CVE-2 0 1 6-2 5 6 3 vulnerability analysis and exploit-vulnerability warning-the black bar safety net

ID MYHACK58:62201675674
Type myhack58
Reporter 佚名
Modified 2016-06-09T00:00:00


0x01 vulnerability description

Using putty's pscp components can achieve the Windows and theLinux serverbetween the remote copy of the file. Recently 3 to on 7, broke the pscp in the presence of a buffer overflow vulnerability, when from the server-side copy of the file, the pscp client the sscanf function is not on the the remote server returned an SCP-SINK the size of the file to be checked, when data is received to produce an overflow, thereby triggering a standard stack overflow exploit.

The vulnerabilities disclosed after the putty web site quickly fixed this vulnerability, after the restoration of the version of putty0. 6 and 7. GitHubhas also been the emergence of the corresponding POC file:


Therefore suggested that the putty user as soon as possible to upgrade to the latest version.

This article will be in the POC on the basis of, try to reproduce the vulnerability scenarios and to analyze and take advantage of this vulnerability.

0x02 environment to build

Ø Client OS: WinXP sp3 here in order to facilitate debugging using a xp system

The Putty pscp: version 0.62

Server: Kali-Linux-1.1.0-amd64


Ø server-side python version 2. 7, while need to install python ssh library paramiko

Command: pip install paramiko

In my test of the Kali on the default python install paramiko, but not the latest version, so need to upgrade to the latest version.

Command: git clone <>

Into the paramiko directory for installation: python install


Test paramiko is installed successfully if the installation is successful as shown below.


Ø ensure that poc. py and test_rsa. key in the same directory, because the poc. py needs to read the key file.


随后 运行, turn off the SSH Service: service ssh stop must turn off the default SSH service

To open a malicious SSH connection


The client runs pscp, execute the download command:


After entering the password, pscp crash, malicious data to write into the success:



So far, the vulnerability is triggered successfully now!

0x03 vulnerability analysis

Program after a crash, attach Windbg to view the crash site. You can advance through the command Windbg-I will Windbg is set as the default Debugger, so the program crash after Windbg will immediately snap to the exception:


You can see the POC sent a large number of malicious data“AAAA...”in the client to cause a buffer overflow, the program return EIP to be hijacked.

From the collapse of the Start point of the traceback stack, and view the program crashes before the call to the which function:


See the number of suspected return address value, from the overflow point can be seen is definitely in the vicinity of several function causing the overflow, so one by one try to the next, disassemble 0x00406ff7 at the instructions:


With parameters to start PSCP: an scp root@ .


In the above several call at the following breakpoints:


As can be seen after executing the address 0x00406fd6 at the function, the occurrence of the overflow, therefore it can be concluded that the function is causing the overflow.

By the vulnerability described we know is due to the pscp client the sscanf function is causing the overflow, then the address of the function is sscanf. IDA view under the address of the code:

[1] [2] next