MS08-067 Vulnerability Analysis and Reclaim

tags: Vulnerability replay experiment  Network space security  Safety  system security

A vulnerability recovery experiment made by a network space security professional student, if there is a mistake or improvement, please advise.

MS08-067 Vulnerability Analysis and Reclaim

content

MS08-067 Vulnerability Analysis and Reclaim

1 pre-knowledge

2 vulnerability

3 vulnerability code analysis

4 Metasploit attack module code brief analysis

5 resent

6 may encounter problems

6.1 Unable to control the target computer after the VNC in Meterpreter can only be monitored.


1 pre-knowledge

        SMB (Server Message Block, Server Message Block):A network file sharing protocol, which allows applications and end users to access file resources from the remote file server, which can be used for information communication between web links and clients and servers. This protocol provides Windows Remote File and Printer Sharing Network Services. SMB is used as an application layer protocol, running directly on the TCP 445 port.

MSRPC (Microsoft Remote Procedure Call, Microsoft Remote Procedure Call):It is a re-improvement and implementation of the DCE / RPC remote procedure to support Under Windows systems to support applications in the Windows system to call the procedure in the remote host on the remote host. Independently running on the network transport layer protocol, mainly using the SMB named pipe transfer protocol, using the SMB named pipe mechanism as an RPC's bearer transport protocol (MSRPC over SMB). The MSRPC is called a network interface that calls a large number of local service processes, and MSRPC over SMB is often utilized as a channel to attack the security vulnerabilities in the local service.

2 vulnerability

The MS08-067 vulnerability was exploded at the end of 2008, existing in various versions of Windows 2000 / XP / Server 2003 / Vista / Server 2008, and even the Windows 7 Beta in the test phase. When accessing a remote host using the MSRPC, Server service program calls netapi32.dll in NetPathCanonicalize path parameter function normalizes, NetPathCanonicalize function will call the subordinate function CanonicalizePathName path to organize, CanonicalizePathName function will call the subroutine ConPathMacros, and function in ConPathMacros There is a buffer overflow vulnerability.

Path standardization mainly includes two parts: "/" in the path string is converted to "\", remove relative path "\. \" And "\ .. \". The canonicalizePathname function will first traverse the path string, replace "\" to "\", this step is very simple, no problem, and the next step will call the ConpathMacros function to remove the relative path, the service program is here There is a logical vulnerability in the address space of the path string. When the attacker is carefully designed, it can remove the "\ .. \" string in the function to copy the contents of the path in the path string to the address space before the path string ( In the low address), the overlay function returns the address to perform any code.

3 vulnerability code analysis

The Vulnerability Function NetPathcanonicalize In Netapi32.dll, open the DLL file using the IDA Pro.

Press CTRL + F search function name directly in Function WINDOW, double-click the jump.

  

This function contains 6 parameters: PathName Storage requires a standardized path, OUBUF stores buffer, Outbufflen stores buffer length, and prefix is ​​an optional parameter (useful when pathname is relative path), the pathType storage path type, Flags is 0 (reserved parameters).

Press F5 to view the anti-compiled pseudo code. When Ourbuffle is not 0, the lower-level function canonpathname is really started to perform path string processing.

Double click on CanonPathName to jump, check the pseudo code, first have two lengths of length. Check if wcslen (pathprefix) exceeds 520.

Check if WCSLEN (PathName) + WCSLEN (PathPrefix) is more than 519, that is, the length of the PathName is limited.

The loop processing path will be converted to "\" to "\" to complete the first step.

Call the ConpathMacros function to handle the relative path.

Double-click the jump, see the pseudo code, can cause the overflow key code exist in the While loop.

It can generally determine the relative path processing steps as follows:

\abc\a\..\b  ===>  \abc\b

          ^ ^

          |  |

| + - current\Pointer (indicated by currentslash)

+--- previous one\Pointer (represented by prevslash)

When the function scans ".. \", the code will copy the data started by the Currentslash to the memory space starting at Prevslash. After the first copy, the FOR loop will reposition Prevslash as the start of the next copy. Location, by the FOR cycle can be known as: The current prevslash pointer minus 1 position, forward (low address direction) traversed until "\", the location is positioned after the Prevslash pointer is positioned, when Prevslash points to the PREVSLASH The location is the start address of the path buffer, the FOR cycle ends.

However, when the relative path string "\ *** \ .. \" appears at the beginning of a path, such as "\ *** \ .. \ a", prevslash points to the first "\", completed After copying the contents of the buffer into "\ a", then the for loop re-position prevslash begins: Prevslash first minus 1, directly cross the start position of the path buffer, one of the FOR cycle termination conditions "Prevslash point to the path The buffer start address "failed, Prevslash will travel to the low address direction until a" \ "is searched at the low address area. However, when the subsequent path string also contains a relative path, WCSCPY () is executed to copy the data of the currentslash point to the PREVSLASH point to the PREVSLASH, and the wcscpy () function returns.

If an attacker constructs a malicious path string, first trigger prevslash to go forward the path buffer, and fill in a special location in the low address area to point the prevslash point to it, then trigger the second relative path detection, execute the first Second WCSCPY () path replication, and at this time, the data started by CurrentsLash contains a malicious address, which points to a string shellcode, and the low address area "\" location can make the copy of this malicious address just overwritten The returning address of the second wcscpy () function call, so that the wcscpy () function returns, the jump to the malicious code is executed.

4 Metasploit attack module code brief analysis

View the MS08-067 Vulnerability Attack Module under the Metasploit framework of Kali.

The first is the module initialization section, which will tell us about the vulnerability and attack configuration. Such as: Module Description Description, tell us that the vulnerability occurs in the NetApi32.dll dynamic link library that occurs in the Server service call, which can bypass some of the NX mechanisms (not executable / DEP data execution protection), if It is not possible to set a Target correctly, may cause the Server service to crash. Generally, the Windows XP system has high power, while the Server 2003 system goal will crash or hang.

Reference References, that is, the vulnerability in each vulnerability library.

Default options DefaultOptiions, such as the way of exiting the thread, if the session exits.

Attack load parameters PayLoad, available space size, bad characters, and adjust the relevant options for stack spatial layout.

Target Targets, optional target operating systems, several key variables of different targets vary, such as returning the address in the stack, bypassed the code block address required by Nx.

 

Then the function function of each operation in the module.

The EXPLOIT function contains the entire process of penetration attacks. First create a TCP connection, then perform an SMB empty meeting. If the target system is specified, the relevant parameter value is given. If you select the automatic acquisition target mode, you will try to obtain the target system information through the SMB protocol session.

Start constructing malicious paths, first initializing some variables, such as filling string Pad, server name server, prefix prefix, path PATH, calling the REX library, the library provides clients and server capabilities, logging, logging, logging, such as supporting multiple protocols , Coding, input and some other useful classes.

Then, according to the difference in the target system, select the corresponding code to make the package operation, then generate the malicious path structure PATH, PATH consists of 8 parts: Start character "\", 100 A to Z random string, shellcode, trigger Two continuous relative paths "\ .. \ .. \", fill string Pad, Rop Stager, 2 random characters end "\ 0". That is to say, the malicious path is like: "\ ****** \ .. \ .. \ ***".

The final job is to interact with the remote server, and send the structured data. The RPC request is first initiated to the SMB port of the remote main sentence, and then constructs the previously prepared elements into a complete packet stub, and finally call the STUB as the contents of the RPC interface. Stub is a standard call clip header that complies with the NetPathCanonicalize structure, which will trigger the Server service area call path specification processing function NetPWPWPWPWPWTHCANONICALIZE.

5 resent

Attack end OS:Kali 2021.2

Attacker IP:192.168.197.129

Attack OS:Windows XP Professional SP3

Attacker IP:192.168.197.130

Try ping first, test network connectivity.

Use the NMAP to scan the vulnerabilities exist in the target host.

Scan to MS08-067 vulnerability.

Use NMAP to scan the target system fingerprint (need to ROOT permissions).

The target system is Windows XP SP2 or SP3.

Turn on Metasploit.

Find Using the MS08-067 vulnerability available Express and use.

View the configuration.

Payload METERPRETER Attack Loads specified by default, do not need to be filled, other items need to be fill in manually.

View an optional goal.

 

The system that has confirmed the target target machine is a Windows XP SP3 Chinese Simplified, that is, the 34th (other information can be required in the actual attack scenario, one test, or set to Automatic Targeting), set the target.

Set the target IP.

View the configuration again, confirm that the configuration information is set correctly.

Execute an attack.

When you just got a meterpreter shell, the shell is extremely fragile, it is easy to be closed, so you should bind the shell to a stable process of the target machine as soon as possible after the attack is successful. First use the PS command to see the process on which the target computer is running.

The Services.exe process of PID = 688 is a commonly used stable process, ready to bundle it on the process. View the PID of the current shell.

Process migration is performed using MIGRATE.

View the PID again to confirm if the migration is successful.

Next, a variety of attackers can be started, such as calling the target system CMD.

Remote control is implemented using VNC.

 

6 may encounter problems

6.1 Unable to control the target computer after the VNC in Meterpreter can only be monitored.

- Need to modify the configuration file VNC.RB

Add PAY.DATASTORE ['Viewonly'] = FALSE to the code segment below, and set "Only Monitor".

Press ESC to enter ": wq!" To save modifications and exit.

Intelligent Recommendation

#windowsxpsp3 system MS08-067 vulnerability test

#windowsxpsp3 system MS08-067 vulnerability test Vulnerability description The full name of the MS08-067 vulnerability is "Windows Server Service RPC Request Buffer Overflow Vulnerability". ...

MS08-067 vulnerability penetration attack process

lab environment kali linux2.0 win-xp sp3 Steps 1. Execute in the Kali Linux command line 2. Query MS08067 Vulnerability 3. Using Exploit / Windows / SMB / MS08_067_Netapi and view Options 4. Using Pay...

"Metasploit Penetration Testing Devil Training Camp" MS08-067 vulnerability recovery and analysis

"Metasploit Penetration Testing Devil Training Camp" MS08-067 vulnerability recovery and analysis Vulnerability restoration According to the method in the book, we restore this vulnerability...

[Vulnerability recurrence] MS08-067 classic remote overflow vulnerability recurrence

ms08-067 introduction The MS08-067 vulnerability will affect all Windows systems except Windows Server 2008 Core, including: Windows 2000/XP/Server 2003/Vista/Server 2008 versions, and even Windows 7 ...

MS08-067 Remote Overflow Vulnerability (CVE-2008-4250)

MS08-067 Remote Overflow Vulnerability   Brief description of the vulnerability principle The attacker uses the default open SMB service port 445 of the victim host to send a special RPC (Remote ...

More Recommendation

Using ms08-067 vulnerability to remotely control Windows XP

1. Find ms08-067: 2. Use: 3. Select the payload: (At the beginning, there is a difference between windows / shell / ... and windows / meterpreter / reverse_tpc) 4. View options (yes is required): 5. E...

The process of using metasploit (MSF) to exploit the ms08-067 vulnerability of windows

0x01 experimental environment Attack machine: kali linux ip:10.10.10.131 Target machine: windows server 2003 ip:10.10.10.130 0x02 configure exploit msf > use exploit/windows/smb/ms08_067_netapi&nbs...

Windows XP SP3 (MS08-067 Vulnerability Revision and Utilization)

Put the previous experiments and written in the note in the cloud, put it on the CSDN First, an experimental environment Target: Windows XP SP3 Professional (Close Windows self-contained firewall!!!) ...

Windows XP SP2 (MS08-067 vulnerability reappearance and utilization)

MS08-067 Vulnerability: It is a vulnerability in a remote process call (RPC) service. When calling the NetPathCanonicalize function in the SMB channel, the vulnerability is triggered, causing the use ...

MS08-067 (CVE-2008-4250) Remote command execution vulnerability

Articles directory Foreword Introduction Second, influence Third, vulnerability harm Fourth, local reproduction Five, patch number 6. Windows Server 2003 SP2 Chinese version Utilization method 7. Deep...

Copyright  DMCA © 2018-2026 - All Rights Reserved - www.programmersought.com  User Notice

Top