"Vulnerability War" - CVE-2010-3333 (Part 2)

At this point, if the parameters of the function call at 32e5941b meet the requirements, [ebp-8] can be 0 here and needs no special construction.

At this point the memory at ebp-1 must be readable; the contents at that address were already carefully constructed to satisfy normal execution, so no further construction is needed. After the jmp at 32e59579 executes, the program is ready to return, and the execution flow is hijacked by the overflowed return address.

Figure: comparison of the original PoC document (msf0.rtf) with the attack file that copies 0x90 bytes of data (msfplus4.rtf)

By copying 0x90 bytes of data in the attack file, more data can overflow into memory, which can then be used to store the shellcode.

Figure: the data represented by letters in the document, and the corresponding data stored in memory

The figure shows the original PoC document msf0.rtf. As can be seen, 0xc8ac is used as the size of the copied data during the copy. We wondered whether, for data in memory to be usable as a letter, the corresponding position in the file must hold the lowercase ASCII letter: the earlier experiment showed that when a letter is saved in the data file as an uppercase ASCII letter, the corresponding data stored in memory is zero.

In the attack file msfplus4.rtf, we found that some of the padding data used to ensure the program can still return normally is the uppercase ASCII form of the corresponding letters. The reason is that, in the actual experiment, if this part is 0 the program can return normally, whereas if lowercase ASCII letters are used (i.e. the memory layout is identical to normal operation) the program cannot return normally.

So with this memory layout, it cannot be guaranteed that the overflow data does not affect the hijacking process. Can we try to overflow more data into memory to provide more space for shellcode? By increasing the copy length of the data in the file with a binary search, we found that this memory layout supports up to 0x1c4 (452 decimal) bytes of data overflowing into the process, which is enough to hold a simple shellcode.
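The comparisons above work on hex-encoded data runs inside the RTF files and on the 0x1c4-byte limit. As an added example (not code from the original post), here is a small Python triage script a defender could run on a suspicious RTF to pull those hex runs out and flag ones that are oversized or made up mostly of one repeated filler byte. The RTF sample, the `\*\constructed` control word and the 0x90 filler value are constructed for this example.

```python
import re

# Runs of hex digits long enough to decode to at least 16 bytes.
HEX_RUN = re.compile(rb"[0-9A-Fa-f]{32,}")

def longest_byte_run(data: bytes):
    """Return (value, length) of the longest run of one repeated byte in data."""
    best_val, best_len, cur_val, cur_len = None, 0, None, 0
    for b in data:
        cur_val, cur_len = (b, cur_len + 1) if b == cur_val else (b, 1)
        if cur_len > best_len:
            best_val, best_len = cur_val, cur_len
    return best_val, best_len

def hex_payloads(rtf: bytes, min_bytes: int = 64):
    """Yield (offset, decoded bytes) for every hex run decoding to >= min_bytes."""
    for m in HEX_RUN.finditer(rtf):
        text = m.group()
        if len(text) % 2:  # an odd trailing digit cannot form a byte
            text = text[:-1]
        data = bytes.fromhex(text.decode("ascii"))
        if len(data) >= min_bytes:
            yield m.start(), data

def triage(rtf: bytes, min_bytes: int = 64, max_payload: int = 0x1c4):
    """Flag payloads larger than the 0x1c4 (452) bytes the post found usable,
    or made up mostly of one repeated filler byte."""
    findings = []
    for offset, data in hex_payloads(rtf, min_bytes):
        val, run = longest_byte_run(data)
        findings.append({
            "offset": offset, "size": len(data),
            "filler_byte": val, "filler_run": run,
            "suspicious": len(data) > max_payload or run >= len(data) // 2,
        })
    return findings

# Constructed sample (not a real exploit document): a 64-byte benign table,
# then a 452-byte run that is mostly one repeated filler byte.
BENIGN = bytes(range(64)).hex().encode()
PADDED = (b"\x90" * 400 + bytes(range(52))).hex().encode()
SAMPLE_RTF = (b"{\\rtf1\\ansi{\\*\\constructed " + BENIGN + b"}"
              b"{\\*\\constructed " + PADDED + b"}}")

if __name__ == "__main__":
    for finding in triage(SAMPLE_RTF):
        print(finding)
```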

More stack space for the overflow data

Furthermore, if a very sophisticated shellcode is used, the shellcode becomes long, so more data must overflow onto the stack. It must also be ensured that, after the stack overflow in memcpy and before the function returns through the overwritten return address, none of the instructions executed normally are affected by the data overflowed onto the stack.

To achieve this, the additional overflow data must be specially constructed, and it must be ensured that this data does not affect the execution of the shellcode (either the data, as it lands in memory, does not disturb instruction execution after the shellcode, or a short jump instruction in the shellcode skips over it).

To work out which parts of the overflow data must be constructed and what values they need, first modify the overflow data length in the file to a larger value, then open it with Word and debug with OD. Find the location of the exception and compare it with the normal function return process; by stepping through the instructions, obtain the data structure in memory during a normal return, and use it as the basis for modifying the data at the same positions in the file.

The debugging process above may take several rounds until the overflow data structure has been modified so that the program returns normally and also contains the shellcode contents to be executed. In theory, because the instructions executed between the overflow and the return are fixed and limited in number, as long as every exception that appears is corrected, a shellcode structure that meets the requirements can be obtained. The author spent a great deal of effort on this process; as the debugging went deeper, more and more troublesome exceptions appeared, and considering the time, the effort and what the process could yield, the shellcode was in the end not fully adjusted into a structure that meets the requirements. The exceptions I encountered during debugging and the process of resolving them are given below, in the hope of offering some ideas for the reader's reference.

In the debugging below, we try to modify the structure of the shellcode.

The first exception encountered after modifying the overflow data length:

Figure: the corresponding contents of the file

Figure: memory data in the region the overflow has not yet reached

After modifying the corresponding position in the file, the program still ran abnormally, so the function's execution was traced carefully and the memory contents that need special construction were recorded.

Figure: about to enter the function to be examined

Figure: memory-related instructions

Modify the file contents to ensure the content at memory location [edi+8]

After the edit, press F9 in the debugger with the program loaded; the program is still abnormal, and it turns out that memory address 0012a2e0 also needs to be carefully arranged.

The memory data at debug address 0x0012a2e0 when the program runs normally is shown below

Figure: modify the file according to the data shown

After modifying the data in the file, pressing F9 in the debugger still reports an exception. Presumably there is still an instruction that directly uses the overflow data, so its location must be found and the corresponding data carefully constructed in the file.

Investigating the cause

Figure: a case that runs successfully

Figure: the corresponding failing case

Figure: locate the corresponding data to modify in the file

After solving the above problem, the same kind of problem appears again and must be addressed further.

The memory value under normal conditions is shown in the figure below.

Figure: locate the corresponding data in the file

Figure: change the data

There are still problems (cry)

But the problem is that under normal conditions the program does not execute this branch instruction, so the stack at the time of the error has to be traced back to analyze in which instruction the overflow data caused the program's normal instruction flow to change.

Figure: the stack when the exception occurs

Figure: the first memory operation in function 327b2e90

Figure: the second memory operation

Find the function that is entered with different stack data in the abnormal case than in the normal call; the parameters of the function describing the error show that the abnormality occurs in 327b1467

Figure: under abnormal conditions

Entering function 327b1467, the abnormal data is produced by an instruction that uses the overflow data

Check the memory value: under normal conditions it should be zero. Modify the file.

Still problems after the modification

Figure: under normal conditions

Figure: tracing the source of ecx

Figure: when the exception occurs

Modify the file contents and continue with F9; still abnormal

Figure: stack data when the exception occurs

Tracing back through the stack shows that the value of ecx comes from edi

Tracing back through the stack, the calling function needs to be traced further up

Figure: further back-tracing

So in the end the abnormal ecx comes from function 327ab0ed

At this point, the modified portion of the shellcode structure in the attack document (msfplus6.rtf), compared with the original PoC (msf0.rtf), is shown below; many tiny differences in the distribution of the shellcode in memory can be seen.

Source: www.cnblogs.com/hell--world/p/11596090.html