0C; |
00407E83 |. 8D0402 | lea eax, dword ptr [edx + eax]; |
00407E86 |. 0385 00D4FFFF | add eax, dword ptr [ebp-2C00]; | Tcount count
00407E8C |. 0385 E4D3FFFF | add eax, dword ptr [ebp-2C1C]; | push src
00407E92 |. 890424 | mov dword ptr [esp], eax; | push dest
00407E95 |. E8 66ED0000 | call <jmp.&msvcrt.memmove>; | \ problem function
00407E9A |. 8B85 E4D3FFFF | mov eax, dword ptr [ebp-2C1C]; |
00407EA0 |. 894424 08 | mov dword ptr [esp + 8], eax; |
00407EA4 |. 8D85 E8D3FFFF | lea eax, dword ptr [ebp-2C18]; |
00407EAA |. 894424 04 | mov dword ptr [esp + 4], eax; |
|. 8D95 08D4FFFF | lea edx, dword ptr [ebp-2BF8]; |
00407EB4 |. 8B85 04D4FFFF | mov eax, dword ptr [ebp-2BFC]; |
00407EBA |. C1E0 0C | shl eax, 0C; |
00407EBD |. 8D0402 | lea eax, dword ptr [edx + eax]; |
00407EC0 |. 0385 00D4FFFF | add eax, dword ptr [ebp-2C00]; |
00407EC6 |. 890424 | mov dword ptr [esp], eax; |
00407EC9 |. E8 12EC0000 | call <jmp.&msvcrt.memcpy>; \ memcpy
Description:
Prototype: extern void *memmove(void *dest, const void *src, unsigned int count);

Note: the src and dest memory areas may overlap, but the contents of src may be changed after the copy. The function returns a pointer to dest.
 

In the for loop, the 2450 * characters in the POC are read one by one: memmove shifts the remainder of the string to make room and memcpy writes the replacement. memmove computes the remaining part from the loop index I. For example, with *****aaaaaaaacccccccccc, after reading the 1st *, I = 1 and 4 * remain; after reading the 2nd *, I = 2 and 3 * remain; the remaining * count is used as the remaining length. Because this remaining length is never checked against the buffer, when I reaches 4C9 the access goes out of bounds (figure).






The memory layout with the original POC is (figure):



After the first out-of-bounds write, the first three A's are overwritten by memmove (figure).


 


As the value of I increases, the stack contents are corrupted, and the saved EBP value on the stack is eventually overwritten by the shifted data (figure).
 



Because EBP is wrong, the function pushes a wrong value when it calls the next function, the return goes wrong, and the program crashes. Conclusion: the remaining length of the string is not checked, so the index I goes out of bounds. Because the vulnerability itself is hard to understand in many places and my ability is limited, there are still some points that could not be clearly analyzed, hope to raise
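As an added illustration (not code from the page or from httpdx), the following C function performs the same in-place expansion with the memmove-then-memcpy pattern analyzed above, but adds the length check the conclusion says is missing, so an input such as a long run of * is rejected instead of overflowing the buffer. The "\xHH" replacement text for &, < and >, the helper names, and the 64-byte demo buffer are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Assumed replacement text: each special byte becomes the 4-char escape "\xHH";
 * the page shows only "\x2a" for '*', the other three are an assumption. */
static void hex_escape(unsigned char c, char out[5]) {
    static const char hex[] = "0123456789abcdef";
    out[0] = '\\'; out[1] = 'x';
    out[2] = hex[c >> 4]; out[3] = hex[c & 0x0f]; out[4] = '\0';
}
static int is_special(unsigned char c) {
    return c == '*' || c == '&' || c == '<' || c == '>';
}

/* Expand special characters in place with the same memmove-then-memcpy pattern
 * as the httpdx loop, plus the bounds check it lacks: the expanded string (with
 * its NUL) must fit in cap bytes. Returns the new length, or -1 without touching
 * buf when the expansion would overflow. */
int escape_in_place(char *buf, size_t cap, const char *src) {
    size_t len = strlen(src), needed = len, i;
    for (i = 0; i < len; i++)
        if (is_special((unsigned char)src[i])) needed += 3;
    if (needed + 1 > cap) return -1;            /* the missing check */
    memcpy(buf, src, len + 1);
    for (i = 0; i < len; i++) {
        char esc[5];
        if (!is_special((unsigned char)buf[i])) continue;
        hex_escape((unsigned char)buf[i], esc);
        memmove(buf + i + 4, buf + i + 1, len - i); /* shift tail + NUL right by 3 */
        memcpy(buf + i, esc, 4);                    /* write the escape text */
        len += 3;
        i += 3;                                     /* skip the inserted escape */
    }
    return (int)len;
}

/* Wrappers around a fixed 64-byte buffer (constructed) so results can be checked. */
static char g_out[64];
int escape_demo(const char *src, size_t cap) {
    if (cap > sizeof g_out) cap = sizeof g_out;
    return escape_in_place(g_out, cap, src);
}
int escape_demo_equals(const char *src, size_t cap, const char *expect) {
    return escape_demo(src, cap) >= 0 && strcmp(g_out, expect) == 0;
}

int main(void) {
    printf("%d %s\n", escape_demo("a*b<c>", 64), g_out);  /* 15 a\x2ab\x3cc\x3e */
    printf("%d\n", escape_demo("****", 8));                /* -1: needs 17 bytes */
    return 0;
}
```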
