# 2017 SECCON CTF vm_no_fun writeup

Posted on 2017-12-19 | Category: Exploitation | 1 comment

In the second VM, the code executed when the opcode is 0x20 is the following (decompiler output):

```c
if ( v30 == 0x20 )
{
    if ( (unsigned int)(16 * vm_regs_2[1]) + (signed __int64)vm_regs_2[9] > 0xFFFF )
        raise(11);
    if ( dword_addr )
        *(_DWORD *)dword_addr = *(_DWORD *)&vm2_input[(int)vm_regs_2[9] + (unsigned __int64)(unsigned int)(16 * vm_regs_2[1])];
    else
        raise(4);
    vm_regs_2[9] += 4;
    goto LABEL_108;
}
```

Here `vm_regs_2[9]` is the stack top offset (stack_top_offset) and `vm_regs_2[1]` is the stack base (stack_base). The corresponding assembly is:

Read more »
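To see what the condition above actually accepts, here is an added C model of the check and of the index expression it guards. This is an illustration written for this page, not code from the writeup or from the challenge binary. It assumes that `vm_regs_2` holds 64-bit registers (the decompiler casts them to `int` / `__int64` before use) and that `vm2_input` is 0x10000 bytes long, matching the 0xFFFF constant in the check; both are assumptions.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added model of the opcode-0x20 bounds check; not code from the writeup.
 * Assumptions: 64-bit registers, vm2_input is VM2_INPUT_SIZE bytes. */
#define VM2_INPUT_SIZE 0x10000

/* The decompiler's (int) cast: keep the low 32 bits, reinterpret as signed. */
static int32_t low32_as_int(int64_t v)
{
    uint32_t u = (uint32_t)v;
    int32_t r;
    memcpy(&r, &u, sizeof r);
    return r;
}

/* `(unsigned int)(16 * vm_regs_2[1]) + (signed __int64)vm_regs_2[9] > 0xFFFF`
 * stack_base = vm_regs_2[1], top_off = vm_regs_2[9].
 * Returns true when the VM raises signal 11 and refuses the load. */
static bool vm_load_refused(int64_t stack_base, int64_t top_off)
{
    uint32_t scaled = (uint32_t)(16 * stack_base); /* scaled base truncated to 32 bits */
    int64_t sum = (int64_t)scaled + top_off;        /* unsigned int promotes to signed 64-bit */
    return sum > 0xFFFF;
}

/* Index used for the 4-byte load:
 * `(int)vm_regs_2[9] + (unsigned __int64)(unsigned int)(16 * vm_regs_2[1])`
 * The int is sign-extended before becoming unsigned, so a negative offset is
 * the same as a negative displacement from vm2_input. */
static int64_t vm_load_index(int64_t stack_base, int64_t top_off)
{
    uint64_t scaled = (uint32_t)(16 * stack_base);
    uint64_t idx = (uint64_t)(int64_t)low32_as_int(top_off) + scaled;
    int64_t disp;
    memcpy(&disp, &idx, sizeof disp);               /* reinterpret as displacement */
    return disp;
}

/* True when the check passes and all four loaded bytes lie inside vm2_input. */
static bool vm_load_in_bounds(int64_t stack_base, int64_t top_off)
{
    if (vm_load_refused(stack_base, top_off))
        return false;
    int64_t idx = vm_load_index(stack_base, top_off);
    return idx >= 0 && idx + 4 <= VM2_INPUT_SIZE;
}

/* Accepted by the check but reading outside vm2_input. */
static bool vm_load_escapes(int64_t stack_base, int64_t top_off)
{
    return !vm_load_refused(stack_base, top_off) &&
           !vm_load_in_bounds(stack_base, top_off);
}

int main(void)
{
    /* Constructed register values for the demonstration. */
    const struct { int64_t base, off; } cases[] = {
        { 0, 0 }, { 0, 0xFFFC }, { 0, 0xFFFD }, { 0, 0x10000 },
        { 0, -16 }, { 0x10000000, 0 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int64_t b = cases[i].base, o = cases[i].off;
        printf("base=%#" PRIx64 " off=%" PRId64 ": %s, index=%" PRId64 "%s\n", b, o,
               vm_load_refused(b, o) ? "SIGSEGV" : "accepted",
               vm_load_index(b, o),
               vm_load_escapes(b, o) ? "  <- outside vm2_input" : "");
    }
    return 0;
}
```

The model makes three things visible: the offset is compared as a signed 64-bit value, so a negative `vm_regs_2[9]` passes the check and the load lands below `vm2_input`; the check bounds only the first byte of the 4-byte load, so offsets 0xFFFD to 0xFFFF pass but read past the end; and `16 * vm_regs_2[1]` is truncated to 32 bits before the comparison, so a base of 0x10000000 scales to 0.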
# Reverse Analysis of the Xshell Backdoor

Posted on 2017-09-22 | Category: Reverse Engineering | No comments yet

# 1. Introduction

On 7 August 2017, NetSarang, the vendor of Xshell, published an [advisory][1] stating that its software contained a backdoor.

![image.png-69.1kB][2]

The backdoor lives in `nssock2.dll`. A first pass over it turned up encrypted shellcode, junk instructions, thread injection and similar tricks, very much in the style of a CTF challenge. The overall flow is as follows:

![image.png-20.8kB][3]

[1]: https://www.netsarang.com/news/security_exploit_in_july_18_2017_build.html
[2]: http://static.zybuluo.com/birdg0/v8mpqewopb9mkaisyh4b8dgh/image.png
[3]: http://static.zybuluo.com/birdg0/q1qr599jvhujho10ues3oszf/image.png
[12]: https://cdn.securelist.com/files/2017/08/ShadowPad_technical_description_PDF.pdf

Read more »
# CVE-2017-7308: Linux Kernel packet_set_ring Integer Sign Error, Analysis and Exploitation (Local Privilege Escalation)

Posted on 2017-07-21 | Category: Exploitation | 4 comments

# 1. Introduction

The vulnerability affects Linux kernels before `4.10.6`. The test environment for this article is `Ubuntu 14.04 LTS`:

```
$ git clone git://kernel.ubuntu.com/ubuntu/ubuntu-trusty.git
$ git checkout Ubuntu-lts-4.4.0-31.50_14.04.1
```

# 2. Vulnerability Analysis

The bug is in the `packet_set_ring` function in `net/packet/af_packet.c`, which is called when a ring buffer is set up on an `AF_PACKET` socket. The ring buffer is the memory used for packet handling between the kernel and user space: `rx_ring` holds received packets and `tx_ring` holds packets to be transmitted; this article uses `rx_ring`. They are configured through the `PACKET_RX_RING` and `PACKET_TX_RING` options of `setsockopt` respectively. `packet_ring_buffer` is defined as follows (fields not relevant here omitted):

```c
struct packet_ring_buffer {
	struct pgv *pg_vec;
	/* ... */
	struct tpacket_kbdq_core prb_bdqc;
};

struct pgv {
	char *buffer;
};
```

![1.png-17kB][1]

[1]: http://static.zybuluo.com/birdg0/n7sm7n9ojt71a3cavynwl3pz/1.png
[2]: https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-7308/poc.c
[10]: https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html
[12]: https://www.coresecurity.com/blog/solving-post-exploitation-issue-cve-2017-7308
[13]: http://blog.nsfocus.net/gdb-kgdb-debug-application/
[14]: http://blackbunny.io/linux-kernel-x86-64-bypass-smep-kaslr-kptr_restric/

Next, the code that causes the vulnerability.

Read more »
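To make the "integer sign error" in the title concrete, here is an added user-space model of the `tp_block_size` sanity check that `packet_set_ring` applies to `TPACKET_V3` rings, in the form it had before the 4.10.6 fix for CVE-2017-7308 and after it. This is an illustration written for this page, not the article's code and not kernel code; the macros are re-declared here with the values `af_packet.c` uses (`V3_ALIGNMENT` is 8, `BLK_HDR_LEN` is `sizeof(struct tpacket_block_desc)` rounded up to 8, i.e. 48), and the block size 0x1000 and the `tp_sizeof_priv` values are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added model of the packet_set_ring() check for TPACKET_V3; not kernel code.
 * Constants re-declared with the values used in af_packet.c. */
#define V3_ALIGNMENT 8u
#define BLK_HDR_LEN  48u   /* ALIGN(sizeof(struct tpacket_block_desc), 8) */

/* Kernel ALIGN() keeps the type of its argument, so the 32-bit form can wrap. */
static uint32_t align_v3_u32(uint32_t x)
{
    return (x + (V3_ALIGNMENT - 1)) & ~(V3_ALIGNMENT - 1);
}
static uint64_t align_v3_u64(uint64_t x)
{
    return (x + (V3_ALIGNMENT - 1)) & ~(uint64_t)(V3_ALIGNMENT - 1);
}

/* The (int) cast of an unsigned value: reinterpret the low 32 bits as signed. */
static int32_t as_int32(uint32_t v)
{
    int32_t r;
    memcpy(&r, &v, sizeof r);
    return r;
}

/* Before the fix:
 *   if ((int)(req->tp_block_size - BLK_PLUS_PRIV(req_u->req3.tp_sizeof_priv)) <= 0)
 *       goto out;
 * with BLK_PLUS_PRIV(sz) = BLK_HDR_LEN + ALIGN(sz, V3_ALIGNMENT). tp_sizeof_priv
 * is unsigned int, so ALIGN wraps at 32 bits, and the (int) cast turns a
 * wrapped difference into a positive number. Returns true if rejected. */
static bool ring_check_rejects_old(uint32_t tp_block_size, uint32_t tp_sizeof_priv)
{
    uint64_t priv_area = BLK_HDR_LEN + (uint64_t)align_v3_u32(tp_sizeof_priv);
    uint32_t diff = (uint32_t)((uint64_t)tp_block_size - priv_area);
    return as_int32(diff) <= 0;
}

/* After the fix: widen tp_sizeof_priv to u64 first and compare unsigned:
 *   if (req->tp_block_size <= BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv))
 *       goto out; */
static bool ring_check_rejects_fixed(uint32_t tp_block_size, uint32_t tp_sizeof_priv)
{
    uint64_t priv_area = BLK_HDR_LEN + align_v3_u64(tp_sizeof_priv);
    return tp_block_size <= priv_area;
}

/* A request the old check lets through but the fixed one refuses: the private
 * area claimed by user space does not fit in the block at all. */
static bool ring_check_bypassed(uint32_t tp_block_size, uint32_t tp_sizeof_priv)
{
    return !ring_check_rejects_old(tp_block_size, tp_sizeof_priv) &&
            ring_check_rejects_fixed(tp_block_size, tp_sizeof_priv);
}

int main(void)
{
    const uint32_t block = 0x1000;   /* one page per block, constructed value */
    const uint32_t privs[] = { 0, 0x100, 0x1000, 0x8FFFFFD0u, 0xFFFFFF00u };

    printf("tp_block_size=0x%x\n", (unsigned)block);
    for (size_t i = 0; i < sizeof privs / sizeof privs[0]; i++)
        printf("tp_sizeof_priv=0x%08x  old:%s  fixed:%s%s\n", (unsigned)privs[i],
               ring_check_rejects_old(block, privs[i]) ? "reject" : "accept",
               ring_check_rejects_fixed(block, privs[i]) ? "reject" : "accept",
               ring_check_bypassed(block, privs[i]) ? "  <- old check bypassed" : "");
    return 0;
}
```

Two different failures of the old check show up: with `tp_sizeof_priv = 0xFFFFFF00` the 32-bit `ALIGN` plus header wraps so the difference is a small positive number, and with `0x8FFFFFD0` the subtraction itself wraps to a value whose top bit is clear, so the signed comparison sees a positive result. In both cases the kernel goes on to use a private-area size far larger than the block, which is what the rest of the article builds on.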
# MS16-098 RGNOBJ Integer Overflow on Windows 10: Analysis and Exploitation (Local Privilege Escalation)

Posted on 2017-07-08 | Category: Exploitation | No comments yet

# 1. Introduction

This article follows [https://sensepost.com/blog/2017/exploiting-ms16-098-rgnobj-integer-overflow-on-windows-8.1-x64-bit-by-abusing-gdi-objects/][1], which covers Windows kernel pool feng shui and the use of `SetBitmapBits`/`GetBitmapBits` for arbitrary kernel read and write; it is a very good introduction to Windows kernel exploitation.

> Test environment: Windows 10 1511 x64 Pro (2016.04)

# 2. Vulnerability Analysis

The vulnerability is in the `bFill` function of `win32kfull.sys`:

![image.png-27.9kB][2]

When `eax > 0x14`, the code executes `lea ecx, [rax+rax*2]; shl ecx, 4`, i.e. it multiplies the count by 48 in a 32-bit register. A large enough count wraps `ecx`, so the following `PALLOCMEM2` call allocates a pool buffer that is far smaller than the data later written into it, which can end in a pool overflow.

[1]: https://sensepost.com/blog/2017/exploiting-ms16-098-rgnobj-integer-overflow-on-windows-8.1-x64-bit-by-abusing-gdi-objects/
[2]: http://static.zybuluo.com/birdg0/f8399871umv26lsy8f940g5g/image.png
[16]: https://github.com/sensepost/ms16-098
[17]: https://www.coresecurity.com/blog/ms16-039-windows-10-64-bits-integer-overflow-exploitation-by-using-gdi-objects
[18]: https://www.coresecurity.com/blog/abusing-gdi-for-ring0-exploit-primitives
[19]: https://www.coresecurity.com/system/files/publications/2016/10/Abusing-GDI-Reloaded-ekoparty-2016_0.pdf
[20]: https://www.slideshare.net/PeterHlavaty/windows-kernel-exploitation-this-time-font-hunt-you-down-in-4-bytes

Read more »
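The size computation described above, reproduced as an added C model so the wrap can be seen for concrete counts. This is an illustration written for this page, not code from the article or from `win32kfull.sys`; `count` stands in for the value in `eax`, the function names are my own, and the 48-byte element size is simply what `lea` by 3 followed by `shl` by 4 computes.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added model of the bFill size computation; not code from win32kfull.sys.
 * `count` is the value the article describes in eax. */

/* lea ecx, [rax+rax*2]; shl ecx, 4  ==  ecx = (count * 3) << 4, in 32 bits. */
static uint32_t bfill_alloc_size_32(uint32_t count)
{
    uint32_t tmp = count + count * 2u;   /* lea: low 32 bits of rax*3 */
    return tmp << 4;                     /* shl ecx, 4: top 4 bits fall off */
}

/* Size the allocation would need without truncation (48 bytes per element). */
static uint64_t bfill_needed_size(uint32_t count)
{
    return (uint64_t)count * 48u;
}

/* True when the 32-bit computation wrapped, i.e. PALLOCMEM2 would be asked
 * for fewer bytes than the data written afterwards. */
static bool bfill_size_overflows(uint32_t count)
{
    return bfill_needed_size(count) > UINT32_MAX;
}

/* Hardened form: refuse the request instead of allocating a truncated size.
 * Returns the size, or -1 when count*48 does not fit in 32 bits. */
static int64_t bfill_alloc_size_checked(uint32_t count)
{
    uint64_t needed = bfill_needed_size(count);
    if (needed > UINT32_MAX)
        return -1;
    return (int64_t)needed;
}

/* Smallest count whose size wraps: floor(2^32 / 48) + 1. */
static uint32_t bfill_min_wrapping_count(void)
{
    return (uint32_t)((UINT64_C(1) << 32) / 48u) + 1u;
}

int main(void)
{
    /* Constructed counts for the demonstration. */
    const uint32_t counts[] = { 0x15, 0x1000, 0x5555555u, 0x5555556u, 0xFFFFFFFFu };

    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        uint32_t c = counts[i];
        printf("count=0x%08" PRIx32 "  ecx=0x%08" PRIx32 "  needed=0x%" PRIx64 "  %s\n",
               c, bfill_alloc_size_32(c), bfill_needed_size(c),
               bfill_size_overflows(c) ? "WRAPS: pool buffer too small" : "ok");
    }
    printf("smallest wrapping count: 0x%" PRIx32 "\n", bfill_min_wrapping_count());
    return 0;
}
```

With a count of 0x5555556 the 32-bit result is 0x20, so the pool allocation is 32 bytes while the code then writes about 4 GiB worth of 48-byte elements; the checked variant fails the request instead, which is the shape of fix a practitioner would expect here.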
# Windows 10 x64 Edge CVE-2016-7200 & CVE-2016-7201: Analysis and Exploitation

Posted on 2017-05-20 | Category: Exploitation | 2 comments

# 1. Analysis Environment

Operating system: Windows 10 x64 Pro 10.0.14393
Browser: Microsoft Edge x64 38.14393.0

# 2. CVE-2016-7200 Analysis

This is a type confusion vulnerability in `JavascriptArray::FilterHelper`. First, the fixing commit:

```
template Var JavascriptArray::FilterHelper(JavascriptArray* pArr, RecyclableObject* obj, T length, Arguments& args, ScriptContext* scriptContext) { if (args.Info.Count < 2 || !JavascriptConversion::IsCallable(args[1])) { JavascriptError::ThrowTypeError(scriptContext, JSERR_FunctionArgument_NeedFunction, _u("Array.prototype.filter")); } RecyclableObject* callBackFn = RecyclableObject::FromVar(args[1]); Var thisArg = nullptr; if (args.Info.Count > 2) { thisArg = args[2]; } else { thisArg = scriptContext->GetLibrary()->GetUndefined(); } // If the source object is an Array exotic object we should try to load the constructor property and use it to construct the return object. - RecyclableObject* newObj = ArraySpeciesCreate(obj, 0, scriptContext); + bool isBuiltinArrayCtor = true; + RecyclableObject* newObj = ArraySpeciesCreate(obj, 0, scriptContext, nullptr, nullptr, &isBuiltinArrayCtor); JavascriptArray* newArr = nullptr; if (newObj == nullptr) { newArr = scriptContext->GetLibrary()->CreateArray(0); newArr->EnsureHead(); newObj = newArr; } else { // If the new object we created is an array, remember that as it will save us time setting properties in the object below if (JavascriptArray::Is(newObj)) { +#if ENABLE_COPYONACCESS_ARRAY + JavascriptLibrary::CheckAndConvertCopyOnAccessNativeIntArray(newObj); +#endif newArr = JavascriptArray::FromVar(newObj); } } Var element = nullptr; Var selected = nullptr; if (pArr) { Assert(length <= MaxArrayLength); uint32 i = 0; for (uint32 k = 0; k < length; k++) { if (!pArr->DirectGetItemAtFull(k, &element)) { continue; } selected = callBackFn->GetEntryPoint()(callBackFn, CallInfo(CallFlags_Value, 4), thisArg, element, JavascriptNumber::ToVar(k, scriptContext), pArr); if 
(JavascriptConversion::ToBoolean(selected, scriptContext)) { // Try to fast path if the return object is an array - if (newArr) + if (newArr && isBuiltinArrayCtor) { newArr->DirectSetItemAt(i, element); } 
```

Read more »
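Review bot: the fix is the guard `if (newArr && isBuiltinArrayCtor)` around `newArr->DirectSetItemAt(i, element)`, and its correctness rests on a contract the hunk does not document: `ArraySpeciesCreate` must clear the new out-parameter whenever the `newObj` it returns came from a user-supplied `constructor` / `Symbol.species`, because `DirectSetItemAt` writes straight into the array's element storage and is only safe for an array the engine created itself. The flag is initialised to `true`, so the `newObj == nullptr` branch (library `CreateArray(0)`) keeps the fast path, which is right, but a comment on `bool isBuiltinArrayCtor = true;` stating that the value is only meaningful when `ArraySpeciesCreate` returned non-null would make that explicit for the next reader. The `CheckAndConvertCopyOnAccessNativeIntArray(newObj)` call under `ENABLE_COPYONACCESS_ARRAY` belongs with the same concern: it materialises a copy-on-access native int array before `DirectSetItemAt` can touch its shared backing store, so it should stay immediately inside the `JavascriptArray::Is(newObj)` test rather than be moved closer to the loop.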
# CVE-2016-10190 FFmpeg Heap Overflow: Analysis and Exploitation

Posted on 2017-04-04 | Category: Exploitation | No comments yet

# 1. Introduction

FFmpeg is a well-known open-source project for processing audio and video, with a very large user base. At the end of 2016 paulcher found three heap overflows in FFmpeg: CVE-2016-10190, CVE-2016-10191 and CVE-2016-10192. This article analyses CVE-2016-10190 in detail; it is a good case study for anyone starting out on heap overflows in binary security.

Debugging environment:

1. FFmpeg version: 3.2.1, built following [https://trac.ffmpeg.org/wiki/CompilationGuide/Ubuntu][1]
2. Operating system: Ubuntu 16.04 x64

# 2. Vulnerability Analysis

The bug is triggered while handling an `HTTP` stream. Reading an `HTTP` stream goes roughly like this:

1. `avformat_open_input` initialises the main information about the input file; the part relevant to this bug is the creation of the `AVIOContext` structure
2. If the input is an `HTTP` stream, `http_open` is called to issue the request
3. `http_read_header` parses the headers of the response
4. After the headers are parsed, the remaining data is read via `avio_read` -> `io_read_packet` -> `http_read` -> `http_read_stream`

First, the `http_read_stream` function:

```c
static int http_read_stream(URLContext *h, uint8_t *buf, int size)
{
    HTTPContext *s = h->priv_data;
    int err, new_location, read_ret;
    int64_t seek_ret;

    ...
    if (s->chunksize >= 0) {
        if (!s->chunksize) {
            char line[32];

            do {
                if ((err = http_get_line(s, line, sizeof(line))) < 0)
                    return err;
            } while (!*line);    /* skip CR LF from last chunk */

            s->chunksize = strtoll(line, NULL, 16);

            av_log(NULL, AV_LOG_TRACE, "Chunked encoding data size: %"PRId64"'\n",
                   s->chunksize);

            if (!s->chunksize)
                return 0;
        }
        size = FFMIN(size, s->chunksize);
    }
    ...
    read_ret = http_buf_read(h, buf, size);
    ...
    return read_ret;
}
```

[1]: https://trac.ffmpeg.org/wiki/CompilationGuide/Ubuntu
[10]: https://gist.github.com/PaulCher/324690b88db8c4cf844e056289d4a1d6
[11]: https://github.com/FFmpeg/FFmpeg/commit/2a05c8f813de6f2278827734bf8102291e7484aa
[12]: http://www.openwall.com/lists/oss-security/2017/02/02/1

Read more »
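The chunk-size handling in `http_read_stream` above is the part worth staring at: the chunk-size line comes from the server, `strtoll(line, NULL, 16)` happily returns a negative number for a line beginning with `-`, and `FFMIN(size, s->chunksize)` then hands that negative value to `http_buf_read` as the read length. The added C model below (an illustration written for this page, not FFmpeg code and not the project's actual fix) reproduces exactly those two steps next to a checked parse that rejects signed, malformed or out-of-range chunk sizes; `FFMIN` is re-declared with FFmpeg's definition, the chunk-size lines are constructed, and the function names are my own.

```c
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added illustration of the chunk-size path in http_read_stream(); not FFmpeg
 * code. FFMIN is FFmpeg's definition. */
#define FFMIN(a, b) ((a) > (b) ? (b) : (a))

/* What the original does: parse the chunk-size line with strtoll(..., 16).
 * The result is signed, so a line starting with '-' yields a negative size. */
static int64_t chunk_size_as_parsed(const char *line)
{
    return strtoll(line, NULL, 16);
}

/* `size = FFMIN(size, s->chunksize)`: size is int, chunksize is int64_t.
 * With a negative chunksize the clamp returns the negative value, and that is
 * the length that reaches http_buf_read(). */
static int read_size_as_clamped(int size, int64_t chunksize)
{
    return FFMIN(size, chunksize);
}

/* Hardened parse: no sign, at least one hex digit, no overflow, and the value
 * must fit the signed 64-bit field. Returns -1 for anything rejected.
 * Chunk extensions (";name=value") after the digits are ignored, as strtoll
 * ignores them in the original. */
static int64_t chunk_size_checked(const char *line)
{
    char *end = NULL;
    unsigned long long v;

    if (line[0] == '-' || line[0] == '+')   /* strtoull would accept a sign too */
        return -1;
    errno = 0;
    v = strtoull(line, &end, 16);
    if (end == line)                        /* no digits at all */
        return -1;
    if (errno == ERANGE || v > (unsigned long long)INT64_MAX)
        return -1;
    return (int64_t)v;
}

/* Length to pass to the next read for a given chunk-size line and caller
 * buffer size: -1 means the line is invalid and the caller should fail the
 * read, 0 means the final zero-length chunk. Never negative otherwise. */
static int next_read_len(const char *line, int size)
{
    int64_t chunksize = chunk_size_checked(line);
    if (chunksize < 0)
        return -1;
    return (int)FFMIN((int64_t)size, chunksize);
}

int main(void)
{
    /* Constructed chunk-size lines, as http_get_line() would hand them over
     * with the CR LF already stripped. */
    const char *lines[] = { "1000", "10;ext=1", "0", "-1", "-8000",
                            "ffffffffffffffff", "zz" };
    const int bufsize = 4096;

    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        int64_t raw = chunk_size_as_parsed(lines[i]);
        printf("line=%-18s strtoll=%" PRId64 "  size->http_buf_read=%d  checked=%d\n",
               lines[i], raw, read_size_as_clamped(bufsize, raw),
               next_read_len(lines[i], bufsize));
    }
    return 0;
}
```

The lines `-1` and `-8000` are the interesting ones: the original path turns them into a negative `size` for `http_buf_read`, while the checked parse refuses them before any length is computed. The remaining analysis of how that negative length becomes a heap overflow is in the full article.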