How to deal with common vulnerabilities in PC clients under Windows

2025-02-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article is about how to deal with common vulnerabilities in PC clients under Windows. The editor thinks it is very practical and shares it here for you to learn from; I hope you get something out of it.

0x00 Why write this article?

For beginners, web security appears to have a complete body of knowledge and a well-defined vulnerability discovery process. Newcomers usually choose web as their direction, because penetration testing of web systems seems to bring a greater sense of achievement, and many believe web is easier to learn. PC client vulnerability discovery, on the other hand, involves some low-level knowledge of computers and operating systems, so many people do not dare to touch it. In fact, PC client vulnerabilities are much easier to find than people think; you do not even need to be proficient in assembly language to dig out PC client vulnerabilities. Assembly is nevertheless the foundation of PC client vulnerability discovery, so you still need to learn it well.

In addition, mining PC client vulnerabilities is just like mining web vulnerabilities: it requires care and patience. Learn to pay attention to every detail and understand how the system and the software work together. This article covers the discovery of PC client vulnerabilities under Windows. To keep it easy to understand, it does not cover advanced memory-corruption topics such as memory overflows and ROP; readers looking for those should look elsewhere.

0x01 Tools

"If you want to do good work, you must first sharpen your tools."

PC client vulnerability mining relies mainly on reverse engineering and process monitoring.

For reverse engineering I recommend two tools: the king of static analysis, IDA Pro, and OllyDbg, which is very useful for dynamic debugging (the 吾爱破解 / 52pojie forum build is recommended). Both reverse analysis tools are easy to find, so there is no further introduction here.

Process monitoring tools fall into two groups: monitoring a process's local behavior and monitoring its network behavior.

For local behavior monitoring I recommend Process Explorer and Autoruns. These two tools are not widely known, but they are easy to use.

ProcessExplorer process monitoring

Autoruns process monitoring tool

Among the local monitoring tools there is also a class that specifically monitors the registry. Several recommended tools:

Process Monitor: a powerful registry monitoring tool; you can add filtering rules, which is very convenient.

Regshot: a registry snapshot-and-compare tool that finds out which registry values changed by saving snapshots before and after and comparing them.

RegFromApp: also a process monitoring tool; you select a process and then track the changes it makes to the registry.

For network behavior monitoring the first tool is of course the famous Wireshark, and there is also a small but handy tool called WSExplorer (per-process packet capture).

Wireshark

WSExplorer, the per-process packet capture tool from the 岁月联盟 (Years Alliance) forum, is very convenient: the left side lists processes, the right side shows the captured packets.

With these tools we can know exactly what a program does on our computer. Know yourself and know your enemy, and you can win a hundred battles; now we can start exploring vulnerabilities.

0x02 Defects

Developers cannot produce a program without vulnerabilities, especially when the program is large; there are bound to be some. What we need to know is where vulnerabilities are likely to occur.

Client authorization authentication vulnerability:

Genuine client software is generally equipped with an authorization module, and the purpose of these authorization schemes is simply "those who bought it can use it; those who did not, cannot". Verification usually takes the form of a registration code bound to the machine code of the personal computer, or bound to some kind of personal authentication mechanism. Authorization vulnerabilities can lead to serious consequences such as cracked software and functions and the circulation of pirated copies. They are usually caused by developers not paying attention to the confidentiality and security of the authorization check.

Network service vulnerabilities of the client:

Such vulnerabilities are generally caused by the client not performing strict authentication when sending or receiving packets, which can allow privileged services to be invoked unconditionally.

Client functional logic vulnerabilities:

Such vulnerabilities are generally caused by unreasonable functional design of the client and can lead to serious consequences such as unauthorized access.

Client overflow vulnerabilities:

This kind of vulnerability is the harder part of reverse engineering; it stems mainly from memory mismanagement during development or from flaws in the program's own execution logic.

This article only covers the first three kinds.

0x03 Practice

Client functional logic vulnerabilities:

Mining such vulnerabilities means focusing on the logic between client functions, similar to web logic vulnerabilities. The difference is that the functional logic also includes the code seen after decompilation; generally the vulnerability is found by modifying the jump logic just above a key function call. The root cause is that client logic is too simple and uses too few logic checks. This kind of vulnerability is not common in full-featured clients.

Client authorization authentication vulnerability:

1. Cracking based on the local registry:

Although some software uses the network for authorization verification, a defect in the design of the trial-count check can allow repeated trials by modifying the registry, leading to "free use"; that is, there is a vulnerability in the authorization check. The following client program is such a case. When we first open it, it reminds us that 29 trials remain.

Now open Process Monitor and use a filter to add a whitelist so that Procmon displays only information about this process.

Filter whitelist added so that only the process is shown.

Sensitive parts have been redacted.

After that, stop capturing, close and restart the client. After repeating this several times, we see that every time the client is opened it performs a RegSetValue (registry value modification), as follows:

Testing shows that the remaining number of trials is the integer 30 minus the value stored under a registry key named Nowtimes.

So we write a BAT script that modifies the value the client reads, and let it run automatically when the client starts, so the trial count is locked at 30 and never decreases.

reg add "HKCU\Software\<client name>\<location>" /v Nowtimes /t REG_DWORD /d 0 /f

The cause of this vulnerability is that the way the trial count is recorded is too simple: no network, no encryption, written directly into the registry, and under a key with the self-explanatory name "Nowtimes". Discovering and exploiting vulnerabilities that live in the registry is relatively simple, but the problem is that many such vulnerabilities still exist, so we pay attention to the registry when mining. In addition, if registry monitoring is blocked, we can use Regshot to save before-and-after snapshots for comparison and analysis.
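The trial counter above is a plain DWORD that a single reg add resets. The following Go code is an added example, not code from the article: it contrasts that check with a counter tagged by an HMAC derived from the machine code the client already binds licences to. The key derivation, the "n:tag" value layout and the MC-EXAMPLE machine code are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"strconv"
	"strings"
)

const maxTrials = 30
// weakRemaining is the page's check: 30 - Nowtimes, a plain DWORD, so writing 0 restores the trial.
func weakRemaining(reg map[string]string) int {
	n, _ := strconv.Atoi(reg["Nowtimes"])
	return maxTrials - n
}
// counterTag binds the counter to the machine code the client already ties its licence to
// (assumed key derivation), so editing the number alone no longer verifies.
func counterTag(machineCode string, n int) string {
	key := sha256.Sum256([]byte("trial-counter-key|" + machineCode))
	m := hmac.New(sha256.New, key[:])
	m.Write([]byte(strconv.Itoa(n)))
	return fmt.Sprintf("%x", m.Sum(nil))
}
// hardenedRemaining reads "n:tag"; a missing or wrong tag fails closed (exhausted, never fresh).
func hardenedRemaining(reg map[string]string, machineCode string) int {
	parts := strings.SplitN(reg["TrialState"], ":", 2)
	if len(parts) != 2 {
		return 0
	}
	n, err := strconv.Atoi(parts[0])
	if err != nil || !hmac.Equal([]byte(parts[1]), []byte(counterTag(machineCode, n))) {
		return 0
	}
	return maxTrials - n
}
// recordRun counts one launch in both schemes; tampered or exhausted state is left exhausted.
func recordRun(reg map[string]string, machineCode string) {
	n, _ := strconv.Atoi(reg["Nowtimes"])
	reg["Nowtimes"] = strconv.Itoa(n + 1)
	if used := maxTrials - hardenedRemaining(reg, machineCode); used < maxTrials {
		reg["TrialState"] = strconv.Itoa(used+1) + ":" + counterTag(machineCode, used+1)
	}
}

func main() {
	reg := map[string]string{"Nowtimes": "0", "TrialState": "0:" + counterTag("MC-EXAMPLE", 0)} // install-time state
	recordRun(reg, "MC-EXAMPLE")
	fmt.Println(weakRemaining(reg), hardenedRemaining(reg, "MC-EXAMPLE"))
}
```

The key still lives inside the client, so this only raises the bar from a one-line registry edit to reversing the binary and re-tagging; a count that the user cannot reach has to be kept on the server.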

2. Hosts spoofing based on network authorization verification

This part requires some reverse engineering knowledge. The client cracked this time has no trial mechanism, so we focus on its network authentication to see how the client's network authorization check works.

Key locations have been redacted

Enter a registration code at random

Enter a random registration code and confirm; then use the pop-up error window to locate the client's registration check function. Load the client into OllyDbg, search for the string "Registration Code error" and trace it to the assembly window.

So we have obtained the address of the server that performs registration and authorization. To verify further, we use Wireshark to analyze the network request made when this client registers.

You can see that the client sends our machine code and a few other values in a request to the server's /verifycheck/login.php.

Going back to the assembly window, we can see several Unicode strings that look like server responses; we record them.

Accessing the URL directly in a browser, we find that the return value is the same as one of the strings recorded from the assembly window. So we guess that we can set up a fake server and modify the local hosts file to redirect the request, so that our server returns the "registration successful" response.

Modify the hosts file to bind the server's domain name to the IP address of our own fake server.

By returning different payloads from the server, we get different responses from the client, showing that the exploitation is half successful.

At this point we can rule out the other payloads and confirm that a formatted date as the return value is the sign of successful registration. So we construct a formatted date, reopen the client, enter any registration code and register, and we see the "registration successful" window.

The final payload

The cause of this vulnerability is that the data the client accepts when verifying the registration code is too simple, so it is very easy to construct a "registration successful" response. The client is also very easy to decompile, and sensitive information is visible directly after decompilation. Mining this kind of vulnerability requires some basic reverse engineering knowledge and some basic computer networking knowledge, with the focus on the communication between the client and the network server, using packet capture tools.
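The hosts-file redirect works because the client accepts any date-shaped reply from /verifycheck/login.php. As an added example (not code from the article or the client), the Go code below puts that check beside a reply signed by the licence server over a per-attempt nonce, the machine code and the expiry, which a fake server reached through a spoofed hosts entry cannot produce; the Ed25519 key pair, the "expiry;signature" wire format and the nonce are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// weakAccept is the check the page describes: any date-shaped body from /verifycheck/login.php
// counts as "registered", so whichever host the hosts file points the domain at can return one.
var dateRe = regexp.MustCompile(`^\d{4}-\d{2}-\d{2}$`)
func weakAccept(reply string) bool { return dateRe.MatchString(reply) }

// licenseMessage is what the genuine server signs: the client's fresh nonce, the machine code
// it sent and the licence expiry, so an old or foreign reply cannot be replayed.
func licenseMessage(nonce, machineCode, expiry string) []byte {
	return []byte(nonce + "|" + machineCode + "|" + expiry)
}

// serverSign is the licence server's side (key pair and "expiry;sig" wire format are assumed).
func serverSign(priv ed25519.PrivateKey, nonce, machineCode, expiry string) string {
	return expiry + ";" + hex.EncodeToString(ed25519.Sign(priv, licenseMessage(nonce, machineCode, expiry)))
}

// clientVerify is the client's side; pub is compiled into the binary, so a fake server
// reached through a spoofed hosts entry cannot produce a reply that passes.
func clientVerify(pub ed25519.PublicKey, nonce, machineCode, reply string, now time.Time) bool {
	parts := strings.SplitN(reply, ";", 2)
	if len(parts) != 2 {
		return false
	}
	exp, errDate := time.Parse("2006-01-02", parts[0])
	sig, errSig := hex.DecodeString(parts[1])
	if errDate != nil || errSig != nil || !now.Before(exp) {
		return false
	}
	return ed25519.Verify(pub, licenseMessage(nonce, machineCode, parts[0]), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	nonce, now := "c0ffee-nonce-example", time.Date(2025, 6, 1, 0, 0, 0, 0, time.UTC) // constructed
	fmt.Println(weakAccept("2030-01-01"), clientVerify(pub, nonce, "MC-EXAMPLE", "2030-01-01", now))
	fmt.Println(clientVerify(pub, nonce, "MC-EXAMPLE", serverSign(priv, nonce, "MC-EXAMPLE", "2030-01-01"), now))
}
```

In a real client the nonce is generated fresh for every registration attempt, and the public key is the only secret-free value the binary needs to carry, which is what makes the strings seen after decompilation harmless.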

Network service vulnerabilities of the client:

Since the vendor of the vulnerability I wanted to use as an example has not fixed it yet, I will not give an example here. Network service vulnerabilities are mainly discovered by analyzing the client's network requests, and the main tools are the aforementioned per-process packet capture tool and Wireshark. Most network service vulnerabilities are caused by the client's network requests having no authentication or only very weak verification, so that anyone can request the network service in the client's name and call the VIP service interface without permission. They often appear in the client's VIP paid-resource preview service, paid query interfaces and so on: insecure client requests can be intercepted and analyzed, allowing unauthorized resources or interfaces to be invoked beyond the user's privileges. When mining this kind of vulnerability we need to pay more attention to what the client transmits over the network, and analyze every client function that goes through the network server as far as possible.

The above is how to deal with common vulnerabilities in PC clients under Windows. The editor believes some of these points may be seen or used in daily work. I hope you learn more from this article; for more details, please follow the industry information channel.
