Monday, May 14, 2018

CVE-2017-11885 Analysis

This morning I saw that an exploit for CVE-2017-11885 was published (https://www.exploit-db.com/exploits/44616/), so I followed up with an analysis.

Modifying the following location triggers a crash of the RRAS service:
stub += "\xff\xff\xff\xff" #dwVarID ECX (CALL off_64389048[ECX*4]) -> p2p JMP EAX #dwVarID (_MIB_OPAQUE_QUERY)

As the comment in the exp says, "#0x1d MIBEntryGetFirst (other RPC calls are also affected)", the crash point is located at iprtemgr.dll!RtrMgrMIBEntryGetFirst:
(Cross-references confirm the author's statement: other RPC calls contain the same kind of vulnerability.)
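To make the bug class concrete, here is an added illustration (my own code, not from iprtemgr.dll or from the exp) of the pattern behind "CALL off_64389048[ECX*4]": an attacker-controlled dwVarID is used directly as an index into a function-pointer table, so a value such as 0xffffffff reads a pointer from outside the table and calls it. The handler names, the table, and the MIB_RESULT_INVALID sentinel are all hypothetical stand-ins; the hardened dispatcher shows the range check that has to precede the indirect call.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for the per-variable "get first" handlers.
 * None of this is the real iprtemgr.dll code. */
typedef uint32_t (*mib_handler_t)(void);

static uint32_t get_first_ipforward(void)    { return 1; }
static uint32_t get_first_ipaddr(void)       { return 2; }
static uint32_t get_first_ipnettomedia(void) { return 3; }

/* Stand-in for the function-pointer table the exp calls off_64389048. */
static const mib_handler_t g_handlers[] = {
    get_first_ipforward,
    get_first_ipaddr,
    get_first_ipnettomedia,
};
#define HANDLER_COUNT (sizeof g_handlers / sizeof g_handlers[0])

/* Sentinel returned for an invalid variable ID (constructed value). */
#define MIB_RESULT_INVALID 0xFFFFFFFFu

/* Vulnerable pattern: dwVarID comes straight from the RPC request and is
 * used as a table index with no range check. Any ID >= HANDLER_COUNT makes
 * the CPU fetch a pointer from beyond the table and call it, which is the
 * crash (or worse) described above. Never call this with untrusted input;
 * it is kept only to show the shape of the defect. */
uint32_t dispatch_unchecked(uint32_t dwVarID)
{
    return g_handlers[dwVarID]();   /* undefined behaviour when out of range */
}

/* Range check that must happen before the index touches the table. */
int is_valid_var_id(uint32_t dwVarID)
{
    return dwVarID < HANDLER_COUNT;
}

/* Hardened dispatcher: reject the ID first, then index. */
uint32_t dispatch_checked(uint32_t dwVarID)
{
    if (!is_valid_var_id(dwVarID)) {
        return MIB_RESULT_INVALID;
    }
    return g_handlers[dwVarID]();
}

int main(void)
{
    printf("dwVarID 1          -> %u\n", dispatch_checked(1));
    printf("dwVarID 0xffffffff -> 0x%08x (rejected)\n", dispatch_checked(0xffffffffu));
    return 0;
}
```

The check is the whole fix: the table size is known at compile time, so comparing the request-supplied index against it costs nothing, and every RPC entry point that indexes the same table needs the same comparison, which matches the exp's note that other calls are affected too.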

Setting a breakpoint at +6C and re-running the exp, the RRAS packets captured with Wireshark look like this:

At the same time OllyDbg breaks; the data shown below, ECX included, differs somewhat from the original exp because these are the values after I modified the exp.

We can see that the data EAX points to contains, besides the buf data from the exp, part of the stub data at the beginning. Going back to the author's exp:
stub += "\xad\x0b\x2d\x06" #dwVarID ECX (CALL off_64389048[ECX*4]) -> p2p JMP EAX #dwVarID (_MIB_OPAQUE_QUERY)
I think he wants to call an address that contains a 'jmp eax'.

Here is a question: you would have to search modules (e.g. shell32.dll) for a 'jmp eax' address, call it address1, and then search for an address that contains address1, because of the 'call dword ptr ds:[]'; and you would have to consider that after the 'jmp eax' there is some garbage code before the shellcode executes, and make sure that code cannot cause a DoS.

Besides, I think Windows 2003 SP2 has DEP enabled, and the data EAX points to does not have execute permission.

Lastly, I disabled DEP and found that esp+0x8 holds a value equal to EAX; just for testing, I got a shell.
