Wednesday, December 23, 2009

Stack Overflow 2

For Visual C++:

- For the stack overflow experiment, we should use the debug version. If we use the release version, we may need to retest again.

- For the heap overflow, we should use the release version. If we use the debug version, it will fail. If the heap test is run directly under OllyDbg or WinDbg, the heap manager will use its debugging management policy.

ESP - Pointing to the top of the stack
EBP - Pointing to the base of the top stack frame

_stdcall and _cdecl will be different. By default, Visual C++ will use the _stdcall

_stdcall
call function
push ebp
mov ebp, esp
sub esp, xxx

add esp, xxx
pop ebp
retn

Stack layout

char buffer[0-3]    low addr
char buffer[4-7]
int.....
ebp
return address      high addr

Example: the input is 43214321432143214321

The memory layout in OllyDbg:

char buffer[0-3]    1234    (offsets 3,2,1,0)
char buffer[4-7]    1234
int.....            1234
ebp                 1234
return address      1234

If the modified return address is 0x00401122, we should input it as 22 11 40 00 (for little endian), so that EIP ends up showing 0x00401122 correctly.
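The layout and byte order described above, as an added example that is not part of the original notes: it models the 20-byte frame in a plain byte array and compares an unchecked copy with a length-checked one. The function names and the frame model are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the frame in the notes, low address first (a byte array, not a real stack). */
enum { OFF_BUF = 0, BUF_LEN = 8, OFF_INT = 8, OFF_EBP = 12, OFF_RET = 16, FRAME = 20 };
#define SAVED_RET 0x00401122u  /* sample address quoted in the notes */

/* x86 is little endian: the byte at the lowest address is the least significant. */
uint32_t dword_le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

void store_le(uint8_t *p, uint32_t v) {      /* 0x00401122 -> 22 11 40 00 */
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Copy input into the modelled buffer and return the dword left in the
   return-address slot. bounded=0 mimics strcpy (no length check, clamped to
   the model so this demo stays memory-safe); bounded=1 truncates to the buffer. */
uint32_t ret_after_copy(const char *input, int bounded) {
    uint8_t frame[FRAME] = {0};
    size_t n = strlen(input);
    size_t limit = bounded ? BUF_LEN - 1 : FRAME;
    store_le(frame + OFF_RET, SAVED_RET);
    if (n > limit) n = limit;
    memcpy(frame + OFF_BUF, input, n);
    if (bounded) frame[OFF_BUF + n] = '\0';
    return dword_le(frame + OFF_RET);
}

int main(void) {
    const char *input = "43214321432143214321";  /* 20-byte input from the notes */
    uint8_t b[4];
    store_le(b, SAVED_RET);
    printf("0x%08X in memory: %02X %02X %02X %02X\n",
           (unsigned)SAVED_RET, b[0], b[1], b[2], b[3]);
    printf("unchecked copy: return slot = 0x%08X\n", (unsigned)ret_after_copy(input, 0));
    printf("bounded copy:   return slot = 0x%08X\n", (unsigned)ret_after_copy(input, 1));
    return 0;
}
```

The unchecked copy leaves 0x31323334 in the return slot, which is why the debugger shows each overwritten dword as "1234" for the input "4321"; the bounded copy leaves the saved address untouched.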

In Visual Studio 6.0, "Dependency Walker" can be used to obtain the user32.dll base address, the MessageBoxA entry point offset, etc.

To obtain the various jump addresses in a process, the OllyDbg plugin "OllyUni.dll" can be used. Put it in the Plugins folder of the OllyDbg directory and restart Olly.

Right click on the code --> Overflow Return Address --> ASCII Overflow returns --> Search JMP/CALL ESP --> click the L button on the Olly toolbar, or Log

- If the problem is a different path length, the heap spray method will be useful for this situation.

- The decoder for shellcode

ADD EAX,14h //the length of decoder is 20 bytes
XOR ECX,ECX //ECX = byte index, starts at 0
decode_loop:
MOV BL,[EAX+ECX] //load the encoded byte
XOR BL,44h //the encode key is 0x44
MOV [EAX+ECX],BL //write the decoded byte back
INC ECX
CMP BL,90h //a decoded 0x90 marks the end
JNZ decode_loop

When the decoder starts, EAX points to the start of the shellcode. The real shellcode follows directly after the decoder. For this decoder, we need to add a 0x90 at the end as the shellcode ending marker.

Tips for making the shellcode "thinner"

- Some super useful asm instructions to make the shortest shellcode

xchg eax, reg //exchange eax with the register value
lodsd //load the dword pointed to by esi into eax, increase esi
lodsb //load the byte pointed to by esi into al, increase esi
stosd //store eax to the dword pointed to by edi, increase edi
stosb //store al to the byte pointed to by edi, increase edi
pushad/popad //save/restore all general-purpose registers
cdq //sign-extend eax into edx; if eax < 0x80000000, this instruction can be used as mov edx, NULL

- use registers such as EBP, ESI, EDI, etc. to store data instead of pushing it onto the stack
- hash
- the code can be used as data
- protect the stack by raising the esp value at first; this can save a lot of data-initialising instructions
