exploit - win32 - stack winding and unwinding

To understand how a function's stack frame is built up and torn down, we start from a small demo program:

#include <stdio.h>
#include <stdlib.h>

/* Every function keeps one local variable (a string pointer) so that its
   frame holds something recognisable in the debugger's stack window, and
   each call passes a distinctive constant argument for the same reason. */
int function3(int i3){
    char *local_var1_f3 = "Function3";

    return 3;
}

int function2(int i2){
    char *local_var1_f2 = "Function2";
    function3(0x33333333);

    return 2;
}

int function1(int i1){
    char *local_var1_f1 = "Function1";
    function2(0x22222222);

    return 1;
}

int main(int argc, char *argv[]){
    char *local_var1 = "Main Function";
    function1(0x11111111);

    return 0;
}

The function call flow is as follows:

Main Function -> F1 -> F2 -> F3

Start Immunity Debugger and load the executable. The disassembly in the CPU window is:

00401290  /$  55            PUSH EBP
00401291  |.  89E5          MOV EBP,ESP
00401293  |.  83EC 04       SUB ESP,4
00401296  |.  C745 FC 00304>MOV DWORD PTR SS:[EBP-4],StackDem.00403000             ;  ASCII "Function3"
0040129D  |.  B8 03000000   MOV EAX,3
004012A2  |.  C9            LEAVE
004012A3  \.  C3            RETN
004012A4  /$  55            PUSH EBP
004012A5  |.  89E5          MOV EBP,ESP
004012A7  |.  83EC 08       SUB ESP,8
004012AA  |.  C745 FC 0A304>MOV DWORD PTR SS:[EBP-4],StackDem.0040300A             ;  ASCII "Function2"
004012B1  |.  C70424 333333>MOV DWORD PTR SS:[ESP],33333333
004012B8  |.  E8 D3FFFFFF   CALL StackDem.00401290
004012BD  |.  B8 02000000   MOV EAX,2
004012C2  |.  C9            LEAVE
004012C3  \.  C3            RETN
004012C4  /$  55            PUSH EBP
004012C5  |.  89E5          MOV EBP,ESP
004012C7  |.  83EC 08       SUB ESP,8
004012CA  |.  C745 FC 14304>MOV DWORD PTR SS:[EBP-4],StackDem.00403014             ;  ASCII "Function1"
004012D1  |.  C70424 222222>MOV DWORD PTR SS:[ESP],22222222
004012D8  |.  E8 C7FFFFFF   CALL StackDem.004012A4
004012DD  |.  B8 01000000   MOV EAX,1
004012E2  |.  C9            LEAVE
004012E3  \.  C3            RETN
004012E4  /$  55            PUSH EBP
004012E5  |.  89E5          MOV EBP,ESP
004012E7  |.  83EC 18       SUB ESP,18
004012EA  |.  83E4 F0       AND ESP,FFFFFFF0
004012ED  |.  B8 00000000   MOV EAX,0
004012F2  |.  83C0 0F       ADD EAX,0F
004012F5  |.  83C0 0F       ADD EAX,0F
004012F8  |.  C1E8 04       SHR EAX,4
004012FB  |.  C1E0 04       SHL EAX,4
004012FE  |.  8945 F8       MOV DWORD PTR SS:[EBP-8],EAX
00401301  |.  8B45 F8       MOV EAX,DWORD PTR SS:[EBP-8]
00401304  |.  E8 67040000   CALL StackDem.00401770
00401309  |.  E8 02010000   CALL StackDem.00401410
0040130E  |.  C745 FC 1E304>MOV DWORD PTR SS:[EBP-4],StackDem.0040301E             ;  ASCII "Main Function"
00401315  |.  C70424 111111>MOV DWORD PTR SS:[ESP],11111111
0040131C  |.  E8 A3FFFFFF   CALL StackDem.004012C4
00401321  |.  B8 00000000   MOV EAX,0
00401326  |.  C9            LEAVE
00401327  \.  C3            RETN

Single-step the program and stop at 0x0040131C (the CALL to function1):

00401315  |.  C70424 111111>MOV DWORD PTR SS:[ESP],11111111
0040131C  |.  E8 A3FFFFFF   CALL StackDem.004012C4

The stack at this point is:

0022FF50   11111111   ---- Argument of Function1 
0022FF54   003E3EF8 

Step into function1 with F7 and stop at 0x004012D8 (the CALL to function2):

004012C4  /$  55            PUSH EBP
004012C5  |.  89E5          MOV EBP,ESP
004012C7  |.  83EC 08       SUB ESP,8
004012CA  |.  C745 FC 14304>MOV DWORD PTR SS:[EBP-4],StackDem.00403014             ;  ASCII "Function1"
004012D1  |.  C70424 222222>MOV DWORD PTR SS:[ESP],22222222
004012D8  |.  E8 C7FFFFFF   CALL StackDem.004012A4
004012DD  |.  B8 01000000   MOV EAX,1
004012E2  |.  C9            LEAVE
004012E3  \.  C3            RETN

The stack now is:

0022FF40   22222222  """"
0022FF44   00403014  0@.  ASCII "Function1"
0022FF48  /0022FF78  xÿ".
0022FF4C  |00401321  !@.  RETURN to StackDem.00401321 from StackDem.004012C4
0022FF50  |11111111  

Repeat the same steps: step into function2 and then function3, and stop at 0x004012A2 (the LEAVE in function3):

00401290  /$  55            PUSH EBP
00401291  |.  89E5          MOV EBP,ESP
00401293  |.  83EC 04       SUB ESP,4
00401296  |.  C745 FC 00304>MOV DWORD PTR SS:[EBP-4],StackDem.00403000             ;  ASCII "Function3"
0040129D  |.  B8 03000000   MOV EAX,3
004012A2  |.  C9            LEAVE
004012A3  \.  C3            RETN
004012A4  /$  55            PUSH EBP
004012A5  |.  89E5          MOV EBP,ESP
004012A7  |.  83EC 08       SUB ESP,8
004012AA  |.  C745 FC 0A304>MOV DWORD PTR SS:[EBP-4],StackDem.0040300A             ;  ASCII "Function2"
004012B1  |.  C70424 333333>MOV DWORD PTR SS:[ESP],33333333
004012B8  |.  E8 D3FFFFFF   CALL StackDem.00401290
004012BD  |.  B8 02000000   MOV EAX,2
004012C2  |.  C9            LEAVE
004012C3  \.  C3            RETN
004012C4  /$  55            PUSH EBP
004012C5  |.  89E5          MOV EBP,ESP
004012C7  |.  83EC 08       SUB ESP,8
004012CA  |.  C745 FC 14304>MOV DWORD PTR SS:[EBP-4],StackDem.00403014             ;  ASCII "Function1"
004012D1  |.  C70424 222222>MOV DWORD PTR SS:[ESP],22222222
004012D8  |.  E8 C7FFFFFF   CALL StackDem.004012A4

The stack, with each dword annotated, is:

0022FF24   00403000  ASCII "Function3"
0022FF28  /0022FF38  Frame Pointer (EBP)
0022FF2C  |004012BD  RETURN Address
0022FF30  |33333333  Argument of Function3
0022FF34  |0040300A  ASCII "Function2"
0022FF38  /0022FF48  Frame Pointer (EBP)
0022FF3C  |004012DD  RETURN Address
0022FF40  |22222222  Argument of Function2
0022FF44  |00403014  ASCII "Function1"
0022FF48  /0022FF78  Frame Pointer (EBP)
0022FF4C  |00401321  RETURN Address
0022FF50  |11111111  Argument of Function1

From this dump we can read off the structure of one stack frame. Note that the stack grows toward lower addresses: the arguments sit at the highest addresses of the frame, the locals at the lowest, and EBP points at the saved frame pointer in between.

        |_____________________| Higher addresses (caller's frame)
        |      ......         |
        |---------------------|
        | Arguments           |  e.g. 0022FF50: 11111111
        |---------------------|
        | Return Address      |  e.g. 0022FF4C: 00401321
        |---------------------|
        | Frame Pointer (EBP) |  e.g. 0022FF48: 0022FF78   <- EBP
        |---------------------|
        | Local Variables     |  e.g. 0022FF44: 00403014
        |---------------------|
        |      ......         |
        |---------------------| Lower addresses (stack top, ESP)
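The winding sequence traced above (CALL pushes the return address, then PUSH EBP / MOV EBP,ESP / SUB ESP,n) and its reverse (LEAVE / RETN) can be replayed on a small model of the stack. The C program below is an added example, not code from the original post or from the StackDem binary: it takes the addresses and constants from the dump above as constructed input, rebuilds the dump, walks the saved-EBP chain the way a debugger's call-stack window does, and then unwinds the three frames, checking that ESP and EBP come back to main's values. The 64-byte memory window, the `cpu_t` type and the helper names are assumptions of this model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the 32-bit stack shown in the Immunity dump.
   Memory is a 16-dword window whose lowest byte is at STACK_BASE. */
#define STACK_BASE  0x0022FF20u
#define STACK_WORDS 16

typedef struct {
    uint32_t mem[STACK_WORDS];   /* simulated stack memory, dword granularity */
    uint32_t esp, ebp;           /* the two registers that describe a frame */
} cpu_t;

static int in_window(uint32_t addr) {
    return addr >= STACK_BASE && addr + 4 <= STACK_BASE + 4 * STACK_WORDS;
}
static void write32(cpu_t *c, uint32_t addr, uint32_t v) {
    if (in_window(addr)) c->mem[(addr - STACK_BASE) / 4] = v;
}
static uint32_t read32(const cpu_t *c, uint32_t addr) {
    return in_window(addr) ? c->mem[(addr - STACK_BASE) / 4] : 0;
}

/* PUSH: decrement ESP, then store.  POP: load, then increment ESP. */
static void push(cpu_t *c, uint32_t v) { c->esp -= 4; write32(c, c->esp, v); }
static uint32_t pop(cpu_t *c) { uint32_t v = read32(c, c->esp); c->esp += 4; return v; }

/* CALL target: the address of the following instruction is pushed. */
static void call(cpu_t *c, uint32_t ret_addr) { push(c, ret_addr); }

/* Prologue seen in every function: PUSH EBP / MOV EBP,ESP / SUB ESP,n */
static void prologue(cpu_t *c, uint32_t frame_size) {
    push(c, c->ebp);
    c->ebp = c->esp;
    c->esp -= frame_size;
}

/* LEAVE (MOV ESP,EBP / POP EBP) followed by RETN (POP EIP).
   Returns the address that would be loaded into EIP. */
static uint32_t leave_ret(cpu_t *c) {
    c->esp = c->ebp;
    c->ebp = pop(c);
    return pop(c);
}

/* Replay main -> function1 -> function2 -> function3 up to 0x004012A2. */
static cpu_t wind_to_function3(void) {
    cpu_t c;
    memset(&c, 0, sizeof c);
    c.esp = 0x0022FF50; c.ebp = 0x0022FF78;   /* main's registers at 0x00401315 */
    write32(&c, c.esp, 0x11111111);           /* MOV [ESP],11111111 */
    call(&c, 0x00401321);                     /* CALL function1 */
    prologue(&c, 8);                          /* function1: SUB ESP,8 */
    write32(&c, c.ebp - 4, 0x00403014);       /* local_var1_f1 = "Function1" */
    write32(&c, c.esp, 0x22222222);           /* MOV [ESP],22222222 */
    call(&c, 0x004012DD);                     /* CALL function2 */
    prologue(&c, 8);                          /* function2: SUB ESP,8 */
    write32(&c, c.ebp - 4, 0x0040300A);       /* local_var1_f2 = "Function2" */
    write32(&c, c.esp, 0x33333333);           /* MOV [ESP],33333333 */
    call(&c, 0x004012BD);                     /* CALL function3 */
    prologue(&c, 4);                          /* function3: SUB ESP,4 */
    write32(&c, c.ebp - 4, 0x00403000);       /* local_var1_f3 = "Function3" */
    return c;
}

/* Walk the saved-EBP chain as a debugger's call-stack view does:
   [EBP+4] is the return address, [EBP] the caller's EBP.  The walk stops
   when the next EBP leaves the window or does not point higher up the
   stack, which is the sanity check that catches a corrupted chain. */
static int walk_frames(const cpu_t *c, uint32_t ret[], int max) {
    uint32_t ebp = c->ebp;
    int n = 0;
    while (n < max && in_window(ebp) && in_window(ebp + 4)) {
        ret[n++] = read32(c, ebp + 4);
        uint32_t saved = read32(c, ebp);
        if (saved <= ebp) break;
        ebp = saved;
    }
    return n;
}

/* Unwind all three frames; returns 1 if ESP/EBP are back to main's values. */
static int unwind_all(cpu_t *c, uint32_t rets[3]) {
    rets[0] = leave_ret(c);   /* function3 returns to 004012BD */
    rets[1] = leave_ret(c);   /* function2 returns to 004012DD */
    rets[2] = leave_ret(c);   /* function1 returns to 00401321 */
    return c->esp == 0x0022FF50 && c->ebp == 0x0022FF78;
}

int main(void) {
    cpu_t c = wind_to_function3();
    uint32_t rets[8], u[3];
    int n = walk_frames(&c, rets, 8);
    for (uint32_t a = c.esp; a <= 0x0022FF50; a += 4)   /* same view as Immunity */
        printf("%08X   %08X\n", a, read32(&c, a));
    for (int i = 0; i < n; i++)
        printf("frame %d returns to %08X\n", i, rets[i]);
    printf("unwound cleanly: %d\n", unwind_all(&c, u));
    return 0;
}
```

The printed dump matches the annotated stack above dword for dword, and the frame walk lists the three return addresses innermost first, exactly what the debugger's call-stack window derives from the same memory.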

This frame layout is the foundation for everything that follows: the platforms and exploitation techniques covered in this series all build on it.

=========================  ===========================
|       Platforms       |  | Exploitation Techniques |
=========================  ===========================
| Windows XP - SP1, SP2 |  | Simple Buffer Overflows |
-------------------------  ---------------------------
| Windows Vista - SP... |  | SEH, SafeSEH            |
-------------------------  ---------------------------
| Windows 7 - 8         |  | NX, DEP                 |
-------------------------  ---------------------------
| Windows 2003, 2008    |  | ASLR                    |
-------------------------  ---------------------------
| Linux                 |  | Stack Cookies           |
-------------------------  ---------------------------
| Mac OSX               |  | ...                     |
-------------------------  ---------------------------