WinaXe 7.7 'FTP client' - Remote Buffer Overflow

2017-01-06T00:00:00
ID SSV:92606
Type seebug
Reporter k0shl
Modified 2017-01-06T00:00:00

Description

Vulnerability reproduction

WinaXe is an integrated suite of management tools for Windows that bundles many utilities, among them an FTP Manager. When the FTP Manager connects to an FTP server that has been specially configured to return a malformed packet, the malformed data triggers a stack overflow in WinaXe, the return address is overwritten, and code execution follows. The vulnerability is analyzed in detail below.

First attach WinDbg and run the PoC. Local port 21 is seen to be open; as soon as the client connects to the FTP server, the program crashes.

```
0:001> p
eax=00000000 ebx=41414141 ecx=41414141 edx=41414141 esi=41414141 edi=41414141
eip=41414141 esp=015bd514 ebp=0000081b iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
41414141 ??              ???
```

Backtracking the call stack with kb shows that the stack has been overwritten with the malformed data.

```
0:001> kb
ChildEBP RetAddr  Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
015bd510 000a0041 0042cc32 41303232 41414141 0x41414141
015bd514 0042cc32 41303232 41414141 41414141 0xa0041
015bd518 41303232 41414141 41414141 41414141 image00400000+0x2cc32
015bd51c 41414141 41414141 41414141 41414141 0x41303232
```

Some backtracking points are still visible, however, and they are followed in the forward analysis below.

Vulnerability analysis

Tracing forward, I found that after the malformed string is received, execution enters a loop.

```
0:001> p
eax=00000041 ebx=000003fe ecx=00000000 edx=000003fe esi=015bf52a edi=015bd526
eip=0042cbff esp=015bd518 ebp=00000000 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
image00400000+0x2cbff:
0042cbff 8a4601          mov     al,byte ptr [esi+1]        ds:0023:015bf52b=41
0:001> dd esi
015bf52c  41414141 41414141 41414141 41414141
015bf53c  41414141 41414141 41414141 41414141
015bf54c  41414141 41414141 41414141 41414141
015bf55c  41414141 41414141 41414141 41414141
015bf56c  41414141 41414141 41414141 41414141
```

Here the byte that esi points to is taken out into al and then stored to the destination; esi points to the buffer holding the received malformed string.

```
0:001> p
eax=00000041 ebx=000003fe ecx=00000000 edx=000003fe esi=015bf52a edi=015bd526
eip=0042cc02 esp=015bd518 ebp=00000000 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
image00400000+0x2cc02:
0042cc02 83c602          add     esi,2
0:001> p
eax=00000041 ebx=000003fe ecx=00000000 edx=000003fe esi=015bf52c edi=015bd526
eip=0042cc05 esp=015bd518 ebp=00000000 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
image00400000+0x2cc05:
0042cc05 884701          mov     byte ptr [edi+1],al        ds:0023:015bd527=00
0:001> p
eax=00000041 ebx=000003fe ecx=00000000 edx=000003fe esi=015bf52c edi=015bd526
eip=0042cc08 esp=015bd518 ebp=00000000 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
image00400000+0x2cc08:
0042cc08 83c702          add     edi,2
0:001> p
eax=00000041 ebx=000003fe ecx=00000000 edx=000003fe esi=015bf52c edi=015bd528
eip=0042cc0b esp=015bd518 ebp=00000000 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
image00400000+0x2cc0b:
0042cc0b 3c00            cmp     al,0
0:001> p
eax=00000041 ebx=000003fe ecx=00000000 edx=000003fe esi=015bf52c edi=015bd528
eip=0042cc0d esp=015bd518 ebp=00000000 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
image00400000+0x2cc0d:
0042cc0d 75e8            jne     image00400000+0x2cbf7 (0042cbf7)        [br=1]
0:001> p
eax=00000041 ebx=000003fe ecx=00000000 edx=000003fe esi=015bf52c edi=015bd528
eip=0042cbf7 esp=015bd518 ebp=00000000 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
image00400000+0x2cbf7:
0042cbf7 8a06            mov     al,byte ptr [esi]          ds:0023:015bf52c=41
0:001> p
eax=00000041 ebx=000003fe ecx=00000000 edx=000003fe esi=015bf52c edi=015bd528
eip=0042cbf9 esp=015bd518 ebp=00000000 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
image00400000+0x2cbf9:
0042cbf9 8807            mov     byte ptr [edi],al          ds:0023:015bd528=00
0:001> p
eax=00000041 ebx=000003fe ecx=00000000 edx=000003fe esi=015bf52c edi=015bd528
eip=0042cbfb esp=015bd518 ebp=00000000 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
image00400000+0x2cbfb:
0042cbfb 3c00            cmp     al,0
0:001> p
eax=00000041 ebx=000003fe ecx=00000000 edx=000003fe esi=015bf52c edi=015bd528
eip=0042cbfd esp=015bd518 ebp=00000000 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
image00400000+0x2cbfd:
0042cbfd 7410            je      image00400000+0x2cc0f (0042cc0f)        [br=0]
```

The copy loop is now visible: it copies the malformed string that esi points to onto the stack, and its only termination condition is reaching the end of the source string; the length is never checked. Viewed in IDA Pro:

```c
do
{
    v27 = *v1;
    *v26 = *v1;
    if ( !v27 )
        break;
    v28 = v1[1];
    v1 += 2;
    v26[1] = v28;
    v26 += 2;
}
while ( v28 );
```

The program then runs on to the following call.

```c
if ( BYTE1(v15) == 13 || BYTE1(v15) == 10 || *(&v34 + v4) == 10 )
{
    if ( !(BYTE)v36 && v2 > 3 && IsTable[(unsigned __int8)v30 + 1] & 0x20 )
    {
        sscanf(&v30, aD_4, &dword_465104);
        if ( dword_468520 && dword_465104 != 631 && dword_465104 != 632 && dword_465104 != 633 )
            sub_404597();
    }
}
```
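The root cause above is a copy loop whose only stop condition is the terminating NUL of the received reply. As an added illustration (not code from this advisory or from WinaXe), the C below reconstructs that copy pattern from the decompiled loop, puts a bounded copy next to it, and adds a strict reply-code check standing in for the sscanf call. The buffer size REPLY_BUF, the function names and the 3000-byte reply of 'A' are assumptions made for the demonstration; the real frame size is not stated on the page.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the client's stack frame buffer; the real size is not on the page. */
#define REPLY_BUF 1024

/* Copy pattern reconstructed from the decompiled do/while loop: two bytes per
 * iteration until a NUL byte is seen, with no destination size consulted.
 * Returns the number of bytes written (including the NUL) so a caller can see
 * how far past a REPLY_BUF-sized frame the copy would reach. dst must be large
 * enough for the whole source: this is a measuring aid, not a copy routine. */
size_t copy_reply_unbounded(char *dst, const char *src)
{
    size_t n = 0;
    char c0, c1 = 0;
    do {
        c0 = src[0];
        dst[n] = c0;
        if (!c0) { n++; break; }   /* NUL in the first byte of the pair: done */
        c1 = src[1];
        dst[n + 1] = c1;           /* second byte is stored before it is tested */
        src += 2;
        n += 2;
    } while (c1);                  /* NUL in the second byte ends the loop */
    return n;
}

/* Bounded replacement (added here, not the vendor's fix): copies at most
 * dst_size-1 bytes and always NUL-terminates. Returns 0 on success, -1 when the
 * reply does not fit; the caller should drop the reply or the connection rather
 * than go on with truncated data. */
int copy_reply_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t i;
    if (dst_size == 0) return -1;
    for (i = 0; i + 1 < dst_size; i++) {
        dst[i] = src[i];
        if (src[i] == '\0') return 0;
    }
    dst[0] = '\0';                 /* no room for the terminator: reject */
    return -1;
}

/* Strict stand-in for the sscanf call in the write-up: an FTP reply line must
 * start with three digits followed by ' ' (last line) or '-' (multi-line).
 * Returns 0 and sets *code, or -1 for anything else. */
int parse_reply_code(const char *line, int *code)
{
    if (!isdigit((unsigned char)line[0]) || !isdigit((unsigned char)line[1]) ||
        !isdigit((unsigned char)line[2]) || (line[3] != ' ' && line[3] != '-'))
        return -1;
    *code = (line[0] - '0') * 100 + (line[1] - '0') * 10 + (line[2] - '0');
    return 0;
}

/* Constructed sample: a 3000-byte reply of 'A', like the pattern in the crash dump. */
static void make_long_reply(char *buf, size_t len)
{
    memset(buf, 'A', len);
    buf[len] = '\0';
}

/* Bytes the unbounded loop writes for the constructed reply: 3001. */
size_t demo_unbounded_bytes(void)
{
    static char reply[4096], scratch[4096];
    make_long_reply(reply, 3000);
    return copy_reply_unbounded(scratch, reply);
}

/* Bounded copy of the same reply into a REPLY_BUF-sized frame: -1 (rejected). */
int demo_bounded_result(void)
{
    static char reply[4096];
    char frame[REPLY_BUF];
    make_long_reply(reply, 3000);
    return copy_reply_bounded(frame, sizeof frame, reply);
}

/* Reply code parsed from a well-formed greeting: 220. */
int demo_reply_code(void)
{
    int code = -1;
    return parse_reply_code("220 Service ready\r\n", &code) == 0 ? code : -1;
}

int main(void)
{
    printf("unbounded copy writes %zu bytes into a %d-byte frame\n",
           demo_unbounded_bytes(), REPLY_BUF);
    printf("bounded copy result: %d\n", demo_bounded_result());
    printf("greeting reply code: %d\n", demo_reply_code());
    return 0;
}
```

The unbounded helper is deliberately run only into a scratch buffer large enough for the whole input; its return value is what matters, since it shows the copy writing roughly three times the assumed frame size. The bounded version rejects rather than truncates, because a client that silently continues with a cut reply can desynchronize from the server's reply sequence.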

sub_404597 processes the data on the stack; by the time it finishes, the earlier overwrite has already replaced its return address.

```
0:001> g
! SETTRUE 0x680d0858
ModLoad: 76ef0000 76f17000   C:\WINDOWS\system32\DNSAPI.dll
ModLoad: 76d30000 76d48000   C:\WINDOWS\system32\iphlpapi.dll
ModLoad: 76f90000 76f96000   C:\WINDOWS\system32\rasadhlp.dll
Breakpoint 0 hit
eax=015bd51c ebx=0000001f ecx=ffff0d02 edx=0000001f esi=015bf540 edi=00000001
eip=0042cc2d esp=015bd51c ebp=0000081b iopl=0         nv up ei ng nz na pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000287
image00400000+0x2cc2d:
0042cc2d e86579fdff      call    image00400000+0x4597 (00404597)
0:001> dc esp
015bd51c  41303232 41414141 41414141 41414141  220AAAAAAAAAAAAA
015bd52c  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
015bd53c  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
015bd54c  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
015bd55c  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
015bd56c  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
015bd57c  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
015bd58c  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
```

At the moment of the call, the stack has already been covered with the malformed data.

```
0:001> p
eax=00000000 ebx=00000000 ecx=41414141 edx=41414141 esi=41414141 edi=41414141
eip=00404595 esp=015bd50c ebp=0000081b iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
image00400000+0x4595:
00404595 5b              pop     ebx
0:001> p
eax=00000000 ebx=41414141 ecx=41414141 edx=41414141 esi=41414141 edi=41414141
eip=00404596 esp=015bd510 ebp=0000081b iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
image00400000+0x4596:
00404596 c3              ret
0:001> dd esp
015bd510  41414141 000a0041 0042cc32 41303232
```

When execution reaches the return, eip is controlled, which can lead to arbitrary code execution: by constructing a POP POP POP RET sequence and then executing jmp esp, execution can reach the shellcode location.