IIS6 stack injection and memory corruption exploits shown in detail

ID MYHACK58:62201567290
Type myhack58
Reporter Anonymous
Modified 2015-09-23T00:00:00


It turns out that exploiting vulnerabilities in COM ActiveX components is a good idea, and there are many examples of it. Here we use Active Server Pages (ASP) as an example to describe in detail how such a vulnerability is exploited.

0x01 Redim Preserve statement

I found that the redim preserve statement can be used to allocate large amounts of memory. For example, the code in the following figure achieves this very well on IIS 6.0:

[figure]

In fact, we can put the payload into the Block; as you can see, it is outrageously simple.

0x02 SQLNS.SQLNamespace

SQLNS.SQLNamespace is widely present on machines with SQL Server installed. Some of the methods this ActiveX control exposes ought to be defined as private. If these methods cause memory corruption, they can lead to arbitrary code execution. Below we examine the Refresh() method, which takes only one parameter.

[figure]

Now let us use cscript.exe to run poc.vbs. This has to be done under Immunity Debugger, with a breakpoint set at oleaut32.dll#DispCallFunc, as shown below.

[figure]

Now press F9 repeatedly, and use F8 to step to the CALL EAX instruction, as shown below.

[figure]

This is the entry point of sqlns#Refresh. Set a breakpoint here and continue by pressing F9.

[figure]

Well, it finally crashed!

    429DF9FE 8B02 MOV EAX,DWORD PTR DS:[EDX]
    429DFA00 FF50 6C CALL DWORD PTR DS:[EAX+6C]

At this point EAX = 0x41414141, ECX = 0x41414141 and EDX = 0x41414141. So where does 0x41414141 come from? 0x41414141 = 1094795585, which is the parameter of the Refresh() method.

0x03 IIS?

Save the vbs code as an asp file and copy it to the IIS 6.0 web directory.

[figure]

Open the site and attach to the w3wp process. Press F9 to let the w3wp process continue running, then open poc.asp in the browser, and you will see the following:

[figure]
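A defender-side check for the pattern described in sections 0x01 to 0x03, as an added example that is not part of the original article: it scans ASP/VBScript source, such as files found under an IIS web root, for instantiation of the SQLNS.SQLNamespace ProgID and for ReDim Preserve used with a very large bound or inside a loop. The rule names, the LARGE_BOUND threshold and the sample snippets are assumptions constructed for illustration.

```python
import re
# Heuristics assumed for this example; not a vetted signature set.
PROGID = re.compile(r'CreateObject\s*\(\s*"SQLNS\.SQLNamespace"\s*\)', re.I)
REDIM = re.compile(r'\bReDim\s+Preserve\s+\w+\s*\(([^)]*)\)', re.I)
LOOP_OPEN = re.compile(r'^\s*(For|Do|While)\b', re.I)
LOOP_CLOSE = re.compile(r'^\s*(Next|Loop|Wend)\b', re.I)
LITERAL = re.compile(r'&H([0-9A-F]+)|\b(\d+)\b', re.I)  # VBScript hex or decimal
LARGE_BOUND = 0x10000  # hypothetical threshold for a "large" array bound

def strip_comment(line):  # drop a ' comment, but not apostrophes inside strings
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string
        elif ch == "'" and not in_string:
            return line[:i]
    return line

def scan(source):
    """Return (line_number, rule) findings for one ASP/VBScript source text."""
    findings, depth = [], 0
    for number, raw in enumerate(source.splitlines(), 1):
        line = strip_comment(raw.replace("<%", " ").replace("%>", " "))
        if LOOP_CLOSE.match(line):
            depth = max(depth - 1, 0)
        if PROGID.search(line):
            findings.append((number, "sqlns-progid"))
        for m in REDIM.finditer(line):
            bounds = [int(h, 16) if h else int(d) for h, d in LITERAL.findall(m.group(1))]
            if any(b >= LARGE_BOUND for b in bounds):
                findings.append((number, "redim-preserve-large"))
            elif depth > 0:  # array regrown on every loop iteration
                findings.append((number, "redim-preserve-in-loop"))
        if LOOP_OPEN.match(line):
            depth += 1
    return findings

# Constructed samples (the page's own PoC survives only as missing figures).
SUSPICIOUS = '''<%
For i = 0 To 100
    ReDim Preserve blocks(i)
Next
ReDim Preserve blocks(&H100000)
Set ns = Server.CreateObject("SQLNS.SQLNamespace")
%>'''
BENIGN = '''<%
' old note: CreateObject("SQLNS.SQLNamespace") was removed
ReDim Preserve names(10)
%>'''
```

Calling scan(SUSPICIOUS) reports the in-loop growth, the large bound and the ProgID, while scan(BENIGN) reports nothing because the ProgID appears only in a comment and the array bound is small.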
0x04 Unicode&Ansi

Since asp stores data in unicode encoding, I want to use some function to allocate memory. Then we transfer Hex data into that memory to fill it.

[figure]

0x05 stack injection!

In the following, we use the redim preserve statement to implement stack injection:

[figure]

Each block size is 512 * 2048 = 0x1000000; we can view the memory map, as shown below.

[figure]

For each block, there is a managed struct 3 to 6 bytes long.

[figure]

0x06 Preparing to control EIP

Since each payload is 2048 bytes long, 514 payload copies have a length of 0x1010000, which is exactly one memory page size. Therefore, a carefully designed payload can be used to fully control EIP.

[figure]

Note that this time, before pressing F9 to continue the w3wp process, you first need to set a breakpoint at:

    429DF9FE 8B02 MOV EAX,DWORD PTR DS:[EDX]

[figure]

Press F8 to debug in step-over mode.

[figure]

As shown above, execution has now reached CALL DWORD PTR DS:[EAX + 6C], where EAX + 6C = 0x0c0c0c78.

0x07 bypass DEP

Can we put a heap address such as 0x0c0c0c10 into memory at address 0x0c0c0c78? The following code was found in the w3core module, as shown in Fig.
