Using dumpbin in shellcode development and testing
myhack58, author: Anonymous (佚名), MYHACK58:62200716233
History: Jul 19, 2007 - 12:00 a.m.
www.myhack58.com
Of course, developing shellcode on top of MSF (the Metasploit Framework) is simple and requires almost no programming; for the details see the Chinese MSF manual I wrote. But for beginners, and for people who like to dig into the low-level details, doing it by hand is a good thing. This article is written for beginners like me who are just getting into systems work; if you are an expert, it will only make you laugh.

First, what is dumpbin?
The tool ships with almost every Microsoft toolkit: VS, MASM, and so on. dumpbin.exe is only a front end for link.exe /dump, so if you cannot find dumpbin in your VS install, change to ...\WINDOWS\System32 and try the following command:
link.exe /dump /headers /exports kernel32.dll >E:\log
Open the log file on drive E in Notepad and you will see that the output is the same as that of:
dumpbin /headers /exports kernel32.dll >E:\log

A brief explanation of the dumpbin parameters.
Add the directory containing dumpbin to the PATH environment variable so it can be started from anywhere; running dumpbin with no arguments on the command line prints:

Microsoft (R) COFF Binary File Dumper Version 6.00.8168
Copyright (C) Microsoft Corp 1992-1998. All rights reserved.

usage: DUMPBIN [options] [files]

options:
/ALL
/ARCH
/ARCHIVEMEMBERS
/DEPENDENTS
/DIRECTIVES
/DISASM
/EXPORTS
/FPO
/HEADERS
/IMPORTS
/LINENUMBERS
/LINKERMEMBER[:{1/2}]
/LOADCONFIG
/OUT:filename
/PDATA
/RAWDATA[:{NONE|BYTES|SHORTS|LONGS}[,#]]
/RELOCATIONS
/SECTION:name
/SUMMARY
/SYMBOLS

We pick the ones we need: /HEADERS, /EXPORTS and /OUT. The other parameters are described in the Microsoft MSDN at the following address:
http://msdn2.microsoft.com/zh-cn/library/c1h23y6c(VS.80).aspx

/HEADERS displays the file header and each section header; the important piece of information here is the address at which the file is loaded in memory, listed as "image base" under OPTIONAL HEADER VALUES. /EXPORTS displays all definitions exported from the executable or DLL; what we need from it is the offset of a function relative to the image base (its RVA). /OUT specifies the output file name. By default DUMPBIN writes to standard output in the console window; I generally don't use /OUT and redirect with > instead, or with >> when appending to an existing file.

Now let's try it by hand. Here is a shellcode I grabbed from the web:

#include <stdio.h>

/* Raw x86 code: push ebp / mov ebp,esp / sub esp,0x18 / mov [ebp-4],addr /
   mov [esp+4],duration / mov [esp],frequency / mov eax,[ebp-4] / call eax /
   leave / ret  --  i.e. a stdcall Beep(frequency, duration) through a
   hard-coded function address. */
unsigned char beepsp[] =
"\x55\x89\xE5\x83\xEC\x18\xC7\x45\xFC"
"\x77\x7A\x83\x7C" // Address of Beep: \x77\x7A\x83\x7C = 0x7C837A77 (XP SP2 kernel32.dll)
"\xC7\x44\x24\x04"
"\xD0\x03" // Duration: \xD0\x03 = 0x03D0 = 976 ms
"\x00\x00\xC7\x04\x24"
"\x01\x0E" // Frequency: \x01\x0E = 0x0E01 = 3585 Hz
"\x00\x00\x8B\x45\xFC\xFF\xD0\xC9\xC3";

int main(void)
{
    void (*function)(void);
    /* The original wrote "(long)&function = (long)beepsp;", which is not valid C
       (a cast is not an lvalue); assign the buffer address to the pointer instead. */
    function = (void (*)(void))beepsp;
    function();
    return 0;
}

I modified this code slightly and it ran without problems on my machine. Compile it with VC and run it and you will hear a "beep" from the PC speaker: what it actually does is call the Beep function in kernel32.dll. One caveat: beepsp lives in the writable data section, so on a system that enforces DEP for the process, jumping into it raises an access violation; run the test with DEP off or copy the bytes into memory allocated with VirtualAlloc and PAGE_EXECUTE_READWRITE.
Look at the line:
"\x77\x7A\x83\x7C" //Address \x77\x7A\x83\x7C = SP2
This runs correctly on XP SP2, but even on SP2, system patches change the memory load address of kernel32.dll and the other system DLLs, and the offset of Beep inside them. The bytes \x77\x7A\x83\x7C are the little-endian encoding of 0x7C837A77; on a different kernel32.dll build that address no longer points at Beep, and the call lands somewhere else.

So how do you get the right address for your own machine?
First use dumpbin to get the DLL's load address. To call Beep in kernel32.dll we first need the address at which kernel32.dll is loaded in memory on this machine, as follows:

C:\Documents and Settings\Administrator>cd C:\WINDOWS\System32

C:\WINDOWS\system32>dumpbin /headers kernel32.dll > E:\log.txt

Open log.txt and find the following information:
OPTIONAL HEADER VALUES
7C800000 image base

Here 7C800000 is the load address of kernel32.dll on this machine. Strictly speaking it is the preferred base from the PE header; on XP, kernel32.dll normally loads exactly there, but a DLL that gets relocated will sit elsewhere.
With the base address known, we need the location of Beep inside the memory-mapped kernel32.dll, as follows:

C:\WINDOWS\system32>dumpbin /exports kernel32.dll >> E:\log.txt

In the "Dump of file kernel32.dll" section, find the function Beep:
    ordinal hint RVA      name
         28   1B 00019805 BasepCheckWinSaferRestrictions
         29   1C 00037A77 Beep
         30   1D 0006FC7B BeginUpdateResourceA
Here 00037A77 is the offset of Beep relative to the base address. Adding the two gives the real address of Beep in memory:
7C800000 + 00037A77 = 7C837A77
Written in little-endian byte order, that is: \x77\x7A\x83\x7C
So after modifying that line of the shellcode:
"\x77\x7A\x83\x7C" //Address \x77\x7A\x83\x7C = SP2
the test program runs normally.
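The procedure above (read the image base from the optional header, look the function up in the export tables, add the two, and write the result little-endian into the shellcode) can also be done programmatically, which is what a shellcode that resolves its own imports ends up doing. The following C program is an added example and is not part of the original article: it parses a small PE image constructed in memory (RVAs equal to buffer offsets, as in a loaded image) whose three export rows reuse the dumpbin output shown above, resolves Beep, and patches the four address bytes of beepsp at offset 9. The field offsets are those of IMAGE_OPTIONAL_HEADER32 and IMAGE_EXPORT_DIRECTORY; the ordinal base of 28 in the constructed image is a hypothetical value, and forwarded exports are reported as not found.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMG_SIZE 0x400

/* Little-endian accessors so the code behaves the same on any host. */
static uint32_t rd32(const uint8_t *p, uint32_t off) {
    return (uint32_t)p[off] | (uint32_t)p[off + 1] << 8 |
           (uint32_t)p[off + 2] << 16 | (uint32_t)p[off + 3] << 24;
}
static uint16_t rd16(const uint8_t *p, uint32_t off) {
    return (uint16_t)(p[off] | (p[off + 1] << 8));
}
static void wr32(uint8_t *p, uint32_t off, uint32_t v) {
    p[off] = (uint8_t)v;             p[off + 1] = (uint8_t)(v >> 8);
    p[off + 2] = (uint8_t)(v >> 16); p[off + 3] = (uint8_t)(v >> 24);
}
static void wr16(uint8_t *p, uint32_t off, uint16_t v) {
    p[off] = (uint8_t)v; p[off + 1] = (uint8_t)(v >> 8);
}

/* Offset of IMAGE_OPTIONAL_HEADER32: e_lfanew + "PE\0\0" + IMAGE_FILE_HEADER. */
static uint32_t opt_hdr(const uint8_t *img) { return rd32(img, 0x3c) + 4 + 20; }

/* What dumpbin /headers prints as "image base" (the preferred load address). */
uint32_t pe_image_base(const uint8_t *img) { return rd32(img, opt_hdr(img) + 28); }

/* RVA of a named export (the dumpbin /exports RVA column); 0 if absent or if the
   entry is a forwarder, whose RVA points back inside the export directory. */
uint32_t pe_export_rva(const uint8_t *img, const char *name) {
    uint32_t opt = opt_hdr(img);
    if (rd16(img, opt) != 0x10b) return 0;            /* PE32 only */
    uint32_t exp = rd32(img, opt + 96);               /* DataDirectory[0].VirtualAddress */
    uint32_t exp_size = rd32(img, opt + 100);
    if (exp == 0) return 0;
    uint32_t nnames = rd32(img, exp + 24);            /* NumberOfNames */
    uint32_t funcs  = rd32(img, exp + 28);            /* AddressOfFunctions */
    uint32_t names  = rd32(img, exp + 32);            /* AddressOfNames */
    uint32_t ords   = rd32(img, exp + 36);            /* AddressOfNameOrdinals */
    for (uint32_t i = 0; i < nnames; i++) {
        if (strcmp((const char *)img + rd32(img, names + 4 * i), name) != 0) continue;
        uint16_t idx = rd16(img, ords + 2 * i);       /* unbiased ordinal = index */
        uint32_t rva = rd32(img, funcs + 4 * idx);
        if (rva >= exp && rva < exp + exp_size) return 0;  /* forwarded export */
        return rva;
    }
    return 0;
}

/* image base + RVA: the sum the article computes by hand. */
uint32_t resolve_va(const uint8_t *img, const char *name) {
    uint32_t rva = pe_export_rva(img, name);
    return rva ? pe_image_base(img) + rva : 0;
}

/* Write va into the shellcode at byte offset off, little-endian. */
int patch_shellcode(uint8_t *sc, size_t len, size_t off, uint32_t va) {
    if (off + 4 > len) return -1;
    wr32(sc, (uint32_t)off, va);
    return 0;
}

/* CONSTRUCTED test image (not a real kernel32.dll): RVAs equal offsets, and the
   three export rows reuse the article's dumpbin output. Base ordinal 28 is hypothetical. */
const uint8_t *build_test_image(void) {
    static uint8_t img[IMG_SIZE];
    memset(img, 0, sizeof img);
    img[0] = 'M'; img[1] = 'Z'; wr32(img, 0x3c, 0x80);           /* e_lfanew */
    memcpy(img + 0x80, "PE\0\0", 4);
    wr16(img, 0x84, 0x14c);                                     /* Machine: i386 */
    wr16(img, 0x84 + 16, 0xE0);                                 /* SizeOfOptionalHeader */
    wr16(img, 0x98, 0x10b);                                     /* Magic: PE32 */
    wr32(img, 0x98 + 28, 0x7C800000);                           /* ImageBase */
    wr32(img, 0x98 + 92, 16);                                   /* NumberOfRvaAndSizes */
    wr32(img, 0x98 + 96, 0x200); wr32(img, 0x98 + 100, 0x100);  /* export dir RVA / size */
    wr32(img, 0x200 + 16, 28);                                  /* Base ordinal */
    wr32(img, 0x200 + 20, 3); wr32(img, 0x200 + 24, 3);         /* NumberOfFunctions/Names */
    wr32(img, 0x200 + 28, 0x240); wr32(img, 0x200 + 32, 0x260); wr32(img, 0x200 + 36, 0x280);
    const uint32_t rvas[3] = { 0x00019805, 0x00037A77, 0x0006FC7B };
    const char *nm[3] = { "BasepCheckWinSaferRestrictions", "Beep", "BeginUpdateResourceA" };
    uint32_t str = 0x300;
    for (int i = 0; i < 3; i++) {
        wr32(img, 0x240 + 4 * i, rvas[i]);                      /* AddressOfFunctions[i] */
        wr32(img, 0x260 + 4 * i, str);                          /* AddressOfNames[i] */
        wr16(img, 0x280 + 2 * i, (uint16_t)i);                  /* AddressOfNameOrdinals[i] */
        strcpy((char *)img + str, nm[i]);
        str += (uint32_t)strlen(nm[i]) + 1;
    }
    return img;
}

/* The article's shellcode with the Beep address filled in at offset 9 (after the 9-byte prologue). */
const uint8_t *patched_beep_shellcode(void) {
    static uint8_t sc[] =
        "\x55\x89\xE5\x83\xEC\x18\xC7\x45\xFC" "\x00\x00\x00\x00"
        "\xC7\x44\x24\x04\xD0\x03\x00\x00\xC7\x04\x24\x01\x0E\x00\x00"
        "\x8B\x45\xFC\xFF\xD0\xC9\xC3";
    patch_shellcode(sc, sizeof sc - 1, 9, resolve_va(build_test_image(), "Beep"));
    return sc;
}

int main(void) {
    const uint8_t *sc = patched_beep_shellcode();
    printf("Beep = %08X, bytes at offset 9: %02X %02X %02X %02X\n",
           resolve_va(build_test_image(), "Beep"), sc[9], sc[10], sc[11], sc[12]);
    return 0;
}
```

To use it against a real DLL, map the file as the loader would (section by section, so RVAs become valid offsets) instead of calling build_test_image; the lookup and patching code stays the same. Note that the image base it returns is still only the preferred base, exactly like dumpbin's output.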

The idea is that simple. If you need a way to obtain the kernel32.dll base address that works on any machine, for example by having the shellcode walk the PEB loader list itself instead of carrying a hard-coded address, other techniques are required that are beyond the scope of this article.
Have Fun!

Attachment:
1.kernel32.dll
C:\WINDOWS\system32>dumpbin /headers /exports kernel32.dll > E:\kernel_log.txt
2.ntdll.dll
C:\WINDOWS\system32>dumpbin /headers /exports ntdll.dll > E:\ntdll_log.txt
3.msvcrt.dll
C:\WINDOWS\system32>dumpbin /headers /exports msvcrt.dll > E:\msvcrt_log.txt
4.ws2_32.dll (network programming)
C:\WINDOWS\system32>dumpbin /headers /exports ws2_32.dll > E:\ws2_log.txt