Windows下缓冲区溢出漏洞的利用

20079September2007162ComputerEngineering3317Vol.33No.17··10003428(2007)17016203ATP303.08Windows(100049)WindowsWindowsftpWindowsVulnerabilityExploitationofBufferOverflowonWindowsYUJun-song,ZHANGYu-qing,SONGYang,LIUQi-xu(NationalComputerNetworkIntrusionProtectionCenter,GraduateUniversity,ChineseAcademyofSciences,Beijing100049)AbstractThispaperdescribesthetechnicalprinciplesofbufferoverflow,andanalyzesthemethodsandfeaturesofnetworkattackbasedonbufferoverflowinWindowsenvironment,thengivesthedevelopmentprocessofexploitingabufferoverflowonWindows.Anexampleofexploitingabufferoverflowinaftpsoftwareispresentedtoverifythevalidityofthedevelopmentprocess.keywordsbufferoverflow;Windows;vulnerabilityexploitation11996AlephOnephrackSmashingtheStackforFunandProfit[1]1999IIS4.0darkspyritAKABarnabyJack[2]Windows322003HDMooreSpoonm4metasploit[3]shellcodeLinuxLinuxWindowsLinuxWindowsWindowsWindowsWindows21retshellcodeebpBuffer1eip(ret)(ebp)()(6037304060573048)(1981)2006-09-10E-mailyujs@nipc.org.cnret(shellcode)1retshellcoderetshellcode33.12retshellcode(OllyDbg)retshellcodejmpdlljmpshellcodedlljmpjmp22retshellcode33.2retretmetasploit2ret3(3PatternCreate()patternOffset.plmetasploit2~metasploit)3retret1.~/frameworklibPatternCreate2.3.4.eip5.~/framework/sdkpatternOffset.plret3ret3.3ShellcodeLinuxUnixLinuxUnixshellcodeWindowsshellcodeLinuxWindowsservicepackWindowsshellcodeWindowsAPIDLL(kernel32.dllntdll.dll)win32APIshellcodekernel32.dll3PEBSHETOPSTACk[4]PEBkernel32.dllLoadLibraryGetProcAddressshellcode3.4retshellcoderetshellcodestrcpy()retstrcpystrcatgets\0\nWindows4G0~2G2G~4G0x004000000strcpy()strcat()retshellcodestrcpy()ret0shellcodedllretespebpeaxebxecxedxesiediebxdllFFE3(jmpebx)2ret44jmpebxeipebxeipeipshellcode163shellcode4bytesret1.dlljmpebxret2.jmpebxeipebxeip3.ebxeip4.eipshellcode4dlljmpebx4War-FTPdv1.65WindowsFTPUSERWindows4.1ret(1)~/framework/libPatternCreate()1000(2)OllyDbgWar-FTPdv1.65(3)OllyDbg55espebpedi35OllyDbg(4)~/framework/sdkpatternOffset.pleipespebpedieip485(0)esp493ebp581edi7616485bytes4bytesret4byteseipespebpedipopeipesp493edi761ebp58164.2shellcodePEBkernel32.dllshellcodeshellcode()12345cmd.exetelnetcmd4.363espshellcode330shellcodeespespdlljmpespuser32.dlljmpesp0x77d785fb4.46485nop4\xfb\x85\xd7\x77(x86)4Bnop493shellcodeUSERWar-FTPIP192.168.1.34WindowsWar-FTPFTPLinuxwarftpexploit.pl21telnet192.168.1.3412345cmd7warftpexploit.pl7warftpexplo-it.pl12345telnetcmd5WindowsWindowsWindowsFTPWindows1OneA.SmashingtheStackforFunandProfit[Z].(1996-11-08).(Location,ExploitationandPrevention)[Z].[2006-09].[Z].[2006-06].[Z].[2006-09].[J].,2000,(7).6,.[M].:,2005.164