Aquaboutic | Focus Security Research | Vulnerability Exploit | POC


what can you control? advanced techniques for exploit

Posted by loope at 2020-02-28

Reposting an article I wrote long ago:

What can you control? Advanced techniques for exploit

This is something I have always meant to write up, but I am lazy and never did. Here I simply jot down some notes.

In fact, the idea is to start from what you can already control and expand that control step by step until you control the whole program and reach your goal. The article "Text virus (a new theory of virus)" (Http://) actually makes the same point. Don't dismiss this as a word game. Think of each goal we want to reach as an island of privilege. Some privileges are equivalent, and such islands can be joined by bridges; exploitation then becomes a game of using whatever conditions are available to move, island by island, to the one we want. For example, when we want to escalate privileges we often don't rely on an actual privilege-escalation vulnerability: we know that execution at CPU privilege level 0 is connected to the highest privilege, so once we reach that island we have the highest privilege. The skill of exploitation is to build as many islands as possible, and the bridges between them, from an understanding of the system and its vulnerabilities.

Using this idea, it is easy to find some privilege-class vulnerabilities. Microsoft's RPC once had such a flaw: an RPC process runs a great deal of thread code, some RPC threads run at low privilege, while others serve calls from highly privileged clients. The low-privilege code only needs to hook the RPC calls made by a high-privilege client and then impersonate that client's call to obtain its privileges, achieving escalation. The system directory and the program directory both correspond to system privilege; in the past, Windows NT and Windows 2000 did not set permissions on the program directory at all, and problems with program-directory permissions persisted for a long time afterwards.

Some people divide attacks into non-code-execution and code-execution classes. We are used to code-execution attacks, because we know the code-execution island is basically connected to the island we need. Non-code-execution attacks are more scattered: changing some identity, an authentication identity, a shell or DLL path, and so on. Code-execution attacks also face many countermeasures: DEP + ASLR, anti-loop measures, EMET, and some CFI and SFI. CFI (control-flow integrity protection) can be regarded as a box that protects the program's flow, but this box is one of the weaker protections. Everything runs in the same process memory, so the memory-control island and the program-flow island are connected. CFI constrains program flow, but as long as a vulnerability gets you to the memory-control island, you break out of this box and can control program flow completely arbitrarily, or even remove the protection itself. In fact, I think CFI is the same kind of box as a virtual machine: a simple isolation algorithm between the virtual machine and the real machine. NaCl uses this algorithm to run C code in the web browser. I'm afraid it is not a good solution for buffer overflows.

1. A WINS vulnerability could only overflow a few bytes and could not overwrite EIP, EBP, internal pointers, etc.; Microsoft claimed it could only cause a crash. Those few overflowed bytes were used to overwrite a variable, which caused the overflow to occur again, this time exploitably.

2. MS08-068: the vulnerability discloses the user name and the encrypted password hash, which would usually be cracked. But by working through the math we know that the user name and encrypted password hash can be used directly once the environment is set up: the man-in-the-middle authentication succeeds, and then psexec automatically uploads and runs the trojan.

3. For MS08-067, two 0x005c values are required for stable exploitation. One comes from the length of the string that can be passed in; the other can be obtained by using a large memory allocation and the characteristics of a newly committed page to place the lower two bytes of a memory pointer precisely at 0x005c.

4. The WINS pointer-passing vulnerability lets you obtain the pointer precisely and control the data it points to in order to get the needed opcodes, achieving an exact jump that does not depend on the system version. In addition, we used hooking to have WINS close its socket while the shellcode took over that socket, so that WINS and the shellcode did not both read the data, and the existing data channel was reused successfully to get past the firewall.

5. Aspcode, a heap-overflow exploit. After the overflow, construct your own memory linked list so that allocation and merging yield two groups of memory writes, four bytes at a time. These writes produce a few bytes of small shellcode and overwrite a commonly used PEB pointer so that execution jumps to the small shellcode.

6. Phpcmd: PHP could execute a specified file. Control the log file so that it contains the required phpshell, and then load it.