1. Foreword

A few days ago the author came across a kill.exe overflow vulnerability on exploit-db. Among the many UAF vulnerabilities listed there, this simple overflow was refreshingly plain, so it was picked out and studied in depth. The original plan was to write a fully working exploit (EXP), but that seems to have failed. So this article is half introduction and half discussion, in the form of a chat about the problems of writing this EXP. Readers with more experience in this area are sincerely invited to correct the author; readers who know less about it will hopefully find some useful basic information here.

2. Vulnerability analysis

kill.exe is a small tool in the Debugging Tools for Windows package released by Microsoft; it is used to terminate one or more processes together with all of their threads. The version of kill.exe mentioned in the exploit-db entry is 6.3.9600.17298. This version of the tool is installed automatically with the Windows Driver Kit (WDK) 8.1. In addition, version 6.1.7650.0 of kill.exe has a similar problem; that version can be obtained by installing WDK 7.1.

The vulnerable function of version 6.3.9600.17298 is analysed first. kill.exe triggers the stack overflow while processing its command-line parameters, which allows data to be written onto the stack:

[figure: decompiled vulnerable function]

The internal logic of the vulnerable function is simple. When it receives only one parameter, it can be summarised as follows:

[figure: schematic of the single-parameter case]

When there are multiple parameters, a loop handles them one by one: for each parameter it determines whether the parameter consists of digits, performs the corresponding operation, and saves the result.
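The per-argument logic summarised above, written out as an added C example. This is not kill.exe's own code and the 64-byte buffer size is an assumption chosen for the example; it keeps the two branches, a digit string converted to a value and any other string copied into a fixed stack buffer, but adds the range check and the bound check whose absence in the real function is analysed in the rest of this section.

```c
#include <stdint.h>
#include <string.h>
#define ARG_BUF_SIZE 64   /* assumed size of the stack buffer; chosen for this example */

/* Returns 1 if s is a non-empty string of ASCII digits only. */
static int all_digits(const char *s)
{
    if (*s == '\0') return 0;
    for (; *s != '\0'; s++) if (*s < '0' || *s > '9') return 0;
    return 1;
}

/* Left branch: digit string -> value. The original computes v7 = v7*10 + (c - 48)
   with no range check, so a long digit string wraps EAX. Here the check comes
   before the multiply: returns 1 on success, 0 if the value does not fit 32 bits. */
int parse_decimal(const char *s, uint32_t *out)
{
    uint32_t acc = 0;
    if (!all_digits(s)) return 0;
    for (; *s != '\0'; s++) {
        uint32_t digit = (uint32_t)(*s - '0');          /* 48 is the ASCII code of '0' */
        if (acc > (UINT32_MAX - digit) / 10) return 0;  /* acc*10 + digit would wrap */
        acc = acc * 10 + digit;                         /* *10 moves to the next place value */
    }
    *out = acc;
    return 1;
}

/* Right branch: copy a token into a fixed-size buffer, stopping at space, tab or
   NUL exactly like the original loop, but never writing past dst_size bytes.
   Returns the number of bytes copied, or -1 if the token does not fit. */
int copy_token(const char *src, char *dst, size_t dst_size)
{
    size_t n = 0;
    while (src[n] != ' ' && src[n] != '\t' && src[n] != '\0') {
        if (n + 1 >= dst_size) { if (dst_size) dst[0] = '\0'; return -1; }  /* would overflow */
        dst[n] = src[n];
        n++;
    }
    dst[n] = '\0';
    return (int)n;
}

/* Per-argument dispatch as in the loop described above: 1 = handled as a PID,
   2 = handled as a process name, 0 = rejected (overflow or too long). */
int handle_argument(const char *arg, uint32_t *pid_out, char *name_out)
{
    if (all_digits(arg)) return parse_decimal(arg, pid_out) ? 1 : 0;
    return copy_token(arg, name_out, ARG_BUF_SIZE) >= 0 ? 2 : 0;
}
```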
Note that the original function is more complex than this expression; the figure is only a schematic to help the reader understand what the function does. The two branches of the vulnerable function are described in more detail below.

The left branch handles a parameter that is a string of digits and computes the value the string represents. Here v1 is the starting address of the string and v7 holds the final result; 48 is the ASCII code of '0', and the multiplication by 10 applies the place value of each digit.

The right branch handles a parameter that is an ordinary string and copies its content onto the stack. Here v1 is the starting address of the string and v5 is a pointer into the stack.

A careful look reveals a flaw in the left branch as well: v7 is subject to an integer overflow. The assembly is as follows:

[figure: assembly of the digit-parsing loop]

The upper part checks whether the next character of the string is a digit; the lower part computes its value. Obviously EAX can overflow here. However, this vulnerability is not usable for anything. Congratulations, you have earned the "serious code reader" achievement.

The main point is the vulnerability in the right branch, namely the stack overflow. The assembly instructions that perform the copy are as follows:

[figure: assembly of the copy loop]

The three comparisons in the figure check whether the character is a space, a tab or NUL; if it is, the copy terminates, otherwise the next character is copied. When the author starts kill.exe with a long string of 'A' as the parameter, the stack can be seen being overwritten:

[figure: overwritten stack]

3. EXP discussion

The Win 7 environment is more complex than Win XP, so the EXP discussion in this section is placed in a Win XP environment. First, copy kill.exe into a Win XP virtual machine, and then consider how the vulnerability could be used.

Roughly summarised, there are three common ways of exploiting a stack overflow:

1. Overwriting the function return address.
2. Overwriting SEH structures.
3. Overwriting other useful or critical data, such as objects and virtual table pointers.

Let's discuss the situation of kill.exe for each of them in turn and try to find a viable approach.

3.1 Overwriting the return address

In a Win XP environment, overwriting the return address is of course a simple and reliable approach, but there is a problem here: kill.exe is protected by a stack cookie, i.e. it is built with the /GS flag:

[figure: /GS flag in the build options]

The natural question is whether there is a way past this stack cookie. First, it is certain that the cookie is not a static value. Further, some literature describes calculating or guessing the approximate range of the cookie value in order to weaken /GS protection, but that kind of method is not used here. Finally, because the stack overflow in kill.exe can only overwrite part of the stack content and cannot reach the data in the data segment, modifying the cookie value is not feasible either. With no alternative, the only option is the overwrite-SEH method, which is of course also an effective EXP method for bypassing /GS protection.

3.2 Overwriting the SEH structure

Overwriting the SEH structure is also a quite effective technique. But here again there is a problem: kill.exe is protected by SafeSEH, i.e. it is built with the /SAFESEH flag:

[figure: /SAFESEH flag in the build options]

In addition, the figure shows that kill.exe also has CFG protection enabled, i.e. the /guard:cf flag. However, because the author's analysis environment is a Win XP system, CFG protection is not considered for now. Because of the SafeSEH protection, the EXP becomes more troublesome.
The best way to bypass SafeSEH protection is not to use the overwrite-SEH technique at all but to overwrite the function return address or other critical stack data directly, which is clearly not feasible here. The author then examined the other modules loaded by kill.exe and found that all of them carry the /SAFESEH flag, which rules out bypassing SafeSEH through a module built without /SAFESEH. It must also be made clear that in a Win 7 environment kill.exe has DEP and ASLR enabled automatically; screenshot as follows:

[figure: DEP and ASLR status of kill.exe on Win 7]
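The /GS, /SAFESEH, /guard:cf, DEP and ASLR properties discussed in section 3 are what a defender checks before judging how exposed a binary is. As an added example (not code from the original post), the following C reads the three of them that are recorded as DllCharacteristics bits in the PE optional header: DYNAMIC_BASE (ASLR opt-in), NX_COMPAT (DEP opt-in) and GUARD_CF (CFG). /GS leaves no header flag and SafeSEH is recorded in the load-config directory, so neither is covered here; the sample image bytes are constructed inline and are not kill.exe.

```c
#include <stdint.h>
#include <string.h>

/* Mitigation bits in IMAGE_OPTIONAL_HEADER.DllCharacteristics. */
#define DLLCHAR_DYNAMIC_BASE 0x0040   /* ASLR opt-in */
#define DLLCHAR_NX_COMPAT    0x0100   /* DEP opt-in  */
#define DLLCHAR_GUARD_CF     0x4000   /* CFG         */

static uint16_t get_u16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t get_u32(const uint8_t *p) { return get_u16(p) | ((uint32_t)get_u16(p + 2) << 16); }
static void put_u16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Walks DOS header -> "PE\0\0" -> COFF header -> optional header and reads
   DllCharacteristics (offset 70 in both PE32 and PE32+). Returns 1 on success,
   0 if the bytes are not a plausible PE image or the header is truncated. */
int pe_dll_characteristics(const uint8_t *buf, size_t len, uint16_t *out)
{
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return 0;
    uint32_t pe_off = get_u32(buf + 0x3c);                  /* e_lfanew */
    if ((size_t)pe_off + 24 > len) return 0;                /* signature + 20-byte COFF header */
    if (memcmp(buf + pe_off, "PE\0\0", 4) != 0) return 0;
    uint16_t opt_size = get_u16(buf + pe_off + 20);         /* SizeOfOptionalHeader */
    const uint8_t *opt = buf + pe_off + 24;
    if (opt_size < 72 || (size_t)pe_off + 24 + opt_size > len) return 0;
    uint16_t magic = get_u16(opt);
    if (magic != 0x10b && magic != 0x20b) return 0;         /* PE32 / PE32+ */
    *out = get_u16(opt + 70);
    return 1;
}

/* Bitmask of the three mitigations that are NOT enabled; 0 means all three are on. */
uint16_t missing_mitigations(uint16_t dll_chars)
{
    return (uint16_t)(~dll_chars & (DLLCHAR_DYNAMIC_BASE | DLLCHAR_NX_COMPAT | DLLCHAR_GUARD_CF));
}

/* Constructed sample (not kill.exe): a minimal PE32 header in which only the fields
   the parser reads are filled in. buf must hold at least 376 bytes. Returns the length. */
size_t build_sample_pe(uint8_t *buf, uint16_t dll_chars)
{
    const uint32_t pe_off = 0x80;
    memset(buf, 0, pe_off + 24 + 224);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3c] = (uint8_t)pe_off;                            /* e_lfanew (little-endian) */
    memcpy(buf + pe_off, "PE\0\0", 4);
    put_u16(buf + pe_off + 20, 224);                        /* SizeOfOptionalHeader for PE32 */
    put_u16(buf + pe_off + 24, 0x10b);                      /* Magic: PE32 */
    put_u16(buf + pe_off + 24 + 70, dll_chars);
    return pe_off + 24 + 224;
}
```

On a real image, `dumpbin /headers` shows the same DllCharacteristics value; a file with `missing_mitigations` nonzero is one where the corresponding protection will not be applied by the loader.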