Easily rewrite jmp esp to jmp ebx

Reprinted: Q version hacker overflow tutorial

I am writing this article, hoping to give some help to cainiao who want to learn about Buffer Overflow just like me, because no such articles have been found yet. First, we will introduce two methods of using Stack Overflow-jmp esp and jmp ebx. Next, we will explain the simple method of conversion. Finally, we will give two practical examples, write isno. printer uses code and flashsky to write RPC code into jmp ebx, in order to achieve the unity of the full version of win2000 sp0-sp4 !!
TIPS: About jmp esp and jmp ebx. In overflow, we construct too long data to overwrite the original content in the system, and then try to jump to the program we want to execute. The most typical jump method here is jmp esp and jmp ebx-somewhere, the original system content is the address of jmp esp or jmp ebx, in this way, we can jump to the program we want to execute. Of course, the program we want to execute is also written by ourselves, usually called ShellCode. For more information about the redirection principle, see the following analysis.
I. Using JMP ESP
The usage format is NNNNNNRSSSSS. Here N = NOP, R = RET (jmp esp address), S = ShellCode. It is to overwrite the buffer to NOP (empty command, do nothing) until the original EIP location, we fill in the jmp esp address in a core dll in the system, followed by our ShellCode.
Why is this method executed to ShellCode? Under normal circumstances, when the function returns, execute the RET command, which is equal to the pop eip and restores the EIP value of the original program to complete the interrupt return. But here, we overwrite the saved EIP value and rewrite it to the jmp esp address. In this way, after pop eip, EIP = jmp esp address, and the stack pointer ESP will go down and point to the beginning of ShellCode. The program continues to run. In this case, the content in the EIP is jmp esp. When the system executes jmp esp, it just jumps to the location of our ShellCode.
TIPS: push and pop. A stack is a data structure that follows the rule of "first-in-first-out, later-in-first-out". Just like we usually fold a plate, it can be obtained only after it is placed below, the last put is obtained first. In the operating system, the SAVE and fetch actions are push and pop. Push put a piece of data into the stack, and Pop retrieves the data from the stack.
If ShellCode is a port, we can connect it remotely. If ShellCode is downloaded and executed, we can have the target machine upload and download files on the webpage and execute them ...... You can implement all the functions you want. ShellCode will be discussed later. Here, let's take a look at what we care about,
Ii. Using JMP EBX
The Exploitation format is nnnnn jessssss. Here N = NOP, J = Jmp 04, E = jmp ebx address, S = ShellCode.
Here, the location of J and E is the key. E is the entrance location for error handling, and J is in front of it.
In the first method, we know to overwrite the returned address to another address. But what if it is an invalid address? The data pointed to here may not be readable or executed. What will happen? As a matter of fact, I believe everyone has encountered this problem, that is, the system will pop up a dialog box with an error, and we click OK to terminate the operation.
This is because, as a system-level program, there is a sound internal error handling mechanism. To put it simply, if an error occurs during running, windows will jump to a specific place to handle the error, corresponding to different errors, and execute different code. The Code executed above is an error in the pop-up dialog box.
Therefore, we intentionally overwrite the returned address into an incorrect address. In this case, windows will jump to the error handling portal, and ebx points to the first four bytes of the portal! So we will overwrite the error entry to the jmp ebx address and jump to the first four bytes. How can we jump to ShellCode? Here we write jmp 04, haha, jump 4 bytes later, just skip the overwrite value to reach our ShellCode!
Iii. Converting jmp esp to JMP EBX
1. Why should we consider converting jmp esp to jmp ebx?
In fact, the biggest benefit is that jmp esp is different in various systems and patch versions, which may cause different systems to be unavailable; jmp ebx has a common address for all versions of NT/2000/XP/2003! So cool! ShellCode can be written into a common version. As long as the vulnerability's entry address is in the same position, it can be truly universal !! Imagine how pleasant it was!
However, in practice, there are a lot of expoit, but the jmp esp method is used, for example, written by isno. the printer Vulnerability exploit, And the RPC written by flashsky remotely overflows exploit, which can cause problems. Especially for RPC, if the address is incorrect, the RPC service will crash, in this way, the address cannot be changed for another attack. You must wait until the other party restarts before trying again. In this way, even if you know that the other party is a 2000 system, if you are not lucky, you may have to try five times before you can succeed (sp0-sp4 )....
If a general version is available, you can make sure that the system is successful no matter what the other party is!
2. How to convert jmp esp to jmp ebx?
The methods used by the ox are intuitive and clear, and of course the technical content is relatively high. They generally use the tool attach for problematic services, disassembly, and tracking. Locate the problematic point, and then locate the exception handling entry for the service. Directly analyzes the length of the exception handling entry point from the overflow point, so that jmp esp and jmp ebx can be used.
This method is still difficult for cainiao. Both tracking and computing length require profound experience and technology. No skill is required, and it is a manifestation of strength.
So there is no simple way to use it?
The answer is NO!
After my own experiments, I found a relatively simple method (compared with direct analysis service) to improve the existing jmp esp Method to the jmp ebx method. The idea is to first use the jmp esp attack program to keep up with "xebxfe" after the jmp esp code. This sentence is jmp-1. After a simulated attack is implemented and softice is called up on the attacked machine, the system will find that the attack stops at "xebxfe. In this case, we can check its fs: 0000 value, which stores the exception handling entry address! At this time, we can calculate the distance from the current value to easily know how much data needs to be filled to reach the exception handling portal.
Knowledge: SoftICE: the most important thing in dynamic analysis is the debugger, which can be divided into user mode and kernel mode. User Mode refers to the applications used to debug user mode. They work at the Ring Level 3, such as Visual C ++ and other built-in debugger of the compiler. The kernel mode debugger refers to the debugger that can debug the operating system kernel. It is located between the CPU and the operating system and works at the Ring Level 0, such as SofrICE. SoftICE is a product of Compuwar numbench. Is currently recognized as the best system-level debugging tool! Excellent compatibility and stability. You can debug various applications and device drivers at the source code level, or use RCP/IP connection for remote debugging.
The following are two examples of actual rewriting.
Iv. Actual printer and RPC exploit
1. exploit rewriting of the printer Vulnerability
The. printer vulnerability is old. It is a vulnerability in IIS servers of win2000 sp0 and sp1. Rewrite it mainly to explain the method.
Call up exploit in jmp esp mode written by isno (see the source code attached ). After analysis, we know that the vulnerability exploitation is
GET http: // AA ..... AAAAAESSSSSSSSSS/null. printer? X HTTP/1.0
|... 268... |
That is, after filling 268 A, it reaches the return address. Overwrite it to the address of E = jmp esp, And you can jump to our shellcode and execute it.
How to rewrite it?
It's just using our ideas!
Add "xebxfe" after E = jmp esp, attack our simulator, and open softice on the simulator. Haha, we can see that it stops at 0172f3e0, "0172f3e0 ebfe jmp 0172f3e0", followed by our original ShellCode. In this way, we enter the internal environment.
Find the exception entry address, D fs: 00. The result is 0x0172f428 in fs: 0. Haha. This is the exception entry address. If we write the return address value as an invalid value such as AAAA, an error will be generated. ebx will change to 0x0172f428, and the system will jump to 0x0172f42c to execute the processing code ,. If we overwrite 0x0172f42c to jmp ebx and overwrite 0x0172f428 to nop jmp 04, the overwrite address will be skipped and the shellcode following jmp ebx will be executed!
Try it! The exception entry address is 0x0172f428, and now the jmp esp address is 0x0172f428, which is reduced to 80. Based on the isno code, we add 80 more bytes and then write them to jmp04 in sequence, jmp ebx and shellcode are added before shellcode to execute jmp-1. Haha, It is interrupted! Verify that our shellcode has been executed! It is in the jmp ebx format! (Refer to the source code after rewriting)

2. RPC Vulnerability exploit Rewriting
More practical! Speaking of RPC, no one knows. Flashsky first analyzes and provides exploit, and the shock wave virus uses the basic code of flashsky. However, they all use the jmp esp address, which causes unavailability. The system indicates that the XP system will stop the RPC service and restart the system one minute after an error is reported.
Now we can change to the jmp ebx format to make it universal!
Method and. printer is exactly the same, but note that the distance between the win2000 sp0 sp1 sp2 and sp3 sp4 exception entry point and return point is 8. Therefore, we only need to overwrite jmp04 jmpebx jmp04 jmpebx once; for xp, the difference is 6, so that 2000 and xp cannot use the same program, you can write a dedicated for all versions of 2000, and then write a dedicated for xp and 2003, it can also be more common. For more information about the specific rewrite, see the source program and the code after the rewrite. I hope you will get some gains. In the future, you will be able to rewrite some attack programs into a general version!