Reference documents:
http://www.garage4hackers.com/blogs/8/web-app-remote-code-execution-via-scripting-engines-part-1-local-exploits-php-0-day-394/
http://msdn.microsoft.com/en-us/library/bb159840.aspx
Preface:
I have been lurking for a long time. Recently there seemed to be no vulnerabilities to dig into, and I and other beginners could only wander around, until by chance I came across this vulnerability on a foreign-language blog. The cause of the bug and the way it is exploited are both relatively simple, so I used it to analyze and play around, and wrote up the result as this article in the hope of sharing it with beginners at my own level.
Analysis process:
The original blog post spends a lot of space on the types and history of PHP vulnerabilities and on how PHP interacts with the web server. If you are interested, follow the original link given above. Here we focus only on the vulnerability itself. First, let's look at a piece of PHP code:
The code above can be run with php.exe from the PHP directory; the result is that a Google page opens in Internet Explorer. What the code does is create an IEEventSink object, create an Internet Explorer COM object with new COM(...), and finally call com_event_sink() to wire the two together. To understand what these steps mean, here is the explanation of com_event_sink from the PHP manual:
From that text you can roughly see that the function connects a PHP object to a particular interface of a COM object. My English is poor, but the general idea is that the interface of the COM object is associated with the object created in PHP, so that the PHP code can take over some event messages or define some handlers. In the example, DWebBrowserEvents2 is associated with the object created from the IEEventSink class. The DWebBrowserEvents2 interface is mainly used to receive events raised by the browser control; for details see the references listed at the top, which I will not repeat here, because of all this only com_event_sink() is directly relevant to the vulnerability. After the explanation of the example code we know that the arguments passed to com_event_sink() are pointers to two objects plus a string. If either of those two "object" arguments is in fact an invalid pointer, does the function tolerate it? This question is the key to understanding the cause of the vulnerability. As the original article explains, the function does not effectively validate the object it is given, so if the value passed in is an invalid pointer it produces an error that cannot be recovered from: the interpreter crashes. We can construct the following code to test this:
Run it with php.exe from a command prompt and the program crashes. That is the first step reached. Now we can bring out a debugger to determine the crash address and the exact crash scenario; here I use Immunity Debugger.
After loading the file normally, click Run, and remember to untick the ignored exceptions in the debugger's options, otherwise the debugger will not break on the exception.
Once it runs, the debugger breaks. The address of the access violation turns out to be the value of the first argument we passed to com_event_sink() in the code. Then look at the registers: at this point EDI holds our third argument, that is, the pointer to the string. From the two figures we can see that in the code at 5a9c3bb1, the function address fetched through the bad pointer we passed in is used, and used in the obvious way: it is called. We can use the heap spraying (heap feng shui) method that is so often used in exploitation. To make heap spraying work we need to look carefully at the following lines of code:
8B76 18   mov esi, dword ptr ds:[esi+18]    ; esi = our first argument
8B16      mov edx, dword ptr ds:[esi]
          mov ecx, dword ptr ds:[edx+10]
          call ecx
From this code we can guess that the commonly used 0x0c0c0c0c heap-spray technique will work: spray the heap with a pointer value that points back into the sprayed region, so that every dereference in the chain yields the same value. The code is as follows:
On my Windows XP SP3 virtual machine the shellcode executes normally, and a lovely calculator pops up. You will notice that I am not using the usual 0x0c0c0c0c address in the code; as for why, try it yourself and you will understand. At this point the exploitation of the vulnerability is basically finished, but this method does not take full advantage of the conditions the vulnerability gives us: the fact that the pointer to the third argument sits in EDI has not been used at all. So here is a more ingenious version of the code:
The modified code is shown above. The main idea is to reach the shellcode through a springboard (trampoline): find an address holding an instruction such as JMP EDI, make CALL ECX land exactly on that springboard, and after the jump execution continues in our shellcode, which is the string that EDI points to. To use this method we need to spray the springboard address. Look at the code at the exception address again:
8B76 18   mov esi, dword ptr ds:[esi+18]    ; esi = our first argument
8B16      mov edx, dword ptr ds:[esi]
          mov ecx, dword ptr ds:[edx+10]
          call ecx
First ESI is the address we supplied; it is treated as a pointer and the value at offset 0x18 is loaded. That value is treated as a pointer again and the dword at it is loaded into EDX; then the dword at EDX+0x10 is loaded into ECX and called as a function pointer. To sort this out: we need two pointer values plus the springboard address that will jump to the shellcode. So we spray a pattern that combines a pointer value and the springboard address, and make the first pointer (the value we control from outside) point to a location whose chain of dereferences ends at the springboard address (this may be a little convoluted; please excuse my language skills!). In this way the shellcode can be reached. That completes the analysis of the cause and the exploitation of this vulnerability. However, the code above only works on Windows XP. The main reason is that DEP is enabled on Windows 7. The springboard address I use lies at a high address in the heap, and under DEP code in the heap cannot execute, but the exploit could be rebuilt with ROP. Building a ROP chain is relatively simple with the mona script, although it may be hard to find a module whose base address is stable enough to use.