Author: F. Zh
= Ph4nt0m Security Team =
Issue 0x01, Phile #0x03 of 0x06
| = --------------------------------------------------------------------------- = |
| = --------------------- = [Be a good carpenter] = --------------------- = |
| = --------------------------------------------------------------------------- = |
| = --------------------------------------------------------------------------- = |
| = -------------------- = [By F. Zh] = -------------------- = |
| = --------------------------------------------------------------------------- = |
| = --------------------------------------------------------------------------- = |
[Some of the content in this article may hurt the feelings of certain celebrity fans. The author says it is only meant as light-hearted teasing and carries no malice.]
A figure elsewhere describes the process from discovering a vulnerability to making a profit from it. Roughly: a researcher finds a hole in a house, a carpenter builds a ladder up to the hole, and finally the script kiddies climb into the house to steal things. In domestic circles, most hobbyist security enthusiasts do not want to be script kiddies, but they also do not have enough time to find holes in houses themselves, so they basically do carpentry in their spare time. Carpenters, however, come in many grades: there are masters of the Zhu Xi school and of Lu Ban, and there are those who can only make a nanmu coffin for the landlord's old-money household. As carpenters with professional ethics, we should clearly try our best to move closer to the former, because being able to make only nanmu coffins is too disappointing.
This article starts from a popular-science competition held on a well-known Chinese cracking forum, where a nanmu-coffin-grade carpenter struggles to introduce what little skill he has. Before getting to the topic, some background on the competition and its result: it shows that Windows vulnerabilities have become so valuable that cracking groups have started doing reverse engineering and exploitation, and the competition also drew the attention of non-carpenters. The competition had two questions; as Sowhat said (http://hi.baidu.com/secway/blog/item/cb121863a6af72640c33facf.html), the second could be found on Google and the first was obviously a giveaway, so the competition was really a race of speed. In the end, nop took first place. The name is reminiscent of the colours of Labour Day and of revolutionary martyrs. Of course we still hold great admiration and high hopes, and hope this nop is not a professional athlete competing in an amateur event.
First, look at the problematic program. Reversing it is very simple, but for convenience the officially published source code is given directly. A carpenter with a serious masochistic streak can compile it and reverse it with IDA, bringing his own low-temperature candle and little leather whip.
======================================== A harmonious split line ========================================
#include <iostream>
#include <cstring>
#include <cstdlib>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
using namespace std;

void msg_display(char *buf)
{
    char msg[200];
    strcpy(msg, buf);       // overflow here: copies up to 0x200 bytes into 200
    cout << "*********************" << endl;
    cout << "received:" << endl;
    cout << msg << endl;
}

int main()
{
    int sock, msgsock, lenth, receive_len;
    struct sockaddr_in sock_server, sock_client;
    char buf[0x200];        // note: 0x200 == 512, not 200
    WSADATA wsa;

    WSAStartup(MAKEWORD(1, 1), &wsa);
    if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
    {
        cout << sock << "socket creating error!" << endl;
        exit(1);
    }
    sock_server.sin_family = AF_INET;
    sock_server.sin_port = htons(7777);
    sock_server.sin_addr.s_addr = htonl(INADDR_ANY);
    if (bind(sock, (struct sockaddr *)&sock_server, sizeof(sock_server)))
    {
        cout << "binding stream socket error!" << endl;
    }
    cout << "**************************************" << endl;
    cout << "exploit target server 1.0" << endl;
    cout << "**************************************" << endl;
    listen(sock, 4);
    lenth = sizeof(struct sockaddr);
    do {
        msgsock = accept(sock, (struct sockaddr *)&sock_client, (int *)&lenth);
        if (msgsock == -1)
        {
            cout << "accept error!" << endl;
            break;
        }
        else
            do
            {
                memset(buf, 0, sizeof(buf));
                if ((receive_len = recv(msgsock, buf, sizeof(buf), 0)) < 0)
                {
                    cout << "reading stream message error!" << endl;
                    receive_len = 0;
                }
                msg_display(buf);   // triggers the overflow
            } while (receive_len);
        closesocket(msgsock);
    } while (1);
    WSACleanup();
    return 0;
}
======================================== A harmonious split line ========================================
As the comment says, 0x200 bytes are mistakenly copied into a 200-byte string. This bug is actually not representative: Uncle Bill's staff miss widechar lengths, free stack variables as if they were heap, and hand address contents over to the user; the only thing they do not do is confuse hexadecimal with decimal. Since the organizer wrote it this way, though, let's take a look. In fact, after reversing it, you can overwrite ret in the template fashion, then find a jmp esp in the code page, and an exploit comes easily. Although the shadow of this method can be seen in the champion's answer, the nanmu-coffin-grade carpenter still has to wave the saw in his hand and say that this level is only good for making a wash basin.
Well, let's take a step-by-step look at how far we can move from the footbath level toward the nanmu coffin level, and look forward to something higher.
The first thing is to obtain control of the CPU.
In an issue of Phrack, dark spyrit proposed using instruction bytes in a DLL loaded by the system to jump to and gain control. There is a premise here: by coincidence, after you overwrite a lot of things, esp points to data you control once ret has been popped, so a jmp esp can be used to jump there and execute, and the rest is writing shellcode. But that does not mean this is the only method, or that it is the best one. dark spyrit's greatest contribution was to propose a general method. Like Marxism-Leninism, Mao Zedong Thought, Deng Xiaoping Theory, the Three Represents and the Eight Honours and Eight Shames, it may be a perfect truth, but in China one still has to combine it with the specific national conditions. Run jmp esp on a machine: what do you do about different operating system versions and /3GB mode? The method can tell men from women, but it may run into a Super Girl champion: if you do not know the name beforehand and only look at the appearance, are you sure you want to go ahead?
Therefore, when building the ladder, it is best to go by the actual situation. Generally, if the stack overflow does not do serious damage to the stack, many local variables of the upper-level (calling) functions can be seen in the stack area, and these local variables are often very useful, for example the pointer to your string. The idea of using variables on the stack has several advantages. First, you can use other, more stable ways to jump to the beginning of the malicious string. Second, it gives you more bytes in which to store shellcode. Finally, it can evade some IDS/IPS detection. The following simple diagram illustrates the three advantages.
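As an added example (not part of the original article or the competition's code), here is the defender's view of the same bug in portable C: a bounded replacement for msg_display that copes with recv() data that is not NUL-terminated, next to a check that says in numbers when the original strcpy(msg, buf) overruns the 200-byte local buffer. The names msg_display_safe and would_overflow are mine, as is the constructed 0x200-byte sample input.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MSG_LEN  200     /* msg[200] in the competition's msg_display  */
#define RECV_LEN 0x200   /* buf[0x200] in main: 512 bytes, not 200     */

/* Would the original strcpy(msg, buf) overrun msg?  A payload of
 * payload_len bytes needs payload_len + 1 bytes once the NUL is counted. */
int would_overflow(size_t payload_len)
{
    return payload_len + 1 > MSG_LEN;
}

/* Hardened replacement (hypothetical name) for msg_display: the copy is
 * bounded by the destination size, and the source is scanned only up to
 * buf_len because recv() does not guarantee a terminating NUL.
 * Returns 1 if the whole message fit, 0 if it had to be truncated. */
int msg_display_safe(const char *buf, size_t buf_len, char *out, size_t out_len)
{
    size_t n = 0;
    int fit;
    if (out_len == 0)
        return 0;
    while (n < buf_len && buf[n] != '\0')   /* bounded strlen */
        n++;
    fit = n < out_len;
    if (!fit)
        n = out_len - 1;                    /* leave room for the NUL */
    memcpy(out, buf, n);
    out[n] = '\0';
    return fit;
}

int main(void)
{
    /* Constructed sample: a receive buffer completely filled with 'A',
     * the same shape as a message that fills buf in the vulnerable server. */
    char recv_buf[RECV_LEN];
    char msg[MSG_LEN];
    memset(recv_buf, 'A', sizeof recv_buf);  /* deliberately no NUL */
    printf("512-byte payload overflows msg: %d\n", would_overflow(RECV_LEN));
    printf("safe copy fit: %d, shown: %zu bytes\n",
           msg_display_safe(recv_buf, sizeof recv_buf, msg, sizeof msg),
           strlen(msg));
    return 0;
}
```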
<-- lower                                              higher -->
==================================================================
var of vulnerable function | ret     | var of upper function ...
==================================================================
NOP                        | jmp esp | shellcode
==================================================================
shellcode                  | jmp ?   | var of upper function
==================================================================
The second row is the Marxism-Leninism method. You will certainly overwrite ret, and then keep overwriting at least 2 more bytes (an eb xx that jumps back). So the signatures of some IDS/IPS are written accordingly: if you exceed xxoo bytes, the message is blocked. Even a badly written signature will at least check whether you have overwritten the four bytes of ret, and some stricter ones, even if you have covered ret
In that case the Marxism-Leninism method is certainly dead. The specific-national-conditions method in the third row, however, has a chance to escape detection: we do not need to overwrite the four bytes of ret at all; we only need to use the variables on the stack to find some specific bytecode.
Here we can also digress to one thing. The .ani overflow exploit that leaked in May amazed everyone by overwriting only the lower two bytes. This is a good example: first, it does the job with the smallest number of bytes, avoiding IDS and similar problems as far as possible; second, the method's stability is good. Said like this it is very abstract, so let's go back to the competition's code.
When msg_display is called, one parameter is passed in. On the stack, this parameter sits immediately after the return address. If we overwrite only the return address, then when the CPU finishes msg_display and returns, esp points exactly at this parameter. At that point you only need an address that achieves the effect of jmp [esp] to jump precisely to the input string, and obviously the best instruction meeting this condition is 0xC3 (ret). The figure below illustrates the point.
<-- lower                                                        higher -->
===========================================================================
var of vulnerable function | ret | ptr | other var of upper function ...
===========================================================================
                                   |       ^
                                   +-------+   (ptr points at the string)
In the figure, ret is overwritten with an address A whose content is 0xC3. When msg_display returns, it returns to address A and executes the 0xC3 (ret) instruction once more, so eip jumps to the beginning of the string.
The situation here is quite simple. In real exploitation, the ptr may be some distance away from ret, and you may need to pop several times first. This form is the same as the one used when overwriting SEH, which is a coincidence.
Then let's look for an address containing 0xC3. First of all, if you want to overwrite the four bytes of ret completely, there is no universal place. msvcrt.dll is relatively fixed across different language versions of the same service pack, and the code page is relatively fixed across different system versions of the same language. Note that this is only relative: in some special cases these common addresses may be invalid. More strictly, if the address must comply with