Author: davy_yan [EST]
Source: Evil Octal China, http://www.eviloctal.com/forum/

This article is a little of my own experience with overflows. I hope you will offer your valuable corrections, and I hope it is of some help :)

I. Software vulnerabilities and buffer overflows

1. Prerequisite knowledge: (...) SEH (5) Debugging technology (6) Windows API development

2. Classification of software vulnerabilities
Logic vulnerabilities: for example, race conditions.
Coding vulnerabilities: for example, buffer overflow vulnerabilities and format string vulnerabilities.

In 1989, Spafford submitted a report analysing the technical details of the worm on the BSD version of UNIX running on VAX machines. It drew the attention of some security people to this research area, but only a few of them actually worked on it, and for the public there was no available material of academic value. Mudge of L0pht Heavy Industries wrote an article on how to exploit the libc/syslog buffer overflow on BSDI. The first article of real educational significance, however, was born in 1996, when Aleph One published in the underground a detailed description of the stack layout on Linux and of how to overflow a stack-based buffer. Aleph One's other contribution was to show how to write an exploit that spawns a shell and to give that code the name "shellcode", a term that has stuck even though it has lost its original meaning. The method is the one we still use: compile a simple C program that makes system calls, extract the assembly code with a debugger, and then modify that assembly code as needed. The code he gave works on x86/Linux, SPARC/Solaris and SPARC/SunOS. Inspired by Aleph One, a large number of articles appeared on the Internet explaining how to overflow buffers and how to write the exploit one wants. In 1997, Smith consolidated these articles and provided more detailed guidance on writing buffer overflow exploits for the various UNIX variants.
Smith also collected shellcode for various processor architectures, including the ones Aleph One had published as well as AIX and HP-UX. He also discussed some security properties of the *NIX operating systems, such as SUID programs, the Linux stack layout and function calls, and discussed secure programming, giving a list of dangerous functions and telling people how to replace them with safer code. Dildog of the Cult of the Dead Cow described in detail, on the Bugtraq mailing list, how to exploit overflows under Windows. The biggest contribution of that article was to propose using the stack pointer to complete the jump: the return address is overwritten with a fixed address, either in the program or in a dynamic link library, at which there is an instruction that jumps through the stack pointer. Dildog's method avoids the problem that the stack position is not fixed because of differences between processes and threads. Dildog also wrote another classic, The Tao of Windows Buffer Overflow.
The one who brought this work together was Dark Spyrit. In Phrack 55 (1999) he proposed the idea of using instructions inside the system's core DLLs to gain control, and with that, overflow exploitation under Windows took a substantive step forward. In 1999 Litchfield created a simple shellcode for the Windows NT platform. He discussed in detail the process memory and stack layout of Windows NT and stack-based buffer overflows, took Rasman.exe as his research example, and gave the assembly code for creating a local shell. In 1999 the w00w00 security group wrote a tutorial on heap-based buffer overflows, which opens: "Heap/BSS overflows are already quite common in today's applications, but very few are reported." It noted that the protections of the time, such as a non-executable stack, cannot prevent a heap overflow, and gave many examples. (The information above is from Xfocus.)

4. Classification of buffer overflow vulnerabilities
(1) Stack overflows and heap overflows
(2) Remote overflows and local overflows

II. Principles and causes of buffer overflows

1. System architecture
(1) Efficiency versus security: the higher the efficiency, the worse the security; a program's efficiency and its security are inversely proportional.
(2) Executable stack: on the most popular system, x86, the stack is executable.
(3) Subroutine call structure: when a function is called, its return address is saved on the stack, which introduces an unsafe factor into every function call.
(4) Stack growth direction: the stack grows downward.

2. Program design
(1) C/C++ is a relatively free programming language. With the popularity of UNIX, C once became the standard programming language; from operating systems to application software, more than 80% is written in C/C++.
(2) Unsafe library function calls, such as strcpy, strcat, strncpy and strncat.
(3) Operating system calls, such as vsprintf, WideCharToMultiByte and wsprintf under Windows.
(4) Programmer quality is insufficient. Most programmers have had no systematic training in secure programming, and there is no scientific method for such training either. Recommended reading: Writing Secure Code.

III. Exploiting buffer overflow vulnerabilities

1. Technical preparation
(1) Assembly language
Assembly language is the basis for exploiting buffer overflow vulnerabilities, and it is closely tied to the machine's hardware: the x86 instruction set differs from the SPARC instruction set, so the assembly languages of the two systems differ. Assembly language also follows the conventions of the operating system: the DOS/Windows family uses Intel's assembly syntax, while the *NIX family uses AT&T's. Since many programs released for Windows do not publish their source code, analysing a buffer overflow vulnerability mostly involves disassembly, that is, working out the program's algorithms, its structure and the causes of the vulnerability from the disassembled code. The technical term for this is reverse engineering. Recommended disassembler: IDA Pro, latest version 4.7, http://www.datarescue.com/. IDA Pro is an interactive, intelligent disassembler that runs under Windows and *NIX. It can analyse a function's parameters and the local variables the function uses, and even the call relationships between functions.
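The following C program is an added example and is not part of the original article. It illustrates items (3) and (4) of the system-architecture list and item (2) of the program-design list above: the saved return address sits just above a local buffer on the downward-growing stack, and strcpy, which has no idea how big the destination is, walks straight into it. To keep the demonstration deterministic it models the frame as a plain byte array instead of overflowing a real one; the buffer size, the saved-return value 0x00401000 and the inputs are all constructed for the example. The hardened copy next to it is the defensive replacement: measure first, reject what does not fit.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of one stack frame on 32-bit x86: a 16-byte local
 * buffer followed by the 4-byte saved return address. The stack grows
 * down, so the buffer sits at the lower address and an over-long copy
 * runs upward into the saved return address. */
#define BUF_SIZE   16
#define RET_SIZE   4
#define FRAME_SIZE (BUF_SIZE + RET_SIZE)

/* Constructed value standing in for the caller's return address. */
static const uint32_t SAVED_RET = 0x00401000u;

enum copy_result {
    COPY_OK = 0,        /* input accepted, saved return address untouched   */
    COPY_REJECTED = 1,  /* input too long, nothing written                  */
    COPY_CLOBBERED = 2  /* input "accepted" but the return slot was overwritten */
};

static void init_frame(unsigned char *frame) {
    memset(frame, 0, FRAME_SIZE);
    memcpy(frame + BUF_SIZE, &SAVED_RET, RET_SIZE);
}

/* Read back whatever now occupies the saved-return slot. */
static uint32_t saved_return(const unsigned char *frame) {
    uint32_t v;
    memcpy(&v, frame + BUF_SIZE, RET_SIZE);
    return v;
}

/* Vulnerable pattern named in the text: strcpy stops only at the NUL and
 * knows nothing about the size of the destination. */
static int copy_unchecked(unsigned char *frame, const char *input) {
    strcpy((char *)frame, input);
    return 0;
}

/* Hardened replacement: measure first, refuse anything that does not fit
 * together with its terminating NUL, and only then copy. Refusing is
 * safer than silent truncation, which produces its own bugs. */
static int copy_checked(unsigned char *frame, const char *input) {
    size_t n = strlen(input);
    if (n >= BUF_SIZE)
        return -1;
    memcpy(frame, input, n + 1);
    return 0;
}

/* Run one copy against a fresh frame and classify the outcome.
 * 'checked' selects the hardened copy. The frame carries extra slack so
 * this demonstration itself never writes out of bounds. */
enum copy_result run_copy(const char *input, int checked) {
    unsigned char frame[FRAME_SIZE + 64];
    init_frame(frame);
    int rc = checked ? copy_checked(frame, input) : copy_unchecked(frame, input);
    if (rc != 0)
        return COPY_REJECTED;
    return saved_return(frame) == SAVED_RET ? COPY_OK : COPY_CLOBBERED;
}

/* Value left in the saved-return slot after the copy (for inspection). */
uint32_t return_slot_after(const char *input, int checked) {
    unsigned char frame[FRAME_SIZE + 64];
    init_frame(frame);
    if (checked) copy_checked(frame, input); else copy_unchecked(frame, input);
    return saved_return(frame);
}

int main(void) {
    /* 20 bytes: 16 fill the buffer, the next 4 land on the return slot */
    const char *oversized = "AAAAAAAAAAAAAAAAAAAA";
    printf("unchecked, short input : %d\n", run_copy("short", 0));
    printf("unchecked, long input  : %d\n", run_copy(oversized, 0));
    printf("  return slot is now   : 0x%08x\n", return_slot_after(oversized, 0));
    printf("checked, long input    : %d\n", run_copy(oversized, 1));
    return 0;
}
```

The 0x41414141 that appears in the return slot after the unchecked copy is exactly the kind of EIP value the debugging section later tells you to look for in a crash report: four bytes of the input, now being used as an address.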
(2) Debugging technology
While debugging a vulnerability, the program has to be controlled in real time, and what to do next is decided from what the program has just executed. Choose a debugger according to your preference or your task: SoftICE, WinDbg, OllyDbg, or the debugger built into VC6.0. SoftICE is powerful and suited to cracking and to analysing the operating system, but it is inconvenient to use and its interface is unfriendly. WinDbg is the system and application debugger developed by Microsoft; it is compact, powerful, has a friendly interface and integrates well with the system. OllyDbg is an application debugger. Kinds of breakpoints:
a. on an instruction;
b. on a memory region;
c. on a specific interrupt;
d. on I/O;
e. under Windows, on an API function, that is, on the call.
It is fair to say that the key technology for working on vulnerabilities is debugging, and the focus of debugging is placing breakpoints. For example, when exploiting the 04011 vulnerability, the analysis tells us that the overflow writes several strings to a log file, from which we can guess that it calls the CreateFile and WriteFile functions. Or, when exploiting the Office over-long macro name overflow, all we know is that something goes wrong while the macro name is being copied, so consider the steps Word goes through: open the Word file, create the file, create a memory mapping of the file, and so on. Once we have intercepted the call that creates the file, we look for the macro name in memory and set a memory breakpoint on it; when the program copies the macro name it breaks, and from there we can find the overflow point. Many professional software security organisations use debuggers of their own; Windows provides a user-mode debugging interface so that users can develop their own debuggers.
Debugging technology is also used for discovering software vulnerabilities.

(3) Windows structured exception handling (SEH)
SEH is the program error handling mechanism under Windows. Windows 95, Windows 98 and Windows 2000 (formerly Windows NT) support a reliable exception handling method called structured exception handling, which involves cooperation with the operating system and has direct support in programming languages; for example, the try {} catch {} syntax in C++ is compiled into SEH. The SEH structure is a linked list in which every node represents an exception handler. The head of the list is at FS:[0], where FS is the segment register used for exception handling; FS:[0] lies at 0x7Fxxxxxx and is writable. Constructing an SEH record:

    push offset ErrHandler
    push fs:[0]
    mov fs:[0], esp

2. Exploiting stack overflows
The stack overflow is one kind of buffer overflow vulnerability, and a relatively common one. Its principle is to use the buffer overflow to overwrite the return address saved by the function call, so that the program can be controlled when the function returns.

(1) Collecting material and constructing the overflow program
The first step is to collect information. The BugTraq and CVE vulnerability lists are very useful databases. When collecting information, gather the most original data from the reporting person or organisation as far as possible.
http://www.k-otik.com/bugtraq/
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=can-2004-0892
Some vulnerabilities have no detailed description; with our current capabilities, or the current capabilities of domestic security circles, nothing can be done about such a vulnerability. The second step is to reproduce the vulnerability according to its description. Analyse the vulnerability description and the other material collected in detail and reproduce the vulnerability. When reproducing it, pay attention to the operating system type, the patch version and the software environment.
For example: does the system have to be Win2000 or XP, is the patch level SP4 or lower, and which version and patch level of the application software is it? Some language versions of the operating system do not clearly show the current patch version, in which case it can be obtained in other ways, for example from key files such as NTDLL.DLL and their modification dates. In general, the size of NTDLL.DLL grows with every patch upgrade.

(2) Analysing the overflow conditions
The overflow of every vulnerability is different and has to be analysed case by case. When analysing an overflow, however, take care to collect the related error messages, including the value of EIP and the reason for the error. For example, when analysing the Office macro overflow vulnerability, once the vulnerability is triggered the program reports a memory access error: "The instruction at 0xAAAAAAAA referenced memory at 0xBBBBBBBB. The memory could not be read." From this message we can judge that the program has overflowed. Analysing 0xAAAAAAAA, we find that it is an address range that cannot possibly contain instructions, so we search the Word document for the binary value of 0xAAAAAAAA (generally by its high 3 bytes, because the overflow may have jumped into the middle of a complete instruction and executed several instructions before faulting). Once found, change it to another value and run again; if EIP now holds the changed value, the position of the overflow's return address has been determined. Of course, the actual situation may be more complicated; this is only a provisional approach.
(3) Controlling the program flow
Because of the uncertainty of the stack space, the stack address differs from run to run, so the overflow cannot jump directly to the stack. The current ESP, however, points to stack space that lies within the area we control, so the overflow can return to a "JMP ESP" or "CALL ESP" instruction and use that jump to reach the shellcode. In general, how universal a stack overflow is depends on having a universal address for the JMP ESP instruction. Many language versions of 2000 and XP have a universal JMP ESP address, but none has been found for the English and Korean versions; for these two language versions, the overflow has to be targeted. Note the distinction between exploitable and non-exploitable overflows: some vulnerabilities access variables that have already been overwritten after the overflow, so the program faults before it returns and cannot be exploited.

3. Exploiting heap overflows
There are now more and more heap overflow vulnerabilities, and there is no fixed exploitation method; in general, SEH is used. The heap management structure is a doubly linked list, as follows:

[diagram of the heap's doubly linked list structure omitted]

When the heap overflows, it overwrites the heap management structure, and when the system frees or allocates again an error results; this is the heap overflow. There are generally two ways to exploit it: during heap free, or during the next heap allocation. In heap allocation the operation is:

    mov [eax], ecx
    mov [ecx+4], eax

where the values of EAX and ECX can both be controlled. In effect we can therefore control any 4-byte value in the current system, and these 4 bytes are used for the exploitation. With these 4 bytes, the export table entry of a commonly used function can be rewritten, or a node of the SEH chain can be rewritten and SEH used; the SEH route is the more effective. The JPEG vulnerability belongs to the heap overflow class.
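The following C program is an added example, not code from the original article or from any allocator. It models the two-write unlink described above as a C list operation, shows how an overwritten link turns it into a write to an address the allocator never intended, and places beside it the safe-unlinking check that Windows XP SP2 and glibc later adopted: verify that both neighbours still point back at the entry before dereferencing the links. The list nodes, the list itself and the corruption are all constructed for the example; the `target` node stands in for whatever memory the overwritten link points at.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a heap free-list entry: the doubly linked list
 * described in the text, with a forward and a backward link. */
typedef struct node {
    struct node *flink;
    struct node *blink;
} node_t;

/* The two writes quoted in the text, in C:
 *     mov [eax], ecx     ->  n->blink->flink = n->flink
 *     mov [ecx+4], eax   ->  n->flink->blink = n->blink
 * If an overflow has replaced n->flink and n->blink, "eax" and "ecx"
 * are attacker-chosen and the writes land wherever the links point. */
void unlink_unchecked(node_t *n) {
    n->blink->flink = n->flink;
    n->flink->blink = n->blink;
}

/* Safe unlinking: before dereferencing the links, require that both
 * neighbours still point back at n. A corrupted entry fails the check
 * and no write is performed. (A model of the check later allocators
 * added, not any allocator's actual code.) */
int unlink_checked(node_t *n) {
    if (n->flink->blink != n || n->blink->flink != n)
        return -1;
    n->blink->flink = n->flink;
    n->flink->blink = n->blink;
    return 0;
}

/* Build the constructed circular list head <-> a <-> b <-> c <-> head. */
static void build_list(node_t *head, node_t *a, node_t *b, node_t *c) {
    head->flink = a; head->blink = c;
    a->flink = b;    a->blink = head;
    b->flink = c;    b->blink = a;
    c->flink = head; c->blink = b;
}

/* Intact list: either version removes b, after which a links straight
 * to c and c back to a. Returns 0 on success. */
int demo_intact(int checked) {
    node_t head, a, b, c;
    build_list(&head, &a, &b, &c);
    if (checked) {
        if (unlink_checked(&b) != 0) return -1;
    } else {
        unlink_unchecked(&b);
    }
    return (a.flink == &c && c.blink == &a) ? 0 : -2;
}

/* Corrupted list: b's forward link has been overwritten (as an overflow
 * from a into b's header would do) to point at 'target', a location the
 * allocator never meant to touch. The checked unlink refuses (-1). */
int demo_corrupted_checked(void) {
    node_t head, a, b, c, target = {NULL, NULL};
    build_list(&head, &a, &b, &c);
    b.flink = &target;              /* simulated overflow damage */
    return unlink_checked(&b);
}

/* Same corruption through the unchecked path: returns 1 if 'target' was
 * written to, i.e. the controlled write the text describes took place. */
int demo_corrupted_unchecked(void) {
    node_t head, a, b, c, target = {NULL, NULL};
    build_list(&head, &a, &b, &c);
    b.flink = &target;              /* simulated overflow damage */
    unlink_unchecked(&b);
    return target.blink == &a;
}

int main(void) {
    printf("intact, unchecked     : %d\n", demo_intact(0));
    printf("intact, checked       : %d\n", demo_intact(1));
    printf("corrupted, unchecked  : target written = %d\n", demo_corrupted_unchecked());
    printf("corrupted, checked    : %d (refused)\n", demo_corrupted_checked());
    return 0;
}
```

The check costs two loads and two compares per unlink, which is why it was affordable to add to production allocators, and it is the reason the plain unlink write described in the text stopped working against later Windows releases.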
According to the analysis, the environment of the JPEG vulnerability under Word is fixed: the SEH structure is at a fixed position at the time of the overflow, and ESI points into the original heap, a location we control, so the 4-byte overwrite is used to change the handler function of the SEH record to a CALL [ESI+48] instruction. Because all registers have changed by the time the exception handler is entered, the original value of ESI is found at [ESP+48]. Heap overflows are more flexible and there are many exploitation methods, but in general they are less universal and come with more restrictive conditions. Reference: http://www.w00w00.org/files/articles/heaptut.txt

4. How to write shellcode

1. Write shellcode according to your needs
Write the shellcode that your task requires: for example, download a trojan, bind a trojan to a port, return a shell, or upload a trojan and execute it.

2. Write shellcode in Win32 assembly
Nowadays shellcode is usually written in Win32 assembly or in C. Writing it in assembly language is relatively simple and easier to keep under control, whereas a compiler generally does not respect the structure of the source program and optimises too much. First, shellcode has to solve the problem of locating itself. On x86, access to the data segment uses absolute addressing, so the data addresses that were valid when the shellcode was written cannot be used once it runs somewhere else. The following statements find the location at which the shellcode is currently running:

    call @f
@@: pop ebx
    sub ebx, offset @b

where offset @b is fixed at assembly time. Data is then accessed in the form [ebx + _TestData], where _TestData is also an address fixed at assembly time. Second, the shellcode must determine the address of kernel32.dll on the current system, and then look up the addresses of the functions it needs in the export table of kernel32.dll.
There are many ways to locate kernel32.dll; the most effective is to use the TEB/PEB of the current process, and another is to search the process's address space starting from the shellcode's own start address. Getting the base address of kernel32.dll:

    assume fs:nothing
    mov eax, fs:[30h]
    mov eax, [eax+0Ch]
    mov esi, [eax+1Ch]
    lodsd
    mov edx, [eax+8h]    ; edx is the base address of kernel32.dll
    mov @hModule, edx

Getting the addresses of GetProcAddress, LoadLibrary and GetModuleHandle: once the base address of kernel32.dll is known, the function addresses can be obtained by searching the DLL's export table. See the example shellcode for the specific method.

3. Extracting the shellcode
After the shellcode has been written inside a program, it has to be extracted from that program and, after encoding, used in the overflow program. One thing to watch here is that some vulnerabilities place special requirements on the shellcode, for example that it contain no 0 bytes, or no 0xFF bytes, and so on. In that case the shellcode must first be encoded into a form that meets the requirement, and a decoder written in front of it. After the overflow, the decoder runs first, restores the shellcode to normal instructions, and then executes it.
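The following C program is an added example from the defender's side and is not part of the original article. It scans a byte buffer for the two machine-code patterns the section above just showed, the call/pop self-location sequence and the fs:[30h] PEB read at the start of the kernel32 lookup, which is the kind of signature an intrusion detection rule or a payload emulator applies to network data and file contents. The signature bytes are the standard x86 encodings of those instructions; the three sample buffers are constructed for the example, and the sub ebx immediate in the second sample is a placeholder.

```c
#include <stddef.h>
#include <stdio.h>

/* Bit flags returned by the scanner. */
#define MARK_GETPC 1u   /* call $+5 ; pop r32 : the self-location sequence  */
#define MARK_PEB   2u   /* mov r32, fs:[30h]  : the PEB read of the kernel32 lookup */

/* Scan 'len' bytes for the two x86 patterns. Returns a bitmask of the
 * markers found; 'first' (may be NULL) receives the offset of the
 * earliest hit. Encodings matched:
 *   E8 00 00 00 00 58+r      call to the next instruction, then pop into a register
 *   64 A1 30 00 00 00        mov eax, fs:[30h]  (moffs32 form)
 *   64 8B /r 30 00 00 00     mov r32, fs:[30h]  (modrm with mod=00, rm=101) */
unsigned scan_markers(const unsigned char *buf, size_t len, size_t *first) {
    unsigned found = 0;
    int have_first = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned hit = 0;
        if (i + 6 <= len && buf[i] == 0xE8 &&
            buf[i+1] == 0 && buf[i+2] == 0 && buf[i+3] == 0 && buf[i+4] == 0 &&
            buf[i+5] >= 0x58 && buf[i+5] <= 0x5F)
            hit = MARK_GETPC;
        else if (i + 6 <= len && buf[i] == 0x64 && buf[i+1] == 0xA1 &&
                 buf[i+2] == 0x30 && buf[i+3] == 0 && buf[i+4] == 0 && buf[i+5] == 0)
            hit = MARK_PEB;
        else if (i + 7 <= len && buf[i] == 0x64 && buf[i+1] == 0x8B &&
                 (buf[i+2] & 0xC7) == 0x05 &&
                 buf[i+3] == 0x30 && buf[i+4] == 0 && buf[i+5] == 0 && buf[i+6] == 0)
            hit = MARK_PEB;
        if (hit) {
            if (!have_first) { if (first) *first = i; have_first = 1; }
            found |= hit;
        }
    }
    return found;
}

/* Constructed samples. */
static const unsigned char sample_text[] = "GET /index.html HTTP/1.0\r\n";
static const unsigned char sample_getpc[] = {
    0x90, 0x90,                           /* nop padding                      */
    0xE8, 0x00, 0x00, 0x00, 0x00,         /* call @f                          */
    0x5B,                                 /* @@: pop ebx                      */
    0x81, 0xEB, 0x00, 0x00, 0x00, 0x00    /* sub ebx, imm32 (placeholder)     */
};
static const unsigned char sample_peb[] = {
    0x64, 0xA1, 0x30, 0x00, 0x00, 0x00,   /* mov eax, fs:[30h]                */
    0x8B, 0x40, 0x0C                      /* mov eax, [eax+0Ch]               */
};

unsigned scan_text(void)  { return scan_markers(sample_text, sizeof sample_text - 1, NULL); }
unsigned scan_getpc(void) { return scan_markers(sample_getpc, sizeof sample_getpc, NULL); }
unsigned scan_peb(void)   { return scan_markers(sample_peb, sizeof sample_peb, NULL); }

/* Offset of the first hit in the call/pop sample (the nop padding is skipped). */
size_t getpc_offset(void) {
    size_t off = 0;
    scan_markers(sample_getpc, sizeof sample_getpc, &off);
    return off;
}

int main(void) {
    printf("text   : mask %u\n", scan_text());
    printf("getpc  : mask %u at offset %zu\n", scan_getpc(), getpc_offset());
    printf("peb    : mask %u\n", scan_peb());
    return 0;
}
```

Such byte signatures only see what is left unencoded: once a payload has been run through the encoding step described above, the scanner is looking at the decoder stub rather than the body, and a pattern like E8 00 00 00 00 cannot survive a no-zero-bytes requirement in the first place. They are therefore a cheap first filter, paired in practice with emulation or behavioural detection rather than relied on alone.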

